00:00:00.234-->00:00:04.204 >> So if you are in here it is the Esoteric Exfiltration talk, if you are looking for the other 00:00:04.204-->00:00:11.044 one it's probably in a different room. So, uhm... this is me I'm Willa Riggins. Uhm, I am a 00:00:11.044-->00:00:15.749 senior penetration tester from Veracode, a member of the FamiLAB hackerspace down in 00:00:15.749-->00:00:20.754 Orlando, uh... I'm the DC407 point of contact... I just, I do a lot of things - OWASP and 00:00:23.023-->00:00:28.829 BSides. Uhm,but really if you look at my twitter I just retweet cats. [laughter] That's 00:00:28.829-->00:00:34.968 really all I do. So exfil101 - how many of you are familiar with exfiltration at all? 00:00:34.968-->00:00:39.973 Anybody in the room? Awesome! So it's the know-it-all crowd. So, for those who aren't in the know 00:00:42.142-->00:00:45.746 - data exfiltration is the unauthorised transfer of sensitive information from a 00:00:45.746-->00:00:50.684 target's network to a location that the threat actor controls. Now that's from a Trandmicro 00:00:50.684-->00:00:55.689 article. But, basically, that, lie, "threat actor control" is kind of our wishy-washy term 00:00:57.858-->00:01:03.630 here - uhm, what is that? It can be their server, their social media account, it could be their 00:01:03.630-->00:01:10.404 dropbox, could be anything, right? So why do you care? Uhm, data loss costs you money and 00:01:10.404-->00:01:17.144 your sanity. If anybody's ever work incident response, it sucks when you loose stuff. Uhm, if 00:01:17.144-->00:01:22.149 you've ever found creds on Pastebin, that had your name in it, that suscks! So anyway, back 00:01:25.686-->00:01:30.691 in 2012, Reddit Netsec - anyone follow Netsec on Reddit? Yes! So I did a survey back in 2012 and 00:01:34.928-->00:01:39.933 82% of the folks who replied said "Hey, this stuff is important." Uhm, you know, "It 00:01:41.935-->00:01:47.741 means a lot to us and our networks and our money and our companies". Uhm, so, let's talk 00:01:47.741-->00:01:52.579 a little bit about covert channels and where to find them, and this is kind of where the 00:01:52.579-->00:01:57.451 meat of the talk is going to be cause I've done all the stuff, I've done the research, I've 00:01:57.451-->00:02:02.923 gotten caught... Uhm and the getting caught stuff is the most exciting part because then you 00:02:02.923-->00:02:09.062 learn how not to do that. Uhm, so, the first thing is mask your traffic with normal usage 00:02:09.062-->00:02:14.835 patterns - so if you know a company uses, you know, social media or they're on webtraffic, 00:02:14.835-->00:02:19.806 or they're using protocols for their everyday business like FTP or like, uhm, you know, everyone 00:02:19.806-->00:02:24.811 uses HTTP or HTTPS. Uhm, some folks have RDP open. Uhm, just knowing that stuff is really 00:02:26.913-->00:02:30.917 important cause then you can kind of build a model of "What does a normal employees traffic 00:02:30.917-->00:02:36.857 look like, and how can I look like that?" Uhm, hide data in known safe payloads, so don't 00:02:36.857-->00:02:41.862 save. Uhm, status updates to Facebook or Twitter, that kind of stuff looks innocuous, right? 00:02:45.132-->00:02:49.403 You probably post five tweets every minute, that's you know, that's a lot of data - that's 00:02:49.403-->00:02:55.108 140 characters times five, uh, not a huge amount of through put there but it's still cool, like, 00:02:55.108-->00:03:00.047 you could do something with that. Uhm, say with HTTP post, how many ASP.net devs do we have 00:03:03.617-->00:03:07.487 in the room? [chatter] [laughter] How many of you hate the view state because it's 2Mb? 00:03:07.487-->00:03:13.093 Yea, that's 2Mb of data that you can send out and, you know, no one's going to notice it - it's 00:03:13.093-->00:03:18.865 just gone. Encoded base 64 it, like viewstate, put it in a form and just submit it to whatever 00:03:18.865-->00:03:25.505 web server. Uhm, that's a "meg", you know, every single request it's gone. Uhm, the other thing 00:03:25.505-->00:03:30.010 is stay quiet, you know, stay within the normal payload size like that 2Mb viewstate, don't 00:03:30.010-->00:03:37.017 try and upload 36gb to twitter... Don't! [laughter] I've... We've done this, uhm, 00:03:37.017-->00:03:41.455 it's not fun, don't try to do that - you'll get rate limited, people will be like "What the 00:03:41.455-->00:03:45.559 hell is this, like, why are there all these tweets with random data in it?" Uhm, 00:03:45.559-->00:03:51.498 Facebook will probably get really angry if I did that Uhm, it's important to realize that 00:03:51.498-->00:03:55.368 not only are you going to get caught by other people seeing that you're posting all this 00:03:55.368-->00:04:00.006 crap, but also it's going to throw a flag on whatever egress is there, so If there's a 00:04:00.006-->00:04:04.277 firewall or an out-firewall they're gonna see a spike in traffic and go "What is that? 00:04:04.277-->00:04:08.849 What device did that come from?" And that's, that's one way you're definitely gonna get 00:04:08.849-->00:04:15.288 caught, if you send 36GBs of data over one channel from one device all at the same time. So 00:04:15.288-->00:04:20.260 yea, definitely stay quiet and set your payload sizes based on what the channel is - so Twitter 00:04:20.260-->00:04:26.800 obviously is a 140 characters, uhm, you're kinda limited there; DNS is even smaller, DNS as an 00:04:26.800-->00:04:33.507 exfill method kinda sucks. Facebook gives you a lot more leeway but, uhm, you know, 00:04:33.507-->00:04:36.743 there's a lot of management involved with that, but we'll talk about that a little bit 00:04:36.743-->00:04:41.581 later. Encoding and encrypting your data, so, depending on who you're doing this for and why 00:04:41.581-->00:04:45.919 you're doing this, you might not want people to know that you stole that data, right? You 00:04:45.919-->00:04:49.723 don't want them to know, you don't want them to Google and be like "Why is my name in this 00:04:49.723-->00:04:54.795 weird twitter stream of binary data? why is it in there?". Cause they'll trace it back, 00:04:54.795-->00:04:58.665 figure it out, contact Twitter which will take a long time, they'll get back and they'll be 00:04:58.665-->00:05:02.135 like "Oh, it's this device that's uploading all this crap from your server" - you just 00:05:04.271-->00:05:07.807 want to make sure that people can't find it. There's a really cool tool called "Cloakify", by 00:05:07.807-->00:05:12.846 one of our other attendees who might be here... Uhm, that basically does DLP avoidance. 00:05:12.846-->00:05:18.251 That's a really cool thing that, uhm, you can use that to kind of transform the data before you 00:05:18.251-->00:05:24.758 send it out. So... So we talked about transport, right? We talked a little bit about why 00:05:24.758-->00:05:30.664 you do the things the way you do them, but let's talk about specific examples. So, on the 00:05:30.664-->00:05:35.402 transport layer, you know, you have network protocols we can do point-to-point stuff with HTTP; 00:05:35.402-->00:05:42.275 we can do Tellnet, Netcal, all that stuff. Third-party drops like Dropbox or putting it on 00:05:42.275-->00:05:48.281 Facebook or anything like that, that's kind of taking the threat actor control to a third party 00:05:48.281-->00:05:53.320 and then getting it relayed down to another, you know, device. So,those are cool cause, it's... 00:05:53.320-->00:05:56.990 it's kinda like a deaddrop. Then going to the airwaves, which is something that I really wanted 00:05:56.990-->00:06:01.361 to show off today, but I am a terrible...like, I didn't sacrifice enough things to the 00:06:01.361-->00:06:07.334 demo gods and my demo.... doesn't work, and then the radios I brought, don't work, 00:06:07.334-->00:06:13.907 so... Uhm I will be having to contact Sparkphone and figure out what to do there... So, 00:06:13.907-->00:06:18.912 network protocols, the obvious stuff, HTTP, SSH, NetCat - I mean, if you can get out with 00:06:21.181-->00:06:25.118 that stuff by all means use it, like, that's the easiest low hanging fruit. You're gonna get 00:06:25.118-->00:06:28.989 out, that's fine, and by the time anyone notices that you did what you did, as long as you've 00:06:28.989-->00:06:33.093 throttled it and hid it like you're supposed to, no one's gonna notice. Uhm, you can get 00:06:33.093-->00:06:38.331 all this stuff out. Now if you have a company with a really awesome sock, who, uh, is going 00:06:38.331-->00:06:43.336 to bust you within like ten minutes of you doing the thing that you did - maybe you should 00:06:43.336-->00:06:48.174 hide in something else like we talked a little bit about RTP - if that's a normal part of your 00:06:48.174-->00:06:53.313 business, you know, RTP into another machine; map the drive and exfill data that way. It's 00:06:53.313-->00:06:58.418 super easy, you don't need a tool to do it, uhm... and no one's gonna really notice until 00:06:58.418-->00:07:04.057 later when they're like "Why is this RTP session using so much data?" Uhm, so, that's sorta 00:07:04.057-->00:07:07.460 stuff is really interesting. There's some other stuff where, like, uhm.. If they use a 00:07:07.460-->00:07:14.367 specific proprietary protocol, I won't name any, uhm.. but you can basically hide data in that 00:07:14.367-->00:07:21.074 by munging the protocol so if there's a request that, like, list files or something you 00:07:21.074-->00:07:26.079 could make it so that instead of listing a directory it lists, uhm.. a page 64 of the data 00:07:26.079-->00:07:30.517 you're "exfilling". You could do some really cool stuff with that. Uhm, so that's kind of the 00:07:30.517-->00:07:35.588 discrete way of doing that data on the wire stuff. Uh, third-party drops... Uhm... 00:07:35.588-->00:07:39.526 Obvious stuff is any file-sharing service that will let you upload the size of data 00:07:39.526-->00:07:45.799 that you have. Uhm.. again you probably wanna throttle it, uhm, and these are typically blocked 00:07:45.799-->00:07:51.271 at same proxy level or an egress firewall. Like if these are available to you, yea.... 00:07:51.271-->00:07:56.643 that's.. that's like "Exfils done, we don't need... we have another problem, right?" Uhm, 00:07:56.643-->00:08:02.449 but Pastebin - how many of you have Pastebin at work? Can you get Pastebin ? See... yea... 00:08:02.449-->00:08:07.454 that's not a lot of hands - that's awesome! So, we've blocked Pastebin ... [laughter] 00:08:07.454-->00:08:10.724 What else is out there that you could use? There's like twelve other services that you could 00:08:10.724-->00:08:16.129 use that do exactly the same thing and they're probably unblocked, right? So doing it 00:08:16.129-->00:08:20.734 discretely, right, we can use Flicker imager and do staggo; put it inside a picture of a 00:08:20.734-->00:08:25.472 squirrel - done that, that's awesome! [laughter] Uhm, those two services in particular will 00:08:25.472-->00:08:29.676 let you upload things that are completely losless - so you can upload it and you can download 00:08:29.676-->00:08:34.080 it and all your stagnant data is there. Uhm, there's simple Python libraries that do all 00:08:34.080-->00:08:39.552 that stuff, uhm, the APIs change constantly but if you keep up with it, I mean, you can exfill 00:08:39.552-->00:08:43.123 data that way; and when it goes out the firewall it looks like you're uploading squirrel 00:08:43.123-->00:08:49.729 pictures which is super weird but nobody's ever gonna ask you "Why?". [laughter and chatter] 00:08:49.729-->00:08:55.869 So, Twitter and Facebook, I put Twitter in the same category as DNS - I kinda hate it as an 00:08:55.869-->00:09:01.041 exfill method cause a 140 characters is just too slow. Uhm, and by the time you get any 00:09:01.041-->00:09:07.180 meaningful amount of data out that wall, uhm... I mean, you're gonna have to recompile it and 00:09:07.180-->00:09:12.152 get it all down and it's just no fun. Uhm, Facebook though... Facebook has this really cool 00:09:12.152-->00:09:17.123 thing called "Groups". Anybody in a Facebook group? Where's the moms in the room?... Cause I'm 00:09:17.123-->00:09:22.762 in like twelve. [laughter] Okay. So Facebook groups let you upload files and it is in the 00:09:22.762-->00:09:28.401 API to actually let you upload files in Facebook groups. So I create a fake Facebook account; 00:09:28.401-->00:09:33.206 I create a fake group with just me in it and then I upload a bunch of files. Uhm, you can 00:09:33.206-->00:09:38.244 totally do that, right? And most of you at work Facebook''s unlocked, I know the army does 00:09:38.244-->00:09:43.683 that, I know a lot of the DOD companies do that because it's required for business - in 00:09:43.683-->00:09:48.488 theory. Uhm, so you can't block Facebook, you can't block Twitter, can't block all these 00:09:48.488-->00:09:53.493 services that "I HAVE to use for business; so I'll abuse them and exfill data". It's cool. So 00:09:57.363-->00:10:03.503 kinda getting past that and doing the airwaves stuff. Uhm... [pause] A lot of folks think of 00:10:03.503-->00:10:07.173 this in the tempest realm, right? We talk about, you know, you have a room with a faraday 00:10:07.173-->00:10:10.643 cage on it, you're not gonna get anything out of that room. We've seen talks where they've done 00:10:10.643-->00:10:16.082 like fans where you spin the fan at the right oscillation - you can exfil data that way. I don't 00:10:16.082-->00:10:20.987 know anyone who has done that on a pentest - has anybody actually done that? Like tempest attacks 00:10:20.987-->00:10:26.726 for exfil.. on a pentest where you have two days of sleep and you really don't have the time 00:10:26.726-->00:10:33.233 to set that up? Yea, like you can't do that - that's too much effort for low return. But, what 00:10:33.233-->00:10:38.204 if you had a device you could just plug in? So a USB port, onsite, you broke-and-entered 00:10:38.204-->00:10:42.041 with your lock picks and your little door tool and you shimmied and you just plugged 00:10:42.041-->00:10:46.412 the tool in the back of the machine and that was it. No WiFi antenna, no, like, HID-device 00:10:46.412-->00:10:51.417 just a USB serial that you plug in and all of a sudden you have a remote connection. You could 00:10:54.921-->00:10:59.025 do a lot with that, uhm, you could write code and do all kinds of fun stuff; or you could 00:10:59.025-->00:11:05.198 just stream data over it, uhm, serial out. Uhm... and the XP radius that I have are like 00:11:05.198-->00:11:10.370 28mile range, they do mesh, uhm, I have them in my hotel room if anyone wants to see them I'll 00:11:10.370-->00:11:16.042 bring them. Uhm, I just need breakout boards that don't suck. Uhm... but the cool thing with 00:11:16.042-->00:11:21.080 that is you can build a mesh network that went all the way up "The Strip" and the chances of 00:11:21.080-->00:11:26.019 anyone being able to triangulate each and every node, by the time you are done exfilling data, is 00:11:26.019-->00:11:30.957 extremely low. Uhm, and these things cost like... I think the series that I'm using are like 00:11:30.957-->00:11:36.462 70 bucks, you can get 1mile range ones for like 40, so they're kinda like throwaway 00:11:36.462-->00:11:41.467 pentest devices - just strap it to the back of a t-seed plug it in, walk away. Uhm, hand radio 00:11:43.770-->00:11:48.775 stuff, you could do APRS, right? Any hands in the room? APRS messaging? It's totally illegal 00:11:50.777-->00:11:56.482 - don't do it! ...But you could technically exfill over APRS, right? [laughter] Cause it's 00:11:56.482-->00:12:01.354 just text, it's just text data, it's digital. Uhm, I could just say "Hey, my truck is here, my 00:12:01.354-->00:12:05.959 truck is here, my truck is in Japan, my truck is here...". Uhm, and you could use that to 00:12:05.959-->00:12:11.531 exfill data, uhm, and the cool thing with that one is that you can repeat it with internet 00:12:11.531-->00:12:15.301 repeaters and stuff like that - you don't even have to be in the country. Uhm, you could just 00:12:15.301-->00:12:20.306 exfill like that. And then lasers - how many people are fans of lasers? So basically use 00:12:22.408-->00:12:26.512 the laser mic techinique - everybody knows what... everybody don't know about the 00:12:26.512-->00:12:31.818 laser mic thing? Hitting the laser as the glass, you feel the vibrations from the glass and 00:12:31.818-->00:12:36.522 you read it digitally by refelcting it off something. Do that with data! Why not.... 00:12:36.522-->00:12:41.461 right? I mean, that stuff's insane and totally out of the scope of pentest but it sounds 00:12:41.461-->00:12:47.000 really cool so let's put it inside... [laughter] So all this stuff is about attacking and 00:12:47.000-->00:12:52.138 breaking stuff but, uhm, what does Putin say about all this stuff, right? What do you do? 00:12:52.138-->00:12:57.543 You can't block Facebook, you can't block Twitter, so what the hell are you gonna do? So we can 00:12:57.543-->00:13:03.082 block N-points, we can block individual malware N-points, we can block some stuff, uhm, by 00:13:03.082-->00:13:08.755 URI or IP, right? So every time I standup a fake service with Pastebin code on it you block 00:13:08.755-->00:13:14.894 it, fine, whatever. Uhm, I can block egress at the firewall by the port protocol or application 00:13:14.894-->00:13:18.231 firewall or whatever, I can just shut that down, whatever the hell you're doing I'll just 00:13:18.231-->00:13:23.803 block it. Uhm, you can try to detect anomalies and payload size so, you know, look at the 00:13:23.803-->00:13:27.774 frequency, look at the "Hey, why is this machine turning on at three in the morning, going on 00:13:27.774-->00:13:32.879 Facebook and uploading 6GB of data, like, why is that happening? It doesn't make any 00:13:32.879-->00:13:37.450 sense." You can look for that stuff and that's, that's cool. Uhm, and you can block USB 00:13:37.450-->00:13:43.756 devices by classic deice ID. [pause] Now, none of that stuff works, uhm... Unfortunately 00:13:43.756-->00:13:48.861 blacklist just don't work, if you've got a proxy at your company - I won't name names - 00:13:48.861-->00:13:53.332 but a lot of them, like, you can standup a new websites, categorize it, get it approved 00:13:53.332-->00:13:59.105 through the proxy service and it's good to go in 48hours. So, you can standup your malicious 00:13:59.105-->00:14:03.676 website, looks like a "My Little Pony" fansite - which is awesome - and then have, like, a 00:14:03.676-->00:14:09.849 "/exfill" and just exfill data to that. Like, just use your Appache login to, just whatever, 00:14:09.849-->00:14:14.253 doesn't matter, just stream data out. People think you just really like "My Little Pony" 00:14:14.253-->00:14:18.391 and, you know, that's fine. Please don't access that at work, that's as far as the 00:14:18.391-->00:14:23.863 conversation goes, cool! Uhm, we can disrupt normal business if we start blocking stuff, so 00:14:23.863-->00:14:28.801 Facebook, Twitter, DropBox - a lot of companies use that for, you know, large file transfers 00:14:28.801-->00:14:35.775 anyway but if they have to use it I can use it. Uhm, and that's kind of like Moxie Marlinspike 00:14:35.775-->00:14:40.446 talks about the scope of choice with Google and Facebook and TIA, uh, and how you can't 00:14:40.446-->00:14:45.518 really not use Facebook if you wanna be friends with everyone, right? So, the choice is then 00:14:45.518-->00:14:50.389 "Do I interact with people or do I, you know, just not participate?" And that's what we 00:14:50.389-->00:14:56.763 wanna force people to do as attackers, is to decide between making money and preventing my 00:14:56.763-->00:15:02.268 exfill.. Uhm, and there's kind of a balance there, uhm, and it's for companies to kinda 00:15:02.268-->00:15:07.807 figure out what's more risky. In context this protocol were difficult to automate, you 00:15:07.807-->00:15:12.378 can... like you can do Deep Packet Inspection - it's awesome, right? DPI can do all 00:15:12.378-->00:15:16.883 kinds of fun things but if it's inside a squirrel picture and steggoed and all this other 00:15:16.883-->00:15:22.555 stuff, like, good luck telling your system to do that. Uhm, you might have the data in a pcap 00:15:22.555-->00:15:28.161 somewhere, that's fine, but if you're gonna take my forty thousand squirrel pictures and 00:15:28.161-->00:15:33.166 somehow decode them all you should go play DefCon CTF... [laughter] Uhm, USB device IDs, 00:15:36.803-->00:15:40.773 those don't work, there's a lot of manufacturers that are just repeating the same ID for 00:15:40.773-->00:15:45.945 whatever the hell that is. Uhm, and it's.. each of those cost money, so why would they pay for 00:15:45.945-->00:15:50.950 a USB device ID for a crappy mouse you bought down the street? Like, they're not gonna 00:15:50.950-->00:15:57.590 do that, so if you're trying to block it by device ID it's just not gonna work. So, weaponizing 00:15:57.590-->00:16:02.528 squirrels, uhm, "Squirrel" is the name of a tool, a tool that's not, uhm, ready today 00:16:05.198-->00:16:11.737 cause I suck at everything. It's a Python 2.7 based application, it will be MIT-licensed, uhm, 00:16:11.737-->00:16:15.341 you will be able to download it; do whatever you want with it, uh.. munge it, take it apart, 00:16:15.341-->00:16:20.479 uhm, steal code - I don't care, like, the whole point is that you'll be able to do exfill and 00:16:20.479-->00:16:25.785 it'll be easy. So, it ex tense will be a simple module-based plugins so all you have to do is 00:16:25.785-->00:16:30.890 write a little bit of the base code, uh, for your module, for your exfill channel, and all 00:16:30.890-->00:16:35.728 the, like, taking the file and chunking it up, all that's taken care of. All of the login, all 00:16:35.728-->00:16:39.999 of the... all the stuff you don't wanna care about is done. All you've got to do is write a 00:16:39.999-->00:16:45.938 "send" and "receive". Uhm, and so you can put this on the box that you've poned, executed with 00:16:45.938-->00:16:50.943 the CLI and exfill. That's it, that's all you have to do. So this is what it looks like when 00:16:53.112-->00:16:59.518 you execute it. Uhm, right now it just has a.. you can put the file in the channel you wanna 00:16:59.518-->00:17:03.856 use under the "Settings" collection; and all the channels are not committed to show what 00:17:03.856-->00:17:09.862 the settings are. Uhm, like for "Imager" which is one of the examples I used, you can put in 00:17:09.862-->00:17:14.233 the client-secret client ID and then that's all you really need for that one to exfill. So, 00:17:14.233-->00:17:21.007 uhm... cool! And that's what the tool, the module, looks like, it's really hard to read on this 00:17:21.007-->00:17:26.612 screen. So they told me that this was a four by three projector, uhm, but apparently 00:17:26.612-->00:17:32.985 have tons more space. Uhm, but if you can see that at all, uhm, all the stuff is just metadata 00:17:32.985-->00:17:39.091 saying "What the hell is this thing? How big can my chunks be, and, uh, what does it do?", and 00:17:39.091-->00:17:41.193 the rest of it is just "Send" and "Receive". And all you have to do is write "Send" or 00:17:41.193-->00:17:46.198 "Receive" and it'll work. [pause] So, this is the URL that the code will be available at 00:17:50.703-->00:17:56.075 soon as I stop being sick and my family stops, like, almost dying. Uh... you will be able to 00:17:56.075-->00:18:02.381 download the code at that URL, obviously it's not available today but... Uhm, closing stuff: 00:18:02.381-->00:18:06.852 stuff I wanna do. Uhm, additional modules, obviously, uh... because the demo's not 00:18:06.852-->00:18:11.490 done, it should work. [laughter] Uhm, executable payload generation with pi-installers, 00:18:11.490-->00:18:17.930 so doing kind of an MSF-thivim thing uh.. to a MSF-post mudule, longer range hardware, get with 00:18:17.930-->00:18:23.970 the Cloakify guy and shove that stuff into my code; uh.. and customized timing. All of these 00:18:23.970-->00:18:28.341 are super awesome because they've contributed in some way to me actually getting this done 00:18:28.341-->00:18:34.413 (slash) me being here. Uh, Varacode especially... and BSides, and DC407, and FamiLAB 00:18:34.413-->00:18:39.418 and all those cool people. Uhm, and thank you... That's kind of the talk. [applause]