So if you're in here, this is the esoteric exfiltration talk. If you're looking for the other one, it's probably in a different room. So this is me. I'm Willa Riggins. I'm a senior penetration tester from Veracode, member of the FamLab hackerspace down in Orlando. I'm the DC407 point of contact. I do a lot of things, OWASP and BSides. But really, if you look at my Twitter, I just retweet cats. That's really all I do.

All right, so Exfil 101. How many of you are familiar with exfiltration at all? Anybody in the room? Awesome. So it's the know-it-all crowd. So for those who aren't in the know, data exfiltration is the unauthorized transfer of sensitive information from a target's network to a location that the threat actor controls. That's from a Trend Micro article. But basically, that "threat actor control" is kind of our wishy-washy term here. What is that? Like, that could be their server, it could be their social media account, it could be their Dropbox, it could be anything, right?

So why do you care? Data loss costs you money and your sanity. If anybody's ever worked incident response, it sucks when you lose stuff. If you've ever found, like, creds on Pastebin that had your name in it, that sucks. So anyway, back in 2012, Reddit NetSec, anybody follow NetSec? Any of you guys on Reddit? Yes. Okay. So I did a survey back in 2012, and 82% of the folks who replied said, hey, this stuff is important, you know. It means a lot to us and our networks and our money and our companies.

So let's talk a little bit about covert channels and where to find them. And this is kind of where the meat of the talk is going to be, because I've done all this stuff, I've done the research, I've gotten caught. And the getting caught stuff is kind of the most exciting part, because then you learn how not to do that. So the first thing is mask your traffic with normal usage patterns.
So if you know a company uses, you know, social media or their own web traffic, or they're using protocols for their everyday business like FTP or, like, you know, everybody uses HTTP or HTTPS. Some folks have RDP open. Just knowing that stuff is really important, because then you can kind of build a model of, you know, what does a normal employee's traffic look like and how can I look like that?

High data and known safe payloads. So known safe, right? Status updates to Facebook or Twitter. That kind of stuff looks innocuous, right? You probably post, like, five tweets every minute. That's, you know, that's a lot of data. That's 140 characters times five. Not a huge amount of throughput there, but it's still cool. Like, you could do something with that. Same with HTTP POST. How many .NET devs do we have in the room? Yeah. How many of you hate the ViewState because it's two meg? Yeah. That's two meg of data every single request that you could send out and, you know, no one's going to notice it. It's just gone. Encode it, base64 it like ViewState, put it in a form and just submit it to whatever web server. That's a meg, you know. Every single request. It's gone.

The other thing is stay quiet, you know, stay within a normal payload size like that two meg ViewState. Don't try and upload 36 gig to Twitter. Don't. We've done this. It's not fun. Don't try to do that. You'll get rate limited. People will be like, what the hell is this? Like, why are there all these tweets with random data in it? Facebook will probably get really angry if I did that. It's important to realize that not only are you going to get caught by other people seeing that you're posting all this crap, but also it's going to throw a flag on whatever egress is there. So if there's a firewall or an app firewall, they're going to see a spike in traffic and go, what is that? What device did it come from?
And that's one way you're definitely going to get caught: if you send 36 gig of data over one channel from one device all at the same time. So yeah. Definitely stay quiet. And set your payload sizes based on what the channel is. So Twitter obviously is 140 characters. You kind of limit it there. DNS is even smaller. DNS as an exfil method kind of sucks. Facebook gives you a lot more leeway, but there's a lot of management involved with that. But we'll talk about that a little bit later.

And encoding and encrypting your data. So depending on who you're doing this for or why you're doing it, you might not want people to know that you stole that data, right? You don't want them to know. You don't want them to Google and be like, why is my name in this weird Twitter stream of binary data? Why is it in there? Because they'll trace it back, figure it out, contact Twitter, which will take a long time. They'll get back and they'll be like, oh, it's this device, it's uploading all this crap from your server. You just want to make sure that people can't find it. There's a really cool tool called Cloakify by one of our other attendees, who might be here, that basically does DLP avoidance. That's a really cool thing; you can use that to kind of transform the data before you send it out.

So talking about transport, right, we talked a little bit about why you do the things the way you do them. But let's talk about specific examples. So on the transport layer, you know, you have network protocols, so we can do point-to-point stuff with HTTP. We can do Telnet, Netcat, all that stuff. Third-party drops like Dropbox or, you know, putting it on Facebook or anything like that. That's kind of taking the threat actor control to a third party and then getting it relayed down to another, you know, device. So those are cool because it's kind of like a dead drop. And then going to the airwaves. Which is something I really wanted to show off today.
But I am a terrible, like, I didn't sacrifice enough things to the demo gods. And my demo doesn't work. And the radios I brought don't work. So I will be having to contact SparkFun and figure out what to do there.

So network protocols. The obvious stuff: HTTP, SSH, Netcat. If you can get out with that stuff, by all means, use it. Like, that's the easiest low-hanging fruit. You're going to get out. That's fine. And by the time anyone notices you did what you did, as long as you've throttled it and hidden like you're supposed to, no one's going to notice. You can get all this stuff out. Now if you have a company with a really awesome SOC who is going to bust you within, like, ten minutes of you doing the thing that you did, maybe you should hide in something else. Like, we talked a little bit about RDP. If that's a normal part of your business, you know, RDP into another machine, map the drive and exfil data that way. It's super easy. You don't need a tool to do it. And no one's going to really notice until later, when they're like, why is this RDP session using so much data? So that sort of stuff is really interesting. There's some other stuff where, like, if they use a specific proprietary protocol, I won't name any, but you can basically hide data in that by munging the protocol. So if there's a request that, like, lists files or something, you could make it so that instead of listing a directory, it lists basic stuff. So that's kind of the discreet way of doing that data-on-the-wire stuff.

Third-party drops. Obvious stuff is any file sharing service that will let you upload the size of data that you have. Again, you probably want to throttle it. And these are typically blocked at some proxy level or an egress firewall. Like, if these are available to you, yeah, that's like, exfil's done. We don't need, we have another problem, right? But Pastebin, how many of you have Pastebin at work? Can you get to Pastebin? See, yeah, that's not a lot of hands. That's awesome.
So we've blocked Pastebin. What else is out there that you could use? Like, there's like 12 other services that do exactly the same thing, and they're probably unblocked, right? So doing it discreetly, right? We can use Flickr, Imgur, and do stego, put it inside of a picture of a squirrel. Done that. That's awesome. Those two services in particular will let you upload things that are completely lossless. So you upload it, and you can download it, and all your stego data is there. There's simple Python libraries that do all that stuff. The APIs change constantly. But if you keep up with it, I mean, you can exfil data that way. And when it goes out the firewall, it looks like you're uploading squirrel pictures, which is super weird, but nobody's ever going to ask you why.

So Twitter and Facebook. I put Twitter in the same category as DNS. I kind of hate it as an exfil method, because 140 characters is just too slow. And by the time you get any meaningful amount of data out that wall, I mean, it's just, you're going to have to recompile it and get it all down, and it's just no fun. Facebook, though. Facebook has this really cool thing called groups. Anybody in a Facebook group? Where are the moms in the room? Because I'm in, like, 12. So Facebook groups let you upload files. And it is in the API. It's in the API to let you actually upload files into Facebook groups. So I create a fake Facebook account, I create a group with just me in it, and then I upload a bunch of files. I can totally do that, right? And most of you at work, Facebook's unblocked. I know the Army does that. I know a lot of the DoD companies do that, because it's required for business theory. So you can't block Facebook, you can't block Twitter, you can't block all these services that I have to use for business. So I'll abuse them and exfil data. It's cool.

So kind of getting past that and doing the airwave stuff. A lot of folks think about this in the TEMPEST realm, right?
We talk about, you have a room with a Faraday cage on it, you're not going to get anything out of that room. We've seen talks where they've done fans, where you spin the fan at the right oscillation and you can exfil data that way. I don't know anyone who's done that on a pen test. Has anybody actually done that? Like, TEMPEST attacks for exfil on a pen test, where you have two days of sleep and you really don't have the time to set that up? Yeah. Like, you can't do that. Like, that's just, that's too much effort for low return.

But what if you had a device you could just plug in to a USB port on site? You broke and entered with your lockpicks and your little door tool and you shimmied in, you just plug the tool in the back of the machine and that was it. No Wi-Fi antenna. No, like, HID devices. Just a USB serial UART that you plug in, and all of a sudden you had a remote connection. You could do a lot with that. You could write code and do all kinds of fun stuff, or you could just stream data over it, serial out. And the XBee radios that I have are, like, 28 mile range. They do mesh. I have them in my hotel room if anyone wants to see them; I'll bring them. I just need breakout boards that don't suck. But the cool thing with that is you could build a mesh network that went all the way up the Strip. And the chances of anyone being able to triangulate each and every node by the time you were done exfilling data is extremely low. And these things cost, like, I think the series that I'm using, they're like 70 bucks. You can get one mile range ones for, like, 40. So they're kind of like throwaway pen test devices. Just strap it to the back of a Teensy, plug it in, walk away.

Ham radio stuff. You could do APRS, right? Any hams in the room? APRS messages? It's totally illegal. Don't do it. But you could technically exfil over APRS, right? Because it's just text. It's just text data. It's digital. I could just say, hey, my truck is here. My truck is here. My truck is in Japan.
My truck is here. And you could use that to exfil data. And the cool thing with that one is that you can repeat it with Internet repeaters and stuff like that. You don't even have to be in the country. You could just exfil with that. And then lasers. So basically use the laser mic technique that everybody knows about. Everybody know about the laser mic thing? You aim the laser at the glass. You feel the vibrations from the glass. And you read it digitally by reflecting it off something. Do that with data. Why not? Right? I mean, that stuff is insane and totally out of the scope of a pen test, but it sounds really cool. So let's put it in a slide.

So all this stuff is about attacking and breaking stuff. But what does the blue team say about all this stuff, right? What do you do? You can't block Facebook. You can't block Twitter. So what the hell are you going to do? So we can block endpoints. We can block individual malware endpoints. We can block some stuff by URI or IP, right? So every time I stand up a fake service with Pastebin code on it, you block it. Fine. Whatever. I can block egress at the firewall by the port, protocol, or application firewall or whatever. I can just shut that down. Whatever that is. Whatever the hell you're doing, I'll just block it. You can try to detect anomalies in payload size. So look at the frequency. Look at, hey, why is this machine turning on at 3 in the morning, getting on Facebook and uploading 6 gig of data? Why is that happening? That doesn't make any sense. You can look for that stuff. And that's cool. And you can block USB devices by class or device ID.

Now none of that stuff works. Unfortunately, blacklists just don't work. If you've got a proxy at your company, I won't name names, but a lot of them, you can stand up a new website, categorize it, get it approved through the proxy service, and it's good to go in 48 hours.
So you can stand up your malicious website that looks like a My Little Pony fan site, which is awesome, and then have a /exfil and just exfil data to that. Just use your Apache logs. Just whatever. It doesn't matter. Just stream data out. People think you just really like My Little Pony, and that's fine. "Please don't access that. It's not at work." That's as far as the conversation goes. Cool.

We can disrupt normal business if we start blocking stuff. So Facebook, Twitter, Dropbox, a lot of companies use that for large file transfers anyway. But if they have to use it, I can use it. And that's kind of like Moxie Marlinspike talks about the scope of choice with Google and the Facebook and TIA, and how you can't really not use Facebook if you want to be friends with everyone, right? So the choice is then, do I interact with people? Or do I, you know, just not participate? And that's what we want to force people to do as attackers, is to decide between making money and preventing my exfil. And there's kind of a balance there. And it's for companies to kind of figure out what's more risky.

And context is critical but difficult to automate. You can, like, you can do deep packet inspection. It's awesome, right? DPI can do all kinds of fun things, but if it's inside a squirrel picture and stegoed and all this other stuff, like, good luck telling your system to do that. You might have the data in a PCAP somewhere, that's fine. But if you're going to take my 40,000 squirrel pictures and somehow decode them all, you should go play DEF CON CTF. USB device IDs, those don't work. There's a lot of manufacturers that are just repeating the same ID for whatever the hell it is. And each of those costs money. So why would they pay for a USB device ID for a crappy mouse you bought down the street? Like, they're not going to do that. So if you try to block it by device ID, it's just not going to work.

So, weaponizing squirrels.
Squirrels is the name of a tool, a tool that's not ready today, because I suck at everything. It's a Python 2.7 based application. It'll be MIT licensed. You'll be able to download it, do whatever you want with it. Mudge it, take it apart, steal code, I don't care. The whole point is that you'll be able to do exfil, and it'll be easy. So it's extensible via simple module-based plug-ins. So all you have to do is write a little bit of the base code for your module for your exfil channel, and all the, like, taking the file and chunking it up, all that's taken care of. All the logging, all the stuff you don't want to care about, is done. All you have to do is write a send and a receive. And so you can put this on the box that you've pwned, execute it with the CLI, and exfil. That's it. That's all you have to do.

So this is what it looks like when you execute it. Right now it just has a, you know, you put the file name, the channel you want to use, and then a settings collection. And all the channels are documented to show what the settings are. Like for Imgur, which is one of the examples I used, you can put in your client secret and client ID, and then that's all you really need for that one to execute. So, um, cool.

And that's what the tool, the module, looks like. It's really hard to read on the screen. So they told me this was a four by three projector. But apparently I have tons more space. But if you can see that at all, all this stuff is just metadata saying what the hell is this thing, how big can my chunks be, and, you know, what does it do. And the rest of it is just send and receive. And all you have to do is write send and receive. And it'll work.

So this is the URL that the code will be available at, as soon as I stop being sick and my family stops, like, almost dying. You'll be able to download the code at that URL. Obviously it's not available today. But, um, closing stuff, stuff I want to do. Additional modules.
Obviously, because the demo is not done, it should work. Executable payload generation with PyInstaller. So doing kind of an msfvenom thing, do an MSF post module, longer range hardware. Get with the Cloakify guy and shove that stuff into my code. And customize timing.

All these people are super awesome because they contributed in some way to me actually getting this done, slash me being here. Veracode especially, and BSides and DC407 and FamLab and all those cool people. And thank you. That's kind of the talk. So. Thank you. Thank you.
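Added example, not code from the talk or from the Squirrels tool. It reproduces, in Python 3, the division of labour the speaker describes for Squirrels (the module declares how big a chunk can be and implements only send and receive; the framework does the chunking and reassembly) and the payload-sizing point from the transport section (140 characters per message, so sizing the chunk to the channel). The channel here is a constructed in-memory stand-in for a 140-character status-update service, returned newest-first like a timeline; the framing (hex sequence header plus a crc32 prefix on the data) is this example's own choice, not the tool's format.

```python
"""Chunk-and-reassemble over a size-limited channel.

Added example in the shape of the 'write a send and a receive, the
framework does the chunking' design described in the talk.  Not the
Squirrels code.  The channel class is a constructed stand-in; nothing
touches the network.
"""
import base64
import math
import zlib

HEADER_CHARS = 8   # 4 hex digits sequence number + 4 hex digits chunk total
CRC_BYTES = 4      # crc32 prefixed to the data so the receiver can verify it


def bytes_per_chunk(max_chunk):
    """Raw bytes that fit in one message after the header and base64 expansion."""
    budget = max_chunk - HEADER_CHARS
    if budget < 4:
        raise ValueError("channel too small to carry a chunk")
    return (budget // 4) * 3          # base64 turns 3 raw bytes into 4 characters


def messages_needed(nbytes, max_chunk):
    """Messages a payload of nbytes costs on this channel (crc included)."""
    return math.ceil((nbytes + CRC_BYTES) / bytes_per_chunk(max_chunk))


def frame(data, max_chunk):
    """Split data into ordered, self-describing text chunks sized for the channel."""
    body = zlib.crc32(data).to_bytes(CRC_BYTES, "big") + data
    step = bytes_per_chunk(max_chunk)
    pieces = [body[i:i + step] for i in range(0, len(body), step)]
    total = len(pieces)
    if total > 0xFFFF:
        raise ValueError("too many chunks for a 16-bit sequence number")
    return [f"{seq:04x}{total:04x}" + base64.b64encode(p).decode("ascii")
            for seq, p in enumerate(pieces)]


def unframe(messages):
    """Reorder chunks by sequence number, decode, and verify the crc."""
    parts = {}
    total = None
    for m in messages:
        seq, tot = int(m[:4], 16), int(m[4:8], 16)
        if total is None:
            total = tot
        elif tot != total:
            raise ValueError("mixed transfers on one channel")
        parts[seq] = base64.b64decode(m[8:])
    if total is None or len(parts) != total:
        raise ValueError("missing chunks")
    body = b"".join(parts[i] for i in range(total))
    crc, data = int.from_bytes(body[:CRC_BYTES], "big"), body[CRC_BYTES:]
    if zlib.crc32(data) != crc:
        raise ValueError("crc mismatch")
    return data


class StatusUpdateChannel:
    """Constructed stand-in for a 140-character status-update service.

    A channel module only declares max_chunk and implements send()/receive().
    """
    max_chunk = 140

    def __init__(self):
        self.posts = []

    def send(self, message):
        if len(message) > self.max_chunk:
            raise ValueError("message exceeds channel limit")
        self.posts.append(message)

    def receive(self):
        # Newest first, like a timeline, so the receiver has to reorder.
        return list(reversed(self.posts))


def transfer(data, channel):
    """Push data through a channel and pull it back: (chunks sent, data received)."""
    chunks = frame(data, channel.max_chunk)
    for c in chunks:
        channel.send(c)
    return len(chunks), unframe(channel.receive())


if __name__ == "__main__":
    sample = bytes(range(256)) * 4                    # constructed 1 KiB payload
    sent, received = transfer(sample, StatusUpdateChannel())
    print(sent, "posts,", "round trip ok" if received == sample else "FAILED")
    print("36 GiB at 140 chars/post needs", messages_needed(36 * 2**30, 140), "posts")
```

The arithmetic in `messages_needed` is the speaker's "don't try to upload 36 gig to Twitter" point in numbers: 99 usable bytes per 140-character post puts that transfer in the hundreds of millions of posts, long before rate limiting or an egress spike gets it noticed.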
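Added example for the blue-team section of the talk (payload-size and frequency anomalies: "why is this machine turning on at 3 in the morning, getting on Facebook and uploading 6 gig of data?"). It is not code from the talk. The log is a constructed, simplified proxy log (timestamp, source host, destination, method, request bytes); the working-hours window, the 10x-median ratio and the 1 MB floor are assumed thresholds a SOC would tune to its own baseline.

```python
"""Flag hosts whose hourly outbound POST volume to a destination is out of
line with that host's own baseline, or lands outside working hours.

Added example, not the speaker's code.  SAMPLE_LOG is constructed; the
thresholds are assumptions to be tuned per site.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

WORK_HOURS = range(7, 20)      # assumed site working hours, 07:00-19:59 local
RATIO = 10.0                   # an hour must exceed 10x the host's median hour
MIN_BYTES = 1_000_000          # ignore hours under 1 MB even if "10x of nothing"

# Constructed proxy log: ISO time, source host, destination, method, bytes.
# ws-014 posts a few KB to Facebook in the daytime and 6 GiB at 03:xx;
# ws-031 routinely pushes ~50 MB/hour to a file-sharing host (its normal).
SAMPLE_LOG = """\
2016-08-02T03:12:41 ws-014 www.facebook.com POST 2147483648
2016-08-02T03:20:05 ws-014 www.facebook.com POST 2147483648
2016-08-02T03:31:58 ws-014 www.facebook.com POST 2147483648
2016-08-02T09:05:10 ws-014 www.facebook.com POST 1800
2016-08-02T09:40:22 ws-014 www.facebook.com POST 2200
2016-08-02T10:15:03 ws-014 www.facebook.com GET 512
2016-08-02T10:15:09 ws-014 www.facebook.com POST 1500
2016-08-02T11:02:47 ws-014 www.facebook.com POST 2600
2016-08-02T14:30:31 ws-014 www.facebook.com POST 1900
2016-08-02T16:45:12 ws-014 www.facebook.com POST 2100
2016-08-02T10:10:00 ws-022 www.facebook.com POST 1200
2016-08-02T13:20:18 ws-022 www.facebook.com POST 3000
2016-08-02T13:21:00 ws-022 www.facebook.com GET 640
2016-08-02T11:00:30 ws-031 files.example-share.net POST 48000000
2016-08-02T12:00:45 ws-031 files.example-share.net POST 52000000
"""


def parse_log(text):
    """Yield (datetime, host, dest, method, bytes) per non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest, method, size = line.split()
        yield datetime.fromisoformat(ts), host, dest, method, int(size)


def hourly_volume(records):
    """Sum outbound POST bytes per (host, dest) into one-hour buckets."""
    vol = defaultdict(lambda: defaultdict(int))
    for ts, host, dest, method, size in records:
        if method != "POST":           # uploads are what carry data out
            continue
        bucket = ts.replace(minute=0, second=0, microsecond=0)
        vol[(host, dest)][bucket] += size
    return vol


def find_anomalies(vol):
    """One alert per (host, dest, hour) with the reasons it tripped."""
    alerts = []
    for (host, dest), buckets in vol.items():
        baseline = median(buckets.values())   # the host's own typical hour
        for bucket, nbytes in sorted(buckets.items()):
            reasons = []
            if nbytes >= MIN_BYTES and bucket.hour not in WORK_HOURS:
                reasons.append("off-hours")
            if nbytes >= MIN_BYTES and nbytes > RATIO * baseline:
                reasons.append("volume")
            if reasons:
                alerts.append({"host": host, "dest": dest,
                               "hour": bucket.isoformat(),
                               "bytes": nbytes, "reasons": reasons})
    return alerts


def analyze(text):
    """Parse a log and return its alerts."""
    return find_anomalies(hourly_volume(parse_log(text)))


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a)
```

Baselining against the host's own median is what keeps ws-031 quiet: 50 MB an hour is abnormal for a workstation in general but normal for that one, which is the "context is critical" problem the speaker raises. The off-hours rule catches the 3 a.m. case even on a host with no history at all.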