Abstract image of a woman sitting on books and studying on a laptop

LST Toolkit: Exfiltration Over Sound, Light, Touch

Dimitry Snezhkov, profile picture
Dimitry Snezhkov

The document discusses offensive and defensive strategies around exfiltrating sensitive data from secured environments. It describes observing defenses that focus on network-level exfiltration and lack behavioral context. Custom threat modeling and solutions may be needed. Tactics discussed include exploiting existing facilities, avoiding defenses, and transforming data to bypass monitoring. The document also outlines fictional scenarios where innovative techniques like encoding data in screen pixels or QR codes are used to exfiltrate information despite strengthened defenses.

Technology
1 of 82
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
A Dramedy in 7 Acts. it is non-judgmental and ends with no absolutes Data Transfer Over Light, Sound and Touch in Secure Environments. Dimitry Snezhkov
Exfiltration. Defined as “an unauthorized release of data from within a computer system or network” A successful exfiltration is essential in monetization of a compromised resource. A Starting Point Exfiltration is about keeping your spoils.
Common data contexts: • Traditional payment rails security. • Customer data protection. • PII or PHI. However, *Your* Data Context may be Unique: Arguably more interesting monetization contexts: • Easier monetization channels. Theft at institutional level and above. • Intel Prop/know-how. Algorithms. AI. Time to market boost. • Optimization code. HFTrading, strategies. Shortest path to value. • Research documents. Spontaneous breakthroughs • Exploitation capabilities plus. Revenue and control baseline. • Reputational and political agenda vectors. The whole enchilada. Play Exposition: Sensitive Data Context
Ultimately: What good is data... if you are unable to exfiltrate it? Play Exposition: Sensitive Data Context Defense: What is my sensitive data and who is my adversary? Offense: What is their sensitive data and what are the defenses?
Exfiltration: Defensive Process Observations Threat model does not always deal with removing strategic links from the kill chain • Exfiltration mitigation is often given lower priority (exploitation first). • Strategy and tools focus on containing network level exfiltration. • Reliance on products • Traffic based • DLP and DRM based • Lack of behavioral context Exfiltration mitigation for sensitive environments may need custom threat modeling. Play Exposition: Defense
Exfiltration: Offensive Process Observations • Assumption on exfiltration channels being relatively easy to find and most likely available. (They often are) But usually, it’s : “We will get there when we get there”. • We got there. And … there are no readily available exfiltration methods. • Airgap / Heavily defended systems. • Endpoint mechanisms employing DLP mechanisms • Tight communication protocols (the usual menu: ICMP/DNS/HTTP etc.) • A problem can also be compounded by lack of needed tools to exfiltrate data. For sensitive environments and data custom solutions may be needed. Play Exposition: Offense
Tactical, strategic, and technical approaches of: • Edge case Exfiltration Mechanisms/ Vectors • Building Exfiltration Tools, Quick retooling in the field. • Weaponization of existing facilities to achieve goals. • Utilization of existing mechanisms. • Avoiding exfiltration defenses • Defensive and Offensive Mindsets. Challenges to both sides. • More importantly Ideas and workflow. The business of turning chopsticks into swords Play Exposition: Offensive Goals
Meet (Fictional) Play Characters … M.E.Mr. Controller Van Door Jay Sohn Sofia Bob! Provides direction … often in a very direct manner. Product sales, Known for good donuts Product Developer Nice guy, needs a raise A guy fixated on exfiltration The cleaning lady No one knows what Bob does, even Bob himself
• A secure code, document and data vault deployed via the terminal server • Accessible over screen emulator from remote workstations • A Sandbox, with elements of DRM, DLP, OS policies. • Designed secure from the ground up. • $$$$$ Offensive Goals: • Test exfiltration of data. • Test infiltration and modification of data - a bonus Product X Entrance. Drumroll anyone? State of the art product… We Shall Test It
- Where is Bob? - Bob! Give him access to the computer! Here is the super duper file OK… State of the art product… 9:30 am Act I: The Job… When a pixel breaks the trust, lies to the screen
Cursory Offensive Assessment: • A well locked down system. • Lack of ”normal” exfiltration vectors. • Monitoring and active prevention. • Locked down policies for device management. • DRM elements • DLP mechanisms Immediate options? Not many. Hardened Remote Desktop flavor. • No copy/paste • No printing • No drive mounts Act I: Sitting down with the product
Act I: Sitting down with the product RDP Vault
Act I: Sitting down with the product
Act I: Sitting down with the product Offensive Play Assessment: • What would exfiltration even look like in this environment? • What would drive it (client side)? • What would capturing data on the local system? • What mechanisms can stop us? • What is available on the remote system to facilitate transfer? • Model of operation shapes up to be: • A very slim Producer (Remote). Less options. • A more featured Consumer (Local). More options. • Any Tools used need OpSec – Number of defensive tech/agents on the box is very high: Defensive Agent A: “Would you like me to flag this as a malware?” Defensive Agent B: “Oh, no. Please go ahead … “ Defensive Agent C: “I am late to the party. Carry on…” Strategic Challenge: Digital => Analog => Digital
We have RDP. It’s a start Meaning: we have access to at least: • A. Screen • B. Keyboard • C. Mouse Act I: Sitting down with the product Taking Detailed Offensive stock of the system. • Absence of common tools. Slimmed down OS. • Absence of reliable interfaces for command exec. • Standard Office and other format viewers (DRM’d) • A file explorer. • A web browser.
Act I: Sitting down with the product Producer Remote CPU Consumer Local CPU
A. Screen A web browser ... is interesting. Probably not directly – Sandboxed for execution. However: • It can load a file. • If it can load a file – it can process the file. • If it can process the file - we can attempt to script the processing (JS). • If we can script the processing – we can present/render a file in a different format. Possible Chain: Browser -> File -> Process -> Script -> -> Browser -> Screen Render Can we force the screen to lie to the control mechanisms? Act I: Sitting down with the product
Producer Act I: The Light Bulb
Consumer Act I: The Light Bulb Pixel Robot Fencing
PIXELTRAITOR I NEED LOYALTY I EXPRECT LOYALTY • Fencing. • 1/3 of spectrum (RGB) • Mouse positions • Producer lights up a pixel • Consumer does the heavy lifting. • Screen calibration is needed. Act I: The Light Bulb
- Hello. - Hello. 7:15 pmAct I: The Test
- Van Door! Your product is crap. - Go Fix! - Report in my inbox in the am! Here is your report. And here is your critical file, exfiltrated. State of the art developers … We did not test for this. Who knew? Act I: The Verdict
- We shall see! - Go Test! - Report in my inbox in the am! OK… Issue is Fixed! Ready to buy? 9:30 am Act II When a pixel breaks the trust, lies to the screen, and flips
The issue was mitigated by offsetting screen colors by a small deviation (PixelTraitor works on static color codes so reading from a pixel must be precise.) Act II: The Fix int flip(int x) { return (-(~x)); } flip(0xE2)); • Increase offset • Decrease offset • Random times SGVsbG8gd29ybGRFbmNvZGUgdG8gQmFzZTY0IGZvcm1hdA0KU2ltcGx5IHVzZSB0aGUgZm9ybSBiZWxvdw== SGVsbG8gd29ybGRFbmNvZGUgdG8gQmFz0TY0IGZvcm1hdA0KU2ltcGx5IHVzZSB0aGUgZm9ybSBiZWxvdw==
We have a tougher set of problems: • Color beaming stream is long running • Recovery tolerance on a flipped pixel is `0` What to do? Compensate for color deviation by stretching detection across full spectrum. Act II: Sitting down with the product That was a mouthful… Wait for me…
Producer Act I: The Light Bulb AAFFAA – known value, keep it. AAFFAB – adjust to the nearest known value AAFFAC – adjust to the nearest known value
Consumer Act I: The Light Bulb Pixel Robot
JUST MORE VERY DISHONEST SCREEN MEDIA! PIXEL TRAITOR – FS Act I: The Light Bulb • Push on full spectrum (RGB) • Deviation in color algorithm • Fencing. • Mouse positions • Producer lights up pixel • Consumer does the heavy lifting. • Screen calibration is less important.
- Hello. - Hello. 7:15 pm Weirdo. Act I: The Test
- Van Door! Your product is crap. - Go Fix! - Report in my inbox in the am! Here is your report. And here is your critical file, exfiltrated. State of the art developers … We did not test for this. Who knew? Act II: The Verdict
- We shall see! - Go Test! - Report in my inbox in the am! OK… Issue is Fixed! Ready to buy? 9:30 am Act III When the square comes alive!
• The issue was mitigated by redrawing a screen every rand(XX) seconds/minutes Much like a page refresh in a reader • Very fast refresh. Not as annoying to the users if you are reading off the screen. No prior knowledge when the next refresh is scheduled. • Breaks the tool relying on a sequence of long running data streams that need to be re-assembled . One pixel value off - and the entire stream is garbage. Act III: The Fix SGVsbG8gd29ybGRFbmNvZGUgdG8gQmFzZTY0IGZvcm1hdA0KU2ltcGx5IHVzZSB0aGUgZm9ybSBiZWxvdw== SGVsbG8gd29ybGRFbmNvZGUgdG8gQmFz0TY0IGZvcm1hdA0KU2ltcGx5IHVzZSB0aGUgZm9ybSBiZWxvdw==
We have an even tougher set of problems • No color mechanism can be utilized. • Fast but sequential stream What to do? • Move away from the color • Pack more data into the beam. (Keep OpSec focus and available tools in mind) Act III: Sitting down with the product
Producer Act III: The Light Bulb • Data Packing Level • Size for capture • QR version • Fast generation • Color is only a signal for the operator
Consumer Act III: The Light Bulb Option 1: Control Pixel color (deprecated) Option 2: Beaming stop/start commands in the QR itself
I will build a great, great wall on our southern border • Push data in QR Codes • Pack bytes for bandwidth. Race the screen refreshes. • Calibrate speed of beat refreshes. • No color dependency. • No images (heavy and slow. Use CSS) DemoQRacy Act III: The Light Bulb
- Hello. - Hello. 7:15 pm Get a real Job. Act III: The Test
- Van Door! Your product is crap. - Go Fix! - Report in my inbox in the am! Here is your report. And here is your critical file, exfiltrated. State of the art developers … We did not test for this. Who knew? Act III: The Verdict
- We shall see! - Go Test! - Report in my inbox in the am! OK… Issue is Fixed! Ready to buy? 9:30 am Act IV When you give a little to get a little….
• The issue was not entirely mitigated. • Company accepted the risk for now. • Vendor Dev: Product R&D needed more time to research. • One alternative is to lock the screen when no activity is present. Bad UX. QR is not super fast but quite a bit of strategic data can be exfilled in 5 minutes… Act IV: The Fix
Offense: We should admit - we actually got lucky. We had access to the QR lib on CDN. CDN was available. What to do? • We need better tools. • We need OpSec tools • We need to bring tool in to make the tools… - Bring tools in. How? - Infiltrate data. - Via Screen?!? Are you insane. - Well, no, not insane…. A. Screen. B. Keyboard. - Yeah, right.. Are you going to type it all? - Yes. Act IV: Sitting down with the product
Producer Act IV: The Light Bulb Remote Browser Form Local Type Remote Disk save
Consumer Act IV: The Light Bulb Binary Transfer. B64 Text Transfer. ASCII.
Great Success! I Like. • Roles flip. • Push keystrokes. • Robot library. • Base64 for binary. • Unpack in the browser’s memory • Save to OS • Reuse in Browser KeyBorat Act IV: The Light Bulb My name-a Borat!
- Hello. - Hello. 7:15 pm Artificial Insanity Act IV: The Test
- Van Door! Your product is crap. - Go Fix! - Report in my inbox in the am! Here is your report. And here is your critical file, exfiltrated. State of the art developers … We did not test for this. Who knew? Act IV: The Verdict
- We shall see! - Go Test! - Report in my inbox in the am! OK… Issue is Fixed! Ready to buy? 9:30 am Act V Keep calm and blame Anesthesia.
• The issue was addressed with the introduction of a kernel driver/module that counts keystrokes/wpm. • Dev team will be exposing the feature to the product management interface in the next release. Act V: The Fix
Tough. Keyboard Vector is gone... What to do? A. Screen. B. Keyboard. Act V: Sitting down with the product - Bring tools in. How? - Infiltrate. - Via Screen?!? Are you insane. - Well, no, not insane. A. Screen. B. Keyboard. C. Mouse - Yeah, right.. Are you going to .. I don’t even know…. - Yes.
Act V: The Light Bulb Producer Build a Matrix of Image Row/columns. Map B64 Drive Mouse with Offsets to the Base
Act V: The Light Bulb Consumer • Mapped images • HTML Anchors • Export of data • Lockup of browser • Lockup of Mouse Knight#A
Act V: The Light Bulb Anesthesia: Consumer
Zzzzz….. • Push mouse clicks. • Robot library. • Base64 for binary. • Unpack buffer in the browser • Save to OS • Drive back in the browser. Act V: The Light Bulb Anesthesia
- Hello. - Hello. 7:15 pmYou get paid for doing *THIS*?! Act IV: The Test
- Van Door! Your product is crap. - Go Fix! - Report in my inbox in the am! Here is your report. And here is your critical file, exfiltrated. State of the art developers … We did not test for this. Who knew? Act V: The Verdict
The issue was not fixed.. Risk Accepted. More R&D needed. Thank you for testing our product …. No more donuts for you Intermission Not done yet.
- Where is Bob? - Bob! Give him access to the computer! - Go Test! - Report in my inbox in the am!OK… State of the art Next Gen product…9:30 am Act VI: The “Next Gen” Job…
Immediate Issues for the Offense: • Locked down system. • Lack of ”normal” exfiltration vectors. • Monitoring and active prevention. • Locked down policies for device management. • DRM • DLP • Screen overlay for color variations, activity based locks • Enhanced behavioral detection (mouse/keyboard) Immediate options? Less than a few. Act VI: Sitting down with the product
This is serious. What to do? • Screen • Keyboard • Mouse - @#$$#@%@#$% @#$T234 23 23 - Yes ..? - You are insane….. Act VI: Sitting down with the product
An obsession is an unwelcome, uncontrollable, and persistent idea, thought, image, or emotion that a person cannot help thinking even though it creates significant distress or anxiety. Take it for what you will…. Narration
Act VI: The Light Bulb Producer Option A: Direct Offset Frequencies Option B: Music Notes Frequencies
Act VI: The Light Bulb Consumer • Common pitch variations, drop edges • Consensus on the frequency • Barriers between samples • Slow (serial, long pitch) • Needs a reasonably quiet room, no interference TarsosDSP: https://github.com/JorenSix/TarsosDSP
Do re mi mi fa do do … Act VI: The Light Bulb ToneDeaf It was like listening to three cats getting strangled in an alley • Tone <> frequency based • Quick sampling and fencing • Very slow for anything big
- Hello. - Hello. 7:15 pm Get Out .Now!. Act IV: The Test
It’s all downhill from now…. Narration Not a reseller
- What ?! What do you not like?!! - Do re mi mi fa do do … - And that I have to be at the desk - You are insane….. Act VI: Getting Comfortable This Implementation Sucks. - Slow - Error-Prone sampling (Digital -> Analog -> Digital) - Quiet Room - Range
Act VII: The Light Bulb, Reinvented Producer File:// vs. hosted (http://) There are options … Concept of profiles
Act VII: The Light Bulb, Reinvented Consumer Binary encoding via Emscripten – Avoid Base64 (future) https://github.com/kripken/emscripten
SHHHHHH…… • Pitch Modulation • Webaudio Profiles • Quiet.JS • library for sending and receiving • data via sound card. • around the 44.1kHz - 19kHz range Act VII: The Light Bulb, Reinvented DogWhistle Do you understand the words that are coming out of my mouth? https://github.com/quiet/quiet-js
- Hello - Hello 7:15 pmWTF is this? Act VII: The Test Audible QuietJS Profile
Act VII: The Light Bulb, Reinvented Range Extension I knew it: computers make you insane Producer Consumer SEND/RECV Decoupling
- Hello. - Hello. 7:15 pmAt least it’s quiet Sigh…. Act VII: The Test Cabe64 QuietJS Profile … QuietJS “quiet” 30ft cable
- Hello - Hello 7:15 pmWhat is he up to Act VII: The Test Ultrasonic QuietJS Profile
- Hello. - Hello. 7:15 pmI don’t believe you.. Act VII: The Test Audible QuietJS Profile – Extended over BT
Act VII: The Test No! No!
Act VII: The Test BT < 100m?
Not fixing this! Assistive tech. Not on the roadmap! 9:30 am Act VI: The Verdict Moar Testing! I will be over here. I. Want. This. Product. Tested!
LST Toolkit: Exfiltration Over Sound, Light, Touch
Well that was fun Act VII: The Final Act Kinda miss the weirdo 7:15 pm
- Van Door! - Send me the PO… - Next time, do your Threat modeling! - And I want Tier 5 support on this, for free! Yes sir. Oh wait, Tier 5 support is me… You don’t want me fixing this… Act VII: The Final Act 9:30 am
Offense: • Principle of Utilization • Approved software becomes tools • Safe process becomes a vector • Retooling in the field is the norm • Building blocks iteratively from slim cradles Epilogue Defense: • Threat model around data and context • Products or process: Have mechanisms to instrument environments for detection. You might not cover all out of the box. • Anticipate the kill chain and remove strategic links/components of the kill chain
• Contact: @Op_nomad • Code: https://github.com/dsnezhkov/LST Thank you! Q&A

More Related Content

TXT
Beta
sandra6387
 
PPTX
Troubleshooting methods of computer peripherals
Devyani Chaudhari
 
PPTX
Sandbox detection: leak, abuse, test - Hacktivity 2015
Zoltan Balazs
 
PPTX
Owning windows 8 with human interface devices
Nikhil Mittal
 
PPTX
BSides London 2015 - Proprietary network protocols - risky business on the wire.
Jakub Kałużny
 
PDF
What the Heck Just Happened?
Ken Evans
 
PDF
Needlesand haystacks i360-dublin
Derek King
 
PDF
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CanSecWest
 
Beta
sandra6387
 
Troubleshooting methods of computer peripherals
Devyani Chaudhari
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Zoltan Balazs
 
Owning windows 8 with human interface devices
Nikhil Mittal
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
Jakub Kałużny
 
What the Heck Just Happened?
Ken Evans
 
Needlesand haystacks i360-dublin
Derek King
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CanSecWest
 

Similar to LST Toolkit: Exfiltration Over Sound, Light, Touch (20)

ODP
PLMCE - Security and why you need to review yours
David Busby, CISSP
 
PPTX
Five Cliches of Online Game Development
iandundore
 
PDF
How to not fail at security data analytics (by CxOSidekick)
Dinis Cruz
 
PPT
Computer graphic lecturer no 3
Muhammad ismail Shah
 
PDF
Super Easy Memory Forensics
IIJ
 
PPTX
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Jakub Kałużny
 
PPTX
Creating Havoc using Human Interface Device
Positive Hack Days
 
PPT
Anti-Forensic Rootkits
amiable_indian
 
PDF
Man in the Binder - Michael Shalyt & Idan Revivo, CheckPoint
DroidConTLV
 
PDF
How shit works: the CPU
Tomer Gabel
 
PPSX
Introduction to threat_modeling
Prabath Siriwardena
 
PDF
You suck at Memory Analysis
Francisco Ribeiro
 
KEY
Drop, Stop & Roll
John Hoffoss
 
PPTX
Protecting Financial Networks from Cyber Crime
Lancope, Inc.
 
PPTX
AktaionPPTv5_JZedits
Rod Soto
 
PPT
honeypots.ppt
DetSersi
 
DOC
Web design and_hosting
xmgkklglt1991
 
PPTX
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
PROIDEA
 
PDF
DEFCON 23 - Ian Latter - remote access the apt
Felipe Prado
 
PPTX
Hunt for the red DA
Neil Lines
 
PLMCE - Security and why you need to review yours
David Busby, CISSP
 
Five Cliches of Online Game Development
iandundore
 
How to not fail at security data analytics (by CxOSidekick)
Dinis Cruz
 
Computer graphic lecturer no 3
Muhammad ismail Shah
 
Super Easy Memory Forensics
IIJ
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Jakub Kałużny
 
Creating Havoc using Human Interface Device
Positive Hack Days
 
Anti-Forensic Rootkits
amiable_indian
 
Man in the Binder - Michael Shalyt & Idan Revivo, CheckPoint
DroidConTLV
 
How shit works: the CPU
Tomer Gabel
 
Introduction to threat_modeling
Prabath Siriwardena
 
You suck at Memory Analysis
Francisco Ribeiro
 
Drop, Stop & Roll
John Hoffoss
 
Protecting Financial Networks from Cyber Crime
Lancope, Inc.
 
AktaionPPTv5_JZedits
Rod Soto
 
honeypots.ppt
DetSersi
 
Web design and_hosting
xmgkklglt1991
 
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
PROIDEA
 
DEFCON 23 - Ian Latter - remote access the apt
Felipe Prado
 
Hunt for the red DA
Neil Lines
 
Ad

More from Dimitry Snezhkov (7)

PDF
BH-ElfPack-Presentation.pdf
Dimitry Snezhkov
 
PDF
Racketeer Toolkit. Prototyping Controlled Ransomware Operations
Dimitry Snezhkov
 
PDF
Your House is My House: Use of Offensive Enclaves In Adversarial Operations
Dimitry Snezhkov
 
PDF
Deep Sea Phishing Gear
Dimitry Snezhkov
 
PDF
Foxtrot C2: A Journey of Payload Delivery
Dimitry Snezhkov
 
PDF
Typhoon Managed Execution Toolkit
Dimitry Snezhkov
 
PDF
Foxtrot C2: Forced Payload Delivery
Dimitry Snezhkov
 
BH-ElfPack-Presentation.pdf
Dimitry Snezhkov
 
Racketeer Toolkit. Prototyping Controlled Ransomware Operations
Dimitry Snezhkov
 
Your House is My House: Use of Offensive Enclaves In Adversarial Operations
Dimitry Snezhkov
 
Deep Sea Phishing Gear
Dimitry Snezhkov
 
Foxtrot C2: A Journey of Payload Delivery
Dimitry Snezhkov
 
Typhoon Managed Execution Toolkit
Dimitry Snezhkov
 
Foxtrot C2: Forced Payload Delivery
Dimitry Snezhkov
 
Ad

Recently uploaded (20)

PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
DOCX
search engine optimization ppt fir known well about this
StandardCodeLearning
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PDF
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
PDF
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
PDF
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
PDF
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
IAESIJAI
 
PDF
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
TrustArc
 
PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
PPTX
observCloud-Native Containerability and monitoring.pptx
anupsingh76937
 
PPTX
Benefits of Physical activity for teenagers.pptx
Nokwanda Thabethe
 
PDF
August Patch Tuesday
Ivanti
 
PPT
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
PPT
What is a Computer? Input Devices /output devices
GulJan8
 
PDF
sustainability-14-14877-v2.pddhzftheheeeee
VenkateshGovindaraja9
 
PDF
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
search engine optimization ppt fir known well about this
StandardCodeLearning
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
IAESIJAI
 
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
TrustArc
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
observCloud-Native Containerability and monitoring.pptx
anupsingh76937
 
Benefits of Physical activity for teenagers.pptx
Nokwanda Thabethe
 
August Patch Tuesday
Ivanti
 
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
What is a Computer? Input Devices /output devices
GulJan8
 
sustainability-14-14877-v2.pddhzftheheeeee
VenkateshGovindaraja9
 
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 

LST Toolkit: Exfiltration Over Sound, Light, Touch

  • 1. A Dramedy in 7 Acts. it is non-judgmental and ends with no absolutes Data Transfer Over Light, Sound and Touch in Secure Environments. Dimitry Snezhkov
  • 2. Exfiltration. Defined as “an unauthorized release of data from within a computer system or network” A successful exfiltration is essential in monetization of a compromised resource. A Starting Point Exfiltration is about keeping your spoils.
  • 3. Common data contexts: • Traditional payment rails security. • Customer data protection. • PII or PHI. However, *Your* Data Context may be Unique: Arguably more interesting monetization contexts: • Easier monetization channels. Theft at institutional level and above. • Intel Prop/know-how. Algorithms. AI. Time to market boost. • Optimization code. HFTrading, strategies. Shortest path to value. • Research documents. Spontaneous breakthroughs • Exploitation capabilities plus. Revenue and control baseline. • Reputational and political agenda vectors. The whole enchilada. Play Exposition: Sensitive Data Context
  • 4. Ultimately: What good is data... if you are unable to exfiltrate it? Play Exposition: Sensitive Data Context Defense: What is my sensitive data and who is my adversary? Offense: What is their sensitive data and what are the defenses?
  • 5. Exfiltration: Defensive Process Observations Threat model does not always deal with removing strategic links from the kill chain • Exfiltration mitigation is often given lower priority (exploitation first). • Strategy and tools focus on containing network level exfiltration. • Reliance on products • Traffic based • DLP and DRM based • Lack of behavioral context Exfiltration mitigation for sensitive environments may need custom threat modeling. Play Exposition: Defense
  • 6. Exfiltration: Offensive Process Observations • Assumption on exfiltration channels being relatively easy to find and most likely available. (They often are) But usually, it’s : “We will get there when we get there”. • We got there. And … there are no readily available exfiltration methods. • Airgap / Heavily defended systems. • Endpoint mechanisms employing DLP mechanisms • Tight communication protocols (the usual menu: ICMP/DNS/HTTP etc.) • A problem can also be compounded by lack of needed tools to exfiltrate data. For sensitive environments and data custom solutions may be needed. Play Exposition: Offense
  • 7. Tactical, strategic, and technical approaches of: • Edge case Exfiltration Mechanisms/ Vectors • Building Exfiltration Tools, Quick retooling in the field. • Weaponization of existing facilities to achieve goals. • Utilization of existing mechanisms. • Avoiding exfiltration defenses • Defensive and Offensive Mindsets. Challenges to both sides. • More importantly Ideas and workflow. The business of turning chopsticks into swords Play Exposition: Offensive Goals
  • 8. Meet (Fictional) Play Characters … M.E.Mr. Controller Van Door Jay Sohn Sofia Bob! Provides direction … often in a very direct manner. Product sales, Known for good donuts Product Developer Nice guy, needs a raise A guy fixated on exfiltration The cleaning lady No one knows what Bob does, even Bob himself
  • 9. • A secure code, document and data vault deployed via the terminal server • Accessible over screen emulator from remote workstations • A Sandbox, with elements of DRM, DLP, OS policies. • Designed secure from the ground up. • $$$$$ Offensive Goals: • Test exfiltration of data. • Test infiltration and modification of data - a bonus Product X Entrance. Drumroll anyone? State of the art product… We Shall Test It
  • 10. - Where is Bob? - Bob! Give him access to the computer! Here is the super duper file OK… State of the art product… 9:30 am Act I: The Job… When a pixel breaks the trust, lies to the screen
  • 11. Cursory Offensive Assessment: • A well locked down system. • Lack of ”normal” exfiltration vectors. • Monitoring and active prevention. • Locked down policies for device management. • DRM elements • DLP mechanisms Immediate options? Not many. Hardened Remote Desktop flavor. • No copy/paste • No printing • No drive mounts Act I: Sitting down with the product
  • 12. Act I: Sitting down with the product RDP Vault
  • 13. Act I: Sitting down with the product
  • 14. Act I: Sitting down with the product Offensive Play Assessment: • What would exfiltration even look like in this environment? • What would drive it (client side)? • What would capturing data on the local system? • What mechanisms can stop us? • What is available on the remote system to facilitate transfer? • Model of operation shapes up to be: • A very slim Producer (Remote). Less options. • A more featured Consumer (Local). More options. • Any Tools used need OpSec – Number of defensive tech/agents on the box is very high: Defensive Agent A: “Would you like me to flag this as a malware?” Defensive Agent B: “Oh, no. Please go ahead … “ Defensive Agent C: “I am late to the party. Carry on…” Strategic Challenge: Digital => Analog => Digital
  • 15. We have RDP. It’s a start Meaning: we have access to at least: • A. Screen • B. Keyboard • C. Mouse Act I: Sitting down with the product Taking Detailed Offensive stock of the system. • Absence of common tools. Slimmed down OS. • Absence of reliable interfaces for command exec. • Standard Office and other format viewers (DRM’d) • A file explorer. • A web browser.
  • 16. Act I: Sitting down with the product Producer Remote CPU Consumer Local CPU
  • 17. A. Screen A web browser ... is interesting. Probably not directly – Sandboxed for execution. However: • It can load a file. • If it can load a file – it can process the file. • If it can process the file - we can attempt to script the processing (JS). • If we can script the processing – we can present/render a file in a different format. Possible Chain: Browser -> File -> Process -> Script -> -> Browser -> Screen Render Can we force the screen to lie to the control mechanisms? Act I: Sitting down with the product
  • 18. Producer Act I: The Light Bulb
  • 19. Consumer Act I: The Light Bulb Pixel Robot Fencing
  • 20. PIXELTRAITOR I NEED LOYALTY I EXPRECT LOYALTY • Fencing. • 1/3 of spectrum (RGB) • Mouse positions • Producer lights up a pixel • Consumer does the heavy lifting. • Screen calibration is needed. Act I: The Light Bulb
  • 21. - Hello. - Hello. 7:15 pmAct I: The Test
  • 22. - Van Door! Your product is crap. - Go Fix! - Report in my inbox in the am! Here is your report. And here is your critical file, exfiltrated. State of the art developers … We did not test for this. Who knew? Act I: The Verdict
  • 23. - We shall see! - Go Test! - Report in my inbox in the am! OK… Issue is Fixed! Ready to buy? 9:30 am Act II When a pixel breaks the trust, lies to the screen, and flips
  • 24. The issue was mitigated by offsetting screen colors by a small deviation (PixelTraitor works on static color codes so reading from a pixel must be precise.) Act II: The Fix int flip(int x) { return (-(~x)); } flip(0xE2)); • Increase offset • Decrease offset • Random times SGVsbG8gd29ybGRFbmNvZGUgdG8gQmFzZTY0IGZvcm1hdA0KU2ltcGx5IHVzZSB0aGUgZm9ybSBiZWxvdw== SGVsbG8gd29ybGRFbmNvZGUgdG8gQmFz0TY0IGZvcm1hdA0KU2ltcGx5IHVzZSB0aGUgZm9ybSBiZWxvdw==
  • 25. We have a tougher set of problems: • Color beaming stream is long running • Recovery tolerance on a flipped pixel is `0` What to do? Compensate for color deviation by stretching detection across full spectrum. Act II: Sitting down with the product That was a mouthful… Wait for me…
  • 26. Producer Act I: The Light Bulb AAFFAA – known value, keep it. AAFFAB – adjust to the nearest known value AAFFAC – adjust to the nearest known value
  • 27. Consumer Act I: The Light Bulb Pixel Robot
  • 28. JUST MORE VERY DISHONEST SCREEN MEDIA! PIXEL TRAITOR – FS Act I: The Light Bulb • Push on full spectrum (RGB) • Deviation in color algorithm • Fencing. • Mouse positions • Producer lights up pixel • Consumer does the heavy lifting. • Screen calibration is less important.
  • 29. - Hello. - Hello. 7:15 pm Weirdo. Act I: The Test
  • 30. - Van Door! Your product is crap. - Go Fix! - Report in my inbox in the am! Here is your report. And here is your critical file, exfiltrated. State of the art developers … We did not test for this. Who knew? Act II: The Verdict
  • 31. - We shall see! - Go Test! - Report in my inbox in the am! OK… Issue is Fixed! Ready to buy? 9:30 am Act III When the square comes alive!
  • 32. • The issue was mitigated by redrawing a screen every rand(XX) seconds/minutes Much like a page refresh in a reader • Very fast refresh. Not as annoying to the users if you are reading off the screen. No prior knowledge when the next refresh is scheduled. • Breaks the tool relying on a sequence of long running data streams that need to be re-assembled . One pixel value off - and the entire stream is garbage. Act III: The Fix SGVsbG8gd29ybGRFbmNvZGUgdG8gQmFzZTY0IGZvcm1hdA0KU2ltcGx5IHVzZSB0aGUgZm9ybSBiZWxvdw== SGVsbG8gd29ybGRFbmNvZGUgdG8gQmFz0TY0IGZvcm1hdA0KU2ltcGx5IHVzZSB0aGUgZm9ybSBiZWxvdw==
  • 33. We have an even tougher set of problems • No color mechanism can be utilized. • Fast but sequential stream What to do? • Move away from the color • Pack more data into the beam. (Keep OpSec focus and available tools in mind) Act III: Sitting down with the product
  • 34. Producer Act III: The Light Bulb • Data Packing Level • Size for capture • QR version • Fast generation • Color is only a signal for the operator
  • 35. Consumer Act III: The Light Bulb Option 1: Control Pixel color (deprecated) Option 2: Beaming stop/start commands in the QR itself
  • 36. I will build a great, great wall on our southern border • Push data in QR Codes • Pack bytes for bandwidth. Race the screen refreshes. • Calibrate speed of beat refreshes. • No color dependency. • No images (heavy and slow. Use CSS) DemoQRacy Act III: The Light Bulb
  • 37. - Hello. - Hello. 7:15 pm Get a real Job. Act III: The Test
  • 38. - Van Door! Your product is crap. - Go Fix! - Report in my inbox in the am! Here is your report. And here is your critical file, exfiltrated. State of the art developers … We did not test for this. Who knew? Act III: The Verdict
  • 39. - We shall see! - Go Test! - Report in my inbox in the am! OK… Issue is Fixed! Ready to buy? 9:30 am Act IV When you give a little to get a little….
  • 40. • The issue was not entirely mitigated. • Company accepted the risk for now. • Vendor Dev: Product R&D needed more time to research. • One alternative is to lock the screen when no activity is present. Bad UX. QR is not super fast but quite a bit of strategic data can be exfilled in 5 minutes… Act IV: The Fix
  • 41. Offense: We should admit - we actually got lucky. We had access to the QR lib on CDN. CDN was available. What to do? • We need better tools. • We need OpSec tools • We need to bring tool in to make the tools… - Bring tools in. How? - Infiltrate data. - Via Screen?!? Are you insane. - Well, no, not insane…. A. Screen. B. Keyboard. - Yeah, right.. Are you going to type it all? - Yes. Act IV: Sitting down with the product
  • 42. Producer Act IV: The Light Bulb Remote Browser Form Local Type Remote Disk save
  • 43. Consumer Act IV: The Light Bulb Binary Transfer. B64 Text Transfer. ASCII.
  • 44. Great Success! I Like. • Roles flip. • Push keystrokes. • Robot library. • Base64 for binary. • Unpack in the browser’s memory • Save to OS • Reuse in Browser KeyBorat Act IV: The Light Bulb My name-a Borat!
  • 45. - Hello. - Hello. 7:15 pm Artificial Insanity Act IV: The Test
  • 46. - Van Door! Your product is crap. - Go Fix! - Report in my inbox in the am! Here is your report. And here is your critical file, exfiltrated. State of the art developers … We did not test for this. Who knew? Act IV: The Verdict
  • 47. - We shall see! - Go Test! - Report in my inbox in the am! OK… Issue is Fixed! Ready to buy? 9:30 am Act V Keep calm and blame Anesthesia.
  • 48. • The issue was addressed with the introduction of a kernel driver/module that counts keystrokes/wpm. • Dev team will be exposing the feature to the product management interface in the next release. Act V: The Fix
  • 49. Tough. Keyboard Vector is gone... What to do? A. Screen. B. Keyboard. Act V: Sitting down with the product - Bring tools in. How? - Infiltrate. - Via Screen?!? Are you insane. - Well, no, not insane. A. Screen. B. Keyboard. C. Mouse - Yeah, right.. Are you going to .. I don’t even know…. - Yes.
  • 50. Act V: The Light Bulb Producer Build a Matrix of Image Row/columns. Map B64 Drive Mouse with Offsets to the Base
  • 51. Act V: The Light Bulb Consumer • Mapped images • HTML Anchors • Export of data • Lockup of browser • Lockup of Mouse Knight#A
  • 52. Act V: The Light Bulb Anesthesia: Consumer
  • 53. Zzzzz….. • Push mouse clicks. • Robot library. • Base64 for binary. • Unpack buffer in the browser • Save to OS • Drive back in the browser. Act V: The Light Bulb Anesthesia
  • 54. - Hello. - Hello. 7:15 pmYou get paid for doing *THIS*?! Act IV: The Test
  • 55. - Van Door! Your product is crap. - Go Fix! - Report in my inbox in the am! Here is your report. And here is your critical file, exfiltrated. State of the art developers … We did not test for this. Who knew? Act V: The Verdict
  • 56. The issue was not fixed.. Risk Accepted. More R&D needed. Thank you for testing our product …. No more donuts for you Intermission Not done yet.
  • 57. - Where is Bob? - Bob! Give him access to the computer! - Go Test! - Report in my inbox in the am!OK… State of the art Next Gen product…9:30 am Act VI: The “Next Gen” Job…
  • 58. Immediate Issues for the Offense: • Locked down system. • Lack of ”normal” exfiltration vectors. • Monitoring and active prevention. • Locked down policies for device management. • DRM • DLP • Screen overlay for color variations, activity based locks • Enhanced behavioral detection (mouse/keyboard) Immediate options? Less than a few. Act VI: Sitting down with the product
  • 59. This is serious. What to do? • Screen • Keyboard • Mouse - @#$$#@%@#$% @#$T234 23 23 - Yes ..? - You are insane….. Act VI: Sitting down with the product
  • 60. An obsession is an unwelcome, uncontrollable, and persistent idea, thought, image, or emotion that a person cannot help thinking even though it creates significant distress or anxiety. Take it for what you will…. Narration
  • 61. Act VI: The Light Bulb Producer Option A: Direct Offset Frequencies Option B: Music Notes Frequencies
  • 62. Act VI: The Light Bulb Consumer • Common pitch variations, drop edges • Consensus on the frequency • Barriers between samples • Slow (serial, long pitch) • Needs a reasonably quiet room, no interference TarsosDSP: https://github.com/JorenSix/TarsosDSP
  • 63. Do re mi mi fa do do … Act VI: The Light Bulb ToneDeaf It was like listening to three cats getting strangled in an alley • Tone <> frequency based • Quick sampling and fencing • Very slow for anything big
  • 64. - Hello. - Hello. 7:15 pm Get Out .Now!. Act IV: The Test
  • 65. It’s all downhill from now…. Narration Not a reseller
  • 66. - What ?! What do you not like?!! - Do re mi mi fa do do … - And that I have to be at the desk - You are insane….. Act VI: Getting Comfortable This Implementation Sucks. - Slow - Error-Prone sampling (Digital -> Analog -> Digital) - Quiet Room - Range
  • 67. Act VII: The Light Bulb, Reinvented Producer File:// vs. hosted (http://) There are options … Concept of profiles
  • 68. Act VII: The Light Bulb, Reinvented Consumer Binary encoding via Emscripten – Avoid Base64 (future) https://github.com/kripken/emscripten
  • 69. SHHHHHH…… • Pitch Modulation • Webaudio Profiles • Quiet.JS • library for sending and receiving • data via sound card. • around the 44.1kHz - 19kHz range Act VII: The Light Bulb, Reinvented DogWhistle Do you understand the words that are coming out of my mouth? https://github.com/quiet/quiet-js
  • 70. - Hello - Hello 7:15 pmWTF is this? Act VII: The Test Audible QuietJS Profile
  • 71. Act VII: The Light Bulb, Reinvented Range Extension I knew it: computers make you insane Producer Consumer SEND/RECV Decoupling
  • 72. - Hello. - Hello. 7:15 pmAt least it’s quiet Sigh…. Act VII: The Test Cabe64 QuietJS Profile … QuietJS “quiet” 30ft cable
  • 73. - Hello - Hello 7:15 pmWhat is he up to Act VII: The Test Ultrasonic QuietJS Profile
  • 74. - Hello. - Hello. 7:15 pmI don’t believe you.. Act VII: The Test Audible QuietJS Profile – Extended over BT
  • 75. Act VII: The Test No! No!
  • 76. Act VII: The Test BT < 100m?
  • 77. Not fixing this! Assistive tech. Not on the roadmap! 9:30 am Act VI: The Verdict Moar Testing! I will be over here. I. Want. This. Product. Tested!
  • 79. Well that was fun Act VII: The Final Act Kinda miss the weirdo 7:15 pm
  • 80. - Van Door! - Send me the PO… - Next time, do your Threat modeling! - And I want Tier 5 support on this, for free! Yes sir. Oh wait, Tier 5 support is me… You don’t want me fixing this… Act VII: The Final Act 9:30 am
  • 81. Offense: • Principle of Utilization • Approved software becomes tools • Safe process becomes a vector • Retooling in the field is the norm • Building blocks iteratively from slim cradles Epilogue Defense: • Threat model around data and context • Products or process: Have mechanisms to instrument environments for detection. You might not cover all out of the box. • Anticipate the kill chain and remove strategic links/components of the kill chain
  • 82. • Contact: @Op_nomad • Code: https://github.com/dsnezhkov/LST Thank you! Q&A