Total E(A)gression defcon
Download as PPTX, PDF0 likes179 views
The document discusses techniques for evading intrusion detection systems (IDS) using stealthy implants, particularly focusing on TLS fingerprinting. It addresses the vulnerabilities of network IDS and explores various strategies to mimic legitimate client TLS signatures, highlighting the importance of analyzing encrypted flows. The author also proposes ideas for improving detection tools and offers insights from both offensive and defensive perspectives in cybersecurity.
![Objective: Circumvent most of Network IDS
Last year I presented an Implant framework with different modules[1]:
● Network: https egress
● Gmail: Ability to transparently egress using gmail server
● [...]
“Give me a string to egress, and I shall hack the planet” – Rebujacker 2019
Feedback provided by a blue team engineer listening to my talk.
“Are you sure this is as stealthy? I think it is easy to detect your Implant by looking at client TLS”
There are relatively easy ways to fingerprint Client-Server software by just looking to some
handshake bytes of a encrypted flow.
This triggered my attention to be able to design a skeleton of a network module, that if shown
effective, could be used alongside different SaaS to egress without being detected.
[1] https://www.slideshare.net/AlvaroFolgadoRueda1/siestatime-defcon27-red-team-village](https://image.slidesharecdn.com/totaleagression-defcon-200808013156/85/Total-E-A-gression-defcon-3-320.jpg)
![IDS Overview - DPI vs Non-DPI
Different ways to detect a malicious Implant by crawling the Corp
Network outbound packages
Deep Packet Inspection:
● You are able to scrutinize every package (Proxy TLS)
● Complex to deploy and use, need of fine grained rules
Non Deep Packet Inspection:
● Endpoint Information (IP Blocks,Domains,[...])
● Client/Server Software Fingerprint (OS Sock,Certificates,[...])](https://image.slidesharecdn.com/totaleagression-defcon-200808013156/85/Total-E-A-gression-defcon-4-320.jpg)
![Deep Dive into TLS Fingerprinting
Before the encrypted connection happens (TLS) and the target application protocol is wrapped, client
and server provide a piece of information that is “unique” per client-Server software.
● You are able to detect with certain accuracy the client software engaging in a TLS connection
(ssh,putty,slack [....])
● You are able to detect with certain accuracy the server software that the previous client is
connecting to (ISS,apache,metasploit,cobalt strike[...])
● Matching both results (opt-in to apply some AI, etc...), you can extract a IoC (Indicator of
Compromise)
Analyzing plain-text TLS headers and extract a “hash” to compare against a public-shared DB. This
is similar to the “traditional” AV detection techniques but applied within network analysis field.
● The equivalent of “virustotal” for TLS hashes : https://ja3er.com/
[1] https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967](https://image.slidesharecdn.com/totaleagression-defcon-200808013156/85/Total-E-A-gression-defcon-7-320.jpg)
![[1] https://github.com/salesforce/ja3/blob/master/python/ja3.py#L218](https://image.slidesharecdn.com/totaleagression-defcon-200808013156/85/Total-E-A-gression-defcon-8-320.jpg)
![Objective: Mimic a rightful client TLS signature
● Idea A : Just configure your designed http client TLS configurations
○ Most of http client libraries (java, go, C#, [...]) they let you to modify a lot of properties, but not
every possible “RFC6066-Friendly” TLS Extension byte
○ And let’s forget about wrapping bytes in the right order...
● Idea B: Copy the entire “Client Hello” bytes and send them within the TCP socket
○ TLS handshake breaks
● Idea C: Modify Go Source Code
○ Complex changes, and framework can break [??]
○ Will not cover every situation [ongoing]
● Idea D: Modify OS Native libraries like openSSL [...]
[...]](https://image.slidesharecdn.com/totaleagression-defcon-200808013156/85/Total-E-A-gression-defcon-10-320.jpg)
![[1] https://github.com/rebujacker/SiestaTime/blob/master/src/bichito/modules/network/gmail_Mimic.go#L148
[2] https://github.com/rebujacker/Rebugo/blob/master/tls/handshake_messages.go#L140](https://image.slidesharecdn.com/totaleagression-defcon-200808013156/85/Total-E-A-gression-defcon-11-320.jpg)
![[1] https://github.com/rebujacker/SiestaTime/blob/master/src/bichito/biComs.go#L106
[2] https://github.com/rebujacker/SiestaTime/blob/master/src/bichito/modules/network/gmail_Mimic.go#L158
[3] https://github.com/rebujacker/SiestaTime/blob/master/src/bichito/modules/network/gmail_Mimic.go#L173](https://image.slidesharecdn.com/totaleagression-defcon-200808013156/85/Total-E-A-gression-defcon-13-320.jpg)
![What about Deep Packet Inspection?
● Let’s imagine they have a TLS Software Proxy (EG. PolarProxy), and certificates
deployed in every corp. Laptop:
○ Using String greps to generate “IoC” based on content
○ Use Cryptography (easy with a lot of already built native libraries)
● What about Human Eyes (threat Hunters):
○ Use techniques like Steganography
○ Some native libraries already created for this purpose [1]
[1] https://github.com/auyer/steganography](https://image.slidesharecdn.com/totaleagression-defcon-200808013156/85/Total-E-A-gression-defcon-14-320.jpg)
![How to Improve Detection? - Helping Defender
● Is there a way to TLS Fingerprint analysis? Can we Improve tools like JA3?
○ Improve tools like JA3:
■ More Granularity within TLS bytes. This will make the developer work on
implants harder
■ Analyze more “non-padding” bytes before encryption arrives
○ Fined Grained DPI techniques targeting the set of Open source/Commercial
implants strings and other similar payloads to Egress (difficult with mal. profiles)
○ AI matching to generate better IoC’s
○ […]](https://image.slidesharecdn.com/totaleagression-defcon-200808013156/85/Total-E-A-gression-defcon-18-320.jpg)
![Thanks - Q&A
● Questions ! → @rebujacker (twitter,github [...])
● Repository/Code:
https://github.com/rebujacker/SiestaTime
https://github.com/rebujacker/Rebugo
https://siestatime.readthedocs.io/en/latest/](https://image.slidesharecdn.com/totaleagression-defcon-200808013156/85/Total-E-A-gression-defcon-22-320.jpg)
Total E(A)gression defcon
- 1. Total E(A)gression Evading IDS for stealthier Implants
- 2. Who am I ? Alvaro Folgado (@rebujacker) ● Product Security Engineer: ○ Software/Architecture Sec. Reviews … ○ Offensive AppSec,Bug Hunt,Research … ● Actual Projects: ○ Implant Framework: ■ Siesta Time C2 (Go) ■ Modular Bichito Implant (go,C++,...) ● Speaker:
- 3. Objective: Circumvent most of Network IDS Last year I presented an Implant framework with different modules[1]: ● Network: https egress ● Gmail: Ability to transparently egress using gmail server ● [...] “Give me a string to egress, and I shall hack the planet” – Rebujacker 2019 Feedback provided by a blue team engineer listening to my talk. “Are you sure this is as stealthy? I think it is easy to detect your Implant by looking at client TLS” There are relatively easy ways to fingerprint Client-Server software by just looking to some handshake bytes of a encrypted flow. This triggered my attention to be able to design a skeleton of a network module, that if shown effective, could be used alongside different SaaS to egress without being detected. [1] https://www.slideshare.net/AlvaroFolgadoRueda1/siestatime-defcon27-red-team-village
- 4. IDS Overview - DPI vs Non-DPI Different ways to detect a malicious Implant by crawling the Corp Network outbound packages Deep Packet Inspection: ● You are able to scrutinize every package (Proxy TLS) ● Complex to deploy and use, need of fine grained rules Non Deep Packet Inspection: ● Endpoint Information (IP Blocks,Domains,[...]) ● Client/Server Software Fingerprint (OS Sock,Certificates,[...])
- 5. IDS Plan - Non DPI common IoC’s
- 6. IDS Plan - TLS Fingerprint
- 7. Deep Dive into TLS Fingerprinting Before the encrypted connection happens (TLS) and the target application protocol is wrapped, client and server provide a piece of information that is “unique” per client-Server software. ● You are able to detect with certain accuracy the client software engaging in a TLS connection (ssh,putty,slack [....]) ● You are able to detect with certain accuracy the server software that the previous client is connecting to (ISS,apache,metasploit,cobalt strike[...]) ● Matching both results (opt-in to apply some AI, etc...), you can extract a IoC (Indicator of Compromise) Analyzing plain-text TLS headers and extract a “hash” to compare against a public-shared DB. This is similar to the “traditional” AV detection techniques but applied within network analysis field. ● The equivalent of “virustotal” for TLS hashes : https://ja3er.com/ [1] https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967
- 10. Objective: Mimic a rightful client TLS signature ● Idea A : Just configure your designed http client TLS configurations ○ Most of http client libraries (java, go, C#, [...]) they let you to modify a lot of properties, but not every possible “RFC6066-Friendly” TLS Extension byte ○ And let’s forget about wrapping bytes in the right order... ● Idea B: Copy the entire “Client Hello” bytes and send them within the TCP socket ○ TLS handshake breaks ● Idea C: Modify Go Source Code ○ Complex changes, and framework can break [??] ○ Will not cover every situation [ongoing] ● Idea D: Modify OS Native libraries like openSSL [...] [...]
- 12. Objective: Wrap-Up Google Go gmail Library ● Once the go TLS libraries accept new configurations, these changes need to be wrapped up within Golang Gmail Libraries: ○ Use gmail “Go Quickstart” credentials to request an access token. This will need to be performed with the “new TLS” option ○ Query Gmail with the access token
- 13. [1] https://github.com/rebujacker/SiestaTime/blob/master/src/bichito/biComs.go#L106 [2] https://github.com/rebujacker/SiestaTime/blob/master/src/bichito/modules/network/gmail_Mimic.go#L158 [3] https://github.com/rebujacker/SiestaTime/blob/master/src/bichito/modules/network/gmail_Mimic.go#L173
- 14. What about Deep Packet Inspection? ● Let’s imagine they have a TLS Software Proxy (EG. PolarProxy), and certificates deployed in every corp. Laptop: ○ Using String greps to generate “IoC” based on content ○ Use Cryptography (easy with a lot of already built native libraries) ● What about Human Eyes (threat Hunters): ○ Use techniques like Steganography ○ Some native libraries already created for this purpose [1] [1] https://github.com/auyer/steganography
- 16. Demo Using Siesta Time Framework to Generate 2 Implants : ● Implant1, Using Normal Gmail Module with Golang Fingerprint and get detected by Suricata ● Implant2, Using “TLS Fingerprint Mimic” and Gmail, bypass Suricata-JA3C extensions rules
- 18. How to Improve Detection? - Helping Defender ● Is there a way to TLS Fingerprint analysis? Can we Improve tools like JA3? ○ Improve tools like JA3: ■ More Granularity within TLS bytes. This will make the developer work on implants harder ■ Analyze more “non-padding” bytes before encryption arrives ○ Fined Grained DPI techniques targeting the set of Open source/Commercial implants strings and other similar payloads to Egress (difficult with mal. profiles) ○ AI matching to generate better IoC’s ○ […]
- 20. How to Improve Detection? - Helping Defender Focus on HIDS (EDR’s). Detecting common malware patterns on interaction from the Implant and target foothold’s Operating System resources: ● Process Injections ● Use of key OS/API libraries to attack ● Process parent Spoofing, strange process childrens from obvious “trojanizable” software like office (Macros, etc...) ● Calls/Invoke into interpreters like cmd,java,python...
- 22. Thanks - Q&A ● Questions ! → @rebujacker (twitter,github [...]) ● Repository/Code: https://github.com/rebujacker/SiestaTime https://github.com/rebujacker/Rebugo https://siestatime.readthedocs.io/en/latest/
- 23. Sources/Notes https://github.com/salesforce/ja3 https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967 Notes A lot of the elements and features are still buggy or not working! In the same way, a lot can change in the near future ☺