
Esoteric Exfiltration


Formal Metadata

Title
Esoteric Exfiltration
Number of Parts
93
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
When the machines rise up and take away our freedom to communicate, we're going to need a way out. Exfiltration of data across trust boundaries will be our only means of communication. How do we do that when the infrastructure we built to defend ourselves is the very boundary we must defeat? We use the same pathways we used to, but bend the rules to meet our needs. Whether it's breaking protocol, attaching payloads, or pirating the airwaves, we'll find a way. We'll cover using a custom server application to accept 'benign' traffic, using social and file sharing to hide messages, as well as demo some long-range mesh RF hardware you can drop at a target for maximum covert ops.

Bio: Willa Cassandra Riggins is a penetration tester at Veracode, and was previously part of the Lockheed Martin CIS Red Team. She started her career as a developer and pivoted into security to help fight the pandemic that is developer apathy. Her background spans the software development lifecycle, but her heart is in root shells and crown jewels. She can be found making things at FamiLAB in Orlando, hacking at the local DC407 meet-ups, staffing the socials at BSides Orlando, and marketing all the things at OWASP Orlando.
Transcript: English (auto-generated)
So if you're in here, this is the Esoteric Exfiltration talk. If you're looking for the other one, it's probably in a different room. So, this is me. I'm Willa Riggins. I'm a senior penetration tester from Veracode, a member of the FamiLAB hackerspace down in Orlando, and the DC407 point of contact. I do a lot of things: OWASP and BSides. But really, if you look at my Twitter, I just retweet cats. That's really all I do.

All right, so exfil 101. How many of you are familiar with exfiltration at all? Anybody in the room? Awesome. So it's the know-it-all crowd. For those who aren't in the know, data exfiltration is the unauthorized transfer of sensitive information from a target's network to a location that the threat actor controls. That's from a Trend Micro article. But basically, "threat actor control" is kind of our wishy-washy term here. What is that? It could be their server, could be their social media account, could be their Dropbox, could be anything, right?

So why do you care? Data loss costs you money and your sanity. If anybody's ever worked incident response, it sucks when you lose stuff. If you've ever found creds on Pastebin that had your name in it, that sucks. So anyway, back in 2012, Reddit NetSec, anybody follow NetSec on Reddit? Yes. Okay. So I did a survey back in 2012, and 82% of the folks who replied said, hey, this stuff is important. It means a lot to us and our networks and our money and our companies.

So let's talk a little bit about covert channels and where to find them. This is kind of where the meat of the talk is going to be, because I've done all this stuff, I've done the research, I've gotten caught, and the getting-caught stuff is kind of the most exciting part, because then you learn how not to do that.

So the first thing is: mask your traffic with normal usage patterns. If you know a company uses social media or they're on web traffic, or they're using protocols for their everyday business like FTP, or everybody uses HTTP or HTTPS, some folks have RDP open, just knowing that stuff is really important, because then you can kind of build a model of what a normal employee's traffic looks like and how you can look like that.

Hide data in known safe payloads. So, known safe, right? Status updates to Facebook or Twitter, that kind of stuff looks innocuous. You probably post like five tweets every minute; that's a lot of data, that's 140 characters times five. Not a huge amount of throughput there, but it's still cool, you could do something with that. Same with HTTP POST. How many ASP.NET devs do we have in the room? Yeah, how many of you hate the view state because it's 2 meg? That's 2 meg of data every single request that you could send out, and no one's going to notice it, it's just gone. Encode it, base64 it like view state, put it in a form and just submit it to whatever web server. That's a meg every single request, and it's gone.

The other thing is: stay quiet. Stay within a normal payload size, like that 2 meg view state. Don't try and upload 36 gig to Twitter. Don't. We've done this, it's not fun, don't try to do that. You'll get rate limited, people will be like, what the hell is this? Why are there all these tweets with random data in them? Facebook will probably get really angry if I did that. It's important to realize that not only are you going to get caught by other people seeing that you're posting all this crap, but also it's going to throw a flag on whatever egress is there. So if there's a firewall or an app firewall, they're going to see a spike in traffic and go, what is that, what device did it come from? That's one way you're definitely going to get caught: if you send 36 gig of data over one channel from one device all at the same time. So yeah, definitely stay quiet, and set your payload sizes based on what the channel is. So Twitter obviously is 140 characters; you're kind of limited there. DNS is even smaller; DNS as an exfil method kind of sucks. Facebook gives you a lot more leeway, but there's a lot of management involved with that. We'll talk about that a little bit later.

And encoding and encrypting your data. Depending on who you're doing this for or why you're doing it, you might not want people to know that you stole that data, right? You don't want them to Google and be like, why is my name in this weird Twitter stream of binary data? Because they'll trace it back, figure it out, contact Twitter, which will take a long time, and they'll get back and be like, oh, it's this device, it's uploading all this crap from your server. You just want to make sure that people can't find it. There's a really cool tool called Cloakify, by one of our other attendees who might be here, that basically does DLP avoidance. That's a really cool thing that you can use to kind of transform the data before you send it out.
So, talking about transport. We talked a little bit about why you do the things the way you do them, but let's talk about specific examples. On the transport layer you have network protocols, so we can do point-to-point stuff with HTTP, we can do telnet, netcat, all that stuff. Third-party drops like Dropbox, or putting it on Facebook or anything like that, that's kind of taking the threat actor control to a third party and then getting it relayed down to another device. Those are cool because it's kind of like a dead drop. And then going to the airwaves, which is something I really wanted to show off today, but I didn't sacrifice enough things to the demo gods and my demo doesn't work, and then the radios I brought don't work. So I will be having to contact SparkFun and figure out what to do there.

So, network protocols. The obvious stuff: HTTP, SSH, netcat. If you can get out with that stuff, by all means use it. That's the easiest low-hanging fruit; you're going to get out, that's fine. And by the time anyone notices you did what you did, as long as you've throttled it and hidden like you're supposed to, no one's going to notice. You can get all this stuff out. Now, if you have a company with a really awesome SOC who is going to bust you within like 10 minutes of you doing the thing that you did, maybe you should hide in something else. We talked a little bit about RDP. If that's a normal part of your business, RDP into another machine, map the drive and exfil data that way. It's super easy, you don't need a tool to do it, and no one's really going to notice until later, when they're like, why is this RDP session using so much data? So that sort of stuff is really interesting. There's some other stuff where, if they use a specific proprietary protocol, I won't name any, you can basically hide data in that by munging the protocol. So if there's a request that lists files or something, you could make it so that instead of listing a directory, it lists the base64 of the data you're exfilling. You could do some really cool stuff with that. So that's kind of the discreet way of doing that data-on-the-wire stuff.

Third-party drops. The obvious stuff is any file sharing service that will let you upload the size of data that you have. Again, you probably want to throttle it, and these are typically blocked at some proxy level or an egress firewall. If these are available to you, yeah, exfil's done, we have another problem, right? But Pastebin: how many of you have Pastebin at work? Can you get to Pastebin? See, that's not a lot of hands. That's awesome. So we've blocked Pastebin. What else is out there that you could use? There are like 12 other services that do exactly the same thing and they're probably unblocked, right? So, doing it discreetly: we can use Flickr, Imgur and do stego, put it inside of a picture of a squirrel. Done that, that's awesome. Those two services in particular will let you upload things that are completely lossless. So you upload it and you can download it and all your stego data is there. There are simple Python libraries that do all that stuff; the API has changed constantly, but if you keep up with it, you can exfil data that way. And when it goes out the firewall, it looks like you're uploading squirrel pictures, which is super weird, but nobody's ever going to ask you why.

So, Twitter and Facebook. I put Twitter in the same category as DNS. I kind of hate it as an exfil method, because 140 characters is just too slow. By the time you get any meaningful amount of data out that wall, you're going to have to recompile it and get it all down and it's just no fun. Facebook, though, has this really cool thing called groups. Anybody in a Facebook group? Where are the moms in the room? Because I'm in like 12. Okay. So Facebook groups let you upload files, and it is in the API to let you actually upload files into Facebook groups. So I create a fake Facebook account, I create a group with just me in it, and I upload a bunch of files. Totally do that, right? And for most of you at work, Facebook's unblocked. I know the Army does that, I know a lot of the DoD companies do that because it's required for business, in theory. So you can't block Facebook, can't block Twitter, can't block all these services that I have to use for business, so I'll abuse them and exfil data. It's cool.

So, kind of getting past that and doing the airwave stuff. A lot of folks think about this in the
Tempest realm, right? You have a room with a Faraday cage on it, you're not going to get anything out of that room. We've seen talks where they've done fans, where you spin the fan at the right oscillation and you can exfil data that way. I don't know anyone who's done that on a pen test. Has anybody actually done that? Tempest attacks for exfil on a pen test, where you have two days of sleep and you really don't have the time to set that up? Yeah. You can't do that; that's too much effort for low return.

But what if you had a device you could just plug into a USB port on site? You broke and entered with your lockpicks and your little door tool, you shimmied in, you just plug the tool into the back of the machine and that was it. No Wi-Fi antenna, no HID device, just a USB serial UART that you plug in, and all of a sudden you had a remote connection. You could do a lot with that. You could write code and do all kinds of fun stuff, or you could just stream data over it, serial out. And the XBee radios that I have, I have them in my hotel room; if anyone wants to see them, I'll bring them, I just need breakout boards that don't suck. But the cool thing with that is you could build a mesh network that went all the way up the Strip, and the chances of anyone being able to triangulate each and every node by the time you are done exfilling data are extremely low. And these things cost, I think the series that I'm using, they're like 70 bucks. You can get one-mile-range ones for like 40. So they're kind of throwaway pentest devices: just strap it to the back of a Teensy, plug it in, walk away.

Ham radio stuff: you could do APRS, right? Any hams in the room? APRS messaging, it's totally illegal, don't do it. But you could technically exfil over APRS, because it's just text data, it's digital. I could just say, hey, my truck is here, my truck is here, my truck is in Japan, my truck is here, and you could use that to exfil data. And the cool thing with that one is that you can repeat it with internet repeaters and stuff like that; you don't even have to be in the country. And then lasers. How many people are fans of lasers? So basically use the laser mic technique that everybody knows about. Everybody doesn't know about the laser mic thing: you aim the laser at the glass, you feel the vibrations from the glass and you read it digitally by reflecting it off something. Do that with data, why not? I mean, that stuff's insane and totally out of the scope of a pen test, but it sounds really cool, so let's put it in the slide.

So all this stuff is about attacking and breaking stuff, but what does the blue team say about all this? What do you do? You can't block Facebook, you can't block Twitter, so what the hell are you going to do? So we can block endpoints, we can block individual malware endpoints, we can block some stuff by URI or IP, right? So every time I stand up a fake service with Pastebin code on it, you block it, fine, whatever. I can block egress at the firewall by the port, protocol or application firewall or whatever; I can just shut that down; whatever the hell you're doing, I'll just block it. You can try to detect anomalies in payload size, so look at the frequency, look at, hey, why is this machine turning on at three in the morning, getting on Facebook and uploading six gig of data? Why is that happening? That doesn't make any sense. You can look for that stuff, and that's cool. And you can block USB devices by class or device ID.

Now, none of that stuff works. Unfortunately, blacklists just don't work. If you've got a proxy at your company, I won't name names, but with a lot of them you can stand up a new website, categorize it, get it approved through the proxy service, and it's good to go in 48 hours. So you can stand up your malicious website that looks like a My Little Pony fan site, which is awesome, and then have a /exfil and just exfil data to that. Just use your Apache logs, whatever, it doesn't matter, just stream data out. People think you just really like My Little Pony, and that's fine, please don't access that at work. That's as far as the conversation goes. Cool.
We can disrupt normal business if we start blocking stuff. So Facebook, Twitter, Dropbox: a lot of companies use those for large file transfers anyway, but if they have to use it, I can use it. And that's kind of like what Moxie Marlinspike talks about, the scope of choice with Google and Facebook and the TIA, and how you can't really not use Facebook if you want to be friends with everyone, right? So the choice is then, do I interact with people, or do I just not participate? And that's what we want to force people to do as attackers, is to decide between making money and preventing my exfil. There's kind of a balance there, and it's for companies to kind of figure out what's more risky.

And context is critical but difficult to automate. You can do deep packet inspection, it's awesome, right? DPI can do all kinds of fun things, but if it's inside a squirrel picture, and stego'd and all this other stuff, good luck telling your system to do that. You might have the data in a PCAP somewhere, that's fine, but if you're going to take my 40,000 squirrel pictures and somehow decode them all, you should go play DEF CON CTF. USB device IDs, those don't work. There are a lot of manufacturers that are just repeating the same ID for whatever the hell it is,
and each of those costs money, so why would they pay for a USB device ID for a crappy mouse you bought down the street? They're not going to do that. So if you try to block it by device ID, it's just not going to work.

So, weaponizing squirrels. Squirrels is the name of a tool, a tool that's not ready today, because I suck at everything. It's a Python 2.7 based application, it'll be MIT licensed, you'll be able to download it, do whatever you want with it, munch it, take it apart, steal code, I don't care. The whole point is that you'll be able to do exfil, and it'll be easy. So it's extensible via simple module-based plugins, so all you have to do is write a little bit of the base code for your module, for your exfil channel, and all the taking the file and chunking it up, all the logging, all the stuff you don't want to care about is done. All you have to do is write a send and a receive. So you can put this on the box that you've pwned, execute it with the CLI, and exfil. That's it, that's all you have to do.

So this is what it looks like when you execute it. Right now you just put the file name, the channel you want to use, and then a settings collection. All the channels are documented to show what the settings are; for Imgur, which is one of the examples I used, you can put in your client secret and client ID, and that's all you really need for that one to exfil. And that's what the module looks like. It's really hard to read on the screen; they told me this was a 4 by 3 projector, but apparently I have tons more space. But if you can see that at all, all this stuff is just metadata saying what the hell is this thing, how big can my chunks be, and what does it do? And the rest of it is just send and receive. All you have to do is write send and receive and it'll work.

So this is the URL that the code will be available at. As soon as I stop being sick and my family stops almost dying, you'll be able to download the code at that URL. Obviously it's not available today.

But, closing stuff. Stuff I want to do: additional modules. Obviously, because the demo's not done, it should work. Executable payload generation with PyInstaller, so doing kind of an msfvenom thing. Do an MSF post module. Longer range hardware. Get with the Cloakify guy and shove that stuff into my code. And customized timing.

All these people are super awesome because they contributed in some way to me actually getting this done, slash me being here. Veracode especially, and BSides, and DC407 and FamiLAB and all those cool people. And thank you. That's kind of the talk. Thank you.