The 2nd Annual 44Con was held 5th to 7th September 2012 in Kensington / London. For a technical conference it is as good as we get in the UK. I felt a little let down by the fact that there didn’t seem to be two full tracks running simultaneously over the full two-day period and that the talks schedule was not available until the morning of the Con. But on the whole they deserve to be commended for what they have brought to the UK technical conference scene. My highlights this year:
BeEF – I’m the Butcher, would you like some BeEF? – Michele Orrù & Thomas Mackenzie
This talk centred on the Browser Exploitation Framework (BeEF) and covered some new social engineering modules the team have added to the framework. Namely, they have added support for WebSockets, a RESTful API, a mass e-mailer function (intended to send phishing e-mails to unsuspecting users) and a fake Flash update function, which prompts the user to install a fake Flash player update (Google Chrome only).
Once the victim has installed the fake Flash player update the attacker is rewarded with improved victim hook persistence and is able to enumerate all cookies from a user including HttpOnly cookies.
The mass e-mailer was written to improve on the options available in the Social-Engineer Toolkit (SET), and was demo’d in the following context:
- Attacker clones a genuine website e.g. www.edfenergy.com
- A genuine looking phishing e-mail is delivered to victim e.g. an edfenergy customer.
- Victim follows link to cloned website (www.efdenergy.com); the victim’s browser is hooked into BeEF.
- Victim logs into cloned website; credentials are captured in the BeEF console.
- Note: the original site (www.edfenergy.com) is loaded in an overlay iFrame (if it can be framed); if not, the victim’s traffic is redirected to the original site.
The discussion of these new social engineering tools/techniques was followed by a discussion of the closer integration of BeEF and Metasploit. More details here: http://code.google.com/p/beef/wiki/MSFIntegration
Malware Analysis As A Hobby – Michael Boman & Siavosh Zarrasvand
This talk introduced the Malware Analyst Research Toolkit (MART), which aims to bring a documented process to malware analysis using several components, the main one being a virtualised ‘Cuckoo’ sandbox.
Obviously, to conduct any detailed research a plethora of malware samples is required; the following methods were used to acquire the malware:
- Spidering malicious/phishing e-mail URLs.
- Using malicious received e-mail attachments.
- Sharing with other malware analysts.
Once suitable malware is obtained it is sent to the Cuckoo sandbox for analysis; this analysis stage recorded the following:
- List of any dropped files
- Details of any outbound DNS/HTTP requests
- Created a pcap file of the malware network interactions
- Took screenshots of the interaction of the malware with a user’s desktop
- Details of all hosts (i.e. IPs) involved in any malware communications
- Details of all registry keys added, amended, deleted etc.
- Details of the malware’s process flow
The speakers then conducted a workshop to help anyone who wanted to build their own MART. For more details see: http://blog.michaelboman.org/search?q=mart
IPS False Positive Abuse – Arron Finnon
After some discussion of the well-known limitations of Intrusion Prevention Systems (IPS), the speaker discussed some fun ways of abusing IPS signatures, e.g. changing Firefox’s user agent string to match IPS signatures; Snort IDs 1390 and 1394 were given as typical examples of ‘Alert’ and ‘Drop’ rules.
Stonesoft’s expensive ‘Evader’ product was mentioned; the product is designed to (see if it can) bypass security device filters and signatures. A novel ‘free’ approach was suggested: using pcap files of malicious traffic along with the Fragrouter functionality now contained in Tcpreplay for testing your own environment.
The discussion moved on to the interesting idea of trying to develop an Open Source testing methodology for IDS/IPS devices and/or implementations, i.e. something akin to OWASP for web applications. This sounds like a great idea and hopefully we’ll see some output from this effort soon; the initial thinking was a top 5 list of issues (similar to the OWASP Top 10) that, once adopted, could easily be added to.
Domain Generation Algorithm (DGA) Detection & Optimisation – Gunter Ollmann
This talk centred on detecting the domains (e.g. attacker-callback-domain.com) used by malware on infected hosts within your environment to get back to its command and control network(s).
Apparently the new generation of malware has a significant backup strategy, i.e. the callback domain(s) can be generated dynamically at some future date (e.g. by incorporating some information from the most popular article on the BBC news website for a given day). The speaker even stated that sometimes defenders can reverse the algorithm and beat the attackers to registering these callback domains.
The infected hosts may try to contact any of several hundred callback domains in search of a valid command and control server. Identifying these domains, and subsequently the infected hosts within your environment, focused on analysing failed DNS look-ups. For example, if several hosts are making numerous failed DNS look-ups to ‘strange’ domains, analysis of these records could potentially identify infected hosts within your environment. Example of failed DNS lookups:
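As an added example (not from the talk or this writeup), the following Python sketch applies the idea above to a constructed resolver log: it counts distinct NXDOMAIN answers per client and scores the queried labels by character entropy, so hosts making many failed look-ups to random-looking names stand out. The three-field log format, the thresholds and the entropy heuristic are assumptions for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log, one lookup per line: "<client_ip> <qname> <rcode>".
# The three-field format is an assumption for this example; real resolver logs vary.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.bbc.co.uk NOERROR
10.0.0.5 xkq7v2mz9p.com NXDOMAIN
10.0.0.5 ptg4hsnw1x.net NXDOMAIN
10.0.0.5 mm3cz8qlrw.org NXDOMAIN
10.0.0.5 zv9kpq2xtl.com NXDOMAIN
10.0.0.5 rq8wml4hzk.info NXDOMAIN
10.0.0.7 intranet.example.com NOERROR
10.0.0.7 typo-of-google.com NXDOMAIN
10.0.0.9 mail.example.com NOERROR
"""

def shannon_entropy(label):
    """Bits of entropy per character; random-looking DGA labels score high."""
    counts = Counter(label)
    total = len(label)
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def second_level_label(qname):
    """Return the label left of the TLD, e.g. 'xkq7v2mz9p' for xkq7v2mz9p.com."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def parse_log(text):
    """Parse the assumed three-field format into (client, qname, rcode) tuples."""
    rows = (line.split() for line in text.splitlines())
    return [tuple(r) for r in rows if len(r) == 3]

def find_suspect_hosts(records, min_failures=5, min_entropy=3.0):
    """Flag clients with many distinct NXDOMAIN answers for random-looking names."""
    failed = defaultdict(set)
    for client, qname, rcode in records:
        if rcode == "NXDOMAIN":
            failed[client].add(qname)
    suspects = {}
    for client, names in failed.items():
        if len(names) < min_failures:
            continue  # a few typos or dead links per host are normal
        avg = sum(shannon_entropy(second_level_label(n)) for n in names) / len(names)
        if avg >= min_entropy:
            suspects[client] = {"failed_lookups": len(names), "avg_entropy": round(avg, 2)}
    return suspects
```

On the sample above only 10.0.0.5 is flagged; 10.0.0.7 has a single failed look-up to a readable name and stays below both thresholds.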
Terrorism, tracking, privacy and human interactions – Dan Cuthbert & Glenn Wilkinson
Whilst this talk was, generally speaking, very interesting, the key point to take away is that a new tool, ‘Snoopy’, is shortly to be released. ‘Snoopy’ is a distributed wireless tracking and reporting framework comprising a client and server architecture. The client component can be installed on any Linux device capable of packet sniffing/packet injection.
The functionality of the tool includes:
- Rogue Access Point functionality (i.e. similar to karma/karmetasploit)
- General Man-in-the-Middle (MitM) capabilities
- SSL MitM via SSLStrip
- JavaScript to profile devices
- Data extraction e.g. search for all .doc instances
All of the above attacks are reported back to the ‘Snoopy’ server which utilises a MySQL database for data storage. Finally some sample data gathered via the tools was demo’d in Paterva’s new Maltego Radium tool (basically think Maltego with loads of additions and improvements).
Post-Exploitation Tu-Dot-Oh! – Rich Smith
This talk focused on long-term penetration tests, i.e. test engagements of 6-12 months (we almost need a new term for this type of engagement!). The goals for the testing were two-fold:
- Read target CEO’s e-mail
- Access and alter the target company’s source code
The fact that exploitation was the start of the attack and not the end was a major theme here. Another theme was that the way things are currently being done, e.g. using binary droppers (think msfpayload), may not be the answer. The problem with binary droppers is that all of the payload’s capabilities are built into them, providing a wealth of information for any savvy reverse engineers or forensics teams. And the solution?
- A single payload that can be run everywhere (any Operating System)
- A payload that provides scrambling and stealth; the full capabilities of the attacker are not built into the payload but kept server side.
The speaker’s solution was to use Python bytecode over the wire; i.e. it was portable, with functionality provided via ‘reach back’ rather than ‘bake in’. The Python bytecode demonstrated made use of import hooks and HTTPS GET requests to pull further bytecode, which runs in memory without touching the disk. Some of the other features of the tool demo’d:
- Resolves bytecode trees remotely and transparently i.e. no source code mods
- Scrubs memory after use
- Zip imports are used for larger bytecode imports from the server
- Unique victim IDs are taken from System Management BIOS (32-bit UUID) which are truly unique (unlike MAC addresses)
- A polling mechanism at random intervals is used to GET tasks from the server, which are queued up on a UUID basis