https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/
1. Container Security
https://www.blackhat.com/docs/us-17/thursday/us-17-Cherny-Well-That-Escalated-Quickly-How-Abusing-The-Docker-API-Led-To-Remote-Code-Execution-Same-Origin-Bypass-And-Persistence.pdf
https://www.blackhat.com/docs/us-17/thursday/us-17-Cherny-Well-That-Escalated-Quickly-How-Abusing-The-Docker-API-Led-To-Remote-Code-Execution-Same-Origin-Bypass-And-Persistence_wp.pdf
Developers are the new Targets
New Attacks: Host Rebinding & Shadow Container
Protect your PIPE: Scan images & Monitor Containers in Runtime
2. Web Security
a) Web Cache Deception Attack
https://www.blackhat.com/docs/us-17/wednesday/us-17-Gil-Web-Cache-Deception-Attack.pdf
https://www.blackhat.com/docs/us-17/wednesday/us-17-Gil-Web-Cache-Deception-Attack-wp.pdf
POC:
1. The attacker lures a logged-on user to access https://www.bank.com/account.do/logo.png.
2. The victim's browser requests https://www.bank.com/account.do/logo.png.
3. The request arrives to the proxy, which is not familiar with this file, and therefore asks the web server for it.
4. The web server returns the content of the victim's account page with a 200 OK response, meaning the URL stays the same.
5. The caching mechanism receives the file and identifies that the URL ends with a static extension (.png). Because the mechanism is configured to cache all static files and disregard any caching headers, the imposter .png file is cached. A new directory named account.do is created in the cache directory, and the file is cached with the name logo.png.
6. The user receives his account page.
7. The attacker accesses https://www.bank.com/account.do/logo.png. The request arrives to the proxy server, which directly returns the victim’s cached account page to the attacker's browser.
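The cache decision in step 5, modelled next to a stricter rule, so a defender can audit responses for this misconfiguration. This is an added example, not code from the talk or whitepaper; the function names, the extension table and the sample responses are constructed for illustration.

```python
import posixpath
from urllib.parse import urlsplit

# Assumed mapping of "static" extensions to the Content-Type they should carry.
STATIC_EXT = {".png": "image/png", ".jpg": "image/jpeg",
              ".gif": "image/gif", ".css": "text/css"}

def ext_of(url):
    return posixpath.splitext(urlsplit(url).path)[1].lower()

def weak_should_cache(url, headers):
    """Step 5 behaviour: cache by URL extension, disregard response headers."""
    return ext_of(url) in STATIC_EXT

def strict_should_cache(url, headers):
    """Cache only if extension, Content-Type and caching headers all agree."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    expected = STATIC_EXT.get(ext_of(url))
    if expected is None:
        return False
    ctype = h.get("content-type", "").split(";")[0].strip()
    if ctype != expected:
        return False  # e.g. an HTML account page served under a .png URL
    directives = {d.strip().split("=")[0]
                  for d in h.get("cache-control", "").split(",")}
    if directives & {"private", "no-store", "no-cache"}:
        return False
    return "set-cookie" not in h

def audit(responses):
    """Return URLs the weak rule would cache but the strict rule rejects."""
    return [u for u, h in responses
            if weak_should_cache(u, h) and not strict_should_cache(u, h)]

# Constructed sample responses (not captured traffic).
SAMPLE = [
    ("https://www.bank.com/account.do/logo.png",
     {"Content-Type": "text/html; charset=utf-8",
      "Cache-Control": "no-store, private"}),
    ("https://www.bank.com/static/logo.png",
     {"Content-Type": "image/png", "Cache-Control": "public, max-age=86400"}),
    ("https://www.bank.com/account.do",
     {"Content-Type": "text/html", "Cache-Control": "no-store"}),
]

if __name__ == "__main__":
    for url in audit(SAMPLE):
        print("would be cached despite dynamic content:", url)
```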
Exploit (PayPal was affected):
https://www.youtube.com/watch?v=e_jYtALsqFs
b) Application Security Maturity Model
https://www.blackhat.com/docs/us-17/wednesday/us-17-Valtman-The-Art-Of-Securing-100-Products.pdf
3. Ransomware
a) Tracking desktop ransomware payments
https://www.blackhat.com/docs/us-17/wednesday/us-17-Invernizzi-Tracking-Ransomware-End-To-End.pdf
Only 37% of users back up their data
Since 2016 “ransomware” search queries increased by 877%
Life of a ransomware infection
- Victim gets infected
- Victim is shown ransom note
- Victim visits payment site via Tor
- Victim buys bitcoin at exchange
- 1. Victim buys bitcoins at exchange
- 2. Ransom moves across multiple wallets
- 3. Criminal accumulates bitcoins then sells them for currency at exchange
Vulnerabilities:
CVE-2017-0290
CVE-2016-7240
CVE-2016-7200
CVE-2017-5030
5. Penetration Testing
a) Microsoft The Industrial Revolution of Lateral Movement
https://www.blackhat.com/docs/us-17/thursday/us-17-Beery-The-Industrial-Revolution-Of-Lateral-Movement.pdf
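The CEO of a hacking group has to innovate the hacking business and grow it quickly, and also has to open up and expand that business;
The focus shifts from the Cyber Kill Chain, which describes attacks at the technical level, to the Cyber Value Chain; what the hackers need is data, not raw material in the form of information about the victim;
Automated lateral movement will become the new hot spot, including WMI, PSEXEC, WINRM, ATEXEC and so on
Tools that have appeared:
GoFetch (https://github.com/GoFetchAD/GoFetch)
DeathStar (https://github.com/byt3bl33d3r/DeathStar/blob/master/DeathStar.py)
Invoke-GoFetch
BloodHound (https://github.com/BloodHoundAD/BloodHound)
Defensive tools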
https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b
https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b
6. AV-Related
a) SafeBreach Kotler-The-Adventures-Of-Av-And-The-Leaky-Sandbox
https://www.blackhat.com/docs/us-17/thursday/us-17-Kotler-The-Adventures-Of-Av-And-The-Leaky-Sandbox.pdf
https://www.blackhat.com/docs/us-17/thursday/us-17-Kotler-The-Adventures-Of-Av-And-The-Leaky-Sandbox-wp.pdf
Lots and lots of research on exfiltration techniques,
• “Covert Channels in TCP/IP Protocol Stack” by Aleksandra Mileva and Boris Panajotov
• “A survey of covert channels and countermeasures in computer network protocols” by Sebastian Zander, Grenville Armitage and Philip Branch
• “Covert timing channels using HTTP Cache Headers” by Dennis Kolegov, Oleg Broslavsky and Nikita Oleksov
• “LED-it-GO Leaking (a lot of) Data from Air-Gapped Computers via the (small) Hard Drive LED” by Mordechai Guri, Boris Zadov, Eran Atias and Yuval Elovici
• “Diskfiltration: Data Exfiltration from Speakerless Air-Gapped Computers via Covert Hard Drive Noise” by Mordechai Guri, Yosef Solewicz, Andrey Daidakulov and Yuval Elovici
• “BitWhisper: Covert Signaling Channel between Air-Gapped Computers using Thermal Manipulations” by Mordechai Guri, Matan Monitz, Yisroel Mirski and Yuval Elovici
• “Covert Communications Despite Traffic Data Retention” by George Danezis – N/A since IP ID is no longer implemented as a global counter
• Piggybacking UDP source port/payload (with spoofed source IP) e.g. DNS – egress filtering will kill it
• “In Plain Sight: The Perfect Exfiltration” by Amit Klein and Itzik Kotler – AV services/SW update don’t have regular HTTP cache layer
• “AVLeak: Fingerprinting Antivirus Emulators Through Black-Box Testing” by Jeremy Blackthorne, Alexei Bulazel, Andrew Fasano, Patrick Biernat and Bülent Yener
• “Your sandbox is blinded: Impact of decoy injection to public malware analysis systems” by Katsunari Yoshioka, Yoshihiko Hosobuchi, Tatsunori Orii and Tsutomu Matsumoto
• “Enter Sandbox – part 8: All those… host names… will be lost, in time, like tears… in… rain” by Hexacorn Ltd.
• “Sandbox detection: leak, abuse, test” by Zoltan Balazs
• “Art of Anti Detection 1 – Introduction to AV & Detection Techniques” by Ege Balci
• Google's Project Zero entry “Comodo: Comodo Antivirus Forwards Emulated API calls to the Real API during scans” by Tavis Ormandy
A sneaky case:
Rocket
The Rocket is the main attacker malware, responsible for sensitive data collection (which becomes the payload for exfiltration). The Rocket contains a "vanilla" copy of another malware executable, called Satellite.
Satellite
The Satellite is the secondary malware executable, which triggers the AV agent and later conducts the actual exfiltration.
Steps:
0. The Attacker infects the endpoint with the Rocket
1. The Rocket collects sensitive data from the endpoint and embeds it into the Satellite
2. The Rocket writes the Satellite to disk and executes it
3. The Satellite triggers the AV agent
4. The AV agent sends the Satellite to the AV cloud service for further inspection
5. The AV cloud service executes the Satellite in a sandbox
6. The Satellite sends the collected data over the internet to the attacker
Exfiltration demonstrated possible with:
• Google VirusTotal (www.virustotal.com)
• Joe Security Joe Sandbox Cloud (www.file-analyzer.net) – only DNS, limited to 10 queries
• Payload Security Hybrid Analysis (www.reverse.it)
References:
https://www.usenix.org/system/files/conference/woot16/woot16-paper-blackthorne_update.pdf
b) Getting-Past-The-Hype-Of-Endpoint-Security-Solutions
https://www.blackhat.com/docs/us-17/thursday/us-17-Giuliano-Lies-And-Damn-Lies-Getting-Past-The-Hype-Of-Endpoint-Security-Solutions.pdf
https://www.crowdstrike.com/blog/indicators-attack-vs-indicators-compromise/
https://www.mcafee.com/de/resources/solution-briefs/sb-indicators-of-attack.pdf
Current endpoint security solutions:
7. C&C
a) AD Botnet
https://www.blackhat.com/docs/us-17/wednesday/us-17-Miller-The-Active-Directory-Botnet.pdf
• What if the C2 servers exist inside your internal network?
• What if the C2 servers exist as a part of your critical infrastructure?
• What if the C2 servers use your production services for communication?
• What if the C2 servers can bypass your internal firewalls and network segmentation to communicate with all hosts?
• What if the C2 servers can communicate with remote attackers using your production cloud?
Advantages of an AD C2 channel
• AD is a central authentication and access control point for organizations
• All end user devices need connectivity to AD for authentication
• All servers (or most) need connectivity to AD for authentication
• This means that AD is a central connectivity point for all systems
• This introduces the capability to bypass all network-layer security using AD
• All users can (by default) write data into their own account attributes
• When AD integrates with Azure AD, then direct remote control is possible
8. Virtualization Security
a) FireEye releases rVMI
https://www.blackhat.com/docs/us-17/thursday/us-17-Pfoh-rVMI-A-New-Paradigm-For-Full-System-Analysis.pdf
https://github.com/fireeye/rvmi
9. PowerShell
a) Mandiant PowerShell obfuscation
https://www.blackhat.com/docs/us-17/thursday/us-17-Bohannon-Revoke-Obfuscation-PowerShell-Obfuscation-Detection-And%20Evasion-Using-Science.pdf
https://docs.microsoft.com/zh-cn/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
https://github.com/Invoke-IR/Uproot
https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/
PowerShell obfuscation tools:
Veil: https://github.com/Veil-Framework/Veil-Evasion
PowerSploit: https://github.com/PowerShellMafia/PowerSploit
Empire: https://github.com/EmpireProject/Empire
10. Information Security
a) Protecting-Visual-Assets-Digital-Image-Counter-Forensics
https://www.blackhat.com/docs/us-17/wednesday/us-17-Mazurov-Brown-Protecting-Visual-Assets-Digital-Image-Counter-Forensics.pdf
Exif Viewer — https://addons.mozilla.org/firefox/addon/exif-viewer/
Stand-alone: ExifTool — https://www.sno.phy.queensu.ca/~phil/exiftool/
Removing metadata
exiftool filename.jpg -overwrite_original -all=
Spoofing GPS coordinates
exiftool IMG_1270.jpg -GPSLatitude="36 deg 05', 18.4\"" -GPSLongitude="115 deg 10', 40.2\"" -GPSLongitudeRef=W -overwrite_original
Dheera Venkatraman, “Why blurring sensitive information is a bad idea” https://dheera.net/projects/blur
11. DevSecOps
a) Defending-Web-Applications-in-the-Age-of-DevOps
https://www.blackhat.com/docs/us-17/thursday/us-17-Lackey-Practical%20Tips-for-Defending-Web-Applications-in-the-Age-of-DevOps.pdf
https://www.slideshare.net/zanelackey/building-a-modern-security-engineering-organization
The long and perilous journey of Dev->QA->Security->Dev->Sysops->Production becomes just Dev->Production
Developer Training
– Threat Modeling
– Design Reviews
– Static Analysis
– Dynamic Scanning
– Pentesting
– Security Visibility
– Feedback
– Continuous Feedback
Lessons learned:
1. Ability to detect attackers as early as possible in the attack chain
You want to know when the attacker discovers the vulnerability, long before the database goes out the door
2. Ability to continuously test and refine your vulnerability triage/response
The beauty of DevOps is that you can actually move faster than your attackers for the first time, especially the more you empower development / DevOps teams
3. Ability to continuously test and refine your incident response/DFIR/SecOps process
b) Orange-Is-The-New-Purple
https://www.blackhat.com/docs/us-17/wednesday/us-17-Wright-Orange-Is-The-New-Purple.pdf
Security's goals? Create it securely, maintain it properly, prove it’s secure, plan for sunsetting;
Builder's goals? Time to market, correctness, optimization, minimal defects;
-- SANS: 2016 State of Application Security: Closing the Gap
Blue Team provides feedback for Yellow Team, either via gained insight from Purple Team, or threat modeling, giving requirements and discussing solutions for:
- DFIR output
- Log Generation & Activities
- Capability for introspection
  o Reference: http://gauss.ececs.uc.edu/Courses/c6056/pdf/logging.pdf
- Log content/events
- Log generation
  o Something as simple as timezone sync
- Change Management
- Integrity Monitoring
- Anti-V, Anti-M
- Full coverage monitoring
Red Team - Offensive security or “ethical hacking” of any type that has been authorized by the organization (penetration testing, physical hacks, black-box testing, compliance testing, social engineering, web app scanning, etc). “The Breakers”
Blue Team - Defensive security, traditionally protection, damage control, and Incident Response (IR). Can also include operational security, threat hunters. Data Forensics (DF). “The Defenders”
Purple Team – Common term for activities combining Red and Blue Teams. These joint activities improve the security posture of a testing scope by building better defenses based on discovered weaknesses. Primary goal is to maximize the results of Red Team activities and improve Blue Team capability.
White Team – All-knowing, neutral, third-party, set the rules of engagement, makes a plan, organizes the other teams, and monitors progress. This could include elements of Compliance, Management, Analysts, and/or logistics (this is where my role mostly operates in the ecosystem). “The Game Masters”
Yellow Team - Individuals who practice the art of creating code, programmers, application developers, software engineers and software architects. “The Builders”. This is an entirely new concept being introduced via this paper.
c) AMAZON WEB SERVICES KILL CHAIN PENTEST
https://www.youtube.com/watch?v=fm4CqlxqQfs
12. Machine Learning
Built by Endgame on top of OpenAI
https://github.com/endgameinc/gym-malware
13. Kernel Fuzzing
github.com/kernelslacker/trinity
https://github.com/intelpt
14. Attacking Printers
https://github.com/RUB-NDS/PRET
15. Deceiving C&C
Deceiving C&C: active intrusion prevention and blocking aimed at some common C&C methods;
https://github.com/countercept/doublepulsar-detection-script
16. ServerLess Pentest
https://gist.github.com/andrewkrug/3d3012eb045d996e5ab4ee0d7cd5214c
17. VMware API
A vulnerability that uses the VMware API to execute code in the guest from the host;
https://github.com/guardicore/vmware_guest_auth_bypass
18. Java Vulnerabilities
JSON vulnerabilities
https://github.com/mbechler/marshalsec
JdbcRowSetImpl.setAutoCommit Gadget
Defcon
1. COM C&C
https://github.com/zerosum0x0/koadic
2. Attacking Continuous Integration
https://github.com/spaceB0x/cider