
Cookie Monster: Exfiltrating Data and More, Byte by Tasty Byte

BSides Las Vegas · 2022 · 45:09 · 88 views · Published 2022-09
About this talk
Eric Kuehn and Mic Whitehorn-Gillam present Cookie Monster, a data exfiltration tool built to test egress controls. A PowerShell feeder base64-encodes a file, splits it into cookie-sized chunks and sends each chunk as a cookie value in otherwise ordinary HTTPS requests (any HTTP method, a spoofed browser user agent, random pauses between requests), and a Node server reassembles the chunks on the other side. The talk covers the 2018 red-team engagement that motivated the tool, what changed in version 2, a live demo through Burp, and the detection ideas the speakers weighed: request volume to a single host, reputation filtering, cookies sent or rotated without a matching Set-Cookie, and endpoint heuristics.
Original YouTube description:
BG - Cookie Monster: Exfiltrating Data and More, Byte by Tasty Byte - Eric Kuehn, Mic Whitehorn-Gillam Breaking Ground @ 15:00 - 15:55 BSidesLV 2022 - Lucky 13 - 08/10/2022
Transcript [en]:

Good afternoon and welcome to BSides Las Vegas, Lucky 13. You are in Breaking Ground. This talk is titled Cookie Monster: Exfiltrating Data and More, Byte by Tasty Byte, and it will be given by Eric Kuehn and Mic Whitehorn-Gillam. Just a few quick announcements before we start. I would like to thank our sponsors, especially our diamond sponsors LastPass and Palo Alto Networks and our gold sponsors Intel, Google and BlueCat. It's their support, along with our other sponsors, donors and volunteers, that makes BSides possible. Regarding cell phones: these talks are being live streamed, and as a courtesy to our speakers and audience we'd like everybody to silence your cell phone if you would. Thank you. If you have a question, use the audience microphone, this is the one I'm holding, so that YouTube can hear what your question was. We appreciate that. As a reminder, the BSides photo policy prohibits taking pictures without the explicit permission of everyone in frame. Again, these talks are being recorded, so these will be available online on YouTube in the future. Last but not least, we would like to ask you to please keep your masks on at all times. And with that, let's get started. Please welcome Eric and Mic.

Thank you. I hope everybody's having a good time and is excited to be here. It's actually nice to be here talking. We've spoken at other BSides but never Las Vegas, first time here, so really excited about being able to present in front of all of you. So as we said, it's Cookie Monster: Exfiltrating Data and More. The "and more" kind of got dropped off; we'll talk about that towards the end. Yeah, it kind of dropped off. And this really has been, it's been like four years in the making. We built this utility that we're going to talk about to serve a specific purpose, and then over the years we thought maybe we should do more with it, back and forth, back and forth, and finally decided that we wanted to make it publicly available to people. But overall this tool, while it serves a purpose, it's really more about getting us thinking about our networks, right? As most of the conversations and talks have been here, it's about knowing your network and visibility into your network and what's actually occurring, and that's what this tool is here to help do.

Before we start talking about it, a little bit about us. We both work for Secure Ideas; it's a security consulting company based out of Jacksonville, Florida. Our CEO Kevin Johnson, former SANS instructor, started it back in 2010. It's our 12th year, hard to believe we've been around that long. But we do pen testing, et cetera, right? So what we're talking about is something that we've tested; it's not just us coming up with a theory, it's something we actually tried. My name is Eric Kuehn, I'm a principal security consultant. Before I started working for Secure Ideas five years ago I was responsible for very large Active Directory infrastructures at Fortune 50 companies, like Windows environments. I know that probably gets me booed off stage when I say I actually kind of like Windows, but I do. And when I'm not working I'm a movie enthusiast. I love movies; I was actually a film major, acting minor. I love watching movies. Now that my kids are older we're getting to watch all of the really good movies, it's not just, you know, Disney movies, which are nice, but I like action films too.

So I'm Mic Whitehorn-Gillam. I'm from Canada, but I don't live there now; you can probably tell that. I write code. I've been doing it for a really long time, started when I was six, basically on the command line, migrated to batch files within a couple of years and then actual real programming languages not long after that. And if you can't guess my age, that makes me old. So yeah, I used to run long distances, as I do on the slide, but it's been a while. COVID, unfortunately. I used to lift weights, and then COVID. Yeah, so it's harder now, I'm heavier now, because, you know, that happens too.

So we're here to talk about data exfiltration, and I'll admit for us, when we're doing our pen tests, this is usually not something that's on our radar at all, right? Unless you're a very, very mature organization and you have some controls, really probably all I'm going to have to do is just browse out to an S3 bucket and I can take whatever I want off your network, right? That's not true for everybody, and, you know, there's all these wonderful options. You know, sure, you can use command and control channels, you can use network protocols, FTP, HTTPS, cloud services, like I said, one of our favorites, code repos. Then there's all those physical... yeah, I need to move a little further away from you evidently, we'll get an echo. Physical things that you read about that sound so awesome but I don't think I've ever had to do or probably never will, but, you know, using lights on a device and doing Morse code or something strange, or fan speeds, or cable harmonics, all this stuff. But like I said, that's really, really high tech and not often what's needed. And I mean, I love my picture there of the monitor on the copier, right, for that physical access in case that's all we have is the ability to print something.

And when we're talking about trying to get data off of a network, there's all these controls that organizations are putting in place. There's a considerable amount of time, effort, money, et cetera, all trying to prevent what we had to do. You know, our small list: you can limit the open ports, which most orgs are doing. Yep, only HTTP, HTTPS, although you'll still find even large orgs that somehow forgot about some random port that suddenly you can get access out there that's not covered by a firewall or a proxy. SMB, oh, let's not, yet. Please, no. Although it does happen, SMB. Although I've seen SMB in, that's even worse. Let's move past. Then we have next-gen firewalls, right, seeing what's going on, doing that deep packet inspection, all those intrusion detection and prevention systems, the inspection proxies that are ripping apart everything that we tried to hide over that TLS encryption, right? Let's break that apart. Then you have your DLP software making sure people aren't opening files that they're not supposed to, with credit card information or whatever it might be. Then your drive encryption so that people just can't walk off with your laptop, hopefully. And then, you know, of course we have NetFlow and other things that are showing what devices are actually talking to and where, right? All of these things that somebody is going to have to try and defeat. Of course, once again, if you don't have all of these things, maybe having somebody trying to actually exfiltrate data should not be one of your top priorities.

But that's what we were trying to solve way back in 2018, hard to believe it's been four years. We were actually doing a red team assignment, different from what we typically do. We're pen testers but we do red team as well, right? Pen testing, if you're not familiar, the difference between red team and pen testing: pen testing is down and dirty, we have like this much time to get wherever you want us to get to. Red teaming, we're going to try and be really stealthy, we've been on the network for a while. And our problems really came down to that last bullet point: the blue team was really responsive. You messed up at all once and they were on you. We made a small mistake on one device trying to test a website to see if we could get a phishing campaign to work; they caught it, that domain was burned. I'm sorry if I'm echoing, I don't know what I did wrong. But our client wanted us to exfiltrate data, right? They had these controls. They only allowed HTTPS out, not even HTTP. They proxied everything, they were ripping everything apart, they were inspecting it. They limited where we could go, right, we had very limited domain options. Content filtering, DLP software, everything. We knew that they were ripping the traffic apart but we couldn't tell what they were using, right? And they wanted us to get this file that they gave us that was full of credit cards and other sensitive information and see if we could get it somewhere. We didn't want to try the good old S3 bucket; they weren't using the cloud. It was 2018, this institution hadn't moved there yet. And we knew we had one shot.

So Mic, myself and another gentleman were sitting around, we're discussing, we're like, what are we going to do that might mask this and let us get some data off of this network? We need something that's quick, we didn't have a lot of time, we're getting towards the end of the engagement, and we need something that's low-tech, right? We don't want to invest the time and effort to try and get one of their devices to do some strange harmonics on a cable or something. So we actually said, what's normal in web traffic that's there that probably isn't going to be looked at by anything? And that brought us to cookies, right?

So just to do a quick overview, because people are at different levels with cookies. Most people, probably, if you deal with HTTP traffic on a regular basis, this is going to be "why is that guy explaining cookies?" But for the people in the audience that might not: so, example there, that's a request, there's a cookie in it that's being sent to the server.

In normal traffic that would be set one of two ways that would be common. So either a response header would have come back that said Set-Cookie and provided the value, or a response of some other kind, like a JSON response would be a common one, sent the value back and then JavaScript on the page picked it up and shoved it in through the browser's API. Those would be the two ways they normally would get set. And then when the requests go to the server, whatever the scope is for the cookie, those cookies get included in a header just like in the picture there. And the important part is, as you see from our website, Secure Ideas, right, it's pretty much unintelligible right there. There's nothing there to give you any indication of what it is, and if that's what a system is looking at to determine if this is normal behavior or not, we were pretty sure we could do something that would look kind of like that and bypass all of those wonderful controls. Which brought us to Cookie Monster.

So cookies have a max size, right? You can't just send that whole file all at once; it's going to be way, way too big. So we said, let's, you know, come up with this idea: let's encode the data, take that file, just encode it, read everything, read the contents and encode the contents, break it apart into nice-sized chunks, send all of those out in a request as cookies, merge it all back together on the back end, bam, we have a file, right? And of course we needed a mascot. As soon as you build a utility, if you don't have a mascot it's not a utility, right?

Okay, so Cookie Monster v1, back in 2018. Built on Node. We had a web server, in our case it was Apache, because we wanted to have that TLS encryption, just because we didn't want to send anything over HTTP, and it wouldn't have worked anyways through the proxy, so we had the cert. And then we had the feeder. The one thing that we found on the network, which was very nice for us, it was 2018, so PowerShell was still a very good attack vector back then, right? Not quite as good now, we can have discussions about that, I think it's still a good attack vector, but PowerShell was enabled, we could use it. So we built the feeder, the script, around Invoke-WebRequest. This is sending, just like it sounds, a request as if it was like a browser to a website. So we encoded the file in memory, all right, took up a little bit of space. We used that normal cmdlet to bypass them if they were looking for something using a .NET library, because that is a little odd in most cases. We made sure to set the user agent on the request so it didn't say PowerShell, right, that would be kind of obvious. And then we also said let's allow it to send a whole bunch of files, not just one, and then put that random sleep in there so it's not just, you know, sending request after request after request. Let it take some time, somewhere between, oh, like half a second and a minute, whatever you want, to make it look a little odd and not sit there and be in a consistent state. It was simple but effective.

And, you know, you look at that and it looks very different from our cookie, and I'm kind of embarrassed to say that this is what we came up with, but we were running out of time. And the funny thing is, it worked, right? This bypassed their content filter, their inspection proxy, everything. To us, any person looking at it who has any idea what a cookie looks like, this looks pretty odd, right? We've got double slashes in the front, and that was because we were encoding certain things we didn't want it to be able to see. That's not normal. We have some random integers in there that are telling Cookie Monster, the back end, hey, this is part one of X, so that incremented. And then we had our payload, which is the first, that was part one of the file, and then we had some other bad things in there, right? The web server did things like said okay, whatever. But overall it worked. If somebody would have seen this while we were going through the 45 minutes or so it was sending the data, you know, they would have instantly known it was wrong, right? If they would have gone to that website that we had picked when we got that domain name, it would have errored because of no cookies. It was down and dirty, but it worked. It's not good enough, we know it's not good enough, right? That was like gen one.

Let's do a proof of concept. We needed to be better. We need to be hiding in plain sight better than we were. This is a picture of a snake. Do you see the snake? No? He's right there. Do you see him? It's a copperhead. Okay, can you see him now? That's the nope rope, that's the bad end of the nope rope. You don't want to get bit by it; it would be really, really bad. Okay, this is one that Mic saw when he was running. When he was running, that's not true. Yeah. This is what we needed to be, we needed to be like this guy.

So we came up with version two. We said, all right, let's take a step back. We want to stick with our same premise, but things have gotten better, right? We're sure detections have gotten better, so let's set up some other stuff for us. Number one, let's set up a unique ID for our device, because before it would accept, like, if we had four computers all sending files at the same time it was going to get confused really fast. So let's add a unique ID. Let's do some better padding, let's get rid of that slash in the front, right, let's do something a little bit better. Do some graceful handling in case the server goes offline or something strange, so that we can do some retries, because when you encode the contents of a file and you miss a section, you pretty much lost everything. Mic made a beautiful UI, all right, a functional UI, and a whole bunch of other enhancements. And then we put it on GitHub, because, well, once again, we think this is going to work. I admit we don't know if this version is going to work. So when we get to the question time and you say, is that going to work, we're going to say maybe. We have no reason to believe it won't, but we admit, as of right now, no one has paid us to try and exfiltrate data out of their network. If you're interested in helping us test this, please let us know, reach out, right? We'll be happy to do it. Or if you test it yourself, let us know; we want to know.

So the server enhancements, all on Mic. Oh, that's right, that's me. That's you. So I rewrote it, like, pretty much the whole thing. Updated it to Node 18 is what I was using, but it would probably work on 14 or higher. So, user interface is there. Still doesn't have built-in TLS but we do that through a reverse proxy. Definitely, if you're using it for real data, even in, you know, a testing environment, be nice and TLS encrypt the data. Keeps a lot of stuff in memory at this point in time. When Eric wrote that bullet point, that's because that's what I told him, but it's not actually entirely true anymore. Oh, I need to change it. All right. It does write a temp file at one point. But yeah, so it still reassembles, still decodes, and it can send, well, it can send one command, actually. Am I premature on this? Go ahead. It can send one command to the server; it's kind of hard-coded in there, it's whoami. So you can send whoamis up to the server. Yeah. We didn't really want to push out a full C2 framework because, you know, ethical concerns and all that. So we did it that way, because that way if anyone uses it they'll probably get detected. That's right, hopefully, because everybody knows whoami is the immediate notice that you've been compromised, right? whoami equals you're in trouble. The only people that don't know who they are are people that don't belong there.

So the feeder, still using PowerShell. I like PowerShell, right? Windows guy, I like PowerShell. I know it's protected, right, you can do all sorts of things to see what's happening if you've turned on the logging and everything else; many organizations still haven't. It's a little bit more customizable. You can set any user agent you want. It has a default that looks like a Windows 11 box. You can set it to go through your own proxy. You can reconfigure the cookie size to be anywhere from, well, pretty much anywhere, but you don't want to go over 4,000 bytes, I think, is that the limit? And now it adds some other things in there, right? It goes to a random page itself; it kind of picks some random page to go to. And it has that heartbeat option. And yes, we did originally have the idea that we wanted to accept commands and do functions based upon commands, but that was a little bit more. We like the idea of this being a way of testing your exfiltration controls right now, more than a command framework. It probably could be expanded out, but we'll leave that up to you if you want to do it.

So now everybody needs to, like, hope with me, please work, that the demo is going to function, because as you all know they never do, but hey, we'll see what happens. All right. No, minimize. Thank you. All right, so here we go. Here is our file of credit cards. I don't have DLP on my box, right, but, you know, we'll assume we got past it. Just random credit card numbers. And just to show that it's a new thing, where are we? We're in BSides Las Vegas. All right, so over here we have our feeder. So it's a simple little UI. Can everybody see it? Here, let me make it a little bit bigger. There we go. So, you know, you can change a couple of settings, you can add some things. Oh, we're out of frame. We're not in frame, sorry. I'm going to start the server.

And so over here we can look at the PowerShell if we want. I just have my simple little script. It says invoke the feeder, Cookie Monster feeder, give it the URL I want to go to, the base URL, a proxy, because I want to send it through Burp so we can see what it looks like, and the file name. And now everybody crosses their fingers. Hey, all right, we are successful. It worked, at least it started. So here we go. We can see that it's getting data, and if we look in Burp, right, it's sending us to random pages, and to top it off the server is responding back with data, right? Yeah, this is a big win. You know, it's not just something, you know, that says hi. Yeah, it's a small selection; you could put more in if you want, but it's our small selection, and it's running through. You can see it's doing all the GETs we have it doing. Again, it'll do any web method you want. What we've found is, you know, MITRE and many of the other groups that are seeing how data exfiltration happens, it's via POSTs. So if that's one of the things your data exfiltration monitoring is looking for, it's not going to catch us, because we'll do a GET or a PUT or whatever we feel like, DELETE, it doesn't make a difference, TRACE, or we can make up our own method, whatever we want. Yeah. And we can see, here we go, the cookies look a lot better. That looks a lot more normal, right, like a cookie, and that has everything. So we also included, we decided that our identifier should be like a Google identifier, because everybody's using Google for tracking their website, so there you go. So that identifies the box. We still have our session data that's holding it, but we added a random letter in the front. All right, so in theory my file is sitting over there.

I'm just going to SCP to the box to grab my file. Oops, helps if I change the IP address.

All right, and in theory, if this worked, there's my new file, the exact same one. It worked. Oh, always a good day, always a good day. So, but just to show, in case you want to do the other thing, we have this other option for you. So now Cookie Monster is running in the background. Every 30 seconds, or if you want to change that, he goes out and he just does a quick heartbeat to the server. And we can see there, there he is. That should match him, but I'll trust it matches. It matches. And there we go. We're going to do the one command, whoami, and then we just sit here and we wait, and we'll go back to Burp. There was the response back from our server saying hey, please do something. So we said set the cookie, my server, and Cookie Monster responded, and there you go, right? So normal web traffic; it looked just like web traffic. Once again, we set this up just to do this one method, right, using PowerShell. It doesn't need to be PowerShell, it could be anything you want. All right, so let me go back so I can...

We didn't really explicitly call it out up there, but a lot of people probably recognized that cookie was base64 encoded. Thank you. We threw another character on the front of it, just a random character that we ignore, but it's enough to throw off the padding of the base64, so if you grab the whole thing and decode it, it looks like junk. Yep. So if you just grab the actual encoded part you're good. But once again, we're not trying to defeat people, right? At no point am I trying to defeat a real person who's looking at this, because if your job is to be looking at every single web request going out, that's a really bad day, I'm sorry for you, right? We have systems that do this and we just need to defeat that system.

So pros and cons of Cookie Monster. Pros: standard high-use port, right, web traffic happening all the time everywhere. It runs as any method; we could make up anything we want, once again it doesn't care, it's just running in the background looking for cookies, right? The cookies are, you know, once again, cookies themselves are typically encoded or encrypted or some random stuff that isn't going to be inspected or useful. Cons: there are cons, you can't make a perfect tool, unfortunately. It requires a lot of web requests to send a message, right? Depending on your file, do simple math: if we're only going to send 500 bytes at a time and you're sending a one gig file, that's going to be a lot of requests. We admit that, but once again you could space it out over a long period of time too; you don't need to send it all at once. It can make some files bigger, because encoding the data could make it a bigger file than what it was originally. And then of course you have to host it somewhere, so if they have some really good content filtering or reputation-based filtering it may not work. But it's there, and once again, we know it's listed in MITRE, it's listed in other places. This is an attack that is known; we just tried to tweak it a little bit and pick an area that might not be used. Setting a custom server header is easier to pick out than trying to inspect cookies. I don't know why a real legitimate detection system would be trying to break cookies apart, but there could be a valid reason. And then once again, your max size is just over 4,000 bytes, because that's the biggest you can actually set with the cookie, or the entire... it's the entire header. Yeah, that header, and everything breaks. Yeah, but that would look weird, that would also look very weird. So yeah, please don't send it that big.

So where do we go from here? Well, you know, we think more feeders would be good, not just PowerShell. Python, we've talked about it. Why even limit ourselves to just a programmatic way? Let's build an actual website that's just sitting in the background looking for the cookies, and then you can browse there yourself and just send the data, and it looks 100% legit, because I'm not actually going to move even as fast or as normal or repetitive as something with a sleep. Or you upload an HTML file on it; I'm relatively confident I could implement that feeder in the web browser. We want to enhance the server some more. We want to store the information somewhere a little bit better. We still need to work on breaking it apart by device; we have some potential limits there. Even better disguises, because we know we can have them, better web pages, like we said, better things to see. Yeah, so a couple options I floated around there, where one would be use an interception proxy to collect a bunch of responses to then pass to this, pass the project file in there, like a Burp project or an OWASP ZAP project, or proxy it and actually point it at live sources and get your responses from there. Yeah, just forward them on. Perfect, yeah. Better obfuscation, redirects, et cetera. We want to have other encoding options. Why limit ourselves to cookies? Let's use JWTs, right? The signature in the JWT, that is a hundred percent unreadable, it's supposed to be. It's always opaque anyway. Yeah, it's always opaque. I mean, that would be incredible; we just didn't have time to do it. Do some iterations of encoding. Have the server actually dictate the cookies, because right now it's hard-coded in both, right? So this Cookie Monster, first thing before it sends a file, goes out to say what should I do, we get the cookies back, to actually look like the server is setting some cookies. All sorts of things. Oh, and let's actually have the ability to have Cookie Monster tell the feeder to stop doing the heartbeat; that would probably be a good thing to add in there. Yeah. And, you know, then we have these other questions. Like we said, the whole command and control framework, is that something we want to get into? I don't know. Once again, we think it would bypass it, but I don't know if that's something we want to be responsible for. You know, people have written command and control frameworks, I'm like, this is awesome, let's release it to the world, oh boy, what did we do, right? That might not be where we want to go with this.

So what's the point of talking about this awesome tool, other than saying hey, we think we made this awesome tool? How do you detect or prevent it? Well, all right, so you're going to have a large number of requests going to a single source. Or will you? Why not have, like, one central server just getting everything from a whole bunch of websites that you create out there? That's going to mask it even more. All right, so maybe that's not a good one. Reputation-based filtering, yeah, that'll work. Oh wait, all of the people who do the reputation-based filtering will be more than happy to tell you the web domains and what their reputation is right now. All right, and it's easy to find domains that are expiring. Okay, so we can't use that. Sending cookies without getting it from a server, okay, that's pretty strange, except all of the websites that say remember me forever. Yeah, because of long-lived cookies, it wouldn't be that weird to see traffic today that you didn't see a Set-Cookie for. So, you know, let's see, cookies being rotated without the server, yep. The endpoint protections and heuristics, absolutely, but as we all know, those, you don't want to put all your cookies, ha, in one basket, right, or all your eggs in one place. They can be broken, and let's face it, that may not actually catch it, depending on what's going on in the background. It all comes down to what everybody's been talking about, like all the keynotes and everybody: what's normal in your environment? Where are people talking, where are they suddenly going that they weren't going to before? That's what's going to detect it, right, knowing that level of information. But maybe we missed something, right? Did we write a utility that nobody needs? Did we solve a problem that didn't exist? Anybody have any ideas? I think we came up with something different and something a little unique, a new take on stuff. How would you protect against it in your environment? That's why we came to Breaking Ground,

right? We're like, hey, we think we have something. We thought we've come up with ideas to break all of the ways that a system is going to try and detect it. What did we miss? Anybody have any ideas? If you have a question, let us know, right? You know, we're here because we want to get your thoughts. You know, know who's using that sensitive data, where it is, don't let it float around. And that's it. So we're really early; we'd like questions, or we could go through the demo again and watch it break. Since we have the GitHub repo on there, I just want to say there's some really bad code in there. Fair enough, and I'm going to repeat that. I said I was a Windows guy; I can write PowerShell. That doesn't mean it's good-looking PowerShell. It's functional, it works, but it's not good looking. So Eric has an excuse. I know better; I run a dev team, and I told my developers, don't write stuff like this, we will have a hard conversation if you write stuff like that. It works. It's not pretty, it needs a lot of polish, but it's there. It's based on an idea we know worked four years ago; we think it's going to work even better now. We'd like to know if it does for you, if you ever give it a try. Any questions? Please give us questions.

Yeah, I've got the microphone here. If anybody has a question or wants to try to answer the question they had at the end about how you would prevent against this, just raise your hand and I can bring the mic over. Please give us something. Coming from the back; it came all the way from the back.

So one question I have is this: in your slide you had, you know, sending cookies without getting them from the server, cookies rotating without being set from the server, or, you know, stuff like that. So, I mean, to me that sounds like maybe a spec change on the HTTP side, you know, to deal with that, because of implementation in the browser. But a question I have, and this is the question: what, in your research, is anyone else legitimately rotating cookies or setting cookies without receiving them first? So are there any false positives we might get based off of that?

So, absolutely, seeing a cookie being sent before it was set will absolutely happen, right? Because, okay, let me take a step back. If you're sending all of the traffic from your devices all the time through the proxy, even when they're at home and not VPNed in, okay, then that would probably be pretty rare. But how far back are you going to take that data set, right? How long do you say, did I see that cookie a minute ago, or did I look back a month ago, right? Because, right, websites remember me forever. So absolutely, looking for a cookie being sent before it is set by the server would give you false positives. The rotating, that would be weird, that would be a weird thing, that would be uncommon. So yes, we do admit that is a limitation. So I think I saw another hand over this way. Awesome.

Hey, just, like, say, really awesome tool so far, I love it, man. My question was, when you said you have the reverse proxy handling, say, TLS connections and whatnot, do you have kind of a fear of being fingerprinted using JA3? Because I know ciphers and things that are offered to incoming clients are being fingerprinted now. I don't know if it's on the internet, but JA3 is a way to fingerprint C2 frameworks and certain endpoints based on the offered TLS ciphers and whatnot. Are there any changes that have to be made to this framework specifically to accommodate, you know, randomizing that, or is that more on the proxy side?

No, so get

your... if you get the certificate from a legitimate source, right, we're not using it for the encryption of the program; we're just using it as normal TLS encryption, if I heard your question right. So the question was, do we need to compensate for specific ciphers or anything as far as going out and being used for the reverse proxy, correct?

Yeah, it was more so just, you know, will you account for being fingerprinted by offering the same TLS ciphers over and over after each deployment of the tool?

So right, so if we would stand this up in multiple locations, or we'd stand it up again, and, like, nginx is what we used, if

we've got a cert for that server, it would be one, right? Whichever website we decide to stand up at the time to host Cookie Monster could have a new certificate, so you'd go through the renegotiation as necessary. But once again, it doesn't need to be the same certificate everywhere.

Okay, cool, thank you.

Yep. I think if I wanted to make it distributed I'd probably stick it in there as an endpoint behind a bunch of, like, CloudFront instances or something like that. Who else has a question? Up front first. Anybody have a better way of detecting it? Come on, I know there are a lot of smart people in this room, I know you're smarter than

me too.

Yeah, like, I guess if you want to add, like, more obfuscation techniques to it, or maybe make it so that there's not so many patterns, would it add too much complexity if you have, like, a little... I know there are a lot of links that have, like, really crazy parameters, or, like, when you visit Google, sometimes people's websites have, like, a bunch of garbage, what would look like garbage parameters, and it looks like a really crazy link. So I'm wondering, if you do have obfuscation and maybe throw in some parameters and use that as alternative sophistication, would that add too much complexity to the

project?

We could. I mean, we absolutely could have it send parameters; it would not add that much complexity to what we're doing, or having the web server respect it, right? It's just extra development programming. Yeah, I don't think that would be difficult at all. So yeah, to add some kind of generated parameters in there, right? We just don't want to... we actually just don't want to send any real data through it, right? The whole idea is to keep all of the important data stuck in the cookies.

Cool. And would it help at all, like, to kind of alternate the obfuscation technique you're using in the cookies?

Yeah, possibly. Possibly. Like we said, talk

about JWTs is the way we definitely want to go next. Yeah, JWT signatures would be a neat hiding spot. You could do possibly some, like, Base64-encoded image uploads, you know, you could stagger it in there. There are options; there are a lot of ways to go with it in terms of more variety. And another simple one would be to just renegotiate what names we're going to use for the cookies periodically, so that they're not always the same cookie names. Those could also change. "session" is common, JSESSIONID is another different common name for a session cookie, but it doesn't even have to be either of those; it could look like a Cognito

cookie. Yeah, lots of options.

Yeah, you mentioned one of the drawbacks of the tool was that the data would be going out to an unknown host, right? And, you know, obviously setting something up at the last second as a destination is risky, and I've been in situations where outbound proxies are incredibly, extremely stringent. I mean, have you done much research on, like, anything with, like, legitimacy you can hijack, like a Google Sites or, like, an old defunct cert you can renew yourself? I mean, maybe outside of that part, but, like, any...

Yeah, I mean, so extensive research, no. I mean, when we need a site we have our places that we go that list recently expired sites. You

can check those through any of the tools to say, what's your reputation, do you have one, right? They provide it for you. So beyond that, no, I have not done extensive research into, you know, using this specific item or one that will absolutely be this utility versus another.

Hey, I have two questions.

Sure.

The first is, have you thought about using WebSockets to create that connection and send the information? It's like a continuous connection.

We actually did discuss that, and so we went back and forth. We think it could work, but would that be inspected more than not? So that's one of those... it was one of those trade-offs and something we debated potentially doing. Yeah, it really came down to, we were afraid that that would look more suspicious to somebody watching.

Which kind of feeds into the next question, because if that is the typical way that client communicates on the web application, could you take that into

account and maybe, first of all, clone that way of communicating via WebSockets and use that as the base for your communication? But then also, could you take the cookies they typically send on their applications and then name them accordingly, to then bypass any filters that might come on to the names of the cookies from before?

Absolutely, right? If we wanted to, once again, we get to dictate whatever we want. The whole idea is, as long as what I am sending is understandable by the server, it doesn't make a difference, right? So we could pick up the cookies; if we found a website that we really wanted to clone, we could, right, assuming it had the right

number of cookies in it for us, which is four right now, four or more. So we could, but then of course you have the other problem of, hey, that's saying that's rsa.com but it's not, right? So I'd rather go and pick up my sites now, like my five, six financial sites that have expired or whatever, rated, sit up there, put up a good website that says coming soon, and then when we need to exfiltrate data we just throw a Cookie Monster in the back end, right? And it's waiting there, ready.

Cool, thanks. Really interesting. Also the idea of a C2 server sounds really interesting with this as well.

So risky. Exactly, that's where we were. We're

like, this would be awesome, because, I didn't say it, I have a hate relationship with Metasploit and many of the other frameworks out there. I will type something and say go, and I get that horrible "exploit ran but session failed" whatever. A peer of mine, Nathan, would go up there, just hit enter, and it works, right? So me, no, bad, I'm not good with C2 frameworks, so I like living off the land. Who else has a question? There we go.

Hey, thanks for the talk. Quick question: so you mentioned that the file you're trying to exfiltrate, it'll break down and have, like, an ID as part of each request going through,

right? So the file's split into smaller sizes. If you're exfiltrating a large file and maybe some of the requests time out and they don't send those chunks, can you, from the server side, say, hey, request part 5 or something?

So yes. So there's another part that we started; we went down that path of, hey, have the server tell me it failed or not. And what we decided instead is to just... we're doing it sequentially, right? So server goes offline, the feeder pauses, tries, pauses, tries, and once it gets a good message it'll continue again. We did discuss the whole "let's send a final ack and do everything"; it just came down to time before we got here. We do

pen testing a lot, and this was a side project for Mic and me that was...

Yeah, that makes sense.

That was the scope creeping on me, because I decided to rewrite a thing. Yeah, we write a thing to do a thing. Yeah, and so we did change, and so let me find... I've been heartbeating in the background as we've been talking, so let me find somebody. So we changed the entire mechanism, right? This ID in there... oh, you can't see it because I'm not sharing the screen. This entire ID in there is actually the encoded, you know, this is part... we have 28 parts, this is part 2 or whatever. So it still gets that information; it's just

encoded in a better way.

Okay, cool. Yeah, I mean, my main thing was, like, obviously if you're exfiltrating a large file and it fails, you don't want to repeat the entire process all over again, so just be able to say, oh, I'm missing this part, can I just request this only?

Yep, that is definitely something that we've talked about, and so it would be a good addition to put in, just time. All right, thanks. Any other questions? Make sure you're not the

Hello, I wanted to ask one thing. I suppose this is quite stealthy on the network level, but what about the detection when you have, like, Windows Defender and you're doing the Base64 encryption or use the Invoke-WebRequest functionality? Does this get detected a lot, or what's your experience with...

Yeah, no, by default. Okay, so as of right now the feeder has not been submitted to anything that's saying it's malicious. That could change, and then it would, right, and then Defender's going to pick it up. But the behavior that we are exploiting underneath the hood, no. It's Invoke-WebRequest; it is an expected behavior of PowerShell. We are

doing nothing malicious at all, right?

It's not malicious, but I think nowadays when you're Base64 encoding, for example, or when you're using the Invoke-WebRequest, it sometimes gets flagged because it's unusual activity, so it might...

Yeah, so if you have the full Defender suite, identity and all the cloud, it very well could. I can't speak to that. The default Defender endpoint protection on its own isn't going to care. Does that...

Thank you.

Yeah. Any other questions, thoughts? Is anybody going to download it and try it? Awesome. Who's going to download and try it? All right. eric@secureideas.com, mic@secureideas.com, let us know. All right, not a difficult email address.

Please let us know how it goes, because we only get to try it when somebody pays us to. So, you guys...