
Okay, ladies and gentlemen, we have our final speaker of the morning session, Andres Tevez, speaking with us about offensive Rust tales. Not too offensive, we hope. No, definitely not.

Okay, so I am happy to be here, and after the past two years behind webcams this is great. Okay, who else in the room participated in red teaming in the past years? Okay, at least one guy, that's something. Okay, would you like to execute my binary? Okay, that's good. So how many of you are using corporate laptops? Okay, some of you. Most of you use Windows, I assume, and do you use an office suite, like OpenOffice or Microsoft Office? If Microsoft Office, then this will be an interesting presentation.

Okay, about me: I am Andres Tevez, currently working as a senior IT security researcher at Cujo AI. I have more than 15 years of IT security experience in different fields: I was a developer, researcher, penetration tester and I think many more things. You may run my code in production; if you use syslog-ng, for example, then some of that might be my code. Okay, I have done security research in the past 10 years, more than that, but it's rather hard to present at a conference if you are not called a security researcher. So when I was working at a bigger company like Morgan Stanley and I went to my PR team saying okay, I hacked this and I would like to present about it, then they said no, please, no, please don't. So I changed, and now I am trying to present something.

The presentation will be mostly about red teaming 101, because we have only one guy who participated; that's great, it might be helpful for you guys. I will provide some details about when you should do red teaming, when you should execute it, what it is called, what it should look like, who should do that and of course why you should do that.
Okay, so a red team is a group of professional people, hopefully professional, and this is the key: authorized to do something like an emulated attack, achieve something, gain access to your systems. Is it familiar to you? Did you do something similar, like maybe pen tests? Yeah, it's similar. If you go to a pentester company and ask them to do something, they will focus on an application or a website or some mostly simple thing, and they will have limited time because you won't pay enough for them, so in most cases it will be 10 days or something, and one or two guys will be there or will help you. So time is limited, and the penetration test in most cases is rather noisy, so if you have a team who can detect, they will detect it if they are not sleeping.

A red team, on the other hand, is a bit different, because in that case you have those guys. So a red team is more complex, because in that case you are not really focusing on generating as many vulnerabilities as possible in a network; rather you are focusing on how to do it end to end and what will happen from the other side. So if you have a blue team, most of us don't have a blue team, but if we had one, then that blue team should detect an attack, and if the red team is good enough they can fight, and that could be interesting. So red teaming takes more time, it takes more resources and it takes more money as well, but it should be more silent than a simple penetration test. Maybe you have heard something about ransomware gangs; is it similar? Yes, it's rather similar, but in that case you pay much more and you lose some data as well. So not that serious.

So why are we doing this? I am doing this because it's fun and it's interesting and challenging. From a customer viewpoint or from the business viewpoint, it's a relatively safe option because you know who is coming, you can define a target, you can tell them this is the service that you should reach, this is our Amazon production service, if you can reach that then we are happy, and please document what you did.

Okay, next up is the who. If you are a big company then you should have a red team, so it's an internal one: you maintain that team, you pay them lots of money and then they play with your network, and if they are good then they will kill the network and everybody will be happy. In Hungary the more realistic way is to pay for someone and search for a professional company who can do that for you. I am not sure if there is one in Hungary.
But did you see... The other question is when you should do that: if your organization is prepared and if your organization is at least partially confident that they can catch an intruder. And by catching an intruder I don't mean grabbing his hand at the gate and taking him away to a back room, rather catching them on the network: if they are doing something like executing an unsigned application on your corporate laptop and then gaining other accesses and you can catch that, then you are there, you should start a red team exercise.

So, BTW, I found this for my presentation when I was looking up documents; this is a great representation of how all the teams should cooperate in a network, or not in a network really, in a company. This is valid for a huge company like a Fortune 500 with 14,000 people. If your company is, let's say, 100 people, then you definitely won't need this, or all of this, but you would need some yellow team. You know, yellow team: most of you are developers, so if you are a developer you are part of the yellow team. There are green teams, DevOps, DevSecOps, something like that. Yellow, that was okay. So the orange team is basically training: if you are learning something about phishing, if you are learning something new, then that should be done by the yellow team, orange team. And I will talk about red teaming. Blue team is the opposite of the red team: they are trying to defend the network. If they catch you then you might get fired; if you have a paper that says you can do that, you might not get fired, you might get a promotion. And the purple team is when you are mature enough and all your red team is willing to do blue team stuff and the other way around; then they are merged into a purple team.

Okay, let's look at the typical attack scenario, how this should work. Normally we start with information gathering. If you have an internal team this is rather easy: you sit down and go and ask the users. If it's an external company, then they
should go and look up data in their own way: so go to Shodan, DNSDumpster, execute port scans, go to LinkedIn, maybe you could go and try to get a job at the company, just saying. If you call HR, HR will provide you lots of information, like what systems we are using, what competencies we are lacking because we would like to hire someone, so we should not have that, right? Okay, the next step is to decide how to evade and how to get into the system. In most cases companies are using email or Slack, but email is more common because it's more integrated with the external world, so you might get an email.

In the past you might have gotten phishing email protection training, like what you should not do: don't click on a link and don't download it; if you download it, don't execute it; if you execute it, then don't let it run the show. Why? So infiltration gets somehow into the network. Physical access: in the modern world, like, best from here, you can do physical access red teaming, like get into an office and use your lock picks and pick the office door and get into the office and see how you can get access to a server room. Normally we have a server room that's well protected, but there might be a back door, and that's what you aim for directly.

Okay, let's assume that somehow you did send in an email or you did send in a link and you have at least one user who was somehow asked to execute that binary; we call it the stager. The next part of the presentation will be more about stagers and how they should work. Okay, corporate laptop, yes?
No, I don't want to do that. So, gain initial access, execute something. It can be a file, it can be a binary, it can be anything. In a Microsoft environment you can execute help files, and those help files can execute other binaries, or you can open an Excel file and those Excel files could execute binaries, like commands or PowerShell; you know, Excel is great with PowerShell. And if somehow you executed your binary, then that's the last phase: then you are going for the target. Just an example: if you have a production system and the production system is running on AWS, then the red team should get access to the AWS systems, like use the VPN, but the VPN is very protected, is it not? Like security tokens, passwords and sessions and all the other stuff.

Okay, let's move forward. So as I mentioned, with sending an email the victim is somewhat known: we did our homework, we did collect his, I don't know, laptop; we know that he's running Windows, we know what components are running on his laptop, like we know at least the antivirus, maybe we know the version, maybe we might know the firewalls if there are any. He downloaded the binary or stager, and then here we must bypass some protections, like if you download something from the internet the browser is telling you don't do that, don't execute it, no, no, no. But you are executing it because you would like to do something, you would like to update a system. So if I, for example, call you by phone and tell you that I am from, I don't know, an antivirus company and I will push you an update, and this update is rather important because if you don't execute it then your ships will die, or I don't know, or your apes will be lost; that's better, you will lose your apes. So you execute it. The execution will download something from the internet; that's the red team. In my case, in this later demo, I downloaded Pupy, and I will dub it "poopy" later because it resonates better.
How we should use that application: so it's Pupy, and puppy, and also we have a component called hidden VNC, but my... sorry, whatever. So let's hide them: VNC behind that, connect to me. Hidden VNC will be interesting at a later stage. Hidden VNC is rather similar to VNC: you can get access to a computer and you can run applications on that computer. The good thing is that you can see the output of that application but the user can't, so you can copy things and execute browsers: you will see the browser window but the user won't see it. You will have the same session, and with that access you can access anything in the browser, like cookies, tokens, SSO; if you have passwords saved in your browser, maybe, then that's also there and it's also accessible. So that will be the demo later. Let's get back to information gathering.
Here I would like to provide some details from my investigation about how to discover valid users in a system. I ran into this, I tried to report it but nobody was really interested, and after, I think, two days, two or three days ago, I discovered that this is well known. So it was just new for me, but it's interesting. So, information gathering. Do you know Microsoft? Yes, yes, we know. And do you know Azure? Most of you are using, I assume, Azure AD, maybe Microsoft Office from the browser. How are you authenticating to that? Yes, it's OAuth2, and OAuth2 is great because it's integrated, all the users like it, they can get in without providing new passwords, so it's a great thing. This is a window: if you are trying to log into Office you will see this window, and it depends on what data you put in. If you use your private email address it will show you something; if you use your corporate email address it will show you a totally different thing. And there is an authentication backend for this, and the authentication backend decides based on many things: you provide an email address, it has a domain part and it has a username part, and it will provide you details about that specific user. So if you send something to these endpoints then you can figure out what the email is: is it a valid email address, can you log in with that, is it locked out, is it throttled maybe; you'll see it later. So you set an email address, you get that window, and you might get a simple login window if you are kim at g-something-something; you might get this window if you are kim at d-something-something-something; hopefully nobody knows this window. Okay, try to remove as many features as possible. And there are interesting places: when you provide one email address you might have different authentications for that, so you can authenticate directly and you can authenticate with a federated authentication. This is rather strange, I didn't know about that. Okay, let's see what's behind it.

So there is an API called GetCredentialType. If you type in your email address you will see those, like we will know that you have a certificate authentication param, can you authenticate with Facebook, can you authenticate with FIDO, Google, is there a password at all... and we can, oh, Microsoft did remain in, okay. So if you go down you see much more stuff, like what branding information is there, what logos the company is using in an email. So imagine a case where you would like to send an email, a phishing email, and you don't have the logo for the company; here it is, Microsoft stores it for you, you can download it from the cloud and then
you can use it. I think this is great for phishing. And I would like to highlight this, here is the most important part: if that's zero then we are okay, if that's other values then we are more okay. Okay, let's see some great animations. So we have two things: we have federated authentication and non-federated authentication. Federated in this case means that someone else is doing the real work and Microsoft is just interfacing with them, and then Microsoft creates a token and you can use that token. There are tokens, click click click, okay. So depending on your domain you will get a federated URL, and the federated URL will do the authentication. This is not really important for us, because we need to go to the federated endpoint and figure out some data about the users. But if you are not federated then there is the IfExistsResult value, and let's assume that we have a random string in our email address: that IfExistsResult value will be one. If we have a valid email address then the value will be zero. So what happens if you would like to figure out an email to attack, or to figure out a victim's email? Yes, you try three, four times and then you will get an email, and there is no authentication happening here, so you can basically ask a thousand times, a million times; maybe at the million you might get a throttle, but that's it. There are also other values here. There is one for throttling: so if your authentication is throttled then that value will be two. If there are some errors then it could be minus one. Four and five and six are for federated authentication, or it might be federated authentication. Is this similar? Did we hear something like this in the past, like a web application: if you go to a web application, provide your email and type in a random password, and then what happens? The application tells you that okay, your password is wrong but the email seems to be okay, so maybe try some new passwords because you might figure it out. Or the other way, like normally we should tell the user here to go away, something is broken, we don't know what, or your authentication session did not happen, try again, but definitely not telling anybody that it's a valid user in the specific domain.

So, infiltrating infrastructures. Infiltrating, this might be interesting. So as I mentioned, we sent in an email, and in my case it was a simple email, and the victim downloaded the binary and he executed it because he was instructed to do so by his boss, by someone. What happens in a system if you execute... first let's start from downloading. If you get an email and there is a link in that email, you would like to download something, so
you go there, click on the link, and Chrome and Edge will tell you that it's an exe, don't do that, don't execute it. But you will, because you are people. If you have a huge binary, like more than 65 megabytes I think, then the browser will simply ignore it: if it's an exe, who cares, it's a big exe, so we don't scan it, let's go through. Okay, next up, Mark of the Web. Have you ever heard about Mark of the Web? Okay, some. If you download something from the internet, most browsers will use alternate data streams to store info about that data, so it will be marked as external data, it's from the internet, mostly it's from the internet, so it's not safe, please don't execute it. SmartScreen might yell at you not to execute it, but you will execute it. Those Marks of the Web are interesting because if you download a zip file and you happen to use 7-Zip, then 7-Zip is not really using Mark of the Web, so if you unzip something from a zip file with 7-Zip it simply drops the Mark of the Web and you will be safe, because you are the one who unzipped it. The other option is that you simply use an ISO file: you download the ISO file, it's a huge ISO file so we don't mark it, and the ISO file itself is marked by the Mark of the Web, but if you click on it Windows will happily open it and mount it. You will have a virtual CD-ROM and no Mark of the Web in the virtual CD-ROMs, so you can execute binaries without any yelling.

In my case the small disk footprint is 1.2 megabytes, so it depends: if it were a virus then it should be much, much, much smaller, but this is a small footprint. My application is doing some data gathering, like figuring out what user is running it, which domain it is running in, so if we are in the proper domain and executed by the proper user then we are happy and we will download components based on those. If you are somewhere else, like you are executed in a sandbox, those sandboxes
won't have the proper domains, so the application won't execute. This helps us target a specific attack, and it will also make the life of the protection, so the blue team, much harder, because normally they won't have any details about the attack: they will have a binary that's downloading something from somewhere, but if they don't know specifically the username and the domain then it won't be downloaded by them. So everybody is happy except the blue team. Sandbox evasion: please raise your hand if you have seen a sandbox with more than eight gigabytes of RAM. Okay, okay. Have you ever seen a sandbox with four CPU cores? Okay, might be. Can we detect these values, like is there an API to query it? Yes, sadly, but there is. So those two values can bypass mostly all of the sandboxes, and that's it. As I mentioned, I will have plugins, I will talk about it later. A plugin in this case is a simple hex binary. I could encrypt it, but basically I used HTTPS so I don't have to encrypt it again, but we could specifically target it for the user, and based on the username and domain we could encrypt it as well. So if someone downloads it there is no key really, because the key is based on the environment; the key is not in the binary, so if someone is looking at the binary they won't have that key.

One of my plugins is the VNC implementation. I should definitely switch off the Wi-Fi. So the hidden VNC is great for accessing browsers and other applications; we'll talk about it later. And as I mentioned we have multi-factor authentication. You know, if you use multi-factor authentication, like two or three or four steps and biometrics and other stuff, what will be the end of an authentication, what do you have? Some ideas, like a hash or cookies? You will have a cookie, right? Do you store those cookies in the browser? Yes. Okay, so what happens if we copy the browser's profile and then re-execute it in another process? We might have that data. Yes. Okay, so this was a short introduction so far
and let's talk a bit about Rust. Rust is a great programming language. From the reversing viewpoint it's rather hard to understand; it's doing stuff rather differently. Its main advantage is that the code is ugly and the binary is ugly as well, so if you try to reverse some other programs this might get interesting. It has a static binary, so if you compile something it will be a bit bigger than a normal Windows application, but your malware won't ask for the DLLs, because that's not that good: if you send the application to your victim and he executes it, or she or they, and then the application asks for a DLL, because please download me msvcrt whatever to be executed, you might get past that, but that's a bit harder. So a static binary is great for attacks. Rust has a steep learning curve; steep in this case means that you will beg for mercy after two weeks, and after two more weeks you might get through that phase. Rust also has great async code, so you can create really easy async code implementations; if you are a JavaScript programmer you know what I am talking about: you execute it, you forget it, and then you might use the data or not. From a dynamic analysis perspective this is also great, because I execute a lot of stuff, and if someone is trying to analyze my binary, you go through and find out all the different random parts of the application and they are not really doing anything. To be honest, for me it was strange to see that Rust is well integrated into Windows, so you can create great Windows applications. And these are the rather helpful error messages. So if you are trying to work with Rust you will run into the borrow checker. The borrow checker is something that's trying to protect your code from yourself, that's my view on it, and also it's rather painful to satisfy, but if you learn how to do that then you will be a great Rust programmer, and hopefully you will be better in other programming languages as well. So, helpful message: lifetime mismatch, okay, great. Unnecessary unsafe block: don't do unsafe stuff, no, it's bad for you and others. My favorite was "x does not live long enough": for you, but I do not kill it, what happened?

Okay, so let's talk a bit about how my application works and how my loader works. You know, a loader is rather simple: you download something, execute it, it pokes around, collects some information, it hashes that information, and then based on those hashes it will go and try to find other components. So normally the loader section is totally harmless, it does not do anything, if you don't count that it downloads malware
and executes it, but that's not really bad for me. And we have other components: we have the hidden VNC implementation, not so harmless, it could be used for many things, I will talk about it later in more detail, and we also have Pupy. Pupy is harmless, we love puppies, so it's great: you can execute applications, you can execute any Python code because Pupy has an integrated Python environment in it. So, some Rust code. Every good technical presentation should contain at least some source code. Is it visible, is it readable? Okay. I chose those mainly for readability and to provide some visibility of what Rust looks like. In this case I used Visual Studio Code, and Visual Studio provides some hints, some typings; in most cases that's static, but in some cases it might be misleading. The misleading section is where you are trying to figure out why the hell it is not compiling or not working, but normally it's okay; for a string it works. So these are the three functions that I talked about. exec, obviously, downloads a binary from somewhere, it gets the binary data in a reference, then it creates a thread and executes it. That's great for our purposes: we download something and don't write it onto the disk, so no bad code will ever touch the disk, it will only be in memory. check, as I mentioned, is validating the values about CPU and memory and host names, and if we have enough memory, so we are not running in a virtual machine, a small virtual machine, or not running in a sandbox, then we go through. If you don't pass that, there is the panic exit; panic in this case means we will create a screenshot of your desktop and it will upload it to my server, so I will see who is trying to mess with my application if it's not the target. hash: in this case the hash function is used to identify the domain and the user, and then based on those hash values I can target the user, so if I know that he is using a rather old laptop I can create specific implants for him that can be executed on his old laptop. So this is what happens if you are the target: we will collect information and we will upload the JSON file to our servers. And this happens if you are not the target, or if you are like a malevolent analyst: so if a malevolent analyst executes the binary then we will have his desktop. It's not really useful but it's fun.

Okay, a bit of talk about Pupy. This is an interesting application; it implemented a huge amount of services. Originally I wanted to create a crypter, loader and much more stuff, but after some time I figured out that I don't
really have two years for this, so I started to look for smaller components that are usable in my case, and Pupy is great in this because it has Python, it runs on Android, you can execute it on Windows, it runs on Linux, and because this is Python it's rather easy to create an installer. It handles multi..., it handles scripts, you can generate DLLs, just name it; in most cases Pupy will do that. The only issue is that Pupy is based on Python 2.7, so if you are trying to compile it then you might have to patch it at least 10 times in 10 different places, and that might help you to build a Docker image. The Docker image might work, but in most cases it's not working, but you can figure it out. Maybe later I will push the changes to the Pupy main repository. So this is the nice UI; I think it's unreadable from the back rows, but I try to do my best. So if you ever used Meterpreter or other similar tools then this will be rather familiar to you. I have four more minutes and I am late, okay, let's speed this up. This was about Pupy modules and what Pupy implemented: it has a desktop, it can enable your desktop, it can execute your binaries, SSH, and it can also support persistence. So they created multiple modules to help you with persistence, and based on your level of access it can automatically do that for you. You can copy files, so in my case I simply downloaded my binary and then used Pupy to enable persistence, and my binary is not harmful, so we can execute it automatically.

Okay, let's speed it up again. What the user sees: so normally this is what the user sees, and what happens if you use hidden VNC, we see those. There are some minor differences: if we execute a window here at the user side it won't be visible there, and the same stands if you execute it on the hidden VNC, it will not be visible to the user. This is mainly used by financial malware, because
your money is in your bank, your bank provides you a web application, and the web application is protected by some authentication, and if you are through that authentication this approach is great to defeat most of the bank-side protections. And there is a tiny hint for browser developers: if your application runs in a standard Windows environment you can query the desktop name, it will be Default, but if it's something else then maybe you are not running where you should be; so you might be running in a hidden virtual desktop or any other place where you don't really want to start your browser.

Okay, some more technical stuff. All this is based on the original Windows implementation; whoever is old enough can remember those APIs, the old Windows APIs. Those were introduced in Windows 3.1 in 1992, I think. Microsoft did mention at least four times that they rewrote everything from scratch, everything, and everything is not really true because the core Windows API is there. So since Windows, I think maybe Windows 1.0 but definitely from Windows 3.1, there is this API: you have a WndProc, the WndProc will handle all the messages for you. WndProc was introduced in the original Windows 3.1 and it tried to implement something like multithreading, but it was called cooperative multitasking because you should cooperate with other applications: so if your WndProc is running at full scale and it does something like, I don't know, downloads a binary, then you basically killed all the other Windows applications. So it's not good, not that great. Later they created more stuff. This is the plain old WndProc approach, how it's implemented: it gets a message, the message is something like, in this case, WM_PAINT, so you should be repainted, application, we repaint it; button, list, drop-down is something; and then it must go forward and use DefWindowProc. On the left side, if you see it, there is a SetWindowsHookEx. This is a great function because you can execute it and you can indirectly inject your DLL into any Windows application. Is it good or is it useful? Yes, from my view it's a great function; I have really never even seen an application using it for good purposes in the past, but this has been there since, I don't know, Windows 95.
That was an application, but it doesn't really add anything for us. So how to create a hidden VNC: first call CreateDesktop, then write your own window handler and then implement your VNC, so it's rather fast. CreateDesktop has been there since Windows 2000, and you can call it and in most cases it will work; it's rather easy to use. The handling of the windows and other stuff is a bit different part. So the implementation is server-client based: your application is connected to the server; in this case the victim is running the client and the attacker is running the server. As I mentioned, we have messages in Windows and those messages can be sent from one window to the other, and in this case we implemented a TCP-based WndProc, so if I click on the server application, on the window, then the message will be sent over TCP to the client and the client will do that. We have to do some mapping on mouse coordinates and stuff like that, but it works. Some more unreadable code: OpenDesktop is on the right side, and the left side is how to create your desktop. So Windows provides APIs to iterate over all the windows, and you can figure out which desktop you would like to iterate over, and then to render the window there are APIs for that, and then you can copy it out and you can basically render your own Windows implementation. It's less interesting than it sounds. The server part is totally unreadable, but this is also rather simple: we have a WndProc on the server that will handle the messages that you generated by clicking or moving your mouse or painting, and the right side is how you create a Windows desktop application, so how to pop up a window. If this is familiar to you then I am sad to say that you are old.

Okay, why is this good for us? I am not sure what this application is, but we might execute it, and if we can log keystrokes, then if you read that string this application might not ask for second factor authentication for a month, so if you have the password then you can access all the fine data in this something-vault. Okay, so the left side is the target, in this case the victim, the right side is the attacker. If he executed the application, normally the user is seeing this: so he started his browser and wisely he saved his own password there in the Firefox password store. What happens if we
execute the application in our desktop? We will see the same, so Firefox will provide us all the necessary passwords. What happens if we log into MS Office? Can you guess? Yes, we can access anything in MS Office with the original user's privileges, like basically anything, and because we are talking about cloud editing... And this would be the demo, if I can figure out how to provide sound. So there will be three different parts: the left side is the victim, the right side is the attacker and underneath will be Pupy. So we can see that there is some antivirus running on the application, or the server; the user did get an email that he should download that specific file. He executes a virus scan because that's important, don't execute anything without virus scanning, and that was it: we have an up-to-date Windows system and we just provided access to an attacker.

Pupy is also connected, so we can do basically anything. The user is using his password store normally, so he's trying to access it, he's trying to figure out his password to report this to IT for example, but he doesn't know the original password, so he looks it up in the password store. But we have a keylogger, so we know the password store's password, and we can execute it in our separated environment and we have access to all the passwords. And that would be persistence, so the next time our application will be executed. In my later investigations I figured out that it's better to execute the binary from network shares, because in those cases antivirus applications are almost ignoring them, all of them, so don't use persistence by copying, rather try to execute it from a network share.
And this was, I think this was a reboot, and everything is up and running again; without proper access to the user's computer, hidden VNC is up and running. It will be the same but with a different antivirus; I really did not have the time to execute it with Windows Defender, but it's almost the same. And the best part is that you are protected, because your antivirus tells you that you are protected. It doesn't really detect anything strange like creating new desktops, downloading and executing binaries, loading DLLs into other applications, migrating your binary into an explorer. So that's it.

Thank you. These are the references; I think we will upload the PDF later. So okay, any questions?
So, first, anything?

So just a quick one: what if the AV vendor is disabling the execution of Rust, having a signature for Rust, any Rust-compiled application, and they are disabling that? Sorry, again? I don't know. So what if an AV vendor is disabling the execution of Rust, all Rust applications, because we are not really having a lot of in-house enterprise applications, they are just disabling that? I did not run into this issue, but if you sign your application, for example if you buy your signing certificate for 400 bucks, then everything is okay, I assume, so in this case signing would be the key, I would say. Depends on how the AV is trusting the signature versus the compiler. In most cases AVs are detecting signatures like error roots or something, but the compiler... so you can strip; there is a `-C strip` option in the Rust compiler, and the later... originally it was used by the nightly build, but right now you can use it in any Rust production code and it will strip most of the strings. I am not sure why your AV is marking all the Rust code. I mean they can go for any compiled code, not looking for strings but for like startup code or anything else. It depends, it depends on the AV. Let's talk later. Okay, thanks. Thank you. Okay, Andres, thank you very much. [Applause] It's now break time. The next,
well, the afternoon session commences at 1:45. Thank you.
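Added example (editor's addition, not code from the talk or from the speaker's tooling): the defensive self-check the speaker suggests for browser developers, namely asking Windows which desktop the process was started on and refusing to run if it is not the normal interactive one. It uses the documented Win32 calls GetProcessWindowStation, GetThreadDesktop and GetUserObjectInformationA; the function names, the 256-byte buffers and the policy of treating anything other than WinSta0 / Default as suspicious are my assumptions, and the non-Windows branch exists only so the policy function compiles and can be exercised on other platforms.

```c
/* Added example: "am I running on the user's normal desktop?" self-check.
 * Assumption: an interactive user process lives on window station "WinSta0",
 * desktop "Default"; a process launched on a desktop made with CreateDesktop()
 * reports that desktop's name instead. Not code from the talk. */
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Policy: 1 if the (station, desktop) pair is the normal interactive one,
 * 0 otherwise (including NULL inputs, which callers treat as "unknown"). */
int is_expected_desktop(const char *station, const char *desktop)
{
    if (station == NULL || desktop == NULL)
        return 0;
    return strcmp(station, "WinSta0") == 0 && strcmp(desktop, "Default") == 0;
}

#ifdef _WIN32
/* Copy the name of a window station or desktop handle into buf.
 * Returns 1 on success, 0 on failure (NULL handle, buffer too small). */
static int object_name(HANDLE h, char *buf, DWORD cap)
{
    DWORD needed = 0;
    if (h == NULL)
        return 0;
    return GetUserObjectInformationA(h, UOI_NAME, buf, cap, &needed) ? 1 : 0;
}

/* 1 = normal interactive desktop, 0 = somewhere else, -1 = could not tell.
 * The handles returned by GetProcessWindowStation and GetThreadDesktop are
 * owned by the system and must not be closed by the caller. */
int running_on_expected_desktop(void)
{
    char station[256] = {0};
    char desktop[256] = {0};
    if (!object_name(GetProcessWindowStation(), station, sizeof station))
        return -1;
    if (!object_name(GetThreadDesktop(GetCurrentThreadId()), desktop, sizeof desktop))
        return -1;
    return is_expected_desktop(station, desktop);
}
#else
/* Non-Windows build: there is nothing to query, so report "unknown". */
int running_on_expected_desktop(void)
{
    return -1;
}
#endif

int main(void)
{
    int r = running_on_expected_desktop();
    if (r == 1)
        puts("normal interactive desktop (WinSta0\\Default)");
    else if (r == 0)
        puts("unexpected window station or desktop: refusing to start");
    else
        puts("could not determine desktop (not Windows, or the query failed)");
    return r == 1 ? 0 : 1;
}
```

The station name is checked as well as the desktop name because desktop names are only unique within a window station; checking "Default" alone would accept a "Default" desktop created on a different station. The check is meant for interactive, user-facing programs only: services run on non-interactive stations, and the UAC secure desktop also has a different name, so those processes would legitimately fail it.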