
PG - Maximizing Bro Detection - John B. Althouse

BSides Las Vegas | 28:46 | Published 2016-12
About this talk
PG - Maximizing Bro Detection - John B. Althouse. Proving Ground, BSidesLV 2015 - Tuscany Hotel - August 05, 2015

Transcript [en]

Hello all. [Music] Right, okay, we're going to get started with our next talk, which is Maximizing Bro Detection with

John. All right, we're going to talk about Bro. My name is John Althouse. So what is Bro? If you've never heard of Bro, you're probably thinking the same thing that I thought when I first heard about Bro, and it's not this guy. And it's not what everyone thinks when I say I need to deploy Bro and they're like, okay, is it going in bro-duction? All right. So Bro was created 20 years ago, so it's pretty old, and the idea around the name was more of a 1984 George Orwellian nod, but I like to think of it more as like an electronic all-seeing eye, you know, with some binary there and the eyeball.

All right, so what is Bro? Bro is a network monitoring, scripting and logging framework. It's open source, and it lives somewhere between network intrusion detection systems and full packet capture. So it's not capturing every packet, but it's capturing all the metadata for each packet and the sessions. But it's not only based off of rules either, like a normal network intrusion detection system is. It's session and packet aware, so unlike your traditional NIDS like Snort or something like that, it's not just looking at each packet and then moving on; it can look at the entire session. So let's say you have an SSH session: it knows that you have an SSH session, it's logging that, it's logging how long the session was as far as time goes, how many bytes were sent, how many were received. So we can look at the whole session or we can just look at each individual packet. And what really makes Bro shine is its extremely versatile scripting language.

So we're just going to do a quick kill chain real fast. So on your penetration test or your exploitation of a company, you start off with the recon. How are you going to detect the recon? You can use network security monitoring, which is where Bro is, to log it. Full packet capture is always great. Network intrusion detection systems only if you have signatures for whatever type of recon they're doing against the edge of your network, but honestly you don't really want alerts for recon at the edge of your network, because the internet's a dirty place and that happens all day. Or cloud monitoring, like Pastebin.

So for the exploitation side of things, again network security monitoring, full PCAP is great, NIDS only if there's a signature, and this is when your host intrusion detection systems really come into play. Endpoint is great for the exploitation phase. And then under command and control, everything again, NIDS only if there's a signature, but your host intrusion detection system, your endpoint agent, is not really useful, or you cannot rely on it as your primary source of truth after the exploitation phase. A good example: I was doing an evaluation of an endpoint protection product, and I exploited the system, and the product was just running, like the process name was the name of the product, so of course I just migrated my Meterpreter session into that process and now I'm doing everything as the endpoint agent. A funny thing happened when I did that: it would tell the endpoint manager that it was still alive, but it stopped logging and it stopped accepting commands. So just an example. I wouldn't really rely, at least right now, with most products, maybe not all of them, there could be some really good cases that I just don't know about, but in general I wouldn't rely on them as a single source of truth after the exploitation phase. And then actions: network security monitoring, full PCAP again. So that's why network security monitoring is still valid and important.

So Bro takes the traffic, logs it, you can then action or alert on it. It can do things like capture every file, so every file that's going across the network in clear text, it can capture it and create a local copy of it. Then with that file you could, you know, explode it so that you can do some analysis on every file if you want to. It can find long sessions, so again, because it's session aware, maybe you're interested in really long running SSH sessions. Bro is great for that. And these are just examples of things that it can do, like alert on large outbound file transfers; that's pretty useful. Complex scripts: a good example of a complex script, so let's say you can only deploy Bro on the edge of your network, right, and you have a domain controller inside that network, and you have all this intel of evil domains, right. So if someone does a DNS lookup on one of those evil domains that you know of, they're going to do a DNS lookup against their local domain controller, which is then going to do the lookup outside to the internet. So whatever's sitting at the edge would just be like, okay, well, your domain controller is infected. So an example script that Broala came out with, and that's out there on the internet, it's existing and anyone can get it, what that script does is it sees that DNS request for that known malicious domain, it then waits and grabs the A record IP in the DNS response, and then it waits to see what IP connects to that IP in the A record response, and then it will alert saying this is the true source of the infection. Things like that, so you can get real complex with it. Bro's great with that.

So, yeah, your first look at the Bro logs: it's a lot of logs. You probably can't read all those, so let me name a couple out: communication logs, DHCP, DNS, file logs, FTP, HTTP, certs, IRC, tunnels. There's a lot of logs, and that's just to name a few. SMB. And you can create your own. Also, a good place to try out Bro scripts, if you've never done Bro scripting, is try.bro.org. And just to show you, here's try.bro.org: you can put in your script and then run it against some example pcaps, or maybe upload your own pcap.

But to give you an example of what some of the Bro logs look like, let's say the SSL log here: you've got your source IP and port, responding IP and port, TLS versions, server names, subjects, issuers. And this is for every single connection; it can create multiple log lines. For example, in files.log it's hashing every single file that it sees going across the network. So here we've got SSL sessions, so this is probably a certificate that it's hashing, and then over here you've got MD5 hash, SHA1 hash. Every single file that is transferred on the network, Bro will hash it for you: MD5, SHA1, SHA256, or you can add your own.

Let's go back. All right, Bro Intel framework. This is awesome. This is a part where Bro really shines above your traditional network intrusion detection systems. So let's take Snort again as an example, traditional Snort: if you were given 10,000 evil domains, what you would do with Snort is you would then make 10,000 Snort signatures, and that's a little ridiculous and it doesn't really make sense in a lot of environments. What the Bro Intel framework is, it looks literally like this, it's just a list of intel. For example, here's a domain, so you'll just put your evil domain and then say the indicator type is Intel::DOMAIN, and then you have some details of where that intel came from and whatnot. IP addresses, file hashes, file names, certificate serials. And so it's really easy to just add intel to Bro very quickly, on the fly.

So you might be thinking, okay, great, NSM, network security monitoring, but aren't most sophisticated attacks over SSL? What can you monitor on the edge if it's encrypted? So let's do that. All right, so SSL certs. Remember that threat actors are human, and so they're generally lazy and they'll take the shortest path first, and they have pride in their work. I mean, we all do, we're all humans, right? So this is what your threat actor looks like. And threat actors generally, when it comes to SSL, when they're doing an exploit over SSL or they're using SSL for their command and control channel, they'll generally use either the same cert all the time, unlikely, or the same cert generation tool or algorithm, especially if they wrote that tool or algorithm, or they'll have some pool of certs that they've created that they think look really good and they'll just use that pool of certs that they've generated. Either way, all of this is good intel to share, because we can detect on all of that.

So adding some of these SSL parts to the Bro Intel framework, some things that could be useful: you could add the cert subjects to the Bro Intel framework; maybe your threat actor is always using the same subject or the same style subject. Issuers, the cert serials, valid before and after dates; let's say your threat actor created all of his certs all in the same day, that would be pretty good. And the ciphers could be useful for, let's say, you just want to find out if you have weak ciphers running at any point of your network; you could add that to the Intel framework. And then of course the SSL cert hash is already being hashed by Intel file hash, so you can already detect, without making any modifications, all cert hashes. And then adding something to the Bro Intel framework is really easy. This is literally it, and you could just take this script and replace a piece of it with something else and you can then detect on that. For this one, this is cert serial, so honestly you would just replace cert serial with, like, cert subject, and then that's how you would add cert subjects to the Bro Intel framework.

So, for an example, Metasploit SSL certs. Metasploit by default, whenever you do something over Metasploit and you're asking for it to go over SSL, it will automatically generate a brand new cert every time you do it. This is great, so it's never the same cert twice, so that would be really hard to add to your intel list. So let's detect that. So what does the Metasploit randomly generated cert look like in Bro? So the certificate issuer here, it might be hard to see: the CN equals hrzvo.gov; that's probably not a government domain. You've got the O field with a lot of random text; the L field, that's supposed to be your city, that doesn't look like a city; the state is, what, Wisconsin; and the country code is US. So how does Metasploit come up with these randomly generated certs? Well, if you look at the code, country code is always going to be US, the state is some random state, the location, the city field, is random alpha 10 to 30 characters, same with the O field, and the CN field is a random hostname. So the random hostname is just some random text with .com, .net, .org, .biz or .edu at the end of it. The state is all 50 states. The random text alpha is just uppercase characters and lowercase characters, and that's your pool for random mixed text alpha.

So how can we use this to detect? So the country code is always US; that's good, that's going to make it easy to narrow down. The state is all 50 states, so that's not a good indicator. But the location field, the O field, is random text alpha, 10 to 30 characters, and that's interesting because that's not what cities look like, city names. All right, so again, this is what the cert looks like. Obviously, I mean, you look at it with your naked eye, you know this is not a legit cert. So how do we detect on that random mixed text alpha for city names? And so I ran through, I made a bunch of certs, and this is what the fields look like, random length and whatnot. So I was like, all right, let me create a regex for this. And so I wrote this really long regex, like complicated thing, and then I finally had an epiphany and I just did this, and it works great. What this is, it's just a lowercase character followed by two uppercase characters. And remember the location field, that's the city: what US cities start with a lowercase character and end with two uppercase characters or more? And the only thing that I could think of was Washington DC, if you don't do a space. So I thought this was going to false positive all over the place, and it didn't. After you filter out, I think we had like five false positives in about a 40,000-node environment; we were getting about one false positive every two weeks to a month. That's pretty good. And the code looks like this. This is really hard for you guys to see, but I'm releasing all this code later, so you can check it out then. And then the alert's going to look like this, where we have the source IP, responding IP, the message, I'm saying, you know, Metasploit SSL, there's a random US city, and it's pretty obvious when you look at the cert details there.

All right, so I talked about this at NoVA Hackers, which is a small local hacker group in Virginia, in October of 2014. Thought it was pretty cool; I was just sharing it with my buddies and my local hacker space. It's run by muik. So then in November of 2014, HD Moore goes ahead and makes a change to how Metasploit randomly generated HTTPS certs. So all right, HD, let's go for round two. All right, so what HD did is he made a change that emulates the autogenerated snake oil cert from Ubuntu 14.04, and then he made some updates, so they're going with 2048-bit RSA, SHA-256. So he's trying to make his SSL sessions with Metasploit a little bit more secure, so that's nice. So this is what the new code looks like, and what he's doing here is he's specifying a year, and then he's saying the valid from, or valid not before and valid not after, part of the certificate, the times, he's saying that it's between now and three years ago, randomized somewhere between there, and then it's valid until up to ten years from that point. So that's actually really good. I was going to use that for detection, but he already made that change, so he kind of beat me to it. I was expecting him to iterate, and I was going to, but it didn't.

And then he got rid of all the other things, where it was US, the random city name and all that, and he just went with very simple: the subject and issuer is just a CN field and it's some random text. How are we going to detect that? This is what the cert looks like, an example, and it's just really small and simple, so there's really not much I can do. But again, he was trying to mimic the snake oil cert. And so let's compare those two. So they both contain only the CN field in their certs. They're both 2048-bit keys. The issuer and subject are the same. They're both valid for ten years; snake oil certs are valid for ten years starting as soon as you create it, whereas Metasploit's are randomized, again very good. But here's where they differ: snake oil certs are usually SHA-1, at least for now until someone patches and fixes the way that those certs are generated, whereas the Metasploit cert is always SHA-256. And then the snake oil cert, the CN is hostname.domain, using uppercase characters if there's an uppercase character in your hostname or your domain, whereas Metasploit always uses random alpha lowercase between two to ten characters. So we can actually detect on that.

And here's the Bro script for doing it. Basically all I'm saying is: if the cert is not originating from inside my network, if it has a subject and issuer, if the subject and issuer are the same, and if the subject is not in my false positive list, and this way you can tune out, you know, simple things like localhost, the obvious ones. And deploying this really had like ten false positives, and after that they kind of went away. And then, so what I'm saying is, I'm just looking for CN: the SSL subject, the cert subject, is CN equals and then lowercase characters between two to ten, and then that's it, and the cert subject ends, and that the cert cipher is SHA-256. So after filtering out, like I said, about ten false positives, this is really firing a false positive about once every two weeks, and that's pretty good. And again, whenever I run Metasploit over SSL, it detects it every single time.

So that was Metasploit. So let's move on to something a little bit more complicated, something a little bit harder: reverse SSH shells. And I've got to give credit to W on this one; it was his epiphany that made it happen. So reverse SSH shells, you might see a lot of people talking about them, or maybe you've had pen tests done in your company; they're pretty popular, because it's SSH, right. So how does that work? So an exploit script runs on a host inside of your network, and what it's going to run is something like this: it runs this SSH command, so it's just binding a port and then SSHing out to, let's say, Amazon AWS. And then on your Amazon C2 server, let's say you're using Amazon for C2 because it's great, you would just SSH to that port that was bound, and then what you now have is you're sitting at a full console inside your target network, and all the communication is over SSH and it's encrypted, and it's just going to Amazon, which probably looks pretty normal, especially if you have a lot of developers in your company. So AWS IPs, that's not a good indicator for this. Reverse SSH, the fact that there's reverse SSH communication, that's a good indicator to share, if you were to share some indicators with your secret squirrel groups.

So let's detect that reverse SSH communication. How are we going to do that? So with every key press in SSH, a packet is sent and received. So for interactive reverse SSH, or for interactive SSHing, let's say you want to do pwd, right. So the client sends the server the letter p, and then the server responds, hey, I got that p, and then this is when the letter p pops up on your terminal. You know, that's how you know your terminal is not hung, right: you type some characters and if they don't show up then you've lost your terminal, right. And then it continues, p-w-d, client, server, back and forth. So for each character that you press, that character is padded, and the SSH client in Linux pads it to 48 bytes; Mac pads it to 42 bytes. So you press p, it sends out 48 bytes, client to server, and then the server responds, I got the p, that's another 48 bytes, back and forth. So on reverse SSH, it's 96 bytes; it's double padded. You have an SSH session over an SSH session, so it's the same thing, it's just double padded, so instead of 48 bytes it's now 96 bytes. And instead of going from client to server, the flow is from server to client, because remember, you're typing on your evil Amazon C2 server. So 96 bytes, cool, that's a good detection mechanism; let's just look for that all the time. But 96-byte packets in SSH sessions happen all the time. So the only way that we could do this, to detect this interactive reverse SSH shell... ignore me, all right, it's hard to do, it's really hard. What was I talking about? Bro. Right. So we need to look at each packet individually, one after the other. So you're typing at your command console, right, so it's 96-byte packets going back and forth because of the reverse SSH shell. So you need to look at: the first packet is 96 bytes, then the very next packet also has to be 96 bytes, and then you have that at least three times over, and else quit. That was my first attempt at writing a detection for this. So that doesn't work at all. Forward SSH shells look like that all the time, and that would be if you were to SSH into something and then SSH from that host into something else and then type; that forward SSH shell would have those 96-byte packets going back and forth all the time.

So instead I decided to go, all right, so it's a reverse SSH shell, so the threat actor is on the server side and he's typing from the server side to the client. So let's look at from server to client 96 bytes, then from client to server 96 bytes, have that happen three times over, and if something doesn't match it then quit. So, way too many false positives; that didn't work at all. So here's the key to making this work for detecting interactive reverse SSH shells. You look for, from server to client, 96 bytes, so it's initiating the typing; then from client to server 96 bytes, it's responding; seeing that three times over, and if there's anything else in between there, like let's say a 112-byte packet, then it quits and starts the logic over again. And then at the end, you want to see from client to server larger than 96 bytes; then you will alert. And what that is: if you're doing your reverse SSH shell and you're typing into it from the server side, and then you hit enter at the end, that output is going to be larger than 96 bytes. So you're detecting on the return. Here's an example of that: from server to client, so let's say pwd, and then from the server side you hit enter, and then the client side sends out the details, /var/www, path, whatever it is, and that is going to be larger than 96 bytes. This works excellently, very few false positives, I'm talking again maybe once every other week, a lot of true positives. But honestly, in about a 40,000-node environment, what you find a lot more of, rather than actual threat actors, is employees trying to bypass security mechanisms. And you guys are probably all thinking, like, I do that to get past our firewall. Yeah. So this is how you can detect that.

So some lessons learned with this: Snort-based network intrusion detection systems, they don't have that granular next-packet analysis. You can't tell Snort, I want to look for this and then the very next packet has to look like this; Snort doesn't have a way to do that. But Bro does, and the scripting language that Bro has really gives you that power. And because there's multiple variations of SSH clients, you know, where Mac is like 42-byte pads and Linux is 48-byte pads, I had to write multiple scripts for this, but it really wasn't that many; four to six scripts is pretty much all you need, depending on what you're running in your environment. And the script literally looks like this: the beginning of it is just looking for an SSH session, and then we're looking for the traffic back and forth individually, and we're just kind of counting. And again, you probably can't see it, but I'm releasing the script, so you can just take a look at it in your own time.

All right, so to conclude. The point of this talk was not to burn detection logic, which I totally just did; someone in here probably works at Rapid7, and Metasploit has already been updated, so don't expect the script to work, you know, in ten minutes. But the point of the talk was to show you what's possible with Bro and hopefully change your perspective on what can be detected and how. If you can see the evil in packet data, then you can write a Bro script to detect it. That's the whole point of this, really, the takeaway. So I want to give some shout-outs to these guys; without them I wouldn't know how anything works. And that's it. The Bro scripts are available there.

[Applause]
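The two detection ideas the speaker walks through, his Metasploit certificate checks (the 2014 "lowercase letter followed by two uppercase letters in the L field" regex, and the post-November-2014 "self-signed, CN-only subject of 2 to 10 lowercase letters, SHA-256" check) and the interactive reverse-SSH keystroke pattern (server-to-client 96 bytes, client-to-server 96 bytes, three pairs in a row, anything else resets, then a client-to-server packet larger than 96 bytes alerts), re-implemented in Python as an added example. This is not the speaker's Bro script and not Bro/Zeek code; the packet lists, certificate subjects and the `to_server` direction flag are constructed sample data standing in for what Bro's SSL and SSH events would supply, and the 96-byte keystroke size is the Linux client case the talk describes (the Mac 42-byte padding would be passed as a different `keystroke` value).

```python
"""Added example (not the speaker's Bro scripts): the talk's detection logic in Python,
run over constructed sample data so it works offline.

1. Metasploit self-signed cert heuristics
   - 2014 generator: C=US and the L (city) field is random mixed-case alpha, so a
     lowercase letter directly followed by two uppercase letters is "not a city".
   - post-Nov-2014 generator: subject == issuer, subject is only a CN of 2-10
     lowercase letters, signature hash SHA-256 (Ubuntu snake-oil certs were SHA-1).
2. Interactive reverse-SSH shell: server->client 96-byte packet, then client->server
   96-byte echo, three pairs in a row; any other packet resets; then a client->server
   packet larger than 96 bytes (command output after Enter) raises the alert.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

RANDOM_CITY_RE = re.compile(r"[a-z][A-Z]{2}")   # lowercase followed by two uppercase
SHORT_CN_RE = re.compile(r"^CN=[a-z]{2,10}$")   # subject is exactly CN=<2-10 lowercase>


def parse_dn(dn: str) -> dict:
    """Split a DN such as 'CN=foo,O=bar,L=baz' into {'CN': 'foo', 'O': 'bar', 'L': 'baz'}."""
    fields = {}
    for part in dn.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def random_city_cert(subject: str) -> bool:
    """2014-style Metasploit cert: C=US and L contains lowercase + two uppercase letters."""
    fields = parse_dn(subject)
    return fields.get("C") == "US" and bool(RANDOM_CITY_RE.search(fields.get("L", "")))


def short_cn_cert(subject: str, issuer: str, sig_hash: str,
                  allowlist: Iterable[str] = ("localhost",)) -> bool:
    """Post-Nov-2014 Metasploit cert: self-signed, CN-only subject of 2-10 lowercase,
    SHA-256. allowlist plays the role of the speaker's false-positive list."""
    if subject != issuer or sig_hash.lower().replace("-", "") != "sha256":
        return False
    if parse_dn(subject).get("CN", "") in set(allowlist):
        return False
    return bool(SHORT_CN_RE.match(subject))


@dataclass
class Pkt:
    to_server: bool   # True = client->server (Bro's is_orig), False = server->client
    size: int         # SSH payload size in bytes (constructed sample values)


KEYSTROKE = 96  # Linux: 48-byte padded keystroke, doubled by the SSH-over-SSH tunnel


def detect_reverse_ssh(packets: List[Pkt], keystroke: int = KEYSTROKE, min_pairs: int = 3) -> int:
    """Return the index of the alerting packet, or -1 if the pattern never completes.

    State machine: expect a server->client keystroke, then its client->server echo,
    and count complete pairs; a packet that does not fit the expected step resets the
    count. Once min_pairs have been seen, a client->server packet larger than a
    keystroke (the command output coming back) triggers the alert."""
    pairs = 0
    expect_echo = False
    for i, pkt in enumerate(packets):
        if pairs >= min_pairs and pkt.to_server and pkt.size > keystroke:
            return i
        is_keystroke = (not pkt.to_server) and pkt.size == keystroke
        is_echo = pkt.to_server and pkt.size == keystroke
        if not expect_echo:
            expect_echo = is_keystroke
            if not is_keystroke:
                pairs = 0
        elif is_echo:
            pairs += 1
            expect_echo = False
        else:
            pairs = 0                     # interruption: start the logic over,
            expect_echo = is_keystroke    # letting this packet begin a new sequence
    return -1


def sample_reverse_shell() -> List[Pkt]:
    """Constructed: attacker types from the server side, then Enter returns /var/www."""
    return [Pkt(False, 96), Pkt(True, 96)] * 3 + [Pkt(True, 300)]


def sample_forward_shell() -> List[Pkt]:
    """Constructed: normal forward SSH-over-SSH; output flows server->client, so no alert
    even though the 96-byte pairs, read with an offset, reach the count."""
    return [Pkt(True, 96), Pkt(False, 96)] * 4 + [Pkt(False, 300)]


def sample_interrupted() -> List[Pkt]:
    """Constructed: two pairs, a 112-byte packet, then too few pairs before the output."""
    return ([Pkt(False, 96), Pkt(True, 96)] * 2 + [Pkt(False, 112)]
            + [Pkt(False, 96), Pkt(True, 96), Pkt(True, 300)])


if __name__ == "__main__":
    print("reverse shell alert at packet:", detect_reverse_ssh(sample_reverse_shell()))
    print("forward shell alert at packet:", detect_reverse_ssh(sample_forward_shell()))
    print("random city cert:", random_city_cert("C=US,ST=Wisconsin,L=kqjFZmLoaP,O=pzQxrTvLm,CN=hrzvo.gov"))
    print("short CN cert:", short_cn_cert("CN=qwrtz", "CN=qwrtz", "sha256"))
```

The forward-shell sample is the reason the speaker's second attempt failed: read with a one-packet offset, a forward shell produces the same 96/96 alternation, so only the direction of the larger-than-96-byte packet at the end separates the two. Running the script prints the alert index (6) for the reverse sample and -1 for the forward sample.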