Offensive Operating Against SysMon, Carlos Perez – Paul’s Security Weekly #577

Carlos Perez delivers the Technical Segment on How to Operate Offensively Against Sysmon. He talks about how SysMon allows him to create rules, and track specific types of tradecraft, around process creation and process termination. He dives into network connection, driver loading, image loading, creation of remote threats, and more! Full Show NotesVisit our website: […]
The post Offensive Operating Against SysMon, Carlos Perez – Paul’s Security Weekly #577 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/ZcUh9FtxQUc/

Mail Security Tester – A Testing Framework For Mail Security And Filtering Solutions

A testing framework for mail security and filtering solutions.IMPORTANT: Don’t do anything evil with this! Tests of cloud or otherwise hosted solutions should always be approved by the tested provider. Only use your own test accounts and don’t annoy anyone with a load of test mails.InstallationThe mail security testing framework works with with Python >=3.5. Just pull this repository and go ahead. No further dependencies are required.UsageThe script mail-tester.py runs the tests. Read the help message with ./mail-tester.py –help and check the list of test and evasion modules with ./mail-tester.py -l to get an overview about the capabilities and the usage of the script. Some hints:At least the parameters –smtp-server and –to should be given for a minimal test run.All parameters can also be stored in configuration files without the prefix –. These configuration files can be used by invoking ./mail-tester.py @tester.conf (configuration contained in tester.conf).Multiple recipients can be configured with –to for testing of different filter configurations.Some mail filtering solutions may reject messages after a while. Use –auto-delay for automatic throttling of the mails. This can be fine-tuned with –delay-step, –delay-max and –delay.Some tests (Spam and Malware) require samples. Put these in directories and configure these directories with –spam-folder and –malware-folder parameters. The samples are not included in this repository (and will not be). Good places to get malware are theZoo, Das Malwerk or other collections. Spam can be exported straight from yout Spam folder, but must be in EML format.Blacklists can be supplied with the –blacklist parameter and are used as sender addresses.The Shellshock and subject XSS test cases should have a valid backconnect domain, where you are able to see any backconnects (especially DNS requests). The free Canary Tokens service can be used for this purpose. Thanks to Thinkst for providing this awesome service!Some neat attachment recognition evasion tricks can be enabled with –evasion content-disposition. These were used in the past to confuse AV/sandboxing solutions and let them pass malicious mails.Don’t forget to log the test results with –log. Mail filtering providers often reject mails in the SMTP dialog, which is reflected in the generated log.Test cases can be dumped with –output as plain files in a directory, in MBox (–mbox) or MailDir (–maildir) format. This is useful to test mail user agents without sending any mails, to document or review generated test cases.Development and ExtensionTestsOwn tests can be implemented with a class in one of the iexisting or newly created Python files in the tests/ directory. The class must be a subclass of MailTestBase located in the module tests.base of this project. Newly implemented tests are discovered automatically when the class variable active is set to True. Further (if you plan to contribute tests back to the main repository), the class variables identifier, name and description should be set appropriately.The following base classes exist with methods or class variables intended for overriding:MailTestBase: Test class for generic tests.generateTestCases(): Yields test messages. These should be generated with the MIME* classes from the Python email.mime.* packages or with the Message class from email.message to ensure valid mail messages.active: Boolean value if test should be active.identifier: Short identifier of the test. This one is used to enable or disable tests in parameters.name: Short test title.description: Longer test description, should fit within approximately 100 characters.delivery_sender and delivery_recipient: Boolean values, False by default. Normally, the sender and recipients are set in the message and the Python SMTP module takes them over from there. Sometimes it is desirable to set them explicitely in the SMTP library, which can be configured by setting this values to True.finalizeMessage(msg): By default, the base test class sets the From and To headers accrodingly. This behaviour can be overridden if required for the test case.MailAttachmentTestBase: Test class for attachment test cases. This generates a complete valid mail with a Subject and a text part and attaches the test case to it. Derived from MailTestBase, therefore the methods/variables from it can be overridden here, too.generateAttachments(): Yields test cases as (description, attachment) tuples.subject: Sets the subject. The place holder {} is replaced by the description yielded by generateAttachments().generateTestCases(): is already overridden with an implementation of the message generation described above, but may be further adapted if required.Setting the subjects of generated messages is highly recommended to be able to recongize the tests in the receiving inbox.EvasionsEvasion classes implement techniques for evading recognition of particular mail properties by mail security solutions. Currently, a evasion technique that tries to hide attachments from such solutions by intentionally broken Content-Disposition headers is implemented.Implement new EvasionsEvasions are implemented by a factory class pattern. The DeliveryBase class instantiaties a factory class derived from the BaseEvasionFactory class. The factory constructor receives a flag that indicates if the evasion is activated. The evasion factory instance is then passed to the test class and stored in its evasions attribute that contains a dict with the evasion identifiers as keys. Inside the test, a evasion class (based on EvasionBase) is instantiated with getEvasionGenerator(). The constructor parameter are defined individually per evasion technique.The following base classes are used to implement evasions:BaseEvasionFactory: Evasion factories must be based on this class. Usually, only the following class variables should be set:active: Set to True if the evasion should be active.identifier: Short identifier of the evasion module used for enabling it in the test configuration.name: Short title of the evasion technique.description: Longer description of the evasion technique. Should fit in approximately 100 characters.generator_evasion: Evasion class that is instantiated if the evasion is enabled.generator_default: Evasion class that is instantiated if the evasion is disabled.BaseEvasion: Implementation of evasions must be a subclass of this base class. The following method must be overridden:__init__(): Should instantiate the class with the base message or attachment that should be manipulated with evasion techniques.generate(): Apply the evasion technique to the object passed to the constructor and yield it to the caller as (description, object with evasion applied) tuple.Generally, the evasion class should yield all evasion variants and pass the default as dedicated test case, while the default evasion classes only pass the given object or create the required data structures, like headers.Using Evasion Techniques in Test CasesEvasion techniques are used in test cases where they are applicable. E.g. if an evasion technique manipulates the header of a mail or attachment, the following steps have to be implemented:Generate the base object (mail or attachment) without consideration of the evasion.Instantiate the appropriate evasion class by utilization of the evasion factory instance from self.evasions, e.g.: evasion_items = self.evasions[“evasion_identifier"].getEvasionGenerator(message)Iterate over the generator and yield the test cases:for evasion_item in evasion_items: yield evasion_itemUsage of the Content Disposition Evasion TechniqueThe content disposition evasion technique is already implemented in the framework and should be used for all test cases that target on the recognition of malicious attachments. The constructor receives an attachment and the intended file name. The evasion class then yields (evasion name, attachment with applied evasion technique) tuples that can directly be yielded by the tests generateAttachments() method.Download Mail-Security-Tester

Link: http://feedproxy.google.com/~r/PentestTools/~3/HrZh9xBkVuo/mail-security-tester-testing-framework.html

Brian Coulson, LogRhythm – Paul’s Security Weekly #575

Brian Coulson is a Senior Security Research Engineer in the Threat Research Group of LogRhythm Labs in Boulder, CO. His primary focus is the Threat Detection Modules such as UEBA, and NTBA. Full Show NotesVisit our website: http://securityweekly.com Follow us on Twitter: https://www.twitter.com/securityweekly
The post Brian Coulson, LogRhythm – Paul’s Security Weekly #575 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/9Hm3cUeQiuk/

PacketWhisper – Stealthily Exfiltrate Data And Defeat Attribution Using DNS Queries And Text-Based Steganography

PacketWhisper – Stealthily Transfer Data & Defeat Attribution Using DNS Queries & Text-Based Steganography, without the need for attacker-controlled Name Servers or domains; Evade DLP/MLS Devices; Defeat Data- & DNS Name Server Whitelisting Controls. Convert any file type (e.g. executables, Office, Zip, images) into a list of Fully Qualified Domain Names (FQDNs), use DNS queries to transfer data. Simple yet extremely effective.AuthorJoe Gervais (TryCatchHCF)Why is this different from every other DNS exfiltration technique?Traditional DNS exfiltration relies on one of the following: DNS tunneling; Hiding data in DNS query fields; or Encoded / encrypted payloads that are broken up and used as subdomains in the DNS query. All of these methods require that the attacker control a domain and/or an associated DNS Name Server to receive the data, which leads to attribution. Those approaches are also vulnerable to DNS Name Server blacklisting (common) and whitelisting (increasingly common). Another problem is that DFIR analysts are familiar with these methods, and SIEM systems will often detect and alert on seeing them.PacketWhisper overcomes these limitations.What if data could be transferred using the target’s own whitelisted DNS servers, without the communicating systems ever directly connecting to each other or to a common endpoint? Even if the network boundary employed data whitelisting to block data exfiltration?How It WorksTo make it all happen, PacketWhisper combines DNS queries with text-based steganography. Leveraging the Cloakify Toolset, it transforms the payload into a list of FQDN strings. PacketWhisper then uses the list of FQDNs to create sequential DNS queries, transferring the payload across (or within) network boundaries, with the data hidden in plain sight, and without the two systems ever directly connecting to a each other or to a common endpoint. The ciphers used by PacketWhisper provide multiple levels of deception to avoid generating alerts as well as to mislead analysis attempts.To receive the data, you capture the network traffic containing the DNS queries, using whatever method is most convenient for you. (See “Capturing The PCAP File" below for examples of capture points.) You then load the captured PCAP file into PacketWhisper (running on whatever system is convenient), which extracts the payload from the file and Decloakifies it into its original form.DNS is an attractive protocol to use because, even though it’s a relatively slow means of transferring data, DNS is almost always allowed across network boundaries, even on the most sensitive networks.Important note: We’re using DNS queries to transfer the data, not successful DNS lookups. PacketWhisper never needs to successfully resolve any of its DNS queries. In fact PacketWhisper doesn’t even look at the DNS responses. This expands our use cases, and underscores the fact that we never need to control a domain we’re querying for, never need to control a DNS Name Server handling DNS requests.So using PacketWhisper, we transform a payload that looks like this:Into a list of FQDNs like this:Which PacketWhisper turns into DNS queries that show up in network traffic like this:Which you capture as a PCAP file anywhere along the DNS resolution path, and then load that PCAP into your local copy of PacketWhisper to recover the payload:TutorialSee the DEF CON 26 slides (included in project) from my Packet Hacking Village presentation. The slides present background on DNS exfiltration, text-based steganography / Cloakify Toolset, and how PacketWhisper combines them all into a method for transferring data. I specifically created the slides to be useful on their own, so the background and information should be complete. However you can also view the video of my DC26 Packet Hacking Village presentation which provides additional context. [NOTE: Video should be online sometime in September, at which point I’ll add the URL here.]I’ve included a sample PCAP file in the project (cleverly named "sample.pcap") that contains separate payloads for each of the ciphers. They could have been any filetype, of course, but in this case I just transmitted text files into the PCAP. Load it up in PacketWhisper and give it a try!As a quick test in your own environment, run PacketWhisper from a VM, then send a file while doing a packet capture on the VM’s network interface via the host system. You can then load the PCAP file into whichever PacketWhisper instance is convenient to decode the file. Just remember it’s not a speedy transfer. Smaller files and patience are your friend.RequiresPython 2.7.x (3.6.x port is underway)For decoding payloads: tcpdump (included on Linux & MacOS) or WinDump (Windows)Question: "Why didn’t you use Scapy or dnspython toolset?"Answer: I hate project dependencies in my operational tools. I keep my projects as atomic, self-contained as possible for maximum reliability, especially on the client side where I may not control the environment and/or have minimal privileges. The way PacketWhisper is structured, I can get it running on a limited shell host just by tar’ing up the project and extracting on the target host.Question: "Why isn’t PacketWhisper a project fork of Cloakify Toolset?"Answer: Same answer as above. We only need a very specific subset of Cloakify’s capabilities, and adding everything else to PacketWhisper would just lead to a cluttered directory and tools/ciphers that can’t be used by PacketWhisper. Since I own both projects, I promise to synchronize any changes between the two.Run PacketWhisper$ python packetWhisper.pyFQDN-Based CiphersFQDN-based ciphers consist of 3 categories:Unique Random Subdomain FQDNs (Recommended – avoids DNS caching, overcomes NAT)Unique Repeating FQDNs (DNS may cache, but overcomes NAT)Common Website FQDNs (DNS caching may block, NAT interferes)Unique Random Subdomain FQDNsRECOMMENDED CIPHER MODE FOR MOST USE CASESThese are FQDNs with randomized elements built into the subdomains. This helps prevent DNS caching, while also allowing us to transfer data beyond a NAT’d network devices that may be along the DNS query path. Since the sending system’s IP address isn’t available beyond the NAT device, the cipher-generated subdomains contain unique tag elements to help us identify PacketWhisper payloads in the packet capture.These ciphers mimic the formats of various services that rely on complex subdomains as a means to identify a session, user, cached content etc. This approach helps PacketWhisper’s DNS queries blend in with the rest of the network’s traffic.The first part of the subdomain name is actually a string from the cipher list. The rest of the subdomain name is randomized to make each FQDN unique, which prevents DNS caching from shutting down the DNS query path prematurely. We then add the domain name. We construct the FQDNs this way to look like the usual FQDNs associated with the selected domain, to blend in better with normal webtraffic seen on any network.Unique Repeating FQDNsCreated to stand out from all other DNS queries on the network, but without any randomization involved. This means that DNS caching may interfere, but as a side benefit your DNS queries will be easy for you to find even in the largest collection of multi-client pcaps. This is due to the fact that the FQDNs are odd endpoints, like the list of "Johns" (Red Lectroid aliens) at the fictional Yoyodyne Propulsion Systems from the movie ‘Buckaroo Banzai Across the 8th Dimension’.Common Website FQDNsThese are FQDNs constructed out of common Website URLs.NOTE: Since most environments are NAT’d at the perimeter (removing visibility of client’s IP address), this mode is generally only useful for transferring data between systems connected to the same local /24 network (for example, the guest wifi at your favorite coffee shop).Since Common Website ciphers only have the source IP address as a way to distinguish its queries from all the other similar DNS queries on the network, PacketWhisper will transmit a unique "knock sequence" DNS query at beginning and end of the payload, which helps us pick out the transmitting host from the pcap file later.Example FQDN: www.github.comTransmitting the Cloakified PayloadOnce you’ve selected a cipher, PacketWhisper encodes (Cloakifies) the payload into a list of FQDN strings per the desired cipher. It then sequentially generates DNS requests to send the data along the DNS resolution path. PacketWhisper adds a small delay between each DNS query, which helps prevent out-of-order DNS requests.Capturing the PCAP FileThe key element here is of course being able to capture the network traffic containing the DNS queries that PacketWhisper generated. There are a lot of options, since you only need to be somewhere, anywhere, with visibility to the DNS query path.Example Points of Capture:Connected to the same local network (e.g. your local coffee shop)Systems and devices that are internal to the organizationPerimeter network appliancesNetwork infrastructure outside of the organizationNetwork tap anywhere along the query pathUse your imagination. Any device along the DNS resolution path is an option, including wall displays. "Wait, what?"NOTE: VPN connections block visibility between host and VPN exit node. If the client you’re transferring from has an active VPN connection, you won’t be able to see any DNS queries unless you can capture upstream from the VPN exit node. Even capturing on the same system will fail. Since many of you are probably using VPNs, if you want to test out PacketWhisper, try transmitting from a hosted virtual machine (VM) and capture the traffic on the VM’s network interface on the host system.Extracting The PayloadOnce you’ve captured the pcap file, recover the payload by running PacketWhisper on a system that has tcpdump (included on Linux & MacOS) or WinDump (Windows) installed. PacketWhisper will ask you which cipher was used, then extract the payload from the pcap, and finally decode the extracted payload with the matching cipher.Important note: Within the same PCAP, you can transmit one payload per cipher used. A PCAP containing more than one payload using the same cipher will cause problems. For example my supplied ‘example.pcap’ file contains 5 payloads, one for each of the operational ciphers currently available. If one of the payloads had used the same cipher as another one, PacketWhisper will fail to extract either of them. The easy fix is to break up the PCAP file (this is why the PacketWhisper transmit code prints out the UTC date-time when starting and ending transmission). I’m working on allowing multiple payloads using the same cipher, solution is already in place, I just need to get around to it.Limitations / Use NotesBe sure your PCAP file is actually PCAP format. If you used tcpdump or WinDump to capture the file you’ll be fine. Wireshark however offers a wide variety of "Save As…" options for saving Wireshark traffic, only one of which is actually tcpdump/PCAP friendly. I’m working on better error reporting to help catch mistakes early.Not a secure encryption scheme. PacketWhisper is not a secure encryption scheme. It’s vulnerable to frequency analysis attacks. Use the ‘Unique Random Subdomain FQDNs’ category of ciphers to add entropy and help degrade frequency analysis attacks. If payload secrecy is required, be sure to encrypt the payload before using PacketWhisper to process it.Not a high-bandwidth transfer method. PacketWhisper relies on DNS queries, which are UDP-based, meaning order of delivery (or even successful delivery) of the request is not guaranteed. PacketWhisper by default adds a small (1/2-second) delay between each DNS query. You can safely transfer payloads at a rate of about 7.2K per hour (120 bytes per minute). That’s based on the size of the original payload, not the Cloakified output file. You can opt for no delay between between queries, which dramatically speeds up the transfer but at the risk of increased network noise and corrupted payload.And let’s face it, if you have non-DNS modes of data transfer available, you can just use the main Cloakify Toolset project to hide the file in plain sight (maybe turn the payload into a list of PokemonGo monsters w/ LatLon coordinates) and use all that high bandwidth available via FTP/HTTP/etc. DNS is extremely useful when other protocols are blocked, but always be aware of your options.DNS is DNS. Different OS’s have different DNS caching policies, etc. Networks may be down, isolated, etc. PacketWhisper includes a quick manual check to see if it can resolve common FQDNs, but DNS is often a messy business. Remember the old IT troubleshooting mantra: "It’s always DNS."Detection / PreventionSee the DEF CON 26 slides (included in project) from my Packet Hacking Village presentation. Mitigation strategies are covered toward the end of the presentation. As in all things, "Security In Depth" is your friend, especially since DNS resolution paths span vast amounts of terrain that are outside of your organization’s control.Download PacketWhisper

Link: http://feedproxy.google.com/~r/PentestTools/~3/AuHYq-ZR2pA/packetwhisper-stealthily-exfiltrate.html

KisMac – Open Source Wireless Stumbling And Security Tool For Mac OS X

KisMAC is a free, open source wireless stumbling and security tool for Mac OS X.Whats new:Mac OS 10.9 – 10.12 (64-bit only)ARC (64-bit only)New GUIModern Objective-c syntaxRewrote most part of deprecated methodsRemove debug info from releaseHow Build:git clone https://github.com/IGRSoft/KisMac2.git ./KissMac2cd KissMac2git submodule update –init –recursiveopen KisMac2.xcworkspaceBuildCurrent Developer and Origin:This project, KisMac2, is an active project to continue where original development of KisMac has stopped. The lead developer is Vitalii Parovishnyk (Korich) – http://IGRSoft.com and you are welcome to contact us and join in the project.Michael Rossberg / Geoffrey Kruse / kismac-ng.org is the original KisMac and the project is not actively maintained since 2011, please see the KisMac Wikipedia page for more information on the earlier history of that project.Nightly Builds:http://downloads.igrsoft.com/beta/KisMac2.zipDownload KisMac2

Link: http://feedproxy.google.com/~r/PentestTools/~3/kV7MP4V-kAs/kismac-open-source-wireless-stumbling.html