Sometimes, the problem becomes more tractable when presented with the solution - PowerPoint PPT Presentation


  1. “Sometimes, the problem becomes more tractable when presented with the solution”

  2. DISCLAIMER!!! This project is meant for educational purposes only. Views, concepts, techniques, knowledge, etc are that of the authors and do not represent our employers. This briefing is intended to strengthen network defense by highlighting the relative ease attack tools can be built such that network security professionals gain greater awareness to audit networks and secure computer systems. Only execute concepts presented here on isolated networks of which YOU have express permission to conduct these assessments. We are not liable for damages resulting from concepts or tools discussed in this presentation. Use at your own risk!

  3. What to Expect
     • Background, Intent, and Motivation
     • Botnet Overview (Characteristics and Features)
     • System Exploitation Overview
     • How to Create your Botnet!
       – Remote Code Execution
       – Bypassing Infrastructure Security
       – Establishing a Beacon Bot
       – Payload Migration for Advanced Exploitation
     • Advancing the Attack
     • Live Demos
     • Conclusion and Questions
     Image: http://logout.hu/dl/upc/2011-06/230806_gremlin_in_my_computer-lyvind_berget.jpg, Retrieved 17 Sep 13
     Splinter RAT – Botnet * Solomon Sonya 3

  4. Research Motivation Splinter RAT – Botnet * Solomon Sonya * 2014

  5. Network Defense is Behind
     • Network defense is failing to keep up with emerging threats
     • Intent:
       – Bridge the gap between Botnet creation and exploitation
       – Understanding how this malware is created and communicates gives you the knowledge of what to look for on your network and helps you identify ways to prevent future intrusions
     • Truly knowing how to attack allows us to develop better ways to defend our critical assets

  6. What is this Botnet You Speak of?

  7. Botnet Terminology
     • Botnet – Network of autonomous agents that synchronize with the Command and Control (C2) Server to execute commands and automate remote exploitation
     • Controller – Robust UI; only run by the BotMaster/BotHerder to control one or more agents simultaneously
     • Dropper – Exploits the victim, configures the environment, downloads and executes the implant
     • Implant – Listener agent on each infected machine; syncs with the Controller and executes commands
     • Very light-weight:
       1. Exploit a system, establish a shell and maintain a persistent connection to the Controller
       2. Listen for commands and execute received statements
       3. Pipe response and status back to the Controller
       4. Evade detection and persist on the host as long as possible

  8. Botnet Concept
     (diagram: Controller, Victim Box, Victim Network, Victim Network)

  9. So Where Do We Begin?

  10. Anatomy of an Attack
      • Reconnaissance
      • Scanning
      • Penetration
      • Pivot
      • Privileges++
      • Pillage
      • Paralyze
      • Stealth & Persistence
      • Cover Tracks

  11. PENETRATION: Using a Dropper Script
      (attack-phase strip: … Penetration, Pivot, Privileges++, Pillage, Paralyze …)

  12. Dropper Concept: Pictogram
      (diagram actors: Controller, Malicious Domain, Dropper, Victim Box)
      Stage 1: Infect Victim
      Stage 2: Establish C2 Control
      Stage 3: Persistence
      Stage 4: Pivot (Control Link Established)
      Exploit vectors:
      — PDF/Malicious Document
      — Phishing Email
      — Drive-by-Download, Browser Exploit
      — Infected Media: (USB/CD/DVD)
      — Malicious Insider
      — Malicious Executable (Game, SW…)
      — BYOD
      — Water-Hole, Malicious Executable Script
      — etc

  13. Stealth & Persistence: Beacon Bot

  14. Beacon Bot: Overview
      • Inspiration: Raphael Mudge
      • Motivation: Minimize footprint and detection on the network
        – Steps: Wake, check-in, download and execute commands, sleep, RECURSE
      (diagram: Controller and Victim Box, steps 1–6; step 4: Check-in, Download Cmd List)
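The wake, check-in, sleep, recurse loop on this slide is exactly what gives a beacon away on the wire: its outbound connections arrive at near-constant intervals, while ordinary client traffic is bursty. The following detector is an added example written for this page, not code from the deck or the Splinter RAT project. The log format (timestamp, source, destination:port) and every record in SAMPLE_LOG are constructed; the thresholds max_cv and min_events are assumptions a defender would tune for their own network.

```python
"""Flag beacon-style check-ins in outbound connection logs.

Added example for the Beacon Bot slide; not code from the Splinter RAT
project. A beacon wakes, checks in with its controller, sleeps and repeats,
so the gaps between its connections have a very low coefficient of
variation (stdev / mean). The log format and all records are constructed.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <source IP> <destination IP:port>"
# 10.0.0.5 checks in roughly every 60 s; 10.0.0.7 browses in bursts;
# 10.0.0.9 has too few events to judge.
SAMPLE_LOG = """\
2014-06-01T10:00:00 10.0.0.5 203.0.113.10:443
2014-06-01T10:00:00 10.0.0.7 198.51.100.20:80
2014-06-01T10:00:02 10.0.0.7 198.51.100.20:80
2014-06-01T10:00:03 10.0.0.7 198.51.100.20:80
2014-06-01T10:01:00 10.0.0.5 203.0.113.10:443
2014-06-01T10:02:01 10.0.0.5 203.0.113.10:443
2014-06-01T10:03:00 10.0.0.5 203.0.113.10:443
2014-06-01T10:04:01 10.0.0.5 203.0.113.10:443
2014-06-01T10:05:00 10.0.0.5 203.0.113.10:443
2014-06-01T10:05:40 10.0.0.7 198.51.100.20:80
2014-06-01T10:05:41 10.0.0.7 198.51.100.20:80
2014-06-01T10:05:59 10.0.0.5 203.0.113.10:443
2014-06-01T10:07:00 10.0.0.5 203.0.113.10:443
2014-06-01T10:09:00 10.0.0.9 192.0.2.30:22
2014-06-01T10:21:00 10.0.0.7 198.51.100.20:80
2014-06-01T10:30:00 10.0.0.9 192.0.2.30:22
"""


def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst = line.split()
        events[(src, dst)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"))
    return events


def beacon_score(times, min_events=5):
    """Return (mean gap in seconds, coefficient of variation), or None if too few events."""
    if len(times) < min_events:
        return None
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(text, max_cv=0.2, min_events=5):
    """List (src, dst, mean_gap, cv) for pairs whose timing is regular enough to look automated."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        score = beacon_score(times, min_events)
        if score is not None and score[1] <= max_cv:
            hits.append((src, dst, round(score[0]), round(score[1], 3)))
    return sorted(hits)


if __name__ == "__main__":
    for src, dst, gap, cv in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: check-in every ~{gap}s (jitter cv={cv})")
```

A low coefficient of variation is the signal, not a particular interval: a bot that sleeps 60 seconds and one that sleeps 4 hours both produce it. Beacons that add random jitter raise the cv, so the threshold is a trade-off the defender tunes against their own baseline; the min_events floor keeps a handful of coincidental connections from being scored at all.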

  15. (slide with no text)

  16. PENETRATION: Payload Migration . . .
      Image: http://resources.infosecinstitute.com/armitage-gui/
      Special thanks to Raphael Mudge (@armitagehacker)

  17. How Can We Migrate Additional Payloads?
      • Sometimes, the initial Metasploit connection is blocked
      (diagram: Internet, blocked connections marked X X X, Control)
      Image: http://www.derbycon.com/2011/03/31/new-training-and-speaker-announcement/

  18. Solution: Payload Migration!!!
      1. Exploit Established Connection in Splinter
      2. Migrate Meterpreter through Splinter
      3. Execute Meterpreter on Victim Box
      4. Connect Outbound to Metasploit
      5. Advance Exploitation with Metasploit
      (diagram: Internet, Control)
      Images: http://www.derbycon.com/2011/03/31/new-training-and-speaker-announcement/, http://humanlly.deviantart.com/art/Kali-Linux-364491207

  19. (slide with no text)

  20. Social Engineering (Surgical Approach)
      • DNS Host File Poisoning
      • Credential Harvesting
      • Spoofing UAC

  21. DNS Cache Poisoning
      At least 3 ways exist to poison DNS entries:
      • Cache-poison DNS servers with an incorrect response (much harder now) → very noisy, and detectable now
      • MiTM: constantly poison the host with gratuitous ARP (fastest one wins!) → very noisy, highly detectable
      • Spoof the host file by adding a new entry (only once) → extremely efficient… wait, what is a host file???

  22. Windows Host DNS File
      • Location: %systemroot%\system32\drivers\etc\hosts
      • Important flat file (no extension) used to map or override IP addresses before a DNS server is consulted
      • (Before resolving the IP of a domain name, the host file is checked for an existing entry)
      • Sometimes used for redirects and for ad and spyware blocking

  23. So how does it work?
      • Say you wish to go to facebook.com
      • If an entry for www.facebook.com exists in the host file, the browser will go to that address; otherwise, the domain name server is used to resolve the IP
      • IT IS VERY IMPORTANT TO CHECK ENTRIES IN YOUR HOST FILE
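The check the slide asks for, as an added example that is not code from the deck or the Splinter RAT project: it parses the hosts file format (an IP address, whitespace, one or more host names, `#` comments) and reports every mapping that points a name at a routable address, since that is the address the browser will use before any DNS server is asked. The WINDOWS_HOSTS path is the default location named on the previous slide; SAMPLE_HOSTS is constructed, including its poison entry, and the 203.0.113.45 address is documentation space, not a real host.

```python
"""Audit a Windows-style hosts file for entries that override DNS.

Added example for the host-file slides; not code from the Splinter RAT
project. Loopback entries (localhost) and 0.0.0.0 sinkholes used for ad
blocking are expected; anything else redirects a name before DNS runs and
is reported with its line number. The sample file contents are constructed.
"""
import ipaddress
from pathlib import Path

# %systemroot%\system32\drivers\etc\hosts on a default Windows install
WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample: two default loopback entries, one ad sinkhole, one poison entry
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net                 # sinkholed ad host, harmless
203.0.113.45    www.facebook.com facebook.com   # constructed poison entry
"""


def parse_hosts(text):
    """Return (line number, address, hostname) for every mapping in the file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing or whole-line comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not a mapping
        for name in parts[1:]:  # one address may carry several names
            entries.append((lineno, addr, name.lower()))
    return entries


def suspicious_entries(text):
    """Mappings that send a name somewhere other than loopback or the null address."""
    flagged = []
    for lineno, addr, name in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified:
            continue  # localhost entries and 0.0.0.0 sinkholes are expected
        flagged.append((lineno, str(addr), name))
    return flagged


def audit_file(path=WINDOWS_HOSTS):
    """Run the check against a real hosts file on disk (read-only)."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return suspicious_entries(text)


if __name__ == "__main__":
    for lineno, addr, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr}")
```

Because the file is checked before DNS, a single poisoned line is enough to redirect every browser on the machine, which is why the slide shouts about checking it; running audit_file() on a schedule, or alerting on any write to that path, catches the "only once" change the previous slide describes.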

  24. And now for the Attack!!!
      (diagram: Poison Entry in Host DNS File, www.facebook.com, Harvested Credentials….)
      NOTE:
      [1] Admin credentials may be required on the victim system
      [2] This feature was tested on IE; N/A for all versions and sites
      Image: http://www.toolswatch.org/wp-content/uploads/2012/08/SET.jpg
      Special thanks to Dave Kennedy (ReL1K) (@HackingDave) and setoolkit

  25. (slide with no text)

  26. Scorched Earth… And now for the DDOS
      Image: http://www.artsjournal.com/dewey21c/2010/03/proposal_to_scorch_the_earth_i.html

  27. DOS (Denial of Service) Attacks
      • Most define it as: “Denial of service… send more information than the server can handle…”
      • What about: “Resource Starvation”, such that access to a system is, at a minimum, degraded and, at a maximum, disrupted
      (diagram: Controller, Implants, Website; 404 Not Found . . . FAULT!)

  28. Website DOS Attack Procedure
      • Many Techniques exist!!!
      • Abbreviated Version:
        – Analyze the legitimate traffic
        – Learn the protocol and structure
        – Mimic the behavior
        – HAPPY DANCE!

  29. (slide with no text)

  30. Additional Features
      • Orbiter Payload
      • Clipboard Injection
      • Spoof UAC
      • Relay bot
      • Screen Scrape
      • Logging Agent
      • Enumeration
      • File Browser and Transfer
      • Want more? Send me an email!

  31. Questions?
      • Github Code Repository: github.com/splinterbotnet
      • Email: splinterbotnet@gmail.com
      • Solomon Sonya: @Carpenter1010
