vaaseline vnc attack automation suite
play

VAASeline: VNC Attack Automation Suite 'Lubricating blind entry' - PowerPoint PPT Presentation

May 07, 2023 •379 likes •954 views

VAASeline: VNC Attack Automation Suite 'Lubricating blind entry' Rich Smith rich@immunityinc.com 1 Agenda VNC and it's underlying protocol RFB Why attack automation is needed Why RFB is hard to automate The VAASeline technique

  1. VAASeline: VNC Attack Automation Suite 'Lubricating blind entry' Rich Smith rich@immunityinc.com 1

  2. Agenda ● VNC and it's underlying protocol RFB ● Why attack automation is needed ● Why RFB is hard to automate ● The VAASeline technique (RPC over RFB) ● The VAASeline toolkit (Python module) ● Live demo of VAASeline lubricated entry 2

  3. Post-Compromise not just Exploitation ● Exploits are important .... ● ...but so is what you do afterwards! ● Post-compromise actions key for: – Further recon – Attack escalation – Realisation of final goal 3

  4. Post- Attack Actions Recon Attack Scope Recon Goal Post- Attack Attack Actions 4

  5. VNC & RFB 5

  6. VNC & RFB ● Virtual Network Computing (VNC) ● Remote FrameBuffer protocol (RFB) ● VNC is built on top of the RFB protocol ● Created by Olivetti Research/AT&T Labs in the late 1990's 6

  7. VNC & RFB...Cont'd ● TCP port 5900,5901,.... ● Currently RFB protocol at version 3.8 ● Open protocol standard http://www.realvnc.com/docs/rfbproto.pdf ● RealVNC maintains list of encoding and security type numbers separately ● Allows for proprietary extensions 7

  8. VNC & RFB...Cont'd ● RFB conceptually replaces the input connections from a mouse & keyboard, and the output connection to a monitor with network packets ● You send input packets to a server of KeyEvents or PointerEvents ● The server returns FramebufferUpdate packets 8

  9. Simplified keypress VNC flow 4. FrameBufferUpdate 5. User sees screen VNC VNC update Client Server 2. KeyEvent 3.Pass to window manager 1. Keystroke 9

  10. VNC in your network ● People find it very useful! ● Found frequently across real networks ● May be part of Shadow IT , may not be well managed ● Frequently password authentication.... ● .... often easy to access 10

  11. Questions ● Once you have access, how to best use a VNC system in your attack workflow? ● What about 1000 VNC systems ? 11

  12. Attack Automation 12

  13. The need for automation? ● Return On Investment (ROI) For an attacker ● Total Cost of 0wnership (TCO) ● Currently VNC Post-Compromise requires an attacker to use a VNC client – Reduces ROI – Increases TCO ● 'Too expensive' to use as a general vector 13

  14. The need for automation? ● Requiring a human in the loop is slow, expensive & does not scale ● Goal: – Reduce cost of attack to price of bandwidth ● Answering even simple questions such as: ' What are the privileges of users with VNC servers with blank passwords? ' Quickly become infeasible with many servers 14

  15. Shouldn't This Be Easy ? 15

  16. Shouldn't this be easy? ● That's what I thought.... ● ...devil is in the details of RFB ● A subtler problem than it may initially seem 16

  17. RFB is a blackbox ● RFB v3.8 is a very simple protocol ● Well suited to it's original task ● Only real complexities lie in FrameBuffer encodings ● Inputs and Outputs channels are discrete ● The protocol requires the human to close the data processing loop 17

  18. VNC Client User Input: Keystroke/ Mouse User closes the RFB Input protocol loop, by Event Visual Change interpretting the visual update VNC VNC Server Client RFB Output Event 18

  19. RFB is a blackbox ● The results of any user input over RFB only result as a visual screen update ● No return code or 'results' from an action that resulted from given input ● Removing the user removes FrameBuffer interpretation – it blinds the automator ● Like using Windows without a monitor! 19

  20. Problem Statement ● Given access to a VNC system: ● How can you execute arbitrary code such that: – A user is not required in the loop – An automated system is able to statefully determine the results of its actions 20

  21. Solution Criteria ● Only use standard RFB v 3.8 ● Be able to execute arbitrary code ● Reliable over high latency links ● A toolkit that is re-taskable to an attackers requirements ● Initially just target Win32 platforms 21

  22. VAASeline Technique 22

  23. VAASeline technique ● To explain how the technique used was developed, we'll go from first principles ● Firstly, lets look at some RFB protocol units 23

  24. VAASeline Technique ● RFB protocol messages can be divided into 3 groups for attack automation purposes: 24

  25. RFB Input Packets ● KeyEvent & PointerEvent protocol messages KeyEvent 0x04 (1 byte) 1 byte 2 bytes 4 bytes Type Down Pad Key sym Flag PointerEvent 0x04 (1 byte) 1 byte 2 bytes 2 bytes Type Button X-pos Y-pos Mask 25

  26. Simple execution ● Mouse emulation hard as knowledge of screen layout/resolution etc is needed ● Easy to emulate key sequences, however ● Windows Hot-Key sequences can therefore be sent ● e.g. Windows Key + R: Opens 'run command' ● Focus is then in that window so arbitrary command can be run 26

  27. Simple execution ● Packet sequence to execute calc.exe: ● Packet sequence to execute calc.exe: ● Packet sequence to execute calc.exe: ● Execution indeed! But not that useful.... ● Could call ftp or tftp for file up/download.. ● ..but doesn't use RFB – if we attack using protocol X, we want to use protocol X afterward 27

  28. More complex actions ● Single command execution is of only limited use ● More complex actions can be scripted on Win32 platforms using VBScript and cscript.exe ● However only short keystroke sequences can be delivered using KeyEvent packets ● RFB is meant to deal with users typing at human speed not machine speed ● Keystrokes go MIA without notification 28

  29. ClientCutText & ServerCutText ● To be able to pass longer keystroke sequences a new method is needed ● ClientCutText & ServerCutText packets provide us with a mechanism ● These packets allow the clipboard buffers to be shared between client and server for copy/paste Client/ServerCutText 0x03 / 0x06 Type Pad Len Data 29

  30. An aside.... ● This also means that during a VNC connection clipboard contents is sent over the wire: – By both server & client – In the clear – Everytime new buffer is updated – Useful with people who use password managers & copy/paste on websites :) – passive_cb_sniff.py for simple example 30

  31. Scripting ● With a combination of KeyEvents and ClientCutText packets we can dump arbitrary amounts of data to a target without loss ● Send a ClientCutText packet with our data in, then Ctrl-V to 'paste' it ● Dump and run VBScripts on target via notepad and then use cscript.exe to invoke them ● Ctrl-A + Ctrl-V also lets us check the whole buffer was sent correctly – Error detection and retry 31

  32. Problems with blind execution ● Both methods discussed are still blind – No way to stdout/results back – No way to know if commands have failed – Uploading binaries via ClientCutText + notepad + vbs unencoder is unreliable 32

  33. A matter of context ● An advantage of the Client/ServerCutText packets is that they operate at the layer below the window manager ● Thus they do not depend on the current context of the window manager ● Just need to send a ClientCutText packet to the server and it deals with updating the clipboard ● Any new text on the server's clipboard solicits a new ServerCutText packet to the client 33

  34. Guerilla RPC 34

  35. Guerilla RPC ● Using Client/ServerCutText we have a crude shared I/O channel using pure RFB ● Client sends in command/data via ClientCutText ● Server returns status/output via ServerCutText ● Writing a special VNC client to send special ClientCutText packets is easy ● However the server is not in our control to alter its behaviour 35

  36. Guerilla RPC ● Basic idea: – Upload a VBScript to the server that monitors the clipboard (cb_mon) – Send crafted ClientCutText packet – cb_mon picks up special packets & takes an actions based on their content – cb_mon places the results of the action on the clipboard – VNC server send the results back as a ServerCutText packet 36

  37. Guerilla RPC Server Client Setup: 1. KeyEvent packets to open 'Run Command' Window 2. ClientCutText packets to echo vbscript 3. KeyEvent packets to open 'Run Command' Window 4. ClientCutText packets to run vbscript Execution: 1. ClientCutText packet containing command 2. ServerCutText packet containing response 3.Continuing for arbitrary number of iterations 37

  38. VAASeline protocol ● For this to work we need a pure ASCII protocol ● Avoid 0x00 (string terminator) ● Differentiate commands for normal data ● Use low value ASCII for Magic bytes VAASeline protocol 0x01,0x03,0x01,0x03 (1 byte) (1 byte) (Variable length) 0x0B (4 bytes) (1 byte) Magic Seq ID Opcode Data/Operands EOD Operands are seperated by more magic: 0x02,0x02,0x03,0x03 & 0x03,0x03,0x02,0x02 38

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Htel Splendide Royal Junior Suite Junior Suite Junior Suite Suite Suite Suite Suite Suite

Htel Splendide Royal Junior Suite Junior Suite Junior Suite Suite Suite Suite Suite Suite

Htel Splendide Royal Junior Suite Junior Suite Junior Suite Suite Suite Suite Suite Suite 12 spacious Suites Junior Suite: 45m 2 Suite: 65m 2 Apartment Suite: 110m 2 Fine Italian Cuisine Renowned Chef Vito Grippa

498 views • 18 slides
Not Your Parents Test Automation: Application of Non-Traditional Automation Presented by: Paul

Not Your Parents Test Automation: Application of Non-Traditional Automation Presented by: Paul

T9 Test Automation Thursday, May 3rd, 2018 11:15 AM Not Your Parents Test Automation: Application of Non-Traditional Automation Presented by: Paul Grizzaffi Magenic Brought to you by: 350 Corporate Way, Suite 400, Orange Park, FL 32073 888

544 views • 21 slides
1 Automation Overview Definition Automation (automation, Automation ) : 1) set of all measures

1 Automation Overview Definition Automation (automation, Automation ) : 1) set of all measures

Industrial Automation Spring 2019, EPFL 1 Automation Overview Definition Automation (automation, Automation ) : 1) set of all measures aiming at replacing human work through machines (e.g. automation is applied science) 2) the

1.39k views • 63 slides
THE PAST, PRESENT & FUTURE OF ENTERPRISE SECURITY THE GOLDEN AGE OF ATTACK AUTOMATION

THE PAST, PRESENT & FUTURE OF ENTERPRISE SECURITY THE GOLDEN AGE OF ATTACK AUTOMATION

THE PAST, PRESENT & FUTURE OF ENTERPRISE SECURITY THE GOLDEN AGE OF ATTACK AUTOMATION Marcello Salvati - @byt3bl33d3r - https://github.com/byt3bl33d3r - Lead researcher @coalfirelabs - Years of experience building open source security

657 views • 38 slides
iPanSec.com SOAPA Dashboard Smart InfoSec Automation Zero Trust Assurance Suite SOAPA

iPanSec.com SOAPA Dashboard Smart InfoSec Automation Zero Trust Assurance Suite SOAPA

iPanSec.com SOAPA Dashboard Smart InfoSec Automation Zero Trust Assurance Suite SOAPA Dashboard Integrated with Network Layer (PacketX , UPAS) Field WiFi /BLE /ZigBee Layer (ArcRan iSecMaster) Endpoint Layer (Comodo)

549 views • 13 slides
Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day >> exploitation of the device >> the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides
Industrial Automation Automation Industrielle Industrielle Automation 9.2 Dependability -

Industrial Automation Automation Industrielle Industrielle Automation 9.2 Dependability -

Industrial Automation Automation Industrielle Industrielle Automation 9.2 Dependability - Evaluation Estimation de la fiabilit Verlsslichkeitsabschtzung Dr. Jean-Charles Tournier CERN, Geneva, Switzerland 2015 - JCT The material

1.78k views • 91 slides
Industrial Automation Automation Industrielle Industrielle Automation Safety analysis and

Industrial Automation Automation Industrielle Industrielle Automation Safety analysis and

Industrial Automation Automation Industrielle Industrielle Automation Safety analysis and standards 9.6 Analyse de scurit et normes Sicherheitsanalyse und Normen Prof Dr. Hubert Kirrmann & Dr. B. Eschermann ABB Research Center,

799 views • 31 slides
Document Automation in Dynamics CRM Document Automation The value of Automation Reduce User

Document Automation in Dynamics CRM Document Automation The value of Automation Reduce User

Document Automation in Dynamics CRM Document Automation The value of Automation Reduce User Workload Reduce Errors by standardized processes Speeds up processes CRM Workflows are faster than users, no delay

424 views • 6 slides
Infrastructure Automation Infrastructure Automation 2 Ansible Ansible What is Ansible?

Infrastructure Automation Infrastructure Automation 2 Ansible Ansible What is Ansible?

Infrastructure Automation Infrastructure Automation 2 Ansible Ansible What is Ansible? Ansible is an open source automation engine Why Ansible? Modular Idempotent Huge support/community Agentless Simple to learn

709 views • 29 slides
Automation + Machine Learning = Hands Free NFV A Word On Automation through ML for Openstack

Automation + Machine Learning = Hands Free NFV A Word On Automation through ML for Openstack

01.11.2017 Automation + Machine Learning = Hands Free NFV A Word On Automation through ML for Openstack NFV PRAKASH RAMCHANDRAN MICHAEL TIEN JAYANTHI A GOKHALE Agenda NFV Automation Challenges? Practical Viewpoint from Dell Labs?

1.04k views • 41 slides
nada technologies, inc. automation solutions and support semicon taiwan presentation automation

nada technologies, inc. automation solutions and support semicon taiwan presentation automation

nada technologies, inc. automation solutions and support semicon taiwan presentation automation products - 2007 NADAtech - automation solutions and support wafer automation company formed in 2002 comprised of former PST and Asyst

546 views • 18 slides
"Test Automation on Large Agile Projects: It?s Not a Cakew alk" Presented by: Scott

"Test Automation on Large Agile Projects: It?s Not a Cakew alk" Presented by: Scott

AW12 Concurrent Session 11/7/2012 3:45 PM "Test Automation on Large Agile Projects: It?s Not a Cakew alk" Presented by: Scott Schnier Agilex Technologies Brought to you by: 340 Corporate Way, Suite 300, Orange Park, FL 32073 888

273 views • 24 slides
"Automation Strategies for Testing Complex Data and Dashboards" Presented by: Greg

"Automation Strategies for Testing Complex Data and Dashboards" Presented by: Greg

W3 Concurrent Session 5/4/2011 11:30 AM "Automation Strategies for Testing Complex Data and Dashboards" Presented by: Greg Paskal JCPenney Brought to you by: 340 Corporate Way, Suite 300, Orange Park, FL 32073 888 268 8770

382 views • 25 slides
TRUCK Wi-Fi POWERED BY Eagle Automation and Andium The automation specialists at Eagle

TRUCK Wi-Fi POWERED BY Eagle Automation and Andium The automation specialists at Eagle

TRUCK Wi-Fi POWERED BY Eagle Automation and Andium The automation specialists at Eagle Automation have partnered with technology developer Andium to create new industry-ready products, giving users the ability to improve their operations

724 views • 21 slides
"Test Automation Success: Choosing the Right People and Process" Presented by: Kiran

"Test Automation Success: Choosing the Right People and Process" Presented by: Kiran

W8 Track 4/28/2010 1:45 PM "Test Automation Success: Choosing the Right People and Process" Presented by: Kiran Pyneni Aetna, Inc. Brought to you by: 330 Corporate Way, Suite 300, Orange Park, FL 32073 888 268 8770 904

418 views • 13 slides
Introduction to Computer Science CSCI 109 Readings St. Amant, Ch. 3 Andrew Goodney Fall 2019

Introduction to Computer Science CSCI 109 Readings St. Amant, Ch. 3 Andrew Goodney Fall 2019

Introduction to Computer Science CSCI 109 Readings St. Amant, Ch. 3 Andrew Goodney Fall 2019 Lecture 2: Architecture Sept. 9th, 2019 Reminders u Take the survey if you havent already u https://tinyurl.com/y2cot2r5 v Password:

1.19k views • 64 slides
More SQL January 30, 2020 Data Science CSCI 1951A Brown University Instructor: Ellie Pavlick

More SQL January 30, 2020 Data Science CSCI 1951A Brown University Instructor: Ellie Pavlick

More SQL January 30, 2020 Data Science CSCI 1951A Brown University Instructor: Ellie Pavlick HTAs: Josh Levin, Diane Mutako, Sol Zitter 1 Announcements People with overrides-Friday EOD to use codes, then we will give then to someone

1.58k views • 140 slides
Observe your neighbors and remove your seatbelt Type introspection and type-unsafety in Qt

Observe your neighbors and remove your seatbelt Type introspection and type-unsafety in Qt

Observe your neighbors and remove your seatbelt Type introspection and type-unsafety in Qt Stephen Kelly stephen.kelly@kdab.com KDAB Stephen Kelly C++/Qt user since 2006 KDE contributor since 2007 Qt contributor since 2009

769 views • 45 slides
HolographicAlgorithms Beyond Matchgates Heng Guo (joint work with Jin-Yi Cai and Tyson Williams )

HolographicAlgorithms Beyond Matchgates Heng Guo (joint work with Jin-Yi Cai and Tyson Williams )

HolographicAlgorithms Beyond Matchgates Heng Guo (joint work with Jin-Yi Cai and Tyson Williams ) University of Wisconsin-Madison Kbenhavn July 11th 2014 Heng Guo (CS, UW-Madison) General Holographic Algorithms ICALP 2014 1 / 22 Counting

1.24k views • 94 slides
Modular Reasoning for Actor Specification Diagrams Rigorous reasoning for open distributed

Modular Reasoning for Actor Specification Diagrams Rigorous reasoning for open distributed

Reasoning About Open Systems Project Collaboration with Agha, Mason, Smith, Talcott Modular Reasoning for Actor Specification Diagrams Rigorous reasoning for open distributed systems Scott F . Smith General multi-language framework

428 views • 10 slides
CS502: Compiler Design Lexical Analysis (Cont.) Manas Thakur Fall 2020 Recognizing strings in

CS502: Compiler Design Lexical Analysis (Cont.) Manas Thakur Fall 2020 Recognizing strings in

CS502: Compiler Design Lexical Analysis (Cont.) Manas Thakur Fall 2020 Recognizing strings in regular languages Done using Finite Automata A kind of state machine A state denotes a remembrance of the string read so far. An arrow

781 views • 14 slides
WDO WORKSHOP ACER Workshop on Within Day Obligations TI TRE 15 May, 2017 In total 48

WDO WORKSHOP ACER Workshop on Within Day Obligations TI TRE 15 May, 2017 In total 48

WDO WORKSHOP ACER Workshop on Within Day Obligations TI TRE 15 May, 2017 In total 48 registered participants WDO WORKSHOP Opening remarks Reflections on ACERs First Monitoring Report and the Balancing Network Code Gas Department

1.51k views • 111 slides
Samsung Galaxy Gear - A Long Time Coming cs160. cs160. valkyriesavage.com valkyriesavage.com

Samsung Galaxy Gear - A Long Time Coming cs160. cs160. valkyriesavage.com valkyriesavage.com

Samsung Galaxy Gear - A Long Time Coming cs160. cs160. valkyriesavage.com valkyriesavage.com welcome to cs160! June 22, 2015 Valkyrie Savage http://stackoverflow.com/questions/238177 Tim Mott, mid-1970s, from Moggridge, Designing

1.14k views • 64 slides

More recommend