Here's my plan, right? We're going to deliver our sploit via the email, right? It's going to live on their mail server until the admin is clever enough to read it. At that point, we're going to sploit his pine. Pretty good plan. Connect back shellcode out to us, listening on the public internet. We're going to escalate some privileges, drop a nice and prepared rootkit. And from there, we'll trojan his SSH up good and proper. Sniff his keystrokes, wait for him to log in to the database server. Yeah, it's all good, right? All good. Okay. Those didn't look like email addresses to my word. All right, anyway, so, got a brand new pine 0day, run it through our mail spoofer. You see, now, something he's got to read, right? Now, that looks like a compelling piece of email to me. And we fire up our netcat and we hang around. You'll notice for convenience, that's on 41337 instead of 443, but never mind. And look at that shell, right, pine sploit worked perfectly. Yep, you ready, admin? Yeah, he's a clever man, nice username. Oh, shit, where does pine go? Ah, look, damn thing dropped core, right? He's probably going to notice that. He's sitting there using his pine and it's all gone, ah, shit. So, at this point, you know, he's probably going to spot us. Hacksaw.com, pretty poor choice of reverse, like I now admit. And, ah, yeah, look at that. He's started that shell, he's going to start running around where we're going. Ah, shit. Now, if you're a clever man, you know, if you're a wise man, it's time to drop carrier, right? Plus, plus, plus. 88 more, just to get the hell out of here, right? Things have gone horribly wrong. Ooh. Apparently, pear-shaped doesn't translate well into North American English. You know, ah, sorry about that. But yeah, did you see that? In the pear-shaped sample, back there? What the hell? Look, look, look. SSH session, root at the name server. That sounds pretty good, huh? Pretty good. I'd like that. If I drop carrier now, alright?
I'm never going to get a chance like that, right? Man, I really, really, really wish there was a way I could get to the other end of that SSH session. It's already root, right? I don't even have to go out there and root the box. All I've got to do is get down to that SSH session, man. If only there was a way. Like fucking duh, there is. That's just why I'm standing here. So, yeah, I'll smack a few magic keystrokes, a little bit of this, a little bit of that, and bang, bang, bang, bang. SSH jack. Doot, doot, doot, doot, doot, doot. Just like that. Anyway, so my name's Metlstorm. My mom calls me Adam. I'm from New Zealand, which is why I sound a little fucked up. For those of you who are not familiar, it's a very small island. It has fewer people than any city in the entire North America. And yeah, we have lots of sheep and apparently hobbits. I haven't seen any right now. Let me tell you right now, there are no hobbits. Right? There's no hobbits. They don't have preciouses. They don't exist. It's sad, folks and fanboys. See, I work for a Linux integrator. I don't actually do much security for a living, so I'm kind of here in a personal capacity, which is why I can say fucked. In the past, I've been a corporate security consultant. I've done network engineering. I've done all sorts of stuff. So, right. What the fuck did we just do, right? We saw ourselves a pretty classic intrusion, right? Slightly different modus operandi than you're probably used to, right? The server box was pretty well secured. Instead of attacking the server directly, I decided that the best way to do it is to attack the admin's desktop and then from there go to the server. But there's desktops, right? I mean Linux desktops, just as much as Windows desktops. There's a whole bunch of complexity. There's a lot of candy and enlightenment and things that make your desktop look real pretty. And all that complexity, all that kind of intellectual candy floss that's there just rots your brain, right?
That's where all the bugs are. So, if I want to root someone's big Linux server, I'm not going to go after the server. It's got intrusion detection all over the place and intrusion prevention, like it works. I'm going to go attack the desktops, right? That's where it's at. And certainly people who have Linux desktops, right? They're real geeky. They have their glasses and long hair and units of beers and shit, right? And they look after all the good stuff. So, that's where you're going to go. But sometimes, right? Sometimes you're not perfect, right? Things go wrong. In that particular place, you know, we got there, we got busted. We dropped before he was going to notice. So, you know, you can drop carrier like some sort of fancy. Oh, maybe, maybe you can do something a little different in place and adaptability. Something a little new. So, what are we doing, right? When you hack something, what do you do? What are your goals? Well, generally, privilege escalation is pretty important. And why is it important, generally? Because it's the only way you can get in there and kind of consolidate yourself. Make yourself stealthy. When you root a box, you're probably going to be there for a little while, because you have a bunch of reconnaissance. You have to figure out what you want to do next. Very rarely do you ever, you know, just get root on the box. So, that's where you're going to go. You won't be able to come and get root from the shell and develop these boxes quite as often as they used to. So, yeah, you have to do reconnaissance, right? You're usually on your way. There's kind of another thing you could do, right? You could be a good guerrilla star, right? You walk in there, you get what you want, you get the hell out real fast. And that saves you a bunch of time and effort. And I like to explain that to people, right?
That's a big difference between all you fuckers and the people they pay to do this for them. At least the cheap ones anyway, I don't know. So this is just a really big name for root and other stuff, instead of the stuff you've got. Cross-host privilege escalation, right? So, privilege escalation is pretty normal. You have a user account, you want to get some root. That's good. I think root on another box is just as good as root on this box, most of the time, right? And local root, you know, it can be a distraction, you're on your way to somewhere, you don't have time to sit around and root the box up good and proper. You know, local vulnerabilities are easy to exploit often, right? We have a lot more information, a lot more versions, the stack layout. We know what we're getting ourselves into. It can be kind of tempting to sit around and escalate your privileges, because you feel good about it, right? You know, you're achieving something when you see that it's all good, right? You feel good about yourself. It feels easier than local privilege escalation. Trust relationships. Yeah, it's kind of old-school, I know. You must be, like, five, six, seven years ago talking about trust relationships. It's kind of old-school, yeah. You mean, you know, you've got rhosts, and back when rhosts were "+ +", we're just magically root. That can be what exported slash read-write to the entire world. That's good, right? We're just a bunch of long-haired units. We love each other, it's all good. You know, like, this disk space is your disk space. It makes you feel good, right? It's old-school, you know? You feel like your mommy's tucking you up in bed. No, it's good. But we called that hacking, right? That's just embarrassing. That was just mounting stuff. How many of you watched this where Simple Nomad goes, like, mount and he's a hacker? Sorry, I kept you in the room. And that's my favorite thing about trust relationships. Instant gratification, right?
You turn up, there's a trust relationship between hosts, right? It's like Christmas, it's good. Right now, you get root on another box, or shell on another box, it's great, right? It makes you feel really good. Traditional trust relationships, right? I call them long transient trusts for no reason other than that I'm obviously about to talk about transient trusts. That's what I'm calling traditional kind of fixed trusts. Things like rhosts. Things like SSH key-based trusts. They're trust relationships that exist kind of as stored authentication credentials. What Bruce and I would probably call one-factor authentication. Or it can be authentication based on properties of the connection, you know, the source address, the whole thing below, all that sort of thing, right? That's your traditional, run-of-the-mill, garden trust relationship. And then there's trust relationships which are transient, which, you know, trust relationships that exist only for a period of time. And generally, the most interesting class of those is post-authentication connections. If you've initially carried out your authentication, the remainder of that session is effectively a transient trust relationship between the hosts. Unless you personally authenticate every single packet you send, then you may have to accept some sort of transient trust relationship between hosts. So we're going to look at a couple of methods, you know, the traditional methods for exploiting transient trust relationships. And to do so, I picked a couple of metrics, just out of here, right? How easy it's going to be to do it, how sneaky it is, how stealthy. How close to right the fuck now you can do it. And overall kind of feeling of feasibility, right? Because in a test, if you're only going to be able to use it one time, 100. So yeah, we're going to evaluate them, and for the purposes of this, a non-root shell box. Right, so your traditional non-transient trust, right? It's pretty straightforward.
Our job is to impersonate the credentials that are used to authenticate that connection for trust, whether it be by coming through the trusted box, using stored key material like there's an SSH trust, or by spoofing. And that's pretty straightforward, right? That's easy. It's pretty sneaky, right? No one knows that you turned up, sorted out the trust and abused it, right? When, yeah, right now, right? You turn up, you find a trust, you're gone. It's all good. But overall feasibility, it's not so good. But how often do people still rely on rhosts being "+ +", 10, 20, 40, right? Outside of like bank advice or whatever. Not that often, unfortunately. So you don't see this, which is a pity, because I like it. The other interesting way to attack a transient trust relationship, a traditional way of doing it, if you will, is the key log, right? So during authentication, you log the user's input, either by trojanning SSH, having it listen to your keystrokes, or by logging in from the keyboard to the host. Or even shoulder surfing, right? So you steal the credentials and then later on you reuse them for your own good, right? Classic technique. Easy? Hell, yeah. Everyone does it, right? It is the standard way of getting from one box to another. Stealthy? Sure, you do it, right? When? This is the downside of this, you have to wait for them to log back in, right? And say, like in our example earlier on, you get busted. So if you now go ahead and kill the SSH client, they're not going to reconnect, right? They're wondering where the pine went. So yeah, that's not so good. Overall feasibility though, it's a really good technique, right? It's kind of the gold standard. That's what everyone does. You can always fall back on a key log, right? It's all good. Next technique, right? It's man in the middle, right? Similar sort of thing except that we impersonate the server to the client and the client to the server. We sit in the middle, we get the authentication credentials.
Optionally, if it's encrypted, we have one bit of jiggery-pokery with fake certificates, fake host keys, that sort of thing. And then later on, we can either sniff their connection to see what they're doing and if we're feeling particularly nasty, we can take it over. Now the downside of that is, of course, the user is probably going to notice. So ease. It's a relatively well understood sort of thing. You know, it's not wildly complicated. The downside is, as people just deploy PKI systems, or at least look at their host keys, which I hope you do. It's not so good. Stealthy, yeah, same thing, right? SSH pops up huge warnings saying, you know, oh look, someone has messed with your host key. It might be bad. When, same problem, right? We have to wait until authentication time to do it. But overall feasibility, yeah, it's okay, right? We can do this occasionally. Now this is a kind of old-school, right? The TCP hijack attack, right? You take a running open post-authentication connection and you bust open the sequence numbers and you hijack, right? This is old school. It's been used quite famously by Mr. Kevin Mitnick. But unfortunately, when you go and do it, oh yeah, the users notice and look at them. That does look like Shimomura, don't you think? He looks pretty pissed. He's got two exclamation marks next to him. That's how you tell. So yeah, these days not so good. People have decent, hopefully, random sequence number generation. And yeah, it's not so stealthy. But the plus side, right? It has all the properties we're looking for, right? We can do it right now. Right now, open connection. It's got the credentials we want at the other end. We can go and steal it. All good. But the downside is, yeah, overall feasibility, not so good, right? You're going to need raw sockets. You're going to need a promiscuous interface to try and see the sequence numbers. If you're not doing it blind, doing it blind these days is not as easy as it used to be.
So yeah, I like it, right? I'd like to be able to do this, but it's not always feasible. But this is the fun one. After they have authenticated the session, we turn up on the user's box and we sneak down their running connection from inside the box. And they don't notice. That sounds easy. It is. It sounds stealthy. It is. It sounds like you could do it right now. Mmm. And is it feasible? Well, the code's on your CD. Yeah, hijack the application. Why not, right? It is slightly different, right? It demands slightly different methodology, right? When you're going to hack someone. Normally, you hack them on a public holiday, on a weekend, you know, when they're getting married, something like that. Here, what you're interested in is maximizing the number of open post-authentication sessions for you to sneak down. So really what you want to do is you want to turn up during peak time, right, the middle of the day when everybody's right there at their desks, and then you want to sneak in and take their root right out from under them without them noticing. Right? Just daylight robbery. And the funny thing is, right, it's not even that difficult, right? This is just a party trick. I mean, all I did, right, was I thought, you know, there's a lot to be learned from kind of old school DOS viruses. There's a lot to be learned from things we've done in the past. And this is just creative re-application of the same tricks that, you know, binary reverse engineers and virus writers and all those sort of, you know, kind of sneaky fuckers have been doing for a while. Right, so I took those numbers that I just pulled out of my ass earlier on and I put them on a graph to make it kind of look legitimate. And as this graph clearly demonstrates, right, my technique is wildly better than everything except classic trust relationships, which you'd have to be a retard to deploy, right, and then seriously.
So yeah, I graphed them and really the conclusion from this graph is that exploiting transient trust relationships is almost as much fun and as easy as exploiting traditional trust relationships. For your hijacking pleasure, I present to you my SSH jacket. It doesn't actually look like that, right? It looks different, it looks like a script and stuff. So yeah, it's a Python script which, when pointed at an SSH session, gives you a shell at the other end. Just like that. So we're going to talk briefly about how it works, a few kind of implementation details, the nitty-gritty stuff so you can do it yourself. And then we're going to diverge briefly into considering anti-forensics whilst implementing and using it. And then there'll be like one slide of mitigation, just the responsible bit of the talk. And then we'll talk about a few other bits and pieces that you might have up your sleeves or I might have up mine. Here with this commercial software with the two buttons and stuff. I'm kind of a one-button sort of guy. That's pretty sweet. I just hack your network, right? I don't do presentations. So yeah, SSH, right? For those of you who aren't familiar, which probably isn't anybody, I guess, channel metaphor, right? Effectively, SSH provides a multiplexed transport, right? You can run multiple sessions across a single encrypted TCP pipe, right? And it provides a number of useful things for you to connect to those sessions. The typical ones you'll see is your TTY, apparently that's pronounced titty, I'm not sure. A shell for you to talk to on the other end of your titty. And of course, TCP sockets is the other thing we normally shunt around. X connections, that sort of thing. People are quite familiar with that. So what we're trying to do here, of course, is we want to be able to take the user's session away from him and use his credentials. But we don't want him to notice, right? And this sort of virtual channel metaphor is exactly what we're looking for.
How's it work, huh? Well, we're going to take the features provided by SSH and we're just going to use them for evil, right? That's what hacking's all about, right? So what we do is we ask for a second shell. We say, hey, server, I'm Bob, I'm authenticated, you saw that earlier, right? I gave you my password. I'm good, right? You want to give me another shell? I could go another one. Maybe two. And then we're going to glue it to the hacker. Give him a socket. Connect it up. Ooh, look, a shell. Just like that. So using Python and a little bit of debug trickery, we go ahead and we ptrace attach to the client process. Now this implies, obviously, that you need to be able to ptrace attach. So obviously you have to be root or you have to be running as the same user. Right? And that's not as stupid as it sounds. You think about all the Firefox bugs we've had lately, right? Admins who run Linux on the desktop are almost always going to run Firefox. There's been a few Firefox kind of zero-day run-code sort of bugs. You turn up on the desktop. You find every running SSH connection. You jump down them. And then we just rummage around. And we find ourselves the virtual channel setup code, ssh_session2_open if you're wondering. Right? And then we just go ahead and patch it. So instead of talking to the user, it talks to us. And then we run it. And then we just put everything back like nothing ever happened. Except that the shell just popped out my netcat. Yeah, this is... I like the thing. This is the sort of thing that your mother warned you about. Right? Hackers, we're sneaky. Sneaky. Well, one of you guys is sneaky. The guy earlier on, yeah. Yeah. We don't just install LKMs anymore. You know, just trojan ourselves, stuff, right? That's kind of boring. I mean, we don't install BNC. Who cares about IRC? That's right. IRC is crap. Except the older ones get caught. They're always running eggdrop bots and crazy shit like that. And yeah, good hackers.
A little bit of creativity here and there. Maybe they'll do something new and interesting like jack your SSH connections. And if you hire some pen testers, and they're good, maybe they'll do it too. So all we're really doing here, it's just automated debugging. Right? It's not crazy. And of course, if you give me a debugger and one of your processes that happens to be doing something important, of course I can fuck with that, right? That's normal. That's what debuggers do. And humans with debuggers can do sneaky things. But what we really want is we want to automate it, right? We want the sneakiness of a human and the speed and portability of a script. So that's what we do. So we're using Python. We're using GDB. And we've come up with effectively an automated debugging toolkit. Of course, one of the downsides about this, and if you've done any binary reverse engineering, is that debugging binaries when you don't have any symbol information is not really debugging. It's not fun anymore. So you have to do a bunch of tricks that normal reverse engineers, people who are doing binary analysis, have to do. And we'll talk a little bit about that in a second. The nitty-gritty implementation details. A little bit about Python and about GDB/MI. One of the things we have to do is we have to find a safe place that we're going to stop the program and kind of mess with its execution flow. Because obviously we can't just go in wildly executing code in its memory space and hope it's going to work. And then we have to find the code we're going to run. We have to execute that code. Or we have to inject some code there first, obviously. And then we have to put it all back again. And, of course, what I'm discussing is in specific reference to my SSH jacket, but it's equally applicable to anything that you're doing this sort of stuff with. We'll talk about a few of the other interesting things you could do later.
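The talk's hijack depends on a ptrace attach to the running ssh client. The defender's counterpart is to notice that attach. On Linux, every process reports its tracer in the `TracerPid:` field of /proc/<pid>/status (0 when nothing is attached). The following is an added example, not code from the talk or from the SSH Jack tool: it parses that field and flags watched client processes (ssh, scp) that currently have a tracer. The process names, PIDs and status text in `SAMPLE_STATUSES` are constructed sample data standing in for a live /proc.

```python
"""Flag ssh/scp client processes that have a ptrace tracer attached.

Added example (not from the talk or SSH Jack). Reads the TracerPid field
that the Linux kernel exposes in /proc/<pid>/status; a non-zero value means
some other process is ptrace-attached at this moment.
"""
import os
import re

TRACER_RE = re.compile(r"^TracerPid:\s+(\d+)", re.MULTILINE)
NAME_RE = re.compile(r"^Name:\s+(\S+)", re.MULTILINE)


def parse_status(text):
    """Return (name, tracer_pid) parsed from the text of /proc/<pid>/status,
    or None if either field is missing."""
    name = NAME_RE.search(text)
    tracer = TRACER_RE.search(text)
    if name is None or tracer is None:
        return None
    return name.group(1), int(tracer.group(1))


def traced_processes(statuses, watch=("ssh", "scp")):
    """statuses maps pid -> status text. Returns a sorted list of
    (pid, name, tracer_pid) for watched processes with a tracer attached."""
    hits = []
    for pid, text in statuses.items():
        parsed = parse_status(text)
        if parsed is None:
            continue
        name, tracer = parsed
        if name in watch and tracer != 0:
            hits.append((pid, name, tracer))
    return sorted(hits)


def read_proc():
    """Collect status text for every process on a live Linux host.
    Read-only; processes that vanish mid-scan are skipped."""
    out = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/status") as fh:
                out[int(entry)] = fh.read()
        except OSError:
            continue
    return out


# Constructed sample: pid 2100 (an ssh client) has been ptrace-attached by
# pid 2244 (a python process); everything else is untraced.
SAMPLE_STATUSES = {
    1234: "Name:\tssh\nState:\tS (sleeping)\nPid:\t1234\nTracerPid:\t0\n",
    2100: "Name:\tssh\nState:\tt (tracing stop)\nPid:\t2100\nTracerPid:\t2244\n",
    2244: "Name:\tpython\nState:\tS (sleeping)\nPid:\t2244\nTracerPid:\t0\n",
    3001: "Name:\tbash\nState:\tS (sleeping)\nPid:\t3001\nTracerPid:\t0\n",
}

if __name__ == "__main__":
    # Swap SAMPLE_STATUSES for read_proc() to scan a real host.
    for pid, name, tracer in traced_processes(SAMPLE_STATUSES):
        print(f"pid {pid} ({name}) is being traced by pid {tracer}")
```

This is a point-in-time check: once the tracer detaches and, as the talk says, "puts everything back", TracerPid returns to 0, so it has to be run frequently or wired into an audit of ptrace attaches to be useful. Restricting who may attach in the first place (for example the kernel's `kernel.yama.ptrace_scope` sysctl, where the Yama LSM is available) removes the same-user attach that the talk relies on.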
So, yeah, GDB is the GNU debugger for those of you who aren't familiar with it. I'm sure you've heard of Richard Stallman. He writes some good stuff. One of them happens to be a debugger. It's pretty cool. And GDB/MI is its programmatic interface. GDB/MI is actually pretty suck. It's about half implemented, but it's good enough. So I went ahead and just wrote some Python bindings for it. It implements pretty basic functionality, but it's good enough to get the job done, right? The SSH client, as you normally use it, is single threaded. It doesn't expect you running other code in the middle of other code. So, yeah, and there's all sorts of kind of nasty global data structures and arrays of function pointers and shit like that, right? So we have to be a little careful about what we're doing. It's also completely asynchronous. So when you, for example, when we ask for that virtual channel, right there, it goes into a queue where the list of packets have to be sent to set it up, and there's a whole kind of, you know, state machine that models how the SSH client interacts with the server. So we have to be kind of careful. So we have to find the safe place where we can run our code. And what you're aiming for in the choice of a safe place is really minimal deviation from the normal operation of the code. And funnily enough, right, that happens to be in the middle of the mainline, right? We read the fine source, I find the select call site, that's probably a good place. So we ptrace attach, we stop the process, we drop a breakpoint in that safe place, and we let it run until it comes back. Just like that. But where is select? Normally, right? Normally if you're debugging something, you just go, hey, gdb, select, and it goes, oh, yeah, it's all good. But we don't have any symbol information, so we have to do a little, you know, let's see how everyone does this sort of thing. So where does select come from? It comes from libc, so how does it get in there?
Well, the loader puts it there. Where does it put it? It dynamically links it into our address space. So we ask, where'd you dynamically link it? It says over here, that's all good. Then, you know, we have to rummage around in the global offset table, find it in there, the ELF procedure linkage table, another exciting piece of the ELF format, and then we rather boringly rummage through the code segment until we find it in there. So we're going to use that PLT entry. In this case, actually it's quite easy, because there is the only one call to select in the whole damn binary, so we can put a breakpoint right in the middle of the ELF PLT. Saves me a step, nice. So, yeah, now we've found select. So where are we going to put our evil code? Well, we're going to go and patch ssh_session2_open, which is the piece of code responsible for setting up a new virtual channel and asking the server to connect something to it. Fortunately for us, there's a unique error string in there. It happens to bitch about dup2 failing, and that's the only occurrence of that string in the binary. So we rummage around, we find it in the read-only data section and walk the code segment looking for references to that. Now we know roughly where we are in this function. Nice and easy. So, yeah, the evil code itself, right, it's going to overwrite the first half of the virtual channel setup code. We're going to save the registers, we're going to save the flags, and it looks like shellcode, same sort of thing. We're going to call socket, we're going to call connect, we're going to connect it back to wherever we happen to be listening and then we're going to substitute it for the file handles that it's expecting to be a normal Unix TTY. I like Unix, it's cool. Let's see you do that in Windows where your Winsock sockets are different from your files, ah Jesus. And then we're going to leave the registers set up just right so that the second half of the function runs perfectly.
And for really no good reason at all, we're going to call libc instead of the kernel syscalls, which I could, but just, you know, a bit of variety. Sick of kernel syscalls, very boring. So, yeah, why all the effort, right? Why do we go to so much effort to overwrite half a function? Wouldn't it be simpler to just have a piece of code which we've already compiled, which happens to set up virtual channels, and we'll just kind of copy it into its address space and run it, right? That would be a lot more straightforward. Yeah, it might be. But one of the really suck things about that is you have to link it by hand, because if you've tried, it's not fun, right? That's not a fun game at all. And so I thought maybe it would be easier to just let the bottom half of the function, which contains all the symbol references, just let it be and inject stuff up the top to take advantage of that. It's particularly nasty for SSH because it has this whole kind of, you may remember from, you know, programming classes, this data-driven metaphor, it was just popular kind of late 90s or something. You have like wild arrays of function pointers and you just let the data index into them and that's it. All right, that's pretty yuck to have to reverse engineer on the fly. It's especially tedious if you have to do it for every binary. In this case, we actually patch it up at runtime to make sure that the shellcode we have will run in this particular environment and you'll see actually it's surprisingly successful. So what do we do? Well, we work backwards from that unique error message we found. We find the appropriate place on top of the function. We just kind of walk up until we see a bit and then we learn a few bits and pieces like how big the local stack is and we patch in the command line parameter so it's user friendly and a few other bits and pieces that we discovered as we were, you know, doing our thing. And now we have a nice little piece of evil. Yeah, let's wedge it in.
Back up the instruction pointer so we know where we were. Back up the old code that we're about to overwrite, stash it somewhere in memory, and then we go ahead and just inject our code. Now, it's going to take care of a few bits and pieces. We've got a breakpoint at the end to catch it when it's finished. What do you think we're going to do next? That guy over there, right, he's busy. He's playing Hunt the Wumpus. He's just doing his job. That wumpus, it's still going to kill him, and we got ourselves a shell. Just like that, transparent. The user doesn't even notice. He sits there running something interactive. Shell pops out from underneath him and he doesn't even notice. Sucks for him, huh? So maybe you're going to go home and do something, right? So what are you going to do? How are you going to do it? How are you guys going to go home and hijack yourself some action? Well, it's pretty straightforward. What I did, and you don't have to kind of do what I did, of course, is I wrote the hijack code in C first. It makes it nice and easy. Compiled it up and compiled it directly into SSH, because I wanted to prove that you could have two shell sessions down in SSH, and you can. So I hooked it up like a magic keystroke, right, and bring up the command prompt and I typed in, open me a shell please, and it gave me one. Just to prove the point. And then, of course, the compiler had conveniently generated most of my shellcode for me. Gee, that was so hard. Glad I bought the book. And then I went ahead and implemented hijacking for a binary that had debug symbols. Makes it nice and easy. Just to prove that I can get the code in and out of memory, in and out of the half of the function, nice and easily. And then they really suck a bit, so I had to go ahead and write code to do it. And then, oh look, jacking friends for fun and profit. And then if you're really nice, package it up for the security consultants, put some 3D, some spinny round, if you're a little whoosh.
Maybe do it in Flash, I don't know. A few bits and pieces, the things that didn't fit in elsewhere. Think about how much you use SSH. You use it for SCP. You use it for CVS. You pipe stuff over SSH all the time. You have a backup solution. You can't find a decent one. It gets around. There's a lot of it. And yeah, this does work over SCP. It does work over stuff over SSH. It's a few little wrinkles, but it works just fine. Actually, the code on your CD doesn't work just fine. The stuff I have right now does. And it'll be on blackhat.com or DEF CON or wherever they put this stuff after I've finished. So yeah, it does. It jacks SCP just fine. You'll notice in the client you can hit tilde and then I think it's hash or something. It brings up a list of the open virtual channels you have. Does it show up in that list? Yeah, it does actually. How many of you knew you could list the virtual channels open with tilde and hash? One, one, horns. Thank you. But of course that's the client that's listing it. So you want to go patch that? Sure, no problem. And what happens when they log out? Well, anyone who's used port forwarding, you've got an open shell, you've got a port forward as well. You're using the port forward to, you know, look at GoPorn or whatever, right? And you log out, right? You haven't finished looking at the GoPorn, the connection stays open. Great. Well, the same thing happens here. So you're SCPing, your SCP takes 30 seconds. I happen to catch it in time, run a shell over it. Your SCP will stay running once it's finished copying so that I can do some hacking. Play Hunt the Wumpus. And how well does it work? Well, at the moment any OpenSSH 3 it should work on. It's known to work on the out-of-the-box Debian Sarge, RHEL3, RH9. It works on Slackware as well, 9.1. It doesn't work on SUSE because their compiler is just retarded.
I work with a guy who used to work at SUSE on their AMD64 stuff and they got paid by AMD to write loads of extra optimizations for AMD64 and then they went and back-ported them over to Intel. And now the compiler just generates code that's so wildly broken. I look at it, right? I can't believe it even executes. I've seen it miscompile, like, really basic stuff. Anyway, so it doesn't work on SUSE, right? Ah. I'll get round to it. I'll probably just write some one-off custom code that's going to work on SUSE, because the magic heuristic stuff that works on everything else doesn't work on their compiler. Silly SUSE. It's also worth mentioning, I guess, Python 2.2, 2.3, 2.4 it's known to work with. 2.1 it ought to work, but I haven't tested on 2.1. Anything older than that, there's probably a few bits and pieces that are broken. GDB, I haven't noticed any version it doesn't work with yet. It's a pretty straightforward text interface. Now, if you'll indulge me, a brief tangent into anti-forensics. Now, those of you who were at Black Hat or Ruxcon last year may have seen the Grugq's talk on anti-forensic stuff. I don't know if he was doing it at Defcon, was he? No. No. It's very interesting. Well, I saw it at Ruxcon a few years ago, or a year and a half ago. And yes, he has very interesting things to say about anti-forensics. And of course, when you're attacking systems like this, right, in the middle of the day, or when everyone's using them, it assumes that you're taking pretty basic anti-forensic precautions. You don't want to leave too many trails. So yeah, I'm going to give just a brief, very brief overview of anti-forensic technique and then how I've implemented it successfully and unsuccessfully in some places when I was using and writing the SSH jacket. The most important thing, the most important thing is don't put anything on disk. Do it all in memory, right? Memory goes away when they reboot the box. Right, there's nothing on disk, there's no tripwire.
There's nothing for them to look at with EnCase, or whatever other expensive forensic products they're using. You know, sucks if you get swapped out to disk, you know, well. But really, you want to try and keep everything in memory only. Use local tools, right? These are Turing complete machines. You can write your sploit code in whatever is available, right? If you have to import scanner and orc, do it. Right? If it has a Perl interpreter, great, use that. If it has a Python interpreter, use that. If you're good, right, you turn up, you find what's there and you write your tools on the spot. That way you don't have to go and, you know, wget magichacksawtarball.tar.gz from hacksaw.com, right, which is a real fucking giveaway. You don't want them to know what you did. And yeah, try not to make new network connections, right? You don't want anything for their intrusion detection or, cough, prevention systems to spot. And you don't want them sniffing your traffic and kind of replaying it later and figuring out what the hell you did. So yeah, reuse your existing connection, hide in plain sight, use encryption. How well do I do? Well, we do use general purpose tools, right? GDB is pretty general purpose. I mean, if you turn up on a box that doesn't have GDB, maybe it's not such a giveaway to go ahead and install it, right? And maybe you're just helping, right? You're just doing a bit of administration for them. Some of the boxes I've seen are admin'd by Russian hackers. Remotely, right? They don't even have to go on site to reboot it. How nice. So yeah, we do. We use general purpose tools. We use the Python interpreter. We use TV. That's nice. SSH is encrypted. So the packet load is not much use. And yeah, our new shell that's going across the existing SSH connection. Right, there's nothing new there. There's no new connection for any intrusion detection or things to spot. It's not very interesting. So that's good. We're looking okay. Where do I suck?
Well, Python code lying around does not work. I've got to copy the script across and then I've got to go Python, SSH, Jack, etc. That's not very nice. There's a script lying around for them to look at. Even Python bytecode lying around, you can turn that back into code pretty easily. And of course the other problem is we have that connection coming from the SSH client out to, you know, our netcat which has the TCP connection with the shell on the other end. That's a new connection. That's not so nice. And yeah, it's in the clear as well. So obviously if I were a cunning man, if I were a patient man, I would have implemented SSH connect back, because all the code in the client is there. We could just SSH out. That would be nice. I haven't done that yet, sorry. But if you happen to turn up over SSH, so say it's the second box you've rooted in a row and you just came in across the SSH connection, why don't you set up a core port? Bring it back down like that. That would be a pretty good idea. So let's not leave our scripts lying around on disk. How about we just go ahead and load that Python directly into memory? Well, good, right? So let's just run up a Python interpreter, ask it to read from standard in and execute it. And then locally, we'll take our Python script if we want to run it remotely, we'll compile it up, we'll turn it into bytecode, we'll compress it with base64, we'll send it across the wire. Maybe we'll have a little loader at the other end so that we can run it. And then send it across your shell. That's all good, right? Nothing on disk. Does that sound straightforward to anybody? It's pretty straightforward to me, right? There's three lines right there and then a little bit of jigglypuffery. Oh, I know you want a script. You always want. You want scripts, don't you? Okay, I wrote a script for you. Make it nice and easy. It does all of the above, right? So I'm going to have to load the Python live with what might require.
The command line arguments: packs it up, sends it across, runs it. You give it a shell on the remote end, it knows how to do the rest. And then if you're really cool, right, how about screen? Screen's really neat. Screen is a terminal multiplexer, right? You must know screen. Screen has this really cool feature, called bang. It'll run a local command and then it runs your other options. But it will inject the output of that local command into your remote session. So I sit there in screen. I go control A and I screen the sketchy. I go bang, bang, bang, bang, bang, bang, bang. I have to load sshjack, cross-side the destination post report, and it runs it on the remote machine, just like I was there. It's pretty cool, right? You can always forget you're running it remotely, and obviously for your convenience, that's on the CD. So what else can I do with this? Well, it would be nice to actually generate a shellcode on the remote end. I didn't get around to writing a single yet, and other people have already written those. One's even in Python, right, most definitely. It doesn't have a lot of documentation, so I read for it, but I haven't implemented it yet. Sorry. Yeah, pure Python debugger, that would be cool. Aha! What other protocols have virtual channel infrastructures? And are used on clients? Lots. Especially for the past few clients. Hmm. MS RDP? Citrix. I've already had a chat with some people who like hacking in Citrix, and they're pretty keen on this idea. Citrix has got a virtual channel infrastructure for running in your drive mapping, and all the other crazy shit you're playing here for. What's wrong with Higgs, right? Yeah, an all manner of things, right? I mean, once you have an automated programmatic debugging toolkit, you start seeing all the things you can just beat with that hammer, right? It's a really cool thing to have in your toolkit. You can have it disassemble stuff on the fly, figure stuff out and patch it. All programmatic, it's cool.
Right, now, being as it is that I'm obviously some sort of long hair, and I'm from the Antipodes, I'm not very fashionable, I'm kind of stuck in the 80s and shit, but I'm not sure if this is still fashionable, right? Because, blame Theo for everything. Is that still fashionable? Yeah? Yeah, okay. Unfortunately for me, it's not Theo's fault. It's actually a feature of all things. The SSH protocol specification says it's just fine to have multiple channels on the other end. In fact, it's a requirement. But that's pretty cool, huh? I hadn't really thought about it before. I might say it's fine, right? That's all there is to it, right? But no, imagine like a graphical client, like a cab client, with multiple shells or whatnot, right? It's a good idea. So yeah, it's a feature, right? If you could get a shell from a server back to the client, that would be a bug. Unfortunately Theo took care of that. He's a good dude. Same with unsolicited port forwards, and if you could port forward from a server back to the client without asking you to do so, that would be a bug also. SSH implementations. Because SSH is, you know, the client and the server are very, very similar in functionality. They both have to deal with this multiplexing and demultiplexing. Generally, most people write that code once, right? They use it in both client and server implementations. So you have to be pretty careful. So if I were you, and you're using a funny SSH server, I'd probably be a crazy Cisco one, but no. Yeah, I might have a look at that. It's funny, but work, isn't it? Anyway, yes. If it's not OpenSSH's fault, please don't send me a bug. It's not a bug. Blame me instead. I don't want Theo to ring me up and harass me. If my arse or whatever. OpenSSH is cool. For the record, OpenSSH is cool. It's a big, fat, bloated piece of crap, but I like it. I use it every day.

Mitigation technique. Responsible slide, right here. Don't get rooted. It's easy.
You could, if you were cunning, patch ptrace, maybe, so you couldn't do it as a user. No, they didn't do it, I suppose. Patches are around to do that already. One of the things that's not on there is you could, SSH agent, they try to prevent this attack by making it setuid. I don't know that making your SSH client setuid is a good idea. There's probably also other things that will go wrong. One of the most important things that you can actually do to help yourself is, if you're running trust relationships with your hosts, there's a bunch of tools you can use to restrict what those keys can be used for. You can restrict what commands are executed. You can restrict where the port forwarding is allowed. You can restrict X forwarding. You can use it to really do them. Oh yeah, and then Steve Gibson has some really good ideas about those raw sockets right there. They add so de buggers. I think we should get him in charge of the anti-bugger movement. Why do you care? It's just a party trick, right? It's like you log in the fast. That's all, right? It's not wildly zero day. If you get rid of this group, you knew that. Rich's desktop, yeah, it's a good way, right? Attacking desktop machines that are full of complexity is a very good way to get to well-protected servers. And especially Linux athletes. In our running Linux on the desktop, there's probably looking out for interesting stuff. And yeah, try it against RDP or ICA. That could be interesting. Briefly, mad greets. There's not much of a scene in New Zealand. There's only a few of us who all drink beer. There's like, what's it for? I'm through tables, I'll see. But yeah, I thought I'd better say hi to them. And Gino Spice, he gave me my first security card a few years ago. He's a good dude. Oh yeah, and there was a few talks at Ruxcon on the interest in the health. Strong clothes, health, encrypted, right? That's some crazy shit, right?
There's like symbiotic ptracing processes that take memory in and out of each other and unencrypted kids crazy. Go look at it. Apparently I'm out of time, so you don't get to shit me. Sorry. There was also a demo. I'm getting the air signal. If you want to see a demo, come see me afterwards. We'll do it on a box that doesn't look like a screensaver. Thank you guys.
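The key-restriction mitigation from the talk above (restricting which commands a trusted key may run and whether it may port-forward or X-forward), as an added defender's example that is not the speaker's code: a small audit of an OpenSSH `authorized_keys` file that flags trusted keys carrying none of those restrictions. The sample file is constructed; the option names are OpenSSH's own, and the `restrict` keyword exists only in OpenSSH 7.2 and later.

```python
# Audit an OpenSSH authorized_keys file for trust keys lacking the restrictions
# the talk recommends. Added example, not the speaker's code; SAMPLE is constructed.
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256"}
# "restrict" (OpenSSH 7.2+) is a blanket stand-in for the no-*-forwarding options.
WANTED = {
    "command": lambda o: o.startswith("command="),
    "from": lambda o: o.startswith("from="),
    "no-port-forwarding": lambda o: o in ("no-port-forwarding", "restrict"),
    "no-X11-forwarding": lambda o: o in ("no-X11-forwarding", "restrict"),
    "no-agent-forwarding": lambda o: o in ("no-agent-forwarding", "restrict"),
}

def parse_line(line):
    """Return (options, comment) for a key line, None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # Scan the options field: unquoted commas split, quotes protect, unquoted space ends.
    options, cur, quoted, i = [], "", False, 0
    while i < len(line) and (quoted or line[i] != " "):
        ch = line[i]
        quoted ^= ch == '"'
        if ch == "," and not quoted:
            options, cur = options + [cur], ""
        else:
            cur += ch
        i += 1
    if cur in KEY_TYPES:            # no options field: the line starts with the key type
        fields = [cur] + line[i:].split(None, 1)
    else:
        options, fields = options + [cur], line[i:].split(None, 2)
    return options, (fields[2] if len(fields) > 2 else "")

def audit_authorized_keys(text):
    """Return [(line_no, comment, missing)] for every under-restricted key."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if (parsed := parse_line(line)) is None:
            continue
        options, comment = parsed
        missing = [k for k, ok in WANTED.items() if not any(ok(o) for o in options)]
        if missing:
            findings.append((n, comment, missing))
    return findings

SAMPLE = """# constructed sample authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0EXAMPLE backup@nameserver
from="10.0.0.5",command="/usr/bin/rsync --server --sender . /var/backups",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE backup@dbserver
restrict,command="/usr/local/bin/dump-logs" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE2 logship@admin
"""
```

Running `audit_authorized_keys(SAMPLE)` reports the unrestricted `backup@nameserver` key as missing all five restrictions and the `logship@admin` key as missing only a `from=` source restriction.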