crazy sexy hacking
MY CAREER ENDING TIN-FOIL HAT TALK
Me:
Mark Baggett
@MarkBaggett
Owner of In Depth Defense
Penetration Testing & Incident Response Services
/opt/metasploit-framework# grep -ri "mark baggett" * | wc -l
7
Instructor for these guys
Course Author
SEC573 Python for Penetration Testers
Come challenge pyWars!
What keeps me up at night?
- This talk is a collection of research and attack techniques that scare me.
- Why career ending? Because this talk will reveal the full extent of my paranoia.
- Is my fear rational? You decide.
Stealing Private Keys based on Sound
- Acoustic RSA Key Extraction
- Daniel Genkin
- Adi Shamir
- Eran Tromer
- https://www.cs.tau.ac.il/~tromer/acoustic/
- 30 cm with cell phones
- 4 meters with parabolic microphones
- "Greatly extended range" with laser vibrometers
- The attack can also be done from a web page using the computer's built-in microphone
Adi Shamir is a space alien
Backdoored SD Memory
- bunnie & xobs
- http://bunniefoo.com/bunnie/sdcard-30c3-pub.pdf
- Every form of solid-state drive has a chip that is used to read from and write to it
- Laptop drives, USB sticks, smartphone memory
- They are programmed by this piece of software
SD Backdoors
- Cannot access the phone or laptop using the device, but they don't need to!
- Can modify executables on the disk to obtain remote code execution
- Can modify data accessed by programs to create/receive beacon data from external hosts.
- Scenario: backdoored USB drives dropped outside Microsoft that keep altering targeted source code
Our phones are secretly taking naked photos of us and sending them to the iCloud!
Code Caves
- Joshua Pitts created a tool called Backdoor Factory
- http://www.slideshare.net/midnite_runr/patching-windows-executables-with-the-backdoor-factory
- Finds unused areas inside EXEs on disk and stuffs malware into those areas.
- The legitimate program now has malware inside it.
Code Caves
Code caves exist all over the place!!
- More difficult to find than adding a new section to the EXE file the way msfvenom -k does
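As an added example (my own code, not Backdoor Factory's or the author's), a small section-slack scanner a defender can run over binaries on disk: it parses the PE section table and reports null-byte runs inside executable sections, flagging runs that sit in the alignment padding past VirtualSize, which is the classic cave a patcher fills. The sample PE it scans is constructed inline so the script runs offline.

```python
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER (40 bytes)
IMAGE_SCN_MEM_EXECUTE = 0x20000000

def pe_sections(data):
    """Yield (name, VirtualSize, SizeOfRawData, PointerToRawData, Characteristics)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size      # section table follows the optional header
    for i in range(num_sections):
        name, vsize, _va, rsize, roff, _, _, _, _, chars = SECTION_HDR.unpack_from(data, table + i * 40)
        yield name.rstrip(b"\0").decode(), vsize, rsize, roff, chars

def find_caves(data, min_len=64):
    """Return (section, file_offset, length, in_slack) for each null run of >= min_len
    bytes in an executable section; in_slack means the run lies past VirtualSize, i.e.
    alignment padding that never held code, the classic cave a patcher looks for."""
    caves = []
    for name, vsize, rsize, roff, chars in pe_sections(data):
        if not chars & IMAGE_SCN_MEM_EXECUTE:
            continue
        blob, run_start = data[roff:roff + rsize], None
        for i in range(rsize + 1):        # one past the end flushes a trailing run
            zero = i < rsize and blob[i] == 0
            if zero and run_start is None:
                run_start = i
            elif not zero and run_start is not None:
                if i - run_start >= min_len:
                    caves.append((name, roff + run_start, i - run_start, run_start >= vsize))
                run_start = None
    return caves

def build_sample_pe():
    """Constructed test input, not a real binary: PE32 with one executable .text section
    holding 0x100 bytes of non-zero 'code' padded out to a 0x200-byte raw size."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    opt = b"\x0b\x01" + b"\0" * 222                                # PE32 magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sec = SECTION_HDR.pack(b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    img = dos + b"PE\0\0" + coff + opt + sec
    img += b"\0" * (0x200 - len(img))                              # pad headers to raw offset
    code = bytes(i % 251 + 1 for i in range(0x100))                # never zero
    return img + code + b"\0" * 0x100
```

Against a real file, pass `open(path, "rb").read()`; the useful check is to record the caves of a known-good copy and alert when a cave has shrunk or filled with non-null bytes, since that is what a patched binary looks like while its size and section count stay unchanged.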
Adolf Hitler is still alive and has been writing software compilers!
But there are other code caves!
- Patched a vulnerability in VGX.DLL, a DLL used to render web content in "VML" format.
- VML has been replaced by SVG. No active development on VML since 1998.
- Old functions in DLLs that aren't used any more are code caves!
Malware lives in code caves in legitimately loaded DLLs!
- DLLs listed in an uninfected CSRSS.EXE
- DLLs listed in an INFECTED CSRSS.EXE
- But what about digital signatures?
Code caves in DLLs
- Cannot be put in digitally signed DLLs
- We could use DLLs that are not digitally signed
- Load it into a code cave AFTER the DLL signature check has completed
- Or find some way to defeat digital signatures. That must be hard, right?
WT Heck?
Application Compatibility Toolkits
- Initial work by me, presented for the first time publicly at Derbycon 2012
- Demo
SDBEXPLORER.EXE by Jon Ericson
- Jon found that SDB files have a "section" of commands, called patch_bits, that cannot be configured through Compatibility Manager
- patch_bits allows in-memory patching of executables. This is how Microsoft "fix-ups" work.
- SDBEXPLORER also allows the registration of .SDB files so that they do not show up in Add/Remove Programs
- Jon patched explorer.exe, a signed executable, adding new functions to the program
EXPLORER.EXE IS USED BY BIGFOOT TO CONTROL OUR MINDS (he lives in a code cave)
As a matter of fact all of those things we can’t find are probably in code caves!!!
CODE CAVE!!
CODE CAVE!!
CODE CAVE!!
Memory Caves??
- While experimenting with Winpmem by Johannes Stüttgen & Michael Cohen, I noticed that the memory dump skips several address ranges when it is dumping memory.
9e000 – 100000 is out of range
Coloring outside the lines
- Can I read from addresses outside those ranges??
- That's interesting. But what is there?
Read 10000 bytes starting at 9e000
What is that stuff?
- PCI, DMA and other BIOS memory lives in RAM
- You can write to this memory AFTER it has been loaded from the chip!
How we interface with hardware
- USER MODE APPLICATIONS
- KERNEL MODE APPLICATIONS
- DEVICE DRIVERS
- BUS ADAPTERS, BIOS, ETC IN MEMORY
How to avoid detection
- USER MODE APPLICATIONS
- KERNEL MODE APPLICATIONS
- DEVICE DRIVERS
- BUS ADAPTERS, BIOS, ETC IN MEMORY
INFECTED CODE
ROOTKIT HUNTERS & MEMORY FORENSICS LOOK HERE
The internet is the pinnacle of human achievement!
- The Internet and modern technologies are AMAZING, EXTREMELY COMPLEX, and HORRIBLY FLAWED
- They are (dare I say) impossible to protect against attack
- THE BEST defense is one that detects attacks quickly and minimizes the impact of those attacks
- The Internet is the most influential and significant human creation of all time.
- THIS IS AS GOOD AS WE CAN DO!!
Do you really think we put a man on the moon?