Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Hogy jussunk ki lezárt hálózatokból?
1. XFLTReaT: Hogy jussunk ki
lezárt hálózatokból?
Balázs Bucsay / @xoreipeip
Senior Security Consultant @ NCC Group
2. Workshop
• Needed:
• VMware OR VirtualBox
• Windows Vista SP1 or later installed
• Virtual Machine distributed
• 5-6Gb free space
• Windows and Linux BASIC skills
• Grab it:
• USB sticks
• http://192.168.121.1/
3. Bio / Balázs Bucsay
• Senior Security Consultant @ NCC Group
• Strictly technical certificates: OSCE, OSCP, OSWP, GIAC GPEN, CREST CCT Inf
• Former Research Director @ MRG Effitas
• Twitter: @xoreipeip
• Linkedin: https://www.linkedin.com/in/bucsayb
4. Presentations
• Talks around the world: • North America: Hacker Halted, Shakacon
• Australia: RuxCon
• Asia: Hack in the Box GSEC
• Europe:
• DeepSec / Vienna (AT)
• BruCON / Ghent (BE)
• PHDays / Moscow (RU)
• HackCon / Oslo (NO)
• Hacktivity / Budapest (HU)
• Inf. Gov. & eDisc. Summit / London (UK)
@xoreipeip
6. MAC Address Change
• MAC => Media Access Control
• Every modern network device has a MAC address
• It can be changed
• When/why to change?
• Free limited sessions (20 min)
• Steal other ppl session
• Don’t be a jerk!
• MAC collision would make both of you miserable
7. Alternative gateways
• Gateways/routers are routing the traffic
• Very rare
• Maybe there is another gateway on the network
• Change router to the unfiltered one
8. Misconfigured proxies
• Check if the proxy allows:
• to connect to external sites
• GET http://external.host HTTP/1.0
• to make a connection to HTTP ports (tcp/80; 8080; 8443…)
• HTTP CONNECT
• to connect specific ports (tcp/21; 25)
• Broken HTTP or byte streams
• One of the mobile operators was an example
9. Misconfigured firewalls
• ICMP is allowed (ping)
• UDP on 53 allowed (DNS)
• TCP on 21/80/443/465/587
Not really misconfiguration but:
• Protocol specific traffic is allowed:
• DNS is allowed
• HTTP
• etc.
14. What is XFLTReaT?
XFLTReaT (say exfil-treat or exfiltrate)
• Tunnelling framework
• Open-source
• Python based
• OOP
• Modular
• Multi client
• Plug and Play (at least as easy as it can be)
• Check functionality
• STILL NOT PRODUCTION GRADE
@xoreipeip
15. Check functionality
• Easy way to figure out, which protocol is not filtered on the network
• Automated approach: No deep knowledge is needed
• Client sends a challenge over the selected (or all) modules to the server
• If the server responses with the solution:
• We know that the server is up and running
• The specific module/protocol is working over the network
• Connection can be made
@xoreipeip
19. Install
• Ubuntu VM
• Network should be NAT’d (Share with my Windows/Mac)
• Default user: user ; password: user
• # sudo bash
• # dhclient ens33 OR dhclient enp0s3
• # ping 8.8.8.8
• # cd /home/user/xfltreat/
• Use text editor to open xfltreat.conf
• CHANGE YOUR CLIENT PRIVATE IP ADDRESS (clientip = 10.9.0.XXX)
• Enable modules: TCP, UDP, ICMP @xoreipeip
20. Check + Client mode
• python2.7 xfltreat.py --check
• Open browser
• http://www.whatismyipaddress.com
• Change config, enable ONLY ONE module that worked
• python2.7 xfltreat.py --client --verbose=2
• Check your IP again in the browser
• Repeat with a different module
@xoreipeip
21. Dynamic Virtual Channels
• Introduced in Window Server 2008 & Windows Vista SP1
• Bi-directional channels can be created in the active RDP session
• How it works:
• DLL plugin have to be loaded in the mstsc.exe process’ context
• When initialized it creates a listener with the channel name
• Magic happens only when the server connects to channel explicitly
• This is how Copy&Paste, Remote drives, remote hardware are working thru RDP
• Plugin could be implemented for Unices (FreeRDP)
@xoreipeip
22. Universal Dynamic Virtual Channel Connector
• https://github.com/earthquake/UniversalDVC/
• Two parts:
• .DLL that needs to be registered on the client (mstsc.exe)
• .REG file if other user is used than the Administrator
• .EXE that can be used on the server
• Three modes for both sides:
• listen()
• connect()
• Named Pipe
@xoreipeip
26. Elevator pitch
• Have you ever struggled testing over a Windows Jump box?
• Have you been asked to provide a list of tools that you need for testing?
• Have you spent a day or half a day installing your tools and still forgot something
to get approved?
@xoreipeip
27. RDP module
• Windows only + Server mode only
• Disappointing bit that all stuff needs to be configured/installed
• 8 Mbps with the module itself
• 18 Mbps with UDVC + TCP Generic module
• Win32 API calls from Python is not a good idea
• Threading could help, maybe calling functions directly too
• NAT’d – because it is TUN and not TAP
@xoreipeip
29. Install
• Windows
• Are you using Vista SP1 or newer?
• Are you using 32bit or 64bit Windows?
• Install vc_redist.x86 / x64.exe
• Unzip the right zip file
• Open a cmd/powershell with Administrator rights
• regsvr32.exe /u UDVC-Plugin[x86 | x64].dll
@xoreipeip
30. Install
• Windows
• Is your user not an Administrator?
• Double click on UDVC-Plugin.reg (from Github)
• Start regedit.exe and go to:
HKEY_CURRENT_USERSOFTWAREMicrosoftTerminal Server
ClientDefaultAddInsUDVC-Plugin
• Change ip to 0.0.0.0
@xoreipeip
32. Start XFLTReaT
• Server side:
• C:xfltreat
• python xfltreat.py --server
• Client side
• edit xfltreat.py
• Set the IP of the RDP Client (RDP Client IP!)
• Enable only TCP Generic module
• Modify port to 31337
• python xfltreat.py --client
@xoreipeip
33. Find the secret service
• Target: 172.31.34.175
• Command: nmap -vvv -n 172.31.34.175
• What does it say? Netcat it!
@xoreipeip
34. Offense
• Bypass basic obstacles
• Specific ports are unfiltered (TCP / UDP)
• DNS allowed
• ICMP allowed
• Bypass not that basic obstacles
• Specific protocol allowed (IPS or any other active device in place)
• Special authentication required
• Test over jump boxes – segregated networks
• Exfiltrate information from internal networks
• Get unfiltered internet access @xoreipeip
36. TODO + Help me!
@xoreipeip
• What to do next?
• Commenting
• Bug fixes
• Authentication + encryption modules
• New modules
• How can you help?
• Help develop stuff (use next-version branch)
• Follow me on twitter, retweet XFLTReaT related tweets
37. Q&A - Thank you for your attention
Balazs Bucsay / @xoreipeip
38. Office Locations
Europe
Manchester - Head Office
Amsterdam
Basingstoke
Cambridge
Copenhagen
Cheltenham
Delft
Edinburgh
Glasgow
The Hague
Leatherhead
Leeds
London
Madrid
Malmö
Milton Keynes
Munich
Vilnius
Zurich
North America
Atlanta, GA
Austin, TX
Boston, MA
Campbell, CA
Chicago, IL
Kitchener, ON
New York, NY
San Francisco, CA
Seattle, WA
Sunnyvale, CA
Toronto, ON
Asia-Pacific
Singapore
Sydney
Middle East
Dubai
Hinweis der Redaktion
Kicsit clickbait-es cim
Mi a hacker? Hackeles. Nem megyunk bele, nem is tudnam kifejteni.
Nem lehet mindent kijatszani,
nem arrol van szo h mikent lopj meg masokat
Technologiat alapjaiban kell megerteni, megnezni mi mire valo, mi mukodik az aktualis helyzetben es atgondolni, hogy ez mikent hasznalhato ki.
Amit megtanulsz: hasznalni egy toolt ami jo erre. Par otletet kapni mikent valosithato meg a cel