1. Kuba Gretzky: Keynote: A Smooth Sea Never Made a Skilled Phisherman

Captions
My name is Kuba Gretzky. It's a huge honor to be the first speaker this year; thank you, Dorota and Andre, for picking me to actually be the first person today. Today I will be talking about how a smooth sea never made a skilled phisherman. I'll be talking about the toolkits that red teams use, and how they should be much better than what the bad guys are using, because the bad guys' toolkits are evolving and it should be the same in general for the red teams.

Quickly about me: my name is Kuba Gretzky, I am an offensive security tools developer and also an ex-MMO game hacker. I used to write bots for online games like 20 years ago, where I learned all the skills that I'm using today. I also run a blog at breakdev.org, where I write about my own research and also about the tools that I'm releasing and updating. I am the creator of Evilginx, so you can also refer to me as "that Evilginx guy" like some people do, because that's what I'm mostly known for. I'm also releasing Evilginx Pro this year, so this is also what the talk will mainly be about. I released PwnDrop, a dropbox-for-red-teams tool, several years ago; it is unfortunately a bit outdated right now, but I plan to do something about it and maybe integrate it with Evilginx at one point. Last year I also started a community called BREAKDEV RED. It's a community for red teamers, and I only allow people to join who actually exist, so no anonymous access. The entrance is free, but basically every person that wants to join needs to be pre-approved, to maintain the quality of content and discussions inside and to make sure that everyone inside is actually on a red team. I have also released a course on how to use Evilginx; you know, I made a tool hard enough to use that I had to release a course to teach people how to do it. And here I have to say a huge thank you to every one of you who actually bought the course. I know that there are some people in the audience here, because this actually makes it possible for me to work on Evilginx Pro this year and also last year; this is why it's possible to self-fund this whole project.

As mentioned, it all started at x33fcon seven years ago. I had a lightning talk during the lunchtime break; it was like 15 minutes. It was my first time at x33fcon, also my first cybersecurity conference, I believe, and also my first time speaking. I had this Wi-Fi hacking hardware based on a Raspberry Pi with cables connected to it, and I was presenting it, and at the end, when I showed the credits and other things I did, I mentioned briefly Evilginx, which I had released just a month before. After I ended the presentation, someone from the audience approached me and told me: man, why didn't you talk about this project instead? So then I thought maybe there's something there, and apparently a lot of people liked the project and have been using it ever since. Later I released the second version of Evilginx and the third version.

But what the talk is about is this: defenses against phishing are evolving, phishing is getting harder, black-market phishing toolkits keep evolving, and red teamers are essentially left alone with open-source toolkits that they have to somehow glue together and make work. There's a lot of effort that every red teamer has to put into making all the open-source toolkits actually work; you probably know it yourself. I plan to help and solve this problem for everyone, and this is with the release of Evilginx Pro, which supposedly will come sometime later this year. I want to solve all the issues that red teams have regarding the setup, the infrastructure, the maintenance of it, and also the detection part. The detection part regarding phishing: Evilginx is a reverse-proxy phishing framework, and the main issue with it is that your links get detected. There is this red panel shown in Chrome when your phishing link is detected, and the question is how to prevent scanners from accessing it.

First of all, I wanted to address the elephant in the room. Because I'm writing offensive security tools and they are open source, I'm also giving the bad guys the capability to do bad things, so what can we do? The bad guys like phishing, the bad guys like free tools, red teams need to simulate the bad guys, and the red teams also need better tools than the bad guys are using; but we cannot give the bad guys the tools that the red teams have, which would be better than what they are using, so it basically turns into a loop. I was thinking how I can prevent that, so that I can create a tool that makes red teamers' lives easier but not give it out to the bad guys, and that's why I created the BREAKDEV RED community I mentioned before. It's a vetted community for people who work specifically on red teams: I know that they exist and that they work for a company that is also red teaming, so it gives a good environment for people to share their TTPs and not be worried too much about them being used by bad actors. Also, Evilginx Pro, once it releases, will only be available to the people who actually join the community.

Here I want to jump into what will be available in Evilginx Pro once it releases. In the second part of the talk I want to focus on one of the technical sides, so the first part will be more like a bit of an advertisement about the features, and later I will actually teach you something interesting. First of all, I rewrote Evilginx to have a client-server architecture. You remember that in Evilginx right now you have to SSH into a server and configure it, and it's a client and a server in one thing. Now it is separated: we have a client that connects to several different servers on the outside, and you can also deploy servers from the client. There's just one command: you set up the IP, your SSH key or the root password, set up the username, and you type "deploy" in the CLI, and it will automatically deploy to the server that you want. No need to SSH anymore into every server just to make sure that everything is working. I have also added multi-user collaboration, so now if you have several people working on one campaign that for example encapsulates several servers, they can all connect to one server. One person can create lures and set up the campaign and the phishlets, the other can start preparing different things, and you can all see the actions you are doing in real time together. It's similar to a team server in any kind of C2 framework.

I've also been thinking about how to hide the API. There's a public API that's being exposed, and you have to use a special SNI hostname to connect to Evilginx on port 443, so the whole API is pretty well hidden, because if someone doesn't know the randomly generated hostname they will not be able to access this API. This is probably a technical detail that I'll explain sometime later. This is the set of commands that should deploy one server that you want: you basically just add a server with the IP and its name, then you register it with the licensing server, and then you type "deploy" and that should be it. Also, because Evilginx Pro has a client-server architecture, it has a full API that's accessible through HTTP requests or persistent WebSocket connections, and here's a sample of the response that you get from the Evilginx server to grab the list of sessions. I'm really eager to see if the community in the future will try to use it to automate some of the stuff that Evilginx is doing, and maybe use some of this AI hype to do phishing automation or whatever.

There's also Evilpuppet, which is the module that I also talked about last year. This is a background browser that's controllable with phishlets, and essentially what it allows you to do is extract specific shadow tokens from the legitimate session that's running in the background. I covered it a bit in other talks, but here you can see that it will trigger when the phished user approaches this path that is being outlined here: it will open the login page in the background browser, grab the username that the user entered in real time in the phishing session in their own browser, then type it in, also type in the password, and later click the button to submit. Once the POST request is initiated, it will grab this shadow token that is crucial to inject into the reverse-proxy session to not get the account blocked, because it contains browser telemetry that has to be retrieved from a legitimate browser. That should probably be a separate talk, so I'll just talk about it briefly here.

There's also the reverse proxy as a website spoofer. For now, all of the unauthorized requests to Evilginx resulted in a redirection to the rickroll video or another website that you specified, but this time you can actually proxy another website the same way Evilginx works in general: it will reverse-proxy the content from another website and show it in the context of the phishing domain that you are using. This is a bit more convenient because it allows you to present that your phishing domain is actually hosting a legitimate website, and you don't have to put in some kind of static content that can be easily fingerprinted; you can specify whichever URL you want. Here, as an example, I used the Cameron's World website, which is being proxied through linkedin.fake.com.

Another thing: TLS wildcard certificates. You know that even Evilginx currently is able to retrieve and renew certificates from Let's Encrypt, but all the TLS certificates are registered for the full hostname with the subdomain, and this is actually an issue, because every time you register a TLS certificate (maybe some of you don't know, because I didn't know before) this certificate gets published in the certificate transparency log, which is publicly accessible worldwide. So all of the bots and scanners that try to look for phishing URLs and scan the phishing links will retrieve the domains from there and start looking at whether this is a website that's hosting a fake login page or whatever, and that's when the scanning begins. With the wildcard certificates this problem just vanishes, because the wildcard certificate will hide the subdomain that you are using in your hostname, so the bots would have to brute-force the subdomain to find your hostname. This actually prevents the majority of scanning from the bots worldwide.

There is also automated JavaScript obfuscation implemented. I use the engine that's hosted on obfuscator.io, and every injected script in the landing page that you're using in your phishlet, or the JavaScript that's injected to handle the redirection to the real website afterwards, after the phishing is a success, every script is dynamically obfuscated. It's cached for 5 minutes and then it re-obfuscates, but it prevents any kind of scanner from fingerprinting the scripts that you want to inject into your phishing landing pages, and protects them from signature matching.

Then I have also rewritten the database to SQLite. Before it was BuntDB; that was a long time ago, before there was a SQL driver for Go written natively. You had to use C and compile it through the C libraries, and it would then rely on the libc version, so it was hard to make one binary that would work on all distributions. So, sorry Melvin (I don't know if Melvin made it today), but you'll probably have to rewrite Bobber. This is a very nice thing that Melvin from TrustedSec released, which made this triforce of three tools working together, and it was reliant on retrieving the data from the BuntDB database.

Another thing is external DNS management. For now, Evilginx had a local nameserver working on the same host as the phishing server, so you had to point the nameservers of the phishing domain that you registered to the IP of the Evilginx server, which was kind of suspicious, and probably if someone looked into it, it would be pretty easy to tell that it is a phishing instance that's just hosting the nameserver on the same IP as the phishing server. Now you can avoid that, and Evilginx supports the use of external DNS providers like Cloudflare, DigitalOcean and Route 53 (AWS) for now, and more will come. Basically all of this is doable through the libdns library, which provides this interface for any API that I can put into it, so let me know later if there's any DNS provider that you are using on a daily basis that you want implemented; this will give me great feedback.

And now we go into JA4 signature spoofing. First of all, I wanted to ask how many of you know what JA4 or JA3 is. Okay, great, that may be interesting. This is something that came up as a pretty new thing. Basically, it is used to fingerprint the software that is initiating the TLS handshake and establishing the TLS connection, so what I did is implement the spoofing of this. But let's dive deeper now into the more technical part of this talk and talk more about JA4. JA4+ is essentially a suite of network fingerprinting algorithms, you could say; it generates signatures for several different types of handshakes that you can use, but in this talk we will be focusing only on the TLS handshake. Of course, I have to give credit: JA4 was made by John Althouse from FoxIO, a really great guy; I talked to him briefly about a few things. It is a successor to JA3. JA3, I think, was released by a different company before, and now John is releasing JA4 under his own company, if I'm not mistaken.

So in the end, JA4 is a signature generated from the TLS handshake Client Hello packet. The Client Hello packet gives the server the information of what TLS version it supports and what the ALPN is, so whether the client that's initiating the TLS connection supports HTTP/1.1 or does it also support HTTP/2 or even QUIC; that is also embedded in this Client Hello packet. It lists all the supported cipher suites with which the secure communication will be established, and it also lists the TLS extensions that are used. One of the TLS extensions that you are probably familiar with is the SNI extension, which outputs the hostname of the server that you are connecting to, so basically it gives a firewall the ability to tell what domain the client is trying to connect to before the connection is actually encrypted. This is sent in plaintext, so it can be intercepted and scanned.

This is how the JA4 fingerprint signature looks: it's divided into three sections, there is an A section, a B section and a C section. The first section tells you what the protocol is (TCP), what the TLS version is, whether it has SNI with a hostname or an IP, the number of cipher suites, and other things. The second part, the B part, is what we will be mostly focusing on, and this tells what the list of cipher suites is: it sorts the list of all the codes for all the cipher suites and creates a signature out of them, like it hashes the full list of these codes. The third section, which we will not be focusing on, is just a hash of all the extensions that are being sent in the Client Hello packet.

This is a screenshot from Wireshark, and in Wireshark you can see the Client Hello packet, so this is basically a reading of what the Client Hello packet looks like in Wireshark; you can take a look yourself when you have free time. This is where the cipher suites are listed, and this is the list of extensions. When I expanded the dropdown you can see the codes for each cipher suite, which are being used to generate this signature. In the JA4 raw form you can see that the first section, before the underscore, is the same, because it just has information about the other characteristics of the connection, but the second, B part is just a list of all of the codes for the cipher suites, and later there's, I think, a SHA-256 hash taken of it and truncated to 12 characters.

So here let's take a look at the most common applications and what their JA4 signatures are. Here you can take a look at Google Chrome for example; look only at the middle section, the B section, because the other ones will vary, will be different too often. What I want you to take a closer look at is the Sliver malware and Evilginx: you can tell that the middle section is the same, and the funny thing is they are both written in the Go language, so they use the same Go TLS library, which has the same list of supported cipher suites, and if you do not change it, you can basically fingerprint every piece of software that's connecting to you that was written in Go. This is a clear way to block Evilginx from talking to the destination server that attackers are trying to attack.

Scouting for prey: the Google Chrome JA4 B signature is this one; you can remember it because it will be mentioned later in the talk. There is also this Golang signature that I mentioned. You can think: who actually uses JA3 or JA4, is there any service? Basically Cloudflare, of course, is using it. I had an issue with Evilginx previously, I think a year ago, when I did some tests: whenever a page was protected with Cloudflare, immediately when I went into the phishing page that was proxied by Evilginx, I got presented with the captcha that I had to solve, and I had no idea why or how exactly it was happening, because it made no sense. Later, when I customized and modified several of the cipher suites that Go is using (I just added I think two and removed a few), this captcha stopped appearing, so it actually proved to me that Cloudflare is doing this kind of thing, scanning for JA3 or JA4 signatures.

So what can be done in terms of the attackers; how can we prevent the hunters, well, not the hunters, but how can we prevent the destination server from knowing that they are using Evilginx? This is basically what I mentioned: you can modify the list of supported TLS ciphers if you need, and also there is this uTLS library that I implemented into Evilginx Pro that will randomize the list of cipher suites every time a connection is made, to prevent any form of blacklisting of the JA4 signature. It gives you a different JA4 signature with every TLS connection, and it's also good to avoid JA4 blacklists. This is enough until defenders deploy more advanced detections, and probably they will; I even have a few ideas, but maybe it's not a good idea to share them right now. There's also another option: when a client connects to the phishing server which hosts Evilginx, you can grab the TLS Client Hello packet that's coming from the client's browser and copy the list of cipher suites into the connection that Evilginx is making to the destination server, so that it mimics the real client to the server.

Then I had the idea: if the servers can detect Evilginx, what about detecting who is connecting to Evilginx itself, like all the bots that are scanning the phishing links? Is it possible to harness the power of JA4 in reverse and make the hunters become the hunted? Then you basically have Evilginx becoming the defender, and the tables have turned. So I decided that it would maybe be a good idea to reinvent the wheel, because why not, it's always a great idea. Cloudflare is already great at detecting bots; this is their entire business model. So let's try to see what Cloudflare is great at and do the same thing. There is Cloudflare Turnstile that you can use with Evilginx; this is mainly their service to detect bots in real time, to also prevent you from being shown the captcha; it only shows the captcha whenever it detects some anomalies. You can check it out; I made a proof of concept that you can use Turnstile with Evilginx as a redirector, so it will protect your phishing pages with Turnstile. But why not implement our own bot guard that would be available in Evilginx Pro by default? And behold, it's a poor man's Cloudflare idea. It's probably a very cheap version, but I decided to do it properly and prepare with some kind of research.

I forked the go-vhost library that I've been using to extract the hostnames from the SNI extension data, and I added code to generate JA4 signatures for every connection that's coming into Evilginx. Because the code for Go was not publicly available, I used the documentation that John Althouse published and wrote my own signature calculation code. Then I set up the logging so that every time I got a connection to Evilginx I would log the IP, JA4, and some additional telemetry that I will talk about a bit later, so that I would have some data set to analyze later. I also disabled the usage of wildcard certificates, because, as I told you, if you don't use wildcard certificates the bots will immediately start scanning your server, and that's what I wanted for a change: I wanted every bot to scan my website while I was gathering as much data as possible. I also uploaded the phishing link to every URL scanning service I could find, like VirusTotal and others that I found randomly on the internet, and then I waited.

I gathered the data for about one month, and what were the results? I got a total of 820 requests to my phishing links and also to the phishing domains, and they came from 680 unique IPs. You can see what the percentage of unique IPs being used is, and this also proved to me that IP blacklisting is dead these days. I even saw one bot scanning my page in real time; it was scanning this spoofed page that I was retrieving from the external resource, and it was scanning every single URL it found in the HTML content, and the origin IP was different with every request, so they are definitely using IP-rotating services. IP blacklisting basically makes no sense these days. I've also logged the ASN for every IP that I got, just in case I could see some patterns of what organizations use what IP ranges and maybe just scan; I don't know, I saw an Alo ASN or others, but essentially there were too many to make any kind of reliable information out of it. Here, a plug for IPinfo: thanks to these guys, because they release free databases of ASN and also IP-to-geolocation, which they update daily, and you can just download and use them in your own projects, which is pretty amazing.

The most popular JA4 B signatures that I encountered during this test: this was actually pretty sad to see, because 80% of all requests came from Google Chrome, i.e. they had the Chrome JA4 B signature. There were only 11% of requests originating from Go software, and Googlebot, because it advertised itself in the user agent, was just 1%, and it also has a unique JA4 signature. So the result was a partial failure: JA4 signatures on their own are not enough to detect bots, unfortunately, because most bots use the Chrome engine, like headless browsers and things like that.

But then I had a new idea. All the phished users that you are attacking as a red team must have JavaScript enabled, because otherwise the login page will not work; JavaScript is everywhere these days, so it is safe to assume that JavaScript will always be available on the target system. How many bots are actually able to run JavaScript? That's what I wanted to find out. So before I started this, I started gathering telemetry through the injected JavaScript that I had in every landing page of my phishing server, and it would report the telemetry back to the Evilginx server for analysis in real time, through an AJAX request; Evilginx then analyzes it and spits back information as a response whether this user is allowed to connect or not. The question was how many page views out of these 820 resulted in telemetry data being sent back to the Evilginx server, which meant how many of these bots actually did run JavaScript, and the answer was 305. That was pretty amazing, how these bots work and how few of them actually have JavaScript enabled.

Then I began analyzing the browser telemetry that I got returned to Evilginx. I decided to go for the low-hanging fruit, because that would probably result in fewer false positives, and there were really a ton of them. Also, as mentioned, I think there's the fp-collect library that I used to collect this information in JavaScript. Then I decided to analyze the telemetry, and I would get the browser window size and the user agent. For analyzing the user agent I used the ua-parser library that you can see a link to here; it only helped me grab the name of the browser, the OS and the version.

First I started with window size analysis. That may seem a bit like a joke, but it was actually interesting to see. Basically, the browser window is divided into two specific sets: the inner window and the outer window. The inner window is what you see, except for the toolbar and the edges, I believe, and the outer window is what you have as the full window of what you are running. Most of the bots seemed to be using very generic screen dimensions, and they all seemed to be running in full-screen mode. I tested it on my PC, and you can only get these kinds of results if you press F11 in Chrome to put the page into full screen, so it was pretty unlikely that you would be phishing a target who uses a browser exclusively in full-screen mode. I don't know if you maybe encountered any cases like that, but to me it seems pretty unlikely, so this was the first thing that I started to detect. Then there was also another case where the outer window was smaller than the inner window. How is it possible, how can you make the window smaller and the inner window bigger? That made no sense, so I started googling it a bit, and apparently you can do it when you zoom out the page with Ctrl and minus, but then the device pixel ratio also gets below one, and every bot reported the device pixel ratio to always be one; it never changed. So this was another signature that something was suspicious about the browser that's connecting to your website. Another thing was unnatural, unrealistic window sizes: an outer window of size one pixel is pretty much not possible.

Then I began to do the browser version analysis, and I could see that almost all, I'm talking about probably 95%, of all browsers that ever contacted Evilginx had outdated browser versions. So defenders, if you're writing bots, just make sure to at least keep the user agent updated with all the updates, because it's really the lowest-hanging fruit: it is very unlikely for any request to come from a browser that is six months old or anything.

Then there was this interesting case that I found. I knew that it was a bot because it used the link that I specifically prepared for the bots, and it reported an iPhone running the Safari browser connecting to my server. The window dimensions looked pretty okay (I don't know what the dimensions of the iPhone are; maybe you can figure out if something is fishy about it), and the version was pretty up to date. I was thinking what else I could look into, so I looked at the other telemetry that was also gathered, and I saw the video card data: the video card was made by Google and it was ANGLE. I later googled this ANGLE thing, and I think, if I remember correctly, it was essentially only for Android devices. Then I also compared with the JA4 signature that I had captured, and it told me that it was actually the Chromium engine connecting, so it was not really Safari on the iPhone. I could tell by cross-checking all this data that I gathered that it was actually a fake user agent. So the real detection power comes from cross-checking all this data through all the different sensors; JA4 was not useless in this situation, it serves as a really great addition to what you can do for detecting bots.

Here I set up a bit of customization for Evilginx Pro, where you can set up your own YAML script to blacklist specific JA4 signatures, or set up what versions of the major browsers you allow, and all the other requests will be shown this generic website that you redirect from a different site, to fool the user that there's no phishing involved. Here I wanted to tell you to contact me after the talk and let me know, probably best by email with the subject "x33fcon breakdev", if you are on a red team and want to join the great community of red teamers and share information. It would be great to have you, and everyone is invited, especially from the x33fcon crowd, because then I can confirm you really exist, so it will be much easier. So, Evilginx Pro is actually coming soon later this year.

How much time do we have still left? 10 minutes? Okay, if we have 10 minutes I can actually show you a small live demo, if I manage to. This is the client of Evilginx Pro. You can see right now it is running on the local machine, and I can list all the servers that are configured right now, and you'll be able to connect to each one of them, one by one. Here I connected to the local server, then I connect to another server that I have on the list, and this shows you how quickly you can move from one server to another and check the information and setup on each of the servers separately. This gives you a quick idea of what to do. If we have some more time I'll try to make a demo, because I wanted to show you something interesting. Here I prepared a link for the x33fcon presentation. Okay, so I'm opening the page; it is now also checking the bot guard. You can see that the bot guard check passed; that was when it gathered the telemetry in the background, reported it back to Evilginx, and returned the response that it is fine to show the phishing website. Let's just prepare. Okay, so we got the captcha; now I got the approval request for the MFA that I need to accept. Okay, we are signed in, and we can see that the authorization tokens got accepted, so the phishing worked. Now you can list the sessions. It is also in demo mode right now, so you cannot see the password; it's just filled with asterisks. I will copy the cookies that were captured. Now I will clear the browsing data to show you how I import the cookies from the intercepted and captured session, and now when I open live.com, which is the real website, this cookie provides me access to the target account. This is essentially how Evilginx worked for the last seven years.

But there is one thing that I wanted to show you as maybe a funny thing. When I sign out from live.com, which is the official Microsoft website, I sign out, and you can see that the website is correctly not logging me in. But then, when I import the cookies again, tell me what should happen: we're logged back in again. So, Microsoft, you should not only invalidate the session tokens on the client side, you need to invalidate them also on the server, to make it much more secure. So basically that's the end of the talk. Thank you. If you have any questions I will be free later, and I have stickers as well.
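The two technical threads of the talk, the JA4 B section (sorted cipher-suite codes hashed with SHA-256 and truncated to 12 characters) and the browser-telemetry cross-checks behind the bot guard idea (full-screen windows, outer window smaller than inner with devicePixelRatio still 1, one-pixel windows, outdated browser versions, and a User-Agent that contradicts the TLS fingerprint), are illustrated below in one added example. This is my own code written for this page, not Evilginx Pro's bot guard and not FoxIO's reference implementation. The cipher-suite lists are constructed and are not captures of real Chrome or of Go's defaults, so the hashes they produce are not the signatures shown on the slides; the policy dictionary, its version floors and the `Telemetry` record are hypothetical stand-ins for the YAML configuration the talk mentions.

```python
import hashlib
from dataclasses import dataclass

# ---------- JA4 B section (FoxIO JA4 spec): sorted cipher-suite codes, SHA-256, 12 hex chars ----------

def is_grease(code: int) -> bool:
    """GREASE cipher values (0x0a0a, 0x1a1a, ... 0xfafa, RFC 8701) are random filler and are dropped."""
    return (code & 0x0f0f) == 0x0a0a and (code >> 8) == (code & 0xff)

def ja4_b_raw(cipher_suites) -> str:
    """Raw ('JA4_r') form of the B section: lowercase 4-hex-digit codes, sorted, comma-joined."""
    return ",".join(sorted(f"{c:04x}" for c in cipher_suites if not is_grease(c)))

def ja4_b(cipher_suites) -> str:
    """Hashed B section: SHA-256 of the raw string truncated to 12 hex characters (all zeros if empty)."""
    raw = ja4_b_raw(cipher_suites)
    return hashlib.sha256(raw.encode("ascii")).hexdigest()[:12] if raw else "0" * 12

# Constructed cipher-suite lists for the demo (NOT real Chrome or Go captures; hashes differ from the slides).
CHROMIUM_LIKE = [0x2a2a, 0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f, 0xc02c, 0xc030, 0xcca9, 0xcca8]
GO_STACK_LIKE = [0xc02f, 0xc02b, 0xc030, 0xc02c, 0x1301, 0x1302, 0x1303]

# ---------- Browser telemetry cross-checks (the heuristics described in the talk) ----------

@dataclass
class Telemetry:
    tls_ja4_b: str        # computed server-side from the Client Hello
    browser: str          # name parsed from the User-Agent (ua-parser style)
    major_version: int
    os: str
    inner_w: int
    inner_h: int
    outer_w: int
    outer_h: int
    device_pixel_ratio: float
    webgl_vendor: str = ""

# Hypothetical policy standing in for the YAML config mentioned in the talk; version floors are made up.
POLICY = {
    "ja4_b_blocklist": {ja4_b(GO_STACK_LIKE)},
    "ja4_b_engine": {ja4_b(CHROMIUM_LIKE): "Chromium"},
    "chromium_browsers": {"Chrome", "Edge", "Opera"},
    "min_major_version": {"Chrome": 120, "Safari": 17, "Firefox": 120},
}

def classify(t: Telemetry, policy: dict = POLICY) -> list:
    """Return the reasons a request looks like a scanner; an empty list means 'serve the page'."""
    reasons = []
    if t.tls_ja4_b in policy["ja4_b_blocklist"]:
        reasons.append("ja4_b on blocklist")
    # Full screen: outer window equals inner window, i.e. no toolbars or edges at all (the F11 look).
    if t.outer_w == t.inner_w and t.outer_h == t.inner_h:
        reasons.append("full-screen window")
    # Outer smaller than inner only happens when zoomed out, which pushes devicePixelRatio below 1.
    if (t.outer_w < t.inner_w or t.outer_h < t.inner_h) and t.device_pixel_ratio >= 1:
        reasons.append("outer window smaller than inner without zoom-out")
    if min(t.inner_w, t.inner_h, t.outer_w, t.outer_h) <= 1:
        reasons.append("unrealistic window size")
    floor = policy["min_major_version"].get(t.browser)
    if floor is not None and t.major_version < floor:
        reasons.append(f"outdated {t.browser} {t.major_version}")
    # Cross-check: a User-Agent string can be edited, the TLS stack behind it cannot.
    if policy["ja4_b_engine"].get(t.tls_ja4_b) == "Chromium" and t.browser not in policy["chromium_browsers"]:
        reasons.append(f"User-Agent claims {t.browser} but JA4_b is Chromium")
    if t.browser == "Safari" and t.os == "iOS" and "Google" in t.webgl_vendor:
        reasons.append("iOS Safari claim with Google/ANGLE WebGL vendor")
    return reasons

# Constructed sample reports modelled on the cases in the talk.
REAL_USER = Telemetry(ja4_b(CHROMIUM_LIKE), "Chrome", 126, "Windows", 1905, 968, 1920, 1080, 1.0, "Google Inc. (NVIDIA)")
HEADLESS_BOT = Telemetry(ja4_b(CHROMIUM_LIKE), "Chrome", 110, "Linux", 800, 600, 800, 600, 1.0, "Google Inc. (Google)")
FAKE_IPHONE = Telemetry(ja4_b(CHROMIUM_LIKE), "Safari", 17, "iOS", 390, 664, 390, 844, 3.0, "Google Inc. (Google)")

if __name__ == "__main__":
    for name, t in [("real user", REAL_USER), ("headless bot", HEADLESS_BOT), ("fake iPhone", FAKE_IPHONE)]:
        print(name, "->", classify(t) or ["allowed"])
```

Each check on its own is weak (the talk's own numbers show 80% of scanner traffic carrying a Chrome JA4 B signature), which is why `classify` accumulates reasons from several sensors rather than deciding on any single one; the fake-iPhone record passes every window and version check and is only caught when the JA4 B section and the WebGL vendor are read together with the User-Agent.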
Info
Channel: x33fcon
Views: 1,415
Keywords: x33fcon, IT security, conference, cyber security, red team, blue team, purple team
Id: Nh99d3YnpI4
Length: 42min 26sec (2546 seconds)
Published: Mon Jul 08 2024