Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

The long goodbye…

I remember when I first saw him… I thought he was ugly, unruly and unworthy of my attention… and so I shunned him. After a time, I looked back, unable to ignore that “something” that I was missing. I went back, and once more he failed to impress. Again, I shunned him. There was just that something that was missing. It was all there in the promise, but in reality, it just didn’t click… once again I shunned him and moved on. It was some time later that I realised what I’d done. That I’d misread him and mistaken what he offered. He was my future after all, and there was nothing else that would be better for me. I embraced him, let myself fall into a rhythm and never looked back!

Years later I can think on that moment, having moved on to newer and better things, and remember the first time I saw him across the room. He seemed to glow, at least that’s what my memory tells me. We’re not together anymore, and I miss him sometimes, but you know what… it’s OK. It’s OK for both of us. We grew apart and he just couldn’t fill my needs anymore. To be honest, it was me that first broke away… I don’t want to call it playing away, but it’s what it was I guess. There were just needs that he couldn’t fulfil anymore, and I needed something that I couldn’t get from him anymore. I knew that he knew… and he knew that it was what I needed… he never judged! He was good like that.

The time has come though my friend. I can’t be with you anymore… those long nights we spent together have to come to an end. The time has come to say goodbye forever.

Goodbye my friend… you’ll always be in my memories!

Windows XP (2001 – 2014)

{quick post} PySC Project

Back at the beginning of 2012 I played around with some Python ctypes as part of a project I was working on in the background. At the time I released a few code snippets that used ctypes to do a few fun things, but never really got around to releasing the main project I was working on.


The main project I was working on was a simple Python script that injects shellcode into a running process using CreateRemoteThread (nothing brand new here). The interesting part of the project (for me anyway) was the ability for the Python script to request the shellcode to inject using DNS TXT requests, ICMP request/responses or simple HTTP(S) requests (using SSPI if required). I demo’d the code at the BSides London conference in 2012 at the underground / lightning talks and had some positive feedback, however the time just hasn’t been there to finish things off since then.

As a result of the lack of time to finish things off, I’ve put up the latest modular version of PySC (version 0.8) on Github for people to use, tear apart, and generally laugh at as you see fit. As the project is still a prototype, your mileage may vary.

PySC was designed to be configured using the config.py file in the /config directory, and to run headless on a Windows system after being packed into an executable using something like PyInstaller. However, you can also drive it from the command line; run it with -h to see the various options.

The /optional directory also includes some example server-side implementations for Metasploit and a Python Scapy ICMP listener for delivering Shellcode to the PySC client.

Check the source-code for details…

https://github.com/ChrisJohnRiley/PySC

PySC 0.8 (prototype release – 26 December 2013)

PySC expands on the numerous available tools and scripts to inject into a process on a running system.

Aims of this project:

- Remove shellcode from the script to help avoid detection by AV and HIPS systems
- Offer a flexible command line based script
- Also provide the ability to run fully automated, as an EXE (by using pyinstaller)

To this end this prototype script offers the ability to download shellcode from a remote DNS server (using TXT records) or through Internet Explorer (using SSPI to utilize system-wide proxy settings and authorization tokens) and injects it into a specified process. If injection into the specified process is not possible, the script falls back to injecting into the current process.

Module dependencies: none

Notes:

PySC will by default run silent (no user feedback). To enable user feedback (error/status messages), please use debug mode (-d/--debug at the command line, or set debug = True in the script itself).

Any command-line options passed to PySC at runtime override the hard-coded values within the script.

To use PySC as a stand-alone executable, set the desired parameters in the script itself, and use pyinstaller to create an .exe
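Shellcode fetched through DNS TXT answers, as PySC does, leaves a recognisable trace on the resolver side: long, single-alphabet, high-entropy TXT data returned for names that carry nothing SPF/DMARC-like. The detection sketch below is added here and is not PySC code; the log format, host names, client addresses and the two blob values are constructed for the example.

```python
import base64
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log (not from the page). Fields per line:
# timestamp client qname qtype rdata. The two blob-like TXT answers are
# built inline so the sample stays obviously synthetic.
HEX_BLOB = ("9f3a7c1e5b2d8604" + "e27b9d4f1a6c0835") * 2 + "9f3a7c1e5b2d8604"
B64_BLOB = base64.b64encode(bytes(range(64))).decode()
SAMPLE_DNS_LOG = f"""\
2013-12-26T10:00:01 10.0.0.5 www.example.com A 93.184.216.34
2013-12-26T10:00:02 10.0.0.5 _dmarc.example.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
2013-12-26T10:00:03 10.0.0.5 example.com TXT "v=spf1 include:_spf.example.com -all"
2013-12-26T10:00:04 10.0.0.7 s1.stage.example.net TXT "{HEX_BLOB}"
2013-12-26T10:00:05 10.0.0.7 s2.stage.example.net TXT "{B64_BLOB}"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "?(.*?)"?$')
# Common legitimate TXT uses; data starting with these is never flagged.
BENIGN_PREFIXES = ("v=spf1", "v=DMARC1", "v=DKIM1", "google-site-verification=")
# Hex or base64 alphabet only: no spaces, tags or key=value separators.
BLOB_RE = re.compile(r"^[A-Za-z0-9+/=]+$")


def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_suspicious_txt(rdata, min_len=64, min_entropy=3.5):
    """Long, single-alphabet, high-entropy TXT data without a benign prefix."""
    if rdata.startswith(BENIGN_PREFIXES):
        return False
    return (len(rdata) >= min_len and BLOB_RE.match(rdata) is not None
            and shannon_entropy(rdata) >= min_entropy)


def find_txt_staging(log_text):
    """Map each client to the TXT names that returned blob-like data to it."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        _ts, client, qname, qtype, rdata = m.groups()
        if qtype == "TXT" and is_suspicious_txt(rdata):
            hits[client].append(qname)
    return dict(hits)
```

Tune min_len and min_entropy against your own resolver's baseline; chunked delivery also shows up as a burst of TXT queries from one client to sibling names, which the per-client grouping makes visible.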

{Book Review} Offensive Countermeasures: The Art of Active Defense

A few months back at Blackhat, John and Paul were nice enough to give me a copy of their book “Offensive Countermeasures: The Art of Active Defense” to read. It’s been a whirlwind few months since then, but the quiet of Christmas has given me a chance to really sit down and soak up the contents.


Active Defense has been getting a bit of a bashing after all the “hack back” bullsh*t that people have been throwing around. John and Paul make a good effort to put some of this to rest by really discussing the things that an enterprise can achieve without getting into the revenge business of hacking the hackers. One of people’s main concerns about active defense has been the lack of information on what you can and can’t do in the eyes of the law. The first section of the book puts a spotlight on a few court cases that deal with differing degrees of hacking back or active defense… and not all successful ones. This section helps to put the book’s content in focus and aims to really explain the whys and whatfors to come in the sections that follow.

The main section of the book is split up into the 3 A’s: Annoyance, Attribution and Attack. Each section goes into depth on some of the options enterprises have to more actively defend their networks. Each section has a number of example tools, mostly focused around the ADHD distribution, that people can use to perform some of the actions discussed.

I found it particularly interesting that the book finished off with a section dedicated to core concepts. Far too many companies think they can jump from 0 straight to 100 without first having a secure base to build from. Active defense isn’t for everyone, and if you don’t have your basics all in hand, then anything you do is more likely to backfire than help.

The book itself is compact, but is a good starting point for meaningful discussions about active defense that don’t devolve into legal arguments from moment one. Because of the compact size of the book, there are a few things that aren’t really discussed although they fall into the active defense category. These omissions were a little disappointing, but keeping true to the core of active defense makes sense for what has to be seen as the first introductory text on the subject. Here’s hoping that future revisions expand on the base and start covering fun things like honeytokens. Overall the information that is presented is useful for people looking for a quick schooling in how they can use active defense to improve their overall level of security, and as an education for people who jump straight to hacking back without considering any other options.

If this book is anything to go by, the discussion on what really is possible in defending your networks intelligently from attackers should be a very interesting one to follow. The time for standing still and just taking punch after punch is over. Time to duck and dodge, and make it harder for attackers!

DEF CON 21 Video – Defense by numbers: Making problems for script kiddies

For those that didn’t manage to wake up for the crack-of-dawn DEF CON Sunday slot, the fine folks over at DC have released the videos of most (if not all) presentations -> https://www.youtube.com/user/DEFCONConference/

My presentation, for those interested, can be found below.

http://www.youtube.com/watch?v=H9Kxas65f7A
