Part 6: Security Conferences & Presentations

This content is based on the H6 tasks of Data Security by Mr. Karvinen. Security conferences and presentations can be an invaluable source of information, and they are a great way to stay up to date with the industry. In that spirit we will have a look at two interesting presentations in detail. In case you wonder, there is a wide range of different conferences; some examples are DEF CON, Black Hat, and Disobey. There are many more, and the great thing is that most presentations end up online where you can watch them for free. So why not take advantage of this opportunity?

Ben Kurtz: Writing Golang Malware

In this talk, Ben Kurtz highlights why Golang-based malware is on the rise and why the language itself is so useful for this specific purpose. We are given a wonderful introduction to the world of Golang malware. According to Ben, Golang is magical due to its extensiveness/completeness, versatility, unparalleled third-party library support, and the cross-compiler. In his opinion Golang is the fastest way to get things done.

Golang (or Go) is not interpreted; it is statically compiled. When some popular Golang payloads appeared, a lot of endpoint detection and response (EDR) vendors pushed signatures for them. Unsurprisingly, this instead flagged the Golang runtime, which is used by all Golang programs, so it also hit rather crucial tools like Docker and Terraform. As a result the signatures had to be pulled again rather quickly. This highlights how signatures for Go can be troublesome to implement accurately because of the static compilation, which makes the language an interesting option for malware authors.
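The defender-side lesson of the runtime-signature story above is that a host inventory should look at each Go binary's own build metadata rather than at the shared runtime. The following Go program is an added example and not code from the talk: it uses only the standard library's debug/buildinfo package to report the Go version, main module, dependency count and whether the binary was built with -trimpath or stripped symbols, and it treats a missing build info record (which the talk notes Garble strips) as a triage signal in its own right.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strings"
)

// GoBinaryReport holds the build metadata recovered from one Go executable.
type GoBinaryReport struct {
	GoVersion  string
	MainModule string
	DepCount   int
	Trimpath   bool // built with -trimpath: source paths removed
	Stripped   bool // -ldflags contained -s or -w: symbol and DWARF tables removed
}

// InspectGoBinary reads the build info the Go linker embeds in every binary.
// An error means the file is not a Go binary or its metadata was removed
// (the talk notes Garble strips it), which is itself a triage signal.
func InspectGoBinary(path string) (*GoBinaryReport, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return nil, err
	}
	r := &GoBinaryReport{GoVersion: bi.GoVersion, MainModule: bi.Main.Path, DepCount: len(bi.Deps)}
	for _, s := range bi.Settings {
		switch s.Key {
		case "-trimpath":
			r.Trimpath = s.Value == "true"
		case "-ldflags":
			for _, f := range strings.Fields(s.Value) {
				r.Stripped = r.Stripped || f == "-s" || f == "-w"
			}
		}
	}
	return r, nil
}

func main() {
	for _, p := range os.Args[1:] {
		r, err := InspectGoBinary(p)
		if err != nil {
			fmt.Printf("%s: no Go build info (%v)\n", p, err)
			continue
		}
		fmt.Printf("%s: %s main=%s deps=%d trimpath=%v stripped=%v\n", p, r.GoVersion, r.MainModule, r.DepCount, r.Trimpath, r.Stripped)
	}
}
```

Run it with the paths of the binaries to inventory as arguments, e.g. the Docker and Terraform executables mentioned above, and compare the output against what the package manager says should be installed.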

Additionally there are a lot of interesting libraries out there. One great example he gives us is Binject, a forked stdlib binary parser that supports accessing, adding, and changing signatures as well as plenty of other cool stuff. Another is cppgo, which supports calls to application binary interfaces (ABI), adds Apple M1 support, etc.

In terms of exploitation tools/repos there are plenty out there; some good examples he gave were:

  • Binjection, with which we can insert shellcode into binaries
  • Backdoorfactory, a man-in-the-middle (MitM) tool that can infect downloaded binaries with shellcode
  • Bettercap, which intercepts web downloads and replaces them with shellcode (download-autopwn)
  • Limelighter, to sign EXE/DLL files with real certificates or create a brand new one
  • Relic, which can sign basically everything (RPM, DEB, JAR, XAP, APK, DMG, etc.)
  • GoWMIExec, for remote Windows Management Instrumentation (WMI) calls from Go to run shell commands
  • Go-smb2, for full Server Message Block (SMB) support
  • Gophish, a phishing toolkit
  • Gobuster, a brute-force tool for URIs, vhosts, etc.
  • madns, a DNS server for XML external entity (XXE) exploitation and the like
  • Modlishka, a reverse proxy for 2FA bypass

This allows us to do almost anything we would want and makes things like intercepting a binary, injecting shellcode and then re-signing it easy as pie. The possibilities seem nearly endless.

As Ben quickly hinted at earlier, there are also a variety of options to evade Endpoint Detection & Response (EDR) and Network Intrusion Detection Systems (NIDS). According to him some of the most popular tools for this are:

  • Garble, a Golang obfuscator which can strip out Go metadata, replace string literals with lambdas to avoid signatures, etc.
  • Ratnet, which is aimed at NIDS evasion with a custom protocol, pluggable transport methods (UDP, TLS, HTTPS, DNS, AWS S3), end-to-end encryption, offline and mesh functionality, etc. This is an amazing tool; I highly recommend checking it out.
  • Chashell, to reverse shell over DNS
  • Chisel, for a TCP/UDP tunnel over HTTP
  • Gost, a HTTP/Socks5 tunnel
  • Holeysocks, for reverse socks via SSH
  • Pandorasbox, another tool to evade EDR, provides encrypted in-memory VFS (virtual file system) functionality.
  • Universal Loader, which gives us reflective DLL loading so we never have to touch the disk and can do everything from memory.
  • Go-donut, a payload creation framework to convert an exe, dll, (etc.) assembly to an encrypted and injectable shellcode. It also serves as an assembly loader for remote and local loads of payloads into processes, as well as many other functionalities.
  • ScareCrow, another popular payload creation framework that works with Limelighter, provides AES encryption, disables Event Tracing for Windows (ETW) and so on.
  • BananaPhone, an improved Golang version of Hell's Gate, which allows for direct system calls.
  • Gopherheaven, a Golang version of Heaven's Gate, which allows to call 64-bit code from 32-bit, evading EDRs.

Now that we know more about the different exploitation and evasion tools, Ben gives us some insight into post-exploitation tools:

  • Go-mimikatz, which combines go-donut and BananaPhone. It loads Mimikatz (a tool for viewing and saving authentication credentials such as Kerberos tickets) into RAM, turns it into a Donut payload, and injects it using BananaPhone system calls.
  • Taskmaster, a Windows task scheduler library to gain persistence.
  • Gscript, which embeds a JS-based runtime logic for persistence. It can also disable AVs, EDRs, firewalls, and do all kinds of fun stuff.
  • Gosecretsdump, extremely fast at dumping hashes from NTDS.dit files
  • goLazagne, extracts browser, email, and admin tool passwords
  • rclone, to extract data from cloud storage
  • sudophisher, replaces ASKPASS to log the sudo password

He also presents some complete client-server frameworks which are available. One of the most popular is Sliver, essentially an open-source alternative to Cobalt Strike with a huge set of features and everything you could wish for. There is also Merlin, which appears to be another powerful framework and comes with some nice injection-based features.

This is one of the best and most interesting talks I have come across on this topic. Big thanks to Ben Kurtz for sharing his awesome presentation and extensive knowledge. I highly recommend checking out his full talk below. It really sparked my interest in Go, and my picture of the language and its capabilities has completely changed.

Roy Davis: Pwning ATMs For Fun and Profit

This talk by Roy Davis focuses on the security of ATMs, or rather the lack of it. He dives into the details of how ATMs work and where they are vulnerable. ATMs are still an important way for most people to withdraw cash, and this will most likely not change as long as people rely on physical currency. The number of ATMs on a global scale is actually increasing steadily. The only thing that doesn't seem to increase is the security maintenance of ATMs. To better learn how ATMs work, Roy acquired his own ATM (running Windows CE 6.0) through an auction. It was one of those freestanding (owner-operated) ATMs, which are quite popular in the United States and can be found in gas stations and restaurants. They generally also come with much worse security than the type of ATM you see cemented into the wall of a bank.

After hooking the ATM up at home and going through some trouble to get it working, he ran Nmap and noticed open port 5555, which belongs to the remote management agent. While this can be, and has been, used as an attack vector, it wasn't of special interest to Roy. He was looking for alternative non-destructive ways which would leave no evidence of an "attack". Surprisingly, there were a couple of things which were anything but secure.

The first problem is with the locks that are used on the outside as well as the inside of the machine. These are very simple tubular/cylinder locks which can be picked rather easily and don't hold off an attacker for more than a couple of seconds. Worse still, the key for the specific model he purchased is universal, so one could simply buy a key for this model on eBay and it will work on every ATM of that model.

Another interesting thing was that after installing a software update, he was able to reset the master password to the default password given in the technical documentation by rebooting again and entering a special key combination. But this only works when the safe door is open, so it is of limited usefulness unless the sensor that tells whether the door is open or closed can be tricked. According to the talk, this can be achieved by simply unplugging or cutting a specific cable.

When it comes to the safe itself inside the ATM, we face a particular type of electronic lock that is found in almost all ATMs of a certain type. This specific lock has known attacks that can defeat it. The simplest but very expensive method is to get some specialized hardware (a "little black box", or phoenix device) to connect to the lock and reset the safe combination. Alternatively, 9 V can simply be applied to the motor that opens the lock. This is done behind the removable keypad, through an existing hole which can be widened with a drill bit for easier access. There one finds the cable that powers the 9 V DC motor and opens the safe.

Since Roy wanted to get the ATM fully operational and connected to the real ATM network, he had to become a licensed ATM operator. This came with the benefit that he could now use a LAN tap to sniff the traffic between his ATM and the ATM network. The traffic itself was encrypted with TLS 1.2, but it was possible to upload his own signing certificate in the ATM configuration software. Unfortunately he doesn't provide any follow-up research on this in his talk.

This talk highlights perfectly how common security oversights are, even when it comes to products like ATMs, where we would assume that security, physical or digital, is the main priority.