[CB19] CIRCO: Cisco Implant Raspberry Controlled Operations by Emilio Couto

•

0 recomendaciones•462 vistas

Designed under Raspberry Pi and aimed for Red Team Ops, we take advantage of “Sec/Net/Dev/Ops” enterprise tools to capture network credentials in a stealth mode. Using a low-profile hardware & electronics camouflaged as simple network outlet box to be sitting under/over a desk. CIRCO include different techniques for network data exfiltration to avoid detection from IDS/IPS or monitoring systems. This tool gathers information and use a combination of honeypots to trick Automation Systems to give us their network credentials! We will build a physical network & infrastructure lab to show how CIRCO works (live demo) Major features for release v1.5: - Allow existing IP-Phone to co-exist with CIRCO - Eliminate template files (craft all packets) - Support NTP exfiltration - Software encrypted via Bluetooth (prevent forensic) - Self destroy and alarm switch - Bypass active & passive fingerprinting (NAC) - Credentials integration into Faraday

Presentaciones y charlas públicas

C I R C OCisco Implant Raspberry Controlled Operations
https://circo.cc

• My name is Emilio and I’m hacker
• I like to play with packets, networks, electronics and 3D printers
• I presented security tools at various conferences (DEF CON, BlackHat
Asia, AV Tokyo HIVE, SECCON, HITB, etc)
• Sorry, I’m not a native programmer or English/Japanese speaker J
Helloこんにちは
https://circo.cc

▪ Allow existing IP-Phone to co-exist with CIRCO
▪ Eliminate template files (craft all packets)
▪ Support NTP exfiltration
▪ Software encrypted via Bluetooth (prevent forensic)
▪ Self destroy and alarm switch (thanks Will)
▪ Bypass fingerprinting (NAC)
▪ Credentials integration into Faraday (thanks Fran)
https://circo.cc
What’s new? 新機能

▪ Cisco DNA (Digital Network Architecture)
▪ Infoblox NetMRI
▪ Micro Focus® Network Automation (formerly HP NA)
▪ Service Now Discovery*
▪ ForeScout CounterACT (NAC)
▪ Trusted network administrators
▪ Others
* SNMP discovery only
https://circo.cc
Who we target? ターゲットは？

Demo Box v1
https://circo.cc
Production Box v1.4

▪ Components
□ CIRCO: Implant (hardware & software)
□ CARPA: Credentials Receiver (Internet VPS, software and domain NS)
□ JAULA: Wireless Credentials Receiver (software)
▪ Python 2
□ Mainly Scapy for packet manipulation
□ Migration into Python 3 started…
▪ Features:
□ Honeypots services to behave as a Cisco Switch or IP-Phone
□ Trick NAC systems (nmap, Phone whitelisted, Golden MAC)
□ OSfooler-NG (https://github.com/segofensiva/OSfooler-ng/)
▪ Exfiltration via cover channel protocols
□ ICMP (ping), Traceroute, NTP, HTTP, HTTPS, DNS, Proxy (DNS) and Wireless
▪ Extra: Get plain credentials if a PC is plugged into the IP-Phone
□ net-creds (https://github.com/DanMcInerney/net-creds) https://circo.cc
Software ソフトウェア

▪ Cisco CDP & LLDP Advertisement
(as IP-Phone & Network Switch)
▪ Cisco SNMP Agent
▪ Cisco Telnet CLI (IOS 15.x)
▪ Cisco SSH CLI (IOS 15.x)
▪ Mimic packets format like IOS to avoid NAC/IDS/IPS
https://circo.cc
Fake Services (Honeypots)
シスコハニーポット

https://circo.cc
Exfiltration Format
流出のフォーマット
▪ Telnet
□ t,<username>,<password>,<src_IP>
□ t,e,<enable_password>,<src_IP>
▪ SSH
□ s,<username>,<password>,<src_IP>
□ s,e,<enable_password>,<src_IP>
▪ SNMP (v1/v2)
□ p,<community>,<src_IP>
▪ net-creds* (optional)
□ n,<credentials>,<src_IP>
* Under development

▪ ICMP (IP.id & ICMP.seq fields)
▪ Traceroute (IP.id field & UDP payload)
▪ HTTP and HTTPS (IP.id & TCP.window fields)
▪ NTP (NTP.stratum, NTP.poll, NTP.tx.timestamp)
▪ DNS (NS query evil.sub.domain)
▪ DNS (A query) via Proxy (DHCP Option 252, WPAD.<domain>, PAC
Guessing via DNS)
▪ Wireless* (SSID Name & Dot11.beacon, Dot11.SC and Dot11.interval)
https://circo.cc
Network Exfiltration Techniques
ネットワーク流出テクニック
* Proximity required
Credentials & IP address are encrypted with AES256 before sending

https://circo.cc
Traceroute Exfiltration Flow

https://circo.cc
HTTP/HTTPS Exfiltration Flow

https://circo.cc
Proxy (DHCP) Exfiltration Flow

https://circo.cc
Proxy (WPAD) Exfiltration Flow

Proxy (DNS Guessing) Exfiltration Flow
https://circo.cc

https://circo.cc
Wireless Exfiltration Flow

ありがとうございます！
Emilio
ekio_jp
https://github.com/ekiojp/circo
https://circo.cc
Thank You!

Más contenido relacionado

La actualidad más candente

Nodemcu - introduction

Michal Sedlak

Hta r33

SelectedPresentations

Nikto

Sorina Chirilă

mmsys2019 live streaming at scale

Jordi Cenzano

Rete di casa e raspberry pi - Home network and Raspberry Pi

Daniele Albrizio

Monica Salas & Raul Siles - Hype Potter and the Chamber of DNSSECrets [rooted...

RootedCON

IoT Hands-On-Lab, KINGS, 2019

Jong-Hyun Kim

Esp8266 - Intro for dummies

Pavlos Isaris

PHP7.2와 모던 암호학

Johney Park

Programando o ESP8266 com Python

Relsi Maron

WebRTC と Native とそれから、それから。

tnoho

Denis Baranov: Root via XSS

qqlan

Инциденты с использованием ransomware. Расследование

Positive Hack Days

Create a-strong-two-factors-authentication-device-for-less-than-chf-100

Cyber Security Alliance

BalCCon2k18 - Towards the perfect cryptocurrency wallet

Nemanja Nikodijević

How to setup your linux server

Marian Marinov

This is a co-speaker session, featuring Ray Potter, who spoke at RSA '14 alongside his mentor and advisor, Whit Diffie, and Yier Jin, an Assistant Professor at the University of Central Florida who has earned recognition for his work cracking the Nest thermostat. As we are seven months away from the conference, with plenty of time for additional developments, please view these talking points and flow as a living framework. Their slide deck will be fully updated in early April 2015 to address new research and timely examples in addition to the Nest research. After short biographical introductions, Potter and Jin will begin by discussing current security and privacy concerns. This segment will cover IoT and Wearable devices that are available at the time of the conference, as well as exceptional examples that are rumored, upcoming, and potentially some that have already been discontinued. (Samsung Galaxy Gear watch, I'm looking at you!) Jin will continue into his own research on the Nest learning thermostat. He will address the infrastructure of the IoT poster child, including an assessment and security analysis of the firmware and hardware. Jin will continue, speaking specifically about the boot process and device initialization. Potter will share his thoughts with the attendees, engaging Jin in dialogue on the attack vectors of the Nest and other connected endpoints. This section of the talk will include discussion of the repercussions of the device vulnerabilities - worst case scenarios, including the enablement of other criminal activity, privacy leakage, and extensive attacks via the local network due to compromised IoT devices. The session will continue with Potter sharing his expertise on compliance, security standardization and encryption. This look at the upside of benchmarked assurance will give attendees food for thought in future innovation. Jin will offer insight on enhancing the design flow for security in the constrained devices, including secure boot protocols and hardware-supported trust computation. The duo will wrap up the presentation with an outlook on the burgeoning industry of connected devices. With their appreciation for innovation and technology, tempered by their professional expertise in security, Jin and Potter share an optimistic view for the future with significant caveats for consumers who hope to achieve ideal and safe results with IoT and Wearables.

How Smart Thermostats Have Made Us Vulnerable

Ray Potter

IETF 106 - Default IPv6 Local Only Addressing for Non-Internet Devices

Mark Smith

La actualidad más candente (18)

Nodemcu - introduction

Hta r33

Nikto

mmsys2019 live streaming at scale

Rete di casa e raspberry pi - Home network and Raspberry Pi

Monica Salas & Raul Siles - Hype Potter and the Chamber of DNSSECrets [rooted...

IoT Hands-On-Lab, KINGS, 2019

Esp8266 - Intro for dummies

PHP7.2와 모던 암호학

Programando o ESP8266 com Python

WebRTC と Native とそれから、それから。

Denis Baranov: Root via XSS

Инциденты с использованием ransomware. Расследование

Create a-strong-two-factors-authentication-device-for-less-than-chf-100

BalCCon2k18 - Towards the perfect cryptocurrency wallet

How to setup your linux server

How Smart Thermostats Have Made Us Vulnerable

IETF 106 - Default IPv6 Local Only Addressing for Non-Internet Devices

Similar a [CB19] CIRCO: Cisco Implant Raspberry Controlled Operations by Emilio Couto

Every admin tool is an attack tool, yet there are no good or bad shells - that part is up to you. Coming from dozens of engagements consulting various role-based remote operations architectures & Red Team assessments for organizations in 4 continents, with a fresh research hijacking full tokens from network logon-type sessions - we’ll dive into a technical, hands-on set of examples for both Offensive and Defensive teams, of what SUCKS and what ROCKS on the Windows ‘Living off the land’ remote admin operations, Protocols, and APIs. We'll talk about the Pros and Cons of jump server architectures, as well as role-based shells, limiting PowerShell in creative ways. We'll also introduce fresh research to achieve Full Token hijack from network logon-type sessions, without any hash and/or TGT!

InSecure Remote Operations - NullCon 2023 by Yossi Sassi

Yossi Sassi

WebRTC meetup barcelona 2017

Juan De Bravo

Null Delhi chapter - Feb 2019

Nikhil Raj

Recon with Nmap

OWASP Delhi

M2M/IoT is rapidly growing and since its early days different “standard” protocols have emerged (e.g. OMA-DM, TR-069, MQTT, …) or are emerging (e.g. CoAP or Lightweight M2M). Understanding which protocol to use for which application can be intimidating, therefore we propose to give an overview of these protocols to help you understand their goals and characteristics. We’ll present common M2M use cases and why they usually require more than just one protocol ; we will also see whether CoAP associated with Lightweight M2M allows to forge “one protocol to rule them all”.

Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?

Julien Vermillard

Having developed a test set, we started to research how safe it is for clients to use 4G networks of the telecommunication companies. During the research we have tested SIM-cards, 4G USB modems, radio components, IP access network. First of all we looked for the vulnerabilities that could be exploited remotely, via IP or radio network. And the result was not late in arriving. In some cases we managed to attack SIM-cards and install a malicious Java applet there, we were able to update remotely USB modem firmware, to change password on a selfcare portal via SMS and even to get access to the internal technological network of a carrier. Further attack evolution helped to understand how it is possible to use a simple SMS as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install bootkit on a box, that this modem is connected to.

D1 t1 t. yunusov k. nesterov - bootkit via sms

qqlan

Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...

Sergey Gordeychik

Kamailio - SIP Servers Everywhere

Daniel-Constantin Mierla

NetFlow Monitoring for Cyber Threat Defense

Cisco Canada

Exploring the Final Frontier of Data Center Orchestration: Network Elements -...

Puppet

There is a big bunch of tools offering HTTP/SSL traffic interception. However, when it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all. Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. Though, based on our experience, it very often hides a shameful secret - completely unsecured mechanisms breaking all secure coding practices. To demonstrate, we will show a few case-studies - most interesting examples from real-life industry software, which in our opinion are a quintessence of "security by obscurity". We will challenge the security of proprietary protocols in pull printing solutions, FOREX trading software, remote desktops and home automation technologies.

CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols

PROIDEA

Root via sms. 4G security assessment

Sergey Gordeychik

Shameful secrets of proprietary network protocols

Slawomir Jasek

DevCon 5 (July 2013) - WebSockets

Crocodile WebRTC SDK and Cloud Signalling Network

When it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all. Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. Though, based on our experience, it very often hides a shameful secret - completely unsecured mechanisms breaking all secure coding practices.

Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014

Jakub Kałużny

We propose a new exploit technique that brings a whole-new attack surface to bypass SSRF (Server Side Request Forgery) protections. This is a very general attack approach, in which we used in combination with our own fuzzing tool to discover many 0days in built-in libraries of very widely-used programming languages, including Python, PHP, Perl, Ruby, Java, JavaScript, Wget and cURL. The root cause of the problem lies in the inconsistency of URL parsers and URL requesters. Being a very fundamental problem that exists in built-in libraries, sophisticated web applications such as WordPress (27% of the Web), vBulletin, MyBB and GitHub can also suffer, and 0days have been discovered in them via this technique. This general technique can also adapt to various code contexts and lead to protocol smuggling and SSRF bypassing. Several scenarios will be demonstrated to illustrate how URL parsers can be exploited to bypass SSRF protection and achieve RCE (Remote Code Execution), which is the case in our GitHub Enterprise demo. Understanding the basics of this technique, the audience won’t be surprised to know that more than 20 vulnerabilities have been found in famous programming languages and web applications aforementioned via this technique.

A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...

CODE BLUE

Network attacks in wired Lan environments Protection in wired Lan Layout of modern networks ( wired + wireless ) Difference between wired and wireless security Most powerful situation to acquire in any network Wireless attacks Why NTP ? Captive portal attacks Conclusion and some wild thoughts For complete data to perform this attack please go to the Github link below: https://github.com/mohitrajain/Wireless_security_beyond_password_cracking

Wireless security beyond password cracking by Mohit Ranjan

OWASP Delhi

DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...

Felipe Prado

Twisted: a quick introduction

Robert Coup

us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...

sonjeku1

Similar a [CB19] CIRCO: Cisco Implant Raspberry Controlled Operations by Emilio Couto (20)

InSecure Remote Operations - NullCon 2023 by Yossi Sassi

WebRTC meetup barcelona 2017

Null Delhi chapter - Feb 2019

Recon with Nmap

Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?

D1 t1 t. yunusov k. nesterov - bootkit via sms

Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...

Kamailio - SIP Servers Everywhere

NetFlow Monitoring for Cyber Threat Defense

Exploring the Final Frontier of Data Center Orchestration: Network Elements -...

CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols

Root via sms. 4G security assessment

Shameful secrets of proprietary network protocols

DevCon 5 (July 2013) - WebSockets

Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014

A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...

Wireless security beyond password cracking by Mohit Ranjan

DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...

Twisted: a quick introduction

us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...

Más de CODE BLUE

It started with computer hacking and Japanese linguistics as a kid. Zach Mathis has been based in Kobe, Japan, and has performed both red team services as well as blue team incident response and defense consultation for major Japanese global Japanese corporations since 2006. He is the founder of Yamato Security, one of the largest and most popular hands-on security communities in Japan, and has been providing free training since 2012 to help improve the local security community. Since 2016, he has been teaching security for the SANS institute and holds numerous GIAC certifications. Currently, he is working with other Yamato security members to provide free and open-source security tools to help security analysts with their work.

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...

CODE BLUE

Most 5G networks are built in fundamentally new ways, opening new hacking avenues. Mobile networks have so far been monolithic systems from big vendors; now they become open vendor-mixed ecosystems. Networks are rapidly adopting cloud technologies including dockerization and orchestration. Cloud hacking techniques become highly relevant to mobile networks. The talk dives into the hacking potential of the technologies needed for these open networks. We illustrate the security challenges with vulnerabilities we found in real-world networks.

[cb22] Tales of 5G hacking by Karsten Nohl

CODE BLUE

Printer has become one of the essential devices in the corporate intranet for the past few years, and its functionalities have also increased significantly. Not only print or fax, cloud printing services like AirPrint are also being supported as well to make it easier to use. Direct printing from mobile devices is now a basic requirement in the IoT era. We also use it to print some internal business documents of the company, which makes it even more important to keep the printer safe. Nowadays, most of the printers on the market do not have to be connected with USB or traditional cable. As long as you are using a LAN cable connected to the intranet, the computer can find and use the printer immediately. Most of them are based on protocols such as SLP and LLMNR. But is it really safe when vendors adopt those protocols? Furthermore, many printers do not use traditional Linux systems, but use RTOS(Real-Time Operating System) instead, how will this affect the attacker? In this talk, we will use Canon ImageCLASS MF644Cdw and HP Color LaserJet Pro MFP M283fdw as case study, showing how to analyze and gain control access to the printer. We will also demonstrate how to use the vulnerabilities to achieve RCE in RTOS in unauthenticated situations.

[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...

CODE BLUE

While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior. ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues. This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions. The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US. In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced. From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue. The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.

[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...

CODE BLUE

ハッカーたちの間では、セキュリティ向上のために研究を共有することの重要性が何年も前から知られていた。一方、協調して脆弱性を開示することの重要性も、世界中の政府によってますます認識されるようになってきた。情報開示とセキュリティ研究者の保護という原則は国境を越えて共通であるものの、国によって重要な違いがある。本パネルでは、重要な公共政策や企業の行動に影響を与える可能性のあるグローバルな視点を提示する。 ENISAは、2022年4月に「EUにおける脆弱性開示政策の調整」を発表した。本報告書では、EU加盟国における脆弱性開示の協調政策の現状を客観的に紹介するだけでなく、中国、日本、米国における脆弱性開示の運用を紹介している。それらを踏まえて、協調的な脆弱性開示プロセスに望ましい要素やベストプラクティスの要素を検討し、その後、課題や問題点について議論する予定。本報告書の内容を共有し、日本における運用の課題と今後の方向性、米国における国家安全保障と脆弱性対応の課題を、各法域の代表者とのパネルディスカッションで明らかにすることを目的としています。パネリストは、日本では早期警戒パートナーシップ通知機関の実務に携わる方々、欧州では上記報告書の執筆者、米国では上記報告書の寄稿者日本では、脆弱性対応における体制意識、インセンティブ、未処理案件の増加、いわゆるトリアージなどの課題が紹介される予定米国からは、国家安全保障のための脆弱性情報の開示方針（Vulnerabilities Equities Process）、脆弱性研究の不起訴方針の公表などを紹介するとともに、この問題の歴史的背景を紹介する。パネルディスカッションを通じて、脆弱性開示政策を取り巻く国際情勢や今後の動向、特にサイバーセキュリティにおける脆弱性の重要な役割とそれを取り巻く社会が抱える課題について参加者に理解していただくことを目的とする。

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（4） by 板橋博之

CODE BLUE

[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...

CODE BLUE

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（3） by Lorenzo Pupillo

CODE BLUE

[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...

CODE BLUE

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（2）by Allan Friedman

CODE BLUE

[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...

CODE BLUE

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（1）by 高橋郁夫

CODE BLUE

Yuuma Taki is enrolled in the Hokkaido Information University Information Media Faculty of Information Media (4th year). At university he is focusing on learning about security for lower-level components, such OS and CPU. In his third year of undergraduate school, he worked on trying to implement the OS security mechanism "KASLR", at Sechack365. Currently, he is learning about ROP derivative technology and embedded equipment security.

[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...

CODE BLUE

2021年10月、Lazarusグループに関連する可能性が高いユニークなローダーであるWSLinkの最初の分析を公開。ほとんどのサンプルは難読化され、高度な仮想マシン（VM）難読化機能で保護されている。サンプルには明確なアーティファクトが含まれておらず、当初は難読化を公的に知られているVMと関連付けなかったが、後にそれをCodevirtualizerに接続することに成功。このVMは、ジャンクコードの挿入、仮想オペランドの暗号化、仮想オペコードの重複、難読化手法仮想命令のマージ、ネストされたVMなど、いくつかの追加の難読化技術を導入する。本発表では、VMの内部を分析し、合理的な時間で難読化技術を「見抜く」ための半自動化されたアプローチについて説明する。また、難読化されたバイトコードと難読化されていないバイトコードを比較し、本手法の有効性を紹介する。われわれの手法は、仮想オペコードのセマンティクスを抽出する既知の難読化解除手法に基づいており、単純化規則によるシンボリック実行を使用。さらに、バイトコードチャンクとVMの内部構成を記号ではなく、具体的な値として扱い、既知の難読化手法で追加の難読化技術を自動的に処理できるようにする。

[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka

CODE BLUE

In October 2021, we published the first analysis of Wslink – a unique loader likely linked to the Lazarus group. Most samples are packed and protected with an advanced virtual machine (VM) obfuscator; the samples contain no clear artifacts and we initially did not associate the obfuscation with a publicly known VM, but we later managed to connect it to CodeVirtualizer. This VM introduces several additional obfuscation techniques such as insertion of junk code, encoding of virtual operands, duplication of virtual opcodes, opaque predicates, merging of virtual instructions, and a nested VM. Our presentation analyzes the internals of the VM and describes our semi automated approach to “see through” the obfuscation techniques in reasonable time. We demonstrate the approach on some bytecode from a protected sample and compare the results with a non-obfuscated sample, found subsequent to starting our analysis, confirming the method’s validity. Our solution is based on a known deobfuscation method that extracts the semantics of the virtual opcodes, using symbolic execution with simplifying rules. We further treat the bytecode chunks and some internal constructs of the VM as concrete values instead of as symbolic ones, enabling the known deobfuscation method to deal with the additional obfuscation techniques automatically.

[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...

CODE BLUE

Kimsuky is a North Korean APT possibly controlled by North Korea's Reconnaissance General Bureau. Based on reports from the Korea Internet & Security Agency (KISA) and other vendors, TeamT5 identified that Kimsuky's most active group, CloudDragon, built a workflow functioning as a "Credential Factory," collecting and exploiting these massive credentials. The credential factory powers CloudDragon to start its espionage campaigns. CloudDragon's campaigns have aligned with DPRK's interests, targeting the organizations and key figures playing a role in the DPRK relationship. Our database suggested that CloudDragon has possibly infiltrated targets in South Korea, Japan, and the United States. Victims include think tanks, NGOs, media agencies, educational institutes, and many individuals. CloudDragon's "Credential Factory" can be divided into three small cycles, "Daily Cycle," "Campaign Cycle," and "Post-exploit Cycle." The"Daily Cycle" can collect massive credentials and use the stolen credentials to accelerate its APT life cycle. In the "Campaign Cycle," CloudDragon develops many new malware. While we responded to CloudDragon's incidents, we found that the actor still relied on BabyShark malware. CloudDragon once used BabyShark to deploy a new browser extension malware targeting victims' browsers. Moreover, CloudDragon is also developing a shellcode-based malware, Dust. In the "Post-exploit Cycle," the actor relied on hacking tools rather than malicious backdoors. We also identified that the actor used remote desktop software to prevent detection. In this presentation, we will go through some of the most significant operations conducted by CloudDragon, and more importantly, we will provide possible scenarios of future invasions for defense and detection.

[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...

CODE BLUE

Social media is no doubt a critical battlefield for threat actors to launch InfoOps, especially in a critical moment such as wartime or the election season. We have seen Bot-Driven Information Operations (InfoOps, aka influence campaign) have attempted to spread disinformation, incite protests in the physical world, and doxxing against journalists. China's Bots-Driven InfoOps, despite operating on a massive scale, are often considered to have low impact and very little organic engagement. In this talk, we will share our observations on these persistent Bots-Driven InfoOps and dissect their harmful disinformation campaigns circulated in cyberspace. In the past, most bots-driven operations simply parroted narratives of the Chinese propaganda machine, mechanically disseminating the same propaganda and disinformation artifacts made by Chinese state media. However, recently, we saw the newly created bots turn to post artifacts in a livelier manner. They utilized various tactics, including reposting screenshots of forum posts and disguised as members of “Milk Tea Alliance,” to create a false appearance that such content is being echoed across cyberspace. We particularly focus on an ongoing China's bots-driven InfoOps targeting Taiwan, which we dub "Operation ChinaRoot." Starting in mid-2021, the bots have been disseminating manipulated information about Taiwan's local politics and Covid-19 measures. Our further investigation has also identified the linkage between Operation ChinaRoot and other Chinese state-linked networks such as DRAGONBRIDGE and Spamouflage.

[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...

CODE BLUE

Malwares written in Go is increasing every year. Go's cross-platform nature makes it an opportune language for attackers who wish to target multiple platforms. On the other hand, the statically linked libraries make it difficult to distinguish between user functions and libraries, making it difficult for analysts to analyze. This situation has increased the demand for Go malware classification and exploration. In this talk, we will demonstrate the feasibility of computing similarity and classification of Go malware using a newly proposed method called gimpfuzzy. We have implemented "gimpfuzzy", which incorporates Fuzzy Hashing into the existing gimphash method. In this talk, we will verify the discrimination rate of the classification using the proposed method and confirm the validity of the proposed method by discussing some examples from the classified results. We will also discuss issues in Go-malware classification.

[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...

CODE BLUE

Goで書かれたマルウェアは年々増加している。Goはクロスプラットフォームの性質を持っており、複数のプラットフォームを標的にしたい攻撃者にとって好都合な言語である。その一方で、ライブラリが静的にリンクされていることからユーザ関数とライブラリの区別が難しく、アナリストにとって解析が困難である。そうした状況で、Goマルウェアの分類や探索の需要が高まっている。本講演ではgimpfuzzyという新たな提案手法を用いてGoマルウェアに対し類似性の計算や分類が可能であることを検証する。われわれは既存手法であるgimphashにFuzzy Hashingを組み込んだ「gimpfuzzy」を新たに実装した。講演では提案手法を利用した分類の判別率を検証し、分類された結果の中からいくつかの事例を取り上げその妥当性について確認する。また、Goマルウェアの分類における課題についても検討を行う予定である。

[cb22] Mal-gopherとは？Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部祐太, 甘粕伸幸, 野村和也

CODE BLUE

Malware analysts normally obtain IP addresses of the malware's command & control (C2) servers by analyzing samples. This approach works in commoditized attacks or campaigns. However, with targeted attacks using APT malware, it's difficult to acquire a sufficient number of samples for organizations other than antivirus companies. As a result, malware C2 IOCs collected by a single organization are just the tip of the iceberg. For years, I have reversed the C2 protocols of high-profile APT malware families then discovered the active C2 servers on the Internet by emulating the protocols. In this presentation, I will explain how to emulate the protocols of two long-term pieces of malware used by PRC-linked cyber espionage threat actors: Winnti 4.0 and ShadowPad. Both pieces of malware support multiple C2 protocols like TCP/TLS/HTTP/HTTPS/UDP. It's also common to have different data formats and encoding algorithms per each protocol in one piece of malware. I'll cover the protocol details while referring to unique functions such as server-mode in Winnti 4.0 and multiple protocol listening at a single port in ShadowPad. Additionally, I'll share the findings regarding the Internet-wide C2 scanning and its limitations. After the presentation, I'll publish over 140 C2 IOCs with the date ranges in which they were discovered. These dates are more helpful than just IP address information since the C2s are typically found on hosted servers, meaning that the C2 could sometimes exist on a specific IP only for a very limited time. 65% of these IOCs have 0 detection on VirusTotal as of the time of this writing.

[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...

CODE BLUE

We are swamped with new types of malware every day. The goal of malware analysis is not to reveal every single detail of the malware. It is more important to develop tools for efficiency or introduce automation to avoid repeating the same analysis process. Therefore, malware analysts usually actively develop tools and build analysis systems. On the other hand, it costs a lot for such tool developments and system maintenance. Incident trends change daily, and malware keeps evolving. However, it is not easy to keep up with new threats. Malware analysts spend a long time maintaining their analysis systems, and it results in reducing their time for necessary analysis of new types of malware. To solve these problems, we incorporate DevOps practices into malware analysis to reduce the cost of system maintenance by using CI/CD and Serverless. This presentation shares our experience on how CI/CD, Serverless, and other cloud technologies can be used to streamline malware analysis. Specifically, the following case studies are discussed. * Malware C2 Monitoring * Malware Hunting using Cloud * YARA CI/CD system * Malware Analysis System on Cloud * Memory Forensic on Cloud Through the above case studies, we will share the benefits and tips of using the cloud and show how to build a similar system using Infrastructure as Code (IaC). The audience will learn how to improve the efficiency of malware analysis and build a malware analysis system using Cloud infrastructure.

[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...

CODE BLUE

Más de CODE BLUE (20)

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...

[cb22] Tales of 5G hacking by Karsten Nohl

[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...

[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（4） by 板橋博之

[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（3） by Lorenzo Pupillo

[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（2）by Allan Friedman

[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（1）by 高橋郁夫

[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...

[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka

[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...

[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...

[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...

[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...

[cb22] Mal-gopherとは？Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部祐太, 甘粕伸幸, 野村和也

[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...

[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...

Último

Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx

raffaeleoman

Report Writing Webinar Training

KylaCullinane

Dreaming Marissa Sánchez Music Video Treatment

nswingard

(Vivek)Call Us, 8448380779,Call girls in Delhi NCr – We Offer best in class call girls. escort Service At Affordable Price At low Rate with Space Night 8000 We Are One Of The Oldest Escort and Call girls Agencies in Delhi. You Will Find That Our Female Escorts Are Full Of Fun, Sexy And They Would Love Enjoy Your Company. We Have A Fantastic Selection Of Escort Ladies Available For In-Calls As Well As Out-Calls. Our Escorts Are Not Only Beautiful But All Have Great Personalities Making Them The Perfect Companion For Any Occasion. In-Call:- You Can Come At Our Place in Delhi Our place Which Is Very Clean Hygienic 100% safe Accommodation. Out-Call:- You have To Come Pick The Girl From My Place We Are Also Provide Door Step Services (Delhi Ncr, Noida, Gurgaon, Faridabad, Ghaziabad Note:- Pic Collectors Time Passers Bargainers Stay Away As We Respect The Value For Your Money Time And Expect The Same From You Hygienic:- Full Ac room And Clean Rooms Available In Hotel 24 * 7 Hourly In Delhi NCR More Details, With WhatsApp Number, +91-8448380779

BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service

Delhi Call girls

💚❤️Call girl in Chandigarh ☎️8868886958☎️ Call Girl service in Chandigarh☎️ Chandigarh Call Girls Service ☎️ Call Girls In Chandigarh Call Girl Service In Chandigarh 💯Call Ruhi 🔝8868886958🔝Chandigarh Call Girl WhatsApp Chat: ☎️ +91-8868886958 Call Girls In Chandigarh offer you everything from intimate moments to wild nights - be it intimate or wild. Their girls are always prepared to meet all your needs and desires so you're assured a memorable experience with them. Beautiful Babes are sure to turn heads wherever they go, captivating men with their seductive personalities and captivating looks - not to mention their sensually alluring bodies that are sure to satisfy all your naughty fantasies, from blowjobs to anal massages; not forgetting BDSM and orgies as well. Show them some appreciation when the time is right. Call Girl Chandigarh that their clients can be very demanding. To maintain their reputation and gain more clients, these sexy call girls always work tirelessly to provide exceptional service that ensures each customer's happiness - so much so that many men seek them out to have an unforgettable experience with Passionate about providing erotic pleasure for their clients - fulfilling all sexy fantasies while offering role play services such as BDSM. ★OUR BEST SERVICES: - FOR BOOKING ★ A-Level (5-star escort) ★ Strip-tease ★ BBBJ (Bareback Blowjob) ★ Spending time in my rooms ★ BJ (Blowjob Without a Condom) ★. Extra ball (Have ride many times) ☛ ☛ ☛ ✔✔ secure✔✔ 100% safe WHATSAPP CALL ME💥✨✨⭐⭐⚡💦💦💨🔥💫💫 Their services range from erotic encounters and movie dates to in-call and out-call services, making this option available 24/7. Available for services including NSA, threesomes and foursomes sessions as well as massage services and casual foreplay - they even provide real girlfriend experience. Find one online or visit local women's clubs, hotels or restaurants. Hiring a Chandigarh call girl for an evening or day out can be the perfect addition to your social gathering or office event, or you could arrange for her to visit your home or hotel room. Not only are these women gorgeous, they're intelligent as well, with great senses of humor - sure to please and leave you wanting more. If you want a cheap escort in Chandigarh, look for someone who is either a student or works part time so that she will always be available when you need her. In addition to this, look for housewives as this ensures they have stable lives that can keep you satisfied for extended periods. These beautiful ladies will capture your attention at first sight with stunning eyes and full, seductive lips; not to mention a seductive personality that makes you want to spend more time with them; moreover they are discreet enough to meet up anywhere nearby! Hiring a call girl in Chandigarh can be done through either the internet or calling her directly, with services like massage or sex sessions offered to request from specific agencies within.

No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...

Sheetaleventcompany

Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...

Delhi Call girls

Introduction to Prompt Engineering (Focusing on ChatGPT)

Chameera Dedduwage

ICT role in 21st century education and it's challenges.pdf

Islamia university of Rahim Yar khan campus

SaaStr Workshop Wednesday w/ Lucas Price, Yardstick

saastr

My Presentation "In Your Hands" by Halle Bailey

hlharris

Presentation on Engagement in Book Clubs

samaasim06

I had the honour of delivering the Keynote Address at the 34th Annual Conference of the Nigerian Political Science Association (NPSA) in Lokoja. The conference theme, "Governance and Nation-Building in Nigeria: Some Reflections on Options for Policy," is relevant and timely. The challenges of nation-building are manifesting worldwide, including our continent and country. Violent conflicts and subterranean discord and discontent are prevalent, and the revival of irredentist ethno-regional and religious identities further complicates the situation. I believe that the conference was a great opportunity to discuss these challenges and reflect on practical policy options. I salute the President of the NPSA, Professor Hassan Saliu, for his leadership and the Executive Committee's effort to mobilize the membership despite a paucity of resources and the prevailing tough economic times. I am optimistic that the NPSA will continue to thrive, and I urge all of us to work towards the continued stability and unity of our country.

Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...

Kayode Fayemi

The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf

Senaatti-kiinteistöt

Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx

mohammadalnahdi22

Yesterday in Lagos, I had the honour of delivering a lecture titled “If this Giant Must Walk; Manifesto for a New Nigeria“ at the Inaugural Memorial Lecture of Prince Emeka Obasi, founder and publisher of Business Hallmark and the inspirational figure behind the Public Policy Research and Analysis Centre - promoters of the revered Zik Leadership and Governance Awards. My lecture focused on the challenges of nation-building in Nigeria and how we can approach them in a way that promotes progress and unity. I discussed the many sources of concern about our country’s future prospects, including violent conflicts, revisionist contestations of the Amalgamation Act of 1914, discontent with the Nigerian economy, and dysfunctions in the federal system. Central to my lecture was the call to address these challenges by crafting a new manifesto for Nigeria. This manifesto, I proposed, should champion integrity, compassion, character, competence, and commitment to national unity and progress within a framework of democratic governance and cultural diversity. I firmly believe that by doing so, we can guide Nigeria to stride forward with pride and purpose. I want to thank the Board and Management of the Public Policy Forum for their kind invitation to speak at this important event and for their commitment to promoting public policy research and analysis in Nigeria. My gratitude also to the late Prince Emeka Obasi, a true inspiration and a builder of bridges across divides, for his contributions to the country. My thoughts are with his family and loved ones.

If this Giant Must Walk: A Manifesto for a New Nigeria

Kayode Fayemi

BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service

Delhi Call girls

lONG QUESTION ANSWER PAKISTAN STUDIES10.

lodhisaajjda

Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...

Hasting Chen

Dreaming Music Video Treatment _ Project & Portfolio III

NhPhngng3

Air breathing and respiratory adaptations in diver animals

aqsarehman5055

[CB19] CIRCO: Cisco Implant Raspberry Controlled Operations by Emilio Couto

1. C I R C OCisco Implant Raspberry Controlled Operations https://circo.cc

2. • My name is Emilio and I’m hacker • I like to play with packets, networks, electronics and 3D printers • I presented security tools at various conferences (DEF CON, BlackHat Asia, AV Tokyo HIVE, SECCON, HITB, etc) • Sorry, I’m not a native programmer or English/Japanese speaker J Helloこんにちは https://circo.cc

3. ▪ Allow existing IP-Phone to co-exist with CIRCO ▪ Eliminate template files (craft all packets) ▪ Support NTP exfiltration ▪ Software encrypted via Bluetooth (prevent forensic) ▪ Self destroy and alarm switch (thanks Will) ▪ Bypass fingerprinting (NAC) ▪ Credentials integration into Faraday (thanks Fran) https://circo.cc What’s new? 新機能

4. ▪ Cisco DNA (Digital Network Architecture) ▪ Infoblox NetMRI ▪ Micro Focus® Network Automation (formerly HP NA) ▪ Service Now Discovery* ▪ ForeScout CounterACT (NAC) ▪ Trusted network administrators ▪ Others * SNMP discovery only https://circo.cc Who we target? ターゲットは？

5. https://circo.cc CIRCO Evolution 進化

6. Demo Box v1 https://circo.cc Production Box v1.4

7. Production Box v1.5 https://circo.cc

8. ▪ Components □ CIRCO: Implant (hardware & software) □ CARPA: Credentials Receiver (Internet VPS, software and domain NS) □ JAULA: Wireless Credentials Receiver (software) ▪ Python 2 □ Mainly Scapy for packet manipulation □ Migration into Python 3 started… ▪ Features: □ Honeypots services to behave as a Cisco Switch or IP-Phone □ Trick NAC systems (nmap, Phone whitelisted, Golden MAC) □ OSfooler-NG (https://github.com/segofensiva/OSfooler-ng/) ▪ Exfiltration via cover channel protocols □ ICMP (ping), Traceroute, NTP, HTTP, HTTPS, DNS, Proxy (DNS) and Wireless ▪ Extra: Get plain credentials if a PC is plugged into the IP-Phone □ net-creds (https://github.com/DanMcInerney/net-creds) https://circo.cc Software ソフトウェア

9. ▪ Cisco CDP & LLDP Advertisement (as IP-Phone & Network Switch) ▪ Cisco SNMP Agent ▪ Cisco Telnet CLI (IOS 15.x) ▪ Cisco SSH CLI (IOS 15.x) ▪ Mimic packets format like IOS to avoid NAC/IDS/IPS https://circo.cc Fake Services (Honeypots) シスコハニーポット

10. Demo Time! デモの時間!

11. https://circo.cc Lab Network Diagram

12. https://circo.cc Exfiltration Format 流出のフォーマット ▪ Telnet □ t,<username>,<password>,<src_IP> □ t,e,<enable_password>,<src_IP> ▪ SSH □ s,<username>,<password>,<src_IP> □ s,e,<enable_password>,<src_IP> ▪ SNMP (v1/v2) □ p,<community>,<src_IP> ▪ net-creds* (optional) □ n,<credentials>,<src_IP> * Under development

13. ▪ ICMP (IP.id & ICMP.seq fields) ▪ Traceroute (IP.id field & UDP payload) ▪ HTTP and HTTPS (IP.id & TCP.window fields) ▪ NTP (NTP.stratum, NTP.poll, NTP.tx.timestamp) ▪ DNS (NS query evil.sub.domain) ▪ DNS (A query) via Proxy (DHCP Option 252, WPAD.<domain>, PAC Guessing via DNS) ▪ Wireless* (SSID Name & Dot11.beacon, Dot11.SC and Dot11.interval) https://circo.cc Network Exfiltration Techniques ネットワーク流出テクニック * Proximity required Credentials & IP address are encrypted with AES256 before sending

14. https://circo.cc ICMP Exfiltration Flow

15. https://circo.cc Traceroute Exfiltration Flow

16. https://circo.cc HTTP/HTTPS Exfiltration Flow

17. https://circo.cc NTP Packet “Fraction”

18. https://circo.cc NTP Exfiltration Flow

19. https://circo.cc DNS Exfiltration Flow

20. https://circo.cc Proxy (DHCP) Exfiltration Flow

21. https://circo.cc Proxy (WPAD) Exfiltration Flow

22. Proxy (DNS Guessing) Exfiltration Flow https://circo.cc

23. https://circo.cc Wireless Exfiltration Flow

24. ありがとうございます！ Emilio ekio_jp https://github.com/ekiojp/circo https://circo.cc Thank You!