HITBSecConf2011 – Malaysia » The Grugq (Senior Security Researcher, COSEINC)



The Grugq (Senior Security Researcher, COSEINC)

Presentation Title: Smashing the Slack for Fun and Profit
Presentation Abstract

An explosion of applications using structured file formats has provided today’s hackers with a wealth of potential “slack space”. This profusion of structured data files means that for an attacker, finding new secret places to store data is pretty easy. Developing a new toolset, from scratch, to access and manipulate this new secret data store… now this is a pain in the ass.

The traditional one-off tool development approach is simply too time consuming and crude for effective real world use. Each new tool must:

* Implement data access mechanisms;
* Provide a namespace to separate unique data units;
* Enable strong encryption for data security; and
* Utilise subtle obfuscation to reduce the chance of discovery.

Qondom: the Metasploit of Anti-Forensic Data Hiding Attacks

The solution to the problem of constantly developing new attack tools is explored in this talk. The primary solution is a framework for rapidly developing novel anti-forensic tools which target specific data hiding vectors. This framework provides everything except the attack specific code, allowing for rapid retargeting to new platforms. Pluggable backend data I/O modules can be easily developed for almost any new data hiding attack.

The supreme utility of this toolkit will be illustrated through several typical use-cases. Each of these use-case examples uses a different brand new 0day anti-forensic data hiding attack. Fully functional example implementations for SQLite, ZIP and other structured formats will be demonstrated.
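As an added example for the ZIP case mentioned above (not code from the talk or from Qondom), here is a forensic check that walks an archive's own structures, local headers, compressed payloads, central directory and end-of-central-directory record, and reports every byte range none of them accounts for, which is exactly where slack-space hiding lands. The sample archive and the hidden strings are constructed inline.

```python
import io
import struct
import zipfile

def find_zip_slack(data: bytes) -> list:
    """Return (start, end) byte ranges of `data` that no ZIP structure accounts for."""
    eocd = data.rfind(b"PK\x05\x06")  # end-of-central-directory signature
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    cd_size, cd_off, comment_len = struct.unpack_from("<2LH", data, eocd + 12)
    covered = [(cd_off, cd_off + cd_size), (eocd, eocd + 22 + comment_len)]
    pos = cd_off
    while pos < cd_off + cd_size:  # one central-directory entry per archived file
        cd = struct.unpack_from("<4s6H3L5H2L", data, pos)
        if cd[0] != b"PK\x01\x02":
            raise ValueError("corrupt central directory entry at %d" % pos)
        flags, csize, loff = cd[3], cd[8], cd[16]
        pos += 46 + cd[10] + cd[11] + cd[12]  # name, extra and comment lengths
        lh = struct.unpack_from("<4s5H3L2H", data, loff)
        if lh[0] != b"PK\x03\x04":
            raise ValueError("central directory points at non-header at %d" % loff)
        end = loff + 30 + lh[9] + lh[10] + csize  # header + name + extra + payload
        if flags & 0x8:  # a data descriptor trails the payload (12 or 16 bytes)
            end += 16 if data[end:end + 4] == b"PK\x07\x08" else 12
        covered.append((loff, end))
    slack, cursor = [], 0
    for start, end in sorted(covered):  # anything between covered regions is slack
        if start > cursor:
            slack.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < len(data):
        slack.append((cursor, len(data)))
    return slack

def build_sample(hide: bool = True) -> bytes:
    """Constructed input: a two-entry archive, optionally with data tucked into two slack spots."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "nothing to see here\n" * 20)
        zf.writestr("notes/todo.txt", "buy milk\n")
    clean = buf.getvalue()
    if not hide:
        return clean
    eocd = clean.rfind(b"PK\x05\x06")
    cd_off = struct.unpack_from("<L", clean, eocd + 16)[0]
    gap, tail = b"HIDDEN-BETWEEN-ENTRIES-AND-CD", b"HIDDEN-AFTER-EOCD"
    # Splice `gap` before the central directory (patching the EOCD's cd offset so the archive still extracts), then append `tail` after the EOCD.
    fixed = clean[eocd:eocd + 16] + struct.pack("<L", cd_off + len(gap)) + clean[eocd + 20:]
    return clean[:cd_off] + gap + clean[cd_off:eocd] + fixed + tail
```

`find_zip_slack(build_sample())` returns the two injected ranges, while the clean archive yields an empty list; the same walk applies to any ZIP-based container (OOXML, JAR, APK).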

Data Exfiltration without Tears

Some novel approaches to data exfiltration will be presented and discussed. These leverage popular web technologies to bypass monitoring and filtering by blending in with existing normal traffic, but without using custom tools which can leave a fingerprint for forensic analysts.

haxh: the resurrection of the hacker’s shell

There is now a new, more robust, implementation of the haxh hacking harness. A hacking harness is the class of penetration testing assistance tools which bridge the gap between vanilla command line hacking and graphical exploit environments. This tool extends the terminal environment by adding multiplexed background processes and completely programmable control over almost all shell interactions.

Using the simple, yet powerful, core haxh API and Expect-like functionality, it is simple to develop programs which automate interaction with the slave terminal process (typically the shell). Many potent new hacking assistance utilities can be crafted using these basic building blocks. Included utilities provide formidable capabilities to the penetration tester:

* Anti forensic trace-free remote execution of scripts and binaries
* Inline safe file transfer (no more uuencode + cat!)
* Aliases for common post-login commands (e.g. ‘unset HISTFILE’)
* Sanity checks for $PATH and $LD_PRELOAD

The new anti-forensics is back with a vengeance!

About The Grugq

The Grugq is a pioneering information security researcher with over a decade of professional experience. He has worked extensively with digital forensic analysis, binary reverse engineering, rootkits, Voice over IP, telecommunications and financial security. The Grugq’s professional career has included Fortune 100 companies, leading information security firms and innovative start-ups. Currently living in Thailand, the Grugq works as a senior security researcher for Coseinc. While not on engagements, the Grugq continues his research on security, forensics and beer.