Red Team Ops Psychology – an Act in 4 Parts

· Leave a comment ·

Disclaimers

  1. This Blog post is for fun. Do not self-diagnose!
  2. Do take it with a grain of salt.
  3. The technics mentioned here were relevant when I was a Red Team operator. Things might have changed by now!
  4. Non-technical people reading this (for any reason): skip the jargon, check the references! You could analyze any profession in a psychological tongue-in-cheek way too!

Setting: A Hypothetical Job Interview for the role of “Senior Red Teamer Operator”

Characters:

  • Interviewer
  • Interviewee (John)

Part 1 – The Addiction Part (kind of)

– So John, can you answer me this one question, what really happens when an implant is double-clicked in an assume-breach scenario?

– Of course! Can you hint me on what transport is the implant using to reach the C2 server? Is it DNS? HTTPS? anything more fancy?

– Let’s assume it’s HTTPS with Cert Pinning. Are you familiar with that?

– I sure am! So yeah, the implant when double-clicked starts a process in the host, it can be directly executing the malware code or plant it somewhere to be executed at a later time like COM hijacking on Windows. Eventually, maybe after self-decrypting its main components, the malicious code attempts to reach the C2 server. So, it most probably goes with DNS, resolving the C2 server’s IP address from a Domain Name embedded or calculated in its code. Then it starts a TLS handshake with the C2 server (or a reflector). The C2 Server provides a Server Hello TLS message attaching a x509 Certificate and the malware checks whether the Certificate matches with the “Pin”, a value which is embedded to the code and most of the time is a SHA2 hash. If all goes well, the rest of the TLS Handshake takes place and this is the point that the Red Team operator used to get a message like “Meterpreter session opened (session N)” but now they get something like “Host called home” or anything along these lines…

– That’s a brief but sufficient ans…

– I’m not done! This message is printed to the Red Team operator’s screen through some call which ends up to the drawing system of their GPU and the screen’s pixels change in a way to symbolize one of the phrases I just stated. The operator’s eyes then, perceive this change and the image goes directly to the Frontal Lobe of their brain for decoding. This is happening super fast! Keep in mind I’m skipping a lot of stuff here, like the retina’s decoding from light to electricomagnetic signals sent to the Optic Nerve and the flipped image trigonometry. I can explain these later if you wish, now…

– I think that’s way more than en…

– So yeah, the image is processed in the Visual Cortex of the brain, the words are, we could say, “parsed”, but I’m skipping some stuff here, and then are passed to Middle Temporal Gyrus (or MTG for short) of the Red Team operator’s brain that makes him realise what the phrases printed in the C2 server mean, and they mean that a shell just called home!

– John, we could skip to the next que…

– That’s actually the best part! Now that the operator realises that they got a shell, one thing happens before everything else related to Lateral Movement, checking if the host is Domain-joined and the rest. The operator’s neuroreceptors get a huge pinch of Dopamine in his midbrain, which effectively does two things: first sets the operator in a very good and motivated mood and second, with the help of Glutamate they take note on how exactly they got this shell, making them a better Red Team operator, hence making it more possible for them to feel that good again in the future. That might lead to a promotion leading to even more Dopamine! We could say, at this point, that the Red Team operator is a junky for shells! Isn’t it amazing?

– This was actually a very weird way to explain a connect-back! I have another question for you: How would you continue if you realized that the phishing campaign you sent didn’t go well?

Part 2 – The Conditioning Part

– Oh, what do you mean? Did we get any HTTP canary, did anyone even open the email? Did we get a shell and it was insta-killed?

– Let’s say you get no shells and none opened your emails. Radio silence kind of thing!

– Oh then, I’d check if the email pretext is good enough. It has to be urgent and formal just enough to push someone towards the wrong decision of clicking the malware. I could talk for hours on phychological violence of phishing campaigns and the general ethincs of the Red Teamer, anyway…

– Let’s assume that with the changed pretext the email gets opened but you’re not getting a shell?

– I’m really glad you are asking me this question! You know there was this guy called B.F Skinner, who has been the father of Behaviourism, the concept that we, as a species, are kind of animals that form our behaviour mainly through conditioning and our reward system! So this guy…

– John, could we please skip to the technical part now?

– Sure. So I’d get from the Information Gathering phase what kind of AV they’re currently using and try creating AV-bypasses for this specific AV by hand.

– And if you are getting a shell now but it dies on you in seconds?

– So, this Skinner guy made an experiment by putting rats and pigeons in a box. He used conditioning to make them learn to press a button in that box. They learned that by rewarding them with food every time they pushed that button. Really, not every time, and that’s exactly the catch! The animals got more conditioned to the button when he didn’t provide food in every button push, but just sometimes!

– John, can you please tell me why the shell dies? I find all these things really interesting but kind of irrelevant!

– The interview is for a Senior role, so I believed I had to explain full-stack. I’ll try to be more brief. My point is that the Red Team operator is getting kind of Skinnerbox’d, on learning how to land a working shell, by not getting it most of the time. And also, by waiting random amounts of time until they get the reward. So, if I had to fix that malware I’d finally need to write some code!

– Glad to hear that! What kind of code?

– C++ or C# most probably. The shells often die because of some Post Exploitation operation that is executed and is identified, traced and blocked by Endpoint Protection software on the host. So I’d need to get the same software in a Virtual Machine, run the same malware, do the same Post Exploitation actions and see where and how it gets killed. Then I’d try to either patch away the EDR’s DLLs from the process memory, as some of them work on userland, or change the order of the malware’s syscalls, as these are the ones that tend to be signature’d by EDRs.

– I see. Can you explain how you’d write the code.

– I guess I can! I’d run my IDE, most probably VSCode for these languages and do changes to the original malware. I’d use Git to keep all code changes tidy, maybe a branch per target, and then fail to compile a bunch of times. When the code compiles I’ll run the malware on the VM, do the actions and see if it gets killed. If it does I’d go back to square one, trying something else.

– That’s a bit generic but I get your idea.

– This continuing cycle of searching Windows API docs, coding, compiling, running and getting, or not getting a reward is the basis of it all. It is a Skinner box as well! I do something and I might get rewarded. This hooks me into trying it more and more, so I’ll eventually manage it! Monkeys could even author Shakespeare exactly this way!

– Your approach is really optimistic John. I like that. It all sounds so based, but in a really absurd way! So there is this question now: how would you get notified when you get a shell?

Part 3 – The Compulsive Part

– This brings me to this other topic! By now, having done so many things for this assessment, I’d totally be obsessed! It has to work, right? I mean, I wordsmith’d the pretext, modified the code, tested rigorously, launched the phishing campaign and all. So every minute I don’t get a connect-back must be painful by now!

– So, would you set up some Slack notification or something?

– There are plenty of ways! I can continously stare at my screen, waiting for the shell to come. But, as some persistence technics require reboot to work, we really have no clue how long it can take to get a shell, or if they’re going to work at all. So most C2s have notification systems, for Slack or Telegram messages on every new connect-back. I’d use one of those. I could also check the Payload Delivery server logs. I didn’t mention it, but we are totally keeping those! So, every some minutes I check my Slack or Telegram or the tail -f of the logs, as I might have missed something when I went to the freezer to get water, or when I went for a smoke.

– This is a lot of dedication! I like that!

– Probably you shouldn’t. Checking all the time is a part of the job that is not useful and is kind of addictive as well. Like checking socials or messages on your phone all the time. You could even say that is the compulsion part of an obsession. Because, Red Team operators more often than not get obsessed with landing in the target organization. It gets very personal. You could argue that it is passion, and sometimes it really is that, but I’d say it easily becomes an obsession. And compulsion follows obsession sooner or later! It can loosely be seen as an addiction too!

– Wait, you are saying that the Red Teamers have OCD?

– No! You can have Obsession-Compulsion cycles without having an OCD, just like you can have narcissistic traits without being a narcissist. The thing is that I believe these cycles make the professionals less effective, which is counter-intuitive, but I can explain.

– I don’t know if this an interview anymore.

– It really is a blog post, but let’s continue pretending for a moment – it’s gonna end soon!

– Ok, go ahead. If this way of working is ineffective, as you say, what is an effective one? To keep the interview format, what new ways would you bring to the Team in case you join?

Part 4 – The Cure for this Profession

– If I join the team I’d work in a very specific way. My way really comes from Buddh…

– I was really afraid we’d end up to something like this.

– It’s not a religious belief though. It is about not merging oneself with the outcome. Not valuing myself as a person from whether I managed to send a piercing phishing campaign or a well-baked payload. It might seem bad at first, but really relieves me from a lot of pressure I’d put on myself. Without this pressure and mental overhead I can really, calmly, hack them. My mind’s CPU can stop spending cycles on my self-worth and I use those cycles to better think of a good spear-phishing target or create a solid Malleable Profile.

– This is a very philosophical point of view Jo…

– Thank you, sir!

– I was saying that I appreciate it, but I’d like to ask if there is a more practical example of what value you could add to our team?

– Well, I speak Terraform fluently, as I like the preparation phase. For me, preparation is the best part of an assessment as the reward cycle hasn’t started yet and so the actions a Team takes are calm and measured. It is when the rewarding phase comes that Red Teamers lose their cool. They login from home, they do OpSec unsafe stuff, they run Powershell hoping to not get caught that one time. And that’s why they fail. These actions are reckless ways to get Dopamine. It’s their midbrain loosely overriding their Frontal Cortex that knows that Elastic SIEM has a bunch of rules that booby trap Powershell, and that DCSyncing from any Domain Admin user is easily detected.

– Thank you John for your time. We’ll send you an email later today on how we can proceed with the hiring process.

– Really? we just started… We are like 15 minutes in!

References

Addiction Neuroscience 101 – YouTube

The Neurobiology of Addiction Addiction 101 in Olson – YouTube

The Skinner Box – How Games Condition People to Play More – Extra Credits – YouTube

Kubernetes – a psycho-political view

· Leave a comment ·


It is said before in this blog, that people create stuff “in Image and Likeness, which is a bible reference for how god created the mankind. While god (as a figure and idea) is not really my cup o’ tea, I do find this part of bible a bit intriguing. It is intriguing how we (the mankind) created god’s idea in our own Image and Likeness (and other gods and goddesses and in-betweens). For example, christian god gets angry, or pleased, or creative, while it presumably is (or is not) the Super-Duper extra-terrestrial being that created everything and exists everywhere. It is the same need to make stuff out of a known template, that makes god of Pokemon, an equally Super Duper being, still catchable in a regular Pokeball (like all other Pokemon).

This same urge to follow our own template is around us in many things humans create. When one crosses the Rubicon to the world of computers, this resemblance that makes everything look like something else, has its root to humans really. And the reason this happens is the amazing fact that when a computer has to be programmed to solve a problem, we tend to get into the computer’s shoes, try to solve it and keep a record of our steps. Then code these steps in a programming language and that’s it: Let there be software (or hardware). The examples are too many to handle, but the central one is the Von Neumann architecture altogether, that computers still follow.

The catch with this approach is that humans have problems. And recreating the original conditions for these problems in a computer, can lead to these same problems – unless some other axiomatic truth is interfering with the results (demonstrated with the sentence “humans/computers have to work – computers do not question what they have to do“).

Human problems are of multiple types. Personal problems are one type. Problems that have to do with how one is managing oneself. They have clear boundaries, and exist without depending on external stuff, while they can get solved without involving external entities. Yet, I propose that, humanity as a whole is suffering way more from a different kind. The Social ones. The ones that cannot be solved atomically, and not generally by the ones having them. Homelessness, Climate Change, Capitalism are trending in this category.

Computers do not directly inherit social problems from humans, as they are not social animals (and they didn’t get their own Aristotle yet), but they get programmed to eventually be. Think of the Internet, think of networks and distributed computing. And this brings us to the topic. Think of Kubernetes.

Kubernetes has been created to distribute workloads across computers. Its heart is a component called scheduler that basically orders the hosts to run containers, depending on their current workload. To make it graphic, imagine the below:

but with computers.

Yet, you won’t find the scheduler in the above photograph.

He is in this one:

overseer

Kubernetes is Greeklish for “Κυβερνήτης” a Greek word for captain or governor, with the latin root of “guberno” which is the word that “government” comes from. So far so good! That thing went political instantly. So let’s dive in a bit more in this technology called Kubernetes.

A Kubernetes cluster consists of a bunch of computers connected through a standard TCP/IP network. The computers are divided in 2 roles. Masters and Workers. And these are actually official terms, not some kind of jargon – “Kubernetes Master” is pretty googlable. We somehow programmed class division at the root of that system as well. Oh, and there are no elections (like e.g Elasticsearch clusters) – Workers will stay workers until they fail out of existence.

So deriving from the names the following is not really clear: “Workers” or “Worker nodes”, well, “work“, but what do Masters do? They don’t rip the “surplus value” as this would make Kubernetes a system analyzed through Marxism and close the case, but they “work” too. Yet, what they do is not general “workload”. The “scheduler” runs in the Master nodes. The Masters order the Workers. We are at least consistent on how we design co-existence for people or computers, aren’t we?

Finally, we, the Kubernetes Users – or should I say stakeholders – only talk with Master nodes. This scheme looks a lot like the 1900 movie where the Padrone (Robert De Niro) has his selected overseer (Donald Sutherland) (who is also initiating fascism in the movie and also kills a cat – what’s worse?) to order and keep in-check the villagers working on his fields (Gérard Depardieu’s family). The reason I do this uncalled-for parallel, is not to pitch a ~50 year old movie. Is to prove the point that this scheme is familiar over 1900 (the movie and the real century), has led to some bad stuff (with Wars of various temperatures and revolutions), and looks very similar with what happens in our cloud computers every day.

The good part is that computers don’t really get depressed. They -at most- fail and get decommissioned, but they don’t get abused by the capital in a way that gets into their psychology. So there’s no sense of Hegel’s dialectic duo here: a slave that gets minified by the master just enough to keep existing only to re-assure the master’s role. Masters and Workers in Kubernetes do not have such issues. They do not indulge in any class struggle, they co-exist without any existential angst – but peacefully. So what is the point of all that?

Back to the Big Picture

What happened here is that some people started creating a Container Orchestrator. When they faced the who-runs-what-depending-on-what they took the old trusted path: one orders – rest obey. If the ordering entity has enough info (metrics delivered by the kubelet of Workers) the system will run smoothly. And it did and it is called Kubernetes and conquered the clouds.

The problem with this design is not any lack of efficiency. It is lack of imagination. And given that we indeed create stuff “in image and in likeness“, this design might have something to say for us, humans, and our society. The fact that when we face a leadership problem we fall back to that “old trusted path” – dictatorship, might indeed mean that our inner deep-rooted values are reflected. And it works both ways. Seeing such designs as so familiar (Kubernetes has dominated the cloud – it is everywhere), can deprive our imagination from other, more creative and less master/slave (for god’s sake) designs.

Finally, if we want to eventually see a more equal society, we have to design stuff towards it. So we don’t see inequalities and divisions whenever we rest our eyes on our creations. And our mind will eventually flip the switch. And out society might (just might) follow.

Disclaimer

I have worked a lot with Kubernetes while wearing my SecDevOps hat. I have done all kinds of stuff with it. Worked on Cloud SIEM designs, open-sourced some, created tools for it, and even tried it out as a game engine. This is to ensure you that I am not into a tech savvy rant for some trying-to-be-original issue. I am not canceling a technology, and I am not gonna suggest Nomad as a “Communist Alternative“.

This is (as always) a tongue-in-cheek approach of how we recycle ideas in sectors that seem pretty much irrelevant (IT), preventing us from thinking out-of-the-box, repeating ourselves, our surroundings and the collective unconscious on original fields, maybe tainting them and depriving them from the possibility of developing something new and unseen. Depriving them from the possibility to inspire us back.

Thoughts on an “Obsessive Simulation of a Critical Procedure”

· 2 Comments ·

The Email

Some days ago I got a very weird email:

OSCP mail

I felt like something was very wrong. What with the “Professional” word in there (“Offensive Security Certified Professional“)? I don’t feel that professional. Specifically, this XKCD is so much expressing me:

lease

 

A professional?

So, as I’m not feeling that professional, this organization must be wrong to call me one. Yet, I actually pwned the machines required to “pass”, and be considered one. So, what am I?

Am I an OSCΗ (Offensive Security Certified Hobbyist)?

Being an OSCP means that you can do an Internal Penetration Test, and deliver some report. While the report requirements are too low (IMHO), the market is full of bad actual Penetration Test reports anyway, so it’s only fair. Yet, does this make you a Professional?

It (at least) makes you *Professional* on Capture The Flag

The infamous OSCP Lab and the Exam itself are basically CTFs. Nothing more. So, you don’t need to be a professional to play CTFs. I know 16-year-olds that play CTFs. And they think about batman half of the day. They could skill-wise earn an OSCP most probably.

But, then, skill is not the only thing needed to earn an OSCP. Far from it…

 

The ingredients of the OSCP recipe

The Exam

Well, to know computers is the easy part of the OSCP. In case you don’t know the well known process of OSCP exam, it goes as follows (as of 5/19):

  • You have 24 hours
  • You are presented with 5 hosts (Windows or Linux)
    • 25 point host – considered quite difficult
    • 25 point host with BoF – considered a gift from OffSec
    • 2 x 20 point boxes – difficult enough but doable
    • 1 x 10 point box – single remote exploit to root
  • You have to get root or Administrator/SYSTEM to 4 out of 5 boxes – 75/100 points to pass
  • The process is proctored
    • You are being watched and recorded for the whole 24-hour thing
    • Your screen is also watched and recorded
    • You have to write on a chat and get permission to take a break, even for a minute.
  • Metasploit and meterpreter can be used (successfully or not) only to one box.
  • When you finish, you get 24 more non-proctored hours to write a report and send it over to OffSec, with very specific/intimidating rules for packaging it.
  • If you have a report from 10 machines of the Lab and **all** the PDF exercises, you can submit them for 5 more points.

So, which part of this is something that makes you a Professional?

 

Mentality

For me, what made the whole exam a bearable experience that didn’t result in a mental breakdown, was handling it Professionally altogether. And by that, I mean bringing it to its logical proportions, evaluating what the exam actually means for me, my skills and my life in general.

Being a Professional on Penetration Testing some years now (without being OSCP), I’ve learned that there is a possibility that I won’t “hack” my way in some company. It happens. To even the best, and I don’t claim to be one of them. So there is some fat chance that I won’t get the enlightenment needed to get the Privilege Escalation for the 25 point box. Or find the exploit for the 10 point box (which was actually the case for me). And this is not a moment. This can be a 6-hour state of not finding this Privilege Escalation, that keeps you under the 75 passing points.

The ones that can patiently accept their not enlightened selves for 6 hours, falling back these 75 precious points, while calmly and constantly trying their best to earn them – these are Professionals.

 

Flawed Psychology Fucks People (FP2)

Given the situation of someone having 70 points (just under the passing line) for 6 hours (with the exam finishing in 2 hours) many bad things can cross one’s mind. It vastly depends on the background, but for me, problematic parenting (that happened long ago anyway), combined with bad school environment, some moderate impostor syndrome, a huge expectation from everyone I know that it’s a piece of cake for me (hence pressure), gave me plenty of triggers for bad thoughts.

Some of them:

  • I’m not enough / I’m not made for this (classic impostor syndrome verse)
  • If I had done the PDF exercises and Lab Report I could have the 5 points that I now miss (pointless regret)
  • “You can’t do it, it’s very difficult” (typical bad-fatherish voice)
  • I’m gonna fail and all my friends will realize that I’m not that good at hacking.
  • I had to study Windows/Linux Privilege Escalation more. It’s my fault. (another pointless regret).
  • If I fail this then I’m not a good hacker. And I haven’t invested to anything as much as hacking.

Continuing to look for the correct Privilege Escalation vector, while these thoughts knock your head’s door is not a simple task. It is not only about not opening to them. It is about minimizing them out of existence. About fortifying and allowing yourself to care only as much as needed and no more. Plus, all these thoughts count towards your thinking capacity, and you need all of it anyway.

What with the non-stop 24 hours?

There is no direction. It is 24 hours and a .ovpn file. Everything is up to you. You can sleep, eat, go out for beers, go pee every five minutes or get on an LSD trip. If somewhere in there you manage to get 4/5 root flags, and the next day you report it slightly better than a young monkey, you are an OSCP. That’s it. That’s the deal.

So it tests the maturity of your time managing skills. Do you get into rabbit-holes a lot? Do you stay in rabbit-holes out of stubborness of investing time to them? Do you have the tendency to procrastinate when you are looking up something on Github? Do you maybe check your phone every X minutes (X < 10)? These things are gonna cost. They cost in life anyway, but this 24-hour exam they are gonna cost X100.

 

“Try Harder”

Handling all the above while pwning 4/5 boxes in 24 hours is not easy. This is what makes you a Professional. This is OSCP.

The Trying Harder, the classic quote of OffSec is not about the boxes. Is about fixing the flaws that plague oneself, to refine the person as a whole. The challenge could very well be anything else. Yet, it’s not out of coincidence that the subject of a test that goes so deep into one’s psychology is an IT Security one. It has been well proven that IT Security and Human Psychology are well connected. I found somewhere a blog just about that. I think it was called securo-something

The Hassle Exploit

· Leave a comment ·

The catching up (troubles of my mere existence)

It’s been a long time again. I can say from the WordPress Editor UI, that has had some changes (it’s totally not recognizable). Things have changed in many ways, but I’m still Penetration Testing for food (and accommodation sometimes). I also bought a wok (that’s totally irrelevant).

As I said, I’m still Penetration Testing. Mostly big companies. I try to secure their money and assets, so people that want them won’t get them. I arguably am like Peter Pan’s villain – I’m securing rich people’s stuff, so poor people won’t get them without paying, having sex with them (that’s not the majority of my projects) or allowing a permission in their Android phones

So, I have this controversial job, most of the time, probably the same with my readers (at least during the day). We could be considered “Captain Hooks” of some sort. I’ll let my psychologist know about my identity crisis. Or my mom.

The subject looks like it needs a post of its own, so moving on…

The Warmup

So yeah, I pentest a lot, it’s a job and I am pleased doing it. The thing that gives me the  most chills is Red Teaming.

Oh boy, Red Teaming is the real thing. Attack simulation and such, from physically opening a door, to phishing and vishing, to NTLM relaying, to DAing a Domain (or a bunch o’ them), to displaying dickpics in all ATMs of the country before dispensing money. I mostly skip the last part (or flash them for a brief second – like Tyler Durden’s appearances).

But my favorite part is phishing. I love people, in a philosophical sense. I love them with their defects (as a race), with their ambitions and fears. That’s what made me come up to here (not sure if it’s considered “up” anyway), and that’s what motivates me in life. Looking for ways to fool them really got me from the beginning. I’m one of them (us?) myself, and that helps a lot, too.

 

The Real Topic of the Post

By now, I’m not sure what I really am gonna write below. I was planning to introduce you to the Wormnest tool. Something I made to serve payloads with style, but that’s gonna be technical (you know HTTP headers, Python Development, Reverse Proxies and TLS certs), so I’m leaving it for some other time. *Fixing the title*. So, let’s continue with our next guest:

 

Hassle in Social Engineering

Most social engineering projects start with setting up a Mail Server. And setting up a Mail Server is a hassle. I don’t like hassles. Fuck hassles (Taxes are a hassle – Fuck taxes). Plus, when you set everything up (it’s not that difficult, it’s just a hassle), you will still be Greylisted anyways in most cases, that shows how badly designed the Mailing Protocol is (for 2018), etc-etc.

Setting up a phone number is not that bad anyway. You just buy it, or get your company to buy it. And background checking a telephone number is so much more hassle than checking an SMTP server… It is 1000 times more difficult to get a mobile phone number blacklisted than an SMTP server. And re-deployment is as easy as “buy another number”. And the cost is less.

Actually, its all about avoiding hassle. And in a totally different meaning. The “hassle” is an exploit to Human Psychology. And it’s obvious when you think of it.

Hassling as an Exploit

Well, you know how your country’s law enforcement system works. Right? Exactly, you have no clue. What about the tax system? Yep, thought so. And, of course you know the Terms and Conditions of Gmail. I mean you are using it all the time. Well, that’s a “No“, right. Then you have been exploited (like most of us).

Hassle is a bad thing. Creates bad feelings in a lingering way. The feelings create an experience, and the experience breaks into our behavior (from time to time).

We all avoid hassle, as this experience has formed our behavior into avoiding it. So, the exploit lies into putting hassle in things that you want people to avoid. That’s an old one. But a golden one.

The Bible’s “Have faith and doubt not” is just the payload (do you remember the color notation it’s gonna come in handy here). The exploit for that is hassle.

Hassling vs Troubling

Well, hassle and trouble are very different. SO VERY DIFFERENT. And the difference lies in the below example:

Example to show the difference between hassle and trouble:

There are 2 countries, with the following rules for murder with intention:

Country 1: A Murderer will go to jail for 15 years.

Country 2: A Murderer will have to sign a form based on Law 2142/2014, and then provide it to local authorities. After that, he/she is going to receive the form based on Law 3354/2011 by postal service, complete and sign it, along with 3 of his/hers victim’s blood family members and provide this form to the ministry of Law Enforcement. After receiving Law Enforcement final report on the case, and providing it to local authorities, he/she is free of charges.
Ones that not comply will go to jail for 20 years.

In the second country, add the fact that the Ministry of Law Enforcement is open only 10:00 to 13:00 all weekdays except Mondays, and that the one accountant that handles such cases is on vacation in Bahamas for an indefinite period of time.

I don’t know about you but I’d prefer to live in Country 1. Not because I like jailing laws, but because it is clear that if you perform murder, to stay free, you have to escape. Not complete written forms, that none informs you were to find (and it’s probably fruitless to ask the Murder Community here…), and wait in queues.

In the bottom line: in the first country if you are a murderer you are in trouble. In the second country you are in hassle.

Defying the Laws of Tradition

Fighting against trouble, is always easier than fighting against hassle. The second one takes more courage in the long run. There is no real enemy in there, so you have nothing clear to fear, yet you feel disappointed, as the things you are trying to achieve never really get fulfilled. Yet, nothing virtually is there to prevent you. Hence, it’s easier to surrender when putting a fight against hassle, with the illusion that you could achieve the goal given more time/patience/etc.

The only won fight against hassle, that I’m aware of, is in Margaritaville (a South Park episode).

Hassle in Phishing

This exploit doesn’t need any serious setup (nowhere near a valid SMTP server). It is easy to pull off. You just have to introduce someone into a hassle-inducing situation. And then carefully place your payload in a shortcut/gateway you provide. It’s as simple as that. Most installers do it that way:

 

  • Customize before installation (for advanced users)
    (Too much hassle, to find the correct settings)
  • Express Install (hassle free!)
    (Installs Google Chrome and other rootkits along with the main software)

So, a Mail Social Engineering Scenario could be the following:

From: Outlook Security <outlook@example.com>
To: Victimious John <victim@example.com>

Outlook Security Notice – 12/10/2018

It is identified by Microsoft Windows Defender that your host is running a PUP, posing danger in the host’s network. It is highly recommended to inform your IT Administrator, showing this email and the mail threads received by that host the last 7 days.

To fix the issue yourself, please download the remediation patch available by Microsoft at https://microsoft-malware/KB-19660 ¹.

Thank You
The Outlook Security Team

[1]: Create URLs like this automatically using Wormnest (shameless plug)!

Breakdown of the victim’s psychological aspect

Outlook Security Notice – 12/10/2018

It has a date, and no “Dear X,” it must be formal and serious.

It is identified by Microsoft Windows Defender that your host is running a PUP, posing danger in the host’s network.

Defender is an Antivirus, it probably knows more about my computer than me (spoiler alert: it does). I don’t know what a PUP is, but googling it is too much of a hassle.

It is highly recommended to inform your IT Administrator,

This creep that sweats and swears in every situation that includes computers? Oh, well…

showing this email and the mail threads received by that host the last 7 days

He’s gonna get mad at me when he sees that I use the corporate email in buying shaving stuff in shop.workingmother.com with discount (well, I googled “working mother shop” and it existed).

To fix the issue yourself,

Yeeeeees?

please download the remediation patch available by Microsoft at https://microsoft-malware/KB-19660

I’m so eager to eat whatever this link brings in my computer

Thank You
The Outlook Security Team

I thank you “Outlook Security Team“, have a nice day!

Bonus points:

Actually mentioning the IT Administrator gets points in the non-phishing direction…

 

Hassle in Vishing (The something-wrong-with-your-mail Scenario)

– Hello is that John Victimious

– Yes, it’s me. Who is calling?

– My name is John Smith (who else?). I’m calling on behalf of your corporate mail provider.

– Google?

– Yes, Google Corporation <Receivers Country name here>.

– Oh, is there something wrong?

– Well, not exactly. Can you please login to a page and give me what you see?

– I’m a bit busy now, can I sent you an email when I manage?

– You can’t send me an email, you have to call at <phone number>, ask for email verification support, wait 8-9 minutes as it is the mean waiting time, then describe the situation and wait for someone to handle the case. Plus, it has to be done today, because it’s probable that you’ll have trouble logging into your email tomorrow.

– Oh, never mind. What is the website?

– It is google.yolose.com. Y, O, L, O, S, E.

– Ok, I’m in. Do I just login here and tell you what I get?

– Exactly!

– OK, gimme a sec. *types the creds* hmm… Yes. I see a green tick, saying that “The account has been verified against <TargetCompany>

– Great! You’re set! Thank you for your time!

See? Just introducing some hassle will bend most defenses. Plus…

Hassle is a recognized attribute of dealing with Authorities

One of the reasons we really get overwhelmed with hassle situations, is because we have met hassle in the past and had a negative experience, as said before. But, hassle in our lives has been introduced in a quite specific way. And that’s when Dealing with Authorities. The paperwork in most countries is so staggering that creates hassle for even the simplest of tasks.

That’s another good reason to use hassle in your Social Engineering. You give the impression of authority, even without being yourself aware of that!

 

Final Thoughts

Really Generic/Philosophical…

It’s not humanity that sucks, it’s its systems. It became (humanity) so big, so fast, that people didn’t have the time to develop really sane ways of co-existing (in groups of more than 150 in the same community e.g: cities). That’s where ideology and common ideas come into play, to unite the 150+ people that are forced to live so close together.

But, as all projects with tight deadlines, communities are full of bugs. And some become security vulnerabilities. And people end up being massively exploited as they carry their common (vulnerable) traits.

The Hassle Vulnerability is not a new one. It is being exploited by lawyers and tax makers for years now. But to patch it, a new community needs to be build. A community that won’t be so obviously based on it

 

Between an Incident Response and a Break-up

· 1 Comment ·

Long time again… Sometimes I feel like I am gathering inspiration for too long, and it starts defusing after a while.

There is a perfect timing – a sweet spot – for writing a poem or a python package. If you miss it  that’s it, you missed it… You need to gather your inspiration all over again…

It’s been almost a year since my first post (Dating as a form of Penetration Testing). It is time for a break-up parallelization. Here we go!

 

Incident Response as a form of a Break-up

The Setup

Sometimes bad things happen. Those bad things vary in type, but a security incident in a company can be a very bad thing. A Bad like Jesse James thing. A company can lose thousands of $ or because of a spear-phishing campaign, or a compromised account on the database server.

A break-up, in the other hand is a more straightforward thing. You gotta get separated from someone or something beloved (I won’t forget the moment I gave up my ThinkPad, for my corporal machine).

For a guy the beloved thing is his girlfriend (or even his boyfriend), for a sys admin it’s the rootkit‘d File Server (he spend days and mojo building).

And you gotta get separated for sure… The Relationship/Server is no good anymore. It actually does more harm than good

Going Deeper

Technically speaking, there are several phases, both on an incident response, and on a break-up. And if you think of it hard enough, they seem to be the same phases…

SANS documents the Incident Response Phases in the GCIH cert material as follows:

  • Identification
  • Containment
  • Eradication (Cleaning Up)
  • Recovery
  • Lessons Learned

Hell, doesn’t this sound awfully familiar already?

So, let’s shine! Our star tonight: the Separated & Hacked SysAdmin

 

Identification

I don’t actually feel the same way I used to with her. I feel nothing when I touch her… I don’t care if I will be seeing her tonight or not

# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 19356 648 ? Ss May20 0:02 /sbin/init
root 2 0.0 0.0 0 0 ? S May20 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S May20 0:03 [migration/0]
[...]
root 4108 0.0 0.0 11716 548 ? S May20 0:02 /usr/sbin/.httpd
apache 37008 0.0 0.0 213148 11328 ? S May21 0:04 /usr/sbin/httpd

It is this time! The shivers you get. The mindblow. The spine that tingles a bit. The urge to cry… The realization that you have no tears…

It happened on Monday. It had to be about 19:something. Stayed at work late and had to come at her place for the night. The moment he was typing the ps command (for no reason, like every Linux guy who is bored in front of the #), he was thinking of his girlfriend…

Stayed late just to have some time alone. Didn’t have work to do. Didn’t need to be at work at all. But, for some reason he couldn’t get his head around the forthcoming sleepover. It ‘d be the same thing again. The same meal, the same sex, the same “Calvin and Hobbes” comic in the WC… He wouldn’t do it.

Then he grasped the ps output. Couldn’t actually believe what he was staring at. At first he was like “Hey, my httpd ain’t running as root. I fixed the config two days ago“. And then he went: “what the fuck is this bro?” (he loves P.C. Principle from South Park).

After the shock he had two phone calls to make. More like three. The first one was to his girlfriend. Talked about the incident. He couldn’t come over… He was somewhat hopeful for this. Somewhat… Sometimes digital forensics are better than sex. But that night… That night anything was better than sex!

And then he called the Incident Response team, and his best friends. Ordered pizza from the office to his home (that makes it four phone calls). Arranged a meeting for tomorrow morning with the Incident Response guys and headed for home were his friends were also heading after the Bromance Alarm.

He had to figure out both issues the following day. How comes he can’t see her face in his mind?. How this rogue process was planted? He had to get his shit together…

 

Containment

SANS got me on this again! SANS explains the Containment Phase as “to stop the bleeding“. SANS guys must be really experienced with break-ups apart from sleuthkit.

So, the sys-admin guy broke-up the next morning. He was the smart type of guy – he didn’t depress his feelings. He felt like so and he broke-up!

Ironically, he did so over the phone, while the Incident Response guys were unplugging the Ethernet from his server (after gathering live memory dumps of course)…

The containment phase began the same evening. He gathered the gang again and went to a Pub. Got almost wasted with just beers and nachos. Then he introduced himself to a stranger, while his friends were constantly provoking him, like high-schoolers (do we –men– actually ever escape the high-school age?). Told everything to her, while constantly burping like Rick from Rick and Morty.

He knew nothing about what was going to happen next… He knew nothing about the Nightingale Syndrome that the woman was under. To make a long story short, after almost crying on her arms, they got pre-laid in the Pub’s WC and completely laid in her place…

She became his “rebound girl” for a while. He slept over in her house for almost a week. He went home to pick up things like toothbrush and clothes. Too many memories in there… It was time for…

 

Eradication

The Friday Night was a bummer. All day Friday in work he was trying to remove the malware from the compromised server. There were also, crontabs, services, even a kernel mod was found by the forensics team…

He kept removing shit and more shit kept spawning. Rogue binaries in /root/bin/ and bogus entries in lsmod output… All day Friday he was removing malware…

Then he got home. A Friday evening. His friends were all busy and he kind of missed his ex.

What follows is often seen in movies and teenager video-clips. He got his zippo and went to the bathroom with all the pictures he had from the previous holidays they did together. He set them on fire on the bathtub. Later he brought presents and all romance-shit card-postals and letters from the Erasmus era. Her old sunglasses, her toothbrush, 3 pairs of socks… He kept burning stuff all night and more kept spawning…

 

Recovery

He took days burning stuff and drinking Mountain Dew or Dr. Pepper. He also made a new friend – the pizzaboy. Gained some weight, stopped going out, lost the NBA finals. He was a mess for some time…

 

Then, suddenly one morning, he woke up motivated! Went for a walk before work by himself. Had some push-ups before putting his jeans on. It was time to finally recover…

Went to work and rebuilt the whole server. LDAP authentication, public key only authentication on SSH, remote sys-logging, etc.

Then he got home. Cooked a meal for himself, after a long time. Brewed some coffee. Checked out Hacker News from his Android, like he used to, even before he met his ex.

Later that day, he went to the Pub, alone. Got some beer and sat by the window, alone. Nothing happened. None talked to him and he talked to no one. He did some thinking, all by himself.

Before going to bed, ’round midnight, he remembered he loved Kerouac and Burroughs. Their books were on the shelf collecting dust for too long. It had been years since he last read his favorite books. Goddammit, what had happened to him…

Fell asleep while reading the Junky, feeling nostalgic. It was the first day for the rest of his life…

 

Lessons Learned

He went to work earlier that morning. Determined. Whatever fucked that server up wouldn’t happen again. At least wouldn’t without him noticing

Utilized syslog everywhere. Everywhere! Even to the coffee machine. Spent countless hours setting up Kibana, added a Suricata to the firewall appliance and FINALLY created VLANs!

The thing went personal. This was not just his company’s network, it was his personal fortress

 

He stayed up late at work, and when he got home, he got a beer and did some more thinking. Why did he abandon everything while being with his ex-girlfriend? Why did he give up all the music he used to like? His favorite books? His friends? His role as linux-guru sys-admin?

Felt a bit desperate on why he left everything for her. Couldn’t understand why he lost the best bits of himself just by being with her… He wouldn’t do that again.

The thing went personal. He was not just a body and soul looking forward to mate again, he was his personal fortress

 

 

 

Highly inspired by “\”How To Break Up\” Tales Of Mere Existence” and my life.

Thanks for reading my 12th article.