Every security professional knows that it’s impossible to secure a system the full 100%. But we try. We use anti-virus, anti-exploit programs like EMET, anti-malware programs like Malwarebytes. Or perhaps even anti-keyboard logging applications like Zemana’s AntiLogger and a password manager like LastPass.
But do those really help?
Programs like EMET, Cylance and other anti-exploit tools work by monitoring how a process is used and if that use is acceptable. They monitor your PDF reader or browser for example and when they see code functions executed in an unexpected manner that could indicate some kind of hack or exploit; they terminate the program.
The main advantage of these tools is that they, unlike most anti-virus and anti-malware applications do not rely on signatures to work. The downside is, that if the bad stuff happens outside of the application that gets protected; it’s useless.
These tools usually work by a combination of signature matching and some light forms of the anti-exploit tooling. But we like our systems fast so they can’t bog us down too much. This means there are very possible ways of evading anti-virus solutions. The moment your bad application does not match a signature; chances are very high the anti-virus or malware tool will not find the bad piece of software.
anti keylog applications
This tool does not stop an attacker. It has one simple purpose, and that is to prevent bad software that logs keystrokes to either not be able to intercept this data, or make sure that the data is illegible.
The obvious downside is that some applications might depend on not 100% API specified usage of the keyboard buffer, and those also won’t work.
Big extra advantage of the password manager is that keyloggers usually don’t work. Other than the obvious advantage of being able to use huge long complex passwords that is. But..a lot of password managers use the clipboard for this; which also can be logged.
How easy can you get around this?
Sadly, very easy if you can get the user to execute a program you send them. On a fully patched Windows 8.1 system loaded up with anti-virus, EMET and AntiLogger; all it took was Metasploit’s Meterpreter and Shellter.
Shellter gets around the anti-virus, rather reliably. EMET is useless in this case, because we drop an infected binary and get a user to execute it.
The only thing that worked reliably ended up being the anti-keylogging tool.
Show me the money
We need a binary to send to someone. The binary needs to be 32bit but that’s no problem; in this case I send my fictional buddy (everyone knows I have no friends) Putty, a well known windows terminal program used to connect to Linux servers over SSH.
I download putty and Shellter. After unpacking Shellter on my Kali machine; I run it and use the default settings to backdoor putty.exe with Meterpreters reverse_tcp payload:
Once done, I email my buddy the putty.exe (as a .zip). And start up my Meterpreter’s multi/handler:
Now I wait, and wait. Until my buddy runs the putty.exe on his fully “secured” system. Until:
Thanks buddy! (he does complain that the application didn’t start by the way.)
Curious to see what I privileges I have I do getprivs:
What the hell? Does that guy run as admin or something? Not that I mind though if he did ;) so, lets try the magical “getsystem”:
Yeah, you got that right, I managed to evade anti-virus, anti exploit tools, all in a matter of minutes and the fact that my buddy was willing to run a program I send him. Not only that, because he runs as administrator, I could even get full system user. And you know why?
That imaginary idiot runs programs I send him. Big BIG mistake;
Anti-virus is trivial to evade, as demonstrated;
Anti exploit tools don’t help you here; it’s not an exploit, but just a program he runs;
The idiot ran it as administrator /doublefacepalm.
Now though, what about the key-logger tool? Innocently I walk over to my buddies imaginary desk, and ask him if he can log into our support portal, a web-application, to look at a ticket I have questions about.
I see him type the URL, enter his user name and password, and log in. After we are done I go back and dump the credentials that Meterpreter should log for me:
Well darn! I guess AntiLogger does work!
Not to be foiled, I figure that perhaps the clipboard monitoring tool made by my friend OJ aka 0-day Reeves, aka TheColonial made a while ago (more info: http://buffered.io/posts/3-months-of-meterpreter/)
Invoking the extra badassery he made, I start the clipboard monitor:
After a while I do a clipboard_dump to see if anything interesting is there:
Well, not very. But at least it works. Now what about the password manager my somewhat fictional buddy uses? Will those credentials be captured after all?
And..nothing. Seems that this rather obscure password manager uses browser plug-ins and does not use the clipboard to transfer data. How disappointing (from an attackers point of view).
How about a more popular password manager tool like LastPass though? How does that fare work:
Well I’ll be darned; nothing. So because this also uses a browser plug-in; the clipboard isn’t used and this too is a great way to protect your passwords. Obviously when you copy it from the password manager to be used outside of a browser, the clipboard is used. It’s not a complete fix.
It’s easy to evade anti-virus and anti-malware tools using tools like Metasploit, Meterpreter and Shellter. And unless you try actually execute evil code by abusing an exploit, anti-exploit tools like EMET will be rather useless too.
What did work, though it did not prevent the takeover of the system, were a solid password manager that uses a browser plugin and Zemana’s AntiLogger.
What would have helped? If my fictional buddy wouldn’t have executed the program I had send him, what a trusting dumb-ass. And shows that you can’t trust anyone, and you should never, ever run programs unless you absolutely trust the source that send them.
That concludes today’s frightening lesson.