Aids and techniques demonstrated at this year’s arsenal track
Tools to enable the work of security researchers, pen testers, and bug bounty hunters were demonstrated at this year’s Black Hat Europe conference, held at London’s Excel Centre this week.
The annual security conference saw hackers from across the world gather to share research and other insights.
One of the conference’s regular features is the arsenal track, where attendees can witness live demos of various hacking tools.
Node Security Shield
One of the tools showcased this year, Node Security Shield, “provides zero-day protection for NodeJS applications”, Lavakumar Kuppan of Domdog Security, which created the tool, told The Daily Swig.
“It is a defensive tool designed to be used by developers as well as security engineers,” they said.
“Existing defensive systems like WAF [web application firewall], RASP [runtime application self-protection], or any of the supply-chain attack protection systems all take a similar approach. They look for known bad patterns. This approach is fine for blocking well known attacks, but it is ineffective against zero-days.
“Node Security Shield takes the opposite approach. Application owners typically know and can define the expected behavior of their application. Node Security Shield ensures that only the defined good behavior is allowed, and any deviations are either blocked or trigger an alert.”
“This enables us to block or provide exploitation mitigation against zero-day attacks. Also this approach is extremely fast compared to the other systems that have to compare every incoming request against an ever increasing list of attack patterns.
“With systems like WAF and RASP there is a risk of legitimate functionality being affected because it is unclear what those products will block and allow. That risk is significantly less with this approach since the application owners have a very clear understanding of what this tool will allow and what it will block.”
The tool was inspired by the Log4Shell vulnerability, a zero-day vulnerability in Log4j, a popular Java logging framework, which could lead to arbitrary code execution. Many application that relied on Log4j became vulnerable as a result of the problem.
“The fact that an application can just randomly make a network connection to a server that the developer’s never intended it to, bothered us a lot.
“So [we] set out to build a system where the application owners can define who their application can talk to and enforce it, thereby blocking the exploitation of zero-days like Log4Shell.”
The tool was developed as an internal project at Domdog Security to protect their own NodeJS applications, however the team said they are “aware of at least two other companies that are experimenting with it now”.
Kuppan added: “We are looking to add the ability to control file system access in the next release. Most user feedback has pointed towards wanting the ability to update the Resource Access Policy dynamically without requiring app restart. So that is also in the roadmap.”
“Using this static code detection approach has [meant it has] better performance compared to techniques that require rendering of the page.
Katz added: “We have future thoughts on adding more capabilities for more coverage on obfuscation tools, using collecting features for training of machine learning modules that will enable classification of malicious versus benign code.”
A third tool, Invoke-DNSteal, allows users to perform file transfers using the DNS protocol as a covert communications channel, its creator Joel Gamez told The Daily Swig.
Although it has been designed primarily for pen testers, bug bounty hunters could also use it in “very restricted environments, in order to exfiltrate information from a compromised computer”, Gamez noted.
“Unlike other DNS data exfiltration tools, Invoke-DNSteal stands out for two main features:
The first, is that it does not use any type of library nor does it depend on third parties to work.
“For the server side, it only uses Python and sockets, so any device (however limited) that can run Python can run the server.
“For the victim (or client, if you prefer) side, native PowerShell queries will be used to send information via DNS, thus bypassing many anti-virus and EDR solutions.”
Also unlike other tools, says Gamez, Invoke-DNSteal focuses on the resolver and not the DNS domain.
“All DNS exfiltration tools need a domain to send information to. To do so, they will need to resolve that request using any DNS resolver.
“In the case of Invoke-DNSteal, we focus on using a resolver (or a list of them) controlled by the attacker, which will resolve any domain, even if it does not exist.
“In this way, it is possible to send information to random domains that do not exist, thus circumventing most DNS anti-spoofing solutions on the market.”
Users are also able to control the size and sending time of the payloads, which will also help them to evade protections.
“I decided to create this tool because I did not find any that solved this problem, or that used this technique of using random domains that do not exist to perform these bypasses,” Gamez said.
“In the next versions we will add a sequence control (remember that UDP [User Datagram Protocol] does not exist by default), payload encryption by default, a client for Linux and some improvements in payload compression, among many other things.”