[Dailydave] Better, more FLAME-like, penetration testing

Dave Aitel dave at immunityinc.com
Fri Sep 27 15:03:18 EDT 2013


> Awesome, sounds like http://www.youtube.com/watch?v=F3hi5nsy1lE , just not as great on payload protection. 
>
>
> Daniel Uriah Clemens

I knew Wes pretty well, back from when he worked with Justine at ISS.
And of course, keep in mind he named his Mosquito project MOSREF, as a
bit of a play on the CANVAS remote compiler core, MOSDEF. Frankly,
there's only a slight difference between injecting LISP and injecting
Python at that layer.

But the design of INNUENDO is a lot more than "put a dynamic language in
memory" - it's about building an entire stack aimed at covert
communications and behavior. MOSDEF and CORE and Meterpreter and
Mosquito and all manner of things are essentially connection bound. You
can see them as a tree, spawning downwards from patient zero. Even when
they are going over UDP, they are doing so with a persistent connection.
This model is even built into their nomenclature and DB schemas. And
it's wrong.

But compare that to the C&C structure for FLAME (and I can't link to
this enough because it should be required daily reading for everyone in
this business):
http://labs.bitdefender.com/2012/06/flame-the-story-of-leaked-data-carried-by-human-vector/

That is the operational plan INNUENDO models. Even for the most basic
things: moving a big file from point A to point B. INNUENDO has a
built-in resilient bit-torrent-like protocol. If the implant can't connect
for a few days, and then gets back online, it'll auto-resume, while at the
same time handling whatever other requests have come in for it.

Admittedly, I think the Python part of it is important. There's
something about being able to adjust your operational plans faster than
incident response teams, while using the same toolkit. But INNUENDO is
not just "can package Python into Lsass" any more than Flame is about
how to build a web proxy in Lua.

-dave
