In a comment on another thread, Serioso had asked my opinion of a NYT article about how some NSA tools had been reverse engineered and then deployed against others by the “Bad Guys”. My general response was that it was old news from 2016 and that I got my new news from things like Black Hat Conferences.
Thinking about that, many folks may not realize that us White Hats would actually attend a real thing named Black Hat…
So here’s a 1 hour video on the “New Ultimate Hacking Toolkit” just presented at Black Hat Asia in March, 26-29, of 2019. Her accent is a bit hard to follow some times, for me, but my ears have trouble anyway so YMMV ;-) And yes, there are lots of Lady Hackers too ;-)
Note that in the first 3 or 4 minutes she is giving background, including talking about the common practice of reverse engineering things. Then, at about 15 minutes, she presents a tool that is very useful for “lateral” movement. This is what I alluded to when responding to Larry L. about the movement of all US Government computing resources to an AWS contract (and my hypothetical exploit target would be an irrelevant person at an uninteresting agency where attention to security was low). The next step after that is privilege escalation and then lateral movement. You cycle on those two processes until you have very high privilege on a very interesting system. This presentation gives examples of the kind of tool kit used for that cycle.
Also note that in the introduction she mentions that the full toolkit will be released to the public 5 minutes before her talk ends. And that this is common practice. So why publish such a strong “weapon”? Because that is how you pentest your systems, find the vulnerabilities, and close them. We, the White Hats, must know (and use) what tools the Black Hats may already have so that we can find and close the exploits.
Now, as soon as those tools were released “into the wild”, all sorts of Systems Admins all over the planet started running them in their shops, finding and closing exposures, and generally locking things down. Even the folks not at Black Hat. “We all share”… So someone AT Black Hat finds something important, they fire off a text message to their guy back in the shop to “look at this” and he sends it to his friend at the next company over who sends it to… And very rapidly, we’re talking hours, a huge number of security exposures slam shut. That’s why.
That is also why “news” from 2016 isn’t really news. That all broke loose and was delt with then, because in computer security “time is of the essence”.
One side note on “hashes”. In cryptography, various kinds of attacks are based on getting partial knowledge of the process and keys. So if you have “some of the magic sauce” it is much easier to break the rest. In W.W.II, the tendency for German Soldiers to end the messages with a “Heil Hitler” was exploited to break Enigma as that gave a large body of what was likely the same source text, in the crypt text samples. A “hash” is a number used to “hash up” the source data into a more difficult to decrypt cypher. Knowing the hash number takes out part of the defenses and makes the rest of the attack easier. So that’s why she spends time discussing tools to find and extract “hash” entries from various places.
So here’s an example of “Real Security News” from now. If it doesn’t scare the pants of any Microsoft system user, they were not paying attention:
Perhaps this is part of why Microsoft, in Windows 10, has provided a Linux Kernel on the side…
https://www.howtogeek.com/413564/windows-10-is-getting-a-built-in-linux-kernel/
Might they be slowly inching toward a “someday” replacement of their own kernel? Not yet though:
Microsoft today announced Windows Subsystem for Linux version 2—that’s WSL 2. It will feature “dramatic file system performance increases” and support for Docker. To make all this possible, Windows 10 will have a Linux kernel.
No, Microsoft isn’t making Windows 10 into a Linux distribution. It will still be based on the Windows kernel. But Microsoft “will be shipping a real Linux kernel with Windows that will make full system call compatibility possible.” The kernel will be compiled by Microsoft based on the latest stable branch of the kernel.org source code. It will initially be based on version 4.19 of the Linux kernel.
Microsoft’s Linux kernel will be tuned for WSL 2 and “optimized for size and performance to give an amazing Linux experience on Windows.” The Linux kernel will be updated through Windows Update. Yes, you’ll be getting Linux kernel security updates through Windows Update. The kernel’s full source code will be available online on Github.
So there’s that. It will make life much easier for all us *Nix folks when assigned a Windoz box as our “workstation”… we can rapidly get to a more robust and tool filled (and familiar) world by sidestepping into WSL. Yeah, 1/2 a loaf, but better than none. (And I won’t need to run my VM Linux from a USB stick anymore ;-)
In Conclusion
In the world of computer security, response times are critical. Often minutes or hours. Sometimes you have days. On rare occasions you can have a few weeks notice that a patch is coming. Rarely is anything from a few years back still relevant. Part of the Standard Operating Procedure is that the White Hat Researchers who find an exploit and develop model code to demonstrate it (or if you like “tools” or “warez” to exploit it) will notify the involved vendors privately about the exposure, and give them some time to develop a fix or patch. Often a month or two. THEN they will present it in public like in this video. (And all the folks watching the presentation get real motivated to install that new patch…).
This process seems to work well to motivate vendors to fix exposures, while also increasing acceptance of the fix, while also not shoving the exploit into the wild when their is no fix.
Sometimes there is a discovered exploit being used “in the wild” for which there is no fix and that has not been seen before. This is called a “zero day” as you have “zero days” of advance notice to make the patch / fix. (As compared to the 2 months advance notice from the White Hats…). It is these Zero Day events that cause the most Systems Admin peptic moments. You know there is an exploit. You know it is in use. You know it is only a matter of time until it is deployed against you and your systems. You also know there is NO fix and NO prevent. Sometimes these can run for weeks to get the attack reverse engineered, the exposure defined, a patch written and tested, then deployed. That’s when things are most grim in a shop.
So this video is a great example of how far various tool kits have come. You can also see that as soon as a tool kit is defined, it gets shared around. that’s why anyone can “look like” any particular attacking party (or nation or …). Because to prevent their attacks we had to have their tools (or workalikes) that often means we have reverse engineered them or captured them in use. It’s just S.O.P. to do that.
The video is also a great example of why I’m not keen on running Windows. This is but one of many tool kits for busting Microsoft “security” features. While there are similar tool kits of Linux, they are fewer and the kinds of exploits that work are often much more compute intensive and more obscure things (like stack smashing and doing stochastic attacks with many trials of things – that often show up as unexplained load on a system; such that your IDS / IPS can see it and stop it; or even just watching an “htop” panel can flag the attack).
That is why I tend to run hardware where my “normal load” is about 80% of full, and I have a monitor panel, often htop, running in the corner. Someone launches any significant load on the system, it will slow a lot (only 20% of performance unused on average…) and htop will display a lot of unexpected activity. (Heavy CPU use processes float to the top of the list).
So even the tools in that video would show up as momentary “bursts” of load that were not expected. Hopefully enough to get attention pulled to the monitor screen and then asking the key question “Why is that process running?” ;-)
Musings from the Chiefio 
Thing is that Windows NT kernels have always been modular in conception and a POSIX compatible subsystem has been available for about 25 years now. It would not surprise me that the old WOW32 that allowed 16 bit programs to run on 32 bit versions gets incorporated into 64 bit kernels as a 32 bit module and further allows old working code to continue to work. If I am remembering correctly, Microsoft had its own version of UNIX, too.
Yep that is what happens at our shop. One of the staff sees something on line while browsing, and within minutes an email is in the box of the head sys admin and the sysadmin staff and head security officer. They take a look and decide if we are vulnerable to this problem. Sometimes it is irrelevant to us because we do not use the serivce which is exploited, other times we are but have already patched it, or immediately push a patch if the vendors have a solution to the exploit. If not we sometimes simply turn off the vulnerable service and use a fall back method until a solution is found.
Everybody knows it is a constant battle. I have heard stories or folks building systems taking a coffee break and when coming back finding that some script kiddy hit their system while the were gone and took advantage of something that had not been locked down on the new system in just 15 minutes.
I am in the process of running a deep scan on my system right now to be sure that link did not leave an easter egg behind.
Interesting that wsl2 will feature an actual linux kernel, my understanding is that wsl1 implemented the linux system call interface from scratch without any linux kernel code at all.
A lot of what any operating system does is the same. That’s why you can do a decent job of Virtual Machines just by translating one OS call into your native version.
For MS, they may have started that way, and now have a real “Hypervisor” running to either kernel can get “real hardware”… Just guessing…