Author Topic: Discussion on IRC  (Read 494 times)


Offline Teddy

Discussion on IRC
« on: July 07, 2014, 10:43:43 pm »
Hi,

there was a discussion/talk on the IRC channel (#Evilzone) about when to use binary exploitation and rootkits.
I figured that it could be interesting for some people and also makes for some advertisement for the IRC.

So I decided to post it...

Quote
<noncetonic> I will say that binary exploitation is hardly ever used by sophisticated attackers
<noncetonic> 0day is expensive
<Traitor4000> noncetonic, So then when you're attacking a network, what do you do, just use malware?
<Teddy> Traitor4000, you were asking about binary exploitation the other day... and that people told you it was outdated (and so on). That's the answer to it
<noncetonic> Traitor4000: pretty much
<Traitor4000> noncetonic, Doesn't malware have to use exploits like priv escalation etc
<noncetonic> it's much easier to bypass your AV than to find an 0day in something you are using ubiquitously enough in the environment to warrant the money expenditure
<noncetonic> Traitor4000: no
<noncetonic> I can write linux malware to drop my key into your authorized hosts file
<noncetonic> having root on a box is often not super desirable
<noncetonic> I'd rather get access to a user who actively uses the machine
<noncetonic> so that I can assess their value
<noncetonic> and if they are useful leverage them to do the same sorts of activities they normally do
<noncetonic> so as to avoid anomaly detection
<Traitor4000> fuck logitech
<Epslon> noncetonic, [23:21] (+noncetonic) having root on a box is often not super desirable, pls explain?
<Epslon> Traitor4000 no luck huh?
<TurboBorland> the whole like last 5 lines were his explanation
<Traitor4000> yeah the fix didnt work
<Epslon> TurboBorland i mean more, duh
<noncetonic> Epslon: it's all about anomaly detection
<TurboBorland> what more do you want?
<noncetonic> if root is NEVER used on a box
<noncetonic> and suddenly root is using the box
<Epslon> Well keep trying man, I'm sure you'll get it
<Epslon> Oh I see...
<noncetonic> it looks fucking weird and will prompt an investigation
<Epslon> So you mean keeping a low profile
<TurboBorland> why would you use root?
<noncetonic> investigations are bad because if I haven't had enough time to clean up my environment I get busted
<e`> that's why you have a rk
<noncetonic> e`: no
<e`> yes
<noncetonic> no need for rootkits
<Epslon> rk?
<TurboBorland> wat
<Epslon> That's for maintaining access not for cleaning up
<Epslon> Well not most of the time anyways
<noncetonic> don't need it for maintaining access either...
<TurboBorland> it can be used for a billion things
<TurboBorland> most especially communication with netfilter
<e`> you won't need much cleaning up if you hide yourself with a proper rk
<noncetonic> e`: you'd need to clean up the rootkit.....
<noncetonic> you can't just leave your toolkit behind
<e`> clean up the rootkit ?
<noncetonic> that's how shit gets burned
<Epslon> Yeah tripwire
<noncetonic> it's much better to compromise a user, keylog their ass
<noncetonic> steal their creds
<noncetonic> and just ssh into the box from the corporate network...
<Epslon> usually enjoy ssh backdoor patches
<noncetonic> you don't need that
<Epslon> But they need root
<e`> and how are you keylogging without modifying the underlying fs
<noncetonic> e`: using built-in linux shit for one
<noncetonic> like showkeys
<TurboBorland> until ssh needs to get patched
<Epslon> And can be a huge give away
<e`> that will still cause suspicious processes
<noncetonic> the less of your toolkit you have to drop on a box the better
<noncetonic> e`: it's very easy to hide from the process list lol
<Epslon> using inbuilt tools might be a good way to go
<TurboBorland> not without root
<TurboBorland> as it parses /proc
<e`> and hiding from the process list is still best done with an rk
<Epslon> Even with root you can easily be found out
<noncetonic> TurboBorland: you of all people know how easy you can do it by changing your $0
<e`> lol $0
<TurboBorland> with root it's practically impossible
<noncetonic> anyway, we have sudo access since we have the user's creds anyway
<noncetonic> so root is easily gotten if needed
<Epslon> Actually the risk of being found out depends on your skills, mostly
<TurboBorland> when I say root I never mean the root account
<TurboBorland> no one really uses the root account like ever, unless they're su users
<noncetonic> ^
<TurboBorland> you can d/l a decent kit, what skill is that?
<TurboBorland> google + can download?
<Epslon> [23:31] (TurboBorland) no one really uses the root account like ever, unless they're su users really?
<noncetonic> that'd be super noisy
<e`> you won't find a public decent kit
<TurboBorland> sure you can
<Epslon> e` so code one...
<TurboBorland> http://turbochaos.blogspot.com/2013/10/writing-linux-rootkits-201-23.html
<e`> i've done so ofc
<e`> i wouldn't talk about it otherwise
<Epslon> Ok
<noncetonic> rootkits are only useful for long game exploitation where you are stuck and need to maintain access
* Traitor4000 has disconnected (Connection reset by peer)
<noncetonic> most TLA/NGO threat actors have a fairly set goal
<noncetonic> and will be in and out asap and hardly ever have to go back to old boxes as they pivot around
<noncetonic> unless it's a key box
* LaliBela (shades@E0767A7C.1F7C14B9.3D357804.IP) has joined #Evilzone
<noncetonic> which is why rootkits are mainly overkill
<LaliBela> Would sombody kick my old nick?
<TurboBorland> I like to feel safe
<Teddy> LaliBela, /ghost kick doesn't work because it is just channel not server wide
<TurboBorland> besides, it's just for proper integration of future shit

.................................

<Traitor4000> noncetonic, so all you do is drop malware?
<Traitor4000> and SE
<noncetonic> I wouldn't say that's _all_ I do
<noncetonic> I do drop 0day when it's monetarily and timeline responsible to take the time to buy/research a bug
<Traitor4000> Oh and I guess you can exploit security misconfiguration
<Epslon> That's basic
<Epslon> Misconfigurations = Gates :D
<Traitor4000> noncetonic, Have you ever tried shit like hooking up a WAP to their network that you can access? Seems like that would be good.
<noncetonic> and I also break into buildings to drop off hardware that phones home
<noncetonic> Traitor4000: that is the STUPIDEST idea I've ever heard lol
<noncetonic> that would create a ton of anomalies
<noncetonic> and with the number of organizations now using Aruba Networks for their WiFi solution you'd set off red flags left and right
<Traitor4000> noncetonic, so what hardware could you use, wireless access flashdrives?
<noncetonic> it's much easier to just drop hardware inline and have it communicate out via 4g