Saturday, May 14, 2016

Attacker's Tool Chest: Anatomy of tools and tactics from the field on network security


When you start trying to talk to people about security topics you may find that not everyone has a clear understanding of what different terms actually mean. I don't think it is really their fault. We as a culture tend to under-explain topics to outsiders. For ease of explaining something to a non-technical person we will often overload a term (like Virus), or switch to an improper term (like Trojan) that they are more likely to know...even if they don't understand what it means.
To combat that I think it is a good idea to keep a running list of terms I have had to explain or clarify to people. These are my own explanations, meant to capture the unique qualities of each type of tool or technique.



Scanners, Sniffers, and other Recon tools - These are the basic bread and butter of every single hacker. If you do not know what these are, pause reading this and go read the Wikipedia page on network mapping at https://en.wikipedia.org/wiki/Network_mapping and then the one on network enumeration at https://en.wikipedia.org/wiki/Network_enumeration
Back? Excellent. Scanning a network is the first step for every hacker, good or bad, on a new network. Imagine walking into a restaurant you have never been to. Instead of looking around, you immediately sit at the first table in your line of sight and order food without looking at the menu. Doesn't sound reasonable, does it? Red teams (attackers) use scanners to orient themselves in unfamiliar networks. They also use exploit scanners to find vulnerable machines. Blue teams (defenders) use these same tools to locate and catalog machines as they enter or leave the network. They also use scanners to find vulnerable machines, but for the purpose of patching them.

Back Doors - This is probably the most misused term in all of the tools. A back door is simply a secondary way to access a machine which does not involve the primary interface. Most machines are designed intentionally with multiple ways you can access them. Imagine you have a web portal with a typical login screen. You find out 3 months later that a developer placed a second login page on the server which automatically logged in as the admin (I am not making this up). The developer has effectively installed a back door into the server.

Trojan/Trojan Email - Another abused term. Outside of security circles a Trojan has become synonymous with any form of network attack. It actually refers to a program that is masquerading as another program. The effect is to trick the user into running an application they did not expect to contain anything malicious. This can take the form of a Control Flow Redirection, where the software runs some malicious code and then launches the legitimate executable to further hide from the user. A Trojan Email is similar in that it is a malicious email that appears to come from a trusted source. The Trojan's payload can be either a malicious file or a link to a malicious site. The Trojan Email is probably the most effective tool in the malicious hacker's arsenal.

Downloader - In the newest evolutions of Malware we are seeing staged delivery to complicate analysis. The first stage of infection is usually more difficult to detect in the wild. Downloaders will often carry anti-forensic code to determine if it is safe to try and retrieve their payload. They will do things like detect Virtual Machines, analytical sandboxes, debuggers, etc. Often the downloader is the payload included in the Trojan. There is a special case of downloader which can be used when you have physical access to a machine (see my post on the Darkduino tool DnE payload http://the-it-ninja.blogspot.com/2015/10/darkduino-payload-1-powershell-dne.html).

Bot - A bot is the reverse of a back door. Its main purpose is to make the machine call out to a location controlled by the malicious attacker. The methods used and types of bots vary widely, but they all serve the same basic function: to allow automated control of a machine remotely. It often bypasses most firewalls, which are concerned more with inbound connection attempts than outbound. While most people think a bot is inherently malicious, I disagree. A virtuous bot can be used to monitor systems for changes and report critical events. They can be used to manage large numbers of servers. Indeed, distributed computing would not be possible without the concept of a bot and master relationship. I have written several examples of bots available at https://github.com/dreilly369/rellik-cnc-examples/tree/master/static/agents

Botnet - The group of all machines infected by a particular bot. Botnets can be rented, built, or hijacked. Usually the size of a botnet is a point of bragging rights in some underground forums. Criminals, however, monetize botnets by renting them to other criminals or hacktivist groups. They can also steal personal information and sell it as part of a package. Finally, we are seeing the rise of Crypto Locker attacks. A bot may encrypt the files on a hard drive (or the entire hard drive itself) and then hold the keys for ransom.

Command and Control Server - A Command and Control Server (or CnCS for short) is a system loaded with the administrative portion of a Botnet. CnCSs come in many flavors: HTTP/S, DNS, IRC, NTP, and more. Each describes the primary protocol used to communicate with the bots. The server will usually be running a web panel to allow the bot master to log in and issue commands to one or all known bots. The hosting system may or may not be owned by the bot master. An example CnCS application I have written for research is available at https://github.com/dreilly369/rellik-cnc-examples
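The Bot and Command and Control entries above both rest on the same observable: an infected machine calls out to the same address on a regular schedule. The following is an added example (not code from the original post or from the rellik-cnc-examples project) showing how a defender can flag such beaconing in outbound connection logs. The log format is constructed for illustration: one line per outbound connection, "<epoch_seconds> <src_ip> <dst_ip>:<dst_port>".

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log. Host 10.0.0.23 calls out to the same address
# every ~60 s (bot-style beacon); host 10.0.0.40 contacts its destination
# at irregular, user-driven intervals.
SAMPLE_LOG = """\
1463200000 10.0.0.23 203.0.113.5:443
1463200010 10.0.0.40 198.51.100.7:443
1463200060 10.0.0.23 203.0.113.5:443
1463200075 10.0.0.40 198.51.100.7:443
1463200121 10.0.0.23 203.0.113.5:443
1463200130 10.0.0.40 198.51.100.7:443
1463200180 10.0.0.23 203.0.113.5:443
1463200240 10.0.0.23 203.0.113.5:443
1463200340 10.0.0.40 198.51.100.7:443
"""


def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(int(ts))
    return flows


def beacon_score(timestamps, min_events=4):
    """Return (mean_interval, jitter_ratio) for a flow, or None if too few
    events to judge. jitter_ratio is the std. deviation of the gaps between
    connections divided by the mean gap; near 0 means a fixed schedule."""
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(text, max_jitter=0.2, min_events=4):
    """List (src, dst, mean_interval, jitter_ratio) for flows whose timing is
    regular enough to look automated. Real bots add random sleep jitter, so
    max_jitter is a tuning knob, not a hard rule."""
    suspects = []
    for (src, dst), stamps in parse_log(text).items():
        score = beacon_score(stamps, min_events)
        if score and score[1] <= max_jitter:
            suspects.append((src, dst, round(score[0], 1), round(score[1], 3)))
    return suspects
```

On the sample, only the 10.0.0.23 flow is reported; the 10.0.0.40 flow has four events but a jitter ratio above 0.6 and is ignored.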

Implant - Any of a number of hardware devices meant to be installed and left on a target network. These can take the form of something as large as a laptop computer or as small as a mini USB key. Similarly, the intended function can range from simply logging keystrokes to adding a full computer to the network. The one thing all implants have in common is that they require physical access to a network to be installed. An example of an implant is my DarkDuino tool: http://the-it-ninja.blogspot.com/2015/09/building-darkduino-tool.html

Debugger - A class of programs which allows you to temporarily take control of a process and analyze its behavior. When you are analyzing a file for malicious activity you will use a debugger extensively to determine what behaviors it exhibits. A word of caution when using debuggers though: most advanced Malware comes with code that is meant to frustrate or prevent debugging efforts. On Windows, when a debugger attaches to a process the system sets a flag called BeingDebugged (in the process environment block) to true. Malware has, for years, known to call IsDebuggerPresent(), which reads that flag, before trying to load anything malicious. There are many tips and tricks on the net for hiding your debugger from Malware.

Drop Box/Pivot Box - A special class of implant. A drop box is a small (but full-fledged) computer. It is usually running some version of Linux to make the network setup much simpler. The primary function of a drop box is to allow an attacker persistent access to a network they wouldn't otherwise have. Imagine an office network which only uses Ethernet connections. An attacker may choose to install a drop box which bridges a wireless card to the Ethernet port. Installing this on the target network would allow the attacker to come back later, connect to the wireless interface, and operate on the network as if he/she were sitting at a computer inside the building. Examples of good systems for a drop box would be a Raspberry Pi or a BeagleBone Black.

Burner Box - A system meant to be used for something and then destroyed. They are handy for both security analysts and criminals. Analysts use them to build a sandbox in which to execute potential Malware samples. The machine is built, infected, monitored, and then destroyed without allowing the Malware a chance to infect other systems. For an attacker a Burner Box is a disposable attack platform that can be abandoned without giving up much information on the operation, intended targets, etc. In this way, it is similar to the use of a burner cell phone.

If you have your own clarifications you would like to add send me a comment and I will see about adding it.

2 comments:

  1. Hi Daniel! Great article and notable effort in classifying tactics. Here's another article I've written that you might find interesting on the same topic: https://www.reveelium.com/en/the-malware-revolution/ Curious what you think! If you'd like to exchange more, I'm open for discussions at cion@itrust.fr

    Replies
    1. That is a great article! Thank you for the link and sorry for the late reply.
