
I sometimes come across systems that are segregated in a way I know to be flawed. The arrangement usually looks like this:

There is a general IT environment, which follows best practice: patching, anti-virus, password policy, USB disabled, etc. However, there needs to be a balance of security and usability in this environment (e.g. Internet access is allowed) so it is inherently at risk, and would be an easy target for APTs.

There is also some super sensitive database, which sits behind its own firewall. The only access to the database is remote desktop inbound, and maybe a WSUS server outbound. The admins argue that this database is "tightly restricted" and there is no way that data could be exfiltrated. Generally, remote desktop is correctly locked down - shared drives and clipboard are disabled.

I know this is flawed. If a workstation is compromised, an attacker can quietly sit and harvest the remote desktop credentials. They can then take control of the database through remote desktop. The final piece of the puzzle is to exfiltrate the data. I know in theory it is possible to do this. For example, the malware on the database could encode data as QR codes, display it on screen, and let remote desktop relay it to the client. The client could parse QR codes in the remote desktop session and capture data. In fact, I'm sure much more efficient schemes than QR codes could be used.

However, I don't currently have a practical means to exploit this. Do you know a practical way to exfiltrate data in this situation, something a bit like sqlmap?

Deer Hunter
paj28
  • FTR: By definition, if there is *any* remote networked access to a system (or network) it cannot be considered "air gapped". What about other common management tools like remote file system (e.g.: \\192.168.1.1\c$) or remote registry? – Iszi Dec 15 '14 at 17:22
  • @Iszi - It tends only to be remote desktop or Citrix that is allowed through. Also, while I tend to agree with your definition of "air gap", not everyone does. – paj28 Dec 15 '14 at 17:30
  • @paj28 Then they are wrong. What they have is a network with extremely restricted access, not an air-gapped network. – Xander Dec 15 '14 at 18:36
  • You mention the general environment can get out to the Internet. How is outbound traffic restricted from the database server, if at all? – Iszi Dec 15 '14 at 21:59
  • @Iszi - normally restricted to certain support servers, such as WSUS, AV, monitoring, or domain controller. The details vary, but the general principle is common. – paj28 Dec 15 '14 at 22:01
  • @paj28 Looks like your way in (and out) is through the centralized management systems, then. Exfiltration capabilities will be limited by what traffic is allowed out to those systems (and, ultimately, from those to your external systems) and your own patience and/or ability to work around the unavailability of certain ports/services without getting caught. – Iszi Dec 16 '14 at 00:55
  • Ummm.. What about screenshots? – k1DBLITZ Dec 16 '14 at 21:32

1 Answer

Some remote desktop protocols have a shared clipboard. In this case, exfiltrating data is simply a matter of copy-and-paste: copy on the remote desktop, paste on the local one.

Some protocols have built-in file transfer. Exfiltrating data becomes as simple as dragging the database files from the remote desktop to the local one.

All remote desktop protocols support video display. Exfiltration can be as primitive as starting a screen-recording program on the local system, watching the desired data scroll by, and transcribing it at your leisure, or a more sophisticated system such as automated OCR or the QR-code scheme mentioned in the question can be used.

If the data can be viewed remotely, it can be exfiltrated. It's just a question of how easy it is.

Mark