Network Security
Attack Analysis
Outline
• Types of Attacks
• Vulnerabilities Exploited
• Network Attack Phases
• Attack Detection Tools
cs490ns - cotter
Vulnerability Summary for Week of April 29, 2013
• From US-CERT
– www-us-cert.gov/ncas/bulletins/SB13-119
• Ranks vulnerabilities based on CVSS score (Common Vulnerability Scoring System)
– High – base score of 10.0 – 7.0
– Medium – base score of 6.9 to 4.0
– Low – base score of 3.99 – 0.0
(Figure: CVSS scoring)
Vulnerability Summary for Week of April 29, 2013
• High Vulnerabilities
Product | Description | Pub. | CVSS | Source & Patch
Bitzipper | Crafted ZIP archive allows execution of remote code or DOS | 4/21/13 | 9.3 | CVE-2013-0138
Cisco routers | Multiple buffer overflows, bypass LDSP, DOS attacks, … | 4/25/13 | 7.5 – 10.0 | CVE-2013-1178, etc.
Siemens Simatic_s7 | Can cause DOS via crafted packets to TCP port 102, UDP port 161 | 4/21/13 | 7.8 | CVE-2013-0700, CVE-2013-2780
Total of 27 High level vulnerabilities
Vulnerability Summary for Week of April 29, 2013
• Medium Vulnerabilities
Product | Description | Pub. | CVSS | Source & Patch
Apache activemq | Default config of Apache ActiveMQ allows DOS | 4/21/13 | 5.0 | CVE-2012-6551
IBM websphere | XSS vulnerability in admin console in WebSphere App Server allows injection of script | 4/24/13 | 6.8 | CVE-2013-0542
Linux kernel | Vcc_recvmsg in net/atm/common.c does not initialize memory | 4/22/13 | 4.9 | CVE-2013-3222
Total of 57 medium vulnerabilities
Vulnerability Summary for Week of April 29, 2013
• Low Vulnerabilities
Product | Description | Pub. | CVSS | Source & Patch
Google_authenticator | Requires user-readable permissions for the secret file, which allows users to see secret | 4/24/13 | 1.9 | CVE-2012-6140
Total of 5 low priority vulnerabilities
Source: nvd.nist.gov
Types of Attacks
• Software vulnerabilities
– Buffer overflows
• Viruses, trojans, etc.
• System or service configuration mistakes
• Password weaknesses
• Denial-of-Service attacks
• Wireless Attacks
Buffer Overflows
• Objective:
– Send more data to an application input than it is designed to handle.
– Craft the data such that the overflow portion will be interpreted as executable code.
– Typically done by getting data to overflow on the stack so that it overwrites the saved return address (the PC value restored when the function returns).
• Depends on:
– Traditional (non-checked) data validation.
– Code instructions that do not validate input.
Buffer Overflow Example
#include <string.h>

/* Copies its argument into a 16-byte local buffer with no length check:
   an argument longer than 15 characters overruns buffer and the saved
   frame pointer and return address above it (the flaw this slide shows). */
void function(char *str) {
  char buffer[16];
  strcpy(buffer, str);
}

int main(void) {
  char large_string[256];
  int i;
  for (i = 0; i < 255; i++)
    large_string[i] = 'A';
  large_string[255] = '\0';  /* terminate so strcpy stops after 255 bytes */
  function(large_string);
  return 0;
}
Stack Structure for function
(Figure: the stack frame of function. Memory is drawn from bottom of memory to top of memory with code regions at both ends; the top of the stack is at buffer and the bottom of the stack at *str, so the frame reads, low address to high:)
buffer | sfp | ret | *str
[XXXXXXXXXXXXXXXX][XXXX][XXXX][XXXX]
– *str: pointer to char buffer (argument into function)
– ret: pointer to return address in main
– sfp: saved frame pointer (reference into memory frame)
– buffer: local storage allocated for character array
Stack Overflow
(Figure: the same frame, top of stack at buffer and bottom of stack at *str, showing the bytes held in each slot)
Before strcpy:
buffer | sfp | ret | *str
[XXXXXXXXXXXXXXXX][1F3C][1F9A][1F7C]
After strcpy:
buffer | sfp | ret | *str
[AAAAAAAAAAAAAAAA][AAAA][AAAA][AAAA]
Stack Manipulation
(Figure: the same frame, top of stack at buffer and bottom of stack at *str)
buffer | sfp | ret | *str
[AAAAAAAAAAAAAAAA][XXXX][1F94][XXXX]
Overflow buffer with the bytes needed to overwrite the return pointer with a desired address that points to an instruction of your own crafting:
buffer | sfp | ret | *str
[AAAAAAAAAAAAAAAA][XXXX][1F41][XXXX]
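The slide's function beside a bounded version, as an added example that is not from the slides or the Phrack article: function_safe refuses any argument that would not fit in the 16-byte buffer before copying, so the saved frame pointer and return address shown above can never be overwritten. The names function_unsafe and function_safe and the 255-byte test string are my own.

```c
#include <stdio.h>
#include <string.h>

#define BUFSZ 16

/* The slide's flaw, kept for contrast: strcpy copies until it finds a NUL
   byte, so any argument of 16 or more characters runs past buffer into the
   saved frame pointer and return address stored above it. */
void function_unsafe(const char *str) {
    char buffer[BUFSZ];
    strcpy(buffer, str);
}

/* Hardened form: measure the input with a bounded scan, refuse anything
   that leaves no room for the terminating NUL, then copy exactly the bytes
   checked. Returns the number of characters stored, or -1 if rejected. */
int function_safe(const char *str) {
    char buffer[BUFSZ];
    size_t len = 0;
    while (len < BUFSZ && str[len] != '\0')   /* never reads past BUFSZ */
        len++;
    if (len >= BUFSZ)                           /* 16+ chars: would overflow */
        return -1;
    memcpy(buffer, str, len + 1);               /* len + 1 <= BUFSZ by the check */
    return (int)len;
}

int main(void) {
    char large_string[256];                     /* same input as the slide */
    memset(large_string, 'A', 255);
    large_string[255] = '\0';
    printf("\"hello\"   -> %d\n", function_safe("hello"));       /* 5  */
    printf("255 x 'A' -> %d\n", function_safe(large_string));    /* -1 */
    /* function_unsafe(large_string) would smash this frame; it is not called. */
    return 0;
}
```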
Viruses, trojans, etc.
• Check for evidence of programs (and
versions) that are susceptible to attack.
• Test for outdated (or unchecked) virus scan
software.
System or service configuration mistakes
• Default passwords left in place
– Router passwords
– Program passwords
• Default (unused) services left running
– Sendmail
– Echo, time, etc.
• Default settings for firewalls and routers
Password weaknesses
• Test for standard password weaknesses
– Short passwords
– Dictionary based passwords
– Personal information passwords (pets, family, etc.)
• Test for unencrypted passwords
• Try to download encrypted password files
– /etc/passwd, /etc/shadow
• Use dictionary, etc. as source
– Encrypt word, compare to password file
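An added example, not from the slides, of auditing candidate passwords for the three weakness classes listed above (short, dictionary based, personal information); the dictionary and personal-information word lists, the 12-character minimum and the sample passwords are constructed assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MIN_LEN 12

/* Constructed word lists: a tiny "dictionary" and the personal details
   (pet name, family name, birth year) an auditor gathered for one account. */
static const char *dictionary[] = { "password", "welcome", "letmein", "dragon", NULL };
static const char *personal[]   = { "rex", "smith", "1984", NULL };

/* Weakness classes from the slide, returned as OR-able flags. */
enum { WEAK_SHORT = 1, WEAK_DICTIONARY = 2, WEAK_PERSONAL = 4 };

/* Bounded lowercase copy so matching ignores case. */
static void lower_copy(char *dst, size_t n, const char *src) {
    size_t i;
    for (i = 0; i + 1 < n && src[i] != '\0'; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

/* Returns the flags that apply to pw; 0 means none of the three classes
   was found. Substring matching catches "Welcome123!" as well as "welcome". */
int audit_password(const char *pw) {
    char low[128];
    int flags = 0;
    const char **w;
    lower_copy(low, sizeof low, pw);
    if (strlen(pw) < MIN_LEN) flags |= WEAK_SHORT;
    for (w = dictionary; *w != NULL; w++)
        if (strstr(low, *w) != NULL) flags |= WEAK_DICTIONARY;
    for (w = personal; *w != NULL; w++)
        if (strstr(low, *w) != NULL) flags |= WEAK_PERSONAL;
    return flags;
}

int main(void) {
    const char *samples[] = { "Rex1984", "Welcome123!", "correct-horse-battery", NULL };
    const char **p;
    for (p = samples; *p != NULL; p++)
        printf("%-24s flags=%d\n", *p, audit_password(*p));
    return 0;
}
```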
Wireless Attacks
• Scan for Access Points (War Driving)
• Look for SSID beacons
• Test for MAC address blocking
• Look for unencrypted access points
• If encrypted, test for WEP / WPA / WPA2
– If WEP, consider the value of capturing data and trying to recover secret through IV
Network Attack Phases
• Reconnaissance
• Vulnerability Identification
• Penetration
• Control
• Embedding
• Data extraction / modification
• Attack Relay
Reconnaissance
• Find out about network topology
– What IP addresses are active?
– What Operating Systems do they use?
– What services / servers do they support?
– What other machines do they talk to?
• Tools
– Port Scanners
– DNS queries (zone transfers)
• Defense
– Snort, Shadow
Vulnerability Identification
• Once systems have been scanned, specific sweeps are made to check for specific service or system vulnerabilities
– See SANS top 20
– Buffer overflows, etc.
• Most Popular Targets
– Servers difficult to remove or relocate (DNS, mail, web, etc.)
• Defense
– Don’t expose vulnerabilities!
Penetration
• Most successful hack is one that is not detected
– Second best is an attack that cannot be traced.
• Systems with some security typically rely on a “hard shell”.
– Firewall or proxy servers
– Perhaps IDS
• If firewall is secure, then use the users
– Track external site visits
– Taint DNS records to point to an attack machine
– Let users establish the connection for you!
Control
• Typically a bootstrap process.
– Find an exploit that allows you to control a process (program).
– Use that process to start up a process of your choosing with permissions of the owner of the original process.
– This process will contact the attack host and download the full exploit.
– Use that process to execute another exploit that will get root privilege (if needed).
Embedding
• Once into the system, the hacker will attempt to hide several different access programs.
– If one exploit is discovered, perhaps others will not.
– Alter logging programs to not display packets
– Alter process display programs to not show processes
– Etc.
• Want to be sure that the attack program (bot) will survive a restart.
Embedding
• Store exploits by overwriting little used existing files (games, etc.)
• Store most of the exploit as fragments inside other files (steganography), then use a small reassembly program to rebuild on command
• Hide program on unused portions of the disk
• Load portions of the bot onto unused EEPROM on the network card.
Data extraction / modification
• First order of business is to send system data back to relay
– Windows – registry
– Linux – /proc
• Transmit data slowly – over several different sessions
• Encrypt and embed data into known (or expected) data flows – www, ftp, e-mail, etc.
– Use existing programs RMON and arpwatch
Attack Relay
• Use this new system as a relay to attack other systems.
– Use multiple relays – ideally in multiple countries – to link to attacked machines.
– Use multiple machines for an attack
• A few suspicious packets from a machine once in a week may not be acted upon
• Multiple machines are harder to block.
Attack Detection Tools
• Scanners
– Virus Scanners
– SpyBots
– Malware scanners
• IDS
– Network based
– Host based
Profile of an Advanced Cyber Intrusion
• Ongoing (since 1999) series of suspected intrusions on US commercial and military sites from PRC
• Information presented in an unclassified document that details China’s capability to conduct cyber attacks
• One element of that report is a detailed report of an intrusion into a US commercial network
Awareness of the Problem
• Information security staff at the company became aware of the intrusion when they detected large volumes of data leaving their network
– Coming from multiple machines
– Going to multiple addresses mostly (completely?) within the US
• Were able to implement blocks to stop the flow, but an unknown volume of data was transmitted.
Two Teams
• Able to distinguish teams based on the tools and techniques
used.
• Forensic Profile
– Able to distinguish individuals based on “keyboard behavior” –
tools, techniques, command combinations, elapsed time between
keyboard entries, etc.
• Breach Team
– Figure out how to get into the network and secure machines.
• Collection Team
– Determine what information to extract and implement the
extraction.
Data Compromised
• Information extracted was very carefully selected.
– Files picked out of directories of related information
– Files generally were not opened prior to extraction
• Suggests that intruders had very detailed knowledge of the information in the network and had been able to search through the files to identify what they wanted.
– Took a lot of time
– Took detailed knowledge of the company
Activity prior to exfiltration
• Information Security (IS) detected low levels of intrusive activity prior to exfiltration.
– Seemed to be focused on maintenance of their presence within the network
– When detected, IS would block the link.
– Apparently intruders were able to open up other links undetected to continue their reconnaissance.
• Process continued for several days (at least).
Reconnaissance Phase
• Identify specific files, directories and file shares that contained desirable information
• Identify specific users who would have access to desired information and compromise their accounts.
• Uncover and use password policies
• Identify group memberships
• Construct detailed network architecture diagrams to facilitate information movement
• Process was very methodical and quiet.
Data Exfiltration Operation
(Figure: data flow of the exfiltration operation: external Command and Control (C2) → compromised users’ workstations → staging systems reached via RDP (workstations and file servers) → sending hosts (internal) → exfiltration hosts → external hosts, ending at the external collection host)
Analysis
• Used dozens of accounts over about 150 occasions to gather information.
– Very difficult to correlate the activities prior to exfiltration.
• Group memberships were particularly important in accessing data from non-compromised accounts.
Data Staging Process
• Took place over several days
• Noticed an increase in short duration communications
– Appeared to be used to verify resources, set up redundant channels, etc.
• Transfer done in the evening (same time each night).
• Transfer desired data from file servers to mail servers.
– 75% of the company’s several dozen mail servers were involved in the intrusion.
• Rename files to resemble legitimate Windows files on mail servers.
• Encrypt and compress files into 650 MB RAR archives
Exfiltration
• Secure a compromised user machine for use as an internal C2 station
• Move data into staging servers
• Test all staging servers by downloading a 20MB video file.
– Terminated download before complete.
• Identify local (US) external hosts to receive the data
• Used several versions of FTP (both standard and customized versions) to get a working configuration for offloading files.
• Finally got a working configuration to a US University site.
• Replicated the configuration 5 more times to increase throughput.
• Eventually detected and blocked. IS noted repeated attempts over the next 5 hours to regain access.
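An added example, not from the slides or the report, of the two signals the company's staff could act on in the staging and exfiltration phases above: large egress volume from a host, and archive-sized transfers at the same hour on more than one night. It runs over constructed outbound flow records; the host names, addresses, hours and the 600 MB thresholds are my own assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Outbound flow record: source host, destination, hour (0-23), bytes. Constructed data. */
struct flow { const char *src; const char *dst; int hour; long bytes; };

static const struct flow flows[] = {
    { "mail-03", "198.51.100.7", 22, 681574400L }, /* ~650 MB at 22:00, night 1 */
    { "mail-03", "198.51.100.7", 22, 681574400L }, /* same hour, night 2 */
    { "mail-11", "203.0.113.40", 23, 681574400L },
    { "mail-11", "203.0.113.40", 23, 681574400L },
    { "ws-17",   "198.51.100.7", 22,    524288L }, /* small session */
    { "ws-42",   "203.0.113.9",  14, 734003200L }, /* one large daytime push */
};
static const size_t nflows = sizeof flows / sizeof flows[0];

/* Total bytes host sent to external addresses across all records. */
long total_egress(const char *host) {
    long total = 0;
    for (size_t i = 0; i < nflows; i++)
        if (strcmp(flows[i].src, host) == 0) total += flows[i].bytes;
    return total;
}

/* Hour at which host sent at least min_bytes on two or more occasions
   (the "same time each night" pattern), or -1 if there is none. */
int recurring_hour(const char *host, long min_bytes) {
    int count[24] = {0};
    for (size_t i = 0; i < nflows; i++)
        if (strcmp(flows[i].src, host) == 0 && flows[i].bytes >= min_bytes)
            if (++count[flows[i].hour] >= 2) return flows[i].hour;
    return -1;
}

/* Suspect on either signal: total egress above volume_threshold (large volumes
   leaving the network) or repeated archive-sized transfers at one hour. */
int is_exfil_suspect(const char *host, long volume_threshold, long archive_bytes) {
    return total_egress(host) > volume_threshold || recurring_hour(host, archive_bytes) >= 0;
}

int main(void) {
    const char *hosts[] = { "mail-03", "mail-11", "ws-17", "ws-42" };
    long mb = 1024L * 1024;
    for (size_t i = 0; i < 4; i++)
        printf("%-8s %11ld bytes out, recurring hour %3d -> %s\n", hosts[i],
               total_egress(hosts[i]), recurring_hour(hosts[i], 600 * mb),
               is_exfil_suspect(hosts[i], 600 * mb, 600 * mb) ? "SUSPECT" : "ok");
    return 0;
}
```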
References
• Stealth Coordinated Attack HOWTO – Dragos Ruiu – 1999
– Google for a copy (it seems to move around)
• Network Intrusion Detection, 3rd ed. – Northcutt and Novak – New Riders Publishing, 2003
• Maximum Linux Security – Anonymous – Sams Publishing, 2000
• Ethical Hacking and Network Defense – Simpson – Thomson Course Technology, 2006
• Smashing the Stack for Fun and Profit
– http://www.phrack.org/phrack/60/p60-0x06.txt
• PRC and Cyber Warfare
– http://www.uscc.gov/researchpapers/2009/NorthropGrumman_PRC_Cyber_Paper_FINAL_Approved%20Report_16Oct2009.pdf
Summary
• There are many ways that hackers can get
into systems
• Complexity of systems today makes it
difficult to protect all possible attack vectors.
• Several web sites available to identify trends
(SANS, etc.)
• Understand the process!