Introduction to Information Security - Cs Team Site | courses.cs.tau.ac.il
Download
Report
Transcript Introduction to Information Security - Cs Team Site | courses.cs.tau.ac.il
Introduction to Information Security
Network Travesal (Hacking Operations)
& Miscellaneous related subjects
1
Network Traversal - Introduction
• We now move from discussing the act of hacking a single machine or
device, to discuss the act of traversing through an entire network:
• How organized networks are structured.
• How hackers penetrate organized networks, usually administered by a single
person, or team of administrators.
• How hackers traverse the network to gain access to more resources and
data.
• Sometimes referred to as lateral movement.
Victim Network
Ve
rti
cal
Horizontal/Lateral
First Target: Patient 0
• Hackers will try to infect one computer, by different methods:
•
•
•
•
Chance / statistical luck!
Spear-phishing or human error.
Social engineering
Pure hacking.
• After infecting patient 0. Hackers can attempt to launch different
types of attacks which can now depend on the internal network
structure.
• By using information and access readily available on the hacked
machine, hackers can attempt to laterally traverse the network.
Spearphishing
• “Spear phishing is an e-mail spoofing fraud attempt that targets a
specific organization, seeking unauthorized access to confidential
data. Spear phishing attempts are not typically initiated by "random
hackers" but are more likely to be conducted by perpetrators out for
financial gain, trade secrets or military information.” -http://searchsecurity.techtarget.com/definition/spear-phishing
An email I received
• True story: I received this email last year. Can you spot the fail?
Network-wide Users
• In an organized network , each user is given a single user/password
credential, this password is used to authenticate the user against all
machines in the network which the user should have access to.
• Example: TAU. Your user and password is used to login to the *n?x
machines as well as the video website.
• If a computer used by one of the users is compromised. you can use
his credentials if gained to login to all machines in the network.
Sniffing for passwords
• By local example
• .bashrc << __EOF__
• alias ‘sudo’ ‘/tmp/sudo.sh’
• __EOF__
• /tmp/sudo.sh << __EOF__
• #!/bin/bash
• echo “Enter password:”
• read PASS
• echo $PASS > /tmp/.password.log
• sudo $1 $2 $3 $4 $5 $6
• __EOF__
Sniffing for passwords
• On windows and other GUI based applications: key logging is used to
record credentials being entered.
• By actually sniffing the network, looking for “telnet” or other
unencrypted communication ways – communication where
passwords are given in clear text format.
• Sniffing the network traffic looking for hashes which can later be
cracked (More in next slide).
Cracking passwords
• Gaining root access to /etc/shadow (previously /etc/passwd) leads to
obtaining password hashes
• John the Ripper or other password brute forcing techniques can then
be used to retrieve the clear text password.
• The clear text password can be used to login to other computers.
• Users tend to use the same password for all computers and services,
making it easy to gain access to other resources.
rlogin/rsh - history
• Instead of logging in all the time – rlogin/rsh is used to authenticate a
user without the need to enter a password.
• Once a connection is received from a trusted machine and it declares
that the user remotely connecting is the user, the user automatically
gains remote machine access with the same credentials.
• Many hacking techniques employ:
• echo “+ +” > ~root/.rhosts
• This lets anybody from any host connect to the computer.
• IP spoofing can be used to gain remote access as well. And this poor
authentication is still being used in some dark corners of the world.
• NFS V < 4 has also utilizes the same bad authentication by only
comparing host/port(using identd) to identify the user.
Domain of computers
Unix NIS (Network Information Service)
• The NIS (formerly known as Yellow Pages/YP) protocol is and old
protocol used to sync passwords across a network.
• The NIS passwords are used to spread credential of a network of
computers.
• From each of the servers in the network access is given to a virtual
directory which contains files such as “passwd”/ “shadow”, etc.
• By using shell: # ypcat passwd
• You can get the network hashes of ALL users!
• In a secure network scheme this does not include the root account, however
local account access can be gained on all computers sharing the passwd file.
Pass the hash
• Passing the hash is an original way of authentication for SSO (Single
Sign On) which is easily exploitable.
• In windows based systems, by simply passing the hash, a user is able
to proove that he has the credentials needed to gain access to a
resource (such as a network share).
• Once hackers log in to a system, they can use locally existing network
hashes to pass them to other systems by this process:
•
•
•
•
•
Gain local administrator privileges
View locally logged in accounts.
Impersonate a user locally.
Use regular windows operations to access network resources.
Gain more access and run remote code using psexec (sysinternals utility).
LSASS
• Slide was taking from “WCE Internals by Amplia Security”
Hash harvesting
• On windows computers, hashes are saved locally even after a logon session
is terminated in case access to the domain is no longer available.
• Several tools are in the wild used to do this hash harvesting, such as:
•
•
•
•
•
WCE – Windows Credential Editor
Pass The Hash Toolkit.
gsecdump
Maybe more.
pwdump - hash dumping is also possible localy by dumping the SAM file (Security
Accounts Manager)
• WCE and its like:
• User ProcessReadMemory() to read the memory of LSASS for harvesting
• Inject code to implement the impersonation of users.
• Side Note – cracking NTLM hashes:
• NTLM aka NT LanMan (Lan Manager) hashes are DES based hashes of max 14 byte
passwords: Each 7 bytes of the password is hashed seperately making it easier
instead of 256^14 we get 256^7 * 2. Therefore a rainbow table can be easily
created.
Unix NFS (Network File System)
• The Unix NFS comparable to windows “Sharing”. Is a method of
sharing directories by allowing other to locally mount a remote
directory as if it was their own.
• As we previously learned using u+s and o+x to a file that hands us
root privileges we are able to escalate our privileges:
• echo "main(){setuid(0);setgid(0);system("/bin/sh");}" > a.c
• gcc –o a a.c
• Misconfigured NFS, allows mounted directory to contain suid files,
therefore allowing root on one machine the ability to gain
• http://packetstorm.wowhacker.com/mag/faith/faith8.txt
Shared binaries patching
• Administrators or users share binaries on network shares / NFS.
(Usually installation files).
• If those network shares are writable by a hacker he can modify them
and then wait for other users to execute them.
• Example at TAU:
user@nova:~$ mount | grep '/ type'
netapp1:/vol/vol0/linux-root/precise/common/ on / type nfs
(rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,nolock,proto=tcp,port=65535,timeo=70,retrans=3,sec=sys,l
ocal_lock=all,addr=132.67.192.53)
Some miscellaneous related topics
• 0-day gap
• C2 Intelligence
• Passive DNS
• Deception Tactics
0-day gap
• TTM (time-to-market) between vulnerability discovery to patch is
called 0-day response time.
• Companies have public contact info for disclosing exploits by
researchers.
• If an exploit is disclosed there is a race between hackers and
developers to exploit vs to close.
• Companies hire vulnerability researchers to look for bugs that could
compromise their security.
0-Day Example
C2 (C&C) Intelligence
• Anti-viruses classic model, was signature based.
• Signatures inside binaries.
• Signatures in the windows registry keys & values.
• Signatures in network traffic.
• Network anti-viruses use the same engines but from the network
• Old attitude:
• Only detect what you can _remove_.
• New attitude:
• Just detection and blocking is better than nothing.
• Signatures were rephrased as intelligence with emphasis on
detection - another common name is Indicator of Compromise or IOC
• Some intelligence vendors take active measures to discover
intelligence.
Caveats of Intelligence
• Without ‘hacking’ hackers there is no way to create an IOC
before someone was attacked.
• If hackers create different C2 servers for each attack you’ll
never have the intelligence on time.
Passive DNS
Security researchers have been collecting IP-Host pairs for a few years now.
This is done using data collectors installed at many ISP DNSs.
Passive DNS (Cont.)
• The Host-IP pairs can be used to back-track hackers’ resources.
• If hacker An0n2016 uses cnn-news.com (its blacklisted).
• Using the database we can see:
• Now without much more information, you would educated guess
that adobe-updatre.org is being used by the same hacker, therefore
we can blacklist it to.
• Virustotal.com has a publicly query-able passive database but it is an
incomplete one.
Other Techniques for Realtime C2 Intelligence
• Newly created domains
• Domain that is seen for the first time.
• Whois/Whowas & NLP
• The internet domain registry contains data on the owner
• Look for:
• Private registration
• Domain popularity
• Geolocation
• Maybe your network shouldn’t be connecting to China.
Deception Solutions
• A new breed of product aimed at exposing attackers by deceiving
them to working on.
Credit: https://www.cymmetria.com/
Questions?
Good Luck in the Test!
• The test is hard.
• You will need to prepare a folder with this semesters material and
bookmarks for subjects!
• Hopefully, there will be a 3 hour rehearsal exercise before the test.
• Feel free to drop by us questions and ask for help.