
Hacking Exposed: Live 2009

George Kurtz – SVP/GM Risk and Compliance BU

Stuart McClure – VP Operations / Strategy Risk and Compliance BU

McAfee | 04/21/09 | Session ID: HT2-105

Please Download The Most Current Slides At:

www.foundstone.com/hackingexposedrsa2009.pdf

Hacking Exposed: LIVE – RSA 2009

www.foundstone.com/hackingexposedrsa2009.zip

With Flash (.swf) file…


A little about us…

George Kurtz

• Former CEO and Co-founder of Foundstone

• Co-Author of Best-Selling Hacking Exposed and Other Security Texts

• Voted Conde Nast Most High-Maintenance Traveler of the Year by my Co-workers at McAfee

Stuart McClure

• Former President/CTO and co-founder of Foundstone

• Lead-Author of Best-Selling Hacking Exposed, Web Hacking, HE: Windows

• Better known as: Stu “I never met a GUI I didn’t like” McClure


Agenda

The Hack

The Digital Battlefield

Countermeasures (Apply)

Summary

The Digital Battlefield

At the heart of ALL threats: When Opportunity Meets Motivation… Meets Ability…

Threat diagram: Bots, botnets, DDoS networks; Spyware, adware, PUPs; User-propagated viruses, Trojans, PW stealers; Spam, mass-mailers, phishing, pharming; Vulnerabilities, exploits, scripted attacks; Targeted attacks; PDA, cell phone, wireless; Social Engineering

Four root causes (diagram quadrants): POOR COMMON SENSE, MALICIOUS INTENT, MISUSED FUNCTIONALITY, DESIGN FLAWS

Threats: The land of opportunity…

• Misused functionality

– File sharing

– Usernames/passwords

– Autorun

– BHO

• Design flaws

– Operating system (Windows RPC MS08-067)

– Adobe Flash, Windows Media Player, Quicktime

– Java

– Web Applications: Google, MSN, Hotmail

– Network

– Database

• Malicious Intent

– Direct/Targeted attack

– Malware attack network ports

– Botnets

• Poor common sense

– Executing email attachments (.exe, .doc, .xls, etc.)

– Clicking on untrusted web links in: Email, IM/IRC, Web sites (install plug-ins), Texting

Digital Battlefield


Our Mission

• Primary Goal: Complete Compromise of the PDC

• Secondary Goal: Compromise CEO Laptop

• Tertiary Goal: Sell more books the evil way!

• What we know about the network

– Firewall with restrictive rules in place

– Ingress: Ports 80, 443 open to the web server

– Egress: Ports 21, 53 (TCP/UDP), 80, 443

The Hack

Cross-Site Request Forgery - CSRF

• Let’s start with selling more books!

• CSRF also known as one-click attack and session riding

• CSRF exploits the trust a user has with their browser

• Cross Site Scripting (XSS) – exploits the trust a user has with a particular site

• The following characteristics are common to CSRF:

– Site must rely on a user's identity

– Trick the user's browser into sending malicious requests to a target site

– Exploit the site's trust in that identity

– Abuse the established session – have the browser do the dirty work and pass the authentication cookie


Have to get that Amazon rank up…

• The Hacking Exposed Boys need some new Lappies! We can’t hack on old hardware

• Our Goal - ratchet up the Amazon.com ranking and sell some books!

• Abuse one-click “book ordering” while people visit our Hacking Exposed Blog


Digital Battlefield


Diagram: CSRF – Authentication Cookie (DEMO)

And the Results are in…


Drive By Shooting - Spear Phishing Style

• Email to CEO

• Obfuscate URL

• Drive by Shooting: IE 7 MS09-002 (Feb 09)

– Memory Corruption Vuln

• Shovel a shell to Attack Linux port 80

• One click Attack – Download packed hack kit

• a.exe

Note: A real attack would download a Bot/trojan/rootkit, etc.

Digital Battlefield


Diagram: Remote Shell (443) – Phish Website – Evil Payload (DEMO)

Inflicting Some Damage on Windows

• Enumerate PDC

• Dump local hashes

• Dump Windows Zero Config

• Life is good!

DEMO

First You Steal the Hash – Then You Steal the Cash

• Password hashes are password equivalents

• So… why can’t we simply use the hash as the password?

• Load password hash of target account into memory on our compromised system

• We “become” the target account – beats trying to crack passwords!

Passing Hash

• There is no need to crack the password!

• This process was developed by folks at Foundstone and never publicly released

• Recently publicly available code has been released by Marcus Murray at Trusec.de


Passing Hash

I want my Hash – Goal: Gain Access To Sensitive Shares on the PDC

• We compromise one server/workstation using a remote/local exploit

• We extract logged on hashes and find a domain admin or other user account hashes

• We use the hash to log on to a domain controller or other target system

• If an Active Directory database is compromised, the attacker can now impersonate any account in the domain
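To make the "hash as password equivalent" point concrete for the two pass-the-hash slides, here is an added toy model (not code from the talk or from Foundstone): the verifier stores only an unsalted hash, and the challenge-response proof is keyed by that hash, so a stolen hash logs on without the password ever being known. SHA-256 stands in for the MD4 of real NT hashes, the wire format is invented, and the account names are constructed.

```python
import hashlib
import hmac


def nt_style_hash(password: str) -> bytes:
    """Unsalted one-way hash, as in the SAM/AD database. Real NT hashes
    are MD4 over UTF-16LE; SHA-256 is a stand-in so this runs anywhere."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def challenge_response(stored_hash: bytes, challenge: bytes) -> bytes:
    """Client side of a challenge-response logon (simplified, not MS-NLMP).
    The proof is keyed by the HASH, so the hash is all a client needs."""
    return hmac.new(stored_hash, challenge, hashlib.sha256).digest()


class DomainController:
    """Keeps hashes only and checks logon proofs against them."""

    def __init__(self):
        self.accounts = {}  # account name -> stored hash

    def add_user(self, name: str, password: str) -> None:
        self.accounts[name] = nt_style_hash(password)

    def logon(self, name: str, challenge: bytes, response: bytes) -> bool:
        expected = challenge_response(self.accounts[name], challenge)
        return hmac.compare_digest(expected, response)


def logon_with_password(dc, name, password, challenge) -> bool:
    """Normal user: derives the hash from the password, then answers."""
    return dc.logon(name, challenge, challenge_response(nt_style_hash(password), challenge))


def logon_with_hash_only(dc, name, dumped_hash, challenge) -> bool:
    """What the slides describe: a dumped hash answers the challenge just as well."""
    return dc.logon(name, challenge, challenge_response(dumped_hash, challenge))


def reused_password_accounts(dc) -> list:
    """Defender's check behind 'eliminate password reuse': because the hash is
    unsalted, accounts with equal hashes share a password, no cracking needed."""
    groups = {}
    for name, h in dc.accounts.items():
        groups.setdefault(h, []).append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)
```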

Digital Battlefield


Diagram: Remote Shell (443) – Passed Hash – Evil Payload – Remote Shell (backupadmin) 80 (DEMO)

Where Did Mr. CEO Go?

• Oops, the CEO has just left the building!


There’s an App for Pwning Too!

The fastest way to Pwn Windows

iPhone Pwnage

• Shell out

• Ping PDC

• Nmap PDC

• Pop PDC – shovel shell out to Attack Linux

• Stu will be command-line challenged – but he will have to deal with it


Digital Battlefield

Diagram: Server Service (MS08-067) Exploit – Remote Shell (443) – Connect with CEO Credentials

Countermeasures: Apply

CSRF Countermeasures

• Root cause

– Poor web design

• Insufficient re-authentication

– Require authentication in GET and POST parameters, don’t rely only on cookies

– Check the HTTP Referer header

– Restrict crossdomain.xml usage, which grants unintended access to Flash movies

– Limit the lifetime of authentication cookies

– Poor user common sense

• Users should not click on links they don’t know or trust!!

• Detection/Prevention

– Web Application Firewall (WAF)

• Commercial Options (including HIPS), or

• Free or Open Source: Breach Security’s ModSecurity, OWASP Stinger Project (Java/J2EE) [limited], AQTRONIX WebKnight, SQLGuard (Java)
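The CSRF slides above describe the one-click ordering abuse and the countermeasures: a token in the POST body rather than cookie-only authorization, a Referer check and a bounded cookie lifetime. The following added example (not code from the talk) puts the vulnerable handler beside a hardened one; the site host, secret key, request dictionary layout and cookie names are assumptions made for the demonstration.

```python
import hashlib
import hmac
from urllib.parse import urlparse

SITE_HOST = "shop.example.test"                       # hypothetical book-ordering site
SECRET_KEY = b"server-side-secret-rotate-regularly"   # constructed, never client-visible
COOKIE_MAX_AGE = 15 * 60                              # limit authentication cookie lifetime (s)


def csrf_token(session_id: str) -> str:
    """Per-session synchronizer token = HMAC(secret, session id). It is embedded in
    the site's own forms, so a forged cross-site request (cookie only) lacks it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_order_vulnerable(req: dict) -> bool:
    """'One-click ordering' as abused in the talk: the session cookie alone authorises,
    and the browser attaches that cookie to any request, whoever triggered it."""
    return bool(req["cookies"].get("session"))


def handle_order_hardened(req: dict, now: float) -> tuple:
    """Applies the slide's countermeasures; returns (accepted, reason)."""
    sess = req["cookies"].get("session")
    issued = req["cookies"].get("session_issued_at")
    if not sess:
        return False, "no session"
    if issued is None or now - float(issued) > COOKIE_MAX_AGE:
        return False, "session cookie expired"          # limited cookie lifetime
    if req["method"] != "POST":
        return False, "state change must be POST"      # no orders via GET links
    # Authentication evidence in the POST body, not only in the cookie
    if not hmac.compare_digest(req["form"].get("csrf_token", ""), csrf_token(sess)):
        return False, "missing or wrong csrf token"
    # Referer must name our own host (note: some clients strip Referer, so
    # treat this as a second check behind the token, not the only one)
    if urlparse(req["headers"].get("Referer", "")).hostname != SITE_HOST:
        return False, "referer not our site"
    return True, "ok"
```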


Spear Phishing Countermeasures

• Root cause

– Poor common sense

– It’s a feature, not a bug!

• Invisible iFRAMEs need to go away…

• Unlikely…

• Detection/Prevention

– User Education/Awareness

• DON’T CLICK ON WEB LINKS!!!

– Web filtering gateways/firewalls (blacklisting/whitelisting)

– Email/SPAM gateways


Passing Hash Countermeasures

• Root cause

– It’s a feature, not a bug!

• Need to remove the “feature” in the MS SAM

• Unlikely…

• Detection/Prevention

– Two-factor authentication

– Eliminate password reuse (John the Ripper)

– Don’t let a bad guy get Admin and dump the SAM!

– Don’t back up the SAM and leave it lying about…

– Control your running processes: HIPS, whitelisting products

• Free or Open Source: AntiHook (Win), Winsonar (Win), Samurai (Win), ProcessGuard (Win), OSSEC (Linux)


iPhone Hack Countermeasures

• Root cause

– It’s a feature, not a bug!

• Ability to Jailbreak the iPhone…

• Detection/Prevention

– Secure your WAPs (WPA2, MAC address restrictions, etc.)

– Fix your vulnerabilities!

– Deploy HIPS/NIPS:

• Free or Open Source: AntiHook (Win), Winsonar (Win), Samurai (Win), ProcessGuard (Win), OSSEC (Linux)


Summary

• It’s a jungle out there… but you need to prepare yourself

• Secure coding and penetration reviews are a must

• Understand the level of vulnerabilities in your own network and applications

– Leverage Policy Compliance and Vulnerability Management tools

– Software must be kept up to date

– Images must be hardened (best practices)

• Education is critical

• Defense-in-Depth

– Integrated Endpoint protection (AV, HIPS, process whitelisting)

– Network Protection (IPS, Firewalls, DLP)

Special Thanks

• Ryan Permeh

• Tom Lee

• Brian Holub

• Robin Kier

• All of the high IQ boys @ AVERT Labs and Foundstone Consulting!

• The Phishme Team


Special Thanks To:


Think Evil – Do Good!


Achtung baby!!!

Questions


Contact Info:

george_kurtz@mcafee.com

Stuart_mcclure@mcafee.com

www.hackingexposed.com