Advanced Ethical Hacking & Penetration Testing Alex...

Ethical Hacking

Alex Loffler Sept 2013

What is a Hacker?

“Originally, a hacker was anybody who tinkered with any kind of system, mechanical or electrical, in order to better understand how it worked. Today hackers are persons who create or modify computer software, typically with the goal of using software in a manner not intended by the original computer programmer” – Wikipedia

“A person who enjoys exploring the details of programmable systems and stretching their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.” – Wikipedia

Hacker Ethics – The Hacker Manifesto

An essay written by ‘The Mentor’ (born Loyd Blankenship) after his arrest in Jan 1986. Considered a cornerstone of hacker culture by hackers across the globe. States:

• Hacking is an alternative way to learn
• Often out of frustration/boredom created by the limitations of current society
• Expresses the satori of a hacker realizing his potential
• Hacking supersedes the selfish desire to exploit or harm other people
• Technology should be used to expand our horizons and to keep the world free

Hacker ethics are concerned primarily with sharing, openness, collaboration, and engaging in the Hands-On Imperative

The Reality in 2012

Malicious activity is increasing in:
• Volume
• Sophistication (TTP)
• Intensity and focus (APT)

Source: Verizon 2012 Data Breach Investigations Report

[Chart: timeline from Initial Penetration, with a scale in days (1 day … 6) and in weeks (1, 2, 3)]

91% of breaches led to data compromise within “days” or less

79% of breaches took “weeks” or more to discover

The Reality in 2012

Response after compromise creates an undesirable foot-race
• The damage has already been done

Accept that we will never keep 100% of the attackers out
• The ‘fortress mentality’ is becoming obsolete

Move backwards in the “Kill Chain” to move the defensive wall out
• Requires rapid analysis of huge, real-time data sets

[Diagram: Kill Chain – Recon → Weaponize → Deliver → Exploit → Install → C2 → Action, with Detection and Response marked against the chain]

The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him. - Sun Tzu, The Art of War

Hacking Methodology
Phase 1 – Passive Reconnaissance
Phase 2 – Active Reconnaissance
Phase 3 – Vulnerability Research
Phase 4 – Penetration
Phase 5 – Going Deeper
Phase 6 – Covering Your Tracks

[Chart: effort split across the phases, labelled 80% and 20%]

Phase 1 & 2 – Reconnaissance

Phase 1 – Passive Recon
• Locations
• Policies, processes/attitudes
• Press releases, public sentiment
• Technology preferences/standards
• Financial information

Phase 2 – Active Recon (Scanning)
• Social engineering
• Network perimeter scans
• Topology mapping
• DNS zone transfers
• Firewalking
• Port scanning
• Dumpster diving

Gather anything and everything about the target

Phase 3 – Vulnerability Research

Use well-known vulnerabilities
• Useful to an extent
• Typically already patched

Buy 0-days from white- or black-market sources
• Expensive
• No guarantees
• Can backfire!

Roll your own 0-day
• Time consuming
• Requires highly skilled resources
• Creates a dilemma

Responsible Disclosure – aka ‘Now What?’

Discover a new vulnerability
• Accidental discovery
• Directed research

Develop an exploit
• Usually build a proof of concept to verify and classify the vulnerability

Now what?
1. Sell the exploit to the highest bidder
2. Use the exploit
3. Full disclosure
4. Inform CERT/CC
5. Sell the exploit to a white-market vendor

Disclosure Debate
• Security through transparency – full public disclosure enables informed choice and keeps vendors on their toes with regard to admitting to flaws and patching them.
• Security through obscurity – full public disclosure does not give anyone time to react to a security flaw whose details are now available to even the least sophisticated of attackers.

Responsible disclosure attempts to find a middle ground

Phase 4 & Phase 5 – Penetration

Phase 4 – Penetration
Initial targets are typically low-value assets
• Web servers
• VPN end points
• DMZ networks

Phase 5 – Going Deeper
Pivot and move up the food chain
• Start attacking peers and higher-value internal targets
• Admin credentials
• Password hash cracking
• Network devices – routers/switches/APs
• Peripheral devices – printers, etc.

Phase 6 – Covering Your Tracks

Entrench and consolidate position
• Hidden accounts
• Back doors
• Robust C2 side channels
• Root kits
• Steganography

The ARP Protocol

Address Resolution Protocol (ARP) is a telecommunications protocol used for resolution of network layer addresses into link layer addresses, a critical function in multiple-access networks. ARP was defined by RFC 826 in 1982. It is Internet Standard STD 37.

When computers communicate across a network, the sender sends an ARP packet asking who has or knows a particular IP address. This request is broadcast to everyone on the LAN and assumes the only response will be coming from the true owner of the IP address. The protocol has no ability to validate the authenticity of the response.

Additionally, there is nothing in the ARP protocol that says one has to wait for a request before sending a response!
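The two weaknesses just described (no way to validate an answer, and replies that need no request) are exactly what a LAN monitor can key on. The following is an added example, not from the slides: Python detection logic run over constructed ARP records, where the record fields, the alert names and the one-IP-per-MAC expectation are assumptions.

```python
from collections import defaultdict

# Constructed sample ARP traffic (not from the slides). op 1 = request,
# op 2 = reply. Host ...:05 asks for 10.0.0.1 and the real owner answers;
# a second MAC then sends replies nobody asked for, claiming first
# 10.0.0.1 and then 10.0.0.7 as well.
def arp(op, sender_ip, sender_mac, target_ip):
    return {"op": op, "sender_ip": sender_ip, "sender_mac": sender_mac, "target_ip": target_ip}

SAMPLE_ARP = [
    arp(1, "10.0.0.5", "aa:aa:aa:aa:aa:05", "10.0.0.1"),
    arp(2, "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.5"),
    arp(2, "10.0.0.1", "de:ad:be:ef:00:01", "10.0.0.5"),
    arp(2, "10.0.0.7", "de:ad:be:ef:00:01", "10.0.0.5"),
]

def detect_arp_spoofing(packets, max_ips_per_mac=1):
    """Return (alert_type, detail) tuples for three things a defender can
    verify from ARP traffic alone: a reply no host asked for, an IP whose
    MAC changes after it was first learned, and one MAC answering for more
    IPs than expected (raise max_ips_per_mac where proxy ARP is legitimate).
    Gratuitous ARP sent on a genuine address change also trips the first check."""
    pending = set()                 # target IPs with an outstanding request
    ip_to_mac = {}                  # first MAC learned for each IP
    mac_to_ips = defaultdict(set)   # every IP each MAC has claimed
    alerts = []
    for p in packets:
        if p["op"] == 1:
            pending.add(p["target_ip"])
            continue
        ip, mac = p["sender_ip"], p["sender_mac"]
        if ip in pending:
            pending.discard(ip)
        else:
            alerts.append(("unsolicited_reply", f"{mac} claims {ip}"))
        known = ip_to_mac.setdefault(ip, mac)
        if known != mac:
            alerts.append(("mac_changed", f"{ip}: {known} -> {mac}"))
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > max_ips_per_mac:
            alerts.append(("mac_claims_many_ips", f"{mac}: {sorted(mac_to_ips[mac])}"))
    return alerts

if __name__ == "__main__":
    for kind, detail in detect_arp_spoofing(SAMPLE_ARP):
        print(f"{kind:20} {detail}")
```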

MITM: Before

MITM: After

Rogue Devices

NewsTweek

IPv6

Timeline:
1998 – IPv6 standard is published (RFC 2460)
2008 – Study indicates IPv6 penetration < 1% of internet-enabled hosts
2011 – The last top-level (/8) block of IPv4 addresses is assigned in Feb
2011 – 8th June, World IPv6 Day. Over 1000 websites participated in a 24-hour ‘test-flight’
2012 – 6th June. 2nd event, 10x the participation
2013 – Total global traffic @ 1.35%

IPv4 = 2^32 ≈ 4.2 billion (4,294,967,296)
IPv6 = 2^128 ≈ 340 undecillion (3.4×10^38) or 340,282,366,920,938,463,463,374,607,431,768,211,456

• Subnets are /64 – 4,294,967,296 × the size of the internet – good luck scanning for hosts!
• No broadcasts.
• Multicasts, but they are local only.

IPv6 was designed using security models that are over 14 years old...

IPv6 address notation:
• Groups of 2 octets each
• Separated by colons
• Leading zeros omitted
• Longest chain of :0:0: replaced with ::

Example: 2a01:2b3:4:a::1

IPv6 Headers

IPv6 is much simpler than IPv4...
• No header length
• No identification
• No checksum
• No fragmentation
• No options
• Every option is an extension header
• Fragmentation, IPsec, source routing, destination options

... in theory
• What happens if I repeat a header extension?
• What happens if I define conflicting options?

Packets can include all, some, or none of the extension headers.

Known IPv6 Vulnerabilities

[Chart: IPv6 vulnerabilities (CVE) per year, 2002–2011; y-axis 0–30]

Same old problems, and some new ones...

ARP spoofing => ND spoofing
• Attacker claims to be every system on the LAN

DHCP => Auto-configuration
• Attacker can set any IP as the default route, define new network prefixes, DNS servers, etc.

Duplicate address detection DoS
• Attacker answers every NS query

Kick the default router
• Attacker spoofs an RA from the default router with 0 lifetime & sends their own RA. All hosts now use the attacker's IP

Many 3rd-party firewall solutions fail open (do not support IPv6)

Most new OSs have IPv6 enabled by default (Vista and above, Linux, OSX, etc.)
• If both stacks are configured, most OSs will route traffic over IPv6 in preference to the IPv4 stack
• Configuring an IPv6 stack is as simple as sending out an RA multicast packet to the local LAN

RA flooding – DoS attack
• Attacker floods the network with RA packets. Windows Vista/7/2008, Cisco ASA, Cisco IOS (recently fixed: CSCti24526, CSCti33534), Linux (pre 2.6.37) are vulnerable
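Both the router kick and the RA flood are visible to anyone capturing Router Advertisements on the LAN. An added example, not from the slides: a Python audit over constructed RA records that reports an RA from an unknown router, a lifetime-0 RA whose source MAC is not the router it claims to be, and a burst of RAs above a per-second threshold. The LEGIT_ROUTERS table, the record fields and the threshold are assumptions.

```python
from collections import Counter

# Defender-maintained table of legitimate routers (assumption): link-local IP -> MAC.
LEGIT_ROUTERS = {"fe80::1": "00:11:22:33:44:55"}

def ra(t, src_ip, src_mac, lifetime, prefix):
    return {"t": t, "src_ip": src_ip, "src_mac": src_mac,
            "lifetime": lifetime, "prefix": prefix}

# Constructed RA records (not from the slides): the real router, a forged
# lifetime-0 RA "from" it, a rogue router, then 60 RAs inside one second.
SAMPLE_RAS = [
    ra(0.0, "fe80::1", "00:11:22:33:44:55", 1800, "2001:db8:1::/64"),
    ra(1.0, "fe80::1", "de:ad:be:ef:00:01", 0, "2001:db8:1::/64"),
    ra(1.1, "fe80::bad", "de:ad:be:ef:00:01", 1800, "2001:db8:bad::/64"),
] + [ra(2.0 + i / 100, "fe80::bad", "de:ad:be:ef:00:01", 1800,
        f"2001:db8:{i:x}::/64") for i in range(60)]

def audit_ras(ras, legit=LEGIT_ROUTERS, flood_per_second=20):
    """Return (alert_type, detail) tuples. Checks: an RA from a router we do
    not know (reported once per source MAC), a lifetime-0 RA impersonating a
    known router (the kick), any other impersonation, and more RAs in one
    second than a sane LAN should ever see (flood)."""
    alerts, per_second, reported_rogues = [], Counter(), set()
    for r in ras:
        ip, mac = r["src_ip"], r["src_mac"]
        per_second[int(r["t"])] += 1
        if ip not in legit:
            if mac not in reported_rogues:
                reported_rogues.add(mac)
                alerts.append(("rogue_ra", f"{mac} advertises {r['prefix']} as {ip}"))
        elif legit[ip] != mac:
            kind = "router_kick" if r["lifetime"] == 0 else "spoofed_ra"
            alerts.append((kind, f"{mac} impersonates {ip} (lifetime {r['lifetime']})"))
    for sec, n in sorted(per_second.items()):
        if n > flood_per_second:
            alerts.append(("ra_flood", f"{n} RAs in second {sec}"))
    return alerts

if __name__ == "__main__":
    for kind, detail in audit_ras(SAMPLE_RAS):
        print(f"{kind:12} {detail}")
```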

Little to no IPv6 monitoring on LANs
• Detected 17 IPv6 devices at my local coffee shop, not bad given the company does not officially support IPv6!
• IPv6 is a side channel today

IPv6 is still an immature technology!

Trends

Industry trends
• Increasing rates of product & service delivery
• Increasing rate of new potential attack surfaces
• Diminishing product & service lifespan
• Lower tolerance for hardening (security testing & controls)
• Dissolving network boundaries
• Partners, cloud services, mobile devices, BYOD programs, etc.
• Signature-based controls are rapidly becoming ineffective (IPS, AV, etc.)

TELUS
• 7.5M mobile & 1.4M HSIA customers
• Poor endpoint security + high-speed networks + high-end CPUs + personal data = high-value targets
• Super Data Centers

03/12/2013

TELUS – SDC Module

TELUS – SDC Site

What’s Next?

Ultra high density, on demand compute fabric
• Cloud computing

High-speed mobile devices
• LTE (4G) cellular network
• 326 Mb/s down, 85 Mb/s up
• Cloud-based mobile thin clients

Advanced Persistent Threats
• High stealth, sophisticated attack vectors
• Nation-state, criminal organizations
• Low-speed, high stealth, steganographic data egress

Intelligent Threat Mitigation Platforms
• Big Data based threat detection and prevention
• Static code analysis & execution watchdogs
• Anomaly detection engines
• Behavioural modelling
• Global threat intelligence communities

Questions?

