OperatingSystemsSecurity

AndWhyIt(Mostly)Doesn'tMatter

PatrickHof-RedTeamPentestingGmbHpatrick.hof@redteam-pentesting.de

https://www.redteam-pentesting.de/

RadboudUniversity,Nijmegen,19December2016

RedTeamPentesting

PenetrationTests

We'reDoomed

WhatNow?

RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter

Foundedin2004atRWTHAachenUniversity

9penetrationtesters

Conductingpenetrationtestsworld-wide

Specialisationexclusivelyonpenetrationtests

RedTeamPentesting

PenetrationTests

We'reDoomed

WhatNow?

RedTeamPentesting,Dates&Facts

RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter

Targetsandattacker-modeldefinedinpreliminarymeeting

Conductedfromtheattacker'sperspective→Samemethodsas“badguys”

Individualisedsearchforsecurityvulnerabilities

Detaileddocumentation

RedTeamPentesting

PenetrationTests

We'reDoomed

WhatNow?

Pentest–Introduction

RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter

Ifyoulookatthesecurity-relatedheadlinesin2016,we'reprettymuchdoomed

Largedatabreaches2016(justtonameafew):Dec14th,Yahoo:Morethan1B(!)useraccounts(fromAugust2013)

Nov23rd,AdultFriendFinder:421Museraccounts

Sep2nd,Dropbox:68Museraccounts(from2012)

May17th,LinkedIn:117Museraccounts(from2012)

andthelistgoeson...1

RedTeamPentesting

PenetrationTests

We'reDoomed

WhatNow?

TheSituation

Explanations?

DataBreaches2016

1:Source:https://www.identityforce.com/blog/2016-data-breaches

RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter

CVE-2016-5195

CVE-2016-0800

CVE-2016-3714

CVE-2015-0235

CVE-2014-6271

CVE-2014-0160

Weevenhavelogosnow!Finally,peoplewillunderstandtheseverityofthesituation!

RedTeamPentesting

PenetrationTests

We'reDoomed

WhatNow?

TheSituation

Explanations?

BrandedSecurityVulns

RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter

Whydoweseesomanyincidents?

Thereseemtobemoresecurity-relatedincidentsthanever

Inourpentests,weusuallycanachievewhatweagreedbeforeshouldnothappen,whyisthat?

ItriedtofindthecheesiestimageIcouldget...

RedTeamPentesting

PenetrationTests

We'reDoomed

WhatNow?

TheSituation

Explanations?

SecurityIncidentsWhereverYouLook

RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter

IDS/IPS

Trafficanalysisuptoapplicationlayer

Antivirus

Securityappliancescombiningalloftheabove

Operatingsystemssecurity(ASLR,DEP/NXetc.)

2FA

Centralizedsecurity,e.g.grouppoliciesonWindows

...

RedTeamPentesting

PenetrationTests

We'reDoomed

WhatNow?

TheSituation

Explanations?

DefenseMechanismsAreGettingMoreAdvanced

RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter

Whenwestarted10yearsago,“pentests”werenotwidelyknown

Now,companiesareinvestingmorethaneverinITsecurity(searchfor“HotCybersecurityStocks2016”onGoogle,Idareyou)

Shouldn'tthisreducetheamountofincidents?

RedTeamPentesting

PenetrationTests

We'reDoomed

WhatNow?

TheSituation

Explanations?

InvestmentsinITSecurityareRising

RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter

Ok,somaybethingsarenotasbadasImakeitlooklike.

RedTeamPentesting

PenetrationTests

We'reDoomed

WhatNow?

TheSituation

Explanations?

WhysoManyIncidents?

RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter

Theory:Workingasapentesteronlyshowsveryvulnerablecompanies,everyoneelseissecureandthereforedoesn'tdopentests.

RedTeamPentesting

PenetrationTests

We'reDoomed

WhatNow?

TheSituation

Explanations?

WhysoManyIncidents?

RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter

Theory:Workingasapentesteronlyshowsveryvulnerablecompanies,everyoneelseissecureandthereforedoesn'tdopentests.

Answer:No,thosewhodopentestsarerathersecurity-aware,otherwisetheywouldn'tbother.

RedTeamPentesting

PenetrationTests

We'reDoomed

WhatNow?

TheSituation

Explanations?

WhysoManyIncidents?

RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter

Theory:Themediaaregivingaskewedviewonthingsforthesakeofmakingscaryheadlinesabout“thecybers”,thereforemakingitseemworsethanitactuallyis.

RedTeamPentesting

PenetrationTests

We'reDoomed

WhatNow?

TheSituation

Explanations?

WhysoManyIncidents?

Sowehavetogetvery,verytoughoncyberandcyberwarfare.Itisa,itisahugeproblem.Ihaveason.He's10yearsold.Hehascomputers.Heissogoodwiththesecomputers,it'sunbelievable.Thesecurityaspectofcyberisvery,verytough.–AbrahamLincoln

“”

RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter

Theory:Themediaaregivingaskewedviewonthingsforthesakeofmakingscaryheadlinesabout“thecybers”,thereforemakingitseemworsethanitactuallyis.

Answer:Mightbepartlytrue,butapartfromtheusualmediasensationalism,manyhacksarereal.Wedoseealotofvulnerablesystemsinourworkandwealsogetfeedbackfromclientsaboutbreachestheyhadthatwereneverreportedtoanyone.

RedTeamPentesting

PenetrationTests

We'reDoomed

WhatNow?

TheSituation

Explanations?

WhysoManyIncidents?

RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter

Theory:Thereissomuchmoneyinthesecurityindustrythateveryoneisinterestedinscaringpeopleintobuyingasmuch“security”aspossible.

RedTeamPentesting

PenetrationTests

We'reDoomed

WhatNow?

TheSituation

Explanations?

WhysoManyIncidents?

RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter

Theory:Thereissomuchmoneyinthesecurityindustrythateveryoneisinterestedinscaringpeopleintobuyingasmuch“security”aspossible.

Answer:Partlytrue,there'salotofveryquestionablestuffouttherethatmakesmillionsinprofits,butasIalreadysaid:wedoseealotofveryinsecuresystemsinourwork,andifyoulookattherecentsecurityresearch,othersdotoo.

RedTeamPentesting

PenetrationTests

We'reDoomed

WhatNow?

TheSituation

Explanations?

WhysoManyIncidents?

RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter

Someideaswhattherealproblemscouldbe:

Everythingisonlinethesedays,orintheprocessofgoingonline:Banking,shopping,socialinteraction...

ITismoreandmoreprevalentineverycompany,(almost)nobodyworkswithoutITortheInternet

Employeesshouldbeabletoworkfromanywhere(andbeavailable24/7),soremoteaccessisneededevenfromprivatehardware(BYOD)

Thingschangefast,companiesaretryingtokeepupwiththelatesttrends

Thereisahugemarketforcheapgadgetsandthe“InternetofThings”

RedTeamPentesting

PenetrationTests

We'reDoomed

WhatNow?

Explanations!

OperatingSystemsSecurity

Conclusion

TheRealProblems

RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter

Complexitybreedsbugs,bugsarevulnerabilitieswaitingtobeexploited

Companiesaddmorefeaturesinsteadofsecuringthealreadyavailable

Attackersareinterestedindata,notnecessarilyarootshell

RedTeamPentesting

PenetrationTests

We'reDoomed

WhatNow?

Explanations!

OperatingSystemsSecurity

Conclusion

TheRealProblems

RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter

Malvertising:Adnetworkscurrentlyhaveahugemalwareproblem

ContentDeliveryNetworks(CDN):Onehack,millionsofvictims

Hidebehindthe“bigname”whendeliveringmalware

JavaScriptbloat

March2016:The“left-padfiasco”1:2.486.696downloadsinFebruaryaloneforamodulethatleft-padsstrings!

Again:hackonedeveloper,targetloadsofapplications

RedTeamPentesting

PenetrationTests

We'reDoomed

WhatNow?

Explanations!

OperatingSystemsSecurity

Conclusion

TheRealProblems

1:http://www.haneycodes.net/npm-left-pad-have-we-forgotten-how-to-program/

RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter

MoreBuzzwords:

InternetofThings(IoT)

TheCloud

Antivirus

Smartphones

RedTeamPentesting

PenetrationTests

We'reDoomed

WhatNow?

Explanations!

OperatingSystemsSecurity

Conclusion

TheRealProblems

RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter

9.12.2016:Netgear,8modelscanbeexploitedlikeit's'99:

http://<router_IP>/cgi-bin/;COMMAND

ThisishowIexploitedmyLinksysWRT54GWi-firoutertoinstallLinux,in2002!Eventhen,commandinjectionswerealreadyawell-knownvulnerability.

Thereareexploitkitsusedbymalvertiserstoopenuphomerouterswithvulnerabilitieslikethisone.

RedTeamPentesting

PenetrationTests

We'reDoomed

WhatNow?

Explanations!

OperatingSystemsSecurity

Conclusion

Example:HomeRouters

RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter

Antivirussoftwareisoftenindistinguishablefromakernelrootkit

Embedsitselfdeeplyintothesystem,hookingkernelfunctions

CheckoutTavisOrmandy'sworkatGoogleProjectZeroExploitsforSymantecandNorton,Avast,TrendMicro...

Recentresearch(12.12.2016)byAndrewFasano:McAfeeVirusScanforLinux,10vulnerabilitiesthatcanbe

chainedtoachieveremotecommandexecutionasroot1

RedTeamPentesting

PenetrationTests

We'reDoomed

WhatNow?

Explanations!

OperatingSystemsSecurity

Conclusion

Example:Antivirus

1:https://nation.state.actor/mcafee.html

RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter

Problem:Transparentlysendingobjectsbackandforthblursthedistinctionbetweenuntrustedclientandtrustedserverforprogrammers

Oneofthenewertools(released2015):ysoserial1

ObjectInputStream.readObject()AnnotationInvocationHandler.readObject()[...]Runtime.getRuntime()InvokerTransformer.transform()Method.invoke()Runtime.exec()

RedTeamPentesting

PenetrationTests

We'reDoomed

WhatNow?

Explanations!

OperatingSystemsSecurity

Conclusion

Example:SerializationConsideredHarmful

1:https://github.com/frohoff/ysoserial

RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter

OperatingSystemsSecurity:

MostlyPostExploitationaka:wealreadygotthedata,butwhilewe'reatit...

RedTeamPentesting

PenetrationTests

We'reDoomed

WhatNow?

Explanations!

OperatingSystemsSecurity

Conclusion

WhatElse?

RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter

Inmanycases:Onceyouarepartofthedomain,itisjustamatteroftimeuntilyouaredomainadmin

Getlocaluserhashes/ticketsfrommemory

Ifnotalreadydomainadmin:Accessothermachineswithcredentials/hashes/ticketsfounduntilyouhaveadomainadminaccount

Gameover,connecttodomaincontrollerandcreateforexampleagoldenticket

mimikatz1implementsallthis

RedTeamPentesting

PenetrationTests

We'reDoomed

WhatNow?

Explanations!

OperatingSystemsSecurity

Conclusion

OperatingSystemsSecurity:Windows

1:https://github.com/gentilkiwi/mimikatz

RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter

Linuxisfoundmostlyonservers

There,youhavetheusualproblem:Onlyfewinstalltheirpatchesontime→Outdatedkernel,glibcetc.

Uselocalprivilegeescalationtogetroot

Morefragmented,ratherindividualhowyoucangetaccesstomoresystems

E.g.passwordsinthe.bash_history,privateSSHkeys,weakpasswords,openshares,configfileswithcredentials...

RedTeamPentesting

PenetrationTests

We'reDoomed

WhatNow?

Explanations!

OperatingSystemsSecurity

Conclusion

OperatingSystemsSecurity:Linux

RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter

Westarttoseethatconsumersdemandsecurity,butonlywhenithurts(e.g.Ransomware)

Nobodycaresifthey'repartofabotnet,everyonecaresiftheirfamilyphotosareencrypted(orforcompanies:theirpreciousExcelreports)

RedTeamPentesting

PenetrationTests

We'reDoomed

WhatNow?

Explanations!

OperatingSystemsSecurity

Conclusion

AreWeReallyDoomed?

RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter

Reducecomplexity(KISS)insteadofincreasingit

Makesecuritypartofthedevelopmentcycle

Patchyoursystemsregularly!

NoteverythingneedstobeconnectedtotheInternet

RedTeamPentesting

PenetrationTests

We'reDoomed

WhatNow?

Explanations!

OperatingSystemsSecurity

Conclusion

AreWeReallyDoomed?

RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter

Thankyouforlistening!

RedTeamPentesting

PenetrationTests

We'reDoomed

WhatNow?

Explanations!

OperatingSystemsSecurity

Conclusion

Questions?

RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter