Introduction to Information Security Network Traversal nirkrako at post.tau.ac.il itamargi at post.tau.ac.il Network Traversal Introduction • We now move from discussing the act of hacking a single machine or device, to discuss the act of traversing through an entire network: o How organized networks are structured. o How hackers penetrate organized networks, usually administered by a single person, or team of administrators. o How hackers traverse the network to gain access to more resources and data. Victim Network Ve rti ca l Horizontal/Lateral First Target: Patient 0 • Hackers will try to infect one computer, by different methods: o o o o Chance / statistical Luck! Spear-phishing or human error. Social engineering Pure hacking. • After infecting patient 0. Hackers can attempt to launch different types of attacks which can now depend on the internal network structure. • By using information and access readily available on the hacked machine, hackers can attempt to laterally traverse the network. Spearphishing • “Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. Spear phishing attempts are not typically initiated by "random hackers" but are more likely to be conducted by perpetrators out for financial gain, trade secrets or military information.” -http://searchsecurity.techtarget.com/definition/spe ar-phishing An email I received • True story: I received this email last year. Can you spot the fail? Network-wide Users • In an organized network , each user is given a single user/password credential, this password is used to authenticate the user against all machines in the network which the user should have access to. • Example: TAU. Your user and password is used to login to the *n?x machines as well as the video website. • If a computer used by one of the users is compromised. you can use his credentials if gained to login to all machines in the network. Sniffing for passwords • • • • • • • • • • • By local example .bashrc << __EOF__ alias ‘sudo’ ‘/tmp/sudo.sh’ __EOF__ /tmp/sudo.sh << __EOF__ #!/bin/bash echo “Enter password:” read PASS echo $PASS > /tmp/.password.log sudo $1 $2 $3 $4 $5 $6 __EOF__ Sniffing for passwords • On windows and other GUI based applications: key logging is used to record credentials being entered. • By actually sniffing the network, looking for “telnet” or other unencrypted communication ways – communication where passwords are given in clear text format. • Sniffing the network traffic looking for hashes which can later be cracked (More in next slide). Cracking passwords • Gaining root access to /etc/shadow (previously /etc/passwd) leads to obtaining password hashes • John the Ripper or other password brute forcing techniques can then be used to retrieve the clear text password. • The clear text password can be used to login to other computers. • Users tend to use the same password for all computers and services, making it easy to gain access to other resources. rlogin/rsh - history • Instead of logging in all the time – rlogin/rsh is used to authenticate a user without the need to enter a password. • Once a connection is received from a trusted machine and it declares that the user remotely connecting is the user, the user automatically gains remote machine access with the same credentials. • Many hacking techniques employ: o o echo “+ +” > ~root/.rhosts This lets anybody from any host connect to the computer. • IP spoofing can be used to gain remote access as well. And this poor authentication is still being used in some dark corners of the world. • NFS V < 4 has also utilizes the same bad authentication by only comparing host/port(using identd) to identify the user. Domain of computers Unix NIS (Network Information Service) • The NIS (formerly known as Yellow Pages/YP) protocol is and old protocol used to sync passwords across a network. • The NIS passwords are used to spread credential of a network of computers. • From each of the servers in the network access is given to a virtual directory which contains files such as “passwd”/ “shadow”, etc. • By using shell: # ypcat passwd o You can get the network hashes of ALL users! o In a secure network scheme this does not include the root account, however local account access can be gained on all computers sharing the passwd file. Pass the hash • Passing the hash is an original way of authentication for SSO (Single Sign On) which is easily exploitable. • In windows based systems, by simply passing the hash, a user is able to proove that he has the credentials needed to gain access to a resource (such as a network share). • Once hackers log in to a system, they can use locally existing network hashes to pass them to other systems by this process: o o o o o Gain local administrator privileges View locally logged in accounts. Impersonate a user locally. Use regular windows operations to access network resources. Gain more access and run remote code using psexec (sysinternals utility). LSASS • Slide was taking from “WCE Internals by Amplia Security” Hash harvesting • • On windows computers, hashes are saved locally even after a logon session is terminated in case access to the domain is no longer available. Several tools are in the wild used to do this hash harvesting, such as: o o o o o • WCE and its like: o o • WCE – Windows Credential Editor Pass The Hash Toolkit. gsecdump Maybe more. pwdump - hash dumping is also possible localy by dumping the SAM file (Security Accounts Manager) User ProcessReadMemory() to read the memory of LSASS for harvesting Inject code to implement the impersonation of users. Side Note – cracking NTLM hashes: o NTLM aka NT LanMan (Lan Manager) hashes are DES based hashes of max 14 byte passwords: Each 7 bytes of the password is hashed seperately making it easier instead of 256^14 we get 256^7 * 2. Therefore a rainbow table can be easily created. Unix NFS (Network File System) • The Unix NFS comparable to windows “Sharing”. Is a method of sharing directories by allowing other to locally mount a remote directory as if it was their own. • As we previously learned using u+s and o+x to a file that hands us root privileges we are able to escalate our privileges: o o echo "main(){setuid(0);setgid(0);system("/bin/sh");}" > a.c gcc –o a a.c • Misconfigured NFS, allows mounted directory to contain suid files, therefore allowing root on one machine the ability to gain o http://packetstorm.wowhacker.com/mag/faith/faith8.txt Shared binaries patching • Administrators or users share binaries on network shares / NFS. (Usually installation files). • If those network shares are writable by a hacker he can modify them and then wait for other users to execute them. • Example at TAU: user@nova:~$ mount | grep '/ type' netapp1:/vol/vol0/linux-root/precise/common/ on / type nfs (rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,nolock,proto=tcp,port=65535,timeo=70,retrans =3,sec=sys,local_lock=all,addr=132.67.192.53) More Misc Subjects • Network based anti-viruses • Passive DNS Network based antiviruses • Network anti-viruses aim to catch malware at endpoints by analyzing aspects of network traffic. • Companies that provide this service reverse engineer malware and collect intelligence on how malwares operate from a network perspective. • Input is made into blacklist rules such as: o Command and Control Domains o Command and control Ips o Specific looking URLs Passive DNS • • • • • • • • Security researchers have been collecting IP-Host pairs for a few years now. This is done using instrumented programs installed by ISPs at their DNSs. The Host-IP pairs can be used to back-track hackers’ resources. For example, if hacker A uses domain blblbfizzly.com , we can now blacklist it. we look it up in passive dns to find ip pairs we find it matches the following IPs: 8.8.8.8 and 8.8.4.4. We can look up in th e same database for pairs with 8.8.4.4 we find it matches gogogofizzly.com and bijo888rocks.com Now without much more information, you would educatedly guess that gogogofizzly.com is being used by the same hacker A, therfeore we can blacklist it to. Virustotal.com has a publicly query-able passive database but it is an incomplete one. Random Practical Subjects Not Covered • Honey pots o File based o Computer based o Network based • Penetration testing o Metasploit o Nessus • SIEM/SOC Systems o Sinkholes. • Security Resources: o CVE o Virustotal • Security Patches o 0-Day Gap. • Command and Control Channels • Many more… Questions? Good Luck in the Test! • The test is hard. • You will need to prepare a folder with this semesters material and bookmarks for subjects! • Hopefully, there will be a 3 hour rehearsal exercise before the test. • Feel free to drop by us questions and ask for help. • No homework for you, come back 1 year!