Security Training
Daniel Kouril, Sven Gabriel
EGI Conference 2016, Amsterdam
Notes: focus, introductions
Agenda
- Brief technical introduction
- Capture-the-Flag game
Notes: purpose of the introduction, audience, roles of attendees, skills needed
Requirements
- Chrome browser v.38 or higher is required
- Not Chromium, Firefox or IE; any common OS
Cyber Attacks
Attacks & Incentives
- Getting (unauthorized) access to data
  - Cyber espionage, stealing money
- Disruption of services
  - Blackmailing, demonstration of capabilities
- Modification of data
  - Damaging reputation
- Misuse of resources
  - Botnets
  - Ransomware, bitcoins, spam
Attackers' behavior
- Striving to overcome security precautions
- Hiding their activities
  - Often try to stay unnoticed for a long time
- No attribution
(d)DoS example
- Overloading the service and/or network with common requests
- Reflected attacks
  - Hiding the origin: IP address spoofing
  - Amplification: some protocols return significantly longer responses than requests (NTP, SNMP, DNS)
- Hard to attribute and to prevent
Typical attackers' steps
1. Select a target
2. Find a vulnerability or weakness
3. Find a way to exploit the vulnerability or bypass security
4. Make the target work for the attacker
Vulnerabilities
- Different types
  - Programming error
  - Design flaw
  - Misconfiguration
  - Weak protection
  - Human error
- CVE: directory of known vulnerabilities
  - CVE-YYYY-id: unique identifier
- Known vs. zero-day
  - Unpatched known vulnerabilities pose a major threat
SQL Injections
- Insufficient sanitization of users' input
- Consider an application managing users that builds its query by string concatenation:

    "SELECT * FROM users WHERE name = '" + userName + "';"

- userName == "sveng" yields:

    SELECT * FROM users WHERE name = 'sveng';

- userName == "' OR '1'='1 -- " yields:

    SELECT * FROM users WHERE name = '' OR '1'='1 -- ';

  The injected quote closes the string early, the OR makes the condition true for every row, and the -- comments out the rest of the statement.
Notes: typical programming error, from Wikipedia; also add sql queries, …
Finding vulnerabilities
- Collect information about the target
- Estimate weaknesses
- Manual vs. automated probing
- Often black-box style analysis
Metasploit Framework
- Tool for developing and testing exploits
- Directory of exploit code
- Text-based console (msfconsole), controlled by commands:
  - show exploits - list the available exploits
  - use <exploit> - activate a particular exploit
  - show options - display the variables to set
  - set RHOST <IP> - set the target host
  - show payloads - show what will be injected
  - exploit - trigger the exploitation process
- A web interface also exists
Game
- You're an attacker who is trying to take over a remote machine
- You will exercise the techniques described earlier
- The goal is to use the remote machine to reflect a DoS attack against another victim
  - DoS'ing the target
  - Damaging the reputation of the "reflector"