Join Mark Lachniet as he shares insights on successful hacking techniques and practical examples of attacks on networks, passwords, and systems. Discover controls and detection methods to enhance your security.
How to Annoy a Penetration Tester (and Bad Guys Too)
WACCI 2016, 10/07/16
Mark Lachniet, marklac@cdw.com (847-968-0155)
Trivia Question
• What 19th-century writer is credited with having invented the detective fiction genre?
Trivia Question
• Edgar Allan Poe: the “Dupin” stories, the first popular model of a logic-based detective, C. Auguste Dupin
• "The Murders in the Rue Morgue" (1841)
• Poe died October 7th, 1849 (167 years ago today)
About The Speaker
• Currently “sell stuff” at CDW (previously Berbee, for the Wisconsin people) and work with the CDW Threat Check team
• Previously a white-hat hacker (penetration tester), compliance nit-picker, incident responder and forensics guy
• Licensed private investigator in the state of Michigan
• On the Michigan HTCIA board most years
• Whitepapers – hostile forensics, Usenet, etc.
• First person to “internetify” a pinball game that I know of (http://lachniet.com/hobbit)
• Frequent presenter to PIs, law enforcement, private sector, education, legal etc.
| Security solutions
Agenda
• Will focus on attacks that don’t rely on unpatched systems but rather on things “working as intended”
• Discuss the ways that I have been most successful in:
• Getting access to a network
• Getting a password
• Escalating this access to administrator
• Escalating this access to diverse systems
• Give practical examples
• Give example controls and detection info
• Questions and Answers
Getting In From the Outside
• On the Internet, hacking “stuff” is easy but hacking a specific target can be hard
• Most organizations have decent firewall rules and keep their Internet-facing servers patched
• If you have unpatched Internet-facing systems you will probably discover this fact fairly quickly (the hard way)
• Primary means of attack over the Internet, in order of preference:
• Social engineering / phishing
• Password guessing
• Known, attackable missing patches (e.g. via Metasploit)
• Manipulation of server interfaces (e.g. the Tomcat manager)
• Attacks on web applications (SQL injection, etc.)
Social Engineering and Phishing - Discovery
• Attacking an organization through phishing is FAR easier than attacking it through technical means
• Many people are vulnerable to phishing, especially those who have not been using computers their whole lives
• Humans have an in-built desire to be helpful, and attackers take advantage of this (and will continue to do so at an increasing rate)
• The first step is to do discovery using public records:
• Social media (LinkedIn, Facebook, etc.)
• Scripts and software to enumerate names and e-mail addresses from search engines
• Look for user phone / e-mail directories on official web sites
Social Engineering and Phishing - Discovery
• Identify generic inboxes such as marketing, accounts payable, IT helpdesk, etc.
• Metadata from Office and PDF documents – shows actual usernames and the software packages in use
• Connect to webmail or SMTP and run lists of common names (census data) against it to identify valid usernames
• Timing attacks on Exchange (OWA response times differ for valid and invalid usernames, which lets you enumerate accounts)
• The goal of discovery is a list of valid user IDs / e-mail addresses
• Free Tool: FOCA
• https://www.elevenpaths.com/labstools/foca/index.html
• Free Tool: Maltego
• https://www.paterva.com/web6/products/maltego.php
The Internet of Things Fail
• So how about we connect everything in our lives to the Internet, like refrigerators, ovens, thermostats, door locks, pet doors and surveillance cameras?
• What could go wrong? HUMANS!
• Enter the search engine Shodan.io!
• http://search.slashdot.org/story/16/01/24/0256224/iot-security-is-so-bad-theres-a-search-engine-for-sleeping-kids
• My Shodan search: port:554 has_screenshot:true country:"US" org:"Comcast Cable"
• i.e. show me all US systems in Comcast Cable address space with something listening on port 554 (RTSP, the usual camera streaming port) for which Shodan has captured a screen shot
• The following data was pulled from a fresh search on 1/26/16
The Internet of Fail
• So how about we connect everything in our lives to the Internet, like this office in Tracy, California, and not require a password?
The Internet of Fail
• The screen capture has a caption of CDC and we can see (if you reverse the image in a mirror) the word “dentistry” in the window
• A little searching in Yelp finds us a convenient match when we search for dentists in Tracy, CA: California Dental Care (CDC)
• Is this a HIPAA compliance issue? It may depend on the resolution of the camera! In this case it seems to suck, but very high resolution cameras CAN read documents from a distance, and can certainly see faces
• http://www.yelp.com/biz/california-dental-care-tracy
The Internet of Fail
• Yelp gives some nice pictures of the inside… sure looks like the same desk! Note the Dell monitor and paper thingy
The Internet of Fail
• Pull up the web site and get location information including “Next to Mi Pueblo Market”
• It’s Google Street View time… put in the address, find the market, find the dentist office
• If this was a pen-test we’d have an engineer go goof under the camera and take a screen cap. Nice and stalky!
The Internet of Fail
• Or how about all of the open VNC screens at MSU?
Lessons Learned
• Controls: OpSec! Don’t put crap out there unless you have to! Beware of friends and family posting things about you (and the EXIF data in their photos). Don’t use your work address (e.g. @ic.fbi.gov) for personal stuff
• Controls: Regularly check your own and your organization’s posture to see what is exposed
• Controls: Have user IDs that are NOT the same as e-mail addresses and are not easy to discover (e.g. through metadata). Block repeated connections to mail services from the same source
• Detection: Hard to do, since discovery can be done without ever touching one of your servers
• Detection: Could possibly see it in server logs (Exchange, web servers) but it would be very hard to differentiate from search engine crawlers
Phishing – Enticement
• Focus on: management, billing, HR
• Avoid: IT, risk management, legal
• Create customized phishing e-mails:
• Must look legit – steal the HTML signature block from the boss
• Use timely information about the organization (time to re-up your insurance, pay day, etc.)
• “Bypass your organization’s firewall and content filter”
• Contests - Amazon gift card for participating in a survey
• Infected PDF documents - tracking from UPS or a vendor invoice that looks just legit enough to open
• Free iPad! (who falls for this any more!?!)
• Request from IT staff to test a new and better system
Phishing Example – The Citrix Server
• Create a fake Citrix web site registered under a look-alike name such as http://www.organization-beta.com that looks exactly like the official Citrix server (costs about $15)
• Send a phishing e-mail saying that IT is responding to user demand and rolling out a new, much faster Citrix server, and that the recipient has been selected to test it. Fake the IT director as the source with a perfectly copied signature at the end
• The e-mail is from the look-alike domain, so any replies go to the attacker and not the IT director
• The fake web site takes their login information (user ID and password) and logs it to a text file. After submitting their login, they get redirected to the real Citrix server login page
• The user believes they must have mistyped their password and often doesn’t notice the URL change
• Possibly take 3-4 logins before redirecting – the users will type in every password they know, which is useful to the attacker
Results from a CDW Password Study
• Dave Reflexia from CDW’s Security Assessment Team (the hackers) has been compiling a list of passwords from both our customer engagements and from data dumps from hacks
• He has performed analysis on this to identify the characteristics of passwords “in the wild”
• Contains 933,979,289 password records
• This is very helpful for efficiently cracking passwords using tools such as oclHashcat (a good wordlist and rule set beats raw brute force)
• https://blog.cdw.com/security/password-security-report
• Here are some interesting findings from the top 100 most common passwords:
Results from a CDW Password Study
• Passwords based on the season are popular:
• Given any especially large user population, it is very likely that someone takes this approach
• This often allows us to get in over the Internet if we can find enough valid usernames through search tools (one or two guesses per account, so lockout policies never trigger)
• Among the most popular are those formatted with the season, capitalized, followed by the full year, such as Summer2014 (3,930 occurrences)
• Also popular was the same with a two-digit year, such as Summer14 (6,126 occurrences)
• You will note that only one of these variations, fall15 at six characters, falls short of the default Windows minimum password length of seven characters
Results from a CDW Password Study
• Also popular are variations on the word password:
• 21,328 instances of the password “password”
• Also popular was a capitalized version with a one- to three-digit number at the end, such as Password123 (19,472 instances)
• We see the perpetual trick of “leet speak” vowel substitution, which hasn’t been a fresh idea for at least fifteen years (12,134 instances)
• Rounding out the top 100 were initial user passwords and help desk passwords: 34,147 passwords containing a variation on the word welcome, with Welcome1 topping the list at 22,538 instances
• 4,105 passwords were based on the word helpdesk, with good old “helpdesk” pulling in 1,629 occurrences
Results from a CDW Password Study
• Some results on password size:
• Eight-character passwords dominating is not surprising, as eight is the minimum length Microsoft recommends
• If you know your target’s minimum password size and complexity rules you can greatly decrease the amount of time it takes to crack their passwords (drop every candidate the policy would have rejected)
Password Guessing – Outlook only
• A lot of organizations use multi-factor authentication for things like VPN but DON’T use it for Outlook / Exchange e-mail. This is dangerous!
• “So what if they can get e-mail, they can’t run anything”
• People often store passwords and legally interesting data in e-mail – we sometimes search mailboxes for “pass” and “password”
• If Exchange exposes Outlook Anywhere (RPC over HTTP) to the Internet, an attacker can set up Outlook on their attacking computer with the guessed credentials, sync all the e-mail, and then create a message rule that runs an executable
• SEE: https://silentbreaksecurity.com/malicious-outlook-rules/
• The attacker can then send a message that matches the rule and get program execution on the victim’s workstation the next time their Outlook processes it! Bam!
Password Guessing
• Controls: user training, check service accounts, no seasons, different starter passwords for each user
• Controls: Require multi-factor authentication for ALL external-facing systems (including Outlook!)
• Note: Even multi-factor authentication won’t save your bacon if you get phished. If there is a live person watching the harvested credentials come in, they can use your one-time token before it expires!
• Controls: Do a password strength audit
• Detection: A long shot, but you could plant fake e-mail addresses out there and look for evidence that people tried to log in using that account. Since it would never be a valid user, any attempt would be demonstrative of profiling
• Detection: Check log files for the Outlook / Exchange server and any web servers associated with it (like OWA)
• Detection: Check all log files associated with a suspect user and geo-locate them to see where they are coming from; use an IP blacklist of Tor and VPN exit addresses if you can find one
Attacks on Applications
• Look for interfaces to middleware and control panels
• Sometimes can find control panels for SQL databases
• Tomcat manager, JBoss jmx-console – often left with a default password, can be used to upload a “WAR” file to get a command shell on the server
• Web application security attacks:
• Time consuming and expensive
• Test every input field for proper server-side validation (client-side validation can simply be bypassed)
• May be able to find SQL injection – if you can find one you can dump database contents (often including passwords) and even run commands (via xp_cmdshell on SQL Server)
• See OWASP.ORG for more information
• Controls: Make sure all management ports are firewalled, all interfaces have unique passwords, test web applications for security (even if off the shelf!), require proof of third-party tests from vendors, keep dev/QA systems off the Internet!
• Controls: Never trust a developer (or perhaps “trust but verify”)
Attacks on the Inside Network – Getting On
• Need to be able to connect to the inside network
• May be able to do it remotely or from guest wireless via VPN, VDI or Remote Desktop systems with a password already known
• Plug into the pass-through port on an IP phone
• Move a printer to a small hub/wireless router and take its port
• Unmonitored but connected ports – conference rooms, lounges, library
• Guess the wireless password (or find it written on a piece of paper at the front desk)
• Crack a wireless password (with WPA/WPA2 pre-shared keys it is possible to capture a client’s four-way handshake and then run wordlist or brute force attacks offline to recover the PSK)
Attacks on the Inside Network – Getting On
• Controls: Disable pass-through ports on phones
• Controls: Keep ports unplugged until needed
• Controls: Networking mojo - use Network Access Control (NAC) systems, limit the number of MAC addresses per physical switch port, only allow known MAC addresses (requires a decent inventory)
• Controls: Make wireless passwords long and not just a simple word/number combo
• Detection: Very difficult without dedicated technology like NAC or intrusion detection. SOMETIMES you can get information from switches about which port a MAC address connected to so that you can pin it to a physical location, but this is rare
• Detection: Logs on any system that users can use to run programs, like Citrix, VMware, Remote Desktop, etc. (as these will appear to be legitimate systems from the IT point of view but could be controlled from anywhere)
Internal Attacks – Getting Started
• Once on the inside, the first thing that will happen is discovery of the network ranges in use
• Use Wireshark to sniff the network and identify IP addresses, server names and DHCP leases
• Sniff switch traffic such as the Cisco Discovery Protocol (CDP)
• Use Nmap ping sweeps to find live machines
• Use Nessus to scan live machines for known vulnerabilities
• Controls: Use very large address spaces (e.g. a /16 carved out of 10.0.0.0/8) with sparse usage, so sweeps take longer and are noisier
• Detection: Sweeps and vulnerability scans are noisy and easily caught with intrusion prevention tools
• Detection: Search logs from multiple systems at once and look at the timeline for bursts of unusual activity
Internal Attacks – AD Account Checking
• Assuming that you can’t identify systems that are vulnerable to known exploits and go directly to an exploit, you want to check Active Directory for easy passwords
• Some server configurations will let you enumerate all of the domain’s user IDs without authenticating (null sessions), but this is rarer on modern systems, so you will usually need an account
• Your first task as an attacker is to get at least one valid user ID and password, preferably for a somewhat privileged user
• This may be as simple as getting a login that is used for a cafeteria
• Use the low-privilege account to list all user IDs in AD
• Check each user ID for password = blank, same as user ID, or 1-2 simple passwords (often works for service accounts). Keep to one or two guesses per account so you stay under the lockout threshold
• Controls: No generic accounts, even if they have minimal rights. Make sure servers require authentication to list domain accounts, make sure all accounts have a password that is not blank or equal to the user ID
• Detection: Server logs! Look for more than one failed login (Windows event ID 4625) in a minute or so, or many different accounts failing from one source. This one can be found with forensics on a limited number of machines (tip: look for workstation names that don’t fit your naming convention)
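The detection the last bullet describes, failed logons clustering in a minute from one source and workstation names that do not fit, is easy to express once the events are in a structured form. The code below is an added example, not from the slides: EVENTS is a constructed set of records modelled on the fields of Windows event 4625 (account, source address, workstation name), the WS-#### naming convention is assumed, and the thresholds are starting points to tune. It separates a spray (many accounts from one source) from a burst (one account failing repeatedly, which is often just a user fumbling).

```python
"""Spot password guessing against AD from Windows failed-logon events.

Added example, not from the slides. EVENTS is a constructed set of
security-log records (fields modelled on event ID 4625: account name,
source address, workstation name); the naming convention regex and the
thresholds are assumptions to tune for your environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

FAILED_LOGON = 4625
WORKSTATION_RE = re.compile(r"^WS-\d{4}$")   # assumed corporate naming convention


def detect_guessing(events: List[Dict], window_s: int = 60,
                    min_fails: int = 2, min_accounts: int = 3) -> List[Dict]:
    """Group failed logons by source and find each source's busiest window.

    One alert per source whose busiest window_s-second window holds at least
    min_fails failures: a 'spray' if min_accounts or more distinct accounts
    were tried, otherwise a 'burst' (one user fumbling, or a targeted guess).
    """
    by_src: Dict[str, List[Dict]] = defaultdict(list)
    for ev in events:
        if ev["id"] == FAILED_LOGON:
            by_src[ev["src"]].append({**ev, "t": datetime.fromisoformat(ev["ts"])})

    alerts = []
    window = timedelta(seconds=window_s)
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["t"])
        best: List[Dict] = []
        for i, start in enumerate(fails):                  # sliding window over sorted failures
            run = [e for e in fails[i:] if e["t"] - start["t"] <= window]
            if len(run) > len(best):
                best = run
        if len(best) < min_fails:
            continue
        accounts = sorted({e["user"] for e in best})
        names = {e["ws"] for e in best}
        alerts.append({
            "src": src,
            "fails": len(best),
            "accounts": accounts,
            "kind": "spray" if len(accounts) >= min_accounts else "burst",
            "odd_workstation": any(not WORKSTATION_RE.match(n) for n in names),
            "first": best[0]["ts"],
        })
    alerts.sort(key=lambda a: -a["fails"])
    return alerts


EVENTS = [  # constructed sample log, not real data
    {"ts": "2016-10-07T09:00:01", "id": 4625, "user": "jsmith", "src": "10.1.5.23", "ws": "WS-0412"},
    {"ts": "2016-10-07T09:00:20", "id": 4624, "user": "jsmith", "src": "10.1.5.23", "ws": "WS-0412"},
    {"ts": "2016-10-07T09:05:00", "id": 4625, "user": "svc_backup", "src": "10.1.9.77", "ws": "KALI"},
    {"ts": "2016-10-07T09:05:07", "id": 4625, "user": "administrator", "src": "10.1.9.77", "ws": "KALI"},
    {"ts": "2016-10-07T09:05:14", "id": 4625, "user": "helpdesk", "src": "10.1.9.77", "ws": "KALI"},
    {"ts": "2016-10-07T09:05:21", "id": 4625, "user": "printer", "src": "10.1.9.77", "ws": "KALI"},
    {"ts": "2016-10-07T09:05:28", "id": 4625, "user": "abrown", "src": "10.1.9.77", "ws": "KALI"},
    {"ts": "2016-10-07T09:10:00", "id": 4625, "user": "mjones", "src": "10.1.5.40", "ws": "WS-0199"},
    {"ts": "2016-10-07T09:10:40", "id": 4625, "user": "mjones", "src": "10.1.5.40", "ws": "WS-0199"},
]

if __name__ == "__main__":
    for a in detect_guessing(EVENTS):
        print(f"{a['kind']:5} from {a['src']} ({a['fails']} fails, "
              f"{len(a['accounts'])} accounts, odd workstation: {a['odd_workstation']})")
```

With the defaults, the sample yields a spray from 10.1.9.77 (five accounts in 28 seconds, from a workstation named KALI) and a burst from 10.1.5.40 (mjones twice in 40 seconds); the single typo from WS-0412 never reaches the threshold. On a real domain, pull 4625 from the domain controllers rather than from each workstation.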
Fake AP Wireless Attacks
• Can use the “fake Access Point” wireless attack
• Many Windows systems remember APs they have connected to and constantly send probe requests looking for them
• The fake AP sees these probes and impersonates a previous AP such as a coffee shop so the client will connect to it (only works for open access points, not WPA, etc.)
• Once connected, the attacker can view traffic to get passwords (if unencrypted HTTP, Telnet, etc.)
• Use a look-alike “captive portal” to get the user to type in a password
• Can also manipulate what is seen by modifying traffic
• Fake AP attacks can also be useful to get onto Ethernet, as many machines allow both to be connected at once
• Controls: Don’t let Windows “remember” previous open access points, disable the wireless adapter when plugged into Ethernet
• Detection: Modern wireless systems can detect “rogue access points”, but in densely populated areas this is worthless because there are too many – may require a laptop walk-through looking for strong signals
Attacking Name Resolution: Responder.py
• If you can’t get that first user ID, you can attack systems with misconfigured name resolution
• Responder.py is demonstrative of this attack:
• The issue occurs when machines are not properly configured for the local name resolution system (DNS)
• Windows tries to resolve names like SERVER1 or cnn.com
• If the machine cannot resolve the name using DNS, it falls back to LLMNR and NetBIOS Name Service, which are *multicast/broadcast* on the local network segment
• Any machine that sees the broadcast may respond “that’s me”, and hence get the victim to connect to it and the malicious processes it is running (like Responder.py)
• Common for IT people who like to set up their own machines, since they are too cool to accept restrictive group policy
Attacking with Responder.py
• Works especially well for systems that are not domain joined, such as those owned by IT admins and guests
• The best attack is to pretend to be wpad.organization.org and serve up a proxy auto-config (PAC) file
• The PAC file lists the attacker as the proxy to use for Internet browsing, hence we can man-in-the-middle all web traffic
• Responder lets us do things like pop up authentication windows in order to access web servers, log user IDs and passwords (or capture NTLM challenge/responses to crack offline), and even modify HTML on the fly to inject executables, etc.
• Controls: Make sure that you have a WPAD entry defined in the correct DNS zone (or turn off automatic proxy detection) so that machines don’t resort to insecure name resolution; better yet, disable LLMNR and NetBIOS over TCP/IP via Group Policy; ensure that DNS is properly configured – especially for domain joined systems and in DHCP leases; don’t let machines that aren’t properly configured onto secure networks; find “lost” machines
• Detection: IPS, network logging – probably not stored in normal log files
Attacking with Responder.py
• Example: the WPAD server (from my Responder log files)
LLMNR poisoned answer sent to this IP: 172.16.12.34. The requested name was : OFFICECUBES-015.
LLMNR poisoned answer sent to this IP: 172.16.12.34. The requested name was : wpad.
[+]WPAD (no auth) file sent to: 172.16.12.34
LLMNR poisoned answer sent to this IP: 172.16.12.34. The requested name was : isaproxysrv..
Client IP is: 172.16.12.34
LLMNR poisoned answer sent to this IP: 172.16.12.34. The requested name was : cnn
Requested URL: http://www.bing.com/search?q=cnn&src=IE-TopResult&FORM=IE10TR
Complete Cookie: _FS=mkt=en-US&NU=1; _SS=SID=D4BDAC3EFAA0459AA61EE66D4C33B36C; MUID=24A89A3984E36E6E24F79C4685FC6E88; OrigMUID=24A89A3984E36E6E24F79C4685FC6E88%2c367b40a8a956494fb9d5b3a227458330; SRCHD=D=3448476&MS=3448476&AF=IE10SS; SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20140722
Client IP is: 172.16.12.34
Windows Server Name Resolution Attacks
• From the inside, plugged into your network (or your wireless), we have other tricks like the sticky Samba:
• To do this, use a customized version of Samba (a Windows file share emulator) that is configured for this purpose
• See: http://www.foofus.net/~jmk/passhash.html for patches, or use Metasploit’s SMB capture module
• The Samba server will automatically respond to all broadcast requests for a Windows file share by clients on the network and hold up its electronic hand saying “Oh! Oh! That’s me!” (just like Responder.py)
• When the client connects, we get their NTLM challenge/response (password hash) and can then crack it
• Does tend to cause a lot of tech support calls for internal staff, as every single Windows request on that “broadcast domain” can go to our server and fail
• Controls/Detection: Same as Responder.py
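Both Responder.py and the sticky Samba above work the same way: they answer name lookups that nobody legitimately owns. That gives the defender a cheap detection that does not need an IPS: send an LLMNR query for a random name that cannot exist on your network and alert on anyone who answers it. The code below is an added example, not code from the slides, from Responder or from Samba. It assumes the RFC 4795 layout (LLMNR shares the DNS message format, UDP 5355 to multicast 224.0.0.252), parses only A-record answers, and uses a constructed canary name, transaction ID and poisoned reply so the parsing runs offline; `send_canary()` is the live version for a real segment and is not exercised here. The NetBIOS Name Service equivalent (UDP 137 broadcast) needs a different packet format and is not included.

```python
"""LLMNR canary: ask for a name that cannot exist and treat any answer as a poisoner.

Added example, not code from the slides, from Responder or from Samba.
Assumptions: LLMNR uses the DNS message layout over UDP 5355 to multicast
224.0.0.252 (RFC 4795); only A-record answers are parsed; the canary name,
transaction ID and the poisoned reply at the bottom are constructed so the
parsing runs offline. send_canary() is the live version and is not run here.
"""
import random
import socket
import struct
from typing import List, Optional, Tuple

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355
QTYPE_A, QCLASS_IN = 1, 1
FLAG_RESPONSE = 0x8000


def encode_name(name: str) -> bytes:
    """DNS-style label encoding: length-prefixed labels, zero terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(data: bytes, offset: int) -> Tuple[str, int]:
    """Decode labels at offset, following one compression pointer if present."""
    labels: List[str] = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if (length & 0xC0) == 0xC0:                        # DNS-style pointer (2 bytes)
            ptr = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            tail, _ = decode_name(data, ptr)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name: str, txid: int) -> bytes:
    """One LLMNR A question; header fields: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_poisoned_reply(query: bytes, ip: str, ttl: int = 30) -> bytes:
    """Shape of what a poisoner returns: same ID, response flag, one A record for itself."""
    txid = struct.unpack_from("!H", query, 0)[0]
    question = query[12:]                                  # question section copied verbatim
    header = struct.pack("!HHHHHH", txid, FLAG_RESPONSE, 1, 1, 0, 0)
    answer = b"\xC0\x0C"                                   # pointer to the name at offset 12
    answer += struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def parse_reply(data: bytes) -> dict:
    """Header, question names and A-record answers of an LLMNR message."""
    txid, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", data, 0)
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = decode_name(data, offset)
        offset += 4                                        # skip QTYPE and QCLASS
        questions.append(qname)
    for _ in range(an):
        aname, offset = decode_name(data, offset)
        atype, _, _, rdlen = struct.unpack_from("!HHIH", data, offset)
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if atype == QTYPE_A and rdlen == 4:
            answers.append((aname, socket.inet_ntoa(rdata)))
    return {"txid": txid, "is_response": bool(flags & FLAG_RESPONSE),
            "questions": questions, "answers": answers}


def poisoner_from_reply(canary: str, txid: int, data: bytes) -> Optional[str]:
    """IP a responder claims for our canary name, or None if the packet is not an answer to us."""
    reply = parse_reply(data)
    if reply["txid"] != txid or not reply["is_response"]:
        return None
    for aname, ip in reply["answers"]:
        if aname.lower() == canary.lower():
            return ip
    return None


def send_canary(timeout: float = 2.0) -> Optional[str]:
    """Live check (needs a LAN): nobody owns the canary name, so any answer is a poisoner."""
    canary = "canary-%08x" % random.getrandbits(32)
    txid = random.getrandbits(16)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(canary, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:
            data, (src, _) = sock.recvfrom(1024)
            claimed = poisoner_from_reply(canary, txid, data)
            if claimed:
                return f"{src} answered for {canary}, claiming {claimed}"
    except socket.timeout:
        return None
    finally:
        sock.close()


# Offline demonstration with a constructed poisoned reply (the shape Responder sends back).
CANARY, TXID = "canary-deadbeef", 0x1234
QUERY = build_query(CANARY, TXID)
POISONED = build_poisoned_reply(QUERY, "172.16.12.99")

if __name__ == "__main__":
    print("poisoner:", poisoner_from_reply(CANARY, TXID, POISONED))
```

A Windows host legitimately answers LLMNR only for its own name, so a fresh random canary should draw silence; run `send_canary()` from a box on each user VLAN on a schedule and page on any non-None result. The transaction ID check matters because a poisoner that replies to everything will also answer other hosts' queries that your socket may see.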
Internal Penetration and Pivoting
• Once I get a user ID and password, I start looking to see what this account will get me into – usually this is a large chunk of workstations (if not all workstations, if not all Windows systems, if not all systems)
• Scan all Windows machines with Medusa to see if I can log in. If I can, I can browse around the machine (as is the case when “Domain Users” has been added to a local group on domain members)
• If I have local administrator access (“Domain Users” added as a member of local Administrators), we dump the local password hashes and session tokens
• This allows me to get the credentials of every user that has a password cached on the machine, or that has a local account (often a service account or domain admin)
• I then use THOSE accounts to scan each machine in the environment and repeat the process, until I finally find a cached credential for a domain administrator
Internal Penetration and Pivoting
• Then I crack that hash and use the account to pull data from a domain controller for analysis, using a volume shadow copy to grab NTDS.DIT (the Active Directory database) and the SYSTEM hive needed to decrypt it
• Once we have pulled the passwords from the domain controller, we run them through a password cracker in order to create statistics on how long it takes to crack the passwords
• Compare the “average” organization with the target for time to crack
• Identifies the most common passwords and where they are in use
• Useful for identifying very bad passwords very quickly; often these are used to get into yet more systems
• In penetration tests, these passwords are not used only on Windows machines but on SQL databases, network devices, appliances, physical security systems, etc.
• Find exceptions to the password complexity rules
• Often find leftover account provisioning passwords (changeme)
Example Trust Relationship Compromise
Internal Penetration and Pivoting (East/West)
• Controls:
• Don’t allow local administrator rights for users
• Add individual domain user accounts as local machine users, not “Domain Users”
• Don’t use the same local administrator password in more than one place (painful, but Microsoft LAPS makes it manageable)
• Don’t use the same admin password for more than one type of system (e.g. AD and Cisco and SQL)
• Don’t log on to workstations with domain admin accounts unless absolutely necessary (use split-admin roles)
• Enable workstation firewalls and network segmentation so I can’t connect and pull the data in the first place
• Detection: Have an alarm set so you get a text or e-mail every time a new domain admin is made
• Detection: Workstation logs showing login attempts (will require a lot of log pulling if you don’t have a SIEM or IPS)
Random Passwords, Random Places
• Another common mistake of organizations is a failure to accurately identify their sensitive information and handle it appropriately from “cradle to grave”
• Once I get a domain user account password (or preferably a domain admin account), one of the first things I do is connect to the organization’s various file shares and search for all files containing the word ‘password’
• Inevitably, I will find passwords for various internal systems, scripts and batch files that get run automatically, passwords used for testing, passwords for vendors or service accounts, text files or spreadsheets with users’ personal passwords to Gmail and such
• Approximately 50% of the time I can find a password for the organization; about 25% of the time it is an admin password
• Searching through e-mail – amazing what people put in there
• Often allows escalation (to banking, DNS/SSL providers, etc.)
Random Passwords, Random Places
• Controls: Training!
• Controls: Use a password safe so you can safely store your passwords
• Controls: Log in as admin, do a keyword search for all files containing the word password. Weep.
• Detection: A lot of file activity from one host? (the search will be reading every bit of every file on the servers)
• Detection: Alerts if an account tries to access too many denied file shares? (often a search will just be pointed at the “user” or “group” drive root, since the attacker doesn’t want to do each directory individually)
Messing with IT Administrators
• IT admin workstations are useful to hack!
• They don’t like doing things the same way as everyone else (for example having a domain joined computer)
• Install a key logger and then complain about the firewall (so the admin logs in everywhere while the key logger watches)
• Look for device configuration backup files (especially Cisco routers and switches that use the easily decoded “password type 7” format)
• Look for saved passwords in programs like PuTTY or WinSCP. We may not be able to reveal the password, but we can often change the saved session’s IP address to our own and change it from SSH to Telnet, then sniff the traffic as it connects to our system to get the password in the clear
• Proxy through their workstation to get to restricted networks
• Review documentation, work notes, etc. for passwords
• Controls: Make IT admin workstations AT LEAST as secure as everyone else’s, don’t store backups with passwords in them, don’t cache passwords in Windows or Office documents (use a password safe)
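“Easily decoded” is literal for Cisco type 7: it is reversible obfuscation, not hashing, and the point of the control above is that a config backup lying on an admin workstation is as good as a plaintext password file. The script below is an added example, not from the slides: it implements the widely documented type-7 scheme (a two-digit seed index, then each byte XORed with a fixed 40-character key) in both directions and walks a constructed IOS config excerpt to list every type-7 secret with its line number. Use it to audit your own backups; anything it finds should be moved to `enable secret` / type 8 or 9 secrets or a central AAA server.

```python
"""Find and decode Cisco IOS 'password 7' strings in a configuration backup.

Added example, not from the slides. The type-7 scheme (two-digit seed
index, then each byte XORed with a fixed key string) is widely documented
and XLAT is the standard key; CONFIG is a constructed excerpt.
"""
import re
from typing import Dict, List

XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"
TYPE7_RE = re.compile(r"\b(?:password|key)\s+7\s+([0-9A-Fa-f]{4,})")


def decode_type7(encoded: str) -> str:
    """Reverse the type-7 obfuscation: the seed selects the key offset, then XOR per byte."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("not a type-7 string: %r" % encoded)
    seed = int(encoded[:2])
    if not 0 <= seed <= 15:                      # IOS only generates seeds 0-15
        raise ValueError("seed out of range: %r" % encoded)
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body))
    return plain.decode("ascii")


def encode_type7(plaintext: str, seed: int = 6) -> str:
    """The forward direction, useful to prove the round trip."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0-15")
    raw = plaintext.encode("ascii")
    body = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(raw))
    return "%02d%s" % (seed, body.hex().upper())


def scan_config(text: str) -> List[Dict[str, object]]:
    """Every type-7 secret in a config, with its line number and recovered plaintext."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = TYPE7_RE.search(line)
        if m:
            findings.append({"line": lineno, "text": line.strip(),
                             "plaintext": decode_type7(m.group(1))})
    return findings


# Constructed config excerpt; the two type-7 strings are the well-known test vectors for "cisco".
CONFIG = """\
hostname core-sw-01
enable secret 5 $1$salt$placeholderhash
username admin password 7 060506324F41
line vty 0 4
 password 7 0822455D0A16
 login
"""

if __name__ == "__main__":
    for f in scan_config(CONFIG):
        print(f"line {f['line']}: {f['text']}  ->  {f['plaintext']}")
```

Note that `enable secret 5` (MD5-crypt) on line 2 is correctly left alone; only the `password 7` lines are reversible.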
Connect to Everything!
• Make a list of all the Telnet, SQL, FTP, web interfaces, etc. found during port and Nessus scanning
• Connect to each of them and find out what they are for – a good way to find interesting services on random ports
• Research the product on the Internet – what is the default password? Try it!
• This has gotten us into countless APC power devices, video surveillance systems, SAN/NAS devices, etc.
• Multi-Function Printer (MFP) devices are especially interesting if they have an LDAP connection to AD for scan-to-home-folder functionality – we have found many devices with default admin credentials but with configured LDAP credentials that we could steal to get domain access
• SQL databases are also interesting, often have no or stupid passwords – users often don’t even know they are there
Logging and Incident Response
• Many organizations do not have formal oversight of information security (i.e. a group that meets regularly to talk about security risks, track findings and tasks, etc.)
• Most organizations do not have a good logging system, let alone a way to use log data proactively to identify abuse
• While some organizations do have an incident response plan, many don’t, and those that do often have one that isn’t terribly good
• The most effective way to catch a hacker is a combination of technology (logging systems) and human oversight (someone to tune and monitor the systems)
• Unannounced penetration tests are useful for testing staff
• Consider the following hierarchy of logging – each level assumes all of the levels below it
Lachniet’s Hierarchy of Logging
Logging and Incident Response
• Even basic logging, provided it is stored off-device and includes minimal information such as IP addresses, ports, administrative actions, etc., is better than nothing
• Can then be used in the event that you have a particularly nasty incident that involves fraud, pornography, etc.
• Example: Simply getting an e-mail any time a user is added to “Domain Admins” or “Enterprise Admins”
• Example: Getting a list of all new user adds and having helpdesk staff tie these back to a specific ticket so they can see if they are all legitimate
• Example: Logins to Internet-facing systems (from other countries, from multiple simultaneous locations, during odd hours when the user should be sleeping or on-site, etc.)
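The last example above (one account logging in from two places that a human could not travel between) is the one that catches a phished password being used from abroad while the real user is at their desk. The code below is an added example, not from the slides. It assumes each login to an Internet-facing system has already been geolocated (latitude/longitude from whatever GeoIP database you use); LOGINS, the coordinates and the 900 km/h threshold are constructed/assumed. It compares each user's consecutive logins and flags any pair whose implied speed is impossible, treating two logins in the same second from distant places as simultaneous.

```python
"""Impossible-travel check for logins to Internet-facing systems.

Added example, not from the slides. It assumes each login record already
carries the latitude/longitude your GeoIP lookup produced for the source
address; LOGINS and the coordinates are constructed, and MAX_KMH is an
assumed threshold (about airliner speed).
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List

EARTH_RADIUS_KM = 6371.0
MAX_KMH = 900.0          # faster than this and one person cannot have done both logins
MIN_KM = 50.0            # ignore jitter between nearby GeoIP points


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in km."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logins: List[Dict], max_kmh: float = MAX_KMH) -> List[Dict]:
    """Compare each user's consecutive logins; flag pairs whose implied speed is absurd."""
    alerts = []
    by_user: Dict[str, List[Dict]] = {}
    for rec in logins:
        by_user.setdefault(rec["user"], []).append(rec)
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])                    # ISO timestamps sort as strings
        for prev, cur in zip(recs, recs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < MIN_KM:
                continue
            delta = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
            hours = delta.total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")   # same second: "simultaneous" logins
            if kmh > max_kmh:
                alerts.append({"user": user, "from": prev["city"], "to": cur["city"],
                               "km": round(km), "hours": round(hours, 2), "kmh": round(kmh)})
    return alerts


# Constructed sample: jsmith cannot be in Madison and Moscow 45 minutes apart.
LOGINS = [
    {"user": "jsmith", "ts": "2016-10-07T08:05:00", "src": "203.0.113.10", "lat": 43.07, "lon": -89.40, "city": "Madison"},
    {"user": "jsmith", "ts": "2016-10-07T08:50:00", "src": "198.51.100.7", "lat": 55.75, "lon": 37.62, "city": "Moscow"},
    {"user": "abrown", "ts": "2016-10-07T09:00:00", "src": "203.0.113.22", "lat": 43.07, "lon": -89.40, "city": "Madison"},
    {"user": "abrown", "ts": "2016-10-07T18:30:00", "src": "192.0.2.55", "lat": 41.88, "lon": -87.63, "city": "Chicago"},
]

if __name__ == "__main__":
    for a in impossible_travel(LOGINS):
        print(f"{a['user']}: {a['from']} -> {a['to']}, {a['km']} km in {a['hours']} h = {a['kmh']} km/h")
```

Expect noise from VPN exits and mobile carriers whose GeoIP point jumps between cities; whitelist your own VPN ranges and raise MIN_KM before paging anyone, and pair this with the Tor/VPN exit blacklist mentioned earlier.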
Physical Security and Social Engineering
• Did a combo framework assessment (policy) and penetration test for a large religious organization
• Requested some physical security review, in particular whether we could get onto a certain floor and steal PHI
• I wasn’t assigned to the physical security project, but I was walking in with a co-worker to check in on the first day
• Saw that we were in an elevator with a number of badged employees and asked “hey, do you guys know where the big printer on floor #6 is? I’m told it keeps sticking and malfunctioning and I was sent to fix it” (there is always a misbehaving big printer somewhere)
• Staff badged me in and showed me the mail room and printer
• Got a cup of coffee, made myself at home…
• About 15 minutes later…
Physical Security and Social Engineering
• The same types of attacks are happening over the phone (i.e. the “Microsoft Technical Support” calls) and are obviously happening through e-mail, and we are bad at defense!
• Conducting targeted SE engagements can give you a better read on employee awareness, complemented by service-based learning and phishing platforms for long-term awareness
Training and Testing
• You can never get too much security training
• Consider using an LMS and make sure that all users take it (get a nasty-gram from H.R. if they don’t)
• Send your IT people to decent training
• Use real-world phishing exercises to make the point
• Scan your own stuff, regularly
• Periodically contract real red team / penetration tests (try to make sure they don’t suck first)
• Get practice and procedure reviews to help prioritize funding and prioritize over multiple years
• Test your people and test your tools; you need both!
Product Integration
• All of the things I have mentioned are fairly basic, simple things to do, most of which are low cost (except politically)
• We can further reduce our residual risk through leading-edge security products, particularly if used correctly:
• Log the heck out of everything
• Identify odd executables in traffic, “detonate” them in a sandbox and alert
• Content filters that can proxy HTTPS traffic (and especially identify unusual traffic afterwards)
• Good workstation software that can block most known attacks (application whitelisting if you can manage it!)
• Web filtering at the office and on the road
• Filtering through protected DNS servers
• Multi-factor authentication
• System inventory and patching software
Q&A / Discussion
Thank You!