CORPORATE ESPIONAGE James McFadyen and Jacolon Walker (jtm) (disable)
Outline • Part I: Intro • Corporate Espionage, Corporate Attitude • Part II: Enterprise Security Technology • The different technology • Part III: Evasion techniques • Can’t stop me!
Part I Introduction
“Corporate Espionage” • Not really, but… • Focuses on technology found in real business environments. • Considers the human element - the security analyst. • Discusses techniques used by attackers to evade detection and compromise protected networks. • This is NOT comprehensive – the purpose is to introduce the concepts.
Corporate Attitude • Motivating factor for security is not security itself! • Business Continuity - $$$ • Compliance – PCI / HIPAA etc… • Management and executives do care about security, but things are often ignored if it does not directly affect their revenue stream or cause some compliance violation. • This fact is useful for attackers – comprehensive security is VERY difficult.
S.O.C • Security Operations Center • Comprised of analysts who monitor for attacks in real time for scans, attacks, compromises, policy violations and infections. • 24/7 • Research and create signatures and policies for client networks • MSSP (Managed Security Service Provider) • Have many clients who outsource their security needs to the S.O.C
Part ii Enterprise Security Technology
Firewall • Software or hardware based • Controls incoming / outgoing network traffic • Firewalls today can handle routing / NAT • Hardware firewalls generally sit at network perimeter • Stateful packet inspection: • Maintain information and context in a session • Stateless packet inspection: • Simpler filtering, does not keep track of active session • Rules define which traffic gets accepted and rejected. • Usually the first line of defense.
Firewall • Hardware examples: • Cisco ASA • SonicWALL • Watchguard • Software examples: • pf • iptables • Windows Firewall
IDS / HIDS • IDS: Intrusion Detection System • HIDS: Host based Intrusion Detection System • Appliance (software or hardware) that detects malicious traffic, or any traffic violating the defined policies. • Use keyword matching or content matching • Searching for something specific within a packet or session • Can also use regular expression matching in payload • Ex: content:"sEleCt"; pcre:"/^INSERT INTO/" • Analyst would see the alerts based on priority • False positives
IDS / HIDS • IDS • Snort • Suricata • HIDS • OSSEC
IPS • Intrusion Prevention System • Similar to IDS, but also attempts to prevent the traffic from passing through the device. • Rule / Signature based • Like a firewall, the packets will be dropped. • Rules and signatures are more complex than that of a firewall.
IPS • Sourcefire • TippingPoint • McAfee IPS • Fortinet • Secureworks
Web Application Firewall • Software or hardware • Plugins or filters • Applies to HTTP sessions • Some vendors can handle HTTPS • Checks for web attacks such as XSS and SQL Injection • Content matching, regular expressions
Web Application Firewall • Blue Coat • Barracuda • Trustwave • Imperva
Log Analysis • Dynamic or static • Great forensics tools, but can be difficult to find security events in real time. • Regular expression searches • Keyword searches • Solution such as Splunk can allow analyst to search for events easily. • Pulls from logs, not network traffic • Splunk
S.I.E.M • Security Information & Events Management • Normalizes and correlates network traffic to identify security events and reduce false positive • Pulls in log data from multiple types of devices • Identifies common attributes and associates different events where applicable • Alerts on actionable security events • Helpful in compliance reporting • Set complex rules to define expected behavior of a network.
S.I.E.M • HAWK eyeCon • Nitro Security • ArcSight • RSA enVision • Q1 Labs
Part III Evasion Techniques
Tools • Useful tools: • hping3, firewalk, nmap, custom tools (scapy is great!), netcat, tcpdump, wireshark, fragroute • … so you discovered a firewall, now what?
Evasion: Basics • Firewalls will drop packets that do not adhere to protocol specification • Ex: Sending a SYN ACK without first sending SYN is not how TCP works! • Tools like “xprobe” can be used to detect operating systems behind a firewall by using the TCP / UDP / ICMP protocols. This is ‘fingerprinting’. • Firewalls behave differently! • Firewalking: • Send TCP / UDP / ICMP packets and examine response • Window size, sequence numbers, type encode, etc…
TCP Header
struct tcpheader {
    unsigned short int th_sport;   /* source port */
    unsigned short int th_dport;   /* destination port */
    unsigned int th_seq;           /* sequence number */
    unsigned int th_ack;           /* acknowledgement number */
    unsigned char th_x2:4,         /* unused (reserved) */
                  th_off:4;        /* data offset, in 32-bit words */
    unsigned char th_flags;        /* FIN, SYN, RST, PSH, ACK, URG ... */
    unsigned short int th_win;     /* window size */
    unsigned short int th_sum;     /* checksum */
    unsigned short int th_urp;     /* urgent pointer */
}; /* total tcp header length: 20 bytes (=160 bits) */
UDP Header
struct udpheader {
    unsigned short int uh_sport;   /* source port */
    unsigned short int uh_dport;   /* destination port */
    unsigned short int uh_len;     /* length of header + data */
    unsigned short int uh_check;   /* checksum */
}; /* total udp header length: 8 bytes (=64 bits) */
ICMP Header
struct icmpheader {
    unsigned char icmp_type;       /* message type (echo request, unreachable, ...) */
    unsigned char icmp_code;       /* sub-type within the type */
    unsigned short int icmp_cksum; /* checksum */
    /* The following data structures are ICMP type specific */
    unsigned short int icmp_id;    /* identifier (echo) */
    unsigned short int icmp_seq;   /* sequence number (echo) */
}; /* total icmp header length: 8 bytes (=64 bits) */
Evasion: Scan Techniques • Different Types of scans will produce different results • XMAS scan: FIN PSH URG flags set on TCP segment. • NULL scan: TCP flags are set to all 0 • FIN scan: FIN flag set on TCP segment • ACK scan: ACK flag set on TCP segment • SYN scan: SYN flag set • SYN ACK: SYN ACK flag set • FTP Bounce: uses another host to act as proxy • Zombie Scan: Use idle host on a network to hide real source address
Evasion: Scan Techniques • Specify different source port • Some poorly configured systems may block packets from a certain source port • Default UNIX based firewalls can be bypassed with an XMAS or a NULL scan. • Inverted Technique – crafting malformed TCP packets • Closed ports will respond with RA (Reset Acknowledge) – RFC793
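Added example (not part of the slides): a small Python parser for the 20-byte TCP header laid out above, plus a classifier that labels a segment's flag byte with the scan type named on the scan-technique slides, which is the kind of check an analyst's triage script or IDS rule would perform. All sample segments are constructed in the code, not captured traffic.

```python
import struct

# TCP flag bits as they sit in th_flags of the 20-byte header on the slide
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# Flag combinations named on the slides; anything else is treated as ordinary traffic
SCAN_TYPES = {0: "NULL", FIN | PSH | URG: "XMAS", FIN: "FIN", SYN: "SYN", SYN | ACK: "SYN-ACK", ACK: "ACK"}

def parse_tcp_header(data):
    """Unpack the fixed 20-byte TCP header (network byte order, same fields as struct tcpheader)."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_x2, flags, win, csum, urp = struct.unpack("!HHIIBBHHH", data[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (off_x2 >> 4) * 4,  # th_off is the high nibble on the wire, in 32-bit words
        "flags": flags, "window": win, "checksum": csum, "urgent": urp,
    }

def classify_scan(flags):
    """Map a TCP flag byte to the scan type named on the slides (None = not a bare probe)."""
    return SCAN_TYPES.get(flags & 0x3F)  # mask off the ECN bits (CWR/ECE)

def build_tcp_header(sport, dport, flags, seq=0, ack=0, win=1024):
    """Constructed sample segment: 20-byte header, data offset 5, checksum left at zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, win, 0, 0)

# Constructed probes as a sensor might see them (constructed, not captured traffic)
SAMPLES = {
    "xmas": build_tcp_header(40000, 80, FIN | PSH | URG),
    "null": build_tcp_header(40001, 80, 0),
    "syn": build_tcp_header(40002, 80, SYN),
    "synack": build_tcp_header(80, 40002, SYN | ACK, ack=1),
    "psh_ack": build_tcp_header(40003, 80, PSH | ACK),  # ordinary data segment, not a scan
}

def classify_all(samples=SAMPLES):
    """Parse every sample and label it."""
    return {name: classify_scan(parse_tcp_header(raw)["flags"]) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, kind in classify_all().items():
        print(f"{name:8s} -> {kind}")
```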
Evasion: Fragmentation • Can be used to bypass Firewalls, IDS • Can also cause Denial of Service by exhausting resources • IP packet has a MTU (maximum transmission unit) that is smaller than the MTU of the current network it is traversing. • Can occur on ANY router the packet travels through • Destination host will reassemble the packet
Evasion: Fragmentation • Fragments of packets must include: • Fragment ID # (IP ID) • Offset (multiple of 8 bytes) • Length of the data • MF flag – more fragments
Evasion: Fragmentation • Fragment Offset • Fragment offset field maximum = 8191 (13 bits) • Max IP packet = 65535 bytes • Fragment offset * 8 = real offset
Evasion: Fragmentation • Sample tcpdump output ping.com > myhost.com: icmp: echo request (frag 21223:1480@0+) ping.com > myhost.com: (frag 21223:1480@1480+) ping.com > myhost.com: (frag 21223:1480@2960)
Evasion: Fragmentation • Protocol header found in first fragment • Stateful packet filtering sees all fragments as one packet • Stateless sees each individually • Packet can have DF (don’t fragment) flag set, which tells routers that it cannot be fragmented. • Routers will respond with “unreachable – need to frag” message if DF flag is set and it needs to be fragmented. • ICMP error message returns MTU of the network which is useful in Path MTU discovery. • Can leverage this to discover MTU of a network • router.ru > mail.mysite.ru: icmp: host.ru unreachable – need to frag (mtu 308) (DF)
Evasion: Fragmentation • Fragment packets with nmap: • nmap -f host • Specify MTU with nmap (size must be a multiple of 8) • nmap --mtu <size> host
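Added example (not part of the slides): a Python checker that parses tcpdump fragment notation like the sample output above (frag ID:length@offset, with a trailing + for the MF flag) and applies the reassembly sanity checks a stateful filter or IDS performs: offset alignment, the 13-bit offset range, the 65535-byte limit, gaps, overlaps and a missing final fragment. The ping.com lines are the slide's sample; the evil.test lines are constructed to show an overlapping fragment.

```python
import re
from collections import defaultdict

# tcpdump fragment notation: (frag ID:len@offset[+])  where '+' means More Fragments (MF) is set
FRAG_RE = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")
MAX_IP_PACKET = 65535
MAX_OFFSET = 8191 * 8  # 13-bit offset field, counted in 8-byte units

def parse_frag_lines(lines):
    """Group (length, offset, more_fragments) tuples by IP ID."""
    frags = defaultdict(list)
    for line in lines:
        m = FRAG_RE.search(line)
        if m:
            ip_id, length, offset, more = m.groups()
            frags[int(ip_id)].append((int(length), int(offset), more == "+"))
    return frags

def check_fragments(frags):
    """Return the problems found while reassembling one datagram's fragments (empty list = clean)."""
    problems = []
    ordered = sorted(frags, key=lambda f: f[1])
    expected = 0  # next byte offset a well-formed fragment chain should continue at
    for length, offset, more in ordered:
        if offset % 8 or offset > MAX_OFFSET:
            problems.append(f"bad offset {offset} (must be a multiple of 8, at most {MAX_OFFSET})")
        if offset + length > MAX_IP_PACKET or (more and length % 8):
            problems.append(f"bad length {length} at offset {offset} (overrun or non-final not multiple of 8)")
        if offset < expected:
            problems.append(f"fragment at {offset} overlaps previous data (ends at {expected})")
        elif offset > expected:
            problems.append(f"gap between {expected} and {offset}")
        expected = max(expected, offset + length)
    if not ordered or ordered[-1][2]:
        problems.append("no final fragment (MF clear) seen")
    return problems

# Constructed sample lines in the tcpdump style shown on the slide
SAMPLE = [
    "ping.com > myhost.com: icmp: echo request (frag 21223:1480@0+)",
    "ping.com > myhost.com: (frag 21223:1480@1480+)",
    "ping.com > myhost.com: (frag 21223:1480@2960)",
    "evil.test > myhost.com: (frag 777:24@0+)",
    "evil.test > myhost.com: (frag 777:40@16)",  # overlaps the 24 bytes already delivered at 0
]

def report(lines=SAMPLE):
    """Run the checks over every IP ID seen in the lines."""
    return {ip_id: check_fragments(f) for ip_id, f in parse_frag_lines(lines).items()}
```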
Evasion: Source Routing • Loose Source Routing: • Use any intermediate gateway • This will cause different source IP which could potentially be whitelisted (trusted device). • Strict Source Routing: • Defining your own route for a network • Need to be on directly connected network
Evading Snort Rules • Simple case: • A rule exists to pick up certain user agent • Simply change user agent.
Snort Example Signatures
# jwalker
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WORM AirOS admin.cgi/css Exploit Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/admin.cgi/"; http_uri; fast_pattern:only; content:".css HTTP/1."; http_raw_header; content:"Content-Type|3A| multipart/form-data"; http_header; reference:url,seclists.org/fulldisclosure/2011/Dec/419; classtype:trojan-activity; sid:2014041; rev:2;)
# jwalker
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DNS Query to msnsolution.nicaze.net"; content:"msnsolution|06|nicaze|03|net"; offset:12; fast_pattern; reference:md5,89332c92d0360095e2dda8385d400258; sid:10000500; rev:1;)
# jwalker
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET LOIC Javascript DDoS Inbound"; flow:established,to_server; content:"GET /?id="; nocase; pcre:"/[0-9]{13}/"; content:"&msg="; nocase; detection_filter:track by_src, count 100, seconds 60; reference:url,isc.sans.org/diary/Javascript+DDoS+Tool+Analysis/12442; reference:url,www.wired.com/threatlevel/2012/01/anons-rickroll-botnet; classtype:attempted-dos; sid:10000101; rev:1;)
# jwalker
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET LOIC Javascript DDoS Outbound"; flow:established,from_client; content:"GET /?id="; nocase; pcre:"/[0-9]{13}/"; content:"&msg="; nocase; detection_filter:track by_src, count 100, seconds 60; reference:url,isc.sans.org/diary/Javascript+DDoS+Tool+Analysis/12442; reference:url,www.wired.com/threatlevel/2012/01/anons-rickroll-botnet; classtype:attempted-dos; sid:10000102; rev:1;)
# jwalker
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"Combat Arms UDP DDoS"; detection_filter:track by_src, count 10, seconds 30; dsize:1024<>2048; sid:10000103; rev:1;)
# jwalker
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN FHScan core User-Agent Detect"; flow:to_server,established; content:"FHScan Core 1."; http_header; reference:url,www.tarasco.org/security/FHScan_Fast_HTTP_Vulnerability_Scanner/index.html; classtype:attempted-recon; sid:2014541; rev:4;)
# jwalker
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Session_Id length greater than Client_Hello Length)"; flow:to_server,established; content:"|16 03 00|"; depth:3; content:"|01 00 00 33 03 00|"; distance:2; within:6; byte_test:1,>,51,32,relative; reference:md5,a01d75158cf4618677f494f9626b1c4c; classtype:trojan-activity; sid:2014634; rev:3;)
Snort Rule Example • Sample w3af signature: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN w3af User Agent"; flow: established,to_server; content:"User-Agent|3a| w3af.sourceforge.net"; http_header; fast_pattern:only; reference:url,w3af.sourceforge.net; reference:url,doc.emergingthreats.net/2007757; classtype:attempted-recon; sid:2007757; rev:12;) • Rule header (envelope): alert – the action (alert, log, passive); tcp – the protocol; $EXTERNAL_NET any – source address and port (usually defined as any), i.e. anything coming inbound; -> $HTTP_SERVERS $HTTP_PORTS – to our servers that are defined, on their ports • msg (message tag) – defines what the signature name is (the alert that pops up) • Rule body (the options that follow msg) – what to look for
Snort Rule Example • Other tags – flow, content, reference, classtype, sid, rev • Classtype – different classes lump together alerts of similar priorities • sid: (signature ID) – can track signature through their life cycle on Emerging Threats or through Sourcefire. “rev” is the revision number for the signature ID. • Need to understand the HTTP headers!!
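Added example (not part of the slides): a Python walk-through of the w3af rule above that splits the header (envelope) from the option list, decodes |hex| escapes such as |3a| in content strings, and then applies the content matches to a constructed HTTP request, once with the scanner's default User-Agent and once with it changed. It is a simplified illustration of the matching Snort performs, not Snort's own engine; the three-option window used to find a nocase modifier is an assumption for brevity.

```python
import re
# The w3af signature from the slide (Emerging Threats sid 2007757)
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN w3af User Agent"; '
        'flow: established,to_server; content:"User-Agent|3a| w3af.sourceforge.net"; http_header; '
        'fast_pattern:only; reference:url,w3af.sourceforge.net; reference:url,doc.emergingthreats.net/2007757; '
        'classtype:attempted-recon; sid:2007757; rev:12;)')
HEX_RE = re.compile(r"\|([0-9A-Fa-f ]+)\|")

def decode_content(s):
    """Turn a Snort content string with |hex| escapes (e.g. |3a| for ':') into raw bytes."""
    out, pos = b"", 0
    for m in HEX_RE.finditer(s):
        out += s[pos:m.start()].encode("latin-1") + bytes.fromhex(m.group(1).replace(" ", ""))
        pos = m.end()
    return out + s[pos:].encode("latin-1")

def parse_rule(text):
    """Split the rule header (envelope) from its options; ';' inside quotes is not a separator."""
    head, _, body = text.partition("(")
    action, proto, src, sport, direction, dst, dport = head.split()
    options, field, quoted = [], "", False
    for ch in body.rstrip().rstrip(")"):
        quoted = (not quoted) if ch == '"' else quoted
        if ch == ";" and not quoted:
            key, _, val = field.strip().partition(":")
            options.append((key, val.strip().strip('"')))
            field = ""
        else:
            field += ch
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}

def rule_matches(rule, payload):
    """Apply every content option (honouring a following 'nocase' modifier) to the payload bytes."""
    opts = rule["options"]
    for i, (key, val) in enumerate(opts):
        if key == "content":
            nocase = any(k == "nocase" for k, _ in opts[i + 1:i + 4])  # assumption: modifiers sit in the next 3
            pat, hay = decode_content(val), payload
            if (pat.lower() if nocase else pat) not in (hay.lower() if nocase else hay):
                return False
    return True

# Constructed requests: the scanner's default User-Agent, then the same request with it changed
SCAN_REQ = b"GET / HTTP/1.1\r\nHost: target\r\nUser-Agent: w3af.sourceforge.net\r\n\r\n"
CHANGED_REQ = b"GET / HTTP/1.1\r\nHost: target\r\nUser-Agent: Mozilla/5.0\r\n\r\n"

def demo():
    rule = parse_rule(RULE)
    return rule, rule_matches(rule, SCAN_REQ), rule_matches(rule, CHANGED_REQ)
```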
Snort Rule Example • Attacker settings: • Snort Alerts:
Snort Rules Example • User agent can be changed. • Since the rule looks for that specific User Agent, the changed request won’t be detected by that specific rule.
MS08-067 • Extremely popular. • First attempt uses a meterpreter reverse TCP payload… • Success!