Transcript of Hacking Exposed: Live 2009 - McAfee
Hacking Exposed: Live 2009
George Kurtz – SVP/GM Risk and Compliance BU
Stuart McClure – VP Operations / Strategy Risk and Compliance BU
McAfee | 04/21/09 | Session ID: HT2-105
Please Download The Most Current Slides At:
www.foundstone.com/hackingexposedrsa2009.pdf
Hacking Exposed: LIVE – RSA 2009
www.foundstone.com/hackingexposedrsa2009.zip
With Flash (.swf) file…
A little about us…
George Kurtz
• Former CEO and Co-founder of Foundstone
• Co-Author of Best-Selling Hacking Exposed and Other Security Texts
• Voted Conde Nast Most High-Maintenance Traveler of the Year by my Co-workers at McAfee
Stuart McClure
• Former President/CTO and Co-founder of Foundstone
• Lead-Author of Best-Selling Hacking Exposed, Web Hacking, HE: Windows
• Better known as: Stu “I never met a GUI I didn’t like” McClure
Agenda
The Hack
The Digital Battlefield
Countermeasures (Apply)
Summary
The Digital Battlefield
At the heart of ALL threats: When Opportunity Meets Motivation… Meets Ability…
• Bots, Botnets, DDOS networks
• Spyware, Adware, PUPs
• User-propagated viruses, Trojans, PW stealers
• Spam, mass-mailers, phishing, pharming
• Vulnerabilities, Exploits, Scripted attacks
• Targeted attacks
• PDA, cell phone, wireless
• Social Engineering
Root causes: POOR COMMON SENSE | MALICIOUS INTENT | MISUSED FUNCTIONALITY | DESIGN FLAWS
Threats: The land of opportunity…
• Misused functionality
  – File sharing
  – Usernames/passwords
  – Autorun
  – BHO
• Design flaws
  – Operating system (Windows RPC MS08-067)
  – Adobe Flash, Windows Media Player, Quicktime
  – Java
  – Web Applications
    • Google, MSN, Hotmail
  – Network
  – Database
• Malicious Intent
  – Direct/Targeted attack
  – Malware attack network ports
  – Botnets
• Poor common sense
  – Executing email attachments
    • .exe, .doc, .xls, etc.
  – Click on untrusted web links in:
    • Email
    • IM/IRC
    • Web sites (install plug-ins)
    • Texting
Digital Battlefield (diagram)
Our Mission
• Primary Goal: Complete Compromise of the PDC
• Secondary Goal: Compromise CEO Laptop
• Tertiary Goal: Sell more books the evil way!
• What we know about the network
  – Firewall with restrictive rules in place
  – Ingress: Ports 80, 443 open to the web server
  – Egress: Ports 21, 53 (TCP/UDP), 80, 443
The Hack
Cross-Site Request Forgery - CSRF
• Let’s start with selling more books!
• CSRF also known as one-click attack and session riding
• CSRF exploits the trust a user has with their browser
• Cross Site Scripting (XSS) – exploits the trust a user has with a particular site
• The following characteristics are common to CSRF:
– Site must rely on a user's identity
– Trick the user's browser into sending malicious requests to a target site
– Exploit the site's trust in that identity
– Abuse the established session – have the browser do the dirty work and pass the authentication cookie
Have to get that Amazon rank up…
• The Hacking Exposed Boys need some new Lappies!
– We can’t hack on old hardware
• Our Goal - ratchet up the Amazon.com ranking and sell some books!
• Abuse one-click “book ordering” while people visit our Hacking Exposed Blog
Digital Battlefield (diagram): CSRF, Authentication Cookie
DEMO
And the Results are in…
Drive By Shooting - Spear Phishing Style
• Email to CEO
• Obfuscate URL
• Drive by Shooting
  – IE 7 MS09-002 (Feb 09)
  – Memory Corruption Vuln
• Shovel a shell to Attack Linux port 80
• One click Attack – Download packed hack kit
• a.exe
Note: A real attack would download a Bot/trojan/rootkit,etc
Digital Battlefield (diagram): Phish Website, Evil Payload, Remote Shell (443)
DEMO
Inflicting Some Damage on Windows
• Enumerate PDC
• Dump local hashes
• Dump Windows Zero Config
• Life is good!
DEMO
First You Steal the Hash – Then You Steal the Cash
• Password hashes are password equivalents
• So… why can’t we simply use the hash as the password?
• Load password hash of target account into memory on our compromised system
• We “become” the target account
– Beats trying to crack passwords!
Passing Hash
• There is no need to crack the password!
• This process was developed by folks at Foundstone and never publicly released
• Recently publicly available code has been released by Marcus Murray at Trusec.de
Passing Hash
I want my Hash - Goal: Gain Access To Sensitive Shares on the PDC
• We compromise one server/workstation using a remote/local exploit
• We extract logged on hashes and find a domain admin or other user account hashes
• We use the hash to log on to a domain controller or other target system
• If an Active Directory database is compromised, the attacker can now impersonate any account in the domain
Digital Battlefield (diagram): Evil Payload, Remote Shell (443), Passed Hash, Remote Shell (backupadmin) 80
DEMO
Where Did Mr. CEO Go?
• Oops the CEO has just left the building!
25,000  25,001
There’s an App for Pwning Too!
The fastest way to Pwn Windows
iPhone Pwnage
• Shell out
• Ping PDC
• Nmap PDC
• Pop PDC – shovel shell out to Attack Linux
• Stu will be command line challenged – but he will have to deal with it
Digital Battlefield (diagram): Server Services (MS-08-067) Exploit, Remote Shell (443), Connect with CEO Credentials
Countermeasures: Apply
CSRF Countermeasures
• Root cause
  – Poor web design
    • Insufficient re-authentication
      – Require authentication in GET and POST parameters, don’t rely only on cookies
      – Check the HTTP Referer header
      – Restrict crossdomain.xml usage, which can grant unintended access to Flash movies
      – Limit the lifetime of authentication cookies
  – Poor user common sense
    • Users should not click on links they don’t know or trust!!
• Detection/Prevention
  – Web Application Firewall (WAF)
    • Commercial Options (including HIPS), or
    • Free or Open Source: Breach Security’s ModSecurity, OWASP Stinger Project (Java/J2EE) [limited], AQTRONIX WebKnight, SQLGuard (Java)
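The two server-side countermeasures above (an authentication value carried in the request itself rather than in the cookie alone, plus a Referer/Origin check) applied to the session-riding scenario from the CSRF slide, as an added Python example that is not code from the deck. The site origin `https://shop.example`, the request dictionary layout and the session ids are constructed assumptions.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlparse

# Hypothetical site being protected; a constructed value for this example.
SITE_ORIGIN = "https://shop.example"


def issue_csrf_token(session_id: str, secret: bytes) -> str:
    """Per-session anti-CSRF token: HMAC(server secret, session id). The
    browser sends the session cookie with any request, even one a third-party
    page triggers (session riding); it does not send this token, which only
    the site's own forms embed, so a cross-site request cannot supply it."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def referer_is_own_origin(headers: dict) -> bool:
    """The 'check the HTTP Referer header' countermeasure: a state-changing
    request must carry an Origin or Referer header naming our own origin.
    A missing header is treated as a failure, not a pass."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parsed = urlparse(source)
    return f"{parsed.scheme}://{parsed.netloc}" == SITE_ORIGIN


def validate_state_change(request: dict, secret: bytes) -> tuple:
    """Decide whether a request that changes state (placing an order, say)
    may proceed. Returns (allowed, reason). The request is a constructed
    dict with keys: method, cookies, form, headers."""
    if request["method"] != "POST":
        # A GET that changes state can be fired by an <img> tag or a link.
        return False, "state change must use POST"
    session_id = request["cookies"].get("session")
    if not session_id:
        return False, "no session"
    expected = issue_csrf_token(session_id, secret)
    submitted = str(request["form"].get("csrf_token", ""))
    # compare_digest keeps the comparison time independent of the mismatch.
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return False, "missing or invalid csrf token"
    if not referer_is_own_origin(request["headers"]):
        return False, "request did not originate from our site"
    return True, "ok"


if __name__ == "__main__":
    secret = secrets.token_bytes(32)
    token = issue_csrf_token("sess-42", secret)
    legit = {"method": "POST", "cookies": {"session": "sess-42"},
             "form": {"csrf_token": token},
             "headers": {"Referer": "https://shop.example/cart"}}
    # Session riding: the cookie comes along, the token and origin do not.
    ridden = {"method": "POST", "cookies": {"session": "sess-42"},
              "form": {}, "headers": {"Referer": "https://blog.example/post"}}
    print(validate_state_change(legit, secret))
    print(validate_state_change(ridden, secret))
```

The token check fires before the Referer check, so a request that only has the cookie is refused even when the Referer header has been stripped or spoofed.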
Spear Phishing Countermeasures
• Root cause
  – Poor common sense
  – It’s a feature, not a bug!
    • Invisible iFRAMEs need to go away…
    • Unlikely…
• Detection/Prevention
  – User Education/Awareness
    • DON’T CLICK ON WEB LINKS!!!
  – Web filtering gateways/firewalls (blacklisting/whitelisting)
  – Email/SPAM gateways
Passing Hash Countermeasures
• Root cause
  – It’s a feature, not a bug!
    • Need to remove the “feature” in the MS SAM
    • Unlikely…
• Detection/Prevention
  – Two-factor authentication
  – Eliminate password reuse (John the Ripper)
  – Don’t let a bad guy get Admin and dump the SAM!
  – Don’t backup the SAM and leave it lying about…
  – Control your running processes: HIPS, Whitelisting products
    • Free or Open Source: AntiHook (Win), Winsonar (Win), Samurai (Win), ProcessGuard (Win), OSSEC - Linux
iPhone Hack Countermeasures
• Root cause
  – It’s a feature, not a bug!
    • Ability to Jailbreak the iPhone…
• Detection/Prevention
  – Secure your WAPs (WPA2, MAC address restrictions, etc.)
  – Fix your vulnerabilities!
  – Deploy HIPS/NIPS:
    • Free or Open Source: AntiHook (Win), Winsonar (Win), Samurai (Win), ProcessGuard (Win), OSSEC - Linux
Summary
• It’s a jungle out there… but you need to prepare yourself
• Secure coding and penetration reviews are a must
• Understand the level of vulnerabilities in your own network and applications
  – Leverage Policy Compliance and Vulnerability Management tools
  – Software must be kept up to date
  – Images must be hardened (best practices)
• Education is critical
• Defense-in-Depth
  – Integrated Endpoint protection (AV, HIPS, process whitelisting)
  – Network Protection (IPS, Firewalls, DLP)
Special Thanks
• Ryan Permeh
• Tom Lee
• Brian Holub
• Robin Kier
• All of the high IQ boys @ AVERT Labs and Foundstone Consulting!
• The Phishme Team
Special Thanks To:
Think Evil – Do Good!
Achtung baby!!!