
It’s 2011, Why do you keep getting hacked?


Presentation Transcript


  1. It’s 2011, Why do you keep getting hacked? BRKSEC-2006

  2. Who are we and why should you listen to us?
     • Kurt Grutzmacher -- kgrutzma@cisco.com
       • 10+ years penetration testing
       • Federal Reserve System, Pacific Gas & Electric
       • SPA Team Technical Lead
     • Joaquin Berrios -- joberrio@cisco.com
       • 10+ years penetration testing
       • State of Texas, Northrop Grumman
       • SPA Team Master

  3. What We’re Doing Here
     • This talk covers many of the threats we have seen throughout our years of testing
     • We’ll talk about some solutions but we are really focused on showing you the risks and the methods
     • VENDOR AGNOSTIC
     • Our team will break into anything with an IP address
     • A lot of slides and videos ahead but feel free to ask questions at any time.

  4. Session Objectives: What You Should Take Away…
     • Understand that there are no mystical security keys
     • Everything we discuss can or should have been remediated by now.
     • Security is more of a people problem than a technology problem
     • Policies, procedures and the gaps within them may be your downfall
     • If there is a patch, use it.

  5. Security Posture Assessment History
     • Cisco acquires Wheel Group in 1998
     • Wheel Group founded by ex-USAF officers from AFIWC
     • Cisco Advanced Services SPA Team
     • Engineers from USAF / enterprise / SP / big four consulting
     • On-going security vulnerability research (exploit development)
     • Global coverage with resources in US / EU / APAC / EM
     (Timeline figure: Cisco Advanced Services SPA – 1995, 1998, 2002)

  6. Security Posture Assessment Defined
     The goal of the Security Posture Assessment is to measure the extent to which vulnerabilities in a customer’s environment can be utilized to achieve unexpected or unauthorized access to the OS or applications on an IP-connected host or device
     • SPA is more than just a fancy term for penetration test or ethical hacking, although it incorporates elements of both of these concepts
     • Any active testing must inform the customer’s attempts to measure and assess risk – otherwise it is merely a sterile technical exercise

  7. Security Posture Assessment Flavors
     • Perimeter SPA
       • Models attack from the perspective of an Internet-based threat source
       • Identify and exploit vulnerabilities in both Internet-facing systems and applications and client-side applications running on end-user workstations
     • Internal SPA
       • Models attack from the perspective of a threat source with some level of organizational access
       • Identify and exploit vulnerabilities in systems and applications accessible from a user with some degree of connectivity and IP network reachability
     • Wireless SPA
       • Models attack from the perspective of a threat source in physical proximity to access 802.11
       • Determine encryption/authentication types used by authorized 802.11 networks and exploit if possible. Identify and locate rogue access points
     • Physical SPA
       • Models attack from the perspective of a threat source willing to penetrate physical perimeter
       • Attempts to bypass physical security controls in order possibility of gaining access to physical

  8. Cisco SPA Lessons Learned: What We Have Learned Through Ten Years of Testing
     • Discrete vulnerabilities are merely symptomatic of larger failings in security policy / process / procedure
     • Technical countermeasures are often ineffective without an associated policy / process / procedure
     • Security is more of a people than a technical problem
     • Sometimes one small entry point is all it takes

  9. What is the State of Security today?
     • In the past 12 months what used to be discussed behind closed doors has become public
     • Public disclosure of breaches has increased
     • Hackers boasting/taunting more (Anonymous, LulzSec)
     • Buffer overflows in Operating Systems have decreased
     • Applications and client-side attacks are still on the rise

  10. Latest Security Breaches

  11. Who are behind these?
     http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf
     • Kids? Companies? Governments?
     • Large increase in smaller external attacks
     • Insiders still a huge threat to business

  12. How do they occur?
     • In general, a hole was found and exploited!

  13. Hacking Methods by percent of breaches

  14. Most incidents of unauthorized access originating from Internet-based attackers involve some form of social engineering
     Both external agents as well as malicious insiders are common threat sources
     92% of attacks in 2010/2011 (to date) that resulted in unauthorized access or information disclosure were not technically sophisticated
     96% of incidents in 2010/2011 (to date) that resulted in unauthorized access or information disclosure were avoidable through simple or intermediate controls
     “Amateurs hack systems. Professionals hack people.” – Bruce Schneier

  15. The Artichoke of Attack
     (Figure: artichoke leaves labelled Passwords, Client-side Attacks, Databases, Web Applications, Buffer Overflows, Network Devices)

  16. Why Not an Onion?
     • The typical “Onion Layer” of security has worked for quite some time and should not be thrown out yet
     • Attacks have always been targeted to where the data is
     • Attackers just ride the leaves
     • Borderless Networks, SaaS, Clouds … this is a different world
     (Figure: artichoke leaves labelled Passwords, Client-side Attacks, Databases, Web Applications, Buffer Overflows, Network Devices)
     Security is made up of layers but these layers don’t always overlap!

  17. About This Artichoke…
     • The heart is where the data sits
     • Each leaf provides a layer of protection
     • …but also a perfect avenue to attack
     • Not every leaf needs to be removed in order to get at the heart of the artichoke
     • All I need is a little taste

  18. Artichoke Example
     • A server is hosting your company’s blog
     • It’s behind firewalls, intrusion prevention modules, tiered infrastructure, secured servers etc.
     • An SQL Injection vulnerability is found in Wordpress, the software running the blog
     • SQL Injection leaf bypasses other leaves and executes commands directly on the database tier
     • When the attacker is inside the database tier, what else can they see?

  19. Old Skool Attacks

  20. Old Skool Still Getz Uz Ur Warez
     • Brute Force accounts/password
     • Phreaking, Wardialing
     • Social Engineering

  21. Botnets, Worms and Viruses Oh My!
     • The Olden Days Have Passed On
       • Code Red, Slammer, etc
     • The More Things Change the More They Stay The Same
       • E-mail viruses, Phishing, CD/USB Flash Worms
     • Intentional and Accidental COTS Issues
       • Default passwords
       • Autorun viruses/worms
       • Oddly installed programs – Energizer USB Software
       • Hidden Backdoors – Borland Interbase LOCKSMITH

  22. Let’s Get Physical
     • Lock Picking
       • Every Good Hacker Should Know How
       • Shimming Locks and Lock Prying with Credit Cards
       • Bump and Skeleton Keys
       • Lock Picks, Paper Clips, and Rolled-up Post-It Notes??!
     • Maglock/Electronic Doors?
       • Motion Sensor Auto-Unlocks at Exit Points
       • Credit Cards and Maglocks?
     • Do You Really Need to Pick That Lock?
       • Tailgate While Looking Busy or Important
       • Hop Over The Wall
       • Ask Nicely!

  23. Let’s Get Metaphysical
     • Wireless!
     • WEP cracking – Flawed encryption, Weak IVs
     • WPA Weaknesses and Password attacks
       • WPA-PSK TKIP key recovery (coWPAtty, aircrack-ng)
       • LEAP weaknesses
     • GPGPU accelerated attacks
       • Cloud-based Cracking Suite by Thomas Roth
       • Moxie Marlinspike’s wpacracker.com
       • Aircrack-ng-cuda / pyrit
     • Workstation associations (Karma exploitation)

  24. Demo: Wireless Key Recovery

  25. Overflows – Yup They’re Still Around

  26. Shifting tides of Overflows
     • In the past few years there have been fewer OS-level buffer overflows
     • Many COTS/3rd Party apps have increased
       • Novell, HP, Cisco, IBM/Lotus, CA, Sybase, etc
     • Client-side overflows are where it’s at today:
       • Internet Explorer
       • Mozilla Firefox
       • Adobe Acrobat
       • Adobe Flash

  27. Commonly Exploited Vulnerabilities
     • MS06-040 Netapi
     • MS04-012 DCOM – Still around
     • PNP Vulnerabilities (MS08-067)
     • Solaris SADMIND
     • Local kernel overflows
     • These are just a few….
     • Why are these still around?

  28. Some Stats
     • Total Number of IPs in sample data: 6,216
     • 9 Hosts vulnerable to MS06-040 (Netapi)
     • 16 Hosts vulnerable to MS04-012 (DCOM)
     • 8 Hosts vulnerable to SADMIN Overflow
     • 57 Hosts vulnerable to MS05-047 (PNP)
     • 49 Hosts vulnerable to MS05-039 (PNP)!
     May not seem like large numbers, but it only takes one host to give up the keys to the kingdom!

  29. Hacking the Gibson, Network Edition

  30. Layer 3 Is the Key
     • Network devices make business work
       • Firewalls
       • Routers
       • Switches
     • Own layer 3, own pretty much everything
     • Network Administrators can be lazy…

  31. Network-Based Attacks
     • 5 IOS HTTP Auth bypasses
     • 16 Default passwords
     • 160 Weak or easily guessed passwords
     • 230 Weak SNMP community strings
     • Why is this bad?
       • Why TACACS doesn’t matter with an SNMP Write String
       • SNMP ACL Bypass (UDP Issue, not just a Cisco Problem)
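The slide's point is that a guessable read-write community string sidesteps TACACS login controls entirely, and that an ACL alone is not a full answer. As an added example (not from the deck), here is a small audit of the `snmp-server community` lines in an IOS-style configuration; the config text is constructed, the weak-string list is an assumption, and only the common `community <string> [view <name>] RO|RW [acl]` form of the command is parsed.

```python
import re

# Constructed IOS-style configuration lines (not from a real device) that
# mirror the findings on the slide: a default community, a guessable one,
# and a read-write string that is not bound to an access list.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server community cisco123 RW 10
snmp-server community Kq7!vR2xLp9#zW RW 10
access-list 10 permit 10.1.1.5
"""

# Default or trivially guessable strings (assumed list for this example).
WEAK_STRINGS = {"public", "private", "cisco", "cisco123", "admin", "secret"}
MIN_LENGTH = 12

# Subset of the IOS syntax: community <string> [view <name>] RO|RW [acl]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<string>\S+)(?: view \S+)? "
    r"(?P<mode>RO|RW)(?: (?P<acl>\S+))?$"
)

def audit_snmp(config: str) -> list:
    """Return one finding per community string that breaks a rule."""
    findings = []
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        string, mode, acl = m.group("string"), m.group("mode"), m.group("acl")
        problems = []
        if string.lower() in WEAK_STRINGS:
            problems.append("default-or-weak-string")
        if len(string) < MIN_LENGTH:
            problems.append("too-short")
        if mode == "RW":
            # Anyone holding a write string can push configuration changes
            # without ever touching the TACACS+ login path.
            problems.append("read-write")
        if acl is None:
            # An ACL limits who can even try the string (source-spoofed UDP
            # is why it is a mitigation, not a fix).
            problems.append("no-acl")
        if problems:
            findings.append({"community": string, "mode": mode, "problems": problems})
    return findings
```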

  32. Solaris/UNIX Issues (TTYPrompt): What? This Ain’t No Network Device….
     • Administrators can be lazy
     • Vulnerability is not network specific, but commonly provides access to network configurations stored on UNIX hosts
     • Compromised configs == device “pwnage”
     • VERY old vulnerability and should be patched

  33. Monkey in the Middle
     • ARP Poisoning/Spoofing
       • The basis of most Network-focused MITM attacks
       • Focused on a Layer 2 broadcast domain
       • Difficult but not impossible to protect
     • Packet Interception and Misdirection
       • Cleartext protocol sniffing
       • Encrypted protocol negotiation interception
         • Secure SHell, Secure Socket Layer, etc.
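"Difficult but not impossible to protect" is the operative phrase. As an added example (not from the deck), the detector below applies the three checks a sensor on the broadcast domain can make: a known host answering from an unexpected MAC, one IP claimed by several MACs, and one MAC claiming several IPs (the pattern of a station inserting itself between a victim and its gateway). The ARP records and the baseline table are constructed for the example.

```python
from collections import defaultdict

# Constructed ARP replies (ip, mac) in arrival order, standing in for what a
# sensor on the segment would log. Not captured from a real network.
ARP_REPLIES = [
    ("10.0.0.1",  "00:11:22:33:44:01"),   # gateway answering normally
    ("10.0.0.20", "00:11:22:33:44:20"),   # a workstation
    ("10.0.0.1",  "00:11:22:33:44:01"),
    ("10.0.0.1",  "de:ad:be:ef:00:99"),   # a second MAC now claims the gateway IP
    ("10.0.0.20", "de:ad:be:ef:00:99"),   # and the same MAC claims the workstation
]

# Static bindings for hosts that must never change MAC (gateway, servers),
# the same idea as the trusted entries Dynamic ARP Inspection validates against.
BASELINE = {"10.0.0.1": "00:11:22:33:44:01"}

def detect_arp_poisoning(replies, baseline=BASELINE):
    """Return a sorted list of (rule, subject, detail) alerts.

    baseline-mismatch: a pinned host answered from an unexpected MAC.
    ip-multiple-macs:  the same IP was claimed by more than one MAC.
    mac-multiple-ips:  one MAC claimed more than one IP (poisoner claiming
                       both the victim and the gateway)."""
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    alerts = set()
    for ip, mac in replies:
        if ip in baseline and baseline[ip] != mac:
            alerts.add(("baseline-mismatch", ip, mac))
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    for ip, macs in ip_to_macs.items():
        if len(macs) > 1:
            alerts.add(("ip-multiple-macs", ip, ",".join(sorted(macs))))
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            alerts.add(("mac-multiple-ips", mac, ",".join(sorted(ips))))
    return sorted(alerts)
```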

  34. Distributed Denial of Service
     • Anyone can be a target or an attacker
     • Anonymous’ Low Orbit Ion Cannon (LOIC) agent is pretty simple to detect and defend against
       • https://tools.cisco.com/security/center/viewAlert.x?alertId=22056
     • Other attacks can be mitigated using similar techniques

  35. Sometimes it’s not from the network…

  36. Demo: IOS SNMP ACL Bypass Demo

  37. NONE SHALL PASS(words)!

  38. “Treat your password like your toothbrush. Don’t let anybody else use it, and get a new one every six months.” – Clifford Stoll, Author

  39. Passwords? We Know This Already!
     • True, but it’s STILL one of the biggest ways we get in!
     • User level access usually leads to privilege escalation
       • Buffer overflows
       • Application errors
       • Passwords in configuration files
       • SNMP Community Strings

  40. DEFCON “Crack Me If You Can” – https://contest.korelogic.com/
     • Contest started in 2010 by KoreLogic, Inc
     • Created to help push the envelope of password cracking techniques and methodologies
     • KoreLogic creates a “realistic” list of passwords and encrypts them with real-world encryption algorithms
     • Teams are all given the list at the same time and awarded points for recovering the cleartext
     • Teams had 48 HOURS to work in
     • Results were closely aligned to real-world scenarios

  41. 2010 Statistics

  42. 2010 Winner’s Points/Time Graph

  43. Some Recent Password Breaches
     • Sony Online Entertainment (SOE)
       • 100 million accounts with <unknown> hashes (estimated)
     • Sony Pictures
       • 1 million accounts (cleartext!!!), coupons and music codes
     • PBS.org
       • 2,200 accounts, most cleartext some MySQL hashed
     • Rootkit.com (HBGary)
       • 42,000 accounts w/ MD5 hashes (unsalted)
     • Gawker Media
       • 1.3 million accounts w/ DES-based crypt(3) hashes
     • RockYou
       • 32 million accounts w/ MD5 hashes (unsalted)

  44. Top 10 “rockyou.com” Passwords …out of 32,603,388
     • 123456
     • 12345
     • 123456789
     • password
     • iloveyou
     • princess
     • 1234567
     • rockyou
     • 12345678
     • abc123

  45. What We Use to Find Bad Passwords
     • A list of “default” usernames and passwords
     • An ever increasing list of known usernames learned through enumeration exploits (finger, smb null session, /etc/passwd access, previously exploited systems, etc)
     • “Joe” accounts:
       • Accounts whose passwords are the same as the username
     • Feed into brute force tools like Medusa, Metasploit Auxiliary modules, internally written tools, etc.
     • Password cracking

  46. Some of OUR Password Stats: What We’ve Found to Be True….
     • Total Passwords: 2,745,373
     • Alphanumeric Passwords: 39,925
     • Lowercase alpha characters only: 83,789
     • Uppercase alpha characters only: 14,761
     • Average password length: 8 characters
     • Password cracking coming in later slides …
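Slides 43 to 45 make two points that belong together: unsalted MD5 (Rootkit.com, RockYou) lets one precomputed table cover every user, and "Joe" accounts and top-10 passwords fall to a handful of hash computations. As an added example (not from the deck), the block below runs that audit against a constructed credential table using the slide-44 list, then shows the storage scheme that removes the problem: a per-user random salt and a deliberately slow PBKDF2 derivation. The account names, passwords and round count are assumptions for the example.

```python
import hashlib
import hmac
import os

# The ten most common rockyou.com passwords from slide 44.
ROCKYOU_TOP10 = ["123456", "12345", "123456789", "password", "iloveyou",
                 "princess", "1234567", "rockyou", "12345678", "abc123"]

# Constructed credential table stored as unsalted MD5, the scheme behind the
# Rootkit.com and RockYou breaches. Not real data.
ACCOUNTS = {
    "alice": hashlib.md5(b"princess").hexdigest(),
    "bob":   hashlib.md5(b"bob").hexdigest(),                  # "Joe" account
    "carol": hashlib.md5(b"Tr0ub4dor&3-long-phrase").hexdigest(),
    "dave":  hashlib.md5(b"princess").hexdigest(),             # same hash as alice: no salt
}

def audit_unsalted_md5(accounts, wordlist=ROCKYOU_TOP10):
    """Return {user: reason} for accounts whose stored hash equals the hash of
    a top-10 password or of the username. Without a salt, one table of ten
    digests covers every account in the store."""
    table = {hashlib.md5(p.encode()).hexdigest(): p for p in wordlist}
    findings = {}
    for user, digest in accounts.items():
        if digest in table:
            findings[user] = "top10:" + table[digest]
        elif digest == hashlib.md5(user.encode()).hexdigest():
            findings[user] = "joe-account"
    return findings

# Hardened storage: per-user random salt plus a slow key derivation, so a
# precomputed table is useless and each guess costs real work.
PBKDF2_ROUNDS = 200_000   # assumed work factor for this example

def hash_password(password: str, salt: bytes = None) -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison
```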

  47. Databases – Not Just for Storing Data!

  48. Databases!
     • Two main types:
       • Structured Query Language (SQL)
       • No Structured Query Language (NoSQL)
     • Open Source
       • Postgres, MySQL, CouchDB, MongoDB. . .
     • Off-The-Shelf
       • Microsoft SQL, IBM DB2, Oracle, IMS. . .

  49. Default Database Admin Accounts
     • Microsoft SQL
       • sa – full access to all databases/tables
     • MySQL
       • root – full access to all databases/tables
     • Oracle
       • Multiple variations (will deal with this one later)
     • IBM DB2
       • db2admin – full access to all databases/tables, also created as a local user on the OS the administration server is installed on. Administrators group for Windows (!!!!)

  50. Attacking Microsoft SQL
     • Buffer overflows
       • SQL Slammer (MS02-039)
       • SQL Hello (MS02-056)
       • Sp_replwritetovarbin (MS09-004)
     • XP_Cmdshell
       • Tried and true and still valuable
       • Runs commands with the privilege of the SQL Server
         • Typically this is SYSTEM
         • Sometimes it’s a Domain User or Administrator
       • Typically leads to greater levels of access
