Hacking Demystified

Johnny Vestergaard

October 01, 2012

Transcript

  1. Hacking Demystified

    HACKING DEMYSTIFIED – No magic or funny hats involved. Held at EAL Odense. Johnny Vestergaard, 15 February 2012. (Hacking Demystified Johnny Vestergaard – 1 / 57)
  2. Introduction

    • Introduction • Disclaimer • Ethics and purpose • Terminology
    LINKEDIN.COM/IN/JOHNNYKV [email protected]
  3. Agenda

    1. Introduction
    2. The opponent
    3. Attack demonstration
       (a) SQL Injection
       (b) Client side browser attack
    4. Attack summary
    5. Mitigation
    6. The end
  4. Disclaimer

    The views and opinions expressed in this presentation are the personal views of the speaker and do not necessarily reflect the views, policies or procedures of present or past employers. All information, tactics, techniques and procedures used or mentioned during this presentation are based solely on open and publicly accessible sources.
  5. Ethics and purpose

    «So it is said that if you know your enemies and know yourself, you can win a hundred battles without a single loss. If you only know yourself, but not your opponent, you may win or may lose. If you know neither yourself nor your enemy, you will always endanger yourself.» - Sun Tzu
  6. Terminology

    • Vulnerability
      ◦ A weakness in a piece of software which can compromise the security of the computer system involved.
    • Exploit
      ◦ A piece of code or a technique which allows an attacker to exploit a vulnerability.
    • Zero day exploit / vulnerability
      ◦ Exploiting or having knowledge of a vulnerability before it is publicly announced.
  7. The opponent

    • Opponent types • The hacktivist • Attack timeline • Plain old (digital) criminal • State actors
  8. Opponent types

    This presentation will have focus on the following types of opponents:
    • The hacktivist
    • Plain old (digital) criminal
    • State and state-sponsored actors
  9. The hacktivist

    • Promote a political message or agenda.
    • Loosely organized, a few lone wolves.
    • Terrorism or activism? Depends on the observer...
    • Defacement, doxing, DoS, data dumps, etc.
    • Tend to use old and well-proven techniques.
    • Anonymous, The Jester, Cyber Hezbollah.
  10. Case Study - OpMegaupload
  11. Plain old (digital) criminal

    • Motivated by money.
    • Maximum revenue - minimal effort.
    • Mixed organization.
    • Heavy use of crimeware.
      ◦ Blackhole, SpyEye, Zeus, etc.
    • Spamming, botnet herding, extortion.
    • Identity theft, credit cards, bank account details.
    • Corporate espionage.
  12. State actors

    • Intelligence agencies, law enforcement, military «cyber» units
    • Sabotage, espionage, subversion, information warfare
    • Skilled personnel
    • Highly organized
    • Extremely resourceful
  13. Stuxnet - in 30 seconds

    (Diagram; label: Corporate LAN.) Source: Symantec - W32.Stuxnet Dossier
  14. Attack demonstration

    • SQL Injection • Secure storage of passwords • ARP Poisoning • Client-side attacks • The End
  15. Typical Modus Operandi for the experienced attacker
  16. Tools of the trade

    Tools used during the attack:
    • Backtrack (http://www.backtrack-linux.org)
    • Arpspoof (http://arpspoof.sourceforge.net)
    • John the Ripper (http://www.openwall.com/john/)
    • Metasploit (http://metasploit.com/)
  17. Case information

    Target: A small privately held research company on the verge of a breakthrough within development of an effective HIV vaccine.
    Goal: Collect scientific information to such a degree that our customer will be able to recreate ACME's new vaccine.
  18. ACME Attack - Overview

  19. ACME Attack - The Grand scheme

  20. Penetrate through VPN

  21. Penetrate through VPN

  22. SQL Injection

  23. SQL Injection
  24. The SQL Query from hell

        SELECT * FROM article WHERE content LIKE '%ELVIS%' OR 1=convert(int, 'Hillbilly')

  25. The SQL Query from hell

    The same query, with the database server's reply:

        SELECT * FROM article WHERE content LIKE '%ELVIS%' OR 1=convert(int, 'Hillbilly')

        Conversion failed when converting the varchar value 'Hillbilly' to data type int.
  26. Password hashing

    Pseudo code to identify the cleartext which goes with the digest above:

        possibleWords = ["Horse", "Cat", "Closet", "Automobile", ...]
        for word in possibleWords:
            if md5(word) == "d910eb044a857f9ee...":
                return word
  27. SQL Injection - Real world stories

    • HBGary Federal, Feb 2011
      ◦ SQL Injection
        • http://www.hbgaryfederal.com/pages.php?pageNav=2&page=27
      ◦ Extract of logins, emails and hashes.
      ◦ Used for intrusion on HBGary's servers, Twitter account, etc.
      ◦ Publication of internal data.
    • Barracuda Networks, April 2011
      ◦ During maintenance of the application firewall a hacker conducted his attack.
        • How did he know the firewall was down at this exact time?
      ◦ Extract of logins, emails and hashes.
      ◦ Used for?
    • A1 on OWASP Top 10 Application Security Risks.
  28. Jump to classified side

  29. Jump to classified side

  30. Jump to classified side - Normal

  31. Jump to classified LAN - Attack

  32. ARP poisoning

  33. ARP poisoning
  34. Client-side attacks - real world stories

    • RSA, March 2011
      ◦ Pretty simple mail attack to create a bridgehead into RSA's network. Attached to the mail was an Excel document with an embedded zero-day Flash exploit; the payload used was Poison Ivy.
      ◦ Purpose of the hack was to collect classified information on SecurID (!!).
  35. Summary

  36. Mitigation
  37. SQL Injection

    • Input validation (server-side!)
    • Separation of code and data
      ◦ C#: SqlParameter.

        // The search term is bound as a parameter, so it can never become part of
        // the query text; the LIKE wildcards are added in SQL around the parameter.
        SqlCommand cmd = new SqlCommand(
            "SELECT * FROM articles WHERE content LIKE '%' + @searchString + '%'",
            connection);
        cmd.Parameters.Add(new SqlParameter { ParameterName = "@searchString", Value = searchString });

    • Tools
      ◦ SQLMap (http://sqlmap.sourceforge.net/)
      ◦ Skipfish (http://code.google.com/p/skipfish/)
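The same separation of code and data, as an added Python example (not the speaker's code; the article rows and the search terms are constructed for the demo, and sqlite3 stands in for SQL Server). The unsafe function pastes the search term into the query text, the way the "query from hell" slide's target did; the safe one binds it as a parameter, in the same shape as the C# SqlParameter snippet, and also escapes LIKE's own wildcards, which parameterization alone does not do:

```python
import sqlite3

# Constructed rows standing in for ACME's "article" table.
SAMPLE_ARTICLES = [
    "ELVIS sighted in Odense",
    "Quarterly vaccine trial results",
    "Interview with the ELVIS tribute band",
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, content TEXT)")
    conn.executemany("INSERT INTO article (content) VALUES (?)",
                     [(c,) for c in SAMPLE_ARTICLES])
    return conn


def search_unsafe(conn, term):
    # The anti-pattern: the user's text becomes part of the SQL grammar, so a
    # quote character in it changes what the query means.
    sql = ("SELECT content FROM article WHERE content LIKE '%" + term + "%'"
           " ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def escape_like(term, esc="\\"):
    # A bound parameter keeps the term out of the grammar, but LIKE still
    # interprets % and _ inside it; escape them so only literal text matches.
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_safe(conn, term):
    # Code and data separated: the term travels as a parameter and the
    # wildcards are concatenated around it inside SQL.
    sql = ("SELECT content FROM article"
           " WHERE content LIKE '%' || ? || '%' ESCAPE '\\' ORDER BY id")
    return [row[0] for row in conn.execute(sql, (escape_like(term),))]


if __name__ == "__main__":
    conn = make_db()
    tautology = "zzz' OR '%'='"   # constructed: closes the quote and adds a true clause
    print(search_safe(conn, "ELVIS"))
    print(search_unsafe(conn, tautology))   # every row
    print(search_safe(conn, tautology))     # no row contains that literal text
```

Run it and the tautology term returns the whole table from search_unsafe and nothing from search_safe, where it is matched only as literal text. The escape step matters for a search box even without any attack: a bare % would otherwise list every article.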
  38. Finding SQL injection vulnerabilities - the easy way

    bit.ly/tQYODm (Pulp Google Hacking - Hacker Halted 2011)
  39. Secure storage of passwords

    • Do not store plaintext passwords - store a hash of the password!
    • Hashing != encryption
    • Goal: Maximise the time an opponent must use (waste) to crack our passwords.
      ◦ Salting.
      ◦ Password length and complexity.
    • ...don't use passwords?
  40. ARP Poisoning

    • Static ARP tables on each and every host.
    • Restrict switch ports to specific MAC addresses.
    • Detection of suspect ARP traffic (arpwatch).
    • 802.1X.
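The detection item on this slide, as an added Python example (not from the deck and not arpwatch itself): an arpwatch-style monitor that remembers which MAC last claimed each IP and alerts when a binding changes, when one MAC claims more than one IP, or when a pinned binding (the static-ARP-table idea applied as a check rather than a host setting) is contradicted. The ARP observations are constructed; in the fourth line a second host starts answering for the gateway's address and in the fifth the real gateway answers again, the flip-flop pattern a poisoning attempt leaves behind:

```python
from collections import defaultdict

# Constructed ARP observations (time, sender IP, sender MAC) as a monitor on
# the LAN would see them; 192.168.1.1 is the gateway.
SAMPLE_ARP_LOG = """\
10:00:01 192.168.1.1  00:11:22:33:44:55
10:00:02 192.168.1.20 66:77:88:99:aa:bb
10:00:03 192.168.1.21 CC:DD:EE:FF:00:11
10:00:15 192.168.1.1  cc:dd:ee:ff:00:11
10:00:16 192.168.1.1  00:11:22:33:44:55
"""


def parse_arp_log(text):
    """Yield (timestamp, ip, mac) with MACs normalised to lower case."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, mac = line.split()
        yield ts, ip, mac.lower()


class ArpMonitor:
    """Tracks IP-to-MAC bindings and emits (time, kind, ip, mac) alerts."""

    def __init__(self, pinned=None):
        # ip -> mac that must own it (the static-table entries worth checking)
        self.pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
        self.binding = {}                    # ip -> mac last seen claiming it
        self.ips_by_mac = defaultdict(set)   # mac -> every ip it has claimed
        self.alerts = []

    def observe(self, ts, ip, mac):
        new = []
        if ip in self.pinned and self.pinned[ip] != mac:
            new.append((ts, "pinned-mismatch", ip, mac))
        previous = self.binding.get(ip)
        if previous is not None and previous != mac:
            # arpwatch reports this as a "flip flop" when it alternates
            new.append((ts, "binding-changed", ip, mac))
        self.binding[ip] = mac
        self.ips_by_mac[mac].add(ip)
        if len(self.ips_by_mac[mac]) > 1:
            # one interface answering for several addresses
            new.append((ts, "mac-claims-multiple-ips", ip, mac))
        self.alerts.extend(new)
        return new


def run_monitor(log_text, pinned=None):
    mon = ArpMonitor(pinned)
    for ts, ip, mac in parse_arp_log(log_text):
        mon.observe(ts, ip, mac)
    return mon.alerts


if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_ARP_LOG,
                             pinned={"192.168.1.1": "00:11:22:33:44:55"}):
        print(alert)
```

Pinning the gateway is what turns the fourth line into a definite alarm rather than a change to investigate; without a pin the monitor still flags the change and the MAC now answering for two addresses, which is the signal arpwatch gives on a LAN with no prior knowledge.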
  41. Client-side attacks

    • Keep updated!
    • Security awareness.
  42. The End

    Slides: http://www.slideshare.net/JohnnyKV/ LINKEDIN.COM/IN/JOHNNYKV [email protected]