Slide 1

Las Vegas – August 2007
Tactical Exploitation
“the other way to pen-test”
hdm / valsmith

Slide 2

who are we?
H D Moore: BreakingPoint Systems || Metasploit
Valsmith: Offensive Computing || Metasploit

Slide 3

why listen?
• A different approach to pwning
• New tools, fun techniques
• Real-world tested :-)

Slide 4

what do we cover?
• Target profiling
• Discovery tools and techniques
• Exploitation
• Getting you remote access

Slide 5

the tactical approach
• Vulnerabilities are transient
• Target the applications
• Target the processes
• Target the people
• Target the trusts
• You WILL gain access.

Slide 6

the tactical approach
• Crackers are opportunists
• Expand the scope of your tests
• Everything is fair game
• What you don't test...
• Someone else will!

Slide 7

the tactical approach
• Hacking is not about exploits
• The target is the data, not r00t
• Hacking is using what you have
• Passwords, trust relationships
• Service hijacking, auth tickets

Slide 8

personnel discovery
• Security is a people problem
• People write your software
• People secure your network
• Identify the meatware first

Slide 9

personnel discovery
• Identifying the meatware
• Google
• Newsgroups
• SensePost tools
• www.Paterva.com

Slide 10

personnel discovery
• These tools give us
• Full names, usernames, email
• Employment history
• Phone numbers
• Personal sites

Slide 11

personnel discovery
CASE STUDY

Slide 12

personnel discovery
• Started with just a name and title
• Found online personnel directory
• Found people / email addresses
• Email name = username = target

Slide 13

personnel discovery
DEMO

Slide 14

network discovery
• Identify your target assets
• Find unknown networks
• Find third-party hosts
• Dozens of great tools...
• Let's stick to the less-known ones

Slide 15

network discovery
• The overused old busted
• Whois, Google, zone transfers
• Reverse DNS lookups

Slide 16

network discovery
• The shiny new hotness
• Other people's services
• CentralOps.net, DigitalPoint.com
• DomainTools.com, Paterva.com
• RevHosts PIG/VHH modules:
• http://revhosts.net/

Slide 17

network discovery
• What does this get us?
• Proxied DNS probes, transfers
• List of virtual hosts for each IP
• Port scans, traceroutes, etc.
• Gold mine of related info

Slide 18

network discovery
• Active discovery techniques
• Trigger SMTP bounces
• Brute force HTTP vhosts
• Watch outbound DNS
• Just email the users!

Slide 19

network discovery
CASE STUDY

Slide 20

network discovery
DEMO

Slide 21

firewalls and ips
• Firewalls have gotten snobby
• Content filtering is now common
• Intrusion prevention is annoying
• Identify and fingerprint
• Increase your stealthiness
• Customize your exploits

Slide 22

firewalls and ips
• Firewall identification
• NAT device source port ranges
• Handling of interesting TCP
• IPS identification
• Use “drop with no alert” sigs
• Traverse sig tree to find vendor

Slide 23

firewall and ips
CASE STUDY

Slide 24

firewall and ips
DEMO

Slide 25

application discovery
• If the network is the toast...
• Applications are the butter.
• Each app is an entry point
• Finding these apps is the trick

Slide 26

application discovery
• Tons of great tools
• Nmap, Amap, Nikto, Nessus
• Commercial tools

Slide 27

application discovery
• Slow and steady wins the deface
• Scan for a specific port, one port only
• IDS/IPS can't handle slow scans
• Ex. nmap -sS -P0 -T 0 -p 1433 ips

Slide 28

application discovery
• Example target had custom IDS to detect large # of host connections
• Standard nmap lit up IDS like XMAS
• One port slow scan never detected
• Know OS based on 1 port (139/22)
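As an added example (not code from the talk), the contrast on this slide written as detection logic over a constructed connection log: a short-window connection-rate rule of the kind the custom IDS used, which stays silent on a one-port scan spread over hours, beside a long-window rule that counts distinct destination hosts per source and port and does catch it. The log field layout and both thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed connection log (not real traffic): 10.0.0.5 probes one new
# host on 1433 every 20 minutes; 10.0.0.9 is an ordinary client.
SAMPLE_LOG = """\
2007-08-01T01:00:00 10.0.0.5 10.1.0.1 1433
2007-08-01T01:20:00 10.0.0.5 10.1.0.2 1433
2007-08-01T01:40:00 10.0.0.5 10.1.0.3 1433
2007-08-01T02:00:00 10.0.0.5 10.1.0.4 1433
2007-08-01T01:05:00 10.0.0.9 10.1.0.1 1433
2007-08-01T01:06:00 10.0.0.9 10.1.0.2 1433
2007-08-01T01:07:00 10.0.0.9 10.1.0.1 1433
"""
def parse_log(text):
    """Parse 'timestamp src dst dport' lines into time-sorted tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return sorted(events)

def burst_detector(events, window=timedelta(minutes=5), threshold=3):
    """Short-window rate rule like the slide's custom IDS: alert on a
    source opening more than `threshold` connections in one window."""
    by_src, alerts = defaultdict(list), set()
    for ts, src, _, _ in events:
        by_src[src].append(ts)
    for src, times in by_src.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                alerts.add(src)
    return alerts

def slow_scan_detector(events, window=timedelta(hours=24), threshold=3):
    """Long-window rule: alert on a (source, port) that reaches more than
    `threshold` distinct destination hosts, no matter how slowly."""
    per_key, alerts = defaultdict(list), set()
    for ts, src, dst, dport in events:
        per_key[(src, dport)].append((ts, dst))
    for key, hits in per_key.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if len({dst for _, dst in hits[start:end + 1]}) > threshold:
                alerts.add(key)
    return alerts
```

On the sample the rate rule returns nothing while the distinct-host rule flags ("10.0.0.5", 1433); in production the per-key state should be bounded (evict entries older than the window) rather than kept forever as here.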

Slide 29

application discovery
• Some new tools
• W3AF for locating web apps
• Metasploit 3 includes scanners

Slide 30

application discovery
CASE STUDY

Slide 31

application discovery
DEMO

Slide 32

client app discovery
• Client applications are fun!
• Almost always exploitable
• Easy to fingerprint remotely
• Your last-chance entrance

Slide 33

client app discovery
• Common probe methods
• Mail links to the targets
• Review exposed web logs
• Send MDNs to specific victims
• Abuse all, everyone, team aliases

Slide 34

client app discovery
• Existing tools
• BEEF for browser fun
• Not much else...

Slide 35

client app discovery
• Shiny new tools
• Metasploit 3 SMTP / HTTP
• Metasploit 3 SMB services

Slide 36

client app discovery
CASE STUDY

Slide 37

client app discovery
DEMO

Slide 38

process discovery
• Track what your target does
• Activity via IP ID counters
• Last-modified headers
• FTP server statistics

Slide 39

process discovery
• Look for patterns of activity
• Large IP ID increments at night
• FTP stats at certain times
• Web pages being uploaded
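Added example, not from the talk: the check a defender can run on IP ID values sampled from one of their own hosts (constructed here) to tell a global incrementing counter, which exposes the host's traffic volume to anyone who can probe it, from randomized or constant IDs, plus the per-interval packet count such a counter reveals. The thresholds are assumptions in the spirit of nmap's IP ID sequence classes.

```python
from statistics import pstdev

MOD = 1 << 16  # the IP ID field is 16 bits wide

def ipid_deltas(samples):
    """Steps between consecutive IP IDs, modulo 2^16, so a counter that
    wraps from 65534 to 2 still counts as a step of +4."""
    return [(b - a) % MOD for a, b in zip(samples, samples[1:])]

def classify_ipid(samples):
    """Classify a host's IP ID behaviour as 'constant', 'incremental',
    'random' or 'unknown' (a heuristic in the spirit of nmap's classes)."""
    if len(samples) < 3:
        return "unknown"
    deltas = ipid_deltas(samples)
    if all(d == 0 for d in deltas):
        return "constant"       # e.g. always 0: nothing to observe
    if all(0 < d < 5000 for d in deltas):
        return "incremental"    # one global counter: traffic volume leaks
    if pstdev(deltas) > 10000:
        return "random"         # per-packet randomization: no leak
    return "unknown"

def activity_profile(timed_samples):
    """For an incremental host, turn (seconds, ipid) probes into the number
    of packets the host sent between probes; each probe's own reply
    consumes one ID, so subtract 1.  Returns [(start, end, packets), ...]."""
    out = []
    for (t0, id0), (t1, id1) in zip(timed_samples, timed_samples[1:]):
        out.append((t0, t1, max((id1 - id0) % MOD - 1, 0)))
    return out

# Constructed samples (not real captures) for the three behaviours.
INCREMENTAL = [65530, 65534, 2, 9, 10, 31]
RANDOM = [4123, 60001, 9, 33021, 51234]
CONSTANT = [0, 0, 0, 0]
# Constructed hourly probes of an incremental host: a few packets per hour,
# then about 1.2k packets in the last interval (a "large increment at night").
NIGHT_PROBES = [(0, 1000), (3600, 1015), (7200, 1020), (10800, 2220)]
```

A host that classifies as "incremental" is the one worth fixing (modern stacks randomize or zero the IP ID on non-fragmented packets); the profile on NIGHT_PROBES shows what the counter gives away.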

Slide 40

process discovery
• Existing tools?
• None :-(
• New tools
• Metasploit 3 profiling modules
• More on exploiting this later...

Slide 41

process discovery
CASE STUDY

Slide 42

process discovery
DEMO

Slide 43

15 Minute Break
• Come back for the exploits!

Slide 44

re-introduction
• In our last session...
• Discovery techniques and tools
• In this session...
• Compromising systems!

Slide 45

external network
• The crunchy candy shell
• Exposed hosts and services
• VPN and proxy services
• Client-initiated sessions

Slide 46

attacking file transfers
• FTP transfers
• Active FTP source ports
• Passive FTP servers
• NFS transfers
• TFTP transfers

Slide 47

attacking mail services
• Four different attack points
• The mail relay servers
• The antivirus gateways
• The real mail server
• The user's mail client
• File name clobbering...

Slide 48

attacking web servers
• Brute force files and directories
• Brute force virtual hosts
• Standard application flaws
• Load balancer fun...
• Clueless users' cgi-bins are often the Achilles heel

Slide 49

attacking dns servers
• Brute force host name entries
• Brute force internal hosts
• XID sequence analysis
• Return extra answers...

Slide 50

attacking db servers
• Well-known user/pass combos
• Business apps hardcode auth
• Features available to anonymous
• No-patch bugs (DB2, Ingres, etc.)

Slide 51

authentication relays
• SMB/CIFS clients are fun!
• Steal hashes, redirect, MITM
• Remote shell, no vuln needed
• NTLM relay between protocols
• SMB/HTTP/SMTP/POP3/IMAP

Slide 52

social engineering
• Give away free toys
• CDROMs, USB keys, N800s
• Replace UPS with OpenWRT
• Cheap and easy to make

Slide 53

internal network
• The soft chewy center
• This is the fun part :)
• Easy to trick clients

Slide 54

file services
• SMB is awesome
• Look for AFP exports of SMB data
• NAS storage devices
• Rarely, if ever, patch Samba :-)

Slide 55

file services
• NFS is your friend
• Don't forget its easy cousin NIS
• Scan for port 111 / 2049
• showmount -e / showmount -a
• What's exported, who's mounting?

Slide 56

file services
• Exported NFS home directories
• Important target!
• If you get control
• Own every node that mounts it

Slide 57

file services
• If you are root on home server
• Become anyone (NIS/su)
• Harvest known_hosts files
• Harvest authorized_keys
• Modify .login, etc. + insert trojans

Slide 58

file services
• Software distro servers are fun!
• All nodes access over NFS
• Write to software distro directories
• Trojan every node at once
• No exploits needed!

Slide 59

file services
CASE STUDY

Slide 60

netbios services
• NetBIOS names are magic
• WPAD
• CALICENSE

Slide 61

dns services
• Microsoft DNS + DHCP = fun
• Inject host names into DNS
• Hijack the entire network
• dhcpcd -h WPAD -i eth0

Slide 62

wins services
• Advertise your WINS service
• Control name lookups
• Attack other client apps

Slide 63

license servers
• A soft spot in desktop apps
• Computer Associates
• Bugs and simple to spoof
• FlexLM network services

Slide 64

remote desktops
• RDP
• Great for gathering other targets
• Domain lists available pre-auth
• If not available, start your own:
• net start “terminal services”

Slide 65

remote desktops
• VNC
• The authentication bug is great :)
• MITM attacks are still viable
• Install your own with Metasploit 3
• vncinject payloads

Slide 66

trust relationships
• The target is unavailable to YOU
• Not to another host you can reach...
• Networks may not trust everyone
• But they often trust each other :)

Slide 67

trust relationships
CASE STUDY

Slide 68

Hijacking SSH
CASE STUDY

Slide 69

Hijacking Kerberos
CASE STUDY

Slide 70

Hijacking NTLM
CASE STUDY

Slide 71

Conclusion
• Compromise a “secure” network
• Determination + creativity wins
• Tools cannot replace talent.