Network Security in Practice (Hálózatbiztonság a gyakorlatban)
Mixed; Assessment 2
22 May 2015, Budapest
Dr. Bencsáth Boldizsár, assistant professor
BME Department of Telecommunications (Híradástechnikai Tanszék)
bencsath@crysys.hit.bme.hu
News 2013
http://www.java-0day.com/ (11 days since the last 0-day for Java)
Pwn2Own / http://cansecwest.com/ http://dvlabs.tippingpoint.com/blog/2013/01/17/pwn2own-2013
Everything was cracked except ChromeOS
Sam.gov hacked
Sudo vulnerability (in 2013!)
TeamSpy
Stri.pe CTF
https://stripe.com/blog/capture-the-flag
6 levels to crack
"You can begin Stripe's CTF challenge by running ssh level01@ctf.stri.pe from your shell and entering the password e9gx26yeb2."
We will cover the challenges week-by-week
Description and hints on the 1st challenge
Stri.pe: how it works
ls -la /levels
total 96
drwxr-xr-x  2 root     root     4096 2012-02-23 22:44 .
drwxr-xr-x 15 root     root     4096 2012-02-23 22:44 ..
-r-sr-x---  1 level02  level01  8617 2012-02-23 22:44 level01
-r--r-----  1 level01  level01   152 2012-02-23 22:44 level01.c
-r-sr-x---  1 level03  level02  8467 2012-02-23 22:44 level02
-r--r-----  1 level02  level02   204 2012-02-23 22:44 level02.c
-r-sr-x---  1 level04  level03 10079 2012-02-23 22:44 level03
-r--r-----  1 level03  level03  1708 2012-02-23 22:44 level03.c
-r-sr-x---  1 level05  level04  7273 2012-02-23 22:44 level04
-r--r-----  1 level04  level04   303 2012-02-23 22:44 level04.c
-r--r-----  1 level05  level06  6576 2012-02-23 22:44 level05
-r-sr-x---  1 the-flag level06 13132 2012-02-23 22:44 level06
-r--r-----  1 level06  level06  1550 2012-02-23 22:44 level06.c
As you can see, most levels have a binary that can be executed from the lower level and, via the setuid bit, runs with the rights of the next level.
Stri.pe CTF 12, L01

    #include <stdio.h>
    #include <stdlib.h>

    int main(int argc, char **argv)
    {
        printf("current time: ");
        fflush(stdout);
        system("date");   /* "date" is resolved through the caller's PATH while the binary runs setuid */
        return 0;
    }

The CTF games are a bit misleading, as it is much easier to find errors if you know exactly that they exist and exactly where they reside.
This is an easy one.
Related topic
Security is not just about a program. It's about a system.
Security problems arise not just from programming errors inside one component.
There can be nasty things between the program and the environment:
- environment variables: badly formatted parameters, $PATH, LD_PRELOAD etc.;
- DLL injection from the current directory (Windows);
- security features and parameters: -PIE (position independent executable), executable stack, stack protectors.
And between multiple programs, or between programs and the OS: memory limits, open file limits, error handling, inter-process communication, race conditions.
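The first item above, a privileged program trusting the caller's $PATH, is exactly what the level01 binary does with system("date"). The following Python is an added example, not code from the slides or from the CTF: it mimics the PATH lookup order used by the shell, shows that the directory order decides which "date" is found, and builds the pinned, minimal environment a privileged helper should use instead. The function names, the TRUSTED_PATH value and the throwaway directories are this example's own constructions.

```python
import os
import stat
import tempfile

# Assumption of this example: the trusted directories are root-owned system dirs.
TRUSTED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def resolve_in_path(command, path_value):
    """Return the first executable named `command` along `path_value`,
    mimicking the execvp()/sh lookup order, or None if nothing matches."""
    for directory in path_value.split(os.pathsep):
        if not directory:
            directory = "."          # an empty PATH element means the cwd
        candidate = os.path.join(directory, command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def hardened_env(keep=("TERM", "LANG")):
    """Minimal environment for spawning a child from a privileged program:
    PATH is pinned, loader/locale overrides such as LD_PRELOAD are dropped,
    and only a short allow-list of harmless variables is copied through."""
    env = {"PATH": TRUSTED_PATH}
    for name in keep:
        if name in os.environ:
            env[name] = os.environ[name]
    return env


def demo():
    """Create two throwaway directories that each contain a file named 'date'
    (constructed placeholders, never executed) and show which one an inherited
    PATH selects versus a pinned one."""
    with tempfile.TemporaryDirectory() as root:
        trusted = os.path.join(root, "bin")
        untrusted = os.path.join(root, "home")
        for d in (trusted, untrusted):
            os.mkdir(d)
            p = os.path.join(d, "date")
            with open(p, "w") as f:
                f.write("#!/bin/sh\necho placeholder\n")
            os.chmod(p, stat.S_IRWXU)
        caller_path = untrusted + os.pathsep + trusted   # what the caller controls
        pinned_path = trusted                             # what the helper should use
        return {
            "inherited_picks_untrusted": resolve_in_path("date", caller_path)
            == os.path.join(untrusted, "date"),
            "pinned_picks_trusted": resolve_in_path("date", pinned_path)
            == os.path.join(trusted, "date"),
            "ld_preload_dropped": "LD_PRELOAD" not in hardened_env(),
        }


if __name__ == "__main__":
    print(demo())
```

The mitigation side is the point: a setuid program should call the helper by absolute path with an environment it built itself (the C equivalent is execve() with an explicit envp rather than system()), so that neither PATH nor loader variables inherited from the caller influence what runs.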
Web page with links to a lot of hackable OS live CDs
http://r00tsec.blogspot.com/2011/02/pentest-lab-vulnerable-servers.html
Holynix: Similar to the De-ICE CDs and pWnOS, Holynix is an Ubuntu server VMware image that was deliberately built to have security holes for the purposes of penetration testing. More of an obstacle course than a real world example. http://pynstrom.net/index.php?page=holynix.php
WackoPicko: WackoPicko is a website that contains known vulnerabilities. It was first used for the paper "Why Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability Scanners", found at http://cs.ucsb.edu/~adoupe/static/black-box-scanners-dimva2010.pdf and https://github.com/adamdoupe/wackopicko
De-ICE PenTest LiveCDs: The PenTest LiveCDs are the creation of Thomas Wilhelm, who was transferred to a penetration test team at the company he worked for. Needing to learn as much about penetration testing as quickly as possible, Thomas began looking for both tools and targets. He found a number of tools, but no usable targets to practice against. Eventually, in an attempt to narrow the learning gap, Thomas created PenTest scenarios using LiveCDs. http://de-ice.net/hackerpedia/index.php/de-ice.net_pentest_disks
Thanks to Tamas Paulik
How many fixes can be combined into a single patch? = How many problems have we survived without paying attention?! (2011)
===========================================================
Ubuntu Security Notice USN-1083-1 March 03, 2011
linux-lts-backport-maverick vulnerabilities
CVE-2009-4895, CVE-2010-0435, CVE-2010-2066, CVE-2010-2226, CVE-2010-2248, CVE-2010-2478, CVE-2010-2495, CVE-2010-2521, CVE-2010-2524, CVE-2010-2537, CVE-2010-2538, CVE-2010-2798, CVE-2010-2942, CVE-2010-2943, CVE-2010-2946, CVE-2010-2954, CVE-2010-2955, CVE-2010-2960, CVE-2010-2962, CVE-2010-2963, CVE-2010-3015, CVE-2010-3067, CVE-2010-3078, CVE-2010-3079, CVE-2010-3080, CVE-2010-3084, CVE-2010-3296, CVE-2010-3297, CVE-2010-3298, CVE-2010-3301, CVE-2010-3310, CVE-2010-3432, CVE-2010-3437, CVE-2010-3442, CVE-2010-3477, CVE-2010-3705, CVE-2010-3848, CVE-2010-3849, CVE-2010-3850, CVE-2010-3858, CVE-2010-3861, CVE-2010-3904, CVE-2010-4072, CVE-2010-4165, CVE-2010-4169, CVE-2010-4249
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 10.04 LTS
Ubuntu 10.04 LTS:
linux-image-2.6.35-25-generic      2.6.35-25.44~lucid1
linux-image-2.6.35-25-generic-pae  2.6.35-25.44~lucid1
linux-image-2.6.35-25-server       2.6.35-25.44~lucid1
linux-image-2.6.35-25-virtual      2.6.35-25.44~lucid1
AnOnYmOuS: a real story
The Anonymous group case
12/2010: Julian Assange's arrest
Operation: Payback by a previously unknown group called Anonymous
08/12: http://isitup.org/www.visa.com "IT'S DOWN! KEEP FIRING!!! #DDOS #PAYBACK #WIKILEAKS"
09/21/2010 BBC NEWS: Anonymous hacktivists say Wikileaks war to continue. Earlier the BBC was contacted by a payment firm linked to Mastercard [mastercard.com] that said its customers had "a complete loss of service".
(Anonymous to Scientology) http://www.youtube.com/watch?v=jcbkv9yiliq (local)
Fox11 news
Westboro on-show crack link
HBGary Federal is a private company selling security tools etc. to private customers and to the government.
http://arstechnica.com/tech-policy/news/2011/02/black-ops-howhbgary-wrote-backdoors-and-rootkits-for-the-government.ars/2
CEO Aaron Barr tried to figure out who-is-who in Anonymous.
He used novel techniques, such as correlating the timestamps of Twitter and Facebook comments with IRC messages.
He might have (not precisely) figured out the real names of Anonymous participants.
He wanted to prove that Anonymous has a leader (vs. no leader) and that it consists of only a few (4-5) members.
He tried to modify the source code of the Low-Orbit Ion Cannon (DoS tool) to identify members -> questionable by law and ethics.
Fake persons were used to get into Anonymous (IRC).
Once, some member even tried to hire him for an attack against his own company.
HBGary kept a stockpile of 0-day exploits.
A slide from one of the company's internal presentations showed that the company had 0-day exploits for which no patch yet existed, but these 0-day exploits had not yet even been published. No one knew about them. The company had exploits "on the shelf" for Windows 2000, Flash, Java, and more; because they were 0-day attacks, any computer around the world running these pieces of software could be infiltrated.
One of the unpublished Windows 2000 exploits, for instance, can deliver a "payload" of any size onto the target machine using a heap exploit. "The payload has virtually no restrictions" on what it can do, a document notes, because the exploit secures SYSTEM level access to the operating system, "the highest user-mode operating system defined level" available.
These exploits were sold to customers. One email, with the subject "Juicy Fruit," contains the following list of software:
VMware ESX and ESXi *
Win2K3 Terminal Services
Win2K3 MSRPC
Solaris 10 RPC
Adobe Flash *
Sun Java *
Win2k Professional & Server
XRK Rootkit and Keylogger *
Rootkit 2009 *
Anonymous
Anonymous hacked the company called HBGary.
The group published the full email archive of the CEO as a torrent (40,000+ emails).
Information about this company: it made rootkits for private companies for $60,000 (nasty); it tried to modify the Low-Orbit Ion Cannon to identify attackers; it used fake identities; it tried to tell the FBI the real names of members.
One owner of the company (HBGary) had to talk with the group through IRC: "step down the CEO and we're happy".
Some emails seem to be proof of criminal activity by the company (together with others).
For HBGary: it had to withdraw from security conferences (e.g. the RSA Conference).
Anonymous logos / Huge media attention
Note: some persons were taken into custody with probable connections to the group Anonymous.
28/02/2011: HBGary Federal CEO Aaron Barr steps down
Summary:
Don't attack hackers. (See http://www.youtube.com/watch?v=u4ob28ksiio)
You don't have to be a hacker or a bad guy to be famous. Being on the right side is worth it.
There is no GOOD, as there is no BAD in most cases. No ultimate truth.
Who knows when it will end.
A bunch of hackers is sometimes tougher than a bunch of lawyers.
Ethics and law should be a control on activities.
Check http://www.h-online.com/security/features/anonymousmakes-a-laughing-stock-of-hbgary-1198176.html too.
http://arstechnica.com/tech-policy/news/2011/02/virtuallyface-to-face-when-aaron-barr-met-anonymous.ars
http://pastebin.com/x69akp5l
http://arstechnica.com/techpolicy/news/2011/02/anonymous-to-security-firm-workingwith-fbi-youve-angered-the-hive.ars
http://arstechnica.com/tech-policy/news/2011/02/how-onesecurity-firm-tracked-anonymousand-paid-a-heavyprice.ars/3
http://arstechnica.com/techpolicy/news/2011/02/anonymous-speaks-the-inside-storyof-the-hbgary-hack.ars
Information sources on target systems
Many public sources reveal information on:
- network topology
- the software/hardware elements used
- configuration settings
- other systems/elements related to the target systems
Some examples:
- DNS (name server) information
- whois information
- named version information
- SSH protocol header
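The last item, the SSH protocol header, is the identification string every SSH server sends before key exchange. The following Python is an added example, not code from the slides: it parses that string into its RFC 4253 parts (protocol version, software version, optional comment) and reports what a server reveals through it. The sample banners are constructed for this example.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# softwareversion is printable US-ASCII without whitespace or the minus sign,
# so the character class below excludes 0x20 and 0x2d.
_ID_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>[\x21-\x2c\x2e-\x7e]+)(?: (?P<comments>.*))?$"
)

# Constructed sample banners (not captured from any real host).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7\r\n",  # version plus distribution patch level
    "SSH-2.0-OpenSSH_5.3p1\r\n",                   # distribution suffix removed
    "SSH-1.99-dropbear_2012.55\r\n",               # protoversion 1.99: server also speaks v1
    "HTTP/1.1 400 Bad Request\r\n",                # not an SSH server at all
]


def parse_ssh_banner(line):
    """Split an identification line into its parts, or return None when the
    line is not a valid SSH identification string."""
    m = _ID_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return {
        "protoversion": m.group("proto"),
        "softwareversion": m.group("software"),
        "comments": m.group("comments"),
    }


def disclosure_report(line):
    """Defender's view of one banner: which facts does it hand to anyone who
    connects? Product and version come from the softwareversion field, the
    distribution tag (if any) from the comment."""
    parsed = parse_ssh_banner(line)
    if parsed is None:
        return {"valid": False}
    product, _, version = parsed["softwareversion"].partition("_")
    return {
        "valid": True,
        "protoversion": parsed["protoversion"],
        "product": product,
        "version": version or None,
        "distro_tag": parsed["comments"],
        # a precise version or a distro tag lets a scanner match the host
        # against known-vulnerable builds without any further probing
        "fingerprintable": bool(version) or parsed["comments"] is not None,
    }


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(repr(banner.strip()), "->", disclosure_report(banner))
```

The protocol makes the software version field mandatory, so an OpenSSH server cannot omit it entirely; what can be trimmed is the comment part, which on Debian-patched builds carries the distribution suffix and is controlled by the Debian-specific DebianBanner option in sshd_config. As the obscurity discussion later on the slides says, trimming the banner buys time, not protection; the version behind it still has to be kept patched.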
Security through obscurity
Security through obscurity (!!! There's a long, long debate about that !!!) = we don't even tell what the system/configuration/software looks like; someone thinks that hiding information makes the system secure.
- Harder to find bugs. Insider information -> higher risk of flaws being found, as the system is not yet known to most of the experts.
- Obscurity is just a tool to gain more time to solve problems. Time is crucial for the system administrator, but not on the global level. E.g. traditional locks are all about time, not about absolute protection.
- However, obscurity might hide problems that ought to be solved.
- Audits can help to find problems even if security-through-obscurity mechanisms are in use.
- Hiding unnecessary information is a general tool of protection, but in fact, it is security through obscurity.
DNS as information source 1: basic query [2010, no DNSSEC]
boldi@hbgyak:~$ dig crysys.hu

; <<>> DiG 9.5.1-P3 <<>> crysys.hu
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6960
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;crysys.hu.                     IN      A

;; ANSWER SECTION:
crysys.hu.              3000    IN      A       152.66.249.135

;; Query time: 33 msec
;; SERVER: 10.105.1.254#53(10.105.1.254)
;; WHEN: Tue Feb 23 14:04:04 2010
;; MSG SIZE  rcvd: 43
DNS: get the MX record for mail
boldi@hbgyak:~$ dig crysys.hu in mx

; <<>> DiG 9.5.1-P3 <<>> crysys.hu in mx
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42586
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;crysys.hu.                     IN      MX

;; ANSWER SECTION:
crysys.hu.              3000    IN      MX      50 eternal.datacontact.hu.
crysys.hu.              3000    IN      MX      10 shamir.crysys.hu.

;; Query time: 32 msec
;; SERVER: 10.105.1.254#53(10.105.1.254)
;; WHEN: Tue Feb 23 14:04:48 2010
;; MSG SIZE  rcvd: 86
Getting the list of DNS servers
boldi@hbgyak:~$ dig crysys.hu in ns

; <<>> DiG 9.5.1-P3 <<>> crysys.hu in ns
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39280
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;crysys.hu.                     IN      NS

;; ANSWER SECTION:
crysys.hu.              2681    IN      NS      ns1.crysys.dc.hu.
crysys.hu.              2681    IN      NS      ns2.crysys.dc.hu.

;; Query time: 42 msec
;; SERVER: 10.105.1.254#53(10.105.1.254)
;; WHEN: Tue Feb 23 14:09:23 2010
;; MSG SIZE  rcvd: 73
So??
DNS servers give the basic information about which servers we are connecting to.
The attacker will do these first steps as well.
Of course, sometimes this is not interesting, but the attacker can learn which hosts are on duty for specific purposes (MX, NS, web, etc.).
Multiple addresses might be used for a service (round-robin hosts for web, multiple DNS servers (round-robin), MX records (priority-based list + RR)).
Not much to gain, but much to lose if you neglect to check this.
Finding out the BIND version information
boldi@hbgyak:~$ dig version.bind @ns2.crysys.dc.hu txt ch

; <<>> DiG 9.5.1-P3 <<>> version.bind @ns2.crysys.dc.hu txt ch
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51978
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;version.bind.                  CH      TXT

;; ANSWER SECTION:
version.bind.           0       CH      TXT     "4.9.3-P1-plus-CA-98.05-patches"
The named version of the BME DNS server
boldi@hbgyak:~$ dig version.bind @ns.bme.hu txt ch

; <<>> DiG 9.5.1-P3 <<>> version.bind @ns.bme.hu txt ch
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18923
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;version.bind.                  CH      TXT

;; ANSWER SECTION:
version.bind.           0       CH      TXT     "9.5.1-P3"

;; AUTHORITY SECTION:
version.bind.           0       CH      NS      version.bind.
version.bind
So you can check the version of BIND, but you cannot be sure it is not faked.
As sysadmin, you might want to set this to something fake. That will be security-through-obscurity.
But if you are too lazy to upgrade whenever it is needed, at least fake the version info.
Zone transfer, if allowed
boldi@hbgyak:~$ dig crysys.hu @ns2.crysys.dc.hu in axfr

; <<>> DiG 9.5.1-P3 <<>> crysys.hu @ns2.crysys.dc.hu in axfr
;; global options:  printcmd
crysys.hu.                 3000 IN SOA  ns1.crysys.dc.hu. netadmin.ns1.crysys.dc.hu. 2003030439 43200 14400 2592000 3000
crysys.hu.                 3000 IN NS   ns1.crysys.dc.hu.
crysys.hu.                 3000 IN NS   ns2.crysys.dc.hu.
crysys.hu.                 3000 IN A    152.66.249.135
crysys.hu.                 3000 IN MX   10 shamir.crysys.hu.
crysys.hu.                 3000 IN MX   50 eternal.datacontact.hu.
crysys.hu.                 3000 IN TXT  "Datacontact - your nameserver..."
aggregator.crysys.hu.      3000 IN A    195.228.45.178
albifrons.crysys.hu.       3000 IN A    10.105.1.95
clamav.crysys.hu.          3000 IN A    152.66.249.132
cypio.crysys.hu.           3000 IN A    152.66.249.135
db.crysys.hu.              3000 IN A    152.66.249.139
deserecprj.crysys.hu.      3000 IN A    152.66.249.132
deserecvclt1.crysys.hu.    3000 IN A    152.66.249.131
deserecvclt2.crysys.hu.    3000 IN A    152.66.249.133
deserecvhost1.crysys.hu.   3000 IN A    152.66.249.130
deserecvirtclt1.crysys.hu. 3000 IN A    152.66.249.131
deserecvirtclt2.crysys.hu. 3000 IN A    152.66.249.133
Zone transfer authorization
boldi@fw:~$ dig crysys.hu @ns1.crysys.dc.hu in axfr

; <<>> DiG 9.5.1-P1 <<>> crysys.hu @ns1.crysys.dc.hu in axfr
;; global options:  printcmd
; Transfer failed.

Limiting zone transfer in named.conf:
    allow-transfer { 195.228.45.175; 152.66.249.135; };
Setting a fake BIND version in named.conf
boldi@shamir:~$ more /etc/bind/named.conf
/* sample configuration file for BIND 8.1 or later
 * should be installed as /etc/named.conf
 *
 * Author: Florian La Roche
 */
#
# overall options of the server
#
options {
    version "4.9.3-P1-plus-CA-98.05-patches";
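The two named.conf settings shown on the last slides, allow-transfer and version, are the ones an administrator can check mechanically. The following Python is an added example, not code from the slides or from BIND: it strips comments from a named.conf text, then reports how zone transfers are restricted and what version.bind will answer. The two configuration texts are constructed for this example; the addresses in the hardened one are those from the allow-transfer snippet above.

```python
import re

# allow-transfer { a; b; };  and  version "string";  /  version none;
_TRANSFER_RE = re.compile(r"allow-transfer\s*\{([^}]*)\}", re.S)
_VERSION_RE = re.compile(r'\bversion\s+(?:"([^"]*)"|(none))\s*;')

# Constructed: a zone block that hands the whole zone to anyone who asks, and
# no version option, so version.bind returns the real BIND version.
CONF_WEAK = """\
options {
    directory "/var/cache/bind";
};
zone "example.test" {
    type master;
    file "/etc/bind/db.example";
    allow-transfer { any; };
};
"""

# Constructed: transfers limited to the secondaries, version string faked.
CONF_HARDENED = """\
options {
    directory "/var/cache/bind";
    version "4.9.3-P1-plus-CA-98.05-patches";   // fake string, as on the slide
    allow-transfer { 195.228.45.175; 152.66.249.135; };
};
"""


def _strip_comments(text):
    """Drop /* */, // and # comments so a commented-out setting is not taken
    for an active one."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def audit_named_conf(text):
    """Return a small findings dict for the transfer policy and the version
    string. 'missing' means no allow-transfer at all, i.e. the server default
    applies (the classic BIND default is any)."""
    text = _strip_comments(text)
    findings = {}
    m = _TRANSFER_RE.search(text)
    acl = [] if m is None else [e.strip() for e in m.group(1).split(";") if e.strip()]
    if m is None:
        findings["zone_transfer"] = "missing"
    elif any(e.lower() == "any" for e in acl):
        findings["zone_transfer"] = "any"
    elif [e.lower() for e in acl] == ["none"]:
        findings["zone_transfer"] = "disabled"
    else:
        findings["zone_transfer"] = "restricted"
    findings["transfer_acl"] = acl
    v = _VERSION_RE.search(text)
    if v is None:
        findings["version_string"] = None        # real version is disclosed
    else:
        findings["version_string"] = v.group(1) if v.group(1) is not None else "none"
    findings["needs_attention"] = findings["zone_transfer"] in ("missing", "any")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", CONF_WEAK), ("hardened", CONF_HARDENED)):
        print(name, audit_named_conf(conf))
```

Only the transfer policy drives needs_attention: a disclosed version string is the obscurity question the slides discuss, while an open AXFR hands out the whole zone regardless of how the version is labelled. A real audit would also have to look at per-zone blocks separately and at named ACLs referenced by name, which this example does not resolve.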
boldi@hbgyak:~$ whois 152.66.249.135
OrgName:    RIPE Network Coordination Centre
OrgID:      RIPE
Address:    P.O. Box 10096
City:       Amsterdam
StateProv:
PostalCode: 1001EB
Country:    NL
ReferralServer: whois://whois.ripe.net:43
NetRange:   152.66.0.0 - 152.66.255.255
CIDR:       152.66.0.0/16
NetName:    RIPE-ERX-152-66-0-0
NetHandle:  NET-152-66-0-0-1
Parent:     NET-152-0-0-0-0
NetType:    Early Registrations, Transferred to RIPE NCC
Comment:    These addresses have been further assigned to users in
Comment:    the RIPE NCC region. Contact information can be found in
Comment:    the RIPE database at http://www.ripe.net/whois
RegDate:    2004-03-03
Updated:    2004-03-03
inetnum:        152.66.0.0 - 152.66.255.255
netname:        BMENET
descr:          Budapest University of Technology and Economics
descr:          Budapesti Muszaki es Gazdasagtudomanyi Egyetem
country:        HU
org:            ORG-BME1-RIPE
admin-c:        GR1029-RIPE
tech-c:         IOS2-RIPE
tech-c:         GOYA-RIPE
tech-c:         THU-RIPE
remarks:        rev-srv: nic.bme.hu
remarks:        rev-srv: ns.bme.hu
status:         ASSIGNED PI
mnt-by:         AS2547-MNT
source:         RIPE # Filtered
remarks:        rev-srv attribute deprecated by RIPE NCC on 02/09/2009
DNS AXFR
AXFR is a zone transfer: a DNS server copies all available data in a specific zone to another DNS server (the secondary downloads all the data to be served).
Anyone who can download the zone transfer data knows all the hosts or subdomains that are defined in the zone.
E.g. all .ca domain entries could be downloaded by AXFR.
Why is it a problem? E.g. info@domain.hu type spam: a spammer can easily collect a list.
Is it a problem? Hard to answer, see above (security through obscurity).
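To make the "what does a zone transfer give away" question concrete for the AXFR output and the "So??" discussion above, here is an added Python example (not code from the slides): it parses zone lines in the format dig prints for an AXFR and summarises the exposure, including hosts whose A record points at a private (RFC 1918) address, which tells an outsider about the internal network. ZONE_DUMP is a constructed excerpt modelled on the transfer shown on the slides.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in dig AXFR output format: owner, TTL, class, type, rdata.
ZONE_DUMP = """\
crysys.hu.               3000 IN SOA  ns1.crysys.dc.hu. netadmin.ns1.crysys.dc.hu. 2003030439 43200 14400 2592000 3000
crysys.hu.               3000 IN NS   ns1.crysys.dc.hu.
crysys.hu.               3000 IN NS   ns2.crysys.dc.hu.
crysys.hu.               3000 IN A    152.66.249.135
crysys.hu.               3000 IN MX   10 shamir.crysys.hu.
crysys.hu.               3000 IN MX   50 eternal.datacontact.hu.
albifrons.crysys.hu.     3000 IN A    10.105.1.95
clamav.crysys.hu.        3000 IN A    152.66.249.132
db.crysys.hu.            3000 IN A    152.66.249.139
deserecvhost1.crysys.hu. 3000 IN A    152.66.249.130
"""


def parse_axfr(text):
    """Parse dig-style zone lines into (owner, ttl, type, rdata) tuples.
    Comment lines starting with ';' and blank lines are skipped; anything
    that does not look like an IN-class record is ignored."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue
        owner, ttl, _cls, rtype = fields[:4]
        records.append((owner, int(ttl), rtype, " ".join(fields[4:])))
    return records


def review_zone(text):
    """Summarise what the transfer discloses: every named host, record counts
    by type, hosts that leak private addresses, and the mail and name server
    roles (MX sorted by preference, lowest = primary)."""
    by_type = defaultdict(list)
    for owner, _ttl, rtype, rdata in parse_axfr(text):
        by_type[rtype].append((owner, rdata))
    record_types = {t: len(v) for t, v in by_type.items()}
    private_hosts = [
        owner for owner, rdata in by_type["A"]
        if ipaddress.ip_address(rdata).is_private
    ]
    mx = sorted(by_type["MX"], key=lambda item: int(item[1].split()[0]))
    return {
        "hosts": sorted({owner for owner, _ in by_type["A"]}),
        "record_types": record_types,
        "private_address_hosts": private_hosts,
        "mail_servers": [rdata.split()[1] for _, rdata in mx],
        "name_servers": [rdata for _, rdata in by_type["NS"]],
    }


if __name__ == "__main__":
    for key, value in review_zone(ZONE_DUMP).items():
        print(f"{key}: {value}")
```

Run against a real transfer of your own zone (dig ... axfr > dump.txt), the private_address_hosts list is the item worth acting on first: those names belong in an internal view or a split-horizon setup, not in the public zone, whether or not AXFR is open.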
Whois
Whois is a general internet-wide database protocol.
It is typically used for IP address lookup and DNS owner lookup.
At many places it is no longer used directly; for .hu it is redirected to a web-based service: http://www.domain.hu/domain/domainsearch/ (who knows how ethical that is).
TEST THIS: whois -h asn.shadowserver.org origin 152.66.249.135
2011
domain:          bme.hu
domain-használó: Budapest University of Technology and Economics
domain-használó: Budapesti Muszaki és Gazdaságtudományi Egyetem
cím:             Pf 91
cím:             H-1521 Budapest
cím:             HU
telefon:         +36 1 4631111
telefax:         +36 1 4631110
hun-id:          1000215059
admin-kontakt:   2001296914
tech-kontakt:    2001292652
zone-kontakt:    2000226497
névszerver:      nic.bme.hu[152.66.115.1]
névszerver:      ns2.pantel.net
névszerver:      ns.bme.hu[152.66.116.1]
regisztrálva:    1993-03-03 14:24:46
módosítva:       2010-03-02 15:28:56
regisztrátor:    1960215001

admin-kontakt:   Remzső Gábor
cím:             Pf 91
cím:             H-1521 Budapest
cím:             HU
telefon:         +36 1 4632421
telefax:         +36 1 4631110
hun-id:          2001296914
tech-kontakt:    BMENET hostmaster
cím:             Pf 91
cím:             H-1521 Budapest
cím:             HU
telefon:         +36 1 4631616
telefax:         +36 1 4632420
e-mail:          hostmaster@bme.hu
hun-id:          2001292652

zone-kontakt:    DNS Admin HUNGARNET
cím:             Pf. 498
cím:             1396 Budapest 62
cím:             HU
telefon:         dns-admin@hungarnet.hu
telefax:         +36 1 350-6750
hun-id:          2000226497

regisztrátor:    HUNGARNET Association
regisztrátor:    HUNGARNET Egyesület (Registrar)
cím:             Victor Hugo u. 18-22.
cím:             H-1132 Budapest
cím:             HU
telefon:         +36 1 4503070
telefax:         +36 1 3506750
hun-id:          1960215001
2010 record (archive)
person:         Gabor Remzso
address:        Budapest University of Technology and Economics
address:        Center of Information Systems
address:        Muegyetem rkp. 9. R310
address:        H-1111 Budapest
address:        Hungary
phone:          +36 1 4632421
fax-no:         +36 1 4632420
nic-hdl:        GR1029-RIPE
org:            ORG-BME1-RIPE
mnt-by:         AS2547-MNT
source:         RIPE # Filtered

person:         Istvan Ostrosits
address:        Invitel
address:        Puskas Tivadar u. 8-10.
address:        H-2040 Budaors
address:        Hungary
phone:          +36 1 8883583
nic-hdl:        IOS2-RIPE
source:         RIPE # Filtered
2010 record /2
person:         Andras Jako
address:        Budapest University of Technology and Economics
address:        Center of Information Systems
address:        Muegyetem rkp. 9. R310
address:        H-1111 Budapest
address:        Hungary
phone:          +36 1 4631672
fax-no:         +36 1 4632420
nic-hdl:        GOYA-RIPE
org:            ORG-BME1-RIPE
source:         RIPE # Filtered

person:         Imre Simon
address:        Budapest University of Technology and Economics
address:        Center of Information Systems
address:        Muegyetem rkp. 9. R310
address:        H-1111 Budapest
address:        Hungary
phone:          +36 1 4631616
fax-no:         +36 1 4632420
nic-hdl:        THU-RIPE
source:         RIPE # Filtered
2010 record /3
% Information related to '152.66.0.0/16AS2547'
route:          152.66.0.0/16
descr:          BMENET
org:            ORG-BME1-RIPE
origin:         AS2547
mnt-by:         AS2547-MNT
source:         RIPE # Filtered

organisation:   ORG-BME1-RIPE
org-name:       BME
remarks:        Budapest University of Technology and Economics
remarks:        Budapesti Muszaki es Gazdasagtudomanyi Egyetem
org-type:       OTHER
address:        Muegyetem rkp. 9. H-1111 Budapest Hungary
phone:          +36 1 4632421
fax-no:         +36 1 4632420
remarks:        =========================================================
abuse-mailbox:  abuse@bme.hu
remarks:        ---------------------------------------------------------
remarks:        Reporting guidelines can be found at http://net.bme.hu/abuse/?lang=en
remarks:        Reports not conforming to these guidelines may be discarded silently.
remarks:        Thanks for your cooperation.
remarks:        ---------------------------------------------------------
2010 record /4
remarks:        Bejelentest kerjuk az alabbiak szerint tegyen: http://net.bme.hu/abuse/
remarks:        Az itt leirtaknak meg nem felelo bejelentesekkel nem all modunkban foglalkozni.
remarks:        Koszonjuk szives egyuttmukodeset!
remarks:        =========================================================
mnt-ref:        AS2547-MNT
mnt-by:         AS2547-MNT
source:         RIPE # Filtered
Some practical examples, tools
1. SSH protocol header modification
VIDEO: ssh_debian_header_removal-1.avi (05:30)
Questions?
THANK YOU FOR YOUR ATTENTION!
Dr. Bencsáth Boldizsár, assistant professor
BME Department of Telecommunications (Híradástechnikai Tanszék)
bencsath@crysys.hit.bme.hu