Hálózatbiztonság a gyakorlatban Terms, backdoors, first steps with nessus 2015. május 22. Budapest Dr. Bencsáth Boldizsár adjunktus BME Hálózati Rendszerek és Szolgáltatások Tanszék bencsath@crysys.hit.bme.hu
Targeted attacks they are everywhere Tools, Techniques, Procedures of the RSA Hackers Revealed Posted by timothy on 06:51 AM February 12th, 2012 from the more-links-than-a-sausage-factory dept. An anonymous reader writes "Details of the tools, techniques and procedures used by the hackers behind the RSA security breach have been revealed in a research paper (PDF) published by Australian IT security company Command Five. The paper also, for the first time, explains links between the RSA hack and other major targeted attacks. This paper is a vendor-neutral must-read for any network defenders concerned by the hype surrounding 'Advanced Persistent Threats.' http://www.commandfive.com/papers/c5_apt_c2inthefift hdomain.pdf 2
3
Java/PHP number handling problem Newly found bug in Java 31/01/2011 class compilehang { public static void main(string[] args) { double d = 2.2250738585072012e-308; System.out.println("Value: " + d); } } C:\>javac -version javac 1.6.0_17 Result: Compile hangs The same for run-time hang: class runhang { public static void main(string[] args) { System.out.println("Test:"); double d = Double.parseDouble("2.2250738585072012e-308"); System.out.println("Value: " + d); } } Readers found two bug reports that describe the same problem (although not in terms of the magic number 2.2250738585072012e- 308): bug number 100119 from 2009, and bug number 4421494 from 2001. (But don t bother clicking on that last one the link is now dead, as of 2/3/11.) On 2/8/2011, Oracle released a fix. 4
Similar problem in PHP <?php $d = 2.2250738585072011e-308;?> Results in an infinite loop in PHP (03/01/2011 e.g. PHP Version 5.3.2-1ubuntu4.5 ) What s Special About 2.2250738585072011e-308? 2.2250738585072011e-308 represents the largest subnormal double-precision floating-point number; written as a hexadecimal floating-point constant, it s 0x0.fffffffffffffp-1022. 2.2250738585072011e-308 is one of five 17-digit decimal values that convert (correctly) to 0x0.fffffffffffffp-1022: 2.2250738585072007e-308 2.2250738585072008e-308 2.2250738585072009e-308 2.2250738585072010e-308 2.2250738585072011e-308 Only 2.2250738585072011e-308 causes the problem. It happens to be the largest of the five decimal values, so I guess that matters somehow. http://www.exploringbinary.com/php-hangs-on-numeric-value-2-2250738585072011e-308/ 5
How to learn things in practice? Be prepared! Do not test in live environment Sandboxing: Typically a virtual environment is the best to practice. Easy to backup, to maintain, to stop, etc. Don t trust in anything. Exploit code can contain anti-script kiddie code. Downloaded virus, trojan horse, malware can really harm Your environment. There are well prepared systems to run Your own tests: A good example is the Metasploitable virtual environment Metasploit Framework (MSF) is an open source project containing tools, exploits for many security vulnerabilities, ideal for penetration testing (pen-test) 6
Metasploitable / VM One of the questions that we often hear is "What systems can i use to test against?" Based on this, we thought it would be a good idea throw together an exploitable VM that you can use for testing purposes. Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image. A number of vulnerable packages are included, including an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki, twiki, and an older mysql. You can use most VMware products to run it, and you'll want to make sure it's configured for Host-only networking unless it's in your lab - no need to throw another vulnerable machine on the corporate network. It's configured in non-persistent-disk mode, so you can simply reset it if you accidentally 'rm -rf' it. http://www.metasploit.com/documents/express/metasploitable.zip.torren t 7
Metasploit Framework screenshots 8
9
What can be vulnerable on a system? Nearly everything, but the top list is: Known web application errors: PHPBB, PHPMyAdmin, chat programs, mailing programs, log analysers, etc. Web applications (remote code injection, SQL injection, cross-site scripting) especially: file upload, remote administration related stuff Linux Kernel mostly exploitable only by local users Database related stuff: Oracle, bad password/no password with MySQL, etc. Configuration, passwords, etc. (specialities: default passwords, bad passwords, enabled root login, etc.) Server programs (Java, Tomcat, Apache, SSH, etc.) not so common Everything else (incl. OS errors) 10
So then what is the art of hacking? There are lot of possible vulnerable points, thousands of software, configuration The system is not transparent the hacker cannot identify all of the software version, etc., it should be guessed The exploitation of the vulnerabilities learned is not trivial, even with downloaded exploits. The exact combination, what exploit to use on what vulnerability on which system part is not a trivial choice. The art of hacking is to combine knowledge, experience, tools, creativity etc. to be successful 11
Attackers Internal attackers Script kiddies Internet-wide scans (botnets, worms, etc.) Targeted attackers (with low budget) Professional targeted attackers (high budget) Differences: What tools can they use (budget, knowledge) What time constraint they have How much computing, network resources they have How targeted is the attack What (how deep, sophisticated) is the main goal of an attack (e.g. just have a proxy -> ransom, multi-million dollar theft, obtaining millions of credit cards) 12
Point-of-View of the attacker The attacker focuses on errors rather than what is working Tries to find the weakest point Finds new ways to attack This is why security testing, audits are important! If You learned security, You can avoid typical errors However, It is hard to identify system-wide problems at the first glance, during a large-scale development And nobody has enough time to do everything in a secure fashion It is not impossible to do security testing against Your own work just take a different hat and a bit different thinking, 13
How a typical hacker compromises a system Teljes integritás Információgyűjtés Információ a rendszerről kijutott Már próbálkoztak Már próbálkoztak (b) Egyik próba sikeres Adminisztrátori jogok és infó kijutás Hiba kiaknázáspróba Információk a rendszer belsejéről További célpontok és infogyűjtés Hiba kiaknázáspróba Információszerzés a gép belső Rendszer veszélyben rendszeréről Hiba által shellhez jutás Támadó bejutott Egész rendszer feltörése Minden feltörve 14
Simple attacks with high risk Internal attacker (employee) copies secret information before leaving company Social engineering: Employee gives credentials to attackers (e.g. phone call, dumpster diving) Near impossible to avoid Passwords on stickers near the computer Sometimes these problems lead to higher risks than a missing update, a vulnerable kernel or a bad password (-> risk analysis is important!) 15
Network security Network security is the implementation of security devices, policies, and processes to prevent the unauthorized access to network resources or the alteration or destruction of resources or data. There is no 100% security Security is a management problem acceptable security by acceptable costs and methods Three steps to implement network security: Preparation (general-usage statements, risk analysis) Prevention Response 16
Dictionary first words Vulnerability - a flaw or weakness in a system s design, implementation, or operation and management Threat - a possible way to exploit vulnerabilities Attack - a deliberate attempt to compromise a system Exploit - is a piece of software, a chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer Rootkit Backdoor - a method of bypassing normal authentication, securing remote access to a computer by an attacker 0-day (zero day) (exploit) - a computer threat that tries to exploit computer application vulnerabilities that are unknown to others DoS Denial of Service - an attempt to make a computer resource unavailable to its intended users Spoofing - a situation in which one person or program successfully masquerades as another by falsifying data 17
Security terms 2. Sniffing - intercepts and log traffic passing over a digital network Scanner tries numerous hosts angainst a vulnerability or to find open services Portscan only scans for open TCP/UDP ports of a system to identify potential targets Fingerprinting find characteristic information of a system or tool, e.g. find out what operating system is in use, or what tool has been used. Cracker - a Black-hat computer hacker, a person who breaks security Hacker - who makes innovative customizations or combinations of retail electronic and computer equipment (but often used as a synonym of cracker) Ethical hacker - computer security experts, who specialize in penetration testing, and other testing methodologies, to ensure that a company's information systems are secure 18
Security terms 3. Forensics recover, analyze or gather data, evidence from computer systems to be used in court law Black-box test (vs. crystal-box) testing with no knowledge of the test object's internal structure Penetration test - a method of evaluating the security of a computer system or network by simulating an attack from a malicious source Security assessment - an explicit study to locate IT security vulnerabilities and risk Script kiddie - a non-expert who breaks into computer systems by using pre-packaged automated tools written by other 19
Some practical examples, tools 0. A simple backdoor VIDEO backdoor.simple.2b.avi 13:10 1. Downloading and installing Nessus VIDEO nessus_inst1.avi 02:15 2. Installing Nessus plugins, activation VIDEO nessus_inst2.avi 03:47 20
Kérdések? KÖSZÖNÖM A FIGYELMET! Dr. Bencsáth Boldizsár adjunktus BME Hálózati Rendszerek és Szolgáltatások Tanszék bencsath@crysys.hit.bme.hu 21