Hacking Demystified Odense, February 2012
Transcript

  • 1. Hacking Demystified. No magic or funny hats involved. Held at EAL Odense, Johnny Vestergaard, 15 February 2012. Hacking Demystified Johnny Vestergaard – 1 / 57
  • 2. Introduction. Contact: linkedin.com/in/johnnykv, jkv@unixcluster.dk
  • 3. Agenda
    1. Introduction
    2. The opponent
    3. Attack demonstration
       (a) SQL Injection
       (b) Client side browser attack
    4. Attack summary
    5. Mitigation
    6. The end
  • 4. Disclaimer. The views and opinions expressed in this presentation are the personal views of the speaker and do not necessarily reflect the views, policies or procedures of present or past employers. All information, tactics, techniques and procedures used or mentioned during this presentation are based solely on open and publicly accessible sources.
  • 5. Ethics and purpose. «So it is said that if you know your enemies and know yourself, you can win a hundred battles without a single loss. If you only know yourself, but not your opponent, you may win or may lose. If you know neither yourself nor your enemy, you will always endanger yourself.» - Sun Tzu
  • 6. Terminology
    • Vulnerability
      ◦ A weakness in a piece of software which can compromise the security of the computer system involved.
    • Exploit
      ◦ A piece of code or a technique which allows an attacker to exploit a vulnerability.
    • Zero day exploit / vulnerability
      ◦ Exploiting or having knowledge of a vulnerability before it is publicly announced.
  • 7. The opponent (section divider)
  • 8. Opponent types. This presentation will focus on the following types of opponents:
    • The hacktivist
    • Plain old (digital) criminal
    • State and state-sponsored actors
  • 9. The hacktivist
    • Promote a political message or agenda.
    • Loosely organized, a few lone wolves.
    • Terrorism or activism? Depends on the observer...
    • Defacement, doxing, DoS, data dumps, etc.
    • Tend to use old and well-proven techniques.
    • Anonymous, The Jester, Cyber Hezbollah.
  • 10. Case Study - OpMegaupload (section divider)
  • 11. Media
  • 12. Message from Anonymous
  • 13. Attack timeline
  • 14. AnonOps IRC Chat
  • 15. High Orbit Ion Cannon
  • 16. Browser based attacks
  • 17. Browser based attack tool (javascript)
  • 18. Plain old (digital) criminal
    • Motivated by money.
    • Maximum revenue - minimal effort.
    • Mixed organization.
    • Heavy use of crimeware.
      ◦ Blackhole, SpyEye, Zeus, etc.
    • Spamming, botnet herding, extortion.
    • Identity theft, credit cards, bank account details.
    • Corporate espionage.
  • 19. Crimeware Example
  • 20. Crimeware Example: Blackhole
  • 21. The Nitro Attack (July 2011). Source: Symantec - The Nitro Attacks
  • 22. The Nitro Attack (July 2011). Source: Symantec - The Nitro Attacks
  • 23. State actors
    • Intelligence agencies, law enforcement, military «cyber» units.
    • Sabotage, espionage, subversion, information warfare.
    • Skilled personnel.
    • Highly organized.
    • Extremely resourceful.
  • 24. FinFisher
  • 25. Stuxnet - in 30 seconds. (Diagram: Corporate LAN.) Source: Symantec - W32.Stuxnet Dossier
  • 26. Stuxnet - in 30 seconds. Source: http://www.isssource.com/
  • 27. Attack demonstration (section divider)
  • 28. Typical Modus Operandi for the experienced attacker
  • 29. Tools of the trade. Tools used during the attack:
    • Backtrack (http://www.backtrack-linux.org)
    • Arpspoof (http://arpspoof.sourceforge.net)
    • John the Ripper (http://www.openwall.com/john/)
    • Metasploit (http://metasploit.com/)
  • 30. Case information
    Target: A small privately held research company on the verge of a breakthrough within development of an effective HIV vaccine.
    Goal: Collect scientific information to such a degree that our customer will be able to recreate ACME's new vaccine.
  • 31. ACME Attack - Overview
  • 32. ACME Attack - The Grand scheme
  • 33. Penetrate through VPN
  • 34. Penetrate through VPN
  • 35. SQL Injection
  • 36. SQL Injection
  • 37. The SQL Query from hell
    SELECT * FROM article WHERE content LIKE '%ELVIS%' OR 1=convert(int, 'Hillbilly')
  • 38. The SQL Query from hell (the same query, with the server's response)
    SELECT * FROM article WHERE content LIKE '%ELVIS%' OR 1=convert(int, 'Hillbilly')
    Result: Conversion failed when converting the varchar value 'Hillbilly' to data type int.
  • 39. Demo, SQL injection
  • 40. Password hashing
  • 41. Password hashing. Pseudo code to identify the cleartext which goes with the digest above:
    possibleWords = [Horse, Cat, Closet, Automobile ...]
    for word in possibleWords
        if (md5(word) == d910eb044a857f9ee...)   // compare the digest of each candidate with the stolen one
            return word
  • 42. Demo, Password cracking
  • 43. SQL Injection - Real world stories
    • HBGary Federal, Feb 2011
      ◦ SQL Injection
        http://www.hbgaryfederal.com/pages.php?pageNav=2&page=27
      ◦ Extract of logins, emails and hashes.
      ◦ Used for intrusion on HBGary's servers, twitter account, etc.
      ◦ Publication of internal data.
    • Barracuda Networks, April 2011
      ◦ During maintenance of the application firewall a hacker conducted his attack.
        • How did he know the firewall was down at this exact time?
      ◦ Extract of logins, emails and hashes.
      ◦ Used for?
    • A1 on OWASP Top 10 Application Security Risks.
  • 44. Jump to classified side
  • 45. Jump to classified side
  • 46. Jump to classified side - Normal
  • 47. Jump to classified LAN - Attack
  • 48. ARP poisoning
  • 49. ARP poisoning
  • 50. Demo, client side attack
  • 51. Client-side attacks - real world stories
    • RSA, March 2011
      ◦ Pretty simple mail attack to create a bridgehead into RSA's network. Attached to the mail was an Excel document with an embedded zero-day Flash exploit; the payload used was Poison Ivy.
      ◦ Purpose of the hack was to collect classified information on SecurID (!!).
  • 52. Summary
  • 53. Mitigation (section divider)
  • 54. SQL Injection
    • Input validation (server-side!)
    • Separation of code and data
      ◦ C#: SqlParameter.
        // The wildcards are concatenated inside the SQL text, so the user's
        // search string is only ever bound as a value, never parsed as SQL.
        SqlCommand cmd = new SqlCommand(
            "SELECT * FROM articles WHERE content LIKE '%' + @searchString + '%'", connection);
        cmd.Parameters.Add(new SqlParameter { ParameterName = "@searchString", Value = searchString });
    • Tools
      ◦ SQLMap (http://sqlmap.sourceforge.net/)
      ◦ Skipfish (http://code.google.com/p/skipfish/)
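Added example in Python (sqlite3 standing in for SQL Server), not code from the slides: the concatenated query of slide 37 next to the parameterised form of slide 54, both run against a constructed three-row article table. The table, its rows and the search terms are assumptions made for the demonstration. It also covers a caveat the slide does not mention: `%` and `_` stay LIKE wildcards even when the term is bound as a parameter, so they are escaped before binding.

```python
import sqlite3

# Constructed sample data (not from the slides): a tiny "article" table like the
# one behind the search box in the demo.
ARTICLES = [
    (1, "Elvis sightings in Odense", "ELVIS was seen near the harbour"),
    (2, "Vaccine progress", "ACME reports a promising HIV vaccine candidate"),
    (3, "Board minutes", "Confidential: Q1 budget approved"),
]


def make_db():
    """Create an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT, content TEXT)")
    conn.executemany("INSERT INTO article VALUES (?, ?, ?)", ARTICLES)
    return conn


def search_vulnerable(conn, term):
    """Slide 37 style: the search string is pasted into the SQL text, so
    whatever the user types becomes part of the query's code."""
    sql = f"SELECT id FROM article WHERE content LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def escape_like(term):
    """LIKE treats % and _ as wildcards even in a bound parameter, so escape
    them (and the escape character itself) before binding."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_safe(conn, term):
    """Slide 54 style (SqlParameter in C#): code and data are separated.
    The term is bound as a value and the SQL text never changes."""
    sql = "SELECT id FROM article WHERE content LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, ("%" + escape_like(term) + "%",))]


if __name__ == "__main__":
    db = make_db()
    for term in ["ELVIS", "x' OR 1=1 --", "Q1_"]:
        print(repr(term), "vulnerable:", search_vulnerable(db, term),
              "safe:", search_safe(db, term))
```

Run as-is it prints three comparisons: the honest search returns the same row either way, the `' OR 1=1 --` term returns every row from the concatenated query and nothing from the parameterised one, and the `_` term shows that parameter binding alone does not stop wildcard matching.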
  • 55. Finding SQL injection vulnerabilities - the easy way. bit.ly/tQYODm (Pulp Google Hacking - Hacker Halted 2011)
  • 56. Secure storage of passwords
    • Do not store plaintext passwords - store a hash of the password!
    • Hashing != encryption
    • Goal: Maximise the time an opponent must use (waste) to crack our passwords.
      ◦ Salting.
      ◦ Password length and complexity.
    • ...don't use passwords?
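Added example in Python (standard library only), not the slides' own code: the dictionary check from slide 41 next to a salted, deliberately slow hash (PBKDF2-HMAC-SHA256) that puts the salting and "maximise the opponent's time" points of this slide into practice. The wordlist, user names and passwords are constructed; the 600,000 iteration default is an assumption taken from OWASP's current guidance for PBKDF2-SHA256, not a figure from the talk.

```python
import hashlib
import hmac
import os

# Constructed sample data for the demonstration (not from the slides).
WORDLIST = ["Horse", "Cat", "Closet", "Automobile", "Hillbilly"]
# Two users who happened to pick the same password.
USERS = {"alice": "Closet", "bob": "Closet"}


def md5_hex(word):
    """Unsalted, fast digest as on the cracking slide."""
    return hashlib.md5(word.encode()).hexdigest()


def crack_unsalted(digest, wordlist):
    """The slide's pseudo code: try each candidate until its digest matches.
    One precomputed table of md5(word) serves every user and every site."""
    for word in wordlist:
        if md5_hex(word) == digest:
            return word
    return None


def hash_password(password, iterations=600_000, salt=None):
    """Salted, slow hash (PBKDF2-HMAC-SHA256). The result is self-describing
    so the iteration count can be raised later without breaking old entries."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def same_password_same_digest(users, hasher):
    """True if users sharing a password end up with identical stored values,
    which is what lets one cracked hash unlock every such account."""
    stored = [hasher(pw) for pw in users.values()]
    return len(set(stored)) < len(stored)


if __name__ == "__main__":
    stolen = md5_hex("Closet")
    print("md5 cracked to:", crack_unsalted(stolen, WORDLIST))
    print("md5 reveals shared passwords:", same_password_same_digest(USERS, md5_hex))
    print("pbkdf2 reveals shared passwords:",
          same_password_same_digest(USERS, hash_password))
    h = hash_password("Closet")
    print("verify correct:", verify_password("Closet", h),
          "verify wrong:", verify_password("closet", h))
```

With unsalted MD5 the digest is the same wherever the same password turns up, so one wordlist pass cracks every copy; with a per-user salt and a costly derivation the opponent has to start over for each account, which is exactly the time the slide wants them to waste.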
  • 57. ARP Poisoning
    • Static ARP tables on each and every host.
    • Restrict switch ports to specific MAC addresses.
    • Detection of suspect ARP traffic (arpwatch).
    • 802.1X.
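Added example (not from the slides): a minimal arpwatch-style detector in Python for the "detection of suspect ARP traffic" point above. The ARP replies, IP addresses and MAC addresses are constructed sample data, and the code assumes a sniffer has already turned ARP replies into (timestamp, ip, mac) records; the alert names are modelled on arpwatch's own report subjects.

```python
from collections import namedtuple

ArpReply = namedtuple("ArpReply", "ts ip mac")

# Constructed ARP replies as a passive listener on the LAN segment might log
# them (sample data, not a real capture). 10.0.0.1 is the hosts' gateway.
OBSERVED = [
    ArpReply(100, "10.0.0.1", "00:11:22:33:44:01"),
    ArpReply(101, "10.0.0.7", "00:11:22:33:44:07"),
    ArpReply(160, "10.0.0.1", "00:11:22:33:44:01"),
    ArpReply(200, "10.0.0.1", "de:ad:be:ef:00:99"),  # a second NIC claims the gateway IP
    ArpReply(201, "10.0.0.1", "00:11:22:33:44:01"),  # the real gateway answers again
    ArpReply(202, "10.0.0.1", "de:ad:be:ef:00:99"),  # and the claim is repeated
]


def watch(replies):
    """Keep an IP->MAC table like arpwatch does and report every deviation.
    Alert names follow arpwatch's report subjects:
      new station               first time this IP is seen
      changed ethernet address  IP now answered by a MAC never seen for it
      flip flop                 IP switches back to a MAC it used before
    """
    current = {}   # ip -> most recently seen mac
    previous = {}  # ip -> mac seen before the current one
    alerts = []
    for r in replies:
        old = current.get(r.ip)
        if old is None:
            alerts.append((r.ts, "new station", r.ip, r.mac))
        elif r.mac != old:
            kind = "flip flop" if previous.get(r.ip) == r.mac else "changed ethernet address"
            alerts.append((r.ts, kind, r.ip, r.mac))
            previous[r.ip] = old
        current[r.ip] = r.mac
    return alerts


def contested_ips(replies):
    """IPs that more than one MAC has claimed. The gateway appearing here is
    the classic sign of a man-in-the-middle on the segment."""
    claims = {}
    for r in replies:
        claims.setdefault(r.ip, set()).add(r.mac)
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


if __name__ == "__main__":
    for alert in watch(OBSERVED):
        print("%5d %-24s %-10s %s" % alert)
    print("contested:", contested_ips(OBSERVED))
```

The two "new station" lines are the baseline being learned; the alternating "changed ethernet address" and "flip flop" lines for the gateway address are what an operator should page on, because a legitimate NIC replacement changes the binding once and then stays put.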
  • 58. Client-side attacks
    • Keep updated!
    • Security awareness.
  • 59. The End. Slides: http://www.slideshare.net/JohnnyKV/ Contact: linkedin.com/in/johnnykv, jkv@unixcluster.dk