Network Vulnerability Assessments: Lessons Learned


Published on

Published in: Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Network Vulnerability Assessments: Lessons Learned

  1. 1. Network Vulnerability Assessments Lessons Learned Chris Goggans [email_address]
  2. 2. What are Vulnerability Assessments? <ul><li>Internal and external attacks </li></ul><ul><li>Validation of existing security mechanisms </li></ul><ul><li>Detailed analysis of all networked devices and services </li></ul><ul><li>Audits for policy compliance and deficiencies in existing policies </li></ul><ul><li>Prioritized recommendations for improving security posture </li></ul>
  3. 3. Vulnerability Assessments: WHY? <ul><li>Only realistic way to determine vulnerabilities </li></ul><ul><li>Get a baseline of vulnerability state </li></ul><ul><li>Prioritize remedial actions </li></ul><ul><li>Correct serious problems quickly </li></ul><ul><li>Assure that policies address real vulnerabilities </li></ul><ul><li>Industry best practice </li></ul>
  4. 4. Vulnerability Assessments: H OW ? <ul><li>External Assessment </li></ul><ul><ul><li>Internet </li></ul></ul><ul><ul><li>Modems </li></ul></ul><ul><ul><li>Wireless </li></ul></ul><ul><ul><li>Partner Connectivity </li></ul></ul><ul><li>In-briefing </li></ul><ul><li>Internal Assessment </li></ul><ul><li>Out-briefing </li></ul><ul><li>Report preparation and delivery </li></ul><ul><li>Executive briefing </li></ul>
  5. 5. Government Contractor <ul><li>Unpassworded TELNET access into print server </li></ul><ul><li>SNMP Read/Write community string exposed in printer configuration menu </li></ul><ul><li>Community string also used on devices such as routers, switches, etc. </li></ul><ul><li>“ Level 7” hashes in Cisco config files exposed the password “mbhafnitsoscar” </li></ul><ul><li>This password also used by Domain Administrator on Windows PDC </li></ul><ul><li>Windows Domain also tied to NetWare eDirectory, sharing account names and passwords </li></ul><ul><li>In total, compromise of nearly 15,000 accounts and 99.99% of all systems and network devices…all from one insecure printer </li></ul>
  6. 6. Government Contractor Lessons Learned: <ul><li>Even the most insignificant network device can provide information that uncovers a major attack path </li></ul><ul><ul><li>Always examine everything connected to your networks! </li></ul></ul><ul><li>Always utilize the greatest password protection possible </li></ul><ul><ul><li>MD5 vs Level7 </li></ul></ul><ul><li>In situations where accounts and passwords are shared across platforms, a single compromise of the weakest platform can lead to massive compromise </li></ul><ul><ul><li>Rainbow Tables & NTLMv1 </li></ul></ul>
  7. 7. Civilian Government Agency <ul><li>Development WWW server running with default cold fusion scripts that allow remote viewing of web source </li></ul><ul><li>Attack Path 1 </li></ul><ul><ul><li>ODBC setup in web page source code exposed z/OS RACF account and password used for DB2 queries </li></ul></ul><ul><ul><li>Account found to have “system programmer” access on IBM Mainframe </li></ul></ul><ul><li>Attack Path 2 </li></ul><ul><ul><li>MS-SQL “sa” account and password in web source </li></ul></ul><ul><ul><li>SQL “XP_CMDSHELL” stored procedure gave remote “SYSTEM” access to Windows OS </li></ul></ul><ul><ul><li>Local SAM file exposed Domain Administrator account </li></ul></ul><ul><ul><li>SAM file on PDC had roughly 50,000 accounts </li></ul></ul><ul><ul><li>Certain users used same password on Windows as they did on very large High Performance Computing cluster </li></ul></ul>
  8. 8. Civilian Government Agency Lessons Learned: <ul><li>Passwords embedded in web applications are never a good thing </li></ul><ul><li>Web Application Vulnerability Assessments have become as important as Network Vulnerability Assessments </li></ul><ul><li>Database security is also critical and often left unchecked </li></ul>
  9. 9. Another Government Agency <ul><li>Large network of Solaris and Windows systems </li></ul><ul><li>All machines and applications patched </li></ul><ul><li>Many important UNIX services are TCP-wrapped </li></ul><ul><ul><li>NFS, NIS, etc. </li></ul></ul><ul><li>Customer had recently deployed new KVM switches in their racks </li></ul><ul><li>In addition to 3 rd party software, KVM Switch also had HTTPS based management interface with a default “Admin” account with no password </li></ul><ul><li>HTTPS-based access also provided JAVA-based remote console program </li></ul><ul><li>Open consoles found on Windows system (as Administrator) and Solaris system (as root) </li></ul><ul><li>NIS passwd-byname tables and Windows SAM and locally cached account hashes pulled </li></ul><ul><li>All systems compromised </li></ul>
  10. 10. Another Government Agency Lessons Learned: <ul><li>Every host on a network must undergo some level of security hardening before being allowed to connect to the production network </li></ul><ul><li>Every console should be forced to either screen-lock or auto-logout when not in use </li></ul>
  11. 11. Managed Service Provider <ul><li>Customer had limited Internet exposure, primarily HTTP traffic allowed to “Hosting” LAN (primarily only TCP 80 & 443) </li></ul><ul><li>Web server compromised with Apache “Chunked-code vulnerability” </li></ul><ul><li>Server had 3 interfaces (2 for normal access, 3 rd interface leading to NOC management-LAN for “out of band” SNMP) </li></ul><ul><li>System on NOC network compromised with common Windows vulnerability </li></ul><ul><li>NOC network had visibility into entire corporate network, as well as other hosted customers </li></ul>
  12. 12. Managed Service Provider Lessons Learned: <ul><li>It only takes one vulnerable service to give attackers a strong foothold into your network </li></ul><ul><li>Management networks or VLANs are often excellent points to bridge between networks without direct connectivity </li></ul><ul><li>Systems hosted by 3 rd parties are often compromised by attacks originating from less secure customers at the same hosting facility </li></ul>
  13. 13. Telecommunications <ul><li>Large US telephone company </li></ul><ul><li>Dial-ups found with unpassworded pcAnywhere </li></ul><ul><li>pcAnywhere system used primarily for access into security camera monitoring of unmanned facilities </li></ul><ul><li>Full access to internal network, including switching systems, billing, etc. </li></ul>
  14. 14. Telecommunications Lessons Learned: <ul><li>Modems can still be a major external threat! </li></ul><ul><li>Critical systems should be firewalled against general network access </li></ul>
  15. 15. Emergency Response <ul><li>Organization responsible for state-wide emergency medical services </li></ul><ul><li>Internet connectivity shared with major university </li></ul><ul><li>Organization tied to other state-run networks through dedicated lines </li></ul><ul><li>Firewall rules allowed certain hosts on University network & State Government networks into EMS network using insecure protocols (MS-SQL, SMB) </li></ul><ul><li>Common exploits led to massive compromise </li></ul>
  16. 16. Emergency Response Lessons Learned: <ul><li>All inbound partner connections should be examined as part of a vulnerability assessment </li></ul><ul><li>Firewall rules should likewise be examined to uncover any potential weak points for permitted communications </li></ul><ul><li>Your network is ultimately only as secure as the weakest host connected to you </li></ul>
  17. 17. Law Enforcement <ul><li>Compromised Windows Workstation through un-patched IIS Web server – obtained local SAM file with domain accounts </li></ul><ul><li>Compromised Windows PDC by escalating privileges with access gained from previous machine </li></ul><ul><li>Compromised Investigator’s workstation with Domain Admin rights </li></ul><ul><li>Workstation had VNC remote control software – password retrieved from Windows registry </li></ul><ul><li>Logged in using remote control GUI </li></ul><ul><li>Icon on desktop for MILES/NCIC </li></ul><ul><ul><li>Just a keystroke capture program away from access to the FBI </li></ul></ul>
  18. 18. Law Enforcement Lessons Learned: <ul><li>Users should not be allowed to install random applications on their workstations </li></ul><ul><ul><li>Especially those that facilitate remote control! </li></ul></ul><ul><li>Applications that utilize proprietary authentication are usually easily broken </li></ul><ul><li>Any system with multiple Network Connections can be used as a gateway to bridge secure networks to insecure networks </li></ul><ul><ul><li>The same holds true for VPNs, PPP connections, Wireless LAN access, etc. </li></ul></ul><ul><li>Even one of the most “secure” systems in the US can be compromised if accessed in an insecure fashion </li></ul>
  19. 19. Uncovering Attacks During Assessment <ul><li>Many assessments will reveal existing evidence of prior attack activity </li></ul><ul><li>Some attacks may be more serious than others </li></ul><ul><li>Most attack information found on Internet-based hosts are from random hacker groups running scripts </li></ul><ul><li>Attacks found on internal machines are usually much more serious </li></ul>
  20. 20. Real Incident – Local Government <ul><li>Internet assessment found that IIS server was vulnerable to attack </li></ul><ul><li>Several strange files found in the “SCRIPTS” directory </li></ul><ul><li>Files were backdoor CMD shells and host scanning scripts </li></ul><ul><li>Web log analysis showed that the host had been compromised by at least two separate groups: one in USA, one in Korea </li></ul><ul><li>Host was patched and files were removed </li></ul>
  21. 21. Real Incident – Service Provider <ul><li>Customer had servers hosted at Tier-1 internet provider </li></ul><ul><li>Poor password on MSSQL server led to compromise of machine </li></ul><ul><li>Customer noticed that the server was losing disk space </li></ul><ul><li>Hidden directories had over 30GB of movies and music </li></ul><ul><li>Netstat output showed that server was connecting to IRC server </li></ul><ul><li>Ethernet Sniffing revealed IRC channel and channel key being used </li></ul><ul><li>IRC Channel was being used by German software pirates </li></ul><ul><li>We joined the channel and surprised the pirate group. They apologized and told us we could keep copies of the movies. </li></ul>
  22. 22. Real Incident - Telephone Company <ul><li>Systems Administrator making threats about taking down Telephone switches </li></ul><ul><li>Multiple root-shell files found on critical UNIX servers throughout the enterprise </li></ul><ul><li>Backdoor access to switching systems found through X.29 PADs </li></ul><ul><li>Administrator’s contract was terminated </li></ul>
  23. 23. Real Incident – Web Services <ul><li>Systems administrator fired for sexual harassment </li></ul><ul><li>Windows machines began experiencing problems </li></ul><ul><li>False accounts discovered on Internet accessible machine </li></ul><ul><li>Trojan Horse discovered on internal workstations </li></ul><ul><li>Real motive was intellectual property theft, and administrator was arrested </li></ul>
  24. 24. Real Incident - Banking <ul><li>Vulnerability assessment conducted against bank network </li></ul><ul><li>Trojan Horse discovered on workstation </li></ul><ul><li>Workstation used primarily as database for all customer credit-card data </li></ul><ul><li>No data available to identify how Trojan Horse was delivered </li></ul><ul><li>All credit cards on server had to be re-issued </li></ul>
  25. 25. Common Assessment Problems <ul><li>Customer Perception </li></ul><ul><li>Misconfigured Hosts </li></ul><ul><li>Bad Programming </li></ul>
  26. 26. Problem – Customer Perception <ul><li>Customer knew that we had gained access to all UNIX systems </li></ul><ul><li>Administrator complained that TACACS server no longer worked, and thought our assessment caused the issue </li></ul><ul><li>Review of TACACS config file showed that it had been recently modified by the Administrator </li></ul><ul><li>We discovered that the Administrator had put in an additional # in file that caused the problem </li></ul><ul><li>Administrator was very embarrassed </li></ul>
  27. 27. Problem – Misconfigured Hosts <ul><li>Solaris file system became full and caused kernel panic </li></ul><ul><li>Problem occurred when the server was port scanned, starting somewhere above 30000 </li></ul><ul><li>/var/log/messages file showed that “Inetd” process was failing and writing hundreds of errors per minute to file, causing the disk usage </li></ul><ul><li>Analysis of /etc/inetd.conf file showed that a process (kcms_server) was allowed to spawn by inetd on port 32774 </li></ul><ul><li>Examination of files showed that the kcms_server program (and many other unused programs) had been erased by system integrator during original install </li></ul><ul><li>Addition of a single # in inetd before the program name corrected the problem </li></ul>
  28. 28. Problem – Bad Programming <ul><li>Port scans of a host indicated multiple unknown applications running on database server </li></ul><ul><li>When connecting to these services with netcat or telnet to obtain banner and protocol information, the service crashed </li></ul><ul><li>Analysis of the source code indicated that application programmers did not put in any error handling routines for TCP connections </li></ul><ul><li>Programmers were able to fix the issue very quickly </li></ul>
  29. 29. Final Thoughts <ul><li>Insecure Web Applications have become one of the biggest targets for attackers. </li></ul><ul><li>Modems (authorized and unauthorized) are still not receiving the attention they deserve as potential threats. </li></ul><ul><li>Patch & Configuration management are consistently neglected, or only applied to Core OS (not applications). </li></ul><ul><li>The concepts of Internal and External access have begun to blur: </li></ul><ul><ul><li>Partner connections </li></ul></ul><ul><ul><li>Inbound “Phishing” emails and Web Pages downloading malicious code that open up outbound “shell” access </li></ul></ul><ul><li>Poor passwords are the number one mechanism to gain host-level access. </li></ul>