When the tables turn


Presentation by Roelof Temmingh, Haroon Meer and Charl van der Walt at BlackHat USA in 2004.

This presentation is about improving network security to turn the tables on would be attackers. Various tools and techniques to achieve this are discussed.


  1. Agenda
     – Thinking about the concept
     – Introduction
     – Types of defensive technology
     – Raising the bar
     – Typical assessment methodology
     – Attacks
     – Examples
     – Conclusion
  2. Thinking about the concept
     We’re from South Africa:
     – Robbery on Atterbury Road in Pretoria
     – Electric fencing around my house
     From the insect world:
     – Acid bugs – “I don’t taste nice”
     – Electric eel
     Spy vs. spy:
     – Disinformation
  3. Introduction
     Current trends in the “assessment” space:
     – Technology is getting smarter
     – People are getting lazy
     – A good “hacker” used to be technically clever
     – There is a tool/scanner for every level of attack
     Perceptions:
     – Administrators are dumb, “hackers” are clever
     – Skill = size of your toolbox
     In many cases the mechanic’s car is always broken.
  4. Types of defensive technology
     Robbery analogy:
     – Firewalls: armour-plated windows
     – IDS: police
     – IPS: driving away
     – Back hack: carry a gun in the car
     Fence analogy:
     – Firewalls: walls
     – IDS: police
     – IPS: armed response
     – Back hack: trigger-happy wife…
  5. Raising the bar
     Raising the “cost” of an “assessment”:
     – Attacking the technology, not the people
     – Attacking automation: “let’s move to the next target”
     Used to be: “Are you sure it’s not a honey pot?”
     Now:
     – Is YOUR network safe?
     – Are YOUR tools safe from attack?
     – Do YOU have all the service packs installed?
     – Do you measure yourself as you measure your targets?
  6. Typical assessment methodology
     • Footprinting
     • Vitality
     • Network level visibility
     • Vulnerability discovery
     • Vulnerability exploitation
     • Web application assessment
  7. Attacks
     Types:
     – Avoiding/stopping individual attacks
     – Creating noise/confusion
     – Stopping/killing the tool
     – Killing the attacker’s host/network
     Levels:
     – Network level
     – Network application level
     – Application level
  8. Attacks
     Attack vectors: all information coming back to the attacker is under OUR control:
     – Packets (and all their features)
     – Banners
     – Forward & reverse DNS entries
     – Error codes, messages
     – Web pages
     That information is:
     – Used in the tool/scanner itself
     – Used in rendering of data, databases
     – Used in secondary scanners, reporters
  9. Examples – Footprinting
     Avoiding: DNS obfuscation
     Noise: “Eat my zone!”
     Stopping: endless loop of forward entries
     Killing: eeeevil named… reverse entries
  10. Examples – Footprinting
      Tools: very basic – host, nslookup, dig
      Domains: not a lot we can do there…
      DNS entries: forward, reverse, axfr, ns
      SensePost has some interesting footprinting tools…
  11. Examples
  12. Examples – Network level
      Avoiding: firewall
      Noise: honeyd & transparent reverse proxies
      – Random IPs alive
      – Random ports open
      – Traceroute interception/misdirection
      – Fake network broadcast addresses
      Stopping: ?
      Killing: nmap with banner display??
  13. Examples – Network level
      Tools:
      – Ping sweeps / vitality checkers
      – Port scanners: nmap, paketto/pulse, superscan, visualroute, some custom scripts, etc. etc.
  15. Examples
  16. Examples – Network application level
      Avoiding: patches, patches
      Noise:
      – Fake banners
      – Combined banners
      – NASL (reverse) interpreter
      Stopping:
      – Tar pits
      Killing:
      – Buffer overflows
      – Rendering of data – malicious code in HTML
      – Where data is inserted into databases
      – Scanners that use other scanners (e.g. using nessus, nmap)
  17. Examples – Network application level
      Tools:
      – Shareware: Nessus, amap, httprint, SARA & friends?
      – Commercial: ISS, Retina, Typhon, Foundscan, Qualys, Cisco
  18. Examples – Application level & (web server assessment)
      Avoiding: application level firewall
      Noise:
      – On IPs not in use:
        • Random 404, 500, 302, 200 responses
        • Not enough to latch a “friendly 404”, or intercept 404 checking
      – Within the application:
        • Bogus forms, fields
        • Pages with “ODBC ….”
      Stopping: spider traps, Flash, human detectors
      Killing:
      – “You are an idiot!”
      – Bait files… Admintool.exe and friends in /files, /admin etc.
  19. Examples – Application level
      Tools:
      – Shareware: Nikto, Nessus, Whisker?, WebScarab, Exodus, Pharos, Spike, Httrack, Teleport Pro
      – Commercial: Sanctum AppScan, Cenzic Hailstorm, Kavado ScanDo, SPI Dynamics WebInspect, @stake webproxy
  20. Examples – Armpit1 (flowchart)
      Incoming connection
      → Valid cookie?
        – yes: relay connection
        – no: Valid request string?
          – yes: send valid cookie and redirect → back to client
          – no: build and send Flash → back to client
  21. Examples
  22. Examples – Armpit2, with IPS (flowchart)
      Incoming connection
      → Valid cookie?
        – yes: Evil request?
          – yes: cookie goes into the bad cookie jar, source goes onto the blacklist, close connection
          – no: relay connection
        – no: Valid request string?
          – yes: send valid cookie and redirect → back to client
          – no: build and send Flash → back to client
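The Armpit decision flow of slides 20 and 22, together with the bait files and human detector of slide 18, worked through as an added Python example that is not the SensePost tool's own code. The cookie and the challenge answer are HMACs bound to the client address, and the Flash step is reduced to a challenge path that only a client executing the page will request; `SECRET`, the bait paths and the evil-request test are assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional, Tuple

SECRET = b"constructed-demo-secret"   # assumption: per-deployment key, not from the deck
# Bait paths modelled on slide 18 ("Admintool.exe and friends in /files, /admin"); constructed
BAIT = ("/admin/admintool.exe", "/files/admintool.exe")


def _tag(kind: str, client_ip: str) -> str:
    """HMAC binding a cookie or challenge answer to the client address (assumption)."""
    return hmac.new(SECRET, f"{kind}:{client_ip}".encode(), hashlib.sha256).hexdigest()[:32]


@dataclass
class State:
    blacklist: set = field(default_factory=set)        # addresses handed to the IPS
    bad_cookie_jar: set = field(default_factory=set)   # cookies seen on evil requests


def is_evil(path: str) -> bool:
    """Constructed 'Evil request?' test: bait files or obvious traversal/null-byte tricks."""
    p = path.lower()
    return p in BAIT or ".." in p or "%00" in p


def armpit(client_ip: str, path: str, cookie: Optional[str], state: State) -> Tuple[str, str]:
    """One request through the Armpit2 decision flow; returns (action, detail)."""
    if client_ip in state.blacklist:
        return ("close", "blacklisted")
    # Valid cookie: the client has already proven it executes the challenge
    if cookie and cookie == _tag("cookie", client_ip) and cookie not in state.bad_cookie_jar:
        if is_evil(path):
            state.bad_cookie_jar.add(cookie)
            state.blacklist.add(client_ip)
            return ("close", "evil request")
        return ("relay", path)          # hand the request to the real server
    challenge = "/__armpit/" + _tag("challenge", client_ip)
    if path == challenge:
        # Valid request string: issue the cookie and redirect to the original site
        return ("set-cookie-and-redirect", _tag("cookie", client_ip))
    # No cookie, no answer: send the challenge instead of content (Flash in the original)
    return ("challenge", challenge)
```

A scanner that never fetches the challenge path only ever sees the challenge page, so the real application stays invisible to it; a browser that completes the round trip is relayed until it asks for bait.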
  23. Combining with IPS
  24. Conclusion
      • These techniques do not make your network safer?
      • IPS is getting smarter – the closer to the application level they go, the more accurate they become.
      • IPS can easily switch on “armpits”
      • It’s a whole new ballgame…