The document describes a "candy shell" security assessment performed by CandyShell Security on an example infrastructure. It identifies numerous common security problems found in the target infrastructure such as privileged accounts, weak passwords, lack of logging and monitoring. It then details how an attacker could potentially compromise various systems by exploiting these issues and gain escalating levels of access. Finally, it discusses some high-level solutions that could help strengthen security.

1. CandyShell Security
The mess it makes

2. • Aaron Bishop
• CISSP
•
• Sys Admin - 2 years
• Developer - 2 years
• Pen Tester - 2 years
• Michael Monsivais
• CISSP
•
• Sys Admin - 2 years
• Pen Tester - 4 years

3. Purpose

4. Purpose
• Candy Security - “A term coined by Bellovin and Cheswick of Bell
Labs to describe a security scenario where the outer perimeter,
such as firewall, is strong, but the infrastructure behind it is weak.
The term refers to M&M candy, which has a hard outer shell and
soft center. ” - Kevin Mitnick, The Art of Deception pg.77

5. Purpose
• Candy Security - “A term coined by Bellovin and Cheswick of Bell
Labs to describe a security scenario where the outer perimeter,
such as firewall, is strong, but the infrastructure behind it is weak.
The term refers to M&M candy, which has a hard outer shell and
soft center. ” - Kevin Mitnick, The Art of Deception pg.77
• Examine the “gooey” center of an example infrastructure

6. Purpose
• Candy Security - “A term coined by Bellovin and Cheswick of Bell
Labs to describe a security scenario where the outer perimeter,
such as firewall, is strong, but the infrastructure behind it is weak.
The term refers to M&M candy, which has a hard outer shell and
soft center. ” - Kevin Mitnick, The Art of Deception pg.77
• Examine the “gooey” center of an example infrastructure
• Provide Sys Admins an attackers point of view

7. Purpose
• Candy Security - “A term coined by Bellovin and Cheswick of Bell
Labs to describe a security scenario where the outer perimeter,
such as firewall, is strong, but the infrastructure behind it is weak.
The term refers to M&M candy, which has a hard outer shell and
soft center. ” - Kevin Mitnick, The Art of Deception pg.77
• Examine the “gooey” center of an example infrastructure
• Provide Sys Admins an attackers point of view
• Increase emphasis on security

8. Common Problems
• Services running as privileged user
• Services pointed to home directories
• Data not segregated by role
• Incorrect file permissions
• Incorrect script/executable permissions
• Root login enabled
• Password-less SSH keys
• Password-less Sudo
• Privileged accounts logged in
• Password reuse
• Passwords stored in files
• Public git repositories
• Mystery services
• Mystery servers
• Magic
• Multipurpose servers
• One off solutions/ quick fixes (No change control)
• Lack of Documentation
• Lack of/Ignored Logging & Monitoring
• Lack of/Misconfigured IDS/IPS

9. Common Problems
• Services running as privileged user
• Services pointed to home directories
• Data not segregated by role
• Incorrect file permissions
• Incorrect script/executable permissions
• Root login enabled
• Password-less SSH keys
• Password-less Sudo
• Privileged accounts logged in
• Password reuse
• Passwords stored in files
• Public git repositories
• Mystery services
• Mystery servers
• Magic
• Multipurpose servers
• One off solutions/ quick fixes (No change control)
• Lack of Documentation
• Lack of/Ignored Logging & Monitoring
• Lack of/Misconfigured IDS/IPS

10. The Target

11. The Target
DMZ
Emp VLAN Admin VLANAdmin VLAN

12. The “Attack”
DMZ
Emp VLAN

13. FSLog Wiki TM APPLEWeb
The “Attack”
DMZ
Emp VLAN

14. Log
The “Attack”
FSWiki TM APPLEWeb

15. Log
The “Attack”
• IPMI service
FSWiki TM APPLEWeb

16. Log
The “Attack”
• IPMI service
• Root was logged in
FSWiki TM APPLEWeb

17. Log
The “Attack”
• IPMI service
• Root was logged in
• SSH Session Hijacking
FSWiki TM APPLEWeb

18. Log
The “Attack”
• IPMI service
• Root was logged in
• SSH Session Hijacking
FSWiki TM APPLEWeb

19. The “Attack”
Log FSWiki TM APPLEWeb

20. The “Attack”
• Open Account Creation
Log FSWiki TM APPLEWeb

21. The “Attack”
• Open Account Creation
• No ACL’s
Log FSWiki TM APPLEWeb

22. The “Attack”
• Open Account Creation
• No ACL’s
• Server Documentation available
Log TM APPLEWebWiki FS

23. Wiki
The “Attack”
Log TM APPLEWebFS

24. Wiki
The “Attack”
• Share mounted by web server
Log TM APPLEWebFS

25. WebWiki
The “Attack”
• Share mounted by web server
• Uploaded a PHP shell to Fileserver
Log TM APPLEFS

26. The “Attack”
WebWikiLog TM APPLEFS

27. The “Attack”
• Apache password Hashes
WebWikiLog TM APPLEFS

28. The “Attack”
• Apache password Hashes
• SQL Dump Ticketing System
WebWikiLog TM APPLEFS

29. The “Attack”
• Apache password Hashes
• SQL Dump Ticketing System
WebWikiLog FS TM APPLE

30. APPLETM
The “Attack”
WebWikiLog FS

31. APPLETM
The “Attack”
• Incorrect Permissions
WebWikiLog FS

32. APPLETM
The “Attack”
• Incorrect Permissions
• Unprotected SSH Keys
WebWikiLog FS

33. APPLETM
The “Attack”
• Incorrect Permissions
• Unprotected SSH Keys DMZ
WebWikiLog FS

34. APPLETM
The “Attack”
• Incorrect Permissions
• Unprotected SSH Keys
• Password-less sudo
DMZ
WebWikiLog FS

35. APPLETM
The “Attack”
• Incorrect Permissions
• Unprotected SSH Keys
• Password-less sudo
DMZ
WebWikiLog FS

36. APPLETM
The “Attack”
• Incorrect Permissions
• Unprotected SSH Keys
• Password-less sudo
DMZ
WebWikiLog FS

37. The “Attack”
APPLETMWebWikiLog FS

38. The “Attack”
• Download 802.1x config
APPLETMWebWikiLog FS

39. The “Attack”
• Download 802.1x config
Admin VLAN
APPLETMWebWikiLog FS

40. The “Attack”
• Download 802.1x config
Admin VLAN
APPLETMWebWikiLog FS

41. Admin VLAN
The “Attack”
DMZ
Emp VLAN

42. Admin VLAN
The “Attack”
DMZ
Emp VLAN Admin VLAN

43. The “Attack”
Admin VLAN

44. PM
The “Attack”
SSHSSH
Admin VLAN
SSH

45. PM
The “Attack”
SSHSSH SSH

46. PM
The “Attack”
SSHSSH SSH
• Username and Password Reuse

47. PM
The “Attack”
SSHSSH SSH
• Username and Password Reuse
• Active Session

48. PM
The “Attack”
SSHSSH SSH
• Username and Password Reuse
• Active Session
• Unprotected SSH key

49. Admin VLAN
PM
The “Attack”
SSHSSH SSH
• Username and Password Reuse
• Active Session
• Unprotected SSH key
• Root SSH

50. PM
The “Attack”
SSHSSH SSH
• Username and Password Reuse
• Active Session
• Unprotected SSH key
• Root SSH

51. Admin VLAN
The “Attack”
DMZ
Emp VLAN Admin VLAN

52. Admin VLAN
The “Attack”
DMZ
Emp VLAN Admin VLAN
VOIP
Development
Datacenter

53. Self assessment
• What would change? What did change?
• Who should have access (rwx)? What is the lowest
privilege that could access (rwx)?
• Is it the easy answer or the right answer (is it kindling
for a future fire)?
• Has it been documented and tested?
• Has it been peer reviewed? Is it sane?

54. The “Solution”
SSHSSH SSHPM
• Username and Password Reuse
• Active Session
• Unprotected SSH key
• Root SSH

55. The “Solution”
SSHSSH SSHPM
• Username and Password Reuse
• Active Session
• Unprotected SSH key
• Root SSH

56. The “Solution”
SSHSSH SSHPM
• Username and Password Reuse
• Active Session
• Unprotected SSH key
• Root SSH

57. The “Solution”
• Download 802.1x config
Admin VLAN
APPLETMWebWikiLog FS APPLE

58. The “Solution”
• Download 802.1x config
Admin VLAN
APPLETMWebWikiLog FS APPLE

59. The “Solution”
• Download 802.1x config
Admin VLAN
TMWebWikiLog FS APPLE

60. Admin VLAN
The “Solution”
DMZ
Emp VLAN Admin VLAN
VOIP
Development
Datacenter

61. Admin VLAN
The “Solution”
DMZ
Emp VLAN Admin VLAN
VOIP
Development
Datacenter

62. The “Solution”
• Incorrect Permissions
• Unprotected SSH Keys
• Password-less sudo DMZ
APPLETMWebWikiLog FS

63. The “Solution”
• Incorrect Permissions
• Unprotected SSH Keys
• Password-less sudo DMZ
APPLETMWebWikiLog FS

64. The “Solution”
• Incorrect Permissions
• Unprotected SSH Keys
• Password-less sudo DMZ
APPLETMWebWikiLog FS

65. The “Solution”
• Incorrect Permissions
• Unprotected SSH Keys
• Password-less sudo DMZ
APPLETMWebWikiLog FS

66. Admin VLAN
The “Solution”
DMZ
Emp VLAN Admin VLAN
VOIP
Development
Datacenter

67. Admin VLAN
The “Solution”
DMZ
Emp VLAN Admin VLAN
VOIP
Development
Datacenter

68. The “Solution”
• Apache password Hashes
• SQL Dump Ticketing System
APPLETMWebWikiLog FS

69. The “Solution”
• Apache password Hashes
• SQL Dump Ticketing System
APPLETMWebWikiLog FS

70. The “Solution”
• Apache password Hashes
• SQL Dump Ticketing System
APPLETMWebWikiLog FS

71. The “Solution”
• Share mounted by web server
• Uploaded a PHP shell to Fileserver
APPLETMWebWikiLog FS

72. The “Solution”
• Share mounted by web server
• Uploaded a PHP shell to Fileserver
APPLETMWebWikiLog FS

73. The “Solution”
• Share mounted by web server
• Uploaded a PHP shell to Fileserver
APPLETMWebWikiLog FS

74. The “Solution”
• Open Account Creation
• No ACL’s
• Server Documentation available
APPLETMWebWikiLog FSWiki

75. The “Solution”
• Open Account Creation
• No ACL’s
• Server Documentation available
APPLETMWebWikiLog FSWiki

76. The “Solution”
• Open Account Creation
• No ACL’s
• Server Documentation available
APPLETMWebLog FSWiki

77. The “Solution”
• IPMI service
• Root was logged in
• SSH Session Hijacking
APPLETMWebWikiLog FSWikiLog

78. The “Solution”
• IPMI service
• Root was logged in
• SSH Session Hijacking
APPLETMWebWikiLog FSWikiLog

79. The “Solution”
• IPMI service
• Root was logged in
• SSH Session Hijacking
APPLETMWebFSWikiLog

80. The “Solution”
DMZ
Emp VLAN Admin VLANAdmin VLAN

81. The “Solution”
DMZ
Emp VLAN Admin VLANAdmin VLAN

82. aaron@securitymetrics.com
mike@securitymetrics.com