Insecure IP Storage Networks
Presenter: Himanshu Dwivedi
Regional Technical Director, @stake, Inc.
BlackHat 2004

Agenda
► Insecure Network Attached Storage (NAS)
  - Introduction
  - NAS Protocols
  - NAS Attacks
  - Conclusion

Introduction
► Network Attached Storage (NAS)
  - Remote network storage supporting a local file system.
  - File systems are accessed over IP networks via NFS, CIFS, FTP, or HTTP
[Diagram: a CIFS client and an NFS client connected to a NAS device]
Exports/Shares on NAS device:
  CIFS Shares: C$, software
  NFS Exports: vol/vol1/HR, vol/vol2/Marketing
CIFS Client:
  c:\> net use D: \\nas\software "" /u:""
  C:\ <local files on local machine>
  D:\ <remote files on NAS device>
NFS Client:
  mount nas:/vol/vol2/Marketing /mktg
  /etc <local files on local machine>
  /mktg <remote files on NAS device>

Introduction
► Default NAS Appliances
  - Default installations of most systems are usually weak in terms of security...
    ...NAS storage appliances are no different
► Nothing new here
  - NAS storage appliances that support NFS and CIFS *also* support their weaknesses
► Assumptions of Storage Devices
  - NAS storage appliances don't fix the problems with NFS or CIFS, but rather inherit them

NAS Protocols
► NFS
  - Platform: Client/Server architecture for *nix systems
  - Purpose: Remote file sharing over IP networks
  - Weakness: Authentication, Authorization, Encryption
► CIFS
  - Platform: Client/Server architecture for Windows systems
  - Purpose: Remote file sharing over IP networks
  - Weakness: Authentication, Authorization, Encryption

NAS Attacks
► NAS: NFS and CIFS
  - Scanning
  - Enumeration
  - Anonymous Access
  - Subvert Permissions
  - Sniffing

NAS Scanning: NFS and CIFS
► NAS: Scanning
  - Scan the NAS Device
  - NFS and CIFS (SMB) ports are open
► NAS: Scanning
  - Information Gained:
    ► Listening Ports
    ► Data Services (NFS, CIFS, FTP, HTTP)
    ► Management Services (Telnet, SSH, HTTPS)

NAS Enumeration: NFS and CIFS
► NAS: Enumeration
  - Enumerate the NFS Mounts and CIFS Shares
    ► CIFS: c:\> winfo <ipaddress> -n
    ► NFS: # showmount -e <ipaddress>
  - Enumerate NAS usernames
    ► CIFS: c:\> enum -U <ipaddress>
► NAS: Enumeration
  - Information Gained:
    ► NAS Exports (e.g. /dev/dsk/server2fs3)
    ► NAS Access (e.g. All Machines)
    ► NAS Shares (C$, ETC$)
    ► NAS usernames (e.g. administrator, root, etc.)

NAS Anonymous Access: NFS
► NAS: Anonymous Access
  - Connect to an NFS export with anonymous privileges
    ► NFS: mount -o anon IP:volume drive:

NAS Anonymous Access: CIFS
► NAS: Anonymous Access
  - Connect to a CIFS share with anonymous privileges
    ► CIFS: c:\> net use * \\<ipaddress>\share "" /user:""

NAS Anonymous Access: NFS
► NAS: Anonymous Access
  - Mount the admin NFS export (vol0)
    ► NFS: mount -o anon IP:volume drive:

NAS Anonymous Access
► NAS: Anonymous Access
  - Access Gained:
    ► Anonymous access to NFS Exports
      - Data Volumes
      - Management Volumes
    ► Anonymous access to CIFS shares
      - Data Volumes

NAS Demo
► NAS Demo
  - Scanning
    ► Scan a NAS Storage Device
  - Enumeration
    ► Enumerate Accounts, Shares, and Mounts
  - Anonymous Information
    ► Gain anonymous access inside shares and mounts

NAS Subvert Permissions
► NAS: Subvert Permissions
  - Subvert CIFS or NFS file permissions with NFS weaknesses
    ► Data:
      - Subvert permissions to access data files and folders

NAS Subvert Permissions: NFS
► NAS: UID/GID (Data)
  - Subvert CIFS file permissions with NFS weaknesses
► Example
  - A large hospital uses multiple NAS filers for storage
  - Medical records for patients are stored on the NAS filer
    ► By default, the filer supports both CIFS (Windows) and NFS (Unix)
  - The IT department has placed file permissions on all patient folders, restricting access to authorized users only
    ► User named 'himanshu' should have full access
    ► User named 'hdwivedi' should have no access

NAS Subvert Permissions: NFS
[Diagram: users hdwivedi and himanshu and a FILER holding the folders Internal Medicine, Patient Information, Pharmacology, Genetic Research, IT Support]

NAS Subvert Permissions: NFS
► The IT department grants access to the "Patient Information" folder to the 'himanshu' account
► A second user, named 'hdwivedi', attempts to access the "Patient Information" folder under CIFS
► Since the filer supports both NFS and CIFS, any user can also access the filer using NFS
► The second user (hdwivedi) attempts to access "Patient Information" under NFS and is denied again
► By typing "ls -al", notice the Patient Information folder is restricted to the owner of that folder, who is the user 'himanshu', with a Unix UID of 6161 and GID of 30
► User 'hdwivedi' SUs (switch user) to root on their local machine, changing their UID to 0 and GID to 0 (god rights), and is still denied access to the folder
► User 'hdwivedi' edits their local /etc/passwd file and changes their UID to 6161 and GID to 30
► User 'hdwivedi' now attempts to access the folder called "Patient Information" and is now granted access!
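
Added example (not from the original slides): a small Python model of the server-side permission check under NFS AUTH_SYS, replaying the walkthrough above and showing why local root was denied while the claimed UID 6161 was accepted. The folder mode 0700, hdwivedi's own UID/GID (5000/100), root squashing to 65534, and the Kerberos comparison are assumptions made for illustration.

```python
from dataclasses import dataclass

NOBODY = 65534  # assumed anonymous ID that squashed root is mapped to

@dataclass(frozen=True)
class Cred:
    uid: int
    gid: int

@dataclass(frozen=True)
class Folder:
    owner: Cred
    mode: int

def effective_cred(claimed, flavor="sys", authenticated=None, root_squash=True):
    """Identity the server acts on: 'sys' trusts claimed IDs, 'krb5' the authenticated ones."""
    cred = claimed if flavor == "sys" else authenticated
    if root_squash and cred.uid == 0:
        return Cred(NOBODY, NOBODY)  # client-side root becomes the anonymous user
    return cred

def may_list(folder, cred):
    """Owner/group/other check for read+search (r-x) on a directory."""
    if cred.uid == 0:
        return True  # unsquashed root bypasses mode bits
    if cred.uid == folder.owner.uid:
        shift = 6
    elif cred.gid == folder.owner.gid:
        shift = 3
    else:
        shift = 0
    return ((folder.mode >> shift) & 0o5) == 0o5

PATIENT_INFO = Folder(owner=Cred(6161, 30), mode=0o700)  # UID/GID from the slides; mode assumed
HDWIVEDI = Cred(5000, 100)                               # constructed real IDs for hdwivedi

def replay_slides():
    f = PATIENT_INFO
    return {
        "own_ids": may_list(f, effective_cred(HDWIVEDI)),
        "local_root": may_list(f, effective_cred(Cred(0, 0))),
        "claimed_6161": may_list(f, effective_cred(Cred(6161, 30))),
        "claimed_6161_krb5": may_list(f, effective_cred(Cred(6161, 30), "krb5", HDWIVEDI)),
    }

if __name__ == "__main__":
    for step, allowed in replay_slides().items():
        print(f"{step:18} -> {'granted' if allowed else 'denied'}")
```

With a Kerberos security flavor the server derives the identity from the authenticated principal, so the UID written into the request no longer decides access.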

NAS Subvert Permissions: NFS
► NAS Demo
  - Subvert Permission
    ► Subvert CIFS permissions with NFS weaknesses
      - Demo 1: Setting CIFS permissions
      - Demo 2: Subvert CIFS permissions via NFS

NAS Sniffing
► NAS: Sniffing
  - CIFS
    ► NTLM (downgrade attack)
    ► Kerberos Tickets
  - Management
    ► RSH, Telnet
  - NFS
    ► Clear-text mounting

NAS Sniffing: CIFS
► NAS: Sniffing
  - Downgrade to NTLMv1

NAS Sniffing: CIFS
► NAS: Sniffing
  - Kerberos Tickets

NAS Sniffing: NFS
► NAS: Sniffing
  - Clear-text of RSH

Conclusion
► Security should not overlook NAS Devices
► Supporting CIFS and NFS also means supporting their security issues
► Secure storage devices
  - Disable clear-text management
    ► Telnet, RSH, HTTP
  - Disable anonymous enumeration
    ► Disable share enumeration under CIFS
    ► Use aliases for NFS export clients in /etc/hosts
  - Require strong authentication by CIFS and NFS clients
  - Enable in-line and/or at-rest encryption
    ► Many NAS devices support IPSec
    ► 3rd party encryption devices can encrypt data at rest
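
Added example (not from the original slides): a Python check that reads an NFS exports file and flags the weaknesses this talk relies on (exports open to all machines, client root kept as UID 0, client-supplied UID/GID trusted). It assumes Linux exports(5) syntax; the sample file, host names and finding strings are constructed, and NAS appliances may use a different exports format.

```python
import re

# Constructed sample in Linux exports(5) syntax (assumed; appliance syntax varies).
SAMPLE_EXPORTS = """\
/vol/vol0            *(rw,no_root_squash)
/vol/vol1/HR         hr-ws1(rw,sec=krb5p) hr-ws2(rw,sec=krb5p)
/vol/vol2/Marketing  mktg-ws1(rw,insecure)   # constructed host alias
/vol/vol3/scratch    (ro)
"""

SPEC_RE = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")  # client(opt,opt,...)

def audit_exports(text):
    """Return sorted (path, client, finding) tuples for weak export entries."""
    findings = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        path, specs = fields[0], fields[1:] or [""]
        for spec in specs:
            m = SPEC_RE.match(spec)
            if not m:
                findings.add((path, spec, "unparsable client spec"))
                continue
            client = m.group(1) or "*"  # an empty client means every host
            opts = {o.strip() for o in (m.group(2) or "").split(",") if o.strip()}
            # sec= may list several flavors; the default flavor is sys
            sec = next((o[4:].split(":") for o in opts if o.startswith("sec=")), ["sys"])
            if client == "*":
                findings.add((path, client, "exported to all machines"))
            if "no_root_squash" in opts:
                findings.add((path, client, "client root keeps UID 0"))
            if "insecure" in opts:
                findings.add((path, client, "unprivileged source ports accepted"))
            if "sys" in sec or "none" in sec:
                findings.add((path, client, "client-supplied UID/GID trusted"))
    return sorted(findings)

if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:22} {client:10} {finding}")
```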

Questions
Himanshu Dwivedi
► hdwivedi@stake.com

Security Books Authored by presenter:
► Storage Security Handbook
  - (http://www.neoscale.com/English/Downloads/Storage_Security_Handbook/SSH_ToC.html)
► Implementing SSH (Wiley Publishing)
► The Complete Storage Reference, Chapter 25 (McGraw-Hill)

Storage Security Whitepaper co-authored by presenter:
► www.@stake.com/research/reports/index.html

Special Thanks:
► Andy, Joel, Kusum, Sudhanshu, and Neeraja

References
  - Nmap
    ► Written by Fyodor (www.insecure.org/nmap)
  - Winfo
    ► Written by Arne Vidstrom (www.ntsecurity.nu)
  - Enum
    ► Written by Jordan Ritter (www.bindview.com/razor/utilities)
  - LC5
    ► Produced by @stake R&D (www.@stake.com)
  - Kerbsniff/Kerbcrack
    ► Written by Arne Vidstrom (www.ntsecurity.nu)
  - Ethereal
    ► Produced by Ethereal (www.ethereal.com)