Guevara Noubir, Northeastern University · 2016-05-12
Lesson Outcomes: you need to be able to
• Describe and discuss the various security threats to computer networks: recon & info gathering, probes & scans, network vulnerabilities, application/OS vulnerabilities
• Describe well-known and commonly used techniques for each of the threats
• Describe and discuss defenses
• Practice the tools within laboratory assignments
G. Noubir Tools 22
Reading
• Too many books, forums, websites!
• Counter Hack Reloaded, Ed Skoudis, 2006, Prentice-Hall
  • Old, but the approach & principles remain the same
  • Many of the techniques or variants still work against many systems, especially older technologies recently bridged to the Internet
Discussion Points
• Threats: Basic Network Recon and Info Gathering
• Threats: More Intrusive Probes and Scans
• Threats: Network Vulnerabilities
– Network Architecture Vulnerabilities
– Denial of Service (DoS)
• Threats: Application/OS Vulnerabilities
– Remote to Local (R2L) Attacks
– User to Root (U2R) aka Privilege Escalation
– Attacker Access Maintenance (rootkits, etc.)
• Defenses Reviewed
– Firewalls, Intrusion Detection, etc.
Threats to Communication Networks
• Security was an add-on to many network protocols
• Wired and wireless networks still have major vulnerabilities
– Motivation evolved from pursuit of fame to financial and political
– BGP hijacking (e.g., 2005 Google hijacking by Cogent, 2008 YouTube hijacking to Pakistan, 2008 US universities to Indonesia, 2010 China Telecom, 2014: 22 x 30 seconds x 19 ISPs to steal Bitcoins)
– Viruses, worms and bots are more stealthy today
• 2008-2015: Conficker infected 2-15 million Windows servers
• Stuxnet, Flame targeted worms; Red October
– Malware led to an underground economy: "MPack is sold as commercial software (costing $500 to $1,000 US), and is provided by its developers with technical support and regular updates of the software vulnerabilities it exploits."
– Ransomware (CryptoLocker) innovates using Bitcoin and Tor hidden services
– Embedded systems: access points, Target point of sale, cars
Recon & Info Gathering
• Social Engineering: "the weakest link"
– Physical or automated (e.g., phishing)
– Defenses: user awareness
http://www.darkreading.com/security/news/208803583/banking-on-security.html
• Physical Security
– Physical access, theft, dumpster diving
– Defenses: locks, policies (access, screensavers, etc.), encrypted file systems, paper shredders
http://gizmodo.com/5056749/mi6-camera-with-secret-images-bought-on-ebay-for-30
• Web Searching and Online Recon
– Check company website, get contact names, look for comments in HTML, etc.
– Use search engines: Google!, forums to discover technologies in use, employee names, etc.
– Defenses: "Security Through Obscurity", policies
Recon & Info Gathering
• Physical security and policies are still a major concern
Recon & Info Gathering
• whois database via Internic (.com, .net, .org)
– Publicly-available starting place for determining contacts, name servers, etc.
– Query listed registrar for detailed whois entries including contacts, postal address, name servers, emails (and formats of email)
– E.g., use Internic, Network Solutions
– Also: use ARIN to find IP blocks for organizations! How about mobile?
http://www.arin.net/index.shtml
– whois tool under UNIX
• whois info is necessary but should be limited to the required minimum
Recon & Info Gathering
• DNS Interrogation
– Tools: nslookup, dig, host, axfr
– Using the name server, do a zone transfer (type=any) to list all public hosts in a domain and more (ls -d x.com.)
– Defenses: don't leak unnecessary info
• Don't use HINFO, TXT records at all; limit host names
• Restrict zone transfers! Limit to only some local machines and/or secondary DNS servers that need it (allow-transfer directive in BIND)
• Configure firewall to block TCP 53 except to these hosts (UDP used for lookups, TCP for zone transfers)
• Transaction Signatures (TSIG security) for trusted hosts
• Split DNS to discriminate between internal and external hosts
– External nodes only need to be able to resolve a subset of names
Intrusive Scans and Probes
• From Insecure Modems to Insecure Access Points
– Past: war dialers (ToneLoc, THC-Scan), demon dialers, rogue RAS
– Today: war driving - rogue and insecure wireless access points [detect RF signal 2 km away using high-gain antennas; NetStumbler, Wellenreiter, Kismet, ESSID-Jack tools]
• Scan of Internet Uncovers Thousands of Vulnerable Embedded Devices
• https://www.infosecisland.com/articleview/1567-Scan-of-Internet-Uncovers-Thousands-of-Vulnerable-Embedded-Devices.html
– Defenses: conduct periodic sweeps/checks, create policies, crypto WPA2/802.1x, VPN, explicitly prohibiting behavior (WEP, TKIP are broken)
• Determine if a Networked Host is Alive
– ICMP (ping, Echo Request/Reply) sweeps
– TCP/UDP packet sweeps ("TCP ping")
– Defenses: configure firewalls, border routers to limit ICMP, UDP traffic to specific systems. Monitor with IDS
– Problems with these proposed defenses?
Wireless Spreading of Infections
• Wi-Fi Protected Setup (WPS) Flaw
Vulnerability Assessment: a Wardriving Experiment
• WPS + WEP APs give a wirelessly connected graph!
Intrusive Scans & Probes
• Port Scanning using nmap: TCP Connect, TCP SYN scans
– TCP ACK, UDP scanning
– TCP FIN, Xmas Tree, Null scans (protocol violations)
– Some sneakier than others
• Ex: TCP SYN doesn't complete the handshake, so the connect isn't logged by many apps (if open we get a SYN-ACK response; if closed we get a RESET or ICMP unreachable or no response)
• Ex: ACK scan can trick some packet filters. If we get a RESET, the packet got through the filtering device == "unfiltered". If no response or ICMP unreachable, port is possibly "filtered"
• Set source port so it looks more "normal", e.g. TCP port 20
• Use decoys to confuse, idle scanning, timing options, basic fragmentation
Intrusive Scans & Probes
• Nmap (continued)
– Combinations of these scans allow nmap to also perform active OS fingerprinting/identification
• Based on a database of OS characteristics
• Also measures ISN predictability (IP spoof attacks)
– Defenses: tweak logging and monitoring
• Firewalls/routers should log things like this (e.g. SYN scans) and IDS should note patterns of behavior
• Use of stateful firewalls for packet filtering?
• Scan your own systems before attackers do
• Close ports and remove unnecessary applications: netstat -nao
• All-Purpose Vulnerability Scanners
– Automate the process of connecting and checking for current vulnerabilities, e.g., OpenVAS, Nessus
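The "IDS should note patterns of behavior" defense above, made concrete as an added example (not part of the deck): a sliding-window detector run over constructed firewall log lines. The log format (`<epoch> SYN src=... dst=... dport=...`) is an assumption for the demo; a SYN scan shows up as one source touching many distinct ports within a few seconds, which a per-connection rule never sees.

```python
import re
from collections import defaultdict, deque

# Constructed firewall log lines (not real log output); the format is assumed.
# 203.0.113.9 walks ports 21,22,23,25,80,110 within four seconds, while
# 198.51.100.4 just retries port 443.
SAMPLE_LOG = """\
1463047201 SYN src=203.0.113.9 dst=192.0.2.10 dport=21
1463047201 SYN src=203.0.113.9 dst=192.0.2.10 dport=22
1463047202 SYN src=203.0.113.9 dst=192.0.2.10 dport=23
1463047202 SYN src=198.51.100.4 dst=192.0.2.10 dport=443
1463047203 SYN src=203.0.113.9 dst=192.0.2.10 dport=25
1463047203 SYN src=203.0.113.9 dst=192.0.2.10 dport=80
1463047204 SYN src=203.0.113.9 dst=192.0.2.10 dport=110
1463047210 SYN src=198.51.100.4 dst=192.0.2.10 dport=443
1463047260 SYN src=203.0.113.9 dst=192.0.2.10 dport=143
"""

LINE_RE = re.compile(r"^(\d+) SYN src=(\S+) dst=(\S+) dport=(\d+)$")


def parse(log):
    """Yield (timestamp, src, dst, dport) for every well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m[1]), m[2], m[3], int(m[4])


def detect_syn_scans(log, window=10, threshold=5):
    """Flag a source the first time it has sent SYNs to at least `threshold`
    distinct (dst, port) targets within any `window`-second span.
    Returns {src: (timestamp_of_alert, distinct_targets_at_that_time)}."""
    recent = defaultdict(deque)      # src -> deque of (ts, (dst, port))
    flagged = {}
    for ts, src, dst, port in parse(log):
        q = recent[src]
        q.append((ts, (dst, port)))
        while q and q[0][0] < ts - window:   # drop entries outside the window
            q.popleft()
        distinct = {target for _, target in q}
        if len(distinct) >= threshold and src not in flagged:
            flagged[src] = (ts, len(distinct))
    return flagged


if __name__ == "__main__":
    for src, (ts, n) in detect_syn_scans(SAMPLE_LOG).items():
        print(f"possible SYN scan from {src}: {n} targets by t={ts}")
```

The window and threshold are tuning knobs; the same structure works for ACK/FIN/Null probes if the log records the flags, and for host sweeps if you key on distinct destination addresses instead of ports.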
Intrusive Scans & Probes
• Rudimentary Network Mapping
– Use traceroute to determine an access path diagram
• Different packets may take different routes through different interfaces with different ACLs
• UDP (UNIX) vs. ICMP Time Exceeded (Windows)
– Cheops, VisualRoute, NeoTrace, Cacti, Nagios, Icinga
– Defenses: limit ping (e.g., web server but not mail server or hosts?), filter ICMP TTL exceeded, etc.
Network Attacks: Traffic Sniffing
• Sniffing
– Still lots of unencrypted protocols in common use
• E.g., Predator drones/SkyGrabber: http://online.wsj.com/article/SB126102247889095011.html
– Sniffers like tcpdump, Wireshark, Cain & Abel
– Defenses: use encrypted protocol replacements
• E.g. IPsec, SSH, HTTPS, SFTP, PGP for mail, etc.
– Targeted sniffers like dsniff understand specific protocols and can pick out certain types of traffic
• Passwords in FTP, Telnet sessions, etc.
• Sniffing on Switched Networks
– MAC flooding results in some switches forwarding packets to all links after their memory is exhausted
– Spoof ARPs from legitimate hosts to receive their packets; construct a man-in-the-middle scenario
– dsniff tool suite with arpspoof, dnsspoof, webmitm, sshmitm
– Ettercap tool: port stealing
Network Attacks
• Sniffing on Switched Networks (cont'd)
– Defenses: no hubs, static ARP tables where necessary (difficult to manage), ARP poisoning detection, e.g., DMZs, ArpON, DHCP snooping, arpwatch
• DNS Spoofing
– Multiple purposes: blackholing and set-up for MITM attacks or site redirects to attacker replica
• Do SSH/HTTPS prevent these attacks?
– Not necessarily; built on trust relationships
• Users must be careful to use only HTTPS sites with valid certificates
• Must watch out for SSH warning messages if keys don't match previously recorded keys
– These problems allow for man-in-the-middle scenarios
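What the arpwatch-style "ARP poisoning detection" defense on the slide actually looks for, as an added example that is not part of the deck: learn the MAC each IP first answers with, then alert when an IP flips to a different MAC (the classic arpspoof symptom, worst when the IP is the gateway) or when one MAC starts answering for several IPs. The ARP replies are constructed, and the gateway address is an assumed parameter.

```python
from collections import defaultdict

# Constructed ARP replies seen on one segment: (time, sender IP, sender MAC).
# At t=3 host .7 starts answering for the gateway's IP, then the real gateway
# answers again at t=4: the "flip-flop" arpwatch reports.
SAMPLE_ARP_REPLIES = [
    (0, "10.0.0.1", "aa:bb:cc:00:00:01"),
    (1, "10.0.0.5", "aa:bb:cc:00:00:05"),
    (2, "10.0.0.7", "aa:bb:cc:00:00:07"),
    (3, "10.0.0.1", "aa:bb:cc:00:00:07"),
    (4, "10.0.0.1", "aa:bb:cc:00:00:01"),
    (5, "10.0.0.5", "aa:bb:cc:00:00:05"),
]


def watch_arp(replies, gateways=("10.0.0.1",)):
    """Passive ARP monitor. Returns alerts in the order they were raised:
    'flip-flop' when an IP's MAC changes, 'multi-ip' the first time a MAC is
    seen answering for more than one IP."""
    known = {}                          # ip -> MAC most recently seen
    ips_by_mac = defaultdict(set)       # mac -> set of IPs it has claimed
    multi_reported = set()
    alerts = []
    for ts, ip, mac in replies:
        ips_by_mac[mac].add(ip)
        if ip in known and known[ip] != mac:
            alerts.append({
                "ts": ts, "type": "flip-flop", "ip": ip,
                "old_mac": known[ip], "new_mac": mac,
                "is_gateway": ip in gateways,   # gateway flip = likely MITM
            })
        known[ip] = mac
        if len(ips_by_mac[mac]) > 1 and mac not in multi_reported:
            multi_reported.add(mac)
            alerts.append({
                "ts": ts, "type": "multi-ip", "mac": mac,
                "ips": sorted(ips_by_mac[mac]),
            })
    return alerts


if __name__ == "__main__":
    for alert in watch_arp(SAMPLE_ARP_REPLIES):
        print(alert)
```

A real deployment feeds this from a capture on a SPAN/mirror port and whitelists legitimate MAC changes (VRRP/HSRP failover, NIC replacement), otherwise the flip-flop alert fires on benign events too.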
Network Attacks: Remote IP Sniffing
• IP Address Spoofing
– Simple spoofing: just change the packet's IP address
– More dangerous: undermining UNIX r-commands (rsh, rhosts), exploiting trust relationships
• Must be able to predict sequence numbers since attacker never sees SYN-ACK (different LANs)
• DoS the legitimate host so it can't send RESET
– Defenses: make sure sequence numbers are not predictable (vendor patches, etc.), don't use r-commands, don't use IP addresses for "authentication"
– Also: ingress/egress filtering, deny source-routed packets
R2L, U2R Attacks
• Remote to Local Attacks: mostly buffer overflows in OS and networked applications
– Processor and OS-specific
– Overflow stack, inject shellcode to do something
• Also heap, array, integer overflows, etc.
– R2L = remote to local
• Exploit flaw on remote listening application to obtain local user privileges
– U2R = user to root
• Exploit flaw on system (ex: setuid) for privilege escalation
– Often, backdoors created via Netcat, TFTP, inetd
• In-depth discussion out of scope for this presentation, unfortunately, but do the labs!
Web-based Attacks
• Web-based flaws important to be wary of
– Ex: IIS unicode flaws allow attacker to escape web root directory and run a command as IUSR to upload a copy of netcat and send back a shell... (vendor R2L)
• Account harvesting (different messages for incorrect username/password), session tracking (tools: Achilles, Paros)
• SQL Injection
– Inject unexpected, mishandled data into web apps; it is expanded inside the query for surprising results
– Example: poorly constructed SQL queries allow attacker to "piggyback" a query modifier in a POST, i.e. listmyinfo.asp?ID=0;delete from users
• Cross-Site Scripting (XSS)
– Insert scripted data into web apps, which process and return content containing the scripting (send cookies to a malicious third party, etc.)
– Persistent (e.g., saved on server and served to users) vs. non-persistent XSS attacks (e.g., script embedded in URL sent through phishing, not sanitized by server, executed on browser client)
Example SQL Injection
• C# code to form SQL query
string query = "SELECT * FROM items WHERE user = '" + userName + "' AND itemname = '" + ItemName.Text + "'";
sda = new SqlDataAdapter(query, conn);
• If user Tom enters "name' OR '1'='1"
• Query expands to
SELECT * FROM items WHERE user = 'Tom' AND itemname = 'name' OR '1'='1';
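The slide's string-built query rebuilt in Python beside the parameterized form that closes the hole. This is an added example, not code from the deck; it uses an in-memory SQLite table with constructed rows so it runs offline. Because `AND` binds tighter than `OR`, the expanded query is `(user='Tom' AND itemname='name') OR '1'='1'`, which is why every row comes back.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the slide's "items" table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (user TEXT, itemname TEXT)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?)",
        [("Tom", "name"), ("Tom", "bike"), ("Alice", "laptop")],
    )
    return conn


def lookup_vulnerable(conn, user_name, item_name):
    # Same pattern as the C# snippet above: the user's text becomes part of
    # the SQL statement, so a quote inside it terminates the literal early.
    query = (
        "SELECT user, itemname FROM items WHERE user = '" + user_name
        + "' AND itemname = '" + item_name + "'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, user_name, item_name):
    # Hardened form: '?' placeholders are bound by the driver, so the input
    # is always data and is never re-parsed as SQL.
    query = "SELECT user, itemname FROM items WHERE user = ? AND itemname = ?"
    return conn.execute(query, (user_name, item_name)).fetchall()


def demo():
    conn = make_db()
    hostile = "name' OR '1'='1"          # the input from the slide
    return {
        "vulnerable": lookup_vulnerable(conn, "Tom", hostile),
        "parameterized": lookup_parameterized(conn, "Tom", hostile),
        "honest": lookup_parameterized(conn, "Tom", "name"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:14s} -> {rows}")
```

With the hostile input the vulnerable path returns all three rows, including Alice's; the parameterized path returns nothing, because it is looking for an item literally named `name' OR '1'='1`. Note that `sqlite3.execute()` also refuses to run more than one statement per call, so the slide's stacked `;delete from users` trick depends on the driver as well as on the quoting.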
R2L/U2R and Web App Vulnerabilities
– Defenses: be aware of standard solutions to these problems; rely on "what has come before"
– Defenses: patch, patch, patch, patch, and detect too
• Practice responsible coding for security awareness
– Beware strcpy!
– Defenses: practice responsible ("safe") coding for security awareness
• Buffer Overflows: (example) beware strcpy, monitor mailing lists (e.g., bugtraq), use non-executable stack: dmesg | grep '[NX|DX]*protection', sysctl -w kernel.randomize_va_space=1
• Web Applications: (example) don't rely on hidden fields for data security, use stored procedures with input validation (e.g., quote escaping)
– Where do attackers go from here?
• Use this information to get to "the next step"
• Once rooted, installation of rootkits, log cleaners, etc.
Password Cracking
• Guessing passwords via login scripting
• Better: obtain Windows SAM or UNIX /etc/passwd (/etc/shadow, /etc/secure)
– Crackers: John the Ripper (UNIX), Cain & Abel
• Dictionary vs. brute-force vs. hybrid methods
• Defenses:
– Strong password policy, password-filtering s/w
– Conduct your own audits
– Use authentication tools instead if possible
– Protect encrypted files (shadowing, get rid of MS LM reps, etc.)
Adobe Breach (October 2013)
– Passwords encrypted with 64-bit 3DES in ECB
• Not hashed, not salted, not in CBC, not AES
Source: Naked Security
Adobe Breach (October 2013)
• ECB, no salting ⇒ same password results in the same "hash" ⇒ combining the hints makes the guesses easy
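Why ECB without a salt is so damaging, shown with constructed accounts as an added example (not from the deck, and not Adobe's data or code). The stdlib has no 3DES, so `ecb_like` stands in for any deterministic per-8-byte-block transform: it models only the ECB property (equal blocks in, equal blocks out). With that storage, users who chose the same password collide on the full stored value, so their hints can be pooled; users whose passwords merely share the first eight characters collide on the first block. Per-user salted PBKDF2 removes both leaks.

```python
import hashlib
import hmac
import os

# Constructed accounts: (user, password, hint). Not real breach data.
USERS = [
    ("u1", "rex2013", "my dog"),
    ("u2", "rex2013", "pet name"),
    ("u3", "rex2013", "dog + year"),
    ("u4", "password1", "the usual"),
    ("u5", "password123", "usual + 123"),
]


def ecb_like(password, block=8):
    """Stand-in for an unsalted 64-bit block cipher in ECB mode: every 8-byte
    block is transformed independently and deterministically. NOT 3DES; it
    reproduces only the property that equal blocks give equal ciphertext."""
    data = password.encode()
    data += b"\x00" * (-len(data) % block)          # pad to a block multiple
    return [hashlib.sha256(data[i:i + block]).hexdigest()[:16]
            for i in range(0, len(data), block)]


def store_unsalted(password):
    return "".join(ecb_like(password))


def store_salted(password, salt=None):
    """Hardened form: random per-user salt plus a slow KDF, stored together."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + dk.hex()


def verify_salted(stored, password):
    salt_hex, _ = stored.split("$")
    recomputed = store_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


def clusters(records, store):
    """Groups of users whose stored values are identical (with their hints)."""
    by_value = {}
    for user, pw, hint in records:
        by_value.setdefault(store(pw), []).append((user, hint))
    return [group for group in by_value.values() if len(group) > 1]


def shared_first_block(records):
    """Users whose first stored block matches: same first 8 password bytes."""
    by_block = {}
    for user, pw, _ in records:
        by_block.setdefault(ecb_like(pw)[0], []).append(user)
    return [group for group in by_block.values() if len(group) > 1]


if __name__ == "__main__":
    print("unsalted ECB clusters:", clusters(USERS, store_unsalted))
    print("shared first block   :", shared_first_block(USERS))
    print("salted clusters      :", clusters(USERS, store_salted))
```

The unsalted run groups u1, u2 and u3 together with hints "my dog", "pet name" and "dog + year", which is exactly the crossword-style attack on the Adobe dump; the salted run yields no clusters at all, since each user's value depends on a different random salt.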
Denial of Service
• Remotely stopping service
– land (uses same IP src and dst), jolt2 (IP fragment badly structured, no 0 offset), teardrop (overlapping fragments), etc.
– Mostly older exploits, prey on flaws in TCP stack
– Defenses: patch everything, keep up to date
• Remotely exhausting resources
– SYN flood: send lots of SYNs
– Smurf: directed broadcast attack
– Defenses:
• Adequate bandwidth, redundant paths, failover strategies
• Increase size of connection queue if necessary
• Traffic shaping can help
• Ingress/egress filtering at firewall, border routers
• SYN cookies eliminate connection queue
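How "SYN cookies eliminate connection queue" works, as an added example that is not from the deck: the server encodes a keyed value into its own ISN instead of allocating a half-open entry, and only the final ACK (which echoes ISN+1) makes it allocate state. The bit layout (5-bit time slot, 3-bit MSS index, 24-bit keyed value), the MSS table and the secret are assumptions of this demo, not the layout of any real kernel; the three-way handshake is simulated in `simulate_handshake`.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed demo key"      # a real stack uses random per-boot secrets
MSS_TABLE = [536, 1220, 1440, 1460]   # assumed MSS encoding for the demo


def _mac(src_ip, dst_ip, sport, dport, slot):
    """24+ bit keyed value over the 4-tuple and the coarse time slot."""
    msg = struct.pack("!4s4sHHI", src_ip, dst_ip, sport, dport, slot)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def make_cookie(src_ip, dst_ip, sport, dport, client_isn, mss_idx, slot):
    """Server ISN for the SYN-ACK. Nothing is stored per connection."""
    low = (_mac(src_ip, dst_ip, sport, dport, slot & 0x1F) + client_isn) & 0xFFFFFF
    return ((slot & 0x1F) << 27) | ((mss_idx & 0x7) << 24) | low


def check_cookie(src_ip, dst_ip, sport, dport, client_isn, cookie, now_slot):
    """Validate the ISN echoed in the final ACK (ack - 1). Returns the MSS to
    use, or None if the cookie is forged, stale (> 1 slot old) or malformed."""
    slot = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    if (now_slot - slot) & 0x1F > 1:
        return None
    expect = (_mac(src_ip, dst_ip, sport, dport, slot) + client_isn) & 0xFFFFFF
    if not hmac.compare_digest(expect.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx] if mss_idx < len(MSS_TABLE) else None


def simulate_handshake(forge_ack=False, delay_slots=0):
    """SYN -> SYN-ACK(cookie) -> ACK, with the server keeping no state between
    the first two steps. Returns the negotiated MSS or None."""
    src, dst = bytes([203, 0, 113, 9]), bytes([192, 0, 2, 10])   # constructed
    sport, dport, client_isn, slot = 40000, 80, 0x12345678, 7
    cookie = make_cookie(src, dst, sport, dport, client_isn, 3, slot)
    ack_seq = (client_isn + 1) & 0xFFFFFFFF      # client's seq in the ACK
    ack_num = (cookie + 1) & 0xFFFFFFFF          # acknowledges our ISN
    if forge_ack:
        ack_num ^= 0x1234                        # an ACK sent without the SYN-ACK
    return check_cookie(src, dst, sport, dport, (ack_seq - 1) & 0xFFFFFFFF,
                        (ack_num - 1) & 0xFFFFFFFF, slot + delay_slots)


if __name__ == "__main__":
    print("genuine ACK :", simulate_handshake())
    print("forged ACK  :", simulate_handshake(forge_ack=True))
    print("stale ACK   :", simulate_handshake(delay_slots=3))
```

The price of statelessness is visible in the code: only a handful of MSS values survive, and anything else from the SYN (window scale, SACK) is lost unless encoded elsewhere, which is why Linux only switches cookies on once the backlog actually overflows.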
Distributed Denial of Service
• Botnets: DDoS (but also adware, scareware, spam, spyware, ransomware)
– Take advantage of the distributed nature of the 'Net; use amplifiers and bouncers
– Bots live on numerous hosts, remotely controlled through public IRC channels, DGA, fast flux, Twitter, etc.
• Examples: Conficker, Mariposa, TDL4
• Bandwidth capability of hundreds of Gbps (2014 NTP reflection attack, 2015 wireless routers)
– Newer threats feature encrypted client-server communication (sometimes stealthy via ICMP, etc.), decoy capabilities, built-in updaters, and a variety of attack types
• Harder and harder to trace sources: subverting privacy infrastructure -> OnionBot
– Defenses: consider all previous advice. Also, do your part to keep zombies off systems
• Detect and remove
– Best defense is rapid detection; work with your ISP to help eliminate flood with upstream filters
Denial of Service
• DoS (all forms) sometimes used as diversion to hide "real" attacks
– Flooding behavior can help to conceal something much more serious, e.g., DNS poisoning
– Be alert!
Defenses
• It's an arms race and there is no bulletproof solution today
• Defense in depth
– A best-practice strategy devised by the NSA
– A multi-layered defense approach
– People, technology, operation
– https://www.nsa.gov/ia/_files/support/defenseindepth.pdf
All-Purpose Defenses 1
• Stay up to date with OS service patches and security-list mailings [most important!]
• Follow principle of least privilege with user accounts
• Harden your systems
– Close all unused ports, don't run services you don't need
– Do you really need a C compiler on your web server?
• Find your vulnerabilities before attackers do and check regularly
– Probing tools, vulnerability scanners, etc.
• Centrally log all relevant information and monitor as appropriate
– Network monitoring packages, intrusion detection including file integrity checks for system executables
– E.g. Snort, AIDE, Tripwire
All-Purpose Defenses 2
• Use of encryption where possible for communication
– Non-snake-oil certificates for production systems
• Good solid policies, recovery plans
– Scripted post-mortems important so no on-the-spot decisions
• Of course... regular backups of crucial data!
– Be able to recover critical systems with little notice; think about data mirroring and redundancy
Defenses: Firewalls 1
• Stateful Packet Filters
– Remember earlier packets
– Allow new packets originating from outside in only if they are associated with earlier packets
• Proxy-Based Firewalls
– Operate at the application level, so they "know when a session is present"
– "Safer" but operate differently; lower performance, and you may need features of a packet filter
Defenses: Firewalls 2
• Audit your firewall with adequate tools
– Determine which packets are allowed through a firewall or router
– Utilizes TTL field of IP header, given two IP addresses
– Response from "one hop beyond" indicates port is open
– Use this information to harden your firewall; configure it for a minimal set of rules!
– Is it worth filtering ICMP time exceeded messages? Would cripple attackers but may present administrative problems
Defenses: Intrusion Detection
• Deploy an IDS to "watch" for suspicious traffic on your network
– Equivalent of a network watchguard, "heads up"
– Must keep it up to date
– NIDS vs. HIDS
• Problems: Information Correlation
– How to correlate to provide "scenario views"?
– Must carefully tune to find relevant information, limit false positives and wasted time
Defenses: Intrusion Detection 2
• Problems: IDS Evasion
– Attackers mess with the appearance of traffic so it doesn't match a signature
• Fragmentation
– Some can't handle it at all; others can quickly become exhausted with a flood of fragments -- fail open or closed?
– Tiny Fragment Attack (IDS looks for port number to make filtering decisions; first packet is so small it doesn't have it)
– Fragment Overlap Attack (second fragment overlaps and writes over "okay" port number with "sneaky" one)
– FragRouter tool
• Minor modifications to popular attacks (ex: overflow strings)
– Whisker and Nikto CGI scanner tools provide: URL encoding (unicode), directory insertion, fake parameter, session splicing, many more at application level (ex: HTTP)
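The two fragmentation evasions on the slide, reproduced against a small reassembler so you can see what an IDS has to get right. This is an added example, not from the deck: fragments are constructed tuples with byte offsets (real IP offsets count 8-byte units), and the `policy` argument stands for the fact that different hosts resolve overlaps differently, so an IDS that reassembles with one policy while the target uses the other sees a different port than the victim does.

```python
import struct


def reassemble(fragments, policy="first", header_len=8):
    """Reassemble one datagram from (byte_offset, more_fragments, payload)
    tuples. policy selects whose bytes win on overlap ("first" or "last").
    Returns (payload or None if incomplete, set of findings)."""
    findings = set()
    buf, owner, total = bytearray(), [], None
    for idx, (off, more, data) in enumerate(fragments):
        if off == 0 and more and len(data) < header_len:
            findings.add("tiny-first-fragment")   # transport header is split
        end = off + len(data)
        if end > len(buf):
            buf.extend(b"\x00" * (end - len(buf)))
            owner.extend([None] * (end - len(owner)))
        for i, byte in enumerate(data):
            pos = off + i
            if owner[pos] is not None:              # byte already written
                findings.add("overlap-conflict" if buf[pos] != byte
                             else "overlap-duplicate")
                if policy == "first":
                    continue
            buf[pos], owner[pos] = byte, idx
        if not more:
            total = end                              # last fragment fixes length
    if total is None or any(o is None for o in owner[:total]):
        return None, findings
    return bytes(buf[:total]), findings


def udp_dst_port(payload):
    return struct.unpack("!HHHH", payload[:8])[1]


def demo_overlap(policy):
    """Fragment overlap: an 'okay' UDP header to port 53 is followed by a
    second offset-0 fragment that differs only in the destination port."""
    okay = struct.pack("!HHHH", 1234, 53, 16, 0)
    sneaky = struct.pack("!HHHH", 1234, 69, 16, 0)
    frags = [(0, True, okay), (0, True, sneaky), (8, False, b"payload!")]
    payload, findings = reassemble(frags, policy=policy)
    return udp_dst_port(payload), findings


def demo_tiny():
    """Tiny fragment: an 8-byte first fragment cannot hold a 20-byte TCP
    header, so the flags needed for a filtering decision arrive later."""
    first = b"\x04\xd2\x00\x35\x00\x00\x00\x01"                       # ports + seq
    rest = b"\x00\x00\x00\x00\x50\x02\x20\x00\x00\x00\x00\x00"        # rest of header
    payload, findings = reassemble([(0, True, first), (8, False, rest)],
                                   header_len=20)
    return len(payload), findings


if __name__ == "__main__":
    print("first-wins :", demo_overlap("first"))
    print("last-wins  :", demo_overlap("last"))
    print("tiny       :", demo_tiny())
```

Under "first" the reassembled header says port 53, under "last" it says 69: the same wire traffic, two conclusions. That is the argument for target-based reassembly (the IDS is told which policy each protected host uses) and for simply alerting on any conflicting overlap, since legitimate retransmissions repeat identical bytes and never produce `overlap-conflict`.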
More on...
• Session Hijacking Mechanisms
• Netcat usage, other common tools
– ngrep, lsof, log analyzers, monitoring tools
• Much more in the way of R2L, U2R methods and defenses
– Buffer overflows, privilege escalation, XSS
• Wireless Security
• Backdoors/Rootkits/Trojans
– Vulnerability maintenance, log cleaners
Some Tools
• John the Ripper, L0phtCrack (LC4/5), Cain & Abel
• Ethereal, Wireshark, tcpdump, snoop
• Ettercap, hunt, arpwatch
• IPFW, iptables, IPF, firewalk, nmap, etc.
• dsniff
• FragRouter
• Snort, ACID
• AIDE, Tripwire
• OpenVAS, Nessus, Whisker
• Netcat, Nagios, Cacti
Web Links
• www.securityfocus.com (inc. BugTraq)
• cve.mitre.org
• icat.nist.gov
• www.cert.org
• www.packetstormsecurity.org
• www.packetfactory.net
• www.phrack.org
• www.honeynet.org
• www.owasp.org