Hacking Exposed: Live 2009

George Kurtz – SVP/GM Risk and Compliance BU

Stuart McClure – VP Operations / Strategy Risk and Compliance BU

McAfee, 04/21/09 | Session ID: HT2-105

TRANSCRIPT

Page 1: Hacking Exposed: Live 2009 - McAfee… · wireless Social Engineering POOR COMMON SENSE MALICIOUS INTENT MISUSED FUNCTIONALITY DESIGN FLAWS. Threats The land of opportunity

Hacking Exposed: Live 2009

George Kurtz – SVP/GM Risk and Compliance BU

Stuart McClure – VP Operations / Strategy Risk and Compliance BU

McAfee

04/21/09 | Session ID: HT2-105

Page 2:

Please Download The Most Current Slides At:

www.foundstone.com/hackingexposedrsa2009.pdf

Hacking Exposed: LIVE – RSA 2009

www.foundstone.com/hackingexposedrsa2009.zip

With Flash (.swf) file…

1

Page 3:

A little about us…

George Kurtz

• Former CEO and Co-founder of Foundstone

• Co-Author of Best-Selling Hacking Exposed and Other Security Texts

• Voted Conde Nast Most High-Maintenance Traveler of the Year by my Co-workers at McAfee

Stuart McClure

• Former President/CTO and Co-founder of Foundstone

• Lead-Author of Best-Selling Hacking Exposed, Web Hacking, HE: Windows

• Better known as: Stu “I never met a GUI I didn’t like” McClure

Page 4:

3

Agenda

The Hack

The Digital Battlefield

Countermeasures (Apply)

Summary

Page 5:

The Digital Battlefield

Page 6:

At the heart of ALL threats

When Opportunity Meets Motivation… Meets Ability…

• Bots, Botnets, DDOS networks

• Spyware, Adware, PUPs

• User-propagated viruses, Trojans, PW stealers

• Spam, mass-mailers, phishing, pharming

• Vulnerabilities, Exploits, Scripted attacks

• Targeted attacks

• PDA, cell phone, wireless

• Social Engineering

POOR COMMON SENSE | MALICIOUS INTENT | MISUSED FUNCTIONALITY | DESIGN FLAWS

Page 7:

Threats

The land of opportunity…

• Misused functionality

– File sharing

– Usernames/passwords

– Autorun

– BHO

• Design flaws

– Operating system (Windows RPC MS08-067)

– Adobe Flash, Windows Media Player, Quicktime

– Java

– Web Applications

• Google, MSN, Hotmail

– Network

– Database

• Malicious Intent

– Direct/Targeted attack

– Malware attack network ports

– Botnets

• Poor common sense

– Executing email attachments

• .exe, .doc, .xls, etc.

– Click on untrusted web links in:

• Email

• IM/IRC

• Web sites (install plug-ins)

• Texting

Page 8:

Digital Battlefield

7

Page 9:

Our Mission

• Primary Goal:

– Complete Compromise of the PDC

• Secondary Goal:

– Compromise CEO Laptop

• Tertiary Goal:

– Sell more books the evil way!

• What we know about the network

– Firewall with restrictive rules in place

– Ingress: Ports 80, 443 open to the web server

– Egress: Ports 21, 53 (TCP/UDP), 80, 443

8

Page 10:

The Hack

Page 11:

Cross-Site Request Forgery - CSRF

• Let’s start with selling more books!

• CSRF also known as one-click attack and session riding

• CSRF exploits the trust a user has with their browser

• Cross Site Scripting (XSS) – exploits the trust a user has with a particular site

• The following characteristics are common to CSRF:

– Site must rely on a user's identity

– Trick the user's browser into sending malicious requests to a target site

– Exploit the site's trust in that identity

– Abuse the established session – have the browser do the dirty work and pass the authentication cookie

10

Page 12:

Have to get that Amazon rank up…

• The Hacking Exposed Boys need some new Lappies!

– We can’t hack on old hardware

• Our Goal - ratchet up the Amazon.com ranking and sell some books!

• Abuse one-click “book ordering” while people visit our Hacking Exposed Blog

11

Page 13:

Digital Battlefield

12

CSRF

Authentication Cookie

Page 14:

DEMO

13

Page 15:

And the Results are in…

14

Page 16:

Drive By Shooting - Spear Phishing Style

• Email to CEO

• Obfuscate URL

• Drive by Shooting

– IE 7 MS09-002 (Feb 09)

– Memory Corruption Vuln

• Shovel a shell to Attack Linux port 80

• One click Attack – Download packed hack kit

• a.exe

15

Note: A real attack would download a Bot/trojan/rootkit, etc.

Page 17:

Digital Battlefield

16

Remote Shell (443)

Phish Website

Evil Payload

Page 18:

DEMO

17

Page 19:

Inflicting Some Damage on Windows

• Enumerate PDC

• Dump local hashes

• Dump Windows Zero Config

• Life is good!

18

Page 20:

DEMO

19

Page 21:

First You Steal the Hash – Then You Steal the Cash

• Password hashes are password equivalents

• So… why can’t we simply use the hash as the password?

• Load password hash of target account into memory on our compromised system

• We “become” the target account

– Beats trying to crack passwords!

20

Page 22:

Passing Hash

• There is no need to crack the password!

• This process was developed by folks at Foundstone and never publicly released

• Recently publicly available code has been released by Marcus Murray at Trusec.de

21

Page 23:

Passing Hash

I want my Hash - Goal: Gain Access To Sensitive Shares on the PDC

• We compromise one server/workstation using a remote/local exploit

• We extract logged on hashes and find a domain admin or other user account hashes

• We use the hash to log on to a domain controller or other target system

• If an Active Directory database is compromised, the attacker can now impersonate any account in the domain

22

Page 24:

Digital Battlefield

23

Remote Shell (443)

Passed Hash

Evil Payload

Remote Shell (backupadmin) 80

Page 25:

DEMO

24

Page 26:

Where Did Mr. CEO Go?

• Oops the CEO has just left the building!

25

Page 27:

26

25,000 25,001

There’s an App for Pwning Too!

The fastest way to Pwn Windows

Page 28:

iPhone Pwnage

• Shell out

• Ping PDC

• Nmap PDC

• Pop PDC – shovel shell out to Attack Linux

• Stu will be command line challenged – but he will have to deal with it

27

Page 29:

Digital Battlefield

28

Server Services (MS-08-067) Exploit

Remote Shell (443)

Connect with CEO Credentials

Page 30:

29

Page 31:

30

Page 32:

Countermeasures: Apply

Page 33:

CSRF Countermeasures

• Root cause

– Poor web design

• Insufficient re-authentication

– Require authentication in GET and POST parameters, don’t rely only on cookies

– Checking the HTTP Referrer header

– Restrict crossdomain.xml usage, granting unintended access to Flash movies

– Limit the lifetime of authentication cookies

– Poor user common sense

• Users should not click on links they don’t know or trust!!

• Detection/Prevention

– Web Application Firewall (WAF)

• Commercial Options (including HIPS), or

• Free or Open Source: Breach Security’s ModSecurity, OWASP Stinger Project (Java/J2EE) [limited], AQTRONIX WebKnight, SQLGuard (Java)

32

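The two CSRF countermeasures from this slide and the "session riding" mechanics from the CSRF slide, shown side by side in an added example (not code from the deck or from Foundstone): a cookie-only check that any forged one-click request satisfies, beside a check that also requires a session-bound token in the request parameters and a matching Origin/Referer. The endpoint, origin, secret key and request shapes are assumptions.

```python
# Added example: server-side CSRF check for a hypothetical one-click "order book"
# endpoint. Assumed request shape: session cookie, form parameters, HTTP headers.
import hmac
import hashlib
from urllib.parse import urlparse

SITE_ORIGIN = "https://shop.example"       # assumed origin of the protected site
SECRET_KEY = b"constructed-server-secret"  # assumed server key, not a real one

def cookie_only_allowed(cookies: dict) -> bool:
    """The weak design from the slide: any request carrying the session cookie is accepted,
    so a request forged from another site (browser attaches the cookie) passes too."""
    return bool(cookies.get("session"))

def make_csrf_token(session_id: str) -> str:
    """Token bound to the session; a third-party page cannot read or derive it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def origin_ok(headers: dict) -> bool:
    """The Referrer-header check from the slide, using Origin when present."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False  # neither header: treat as cross-site rather than guessing
    p = urlparse(src)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN

def order_allowed(cookies: dict, form: dict, headers: dict) -> bool:
    """Hardened check: cookie, a matching token in the parameters, and our own origin."""
    session_id = cookies.get("session")
    if not session_id:
        return False
    expected = make_csrf_token(session_id)
    supplied = form.get("csrf_token", "")
    return hmac.compare_digest(expected, supplied) and origin_ok(headers)

# Constructed sample traffic for the one-click scenario on the slides.
SESSION = {"session": "abc123"}  # the victim's live login cookie
LEGIT = ({"book": "HE6", "qty": "1", "csrf_token": make_csrf_token("abc123")},
         {"Origin": SITE_ORIGIN})
# Forged request triggered from a third-party blog: the cookie rides along,
# but the page cannot supply the session-bound token and its Referer is foreign.
FORGED = ({"book": "HE6", "qty": "1"}, {"Referer": "https://blog.example/post"})
```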

Page 34:

Spear Phishing Countermeasures

• Root cause

– Poor common sense

– It’s a feature, not a bug!

• Invisible iFRAMEs need to go away…

• Unlikely…

• Detection/Prevention

– User Education/Awareness

• DON’T CLICK ON WEB LINKS!!!

– Web filtering gateways/firewalls (blacklisting/whitelisting)

– Email/SPAM gateways

33


Page 35:

Passing Hash Countermeasures

• Root cause

– It’s a feature, not a bug!

• Need to remove the “feature” in the MS SAM

• Unlikely…

• Detection/Prevention

– Two-factor authentication

– Eliminate password reuse (John the Ripper)

– Don’t let a bad guy get Admin and dump the SAM!

– Don’t backup the SAM and leave it lying about…

– Control your running processes: HIPS, Whitelisting products

• Free or Open Source: AntiHook (Win), Winsonar (Win), Samurai (Win), ProcessGuard (Win), OSSEC - Linux

34

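Because a hash is a password equivalent, the "eliminate password reuse" countermeasure can be audited without cracking anything: two accounts with the same NT hash share a password, and one stolen hash then opens both. An added example (not from the deck) that parses a pwdump-style hash dump, flags NT-hash reuse that exposes privileged accounts, and flags accounts still storing an LM hash. The privileged-account list and all hash values are constructed placeholders.

```python
# Added example: audit a SAM/AD hash dump for the conditions that make
# pass-the-hash devastating. Assumed input: pwdump-style "user:rid:lm:nt:::" lines.
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # well-known LM hash of an empty password
PRIVILEGED = {"Administrator", "backupadmin"}   # assumed high-value accounts

# Constructed sample dump; the hashes are made up and are not real credentials.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
backupadmin:1104:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
ceo:1105:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
helpdesk:1106:deadbeefdeadbeefdeadbeefdeadbeef:abababababababababababababababab:::
"""

def parse_dump(text: str) -> list:
    """Parse pwdump lines into (user, rid, lm_hash, nt_hash); skip malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        rows.append((parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return rows

def audit(rows: list) -> dict:
    """Report NT-hash reuse, reuse touching privileged accounts, and stored LM hashes."""
    by_nt = defaultdict(list)
    for user, _rid, _lm, nt in rows:
        by_nt[nt].append(user)
    reuse = {nt: users for nt, users in by_nt.items() if len(users) > 1}
    # Reuse matters most when a privileged account shares its hash with another one:
    # the other account's hash is then equivalent to the privileged password.
    exposes_priv = sorted(u for users in reuse.values()
                          if PRIVILEGED & set(users) for u in users)
    lm_present = sorted(user for user, _rid, lm, _nt in rows if lm != EMPTY_LM)
    return {"reuse": reuse, "exposes_privileged": exposes_priv, "lm_present": lm_present}

if __name__ == "__main__":
    print(audit(parse_dump(SAMPLE_DUMP)))
```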

Page 36:

iPhone Hack Countermeasures

• Root cause

– It’s a feature, not a bug!

• Ability to Jailbreak the iPhone…

• Detection/Prevention

– Secure your WAPs (WPA2, MAC address restrictions, etc.)

– Fix your vulnerabilities!

– Deploy HIPS/NIPS:

• Free or Open Source: AntiHook (Win), Winsonar (Win), Samurai (Win), ProcessGuard (Win), OSSEC - Linux

35


Page 37:

Summary

• It’s a jungle out there… but you need to prepare yourself

• Secure coding and penetration reviews are a must

• Understand the level of vulnerabilities in your own network and applications

– Leverage Policy Compliance and Vulnerability Management tools

– Software must be kept up to date

– Images must be hardened (best practices)

• Education is critical

• Defense-in-Depth

– Integrated Endpoint protection (AV, HIPS, process whitelisting)

– Network Protection (IPS, Firewalls, DLP)

36

Page 38:

Special Thanks

• Ryan Permeh

• Tom Lee

• Brian Holub

• Robin Kier

• All of the high IQ boys @ AVERT Labs and Foundstone Consulting!

• The Phishme Team

37

Page 39:

Special Thanks To:

38

Page 40:

Think Evil – Do Good!

39

Achtung baby!!!

Page 41:

Questions

40

Contact Info:

[email protected]

[email protected]

www.hackingexposed.com