When the tables turn
DESCRIPTION
Presentation by Roelof Temmingh, Haroon Meer and Charl van der Walt at BlackHat USA in 2004. This presentation is about improving network security to turn the tables on would-be attackers. Various tools and techniques to achieve this are discussed.
TRANSCRIPT
Agenda
– Thinking about the concept
– Introduction
– Types of defensive technology
– Raising the bar
– Typical assessment methodology
– Attacks
– Examples
– Conclusion
Thinking about the concept
We're from South Africa:
– Robbery on Atterbury Road in Pretoria
– Electric fencing around my house
From the insect world:
– Acid bugs – "I don't taste nice"
– Electric eel
Spy vs. spy:
– Disinformation
Introduction
Current trends in "assessment" space:
– Technology is getting smarter
– People are getting lazy
– A good "hacker" used to be technically clever
– Tool/scanner for every level of attack
Perceptions:
– Administrators are dumb, "hackers" are clever
– Skill = size of your toolbox
In many cases the mechanic's own car is the one that's broken.
Types of defensive technology
Robbery analogy:
– Firewalls: Armour-plated windows
– IDS: Police
– IPS: Driving away
– Back Hack: Carry a gun in the car
Fence analogy:
– Firewalls: Walls
– IDS: Police
– IPS: Armed response
– Back Hack: Trigger-happy wife…
Raising the bar
Raising the "cost" of an "assessment":
Attacking the technology, not the people
Attacking automation; "let's move to the next target"
Used to be: "Are you sure it's not a honey pot?"
Now:
– Is YOUR network safe?
– Are YOUR tools safe from attack?
– Do YOU have all the service packs installed?
– Do you measure yourself as you measure your targets?
Typical assessment methodology
• Footprinting
• Vitality
• Network level visibility
• Vulnerability discovery
• Vulnerability exploitation
• Web application assessment
Attacks
Types:
– Avoiding/Stopping individual attacks
– Creating noise/confusion
– Stopping/Killing the tool
– Killing the attacker's host/network
Levels:
– Network level
– Network application level
– Application level
Attacks
Attack vectors: all information coming back to the attacker is under OUR control:
– Packets (and all their features)
– Banners
– Forward & reverse DNS entries
– Error codes, messages
– Web pages
Used in the tool/scanner itself
Used in rendering of data, databases
Used in secondary scanners, reporters
Examples
Footprinting:
Avoiding: DNS obfuscation
Noise: "Eat my zone!"
Stopping: Endless loop of forward entries
Killing: Eeeevil named… reverse entries
Examples
Footprinting:
Tools: Very basic – host, nslookup, dig
Domains: not a lot we can do there..
DNS entries: forward, reverse, axfr, ns
SensePost has some interesting footprinting tools…
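The DNS side of the two footprinting slides, as an added Python example (mine, not code from the talk or from SensePost's tools): it writes a BIND-style zone padded with decoy hosts, so that anyone who manages an AXFR gets a list of targets that are not there ("Eat my zone!"), and adds a three-name CNAME loop as the "endless loop of forward entries". The domain, the 192.0.2.0/24 addresses (RFC 5737 documentation range) and every record name are constructed. The second half is the tool-side check the talk is really asking for: a CNAME chaser with a hop limit and loop detection, which is what keeps a footprinting script from spinning on such a zone.

```python
import random

# Constructed example domain; nothing here describes a real zone.
DOMAIN = "example.com"


def build_decoy_zone(domain: str, n_hosts: int, seed: int = 1) -> str:
    """Return zone text with n_hosts decoy A records and a CNAME loop.

    Noise: the decoy hosts fill a zone transfer with machines that do not
    exist. Stopping: loop1 -> loop2 -> loop3 -> loop1 never resolves; a
    resolver gives up, a naive tool that chases every name may not.
    """
    rng = random.Random(seed)
    lines = [
        f"$ORIGIN {domain}.",
        "$TTL 3600",
        f"@ IN SOA ns1.{domain}. hostmaster.{domain}. (1 3600 900 604800 300)",
        f"@ IN NS ns1.{domain}.",
        "ns1 IN A 192.0.2.1",  # constructed: documentation address space
    ]
    prefixes = ["web", "mail", "db", "dev", "vpn", "backup", "test", "sql"]
    for i in range(n_hosts):
        name = f"{rng.choice(prefixes)}{i:03d}"  # plausible-looking decoy
        lines.append(f"{name} IN A 192.0.2.{rng.randint(2, 254)}")
    loop = ["loop1", "loop2", "loop3"]
    for src, dst in zip(loop, loop[1:] + loop[:1]):
        lines.append(f"{src} IN CNAME {dst}.{domain}.")
    return "\n".join(lines) + "\n"


def count_records(zone_text: str, rtype: str) -> int:
    """Count records of one type in the generated zone text."""
    return sum(1 for line in zone_text.splitlines() if f" IN {rtype} " in line)


def parse_cnames(zone_text: str) -> dict:
    """Map owner name -> CNAME target (relative name) from the zone text."""
    cnames = {}
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1] == "IN" and parts[2] == "CNAME":
            cnames[parts[0]] = parts[3].split(".")[0]
    return cnames


def chase_cname(cnames: dict, name: str, max_hops: int = 8):
    """How a careful tool follows CNAMEs: bounded hops, loop detection.

    Returns the final non-CNAME name, or None if the chain loops or runs
    past max_hops (the tool then logs the name and moves on, rather than
    recursing forever on a zone built to trap it).
    """
    seen = set()
    current = name
    for _ in range(max_hops):
        if current not in cnames:
            return current
        if current in seen:
            return None
        seen.add(current)
        current = cnames[current]
    return None
```

The decoy names are deterministic for a given seed so the zone can be regenerated identically; the chaser treats "too many hops" the same as "loop", which is the conservative choice for a tool that will be pointed at hostile zones.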
Examples
Network level:
Avoiding: Firewall
Noise: honeyd & transparent reverse proxies
– Random IPs alive
– Random ports open
– Traceroute interception/misdirection
– Fake network broadcast addresses
Stopping: ?
Killing: nmap with banner display??
Examples
Network level:
Tools: Ping sweeps / vitality checkers, port scanners
nmap, paketto/pulse, superscan, visualroute, some custom scripts, etc. etc.
Examples
Network application level
Avoiding: Patches, patches
Noise:
– Fake banners
– Combined banners
– NASL (reverse) interpreter
Stopping:
– Tar pits
Killing:
– Buffer overflows
– Rendering of data – malicious code in HTML
– Where data is inserted into databases
– Scanners that use other scanners (e.g. using nessus, nmap)
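The "rendering of data" and "inserted into databases" bullets, as an added Python example (mine, not the presenters' code): a scanner that drops banners and reverse names straight into its HTML report and into a SQL script, beside the same two steps done safely. The scan results, the 192.0.2.x addresses, the table name `findings` and the payload strings are constructed for the demonstration; an in-memory SQLite database stands in for whatever a real scanner stores into. The point is the one the slide makes: the target chooses the banner and the PTR name, so the report and the database are attack surface.

```python
import html
import sqlite3

# Constructed scan results, as collected from a host the defender controls.
# The second host's PTR and banner are aimed at the report, not at the
# scanner's network code.
RESULTS = [
    {"ip": "192.0.2.10", "port": 80,
     "ptr": "web1.example.com",
     "banner": "Apache/1.3.29 (Unix)"},
    {"ip": "192.0.2.11", "port": 80,
     "ptr": "<img src=x onerror=alert(1)>.example.com",
     "banner": "Apache'); DROP TABLE findings; --"},
]


def render_report_naive(results) -> str:
    """Report built by string formatting: PTR and banner land in the HTML
    as-is, so the viewer of the report runs whatever the target put there."""
    rows = "".join(
        f"<tr><td>{r['ip']}</td><td>{r['ptr']}</td><td>{r['banner']}</td></tr>"
        for r in results)
    return f"<table>{rows}</table>"


def render_report_safe(results) -> str:
    """Same report, every target-controlled field HTML-escaped."""
    rows = "".join(
        "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            html.escape(r["ip"]), html.escape(r["ptr"]), html.escape(r["banner"]))
        for r in results)
    return f"<table>{rows}</table>"


def _fresh_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE findings (ip TEXT, port INTEGER, ptr TEXT, banner TEXT)")
    return con


def store_naive(results):
    """INSERTs batched into one script by string formatting.

    Returns the row count afterwards, or None if the table no longer exists
    (the second banner closes the INSERT and appends a DROP TABLE).
    """
    con = _fresh_db()
    script = "".join(
        f"INSERT INTO findings VALUES ('{r['ip']}', {r['port']}, "
        f"'{r['ptr']}', '{r['banner']}');\n"
        for r in results)
    con.executescript(script)
    try:
        return con.execute("SELECT COUNT(*) FROM findings").fetchone()[0]
    except sqlite3.OperationalError:
        return None  # "no such table": the banner's DROP TABLE ran


def store_safe(results) -> int:
    """Same data stored with bound parameters; the banner is just a string."""
    con = _fresh_db()
    con.executemany(
        "INSERT INTO findings VALUES (?, ?, ?, ?)",
        [(r["ip"], r["port"], r["ptr"], r["banner"]) for r in results])
    return con.execute("SELECT COUNT(*) FROM findings").fetchone()[0]
```

The naive store uses a batched script deliberately, because that is how the trailing `DROP TABLE` gets to execute; a scanner that runs one statement at a time would instead fail on the second row and lose that finding, which is the "Stopping" outcome rather than the "Killing" one.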
Examples
Network application level
Tools:
Shareware: Nessus, amap, httprint, SARA & friends?
Commercial: ISS, Retina, Typhon, Foundscan, Qualys, Cisco
Examples
Application level & (web server assessment)
Avoiding: Application level firewall
Noise:
– On IPs not in use:
  • Random 404, 500, 302, 200 responses
  • Not enough to latch "friendly 404", or intercept 404 checking
– Within the application:
  • Bogus forms, fields
  • Pages with "ODBC …"
Stopping: Spider traps, Flash, Human detectors
Killing:
– "You are an idiot!"
– Bait files.. Admintool.exe and friends in /files, /admin etc.
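Why random 404/500/302/200 responses on unused IPs stop a scanner from latching a "friendly 404", as an added Python example (mine, not the presenters' code): a stand-in for an ordinary site with a custom not-found page, a stand-in for a decoy on an unused IP, and the baseline step a web scanner runs before it starts asking for /admin and friends. Both sites, the hash-derived responses and the probe paths are constructed; the scanner logic is a simplified model of what tools such as Nikto do, not their code.

```python
import hashlib
import random


def fixed_404_site(path: str):
    """Constructed stand-in for an ordinary site with a 'friendly 404':
    every unknown path gets status 200 and the same body."""
    return 200, "<html><body>Sorry, that page was not found.</body></html>"


class DecoySite:
    """Constructed stand-in for an unused IP behind a decoy.

    Status and body come from a keyed hash of the path: every unknown path
    gets a different answer, yet the same path always gets the same answer,
    so re-requesting a path does not reveal that the answers are made up.
    """
    STATUSES = (200, 302, 404, 500)

    def __init__(self, secret: bytes = b"constructed-secret"):
        self.secret = secret

    def __call__(self, path: str):
        h = hashlib.sha256(self.secret + path.encode()).digest()
        status = self.STATUSES[h[0] % len(self.STATUSES)]
        filler = h[1:9 + h[9] % 24].hex()  # 8..31 bytes of stable junk
        return status, f"<html><body>{status} {filler}</body></html>"


def latch_baseline(fetch, probes: int = 3, seed: int = 0):
    """Scanner side: fetch a few paths that cannot exist and, if they all
    answer alike, latch that (status, body) as the site's 'not found'
    signature. Returns None when no consistent baseline emerges."""
    rng = random.Random(seed)
    answers = set()
    for _ in range(probes):
        path = "/" + "".join(rng.choice("abcdefghijklmnopqrstuvwxyz")
                             for _ in range(12))
        answers.add(fetch(path))
    return answers.pop() if len(answers) == 1 else None


def classify(fetch, baseline, path: str) -> str:
    """'hit' when a probe answers differently from the baseline, 'miss' when
    it matches, 'unknown' when no baseline exists: then every one of the
    scanner's checks is a guess and its report fills with noise."""
    if baseline is None:
        return "unknown"
    return "miss" if fetch(path) == baseline else "hit"
```

Keying the decoy's answer on a hash of the path rather than on a per-request random draw is the detail worth copying: a scanner that fetches the same bogus path twice to test for randomness sees a consistent site, while any two different paths still disagree, so nothing latches.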
Examples
Tools:
Shareware: Nikto, Nessus, Whisker?, WebScarab, Exodus, Pharos, Spike, Httrack, Teleport pro
Commercial: Sanctum Appscan, Cenzic Hailstorm, Kavado Scando, SPI Dynamics WebInspect, @stake webproxy
Examples
Armpit1 (flowchart; branch labels as recovered from the slide)
Incoming connection → Valid cookie?
– yes: Relay connection
– no: Valid request string?
  • yes: Send valid cookie and redirect → Back to client
  • no: Build and send Flash → Back to client
Examples
Armpit2, with IPS (flowchart; branch labels as recovered from the slide)
Incoming connection → Valid cookie? (checked against the bad cookie jar)
– yes: Evil request?
  • yes: Blacklist cookie (into the bad cookie jar) & close connection
  • no: Relay connection
– no: Valid request string?
  • yes: Send valid cookie and redirect → Back to client
  • no: Build and send Flash → Back to client
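The Armpit2 flow as an added Python example. It is my reading of the flowchart, not the presenters' code: the branch labels (the request string that earns a cookie is the proof the Flash movie sends back after a browser has run it; a valid cookie gets relayed unless the request is evil, in which case the cookie goes into the bad cookie jar and the connection is closed) are reconstructed from the slide. Assumed on top of the slide: the cookie and the Flash proof token are HMACs over a client identifier (the source address, in a deployment), so neither can be forged or borrowed by another client; the "Evil request?" decision, which the IPS makes in the real setup, is a constructed substring match here; the path `/__armpit` and the key are invented.

```python
import hashlib
import hmac
from enum import Enum


class Action(Enum):
    SEND_FLASH = "build and send Flash"
    SEND_COOKIE_AND_REDIRECT = "send valid cookie and redirect"
    RELAY = "relay connection"
    BLACKLIST_AND_CLOSE = "blacklist cookie & close connection"


# Constructed stand-in for the IPS verdict: real deployments get this from
# the IPS, here it is a substring match so the flow can be exercised.
EVIL_MARKERS = ("/cgi-bin/phf", "../", "<script", "union select")


class Armpit:
    def __init__(self, key: bytes, evil_markers=EVIL_MARKERS):
        self.key = key
        self.evil_markers = tuple(m.lower() for m in evil_markers)
        self.bad_cookie_jar = set()  # cookies blacklisted after an evil request

    def _tag(self, purpose: str, client_id: str) -> str:
        msg = f"{purpose}:{client_id}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:32]

    def proof_token(self, client_id: str) -> str:
        """Token the Flash movie sends back once a browser has run it."""
        return self._tag("proof", client_id)

    def flash_callback_url(self, client_id: str) -> str:
        """URL embedded in the Flash built for this client (/__armpit is invented)."""
        return "/__armpit?proof=" + self.proof_token(client_id)

    def mint_cookie(self, client_id: str) -> str:
        return f"{client_id}:{self._tag('cookie', client_id)}"

    def cookie_is_valid(self, cookie, client_id: str) -> bool:
        """Ours, bound to this client, and not in the bad cookie jar."""
        if not cookie or not cookie.isascii() or cookie in self.bad_cookie_jar:
            return False
        return hmac.compare_digest(cookie, self.mint_cookie(client_id))

    def request_string_is_valid(self, path: str, client_id: str) -> bool:
        """True when the request carries this client's Flash proof token."""
        prefix = "/__armpit?proof="
        if not path.startswith(prefix):
            return False
        token = path[len(prefix):]
        return token.isascii() and hmac.compare_digest(token, self.proof_token(client_id))

    def request_is_evil(self, path: str) -> bool:
        lowered = path.lower()
        return any(m in lowered for m in self.evil_markers)

    def decide(self, path: str, cookie, client_id: str) -> Action:
        """One pass through the Armpit2 flowchart for an incoming request."""
        if self.cookie_is_valid(cookie, client_id):
            if self.request_is_evil(path):
                self.bad_cookie_jar.add(cookie)
                return Action.BLACKLIST_AND_CLOSE
            return Action.RELAY
        if self.request_string_is_valid(path, client_id):
            return Action.SEND_COOKIE_AND_REDIRECT
        return Action.SEND_FLASH
```

Binding both tokens to the client identifier is what makes the "IPS can switch on armpits" idea safe to run in front of real users: a scanner that captures a cookie from one vantage point cannot replay it from another, and once its own cookie is in the jar every further request from it drops back to the Flash step.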
Combining with IPS
Conclusion
• These techniques do not make your network safer?
• IPS is getting smarter
  – The closer to the application level they go, the more accurate they become.
• IPS can easily switch on "armpits"
• It's a whole new ballgame…
QUESTIONS?? COMMENTS?? FLAMES??