Cybersecurity HS Summer Camp
Cyber Attack
HS Summer Camp | Computer Science Department | University of Puerto Rico - RP
Cyber attack

A cyber attack is any type of offensive maneuver employed by individuals or whole organizations that targets computer information systems, infrastructures, computer networks, and/or personal computer devices by various means of malicious acts, usually originating from an anonymous source, that either steals, alters, or destroys a specified target by hacking into a susceptible system.
Cyber attack

A cyber attack violates one of the pillars of information assurance.

Attacker goal                                        Pillar violated
steal information                                    confidentiality
deface a web page                                    integrity
bring down a DNS or any service                      availability
send a malicious email from someone else's account   non-repudiation
steal login credentials                              authentication
Security Barriers

• Network Barrier
  • Perimeter Firewall
  • NAT
• Host Barrier
  • Authentication
  • Host Firewall
• System Barrier
  • ACL (user privileges)
  • FS Encryption
Bypassing Barriers

• Network Barrier
  • Compromising a service or host that is outside the firewall, like a public web server.
  • Compromising a service or host inside a NAT that is accessible from the network.
• Host Barrier
  • Password cracking tools, packet sniffing for credentials, exploiting a service vulnerability.
• System Barrier
  • Escalating privileges with password cracking tools, and exploiting a service or application vulnerability.
Pivoting to Target Host

Generally there are more hosts on the target host's network.
Those other hosts might have different services running, thus allowing different potential paths in from the outside.
Pivoting to Target Host

The target computer only has the SSH service open, but it is protected from the network with a firewall.
There is another host that has a public web server not protected by the firewall.
Pivoting to Target Host

The attacker would try to exploit a vulnerability on the web server that would allow them to SSH internally from the web server to the target host.
Phases of an Attack

• Reconnaissance - The attacker scans the target network to learn what traffic the firewall (if any) lets through, the hosts on the network, and the services on each host.
• Vulnerability Assessment - Based on the recon results, an analysis of possible vulnerabilities in the hosts and their services is performed.
• Exploitation - The attacker exploits vulnerabilities in the services and gets access to the system.
• Post Exploitation - The attacker takes the action that violates one of the pillars of IA, and takes whatever steps are necessary to cover their tracks.
Reconnaissance

Dedicate resources and time to observe and probe the target computer or network to find entry points and possible weaknesses.
In this phase information is gathered about the target.
Reconnaissance - Network Info

• IP addresses
• Subnet mask
• Network topology
• Domain names

Reconnaissance - Host Info

• usernames
• group names
• architecture type (e.g. x86 vs SPARC)
• operating system family and version
• TCP and UDP services running, with versions

Reconnaissance - Security Policy

• password complexity requirements
• password change frequency
• expired/disabled account retention
• physical security (e.g. locks, ID badges, etc.)
• firewalls
• intrusion detection systems

Reconnaissance - Human Info

• address
• telephone number
• frequent hangouts (physical and online)
• computer knowledge (expertise)
• hobbies and interests
Passive Reconnaissance

Gathering information, often indirectly, in a manner unlikely to alert the subject of the surveillance.
It minimizes any interaction with the target network that might raise flags in the computer, firewall, and IDS logs.
Accessing the target's web page may leave a record in the server logs, but it would likely look like a regular access to a web server.
On the other hand, accessing the web server so frequently that the service becomes overloaded might alert the target.
Google is not only your friend

Use it to find information on the target. You might find files with user information, maybe even passwords, addresses, or social security numbers.
A web page that gives you information on how to gather vulnerability information using search engines: https://www.exploit-db.com/google-hacking-database/
Public Network Information

Network information can be obtained freely via public records online.
Every IP address and domain name must be registered in a public database.
Pages like http://network-tools.com/ provide the target domain's IP address range, DNS servers, and a contact address and telephone number.
Public Network Information

Try for instance: http://network-tools.com/default.asp?prog=whois&host=136.145.181.50

Whois is also available in the terminal.

$ whois 136.145.181.10
NetRange:       136.145.0.0 - 136.145.255.255
CIDR:           136.145.0.0/16
NetName:        UPR
NetHandle:      NET-136-145-0-0-1
Parent:         NET136 (NET-136-0-0-0-0)
NetType:        Direct Assignment
OriginAS:
Organization:   University of Puerto Rico (UPR-7)
RegDate:        1989-08-29
Updated:        2011-10-13
Comment:        http://www.upr.edu
Ref:            http://whois.arin.net/rest/net/NET-136-145-0-0-1

OrgName:        University of Puerto Rico
OrgId:          UPR-7
Address:        Jardin Botanico Sur. 1187
Address:        Calle Flamboyan
City:           San Juan
StateProv:      Puerto Rico
PostalCode:     00926
Country:        PR
Active Reconnaissance - scanning

Gathering information while interacting with the subject directly, in a way that usually can be discovered.
Tools that can be used for active network recon:
• ping can tell you which IPs are in use by hosts on a network.
• traceroute helps figure out the topology of the network, i.e. where the routers are with respect to the hosts.
• netcat (nc) can be used to determine which ports are open with servers listening on them.
Probing versions with nc

$ nc ccom.uprrp.edu 80
GET / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Tue, 28 Apr 2015 21:29:02 GMT
Server: Apache/2.2.15 (CentOS)
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1

(The server answers 400 because an HTTP/1.1 request must carry a Host header, but the Server line still reveals the software and its version.)

$ nc lists.ccom.uprrp.edu 25
220 lists.ccom.uprrp.edu ESMTP Postfix
Active Reconnaissance - nmap

Nmap is a very powerful network scanner that attempts a TCP connection with every port number of a specific IP address to determine which ports are open and, therefore, which services are running on the host at that IP address.
Based on different tests, it can also probe the versions of the services running and even the operating system running on the hosts.
Probing versions with nmap

$ nmap -A -T4 xxx.uprrp.edu
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2015-04-28 17:56 AST
Interesting ports on 136.145.181.66:
Not shown: 1668 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 4.3 (protocol 2.0)
80/tcp  open  http     Apache httpd 2.2.23 ((CentOS))
111/tcp open  rpc
443/tcp open  ssl/http Apache httpd 2.2.23 ((CentOS))
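An added example, not part of the camp slides: a small Python parser for the nmap output shown above, used the way a defender would run it against their own host. It turns the port table into records, lists open ports that are not on a perimeter allowlist (what the Network Barrier firewall should be blocking), and lists services that disclose a product version. The allowlist and the helper names are assumptions for this example.

```python
import re
from typing import NamedTuple

# Sample `nmap -A` output, taken from the scan shown on the slide above.
NMAP_OUTPUT = """\
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2015-04-28 17:56 AST
Interesting ports on 136.145.181.66:
Not shown: 1668 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 4.3 (protocol 2.0)
80/tcp  open  http     Apache httpd 2.2.23 ((CentOS))
111/tcp open  rpc
443/tcp open  ssl/http Apache httpd 2.2.23 ((CentOS))
"""

# One row of nmap's port table: "<port>/<proto>  <state>  <service>  [version...]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


class Service(NamedTuple):
    port: int
    proto: str
    state: str
    name: str
    version: str  # empty when nmap could not identify a version


def parse_nmap(text: str) -> list[Service]:
    """Extract the port table rows from nmap's normal (human-readable) output."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, name, version = m.groups()
            services.append(Service(int(port), proto, state, name, (version or "").strip()))
    return services


def unexpected_exposure(services: list[Service], allowed_ports: set[int]) -> list[Service]:
    """Open ports missing from the perimeter allowlist: candidates for the firewall to block."""
    return [s for s in services if s.state == "open" and s.port not in allowed_ports]


def version_disclosures(services: list[Service]) -> list[Service]:
    """Services that announce a product version an attacker could match against known flaws."""
    return [s for s in services if s.version]


if __name__ == "__main__":
    found = parse_nmap(NMAP_OUTPUT)
    for s in unexpected_exposure(found, allowed_ports={443}):  # assumed policy: only HTTPS public
        print(f"not in allowlist: {s.port}/{s.proto} {s.name}")
    for s in version_disclosures(found):
        print(f"version disclosed: {s.port}/{s.proto} {s.version}")
```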
Vulnerability Assessment

The goal of the vulnerability assessment, after finding possible entry points in the reconnaissance phase, is to find whether there are vulnerabilities on the target.
Tools such as OpenVAS: http://www.openvas.org/
The main component of OpenVAS is the security scanner, which can only run on Linux. It does the actual work of scanning and receives a daily-updated feed of Network Vulnerability Tests (NVT), more than 33,000 in total.

OpenVAS report
Exploitation (Infiltration)

The ultimate goal of this phase is to gain control of a host on the target's network.
This is typically done by gaining remote access to a shell or terminal as the administrator on that host.
Knowing a weakness is not enough to infiltrate the target; an attacker must discover a way to take advantage of that weakness.

This does not necessarily require advanced knowledge and skill in computer programming.
Anyone can guess weak passwords to gain access, but developing a custom-made program to exploit poorly written code in software requires advanced programming knowledge and skill.
Exploitation (Infiltration)

If an exploit exists for an identified vulnerability, the exploit is applied in the hope of gaining control of a host.
There are many automated tools for the exploitation of known computer weaknesses freely available on the Internet. The most popular exploitation program is actually a framework, or collection of programs, called Metasploit.
http://www.metasploit.com/
http://www.offensive-security.com/metasploit-unleashed/Main_Page
Post Exploitation

In this phase the attacker wants to achieve the intended objective and back out leaving no trace of the trespass.
In practice, this is very difficult because computers keep records of every logon, logoff, startup, shutdown, network connection, program execution, and error received.
Finally, the attacker may either terminate the connection, if no further access is required, or create a backdoor for future access to the target.
Metasploit
Two VMs

• Kali
  • Virtual Machine with Metasploit
  • username/password root/toor or root/ccom4088
• Metasploitable
  • from the Metasploit project
  • a vulnerable Ubuntu VM
  • username/password msfadmin/msfadmin
#ifconfig
Get the IP address of the machine to obtain the network.

#msfconsole
Scanning

Either use nmap or Metasploit's own port scanners.
Machines scanned with msf will be stored in the database.
1. use module
2. show module options
3. set module variables
4. run

A computer just like we wanted!
Some Utils

• #services -u
  • will display the open ports
• #hosts -R
  • sets the RHOSTS option to the hosts in the database
• #?
  • will give you the available command options
• #search keyword
  • searches for keyword among the msf modules
Service scanning (ftp)

Service scanning (vnc)

• Follow the steps used for ftp to find the default password of the VNC server.
• Connect to the VNC server with
  • #vncviewer Metasploitable:5900
Service scanning (tomcat)

1. Look at the list of open ports. Find the one that is running Apache Tomcat. Try the ones that are more likely: 8000 and up.
2. Similar to the previous examples, find a suitable Tomcat login scanner.
3. Set up the scanner and run it. Take a careful look at the results.

Service scanning (tomcat)

1. Search for a Tomcat exploit.
2. Set the exploit options with the information gathered in the previous steps.
3. exploit

Service scanning (tomcat)

Exploit options

Service scanning (tomcat)

Meterpreter - command interpreter
Play with it for some time. #?
References
• Metasploit Unleashed • http://www.offensive-security.com/metasploit-unleashed/
• Armitage presentation BSidesPR 2013