Introduction to Information

SecurityNetwork Traversal

nirkrako at post.tau.ac.ilitamargi at post.tau.ac.il

Network Traversal - Introduction

• We now move from discussing the act of hacking a single machine or device, to discuss the act of traversing through an entire network:o How organized networks are structured.o How hackers penetrate organized networks, usually administered by a

single person, or team of administrators.o How hackers traverse the network to gain access to more resources

and data.

Victim NetworkVertical

Horizontal/Lateral

First Target: Patient 0• Hackers will try to infect one computer, by

different methods:o Chance / statistical Luck!o Spear-phishing or human error.o Social engineeringo Pure hacking.

• After infecting patient 0. Hackers can attempt to launch different types of attacks which can now depend on the internal network structure.

• By using information and access readily available on the hacked machine, hackers can attempt to laterally traverse the network.

Spearphishing• “Spear phishing is an e-mail spoofing fraud

attempt that targets a specific organization, seeking unauthorized access to confidential data. Spear phishing attempts are not typically initiated by "random hackers" but are more likely to be conducted by perpetrators out for financial gain, trade secrets or military information.” -- http://searchsecurity.techtarget.com/definition/spear-phishing

An email I received• True story: I received this email last year. Can you

spot the fail?

Network-wide Users• In an organized network , each user is given a

single user/password credential, this password is used to authenticate the user against all machines in the network which the user should have access to.

• Example: TAU. Your user and password is used to login to the *n?x machines as well as the video website.

• If a computer used by one of the users is compromised. you can use his credentials if gained to login to all machines in the network.

Sniffing for passwords• By local example• .bashrc << __EOF__• alias ‘sudo’ ‘/tmp/sudo.sh’• __EOF__• /tmp/sudo.sh << __EOF__• #!/bin/bash• echo “Enter password:”• read PASS• echo $PASS > /tmp/.password.log• sudo $1 $2 $3 $4 $5 $6• __EOF__

Sniffing for passwords• On windows and other GUI based applications:

key logging is used to record credentials being entered.

• By actually sniffing the network, looking for “telnet” or other unencrypted communication ways – communication where passwords are given in clear text format.

• Sniffing the network traffic looking for hashes which can later be cracked (More in next slide).

Cracking passwords• Gaining root access to /etc/shadow (previously

/etc/passwd) leads to obtaining password hashes• John the Ripper or other password brute forcing

techniques can then be used to retrieve the clear text password.

• The clear text password can be used to login to other computers.

• Users tend to use the same password for all computers and services, making it easy to gain access to other resources.

rlogin/rsh - history• Instead of logging in all the time – rlogin/rsh is used to

authenticate a user without the need to enter a password.• Once a connection is received from a trusted machine and

it declares that the user remotely connecting is the user, the user automatically gains remote machine access with the same credentials.

• Many hacking techniques employ:o echo “+ +” > ~root/.rhostso This lets anybody from any host connect to the computer.

• IP spoofing can be used to gain remote access as well. And this poor authentication is still being used in some dark corners of the world.

• NFS V < 4 has also utilizes the same bad authentication by only comparing host/port(using identd) to identify the user.

Domain of computers

Unix NIS (Network Information Service)

• The NIS (formerly known as Yellow Pages/YP) protocol is and old protocol used to sync passwords across a network.

• The NIS passwords are used to spread credential of a network of computers.

• From each of the servers in the network access is given to a virtual directory which contains files such as “passwd”/ “shadow”, etc.

• By using shell: # ypcat passwdo You can get the network hashes of ALL users!o In a secure network scheme this does not include the root account,

however local account access can be gained on all computers sharing the passwd file.

Pass the hash• Passing the hash is an original way of authentication

for SSO (Single Sign On) which is easily exploitable.• In windows based systems, by simply passing the

hash, a user is able to proove that he has the credentials needed to gain access to a resource (such as a network share).

• Once hackers log in to a system, they can use locally existing network hashes to pass them to other systems by this process:o Gain local administrator privilegeso View locally logged in accounts.o Impersonate a user locally.o Use regular windows operations to access network resources.o Gain more access and run remote code using psexec (sysinternals utility).

LSASS

• Slide was taking from “WCE Internals by Amplia Security”

Hash harvesting• On windows computers, hashes are saved locally even after a

logon session is terminated in case access to the domain is no longer available.

• Several tools are in the wild used to do this hash harvesting, such as:o WCE – Windows Credential Editoro Pass The Hash Toolkit.o gsecdumpo Maybe more.o pwdump - hash dumping is also possible localy by dumping the SAM file (Security Accounts

Manager)

• WCE and its like:o User ProcessReadMemory() to read the memory of LSASS for harvestingo Inject code to implement the impersonation of users.

• Side Note – cracking NTLM hashes:o NTLM aka NT LanMan (Lan Manager) hashes are DES based hashes of max 14 byte passwords:

Each 7 bytes of the password is hashed seperately making it easier instead of 256^14 we get 256^7 * 2. Therefore a rainbow table can be easily created.

Unix NFS (Network File System)

• The Unix NFS comparable to windows “Sharing”. Is a method of sharing directories by allowing other to locally mount a remote directory as if it was their own.

• As we previously learned using u+s and o+x to a file that hands us root privileges we are able to escalate our privileges:o echo "main(){setuid(0);setgid(0);system("/bin/sh");}" > a.co gcc –o a a.c

• Misconfigured NFS, allows mounted directory to contain suid files, therefore allowing root on one machine the ability to gain

o http://packetstorm.wowhacker.com/mag/faith/faith8.txt

Shared binaries patching

• Administrators or users share binaries on network shares / NFS. (Usually installation files).

• If those network shares are writable by a hacker he can modify them and then wait for other users to execute them.

• Example at TAU:user@nova:~$ mount | grep '/ type'netapp1:/vol/vol0/linux-root/precise/common/ on / type nfs(rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,nolock,proto=tcp,port=65535,timeo=70,retrans=3,sec=sys,local_lock=all,addr=132.67.192.53)

More Misc Subjects• Network based anti-viruses• Passive DNS

Network based anti-viruses

• Network anti-viruses aim to catch malware at end-points by analyzing aspects of network traffic.

• Companies that provide this service reverse engineer malware and collect intelligence on how malwares operate from a network perspective.

• Input is made into blacklist rules such as:o Command and Control Domainso Command and control Ipso Specific looking URLs

Passive DNS• Security researchers have been collecting IP-Host pairs for a few

years now.• This is done using instrumented programs installed by ISPs at their

DNSs.• The Host-IP pairs can be used to back-track hackers’ resources.• For example, if hacker A uses domain blblbfizzly.com , we can now

blacklist it.• we look it up in passive dns to find ip pairs we find it matches the

following IPs: 8.8.8.8 and 8.8.4.4.• We can look up in th e same database for pairs with 8.8.4.4 we find

it matches gogogofizzly.com and bijo888rocks.com• Now without much more information, you would educatedly guess

that gogogofizzly.com is being used by the same hacker A, therfeore we can blacklist it to.

• Virustotal.com has a publicly query-able passive database but it is an incomplete one.

Random Practical Subjects Not Covered

• Honey potso File basedo Computer basedo Network based

• Penetration testingo Metasploito Nessus

• SIEM/SOC Systemso Sinkholes.

• Security Resources:o CVEo Virustotal

• Security Patcheso 0-Day Gap.

• Command and Control Channels• Many more…

Questions?

Good Luck in the Test!• The test is hard.• You will need to prepare a folder with this

semesters material and bookmarks for subjects!• Hopefully, there will be a 3 hour rehearsal

exercise before the test.• Feel free to drop by us questions and ask for help.

• No homework for you, come back 1 year!