It’s Cats vs. Rats – Manufacturing enterprise with Internet of Things run by cats (transcript, cisco.com)
15. – 16. marec 2017| Cisco Connect | Portorož, Slovenija
The Challenge
Attackers are skilled and motivated
Attackers are engineers
Learn from others, reuse code or write your own
Test before putting in production:
– Will it bypass Anti-Virus?
– Will it bypass IPS?
– Will it bypass NGFW?
– Will it bypass Sandboxing?
There is no Silver Bullet!
It’s a Cat-and-Mouse Game!
The Target: Labrats
Manufacturing enterprise with Internet of Things run by cats
Public and Internal Servers
Clients in a Microsoft Active Directory Environment
BYOD
Defense
[Figure: Internet, Labrats.se with IoT, Public Servers, Active Directory, Internal Servers, Clients]
In this session:
The cats are the good guys. The cat symbol means detection or response.
The rats are the evil intruders.
Modified Kill Chain
Note that attackers are not legally bound to follow the exact model ….
– E.g. may establish persistence before lateral movement…
Recon
Gain Foothold (Attack Delivery, Exploitation)
Local Compromise
Command and Control
Lateral Movement
Establish Persistence
Exfiltration
Reconnaissance
Business, organization….
Servers, Applications, Infrastructure
Employees
– Email addresses, organization, friends, interests….
Objective: Learn about the target
Reconnaissance: Scanning
Use (automated) scanning to find out about target’s public servers
– Operating systems, versions, vulnerabilities
– Applications, versions, vulnerabilities
Reconnaissance: Public Sources
[Figure: public sources. Tech forums give detailed info on infrastructure (sample post: “Hi Currently have an issue with PEAP and and iPAD using NPS…”); other sources give friends, family, interests, email addresses, skills/technology, whether someone is looking for new jobs, IP addresses, domain names]
Google Hacking
Google provides a rich syntax for searching
https://www.exploit-db.com/google-hacking-database/
– Find files of type Excel that are on labrats.se
– Find pages with the text scratchy that are not on site labrats.se
So what has Itchy found out?
– Tech forums: Mordiac is ex-Unix. Since 6 months now doing Active Directory. Clueless?
– Scratchy (CFO) is looking for a new job. He also likes tuna fish.
– Found a few Excels on the Labrats public site with macros.
[Figure: Itchy. Evil.]
Gain Foothold
Physical Attacks
Attack Public Web Servers
Attack Client
– Exploiting bugs in clients
– Social Engineering
Physical Attack – Insert a Device to the Network
Many organizations have open areas with open (wired) network access
– Lobbies, conference rooms, ….
– Healthcare: all across the hospital including patient rooms
Pwnplug: https://www.pwnieexpress.com/
Raspberry Pi 2 (http://docs.kali.org/kali-on-arm/install-kali-linux-arm-raspberry-pi)
[Figure: a device inserted into the Labrats.se network next to Active Directory, Internal Servers and Clients]
Mitigating Device Insertion
Better physical security
– Not always desirable, e.g. “we don’t want to make hospitals into prisons”
– Difficult to protect against “legitimate” visitors, consultants etc.
Network Access Control: Don’t let anybody connect anything to the network!
– Authenticate all network access everywhere!
[Figure: Labrats.se network (Active Directory, Internal Servers, Clients): no access to unknown devices, limited access to known devices]
Attack Wifi Protected with Passwords
Many orgs use WPA2 Enterprise with passwords for Wireless authentication
– PEAP-MSCHAPv2 with Active Directory passwords
– Dangerous even if password complexity is good and passwords are changed often!
– Spear-phishing emails enticing the user to log on to a website is one way….
[Figure: the rat at the Labrats.se network (Active Directory, Internal Servers, Clients): “All I need is a username and a password”]
Mitigation: Time to Consider Client Certificates?
[Figure: SSID = Corporate (802.1X). The cat: “No cert, no access. Sorry.” The rat: “I know his password, I still cannot get access to the network”]
Exploiting Client Side Vulnerabilities
Use email, social media….
Get a user to open an attachment or click on a link
… to run a vulnerable application or plugin
Attacking the Client with Executable Malware
Use email, social media…. Get a user to open an attachment
… to run executable malware
– .exe, .msi, .vbs, .ps1, .dmg , ....
– Office with Macros (may require social engineering to have end user allow Macros)
No vulnerability needed! It is an executable file (it is supposed to execute!)
But my Anti-Virus is Updated, so I am OK?
Malware source code freely available
– Easy to write in high-level scripting languages (Python, PowerShell, VBS)
"Write-Your-Own-Penetration-Testing-Code" tutorials, books...
Copy-paste source code for key-logging, Man-in-the-Browser, persistence, CnC communication...
[Figure: PE header, original program (e.g. putty.exe) followed by appended code FEEDDEEDBEEDAEEDFEFFFF. AV does not know what to look for]
Before Attack: Check if malware would get past AV
Online scanner: http://virustotal.com will share sample with AV vendors
Other online scanners will not share samples...
Targeted attacks may use dedicated AV test systems
[Figure: the rat tests before attacking: “I can be patient. I only have to strike once.”]
But we use Sandboxing, so we are OK?
Sandboxing: Technology that uses dynamic analysis to let code run inside a virtual machine
Detect potentially malicious behavior:
– network activity
– persistence (registry writes, service creation)
– spreading
– anti-debugging
– reading password files
– Key-logging
– ….
Malware Sandbox Detection
Check machine characteristics
– registry keys, MAC address, processes, services
– Check browser cache, ….
– execute code with different timing/result in VMs
– Wait for 10 reboots, ... for 1000 mouse-clicks…
Malware just sleeps for X hours
– sandbox cannot keep the file forever
– countermeasure: fast forward clock in sandbox, catch sleep() function…
– counter-countermeasure: ... <insert your own>
[Figure: Red Pill / Blue Pill]
Keeping Track of Files: Retrospection
Most files are of unknown disposition the first time we see them
– Neither known benign files nor known malware
Possible to keep track of files (by fingerprint: e.g. SHA256, MD5)
– In case disposition changes at a later time (further down the attack chain)…
[Figure: time/attack chain at 0, 2 mins and 20 mins. Files CD2A… and 256…AB are downloaded with disposition “Unknown”; later a file is reclassified as “Malware” (sandboxing, AV updates, machine learning…)]
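As an added example (not code from the slides or from any Cisco product), a minimal retrospection store in Python: it records every file by SHA256 fingerprint when first seen and, when a later verdict arrives, raises an alert for every host that already received that file. The host names, paths and file contents are constructed.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta


class FileRetrospection:
    """Remember where each file (by SHA256) was seen, so a verdict that arrives
    later (sandbox, AV update, machine learning) can be applied backwards."""

    def __init__(self):
        self.sightings = defaultdict(list)   # sha256 -> [(when, host, path)]
        self.disposition = {}                # sha256 -> "unknown" | "clean" | "malware"

    def observe(self, content: bytes, host: str, path: str, when: datetime) -> str:
        """Record a sighting; a fingerprint seen for the first time starts as 'unknown'."""
        digest = hashlib.sha256(content).hexdigest()
        self.sightings[digest].append((when, host, path))
        self.disposition.setdefault(digest, "unknown")
        return digest

    def update_disposition(self, digest: str, verdict: str, source: str, now: datetime):
        """Apply a later verdict. Returns one retrospective alert per earlier sighting
        when the file has just turned out to be malware, otherwise an empty list."""
        previous = self.disposition.get(digest, "unknown")
        self.disposition[digest] = verdict
        if verdict != "malware" or previous == "malware":
            return []
        return [
            {"sha256": digest, "host": host, "path": path, "source": source,
             "dwell": now - seen}            # how long the file sat there undetected
            for seen, host, path in self.sightings[digest]
        ]


def demo():
    """Constructed timeline in the spirit of the slide: downloads at 0, 2 and 5 min,
    a sandbox verdict at 20 min. Returns the retrospective alerts raised at 20 min."""
    t0 = datetime(2017, 3, 15, 9, 0, 0)
    store = FileRetrospection()
    invoice = b"constructed sample document with a macro"    # stands in for an attachment
    report = b"constructed harmless quarterly report"
    h1 = store.observe(invoice, "client-scratchy", r"C:\Users\scratchy\Downloads\invoice.xlsm", t0)
    store.observe(report, "client-mordiac", r"C:\Users\mordiac\Downloads\q1.xlsx", t0 + timedelta(minutes=2))
    store.observe(invoice, "fileserver-1", r"\\fs1\shared\invoice.xlsm", t0 + timedelta(minutes=5))
    # Up to here both files are of unknown disposition; nothing has alerted.
    return store.update_disposition(h1, "malware", "sandbox", t0 + timedelta(minutes=20))
```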
Mitigating Client Side Attacks!
Use state-of-the-art perimeter defense
– Email security
– Web security
Ensure browsers and all plugins are up-to-date
– Disable specifically dangerous plugins like Java, Flash
Client side security
– Personal FW/IPS
– Keep track of files/retrospection
Best practice: Do not let the users be local administrators
User Training
– “don’t click on everything”
Command and Control (CnC)
Objective: Control the compromised client
Command and Control (CnC)
Typically use protocols allowed outbound: HTTP, HTTPS, (SMTP, DNS)
– If using HTTP the CnC may still be encrypted at application level
Multiple proxy layers (in different countries) to make blocking and law enforcement more difficult…
[Figure: Internet, NGFW, Labrats.se with Public Servers, Active Directory, Internal Servers, Clients, IoT]
Malware often uses DNS to find CnC
Malware prefers DNS!
– 91.3% of malware uses DNS*
Malware may not know the IP of its CnC server
– Dynamic IP (home computer)
– May not have compromised it yet!
[Figure: the attacker registers evilcnc.xyz.xyz → 74.63.17.18 at a DNS server on the Internet; inside, behind the NGFW, the client (.18 / .20) calling home to evilcnc.xyz.xyz sends Q: evilcnc.xyz.xyz via the inside DNS server]
*Cisco Annual Security Report 2016, http://www.cisco.com/go/asr
CnC and DNS (Fast Flux)
Setting a short time-to-live (TTL) in the DNS response allows for changing IP/host
…in case it is down/taken down/blocked
[Figure: the client behind the NGFW calls home to evilcnc.xyz.xyz via the inside DNS server; the answer A: IP 85.231.1.18, TTL: 5 min]
CnC and Domain Generation Algorithms (DGAs)
Objective: Avoid blocking of static DNS names
Malware writer creates “his” algorithm to generate future DNS requests
Then registers domain just-in-time
[Figure: the encoder produces a new name per day, e.g. sk0s21blrp.aial33.com (18 Feb), wwgs9djz.fdlsf.com and dr3nszxvp.igdz.com (19–20 Feb); the client behind the NGFW calls home to each via the inside DNS server, while the attacker registers that day’s name just in time (wwgs9djz.fdlsf.com → 74.63.17.20)]
Possible Detections:
• Long “weird” names (high entropy)
• Negative DNS responses (NXDOMAIN)
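An added example, not from the slides, that covers both the fast-flux slide and the DGA slide: Python that runs over a constructed resolver log and flags (a) clients producing a burst of NXDOMAIN answers for high-entropy names and (b) names whose answer changes under a short TTL. The log format, thresholds and answer IP addresses are assumptions; the domain names are the ones on the slides.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log (not from the slides): epoch client qname rcode answer ttl
SAMPLE_LOG = """\
1487404800 192.168.1.2 www.labrats.se NOERROR 198.51.100.10 3600
1487404801 192.168.1.2 sk0s21blrp.aial33.com NXDOMAIN - -
1487404802 192.168.1.2 wwgs9djz.fdlsf.com NXDOMAIN - -
1487404803 192.168.1.2 dr3nszxvp.igdz.com NXDOMAIN - -
1487404804 192.168.1.2 evilcnc.xyz.xyz NOERROR 203.0.113.18 300
1487405104 192.168.1.2 evilcnc.xyz.xyz NOERROR 203.0.113.20 300
1487404810 192.168.1.7 mail.labrats.se NOERROR 198.51.100.11 3600
1487404811 192.168.1.7 mial.labrats.se NXDOMAIN - -
"""


def label_entropy(qname: str) -> float:
    """Shannon entropy (bits per character) of the leftmost label; DGA labels score high."""
    label = qname.split(".")[0]
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())


def parse(log: str):
    for line in log.splitlines():
        ts, client, qname, rcode, answer, ttl = line.split()
        yield {"ts": int(ts), "client": client, "qname": qname.lower(), "rcode": rcode,
               "answer": None if answer == "-" else answer,
               "ttl": None if ttl == "-" else int(ttl)}


def analyze(log: str, nx_threshold=3, entropy_threshold=2.8, ttl_threshold=300):
    """Return DGA candidates as (client, NXDOMAIN count) and fast-flux candidates
    as (name, distinct answer IPs, minimum TTL)."""
    nx_names = defaultdict(list)     # client -> names that did not resolve
    answers = defaultdict(set)       # name -> IPs it resolved to
    min_ttl = {}
    for rec in parse(log):
        if rec["rcode"] == "NXDOMAIN":
            nx_names[rec["client"]].append(rec["qname"])
        elif rec["answer"]:
            answers[rec["qname"]].add(rec["answer"])
            min_ttl[rec["qname"]] = min(rec["ttl"], min_ttl.get(rec["qname"], rec["ttl"]))
    dga = []
    for client, names in nx_names.items():
        mean_entropy = sum(map(label_entropy, names)) / len(names)
        # one typo (mial.labrats.se) is noise; many failed lookups of random-looking names is not
        if len(names) >= nx_threshold and mean_entropy >= entropy_threshold:
            dga.append((client, len(names)))
    # a name that keeps moving between IPs under a short TTL is the fast-flux shape
    fast_flux = [(name, len(ips), min_ttl[name]) for name, ips in answers.items()
                 if len(ips) >= 2 and min_ttl[name] <= ttl_threshold]
    return {"dga": sorted(dga), "fast_flux": sorted(fast_flux)}
```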
Detecting CnC: Known Bad
IPS Signatures on known bad CnC data content
IP based reputation (destination is known CnC server)
DNS based reputation (destination name is known CnC server)
Local Compromise
Objective: Get System Privileges
Privilege Escalation
Mitigating Client Attacks: Users are not Admins!
On a machine, users may have different privileges
Best Practice: Don’t let normal users have local admin/superuser privileges
[Figure: LABRATS\scratchy may read/write scratchy’s files; may NOT install software, modify drivers, install a sniffer. Administrator/Superuser can do anything on the local machine: install software, modify drivers, install sniffers, read any memory locations]
Attackers want to become admins
Without it, the attacker is still able to read/write all Scratchy’s files, emails etc.
But he may want to move laterally in the network: attack other machines
– Install (malicious) software
– Sniffing network traffic with ARP poisoning
– Reading passwords and hashes from memory
How to do Local Privilege Escalation?
Exploit humans: Social Engineering
Exploit applications and services: Vulnerabilities and Misconfigurations
– Bugs…
– Directories with insecure permissions
– Insecure Paths
– Race Conditions
– …..
Exploit OS: Vulnerabilities and Misconfigurations
Exploiting Vulnerable Applications and Services
3rd party applications may contain vulnerabilities too….
– If they run with system/administrator privileges
Lateral Movement
Objective: Take control of other clients, servers, IoTs
and the Active Directory Domain Controllers
A Note on Pivoting
With system privileges on the compromised client, the attacker can now access everything that the compromised client can reach
– At the Internet firewall this will be seen as outgoing HTTP(S) traffic from the client
– Any internal firewall logs or server access logs will show the IP of the client
[Figure: Internet NGFW permits outgoing HTTP; the client IP is 192.168.1.2, and that address is what IoT, Active Directory and other clients see]
15. – 16. marec 2017| Cisco Connect | Portorož, Slovenija
Lateral Movement in the Active Directory Domain
Huge Topic! A lot of information available!
Attacker hunts for vulnerabilities, misconfigurations and bad practices
Attacker wants to accumulate passwords and password hashes
Ultimate target is Domain Controller
[Figure: Domain Controller]
Internal Recon: Scanning?
Noisy scanning typically not necessary for internal recon
Attacker can just ask Active Directory politely to find out:
– What machines are in the domain?
– Which machines are the domain controllers?
– On what machines are domain admins logged on?
– Which machines run Exchange, SQL servers?
– Which machines are file servers?
– ….and much more
What is a Hash?
One-way function to convert password to hash
– For NT hash, MD4 is used
So we don’t have to store clear-text-passwords or send them over the network
Instead we use the hash to store credentials (and authenticate)
[Figure: Password → crypto stuff → Hash, e.g. “Tunafish!” → d41d8cd..]
Understanding NTLMv2
NTLMv2 is a common network authentication method in Microsoft Active Directory for network logons, file shares, web sites etc.
Client requests auth
Server sends challenge
Client sends response to challenge
Server validates (with help of Active Directory)
[Figure: Auth Request → Challenge (random no) → Response → ✔]
Understanding NTLMv2
If client sends correct response to challenge it is authenticated
Response is calculated from hash that is calculated from password
[Figure: Auth Request → Challenge (random no) → Response ✔. The response is computed (crypto stuff) from the challenge, username, timestamp and other stuff together with the hash, which is itself computed (crypto stuff) from the password]
Pass-the-Hash
If attacker has the hash, he does not need the password
He can use a modified client that supplies the hash without calculating it from password
[Figure: the same exchange, but the modified client feeds the hash directly into the response computation; the password step is crossed out (✖), yet the server still returns ✔]
Overview: Hoarding Hashes
[Flowchart: on a new compromised host, grab local hashes and grab hashes of logged in users/services → Domain Admin? N: try next host with credentials. Y: Partytime! (passwords/hashes)]
Mimikatz – Grab from LSASS
It has nothing to do with cats!
A tool run on compromised host that can (among many things) grab credentials from logged on users and services from memory
http://blog.gentilkiwi.com/mimikatz
[Figure: Mini-catz? Mimikatz reads the LSASS credentials cache (User scratchy, Password S3cret!, Hash aad3db5…) to grab hashes of logged in users/services]
Why is the Password/Hash Cached?
In Active Directory Domain, the user logs in once to his computer
… and can then access domain resources without any further logon
User-friendly! And Single-Sign-On is good for security too!
…but the client has to cache the password hash to authenticate transparently
[Figure: Scratchy logs in once; the credentials cache (User Scratchy, Password S3cret!, Hash aad3db5…) then authenticates many times to the file server, web server and NGFW security appliance]
One Possible Attack Vector
1. Email Mordiac (IT admin) that something is wrong with Scratchy’s PC
2. Wait for Mordiac to log on
3. Grab his/her credentials
[Figure: the credentials cache now also holds User Mordiac, Password TopS3cret!, Hash bdaf38d…]
Mitigating AD Lateral Movement
Must Read:
https://technet.microsoft.com/en-us/dn785092.aspx
https://www.blackhat.com/docs/us-15/materials/us-15-Metcalf-Red-Vs-Blue-Modern-Active-Directory-Attacks-Detection-And-Protection.pdf
Both papers highlight the need for containment/segmentation (also in the network)
Summarized on next slide
Detecting AD Lateral Movement with Netflow
Netflow allows for tracking East-West traffic (incl. same subnet!)
Netflow allows for long retention: Possible to go back a long time
Search for/alarm on:
– 192.168.0.0/16 to 192.168.0.0/16
– WMI/PowerShell: ports 135, 5985, 5986
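An added example (not from the slides) of the alarm described above: Python over constructed flow records that keeps only internal-to-internal flows to ports 135, 5985 and 5986, excludes an assumed allow-list of known admin jump hosts, and counts distinct destinations per source, since one client touching many hosts over WMI/WinRM is the lateral-movement shape.

```python
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("192.168.0.0/16")
# Ports from the slide: RPC endpoint mapper (WMI/DCOM) and WinRM (PowerShell remoting)
ADMIN_PORTS = {135: "RPC/WMI", 5985: "WinRM (HTTP)", 5986: "WinRM (HTTPS)"}
# Constructed: the jump host from which admins are expected to use WMI/WinRM
KNOWN_ADMIN_HOSTS = {"192.168.200.9"}

# Constructed flow records (not from the slides): src dst dport bytes
SAMPLE_FLOWS = """\
192.168.1.2 192.168.1.5 5985 4120
192.168.1.2 192.168.1.6 5985 3980
192.168.1.2 192.168.10.10 135 2210
192.168.1.2 203.0.113.50 443 58210
192.168.200.9 192.168.1.5 5985 3000
192.168.1.7 192.168.1.20 445 120000
"""


def parse_flows(text: str):
    for line in text.splitlines():
        src, dst, dport, nbytes = line.split()
        yield ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), int(nbytes)


def east_west_admin_flows(text: str, allowed=KNOWN_ADMIN_HOSTS):
    """Internal->internal flows to WMI/WinRM ports from hosts that should not be
    doing remote administration. Internet-bound and SMB flows are left alone here."""
    hits = []
    for src, dst, dport, _ in parse_flows(text):
        if src in INTERNAL and dst in INTERNAL and dport in ADMIN_PORTS and str(src) not in allowed:
            hits.append((str(src), str(dst), dport, ADMIN_PORTS[dport]))
    return hits


def fan_out(hits):
    """Distinct admin-port destinations per source; a workstation with a high count
    is the thing to alarm on."""
    targets = defaultdict(set)
    for src, dst, _, _ in hits:
        targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()}
```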
Establish Persistence
Objective: Be there, stay there…
So let’s consider Kerberos
In Greek mythology, Cerberus was the Three-headed Monster Dog that guarded the underworld.
Kerberos is the preferred authentication mechanism in Active Directory (used in Unix Environments before Microsoft adopted it).
Note that it may be difficult to fully replace NTLMv2 with Kerberos due to legacy OS, appliances etc., so most AD domains use both methods!
[Figure: Rosemary, CISO: “Monster dog?”]
So all is fine?
Kerberos is well-proven (20 years old), used in Unix environments before Microsoft adopted it
The big issue: All security depends on the master key (KRBTGT hash)!
– That typically changes very rarely, at domain functional level upgrades
If Domain Controller is compromised, it is disastrous!
Very good white paper (explaining next attack)
https://www.blackhat.com/docs/us-14/materials/us-14-Duckwall-Abusing-Microsoft-Kerberos-Sorry-You-Guys-Don't-Get-It-wp.pdf
But Hey! Our Domain Controller was compromised
So by dumping hashes Itchy (the attacker) got the KRBTGT hash!
This is like being able to print his own passport!
Now Itchy can create his own TGTs! = Golden Tickets
[Figure: Username: supercat, Groups: x, y, z, Lifetime: 10 years → crypto with the KRBTGT hash → TGT. Dumped entry: Krbtgt :$NT$e27385934250848521eda994a585b79c:::]
Persistence after Reboot
Upload executable
– exe, DLL, vbs….
Make executable run after reboot/login/scheduled
– create service
– registry: Run, RunAs, …
– startup folder
– scheduled tasks
– …
Exfiltration
Objective: Steal data
Exfiltration/Hoarding
With the domain hashes and/or the Golden Ticket the attacker can impersonate any domain user and access any file share, web server
[Figure: hoarding inside the network, exfiltration out past the defense]
Detecting Exfiltration (and Hoarding)
Traffic Patterns:
– How much?
– At what time?
– From what server?
– To what user?
Where to collect traffic patterns
– North-South
– East-West: Netflow
Key Point: Integrate Your Defenses
Avoid Silos!
Cooperation between departments:
– Security
– Network
– Desktop/Clients
– Active Directory
– IoT
– Training
– …