
It’s Cats vs. Rats in the Attack Kill Chain!

Szilard Csordas

Cisco

15–16 March 2017 | Cisco Connect | Portorož, Slovenia

The Challenge

Attackers are skilled and motivated

Attackers are engineers

Learn from others, reuse code or write your own

Test before putting in production:

– Will it bypass Anti-Virus?

– Will it bypass IPS?

– Will it bypass NGFW?

– Will it bypass Sandboxing?

There is no Silver Bullet!

It’s a Cat-and-Mouse Game!


The Target: Labrats

Manufacturing enterprise with Internet of Things run by cats

Public and Internal Servers

Clients in a Microsoft Active Directory Environment

BYOD

[Diagram: the Labrats.se network, with the defense between the Internet and the public servers, Active Directory, internal servers, clients and IoT]


The cats are the good guys. In this session a cat symbol means detection or response.

The rats are the evil intruders.


Modified Kill Chain

Note that attackers are not legally bound to follow the exact model…

– E.g. they may establish persistence before lateral movement…

Stages used in this session:

– Recon

– Gain Foothold (Attack Delivery, Exploitation)

– Local Compromise

– Command and Control

– Lateral Movement

– Establish Persistence

– Exfiltration


Reconnaissance

Business, organization….

Servers, Applications, Infrastructure

Employees

– Email addresses, organization, friends, interests….

Objective: Learn about the target

Reconnaissance: Scanning

Use (automated) scanning to find out about target’s public servers

– Operating systems, versions, vulnerabilities

– Applications, versions, vulnerabilities


Reconnaissance: Public Sources

Tech forums give detailed information on the infrastructure, e.g. a post like: “Hi, currently have an issue with PEAP and an iPad using NPS…”

Social media: friends, family, interests, email addresses, skills and technology, looking for a new job?

Public records: IP addresses, domain names


Google Hacking

Google provides a rich syntax for searching; the Google Hacking Database collects useful queries:

https://www.exploit-db.com/google-hacking-database/

Examples shown on the slide (the operators are standard Google search syntax):

– Find Excel files that are on labrats.se: site:labrats.se filetype:xls

– Find pages with the text “scratchy” that are not on the site labrats.se: scratchy -site:labrats.se


So what has Itchy (the evil rat) found out?

Tech forums:

– Scratchy (CFO) is looking for a new job. He also likes tuna fish.

– Mordiac is ex-Unix; for 6 months now he has been doing Active Directory. Clueless?

Public site:

– Found a few Excel files with macros on the Labrats public site.


Gain Foothold

Physical Attacks

Attack Public Web Servers

Attack Client

– Exploiting bugs in clients

– Social Engineering


Physical Attack – Insert a Device into the Network

Many organizations have open areas with open (wired) network access

– Lobbies, conference rooms, …

– Healthcare: all across the hospital, including patient rooms

Pwnplug: https://www.pwnieexpress.com/

Raspberry Pi 2 with Kali Linux (http://docs.kali.org/kali-on-arm/install-kali-linux-arm-raspberry-pi)


Mitigating Device Insertion

Better physical security

– Not always desirable, e.g. “we don’t want to make hospitals into prisons”

– Difficult to protect against “legitimate” visitors, consultants etc.

Network Access Control: Don’t let just anybody connect anything to the network!

– Authenticate all network access, everywhere!

– Unknown devices: no access

– Known devices: limited access


Attack Wifi Protected with Passwords

Many orgs use WPA2 Enterprise with passwords for wireless authentication

– PEAP-MSCHAPv2 with Active Directory passwords

– Dangerous even if password complexity is good and passwords are changed often!

– Spear-phishing emails enticing the user to log on to a website are one way to obtain such a password…

Itchy: “All I need is a username and a password.”


Mitigation: Time to Consider Client Certificates?

SSID = Corporate (802.1X with client certificates, i.e. EAP-TLS): no cert, no access. Sorry.

Itchy: “I know his password, I still cannot get access to the network.”


Exploiting Client Side Vulnerabilities

Use email, social media, …

Get a user to open an attachment or click on a link

… to run a vulnerable application or plugin


Attacking the Client with Executable Malware

Use email, social media, … to get a user to open an attachment

… that runs executable malware

– .exe, .msi, .vbs, .ps1, .dmg, …

– Office documents with macros (may require social engineering to have the end user enable macros)

No vulnerability needed! It is an executable file (it is supposed to execute!)


But my Anti-Virus is Updated, so I am OK?

Malware source code is freely available

– Easy to write in high-level scripting languages (Python, PowerShell, VBS)

“Write-Your-Own-Penetration-Testing-Code” tutorials, books…

Copy-paste source code for key-logging, man-in-the-browser, persistence, CnC communication…

[Diagram: a PE file made of the PE header, the original program (e.g. putty.exe) and an appended attacker payload (FEEDDEEDBEEDAEEDFEFFFF…); the AV does not know what to look for]


Before Attack: Check if the malware would get past AV

Online scanner: http://virustotal.com will share the sample with AV vendors

Other online scanners will not share samples…

Targeted attacks may use dedicated AV test systems

Test before attack. Itchy: “I can be patient. I only have to strike once.”


But we use Sandboxing, so we are OK?

Sandboxing: technology that uses dynamic analysis: the code is run inside a virtual machine and its behavior is observed

Detect potentially malicious behavior:

– network activity

– persistence (registry writes, service creation)

– spreading

– anti-debugging

– reading password files

– Key-logging

– ….

Sandboxing Example [image only on the original slide]

Malware Sandbox Detection (red pill or blue pill?)

Check machine characteristics

– registry keys, MAC address, processes, services

– check browser cache, …

– execute code that has different timing/results in VMs

– wait for 10 reboots, … for 1000 mouse-clicks…

Malware just sleeps for X hours

– the sandbox cannot keep the file for ever

– countermeasure: fast-forward the clock in the sandbox, catch the sleep() function…

– counter-countermeasure: … <insert your own>


Keeping Track of Files: Retrospection

Most files are of unknown disposition the first time we see them

– Neither known benign files nor known malware

It is possible to keep track of files (by fingerprint, e.g. SHA256 or MD5)

– In case the disposition changes at a later time (further down the attack chain)…

[Timeline: at 0 min file 256…AB is downloaded, at 2 min file CD2A…; at 20 min the disposition of 256…AB changes from “Unknown” to “Malware” (sandboxing, AV updates, machine learning…) and the earlier sightings can be acted on]
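The tracker below is an added example (not code from the talk or from any Cisco product) of what “keeping track of files” has to do in practice: record every sighting by SHA-256 while the disposition is still unknown, and when a later verdict flips a hash to malware, return every host that had the file so the responder knows where to look. Host names, paths, file bytes and timestamps are constructed for the demo. SHA-256 is used as the key rather than MD5 because MD5 collisions are practical, so two different files can share an MD5 fingerprint.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Added example: a minimal retrospection ledger keyed by SHA-256.
# Sightings are recorded even while the verdict is "unknown"; when a
# later verdict (sandbox, AV update, ML) says "malware" we can name
# every host that had the file before anyone knew it was bad.


class FileTracker:
    def __init__(self):
        self.sightings = defaultdict(list)   # sha256 -> [(time, host, path)]
        self.disposition = {}                # sha256 -> (verdict, source, time)

    def observe(self, content: bytes, host: str, path: str, when: datetime) -> str:
        """Record that `host` received/ran a file; returns its SHA-256."""
        digest = hashlib.sha256(content).hexdigest()
        self.sightings[digest].append((when, host, path))
        self.disposition.setdefault(digest, ("unknown", "first seen", when))
        return digest

    def update(self, digest: str, verdict: str, source: str, when: datetime) -> list:
        """A new verdict arrives. If the file flips to 'malware', return the
        hosts that saw it up to now: that is the retrospective alert."""
        previous = self.disposition.get(digest, ("unknown", None, None))[0]
        self.disposition[digest] = (verdict, source, when)
        if verdict == "malware" and previous != "malware":
            return sorted({host for t, host, _ in self.sightings[digest] if t <= when})
        return []

    def exposure(self, digest: str) -> list:
        """Full history for the IR handler: who had the file, where and when."""
        return sorted(self.sightings[digest])


def demo() -> dict:
    """Constructed timeline matching the slide: unknown at download time,
    reclassified as malware 20 minutes later. Hosts/paths/bytes are made up."""
    t0 = datetime(2017, 3, 15, 9, 0, 0)
    macro_xls = b"\xd0\xcf\x11\xe0" + b"constructed-macro-document"   # constructed content
    putty_exe = b"MZ" + b"constructed-benign-program"                # constructed content

    tracker = FileTracker()
    h_xls = tracker.observe(macro_xls, "labrats-pc02", r"C:\Users\scratchy\Downloads\budget.xls", t0)
    h_exe = tracker.observe(putty_exe, "labrats-pc02", r"C:\Tools\putty.exe", t0 + timedelta(minutes=2))
    tracker.observe(macro_xls, "labrats-pc07", r"C:\Users\mordiac\Downloads\budget.xls", t0 + timedelta(minutes=5))

    benign = tracker.update(h_exe, "clean", "reputation feed", t0 + timedelta(minutes=10))
    alert = tracker.update(h_xls, "malware", "sandbox verdict", t0 + timedelta(minutes=20))
    return {"sha256": h_xls, "benign_alert": benign, "retro_alert": alert,
            "exposure": tracker.exposure(h_xls)}


if __name__ == "__main__":
    result = demo()
    print("file", result["sha256"][:12], "is now malware; hosts to contain:", result["retro_alert"])
```

Retrospection is per exact hash: a repacked copy of the same malware is a new unknown, which is why the previous slide's AV-evasion point still applies and why the sightings are kept for every unknown file, not only for the ones that look suspicious.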


Mitigating Client Side Attacks!

Use state-of-art perimeter defense

– Email security

– Web security

Ensure browsers and all plugins are up-to-date

– Disable specifically dangerous plugins like Java, Flash

Client side security

– Personal FW/IPS

– Keep track of files/retrospection

Best practice: Do not let the users be local administrators

User Training

– “don’t click on everything”

Mitigation: User Training [image only on the original slide]

Command and Control (CnC)

Objective: Control the compromised client

Command and Control (CnC)

Typically uses protocols allowed outbound: HTTP, HTTPS, (SMTP, DNS)

– Even over plain HTTP the CnC traffic may still be encrypted at the application level

Multiple proxy layers (in different countries) to make blocking and law enforcement more difficult…


Malware often uses DNS to find its CnC

Malware prefers DNS!

– 91.3% of malware uses DNS*

Malware may not know the IP of its CnC server

– Dynamic IP (home computer)

– May not have compromised it yet!

[Diagram: the attacker registers evilcnc.xyz.xyz pointing to 74.63.17.18; the infected client (.18, next to client .20) queries the inside DNS server, which resolves the name via the Internet, and then calls home to evilcnc.xyz.xyz through the NGFW]

* Cisco Annual Security Report 2016, http://www.cisco.com/go/asr


CnC and DNS (Fast Flux)

Setting a short time-to-live (TTL) in the DNS response allows the attacker to change the IP/host quickly

… in case it is down, taken down or blocked

[Diagram: the client calls home to evilcnc.xyz.xyz; the answer is A 85.231.1.18 with TTL 5 min, so the next lookup can already return a different host]


CnC and Domain Generation Algorithms (DGAs)

Objective: Avoid blocking of static DNS names

The malware writer creates “his” algorithm that generates the DNS names to be requested in the future

Then registers the domain just in time

[Diagram, one name per day:

– 18 Feb: calling home to sk0s21blrp.aial33.com

– 19 Feb: attacker registers wwgs9djz.fdlsf.com → 74.63.17.20; calling home to wwgs9djz.fdlsf.com

– 20 Feb: calling home to dr3nszxvp.igdz.com

Names that have not been registered (yet) do not resolve]

Possible detections:

• Long “weird” names (high entropy)

• Negative DNS responses (NXDOMAIN)
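The following is an added example, not code from the talk, showing the two detections named above (plus the fast-flux TTL pattern from the previous slide) run over a constructed resolver log. The log format, the client addresses, the thresholds and the documentation-range IPs are all assumptions; the domain names and the 74.63.17.x / 85.231.1.18 answers are the ones on the slides. It flags clients that receive NXDOMAIN answers for long, high-entropy names, and names whose A records change while the TTL stays at or below five minutes.

```python
import math
from collections import defaultdict

# Constructed resolver log (not from the talk): time client qname qtype rcode answer ttl
DNS_LOG = """\
2017-03-15T10:00:01 192.168.1.2 evilcnc.xyz.xyz A NOERROR 85.231.1.18 300
2017-03-15T10:00:02 192.168.1.5 www.cisco.com A NOERROR 203.0.113.10 3600
2017-03-15T10:00:03 192.168.1.5 outlook.labrats.se A NOERROR 192.168.2.30 3600
2017-03-15T10:05:30 192.168.1.2 evilcnc.xyz.xyz A NOERROR 74.63.17.18 300
2017-03-15T10:06:00 192.168.1.2 sk0s21blrp.aial33.com A NXDOMAIN - -
2017-03-15T10:06:01 192.168.1.2 wwgs9djz.fdlsf.com A NOERROR 74.63.17.20 300
2017-03-15T10:06:02 192.168.1.2 dr3nszxvp.igdz.com A NXDOMAIN - -
2017-03-15T10:06:03 192.168.1.5 www.microsoft.com A NOERROR 198.51.100.20 900
2017-03-15T10:06:04 192.168.1.5 typo.labrats.se A NXDOMAIN - -
"""


def parse(log: str) -> list:
    records = []
    for line in log.strip().splitlines():
        ts, client, qname, qtype, rcode, answer, ttl = line.split()
        records.append({"ts": ts, "client": client, "qname": qname.lower().rstrip("."),
                        "qtype": qtype, "rcode": rcode, "answer": answer,
                        "ttl": int(ttl) if ttl != "-" else None})
    return records


def entropy(s: str) -> float:
    """Shannon entropy in bits per character of a label."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def dga_like(qname: str, min_len: int = 8) -> bool:
    """Heuristic for 'long weird names': the leftmost label is long and either
    very high-entropy, or fairly high-entropy and mixes digits in. Thresholds are
    assumptions tuned to the constructed log, not a vendor's."""
    label = qname.split(".")[0]
    h = entropy(label)
    has_digit = any(ch.isdigit() for ch in label)
    return len(label) >= min_len and (h >= 3.0 or (h >= 2.5 and has_digit))


def dga_clients(records: list, min_nx: int = 2) -> dict:
    """Clients receiving >= min_nx NXDOMAIN answers for DGA-looking names:
    a DGA asks for names the attacker has not registered (yet)."""
    nx = defaultdict(list)
    for r in records:
        if r["rcode"] == "NXDOMAIN" and dga_like(r["qname"]):
            nx[r["client"]].append(r["qname"])
    return {c: names for c, names in nx.items() if len(names) >= min_nx}


def fast_flux(records: list, max_ttl: int = 300, min_ips: int = 2) -> dict:
    """Names whose A answers rotate between several IPs while the TTL stays short."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for r in records:
        if r["rcode"] == "NOERROR" and r["qtype"] == "A":
            ips[r["qname"]].add(r["answer"])
            ttls[r["qname"]].append(r["ttl"])
    return {q: sorted(v) for q, v in ips.items() if len(v) >= min_ips and min(ttls[q]) <= max_ttl}


def report(log: str = DNS_LOG) -> dict:
    records = parse(log)
    return {"dga_clients": dga_clients(records), "fast_flux": fast_flux(records)}


if __name__ == "__main__":
    for kind, findings in report().items():
        print(kind, findings)
```

The entropy rule is only a heuristic: CDN and hash-derived hostnames can look just as random, which is why the example raises only on the combination with NXDOMAIN. In production it would be corroborated with the reputation sources on the next slide and with domain registration age.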


Detecting CnC: Known Bad

IPS Signatures on known bad CnC data content

IP based reputation (destination is known CnC server)

DNS based reputation (destination name is known CnC server)


Local Compromise

Objective: Get System Privileges

Privilege Escalation


Mitigating Client Attacks: Users are not Admins!

On a machine, users may have different privileges

Best Practice: Don’t let normal users have local admin/superuser privileges

LABRATS\scratchy (normal user):

– May read/write scratchy’s files

– May NOT install software, modify drivers or install a sniffer

Administrator/Superuser:

– Can do anything on the local machine: install software, modify drivers, install sniffers, read any memory location


Attackers want to become admins

Without admin rights the attacker can still read/write all of Scratchy’s files, emails etc.

But he may want to move laterally in the network (attack other machines), and that needs admin rights to:

– Install (malicious) software

– Sniff network traffic with ARP poisoning

– Read passwords and hashes from memory


How to do Local Privilege Escalation?

Exploit humans: Social Engineering

Exploit applications and services: Vulnerabilities and Misconfigurations

– Bugs…

– Directories with insecure permissions

– Insecure Paths

– Race Conditions

– …..

Exploit OS: Vulnerabilities and Misconfigurations
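An added example (not from the talk) of hunting for the second item on that list, directories with insecure permissions on a search path: it classifies each PATH entry as missing, world-writable, writable by the current account, or ok, which is the question a privilege-escalation review asks of every directory a privileged service searches for binaries or libraries. The directory layout it checks is constructed in a temporary folder; run the audit as the low-privileged account whose reach you want to measure.

```python
import os
import shutil
import stat
import tempfile

# Added example (not the talk's code): classify search-path directories the way a
# privilege-escalation hunter would. A directory that a low-privileged user can
# write to, but that a privileged process searches for executables or libraries,
# lets that user plant a binary the privileged process will run.


def classify_dir(path: str) -> str:
    """'missing'        : does not exist (whoever can write the parent can create it)
       'symlink'        : check who controls the link target
       'world-writable' : any local user can drop a file there (no sticky bit)
       'writable-by-me' : the account running this audit can write to it
       'ok'             : none of the above"""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "missing"
    if stat.S_ISLNK(st.st_mode):
        return "symlink"
    if st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
        return "world-writable"
    if os.access(path, os.W_OK):
        return "writable-by-me"
    return "ok"


def audit_search_path(path_value: str, sep: str = os.pathsep) -> dict:
    """Map every entry of a PATH-style string to its classification."""
    return {entry: classify_dir(entry) for entry in path_value.split(sep) if entry}


def demo() -> dict:
    """Builds a constructed layout so the audit runs offline:
    a vendor 'tools' dir left at 777, a sane 'bin' dir, and a stale entry."""
    root = tempfile.mkdtemp(prefix="pathaudit-")
    try:
        loose = os.path.join(root, "tools")
        tight = os.path.join(root, "bin")
        gone = os.path.join(root, "old-agent")      # referenced but never created
        os.mkdir(loose); os.chmod(loose, 0o777)      # explicit chmod: mkdir honours umask
        os.mkdir(tight); os.chmod(tight, 0o755)
        return audit_search_path(os.pathsep.join([loose, tight, gone]))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    # Audit the real PATH of the account you are running as, then the demo layout.
    for entry, verdict in audit_search_path(os.environ.get("PATH", "")).items():
        print(f"{verdict:15} {entry}")
    print(demo())
```

On Windows the same question is asked of unquoted service paths and of the directories a service searches for DLLs; the permission check then goes through the NTFS ACL rather than the mode bits, but the classification is the same.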


Exploiting Vulnerable Applications and Services

3rd-party applications may contain vulnerabilities too…

– If they run with system/administrator privileges, exploiting such a bug hands the attacker those privileges


Lateral Movement

Objective: Take control of other clients, servers, IoT devices and the Active Directory Domain Controllers


A Note on Pivoting

With system privileges on the compromised client, the attacker can now access everything that the compromised client can reach

– At the Internet firewall this will be seen as outgoing HTTP(S) traffic from the client

– Any internal firewall logs or server access logs will show the IP of the client

[Diagram: the NGFW permits outgoing HTTP from the client, whose IP is 192.168.1.2; from that address the attacker reaches IoT, Active Directory and the other clients]


Lateral Movement in the Active Directory Domain

Huge Topic! A lot of information available!

Attacker hunts for vulnerabilities, misconfigurations and bad practices

Attacker wants to accumulate passwords and password hashes

Ultimate target is Domain Controller


Internal Recon: Scanning?

Noisy scanning is typically not necessary for internal recon

The attacker can just ask Active Directory politely to find out:

– What machines are in the domain?

– Which machines are the domain controllers?

– On what machines are domain admins logged on?

– Which machines run Exchange, SQL servers?

– Which machines are file servers?

– ….and much more


What is a Hash?

A one-way function converts the password into a hash

– For the NT hash, MD4 is used (over the UTF-16LE encoding of the password)

So we don’t have to store clear-text passwords or send them over the network

Instead we use the hash to store credentials (and to authenticate)

[Diagram: Password → crypto stuff → Hash, e.g. “Tunafish!” → d41d8cd…]


Understanding NTLMv2

NTLMv2 is a common network authentication method in Microsoft Active Directory for network logons, file shares, web sites etc.

– Client requests authentication

– Server sends a challenge (random number)

– Client sends the response to the challenge

– Server validates it (with the help of Active Directory) ✔


Understanding NTLMv2

If the client sends the correct response to the challenge, it is authenticated

The response is calculated from the hash, which in turn is calculated from the password

[Diagram: Password → crypto stuff → Hash; Hash + Username + Timestamp + other stuff + Challenge (random no) → crypto stuff → Response]


Pass-the-Hash

If the attacker has the hash, he does not need the password

He can use a modified client that supplies the hash directly instead of calculating it from the password

[Diagram: the Password → Hash step is crossed out ✖; Hash + Username + Timestamp + other stuff + Challenge (random no) → crypto stuff → Response, exactly as before]
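To make the three slides above concrete, here is an added example (not the author's code; written from the MS-NLMP specification) that computes the NT hash (MD4 over the UTF-16LE password), builds an NTLMv2 response from it, and verifies it the way a server does. The user, domain, challenges, timestamp and AV pairs are constructed; the demo uses the password “password” rather than the slide's “S3cret!” because its NT hash (8846f7ea…) is a widely published test value that can be pasted in as the “dumped” hash. The point of the demo is that the client side never touches the password once the hash is known.

```python
import hmac
import struct
from hashlib import md5

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320. Pure Python because hashlib.new("md4") is missing on
    builds whose OpenSSL has the legacy provider disabled; only used for the NT hash."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, range(16), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, order, shifts in rounds:
            for i, j in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[j] + k) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). Unsalted, so it is reusable as-is."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """MS-NLMP NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), md5).digest()


def target_info(domain: str, server: str) -> bytes:
    """AV_PAIR list as sent in the CHALLENGE message (NbDomainName, NbComputerName, EOL)."""
    def pair(av_id, text):
        v = text.encode("utf-16-le")
        return struct.pack("<HH", av_id, len(v)) + v
    return pair(2, domain) + pair(1, server) + struct.pack("<HH", 0, 0)


def ntlmv2_response(nt, user, domain, server_challenge, client_challenge, timestamp, av):
    """The 'Response' box on the slide: NTProofStr || blob. Needs the NT hash only."""
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + av + b"\x00" * 4)
    proof = hmac.new(ntowf_v2(nt, user, domain), server_challenge + blob, md5).digest()
    return proof + blob


def server_verify(nt, user, domain, server_challenge, response) -> bool:
    """What the DC does for the server: recompute the proof from the stored NT hash."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(nt, user, domain), server_challenge + blob, md5).digest()
    return hmac.compare_digest(proof, expected)


def demo() -> dict:
    user, domain = "scratchy", "LABRATS"
    srv_chal = bytes.fromhex("0123456789abcdef")   # constructed server nonce
    cli_chal = bytes.fromhex("feedbeefcafef00d")   # constructed client nonce
    ts = 131338800000000000                        # constructed FILETIME (100 ns ticks since 1601)
    av = target_info(domain, "FILESRV01")          # constructed server name
    # Legitimate client: derives the hash from the password it was given.
    legit = ntlmv2_response(nt_hash("password"), user, domain, srv_chal, cli_chal, ts, av)
    # Attacker: only has the 16-byte hash dumped from LSASS, never learns the password.
    stolen = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
    pth = ntlmv2_response(stolen, user, domain, srv_chal, cli_chal, ts, av)
    return {
        "same_response": legit == pth,
        "accepted": server_verify(stolen, user, domain, srv_chal, pth),
        "wrong_hash_rejected": not server_verify(nt_hash("Tunafish!"), user, domain, srv_chal, pth),
    }


if __name__ == "__main__":
    print(demo())
```

The server-side check shows why the hash is as good as the password: the DC itself only holds the NT hash, so anything the real client can prove with the password, a client holding the hash can prove too. The challenge stops replay of an old response, not reuse of the hash.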


Overview: Hoarding Hashes

On a newly compromised host:

– Grab local hashes

– Grab hashes of logged-in users/services

Is a domain admin among the collected passwords/hashes?

– N: try the next host with the collected credentials, and repeat

– Y: Partytime!


Mimikatz – Grab from LSASS

It has nothing to do with cats! (Mini-catz?)

A tool run on the compromised host that can (among many other things) grab the credentials of logged-on users and services from memory, i.e. from the LSASS credentials cache

http://blog.gentilkiwi.com/mimikatz

User / Password / Hash: scratchy / S3cret! / aad3db5…


Why is the Password/Hash Cached?

In an Active Directory domain, the user logs in once to his computer

… and can then access domain resources (file server, web server, NGFW, security appliance) without any further logon

User-friendly! And Single Sign-On is good for security too!

… but the client has to cache the hash of the password to authenticate transparently, many times

[Diagram: Scratchy logs in once; the credentials cache holds User / Password / Hash: Scratchy / S3cret! / aad3db5…]


One Possible Attack Vector

1. Email Mordiac (the IT admin) that something is wrong with Scratchy’s PC

2. Wait for Mordiac to log on

3. Grab his/her credentials from the credentials cache

User / Password / Hash: Mordiac / TopS3cret! / bdaf38d…


Mitigating AD Lateral Movement

Must read:

– https://technet.microsoft.com/en-us/dn785092.aspx

– https://www.blackhat.com/docs/us-15/materials/us-15-Metcalf-Red-Vs-Blue-Modern-Active-Directory-Attacks-Detection-And-Protection.pdf

Both papers highlight the need for containment/segmentation (also in the network)

Summarized on the next slide


Detecting AD Lateral Movement with Netflow

NetFlow allows tracking East-West traffic (incl. within the same subnet, provided flows are exported from the access switches and not only at the perimeter)

NetFlow allows long retention: it is possible to go back a long time

Search for / alarm on:

– 192.168.0.0/16 to 192.168.0.0/16 on the WMI/PowerShell remoting ports: 135, 5985, 5986


Establish Persistence

Objective: Be there, stay there…

So let’s consider Kerberos

In Greek mythology, Cerberus was the three-headed monster dog that guarded the underworld.

Kerberos is the preferred authentication mechanism in Active Directory (used in Unix environments before Microsoft adopted it).

Note that it may be difficult to fully replace NTLMv2 with Kerberos due to legacy OS, appliances etc., so most AD domains use both methods!

Rosemary (CISO): “Monster dog?”


So all is fine?

Kerberos is well-proven (it dates from the late 1980s) and was used in Unix environments before Microsoft adopted it

The big issue: all security depends on the master key (the hash of the KRBTGT account)!

– That typically changes very rarely, e.g. at domain functional level upgrades

If a Domain Controller is compromised, it is disastrous!

Very good white paper (explaining the next attack):

https://www.blackhat.com/docs/us-14/materials/us-14-Duckwall-Abusing-Microsoft-Kerberos-Sorry-You-Guys-Don't-Get-It-wp.pdf


But Hey! Our Domain Controller was compromised

So by dumping the hashes Itchy (the attacker) got the KRBTGT hash!

This is like being able to print his own passports!

Now Itchy can create his own TGTs = Golden Tickets

[Diagram: a TGT encrypted with the KRBTGT hash, containing Username: supercat, Groups: x, y, z, Lifetime: 10 years]

Dumped line: krbtgt:$NT$e27385934250848521eda994a585b79c:::


Persistence after Reboot

Upload executable

– exe, DLL, vbs….

Make executable run after reboot/login/scheduled

– create service

– registry: Run, RunOnce, …

– startup folder

– scheduled tasks

– …………….


Exfiltration

Objective: Steal data

Exfiltration/Hoarding

With the domain hashes and/or the Golden Ticket the attacker can impersonate any domain user and access any file share or web server

[Diagram: hoarding of data inside the network, then exfiltration out past the defense]

Detecting Exfiltration (and Hoarding)

Traffic Patterns:

– How much?

– At what time?

– From what server?

– To what user?

Where to collect traffic patterns

– North-South

– East-West: Netflow
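An added example (not from the talk) covering both the lateral-movement search on the earlier NetFlow slide and the exfiltration/hoarding patterns listed here. It runs over a constructed flow export (the CSV layout, addresses, byte counts and thresholds are assumptions; the 192.168.0.0/16 range and the 135/5985/5986 ports are the slide's). It reports east-west flows to WMI/WinRM ports and sources fanning out to several hosts, clients pulling unusually large volumes from internal servers (hoarding), and internal sources pushing large or after-hours volumes to the Internet.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SITE = ipaddress.ip_network("192.168.0.0/16")            # the range the slide searches on
ADMIN_PORTS = {135: "RPC/DCOM (WMI)", 5985: "WinRM http", 5986: "WinRM https"}

# Constructed NetFlow-style export (not from the talk): start,src,dst,proto,dport,bytes
FLOWS = """\
start,src,dst,proto,dport,bytes
2017-03-15T09:12:01,192.168.1.2,192.168.1.10,tcp,135,8120
2017-03-15T09:12:05,192.168.1.2,192.168.1.11,tcp,5985,22000
2017-03-15T09:12:09,192.168.1.2,192.168.1.12,tcp,5985,21800
2017-03-15T09:30:00,192.168.1.5,192.168.2.20,tcp,445,150000
2017-03-15T10:05:00,192.168.1.5,203.0.113.7,tcp,443,300000
2017-03-15T01:50:00,192.168.2.20,192.168.1.2,tcp,51234,2500000000
2017-03-15T02:10:00,192.168.1.2,203.0.113.50,tcp,443,4200000
2017-03-15T02:40:00,192.168.1.2,203.0.113.50,tcp,443,4100000
"""


def internal(ip) -> bool:
    return any(ip in net for net in RFC1918)


def parse_flows(text: str) -> list:
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    flows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        rec["start"] = datetime.fromisoformat(rec["start"])
        rec["src"], rec["dst"] = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        rec["dport"], rec["bytes"] = int(rec["dport"]), int(rec["bytes"])
        flows.append(rec)
    return flows


def lateral_movement(flows: list, fanout: int = 3):
    """Site-internal flows to WMI/WinRM ports, and sources reaching >= fanout hosts on them."""
    hits = [f for f in flows if f["src"] in SITE and f["dst"] in SITE and f["dport"] in ADMIN_PORTS]
    targets = defaultdict(set)
    for f in hits:
        targets[str(f["src"])].add(str(f["dst"]))
    return hits, {src for src, dsts in targets.items() if len(dsts) >= fanout}


def hoarding(flows: list, min_bytes: int = 1_000_000_000) -> dict:
    """Internal hosts receiving an unusual volume from other internal hosts (collection before exfil)."""
    pulled = defaultdict(int)
    for f in flows:
        if internal(f["src"]) and internal(f["dst"]):
            pulled[str(f["dst"])] += f["bytes"]
    return {host: b for host, b in pulled.items() if b >= min_bytes}


def exfiltration(flows: list, max_bytes: int = 5_000_000, office_hours=range(7, 19)) -> dict:
    """Per internal source: bytes sent to non-RFC1918 destinations, flagged when
    above the baseline or when the after-hours share alone exceeds a tenth of it."""
    total, after_hours = defaultdict(int), defaultdict(int)
    for f in flows:
        if internal(f["src"]) and not internal(f["dst"]):
            total[str(f["src"])] += f["bytes"]
            if f["start"].hour not in office_hours:
                after_hours[str(f["src"])] += f["bytes"]
    return {s: {"bytes": total[s], "after_hours": after_hours[s]} for s in total
            if total[s] > max_bytes or after_hours[s] > max_bytes // 10}


def report(text: str = FLOWS) -> dict:
    flows = parse_flows(text)
    hits, scanners = lateral_movement(flows)
    return {"admin_port_flows": [(str(f["src"]), str(f["dst"]), f["dport"]) for f in hits],
            "fanout_sources": scanners, "hoarding": hoarding(flows), "exfiltration": exfiltration(flows)}


if __name__ == "__main__":
    for kind, findings in report().items():
        print(kind, findings)
```

Two practitioner caveats: NetFlow carries no user identity, so the “to what user?” question needs the client IP correlated with AD logon events from the same time window; and SMB/445 is deliberately not in the admin-port list, because ordinary file-share use would bury the signal, so pass-the-hash over SMB is better caught by the hoarding and fan-out checks than by port alone.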


Key Point: Integrate Your Defenses

Avoid Silos!

Cooperation between departments:

– Security

– Network

– Desktop/Clients

– Active Directory

– IoT

– Training

– …
