offensive technologies fall 2017
TRANSCRIPT
27/09/17
1
Offensive Technologies Fall 2017
Lecture 1 - Intrusion
Fabio Massacci
27/09/17 Fabio Massacci - Offensive Technologies 1
Course Objective
• Offensive (IT) technologies are
– a permanent characteristic of a technological society.
– Due to the very same "features" that make our society advanced.
• The purpose of the course is to give students
– a hands-on approach to understand the main technological drivers behind security attacks
– A better understanding of attacks so that we could better identify methods to defend ourselves
• Offensive technologies are a dangerous tool → "with great powers come great responsibility"
Ethical Issues
Reminder
Ethical Acceptance
• You are bound by the terms and conditions of this course
– You try offensive technologies only in the lab
– You are not allowed to disclose information about any individual that you find during the analysis
– Your final deliverable, as approved by the professor, is the only public deliverable you are allowed to disclose to third parties
• Any use outside the agreed framework of the course may be penally relevant (i.e. a crime)
– Everything is isolated from the rest of the infrastructure → you must deliberately exfiltrate material → cannot claim that it "happened by mistake"
– The same considerations apply if you give material to other students who have not signed the agreement → aiding and abetting = same penal responsibility as if you did it yourself.
What Prosecutors can do
• You did some "innocent prank"
– plus tweeted "I'm going to destroy America and dig up Marilyn Monroe"
• They can give you a slap on the wrist
– Assuming your "prank" was really "innocent"…
• They can also give you really, but really really hard times,
– Charging "Aggravated Theft" or "Assault with danger to people" or
– "Organized Crime" or/and
  • Exchanged email with somebody
– "Collusion with foreign powers" or/and
  • This somebody is not of the right nationality
– "Terrorism"
  • Possibly planning disruptive actions
• A good lawyer can take you out of jail BUT in the meanwhile
– They send you to a security prison without bail
• Don't think "This can happen in Uzbekistan but not <here>"
– Where <here> in {US, IT, FR, DE, etc. etc.}
Why are they going to do it?
• True discussion with a (former) Judge from the Italian Supreme Court
– IF a prosecutor wants to investigate a computer crime (e.g. your "prank") s/he needs access to emails/internet traces etc. etc.
– BUT email is protected (this is not North Korea after all)
– UNLESS there is a very serious crime going on
– SO the prosecutor claims "this is a very serious crime (eg Organized Crime)"
– THEN the judge grants access to your emails (they write to Google and Google gives them everything about your life)
– OBVIOUSLY during the trial all accusations will fail as you have just done a prank (anyhow you need to pay a good lawyer, technical counsel)
– HENCE the Prosecutor's conscience is clean: no innocent people will finally be unjustly condemned whilst he can investigate the bad guys
• Side Effects…
– WISELY "charges of serious crimes" go hand in hand with measures limiting offenders (eg you won't let a mafioso go around and kill more people)
– BUT NOW you are charged with the same crimes as the dangerous mafioso…
– SO police sends you to a security prison without bail as a potential offender...
You don't believe it, do you?
• Leigh, from Coventry, and Emily, 24, from Birmingham, were then quizzed for five hours at LAX before they were handcuffed and put into a van with illegal immigrants and locked up overnight.
– "When we arrived at the prison I was shoved in a cell on my own but after an hour two huge Mexican men covered in tattoos came in and started asking me who I was.
– 'They told me they'd been arrested for taking cocaine over the border.
– 'When the food arrived on the tray they took it all and just left me with a carton of apple juice.'"
• They spent 12 hours in separate holding cells before being driven back to the airport where they were put on a plane home via Paris.
Why OffTechs are here to stay
Four questions to better understand the modern context
Do you trust these organisations?
• S-TRUST Authentication and Encryption Root
– Deutscher Sparkassen Verlag GmbH, Stuttgart, Baden-Wuerttemberg (DE)
• NetLock Kozjegyzoi Tanusitvanykiado
– Tanusitvanykiadok, NetLock Halozatbiztonsagi Kft., Budapest, Hungary
• TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
– Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. ANKARA, Turkey
• CA 沃通根证书
– WoSign CA Limited, China
• To guarantee that a website is really what it claims to be?
So, what's that?
• It is just some websites without any trouble
• just pictures, videos, and text
What's this?
• ONE web page
– Plenty of ads
• Process
– We DON'T look at the ads
– Only click on mail
• And download the program of the infosec conference
What's this?
• ONE PDF file, essentially an image
• What happens if we open it?
– Nothing
– Acrobat Reader shows the image on the monitor
What's this?
• A photocopier
• A printer
• You send a file, and it prints
What really is this? Just like that!
• Xerox computer to just print a file: Intel Celeron - 733 MHz - 128 MB
• NASA computer to land Apollo 16 on the Moon: AGC - 1 MHz - 4 KB RAM
What really is this?
• That's a program containing
– at least 1682 instructions
• What happens when we open it?
– All instructions are executed
– Not necessarily true that the result is displayed
• PDF language is Turing Complete
– ANY function can be written in PDF language
– Opening a PDF file can seamlessly display an image and simultaneously solve Fermat's little theorem
What really is this?
• When we type www.libero.it on the browser, YOUR computer will:
• Execute
– 186 local functions
– 15 functions from external sites
• Aggregate static contents from
– 676 websites of which
– 370 external websites
– 193 maybe just images
• Aggregate dynamic content from
– 8 advertisers (at least)
• Are all of these actions "good" ones?
Cyber life is never what it seems - UK
• What it REALLY is
• It is ONE website without any trouble, just picture and text
• 12 web trackers for advertising
• 72 javascript snips executed by your browser while you load it
• More than 100 references to different sites, some of them executing code
– http://player.ooyala.com
– http://widget.cloud.opta.net
– Some of them dynamically created on the fly e.g. by b.scorecardresearch.com
• >100 errors/warnings in processing
• How can you tell what's good, what's bad?
Cyber life is never what it seems - US
• What it REALLY is
• It is ONE website without any trouble, just picture and text
• 8 web trackers for advertising
• 122 javascript snips executed by your browser before you see anything
• More than 500 references to external sites, many executing code
– Garretn-cdn.com
– Brightcove.com
– Tags.tiqcdn.com
• >164 errors/warnings processing the web page
• How can you tell good from bad?
• And I didn't load Flash, sorry…
Cyber life is never what it seems - NL
• What it REALLY is
• It is ONE website without any trouble, just picture and text
• 13 web trackers for advertising
• 207 javascript snips executed by your browser before you see anything!
• >200 references to different sites, some of them executing code
– Easypoll
– Hotjar
– Tiq
• >100 errors/warnings in processing the web page
• How can you tell good vs bad?
• And they wanted me to disable the adblocker! Sorry mates…
Who trusts these? Everybody.
• S-TRUST Authentication and Encryption Root
– Deutscher Sparkassen Verlag GmbH, Stuttgart, Baden-Wuerttemberg (DE)
• NetLock Kozjegyzoi Tanusitvanykiado
– Tanusitvanykiadok, NetLock Halozatbiztonsagi Kft., Budapest, Hungary
• TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
– Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. ANKARA, Turkey
• 沃通根证书
– WoSign CA Limited, China
Are they reliable?
• Read
– Axel Arnbak, Hadi Asghari, Michel Van Eeten, and Nico Van Eijk, "Security Collapse in the HTTPS Market". Communications of the ACM 57, no. 10 (2014): 47-55.
– http://queue.acm.org/detail.cfm?id=2673311
• Or Listen to
– https://www.youtube.com/watch?v=uTWqV47QZZw#action=share
Why are OffTech There to Stay?
• Our systems are beyond over-provisioned for the tasks we use them for
– The right image is a parent, with the driving license for a Fiat 500, bringing the kids to the elementary school two blocks down the road by taxiing an Airbus A340
• Being very complex systems, it is possible that they have bugs
– Remember Rice's theorem
• And there will always be some people who will make it their personal priority to make such bugs happen in other people's computers.
Offensive Approaches
Targeted Attack
• Reconnaissance
• Scanning surface
• Gaining access
– Somebody lets you in
– Break through
• Maintaining access
• Covering tracks
Untargeted Attack
• …
• Distributing traps
• Gaining access
– Somebody lets you in
– Break through
• Maintaining access
• Covering tracks
Targeted Attacks
Reconnaissance and Scanning
Phase 1: Reconnaissance
• Learn information about the intended target:
– How its network is organized
– Any specifics about OS and applications running
– Any potential information about users
• Physical Gathering
– Very human intensive, high risk of being caught, valuable
• Social Web Gathering
– Human intensive, no risk of being caught, potentially valuable
• Technical Web Gathering
– Fully automated, some traces may be left in logs, technical value depends on target
"Physical" Reconnaissance
• Social engineering
– Call employees and ask details → Instruct the employees not to divulge sensitive information on the phone
  • Sometimes very difficult as your business purpose may be actually to give information (eg Apple's helpdesk attack)
• Physical break-in
– Tailgating → Insist on using badges for access, everyone must have a badge, lock sensitive equipment
– Shoulder surfing, cleaning lady attacks → Clean desk policy
– How about wireless access?
• Dumpster diving
– or collect receipt left by previous customer → Shred important documents
"Social Web" Reconnaissance
• Search organization's website
– Employee may post something sensitive (thinking it is transient or not accessible)
– Beware of mailer logs and transient links (search engines might pick them up)
• Search various mailing list archives and interest groups
– Employees may not post info on themselves as employee but private information might be a clue
• Search Web to find all documents mentioning company X
– Find out what is posted about you
Internet is Forever
• Context:
– Prof Fabio and Dept Assistant Mirta are looking for CS alumni to invite to the Alumni Event (2017/09/27). Searched the internet with Alice's Name
• Dialogue for Fabio and Mirta to see
– Alice: I can do everything darling... You know I'm on school trip to X in march? See, if you went to university in X instead of Y… [smile]
  • (DD Month YY at hours H:MM)
– Bob: these guys bouncing back these things to me, tse… I'm fine where I am darling!!! u_u
– Alice: pff... -.-" cool down my sweet husband! Is is so funny to tease you!! =) come on, now I'm going to bed!!!!!!!!! Night night!... big kiss!
– Bob: night [smile] a hard hard kiss [heart]
  • DD Month YY at hours HH:MM + 10 minutes
• What do we know now?
– Bob Years can be a good password candidate,
– Can we send Alice an image with name "School_Trip_X_March_YY.jpg" from eg a friend's name misspelled? Would this be a credible email?
"Technical" Gathering
• Look at the plumbing of the internet
– Whois/ARIN
– DNS
• Look at the plumbing of the company
– Scan the network
– Probe the firewall (firewalking)
– Probe the individual machines
Whois and ARIN Databases
• When an organization acquires a domain name it provides information to a registrar
• Public registrar files contain:
– Registered domain names
– Domain name servers
– Contact people names, phone numbers, E-mail addresses
– http://www.networksolutions.com/whois/
• ARIN database
– Range of IP addresses
– http://whois.arin.net/ui/
Domain Name System
• What does DNS do?
• How does DNS work?
• Types of information an attacker can gather:
– Range of addresses used
– Address of a mail server
– Address of a web server
– OS information
– Comments
• Several types of queries (A, CH, HS, MX, SRV, etc.)
Interrogating DNS – Zone Transfer
$ nslookup
Default server: evil.attacker.com
Address: 10.11.12.13
> server 1.2.3.4
Default server: dns.victimsite.com
Address: 1.2.3.4
> set type=any
> ls -d victimsite.com
system1  1D IN A      1.2.2.1
         1D IN HINFO  "Solaris 2.6 Mailserver"
         1D IN MX     10 mail1
web      1D IN A      1.2.11.27
         1D IN HINFO  "NT4 www"
Sample Strategy
• whois massacci.org
• whois unisi.it
• [email protected]
• [email protected]
Protecting DNS
• Provide only necessary information
– No OS info and no comments
• Restrict zone transfers
– Allow only a few necessary hosts
• Use split-horizon DNS
[Figure: split-horizon DNS, with an Internal DNS serving Employees (Internal DB) and an External DNS serving External users (Web server, Mail server).]
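A defender's check for the zone-transfer listing and the "Protecting DNS" rule above ("no OS info and no comments"), added here as an example and not part of the lecture: it parses an ls -d style listing and flags the HINFO and TXT records that give away OS details or free-text comments. The sample zone is constructed; the mail1 lines are assumed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the format of the nslookup "ls -d" listing
# (owner, TTL, class, type, data); a blank owner continues the previous one.
SAMPLE_ZONE = """\
system1  1D IN A      1.2.2.1
         1D IN HINFO  "Solaris 2.6 Mailserver"
         1D IN MX     10 mail1
web      1D IN A      1.2.11.27
         1D IN HINFO  "NT4 www"
mail1    1D IN A      1.2.2.2
         1D IN TXT    "contact: admin x1234, rack 3, patched 2017-09"
"""

RECORD_RE = re.compile(r'^(\S*)\s+(\S+)\s+IN\s+(\S+)\s+(.*)$')

def parse_zone(text: str) -> List[Dict[str, str]]:
    """Parse the listing into records; owner-less lines inherit the last owner."""
    records, owner = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError(f"unparsable record: {line!r}")
        name, ttl, rtype, rdata = m.groups()
        owner = name or owner
        records.append({"owner": owner, "ttl": ttl, "type": rtype, "rdata": rdata})
    return records

# Record types that carry no service information and only help an attacker
# fingerprint hosts: HINFO (hardware/OS) and TXT used as comments.
LEAKY_TYPES = {"HINFO", "TXT"}

def find_leaks(records: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (owner, type, rdata) for every record that should be removed."""
    return [(r["owner"], r["type"], r["rdata"])
            for r in records if r["type"] in LEAKY_TYPES]

if __name__ == "__main__":
    for owner, rtype, rdata in find_leaks(parse_zone(SAMPLE_ZONE)):
        print(f"remove {rtype:5} on {owner}: {rdata}")
```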
At The End Of Reconnaissance
• Attacker has
– a list of IP addresses assigned to the target network
– some administrative information about the target network
– Names of individuals!
– few "live" addresses
– some idea about functionalities of target computers
• Tools
– integrate Whois, ARIN, DNS interrogation and many more services:
– Applications
– Web-based portals
  • http://www.network-tools.com
Phase 2: Scanning
• Detecting information useful for break-in
– Live machines
– Network topology
– Firewall configuration
– Applications and OS types
– Vulnerabilities
Network Mapping
• Finding live hosts
– Ping sweep
– TCP SYN sweep
• Map network topology
– Traceroute
  • Sends out ICMP or UDP packets with increasing TTL
  • Gets back ICMP_TIME_EXCEEDED message from intermediate routers
Traceroute
[Figure: host A, routers R1, R2, R3, and hosts www and db in victim.com]
1. ICMP_ECHO to www.victim.com TTL=1
1a. ICMP_TIME_EXCEEDED from R1
A: R1 is my first hop to www.victim.com!
Traceroute
[Figure: host A, routers R1, R2, R3, and hosts www and db in victim.com]
2. ICMP_ECHO to www.victim.com TTL=2
2a. ICMP_TIME_EXCEEDED from R2
A: R1-R2 is my path to www.victim.com!
Traceroute
[Figure: host A, routers R1, R2, R3, and hosts www and db in victim.com]
3. ICMP_ECHO to www.victim.com TTL=3
3a. ICMP_TIME_EXCEEDED from R3
A: R1-R2-R3 is my path to www.victim.com!
Traceroute
[Figure: host A, routers R1, R2, R3, and hosts www and db in victim.com]
4. ICMP_ECHO to www.victim.com TTL=4
4a. ICMP_REPLY from www.victim.com
A: R1-R2-R3-www is my path to www.victim.com
Traceroute
[Figure: host A, routers R1, R2, R3, and hosts www and db in victim.com]
Repeat for db and mail servers
A: R1-R2-R3-www is my path to www.victim.com
R1-R2-R3-db is my path to db.victim.com
R1-R2-R3-mail is my path to mail.victim.com
→ Victim network is a star with R3 at the center
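The TTL-probing sequence of the slides above, simulated end to end as an added example (not code from the lecture): a constructed topology forwards probes hop by hop, the probing host repeats with TTL = 1, 2, ... until it gets a reply, and the paths to www, db and mail are then merged to find the shared router, which is the "star with R3 at the center" conclusion. The topology and host names are assumed.

```python
from typing import Dict, List, Optional, Tuple

# Constructed topology matching the slides: A -> R1 -> R2 -> R3 -> {www, db, mail}.
# NEXT_HOP[node][destination] is the node the packet is forwarded to.
NEXT_HOP: Dict[str, Dict[str, str]] = {
    "A":  {"www": "R1", "db": "R1", "mail": "R1"},
    "R1": {"www": "R2", "db": "R2", "mail": "R2"},
    "R2": {"www": "R3", "db": "R3", "mail": "R3"},
    "R3": {"www": "www", "db": "db", "mail": "mail"},
}

def send_probe(src: str, dst: str, ttl: int) -> Tuple[str, str]:
    """Forward one ICMP_ECHO hop by hop; each router decrements the TTL.
    Returns ("TIME_EXCEEDED", router) when the TTL hits zero, else ("REPLY", dst)."""
    node = src
    while True:
        node = NEXT_HOP[node][dst]
        if node == dst:
            return "REPLY", node           # destination answers the echo
        ttl -= 1
        if ttl == 0:
            return "TIME_EXCEEDED", node   # router reports itself to the source

def traceroute(src: str, dst: str, max_ttl: int = 30) -> List[str]:
    """Probe with TTL 1, 2, ... and record who answered at each hop."""
    path: List[str] = []
    for ttl in range(1, max_ttl + 1):
        kind, who = send_probe(src, dst, ttl)
        path.append(who)
        if kind == "REPLY":
            break
    return path

def star_center(paths: List[List[str]]) -> Optional[str]:
    """Last router common to every path (the hub), None if there is none."""
    prefix = paths[0][:-1]                 # routers only, drop the end host
    for p in paths[1:]:
        n = 0
        while n < min(len(prefix), len(p) - 1) and prefix[n] == p[n]:
            n += 1
        prefix = prefix[:n]
    return prefix[-1] if prefix else None

if __name__ == "__main__":
    paths = [traceroute("A", t) for t in ("www", "db", "mail")]
    print(paths, "hub:", star_center(paths))
```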
Network Mapping Tools
• Cheops
– Linux application
– http://cheops-ng.sourceforge.net/
– Automatically performs ping sweep and network mapping and displays results in a GUI
Defenses Against Network Mapping And Scanning
• Filter out outgoing ICMP traffic
– Maybe allow for your ISP only
• Use Network Address Translation (NAT)
[Figure: a NAT box with public address 1.2.3.4 in front of internal hosts A, B, C, D on 192.168.0.0/16. An external host 8.9.10.11 sends "Request 1.2.3.4"; the NAT box forwards it inside as "Request 192.168.13.73"; the internal host answers "Reply 192.168.13.73"; the NAT box rewrites it to "Reply 1.2.3.4".]
How NATs Work
• For internal hosts to go out
– B sends traffic to www.google.com
– NAT modifies the IP header of this traffic
  • Source IP: B → NAT
  • Source port: B's chosen port Y → random port X
– NAT remembers that whatever comes for it on port X should go to B on port Y
– Google replies, NAT modifies the IP header
  • Destination IP: NAT → B
  • Destination port: X → Y
How NATs Work
• Advertise your web server A at NAT's address (1.2.3.4 and port 80)
• NAT remembers that whatever comes for it on port 80 should go to A on port 80
– External clients send traffic to 1.2.3.4:80
– NAT modifies the IP header of this traffic
  • Destination IP: NAT → A
  • Destination port: NAT's port 80 → A's service port 80
– A replies, NAT modifies the IP header
  • Source IP: A → NAT
  • Source port: 80 → 80
How NATs Work
• What if you have another Web server C
– You advertise your web server C at NAT's address (1.2.3.4 and port 55) – not a standard Web server port, so clients must know to talk to a different port
– NAT remembers that whatever comes for it on port 55 should go to C on port 80
– External clients send traffic to 1.2.3.4:55
– NAT modifies the IP header of this traffic
  • Destination IP: NAT → C
  • Destination port: NAT's port 55 → C's service port 80
– C replies, NAT modifies the IP header
  • Source IP: C → NAT, source port: 80 → 55
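The three "How NATs Work" slides above as one small simulation, added here as an example and not code from the lecture: a NAT box with a public address, static forwards for the advertised servers (port 80 to A, port 55 to C) and a dynamic mapping created when an internal host goes out; it rewrites both directions and drops inbound packets with no table entry. The addresses are constructed and the table is keyed on the NAT port only (a simplification; real NATs usually also record the remote endpoint).

```python
import random
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Nat:
    """Public address plus a table: NAT port -> (internal ip, internal port)."""

    def __init__(self, public_ip: str, forwards: Dict[int, Tuple[str, int]], seed: int = 1):
        self.public_ip = public_ip
        self.table: Dict[int, Tuple[str, int]] = dict(forwards)   # static entries
        self.rng = random.Random(seed)                            # picks "random port X"

    def outbound(self, pkt: Packet) -> Packet:
        """Internal host sends out: source B:Y becomes NAT:X, and X -> (B, Y) is remembered.
        An advertised server replying reuses its static entry (A:80 -> NAT:80, C:80 -> NAT:55)."""
        internal = (pkt.src_ip, pkt.src_port)
        for x, who in self.table.items():
            if who == internal:
                break
        else:
            x = self.rng.randint(1024, 65535)
            while x in self.table:
                x = self.rng.randint(1024, 65535)
            self.table[x] = internal
        return replace(pkt, src_ip=self.public_ip, src_port=x)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving for the NAT: rewrite destination per table, else drop (None)."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.table:
            return None
        ip, port = self.table[pkt.dst_port]
        return replace(pkt, dst_ip=ip, dst_port=port)

if __name__ == "__main__":
    nat = Nat("1.2.3.4", {80: ("192.168.0.10", 80), 55: ("192.168.0.30", 80)})
    out = nat.outbound(Packet("192.168.0.20", 40000, "8.8.8.8", 80))
    print(out, nat.inbound(Packet("8.8.8.8", 80, "1.2.3.4", out.src_port)))
```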
Port Scanning
• Finding applications that listen on ports
• Send various packets:
– Establish and tear down TCP connection
– Half-open and tear down TCP connection
– Send invalid TCP packets: FIN, Null, Xmas scan
– Send TCP ACK packets – find firewall holes
– Obscure the source – FTP bounce scans
– UDP scans
– Find RPC applications
Port Scanning
• Set source port and address
– To allow packets to pass through the firewall
– To hide your source address
• Use TCP fingerprinting to find out OS type
– TCP standard does not specify how to handle invalid packets
– Implementations differ a lot
• Tools: Nmap (http://nmap.org/)
– Unix and Windows NT application and GUI
– Various scan types + adjustable timing
Defenses Against Port Scanning
• IF you (as SysAdmin) can tamper with targets
– Close all unused ports
– Remove all unnecessary services
– Filter out all unnecessary traffic
– Find openings before the attackers do
– Use smart filtering, based on client's IP
• If you cannot tamper with the target
– Put a firewall in between to drop all the unwanted connections
Firewall Flavors
• Packet filters
– Stateless
  • Allow all traffic to port 80
– Stateful
  • Allow all traffic to port 80 on established connections
• Proxies
– Capture all traffic and reissue it with the source IP of the firewall – normalizes traffic
Firewalk: Determining Firewall Rules
• Find out firewall rules for new connections
• We don't care about the target machine, just about packet types that can get through the firewall
– Find out distance to firewall using traceroute
– Ping arbitrary destination setting TTL = distance + 1
– If you receive an ICMP_TIME_EXCEEDED message, the ping went through
Defenses Against Firewalking
• Filter out outgoing ICMP traffic
• Use firewall proxies
– This defense works because a proxy recreates each packet including the TTL field
– The destination host would have to be set up to ignore messages that are not allowed
Vulnerability Scanning
• The attacker knows OS and applications installed on live hosts
– She can now find for each combination
  • Vulnerability exploits
  • Common configuration errors
  • Default configuration
• Vulnerability scanning tool uses a database of known vulnerabilities to generate packets
• Vulnerability scanning is also used for sysadmin
Defenses Against Vulnerability Scanning
• Close your ports and keep systems patched
• Find your vulnerabilities before the attackers do
• Tools
– SARA
  • http://www-arc.com/sara
– SAINT
  • http://www.saintcorporation.com
– Nessus
  • http://www.nessus.org
At The End Of Scanning Phase
• Attacker has
– a list of "live" IP addresses
– Open ports and applications at live machines
– Some information about OS type and version of live machines
– Some information about application versions at open ports
• Information
– network topology
– firewall configuration
– Software vulnerabilities