offensive security - macadmins conference at penn...

Offensive SecurityLearn to think as an attacker

The aim of this talk is to discover why and how you can use OS X and vSphere together

Yoann GiniSystem & Network Administrator

SmartCard Services

OS X ServerReverse Engineering

Network ArchitectureSecurity

Hacking

As a system and network administrator, I work a lot on topics related to OS X, OS X Server, security and scaling.

You can usually find my in the usual suspects for topics related to OS X Server like Security, Network Architecture, SmartCard Services, Reverse Engineering and Hacking.

Yoann GiniSoftware Developer

Radius Admin Tools

Hello ITVPN Admin Tools

ARD InspectorMobile Certificates

DockServiceManager

I’m also a hobbyist software developer. I’ve created tools like Hello IT, ARD Inspector, Mobile Certificates and Radius/VPN Admin Tools.

OverviewWhat we won’t cover

Workshop goals and restrictions

Overview of an Information System

Big steps and tasks during an offensive

Funny hands-on

This workshop will be focused on offensive security. During the whole day you will discover how to think as an attacker.

The first part is dedicated to talks between all of us, to draw a common picture of what’s an offensive can be. So, during this part, feel free to grab a mic and interrupt me. I expect this workshop to be a exchange between all of us.

The second part will be a more tech and funny part, we will try to hack an OS X VM specially crafted for this workshop.

This whole workshop is an introduction. We wont cover everything.

What we won’t coverI said ‘Offensive Security,’ nothing else…

This workshop wont be a list of attack and counter. The goal is to understand how to think as an attacker.

We won’t talk about

• Brands

• Antivirus

• IDS/IPS/NG Firewall

So don’t except or ask anything related to which brand is better, if AV is working or not, or even what if we have an IDS/IPS/NGFW.

All security tools are here to increase the cost of an intrusion, not make it impossible. So what ever the cost of your fancy security product, you must be able to understand how to break, what it cost in time, info and money, and what happen to you when it will be broken.

We won’t talk about

• Countermeasures

• Defensive patterns

Also, we won’t cover subjects related to counter mesure and defensive patterns. Everything we can tell on this subject is highly related to the security level you’re looking for. Depending of your value your defense and counter will change.

Some company don’t really care if something is stollen as long as they are still able to use their IS, they only real risk is related to cryptovirus. Some other are too valuable and will face trained attacker hired by private company or governments.

Defense depend of who you are, way to break into your IS depend of the attacker and common pattern can be found. Discovering those attack pattern will help you to make your choice in the defensive arsenal.

Workshop goalsI see weakness, weakness everywhere

Workshop goals

• Train your mind to see weakness in structure

• Think about hacking opportunities first

• Understand patterns and steps involved in an attack

My goal is simple, at the end of the day you should be able to start thinking about hacking opportunities in everything you see. In every other session you will see this week, you should think first about how what you will learn can be used against you.

You will also learn big steps linked to an attack. This will help you to protect your informations by giving you the capability to judge the value of an information for an attacker.

Don’t expect anything nice to show to your boss from this workshop.

In resumé, I won’t show anything to be a nice guy.

Don’t expect anything nice to show to your boss from this workshop.

RestrictionsIf you stay, you agree

As you’ve understand now, we won’t speak about harmless things. So some restrictions apply if you want to follow this workshop.

Restrictions

• Practice only against provided VM

• Don’t ‘play’ with and on the PSU WiFi

• Don’t break into attendees’ systems

Hands-on must be practiced only against provided VM and nothing else.

You must not do anything against the PSU network or other devices connected to the PSU network.

You must not do anything against other attendees devices.

Restrictions

• Report all security issues discovered on a live system

• And be prepared to explain why you discovered that…

If you find a security issue during this workshop, report immediately. And you will have to explain why, by the hell, you’ve found it.

If you don’t agree with that, please leave the room now.

Most of time, offensive course lead to unacceptable behavior after the session. PSU team has been nice enough to accept to host this kind of workshop, so I expect good behavior from all of you.

Information System OverviewSources of weaknesses since 1970

During this part we will talk about common IS setup and what does it means for an attacker

Information System Overview

• Common Network Area

• Internet

• Remote users over VPN

• Internal users

• Servers

Internet: some services might be publicly exposed, this can be a potential weakness leading to remote shell. A lot of example exist with Joomla and Wordpress for example. Business related service might have even more weaknesses.

Remote users via VPN: common security practices imply VPN access for remote users, but common mistake exist, like allowing access to the whole private network for remote users. Getting access to users credentials for VPN services mean most of time full access to everything, even router and switch admin interface with default password.

Internal users: common security mistake is to consider internal resources as secure, because they are on LAN. Social engineering against internal users might lead attacker to easily gain access to internal services. Also, people using laptop might be infected while they are outside the company and then, give access to the full network when they are back.

Servers: they might be on a separate network zone with dedicated security access list, or maybe not. It’s not uncommon to see admin services available from the whole private network. Or even worst, exposed directly to the internet.

A mix of all those scenario can be used to pivot from one computer to an other an finally reach the goal.


• Less Common Network Area

• Internal users by access level

• Servers by security level

• Internal users over VPN

In a more secure setup, servers and internal users can be grouped by access level. Users can be authenticated via 802.1x then to be sorted in VLAN per departments. Then, internal routers can apply security restriction, allowing departments to reach on the IP level only authorized services on authorized servers.

In advanced security scenario, some internal services might be accessible only after an internal VPN authentication. This would allow a bridge between two isolated networks and still protect the secure area from network scan started from the common area.


• Common Services

• File Sharing

• E-mail, contacts and calendars

• IP Phone

Share points are the common target during an attack. It contain most of the valuable informations in the company. Common mistake is related to access right. Too many company consider that CEO and director boards must access to all data. And most of time, the same list of people are the most unskilled people, with weakest password, unable to detect fraud and social engineering. In resumé, they have access to every informations in company and are the less capable to defend themselves.

File Sharing can also be used as source for propagation for malware. Cryptovirus can be run on the internet, targeting anything they can and asking for money in exchange of the decryption key.

E-mail and other collaboration services are valuable targets too. E-mail contains secrets, contracts and orders. Collecting them allow an attacker to understand the chain of subordination in the company. If the company is used to transmit important order (like secret disclosure, wire transfer, account creation…) by e-mail with S/MIME or GPG signature, it can be easily spoofed.

IP Phone on shared network are really interesting, we can wiretap the whole company communication with them.


• Close to be Common Services

• Cloud services

• On premises services

Business services hosted « on the cloud » are really interesting, especially those specialized on a specific business market. It’s a trend nowadays to develop fancy new tools and provide it only as a service and hosted by the editor. Customer need to pay every month to keep access to they data and it’s supposed to be more reliable.

In 2015 we’ve seen many big player like LinkedIn or Adobe being hacked, with all they account stollen. So, can we expect that a new player, smaller, seeking for incomes will have better security team? And can we expect that this new player, making buzz, rising money and hosting valuable data from many customers won’t be a valuable target?

If we assume that everything always have weaknesses, what’s the most secure? Centralize everything in the same safe room and expect that the guard will do their job? Or spread the values in multiple location with ad-hoc security services?

On permise servies seems to be interesting because, even if the service is weak, internal hosting allow additional security services around it. But that mean money and team to manage it everyday. The risk is big to setup things correctly at the beginning and never touch it again.


• Computer based/related informations not linked to IS

• Social network profiles from employees

• Public code repo from employees

• Tech related afterwork (i.e.: CocoaHeads)

Good people speak too much!

If you’ve value in your company, odds are good that your employee are good, and if they are good that mean they exchange a lot with other people doing the same work, they may share personal projects on github or present topics at tech conferences.

Steps & Tasks for an OffensiveProceed with caution

Now we will speak about steps and tasks involved in an offensive. I’ve written some example and I expect you give others.

So, what’s the first thing you’ve to do when you attack someone?

Passive Information Gathering

First step: passive information gathering. Your goal is to collect as much informations as possible on your target without touching the target.

Give me some source you can use to collect informations and why it can be useful.


• Employee profiles: Tech used by the company

• Job offers: Point of entry, missing resources

• Device on public Wi-Fi: Naming convention

• Pub close to office: Listen to employees’ talks


• Employees habits: Get closer to vulnerable people

• Internet Registers: IP range used

• Building entrance: Identify recurring contractors

• Road warriors: Shoulder surfing

Active Information Gathering

Second step: active information gathering. Your goal is to complete the knowledge you’ve on your target by connecting to target services.

Give me some things you can do on a target to improve your knowledge.


• Device on public Wi-Fi: Sniff for services used remotely

• Device on public Wi-Fi: Scan for management services

• IP Range: Scan for live servers and services

• Dumpster diving: Old docs, contracts, e-mails…


• Pub / Employees habits: Make them talk about IT

• Job offer: Talk with CTO and team, look for weakness

• Contractors: Weakest IS? Important turnover?

• Road warriors: Access to devices (train, coffee…)

Gaining Access

So, now you’ve as much informations as possible.

What kind of operation you can do?

Gaining Access

• Social engineering (CEO fraud, fake IT call)

• Device access on a train

• Default or weak password on public services

Don’t jump directly on the tech things, humans are weakest than everything else. So start by that.

Gaining Access

• Install hidden

• Wireless Access Point

• MicroPC with VPN over 4G

• Software weakness to break into

If humans don’t expose the weakness you needs, maybe you can try to gain access to target office during public visits or job interview and plant a remote access tool.

And of course, you can run into hacking scenario and target software weakness.

Gaining Access

• Install remote access tools to maintain access

And don’t forget, when you’ve break into your target, you need to plant a permanent remote access tool.

The weakness you’ve use might be corrected in the futur, so find a creative way to get access to your target even.

Cover your tracks

If you don’t get caught during the offensive, try to avoid being caught after, when the forensic team will try to found what you did and how you did it.

Cover your tracks

• Remove all installed tools and accounts

• Clear logs

So, this might mean, break into the syslog server

Hands-onLet’s write payloads and break into a Mac!

Hands-on

• Write a reverse shell

Your first goal today will be to write a reverse shell. It must run at load and call your hacking server (your Mac) to give you a shell.

Reverse Shell

• Target must call your server to avoid firewall

Reverse Shell

⛔IN ✅OUT

Reverse Shell

from: 2001:db8::ff00:42:8329 to: 2001:db8:0:85a3::ac1f:8001

« Give me a shell »

2001:db8:0:85a3::ac1f:8001

2001:db8::ff00:42:8329

Reverse Shell

from: 2001:db8:0:85a3::ac1f:8001 to: 2001:db8::ff00:42:8329 « I want to give you a shell »

2001:db8:0:85a3::ac1f:8001

2001:db8::ff00:42:8329

Reverse Shell

• Listen on your server

• Start a program on the target to send a shell

Hands-on

• Write a privilege escalation script for 10.10.3

Now you need a way to move from a standard user to a root one.

Hopefully the target use a old and weak system :)

Privilege Escalation

• From standard user to root




Standard UserRoot

Service Running as

Root

Command with sticky bit

Request form standard user




• Find a breach in a process run as root

• Execute code from this process



Hands-on

• You’re on a train

• Target starts computer and goes to bathroom

• You want the user’s password

Get User’s Password

• Auto Login

• Open the session and unlock the keychain

• Password must be accessible in clear text

Get User’s Password

• Understand auto login

• Find password storage

• Reverse the encoding

Hands-on

• Target comes to a conference, collect USB key with commercial docs inside

• Fool the target to run a script and create an admin user

Fake PDF

• When malicious things are done, clear your tracks

• Use developer skills to forge a fake PDF to run script

• User must read a PDF in the end

Hands-on

• You’re on a public Wi-Fi with the target

• Identify target IP

• Spoof the munki server to install your payload

Spoof Munki Server

DNS

« Who is munki.acme.com? »

Spoof Munki Server

• Start MiTM attack

• Analyse trafic to find munki’s URL

• Can use DNS, mDNS or direct IP addressing

• Interact with target to redirect munki’s URL

Related talks

Subject Presenter Room Date

Blue Team 101: Building Defensible

Systems Daniel Griggs 206 Tuesday

10:45

Security Apple 207 Wednesday09:00

Building Defensible OS X Systems

(Advanced)Daniel Griggs Deans Hall I Wednesday

10:45

Additional resources

• Story of the Hacking Team takedown

• https://ghostbin.com/paste/6kho7

• Kevin Mitnick books:

• The Art of IntrusionThe Art of Deception

https://ghostbin.com/paste/6kho7

Thank you !http://j.mp/psumac2016-WS01-01

http://j.mp/psumac2016-WS01-01

offensive security - macadmins conference at penn...

Documents