
Offensive technologies Fall 2017

Lecture 1 - Intrusion
Fabio Massacci

27/09/17 Fabio Massacci - Offensive Technologies 1

Course Objective
•  Offensive (IT) technologies are
   –  a permanent characteristic of a technological society,
   –  due to the very same "features" that make our society advanced.
•  The purpose of the course is to give students
   –  a hands-on approach to understand the main technological drivers behind security attacks,
   –  a better understanding of attacks so that we could better identify methods to defend ourselves.
•  Offensive technologies are dangerous tools → "with great powers come great responsibility"


Ethical Issues
Reminder

Ethical Acceptance
•  You are bound by the terms and conditions of this course
   –  You try offensive technologies only in the lab
   –  You are not allowed to disclose information about any individual that you find during the analysis
   –  Your final deliverable, as approved by the professor, is the only public deliverable you are allowed to disclose to third parties
•  Any use outside the agreed framework of the course may be penally relevant (i.e. a crime)
   –  Everything is isolated from the rest of the infrastructure → you must deliberately exfiltrate material → you cannot claim that it "happened by mistake"
   –  The same considerations apply if you give material to other students who have not signed the agreement → aiding and abetting = same penal responsibility as if you did it yourself.


What Prosecutors can do
•  You did some "innocent prank"
   –  plus tweeted "I'm going to destroy America and dig up Marilyn Monroe"
•  They can give you a slap on the wrist
   –  Assuming your "prank" was really "innocent"...
•  They can also give you really, but really really hard times,
   –  Charging "Aggravated Theft" or "Assault with danger to people" or
   –  "Organized Crime" or/and
      •  Exchanged email with somebody
   –  "Collusion with foreign powers" or/and
      •  This somebody is not of the right nationality
   –  "Terrorism"
      •  Possibly planning disruptive actions
•  A good lawyer can take you out of jail BUT in the meanwhile
   –  They send you to a security prison without bail
•  Don't think "This can happen in Uzbekistan but not <here>"
   –  Where <here> in {US, IT, FR, DE, etc. etc.}

Why are they going to do it?
•  True discussion with a (former) Judge from the Italian Supreme Court
   –  IF a prosecutor wants to investigate a computer crime (e.g. your "prank") s/he needs access to emails/internet traces etc. etc.
   –  BUT email is protected (this is not North Korea after all)
   –  UNLESS there is a very serious crime going on
   –  SO the prosecutor claims "this is a very serious crime (e.g. Organized Crime)"
   –  THEN the judge grants access to your emails (they write to Google and Google gives them everything about your life)
   –  OBVIOUSLY during the trial all accusations will fail as you have just done a prank (anyhow you need to pay a good lawyer and a technical counsel)
   –  HENCE the prosecutor's conscience is clean: no innocent people will finally be unjustly condemned whilst he can investigate the bad guys
•  Side Effects...
   –  WISELY "charges of serious crimes" go hand in hand with measures limiting offenders (e.g. you won't let a mafioso go around and kill more people)
   –  BUT NOW you are charged with the same crimes as the dangerous mafioso...
   –  SO the police send you to a security prison without bail as a potential offender...


You don't believe it, do you?
•  Leigh, from Coventry, and Emily, 24, from Birmingham, were then quizzed for five hours at LAX before they were handcuffed and put into a van with illegal immigrants and locked up overnight.
   –  "When we arrived at the prison I was shoved in a cell on my own but after an hour two huge Mexican men covered in tattoos came in and started asking me who I was.
   –  'They told me they'd been arrested for taking cocaine over the border.
   –  'When the food arrived on the tray they took it all and just left me with a carton of apple juice.'"
•  They spent 12 hours in separate holding cells before being driven back to the airport where they were put on a plane home via Paris.

Why Off Techs are here to stay
Four questions to better understand the modern context


Do you trust these organisations?
•  S-TRUST Authentication and Encryption Root
   –  Deutscher Sparkassen Verlag GmbH, Stuttgart, Baden-Wuerttemberg (DE)
•  NetLock Kozjegyzoi Tanusitvanykiado
   –  Tanusitvanykiadok, NetLock Halozatbiztonsagi Kft., Budapest, Hungary
•  TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
   –  Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. ANKARA, Turkey
•  CA 沃通根证书
   –  WoSign CA Limited, China
•  To guarantee that a website is really what it claims to be?

So, what's that?
•  It is just some websites without any trouble
•  just pictures, videos, and text


What's this?
•  ONE web page
   –  Plenty of ads
•  Process
   –  We DON'T look at the ads
   –  Only click on mail
•  And download the program of the infosec conference

What's this?
•  ONE PDF file, essentially an image
•  What happens if we open it?
   –  Nothing
   –  Acrobat Reader shows the image on the monitor


What's this?
•  A photocopier
•  A printer
•  You send a file, and it prints

What really is this? Just like that!
•  Xerox computer to just print a file: Intel Celeron - 733 MHz – 128 MB
•  NASA computer to land Apollo 16 on the Moon: AGC – 1 MHz – 4 KB RAM


What really is this?
•  That's a program containing
   –  at least 1682 instructions
•  What happens when we open it?
   –  All instructions are executed
   –  Not necessarily true that the result is displayed
•  PDF language is Turing Complete
   –  ANY function can be written in PDF language
   –  Opening a PDF file can seamlessly display an image and simultaneously solve Fermat's little theorem

What really is this?
•  When we type www.libero.it on the browser, YOUR computer will:
•  Execute
   –  186 local functions
   –  15 functions from external sites
•  Aggregate static contents from
   –  676 websites, of which
   –  370 external websites
   –  193 maybe just images
•  Aggregate dynamic content from
   –  8 advertisers (at least)
•  Are all of these actions "good" ones?


Cyber life is never what it seems - UK
•  What it REALLY is
•  It is ONE website without any trouble, just picture and text
•  12 web trackers for advertising
•  72 javascript snips executed by your browser while you load it
•  More than 100 references to different sites, some of them executing code
   –  http://player.ooyala.com
   –  http://widget.cloud.opta.net
   –  Some of them dynamically created on the fly, e.g. by b.scorecardresearch.com
•  >100 errors/warnings in processing
•  How can you tell what's good, what's bad?

Cyber life is never what it seems - US
•  What it REALLY is
•  It is ONE website without any trouble, just picture and text
•  8 web trackers for advertising
•  122 javascript snips executed by your browser before you see anything
•  More than 500 references to external sites, many executing code
   –  Garretn-cdn.com
   –  Brightcove.com
   –  Tags.tiqcdn.com
•  >164 errors/warnings processing the web page
•  How can you tell good from bad?
•  And I didn't load Flash, sorry...


Cyber life is never what it seems - NL
•  What it REALLY is
•  It is ONE website without any trouble, just picture and text
•  13 web trackers for advertising
•  207 javascript snips executed by your browser before you see anything!
•  >200 references to different sites, some of them executing code
   –  Easypoll
   –  Hotjar
   –  Tiq
•  >100 errors/warnings in processing the web page
•  How can you tell good vs bad?
•  And they wanted me to disable the adblocker! Sorry mates...

Who trusts these? Everybody.
•  S-TRUST Authentication and Encryption Root
   –  Deutscher Sparkassen Verlag GmbH, Stuttgart, Baden-Wuerttemberg (DE)
•  NetLock Kozjegyzoi Tanusitvanykiado
   –  Tanusitvanykiadok, NetLock Halozatbiztonsagi Kft., Budapest, Hungary
•  TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
   –  Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. ANKARA, Turkey
•  沃通根证书
   –  WoSign CA Limited, China


Are they reliable?
•  Read
   –  Axel Arnbak, Hadi Asghari, Michel Van Eeten, and Nico Van Eijk, "Security Collapse in the HTTPS Market". Communications of the ACM 57, no. 10 (2014): 47-55.
   –  http://queue.acm.org/detail.cfm?id=2673311
•  Or listen to
   –  https://www.youtube.com/watch?v=uTWqV47QZZw#action=share

Why are Off Tech There to Stay?
•  Our systems are beyond-over-provisioned for the tasks we use them for
   –  The right image is a parent, with the driving license for a Fiat 500, bringing the kids to the elementary school two blocks down the road by taxiing an Airbus A340
•  Being very complex systems, it is possible that they have bugs
   –  Remember Rice's theorem
•  And there will always be some people who will make it their personal priority to make such bugs happen in other people's computers.


Offensive Approaches

Targeted Attack
•  Reconnaissance
•  Scanning surface
•  Gaining access
   –  Somebody lets you in
   –  Break through
•  Maintaining access
•  Covering tracks

Untargeted Attack
•  ...
•  Distributing traps
•  Gaining access
   –  Somebody lets you in
   –  Break through
•  Maintaining access
•  Covering tracks

Targeted Attacks
Reconnaissance and Scanning


Phase 1: Reconnaissance
•  Learn information about the intended target:
   –  How its network is organized
   –  Any specifics about the OS and applications running
   –  Any potential information about users
•  Physical Gathering
   –  Very human intensive, high risk of being caught, valuable
•  Social Web Gathering
   –  Human intensive, no risk of being caught, potentially valuable
•  Technical Web Gathering
   –  Fully automated, some traces may be left in logs, technical value depends on the target

"Physical" Reconnaissance
•  Social engineering
   –  Call employees and ask details → Instruct the employees not to divulge sensitive information on the phone
      •  Sometimes very difficult, as your business purpose may actually be to give information (e.g. Apple's helpdesk attack)
•  Physical break-in
   –  Tailgating → Insist on using badges for access, everyone must have a badge, lock sensitive equipment
   –  Shoulder surfing, cleaning lady attacks → Clean desk policy
   –  How about wireless access?
•  Dumpster diving
   –  or collect the receipt left by the previous customer → Shred important documents


"Social Web" Reconnaissance
•  Search the organization's website
   –  Employees may post something sensitive (thinking it is transient or not accessible)
   –  Beware of mailer logs and transient links (search engines might pick them up)
•  Search various mailing list archives and interest groups
   –  Employees may not post info on themselves as employees, but private information might be a clue
•  Search the Web to find all documents mentioning company X
   –  Find out what is posted about you

Internet is Forever
•  Context:
   –  Prof Fabio and Dept Assistant Mirta are looking for CS alumni to invite to the Alumni Event (2017/09/27). Searched the internet with Alice's name
•  Dialogue for Fabio and Mirta to see
   –  Alice: I can do everything darling... You know I'm on school trip to X in march? See, if you went to university in X instead of Y... [smile]
      •  (DD Month YY at hours H:MM)
   –  Bob: these guys bouncing back these things to me, tse... I'm fine where I am darling!!! u_u
   –  Alice: pff... -.-" cool down my sweet husband! It is so funny to tease you!! =) come on, now I'm going to bed!!!!!!!!! Night night!... big kiss!
   –  Bob: night [smile] a hard hard kiss [heart]
      •  DD Month YY at hours HH:MM + 10 minutes
•  What do we know now?
   –  Bob Years can be a good password candidate,
   –  Can we send Alice an image with name "School_Trip_X_March_YY.jpg" from e.g. a friend's name misspelled? Would this be a credible email?


"Technical" Gathering
•  Look at the plumbing of the internet
   –  Whois/ARIN
   –  DNS
•  Look at the plumbing of the company
   –  Scan the network
   –  Probe the firewall (firewalking)
   –  Probe the individual machines

Whois and ARIN Databases
•  When an organization acquires a domain name it provides information to a registrar
•  Public registrar files contain:
   –  Registered domain names
   –  Domain name servers
   –  Contact people names, phone numbers, E-mail addresses
   –  http://www.networksolutions.com/whois/
•  ARIN database
   –  Range of IP addresses
   –  http://whois.arin.net/ui/

Domain Name System
•  What does DNS do?
•  How does DNS work?
•  Types of information an attacker can gather:
   –  Range of addresses used
   –  Address of a mail server
   –  Address of a web server
   –  OS information
   –  Comments
•  Several types of queries (A, CH, HS, MX, SRV, etc.)

Interrogating DNS – Zone Transfer
   $ nslookup
   Default server: evil.attacker.com
   Address: 10.11.12.13
   server 1.2.3.4
   Default server: dns.victimsite.com
   Address: 1.2.3.4
   set type=any
   ls -d victimsite.com
   system1   1D IN A      1.2.2.1
             1D IN HINFO  "Solaris 2.6 Mailserver"
             1D IN MX     10 mail1
   web       1D IN A      1.2.11.27
             1D IN HINFO  "NT4 www"
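As an added example (not part of the lecture), a small audit script a zone administrator could run over a listing in the shape of the nslookup output above: it flags the HINFO and TXT records that hand out OS details and comments, and shows which records would remain once only the necessary information is published. The zone listing is constructed for the example.

```python
# Added example, not part of the lecture: lint the records a zone transfer
# would hand out, flagging what the slides call unnecessary information.
import re
from collections import defaultdict

# Constructed listing in the shape of the nslookup output above (not a real zone).
ZONE_LISTING = """\
system1  1D IN A      1.2.2.1
system1  1D IN HINFO  "Solaris 2.6 Mailserver"
system1  1D IN MX     10 mail1
web      1D IN A      1.2.11.27
web      1D IN HINFO  "NT4 www"
mail1    1D IN A      1.2.2.2
mail1    1D IN TXT    "contact sysadmin x1234, backup box is 1.2.2.3"
"""

RECORD_RE = re.compile(r'^(\S+)\s+\S+\s+IN\s+(\S+)\s+(.*)$')
LEAKY_TYPES = {"HINFO": "hardware/OS field", "TXT": "free-text comment"}
OS_HINT_RE = re.compile(r'solaris|windows|nt\d|linux|aix|bsd', re.I)
# Record types an outside resolver actually needs to reach public services.
PUBLIC_TYPES = {"SOA", "NS", "A", "AAAA", "MX", "CNAME", "SRV"}

def parse_listing(text):
    """Turn 'owner ttl IN type rdata' lines into (owner, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append((m.group(1), m.group(2), m.group(3).strip()))
    return records

def audit_zone(text):
    """Map each owner name to the findings against its records."""
    findings = defaultdict(list)
    for owner, rtype, rdata in parse_listing(text):
        if rtype in LEAKY_TYPES:
            why = LEAKY_TYPES[rtype]
            if OS_HINT_RE.search(rdata):
                why += ", names an operating system"
            findings[owner].append(f"{rtype} {rdata}: {why}")
    return dict(findings)

def minimal_zone(text):
    """The records that would remain after dropping the leaky types."""
    return [r for r in parse_listing(text) if r[1] in PUBLIC_TYPES]
```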


Sample Strategy
•  whois massacci.org
•  whois unisi.it
•  [email protected]
•  [email protected]

Protecting DNS
•  Provide only necessary information
   –  No OS info and no comments
•  Restrict zone transfers
   –  Allow only a few necessary hosts
•  Use split-horizon DNS
   [Figure: split-horizon DNS, with an Internal DNS for Employees and an External DNS for External users; hosts shown: Web server, Mail server, Internal DB]


At The End Of Reconnaissance
•  Attacker has
   –  a list of IP addresses assigned to the target network
   –  some administrative information about the target network
   –  Names of individuals!
   –  a few "live" addresses
   –  some idea about the functionalities of target computers
•  Tools
   –  integrate Whois, ARIN, DNS interrogation and many more services:
   –  Applications
   –  Web-based portals
      •  http://www.network-tools.com

Phase 2: Scanning
•  Detecting information useful for break-in
   –  Live machines
   –  Network topology
   –  Firewall configuration
   –  Applications and OS types
   –  Vulnerabilities


Network Mapping
•  Finding live hosts
   –  Ping sweep
   –  TCP SYN sweep
•  Map network topology
   –  Traceroute
      •  Sends out ICMP or UDP packets with increasing TTL
      •  Gets back ICMP_TIME_EXCEEDED messages from intermediate routers

Traceroute
[Figure: host A, routers R1, R2, R3, and the hosts www, db and mail of victim.com]
1. ICMP_ECHO to www.victim.com, TTL=1
1a. ICMP_TIME_EXCEEDED from R1
A: R1 is my first hop to www.victim.com!


Traceroute
2. ICMP_ECHO to www.victim.com, TTL=2
2a. ICMP_TIME_EXCEEDED from R2
A: R1-R2 is my path to www.victim.com!

Traceroute
3. ICMP_ECHO to www.victim.com, TTL=3
3a. ICMP_TIME_EXCEEDED from R3
A: R1-R2-R3 is my path to www.victim.com!


Traceroute
4. ICMP_ECHO to www.victim.com, TTL=4
4a. ICMP_REPLY from www.victim.com
A: R1-R2-R3-www is my path to www.victim.com

Traceroute
Repeat for db and mail servers
A: R1-R2-R3-www is my path to www.victim.com
   R1-R2-R3-db is my path to db.victim.com
   R1-R2-R3-mail is my path to mail.victim.com
   ⇒ Victim network is a star with R3 at the center


Network Mapping Tools
•  Cheops
   –  Linux application
   –  http://cheops-ng.sourceforge.net/
   –  Automatically performs ping sweep and network mapping and displays results in a GUI

Defenses Against Network Mapping And Scanning
•  Filter out outgoing ICMP traffic
   –  Maybe allow for your ISP only
•  Use Network Address Translation (NAT)
   [Figure: internal hosts A, B, C, D with 192.168.0.0/16 addresses behind a NAT box with external address 1.2.3.4; external host 8.9.10.11; "Request 1.2.3.4" becomes "Request 192.168.13.73" inside, "Reply 192.168.13.73" becomes "Reply 1.2.3.4" outside]


How NATs Work
•  For internal hosts to go out
   –  B sends traffic to www.google.com
   –  NAT modifies the IP header of this traffic
      •  Source IP: B ⇒ NAT
      •  Source port: B's chosen port Y ⇒ random port X
   –  NAT remembers that whatever comes for it on port X should go to B on port Y
   –  Google replies, NAT modifies the IP header
      •  Destination IP: NAT ⇒ B
      •  Destination port: X ⇒ Y

How NATs Work
•  Advertise your web server A at NAT's address (1.2.3.4 and port 80)
•  NAT remembers that whatever comes for it on port 80 should go to A on port 80
   –  External clients send traffic to 1.2.3.4:80
   –  NAT modifies the IP header of this traffic
      •  Destination IP: NAT ⇒ A
      •  Destination port: NAT's port 80 ⇒ A's service port 80
   –  A replies, NAT modifies the IP header
      •  Source IP: A ⇒ NAT
      •  Source port: 80 ⇒ 80


How NATs Work
•  What if you have another Web server C
   –  You advertise your web server A at NAT's address (1.2.3.4 and port 55) – not a standard Web server port, so clients must know to talk to a different port
   –  NAT remembers that whatever comes for it on port 55 should go to C on port 80
   –  External clients send traffic to 1.2.3.4:55
   –  NAT modifies the IP header of this traffic
      •  Destination IP: NAT ⇒ C
      •  Destination port: NAT's port 55 ⇒ C's service port 80
   –  C replies, NAT modifies the IP header
      •  Source IP: C ⇒ NAT, source port: 80 ⇒ 55
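The three NAT slides above as one added toy model (not the lecture's code): outbound traffic from B gets the NAT's address and a fresh port, the two port forwards deliver 1.2.3.4:80 to A and 1.2.3.4:55 to C:80, replies are rewritten back, and a packet to a port nothing is mapped to is dropped, which is why the NAT hides the internal hosts from a mapper. 1.2.3.4 and 8.9.10.11 are the slides' own constructed addresses (8.9.10.11 stands in for any outside host); the internal addresses and ports are assumptions.

```python
# Added example, not part of the lecture: a toy NAT that performs the header
# rewrites described on the slides. 1.2.3.4 and 8.9.10.11 are the slides'
# constructed addresses; the internal hosts and ports are assumed here, and a
# counter stands in for the "random port X".
import itertools

PUBLIC_IP = "1.2.3.4"
A, B, C = "192.168.13.73", "192.168.13.74", "192.168.13.75"  # assumed internals

class Nat:
    def __init__(self, public_ip, forwards):
        self.public_ip = public_ip
        self.forwards = dict(forwards)        # public port -> (inside ip, port)
        self.sessions = {}                    # port X -> (inside ip, port Y)
        self._ports = itertools.count(40000)  # deterministic "random" ports

    def public_port_for(self, inside):
        """Which public port already represents this (inside ip, port)?"""
        for pub, target in {**self.forwards, **self.sessions}.items():
            if target == inside:
                return pub
        return None

    def outbound(self, pkt):
        """Inside -> Internet: source becomes NAT:X and the mapping is kept."""
        inside = pkt["src"]
        pub = self.public_port_for(inside)
        if pub is None:                       # new connection from port Y
            pub = next(self._ports)
            self.sessions[pub] = inside
        return {**pkt, "src": (self.public_ip, pub)}

    def inbound(self, pkt):
        """Internet -> NAT: destination becomes the mapped inside host, or drop."""
        dst_ip, dst_port = pkt["dst"]
        target = self.sessions.get(dst_port) or self.forwards.get(dst_port)
        if dst_ip != self.public_ip or target is None:
            return None                       # nothing mapped: a scanner sees silence
        return {**pkt, "dst": target}

def demo():
    """Replay the three slide scenarios plus a probe to an unmapped port."""
    nat = Nat(PUBLIC_IP, {80: (A, 80), 55: (C, 80)})
    out = nat.outbound({"src": (B, 5555), "dst": ("8.9.10.11", 80)})    # B goes out
    back = nat.inbound({"src": ("8.9.10.11", 80), "dst": out["src"]})   # reply to B
    to_c = nat.inbound({"src": ("8.9.10.11", 6000), "dst": (PUBLIC_IP, 55)})
    from_c = nat.outbound({"src": (C, 80), "dst": ("8.9.10.11", 6000)})
    probe = nat.inbound({"src": ("8.9.10.11", 6001), "dst": (PUBLIC_IP, 22)})
    return out, back, to_c, from_c, probe
```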

Port Scanning
•  Finding applications that listen on ports
•  Send various packets:
   –  Establish and tear down a TCP connection
   –  Half-open and tear down a TCP connection
   –  Send invalid TCP packets: FIN, Null, Xmas scan
   –  Send TCP ACK packets – find firewall holes
   –  Obscure the source – FTP bounce scans
   –  UDP scans
   –  Find RPC applications


Port Scanning
•  Set source port and address
   –  To allow packets to pass through the firewall
   –  To hide your source address
•  Use TCP fingerprinting to find out the OS type
   –  The TCP standard does not specify how to handle invalid packets
   –  Implementations differ a lot
•  Tools: Nmap (http://nmap.org/)
   –  Unix and Windows NT application and GUI
   –  Various scan types + adjustable timing

Defenses Against Port Scanning
•  IF you (as SysAdmin) can tamper with the targets
   –  Close all unused ports
   –  Remove all unnecessary services
   –  Filter out all unnecessary traffic
   –  Find openings before the attackers do
   –  Use smart filtering, based on the client's IP
•  If you cannot tamper with the target
   –  Put a firewall in between to drop all the unwanted connections


Firewall Flavors
•  Packet filters
   –  Stateless
      •  Allow all traffic to port 80
   –  Stateful
      •  Allow all traffic to port 80 on established connections
•  Proxies
   –  Capture all traffic and reissue it with the source IP of the firewall – normalizes traffic

Firewalk: Determining Firewall Rules
•  Find out firewall rules for new connections
•  We don't care about the target machine, just about the packet types that can get through the firewall
   –  Find out the distance to the firewall using traceroute
   –  Ping an arbitrary destination setting TTL = distance + 1
   –  If you receive an ICMP_TIME_EXCEEDED message, the ping went through


Defenses Against Firewalking
•  Filter out outgoing ICMP traffic
•  Use firewall proxies
   –  This defense works because a proxy recreates each packet, including the TTL field
   –  The destination host would have to be set up to ignore messages that are not allowed
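The TTL mechanism shared by the traceroute walk-through (Network Mapping, above) and the firewalk inference, as one added toy simulation that is not part of the lecture. Hop names follow the slides; the firewall's position, its rule set and the FRESH_TTL value are assumptions. The same probes are run against a packet filter, a proxy (which rebuilds the packet with its own TTL) and a firewall that filters outgoing ICMP, so the effect of the two defenses on this slide can be seen directly: neither variant ever lets ICMP_TIME_EXCEEDED from behind the firewall reach the prober.

```python
# Added example, not part of the lecture: toy hop model of the TTL mechanism
# behind traceroute and firewalk. Firewall position, rule set and FRESH_TTL
# are assumptions; hop names follow the slides.
FRESH_TTL = 64

class Hop:
    def __init__(self, name):
        self.name = name

class Firewall(Hop):
    def __init__(self, name, allowed, proxy=False, egress_icmp=True):
        super().__init__(name)
        self.allowed = set(allowed)      # services let through, e.g. {"icmp", 80}
        self.proxy = proxy               # proxy: rebuilds packets with its own TTL
        self.egress_icmp = egress_icmp   # False: inside hosts' ICMP errors never leave

def send(path, service, ttl):
    """Forward one probe hop by hop; return (answer_kind, answering_hop)."""
    crossed = []                         # firewalls already passed through
    for hop in path[:-1]:                # routers and firewalls decrement TTL
        ttl -= 1
        if ttl == 0:                     # this hop would emit ICMP_TIME_EXCEEDED
            if all(fw.egress_icmp for fw in crossed):
                return ("time_exceeded", hop.name)
            return ("none", None)        # error message filtered on its way out
        if isinstance(hop, Firewall):
            if service not in hop.allowed:
                return ("none", None)    # silently dropped by the rule set
            if hop.proxy:
                ttl = FRESH_TTL          # proxy re-issues the packet itself
            crossed.append(hop)
    return ("reply", path[-1].name)      # destination host answers

def traceroute(path, service="icmp"):
    """Raise TTL one step at a time, as on the slides, and record who answers."""
    seen = []
    for ttl in range(1, len(path) + 1):
        kind, who = send(path, service, ttl)
        seen.append(who if kind != "none" else "*")
        if kind == "reply":
            break
    return seen

def firewalk(path, distance, services):
    """Probe with TTL = distance + 1: TIME_EXCEEDED from the hop past the
    firewall is the slide's signal that the rule set let the service through."""
    return {svc: send(path, svc, distance + 1)[0] for svc in services}

def scenario(proxy=False, egress_icmp=True):
    """Constructed path A -> R1 -> R2 -> FW -> R3 -> www, FW at distance 3."""
    fw = Firewall("FW", {"icmp", 80}, proxy=proxy, egress_icmp=egress_icmp)
    path = [Hop("R1"), Hop("R2"), fw, Hop("R3"), Hop("www")]
    return traceroute(path), firewalk(path, 3, ["icmp", 80, 22])
```

With the plain packet filter the firewalk result separates the allowed services from the filtered one; with the proxy or the ICMP egress filter no time_exceeded answer comes back from R3, so the rule set cannot be read off the TTL signal.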

Vulnerability Scanning
•  The attacker knows the OS and applications installed on live hosts
   –  She can now find for each combination
      •  Vulnerability exploits
      •  Common configuration errors
      •  Default configuration
•  A vulnerability scanning tool uses a database of known vulnerabilities to generate packets
•  Vulnerability scanning is also used for sysadmin


Defenses Against Vulnerability Scanning
•  Close your ports and keep systems patched
•  Find your vulnerabilities before the attackers do
•  Tools
   –  SARA
      •  http://www-arc.com/sara
   –  SAINT
      •  http://www.saintcorporation.com
   –  Nessus
      •  http://www.nessus.org

At The End Of Scanning Phase
•  Attacker has
   –  a list of "live" IP addresses
   –  Open ports and applications at live machines
   –  Some information about OS type and version of live machines
   –  Some information about application versions at open ports
•  Information
   –  network topology
   –  firewall configuration
   –  Software vulnerabilities