Offensive Security. Learn to think as an attacker. The aim of this talk is to discover why and how you can use OS X and vsphere together

Transcription

1 Offensive Security Learn to think as an attacker The aim of this talk is to discover why and how you can use OS X and vsphere together

2 Yoann Gini System & Network Administrator Security OS X Server Network Architecture SmartCard Services Reverse Engineering Hacking As a system and network administrator, I work a lot on topics related to OS X, OS X Server, security and scaling. You can usually find my in the usual suspects for topics related to OS X Server like Security, Network Architecture, SmartCard Services, Reverse Engineering and Hacking.

3 Yoann Gini Software Developer Mobile Certificates Radius Admin Tools Hello IT ARD Inspector VPN Admin Tools DockServiceManager I m also a hobbyist software developer. I ve created tools like Hello IT, ARD Inspector, Mobile Certificates and Radius/VPN Admin Tools.

4 Overview What we won t cover Workshop goals and restrictions Overview of an Information System Big steps and tasks during an offensive Funny hands-on This workshop will be focused on offensive security. During the whole day you will discover how to think as an attacker. The first part is dedicated to talks between all of us, to draw a common picture of what s an offensive can be. So, during this part, feel free to grab a mic and interrupt me. I expect this workshop to be a exchange between all of us. The second part will be a more tech and funny part, we will try to hack an OS X VM specially crafted for this workshop. This whole workshop is an introduction. We wont cover everything.

5 What we won t cover I said Offensive Security, nothing else This workshop wont be a list of attack and counter. The goal is to understand how to think as an attacker.

6 We won t talk about Brands Antivirus IDS/IPS/NG Firewall So don t except or ask anything related to which brand is better, if AV is working or not, or even what if we have an IDS/IPS/NGFW. All security tools are here to increase the cost of an intrusion, not make it impossible. So what ever the cost of your fancy security product, you must be able to understand how to break, what it cost in time, info and money, and what happen to you when it will be broken.

7 We won t talk about Countermeasures Defensive patterns Also, we won t cover subjects related to counter mesure and defensive patterns. Everything we can tell on this subject is highly related to the security level you re looking for. Depending of your value your defense and counter will change. Some company don t really care if something is stollen as long as they are still able to use their IS, they only real risk is related to cryptovirus. Some other are too valuable and will face trained attacker hired by private company or governments. Defense depend of who you are, way to break into your IS depend of the attacker and common pattern can be found. Discovering those attack pattern will help you to make your choice in the defensive arsenal.

8 Workshop goals I see weakness, weakness everywhere

9 Workshop goals Train your mind to see weakness in structure Think about hacking opportunities first Understand patterns and steps involved in an attack My goal is simple, at the end of the day you should be able to start thinking about hacking opportunities in everything you see. In every other session you will see this week, you should think first about how what you will learn can be used against you. You will also learn big steps linked to an attack. This will help you to protect your informations by giving you the capability to judge the value of an information for an attacker.

10 In resumé, I won t show anything to be a nice guy. Don t expect anything nice to show to your boss from this workshop.

11 Don t expect anything nice to show to your boss from this workshop.

12 Restrictions If you stay, you agree As you ve understand now, we won t speak about harmless things. So some restrictions apply if you want to follow this workshop.

13 Restrictions Practice only against provided VM Don t play with and on the PSU WiFi Don t break into attendees systems Hands-on must be practiced only against provided VM and nothing else. You must not do anything against the PSU network or other devices connected to the PSU network. You must not do anything against other attendees devices.

14 Restrictions Report all security issues discovered on a live system And be prepared to explain why you discovered that If you find a security issue during this workshop, report immediately. And you will have to explain why, by the hell, you ve found it.

15 If you don t agree with that, please leave the room now. Most of time, offensive course lead to unacceptable behavior after the session. PSU team has been nice enough to accept to host this kind of workshop, so I expect good behavior from all of you.

16 Information System Overview Sources of weaknesses since 1970 During this part we will talk about common IS setup and what does it means for an attacker

17 Information System Overview Common Network Area Internet Remote users over VPN Internal users Servers Internet: some services might be publicly exposed, this can be a potential weakness leading to remote shell. A lot of example exist with Joomla and Wordpress for example. Business related service might have even more weaknesses. Remote users via VPN: common security practices imply VPN access for remote users, but common mistake exist, like allowing access to the whole private network for remote users. Getting access to users credentials for VPN services mean most of time full access to everything, even router and switch admin interface with default password. Internal users: common security mistake is to consider internal resources as secure, because they are on LAN. Social engineering against internal users might lead attacker to easily gain access to internal services. Also, people using laptop might be infected while they are outside the company and then, give access to the full network when they are back. Servers: they might be on a separate network zone with dedicated security access list, or maybe not. It s not uncommon to see admin services available from the whole private network. Or even worst, exposed directly to the internet. A mix of all those scenario can be used to pivot from one computer to an other an finally reach the goal.

18 Information System Overview Less Common Network Area Internal users by access level Servers by security level Internal users over VPN In a more secure setup, servers and internal users can be grouped by access level. Users can be authenticated via 802.1x then to be sorted in VLAN per departments. Then, internal routers can apply security restriction, allowing departments to reach on the IP level only authorized services on authorized servers. In advanced security scenario, some internal services might be accessible only after an internal VPN authentication. This would allow a bridge between two isolated networks and still protect the secure area from network scan started from the common area.

19 Information System Overview Common Services File Sharing , contacts and calendars IP Phone Share points are the common target during an attack. It contain most of the valuable informations in the company. Common mistake is related to access right. Too many company consider that CEO and director boards must access to all data. And most of time, the same list of people are the most unskilled people, with weakest password, unable to detect fraud and social engineering. In resumé, they have access to every informations in company and are the less capable to defend themselves. File Sharing can also be used as source for propagation for malware. Cryptovirus can be run on the internet, targeting anything they can and asking for money in exchange of the decryption key. and other collaboration services are valuable targets too. contains secrets, contracts and orders. Collecting them allow an attacker to understand the chain of subordination in the company. If the company is used to transmit important order (like secret disclosure, wire transfer, account creation ) by with S/MIME or GPG signature, it can be easily spoofed. IP Phone on shared network are really interesting, we can wiretap the whole company communication with them.

20 Information System Overview Close to be Common Services Cloud services On premises services Business services hosted «on the cloud» are really interesting, especially those specialized on a specific business market. It s a trend nowadays to develop fancy new tools and provide it only as a service and hosted by the editor. Customer need to pay every month to keep access to they data and it s supposed to be more reliable. In 2015 we ve seen many big player like LinkedIn or Adobe being hacked, with all they account stollen. So, can we expect that a new player, smaller, seeking for incomes will have better security team? And can we expect that this new player, making buzz, rising money and hosting valuable data from many customers won t be a valuable target? If we assume that everything always have weaknesses, what s the most secure? Centralize everything in the same safe room and expect that the guard will do their job? Or spread the values in multiple location with ad-hoc security services? On permise servies seems to be interesting because, even if the service is weak, internal hosting allow additional security services around it. But that mean money and team to manage it everyday. The risk is big to setup things correctly at the beginning and never touch it again.

21 Information System Overview Computer based/related informations not linked to IS Social network profiles from employees Public code repo from employees Tech related afterwork (i.e.: CocoaHeads) Good people speak too much! If you ve value in your company, odds are good that your employee are good, and if they are good that mean they exchange a lot with other people doing the same work, they may share personal projects on github or present topics at tech conferences.

22 Steps & Tasks for an Offensive Proceed with caution Now we will speak about steps and tasks involved in an offensive. I ve written some example and I expect you give others. So, what s the first thing you ve to do when you attack someone?

23 Passive Information Gathering First step: passive information gathering. Your goal is to collect as much informations as possible on your target without touching the target. Give me some source you can use to collect informations and why it can be useful.

24 Passive Information Gathering Employee profiles: Tech used by the company Job offers: Point of entry, missing resources Device on public Wi-Fi: Naming convention Pub close to office: Listen to employees talks

25 Passive Information Gathering Employees habits: Get closer to vulnerable people Internet Registers: IP range used Building entrance: Identify recurring contractors Road warriors: Shoulder surfing

26 Active Information Gathering Second step: active information gathering. Your goal is to complete the knowledge you ve on your target by connecting to target services. Give me some things you can do on a target to improve your knowledge.

27 Active Information Gathering Device on public Wi-Fi: Sniff for services used remotely Device on public Wi-Fi: Scan for management services IP Range: Scan for live servers and services Dumpster diving: Old docs, contracts, s

28 Active Information Gathering Pub / Employees habits: Make them talk about IT Job offer: Talk with CTO and team, look for weakness Contractors: Weakest IS? Important turnover? Road warriors: Access to devices (train, coffee )

29 Gaining Access So, now you ve as much informations as possible. What kind of operation you can do?

30 Gaining Access Social engineering (CEO fraud, fake IT call) Device access on a train Default or weak password on public services Don t jump directly on the tech things, humans are weakest than everything else. So start by that.

31 Gaining Access Install hidden Wireless Access Point MicroPC with VPN over 4G Software weakness to break into If humans don t expose the weakness you needs, maybe you can try to gain access to target office during public visits or job interview and plant a remote access tool. And of course, you can run into hacking scenario and target software weakness.

32 Gaining Access Install remote access tools to maintain access And don t forget, when you ve break into your target, you need to plant a permanent remote access tool. The weakness you ve use might be corrected in the futur, so find a creative way to get access to your target even.

33 Cover your tracks If you don t get caught during the offensive, try to avoid being caught after, when the forensic team will try to found what you did and how you did it.

34 Cover your tracks Remove all installed tools and accounts Clear logs So, this might mean, break into the syslog server

35 Hands-on Let s write payloads and break into a Mac!

36 Hands-on Write a reverse shell Your first goal today will be to write a reverse shell. It must run at load and call your hacking server (your Mac) to give you a shell.

37 Reverse Shell Target must call your server to avoid firewall

38 Reverse Shell IN OUT

39 Reverse Shell 2001:db8::ff00:42:8329 from: 2001:db8::ff00:42:8329 to: 2001:db8:0:85a3::ac1f:8001 «Give me a shell» 2001:db8:0:85a3::ac1f:8001

40 Reverse Shell 2001:db8::ff00:42:8329 from: 2001:db8:0:85a3::ac1f:8001 to: 2001:db8::ff00:42:8329 «I want to give you a shell» 2001:db8:0:85a3::ac1f:8001

41 Reverse Shell Listen on your server Start a program on the target to send a shell

42 Hands-on Write a privilege escalation script for Now you need a way to move from a standard user to a root one. Hopefully the target use a old and weak system :)

43 Privilege Escalation From standard user to root Now you need a way to move from a standard user to a root one. Hopefully the target use a old and weak system :)

44 Privilege Escalation Service Running as Root Root Standard User Command with sticky bit Request form standard user Now you need a way to move from a standard user to a root one. Hopefully the target use a old and weak system :)

45 Privilege Escalation Find a breach in a process run as root Execute code from this process Now you need a way to move from a standard user to a root one. Hopefully the target use a old and weak system :)

46 Hands-on You re on a train Target starts computer and goes to bathroom You want the user s password

47 Get User s Password Auto Login Open the session and unlock the keychain Password must be accessible in clear text

48 Get User s Password Understand auto login Find password storage Reverse the encoding

49 Hands-on Target comes to a conference, collect USB key with commercial docs inside Fool the target to run a script and create an admin user

50 Fake PDF When malicious things are done, clear your tracks Use developer skills to forge a fake PDF to run script User must read a PDF in the end

51 Hands-on You re on a public Wi-Fi with the target Identify target IP Spoof the munki server to install your payload

52 Spoof Munki Server DNS «Who is munki.acme.com?»

53 Spoof Munki Server Start MiTM attack Analyse trafic to find munki s URL Can use DNS, mdns or direct IP addressing Interact with target to redirect munki s URL

54 ?

55 Subject Presenter Room Date Blue Team 101: Building Defensible Systems Related talks Daniel Griggs 206 Security Apple 207 Building Defensible OS X Systems (Advanced) Daniel Griggs Deans Hall I Tuesday 10:45 Wednesday 09:00 Wednesday 10:45

56 Additional resources Story of the Hacking Team takedown Kevin Mitnick books: The Art of Intrusion The Art of Deception

57 Thank you!