Vulnerability Summary October 2005

Transcription

1 Vulnerability Summary October 2005 Bill Landreth Known as "the Cracker", Bill was a member of the Inner Circle, an exclusive cracking club of the early 1980's. He began cracking when he was fouteen and retired at the ripe old age of 18 when FBI agents busted him and the Inner Circle in By then they had broken into computer systems of banks, newspapers, schools, the phone company, and credit card bureaus. The Inner Circle was indicted for computer fraud after they were caught tapping into the GTE Tel Computer Network in Vienna, Virginia. Landreth was convicted and received three years probation. He now has a job in computer security. acker/whocrack.html Paul Asadoorian, GCIA, GCIH Lead IT Security Specialist Brown University 1

2 DISCLAIMER All tools and techniques discussed in this presentation are for educational and demonstration purposes only. DO NOT USE THE TOOLS OR TECHNIQUES DISCUSSED WITHOUT FIRST GETTING PERMISSION. Or you may get a visit from a three letter government agency... 7-Oct-05 Paul Asadoorian - Brow n University 2 2

3 Vulnerabilities Zone Alarm Bypass Linksys WRT54G vulnerabilities Next Generation Worms WifiTap RDP MITM 7-Oct-05 Paul Asadoorian - Brow n University 3 3

4 Zone Alarm Bypass Allows an untrusted program to execute through a trusted program I can call Internet Explorer (or other browser) and communicate via the web IE is the program that executes, which is usually a trusted program 7-Oct-05 Paul Asadoorian - Brow n University 4 The zone alarm exploit actually works with IE or Firefox during our tests. It implements a trojan horse concept of sorts, riding on the credentials of another program. 4

5 Zone Alarm Bypass ZoneAlarm Pro Version 6.0 or later automatically protect against this attack by default ZoneAlarm Pro version 5.5 are protected by enabling the "Advanced Program Control" feature. ZoneAlarm free versions lack the "Advanced Program Control" feature and are unable to stop this attack 7-Oct-05 Paul Asadoorian - Brow n University 5 5

6 6

7 Zone Alarm Bypass Zone Labs - Bypassing Personal Firewall Using "DDE-IPC" - Bypassing Personal Firewall (ZoneAlarm Pro) Protection Oct-05 Paul Asadoorian - Brow n University 7 7

8 Linksys WRT54G Vulnerabilities 5 vulnerabilities were released for the WRT54G platform It runs Linux and is vulnerable to web manipulation exploits Must have access to the web management GUI 7-Oct-05 Paul Asadoorian - Brow n University 8 8

9 Linksys WRT54G Vulnerabilities The ezconfig.asp does not properly validate authentication credintials The apply.cgi script contains a buffer overflow in the POST command The restore.cgi and upgrade.cgi scripts allow unauthenticated configuration changes Web server is vulnerable to DoS in POST method 7-Oct-05 Paul Asadoorian - Brow n University 9 9

10 Linksys WRT54G Vulnerabilities You should not let your WRT54G get #0wn3d because: - Attackers may install other versions of Linux on it - Attackers could sniff your traffic - Reconfigure it to allow anyone to connect - Reconfigure your firewall 7-Oct-05 Paul Asadoorian - Brow n University 10 10

11 Linksys WRT54G Vulnerabilities Solution: - Upgrade to the latest firmware, Disable the web management GUI for wireless & WAN interfaces - Use a different version of firmware Oct-05 Paul Asadoorian - Brow n University 11 11

12 Linksys WRT54G Vulnerabilities Remote Administration Fixed Encryption Key Vulnerability - es&flashstatus=true Remote Administration apply.cgi Buffer Overflow Vulnerability - es 7-Oct-05 Paul Asadoorian - Brow n University 12 12

13 Linksys WRT54G Vulnerabilities 'restore.cgi' Configuration Modification Design Error Vulnerability - es&flashstatus=true 'upgrade.cgi' Firmware Upload Design Error Vulnerability - es Management Interface DoS Vulnerability - es 7-Oct-05 Paul Asadoorian - Brow n University 13 13

14 Wifi-Worm Wifi-Worm - A worm that uses wireless network connected computers to propagate. Does it exist? Could it use WRT54G vulnerabilities to its advantage? 7-Oct-05 Paul Asadoorian - Brow n University 14 14

15 Wifi-Worm Links Original posting - Eweek - ISC Oct-05 Paul Asadoorian - Brow n University 15 15

16 Good Worms - Nematodes Nematode is a phylum of primitive worm-like organisms often used to get rid of other pests - Dave Aitel, Immunity, Inc. A good attacker can reliably create a worm that appears before your half-baked IDS signature does 7-Oct-05 Paul Asadoorian - Brow n University 16 16

17 WifiTap Allows packets to be injected on wireless network Does not require association to AP A stealthier way to hack wireless networks 7-Oct-05 Paul Asadoorian - Brow n University 17 17

18 WifiTap Useful for: - Bypassing AP restrictions (i.e. Cisco PSPF) - Injecting packets - Hijacking clients 7-Oct-05 Paul Asadoorian - Brow n University 18 18

19 WifiTap Requires: - Prism,atheros,Ralink, or Realtek chipset - Support for monitor mode - Python 7-Oct-05 Paul Asadoorian - Brow n University 19 19

20 WifiTap Homepage: 7-Oct-05 Paul Asadoorian - Brow n University 20 20

21 RDP MITM Always thought to be possible Not seen too often in general practice We always knew RDP used weak encryption 7-Oct-05 Paul Asadoorian - Brow n University 21 21

22 RDP MITM Theory becomes practice Remote Desktop Protocol, the Good the Bad and the Ugly by Massimiliano Montoro Published May, 28, 2005 and implemented in Cain & Abel Works with current version of Windows XP 7-Oct-05 Paul Asadoorian - Brow n University 22 22

23 RDP MITM What you need: - A connection on the same subnet as the client or server - A computer running windows - The IP address of the client (victim) - Cain & Abel Version Oct-05 Paul Asadoorian - Brow n University 23 23

24 The above screencap is Cain & Abel. There was some initial setup, such as choosing the interface, enabling the sniffer, and turning on APR (Arp Poison Routing) that happened previous to this screenshot. To arp poison a host simply click the blue plus symbol in the upper left hand corner. You are then presented with the New Arp Poison Routing Window. On the left hand side choose the client address you want to poison, then on the right hand side choose the address you want to spoof. Once you click OK you notice the entry in the table with the status of Poisoning, along with the client IP address, Mac address, and the number of packets that have been redirected through you. At this point the client should have your Mac address in the arp table listed as the MAC address of the RDP server. 24

25 Once the client makes an RDP connection you will see it listed in the APR-RDP tab. While a connection is established the status will be listed as decrypting, once the connection is terminated it will list the status as closed. It stores the results in a file. 25

26 Above is a sample of the file created when performing an RDP MITM. You will notice the Key pressed statements that will indicate which key was pressed on the client. 26

27 RDP MITM Key pressed client-side: 0xe - 'backspace' Key pressed client-side: 0x2a - 'shift' Key pressed client-side: 0x14 - 't' Key released client-side: 0x14 - 't' Key pressed client-side: 0x23 - 'h' Key released client-side: 0x23 - 'h' Key pressed client-side: 0x12 - 'e' Key released client-side: 0x12 - 'e' Key pressed client-side: 0x20 - 'd' Key released client-side: 0x20 - 'd' Key pressed client-side: 0x16 - 'u' Key released client-side: 0x16 - 'u' Key pressed client-side: 0x20 - 'd' Key released client-side: 0x20 - 'd' Key pressed client-side: 0x12 - 'e' Key released client-side: 0x12 - 'e' Key pressed client-side: 0x1c - 'enter' Key released client-side: 0x1c - 'enter' 7-Oct-05 Paul Asadoorian - Brow n University 27 Extracting these statements from the file you can get a snapshot of what the user was typing, in the case thedude. You notice that you get an entry for each time a key is pressed and each time it is released. 27

28 RDP MITM Use an alternative such as Radmin ( Tunnel RDP over SSH protocol version 2 or stunnel Use static Arp entries for default gateway (limited) 7-Oct-05 Paul Asadoorian - Brow n University 28 28

29 RDP MITM Use a VPN connection - Client VPN (Cisco) - Windows Built-in VPN Windows XP instructions: - Server Client Oct-05 Paul Asadoorian - Brow n University 29 29

30 RDP MITM Microsoft RDP Man in the Middle Vulnerability - 0KG0G.html Remote Desktop Protocol, the Good the Bad and the Ugly Oct-05 Paul Asadoorian - Brow n University 30 30

31 Other Interesting Stuff Online MD5 cracker (rainbow table) - Wireless Zero Configuration Info Disclosure - Advisory: - Exploit: THC Tools Update ( - THC-Hydra (Password Brute Forcer) - THC-Amap (Application Mapper) - THC-Scan (Wardialer/Scanner) 7-Oct-05 Paul Asadoorian - Brow n University 31 Run your favorite MD5 hashes through a rainbow table of over 12 million words, including Japanese and Swedish WZC represents that facility in windows that provides wireless network connectivity (WPA, WEP, etc...). It contains a flaw that allows for a local user to read the SSID listing and WEP keys. Could this too contribute to a new Wifi-Worm? THC (The Hackers Choice) has released new versions of some of their popular security testing tools. New features include PC-Anywhere and VOIP password attacking, bugfixes, and new fingerprints for Amap. 31

32 IPAudit - The Next Generation Using IPAudit data we can grab port statistics Useful for trends Thoughts? Ideas? 7-Oct-05 Paul Asadoorian - Brow n University 32 32

33 New features on the table: - Top ten ports report - Logging TCP flag values - Indexing for faster searching - Migration to Python - Client/Server using SSH - Running IPAudit as a real daemon (not cron) - Suggestions? 7-Oct-05 Paul Asadoorian - Brow n University 33 33

34 /* End */ Paul Asadoorian Homepage: Presentation: oshean.pdf Kung Fu Learned Skill 7-Oct-05 Paul Asadoorian - Brow n University 34 34