Inside-Out Attacks. Security Event April 28, 2004 Page 1. Responses to the following questions

Transcription

1 Inside-Out Attacks Security Event April 28, 2004 Page 1 Goals of this presentation Responses to the following questions What are inside-out attacks Who will use this technique? How can you prevent or mitigate? Security Event April 28, 2004 Page 2 1

2 Definition Inside-Out attacks try to initiate network connections from the trusted (corporate) to the untrusted (Internet) network. Synonym Inside-Out Network Subversion Inside-Out Attack Covert Channel Attack Security Event April 28, 2004 Page 3 Definition Inside-Out Variants 1. Implementing hacker-code within the optional fields of an internet-allowed protocol tunnel, tunnel 2. Tunneling hacker-payload within the request and response of an internet allowed protocol HTTP tunnel, tunnel 3. Running other protocols on the desired ports than normally assigned For example running IRC on port 80 (http) 4. Misusing internet-allowed protocols Proxy connect method Security Event April 28, 2004 Page 4 2

3 Definition Covert Channel A Covert channel is a mechanism for sending and receiving information data between machines without alerting any firewalls and IDS s on the network. The technique derives its stealthy nature by virtue of the fact that it sends traffic through ports that most firewalls will permit through. Security Event April 28, 2004 Page 5 Direct Inside-Out Attacks Simple Inside-Out Attack Corporate LAN Internet Direct Channels ACK tunnel TCP tunnel (pop, telnet, ssh) UDP tunnel (syslog, snmp) tunnel IPSEC, PPTP Security Event April 28, 2004 Page 6 3

4 Proxified Inside-Out Attacks Advanced Inside-Out Attack LAN Proxy Corporate LAN Internet Proxified Channels DMZ Proxy Socks tunnel HTTP/S tunnel (payload of http = tunnel) HTTP/S proxy CONNECT method tunnel tunnel FTP tunnel Mail tunnel Security Event April 28, 2004 Page 7 Reverse Shell RAT Remote Administration Standard Connection (telnet, ssh, etc) Hacker Victim Server Network Flow (Connectivity) Data Flow Security Event April 28, 2004 Page 8 4

5 Reverse Shell RAT Remote Administration Reverse Shell (Reverse Telnet) Hacker Victim Server Network Flow (Connectivity) Data Flow Security Event April 28, 2004 Page 9 Remote Control Session Motivation of a Remote Control Session? Gaining user credentials. Accessing other systems Using the compromised host as source for further attacks Implementing the whole hacker attack into a virus is almost impossible (time, cost) Who wants to have a remote control? White-collar crime Script kiddies Security Event April 28, 2004 Page 10 5

6 Installation of RAT Direct Attack Buffer Overflow, Code Execution Hacker establishes remote access of victim (rat) Inside Out Attack PASSED Arbitrary Webserver Request Hacker controlled host Security Event April 28, 2004 Page 11 Installation of RAT Indirect Attack BLOCKED (port denied) Hacker establishes remote access of victim (rat) Inside Out Attack (port allowed) Hacker controlled host Security Event April 28, 2004 Page 12 6

7 Installation of RAT Indirect Attacks (Attachments, HTML social engineering) Webdownload CDROM ZIP USB-Stick BLOCKED Inside Out Attack Execution by Manual Client vulnerabilities Autostart cdrom Hacker controlled host Security Event April 28, 2004 Page 13 Reverse Shell Compass Top6 Covert Channel Attacks tunnel reverse tunnel HTTP/S tunnel proxy CONNECT method tunnel tunnel Security Event April 28, 2004 Page 14 7

8 Data General Data General RAT Security Event April 28, 2004 Page 15 RAT Covert Channel using Tunneling Internal (DHCP, AD) ROOT NS Corporate LAN Internet DMZ Problem: domain name lookup is allowed by any internal client Hacker Security Event April 28, 2004 Page 16 8

9 RAT Covert Channel using Tunneling Client POLL Server POLL POLL Commands 1. POLL 2. GET FILE TO CLIENT 3. PUT FILE TO SERVER EXIT CLIENT Execute commands Commands Command File Security Event April 28, 2004 Page 17 Remediation Steps Mitigation Conceptual: Separate internal from external Firewall: Allow from internal http proxy Firewall: Allow from special sources only Anti-Virus VPN clients Firewall: Deny all other packets Zone-Concept Potential Problems Internal applications which do not support http proxy (anti-virus pattern update,...) VPN clients from the corporate LAN to foreign adresses Security Event April 28, 2004 Page 18 9

10 Data General Data General Data General Data General RAT Covert Channel using (Simple) TCP/IP Gender Changer 1: Standard Citrix Server (Windows Terminal Server) Corporate LAN 2: Connection Internet 3: Reverse Connection Requirement: port allowed by firewall Hacker on port 22 Security Event April 28, 2004 Page 19 RAT Covert Channel using (Advanced) TCP/IP Gender Changer 1: Standard Citrix Server (Windows Terminal Server) Corporate LAN Internet 2: over Connect HTTP Proxy (http, ftp, https) HTTP/S Proxy Content-Filter 3: Reverse Connection Hacker on port 443 Requirement: allowed for any destinations Security Event April 28, 2004 Page 20 10

11 RAT Covert Channel using (Advanced) Proxy Connect-Method Security Event April 28, 2004 Page 21 RAT Covert Channel using (Advanced) Proxy Connect-Method Security Event April 28, 2004 Page 22 11

12 Data General Data General Remediation Steps Mitigation Firewall: Whitelisting of trusted https destinations Proxy: Whitelisting of trusted https destinations Firewall: Whitelisting of trusted ssh destinations Zone-Concept Comment Content-Filter does not help () Security Event April 28, 2004 Page 23 RAT HTTP/S Tunneling Attack Using POST requests Implementing own service via POST requests POST data are in binary form 1: http + applet HTTP Proxy (http, ftp, https) Corporate LAN Internet Webserver HTTP/S Proxy Content-Filter 2: ssh Server Security Event April 28, 2004 Page 24 12

13 RAT Mitigation HTTP/S Tunneling Attack Whitelisting https destinations Content-filter http payload Implementations hts, htc cctt (covert channel tunneling testing) Security Event April 28, 2004 Page 25 RAT Covert Channel using ishell BO2K (putt-plugin) Security Event April 28, 2004 Page 26 13

14 Demo Victim Hacker Security Event April 28, 2004 Page 27 Covert Channel Portal At present, we've developed some projects that allow to establish Covert Channels inside TCP (HTTP,, MSN) and UDP protocols : Active Port Forwarder - secure packet tunneling; CCTT - arbitrary TCP and UDP data transfers through TCP,UDP and HTTP POST messages; Firepass - arbitrary TCP and UDP data transfers through HTTP POST messages; MsnShell - remote Linux shell through the MSN protocol; Wsh - remote Unix/Win shell through HTTP and protocols. Security Event April 28, 2004 Page 28 14

15 Using forbidden Internet Applications Bypass Firewall Policy Security Event April 28, 2004 Page 29 Bypassing Firewall Policy Motivation of a Firewall Bypass? Surfing to filtered websites (e.g. Listening Internet radio Chatting to Internet friends Administration of home webservers via Up- and download of special files (EXE, ZIP) which are filtered by the corporate content filter policy Using peer-to-peer technique or other kind of shared medium (music, programs, video,...) Who wants to bypass the firewall policy? Advanced users from the internal network Freaks and individuals Security Event April 28, 2004 Page 30 15

16 Example RealPlayer Bypassing Firewall Policy LAN Proxy Corporate LAN Internet DMZ Proxy Security Event April 28, 2004 Page 31 Hackers View Prevention (yellow) Bypass Firewall Policy Close RealPlayer port in firewall configuration Internet port for RealPlayer open? NO Deny RealPlayer Content-Type in HTTP Filter HTTP version of RealPlayer allowed? NO connect open to any Internet dest.? YES Whitelisting of enabled Internet dest. Deny direct TCP/ NO IP connections to any Internet dest. Other port open to NO Internet dest.? From any client YES YES Installation of client tunnel softrware YES Other protocol open to Internet dest.? (IPSEC) Whitelisting of IPSEC to desired IPSEC partners Installation of portforwarder or GW software to desired RealPlayer server YES Enjoy Internet Internet Music not Music possible Security Event April 28, 2004 Page 32 16

17 Bypassing Firewall Policy Summary Who Trojan Horse Virus / Spyware Hacker Software Frustrated Employee What Want to deliver content to the Internet? Want to use forbidden Internet applications? Want to establish a remote control session? Want to upload more Trojans to the victim? How Use some kind of standard API s (mail, http) or covert channels Use some kind of covert channels Use some kind of Reverse Shell Use some kind of FTP Security Event April 28, 2004 Page 33 Remediation Steps Mitigation Firewall: deny any to any rules Content-Filter: deny unwanted content-type Firewall: restrict http/s locations Firewall: restrict ipsec locations Content-Filter: deny anonymizer websites Zone-concept Whitelisting versus Blacklisting Listing of the allowed resources = whitelisting Listing of the denied resources = blacklisting Whitelisting is more secure Blacklisting is easier to handle (conveniance) Security Event April 28, 2004 Page 34 17

18 Summary Security Event April 28, 2004 Page 35 Motivation Who What How Who Trojan Horse Virus / Spyware Hacker Software Frustrated Employee What Want to deliver content to the Internet? Want to use forbidden Internet applications? Want to establish a remote control session? Want to upload more Trojans to the victim? How Use some kind of standard API s (mail, http) or covert channels Use some kind of covert channels Use some kind of Reverse Shell Use some kind of FTP Security Event April 28, 2004 Page 36 18

19 Background Goals of an Inside-Out attack File transfer from victim to hacker File transfer from hacker to victim Execution of binaries at victim computer Interactive access from hacker to victim = RAT (Remote Administration Toolkit) Accessing any Internet service (bypass corporate firewall and content-filter policy) Security Event April 28, 2004 Page 37 Attacker Profile Scope of Covert Channels Frustrated Employees Trojan Horse Buffer Overflow Bypassing Firewall Policy, ICQ, NetMeeting, RealPlayer, Special Websites, emule, Kazzaa, edonkey Installation of RAT (Remote Admin Toolkit) Reverse Shell Security Event April 28, 2004 Page 38 19

20 Summary (I) Covert Channels Direct ACK tunnel TCP tunnel (pop, telnet, ssh) UDP tunnel (syslog, dns) tunnel IPSEC, PPTP Proxified Socks tunnel HTTP/S tunnel HTTP/S CONNECT Method tunnel tunnel FTP tunnel Mail tunnel Security Event April 28, 2004 Page 39 Summary (II) Mitigation Zone-Concept Separate zones Deny any direct connections from intranet to internet Whitelisting http/s destinations Content filtering http traffic Security Event April 28, 2004 Page 40 20

21 Data General Solution Zone-Concept Corporate LAN Internet Webserver Terminal Server (Citrix Server) (Tarantella Server) 1: RDP, ICA, AIP Remote Desktop Images 2: HTTP / Security Event April 28, 2004 Page 41 Appendix Security Event April 28, 2004 Page 42 21

22 Links References Security Event April 28, 2004 Page 43 22