Ethical Hacking. Alex Loffler Sept 2013

Transcription

1 Ethical Hacking Alex Loffler Sept 2013

2 What is a Hacker? Originally, a hacker was anybody who tinkered with any kind of system, mechanical or electrical, in order to better understand how it worked. Today hackers are persons who create or modify computer software, typically with the goal of using software in a manner not intended by the original computer programmer Wikipedia A person who enjoys exploring the details of programmable systems and stretching their capabilities, as opposed to most users, who prefer to learn only the minimum necessary. Wikipedia

3 Hacker Ethics The Hacker Manifesto An essay written by The Mentor (born Loyd Blankenship) after his arrest in Jan 1986 Considered a cornerstone of hacker culture by hackers across the globe. States: Hacking is an alternative way to learn Often out of frustration/boredom created by the limitations of current society Expresses the satori of a hacker realizing his potential Hacking supersedes the selfish desire to exploit or harm other people Technology should be used to expand our horizons and to keep the world free Hacker ethics are concerned primarily with sharing, openness, collaboration, and engaging in the Hands-On Imperative

4 The Reality in 2012 Malicious activity is increasing in: Volume Sophistication (TTP) Intensity and focus (APT) day week Initial Penetration 91% of breaches led to data compromise within days or less 79% of breaches took weeks or more to discover Source: Verizon 2012 Data Breach Investigations Report

5 The Reality in 2012 Response after compromise creates an undesirable foot-race The damage has already been done Accept that we will never keep 100% of the attackers out The fortress mentality is becoming obsolete Move backwards in the Kill Chain to move the defensive wall out Requires rapid analysis of huge, real-time data sets Recon Weaponize Deliver Exploit Install C2 Action Detection Response The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him. - Sun Tzu, The Art of War

6 Hacking Methodology Phase 1 Passive Reconnaissance Phase 2 Active Reconnaissance 80% Phase 3 Vulnerability Research Phase 4 Penetration Phase 5 Going Deeper 20% Phase 6 Covering Your Tracks

7 Phase 1 & 2 - Reconnaissance Phase 1 Passive Recon Locations Policies, processes/attitudes Press releases, public sentiment Technology preferences/standards Financial information Phase 2 Active Recon (Scanning) Social engineering Network perimeter scans Topology mapping DNS Zone transfers Fire-walking Port Scanning Dumpster Diving Gather anything and everything about the target

8 Phase 3 Vulnerability Research Use Well Known Vulnerabilities Useful to an extent Typically already patched Buy 0-days from white- or black-market sources Expensive No Guarantees Can backfire! Roll your own 0-day Time consuming Requires Highly Skilled Resources Creates a Dilemma

9 Responsible Disclosure aka Now What? Discover a new Vulnerability Accidental discovery Directed Research Develop an exploit Usually build a proof of concept to verify and classify the vulnerability Now What? 1. Sell the exploit to the highest bidder 2. Use the exploit 3. Full Disclosure 4. Inform CERT/CC 5. Sell the exploit to a white market vendor Disclosure Debate Security through Transparency - Full public disclosure enables informed choice and keeps vendors on their toes wrt admitting to flaws and patching them. Security through Obscurity - Full public disclosure does not give anyone time to react to a security flaw who s details are now available to even the least sophisticated of attackers. Responsible Disclosure attempts to find a middle ground

10 Phase 4 & Phase 5 Penetration Phase 4 Penetration Initial targets are typically low value assets Web servers VPN end points DMZ Networks Phase 5 Going Deeper Pivot and move up the food chain Start attacking peers and higher value internal targets Admin credentials Password hash cracking Network devices routers/switches/ap s Peripheral devices Printers, etc.

11 Phase 6 Covering Your Tracks Entrench and consolidate position Hidden accounts Back doors Robust C2 side channels Root Kits Stenography

12 The ARP protocol Address Resolution Protocol (ARP) is a telecommunications protocol used for resolution of network layer addresses into link layer addresses, a critical function in multiple-access networks. ARP was defined by RFC 826 in It is Internet Standard STD 37. When computers communicate across a network, the sender sends an ARP packet asking who has or knows a particular IP address. This request is broadcast to everyone on the LAN and assumes the only response will be coming from the true owner of the IP address. The protocol has no ability to validate the authenticity of the response. Additionally, there is nothing in the ARP protocol that says one has to wait for a request before sending a response!

13 MITM: Before

14 MITM: After

15 Rogue Devices

16 NewsTweek

17 NewsTweek

18 NewsTweek

19 NewsTweek

20 IPv6 Timeline: 1998 IPv6 standard is published (RFC2460) 2008 Study indicates IPv6 penetration < 1% of internet enabled hosts The last top level (/8) block of IPv4 addresses is assigned in Feb th June, World IPv6 Day. Over 1000 websites participated in a 24-hour test-flight th June. 2 nd event 10x the participation 2013 Total global 1.35% IPv4 = 2 32 ~4.2 billion (4,294,967,296) IPv6 = ~340 undecillion (3.4x10 38 ) Separated by colons 2 octets each 2a01:2b3:4:a::1 Leading zeros omitted or 340,282,366,920,938,463,463,374,607,431,768,211,456 Longest chain of :0:0: replaced with :: Subnets are /64-4,294,967,296 x the size of the internet good luck scanning for hosts! No broadcasts. Multicasts, but they are local only. IPv6 was designed using security models that are over 14 years old...

21 IPv6 Headers IPv6 is much simpler than IPv4... No Header Length No Identification No Checksum No Fragmentation No Options Every option is an extension header Fragmentation, IPSEC, Src Routing, Dest Options.... In theory What happens if I repeat a header extension? What happens if I define conflicting options? Packets can include all, some, or none of the extension headers.

22 Known IPv6 Vulnerabilities 30 IPv6 Vulnerabilities (CVE)

23 Same old problems, and some new ones... ARP Spoofing => ND Spoofing Attacker claims to be every system on the LAN DHCP => Auto configuration Attacker can set any IP as the default route, define new network prefixes, DNS servers, etc. Duplicate address detection DOS Attacker answers every NS query Kick the default router Attacker spoofs an RA from the default router with 0 lifetime & sends their own RA. All hosts now use the attackers IP Many 3 rd party firewall solutions fail open (do not support IPv6) Most new OS s have IPv6 enabled by default (Vista and above, Linux, OSX, etc) If both stacks are configured, most OS s will route traffic over IPv6 in preference to the IPv4 stack Configuring an IPv6 stack is as simple as sending out an RA multicast packet to the local LAN RA Flooding DOS attack Attacker floods the network with RA packets. Cisco ASA, Windows -Vista, -7, -2008, Cisco ASAs, Cisco IOS (Recently Fixed CSCti24526, CSCti33534), Linux (pre ) are vulnerable Little to no IPv6 monitoring on LANs Detected 17 IPv6 devices at my local coffee shop, not bad given the company does not officially support IPv6! IPv6 is a side channel today IPv6 is still an immature technology!

24 Trends Industry Trends Increasing rates of product & service delivery Increasing rate of new potential attack surfaces Diminishing product & service lifespan Lower tolerance for hardening (security testing & controls) Dissolving network boundaries Partners, cloud services, mobile devices, BYOD programs, etc. Signature based controls are rapidly becoming ineffective (IPS, AV, etc). TELUS 7.5M Mobile & 1.4M HSIA Customers Poor endpoint security + High-speed networks + High end CPUs + Personal Data = High value Targets Super Data Centers 24 03/12/2013

25 TELUS SDC Module 25 03/12/2013

26 TELUS SDC Site 26 03/12/2013

27 What s Next? Ultra high density, on demand compute fabric Cloud Computing High-speed mobile devices LTE (4G) cellular network 326Mb/s down, 85 Mb/s up Cloud based mobile thin clients Advanced Persistent Threats High stealth, sophisticated attack vectors Nation-state, criminal organizations Low-speed, high stealth, stenographic data egress Intelligent Threat Mitigation Platforms Big Data based threat detection and prevention Static code analysis & execution watchdogs Anomaly detection engines Behavioural Modelling Global Threat Intelligence Communities

28 Questions?