Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant

Transcription

1 Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant

2 What infrastructure security really means?

3 Infrastructure Security is Making sure that your system services are always running Giving and tracking access to systems in your organization Permitting only authorized traffic to your system resources Enforcing the organization's security policy on every member Logging infrastructure events to track the status of your system Long story short, if you missed one point from the previously mentioned points you'll be jeopardizing the integrity of your whole system by being vulnerable to infrastructure attacks which can get very nasty, why? Accomplishing the right balance between the previously mentioned points can get very tricky and that's probably why there's no 100% hack proof system but we can always enhance the infrastructure security by applying different layers of security to ensure a solid defense

4 Availability Control Logging Defense Policy

5 Types of Threats That May Affect Your Infrastructure Script-Kiddie Attacks Performed by amateurs who know nothing about your setup or any setup, they just happen to know how to use some tools that does everything for them and if their tools fail to give them access to the networks they desire, they typically move on to another target and so on Threat Risk: 40% Automated Attacks Performed by automated scripts wrote by black-hat hackers to own the world 1) If they preformed by black-hat hackers then they're probably random 2) They mostly focus on brute-forcing attempts to escalate privileges to own the system and then turn it into a zombie Threat Risk: 20% Black-Hat Attacks Performed by elites who may know your setup more than you do, they wait until the perfect moment then they hit you when you're not expecting, they're barley noticeable because they barley use any tools and if they did, they use their own to only automate the PWN Threat Risk: 90% Note: Script-Kiddie and Automated attacks can be easily neutralized and stopped only if you're willing to let go of the defaults, Automated attacks at some point can get very dangerous if they're carrying a zero-day payload which affects your system, that's when their risk rises to more than 90%

6 How Black-Hat Hackers Attack Your Infrastructure? They discover your available services and locate a weak point They keep it low because they know that everything is logged They evade defenses to hit the weak point they discovered They own your system and modify the logging mechanism They may backdoor your system and obfuscate it's presence Consequences They get full Control of the Availability of your infrastructure resources, manipulate your organization Policy and most of the times you don't even know about it till they do something very stupid and believe me they rarely do! Availability Logging Defense Logging Control Policy

7 How Black-Hat Hackers Evade Your Infrastructure Defenses? Because nothing we do is perfect especially when it comes to defense mechanisms, there always will be flaws and there always will be master minds who will exploit those flaws and cause serious damage Lets play with Firewalls today for the sake of time Firewall Different Types Circuit Level Gateway They work at the Session Layer of the OSI model They monitor TCP hand-shake between the packets to determine if a requested session is legitimate There's no way for a remote computer to determine the internal private ip addresses Packet Filtering They work in the Network Layer of the OSI model They compare each packet passing through the firewall to a set of rules before it's allowed to pass through Packet filtering can be done at the router level, providing an additional layer of security Application Level Gateway They work in the Application Layer of the OSI model They examine packets at higher level and can filter application specific commands such as and get Incoming or outgoing packets can't access services for which there's no proxy The Best Firewall Type is Yet to Come!

8 Stateful Multilayer Inspection They combine the aspects of the other three types as they filter packets at the Network, Transport and Application Layers and allow packets to pass though only if they pass them all Discovering The Existence of a Firewall Sometimes firewalls show their presence and you don't have to perform miracles to detect them but most of the time they're configured to blend into the infrastructure to make it harder on the intruders to detect them Detecting The Existence of a Hidden Firewall Can Accomplished by Scanning the ports of your target then analyzing the response using tools like Nmap or Scappy for example Using Firewalking which is similar to traceroute and works by sending TCP or UDP packets that have TTL set at one hop greater than the targeted firewall Now Lets Try to Bypass This Sneaky Firewall ICMP Tunneling ACK Tunneling HTTP Tunneling MITM Attack

9 Bypassing Firewalls Using ICMP Tunneling According to RFC 792 which delineates ICMP operation, the data portion of ICMP echo requests and responses are unimportant to the protocol and may legally contain anything Malicious payload gets injected in the data portion of an ICMP packet Most of firewalls won't examine the data portion of ICMP packet The payload passes through and exploits the identified weak point Malicious payload toke advantage of the data portion, evaded the firewall and affected the private network users Firewall Affected Victim Private Network Public Network

10 Bypassing Firewalls Using ACK Tunneling Some firewalls don't check packets that has the ACK flag set because packets with the ACK flag set are supposed to be a response to a legitimate traffic that's already allowed through Malicious payload gets injected in a TCP packet that has the ACK flag set Most of firewalls won't examine packets that has the ACK flag set The payload passes through and exploits the identified weak point Malicious payload toke advantage of the ACK flag, evaded the firewall and affected the private network users Firewall Affected Victim Private Network Public Network

11 Bypassing Firewalls Using HTTP Tunneling Many firewalls don't examine the payload of an HTTP packet because it's already allowed through that's why it's possible to tunnel traffic through port 80 in-case there's a web web-server Malicious payload gets tunneled through the unfiltered TCP port 80 Most of firewalls won't examine the payload of an HTTP packet The payload passes through and exploits the identified weak point Malicious payload toke advantage of the unfiltered port 80, evaded the firewall and affected the private network users Firewall Affected Victim Private Network Public Network

12 Bypassing Firewalls Using MITM Attack Private network hosts can be directed to malicious servers by poisoning their DNS server, if the attacker passed the traffic to the legitimate server then he's in between, the victim and the server The attacker injects his malicious payload into the requested web-page Most of firewalls won't detect the payload because it's already permitted The payload passes through and exploits the identified weak point Malicious payload toke advantage of the MITM attack, evaded the firewall and affected the private network users Firewall Malicious Server Legitimate Server Affected Victim

13 Best Practices and Countermeasures Customs are harder to predict so make sure to lose all defaults Terminate any unused services to decrease the attack surface Disable file execution permanently in TMP partition using fstab Don't give permissions more than needed to complete the job Enforce security policy for all devices across your network Track legitimate activity to predict problems before they occur Deploy layers of DDOS traps even if they're not that effective Chroot jail dangerous services that may get exploited or abused Manage, monitor and process your infrastructure services Secure services that may get brute-forced like SSH, Dovecot Monitor socket connections and filter all unused open ports Think of the failing factor and apply different layers of security Log all infrastructure events and automate result monitoring Maintain security vulnerability awareness and patch ASAP Try to trap hackers in honeybots to learn their attack patterns That's Not All, There's Still More

14 Thanks and Have a Good Day