Web security. Live hacking demo. Rick van Tol Arthur Donkers Paul van Maaren Eilko Bos.

Transcription

1 Web security Live hacking demo Rick van Tol Arthur Donkers Paul van Maaren Eilko Bos 1

2 Overview Introduction Disclaimer (cover our...) Hackers (what are we up against?) Shift of emphasis (what do they look for?) Target assessment (how do they do it?) Demo (Show Me The Demo!) 2

3 Introduction Rick van Tol (account manager) Arthur Donkers (yours truly) Paul van Maaren (top security engineer) Eilko Bos (another top security engineer) 3

4 Introduction And Le Reseau is Microsoft owerpoint Presentatio 4

5 Disclaimer Hacking gaining unauthorized access to systems and/or data is illegal in most countries in the world. The goal of this presentation is NOT to teach you to become a criminal. Do only use the information and knowledge learned during this presentation to verify the security on your own systems and NEVER without management agreement!! 5

6 Demo setup Hacking laptop (paul) Server IIS MSSQL 6

7 Hackers? 7

8 Who are they? The kid down the street? A professional, working for criminals? A foreign intelligence agency? A disgruntled ex-employee? Your competitor? The categories overlap... 8

9 9

10 How do they work? In plain sight (script kiddies) Stealthily (be afraid, be really afraid ) From the outside From the inside By phone, internet or modem All of the above. 10

11 How do they do it Penetrationtesting Target acquisition Host discovery Portscanning Banner retrieval Intrusive techniques Exploit Securing the enterprise 11

12 With a little help and a lot of tools High Complexity Exploits Low

13 With a little help and a lot of tools High Technical skills most hackers (Script Kiddies) Low

14 With a little help and a lot of tools High Volume of attacks Low

15 Hackingdemo Step by step Using the following flowchart: 15

16 Footprinting Scanning Enumeration Gathering broad, publicly available info ARIN, IANA, Web sites Using footprint, seeing what services, ports, OS, etc. are being used From scanning results using specific OS/service techniques to gather user account/shared/exported info Penetration First real attack phase Penetration Failed Penetration Successful Either: Denial of Service attack -tactic of last resort (good job on your part) -relatively un-skilled attacker Elevation of Privileges Pilfering Data Cover Tracks Leave Back 16 Doors Attempt to become Admin/root/super-user Changing, adding, removing, copying of data Edit/erase audit logs Come back any time

17 Hackingdemo Step #0: Selecting a victim (Depends on type of hacker) Former employer ($$$/revenge??) Bad image (lot s of h4x0r credits) Well known (lot s of h4x0r credits) Visible in media (free publicity) Just browsing. 17

18 Footprinting Scanning Enumeration Gathering broad, publicly available info ARIN, IANA, Web sites Using footprint, seeing what services, ports, OS, etc. are being used From scanning results using specific OS/service techniques to gather user account/shared/exported info Penetration First real attack phase Penetration Failed Penetration Successful Either: Denial of Service attack -tactic of last resort (good job on your part) -relatively un-skilled attacker Elevation of Privileges Pilfering Data Cover Tracks Leave Back 18 Doors Attempt to become Admin/root/super-user Changing, adding, removing, copying of data Edit/erase audit logs Come back any time

19 Hackingdemo Step #1: Footprinting (Un)obtrusive information gathering using WHOIS Google DNS 19

20 Hackingdemo Step #1: Footprinting DEMO WHOIS.org WHOIS.nl 20

21 21

22 Hackingdemo Step #1: Footprinting DEMO Google 22

23 23

24 Hackingdemo Step #1: Footprinting DEMO DNS 24

25 25

26 Footprinting Scanning Gathering broad, publicly available info ARIN, IANA, Web sites Using footprint, seeing what services, ports, OS, etc. are being used Enumeration From scanning results using specific OS/service techniques to gather user account/shared/exported info Penetration First real attack phase Penetration Failed Penetration Successful Either: Denial of Service attack -tactic of last resort (good job on your part) -relatively un-skilled attacker Elevation of Privileges Pilfering Data Cover Tracks Leave Back 26 Doors Attempt to become Admin/root/super-user Changing, adding, removing, copying of data Edit/erase audit logs Come back any time

27 Portscanning In the earlier days, simply scanning one or more IP addresses for a lot of services was enough (no firewalls or hardened servers) Nowadays, firewalls are (almost) an off the shelf commodity, so network is reasonably secure, however... 27

28 Portscanning... most firewalls have holes for web applications that are running behind the firewall. So hackers target web servers and their applications, also because there may be userinformation or other interesting data to be had on, or via, the web server(s). 28

29 Portscanning This means that they scan a lot of systems for a small number of services, in stead of a small number of systems for a lot of services 29

30 Portscanning DEMO 30

31 Typical Web server set-up HTTP(S) request cleartext (encrypted) Firewall Web Client Web Server HTTP reply (HTML, Javascript, VBscript, etc) 31 Apache IIS Netscape etc

32 Potential victims September 2002: 37,585,233 sites Developer Aug-02 Percent Sep-02 Percent Apache Microsoft Zeus iplanet Source: As you can see, this is a lot of potential victims! 32

33 Potential victims Netcraft provides some information for free: OS Server IP address Linux Apache/ (Unix) (Red-Hat/Linux) mod_ssl/2.8.7 OpenSSL/0.9.6b Source: OS, Web Server and Hosting History for This information is valuable to potential hackers, it gives them a good starting point. 33

34 Web server identification Use HEAD method! RFC 2068 states: The HEAD method is identical to GET except that the server MUST NOT return a message-body in the response 34

35 Potential victims Obtain it in realtime at your potential victim: DEMO server info 35

36 Some SSL Myths We are secure because we use SSL! Strong 128 bit crypto being used We use Digital Certificates signed by VeriSign 36

37 SSL Hacking Using a simple perl script and stunnel it is possible to create a simple SSL Proxy Listen on port 80 on a host and redirect requests to port 443 on a remote host through SSL web client script openssl SSL web server 37

38 Footprinting Scanning Gathering broad, publicly available info ARIN, IANA, Web sites Using footprint, seeing what services, ports, OS, etc. are being used Enumeration From scanning results using specific OS/service techniques to gather user account/shared/exported info Penetration First real attack phase Penetration Failed Penetration Successful Either: Denial of Service attack -tactic of last resort (good job on your part) -relatively un-skilled attacker Elevation of Privileges Pilfering Data Cover Tracks Leave Back 38 Doors Attempt to become Admin/root/super-user Changing, adding, removing, copying of data Edit/erase audit logs Come back any time

39 Enumeration (or homing in) Look for vulnerabilities in web server software or its configuration, like: OpenSSL bufferoverflow (Apache) (Double) Unicode (IIS) ISAPI Printing buffer overflow (IIS) Buggy sample applications (both) 39

40 Enumeration You can test for these vulnerabilities by hand (difficult, errorprone, easy to spot) or use some automated tools like whisker, nikto, stealth. These tools offer extra options like IDS evasion to remain undetected. 40

41 Enumeration DEMO with nikto 41

42 Footprinting Scanning Enumeration Gathering broad, publicly available info ARIN, IANA, Web sites Using footprint, seeing what services, ports, OS, etc. are being used From scanning results using specific OS/service techniques to gather user account/shared/exported info Penetration First real attack phase Penetration Failed Penetration Successful Either: Denial of Service attack -tactic of last resort (good job on your part) -relatively un-skilled attacker Elevation of Privileges Pilfering Data Cover Tracks Leave Back 42 Doors Attempt to become Admin/root/super-user Changing, adding, removing, copying of data Edit/erase audit logs Come back any time

43 Penetration (Hitting the jackpot) If even the web server is safe, there is only one option left. Attack the web application served up by the webserver. This may be the most rewarding, as a web application may contain interesting stuff like CC#. 43

44 Web Applications Firewalls (and sometimes IDS) do not help!!! Most common mistakes are: Inadequate input validation Buffer overflows Wrong cookie handling Relying on SSL for a false sense of security 44

45 Typical Web Application set-up Web Client HTTP request (cleartext or SSL) Firewall Web Server Web app Web app Web app Web app SQL Database DB DB HTTP reply (HTML, Javascript, VBscript, etc) Apache IIS Netscape etc 45 Plugins: Perl C/C++ JSP, etc Database connection: ADO, ODBC, etc.

46 What firewalls cannot prevent Web Client Web Server URL Interpretation Attacks. web server misconfiguration 46

47 What firewalls cannot prevent Web app Web Client Input Validation attacks. 47 Web Server URL Interpretation attacks Web app Web app Web app poor checking of user inputs

48 What firewalls cannot prevent Web Client Web Server Web app Web app Web app Web app DB DB SQL Query Poisoning URL Interpretation attacks 48 Input Validation attacks Extend SQL statements

49 What firewalls cannot prevent Web Client Reverseengineering HTTP cookies. HTTP session hijacking. 49 Web Server Impersonation. URL Interpretation attacks Web app Web app Web app Web app Input Validation attacks DB DB SQL query poisoning

50 What firewalls (and SSL) cannot prevent DEMO SQL injection 50

51 Hacking laptop (paul) Server IIS MSSQL cmd. exe netcat (server) netcat (client) 51

52 Footprinting Scanning Enumeration Gathering broad, publicly available info ARIN, IANA, Web sites Using footprint, seeing what services, ports, OS, etc. are being used From scanning results using specific OS/service techniques to gather user account/shared/exported info Penetration First real attack phase Penetration Failed Penetration Successful Either: Denial of Service attack -tactic of last resort (good job on your part) -relatively un-skilled attacker Elevation of Privileges Pilfering Data Cover Tracks Leave Back 52 Doors Attempt to become Admin/root/super-user Changing, adding, removing, copying of data Edit/erase audit logs Come back any time

53 Things to do once you re in Once a hacker gets access he or she can do what he or she likes. First of all, elevate privileges (make sure you can access everything all of the time ) by using local system exploits, like NetDDE, HK.EXE etc.. 53

54 Things to do once you re in DEMO NetDDE exploit on W2K 54

55 Things to do once you re in Once you re Administrator (or even better, Local System), the world s your oister Copy data, delete logs, install backdoors etc. 55

56 Footprinting Scanning Enumeration Gathering broad, publicly available info ARIN, IANA, Web sites Using footprint, seeing what services, ports, OS, etc. are being used From scanning results using specific OS/service techniques to gather user account/shared/exported info Penetration First real attack phase Penetration Failed Penetration Successful Either: Denial of Service attack -tactic of last resort (good job on your part) -relatively un-skilled attacker Elevation of Privileges Pilfering Data Cover Tracks Leave Back 56 Doors Attempt to become Admin/root/super-user Changing, adding, removing, copying of data Edit/erase audit logs Come back any time

57 Make sure you can come back Hackers often leave little programs behind that make sure they can come back (so called backdoor programs) Sometimes these programs are hidden using rootkits (for Unix and Windows!) 57

58 Make sure you can come back A rootkit is a piece of software that hides itself and a number of other files on the system by catching systemcalls and modifying the data that is presented to the user. All rootkit related data is skipped so it is virtually invisible 58

59 Make sure you can come back There are a lot of rootkits, for Linux, Solaris, Windows 2000 etc Adore NT rootkit LRK5 59

60 Make sure you can come back All done so you can come back, using different RAT s (Remote Administration Tools), like sub7 60

61 Make sure you can come back DEMO sub7 61

62 Defenses Don t activate functionality in your web server that you don t need Keep your software up to date Follow the directions from vendor: Use the IIS lockdown tool: Perform regular vulnerability scans 62

63 References Hacking Exposed Windows 2000 Hacking Exposed Web Applications Le Reseau experience and knowledge base 63

64 Meer informatie Voor meer informatie en/ of vragen kunt u uiteraard altijd bij ons terecht. Le Reseau BV Bieslookstraat HH GRONINGEN Tel.: Fax: [email protected]

65 65 VRAGEN? QUESTIONS?