Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant




What Does Infrastructure Security Really Mean?

Infrastructure security is:
- Making sure that your system services are always running
- Giving and tracking access to systems in your organization
- Permitting only authorized traffic to your system resources
- Enforcing the organization's security policy on every member
- Logging infrastructure events to track the status of your system

Long story short, if you miss one of the points above you jeopardize the integrity of your whole system by becoming vulnerable to infrastructure attacks, which can get very nasty. Why? Striking the right balance between these points can get very tricky, and that's probably why there is no 100% hack-proof system. We can always improve infrastructure security, though, by applying different layers of security to ensure a solid defense.

Availability, Control, Logging, Defense, Policy

Types of Threats That May Affect Your Infrastructure

Script-Kiddie Attacks
Performed by amateurs who know nothing about your setup, or any setup; they just happen to know how to use some tools that do everything for them. If their tools fail to give them access to the networks they desire, they typically move on to another target, and so on.
Threat Risk: 40%

Automated Attacks
Performed by automated scripts written by black-hat hackers to own the world.
1) If they are performed by black-hat hackers then they're probably random
2) They mostly focus on brute-forcing attempts to escalate privileges, own the system and then turn it into a zombie
Threat Risk: 20%

Black-Hat Attacks
Performed by elites who may know your setup better than you do. They wait until the perfect moment and then hit you when you're not expecting it. They're barely noticeable because they barely use any tools, and when they do, they use their own, only to automate the pwn.
Threat Risk: 90%

Note: Script-Kiddie and Automated attacks can be easily neutralized and stopped, but only if you're willing to let go of the defaults. Automated attacks can at some point get very dangerous if they carry a zero-day payload which affects your system; that's when their risk rises to more than 90%.

How Do Black-Hat Hackers Attack Your Infrastructure?
- They discover your available services and locate a weak point
- They keep it low because they know that everything is logged
- They evade defenses to hit the weak point they discovered
- They own your system and modify the logging mechanism
- They may backdoor your system and obfuscate its presence

Consequences
They get full control of the Availability of your infrastructure resources, manipulate your organization's Policy, and most of the time you don't even know about it until they do something very stupid, and believe me, they rarely do!
(Affected: Availability, Logging, Defense, Control, Policy)

How Do Black-Hat Hackers Evade Your Infrastructure Defenses?
Because nothing we do is perfect, especially when it comes to defense mechanisms, there will always be flaws, and there will always be masterminds who exploit those flaws and cause serious damage. Let's play with firewalls today, for the sake of time.

Firewall Types

Circuit Level Gateway
- Works at the Session Layer of the OSI model
- Monitors the TCP handshake between packets to determine whether a requested session is legitimate
- There's no way for a remote computer to determine the internal private IP addresses

Packet Filtering
- Works at the Network Layer of the OSI model
- Compares each packet passing through the firewall to a set of rules before it's allowed through
- Packet filtering can be done at the router level, providing an additional layer of security

Application Level Gateway
- Works at the Application Layer of the OSI model
- Examines packets at a higher level and can filter application-specific commands such as HTTP POST and GET
- Incoming or outgoing packets can't access services for which there's no proxy

The Best Firewall Type Is Yet to Come!

Stateful Multilayer Inspection
- Combines aspects of the other three types: it filters packets at the Network, Transport and Application Layers and allows a packet through only if it passes all of them

Discovering the Existence of a Firewall
Sometimes firewalls show their presence and you don't have to perform miracles to detect them, but most of the time they're configured to blend into the infrastructure to make it harder for intruders to detect them.

Detecting the existence of a hidden firewall can be accomplished by:
- Scanning the ports of your target and then analyzing the responses, using tools like Nmap or Scapy for example
- Firewalking, which is similar to traceroute and works by sending TCP or UDP packets with the TTL set to one hop greater than the targeted firewall

Now Let's Try to Bypass This Sneaky Firewall
- ICMP Tunneling
- ACK Tunneling
- HTTP Tunneling
- MITM Attack

Bypassing Firewalls Using ICMP Tunneling
According to RFC 792, which defines ICMP operation, the data portion of ICMP echo requests and replies is unimportant to the protocol and may legally contain anything.
- Malicious payload gets injected into the data portion of an ICMP packet
- Most firewalls won't examine the data portion of an ICMP packet
- The payload passes through and exploits the identified weak point
The malicious payload took advantage of the data portion, evaded the firewall and affected the private network users.
[Diagram: Public Network | Firewall | Private Network | Affected Victim]
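The defensive counterpart to the slide above is to actually look at the echo data the firewall ignores. The following is an added example, not code from the original deck: it parses constructed IPv4/ICMP frames, compares each echo payload with the default fill patterns of common ping tools (a hypothetical classifier written for this page), and reports anything else as suspicious together with its size and entropy.

```python
import math
import struct

WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"   # default Windows ping data

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    freqs = [data.count(bytes([b])) / len(data) for b in set(data)]
    return -sum(p * math.log2(p) for p in freqs)

def build_echo(icmp_type: int, payload: bytes) -> bytes:
    """Constructed IPv4 + ICMP frame; checksums are left zero and not verified."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 5]), bytes([203, 0, 113, 7]))
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)   # type, code, csum, id, seq
    return ip + icmp + payload

def is_linux_ping(payload: bytes) -> bool:
    """iputils ping data: 16-byte timestamp, then each byte equals its offset."""
    expected = bytes(i & 0xFF for i in range(16, len(payload)))
    return len(payload) >= 16 and payload[16:] == expected

def classify_icmp(frame: bytes):
    """Verdict dict for one IPv4 frame, or None if it is not an ICMP echo."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 1 or frame[ihl] not in (0, 8):    # protocol 1 = ICMP; 8/0 = echo
        return None
    payload = frame[ihl + 8:]
    if is_linux_ping(payload):
        verdict = "standard-linux"
    elif payload == WINDOWS_PATTERN:
        verdict = "standard-windows"
    else:
        verdict = "suspicious"   # unknown fill: worth logging, alerting or rate-limiting
    return {"type": frame[ihl], "size": len(payload),
            "entropy": round(entropy(payload), 2), "verdict": verdict}

def scan(frames):
    """Classify every ICMP echo in a list of frames, skipping non-echo frames."""
    return [v for v in map(classify_icmp, frames) if v is not None]

# Constructed samples: a Linux ping, a Windows ping, and an echo reply whose
# data matches no ping pattern (stand-in for a tunnelled payload).
SAMPLE_FRAMES = [
    build_echo(8, bytes(16) + bytes(range(16, 56))),
    build_echo(8, WINDOWS_PATTERN),
    build_echo(0, bytes((i * 73 + 41) % 256 for i in range(200))),
]
```

Real ping implementations accept custom sizes and patterns, so treat the "suspicious" verdict as a trigger for inspection and rate limiting rather than an automatic block.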

Bypassing Firewalls Using ACK Tunneling
Some firewalls don't check packets that have the ACK flag set, because packets with the ACK flag set are supposed to be a response to legitimate traffic that's already allowed through.
- Malicious payload gets injected into a TCP packet that has the ACK flag set
- Most firewalls won't examine packets that have the ACK flag set
- The payload passes through and exploits the identified weak point
The malicious payload took advantage of the ACK flag, evaded the firewall and affected the private network users.
[Diagram: Public Network | Firewall | Private Network | Affected Victim]
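This small simulation, added here and not part of the original deck, ties the ACK tunneling slide back to the firewall types slide: the same constructed three-packet trace is run through a stateless packet filter that trusts any inbound packet with ACK set, and through a stateful filter that only admits inbound packets matching a connection the private side opened. The addresses, ports and the `Packet`/`StatefulFilter` names are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK"}
    direction: str     # "out" = private -> public, "in" = public -> private

def stateless_allow(pkt: Packet) -> bool:
    """Plain packet filter with the rule the slide describes: anything inbound
    with ACK set is assumed to be a reply to permitted traffic."""
    return pkt.direction == "out" or "ACK" in pkt.flags

class StatefulFilter:
    """Records connections the private side opens and admits inbound packets
    only when they match a recorded connection (stateful inspection)."""
    def __init__(self):
        self.sessions = set()   # (private_ip, private_port, remote_ip, remote_port)

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            if "SYN" in pkt.flags:
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: the reversed 4-tuple must already be in the state table.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

def evaluate(trace):
    """Return (stateless_decision, stateful_decision) for every packet in order."""
    stateful = StatefulFilter()
    return [(stateless_allow(p), stateful.allow(p)) for p in trace]

# Constructed trace: one legitimate outbound HTTPS connection and its reply,
# then an unsolicited inbound packet with only ACK set (the ACK-tunneling case).
TRACE = [
    Packet("10.0.0.5", "203.0.113.7", 50000, 443, frozenset({"SYN"}), "out"),
    Packet("203.0.113.7", "10.0.0.5", 443, 50000, frozenset({"SYN", "ACK"}), "in"),
    Packet("198.51.100.9", "10.0.0.5", 4444, 445, frozenset({"ACK"}), "in"),
]

if __name__ == "__main__":
    for pkt, (sl, st) in zip(TRACE, evaluate(TRACE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {sorted(pkt.flags)} "
              f"stateless={'ALLOW' if sl else 'DROP'} stateful={'ALLOW' if st else 'DROP'}")
```

The third packet is the whole point: the stateless filter lets it through on the strength of the ACK flag alone, while the stateful filter drops it because no private host ever opened a connection to 198.51.100.9:4444.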

Bypassing Firewalls Using HTTP Tunneling
Many firewalls don't examine the payload of an HTTP packet because it's already allowed through; that's why it's possible to tunnel traffic through port 80 in case there's a web server.
- Malicious payload gets tunneled through the unfiltered TCP port 80
- Most firewalls won't examine the payload of an HTTP packet
- The payload passes through and exploits the identified weak point
The malicious payload took advantage of the unfiltered port 80, evaded the firewall and affected the private network users.
[Diagram: Public Network | Firewall | Private Network | Affected Victim]

Bypassing Firewalls Using a MITM Attack
Private network hosts can be directed to malicious servers by poisoning their DNS server; if the attacker then passes the traffic on to the legitimate server, he's in between the victim and the server.
- The attacker injects his malicious payload into the requested web page
- Most firewalls won't detect the payload because it's already permitted
- The payload passes through and exploits the identified weak point
The malicious payload took advantage of the MITM attack, evaded the firewall and affected the private network users.
[Diagram: Affected Victim | Firewall | Malicious Server http://www.evil.com | Legitimate Server http://www.ask.com]

Best Practices and Countermeasures
- Customs are harder to predict, so make sure to lose all defaults
- Terminate any unused services to decrease the attack surface
- Disable file execution permanently on the TMP partition using fstab
- Don't give more permissions than needed to complete the job
- Enforce the security policy for all devices across your network
- Track legitimate activity to predict problems before they occur
- Deploy layers of DDoS traps even if they're not that effective
- Chroot jail dangerous services that may get exploited or abused
- Manage, monitor and process your infrastructure services
- Secure services that may get brute-forced, like SSH and Dovecot
- Monitor socket connections and filter all unused open ports
- Think of the failing factor and apply different layers of security
- Log all infrastructure events and automate result monitoring
- Maintain security vulnerability awareness and patch ASAP
- Try to trap hackers in honeypots to learn their attack patterns

That's Not All, There's Still More
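The fstab item above is the one countermeasure on this list that is easy to verify mechanically. The following audit script is an added example, not the author's code: it parses a constructed fstab (read /etc/fstab on a real host instead), reports which of the noexec, nosuid and nodev options the temp mountpoints still lack, and suggests the merged option string; the `audit_tmp`/`hardened_options` names are assumptions for this example.

```python
REQUIRED_TMP_OPTS = {"noexec", "nosuid", "nodev"}

# Constructed fstab: /tmp and /var/tmp exist but carry no hardening options.
CONSTRUCTED_FSTAB = """\
# <file system>  <mount point>  <type>  <options>          <dump> <pass>
UUID=1111-aaaa   /              ext4    errors=remount-ro  0      1
tmpfs            /tmp           tmpfs   defaults,size=512m 0      0
UUID=2222-bbbb   /var/tmp       ext4    defaults           0      2
"""

def parse_fstab(text: str):
    """Yield (device, mountpoint, fstype, options_set) for each real entry."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 4:
            yield fields[0], fields[1], fields[2], set(fields[3].split(","))

def audit_tmp(text: str, mountpoints=("/tmp", "/var/tmp")) -> dict:
    """Map each temp mountpoint to the hardening options it still lacks.
    A mountpoint with no fstab entry is reported as lacking all of them,
    since it then inherits the (executable) options of its parent filesystem."""
    present = {mp: opts for _, mp, _, opts in parse_fstab(text) if mp in mountpoints}
    return {mp: sorted(REQUIRED_TMP_OPTS - present.get(mp, set())) for mp in mountpoints}

def hardened_options(opts: set) -> str:
    """Option string with the required flags merged in, for a corrected entry."""
    return ",".join(sorted(opts | REQUIRED_TMP_OPTS))

if __name__ == "__main__":
    for mp, missing in audit_tmp(CONSTRUCTED_FSTAB).items():
        print(f"{mp}: {'OK' if not missing else 'missing ' + ','.join(missing)}")
    for dev, mp, fstype, opts in parse_fstab(CONSTRUCTED_FSTAB):
        if mp in ("/tmp", "/var/tmp"):
            print(f"suggested: {dev} {mp} {fstype} {hardened_options(opts)} 0 0")
```

Some package installers and build tools expect an executable /tmp, so test the noexec mount on a staging host before enforcing it everywhere.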

Thanks and Have a Good Day