Web security: Live hacking demo
Rick van Tol, Arthur Donkers, Paul van Maaren, Eilko Bos
http://www.reseau.nl/
Overview
- Introduction
- Disclaimer (cover our...)
- Hackers (what are we up against?)
- Shift of emphasis (what do they look for?)
- Target assessment (how do they do it?)
- Demo (Show Me The Demo!)
Introduction
- Rick van Tol (account manager) rick@reseau.nl
- Arthur Donkers (yours truly) arthur@reseau.nl
- Paul van Maaren (top security engineer) paul@reseau.nl
- Eilko Bos (another top security engineer) eilko@reseau.nl
Introduction
- And Le Reseau is ... [embedded presentation object, contents not recoverable]
Disclaimer
Hacking (gaining unauthorized access to systems and/or data) is illegal in most countries in the world. The goal of this presentation is NOT to teach you to become a criminal. Only use the information and knowledge learned during this presentation to verify the security of your own systems, and NEVER without management agreement!!
Demo setup
- Hacking laptop (paul)
- Server: IIS, MSSQL
Hackers?
Who are they?
- The kid down the street?
- A professional, working for criminals?
- A foreign intelligence agency?
- A disgruntled ex-employee?
- Your competitor?
- The categories overlap...
How do they work?
- In plain sight (script kiddies)
- Stealthily (be afraid, be really afraid)
- From the outside
- From the inside
- By phone, internet or modem
- All of the above.
How do they do it? Penetration testing:
- Target acquisition
- Host discovery
- Portscanning
- Banner retrieval
- Intrusive techniques
- Exploit
- Securing the enterprise
With a little help and a lot of tools
[chart: complexity of exploits, 1975-2000, y-axis High to Low]
[chart: technical skills of most hackers (script kiddies), 1975-2000, y-axis High to Low]
[chart: volume of attacks, 1975-2000, y-axis High to Low]
Hacking demo: Step by step
Using the following flowchart:
- Footprinting: gathering broad, publicly available info (ARIN, IANA, web sites)
- Scanning: using the footprint, seeing what services, ports, OS, etc. are being used
- Enumeration: from scanning results, using specific OS/service techniques to gather user account/shared/exported info
- Penetration: first real attack phase
  - Penetration failed, either: Denial of Service attack (tactic of last resort: good job on your part, relatively unskilled attacker)
  - Penetration successful:
    - Elevation of privileges: attempt to become Admin/root/super-user
    - Pilfering data: changing, adding, removing, copying of data
    - Cover tracks: edit/erase audit logs
    - Leave back doors: come back any time
Hacking demo, Step #0: Selecting a victim (depends on type of hacker)
- Former employer ($$$/revenge??)
- Bad image (lots of h4x0r credits)
- Well known (lots of h4x0r credits)
- Visible in media (free publicity)
- Just browsing.
Hacking demo, Step #1: Footprinting
(Un)obtrusive information gathering using:
- WHOIS
- Google
- DNS
Hacking demo, Step #1: Footprinting
DEMO: WHOIS.org, WHOIS.nl
Hacking demo, Step #1: Footprinting
DEMO: Google
Hacking demo, Step #1: Footprinting
DEMO: DNS
Portscanning
In the early days, simply scanning one or more IP addresses for a lot of services was enough (no firewalls or hardened servers). Nowadays, firewalls are (almost) an off-the-shelf commodity, so the network is reasonably secure, however...
Portscanning
... most firewalls have holes for web applications that are running behind the firewall. So hackers target web servers and their applications, also because there may be user information or other interesting data to be had on, or via, the web server(s).
Portscanning
This means that they scan a lot of systems for a small number of services, instead of a small number of systems for a lot of services.
Portscanning
DEMO
Typical web server set-up
[diagram] Web client --HTTP(S) request, cleartext (encrypted)--> Firewall --> Web server (Apache, IIS, Netscape, etc.); HTTP reply (HTML, JavaScript, VBScript, etc.) back to the web client
Potential victims
September 2002: 37,585,233 sites

Developer   Aug-02     Percent   Sep-02     Percent
Apache      22859123   63.51     21421748   59.91
Microsoft    9139785   25.39     10433095   29.18
Zeus          765115    2.13       742781    2.08
iPlanet       486868    1.35       485818    1.36

Source: http://www.netcraft.com/survey/
As you can see, this is a lot of potential victims!
Potential victims
Netcraft provides some information for free (OS, web server and hosting history for www.reseau.nl):

OS      Server                                                              IP address
Linux   Apache/1.3.23 (Unix) (Red-Hat/Linux) mod_ssl/2.8.7 OpenSSL/0.9.6b   193.78.174.91

Source: http://www.netcraft.com/
This information is valuable to potential hackers; it gives them a good starting point.
Web server identification
Use the HEAD method! RFC 2068 states: "The HEAD method is identical to GET except that the server MUST NOT return a message-body in the response."
Potential victims
Obtain it in real time at your potential victim:
DEMO: server info
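The HEAD-based banner check described in the two slides above, as an added example that is not part of the presentation: it parses a HEAD response, lists the product/version tokens the Server header discloses (so an administrator can verify what their own server leaks), and can issue the HEAD request itself. The function names and the sample response are constructed for this example; the banner string is the one quoted on the Netcraft slide.

```python
import http.client
import re

# RFC 2068 Server header: product tokens like "Apache/1.3.23", with comments in
# parentheses such as "(Unix)"; the comments are dropped before matching.
PRODUCT_RE = re.compile(r"([A-Za-z_][\w.-]*)/([\w.-]+)")
COMMENT_RE = re.compile(r"\([^)]*\)")

def parse_head_response(raw: bytes) -> dict:
    """Parse the status line and headers of a HEAD response; a body is an error."""
    head, _, body = raw.partition(b"\r\n\r\n")
    if body:
        # RFC 2068: the server MUST NOT return a message-body for HEAD.
        raise ValueError("unexpected message body in HEAD response")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers}

def banner_versions(server_header: str) -> list:
    """Return the (product, version) pairs a Server header discloses."""
    return PRODUCT_RE.findall(COMMENT_RE.sub("", server_header))

def banner_discloses_versions(server_header: str) -> bool:
    """True when any product token carries a version number (a hardening finding)."""
    return any(re.search(r"\d", ver) for _, ver in banner_versions(server_header))

def fetch_server_banner(host: str, port: int = 80, use_tls: bool = False) -> str:
    """Send HEAD / to a server you administer and return its Server header."""
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=5)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Server", "")
    finally:
        conn.close()

# Constructed HEAD response carrying the banner quoted on the Netcraft slide.
SAMPLE_HEAD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/1.3.23 (Unix) (Red-Hat/Linux) mod_ssl/2.8.7 OpenSSL/0.9.6b\r\n"
    b"Content-Type: text/html\r\n\r\n"
)
```

Running banner_discloses_versions over the Server header of your own hosts tells you whether the footprinting step gets version numbers for free; a server configured to send only a product name (or nothing) is not flagged.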
Some SSL myths
- We are secure because we use SSL!
- Strong 128 bit crypto is being used
- We use digital certificates signed by VeriSign
SSL hacking
Using a simple Perl script and stunnel it is possible to create a simple SSL proxy: listen on port 80 on a host and redirect requests to port 443 on a remote host through SSL.
[diagram] web client --> script --> openssl --> SSL web server
Enumeration (or homing in)
Look for vulnerabilities in web server software or its configuration, like:
- OpenSSL buffer overflow (Apache)
- (Double) Unicode (IIS)
- ISAPI Printing buffer overflow (IIS)
- Buggy sample applications (both)
Enumeration
You can test for these vulnerabilities by hand (difficult, error-prone, easy to spot) or use some automated tools like whisker, nikto, stealth. These tools offer extra options like IDS evasion to remain undetected.
Enumeration
DEMO with nikto
Penetration (hitting the jackpot)
If the web server itself is safe, there is only one option left: attack the web application served up by the web server. This may be the most rewarding, as a web application may contain interesting stuff like credit card numbers (CC#).
Web applications
Firewalls (and sometimes IDS) do not help!!!
Most common mistakes are:
- Inadequate input validation
- Buffer overflows
- Wrong cookie handling
- Relying on SSL for a false sense of security
Typical web application set-up
[diagram] Web client --HTTP request (cleartext or SSL)--> Firewall --> Web server (Apache, IIS, Netscape, etc.) --> Web apps (plugins: Perl, C/C++, JSP, etc.) --database connection (ADO, ODBC, etc.)--> SQL database (DB, DB); HTTP reply (HTML, JavaScript, VBScript, etc.) back to the web client
What firewalls cannot prevent
[diagram, built up over four slides: Web client --> Web server --> Web apps --> DB]
- At the web server: URL interpretation attacks (web server misconfiguration)
- At the web application: input validation attacks (poor checking of user inputs)
- At the database: SQL query poisoning (extending SQL statements)
- At the web client: reverse-engineering HTTP cookies, HTTP session hijacking, impersonation
What firewalls (and SSL) cannot prevent
DEMO: SQL injection
[diagram] Hacking laptop (paul) <--> Server (IIS, MSSQL); cmd.exe, netcat (server), netcat (client)
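The "extend SQL statements" mistake behind the SQL injection demo, as an added example that is not part of the presentation: a login query built by string concatenation next to the same query with bound parameters, run against an in-memory SQLite table instead of the demo's MSSQL server. The users table, its rows and the function names are constructed for this example.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Build a small users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn

def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Builds the statement by concatenation: user input becomes part of the SQL."""
    query = ("SELECT name, role FROM users WHERE name = '" + name
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchall()

def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Binds user input as parameters: the input can never extend the statement."""
    query = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchall()

def demo() -> dict:
    """Run a valid login and a crafted one through both versions of the query."""
    conn = make_db()
    # A quote in the input closes the string literal and rewrites the WHERE clause
    # in the concatenated version; the bound version treats it as plain text.
    crafted = "' OR '1'='1"
    return {
        "valid_vuln": login_vulnerable(conn, "alice", "s3cret"),
        "valid_safe": login_parameterized(conn, "alice", "s3cret"),
        "crafted_vuln": login_vulnerable(conn, crafted, crafted),
        "crafted_safe": login_parameterized(conn, crafted, crafted),
    }
```

The concatenated query matches every row for the crafted input, which is the "extend SQL statements" failure the firewall and SSL cannot see; the parameterized query returns nothing because the quote is data, not SQL.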
Things to do once you're in
Once a hacker gets access he or she can do what he or she likes. First of all, elevate privileges (make sure you can access everything all of the time) by using local system exploits, like NetDDE, HK.EXE etc.
Things to do once you're in
DEMO: NetDDE exploit on W2K
Things to do once you're in
Once you're Administrator (or even better, Local System), the world's your oyster: copy data, delete logs, install backdoors etc.
Make sure you can come back
Hackers often leave little programs behind that make sure they can come back (so-called backdoor programs). Sometimes these programs are hidden using rootkits (for Unix and Windows!).
Make sure you can come back
A rootkit is a piece of software that hides itself and a number of other files on the system by catching system calls and modifying the data that is presented to the user. All rootkit-related data is skipped, so it is virtually invisible.
Make sure you can come back
There are a lot of rootkits, for Linux, Solaris, Windows 2000 etc.:
- Adore
- NT rootkit
- LRK5
Make sure you can come back
All done so you can come back, using different RATs (Remote Administration Tools), like sub7.
Make sure you can come back
DEMO: sub7
Defenses
- Don't activate functionality in your web server that you don't need
- Keep your software up to date
- Follow the directions from the vendor: www.microsoft.com/technet/security/prodtech/iissec.asp
- Use the IIS lockdown tool: www.microsoft.com/technet/security/tools/locktool.asp
- Perform regular vulnerability scans
References
- Hacking Exposed Windows 2000
- Hacking Exposed Web Applications
- http://www.microsoft.com/technet/security/current.asp
- Le Reseau experience and knowledge base
More information
For more information and/or questions you can of course always contact us.
Le Reseau BV
Bieslookstraat 31
9731 HH GRONINGEN
Tel.: 050-5492701
Fax: 050-5492310
info@reseau.nl
www.reseau.nl
www.esecure.nl
Questions?