The Anonymous attack on HBGary. Jarib Rahman March 19 th, 2012

Similar documents
CNT4406/5412 Network Security Introduction

Cloud Security Lecture

Securing PostgreSQL From External Attack

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Oracle post exploitation techniques. László Tóth

Criteria for web application security check. Version

Password Manager with 3-Step Authentication System

Web Application Security

Penetration Testing - a way for improving our cyber security

Data Breaches and Web Servers: The Giant Sucking Sound

NETWORK SECURITY: How do servers store passwords?

Thick Client Application Security

SQL Injection January 23, 2013

Penetration: from Application down to OS

RFG Secure FTP. Web Interface

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Five Steps to Improve Internal Network Security. Chattanooga Information security Professionals

A Tokenization and Encryption based Multi-Layer Architecture to Detect and Prevent SQL Injection Attack

Sichere Software- Entwicklung für Java Entwickler

Windows passwords security

Still Aren't Doing. Frank Kim

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

SQL Injection 2.0: Bigger, Badder, Faster and More Dangerous Than Ever. Dana Tamir, Product Marketing Manager, Imperva

Internal Penetration Test

Application Security Testing. Generic Test Strategy

Datasäkerhet och integritet

Automated vulnerability scanning and exploitation

Using Microsoft Windows Authentication for Microsoft SQL Server Connections in Data Archive

Penetration Testing with Kali Linux

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

Louis Luke

Ethical Hacking and Information Security. Foundation of Information Security. Detailed Module. Duration. Lecture with Hands On Session: 90 Hours

Hack Your SQL Server Database Before the Hackers Do

Serious Threat. Targets for Attack. Characterization of Attack. SQL Injection 4/9/2010 COMP On August 17, 2009, the United States Justice

Security in the Sauce Labs Cloud. Practices and protocols used in Sauce s infrastructure and Sauce Connect

Windows Attack - Gain Enterprise Admin Privileges in 5 Minutes

Absorb Single Sign-On (SSO) V3.0

INTRUSION PROTECTION AGAINST SQL INJECTION ATTACKS USING REVERSE PROXY

OpenSSL (lab notes) Definition: OpenSSL is an open-source library containing cryptographic tools.

VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES. AUTHOR: Chema Alonso

Security Awareness For Server Administrators. State of Illinois Central Management Services Security and Compliance Solutions


Web Application Guidelines

WEB FOR PENTESTER II By Louis Nyffenegger

Five Steps to Improve Internal Network Security. Chattanooga ISSA

Web Application Report

Cyber Security. Maintaining Your Identity on the Net

Penetration Testing Report Client: Business Solutions June 15 th 2015

Protecting against modern password cracking

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Application Design and Development

FORBIDDEN - Ethical Hacking Workshop Duration

Enterprise Application Security Workshop Series

Post Exploitation. n00bpentesting.com

Pentests: Exposing real world attacks

Server Security. Contents. Is Rumpus Secure? 2. Use Care When Creating User Accounts 2. Managing Passwords 3. Watch Out For Aliases 4

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Penetration Testing: Advanced Oracle Exploitation Page 1

RACK911 Labs. Year in Review. May 6, 2014

Smartphone Pentest Framework v0.1. User Guide

Securing Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits

What is Web Security? Motivation

Next-Generation Penetration Testing. Benjamin Mossé, MD, Mossé Security

Secure Web Development Teaching Modules 1. Security Testing. 1.1 Security Practices for Software Verification

Conducting Web Application Pentests. From Scoping to Report For Education Purposes Only

Attack Frameworks and Tools

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Penetration Testing: Lessons from the Field

More about Continuous Integration:

WebCruiser Web Vulnerability Scanner User Guide

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

Security vulnerabilities in new web applications. Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant

SQL Injection for newbie

Improved Penetration Testing of Web Apps and Databases with MatriXay

Hacking the WordpressEcosystem


White Paper BMC Remedy Action Request System Security

Security Controls for the Autodesk 360 Managed Services

Discovering passwords in the memory

Improving Web Vulnerability Scanning. Daniel Zulla

Passing PCI Compliance How to Address the Application Security Mandates

Where every interaction matters.

INTRODUCTION: SQL SERVER ACCESS / LOGIN ACCOUNT INFO:

Authentication Types. Password-based Authentication. Off-Line Password Guessing

Penetration Test JSPLC. Contact: James, APS (CCNA, CEH) mail.biz

by Debasis Mohanty (Orissa, India)

SETTING UP REMOTE ACCESS ON EYEMAX PC BASED DVR.

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

Web Applications Security: SQL Injection Attack

Penetration Testing Lessons Learned. Security Research

Transcription:

The Anonymous attack on HBGary Jarib Rahman March 19 th, 2012

Backg round December 2010: Anonymous takes down corporate websites of Bank of America, MasterCard, Visa, Paypal and others. This is retaliation for these companies deciding to freeze donations/not provide services to Wikileaks. HBGary Inc. is a security firm that provides security software and services, including malware detection and analysis, secure networking, pentesting, etc. February 5, 2011: Then CEO of HBGary Federal, Aaron Barr, tells Financial Times that he managed to uncover some information i regarding Anonymous. He claims to have done this using fake identities on social networking sites. February 5-6, 2011: In retaliation, Anonymous breaks into HBGary servers, destroys its data, publishes its email, hacks into Aaron Barr's twitter account and posts his personal information, publishes his emails, takes down a website owned by HBGary owner Greg Hoglund rootkit.com, publishes its user reg istration ti database.

The Attack 1. SQL Injection to obtain user database.

Basic SQL Injection Forms which ask for information are turned into sql queries: SELECT * FROM users WHERE name = '$username' and password = '$password'; Badly written code to parse sql queries can be exploited to extract information from the database. Let's say the following code is not checked for escape characters: SELECT * FROM users WHERE name = 'admin' -- and password = ' '; This query can be generated with an input of admin'-- in the username field, with the password blank.

Basic SQL Inject tion (Continued) SELECT * FROM users WHERE name = 'admin' -- and password = ' '; -- is a comment, hence after 'admin', rest of query is commented out. Thus, there are no password checks. If the code does not check for characters such as -- then there will be no password check. Another example: SELECT * FROM users WHERE name = 'anything' or '1'='1'; If the input is anything' or '1'='1, the last ' makes the query evaluate to a boolean statement with OR in the middle, and '1'='' 1' as the second part of the statement. Always evaluates to TRUE. Queries can be generated as such by specifi ic inputs, or writing specific URLs in the case of forms using the POST method.

The Attack 1. SQL Injection to obtain user database. Specific query that was used to break into database: http://www.hbgaryfederal.com/pages.php?pagenav=2&page=27 Usernames, email addresses and password hashes were obtained.

The Attack 2. Rainbow tables to crack password hashes.

RainbowTables Used to crack password hashes to obtain password. Cryptographic hashes for common password ds are precomputed and stored in a table. Hashes of all possible passwords must be computed. If set of all passwords is S, the size of this table will be O( S n), where n is th he number of bits in the hash. This requires a lot of space, but reduction functions can be used to reduce storage significantly. ifi

Salt ting Add a bit of 'salt' to password before generating its cryptographic hash. The salt is usually a random value. This ensures that the same password used by different people will result in different hashes for each person.

Iterative Hashing Output of hash function is also hashed with the hash function, and this is repeated about a thousand times. Simple example: key = hash(password + salt) for 1 to 65536 do key = hash(key + password + salt)

The Attack 2. Rainbow tables to crack password hashes. Salting and Iterative Hashing were not use ed in HBGary database. It used MD5. CEO Aaron Barr and COO Ted Vera used very simple passwords: 6 lowercase letters and 2 numbers.

The Attack 3. Exploit password reuse. Aaron Barr and Ted Vera used same passw words for email, twitter, etc. Ted Vera's password was used to ssh into passwords. HBGary machine. Ssh did not use keys, but Ted was only a regular user. In order to escalate his privilege level to that of a superuser, a known exploit involving system libraries was used, for which patch came out in October 2010.

Refere ences [2] http://www.ft.com/intl/cms/s/0/87dc140e-3099-11e0-9de3-00144feabdc0.html#axzz1pshfw6fm [3] http://www.v3.co.uk/v3-uk/news/2030767/researcher-claims-infiltrated-anonymous-command [5] http://en.wikipedia.org/wiki/rainbow_table [6] http://kestas.kuliukas.com/rainbowtables/ kuliukas [1] http://abcnews.go.com/technology/wikileaks-anonymous-cyber- attacks/story?id=12355960&page=2#.t2wtwtu1ru0 [4] http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the- hbgary-hack.ars/ hack.ars/ [7] http://www.cisco.com/web/about/security/intelligence/sql_injection.html [8] http://www.unixwiz.net/techtips/sql-injection.htm net/techtips/sql injection htm ml

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information