Insecure IP Storage Networks

Presenter: Himanshu Dwivedi

Regional Technical Director, @stake, Inc.

BlackHat 2004

Agenda

► Insecure Network Attached Storage (NAS)
  • Introduction
  • NAS Protocols
  • NAS Attacks
  • Conclusion

Introduction

► Network Attached Storage (NAS)
  • Remote network storage supporting a local file system.
  • File systems are accessed over IP networks via NFS, CIFS, FTP, or HTTP

[Diagram: a CIFS client and an NFS client connected to a NAS device]

Exports/Shares on NAS device:
  CIFS Shares: C$, software
  NFS Exports: vol/vol1/HR, vol/vol2/Marketing

CIFS Client:
  c:\net use D: \\nas\software "" /u:""
  C:\ <local files on local machine>
  D:\ <remote files on NAS device>

NFS Client:
  mount nas:/vol/vol2/Marketing /mktg
  /etc <local files on local machine>
  /mktg <remote files on NAS device>

Introduction

► Default NAS Appliances
  • Default installations of most systems are usually weak in terms of security…
    …NAS storage appliances are no different
► Nothing new here
  • NAS storage appliances that support NFS and CIFS *also* support their weaknesses
► Assumptions of Storage Devices
  • NAS storage appliances don't fix the problems with NFS or CIFS, but rather inherit them

NAS Protocols

► NFS
  • Platform: Client/Server architecture for *nix systems
  • Purpose: Remote file sharing over IP networks
  • Weakness: Authentication, Authorization, Encryption
► CIFS
  • Platform: Client/Server architecture for Windows systems
  • Purpose: Remote file sharing over IP networks
  • Weakness: Authentication, Authorization, Encryption

NAS Attacks

► NAS: NFS and CIFS
  • Scanning
  • Enumeration
  • Anonymous Access
  • Subvert Permissions
  • Sniffing

NAS Scanning: NFS and CIFS

► NAS: Scanning
  • Scan the NAS Device
  • NFS and CIFS (SMB) ports are open

NAS Scanning: NFS and CIFS

► NAS: Scanning
  • Information Gained:
    - Listening Ports
    - Data Services (NFS, CIFS, FTP, HTTP)
    - Management Services (Telnet, SSH, HTTPS)

NAS Enumeration: NFS and CIFS

► NAS: Enumeration
  • Enumerate the NFS Mounts and CIFS Shares
    - CIFS: c:\winfo <ipaddress> -n
    - NFS: # showmount -e <ipaddress>
  • Enumerate NAS usernames
    - CIFS: c:\enum -U <ipaddress>

NAS Enumeration: NFS and CIFS

► NAS: Enumeration
  • Information Gained:
    - NAS Exports (e.g. /dev/dsk/server2fs3)
    - NAS Access (e.g. All Machines)
    - NAS Shares (C$, ETC$)
    - NAS usernames (e.g. administrator, root, etc.)

NAS Anonymous Access: NFS

► NAS: Anonymous Access
  • Connect to an NFS export with anonymous privileges
    - NFS: mount -o anon IP:volume drive:

NAS Anonymous Access: CIFS

► NAS: Anonymous Access
  • Connect to a CIFS share with anonymous privileges
    - CIFS: c:\net use * \\<ipaddress>\share "" /user:""

NAS Anonymous Access: NFS

► NAS: Anonymous Access
  • Mount the admin NFS export (vol0)
    - NFS: mount -o anon IP:volume drive:

NAS Anonymous Access

► NAS: Anonymous Access
  • Access Gained:
    - Anonymous access to NFS Exports: Data Volumes, Management Volumes
    - Anonymous access to CIFS shares: Data Volumes

NAS Demo

► NAS Demo
  • Scanning
    - Scan a NAS Storage Device
  • Enumeration
    - Enumerate Accounts, Shares, and Mounts
  • Anonymous Information
    - Gain anonymous access inside shares and mounts

NAS Subvert Permissions

► NAS: Subvert Permissions
  • Subvert CIFS or NFS file permissions with NFS weaknesses
    - Data: Subvert permissions to access data files and folders

NAS Subvert Permissions: NFS

► NAS: UID/GID (Data)
  • Subvert CIFS file permissions with NFS weaknesses
► Example
  • A large hospital uses multiple NAS filers for storage
  • Medical records for patients are stored on the NAS filer
    - By default, the filer supports both CIFS (Windows) and NFS (Unix)
  • The IT department has placed file permissions on all patient folders, restricting access to authorized users only
    - User named ‘himanshu’ should have full access
    - User named ‘hdwivedi’ should have no access

NAS Subvert Permissions: NFS

[Diagram: FILER with folders Internal Medicine, Patient Information, Pharmacology, Genetic Research, IT Support; users hdwivedi and himanshu]

► The IT department grants access to the “Patient Information” folder to the ‘himanshu’ account

► A second user, named ‘hdwivedi’, attempts to access the “Patient Information” folder under CIFS

► Since the filer supports both NFS and CIFS, any user can access the filers using NFS also

► The second user (hdwivedi) attempts to access “Patient Information” under NFS and gets denied again

► By typing “ls -al”, notice the Patient Information folder is restricted to the owner of that folder, who is the user ‘himanshu’, with a Unix UID of 6161 and GID of 30

► User ‘hdwivedi’ SUs (switch user) to root on their local machine, changing their UID to 0 and GID to 0 (god rights), and is still denied access to the folder

► User ‘hdwivedi’ edits their local /etc/passwd file and changes their UID to 6161 and GID to 30

► User ‘hdwivedi’ now attempts to access the folder called “Patient Information” and is now granted access!

NAS Subvert Permissions: NFS

► NAS Demo
  • Subvert Permission
    - Subvert CIFS permissions with NFS weaknesses
      Demo 1: Setting CIFS permissions
      Demo 2: Subvert CIFS permissions via NFS
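
The walkthrough above works because an NFS server using AUTH_SYS takes the UID and GID from the client's own RPC credential. As an added example (not from the original slides), this Python sketch parses that credential from constructed RPC call bytes and flags a source address that asserts more than one UID; the IP addresses, host names, UID 6200 and the assumption of one user per workstation are illustrative.

```python
import struct

AUTH_SYS = 1  # ONC RPC auth flavor number (RFC 5531)

def build_call(machine, uid, gid, prog=100003, vers=3, proc=0, xid=1):
    """Build constructed sample bytes: an RPC call header with AUTH_SYS creds."""
    name = machine.encode()
    body = struct.pack(">II", 0, len(name)) + name + b"\0" * (-len(name) % 4)
    body += struct.pack(">III", uid, gid, 0)               # uid, gid, no extra gids
    hdr = struct.pack(">6I", xid, 0, 2, prog, vers, proc)  # msg_type 0 = CALL
    return hdr + struct.pack(">II", AUTH_SYS, len(body)) + body + bytes(8)

def parse_auth_sys(msg):
    """Return (machinename, uid, gid) from an RPC call, or None if not AUTH_SYS."""
    if len(msg) < 32:
        return None
    _xid, mtype, rpcvers, _p, _v, _proc, flavor, clen = struct.unpack(">8I", msg[:32])
    body = msg[32:32 + clen]
    if mtype != 0 or rpcvers != 2 or flavor != AUTH_SYS or len(body) < max(clen, 8):
        return None
    nlen = struct.unpack(">I", body[4:8])[0]
    off = 8 + nlen + (-nlen % 4)                           # skip stamp + padded name
    if len(body) < off + 8:
        return None
    uid, gid = struct.unpack(">II", body[off:off + 8])     # client-asserted values
    return body[8:8 + nlen].decode(errors="replace"), uid, gid

def uid_switches(captures):
    """Map source IP -> UIDs in order seen, for IPs that asserted more than one."""
    seen = {}
    for src, msg in captures:
        cred = parse_auth_sys(msg)
        if cred and cred[1] not in seen.setdefault(src, []):
            seen[src].append(cred[1])
    return {ip: uids for ip, uids in seen.items() if len(uids) > 1}

# Constructed captures: (source IP, RPC call bytes). UID 6161 / GID 30 come from
# the slides; UID 6200 for the second user, the IPs and host names are made up.
CAPTURES = [
    ("10.0.0.5", build_call("ws5", 6161, 30)),
    ("10.0.0.7", build_call("ws7", 6200, 100)),
    ("10.0.0.7", build_call("ws7", 0, 0)),
    ("10.0.0.7", build_call("ws7", 6161, 30)),
]

if __name__ == "__main__":
    print(uid_switches(CAPTURES))
```

On multi-user hosts several UIDs per address are normal, so this heuristic only fits networks where each workstation maps to one user.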

NAS Sniffing

► NAS: Sniffing
  • CIFS
    - NTLM (downgrade attack)
    - Kerberos Tickets
  • Management
    - RSH, Telnet
  • NFS
    - Clear-text mounting

NAS Sniffing: CIFS

► NAS: Sniffing
  • Downgrade to NTLMv1

NAS Sniffing: CIFS

► NAS: Sniffing
  • Kerberos Tickets

NAS Sniffing: NFS

► NAS: Sniffing
  • Clear-text of RSH

NAS Sniffing: NFS

► NAS: Sniffing
  • Clear-text NFS

Conclusion

► Security should not overlook NAS Devices
► Supporting CIFS and NFS also means supporting their security issues
► Secure storage devices
  • Disable Clear-text management
    - Telnet, RSH, HTTP
  • Disable anonymous enumeration
    - Disable share enumeration under CIFS
    - Use aliases for NFS exports clients in /etc/hosts
  • Require strong authentication by CIFS and NFS clients
  • Enable in-line and/or at rest encryption
    - Many NAS devices support IPSec
    - 3rd party encryption devices can encrypt data at rest
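
One way to check an NFS server against the hardening points above, as an added example that is not part of the original slides: a Python audit of an export list that flags exports open to all machines, exports that accept AUTH_SYS (client-asserted UID/GID), `no_root_squash`, and `insecure`. It assumes Linux exports(5) syntax without quoted paths or line continuations; filer appliances use their own export formats, and the clients and options in the sample are constructed.

```python
import re

# Constructed sample in Linux exports(5) syntax. Paths are from the slides;
# client names, networks and options are made up.
SAMPLE_EXPORTS = """\
/vol/vol1/HR         10.1.1.0/24(rw,sec=krb5p)
/vol/vol2/Marketing  *(rw)
/vol/vol0            admin1(rw,no_root_squash) 10.1.1.0/24(ro,insecure)
"""

def audit_exports(text):
    """Return (path, client, issue) tuples for weak export settings."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = re.fullmatch(r"([^()]*)(?:\(([^()]*)\))?", spec)
            if not m:
                findings.append((path, spec, "unparsable"))
                continue
            client = m.group(1) or "*"           # "(rw)" alone means any host
            opts = [o for o in (m.group(2) or "").split(",") if o]
            sec = [o[4:].split(":") for o in opts if o.startswith("sec=")]
            flavors = sec[-1] if sec else ["sys"]  # exports(5) default is sys
            if client == "*":
                findings.append((path, client, "all-hosts"))
            if "no_root_squash" in opts:
                findings.append((path, client, "no_root_squash"))
            if "sys" in flavors:
                findings.append((path, client, "auth-sys"))
            if "insecure" in opts:
                findings.append((path, client, "insecure-port"))
    return findings

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(*finding)
```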

Questions

Himanshu Dwivedi
► [email protected]

Security Books Authored by presenter:
► Storage Security Handbook
  • (http://www.neoscale.com/English/Downloads/Storage_Security_Handbook/SSH_ToC.html)
► Implementing SSH (Wiley Publishing)
► The Complete Storage Reference, Chapter 25 (McGraw-Hill)

Storage Security Whitepaper co-authored by presenter:
► [email protected]/research/reports/index.html

Special Thanks:
► Andy, Joel, Kusum, Sudhanshu, and Neeraja

References

  • Nmap
    ► Written by Fyodor (www.insecure.org/nmap)
  • Winfo
    ► Written by Arne Vidstrom (www.ntsecurity.nu)
  • Enum
    ► Written by Jordan Ritter (www.bindview.com/razor/utilities)
  • LC5
    ► Produced by @stake R&D ([email protected])
  • Kerbsniff/Kerbcrack
    ► Written by Arne Vidstrom (www.ntsecurity.nu)
  • Ethereal
    ► Produced by Ethereal (www.ethereal.com)