DC Phone Home
Defcon, Las Vegas 2002
Chris Davis, CISSP
RedSiren, Reston, VA
Aaron Higbee, CISSP
Foundstone, Washington DC
Overview
180-Degree Hacking
Phone Home
Developed Platforms
  Sega Dreamcast
  Compaq iPAQ
  x86 Bootable CD
Demonstrations
Remedies
www.dcphonehome.com
  This Presentation
  Sega Dreamcast Distribution
  iPAQ Distribution
  x86 Bootable CD-Rom
Assumptions
Linux
General Computer Architecture
TCP/IP
General Information Security Concepts
Firewalls / NAT / Private Addressing
VPNs
Proxies
Common hax0r toolz
Conventional Enterprise Security
Firewall
Network Address Translation
Private Addressing – RFC1918
DMZ
Higher End Enterprise Security
IDS (managed?)
VPNs, Remote Access
Strong Authentication
Proxies, URL filtering
Content-checking (email virus)
Security Personnel
Security Consulting
Hard Crunchy Outside
Soft CHEWY Center
The Problem
Networks go both ways: in and out
The focus is on perimeter network security instead of the data contained within
Even hackers are focused on the perimeter instead of the data
  Apache
  OpenSSH
Firewalls
What can they do?
  Enforcing inbound connection policies
  DMZ
  NAT
  Authentication
  VPN Gateways for remote users
  Restricting some outbound traffic
Proxies
Used to enhance network performance
Limited content-checking features
Mostly have to allow outbound tcp/80
  Soap
  DAV
  HTTP-U
  30+ in development
Network Intrusion Detection
Exists to help identify and respond to hack attempts in a timely manner
Mostly focused on listening for incoming attacks
Signature-based detection
  Must be aware of particular attack to identify it
Anomaly protocol detection only detects anomalies
WTF is that!?
The Soft Chewy Center
Outbound connections are believed to be initiated by employees
Companies need their employees to use the Internet
Physical security is ‘good enough’
Outside = Bad, Inside = Good
The “Computer” Concept
Fits on a desk or in your lap
Runs Windows
WRONG! A “Computer” is a general purpose architecture
  Tivo
  Cell Phones
  Printers
  Cable Boxes
  Copiers
  Game Consoles
  Vending Machines
180-Degree Hacking
Why hack the network? Bring it home!
Based on the following principles:
  FIREWALLS ARE POINTLESS
  Delivery
    Physical access
    Zero-day sploit
    The Internet
    Stupid user tricks
Firewalls Are Worthless
In 180-degree hacking, firewalls are transparent
Data is tunneled through an authorized protocol or via encrypted transport
Firewalls are two-way
They can’t block ALL traffic
Physical Access
Physical access is trivial to obtain (seriously)
Especially for short periods of time [5 min]
Creativity and planning are the only limiting factors
Super Stealth Method
Creativity Continued…
The Smoke Screen
Piggy Back
0-day sploit
Same-ole Same-ole
Boring
Anybody, and Everybody
  Apache
  Openssh
BNC and dDoS… is the best you can do!? Get Creative!
180-Degree Hacking: Post-Delivery
Discover network
Enumerate outbound traffic
Phone Home
180-Degree Hacking: Similar Concepts
P2P File-sharing
  WinMX
  Bearshare
Chat Appz
  Aim
Remote Desktops
  GoToMyPC.com
180-Degree Hacking: Network Discovery
Network Auto-Configuration (DHCP)
  -> Enumerate Allowed Outbound Traffic (80, 443, udp/53, ICMP, etc.)
  -> Write Results To /dcph_info.txt
180-Degree Hacking: Analysis
Analyze dcph_info.txt
  80 open?   Yes -> Start VTun
  443 open?  Yes -> Start VTun
  53 open?   Yes -> Start cIPe
  ICMP open? Yes -> Start icmptunnel
  None open  -> Go to Proxy Finder
180-Degree Hacking: Proxy Finder
Proxy Finder
  DNS Zone Transfer
  Reverse Lookup Range
  grep proxy, pxy
  squid? -> Http-tunnel
180-Degree Hacking: Delivery Types
Drop-n-go hardware
  SEGA Dreamcast
  Compaq iPAQ
Software
  Bootable x86 CD-Rom
Remote Exploit
  duh
DC Phone Home
Why the hell did we pick a Dreamcast!?
Innocuous: doesn’t it just play games?
Cheap: under $100 for everything
10/100 Ethernet: made just for hacking
Powerful processor
Rumors of a Linux port
Crazy Taxi got boring
Dreamcast Architecture
Hitachi SH4 Core Processor @200MHz
16MB RAM
CD-ROM
10/100 RTL-8931 Ethernet
Keyboard (pretty useful)
Dreamcast Development
Building the distro
  RPMs from www.sh-linux.org
  X-Compile Toolchain
  Kernel patching and compiling
    Experimental support in recent 2.4 kernels
    Linux development waning since DC was discontinued
Compiling Toolz
  Limited RAM prevents native compilation
Compaq iHACK Architecture
Compaq iPAQ 3765
StrongARM 206MHz core processor
64MB RAM
32MB Flash ROM
Dual-Slot PCMCIA Expansion Pack
USB/Serial Interface
10/100 Ethernet and 802.11b capable
Compaq iHACK Development
Linux Support
  ARM proc support in kernel since 2.2.x
  Large group of Linux developers
  www.handhelds.org
Functional distribution available
  Used Familiar v0.5.2
Native compiler
  Independent development platform
x86 Bootable CD
Trinux
  Supports many types of hardware
  Runs on virtually any PC
  20meg ISO
  Kernel 2.4.5
  Easily modified
Toolz
Network Autoconfig
  DHCP
Scanning
  netcat
  nmap
Sniffing
  PHoss
  ngrep
  tcpdump
Tunneling
  VTun
  CIPE
  httptunnel
  icmptunnel
  stunnel
  ppp
  ssh
Common Tools
  host
  nslookup
  shell scripting
  sed
  cut
  tr
Phoning Home Simplified
Delivery
Booting
Network autoconfiguration
Network discovery
Enumeration
Tunneling
Demos
Enough chit-chat! Let’s see it work!
Demo Summary
How is this stopped?
To sum it up: constriction, not prevention.
Limited egress paths
As many proxies as possible
  HTTP
  DNS
  Email
Full-mesh intranet VPN topology
  Authentication between all endpoints, including gateways
  Only prevents drop-n-go hardware
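The egress constriction described above, turned into a defender-side check over firewall accept/drop logs (an added example written for this page, not part of the talk's toolset): the 10.0.0.0/8 range, the proxy, resolver and relay addresses, and the log line format are all constructed assumptions.

```python
"""Egress-policy audit over constructed firewall log lines (added example)."""
import re
from ipaddress import ip_address, ip_network

# Constructed policy: inside is 10.0.0.0/8; only the proxy may speak HTTP/HTTPS
# to the Internet, only the resolver and mail relay may use DNS and SMTP out.
INTERNAL = ip_network("10.0.0.0/8")
EGRESS_PROXIES = {
    ("tcp", 80): {ip_address("10.0.0.5")},    # HTTP proxy
    ("tcp", 443): {ip_address("10.0.0.5")},   # same proxy handles CONNECT
    ("udp", 53): {ip_address("10.0.0.53")},   # caching DNS resolver
    ("tcp", 25): {ip_address("10.0.0.25")},   # mail relay
}
LOG_RE = re.compile(r"(?P<action>ACCEPT|DROP) proto=(?P<proto>tcp|udp|icmp) "
                    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)(?: dport=(?P<dport>\d+))?")

def audit_line(line):
    """Return a finding for an accepted outbound flow that violates policy, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst = ip_address(m["src"]), ip_address(m["dst"])
    if src not in INTERNAL or dst in INTERNAL or m["action"] == "DROP":
        return None  # internal-only traffic, inbound, or already blocked
    if m["proto"] == "icmp":
        return f"{src}: direct ICMP to {dst} (path for an icmptunnel-style channel)"
    if m["dport"] is None:
        return None
    key = (m["proto"], int(m["dport"]))
    allowed = EGRESS_PROXIES.get(key)
    if allowed is None:
        return f"{src}: {key[0]}/{key[1]} to {dst} is not an approved egress path"
    if src not in allowed:
        return f"{src}: bypassed the {key[0]}/{key[1]} proxy to reach {dst}"
    return None

def audit(lines):
    return [f for f in (audit_line(ln) for ln in lines) if f]

# Constructed sample log (not from the talk): one proxy hit, then a host that
# uses the same ports the dcph_info.txt enumeration probes (80/443, 53, ICMP).
SAMPLE_LOG = [
    "ACCEPT proto=tcp src=10.0.0.5 dst=198.51.100.10 dport=443",
    "ACCEPT proto=tcp src=10.0.7.42 dst=198.51.100.10 dport=443",
    "ACCEPT proto=udp src=10.0.7.42 dst=203.0.113.2 dport=53",
    "ACCEPT proto=icmp src=10.0.7.42 dst=203.0.113.2",
    "ACCEPT proto=tcp src=10.0.7.42 dst=10.0.0.5 dport=8080",
    "DROP proto=tcp src=10.0.7.42 dst=203.0.113.2 dport=22",
]
```

Every flow a workstation opens directly to the Internet on 80, 443, 53 or ICMP is a finding; with the proxy the only permitted path, the enumeration step has nothing to find except the proxy itself.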
More Security Measures…
Switch Port Security
  Pre-registration of MAC addresses
Superfine Granular IDS
  Protocols must adhere to strict specifications
Protocol-analyzing proxies
  Can deconstruct sessions to detect misuse
Wireless Jamming
  Prevents rogue Access-Points
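A strict request-shape check of the kind a protocol-analyzing proxy or granular IDS would apply to the first bytes of an outbound tcp/80 session (an added example, not code from the talk): the three sample payloads are constructed, and the rule that CONNECT may only target port 443 is an assumed policy.

```python
"""Strict HTTP request-shape check for outbound tcp/80 sessions (added example)."""
import re

METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE", b"CONNECT"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n$")
HEADER = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*[\x20-\x7e\t]*\r\n$")
CONNECT_TARGET = re.compile(rb"^[A-Za-z0-9.\-]+:(\d+)$")

def classify_http_request(data: bytes):
    """Return (verdict, reason) for the first bytes a client sent on port 80.
    'ok' means a well-formed HTTP/1.x request head; anything else is what a
    strict proxy refuses to forward instead of passing it through as 'web'."""
    head, sep, _body = data.partition(b"\r\n\r\n")
    if not sep:
        return "nonconforming", "no end of request head within captured bytes"
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0] + b"\r\n")
    if not m or m.group(1) not in METHODS:
        return "nonconforming", "first line is not an HTTP/1.x request line"
    for h in lines[1:]:
        if not HEADER.match(h + b"\r\n"):
            return "nonconforming", f"malformed header: {h[:20]!r}"
    if not any(h.lower().startswith(b"host:") for h in lines[1:]):
        return "nonconforming", "HTTP/1.x request without Host header"
    if m.group(1) == b"CONNECT":  # assumed policy: tunnels only to 443
        t = CONNECT_TARGET.match(m.group(2))
        if not t or t.group(1) != b"443":
            return "nonconforming", "CONNECT to a port other than 443"
    return "ok", "well-formed HTTP request head"

# Constructed samples: a browser request, a CONNECT aimed at an ssh port, and a
# raw binary first packet such as a non-HTTP tunnel would send on port 80.
SAMPLES = {
    "browser": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "connect_ssh": b"CONNECT 203.0.113.9:22 HTTP/1.1\r\nHost: 203.0.113.9:22\r\n\r\n",
    "raw_tunnel": b"\x00\x1c\x7e\xff\x03\x00\x21\x45\x00\x00\x3c",
}
```

A tool such as httptunnel that wraps its traffic in valid-looking requests passes this check, which is exactly the talk's point that shape enforcement constricts rather than prevents.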
But…
Covert channels will ALWAYS be possible
Smaller devices make detection and removal more difficult
Targeted attacks are based on research of your organization
Like most information security, the only true protection is the air-gap
Links
http://www.dcphonehome.com
http://trinux.sourceforge.net
http://www.sh-linux.org
http://sites.inka.de/sites/bigred/devel/cipe.html
http://www.phenoelit.de
http://vtun.sourceforge.net
http://www.nocrew.org/software/httptunnel.html
http://www.detached.net/icmptunnel/
http://www.stunnel.org
http://www.buildinglinuxvpns.net
http://www.foundstone.com
http://www.redsiren.com
http://www.realultimatepower.net