HT2-105

Hacking Exposed: Live 2009
George Kurtz – SVP/GM Risk and Compliance BU
Stuart McClure – VP Operations / Strategy Risk and Compliance BU
McAfee
04/21/09 | Session ID: HT2-105
Please Download The Most Current Slides At: www.foundstone.com/hackingexposedrsa2009.pdf

A little about me…
George Kurtz
• Former CEO and Co-founder of Foundstone
• Co-Author of Best-Selling Hacking Exposed and Other Security Texts
• Voted Conde Nast Most High-Maintenance Traveler of the Year by my Co-workers at McAfee
Stuart McClure
• Former President/CTO and Co-founder of Foundstone
• Lead Author of Best-Selling Hacking Exposed, Web Hacking, HE: Windows

Agenda
• The Digital Battlefield
• The Hack
• Countermeasures (Apply)
• Summary

The Digital Battlefield

Our Mission
• Primary Goal:
– Compromise CEO Laptop
• Secondary Goal:
– Complete Compromise of the PDC
• Tertiary Goal:
– Sell more books the evil way!
• What we know about the network
– Firewall with restrictive rules in place
– Ingress: Ports 80, 443 open to the web server
– Egress: Ports 21, 53 (TCP/UDP), 80, 443

The Hack

Cross-Site Request Forgery - CSRF
• Better known as one-click attack, session riding or XSRF
• CSRF exploits the trust a user has with their browser
• Cross Site Scripting (XSS) – exploits the trust a user has with a particular site
• The following characteristics are common to CSRF:
– Site must rely on a user's identity
– Trick the user's browser into sending malicious requests to a target site
– Exploit the site's trust in that identity
– Abuse the established session – have the browser do the dirty work and pass the authentication cookie

Have to get that Amazon rank up…
• Mama needs some new shoes for the kids…
• Our Goal - ratchet up the Amazon.com ranking and sell some books!
• Abuse one-click “book ordering” while people visit our Hacking Exposed Blog

DEMO

And the Results are in…

Web Server Attack
• SQL Injection – Oldie but a goodie…
• Can we own the Hackme Bank and get access to the Corpnet?

DEMO

Drive By Shooting - Spear Phishing Style
• Email to CEO
• Obfuscate URL
• Drive by Shooting
• Shovel a shell to Attack Windows port 80
• ftp toolkit from Attack Linux
– Dump hashes
– Dump Windows Zero Config

DEMO

First You Steal the Hash – Then You Steal the Cash
• Password hashes are password equivalents
• So… why can’t we simply use the hash as the password?!
• Password hash of target account must be loaded into memory on our own attack machine
• We “become” the target account

Passing Hash
• There is no need to crack the password!
• This process was developed by folks at Foundstone and never publicly released
• Recently publicly available code has been released by Marcus Murray at Trusec.de

Passing Hash – I want my Hash
• Goal: Compromise remote system with Admin privileges
• We compromise one server/workstation using a remote/local exploit
• We extract logged on hashes and find a domain admin or other user account hashes
• We use the hash to log on to a domain controller or other target system
• If an Active Directory database is compromised, the attacker can now impersonate any account in the domain

DEMO

There’s an App for Pwning Too!

iPhone Pwnage
• Shell out
• Ping PDC
• Nmap PDC
• Pop PDC – shovel shell out to Attack Windows

DEMO

Countermeasures: Apply

SQL Injection/CSRF Countermeasures
• Root cause
– Poor web design
• Insufficient input sanitization (SQL Injection)
• Insufficient re-authentication (CSRF)
– Require authentication in GET and POST parameters, don’t rely only on cookies
– Check the HTTP Referer header
– Restrict crossdomain.xml usage, which can grant unintended access to Flash movies
– Limit the lifetime of authentication cookies
– Poor user common sense (CSRF)
• Users should not click on links they don’t know
• Detection/Prevention
– Web Application Firewall (WAF)
• Commercial Options (including HIPS), or
• Free or Open Source: Breach Security’s ModSecurity, OWASP Stinger Project (Java/J2EE) [limited], AQTRONIX WebKnight, SQLGuard (Java)

Passing Hash Countermeasures
• Root cause
– It’s a feature, not a bug!
• Need to remove the “feature” in the MS SAM
• Quite unlikely…
• Detection/Prevention
– Don’t let a bad guy get Admin!
• Follow best-practices hardening
– HIPS
• Commercial: HIPS
• Free or Open Source: AntiHook (Win), Winsonar (Win), Samurai (Win), ProcessGuard (Win), OSSEC - Linux

Summary
• It’s a jungle out there… but you need to prepare yourself
• Secure coding and penetration reviews are a must
• Understand the level of vulnerabilities in your own network and applications
– Leverage Vulnerability Management tools
– Software must be kept up to date
• Education is critical
• Defense-in-Depth
– Integrated Endpoint protection (AV, HIPS, etc.)
– Network Protection (IPS, Firewalls, DLP)
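The "Insufficient input sanitization (SQL Injection)" root cause on the countermeasures slide comes down to letting user input become part of the SQL grammar. The following is an added example, not code from the deck or from the Hackme Bank demo: a login lookup written the vulnerable way beside the parameterized form, using an in-memory SQLite table and a single constructed user row. The table, row and function names are all invented for this illustration.

```python
"""Login lookup: string-built SQL beside the parameterized version.
Added example for the SQL Injection countermeasures slide; the users
table, the sample row and both function names are constructed here."""
import sqlite3


def make_db():
    # Constructed sample data: one user with a known password.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    # Root cause from the slide: the caller's strings are spliced into the
    # statement, so quote characters and comment markers in them are
    # interpreted as SQL rather than as data.
    sql = (
        "SELECT name FROM users "
        f"WHERE name = '{name}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_parameterized(conn, name, password):
    # Countermeasure: the statement is fixed and the values travel separately
    # as bound parameters. The driver never parses them as SQL, so the same
    # input that bypassed the check above is just an unmatched username.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice", "correct-horse"))      # legitimate login
    print(login_vulnerable(db, "alice' --", "wrong"))          # comment marker ends the query early
    print(login_parameterized(db, "alice' --", "wrong"))       # None: treated as a literal name
```

The point the slide makes about "poor web design" is visible in the shape of the two functions: the fix is not filtering characters out of `name`, it is never building the statement from user text in the first place. A WAF such as the ModSecurity option listed on the slide can flag the malformed request, but the parameterized query is what removes the bug.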
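The CSRF bullets on the same slide list three server-side controls: require something beyond the cookie in the request itself, check the Referer header, and limit the lifetime of the authentication cookie. The block below is an added example, not code from the deck, that applies all three to a state-changing request such as the one-click book order from the demo. The request and session objects, the `validate_state_change` function, the `https://bank.example` origin and the 15-minute session lifetime are assumptions made for this illustration; the token is an HMAC over a per-session nonce, which is one common way to implement the "authentication in POST parameters" bullet.

```python
"""CSRF validation for a state-changing POST: session-bound token,
Referer/Origin check and session lifetime limit in one place.
Added example for the CSRF countermeasures slide; every name and the
origin/lifetime values below are constructed for this illustration."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"   # assumed origin of the protected site
SESSION_LIFETIME = 15 * 60             # assumed policy: cookies good for 15 minutes
SERVER_SECRET = secrets.token_bytes(32)  # per-process key used to MAC the token


@dataclass
class Request:
    cookies: dict
    headers: dict
    form: dict


@dataclass
class Session:
    user: str
    created: float
    nonce: str = field(default_factory=lambda: secrets.token_hex(16))


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def create(self, user, now=None):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, time.time() if now is None else now)
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


def csrf_token(session):
    # The token is bound to this session's nonce, so it cannot be guessed from
    # the cookie and a token captured from one session is useless in another.
    return hmac.new(SERVER_SECRET, session.nonce.encode(), hashlib.sha256).hexdigest()


def referer_allowed(headers):
    # Browsers attach Origin to cross-site POSTs; Referer is the fallback the
    # slide names. With neither present the request is refused rather than
    # trusted, since a legitimate form post from our own pages carries one.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def validate_state_change(req, store, now=None):
    """Return (ok, reason); ok is True only when every check passes."""
    now = time.time() if now is None else now
    session = store.get(req.cookies.get("session", ""))
    if session is None:
        return False, "no valid session cookie"
    if now - session.created > SESSION_LIFETIME:
        return False, "session expired"          # limited cookie lifetime
    if not referer_allowed(req.headers):
        return False, "referer/origin not this site"
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token(session)):
        return False, "missing or wrong csrf token"  # cookie alone is not enough
    return True, "ok"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    token = csrf_token(store.get(sid))
    legit = Request({"session": sid}, {"Referer": f"{SITE_ORIGIN}/order"}, {"csrf_token": token})
    riding = Request({"session": sid}, {"Referer": "https://blog.example/post"}, {})
    print(validate_state_change(legit, store))
    print(validate_state_change(riding, store))
```

The session-riding case from the deck fails twice over here: the browser does pass the authentication cookie, but the request arrives from a foreign origin and carries no token the attacker's page could have known. The lifetime check does not stop a forged request on its own; it shortens the window in which a victim's still-open session can be ridden.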