Hacking Exposed:
Live 2009
George Kurtz – SVP/GM Risk and
Compliance BU
Stuart McClure – VP Operations /
Strategy Risk and Compliance BU
McAfee
04/21/09 | Session ID: HT2-105
Please Download The Most Current Slides At:
www.foundstone.com/hackingexposedrsa2009.pdf
A little about me…
George Kurtz
• Former CEO and Co-founder of
Foundstone
• Co-Author of Best-Selling Hacking
Exposed and Other Security Texts
• Voted Conde Nast Most High-
Maintenance Traveler of the Year by
my Co-workers at McAfee
• Stuart McClure
• Former President/CTO and co-
founder of Foundstone
• Lead Author of Best-Selling Hacking Exposed, Web Hacking, HE: Windows
Agenda
The Digital Battlefield
The Hack
Countermeasures (Apply)
Summary
The Digital Battlefield
Digital Battlefield
Our Mission
• Primary Goal:
– Compromise CEO Laptop
• Secondary Goal:
– Complete Compromise of the PDC (Primary Domain Controller)
• Tertiary Goal:
– Sell more books the evil way!
• What we know about the network
– Firewall with restrictive rules in place
– Ingress: Ports 80, 443 open to the web server
– Egress: Ports 21, 53(TCP/UDP), 80, 443
The Hack
Cross-Site Request Forgery - CSRF
• Better known as one-click attack, session riding or
XSRF
• CSRF exploits the trust a site has in the user's browser: the browser attaches the site's cookies to any request, whoever caused that request to be sent
• Cross Site Scripting (XSS) exploits the trust a user has with a particular site
• The following characteristics are common to CSRF:
– Site must rely on a user's identity
– Trick the user's browser into sending malicious requests to a target site
– Exploit the site's trust in that identity
– Abuse the established session – have the browser do the dirty work and pass the
authentication cookie
Have to get that Amazon rank up…
• Mama needs some new shoes for the kids…
• Our Goal - ratchet up the Amazon.com ranking
and sell some books!
• Abuse one-click “book ordering” while people
visit our Hacking Exposed Blog
DEMO
And the Results are in…
Web Server Attack
• SQL Injection
– Oldie but a goodie…
• Can we own the Hackme Bank and get access to the Corpnet?
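The query shape behind this demo, as an added Python example that is not the Hackme Bank application's own code: a login lookup built by string concatenation, beside the parameterised form that closes the hole (the primary fix the Countermeasures section calls for). The user table, its rows and the payloads are constructed for the example; it runs offline against an in-memory SQLite database.

```python
"""Added example (not the Hackme Bank code from the demo): a login query
built by string concatenation, next to the parameterised query that closes
the hole. Uses an in-memory SQLite table with constructed rows."""
import sqlite3


def build_db():
    """Constructed user table standing in for the bank's real one."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER, username TEXT, password TEXT, role TEXT)"
    )
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "admin", "S3cret!", "administrator"),   # constructed rows
        (2, "alice", "hunter2", "customer"),
    ])
    return db


def login_vulnerable(db, username, password):
    """Attacker-controlled input becomes part of the SQL text itself, so a
    quote in the input changes the query grammar instead of being data."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return db.execute(sql).fetchone()


def login_parameterised(db, username, password):
    """Placeholders hand the values to the driver separately from the query,
    so a quote or a comment marker in the input is never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()


# Two classic payloads: a tautology in the password field, and a comment
# marker in the username that discards the password check entirely.
BYPASS_TAUTOLOGY = "' OR '1'='1"
BYPASS_COMMENT = "admin'-- "

if __name__ == "__main__":
    db = build_db()
    print("vulnerable, tautology:", login_vulnerable(db, "admin", BYPASS_TAUTOLOGY))
    print("vulnerable, comment  :", login_vulnerable(db, BYPASS_COMMENT, "anything"))
    print("parameterised, same  :", login_parameterised(db, "admin", BYPASS_TAUTOLOGY))
    print("parameterised, real  :", login_parameterised(db, "admin", "S3cret!"))
```

The tautology turns the WHERE clause into `username = 'admin' AND password = '' OR '1'='1'`, which matches every row; the comment marker truncates the clause after `username = 'admin'`. The parameterised version returns nothing for both, and still works for the real credentials. Input "sanitisation" on its own is the weaker fix: a legitimate name containing a quote breaks the concatenated query outright, while the parameterised one handles it.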
DEMO
Drive By Shooting - Spear Phishing Style
• Email to CEO
• Obfuscate URL
• Drive by Shooting
• Shovel a shell out to Attack Windows on port 80 (one of the allowed egress ports)
• ftp the toolkit down from Attack Linux
– Dump hashes
– Dump Wireless Zero Config (WZC) wireless profiles
DEMO
First You Steal the Hash –
Then You Steal the Cash
• Password hashes are password equivalents
• So… why can’t we simply use the hash as the
password?!
• Password hash of target account must be
loaded into memory on our own attack machine
• We “become” the target account
Passing Hash
• There is no need to crack the password!
• This process was developed by folks at Foundstone and never publicly released
• Recently publicly available code has been released by Marcus Murray at Trusec.de
Passing Hash
I want my Hash - Goal: Compromise remote system with Admin privileges
• We compromise one server/workstation using a remote/local exploit
• We extract logged-on hashes and find a domain admin or other user account hashes
• We use the hash to log on to a domain controller or other target system
• If an Active Directory database is compromised, the attacker can now impersonate any account in the domain
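Why the hash alone is enough, as an added Python example that is neither the Foundstone tool nor Marcus Murray's code mentioned above: it derives the NT hash the SAM stores (MD4 over the UTF-16LE password) and then computes an NTLMv2 challenge/response from that hash, which is exactly what a pass-the-hash client does, so the server cannot tell a stolen hash from a typed password. MD4 is written out here because current OpenSSL builds disable it in hashlib; the domain, user, password, server challenge and client blob are constructed values.

```python
"""Added example (not the tools named in the slides): NT hash derivation
and an NTLMv2 proof computed from the hash alone. Scenario values are
constructed for the example."""
import hashlib
import hmac
import struct

_M = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _M


def _md4_block(state, block):
    """One 64-byte MD4 compression (RFC 1320 rounds, orders and shifts)."""
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for fn, k, order, shifts in rounds:
        for i, idx in enumerate(order):
            a = _rotl((a + fn(b, c, d) + X[idx] + k) & _M, shifts[i % 4])
            a, b, c, d = d, a, b, c          # rotate the working registers
    return [(s + v) & _M for s, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    """Pure-Python MD4; OpenSSL 3 ships it only in the legacy provider."""
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        state = _md4_block(state, data[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The value the SAM / NTDS.dit stores: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_response(nt: bytes, user: str, domain: str,
                    server_challenge: bytes, client_blob: bytes) -> bytes:
    """NTLMv2 proof. Only the NT hash goes in; the password never does."""
    v2_key = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"),
                      hashlib.md5).digest()
    return hmac.new(v2_key, server_challenge + client_blob, hashlib.md5).digest()


def server_accepts(stored_nt, user, domain, challenge, blob, proof) -> bool:
    """What the DC does: recompute the proof from its stored hash and compare."""
    expected = ntlmv2_response(stored_nt, user, domain, challenge, blob)
    return hmac.compare_digest(expected, proof)


# Constructed scenario: domain, account, password, challenge and blob.
DOMAIN, USER, PASSWORD = "CORP", "Administrator", "password"
CHALLENGE = bytes.fromhex("0123456789abcdef")     # 8-byte server nonce
BLOB = b"\x01\x01" + b"\x00" * 6 + b"\x00" * 8 + b"\x11" * 8 + b"\x00" * 4


def pass_the_hash_demo() -> bool:
    """Attacker holds only the dumped hash bytes, yet produces a valid proof."""
    stored = nt_hash(PASSWORD)                    # what the DC knows
    stolen = bytes.fromhex(stored.hex())          # what the LSASS dump yielded
    proof = ntlmv2_response(stolen, USER, DOMAIN, CHALLENGE, BLOB)
    return server_accepts(stored, USER, DOMAIN, CHALLENGE, BLOB, proof)


if __name__ == "__main__":
    print("NT hash of", repr(PASSWORD), "=", nt_hash(PASSWORD).hex())
    print("server accepts proof built from the stolen hash:", pass_the_hash_demo())
```

The point the slide makes falls out of the last function: the server's check is a function of the stored hash, the challenge and the blob, so whoever holds the hash can answer the challenge, and cracking the password buys nothing the hash did not already give. The same holds for the older NTLMv1/LM responses, which DES-encrypt the challenge under keys derived from the hash.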
DEMO
There's an App for Pwning Too!
25,000 … 25,001
iPhone Pwnage
• Shell out
• Ping PDC
• Nmap PDC
• Pop PDC – shovel shell out to Attack Windows
DEMO
Countermeasures: Apply
SQL Injection/CSRF Countermeasures
• Root cause
– Poor web design
• Insufficient input validation and queries built from user input (SQL Injection)
• Insufficient re-authentication (CSRF)
– Require a secret per-session token in the GET or POST parameters of every state-changing request; don't rely only on cookies, which the browser sends automatically
– Check the HTTP Referer header (and Origin, where the browser sends it)
– Restrict crossdomain.xml usage, which can grant unintended cross-domain access to Flash movies
– Limit the lifetime of authentication cookies
– Poor user common sense (CSRF)
• Users should not click on links they don't know
• Detection/Prevention
– Web Application Firewall (WAF)
• Commercial options (including HIPS), or
• Free or Open Source: Breach Security's ModSecurity, OWASP Stinger Project (Java/J2EE) [limited], AQTRONIX WebKnight, SQLGuard (Java)
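The one-click book-ordering abuse from The Hack section and the token and Referer/Origin countermeasures listed here, as one added Python example (not code from the slides, the blog or the demo shop): a handler that trusts only the session cookie, beside a hardened handler that also requires POST, an Origin matching our own site, and a secret per-session token that the attacker's page cannot read. The site names, the session store, the attacker's HTML and the requests are constructed.

```python
"""Added example (not from the Hacking Exposed slides): a one-click order
endpoint that trusts only the session cookie, beside a hardened version.
Sites, sessions and requests are constructed for the example."""
import secrets
from dataclasses import dataclass, field

SITE = "shop.example"            # assumed target site
ATTACKER = "evil-blog.example"   # assumed attacker-controlled blog

# Server-side session store: cookie value -> session data (constructed).
SESSIONS = {
    "sess-4f2a": {"user": "alice", "csrf_token": secrets.token_hex(16)},
}
ORDERS = []  # orders that got placed


@dataclass
class Request:
    """What the server sees once the browser has added cookies and Origin."""
    method: str
    host: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def _session(req):
    return SESSIONS.get(req.cookies.get("session"))


def order_vulnerable(req):
    """Relies only on the cookie. The browser attaches it to every request
    to SITE, including ones a third-party page caused it to send."""
    sess = _session(req)
    if sess is None:
        return "login required"
    ORDERS.append((sess["user"], req.form.get("book")))
    return "ordered"


def order_hardened(req):
    """POST only, Origin must be our own site, and the form must carry the
    secret token stored in the session. The attacker's page cannot read that
    token (same-origin policy), so it cannot forge a complete request."""
    sess = _session(req)
    if sess is None:
        return "login required"
    if req.method != "POST":
        return "rejected: state change via GET"
    if req.headers.get("Origin") != f"https://{SITE}":
        return "rejected: cross-origin or missing Origin"
    token = req.form.get("csrf_token", "")
    if not secrets.compare_digest(token, sess["csrf_token"]):
        return "rejected: missing or wrong CSRF token"
    ORDERS.append((sess["user"], req.form.get("book")))
    return "ordered"


# Constructed attacker page: a logged-in visitor's browser submits this
# form to the shop on page load, cookie included, without any click.
ATTACK_HTML = f"""
<form id="f" method="POST" action="https://{SITE}/one-click-order">
  <input type="hidden" name="book" value="Hacking Exposed 6e">
</form>
<script>document.getElementById("f").submit();</script>
"""


def forged_request():
    """Alice visits the blog while logged in to the shop: the browser sends
    her session cookie, but Origin is the blog and no token is present."""
    return Request(method="POST", host=SITE,
                   cookies={"session": "sess-4f2a"},
                   headers={"Origin": f"https://{ATTACKER}"},
                   form={"book": "Hacking Exposed 6e"})


def legitimate_request():
    """Alice clicks the real button on a page that had the token rendered in."""
    return Request(method="POST", host=SITE,
                   cookies={"session": "sess-4f2a"},
                   headers={"Origin": f"https://{SITE}"},
                   form={"book": "Hacking Exposed 6e",
                         "csrf_token": SESSIONS["sess-4f2a"]["csrf_token"]})


if __name__ == "__main__":
    print("vulnerable, forged  :", order_vulnerable(forged_request()))
    print("hardened, forged    :", order_hardened(forged_request()))
    print("hardened, legitimate:", order_hardened(legitimate_request()))
```

Treat a missing Origin or Referer as a rejection on state-changing requests rather than a pass, since privacy settings and some proxies strip them; the per-session token is the check that does not depend on headers at all. Marking the session cookie SameSite=Lax or Strict removes the browser's automatic cookie on cross-site POSTs and is a cheap additional layer where the server can set it.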
Passing Hash Countermeasures
• Root cause
– It's a feature, not a bug!
• Need to remove the "feature": NTLM authenticates with the hash the SAM stores, never with the password, so the hash is the credential
• Quite unlikely…
• Detection/Prevention
– Don't let a bad guy get Admin!
• Follow best-practices hardening
– HIPS
• Commercial: HIPS
• Free or Open Source: AntiHook (Win), Winsonar (Win), Samurai (Win), ProcessGuard (Win), OSSEC (Linux)
Summary
• It's a jungle out there… but you need to prepare yourself
• Secure coding and penetration reviews are a must
• Understand the level of vulnerabilities in your own network and applications
– Leverage Vulnerability Management tools
– Software must be kept up to date
• Education is critical
• Defense-in-Depth
– Integrated Endpoint protection (AV, HIPS, etc)
– Network Protection (IPS, Firewalls, DLP)