They’re Hacking Our Clients!
Why Are We Only Vuln Assessing Servers?

Jay Beale
Creator - Bastille UNIX
Co-Founder - Intelguardians, Inc.

Copyright 2007 Jay Beale (Intelguardians, Inc.)

A Curious Trend in Ethical Hacking

I work for Intelguardians, a security consulting firm. I get to do and lead a fair bit of network and application penetration testing.

A penetration test usually focuses on the compound question: could a “hacker” break in from the Internet, and how far could he go?

The hard part is getting into the “internal” network. Once you’re inside, things get far, far easier.

A Curious Trend in Ethical Hacking

Over the last year, we’re finding that breaching the perimeter and DMZ networks has gotten far more difficult under traditional attack models.

Increasingly, we’ve been getting to the internal network via client-side attack, hacking the Security or IT staff’s workstations via vulnerabilities in their browsers, mail clients, Acrobat and Office programs.

These attacks have gotten easier for anyone with a copy of Core IMPACT, Metasploit, or hostile attacker toolkits.

Professional Hackers Started Years Ago

Real attackers moved to client-side attack years ago. There’s so much money in hacking the clients that it’s become a great business for organized crime.

And it was so successful that the attackers’ chief problem became creating a centrally-controlled, scalable means of controlling all the systems they’ve compromised.

And so they brought us the botnet.

Workstation Control is Powerful

Most botnet owners have so many machines that they don’t ever inventory them and figure out what companies and organizations they’ve compromised.

As highly-targeted attackers, penetration testing teams use these machines as a foothold to hit the internal organization. We get access to file shares, cached credentials, and applications that have never been designed or audited for security.

Further, even across their worldwide WAN, even the largest organizations have no filters.

Isn’t this Social Engineering?

In the security community, we initially write off these attacks to social engineering. We blame the user.

Not all exploits require user interaction. And if they do, we’ll always have some users get fooled. Even if that’s 1/100 of 1%, it’s bad.

But blaming the non-IT user isn’t fair. Your grandmother shouldn’t have to understand vulnerabilities to read e-mail. You can’t expect her to unless you really make a driver’s license for computing.

It’s our responsibility as IT architects to train the user, but to protect them from attack anyway.

Think about your mortgage broker’s computer. Or your dentist’s? High value target, no IT staff and little training. They’ve been owned.

Why is this difficult?

Most organizations’ security has been focused primarily on the perimeter and on firewalls. That over-focus is decreasing, but only so fast.

Most security efforts are focused on the servers, particularly those accessible from the Internet.

This focus really has started to achieve its goal. Hacking organizations, from the Internet, through their servers, is finally getting difficult.

But the attackers have moved to attacking the workstation PCs. And few organizations have kept up with that change in focus. It’s a difficult problem…

Why is this difficult?

First, the numbers are much tougher. As an attacker, I only need to find one workstation or laptop that has a vulnerable client out of the 10,000 you have.

And you thought protecting 150 servers was difficult!

Second, your users can stay disconnected from the network or have their machines powered off for extended periods, or even retire systems that get pulled out of retirement six months later when a position is filled again.

Patching has always been a race condition!

What about Patch Management?

The next thing we all think is… this is where patch management products should make the problem irrelevant.

But:

1) Not every organization has a commercial patch management tool.
2) Patch management tools may rely on a host inventory that isn’t accurate. Here are some hosts commonly left off:
   a) Old hosts that aren’t part of the domain or inventory.
   b) Dedicated scanning / machine control systems.
   c) Hosts brought to the office from partner companies.
   d) Legacy systems of any kind!
3) Patch management tools rarely track patches for every third-party product.

The State of Internal Patching

Actually, most organizations don’t patch consistently or frequently enough to avoid this threat.

Even if they can do consistent and frequent patching, they tend to only get there for Microsoft software.

Even those will have trouble keeping organization- or user-installed browser plug-ins up to date.

Well, if we’re not solving this problem via patching, what about our regular vulnerability assessments?

Vulnerability Assessments

First, most organizations don’t appear to do better than quarterly vulnerability assessments.

Second, the vulnerability assessments focus on the servers.

That’s natural: servers actually answer you when you probe them and usually give you their version/patch level fairly easily.

Clients aren’t quite so helpful… or are they?

Clients Identify Themselves Too

A whole lot of client-side software identifies itself often, if you only know to listen… or sniff… or read the logs…

First, web browsers tell every server they talk to what version they are:

HTTP_USER_AGENT = Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4

Mail Clients Too…

Mail clients send their version string with every single message. I once had a friend e-mail me to tell me that my Thunderbird version was old and vulnerable.

Here’s a string from an e-mail I got from another speaker here:

User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)

Watching without Sniffing

If I stick to just watching all the browser user agent strings as people on my network browse, I could easily give you a list of vulnerable browsers.

But what if I don’t want to sniff the network?

Many/most large organizations use transparent web proxies to decrease their Internet bandwidth costs - why download the same CNN graphics 2,000 times today?

Squid proxies, among others, easily log browser user agent strings. I can watch these for malware and vulnerable browsers.

Sendmail can be configured to log mail client user agent strings as well.
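The log-reading approach above, worked through as an added example (this is not the speaker's ClientVA code): it reads Squid access-log lines written with Squid's documented Apache-style "combined" logformat, which includes the User-Agent header, extracts the browser product and version from each one, and also runs the same check over a mail message's User-Agent header. The minimum-patched-version table, the log lines, the addresses and the message are all constructed for the demo; a real deployment would regenerate that table from a vulnerability feed rather than hard-code it.

```python
import re
from collections import defaultdict

# CONSTRUCTED minimum-patched versions for the demo. In a real deployment this
# table would be regenerated nightly from a vulnerability feed (the slides
# propose OSVDB), not hard-coded.
MIN_PATCHED = {
    "Firefox": (2, 0, 0, 6),
    "Thunderbird": (2, 0, 0, 9),
}

# Product/version tokens as they appear in HTTP and mail User-Agent values:
# "Firefox/2.0.0.4" in a browser UA, "Thunderbird 2.0.0.6" in a mail header.
PRODUCT_RE = re.compile(r"\b(Firefox|Thunderbird)[/ ](\d+(?:\.\d+)*)")

# Apache-style lines as written by Squid with its documented combined format:
#   logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_version(text):
    """'2.0.0.4' -> (2, 0, 0, 4); tuples compare numerically, strings do not."""
    return tuple(int(part) for part in text.split("."))


def clients_in_user_agent(user_agent):
    """Every (product, version tuple) a User-Agent value admits to."""
    return [(name, parse_version(ver)) for name, ver in PRODUCT_RE.findall(user_agent)]


def is_vulnerable(product, version):
    """Below the patched floor for a product we track; unknown products are ignored."""
    floor = MIN_PATCHED.get(product)
    return floor is not None and version < floor


def scan_squid_log(lines):
    """Map client IP -> sorted list of (product, version) below the patched floor."""
    findings = defaultdict(set)
    for line in lines:
        match = COMBINED_RE.match(line)
        if not match:
            continue  # native-format lines carry no UA; only combined-format lines do
        for product, version in clients_in_user_agent(match.group("ua")):
            if is_vulnerable(product, version):
                findings[match.group("ip")].add((product, ".".join(map(str, version))))
    return {ip: sorted(found) for ip, found in findings.items()}


def scan_mail_headers(raw_message):
    """Same check against a message's User-Agent / X-Mailer header."""
    headers = raw_message.split("\n\n", 1)[0]
    results = []
    for match in re.finditer(r"^(?:User-Agent|X-Mailer):[ \t]*(.+)$", headers, re.M | re.I):
        for product, version in clients_in_user_agent(match.group(1)):
            results.append((product, ".".join(map(str, version)), is_vulnerable(product, version)))
    return results


# CONSTRUCTED sample data (private addresses, made-up timestamps and message).
SAMPLE_LOG = [
    '10.1.2.3 - - [03/Aug/2007:09:14:02 -0400] "GET http://www.cnn.com/ HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4" TCP_MISS:DIRECT',
    '10.1.2.7 - - [03/Aug/2007:09:14:05 -0400] "GET http://www.example.com/ HTTP/1.1" 200 812 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6" TCP_HIT:NONE',
    '10.1.2.3 - - [03/Aug/2007:09:15:11 -0400] "GET http://www.cnn.com/images/logo.gif HTTP/1.1" 304 0 '
    '"http://www.cnn.com/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4" TCP_IMS_HIT:NONE',
]

SAMPLE_MAIL = (
    "From: speaker@example.org\n"
    "To: jay@example.org\n"
    "User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)\n"
    "Subject: slides\n"
    "\n"
    "See attached.\n"
)

if __name__ == "__main__":
    for ip, found in scan_squid_log(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(f"{p} {v}" for p, v in found))
    for product, version, vulnerable in scan_mail_headers(SAMPLE_MAIL):
        print("mail client:", product, version, "VULNERABLE" if vulnerable else "ok")
```

Versions are compared as integer tuples, not strings, because "2.0.0.10" sorts before "2.0.0.4" as text; the same mistake in a production checker would silently pass the oldest clients. Repeated requests from one host collapse to one finding per product, which is what you want when a single workstation fetches 2,000 CNN graphics a day.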

Sniffing

Alternatively, sniff the internal links to your outbound mail relays and outbound transparent web proxies.

But, either way, we’re missing something in the browsers, aren’t we? Can anyone tell me what it is?

Browser Plugins!

Browser exploitability relies on third-party code that may not even ship with the browser.

People add their own plug-ins, often automagically when they try to use a website that needs it.

They don’t necessarily know they need to look for patches. They may not even know what site they got the plug-in from, since the site they were using sent them to the plug-in.

IT departments can find it difficult to track these plug-ins, especially when they didn’t install them!

Just to look at a couple of examples…

Adobe Acrobat Reader

The Adobe Acrobat Reader Plugin hasn’t been doing well lately:

Adobe Acrobat Reader Browser Plug-in for MSIE Malformed PDF Request DoS (Dec 27, 2006)
Adobe Acrobat Reader Plugin for Microsoft IE Microsoft.XMLHTTP ActiveX CRLF Injection (Dec 27, 2006)
Adobe Acrobat Reader Browser Plug-in PDF XSS (Dec 27, 2006)
Adobe Acrobat Reader Browser Plug-in PDF CSRF (Dec 27, 2006)
Adobe Acrobat Reader Browser Plug-in PDF Handling Memory Corruption (Dec 27, 2006)

Macromedia Flash Plug-in

The Macromedia Flash Plugin hasn’t had it easy either:

Adobe Macromedia Flash Player Plug-in Multiple Browser Remote Keystroke Disclosure (Apr 11, 2007)
Macromedia Flash Flash8b.ocx Flash8b.AllowScriptAccess Method DoS (Dec 29, 2006)
Macromedia Flash Player swf Processing Multiple Unspecified Code Execution (Mar 14, 2006)
Macromedia Flash Player Flash.ocx ActionDefineFunction Function Arbitrary Code Execution (Nov 7, 2005)
Macromedia Flash Player Flash.ocx Unspecified Function Arbitrary Code Execution (Nov 4, 2005)

Detecting Plug-ins

Rsnake announced an excellent tool for this at Toorcon Seattle: the Master Reconnaissance Tool (MR-T).

Visit this URL to see what your browser’s plug-ins are:
http://ha.ckers.org/mr-t/

Here are some of the highlights from my browser:

Java Embedding Plugin 0.9.6.2
Shockwave Flash 9.0 r28
QuickTime Plug-in 7.1.5
Move-Media-Player.plugin npmnqmp 07074032
JoostPlugin.plugin

What about Non-network Clients?

The applications most commonly targeted are browsers, mail clients, browser plug-ins, and Microsoft Office.

The PaulDotCom podcast recently highlighted the Metagoofil tool by Christian Martorella:
http://www.edge-security.com/soft.php

It uses Google to search a website for public documents, including PDF, DOC, XLS, PPT, SDW, MDB, and SDC.

It then parses out metadata, including creator, creation time, and version of the client.

Metadata

If we can pull newly-saved/sent documents from file shares or sniff them on the wire, we can parse them for metadata.

If you just created this Word document five minutes ago, with a vulnerable version of Word, on a given system, that system’s Word program is probably still vulnerable!
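The metadata parsing the two slides above describe, as an added example written for this page (it is neither Metagoofil nor the speaker's tooling): it pulls the producing application, its version and the creation time out of a PDF's Info dictionary and out of an OOXML (.docx/.xlsx/.pptx) package's docProps parts, using only the standard library. The sample PDF skeleton and the in-memory .docx are constructed here, as are the author name and timestamps. Legacy binary .doc/.xls files keep the same information in OLE SummaryInformation streams and are not handled by this example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# --- PDF: the Info dictionary holds /Producer, /Creator, /CreationDate ... ---
PDF_KEY_RE = re.compile(rb"/(Producer|Creator|Author|CreationDate|ModDate)\s*\(")


def _pdf_literal_string(data, start):
    """Return the literal string whose '(' is at data[start]; parens may nest."""
    depth, i = 0, start
    while i < len(data):
        ch = data[i:i + 1]
        if ch == b"\\":
            i += 2  # skip the escaped character
            continue
        if ch == b"(":
            depth += 1
        elif ch == b")":
            depth -= 1
            if depth == 0:
                return data[start + 1:i]
        i += 1
    raise ValueError("unterminated PDF literal string")


def pdf_metadata(data):
    """Info-dictionary entries written as literal strings. Unencrypted PDFs only;
    hex-string values and encrypted documents are not handled here."""
    found = {}
    for match in PDF_KEY_RE.finditer(data):
        value = _pdf_literal_string(data, match.end() - 1)
        found[match.group(1).decode()] = value.decode("latin-1")
    return found


# --- OOXML: a zip whose docProps/app.xml and core.xml carry the properties ---
NS_APP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
NS_DC = "http://purl.org/dc/elements/1.1/"
NS_DCTERMS = "http://purl.org/dc/terms/"


def ooxml_metadata(data):
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        names = set(archive.namelist())
        if "docProps/app.xml" in names:
            app = ET.fromstring(archive.read("docProps/app.xml"))
            for tag in ("Application", "AppVersion"):
                text = app.findtext(f"{{{NS_APP}}}{tag}")
                if text:
                    found[tag] = text
        if "docProps/core.xml" in names:
            core = ET.fromstring(archive.read("docProps/core.xml"))
            found["creator"] = core.findtext(f"{{{NS_DC}}}creator")
            found["created"] = core.findtext(f"{{{NS_DCTERMS}}}created")
    return found


VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def inventory_document(data):
    """Sniff the format, extract metadata, and isolate the producing client's version."""
    if data.startswith(b"%PDF"):
        meta = pdf_metadata(data)
        client = meta.get("Producer") or meta.get("Creator") or ""
        version = VERSION_RE.search(client)
        return {"kind": "pdf", "client": client, "version": version.group() if version else None,
                "created": meta.get("CreationDate")}
    if data.startswith(b"PK\x03\x04"):
        meta = ooxml_metadata(data)
        return {"kind": "ooxml", "client": meta.get("Application"), "version": meta.get("AppVersion"),
                "created": meta.get("created")}
    return {"kind": "unknown"}


# CONSTRUCTED samples: a minimal PDF skeleton and a .docx holding only its property parts.
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"2 0 obj\n<< /Producer (Acrobat Distiller 7.0.5 (Windows))\n"
    b"   /Creator (PScript5.dll Version 5.2.2)\n   /Author (jbeale)\n"
    b"   /CreationDate (D:20070803091402-04'00') >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 2 0 R >>\n%%EOF\n"
)
APP_XML = (f'<Properties xmlns="{NS_APP}"><Application>Microsoft Office Word</Application>'
           "<AppVersion>12.0000</AppVersion></Properties>")
CORE_XML = (
    '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
    f'xmlns:dc="{NS_DC}" xmlns:dcterms="{NS_DCTERMS}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    '<dc:creator>jbeale</dc:creator><dcterms:created xsi:type="dcterms:W3CDTF">2007-08-03T13:14:02Z'
    "</dcterms:created></cp:coreProperties>"
)


def build_sample_docx():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("docProps/app.xml", APP_XML)
        archive.writestr("docProps/core.xml", CORE_XML)
    return buf.getvalue()


if __name__ == "__main__":
    for sample in (SAMPLE_PDF, build_sample_docx()):
        print(inventory_document(sample))
```

The PDF producer string is the interesting one for the slide's argument: "Acrobat Distiller 7.0.5 (Windows)" pins both the product and the build that wrote the file, and the nested parentheses in it are exactly why a naive regex over the Info dictionary is not enough. The creation timestamp is what lets you say the version was in use minutes ago rather than in some archived document.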

Looking Up Version Strings

So we’ve got version strings accessible to anyone who can read certain logs. You can get more if you sniff the network. And still more if you potentially inject an MR-T iframe in each person’s browser once per day.

If you put it together with a nightly database update from OSVDB (http://www.osvdb.org), you’ve got client-side vulnerability assessment via a new tool we’re building called ClientVA:
http://www.clientva.org

But we can go further than this - we can redirect some clients to a captive portal to patch.

Simple Client-side IPS?

If I see your browser ask the Squid cache for an external website while revealing that you have a vulnerable version, why not keep it off the Internet?

We’re working on a Squid plug-in that can deny that single request right then and there, re-directing you to a captive portal with patches for your particular browser.

You can take this further. If you really want to win the race, deny the user access to their mailbox if their mail client is vulnerable. Send the next web request to a captive portal explaining what’s going on.
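One way to build the per-request denial the slide describes without a Squid plug-in, as an added example that is not the speaker's work-in-progress code: a Squid external ACL helper that is handed the request's User-Agent header, answers OK when it names a version on the vulnerable list, and lets a deny_info rule turn the denial into a 302 to the captive portal. The hostnames in the squid.conf fragment and the vulnerable-version list are assumptions constructed for the example; the Squid directives (external_acl_type with the %{User-Agent} format token, acl ... external, deny_info with a URL) are real.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: reply OK when the request's User-Agent names a
client version on the vulnerable list, ERR otherwise.

Assumed squid.conf wiring (patches.corp.example is a hypothetical portal host;
a deny_info URL makes Squid answer the denied request with a 302 to it):

    external_acl_type ua_check %{User-Agent} /usr/local/bin/ua_acl_helper.py
    acl vulnerable_client external ua_check
    acl patch_portal dstdomain patches.corp.example
    http_access allow patch_portal
    http_access deny vulnerable_client
    deny_info http://patches.corp.example/ vulnerable_client

The allow for the portal must come before the deny, or the redirected client
can never reach the patches either.
"""
import re
import sys
from urllib.parse import unquote

# CONSTRUCTED vulnerable-version list standing in for a nightly feed; exact
# versions rather than a floor, as a feed keyed by affected version would supply.
VULNERABLE = {
    ("Firefox", "2.0.0.4"),
    ("Firefox", "2.0.0.5"),
    ("Thunderbird", "2.0.0.6"),
}

PRODUCT_RE = re.compile(r"\b(Firefox|Thunderbird)[/ ](\d+(?:\.\d+)*)")


def should_redirect(user_agent):
    """True when any product/version named in the User-Agent is on the list."""
    return any((p, v) in VULNERABLE for p, v in PRODUCT_RE.findall(user_agent))


def answer(line):
    """Turn one helper request line into the helper's reply line.

    Squid sends the fields from the external_acl_type format URL-encoded
    (quote=url is the default, so the UA's spaces arrive as %20), with a
    leading channel ID when the helper runs with concurrency=N; the reply
    must echo that ID. OK means the ACL matches, i.e. deny and redirect."""
    line = line.rstrip("\r\n")
    channel = ""
    parts = line.split(" ", 1)
    if len(parts) == 2 and parts[0].isdigit():
        channel, line = parts[0] + " ", parts[1]
    return channel + ("OK" if should_redirect(unquote(line)) else "ERR")


def main():
    for raw in sys.stdin:
        sys.stdout.write(answer(raw) + "\n")
        sys.stdout.flush()  # Squid blocks waiting for each reply; never buffer


if __name__ == "__main__":
    main()
```

Two operational points worth keeping in mind: the helper is on the request path for every lookup, so keep the decision a set lookup and let Squid cache results (external_acl_type has a ttl option); and a denial keyed on the User-Agent stops the vulnerable browser reaching the web, not the exploit that already arrived by mail, so this complements patching rather than replacing it.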

About the Speaker

Jay Beale is an information security specialist, well known for his work on threat avoidance and mitigation technology. He's written two of the most popular security hardening tools: Bastille Unix, a system lockdown and audit tool that introduced a vital security-training component, and the Center for Internet Security's Unix Scoring Tool. Both are used worldwide throughout private industry and government. Through Bastille and his work with the Center, Jay has provided leadership in the Linux system hardening space, participating in efforts to set, audit, and implement standards for Linux/Unix security within industry and government. Jay also contributed to the OVAL project and the Honeynet Project.

Jay has served as an invited speaker at a variety of conferences worldwide as well as government symposia. He's written for Information Security Magazine, SecurityFocus, and SecurityPortal. Jay has co-authored or edited nine books in the Information Security space. Six of these make up his Open Source Security Series, while two are technical works of fiction in the "Stealing the Network" series.

Jay makes his living as a security consultant with the firm Intelguardians, Inc., which he co-founded with other industry leaders Ed Skoudis, Mike Poor, Bob Hillery and Jim Alderson. His work in network and web application penetration testing, as well as security architecture review, allows him to maintain a deep understanding of current threats and defenses. Prior to consulting, Jay served as the Security Team Director for MandrakeSoft, helping set company strategy, design security products, and push security into the then third-largest retail Linux distribution.