790 likes | 969 Vues
MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.net http://es-es.net. Wireless & Device Attack Vectors: Hands-on Workshop. http://es-es.net/. The Disclaimer!.
E N D
MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.nethttp://es-es.net Wireless & Device Attack Vectors: Hands-on Workshop http://es-es.net/
The Disclaimer! In attending this session you agree that any software demonstrated comes absolutely with NO WARRANTY. Use entirely at your own risk. Ernest or Eric, & the other 3rd party vendors whose software is demonstrated as part of this session are not responsible for any subsequent loss or damage whatsoever! Legal advice– I am not a lawyer for legal advice please seek a trained lawyer in the field you have a question.
Ethernet Threats Ethernet issues Related issues Using Network as a Medium Network Scanning Break-Ins Topology Discovery Protocols Redundancy and Aggregation Protocols Other Security Related Issues Configuration and Installation Issues Implementation Issues Issues with Legacy Technology Architectural Issues Freely available Software for Attacks and Exploits • Network and System Access • Unauthorized Join • Unauthorized Expansion of the Network • VLAN Join • VLAN Tagging • Spoofing and Address Capture • Traffic Confidentiality • Passive Eavesdropping • Active Eavesdropping • Traffic Integrity • ARP Poisoning and Rogue DHCP Server • Man in the Middle • Session Hijacking • Replay • Availability of Service • Denial of Service • Switch Control
Ethernet Vulnerabilities • A switch learns the MAC address/port pairings and stores them in limited memory • Easy to generate bogus frames and get the memory to owerflow • If a MAC address is unknown the switch broadcasts it out of all its ports • Makes eavesdropping possible • Spanning Tree Protocol is used to define the logical topology for an Ethernet segment • Any host can claim to be the STP root and direct large parts of traffic to go through itself • Man in the Middle attack (MitM) • STP can also be used for Denial of Service (DoS)
Layer 3 Interaction Vulnerabilities • DHCP poisoning • A new host on LAN broadcasts a request for IP and router information • Any host can pretend to be the DHCP server and tell that it is the router • Enables a Man in the Middle attack • ARP poisoning • Any host on LAN can broadcast a gratuitous ARP message claiming to have any IP address (including the router) at its MAC address • ARP poisoning can be used to hijack an ongoing session
More Vulnerabilities • Frames can hop from one Virtual LAN to another with "double tagging" • VLANs supposedly bring security • VLAN management protocols enable all kinds of attacks • Frame padding and MAC table timeouts leak information • With persistance the attacker can passively wait for HTTP cookies • All attacks can be (and are being) made to software • Ettercap for MitM, http://ettercap.sourceforge.net/ • Sniffers for eavesdropping: Wireshark, ngrep, tcpdump, snoop • Packet crafting tools: packETH, Bit-Twist, Mausezahn, Hping, Nemesis, Scapy, Yersinia, THC Parasite, macof • Packetsquare for capture, edit and replay
Security Solutions • Access Control and Node Authentication • Physical Protection of the Network • Segmentation and VLANs • Access Control Lists • Authentication based Access Control • IEEE 802.1X • Network Access Control • Network Integrity Protection • Securing ARP • Port Security • Control and Management Plane Overload Protection (CoPP) • Control and Management Plane Logical Protection • STP BPDU and root guard • Deep Packet Inspection • Proper Configuration • Traffic (Payload) Integrity and Confidentiality Protection • Traffic Encryption and Integrity Verification • IEEE 802.1AE MACsec • Replay Protection • Intrusion Detection and Prevention Systems • Hiding or Obfuscating Network Topology • Future solutions • Automated Key Management Policies • Cryptographically generated addresses • Removing ARP broadcasts • OpenFlow or DHT/TRILL
IEEE Solutions • IEEE has no architectural solutions, except VLAN • 802.1X adds authentication, does not protect from misuse • Authenticated entities may misbehave • 802.1AE MACsec adds confidentiality (encryption) • Based on 802.1X authentication • Not end to end, but host to switch • 802.1X and MACsec require administration activities per node • Software installation, identity management • High cost, little flexibility
Vendor Solutions • Vendor solutions can make Ethernet fairly secure, but require configuration • Configuring each switch with knowledge of topology • Port Security, Root Guard, BPDU Guard... • Effectively these are ACLs with fancy names to separate user and control (and management) planes • Good administration practices • Knowledge of vendor-specific quirks of the switches
Road Ahead • Ethernet architecture is flawed from security point of view • It is a nice and simple LAN architecture • But it is "fail open" by design • If you don't know how to handle a frame, send it to everybody • Trusting everybody is implicit • Vendor solutions require active management • Mainly to tell the switches the topology (trunk ports and leaf node ports) • Potential new solutions • Deduct topology information automatically (low management overhead) then use Intrusion Prevention Systems and ACLs to protect the network • Get rid of ARP and broadcasts (with e.g. DHT-Trill)
CHARACTERISTICS OF WIRELESS NETWORKS • 1. SHARED, UNCONTROLLED MEDIA: • Invisible & Airborne Threats are Hard To Control vs. Wired Network • 2. SELF-DEPLOYING & TRANSIENT NETWORKS • Simplicity of Self Discovery Create Security Challenges • Mobile Nature of Wireless LAN Devices and Users Require In-depth • Forensics capability to Address Security Breaches • 3. USER INDIFFERENCE • Invisible Connectivity & True Distributed Nature Gives a Faulty Sense of Security • 4. EASIER TO ATTACK • Lax WLAN Security is the Lowest Hanging Fruit for Hackers • Dozens of Tools Readily Available to Exploit these Holes
ATTACK VECTORS ADMINISTRATION • From a System management terminal, someone could: • Add non-dedicated machines for administration • Install new programs and new vulnerabilities • Forget to update the management application when updating other LMR machines • Remote into the management application from outside the LMR network • Connect LMR to existing management functions • Protect, Detect, Respond • Physically secure the management terminals • Ensure system managers are authenticated • Ensure appropriate privileges for users • Update patches and manage administrator terminals
ATTACK VECTORS - RADIOS • With the Radios, someone could: • Use a radio purchased from eBay • Steal an existing radio from storage • Send invalid data packets from the radio and terminals • Infect the radios with viruses • What else could be done? • Protect, Detect, Respond • Ensure subscribers are authorized and authenticated • Ensure that alerts are generated when unauthorized radios attempt to access the system • Implement firewalls and Router Access Control Lists to ensure only valid packets are passed • Close unnecessary ports and protocols
WIFI THREATS • Network Edge blurred – another access into your mission critical network • Rogues, hackers, mis-configured devices • Organized crime – hacking for profit • Interfacing with other systems • Access control • Combination of public and private network connectivity • Multiple agency access
SIDE-JACKING • OPEN AP‟S • Let‟s all play nice • COOKIE SESSION IDS • SSL login, and then? • EDIT COOKIES • Sniff and edit • FERRET AND HAMSTER • http://erratasec.blogspot.com/sidejacking.zip
DHCP & DNS CLIENT ATTACKS • DHCP Attack • Exploit attacks a client and loads creates a Admin User on device • DHCP Broadcast Attack (MS06-036) • http://www.milw0rm.com/sploits/07212006-MS06_036_DHCP_Client.tar.gz • DNS ATTACK/MANIPULATION • Can offer anything to you and you believe it • Sites: Banking, Hotel, Airlines, Work (Exchange, Oracle, SQL) • TORNADO • Web-based attack tool which exploits up to 14 browser vulnerabilities and installs malware on the user's system
DATA SEEPAGE • YOUR NOTEBOOK IS: • 1. Not location-aware • Office • Home • Hotspot • 2. Wants to always connect to something
VLANs • Virtual Local Area Networks • A logical grouping of devices or users • Users can be grouped by function, department, application, regardless of physical segment location • VLAN configuration is done at the switch (Layer 2) • VLAN's are not security! They are obscurity, they are great forsegmentation and traffic management
VLAN Membership • Static VLAN Assignment - Port based membership: Membership is determined by the port on the switch on not by the host. • Dynamic VLAN Assignment - Membership is determined by the host’s MAC address. Administrator has to create a database with MAC addresses and VLAN mappings
VLAN Communication • VLANS cannot communicate with each other even when they exist on the same switch • For VLANS to communicate they must pass through a router • Each VLAN is required to have at least one gateway to route packets in and out of the network
VLAN Trunking • Trunking allows us to cascade multiple switches using the trunk ports to interconnect them • Trunk ports act as a dedicated path for each VLAN between switches • The trunk port is a member of all configured VLANs
VLAN Hopping Attacks • These attacks are designed to allow the attacker to bypass the Layer 3 device • The attack takes advantage of incorrectly configured trunk ports on network switches
VLAN Hopping Attacks • Basic VLAN Hopping Attack 1. Attacker fools switch into thinking that he is a switch that needs trunking 2. The attack needs a trunking favorable setting such as Auto to succeed 3. The attacker is now a member of all trunked VLANs on the switch and he send and receive data on those VLANs
VLAN Hopping Attacks • Double Encapsulated VLAN Hopping Attack 1. Switches perform only one level of IEEE 802.1q decapsulation 2. This allows the attacker to specify a .1q tag inside the frame, allowing the frame to go to a VLAN that the outer tag did specify. 3. This attack works even if Trunk ports are set to OFF
Configuration best practice • Use dedicated VPAN for all trunk ports. • Avoid using VLAN 1. • Deploy port security. • Set users ports to non trunking. • Use ARP security options. • Use BPDU guard, Root guard. • Use PVLANs. • Disable CDP. • Disable unused ports and put them in an unused vlan. • Ensure DHCP attack prevention.
Lab2Armitage against local winXP DriftnetWep CrackingMiniPwer Hands on
MiniPwner & Ipad software • Listed in Lab manual starting on Page 11 • MiniPwner Here is a list of some of the software that comes installed: • Nmap network scanner • Tcpdump sniffer • Netcat Hacker’s swiss army knife • aircrack Wireless network analysis • kismet Wireless network analysis • perl Perl Scripting Language • openvpn VPN Client and Server • dsniff suite of sniffing and spoofing tools, including arpspoof • nbtscan NetBIOS Network Scanner • snort Sniffer, Packet Logger, Intrusion Detection System • samba2-client Windows File Sharing Client • elinks Text Based Web Browser • yafc FTP Client • openssh-sftp-client Secure File Transfer Client
Pwn Plug • Fully loaded. Wireless, 3G/GSM, & NAC/802.1x bypass! • Includes 3G, Wireless, & USB-Ethernet adapters • Fully-automated NAC/802.1x/RADIUS bypass! • Out-of-band SSH access over 3G/GSM cell networks! • One-click Evil AP, stealth mode, & passive recon • Maintains persistent, covert, encrypted SSH access to your target network • Tunnels through application-aware firewalls & IPS • Supports HTTP proxies, SSH-VPN, & OpenVPN
Understand RISK! Analyze risk risk = (cost of an exploit)*(likelihood it will occur) Mobile devices make this inexpensive and very possible (BeetleJuice) inside of “Flame” Demos: Bypass DLP (Safepod) ANTI FaceNif WIFI Kill
Security Challenges • Inherent trust. “It’s MY PHONE.” • Portability is a benefit and a risk • Controls if lost • Lock/Erase? Implications of erasing personal data • PIN security – secure or easy to do 1 handed • What is resident in memory? • Malware – whole new breed of malware and products • Malicious apps • Increasing • How do you write secure apps? • Social engineering providers – value of OOB communication • Where did my app come from ? What is a trusted source?
Booting to BackTrack • Username: root • Password: toor • startx
The Layout Tools organized by category in the typical order of a penetration test. Main collection of tools by category
Network Scanning and Mapping • Sweet and Simple • ICMP: Ping • Fping- quickly check an IP range. • Not very reliable; many servers and firewalls can turn off ICMP replies.
Finding Live Hosts • TCP and UDP- More than ICMP Replies • Nping • TCP • UDP • IP ranges • Many others for Internal and External • Applications> Backtrack> Information Gathering> Network Analysis> Identify Live Hosts
nping • Nping --tcp –p 8080 66.110.218.68
Mapping and Routing • Linux: tracerouteWin: tracert • Seeing hops and routers in between. • Zenmap • The all-in-one GUI for nmap • Hop and routing maps • Save findings for later • Extremely easy
What is a Port? • “doors” on the system where info is sent out from and received • When a server app is running on a port, it listens for packets • When there is nothing listening on a port, the port is closed • TCP/IP Stack • 65,536 TCP Ports
Port Status Types • Open – port has an application listening on it, and is accepting packets. • Closed – port is accessible by nmap, but no application is listening on it. • Filtered – nmap can’t figure out if the port is open or closed because the packets are being filtered. (firewall) • Unfiltered – Ports are accessible, but nmap can’t figure out if it is open/closed.
Typical Ports to know • Any port can be configured to run any service. • But major services stick to defaults • Popular TCP ports/services: • 80 – HTTP (web server) • 23 – Telnet • 443 – HTTPS (ssl-encrypted web servers) • 21 – FTP • 22 – SSH (shell access) • 25 – SMTP (send email) • 110 – POP3 (email retreival)ecure shell, replacement for Telnet)
More Ports that you need to know • 445 – Microsoft –DS (SMB communication w/ MS Windows Services • 139 – NetBIOS-SSN (communication w/ MS Windows • services • – 143 – IMAP (email retreival) • – 53 – Domain (DNS) • – 3306 – MYSQL (database)
nmap • Nmap ("Network Mapper") is a great tool that we have in both the portable apps and in BT • Extremely powerful. • Simple use: Nmap –v –A ‘v’ for verbosity and ‘A’ for OS/version Detection
Zenmap • Scan one target or a range • Built-in profiles or make your own for personal ease.
Zenmap • Visual Map • Hop Distance • Router Information • Group Hosts by Service Using a quite traceroute
Using Zenmap • Here are some IPs open to be scanned. Be careful! • 66.110.218.68 • 66.110.220.87 • Hackerinstitute.net • 66.110.218.106 • moodle.gcasda.org • Just in case • 192.168.2.254 • 192.168.2.240
Simple DNS Lookups • Host name to IP lookup:nslookup www.es-es.net • Reverse lookup:nslookup 74.208.95.36
Diggin’ Up DNS Entries • dig [domain] any • dig es-es.net any • The ‘any’ switch is used to show all DNS entries.
DNS Record Types • Just a few record types cribbed from: http://en.wikipedia.org/wiki/List_of_DNS_record_types