
Pwn'ing You(r) Cyber Offenders


Formal metadata

Title
Pwn'ing You(r) Cyber Offenders
Series title
Number of parts
112
Author
License
CC Attribution 3.0 Unported:
You may use, modify, and reproduce, distribute and make publicly available the work or its content, in unchanged or modified form, for any legal purpose, provided that you credit the author/rights holder in the manner specified by them.
Identifiers
Publisher
Year of publication
Language

Content metadata

Subject area
Genre
Abstract
It is commonly believed that Offensive Defense is just a theory that is difficult to use effectively in practice, but that is not entirely true. During my talk, along with a new service emulation technique that will render standard port scanner results nearly useless and leave your attackers with an arduous analysis, I will focus on practical (automated) exploitation of a hacker's offensive toolbox. A few interesting attack vectors against software taken from the Internet will be presented. It turns out you can get pwn'ed even through your Nmap scripts if you are not careful enough. Piotr Duszynski (@drk1wi) is a Senior Security Consultant at Trustwave SpiderLabs. With more than 6 years of official experience in the security field, his main interests have always been around breaking stuff and finding its true purpose. Currently he is mostly focused on web application security and security research. Apart from that he enjoys crazy road trips around the world, free diving and good music.
Transcript: English (auto-generated)
My name is Piotr Duszynski and this topic is about active defense in practice. I will go quite rapidly through the slides because I have quite a lot of them. So keep your shoes on and, okay, let's start. So basically, shortly about me: I'm a security consultant with SpiderLabs.
Basically I enjoy security, among other things, but let's move to another slide. So this presentation is about the results of my private research on using active defense in practice. The first part will be about the new technique that I have developed to basically slow down your attackers, to keep them from staying low profile while they analyze your system, and to provide them with as little information as possible. The second part will be example-based, and I will present to you new attacks on the software
that I have taken from the Internet, the software that's used for scanning and exploiting your systems. So basically at the end, there will be a demo for one of the well-known scanners. I hope
you like it. So basically we can start with the first part. This part is mainly focused on the reconnaissance phase. So basically the most important part of every reconnaissance phase is the port scanner. I have taken as my target Nmap, because we know it's the most popular tool, so basically
it's quite possible that somebody will be using it to scan your system. Here we have a typical example where somebody is trying to scan your system: he gets all of the information on the running services within an instant, and yeah, that's not exactly
what you would like to share with our, let's say, offenders. Basically this information can be used as another step to carry out some more sophisticated attacks. So I thought, what would be the worst-case scenario for a person scanning,
or trying to get a view of, your running services on your system? So basically, what if, for example, all of the ports were open, and what if on every port there was actually a valid, or what appears to be a valid, service?
And your attacker has to, as usual, get a view of all the running valid services on your remote system. So basically I wrote this tool, which is a proof of concept and still a work in progress, that basically implements that idea.
So when you want to get a full view of the remote system, like, you know, you go through all of the ports and try to get all of the services identified, your attacker will need a lot of patience, because, as I've seen, basically as I've tested, all of the ports will be open, he will have to send about 120 megabytes of data, and the scan will
take approximately...

Stop talking. So we have a tradition at DEF CON. First-time speakers need to give a shot on stage. Let's give him a round of applause for getting selected.
Cheers, everyone. Thanks. Now we have to see if he can pick up where he left off in the technical talk.
You guys judge how well he does.

I'm from Poland, come on. So coming back here. So basically you get, our attackers get, nice juicy output: 65,000 or more services identified by Nmap.
Of course, I focus on Nmap, but basically it can be any other port scanner; but since it's so popular, why not that tool. If you go through the listing, you can see different services, like Telnet; there's even a backdoor, if you can see. So basically, among that, there's somewhere probably your service running, which is valid
and could possibly be exploited, but yeah, try to find it. It's not so easy, I guess. And somewhere, when the attackers go through the service scan, they can find a hidden message.
So basically, yeah, you can put any ASCII art there. Also the authentication results are a bit strange.
For example, you can see that the real operating system was actually Linux 3.2. Here you have, like, plus, you know, UNIX, Linux, you don't know what it is. Additionally, and this is actually the second part of the presentation, you can also control certain fields, which can help you with exploitation of a particular
software. So yeah, Amap: there are similar results. All of the ports are open. Some of them are unidentified. Yeah, so what are the conclusions? Basically, the stealth scans are no longer helpful with this technique, because if all
of the ports are open, then basically you can make a connection. If there's an open port, then there's a service running. All of them are open. So yeah, all of the notifications are a bit more challenging. Yeah, it also forces your attackers to generate a huge amount of traffic.
So basically you can easily detect them, or easier, it's easier. Yeah, for service probes, and of course it adds some frustration to your offenders. Some might say that it's security by obscurity, but as far as, if only it works, you know, that is the point.
I don't know if you can see the fish there, but it's there. Yeah, so, but I'm sure that also you are thinking, like, okay, fine, but I'm sure I can find some kind of bypass. So that's also the way I was thinking. So basically, answering maybe some of your questions: there's no trivial way to detect false signatures
apart from using some kind of protocol probes. IP fragmentation and other network evasion techniques will not work, because it goes through the kernel to the user-space program that I have written. So basically you can fragment, use fragmentation, for any layer that you want; it will anyhow be reassembled at the end.
The only thing that will work is actually a full-connect TCP DoS, but it's not a mistake in the idea; it's just that every software is actually vulnerable to this. I've made some tests. You can always try to mitigate this by using some of these two parameters, or just try to use iptables with a traffic shaper.
Also, if you have any ideas, you know, for a bypass, send them to the mailing list. I'll try to fix the software or, I don't know, implement your idea. Just shortly about Portspoof: it's a user-space software. It doesn't require any root privileges, no kernel modules.
It just binds to one port per instance, and then later it's configured through iptables by redirecting some of the ports that you want to, I don't know, spoof, to localhost. Yeah. Okay. Let's go to the good part, which is practical exploitation of your offender's toolbox.
I don't know if you have noticed, maybe the output here is not very clear, but with Nmap you can control certain fields, like, for example, the version fields, host fields. That gives you basically nice attack vector possibilities.
So I went to the Internet, looked with Google for some software that could be exploited with that. And basically, the first example is still anonymous, because the author hasn't responded to me. Basically, if you set up a particular payload, like on any port, and somebody will use
Nmap to scan your system, then generate a report, basically you are able to inject some JavaScript code into his browser, let's say, context, when he will be browsing
the report on his computer. There is actually a nice thing about it, because, for example, if he launches Safari and goes through the results, basically the same policy doesn't apply for file delivery handlers. Actually, my friend told me this one.
So there is a simple exploitation vector for this one, like port 17, you can have one of them. The next example is like Nmap, so we don't stick to Nmap all the time; it's just a proof of concept.
You can exploit, for example, McAfee SuperScan; it was fixed, I think, a few days ago. But basically, if anyone would scan your system with this particular tool and later generate a report, then you will also be able to inject JavaScript code into his browser context.
Later you can, for example, use BeEF or any other tool to do some post-exploitation; it really depends on you what you are going to do. Yeah, this is actually a real exploit from the Internet. So I don't know if you can see the exact line, but it's here: basically we control
the content of the storage file, which actually is retrieved from one of the ports. So what happens here is, if we set up a payload, for example `whoami`, on port 80, which is actually the port to which the exploit will connect, well, if somebody will launch
the exploit against your system, he will get an additional context, which is root, so basically you are able to execute, or to do command injection in, somebody's shell if somebody is launching, for example, an exploit against your system. That's what's nice about this.
You can also create, for example, a weaponized version of this payload, but I won't go through all of the details here, because, I mean, for example, if you want to exploit this
particular line, where you have an evaluation of the file content, basically you have to go around some issues, like you cannot use spaces, you cannot use upper stroke, so basically it should be in the conference materials if you want to use it later. But the result is that, basically, if you set up such a payload on one of the ports, yeah,
next time when somebody will launch the exploit against your system, he won't only get a `whoami` output, but you will be able to, for example, download his whole root directory.
Another example is taken from the autopwn script, which is nice because autopwn scripts usually go through all of the ports; they try to exploit all of the possibilities, so basically if you have, like, different payloads on every port, some of them might hit that particular vulnerability, and you will be able to exploit your attackers too.
In this case, we have again, and this is a real line of code, I don't know if you see the vulnerability, it's rather pretty obvious, yeah, and again, what a surprise, `whoami` will work, which will result in OS command injection again.
What can you do with this, and what are the conclusions for the current state of the security tools? Because, from what I've seen on the Internet in different tools, different scanning software, most of them, not all, but most of them are exploitable with simple payloads,
like, for example, `whoami`, or any other escaping sequences, especially autopwn tools used by script kiddies, or I don't know who. But yeah, if they launch that type of script against your system, then basically you can also try to create an aggressive honeypot,
because you can create different payloads for every port with different escaping sequences. Then it's up to you which command you will inject, and if you want to find, for example, more vulnerable software, just go to Google, use your Google skills;
the ones that I found are actually the tip of the iceberg. I mean, many scripts are vulnerable; you can just use your imagination while creating some payloads, so in this case, I'm sure you'll find something. Yeah, and in the end, I wanted to show you a nice
proof-of-concept demo for Nmap, an official NSE script, which again proves the concept; it's nothing against the tool itself. Okay, let's... can you see it? Yeah,
right in front here, you can see it? Amazing. Yeah, okay, then I'll tell you.
So basically, first screen, you might not see: we set up the Portspoof tool, along with a Meterpreter. Second one: we scanned the remote system.
We want to check actually what's on port 80; you can see that there is an Apache HTTP, IBM Lotus Domino, in an old version that's exploitable. So basically what we can do, so yeah, here is a reverse handler on the exploit
there. This is the latest Nmap version, 6.25, so you have that, if you have that, still vulnerable. And this is the exact HTTP Domino password script,
which basically will result in a remote arbitrary file upload, so if you launch that against, for example, the system running Portspoof, you'll be able to upload an arbitrary file, overwrite any file that's accessible with Nmap
privileges. In this case, I have overwritten the script itself, so next time, because someone might think that it's strange that there are some strange results in Nmap output, so next time somebody will launch that particular script with the same parameters,
yeah, you'll get a remote reverse Meterpreter. I know the quality is a bit low,
but if you want, just go to the main website, you can view it online. I'll change, I'll upload it in a second; sorry for this, I thought it would be visible.
At the end, yeah, so yeah, thank you for your time and for coming. Hope you enjoyed it.
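The first part of the talk describes a user-space daemon that binds a single port, has iptables steer every other TCP port to it, and answers each connection with something a version scanner will accept as a real service. The block below is an added example written for this page to illustrate that idea; it is not Portspoof's source and claims nothing about its internals. The banners, the HTTP/non-HTTP split of probes, the 0.5 s probe wait and the `eth0`/port numbers are all constructed assumptions.

```python
"""Added example (not Portspoof's code): every port looks open and speaks a
plausible protocol, so a full version scan costs the offender time, traffic,
and still yields an output full of decoys."""
import random
import socket
import socketserver
import threading

# Constructed banners (hand-written, not taken from any scanner's probe
# database), shaped so that typical version-detection regexes would match.
BANNER_FIRST = [  # services that talk first after the TCP handshake
    b"SSH-2.0-OpenSSH_5.3\r\n",
    b"220 mx1 ESMTP Postfix (Debian/GNU)\r\n",
    b"220 (vsFTPd 2.3.4)\r\n",
    b"* OK [CAPABILITY IMAP4rev1] Dovecot ready.\r\n",
    b"\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'",  # telnet option negotiation
]
CLIENT_FIRST = [  # services that only answer once the client has sent a probe
    b"HTTP/1.0 200 OK\r\nServer: Apache/2.2.3 (CentOS)\r\nContent-Length: 0\r\n\r\n",
    b"HTTP/1.0 401 Unauthorized\r\nServer: lighttpd/1.4.28\r\n"
    b"WWW-Authenticate: Basic realm=\"admin\"\r\nContent-Length: 0\r\n\r\n",
    b"-ERR unknown command\r\n",
    b"500 5.5.1 Command unrecognized\r\n",
]
PROBE_WAIT = 0.5  # seconds to wait for a client probe before talking first (assumed)


def pick_response(probe: bytes, rng: random.Random) -> bytes:
    """Choose a plausible reply for what the scanner sent, or did not send."""
    if not probe:
        # The scanner waited for a banner, so behave like a banner-first service.
        return rng.choice(BANNER_FIRST)
    head = probe.split(b" ", 1)[0].upper()
    if head in (b"GET", b"HEAD", b"POST", b"OPTIONS"):
        return rng.choice([r for r in CLIENT_FIRST if r.startswith(b"HTTP/")])
    return rng.choice([r for r in CLIENT_FIRST if not r.startswith(b"HTTP/")])


def iptables_redirect_rule(iface: str, spoof_port: int, real_ports: list) -> str:
    """nat/PREROUTING rule sending every TCP port except the real services (and
    the spoofer's own port) to the single port the daemon listens on."""
    keep = ",".join(str(p) for p in sorted(set(real_ports) | {spoof_port}))
    return (f"iptables -t nat -A PREROUTING -i {iface} -p tcp "
            f"-m multiport ! --dports {keep} -j REDIRECT --to-ports {spoof_port}")


class SpoofHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(PROBE_WAIT)
        try:
            probe = self.request.recv(1024)
        except socket.timeout:
            probe = b""  # client said nothing: it expects us to talk first
        self.request.sendall(pick_response(probe, self.server.rng))


class SpoofServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr, seed=None):
        super().__init__(addr, SpoofHandler)
        self.rng = random.Random(seed)


def start_server(host: str = "127.0.0.1", port: int = 0, seed=None) -> SpoofServer:
    """Bind one port (0 = ephemeral), no root needed, serve in a background thread."""
    srv = SpoofServer((host, port), seed)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def grab(host: str, port: int, probe: bytes = b"") -> bytes:
    """Minimal banner grabber: what a scanner would see on any redirected port."""
    with socket.create_connection((host, port), timeout=3) as s:
        if probe:
            s.sendall(probe)
        return s.recv(1024)


if __name__ == "__main__":
    srv = start_server(seed=1)
    port = srv.server_address[1]
    print(iptables_redirect_rule("eth0", port, [22]))       # run as root on the host
    print(grab("127.0.0.1", port))                           # banner-first decoy
    print(grab("127.0.0.1", port, b"GET / HTTP/1.0\r\n\r\n"))  # HTTP-looking probe
    srv.shutdown()
```

The daemon itself never needs privileges; only the one-line iptables rule does, and the rule excludes the ports that carry your real services so they keep working. Because reassembly happens in the kernel before the bytes reach `recv`, fragmentation tricks do not change what the daemon sees, which is the point the speaker makes; what this design cannot defend against is a full-connect flood, so put a connection-rate limit or traffic shaper in front of it.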
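The second part of the talk turns the target's banner into a payload against the offender's own tooling, through two sinks: a shell command built from the grabbed banner (the `whoami` command injection in the exploit and autopwn scripts) and a scan report rendered as HTML (the JavaScript injection into the scanner's report viewer). The block below is an added example written for this page, not the code of any tool mentioned in the talk; the banner strings are constructed, and `$(echo INJECTED)` stands in for the speaker's `whoami` so the demonstration is harmless.

```python
"""Added example (not from the talk or any real scanner): the two injection
sinks described in the talk, each shown next to a hardened version."""
import html
import re
import subprocess

# Constructed banners a spoofed service could return on the port the offender's
# tool connects to. Harmless markers instead of `whoami` or a BeEF hook.
SHELL_BANNER = "220 mail ESMTP $(echo INJECTED)"
HTML_BANNER = "220 mail ESMTP <script>alert(document.cookie)</script>"


def vulnerable_log_banner(banner: str) -> str:
    """Pattern common in one-off exploit scripts: the grabbed banner is glued
    into a shell command line. /bin/sh expands $(...) before echo runs."""
    cmd = "echo " + banner
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout.strip()


def safe_log_banner(banner: str) -> str:
    """Same intent, no shell: argv is a list, so the banner is a single literal
    argument and nothing inside it is interpreted."""
    return subprocess.run(["echo", banner], capture_output=True, text=True).stdout.strip()


def vulnerable_report_row(host: str, port: int, banner: str) -> str:
    """Report generator that trusts the banner: it lands in the offender's
    browser as markup when the HTML report is opened."""
    return f"<tr><td>{host}</td><td>{port}</td><td>{banner}</td></tr>"


def safe_report_row(host: str, port: int, banner: str) -> str:
    """Escape at the sink and coerce the port so no field can carry markup."""
    return (f"<tr><td>{html.escape(host)}</td><td>{int(port)}</td>"
            f"<td>{html.escape(banner)}</td></tr>")


NON_PRINTABLE = re.compile(r"[^\x20-\x7e]")


def sanitize_banner(raw: bytes, limit: int = 256) -> str:
    """Defensive normalisation for anything the target sends back: lenient
    decode, control characters replaced (no CR/LF/ESC tricks in logs or
    terminals), length capped. Applies before either sink above."""
    text = raw.decode("ascii", errors="replace")
    return NON_PRINTABLE.sub("?", text)[:limit]


if __name__ == "__main__":
    print("vulnerable:", vulnerable_log_banner(SHELL_BANNER))  # marker expanded
    print("safe:      ", safe_log_banner(SHELL_BANNER))        # marker literal
    print(vulnerable_report_row("10.0.0.5", 80, HTML_BANNER))
    print(safe_report_row("10.0.0.5", 80, HTML_BANNER))
    print(sanitize_banner(b"SSH-2.0-OpenSSH_5.3\r\n\x1b[2J"))
```

Every string the target returns is attacker-controlled input; the fixes are the usual ones (never `shell=True` with untrusted data, escape at the HTML sink, normalise and cap the banner first). Run either vulnerable function against a listener that returns the shell banner on the port the tool connects to, and you reproduce the talk's "additional root context" scenario with a harmless marker instead of `whoami`.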