Cybersecurity HS Summer Camp Cyber Attack


Post on 30-Apr-2020


Cybersecurity HS Summer Camp

Cyber Attack


HS Summer Camp | Computer Science Department | University of Puerto Rico - RP

Cyber attack

A cyber attack is any type of offensive maneuver employed by individuals or whole organizations that targets computer information systems, infrastructures, computer networks, and/or personal computer devices through various malicious acts, usually originating from an anonymous source, that steals, alters, or destroys a specified target by hacking into a susceptible system.


Cyber attack

Violating one of the pillars of information assurance.

Attacker goal                                      | Pillar violated
steal information                                  | confidentiality
deface a web page                                  | integrity
bring down a DNS or any service                    | availability
send a malicious email from someone else's account | non-repudiation
steal login credentials                            | authentication


Security Barriers

• Network Barrier
  • Perimeter Firewall
  • NAT
• Host Barrier
  • Authentication
  • Host Firewall
• System Barrier
  • ACL (user privileges)
  • FS Encryption

USNA pic


Bypassing Barriers

• Network Barrier
  • Compromising a service or host that is outside the firewall, like a public web server
  • Compromising a service or host inside a NAT that is accessible from the network
• Host Barrier
  • Password cracking tools, packet-sniffing for credentials, exploiting a service vulnerability
• System Barrier
  • Escalating privileges with password cracking tools, and exploiting a service or application vulnerability


Pivoting to Target Host

Generally there are more hosts on the target host’s network.

Those other hosts might have different services running, thus allowing different potential paths in from the outside.

USNA pic


Pivoting to Target Host

The target computer only has the SSH service open, but it is protected from the network with a firewall.

There is another host that has a public web server not protected by the firewall.

USNA pic


Pivoting to Target Host

The attacker would try to exploit a vulnerability on the web server that would allow them to SSH internally from the web server to the target host.

USNA pic


Phases of an Attack

• Reconnaissance - The attacker scans the target network to learn what traffic the firewall (if any) lets through, the hosts on the network, and the services on each host.

• Vulnerability Assessment - Based on the recon results, an analysis of possible vulnerabilities on the hosts and their services is performed.

• Exploitation - The attacker exploits vulnerabilities in the services and gets access to the system.

• Post Exploitation - The attacker takes the action that violates one of the pillars of IA, and takes whatever steps are necessary to cover his tracks.


Reconnaissance

Dedicate resources and time to observe and probe the target computer or network to find entry points and possible weaknesses.

In this phase information is gathered about the target.


Reconnaissance - Network Info

• IP Addresses
• Subnet mask
• Network topology
• Domain names


Reconnaissance - Host Info

• usernames
• group names
• architecture type (e.g. x86 vs SPARC)
• operating system family and version
• TCP and UDP services running with versions


Reconnaissance - Security Policy

• password complexity requirements
• password change frequency
• expired/disabled account retention
• physical security (e.g. locks, ID badges, etc.)
• firewalls
• intrusion detection systems


Reconnaissance - Human Info

• address
• telephone number
• frequent hangouts (physical and online)
• computer knowledge (expertise)
• hobbies and interests


Passive Reconnaissance

Gathering information, often indirectly, in a manner unlikely to alert the subject of the surveillance.

It minimizes any interaction with the target network that may raise flags in the computer, firewall, and IDS logs.

Accessing the target web page may leave a record in the server logs, but it would likely look like a regular access to a web server.

On the other hand, accessing the web server so frequently that the service becomes overloaded might alert the target.


Google is not only your friend

Use it to find information on the target. You might find files with user information, maybe even passwords, addresses, social security numbers.

A web page with information on how to gather vulnerability information using search engines: https://www.exploit-db.com/google-hacking-database/


Public Network Information

Network information can be obtained freely via public records online.

Every IP Address and Domain Name must be registered in a public database.

Pages like http://network-tools.com/ provide the target domain's IP Address range, DNS servers, and a contact address and telephone number.


Public Network Information

Try for instance: http://network-tools.com/default.asp?prog=whois&host=136.145.181.50


Public Network Information

Whois is also available in the terminal.

$ whois 136.145.181.10

NetRange: 136.145.0.0 - 136.145.255.255
CIDR: 136.145.0.0/16
NetName: UPR
NetHandle: NET-136-145-0-0-1
Parent: NET136 (NET-136-0-0-0-0)
NetType: Direct Assignment
OriginAS:
Organization: University of Puerto Rico (UPR-7)
RegDate: 1989-08-29
Updated: 2011-10-13
Comment: http://www.upr.edu
Ref: http://whois.arin.net/rest/net/NET-136-145-0-0-1

OrgName: University of Puerto Rico
OrgId: UPR-7
Address: Jardin Botanico Sur. 1187
Address: Calle Flamboyan
City: San Juan
StateProv: Puerto Rico
PostalCode: 00926
Country: PR


Active Reconnaissance - scanning

Gathering information while interacting with the subject directly, in a way that usually can be discovered.

Tools that can be used for active network recon:

• ping can tell you which IPs are used by hosts in a network.

• traceroute can be used to figure out the topology of the network, i.e. where the routers are with respect to the hosts.

• netcat (nc) can be used to determine which ports are open with servers listening on them.


Probing versions with nc

$ nc ccom.uprrp.edu 80
GET / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Tue, 28 Apr 2015 21:29:02 GMT
Server: Apache/2.2.15 (CentOS)
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1

$ nc lists.ccom.uprrp.edu 25
220 lists.ccom.uprrp.edu ESMTP Postfix
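From the defender's side, the same greetings can be audited for what they give away. The following is an added example, not part of the original slides: it parses captured banners like the two above and reports which ones disclose a version or operating system. The function names and the sample strings (constructed, modeled on the nc output) are assumptions.

```python
import re

# Constructed sample banners, modeled on the nc output shown in the slides.
HTTP_BANNER = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Date: Tue, 28 Apr 2015 21:29:02 GMT\r\n"
    "Server: Apache/2.2.15 (CentOS)\r\n"
    "Connection: close\r\n"
    "\r\n"
)
SMTP_BANNER = "220 lists.ccom.uprrp.edu ESMTP Postfix\r\n"
HARDENED_HTTP = "HTTP/1.1 400 Bad Request\r\nServer: Apache\r\n\r\n"

VERSION = re.compile(r"\d+(?:\.\d+)+")   # dotted version such as 2.2.15
OS_HINT = re.compile(r"\(([^)]+)\)")     # parenthesised comment such as (CentOS)


def banner_text(raw):
    """Return the part of a greeting that identifies the software."""
    lines = raw.splitlines()
    if lines and lines[0].startswith("HTTP/"):
        for line in lines[1:]:
            if not line:                  # blank line ends the headers
                break
            name, _, value = line.partition(":")
            if name.strip().lower() == "server":
                return value.strip()
        return ""                         # no Server header at all
    if lines and lines[0][:3] == "220":   # SMTP greeting: code, host, text
        parts = lines[0][4:].split(None, 1)
        return parts[1] if len(parts) > 1 else ""
    return lines[0] if lines else ""


def audit_banner(raw):
    """Classify what a banner discloses: product, version and OS hint."""
    text = banner_text(raw)
    version = VERSION.search(text)
    os_hint = OS_HINT.search(text)
    words = OS_HINT.sub("", text).replace("/", " ").split()
    product = [w for w in words if not VERSION.fullmatch(w) and w != "ESMTP"]
    return {
        "product": product[0] if product else None,
        "version": version.group(0) if version else None,
        "os": os_hint.group(1) if os_hint else None,
    }


def needs_hardening(raw):
    """A banner naming a version or OS can be matched to known flaws."""
    found = audit_banner(raw)
    return found["version"] is not None or found["os"] is not None


if __name__ == "__main__":
    for label, raw in [("http", HTTP_BANNER), ("smtp", SMTP_BANNER),
                       ("http-hardened", HARDENED_HTTP)]:
        print(label, audit_banner(raw), "harden:", needs_hardening(raw))
```

For Apache httpd, the `ServerTokens Prod` directive reduces the Server header to the product name alone, which is the form the hardened sample shows.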


Active Reconnaissance - nmap

Nmap is a very powerful network scanner that attempts a TCP connection with every port number of a specific IP Address to determine which ports are open and, therefore, which services are running on the host at that IP Address.

Based on different tests, it can also probe the versions of the services running and even the operating system running on the hosts.


Probing versions with nmap

nmap -A -T4 xxx.uprrp.edu

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2015-04-28 17:56 AST
Interesting ports on 136.145.181.66:
Not shown: 1668 closed ports
PORT     STATE  SERVICE   VERSION
22/tcp   open   ssh       OpenSSH 4.3 (protocol 2.0)
80/tcp   open   http      Apache httpd 2.2.23 ((CentOS))
111/tcp  open   rpc
443/tcp  open   ssl/http  Apache httpd 2.2.23 ((CentOS))
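Because a scan like this touches many ports on one host in a short time, it stands out in firewall logs. This added example, not part of the original slides, flags any source that probes several distinct TCP ports on one destination within a short window; the log format, addresses, window and threshold are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall log lines (key=value style); addresses are documentation ranges.
SAMPLE_LOG = """\
2015-04-28T17:50:00 SRC=198.51.100.99 DST=192.0.2.10 PROTO=TCP DPT=22
2015-04-28T17:52:00 SRC=198.51.100.99 DST=192.0.2.10 PROTO=TCP DPT=80
2015-04-28T17:54:00 SRC=198.51.100.99 DST=192.0.2.10 PROTO=TCP DPT=443
2015-04-28T17:56:00 SRC=198.51.100.99 DST=192.0.2.10 PROTO=TCP DPT=25
2015-04-28T17:56:01 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=21
2015-04-28T17:56:01 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
2015-04-28T17:56:01 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80
2015-04-28T17:56:02 SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP DPT=443
2015-04-28T17:56:02 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=111
2015-04-28T17:56:02 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=443
2015-04-28T17:56:03 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=8080
2015-04-28T17:56:04 SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP DPT=443
2015-04-28T17:58:00 SRC=198.51.100.99 DST=192.0.2.10 PROTO=TCP DPT=21
""".splitlines()

LINE = re.compile(r"^(\S+) .*?SRC=(\S+) DST=(\S+) .*?PROTO=TCP .*?DPT=(\d+)")


def parse(line):
    """Return (timestamp, src, dst, dst_port) or None for unrelated lines."""
    m = LINE.match(line)
    if not m:
        return None
    ts, src, dst, port = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_port_scans(lines, window=timedelta(seconds=10), min_ports=5):
    """Map (src, dst) to the ports probed, for every source that hit at
    least min_ports distinct ports on one host inside the time window."""
    recent = defaultdict(deque)          # (src, dst) -> (timestamp, port) pairs
    alerts = {}
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        ts, src, dst, port = event
        seen = recent[(src, dst)]
        seen.append((ts, port))
        while ts - seen[0][0] > window:  # drop probes older than the window
            seen.popleft()
        ports = {p for _, p in seen}
        if len(ports) >= min_ports:
            alerts.setdefault((src, dst), set()).update(ports)
    return {pair: sorted(ports) for pair, ports in alerts.items()}


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible scan: {src} -> {dst} ports {ports}")
```

The ordinary web client and the host that contacts one port every two minutes stay below the threshold; the window and port count have to be tuned to the traffic the network normally sees.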


Vulnerability Assessment

The goal of the vulnerability assessment, after finding possible entry points in the reconnaissance phase, is to find whether there are vulnerabilities on the target.

Tools such as OpenVAS: http://www.openvas.org/

The main component of OpenVAS is the security scanner, which can only run on Linux. It does the actual work of scanning and receives a daily-updated feed of Network Vulnerability Tests (NVT), more than 33,000 in total.


OpenVAS report


Exploitation (Infiltration)

The ultimate goal of this phase is to gain control of a host on the target's network.

This is typically done by gaining remote access to a shell or terminal as the administrator on that host.

Knowing a weakness is not enough to infiltrate the target; an attacker must discover a way to take advantage of that weakness.


Exploitation (Infiltration)

This does not necessarily require advanced knowledge and skill of computer programming.

Anyone can guess weak passwords to gain access, but developing a custom made program to exploit poorly written code in software requires advanced programming knowledge and skill.


Exploitation (Infiltration)

If an exploit exists for an identified vulnerability, the exploit is applied in the hope of gaining control of a host.

There are many automated tools for exploitation of known computer weaknesses freely available on the Internet. The most popular exploitation program is actually a framework, or collection of programs, called Metasploit.

http://www.metasploit.com/
http://www.offensive-security.com/metasploit-unleashed/Main_Page


Post Exploitation

In this phase the attacker wants to achieve the intended objective and back out leaving no trace of the trespass.

In practice, this is very difficult because computers keep records of every logon, logoff, startup, shutdown, network connection, program execution, and error received.

Finally, the attacker may either terminate the connection, if no further access is required, or create a backdoor for future access to the target.
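The logon records mentioned in this slide are what lets a defender spot the weak-password guessing described under Exploitation. This added example, not part of the original slides, reads sshd log lines and reports any source whose accepted login follows a run of failed attempts; the sample lines, host name, addresses and threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sshd log lines in the usual OpenSSH wording; addresses are documentation ranges.
SAMPLE_AUTH_LOG = """\
Apr 28 18:00:01 target sshd[2101]: Accepted password for alice from 198.51.100.20 port 50211 ssh2
Apr 28 18:01:10 target sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 40110 ssh2
Apr 28 18:01:12 target sshd[2211]: Failed password for root from 203.0.113.7 port 40112 ssh2
Apr 28 18:01:13 target sshd[2212]: Failed password for root from 203.0.113.7 port 40114 ssh2
Apr 28 18:01:15 target sshd[2214]: Failed password for bob from 198.51.100.20 port 50230 ssh2
Apr 28 18:01:16 target sshd[2215]: Failed password for msfadmin from 203.0.113.7 port 40118 ssh2
Apr 28 18:01:17 target sshd[2216]: Accepted password for bob from 198.51.100.20 port 50233 ssh2
Apr 28 18:01:19 target sshd[2217]: Accepted password for msfadmin from 203.0.113.7 port 40120 ssh2
""".splitlines()

EVENT = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) "
    r"from (\S+) port \d+"
)


def logins_after_guessing(lines, min_failures=3):
    """Report accepted logins that follow at least min_failures failed
    password attempts from the same source address."""
    failures = defaultdict(list)         # source -> usernames tried so far
    findings = []
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue                     # not an sshd password event
        outcome, user, source = m.groups()
        if outcome == "Failed":
            failures[source].append(user)
            continue
        tried = failures[source]
        if len(tried) >= min_failures:
            findings.append({
                "source": source,
                "user": user,
                "failures": len(tried),
                "users_tried": sorted(set(tried)),
            })
        failures[source] = []            # a success ends the streak
    return findings


if __name__ == "__main__":
    for f in logins_after_guessing(SAMPLE_AUTH_LOG):
        print(f"{f['source']} logged in as {f['user']} after "
              f"{f['failures']} failures (tried {f['users_tried']})")
```

A user who mistypes a password once before logging in, like the second source in the sample, stays below the threshold.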


Metasploit



Two VMs

• Kali
  • Virtual Machine with Metasploit
  • username/password root/toor or root/ccom4088
• Metasploitable
  • from the Metasploit project
  • a vulnerable Ubuntu VM
  • username/password msfadmin/msfadmin


#ifconfig

Get the IP address of the machine to find out which network it is on.


#msfconsole


Scanning

Either use nmap or Metasploit’s own port scanners.

Machines scanned with msf will be stored in the database.


1. use module
2. show module options
3. set module variables
4. run


A computer just like we wanted!


Some Utils

• #services -u
  • will display the open ports
• #hosts -R
  • sets the RHOSTS option to the hosts in the database
• #?
  • will give you the available command options
• #search keyword
  • searches for the keyword in msf


Service scanning (ftp)


Service scanning (vnc)

• Follow the steps used for ftp to find the default password of the vnc server.

• Connect to the VNC server with
  • #vncviewer Metasploitable:5900


Service scanning (tomcat)

1. Look at the list of open ports. Find the one that is running Apache Tomcat. Try the ones that are more likely: 8000 and up.

2. Similar to the previous examples, find a suitable Tomcat login scanner.

3. Set up the scanner and run it. Take a careful look at the results.


Service scanning (tomcat)

1. Search for a Tomcat exploit.

2. Set the exploit options with the information gathered in the previous steps.

3. exploit


Service scanning (tomcat)

Exploit options


Service scanning (tomcat)

Meterpreter - command interpreter

Play with it for some time. #?


References

• Metasploit Unleashed: http://www.offensive-security.com/metasploit-unleashed/

• Armitage presentation, BSidesPR 2013