Embed Size (px)
Citation preview
OperatingSystemsSecurity
AndWhyIt(Mostly)Doesn'tMatter
PatrickHof-RedTeamPentestingGmbHpatrick.hof@redteam-pentesting.de
https://www.redteam-pentesting.de/
RadboudUniversity,Nijmegen,19December2016
RedTeamPentesting
PenetrationTests
We'reDoomed
WhatNow?
RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter
Foundedin2004atRWTHAachenUniversity
9penetrationtesters
Conductingpenetrationtestsworld-wide
Specialisationexclusivelyonpenetrationtests
RedTeamPentesting
PenetrationTests
We'reDoomed
WhatNow?
RedTeamPentesting,Dates&Facts
RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter
Targetsandattacker-modeldefinedinpreliminarymeeting
Conductedfromtheattacker'sperspective→Samemethodsas“badguys”
Individualisedsearchforsecurityvulnerabilities
Detaileddocumentation
RedTeamPentesting
PenetrationTests
We'reDoomed
WhatNow?
Pentest–Introduction
RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter
Ifyoulookatthesecurity-relatedheadlinesin2016,we'reprettymuchdoomed
Largedatabreaches2016(justtonameafew):Dec14th,Yahoo:Morethan1B(!)useraccounts(fromAugust2013)
Nov23rd,AdultFriendFinder:421Museraccounts
Sep2nd,Dropbox:68Museraccounts(from2012)
May17th,LinkedIn:117Museraccounts(from2012)
andthelistgoeson...1
RedTeamPentesting
PenetrationTests
We'reDoomed
WhatNow?
TheSituation
Explanations?
DataBreaches2016
1:Source:https://www.identityforce.com/blog/2016-data-breaches
RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter
CVE-2016-5195
CVE-2016-0800
CVE-2016-3714
CVE-2015-0235
CVE-2014-6271
CVE-2014-0160
Weevenhavelogosnow!Finally,peoplewillunderstandtheseverityofthesituation!
RedTeamPentesting
PenetrationTests
We'reDoomed
WhatNow?
TheSituation
Explanations?
BrandedSecurityVulns
RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter
Whydoweseesomanyincidents?
Thereseemtobemoresecurity-relatedincidentsthanever
Inourpentests,weusuallycanachievewhatweagreedbeforeshouldnothappen,whyisthat?
ItriedtofindthecheesiestimageIcouldget...
RedTeamPentesting
PenetrationTests
We'reDoomed
WhatNow?
TheSituation
Explanations?
SecurityIncidentsWhereverYouLook
RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter
IDS/IPS
Trafficanalysisuptoapplicationlayer
Antivirus
Securityappliancescombiningalloftheabove
Operatingsystemssecurity(ASLR,DEP/NXetc.)
2FA
Centralizedsecurity,e.g.grouppoliciesonWindows
...
RedTeamPentesting
PenetrationTests
We'reDoomed
WhatNow?
TheSituation
Explanations?
DefenseMechanismsAreGettingMoreAdvanced
RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter
Whenwestarted10yearsago,“pentests”werenotwidelyknown
Now,companiesareinvestingmorethaneverinITsecurity(searchfor“HotCybersecurityStocks2016”onGoogle,Idareyou)
Shouldn'tthisreducetheamountofincidents?
RedTeamPentesting
PenetrationTests
We'reDoomed
WhatNow?
TheSituation
Explanations?
InvestmentsinITSecurityareRising
RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter
Ok,somaybethingsarenotasbadasImakeitlooklike.
RedTeamPentesting
PenetrationTests
We'reDoomed
WhatNow?
TheSituation
Explanations?
WhysoManyIncidents?
RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter
Theory:Workingasapentesteronlyshowsveryvulnerablecompanies,everyoneelseissecureandthereforedoesn'tdopentests.
RedTeamPentesting
PenetrationTests
We'reDoomed
WhatNow?
TheSituation
Explanations?
WhysoManyIncidents?
RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter
Theory:Workingasapentesteronlyshowsveryvulnerablecompanies,everyoneelseissecureandthereforedoesn'tdopentests.
Answer:No,thosewhodopentestsarerathersecurity-aware,otherwisetheywouldn'tbother.
RedTeamPentesting
PenetrationTests
We'reDoomed
WhatNow?
TheSituation
Explanations?
WhysoManyIncidents?
RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter
Theory:Themediaaregivingaskewedviewonthingsforthesakeofmakingscaryheadlinesabout“thecybers”,thereforemakingitseemworsethanitactuallyis.
RedTeamPentesting
PenetrationTests
We'reDoomed
WhatNow?
TheSituation
Explanations?
WhysoManyIncidents?
Sowehavetogetvery,verytoughoncyberandcyberwarfare.Itisa,itisahugeproblem.Ihaveason.He's10yearsold.Hehascomputers.Heissogoodwiththesecomputers,it'sunbelievable.Thesecurityaspectofcyberisvery,verytough.–AbrahamLincoln
“”
RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter
Theory:Themediaaregivingaskewedviewonthingsforthesakeofmakingscaryheadlinesabout“thecybers”,thereforemakingitseemworsethanitactuallyis.
Answer:Mightbepartlytrue,butapartfromtheusualmediasensationalism,manyhacksarereal.Wedoseealotofvulnerablesystemsinourworkandwealsogetfeedbackfromclientsaboutbreachestheyhadthatwereneverreportedtoanyone.
RedTeamPentesting
PenetrationTests
We'reDoomed
WhatNow?
TheSituation
Explanations?
WhysoManyIncidents?
RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter
Theory:Thereissomuchmoneyinthesecurityindustrythateveryoneisinterestedinscaringpeopleintobuyingasmuch“security”aspossible.
RedTeamPentesting
PenetrationTests
We'reDoomed
WhatNow?
TheSituation
Explanations?
WhysoManyIncidents?
RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter
Theory:Thereissomuchmoneyinthesecurityindustrythateveryoneisinterestedinscaringpeopleintobuyingasmuch“security”aspossible.
Answer:Partlytrue,there'salotofveryquestionablestuffouttherethatmakesmillionsinprofits,butasIalreadysaid:wedoseealotofveryinsecuresystemsinourwork,andifyoulookattherecentsecurityresearch,othersdotoo.
RedTeamPentesting
PenetrationTests
We'reDoomed
WhatNow?
TheSituation
Explanations?
WhysoManyIncidents?
RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter
Someideaswhattherealproblemscouldbe:
Everythingisonlinethesedays,orintheprocessofgoingonline:Banking,shopping,socialinteraction...
ITismoreandmoreprevalentineverycompany,(almost)nobodyworkswithoutITortheInternet
Employeesshouldbeabletoworkfromanywhere(andbeavailable24/7),soremoteaccessisneededevenfromprivatehardware(BYOD)
Thingschangefast,companiesaretryingtokeepupwiththelatesttrends
Thereisahugemarketforcheapgadgetsandthe“InternetofThings”
RedTeamPentesting
PenetrationTests
We'reDoomed
WhatNow?
Explanations!
OperatingSystemsSecurity
Conclusion
TheRealProblems
RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter
Complexitybreedsbugs,bugsarevulnerabilitieswaitingtobeexploited
Companiesaddmorefeaturesinsteadofsecuringthealreadyavailable
Attackersareinterestedindata,notnecessarilyarootshell
RedTeamPentesting
PenetrationTests
We'reDoomed
WhatNow?
Explanations!
OperatingSystemsSecurity
Conclusion
TheRealProblems
RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter
Malvertising:Adnetworkscurrentlyhaveahugemalwareproblem
ContentDeliveryNetworks(CDN):Onehack,millionsofvictims
Hidebehindthe“bigname”whendeliveringmalware
JavaScriptbloat
March2016:The“left-padfiasco”1:2.486.696downloadsinFebruaryaloneforamodulethatleft-padsstrings!
Again:hackonedeveloper,targetloadsofapplications
RedTeamPentesting
PenetrationTests
We'reDoomed
WhatNow?
Explanations!
OperatingSystemsSecurity
Conclusion
TheRealProblems
1:http://www.haneycodes.net/npm-left-pad-have-we-forgotten-how-to-program/
RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter
MoreBuzzwords:
InternetofThings(IoT)
TheCloud
Antivirus
Smartphones
RedTeamPentesting
PenetrationTests
We'reDoomed
WhatNow?
Explanations!
OperatingSystemsSecurity
Conclusion
TheRealProblems
RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter
9.12.2016:Netgear,8modelscanbeexploitedlikeit's'99:
http://<router_IP>/cgi-bin/;COMMAND
ThisishowIexploitedmyLinksysWRT54GWi-firoutertoinstallLinux,in2002!Eventhen,commandinjectionswerealreadyawell-knownvulnerability.
Thereareexploitkitsusedbymalvertiserstoopenuphomerouterswithvulnerabilitieslikethisone.
RedTeamPentesting
PenetrationTests
We'reDoomed
WhatNow?
Explanations!
OperatingSystemsSecurity
Conclusion
Example:HomeRouters
RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter
Antivirussoftwareisoftenindistinguishablefromakernelrootkit
Embedsitselfdeeplyintothesystem,hookingkernelfunctions
CheckoutTavisOrmandy'sworkatGoogleProjectZeroExploitsforSymantecandNorton,Avast,TrendMicro...
Recentresearch(12.12.2016)byAndrewFasano:McAfeeVirusScanforLinux,10vulnerabilitiesthatcanbe
chainedtoachieveremotecommandexecutionasroot1
RedTeamPentesting
PenetrationTests
We'reDoomed
WhatNow?
Explanations!
OperatingSystemsSecurity
Conclusion
Example:Antivirus
1:https://nation.state.actor/mcafee.html
RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter
Problem:Transparentlysendingobjectsbackandforthblursthedistinctionbetweenuntrustedclientandtrustedserverforprogrammers
Oneofthenewertools(released2015):ysoserial1
ObjectInputStream.readObject()AnnotationInvocationHandler.readObject()[...]Runtime.getRuntime()InvokerTransformer.transform()Method.invoke()Runtime.exec()
RedTeamPentesting
PenetrationTests
We'reDoomed
WhatNow?
Explanations!
OperatingSystemsSecurity
Conclusion
Example:SerializationConsideredHarmful
1:https://github.com/frohoff/ysoserial
RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter
OperatingSystemsSecurity:
MostlyPostExploitationaka:wealreadygotthedata,butwhilewe'reatit...
RedTeamPentesting
PenetrationTests
We'reDoomed
WhatNow?
Explanations!
OperatingSystemsSecurity
Conclusion
WhatElse?
RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter
Inmanycases:Onceyouarepartofthedomain,itisjustamatteroftimeuntilyouaredomainadmin
Getlocaluserhashes/ticketsfrommemory
Ifnotalreadydomainadmin:Accessothermachineswithcredentials/hashes/ticketsfounduntilyouhaveadomainadminaccount
Gameover,connecttodomaincontrollerandcreateforexampleagoldenticket
mimikatz1implementsallthis
RedTeamPentesting
PenetrationTests
We'reDoomed
WhatNow?
Explanations!
OperatingSystemsSecurity
Conclusion
OperatingSystemsSecurity:Windows
1:https://github.com/gentilkiwi/mimikatz
RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter
Linuxisfoundmostlyonservers
There,youhavetheusualproblem:Onlyfewinstalltheirpatchesontime→Outdatedkernel,glibcetc.
Uselocalprivilegeescalationtogetroot
Morefragmented,ratherindividualhowyoucangetaccesstomoresystems
E.g.passwordsinthe.bash_history,privateSSHkeys,weakpasswords,openshares,configfileswithcredentials...
RedTeamPentesting
PenetrationTests
We'reDoomed
WhatNow?
Explanations!
OperatingSystemsSecurity
Conclusion
OperatingSystemsSecurity:Linux
RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter
Westarttoseethatconsumersdemandsecurity,butonlywhenithurts(e.g.Ransomware)
Nobodycaresifthey'repartofabotnet,everyonecaresiftheirfamilyphotosareencrypted(orforcompanies:theirpreciousExcelreports)
RedTeamPentesting
PenetrationTests
We'reDoomed
WhatNow?
Explanations!
OperatingSystemsSecurity
Conclusion
AreWeReallyDoomed?
RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter
Reducecomplexity(KISS)insteadofincreasingit
Makesecuritypartofthedevelopmentcycle
Patchyoursystemsregularly!
NoteverythingneedstobeconnectedtotheInternet
RedTeamPentesting
PenetrationTests
We'reDoomed
WhatNow?
Explanations!
OperatingSystemsSecurity
Conclusion
AreWeReallyDoomed?
RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter
Thankyouforlistening!
RedTeamPentesting
PenetrationTests
We'reDoomed
WhatNow?
Explanations!
OperatingSystemsSecurity
Conclusion
Questions?
RedTeamPentestingGmbH OSSecurityAndWhyIt(Mostly)Doesn'tMatter
