Friday, October 24, 2008

Selling security via ethical hacking

I had the pleasure recently in my organization to receive a directive similar to this. "Please develop a presentation that shows people why they need to be a participant in our new higher security network service".

Ok, calling to all you creative geeks out there - wow... did I just get an order to "ethically hack"? My thinking was "yes" and this turned out to be one of the most fun assignments I had come across in a while.

My first response was to get my "get out of jail free" card signed. (kudos to our friend Ed Skoudis for this one:

I then went away for 2 weeks to develop a quick and scary hacking demo that I could present in 45 minutes as a pure sales job for higher security. The structure of the demo ended up being a combination of some powerpoint slides, and some real live Metasploit fun.

The powerpoint slides went as follows.
  • Describe the process of penetrating an enterprise network (scanning, recon, gaining access, keeping access, covering tracks). My colleague did a little google hacking show in the process.
  • Describe the C programming language and its flaws, paying special attention to how sub-routines in "C" are being exploited due to poor programming practices with respect to unbounded arrays.
  • Describe how sub-routines in "C" are embedded in just about all of the computing devices in use today
  • Show a Metasploit Demo!

So, without further ado, lets talk about the Metasploit demo. First of all, I have to admit upfront that this was a time limited (canned) demo and I decided in the interests of keeping my job, not to find targets on our live network. (Although I may have done so if I had obtained enough advance recon. time)

Here is what I did:
  1. Setup a laptop with two virtual machines on it. One of the two had an unpatched WinXP host with no service packs, the second of the two was WinXP with service pack 2.

  2. Using a second MacBook, I scripted two flavors of MetaSploit attacks. I called them "direct network attacks", and "indirect network attacks". The exploits used for either flavor were basically the same, it simply depended on whether I attacked the target directly over a local network (back to back cable) or had the target come to my local web service.

  3. Direct network attack exploits used were as follows:

    • MS03-026: RPC-DCOM buffer overflow
    • MS03-049: Workstation Service NetAPI buffer overflow
    • MS04-007: Abstract Syntax Notation Library (ASN.1) buffer overflow
    • MS04-011: LSASS buffer overflow

  4. InDirect (phishing style) exploits used were as follows:

    • MS07-?: Browser LoadAniIcon() in User32.dll
    • MS07/08-?: Browser generic activex overflow
    • MS06-001: GDI Library WMF SetAbortProc()

  5. Payloads used were either the VNC DLL injection, Shellcode, or Meterpreter

  6. Finally, both laptops were at the front of the room with two projectors showing each screen. Sort of a "bad guy" and "innocent victim" approach.
Starting with the unpatched WinXP machine, I did the most simple RPC DCOM buffer overflow, and pushed the reverse VNC DLL payload onto the target. On the MacBook, I then simply connected to the VNC server localhost addressed and displayed a mirror image of the screen.

I had a fake looking file called "WIDGET-SALES.TXT" on the desktop which I displayed on the screen to show that the goal was all about gaining access to data (not necessarily about gaining root/system).

I then moved onto the second virtual machine to show a typical phishing attempt. Between my colleague and I, we faked up a google mail page with a URL link in it as the browser home page. On the MacBook, I launched my MetaSploit web listener with the LoadAniIcon() sploit as the payload, and MeterPreter as the payload.

On the WinXP-SP2 virtual, I showed the user clicking on the "phishing URL" within the google email page (from IE). The buffer overflow transpired, and we launched Meterpreter.

Using a meterpreter script, I did the following:
  • created a hidden directory
  • uploaded netcat.exe
  • poked a hole in the Windows firewall on port 8888 with a service name of "msc".
  • tweaked the "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" registry key to start my backdoor netcat listener on port 8888.
While still using Meterpreter, I killed a few processes (like Symantec AV), executed notepad, calculator, solitaire to truly show the level of control I had over the victim.

I then simply booted the machine from Meterpreter. After the reboot, I showed how I could use netcat from the MacBook to reconnect to the target multiple times, gaining Windows shell access each time.

All of this was accomplished in 45 minutes and let me tell you, I scared the wits out of everyone in the room. The weirdest part for me was that remotely rebooting the victim machine from Meterpreter seemed to have the highest impact. (*sigh* - sometimes you just have to take what you can get....)

However, the bottom line was outrageous success. In one short session, we built demand for more institutional network security implementation than we ever had experienced before. It actually turned into a case of "be careful what you wish for".

No comments: