Next Gen Tactical Attacks

Next generation tactical attacks

Hacking has evolved from direct exploitation to multi-stage tactical attacks. Client-side exploitation, application-level attacks and complex social engineering are the threats of the day. Does the conventional threat definition still work? Are the conventional security solutions geared to face the emerging attacks?

How has hacking changed?

With the technological advances in existing security measures like firewalls, IPS and anti-virus, the attacker’s approach is also changing significantly. As direct exploitation of network devices, operating systems and applications gets tougher, attackers are increasingly turning to exploiting employees and users, finding multi-stage attack paths, attacking client software and attacking rich internet applications. Organizations often miss the vulnerabilities that result from this “tactical approach” and live in a false sense of security. Anyone who thinks that security products alone can offer true security is settling for the illusion of security.

Hacking has moved beyond exploitation

Hacking has ceased to be only about exploits, because vulnerabilities are transient: a newly discovered vulnerability will be patched in the next cycle, rendering the exploit useless. In a typical penetration test only one or two real exploits may be used successfully. The rest of the time is spent obtaining passwords, abusing trust relationships, tricking authentication systems and hijacking services to gain access to more systems. The same is true for attackers, who look beyond exploits to gain access to and control of confidential information. Attackers are now opportunists, attacking the opportunity presented by applications, people and processes for successful break-ins. H D Moore and Valsmith’s paper “Random Pwning Fun Bag” first gave a good glimpse of the various tactical approaches of the current-day attacker. Below we describe some of those next generation tactical attacks, together with iViZ’s own experience of using them to find unknown and newer vulnerabilities:

“Attackers are now opportunists: attacking the opportunity of weak applications, people and process for successful break-ins”

Attacking Data in Motion

Rather than attacking the vulnerable software directly, attackers are interested in exploiting the opportunity to intercept data in motion. Attackers want access to the data, not administrative privileges. So even though you might have a very secure system, a sophisticated attacker can steal your data without attacking your secure system at all!

File Transfers

Traditional attacks involved exploiting the FTP server software. In the tactical approach, however, attackers focus on the data transfer itself: the opportunity presented by an actual transfer in progress. The file transfers attacked in this way could be FTP or NFS, and either can lead to significant disclosure of confidential data. This is also a premium attack vector because most organizations, small or large, use file transfers in some form or other.

Mail services

Unencrypted email can easily be read while it is making its way to your friend's inbox! A typical mail system is composed of one or more relay systems, some form of antivirus / spam filter, the mail server itself and finally the user’s email client. Traditionally attackers focused only on the intermediate systems; in the tactical approach they target the mail clients as well. For example, in older versions of some mail clients, if two email messages containing the same attachment name are received, the newer message can overwrite the previous message’s attachment. This can be used to replace a trusted attachment with a backdoor within the user’s mailbox.

“Gaining access to the data in transit may be easier and more attractive for a hacker rather than gaining root privilege”

Attacking DNS services

With a moderate security level, most DNS servers are configured to reject zone transfers from unauthorized hosts. However, in the tactical approach, attackers use brute force on possible domains and host names to determine whether those entries exist. Many DNS servers are misconfigured to allow reverse DNS lookups of private addresses, exposing the names and addresses of important servers on the internal network. A successful attack can lead to the injection of false DNS records into the cache and a potential hijack of internal and external domains. Dan Kaminsky’s famous and shocking DNS attack is an example of this attack.

Attacking Trust Based Relationships

Trust is one of the most easily exploitable things to attack and leverage in a tactical approach. iViZ, while conducting many penetration tests, has found that exploiting trust based relationships can offer attackers easy access to even the most secure systems! An example of tactically exploiting a trust based relationship is custom software meant for system administration that runs on every computer inside a network with administrative privileges. This means that the application is trusted by every computer in the network. By reverse engineering the software for the hardcoded username and password, attackers can compromise every host inside the network. Any resource trusted by more than one user or computer is a potential leverage point for the attacker.

“Exploiting trust based relationships can offer attackers easy access to even the most secure systems!”

Attack chaining through Multistage attack paths

Conventional wisdom suggests that it is important to focus on critical assets only. But there are severe vulnerabilities in less critical assets that can be used by attackers as a launching pad for breaking into the network. As a recent example of a famous security breach, a hacker broke into an entire network by using a vulnerability in an administrator's desktop. The possibilities and combinations of such attacks are huge, and they are important to mitigate. Unfortunately, multistage attacks are complex and it is beyond the capacity of human minds to find all possible attack paths. The situation gets more complex when an attacker breaks into several such less critical hosts and chains the attack payload through them before reaching the final, secure, critical server.

Dangerous low threat vulnerabilities and harmless high threat vulnerabilities

There are many low threat vulnerabilities in hosts that appear harmless because of their low severity rating. However, these often lead to severe vulnerabilities in a system, and attackers are increasingly exploiting this opportunity. Security managers focus mostly on eliminating high threat vulnerabilities and leave the low threat ones open, falsely assuming that they pose little or no threat at all!
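As an added example (not from the paper, and not iViZ's code) of the point made in the two passages above on attack chaining and low-rated findings: a small attack-graph search over a constructed network, showing that fixing only the “high” finding leaves a complete path to the critical server built entirely from “low” ones. The hosts, edges and severities are invented.

```python
# Constructed example network, not from the paper. Each edge is a finding a
# scanner would report, tagged with its severity, that lets an attacker move
# from one host to the next.
EDGES = [
    ("internet", "admin-desktop", "low"),    # client-side bug in a document reader
    ("admin-desktop", "file-share", "low"),  # world-writable share
    ("file-share", "jump-host", "low"),      # credentials left in a script on the share
    ("jump-host", "db-server", "low"),       # trusted SSH relationship to the critical server
    ("internet", "db-server", "high"),       # the one finding that gets patched first
]
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def build_graph(edges):
    """Adjacency list: host -> [(next_host, severity), ...]."""
    graph = {}
    for src, dst, severity in edges:
        graph.setdefault(src, []).append((dst, severity))
    return graph


def attack_paths(edges, start, target):
    """Every simple path from start to target, as (hosts, severities) pairs, via DFS."""
    graph = build_graph(edges)
    found = []

    def walk(node, hosts, severities):
        if node == target:
            found.append((hosts, severities))
            return
        for nxt, severity in graph.get(node, []):
            if nxt not in hosts:  # keep paths simple (no revisits)
                walk(nxt, hosts + [nxt], severities + [severity])

    walk(start, [start], [])
    return found


def paths_after_patching(edges, start, target, patched_down_to):
    """Paths that survive once every finding rated patched_down_to or worse is fixed."""
    threshold = SEVERITY_RANK[patched_down_to]
    remaining = [e for e in edges if SEVERITY_RANK[e[2]] < threshold]
    return attack_paths(remaining, start, target)
```

Calling paths_after_patching(EDGES, "internet", "db-server", "high") still returns the four-hop path through the administrator's desktop; only patching down to "low" empties it.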

“What may appear as a benign or low-priority vulnerability on a host may be used as a launching point for an attacker to penetrate other devices on the network”

Client Side Exploitation

Attackers are exploiting client side software like browsers, word processors and document readers to gain access to the victim's system. Since users are trusted within a network, attackers can thereby bypass perimeter security devices easily. Browsers and email clients are the most popular targets since they are present on any desktop or laptop. There have been many vulnerability disclosures in IE, Firefox, Opera, Safari, MS Word, Adobe products, MS Outlook etc.

“A hacker can send you a link or a file. Opening them could easily trigger a trojan download on your system in spite of your firewall.”

ARP poisoning with software updates

ARP poisoning combined with man-in-the-middle attacks has long been a known technique for attackers to intercept and steal confidential information. The tactical approach uses this technique and goes one step further by combining it with automatic fake software updates. Attackers force users’ traffic through a rogue gateway set up by ARP poisoning and push malicious software updates from a fake update server. As an example, when a fake or trojan-infected update of “Microsoft Word 2007” pops up on the user’s screen, an unsuspecting user may install it believing that it actually comes from Microsoft. Every user’s workstation can potentially be compromised this way.
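As an added example (not from the paper) from the defender's side of the ARP poisoning scenario above: detection logic run over a constructed record of ARP replies seen on a LAN, flagging a gateway IP that is suddenly claimed by a different MAC and counting how often the mapping flips. Addresses and timestamps are invented.

```python
# Constructed ARP observations, not from the paper: (time, sender IP, sender MAC)
# as a passive sensor would record them from ARP replies seen on the LAN.
ARP_OBSERVATIONS = [
    ("10:00:01", "192.168.1.1", "00:11:22:33:44:55"),   # real gateway
    ("10:00:05", "192.168.1.1", "00:11:22:33:44:55"),
    ("10:01:30", "192.168.1.20", "aa:bb:cc:dd:ee:01"),  # ordinary workstation
    ("10:02:10", "192.168.1.1", "de:ad:be:ef:00:01"),   # gateway IP now claimed by another MAC
    ("10:02:11", "192.168.1.1", "de:ad:be:ef:00:01"),
    ("10:02:12", "192.168.1.1", "00:11:22:33:44:55"),   # real gateway answers again: flapping
]


def arp_alerts(observations, baseline=None):
    """Flag every reply whose MAC differs from the one pinned (or first learned) for its IP.

    baseline maps IP -> expected MAC for addresses you know (the default gateway
    above all); IPs not in it are learned from their first observation.
    """
    expected = dict(baseline or {})
    alerts = []
    for ts, ip, mac in observations:
        mac = mac.lower()
        if ip not in expected:
            expected[ip] = mac
        elif expected[ip] != mac:
            alerts.append((ts, ip, expected[ip], mac))
    return alerts


def ip_mac_flaps(observations):
    """Count IP -> MAC transitions; a gateway that flips back and forth is being poisoned."""
    last = {}
    flips = {}
    for _, ip, mac in observations:
        mac = mac.lower()
        if ip in last and last[ip] != mac:
            flips[ip] = flips.get(ip, 0) + 1
        last[ip] = mac
    return flips
```

Pinning the gateway MAC in the baseline (rather than learning it) is what makes the check robust when the sensor starts while poisoning is already under way.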

Social Engineering

Social engineering hackers exploit users’ credulity, laziness, good manners, or even their enthusiasm. It is therefore challenging to defend against socially engineered attacks, because the targets may not even realize that they have been duped, or may prefer not to admit it to others. Advanced social engineering techniques have surfaced in recent times, combined with client side attacks, phishing and system exploitation. This form of attack is not only effective but also has devastating impact. Tactical social engineering is deadly when combined with client side attacks, even against fairly security-conscious individuals.

Attacking SSH

Software supporting encrypted protocols like SSH can be used to gather information about other possible targets on the network. Every time a user connects to a system using SSH, that host is recorded in the known_hosts file under ~/.ssh/. This file lets an attacker see which other hosts trust the user. In newer versions, master mode can be leveraged to hijack SSH connections. Master mode lets the user set up a tunnel which allows multiple sessions over the same SSH connection without re-authentication. This means that once one SSH connection to a host is set up in master mode, an attacker can spawn other sessions over this same connection without knowing the password or having access to a key!
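As an added example (not from the paper, and not iViZ's code) of the known_hosts exposure described above: a Python check that lists which hosts an unhashed ~/.ssh/known_hosts reveals, and shows why the hashed format that OpenSSH writes with HashKnownHosts yes (or that ssh-keygen -H converts to) can still be verified for a given name but not enumerated. The salt, hostnames and key blobs are constructed.

```python
import base64
import hashlib
import hmac

# 20-byte salt and hostnames constructed for this example, not from the paper.
SALT = bytes(range(20))


def hash_host(hostname, salt):
    """Build a HashKnownHosts-style marker: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


# Constructed known_hosts content; the key blobs are placeholders, not real keys.
KNOWN_HOSTS = "\n".join([
    "fileserver.corp.example,10.0.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAA-placeholder",
    "[jump.corp.example]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5-placeholder",
    hash_host("db.corp.example", SALT) + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5-placeholder",
])


def exposed_hosts(text):
    """Hostnames/addresses readable in clear text from unhashed entries."""
    exposed = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = fields[1] if fields[0].startswith("@") else fields[0]  # skip @cert-authority/@revoked
        if not marker.startswith("|1|"):
            exposed.extend(marker.split(","))
    return exposed


def hashed_entry_matches(marker, hostname):
    """True if a |1|salt|hash marker was produced for hostname; the salt makes it one-way."""
    _, _, salt_b64, digest_b64 = marker.split("|")
    salt = base64.b64decode(salt_b64)
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))
```

Note that hashing protects only entries written after the option is enabled; existing clear-text lines must be converted (ssh-keygen -H) or the exposure remains.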

Advanced Web 2.0 attacks

AJAX, RIA and Web services are three important technological vectors in the Web 2.0 application space. These technologies are promising and bring new equations to the table, improving the overall effectiveness and efficiency of Web applications. Mail applications, social networking, document sharing and business utilities increasingly use Web 2.0 technologies to add new features and increase application responsiveness. However, these technologies also bring with them a new class of sophisticated threats which are not easily detected by normal application vulnerability scanners. Some of the latest attacks that hackers are increasingly exploiting are:

  • AJAX cross-site scripting
  • XML poisoning
  • Malicious AJAX code execution
  • RSS / Atom injection
  • Client side validation attack in AJAX routines
  • Web services routing attack
  • Parameter manipulation with SOAP
  • XPATH injection in SOAP messages

To stay ahead in this game of tactical security, conventional ways must be discarded. A laundry list of vulnerabilities generated by automated tools is good, but not good enough. Instead, organizations should evolve to building and testing security systems from the perspective of tactical attack vectors along with human vulnerabilities. In the game of security it’s all about who runs faster. Is it you or the hacker? There is no end to this race; just staying one step ahead is the name of the game.

“Organizations should evolve to building and testing security systems from the perspective of tactical attack vectors along with human vulnerabilities.”
