Session Recording: https://vimeo.com/245383910 (Available 12/1-12/7)
Next Week’s Registration: https://networkdefense.clickmeeting.com/cuckoos-egg-4
This week, we reviewed chapters 9-14.
Cliff observes the attacker logging in again via the Sventek account. Sventek uses Kermit to copy a file over. The file is an application that solicits users to enter their password before redirecting them back to a legitimate application. The purpose of the tool is clearly to steal user passwords, but the attacker fails at deploying it successfully and it never executes.
Realities of Password Theft
We use this opportunity to talk about password theft and the dramatic impact it can have. I posed the question to the group, which of these is worse?
- An attacker having root privileges on a single system without a clear text user password?
- An attacker having user privileges no a single system with a clear text user password?
Of course, the answer is “it depends.” The nightmare scenario for prevention and detection is an attacker with clear text credentials for a user with great power.
I highlighted four realities of password theft:
- If I can authenticate to a machine as you, the machine gives me the privileges assigned to you.
- An attacker doesn’t have to attack vulnerabilities in software if they have legitimate credentials.
- An attacker who can access a network with legitimate credentials will almost always do so.
- Many long-term attacks involve the use of legitimate credentials.
It’s also important to keep in mind that a user account is not equivalent to a user, it only represents them. An attacker can authenticate as a user, but can never be that user. It is that distinction that we must leverage to detect and prevent attackers who would seek to impersonate.
Clear Text Password Theft
Clear text passwords primarily exist in three places: the user’s head, in transit on the network, in limited places on the operating system. There are techniques attackers can use to steal passwords from all three locations. I performed a demo of each one of these attacks.
Harvesting from the Human: We used the Social Engineering Toolkit to replicate legitimate sites. These are delivered to the victim via some form of social engineering (like a phishing e-mail). The attacker inputs their password, which is covertly sent to the attacker.
Harvesting from the Network: Some protocols perform submission of credentials over clear text. Anyone with a packet sniffer in the right location can intercept these credentials. I demonstrated extracting web application credentials that were transmitted over HTTP.
Harvesting from the OS: While passwords most often exist as file hashes on the local system, there are methods that can be used to extract their clear text representation. One of the most common techniques on Windows systems is the use Mimikatz to take advantage of the LSASS process. I demonstrated the execution of Mimikatz on a Windows 7 system.
- Social Engineering Toolkit: https://github.com/trustedsec/social-engineer-toolkit
- Lehigh University Phishing Examples: https://lts.lehigh.edu/phishing/examples/all
- ARP Cache Poisoning for Packet Analysis: http://chrissanders.org/2008/04/using-arp-cache-poisoning-for-packet-analysis/
- Mimikatz: https://github.com/gentilkiwi/mimikatz
- ADSecurity Unofficial Guide to Mimikatz: https://adsecurity.org/?page_id=1821
- Mimikatz Overview, Defenses, and Detection: https://www.sans.org/reading-room/whitepapers/detection/mimikatz-overview-defenses-detection-36780
Dig Deeper Exercises:
- Level 1: Download the Social Engineering Toolkit and use the credential collection feature that will clone an existing website. Consider how you might compose a phishing e-mail that tricks a victim to inputting their credentials (don’t actually send it)
- Level 2: Perform a packet capture while browsing to applications you authenticate to on a regular basis. Assess whether your credentials are submitted in the clear, or over an encrypted channel.
Sandy, a colleague of Cliff finds a computer lab in the library setup to auto-dial Tymnet when students login. It seems logical that an internal attacker (like a student) might be using these terminals to attack the network. Cliff and Sandy work with local law enforcement to post someone in the lab. Cliff monitors for the next time the attacker logs in and calls the lab. Unfortunately, nobody is logged into any of the terminals. The theory that the attacker was coming from the lab is debunked.
Insider vs. Outsider Threat
We briefly discussed the source of threats. The insider threat has potential to be much more damaging and hard to detect. However, the hype surrounding insider threat is dramatically overblown. Insider threat accounts for an incredibly small percentage of actual breaches.
Cliff begins going through his attacker logs in more depth. He eventually discovers more compromised accounts. A portion of the attacker’s tradecraft is revealed. The attacker will search for old, unused accounts and edit the password file to reactivate them. The attacker would also clear their password so it could be reset, making the accounts perfectly suitable for use again. This was all made possible by the same emacs bug.
Password Hash Theft
In most places, passwords are stored as hashes rather than in clear text. A hash is a one-way cryptographic function that creates a representation of a password. This is used by the operating system for authentication and storage because it’s more secure than keeping the plaintext password in multiple places. While a password hash is less valuable than a clear text password, it can still be leveraged by attackers to gain access.
I discussed two techniques relating to password hashes.
Password Cracking: An attacker who desires the clear text password associated with a user can attempt to crack the password. I used John the Ripper to demonstrate this process.
Pass the Hash: Sometimes, all you need is the hash. I discussed the Pass the Hash toolkit and how an attacker could use this to gain access as the user whose password hash they’ve stolen.
- John the Ripper: http://www.openwall.com/john/
- Password Cracking Class from Kentuckiana ISSA: http://www.irongeek.com/i.php?page=videos/password-cracking-class-hfc-louisville-issa
- Dump Windows Password Hashes Efficiently: http://bernardodamele.blogspot.com/2011/12/dump-windows-password-hashes.html
- The Linux Password and Shadow File Format: http://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html
- How Passwords are Stored in Linux: https://www.slashroot.in/how-are-passwords-stored-linux-understanding-hashing-shadow-utils
Dig Deeper Exercises:
- Level 1: Create a user account on a Windows system. Extract the hash and use John to attempt to crack the password.
- Level 2: Increase the complexity of the password minimally, and perform the same task again. Keep increasing the complexity and take note of how much longer it takes to crack the password.
Cliff observes the attacker using the LBL connection to connect to White Sands Missile Range (WSMR). The attacker fails to get in. Cliff notifies the FBI of what he’s seen, but they don’t care enough to investigate it. He also notifies the AF OSI. They start looking into it but don’t provide any immediate significant response.
The next time the attacker dials in, Cliff initiates another trace. The local phone company traces it to a telco in Virginia who is able to trace it to the next hop. Unfortunately, they can’t share the results with Cliff. The telco works with the police, not individuals. Furthermore, that would require a warrant in Virginia and Cliff’s warrant is only good for California. For now, Cliff’s stuck.
Should this crime have warranted closer inspection by the FBI?
- Why or why not?
- How do you determine the threshold for a crime worthy of investigation? Think about this from a macro (FBI) and micro (your company) scale. What is worth the expenditure of resources to pursue?
December 7th 7:30PM ET
Read Chapters 15-23
Register/Attend Here: https://networkdefense.clickmeeting.com/cuckoos-egg-4