###How Target Blew It Normally, I stick to more technical articles, but this article from Businessweek is a very interesting read on how, despite doing most of the right things technically, company procedures and humans can still be the weak link in your security infrastructure.
Imagine this scenario:
One of your employees visits a site offering a program to download videos from a popular video site. Because they’d like to throw some videos on their phone, they download and install it, but it comes with a hitchhiker: a RAT, or remote access trojan. So Trudy, an attacker, has a foothold, but the user isn’t an administrator, so she starts looking at the network for a place to pivot. Scanning a private subnet, she finds a number of consecutive IP addresses all offering webservers, FTP servers, and even telnet! Connecting to one, the attacker suddenly realizes she has just found her golden ticket…
Dell calls it iDRAC; IBM refers to it as RSA or IMM; HP likes iLO; and Intel goes with AMT. Whatever the name, most servers offer an out-of-band management option, and those are an oft-overlooked potential backdoor into your network. Generally these devices use their own network connection, are powered even if the server is shut down (so long as the power supplies are on), and offer a number of powerful features:
- Remote console (most often a Java applet)
- Attach remote drives (ISOs or disk images)
- Reboot server
- Update firmware
- Control boot and BIOS/EFI settings
What can our attacker do with this? These devices are intended to provide system administrators with access roughly equivalent to physical access, and for attackers, they do the same.
Connecting to the out-of-band controller, Trudy hopes that whoever racked the server hooked up the controller but did no more configuration, such as changing the passwords. Almost all use a static password, so upon seeing the logo on the login screen, she immediately knew to try PASSW0RD, and was presented with the admin interface moments later. Launching the Java-based remote console, she was delighted to see a Windows Server 2012 interface with the hostname “DC2”, indicating the server was probably a Domain Controller, but was slightly disappointed to see that someone hadn’t done her the favor of leaving it logged in.
No matter, she had her bag full of tricks. She mounted an ISO of Kali Linux and, hoping the failover would work properly, clicked the reboot icon. After the system booted, she mounted the hard drives and replaced a few less-critical service executables with binaries that had some extra functionality. As she disconnected her ISO and power-cycled the server again, she fired up Metasploit on her laptop and started listening for connections. Shortly after the server booted, she saw an incoming connection pop up on her screen.
1 2 3 4 5 [*] Sending stage (748032 bytes) to 192.168.9.9 [*] Meterpreter session 1 opened (10.3.13.37:4444 -> 192.168.9.9:1051) [*] Starting interaction with 1... meterpreter > getuid Server username: NT AUTHORITY\SYSTEM
Due to an insecure Lights-Out Management device, Trudy now has SYSTEM on a domain controller at her target. Even with servers configured to best practices and fully patched, the network is now wide open. Trudy is free to pivot throughout the network, extract sensitive data, and whatever else she’d like. In short, you’ve been pwn3d.
####Securing Out of Band Management
Not all hope is lost, however. While these devices pose a risk, they are also very useful. We can secure the controllers, but it takes planning.
- If you’re not going to use them, don’t connect them. If it’s not on the network, it’s not the way in.
- Maintain inventory of these devices, and include them in your patch management lifecycle. Patch them now.
- Like any server, disable unneeded services. Are you really going to use the telnet service on it? Ideally, only leave encrypted services around so passive sniffers aren’t a risk.
- Change the passwords. Nearly all of these devices have a default password that is the same across the board, so it doesn’t take much to get in if you haven’t changed the passwords.
Watch out for the machine within the machine!
I’ve been using Workflowy for a while as an organizational tool. It self describes as thus:
WorkFlowy is an organizational tool that makes life easier. It can help you organize personal to-dos, collaborate on large team projects, take notes, write research papers, keep a journal, plan a wedding, and much more.
I’ve been using Workflowy for about 6 months now, and so I think I’ve developed a good feeling for what’s working for me and what’s not, but I think it’s important to recognize that everyone will have different needs and expectations out of an organizational tool.
- Workflowy’s hierarchical/tree view is its best feature. I very much think of problems in categories, and then subdivided into other problems. I start at the top level with “Priority TODO”, “Life”, “Security Research”, “Blogging”, etc., and then break each of those down into smaller areas.
- You can blow up any bullet level to be a top-level page, so you can limit your focus to the information in this category. Likewise, each branch node and be collapsed to hide information you don’t need to see at the moment.
- You can star these pages for quick access to your most frequently used areas.
- Deadlines or date prioritization. I’d like to be able to find things that need to be done in, say, the next week. Workflowy suggests using tags for deadlines, but this still makes it hard to filter on “next 7 days”.
- Orthogonal views. I wish I could categorize entries to look at them in different ways. I can get close with tagging and search, but it’s not as nice as, say, GMail style labels.
###What else I’ve tried For comparison, I’ve tried a number of other tools that didn’t work as well for me.
- Remember the Milk
If you’re looking for a better way to get organized, give Workflowy a try.
###On XTS Mode for Disk Encryption Thomas Ptacek writes You Don’t Want XTS, and suggests that though XTS works well enough in practice, it is far from ideal for Full Disk Encryption, and should not be used at all for other encryption operations (i.e., anything that doesn’t resemble FDE). XTS is useful only in that it makes “random access” encryption more secure, as you need for a disk. For encryption of whole blocks of data at rest, you probably want CBC mode, and for anything on the wire, AES-GCM is the new hotness.
###The Six Dumbest Ideas in Computer Security mjr has a post on The Six Dumbest Ideas in Computer Security. I actually disagree with several of his points (but, of course, I work on a Red Team doing, among other things, penetration testing), but I think it’s good and important to hear about opposing views, and if nothing else, they make you think. Specifically, he seems to think penetration testing is about finding holes to be fixed. It’s not, though that is a nice outcome. Penetration testing is about seeing how an attacker moves through your network, understanding the interconnections, the lateral movement, the mindset of the attacker.
###Fishing for Hackers Draios has an interesting post on what attackers do on a system. To me, the most interesting part was not actually the actions, but a tool sysdig that I’d never heard of before. Looks like an interesting tool I’ll need to play with and see how useful it is in analyzing software behavior.
In addition to my primary interest in the technical aspects of information security, I’m also a big fan of wargames & CTFs as educational tools, so a while back, I decided I wanted to build a web-based wargame and CTF scoreboard system. Today I am releasing the results of that, dubbed PwnableWeb, under the Apache 2.0 License. It includes web-based wargame-style challenges and an accompanying scoreboard.
###The Framework Each vulnerable site is built on top of a small framework that provides common functionality, and also provides a framework for building a client for interactive exploitation. (It provides a target to exploit XSS and XSRF against.)
The current framework is written in Python, using Flask and SQLAlchemy for speed of development. The vulnerable apps so far run just fine with a sqlite DB, but I usually use MySQL. This isn’t for load, but because SQLi is more interesting against the sort of DBs that are commonly used in the “real world”.
###The Games Currently, there are 2 games with a total of about a dozen vulnerabilities. One is a shopping cart system and the other is a microblogging platform. I do have plans to add a couple of more games in the near future, and will probably include new platforms (PHP being the top priority) to demonstrate new classes of vulnerabilities (LFI/RFI, serialize, preg ‘/e’, etc.) and provide variety.
Obviously, to a certain extent, open sourcing these games makes them less useful for a “real” CTF: players can easily have seen these before and become aware of where the vulnerabilities are. (And what the default flags are.) However, I believe they are still useful for practice for CTF teams, for use in educating developers, or even for internal CTFs where people are unlikely to have seen this before or you just don’t care.
GitHub repository: https://github.com/Matir/pwnableweb
###The Scoreboard The scoreboard resides in its own git repository because, though released as part of the PwnableWeb “suite”, it is completely independent and is designed to be usable for any CTF scoreboard. Currrent features include:
- Unlockable hints
- Locked/unlocked question state
- Support for Teams and Individuals
Future development priorities:
- File management for pwnables
- Real-time updates via push messaging
GitHub repository: https://github.com/Matir/pwnableweb-scoreboard
###Notes on Running It Do not run these on a server shared with anything else. The vulnerable applications contain, well, vulnerabilities. Some of these vulnerabilities may lead to RCE as the user running the application. Run them in a dedicated VM or physical machine. In the near future, I plan to provide a VM image for super-easy-setup.
###Conclusion/Contributing There will be quite a bit of polish being applied to the current release over the next few days; it’s admittedly very raw and could use better documentation and configuration examples, but I’m happy to be able to release it at this point.
If you end up using this for something, I’d love to hear about it, and hear about your experience using it. I’m also quite open to pull requests, suggestions, and feedback.