Leak Society - The Home Of Nulled Resources.
Exploitation and Security
Thread Owner: Houga, Category: Everything Coding
08-12-2014, 11:35 AM
In order to complete a penetration test, simple chaos and network destruction is not enough; you MUST have a working understanding of every aspect of the network your attacks target, and knowledge of how to secure it!

1. Updated software and drivers
Keeping your operating system updated is crucial to security. You cannot protect against unknown attacks and 0days (that is the very definition of a 0day), but you can, at least, detect and protect against known attacks. Applying security updates as they are released is the best protection available for your software. For example, Windows Server 2003 is infamously vulnerable to the MS08_067_NETAPI attack. In a modern setting this attack is not only less than useless, it is also very easily detectable.

2. Host/Network IDS
I will talk about using SNORT (a popular and incredible IDS) as a detection and prevention measure in a network in a later section. An IDS is crucial to your network environment. It allows the administrator to monitor their users and detect which ones, if any, have malicious intent. It is actually fairly common for an IDS to detect 0days, allowing an administrator or security professional to review the source code and take the necessary security measures.

3. Honeypots
Honeypots are tools that resemble vulnerable applications but are actually monitoring any attacks they receive. They work very well together with IDSes when detecting (and even preventing) security breaches. This is an awesome addition to security, as it allows you, as an administrator, to view common attacks. For example, if you see that one or more attacks are targeting an SMB share or an FTP server, you can assume that the FTP server may be vulnerable, perform your own testing, and update your security accordingly.

Code:
[Attacker] - - - - - - - > [Honeypot] ***
           ------------- [Server]

Even though both are running the same software, the attacker sends their payload to the honeypot. The administrator can then update the actual SomeFTP v1.1 server to v1.2 (obviously this is a hypothetical server, but the same process applies).

4. ASLR, Canaries, DEP/NX, and AVs
ASLR randomizes the addresses at which code and data are placed in memory. Canaries [can] detect buffer overflow attacks and, when one is detected, respond with a structured exception. DEP and NX prevent data execution on the stack and mark pages in memory as non-executable. Another very important piece of software for any server or host on the network is updated AntiVirus, AntiMalware, and Anti-Rootkit programs. Antiviruses and web security suites have only become more secure as time goes on. They are not, nor will they ever be, perfect, but they can only help in network security.

5. Wireless Security
Wireless security is very important in a business setting. There was recently a Defcon talk regarding the MSChapV2 and PEAP protocol vulnerabilities in BYOD networks. It's quite interesting and I highly recommend it. Wireless security is not as simple as keeping a password or MAC filtering. I recommend using WPA-ENT (Enterprise), which requires a RADIUS server (Remote Authentication Dial In User Service) wherein each employee or user needs a username and a password (kept in the RADIUS server), which then generates an encryption key on-the-fly (which is not kept locally). The main differences between WPA2 and WPA are relatively subtle, but the introduction of CCMP/AES replacing TKIP was a huge upgrade.

6. VLANs, ACLs, and DMZs
If we have a secure server on a separate VLAN, it will not be accessible to anyone on the other VLANs. This obviously allows for higher security. However, if no one is able to remotely access the server, this means that even a network administrator wouldn't be able to either. This is where ACLs come in. Access Control Lists block/allow certain traffic going towards certain machines. For example, if an administrator has the static IP 192.168.1.1, we can write an ACL on our device (router or multilayer switch) that blocks all traffic to the server except traffic originating from 192.168.1.1. A DMZ only provides more security. It prevents users outside the network from directly accessing internal devices. Any servers that can be accessed from the outside (such as email servers so employees can log on from home, or a file server) are placed in a DMZ, and direct access from them to internal devices is cut off.
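The ACL described above, as an added example that is not part of the original post: a first-match evaluator with the implicit deny that real router ACLs carry at the end, run over constructed packets. The administrator address 192.168.1.1 comes from the post; the server address 10.0.50.10 is an assumption.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class AclEntry:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def build_acl(entries):
    """Turn (action, src_cidr, dst_cidr) tuples into an ordered ACL."""
    return [AclEntry(a, ipaddress.ip_network(s, strict=False),
                        ipaddress.ip_network(d, strict=False)) for a, s, d in entries]

def evaluate(acl, pkt):
    """Return (action, index) of the first matching entry.
    Like a router ACL, traffic matching no entry hits the implicit deny."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for i, entry in enumerate(acl):
        if src in entry.src and dst in entry.dst:
            return entry.action, i
    return "deny", None

# Constructed ACL: only the admin workstation 192.168.1.1 may reach the
# secure server (assumed address 10.0.50.10); other traffic is unaffected.
ADMIN_ACL = build_acl([
    ("permit", "192.168.1.1/32", "10.0.50.10/32"),
    ("deny",   "0.0.0.0/0",      "10.0.50.10/32"),
    ("permit", "0.0.0.0/0",      "0.0.0.0/0"),
])

# Same entries with the deny placed first: order matters, the admin is now
# locked out because the first matching line wins.
MISORDERED_ACL = build_acl([
    ("deny",   "0.0.0.0/0",      "10.0.50.10/32"),
    ("permit", "192.168.1.1/32", "10.0.50.10/32"),
])

def filter_packets(acl, packets):
    """Apply the ACL to a batch of packets; returns (src, dst, action) triples."""
    return [(p.src, p.dst, evaluate(acl, p)[0]) for p in packets]
```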

7. Device and Port Security
I've already discussed port security, but again, I'd like to go over it in terms of security. Things to look out for in router and port security are:
Encrypted Passwords - Be sure that all passwords are encrypted on all routing devices. If a user got ahold of a router configuration, they could log into the router and cause massive havoc to the network. They could disable port security and allow for many more attacks.

Encrypted Routing Tables - If you are using a routing protocol such as EIGRP, OSPF, or RIPv2, it is very important to enable encryption, especially on interfaces accessible to other users who could potentially inject their own routing tables. Also, you should make sure that any access ports (ports to which a client is connected; not a router or switch) do not broadcast the routing tables. This is done by making them "passive".

Dynamic ARP Inspection - Keeping tabs on which source MAC addresses enter/exit ports definitely aids in security. It allows an administrator to permit only a certain number of devices to be connected to one port. This stops ARP spoofing, as you will not be able to change the source MAC address (or, rather, the switch will simply drop the packets).

DHCP Snooping - DHCP Snooping allows DHCP servers on only specifically set interfaces. This protects against DHCP spoofing attacks, as clients will not be able to use rogue DHCP servers.

Secure Remote Access - Be sure to use SSH with at least 1024 bit encryption keys. Telnet is obviously a plain-text protocol, so if an administrator logs in remotely, even with a password enabled, the traffic is easily captured and viewed. SSH eliminates this attack. My recommendation is to completely turn off Telnet and only allow SSH.

Enable HTTPS Web Interfaces - Some routers support an interactive GUI via a web browser. If it has the ability to use HTTPS, use it! Not only should you use HTTPS, but you should disable HTTP. Do not allow unencrypted traffic when you don't have to!
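The port-security, Dynamic ARP Inspection and DHCP snooping checks from the list above, modelled as an added example that is not from the original post: a constructed DHCP snooping binding table, and the decisions a switch makes for ARP packets and DHCP messages against it. Port names, MAC and IP addresses are all constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    port: str

# Constructed DHCP snooping binding table: what a switch learns by watching
# DHCP OFFER/ACK exchanges that arrive on its trusted uplink.
BINDINGS = (
    Binding("10.0.1.10", "00:11:22:33:44:01", "Fa0/1"),
    Binding("10.0.1.11", "00:11:22:33:44:02", "Fa0/2"),
    Binding("10.0.1.12", "00:11:22:33:44:03", "Fa0/3"),
)
TRUSTED_PORTS = frozenset({"Gi0/24"})          # uplink toward the real DHCP server
SERVER_MSGS = frozenset({"DHCPOFFER", "DHCPACK", "DHCPNAK"})

def port_security(max_macs, learned, new_mac):
    """Port security: a port may only learn max_macs source MACs; any further
    MAC is a violation (the switch would shut or restrict the port)."""
    if new_mac in learned or len(learned) < max_macs:
        learned.add(new_mac)
        return "allow"
    return "violation"

def dhcp_snoop(port, msg_type, trusted=TRUSTED_PORTS):
    """DHCP snooping: server-originated messages are only honoured on trusted
    ports, so a rogue server on an access port cannot answer clients."""
    if msg_type in SERVER_MSGS and port not in trusted:
        return "drop", "server message on untrusted port " + port
    return "forward", "ok"

def arp_inspect(port, sender_mac, sender_ip, bindings=BINDINGS, trusted=TRUSTED_PORTS):
    """Dynamic ARP Inspection: the sender IP/MAC in an ARP packet must match the
    binding learned on that port; trusted ports bypass the check."""
    if port in trusted:
        return "forward", "trusted port"
    for b in bindings:
        if b.port == port and b.mac == sender_mac:
            if b.ip == sender_ip:
                return "forward", "matches binding"
            return "drop", f"{sender_mac} on {port} is bound to {b.ip}, not {sender_ip}"
    return "drop", f"no binding for {sender_mac} on {port}"
```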

8. Physical Security
This one is often overlooked. Any devices out in the open are as good as exploited! Anyone can walk in and steal a router. Even if they can't log on and cause damage to the network's security, they can render it unusable and bring workflow to a halt! This is detrimental to any business network. The key is redundancy and keeping your network devices in locked rooms!

9. Firewalls, WAFs, and DPI
There are firewalls such as Cisco's ASA firewall that can be used to mitigate denial of service attacks. Other FWs are used to detect anomalous traffic (not necessarily an IDS) or volumetric traffic (such as a network denial of service attack). Other firewalls work only at the application layer and block certain traffic over select L7 protocols such as HTTP, FTP, or DNS. Others, like WAFs (web application firewalls), protect against things like unauthorized access or inappropriate code execution through web applications. DPI (Deep Packet Inspection) is something about which I, personally, have mixed feelings. On one hand, it is a great way to keep your network secure from employees downloading malicious or illegal content (whether maliciously or not). On the other hand, it is a violation of internet freedoms, which is something of which I am a huge proponent.

10. Site-to-Site and Personal VPNs
A VPN (Virtual Private Network) is simply an encrypted tunnel used to remotely access a network. Some VPNs can run between routers over a serial connection, but this often requires extra payments to phone companies and specialized hardware. A more common implementation of a VPN utilizes the internet. This way, any employee can access their network via an encrypted tunnel over the public internet without extraneous fees.

11. Redundancy, Backups, and Redundancy
If your network has any data that can be considered 'highly important', it's very important to keep redundant backups of said data. Hardware failures are commonplace in networks since technology simply isn't perfect. Mirroring and backing up hard drives and using RAID arrays allow you to securely store data and recover it if one or more hard disks fail (depending on the RAID setup).

12. Secure Authentication Protocols
Using NTLM/v2 authentication to an SMB share is similar to the use of WEP. It provides very little, if any, protection and causes more problems for security than it can ever hope to solve! There are several attacks utilizing NTLM weaknesses, like NTLM relay and Pass the Hash. Kerberos is a new authentication protocol that can, and should, replace NTLM in a Windows environment.

-H

Houga@entropy.cat

