This document discusses how Mike O'Leary of Towson University will demonstrate how hackers break into systems and what can be done to reduce risks. It begins by covering physical attacks on Windows systems by booting from alternative media or exploiting features like "Sticky Keys" to bypass logins. It then discusses password attacks like brute force cracking and vulnerabilities in stored passwords. Application-level attacks targeting software like Adobe Reader, Microsoft Office and Adobe Flash are also outlined. Throughout, countermeasures like encryption and using unique, long passwords for accounts are recommended to help secure systems.
Fall 2012 Badolato Presentation: When Bad Things Happen to Computer Networks
1. When Bad Things Happen to Computer Networks
A demonstration of how hackers break into systems,
and what we can all do to reduce our risks
Mike O’Leary
School of Emerging Technologies
Towson University
Edward V. Badolato Distinguished Speaker Series
September 7, 2012
Mike O’Leary (Towson University) When Bad Things Happen... Badolato Speaker Series 1 / 81
2. Physical Attacks
Suppose you have physical access to a fully patched Windows 7
machine, but don’t have the password.
Can you log on?
Sure!
What happens when you press the blue and white button on the
bottom left of a Windows logon screen? That is the Ease of Access
button; it launches C:\Windows\System32\utilman.exe as SYSTEM, before
anyone has authenticated.
What happens if you replace that program, say with a copy of cmd.exe?
3. Physical Attacks- Demo (screenshot slide; image not captured)
4. Physical Attacks- Demo
Rather than boot to the hard drive, we will boot to a CD-ROM; say
Backtrack 5.
BIOS passwords can prevent this, but physical access also lets me
reset BIOS passwords, usually via jumper settings on the motherboard.
5-7. Physical Attacks- Demo (screenshot slides; images not captured)
8. Physical Attacks- Others
The “Sticky Keys” feature can be attacked in the same fashion; the
program is C:\Windows\System32\sethc.exe
To log in as a particular user (rather than as SYSTEM), one can use a
hex editor to modify C:\Windows\System32\msv1_0.dll. Changing
two bytes in that file allows you to log on to any account without a
password.
Kon-Boot: boot to the CD, and let the tool do the work for you.
The tool is picked up as a virus by many anti-virus tools, so be careful
where you download it from!
Bart’s PE (a bootable live Windows CD) works too.
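A defender’s check for the binary swap described on this slide, as an added example (not code from the original talk). The attack leaves an accessibility helper that the logon screen starts as SYSTEM (utilman.exe behind the Ease of Access button, sethc.exe behind Sticky Keys) byte-identical to cmd.exe, so hashing the helpers and comparing them with the shells and with each other catches it. The list of extra helpers beyond the two named on the slide, the fixture contents and the temp directory layout are assumptions made for the example; the System32 path is a parameter so the same check can be pointed at a mounted image of a suspect disk.

```python
"""Detect the Ease of Access / Sticky Keys binary swap.

Added example, not from the original slides. On a clean system every
accessibility helper in System32 is a distinct binary; after the attack
one of them is a copy of cmd.exe.
"""
import hashlib
import os
import tempfile
from typing import Dict, List

# Helpers the logon screen can launch before anyone authenticates.
# utilman.exe and sethc.exe are the two named in the talk; the others are
# the remaining accessibility tools reachable from the same screen.
ACCESSIBILITY_BINARIES = [
    "utilman.exe", "sethc.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe",
]
# Programs an attacker typically copies over a helper (assumed list).
SHELLS = ["cmd.exe", "taskmgr.exe"]


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_swapped_binaries(system32: str) -> List[str]:
    """One finding per accessibility helper that is byte-identical to a
    shell, or to another helper (two helpers sharing a hash means at
    least one of them was overwritten)."""
    shell_hashes: Dict[str, str] = {}
    for name in SHELLS:
        path = os.path.join(system32, name)
        if os.path.isfile(path):
            shell_hashes[sha256_of(path)] = name
    findings: List[str] = []
    seen: Dict[str, str] = {}
    for name in ACCESSIBILITY_BINARIES:
        path = os.path.join(system32, name)
        if not os.path.isfile(path):
            continue  # not every Windows edition ships every helper
        digest = sha256_of(path)
        if digest in shell_hashes:
            findings.append(f"{name} is byte-identical to {shell_hashes[digest]}")
        elif digest in seen:
            findings.append(f"{name} is byte-identical to {seen[digest]}")
        seen.setdefault(digest, name)
    return findings


def make_fixture(backdoored: bool) -> str:
    """Constructed stand-in for System32 in a temp dir: each file gets
    distinct dummy content; if backdoored, sethc.exe is overwritten with
    a copy of cmd.exe, which is what the demo does to the real file."""
    root = tempfile.mkdtemp(prefix="system32_")
    for name in ACCESSIBILITY_BINARIES + SHELLS:
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"MZ dummy image of " + name.encode())
    if backdoored:
        with open(os.path.join(root, "cmd.exe"), "rb") as src, \
                open(os.path.join(root, "sethc.exe"), "wb") as dst:
            dst.write(src.read())
    return root


if __name__ == "__main__":
    for label, flag in (("clean", False), ("backdoored", True)):
        print(label, find_swapped_binaries(make_fixture(flag)) or "no findings")
```

On a live system call `find_swapped_binaries(r"C:\Windows\System32")`; on a mounted evidence image, pass the image’s `Windows/System32` path instead. The check only sees file replacement: the same backdoor can be set up without touching sethc.exe by adding a `Debugger` value under the Image File Execution Options registry key for it, so a full review also inspects that key.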
9. Physical Attacks- Countermeasures
Protect the physical device.
Encrypt important data. Full-disk encryption also defeats the boot-from-CD
attacks above: without the key, the offline tool cannot read or modify
System32.
BitLocker
Windows 7 component, but requires Windows 7 Enterprise or Windows 7
Ultimate.
TrueCrypt: http://www.truecrypt.org/
Free software
Lets you encrypt a volume of files; the volume is mounted as a separate
drive in Windows.
Encrypted volumes can take on any name, and can be nested (hidden volumes).
(TrueCrypt development ended in 2014; VeraCrypt is the maintained successor.)
11. Passwords
Why attack passwords?
They give authenticated access: a valid login looks legitimate and will
not trip intrusion detection systems.
How are passwords stored?
Plain text (disaster!)
Hashed without a salt (terrible! one cracking pass, or one rainbow table,
covers every user at once)
Salted & hashed (might be OK, provided the hash is slow; a salted but fast
hash such as SHA-1 still falls to brute force one account at a time)
How can you attack a stored password?
Brute force attacks
Word lists
Rainbow tables (precomputed hash-to-password tables; defeated by salting)
12. Passwords
The speed of a brute force attack depends on the underlying hashing
algorithm.
A PC with a high end graphics card using an older algorithm (SHA-1)
can try roughly one billion password guesses per second.
Amazon’s cloud service would let a user try roughly 100,000
passwords on 400,000 accounts each day, for a cost of roughly $350 [1]
m3g9tr0n claims to have cracked 122 million passwords (MD5, SHA-1)
in five months [2]
[1] http://arstechnica.com/security/2012/08/hacked-blizzard-passwords-not-hard-to-crack/
[2] http://blog.thireus.com/cracking-story-how-i-cracked-over-122-million-sha1-and-md5-hashed-passwords
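The storage tiers from slide 11 and the guess-rate arithmetic from slide 12, worked through as an added example (not code from the original talk). A constructed user list is stored as unsalted SHA-1, salted SHA-1 and PBKDF2, and the same constructed wordlist is run against each; the “work” figure counts hash computations, which is what a guesses-per-second rate turns into time. The user names, passwords, wordlist and iteration count are all made up for the example.

```python
"""Unsalted hash vs salted hash vs slow KDF: the cracking cost of each.

Added example, not from the original slides.
"""
import hashlib
import os
from typing import Dict, List, Tuple

# Constructed sample data. Real attacks use wordlists derived from breaches
# such as RockYou; this short list stands in for one.
WORDLIST = ["123456", "password", "letmein", "qwerty", "monkey",
            "dragon", "iloveyou", "trustno1", "sunshine", "princess"]
USERS = {"alice": "letmein", "bob": "dragon", "carol": "trustno1", "dave": "dragon"}
PBKDF2_ITERATIONS = 1000  # kept small so the demo is instant; deployments use far more


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def store_unsalted(users: Dict[str, str]) -> Dict[str, str]:
    return {u: sha1_hex(p.encode()) for u, p in users.items()}


def store_salted(users: Dict[str, str]) -> Dict[str, Tuple[bytes, str]]:
    db = {}
    for u, p in users.items():
        salt = os.urandom(16)
        db[u] = (salt, sha1_hex(salt + p.encode()))
    return db


def store_pbkdf2(users: Dict[str, str]) -> Dict[str, Tuple[bytes, str]]:
    db = {}
    for u, p in users.items():
        salt = os.urandom(16)
        db[u] = (salt, hashlib.pbkdf2_hmac("sha1", p.encode(), salt, PBKDF2_ITERATIONS).hex())
    return db


def crack_unsalted(db: Dict[str, str], wordlist: List[str]):
    """One table serves every user: each candidate is hashed exactly once,
    however many accounts leaked. This is what a rainbow table precomputes."""
    table = {sha1_hex(w.encode()): w for w in wordlist}
    cracked = {u: table[h] for u, h in db.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(db: Dict[str, Tuple[bytes, str]], wordlist: List[str]):
    """The salt makes every user a separate job: the wordlist is re-hashed
    per account, so work scales with the number of leaked accounts."""
    cracked, work = {}, 0
    for u, (salt, h) in db.items():
        for w in wordlist:
            work += 1
            if sha1_hex(salt + w.encode()) == h:
                cracked[u] = w
                break
    return cracked, work


def crack_pbkdf2(db: Dict[str, Tuple[bytes, str]], wordlist: List[str]):
    """Same loop as crack_salted, but each guess costs PBKDF2_ITERATIONS hashes."""
    cracked, work = {}, 0
    for u, (salt, h) in db.items():
        for w in wordlist:
            work += PBKDF2_ITERATIONS
            if hashlib.pbkdf2_hmac("sha1", w.encode(), salt, PBKDF2_ITERATIONS).hex() == h:
                cracked[u] = w
                break
    return cracked, work


def shared_passwords(unsalted_db: Dict[str, str]) -> List[List[str]]:
    """Users whose unsalted hashes collide share a password; visible with
    zero cracking effort, and invisible once salts are used."""
    by_hash: Dict[str, List[str]] = {}
    for u, h in unsalted_db.items():
        by_hash.setdefault(h, []).append(u)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]


def seconds_at(work: int, guesses_per_second: float = 1e9) -> float:
    """Wall-clock estimate at the slide's figure of ~1 billion SHA-1 guesses/s."""
    return work / guesses_per_second


if __name__ == "__main__":
    for label, fn, db in (("unsalted SHA-1", crack_unsalted, store_unsalted(USERS)),
                          ("salted SHA-1", crack_salted, store_salted(USERS)),
                          ("PBKDF2", crack_pbkdf2, store_pbkdf2(USERS))):
        cracked, work = fn(db, WORDLIST)
        print(f"{label:15s} cracked {len(cracked)}/{len(USERS)} with {work} hashes "
              f"({seconds_at(work):.2e} s at 1e9/s)")
    print("shared passwords visible before cracking:", shared_passwords(store_unsalted(USERS)))
```

With ten candidates and four users the numbers are tiny, but the shape is what matters: unsalted work is the wordlist size regardless of the number of accounts, salted work is the wordlist size times the number of accounts, and a slow KDF multiplies that again by its iteration count. Scale the wordlist to the 32 million RockYou entries and the accounts to LinkedIn’s 6.46 million hashes to see why the unsalted dump was over 90% cracked.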
13. Password Attacks
In 2009, RockYou.com was compromised, leading to the loss of 32
million passwords.
These passwords were stored in plain text.
Attackers have used this as a starting point to generate word lists.
In 2010, Gawker lost 1.5 million unsalted hashed passwords.
On June 6, 2012, LinkedIn lost 6.46 million unsalted password hashes.
LinkedIn has 160 million accounts.
More than 90% of these hashes have been cracked.
On June 6, 2012, eHarmony lost 1.5 million unsalted password hashes.
On July 12, 2012, Yahoo! Voices lost 400,000 plain text passwords and
email addresses.
On July 23, 2012, Gamigo (a German gaming company) lost 11 million
hashed passwords.
They also lost 8.2 million email addresses.
On August 10, 2012, Blizzard lost an unknown number of password hashes,
including all of the accounts from their North American servers.
The number of Blizzard accounts runs well into the millions, just in
North America.
14. Password Attacks
Do you re-use your passwords?
Could an attacker guess your account name?
What would happen?
Ask Mat Honan. After an hour-long attack on August 3, 2012, he discovered
that [3]
His Google account was taken over, then wiped.
His Twitter account was compromised and used to spread vitriol.
His AppleID account was hacked.
All of the data on his iPhone, iPad, and MacBook was wiped.
Why? They wanted to use his Twitter account.
[3] http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/
15. Password Attacks- Demo
We can perform a live attack on a password protected service by
simply trying various combinations.
This is often visible to intrusion detection systems, but if it is
spread across many attacker machines, it is difficult to stop.
In this first example, we attack a simple e-commerce site.
16-18. Password Attacks- Demo (screenshot slides; images not captured)
19. Password Attacks- Demo
Looking at the page source, we see that the login request is
A request made via SSL
Target page is /shop/index.php
GET parameters include
main_page = login
action = process
zenid = 65dsqnj1qs9hn8h57ij6dkk22veopsul (the session id)
POST parameters include
password, specified by the user
securityToken = d597db5e25bda24bb43c65307d9c21ca, as a hidden
field
We build a corresponding request using Hydra.
We specify a list of user names (-L)
We specify a list of passwords (-P)
We specify what we expect to see in an error page (the text “Error”)
We specify the number of threads (-t)
We specify the timeout (-w)
We specify where we dump the results (-o)
We use verbose output (-vV)
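The online guessing loop the Hydra demo performs, as an added example (not code from the original talk, and not Hydra). A tiny constructed stand-in for the shop’s login page runs on localhost in a thread; it mirrors the request shape described above (GET parameters main_page=login and action=process, POST fields for the user name, password and a hidden securityToken, the word “Error” in the response to a failed login). The attacker side fetches the form to harvest the token, then walks the user and password lists and treats any response without the failure string as a hit, which is exactly what Hydra’s failure-string argument expresses. The field name email_address, the accounts, the wordlists and the response texts are assumptions made for the example; the token value is the one shown on the slide.

```python
"""Online password guessing against a login form, Hydra-style.

Added example, not from the original slides. Everything runs against a
constructed local server, so it is safe to execute offline.
"""
import re
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

# Constructed credentials known only to the "shop".
VALID_ACCOUNTS = {"alice@example.com": "sunshine1", "bob@example.com": "R4nd0m!Long#Pass"}
SECURITY_TOKEN = "d597db5e25bda24bb43c65307d9c21ca"  # hidden-field value from the slide


class ShopHandler(BaseHTTPRequestHandler):
    """Stand-in for /shop/index.php. Counts POSTs so the defender's view
    (how noisy the attack is) is visible alongside the attacker's result."""
    attempts = 0

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _send(self, body: str, status: int = 200) -> None:
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        q = parse_qs(urlparse(self.path).query)
        if q.get("main_page") == ["login"]:
            self._send(f'<form><input type="hidden" name="securityToken" value="{SECURITY_TOKEN}"></form>')
        else:
            self._send("not found", 404)

    def do_POST(self):
        type(self).attempts += 1
        q = parse_qs(urlparse(self.path).query)
        length = int(self.headers.get("Content-Length", "0"))
        form = parse_qs(self.rfile.read(length).decode())
        user = form.get("email_address", [""])[0]
        if (q.get("action") == ["process"] and form.get("securityToken") == [SECURITY_TOKEN]
                and VALID_ACCOUNTS.get(user) == form.get("password", [""])[0]):
            self._send("Welcome back, " + user)
        else:
            self._send("Error: email address or password incorrect")


def start_shop():
    """Serve the fake shop on a free localhost port; returns (server, base_url)."""
    ShopHandler.attempts = 0
    server = ThreadingHTTPServer(("127.0.0.1", 0), ShopHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/shop/index.php"


def harvest_token(base_url: str) -> str:
    """Fetch the login page and pull the hidden securityToken out of it."""
    html = urlopen(base_url + "?main_page=login").read().decode()
    return re.search(r'name="securityToken" value="([0-9a-f]+)"', html).group(1)


def guess_logins(base_url: str, users, passwords, failure_string: str = "Error"):
    """Try every user/password pair; a response lacking failure_string is a hit."""
    token = harvest_token(base_url)
    found = {}
    for user in users:
        for password in passwords:
            body = urlencode({"email_address": user, "password": password,
                              "securityToken": token}).encode()
            req = Request(base_url + "?main_page=login&action=process", data=body, method="POST")
            if failure_string not in urlopen(req).read().decode():
                found[user] = password
                break
    return found


def run_demo():
    """Start the shop, run the guessing loop, return (hits, POSTs the server saw)."""
    server, base_url = start_shop()
    try:
        users = ["alice@example.com", "bob@example.com", "nobody@example.com"]
        passwords = ["123456", "password", "sunshine1", "letmein"]  # constructed short list
        return guess_logins(base_url, users, passwords), ShopHandler.attempts
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Hydra’s http-post-form (or https-post-form) module expresses the same loop in one argument of the form path:post-body:failure-string, with ^USER^ and ^PASS^ substituted from the -L and -P lists. Note that the weak password falls after three requests while the long random one survives the whole list, and that the server counter is the signal a rate limiter or lockout policy keys on.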
20. Password Attacks- Demo (screenshot slide; image not captured)
21. Password Attacks- Demo
These attacks can also be performed against domain controllers.
Suppose that the domain UNSEEN has the domain controller
ephebe.unseen.disc.tu located at the address 192.168.1.30.
We again use hydra
The method is now smb
The address is specified as well
Other parameters are chosen as in the previous example.
22. Password Attacks- Demo (screenshot slide; image not captured)
23. Password Attacks- Countermeasures
Lots of folks have given you lots of advice on passwords:
Use an uncommon word
Include some capital letters
Make some substitutions- say replace an “a” with a “4”
Include a number
Include a symbol
25. Password Attacks- Countermeasures
There is no substitute for length in your passwords.
If you are using random symbols & characters, then at least 12
characters.
If you use word(s), then double this.
Attackers already know the common tricks for making passwords
more “complex”; they use wordlists and then permute them with all of
these common tricks.
Use different passwords for different accounts; every breach on the
earlier slide hands the attacker your password for each site where you
reused it.
How can I manage different passwords?
Use PasswordSafe, a free program available at
http://passwordsafe.sourceforge.net/
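The “length beats tricks” argument of this slide and the previous one, carried through as numbers in an added example (not code from the original talk). mangle() applies the common tricks the way a cracker’s rule set does (capitalise, leet substitutions, append a digit or symbol), so a dictionary word plus tricks is still a dictionary attack of known size; the scenario table converts candidate counts into time at the one-billion-guesses-per-second rate from slide 12. The particular rule set, the suffix list and the 100,000-word dictionary size are assumptions made for the example.

```python
"""How big a search an attacker actually faces under each password policy.

Added example, not from the original slides.
"""
from typing import Iterable, List, Set, Tuple

LEET = str.maketrans("aeio", "4310")                    # a->4, e->3, i->1, o->0
SUFFIXES = [""] + list("0123456789") + list("!@#$%")    # "include a number / a symbol"


def mangle(word: str) -> Set[str]:
    """Every candidate the common tricks produce from one dictionary word:
    optional leet substitution, three capitalisation patterns, one suffix."""
    bases = {word.lower(), word.lower().translate(LEET)}
    cased: Set[str] = set()
    for b in bases:
        cased.update({b, b.capitalize(), b.upper()})
    return {c + s for c in cased for s in SUFFIXES}


def mangled_candidates(wordlist: Iterable[str]) -> int:
    """Size of the search space for a wordlist run through the rules
    (duplicates across words counted once)."""
    seen: Set[str] = set()
    for w in wordlist:
        seen |= mangle(w)
    return len(seen)


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates for a truly random password of the given length."""
    return alphabet_size ** length


def seconds_at(candidates: int, rate: float = 1e9) -> float:
    """Time to exhaust the space at the slide's ~1e9 guesses/s."""
    return candidates / rate


def scenarios(wordlist_size: int = 100_000) -> List[Tuple[str, int]]:
    """Candidate counts for the policies the slides contrast. The
    dictionary size is an assumption; "password" is representative of a
    word with leet-able letters, giving the full 96 variants."""
    per_word = len(mangle("password"))
    return [
        ("dictionary word + tricks", wordlist_size * per_word),
        ("8 random printable chars", keyspace(95, 8)),
        ("12 random printable chars", keyspace(95, 12)),
        ("2 dictionary words", wordlist_size ** 2),
        ("4 dictionary words (~24 chars)", wordlist_size ** 4),
    ]


if __name__ == "__main__":
    for label, n in scenarios():
        print(f"{label:32s} {n:10.3g} candidates  {seconds_at(n) / 86400:10.3g} days")
```

The rule set here is deliberately small; real cracking rule files are larger, which only widens the gap in the table: a word with every trick applied is exhausted in a fraction of a second, eight random printable characters take on the order of months, and twelve random characters or four dictionary words move the figure into centuries at the same guess rate.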
30. Application Attacks
Most computer attacks rely on software vulnerabilities.
These are mistakes in a program that can be exploited to violate a
security policy.
When found, these are classified and given a common CVE identifier,
CVE-yyyy-nnnn (http://cve.mitre.org).
Some vulnerabilities allow a third party access to a system.
Others allow a user a greater level of access to a system than
intended (privilege escalation).
Some vulnerabilities do not require user action.
Vulnerabilities in the core operating system can be particularly
problematic.
Microsoft security bulletins are numbered MSyy-nnn: two-digit year and a
sequence number.
MS08-067 (CVE-2008-4250)- Microsoft Server Service Vulnerability
Windows 2000, 2003, XP
MS03-026 (CVE-2003-0352)- Microsoft RPC DCOM.
Affects Windows NT, 2000, 2003.
Root cause of the Blaster worm and the Nachi worm.
31. Application Attacks
Attackers have turned their attention to application level attacks.
These focus on
Web browsers
Active content for web browsers
Java
Flash
Documents
Microsoft Word
Microsoft Excel
Adobe Reader
Browser attacks require the user to visit a web page hosting the
malicious content
Document attacks require the user to open the malicious document
32. Application Attacks
Suppose you knew that the target was running Adobe Reader:
Date    | CVE           | Vulnerability                                                  | Affected versions
1/2012  | CVE-2011-2462 | Adobe Reader U3D Memory Corruption                             | 9.4.6, 10.1.1
9/2010  | CVE-2010-2883 | Adobe CoolType SING Table uniqueName Stack Buffer Overflow     | 8.2.4, 9.3.4
3/2010  | CVE-2010-0188 | Adobe Acrobat Bundled LibTIFF Integer Overflow                 | 8.2, 9.3
12/2009 | CVE-2009-4324 | Adobe Doc.media.newPlayer Use After Free Vulnerability         | 9.2
12/2009 | CVE-2009-3459 | Adobe FlateDecode Stream Predictor 02 Integer Overflow         | 9.2
11/2009 | CVE-2009-2990 | Adobe U3D CLODProgressiveMeshDeclaration Array Overrun         | 7.1.4, 8.1.7, 9.2
3/2009  | CVE-2009-0927 | Adobe Collab.getIcon() Buffer Overflow                         | 7.1.1, 8.1.3, 9.1
3/2009  | CVE-2009-0658 | Adobe JBIG2Decode Heap Corruption                              | 9.0
12/2008 | CVE-2008-2992 | Adobe util.printf() Buffer Overflow                            | 8.1.3
33. Application Attacks
Suppose you knew that the target was running Microsoft Office:
Date    | CVE           | Bulletin | Vulnerability                                                      | Affected
6/2012  | CVE-2012-0013 | MS12-005 | Microsoft Office ClickOnce Unsafe Object Package Handling Vulnerability | Word 07, 10
4/2012  | CVE-2012-0158 | MS12-027 | MSCOMCTL ActiveX Buffer Overflow                                   | Word 07, 10
12/2011 | CVE-2010-3333 | MS10-087 | Microsoft Word RTF pFragments Stack Buffer Overflow                | Word 03, 07, 10
11/2011 | CVE-2010-0822 | MS10-038 | Excel Malformed OBJ Record Handling Overflow                       | Excel 02
11/2011 | CVE-2011-0105 | MS11-021 | Excel .xlb Buffer Overflow                                         | Excel 07
5/2010  | CVE-2010-0033 | MS10-004 | PowerPoint Viewer TextBytesAtom Stack Buffer Overflow              | PowerPoint Viewer 03
2/2010  | CVE-2009-3129 | MS09-067 | Excel Malformed FEATHEADER Record Vulnerability                    | Excel 02, 03, 07
34. Application Attacks
Suppose you knew that the target was running Adobe Flash Player:
Date      | CVE           | Vulnerability                                                            | Player version (date)
8/20/2012 | CVE-2012-1535 | Adobe Flash Player 11.3 Font Parsing Code Execution                      | 11.3.300.271 (8/14/2012)
6/25/2012 | CVE-2012-0779 | Adobe Flash Player Object Type Confusion                                 | 11.2.202.235 (5/3/2012)
6/20/2012 | CVE-2011-2110 | Adobe Flash Player AVM Verification Logic Array Indexing Code Execution  | 10.3.181.23 (11/11/2011)
4/20/2012 | CVE-2008-5499 | Adobe Flash Player ActionScript Launch Command Execution Vulnerability   | 10.0.12.36 (10/4/2008)
3/8/2012  | CVE-2012-0754 | Adobe Flash Player .mp4 ’cprt’ Overflow                                  | 11.1.102.55 (11/11/2011)
35. Application Attacks
How does an application attack work?
Let’s demonstrate an attack based on CVE-2012-1889, MS12-043
Microsoft XML Core Services (MSXML) Uninitialized Memory
Corruption.
This is a vulnerability in how Windows handles XML, and is of critical
importance for Internet Explorer, which exposes MSXML to any web page.
Code to exploit this vulnerability was publicly released on June 15,
2012 (via Metasploit); it is likely that this vulnerability was being
exploited by others privately before this time.
Microsoft did not patch this vulnerability until they released MS12-043,
on July 10, 2012.
Anyone using Internet Explorer prior to the release of the patch would
have been vulnerable.
36. Application Attacks- Demo
The attacking machine will be using Backtrack 5 R3.
The victim machine will be a Windows 7 workstation, running Service
Pack 1 (the latest), but not patched with MS12-043.
37-50. Application Attacks- Demo (screenshot slides; images not captured)
51. Application Attacks
Another common attack target, especially lately, has been Java:
Date       | CVE           | Vulnerability                                                  | Affected
8/27/2012  | CVE-2012-4681 | Java 7 Applet Remote Code Execution                            | Java 7U6
7/9/2012   | CVE-2012-1723 | Java Applet Field Bytecode Verifier Cache Remote Code Execution | Java 6U32, Java 7U5
3/29/2012  | CVE-2012-0507 | Java AtomicReferenceArray Type Violation Vulnerability         | Java 6U30, Java 7U2
11/29/2011 | CVE-2011-3544 | Java Applet Rhino Script Engine Remote Code Execution          | Java 6U27, Java 7
52. Application Attacks
We demonstrate the use of the July Java attack (CVE-2012-1723,
Java Applet Field Bytecode Verifier Cache Remote Code Execution)
on a system.
The target will be a Windows 7 machine, but this time it will not be
patched up to Service Pack 1.
After compromising the target, we will use CVE-2010-3338
(MS10-092 Windows Escalate Task Scheduler XML Privilege
Escalation), which is one of the vulnerabilities exploited by Stuxnet.
This will allow us to gain full control over the system at the SYSTEM
level.
We will grab the password hashes and crack them.
We will add a new administrator to the system (us!)
We will ensure that the system connects back to us, even if the system
is subsequently rebooted.
53-78. Application Attacks- Demo (screenshot slides; images not captured)
79. Application Attacks- Countermeasures
Be sure all of your software is up to date.
Pay special attention to:
Browsers (IE, Chrome, Firefox, Safari)
MS Office
Adobe Flash, Reader
Java
Don’t install software if you do not need it!
The attack on IE succeeded in part because we leveraged the existing
Java install! (The public exploit for CVE-2012-1889 builds its
return-oriented payload from a library that the Java runtime installs
without ASLR protection, so the same IE bug is harder to exploit on a
machine without Java.)
80. Application Attacks- Countermeasures
The final attack succeeded because the user:
Clicked on a malicious link
Was running an outdated version of Java
Was running an unpatched version of Windows
This attack required multiple failures in multiple places!
Don’t be fearful that your security posture is imperfect; instead make it
difficult for an attacker to exploit you by being aware of and responsive to
the threats.
81. Questions?
Mike O’Leary
School of Emerging Technologies
Towson University
moleary@towson.edu