ISTS – Defense


ISTS X

More info on the ISTS event here http://ists.sparsa.org

Some tips and tricks from a Red team member's point of view on improving defense.

You need to start this event keeping two important concepts in mind.

1.  You will get hacked.

2.  Your systems have multiple vulnerabilities by design.

Default Credentials

All passwords on all systems will be in some weak or default configuration; changing these immediately will help stop automated attacks.

Common System Misconfigurations

It's common for teams to have no clear picture of the services currently running on their Linux machines. Issuing a quick "netstat -anp | grep LISTEN" as root will show open ports and the related process/program name.
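One way to turn that netstat output into a short alert list, as an added example that is not from the original post: it parses the LISTEN lines and prints every port/program pair that is not on an allowlist of services the team expects. The allowlist and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Compare the TCP LISTEN sockets
# reported by "netstat -anp" with an allowlist of port/program pairs the
# team expects, and print anything else. Allowlist and sample are constructed.

EXPECTED_LISTENERS="22/sshd 80/apache2 3306/mysqld"

# unexpected_listeners: reads netstat -anp output on stdin and prints
# "port/program" once for every TCP LISTEN socket not in the allowlist
unexpected_listeners() {
    awk -v allow="$EXPECTED_LISTENERS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)         # "0.0.0.0:5900" -> "5900"
            prog = $7; sub(/^[0-9]+\//, "", prog)   # "1203/Xvnc"    -> "Xvnc"
            key = port "/" prog
            if (!(key in ok) && !(key in seen)) { seen[key] = 1; print key }
        }'
}

# Constructed sample of "netstat -anp | grep LISTEN" from a typical ISTS box
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1041/apache2
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      977/mysqld
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN      1203/Xvnc
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      655/perl
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd'

# On a live box run:  netstat -anp 2>/dev/null | unexpected_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners
```

Run it once early to build the allowlist from what you actually expect, then re-run during the event; a new entry is either your own change or someone else's.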


VNC with no password

Red team viewing blue team machine over VNC

VNC can be configured with no password and give complete console access to the machine. Beyond the no-password case, there have also been authentication bypass exploits, and it is often configured with a weak password.

Web Based Management Tools

Webmin (port 10000) and phpMyAdmin are often used to remotely administer Linux machines. They can be configured with various authentication mechanisms, and this is another great place to look for default credentials.

Sudoers file

During the competition, and even at the beginning, be mindful of /etc/sudoers: this file controls who has access to sudo and the ability to run commands as root.

FTP Configuration Issues

FTP is often configured with anonymous FTP enabled, with versions that have known exploits, or allowing access to sensitive files.

During this year's competition it was configured to serve up /, and combined with the weak permissions this made accessing /etc/shadow and other sensitive files trivial.

MySQL root no password

MySQL configured with a root account and no password is a common configuration mistake, and it can lead to all kinds of fun things.


Incorrect permissions

Permissions on /etc/shadow allowed any user to view this file, giving access to all the hashes.

These were dumped by a PHP backdoor running as the www-data user.
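An added example (not from the original post) that audits the files behind the sudoers and /etc/shadow issues above: it reports any of them that is not root-owned or that grants any permission to "other". It assumes GNU stat, as on Linux.

```shell
#!/bin/sh
# Added example, not from the original post. Audit the sensitive files the
# post mentions (/etc/shadow, /etc/sudoers) for world-accessible modes or
# non-root ownership. Assumes GNU stat, as on Linux.

SENSITIVE_FILES="/etc/shadow /etc/sudoers"

# other_bits FILE : print the "other" digit of FILE's octal mode (644 -> 4)
other_bits() {
    mode=$(stat -c '%a' "$1") || return 2
    printf '%s' "$mode" | tail -c 1
}

# check_file FILE : 0 if FILE is root-owned and "other" has no permissions,
# 1 if either check fails (reason printed), 2 if FILE is missing
check_file() {
    file=$1
    [ -e "$file" ] || { echo "missing: $file"; return 2; }
    status=0
    owner=$(stat -c '%U' "$file")
    if [ "$owner" != root ]; then
        echo "NOT ROOT-OWNED: $file (owner $owner)"; status=1
    fi
    if [ "$(other_bits "$file")" != 0 ]; then
        echo "WORLD-ACCESSIBLE: $file mode $(stat -c '%a' "$file")"; status=1
    fi
    return $status
}

# audit_sensitive_files : check every file in SENSITIVE_FILES and print how
# many need attention; exit status is 0 only if none did
audit_sensitive_files() {
    failed=0
    for f in $SENSITIVE_FILES; do
        check_file "$f" || failed=$((failed + 1))
    done
    echo "$failed file(s) need attention"
    [ "$failed" -eq 0 ]
}

# Typical fix for the /etc/shadow case from the post (as root):
#   chown root:shadow /etc/shadow && chmod 640 /etc/shadow
audit_sensitive_files || true   # findings are printed; status only flags them
```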


Insecure Web Applications

There were a number of web vulnerabilities, including local file inclusion and multiple backdoors such as the c99 shell in shell.php.

This is an area that might take some work: use grep and other tools to look for insecure functions and obvious backdoors in web applications.


Scoring Engine Checks

The scoring engine checks the availability of many services by logging in over SSH/FTP. Depending on the configuration of these accounts, they usually had access to SSH and an interactive login.

Even with normal user privileges there was still attack surface for denial of service, including filling up the hard drive with random files or launching a fork bomb.

perl -e "fork while fork" &

:(){ :|:& };:

cat /dev/urandom > randomfile &

These attacks can be mitigated by using the ulimit command and making changes to /etc/security/limits.conf.
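An added example (not from the original post) of the limits.conf side of that mitigation: it writes per-user nproc and fsize limits for the account the scoring engine logs in as, skips the write if a limit is already there, and shows the ulimit equivalent for the current shell. The user name "scoring" and the limit values are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Cap the processes and the file
# size a low-privilege account may use, so a fork bomb or a runaway
# "cat /dev/urandom > file" from that account does not take the box down.
# The user name and the numbers are assumptions; pam_limits applies the
# limits.conf entries at the user's next login.

LIMITS_FILE=${LIMITS_FILE:-/etc/security/limits.conf}

# limits_block USER : the limits.conf lines for USER
#   nproc = max processes (fork bomb), fsize = max size of one file in KB.
#   fsize caps each file, not the total; many small files need disk quotas.
limits_block() {
    cat <<EOF
$1    soft    nproc    50
$1    hard    nproc    100
$1    hard    fsize    1048576
EOF
}

# has_nproc_limit USER : 0 if USER already has a hard nproc line
has_nproc_limit() {
    grep -Eq "^$1[[:space:]]+hard[[:space:]]+nproc[[:space:]]+[0-9]+" "$LIMITS_FILE" 2>/dev/null
}

# apply_limits USER : append the block unless USER already has a hard nproc
# line, so re-running is safe; needs root to write the real file
apply_limits() {
    has_nproc_limit "$1" || limits_block "$1" >> "$LIMITS_FILE"
}

# The same caps take effect immediately in the current shell with ulimit
# (-u processes, -f file size in 1K blocks):
#   ulimit -u 100
#   ulimit -f 1048576
# Usage on the box (as root):  apply_limits scoring
```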

Windows Security

Patching

This shouldn't need mentioning, but if you're doing a CTF-style event and you see an XP/2003 box there is a very good chance it's vulnerable to MS08-067, and if you come across Vista SP1/SP2 or Server 2008 you might want to look for MS09-050.

These exploits get popped quickly, and you will be fighting a battle to remove any level of persistence by the red team or other teams.

Firewall

Enabling the Windows firewall to block 139/445 and other services that don't need remote access will be critical.

Passwords

Once a machine is compromised, it's trivial to dump cleartext Windows passwords out of memory; keep this in mind if you're reusing the same admin password or password style across multiple machines.

It's also extremely easy to dump the password hashes. Even if you used a complex password, teams can regain access by launching psexec over 445 and using the password hash to log in.

What now?

A few tips to get you started:

Familiarize yourself with the various locations commands get launched from on boot. An example of this would be HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce.

Be mindful of all temp directories and odd looking files.

Learn how to use the Sysinternals tools to detect backdoors. There are a number of great articles on detecting malware with Process Explorer, TCPView, and other Sysinternals tools.

Log files are your friend unless someone deletes them 🙂

If you detect a compromise, remember to rotate your Windows passwords quickly.

The last point is: make sure you're having fun.

More details from another ISTS Redteam member can be found here – http://www.antitree.com/ists-x/

ISTS Redteam Reddit – http://www.reddit.com/r/istsredteam

Posted in InfoSec
2 comments on “ISTS – Defense”
  1. You forgot to mention NFS was sharing / to the world. It was as user “nobody” but that was enough to read out the shadow file (when combined with the bad permissions) and write to the web directory, which combined should have eventually allowed escalation of privilege.
