Subverting Security

July 13, 2016
#security #offense #hacking #pentest #penetration testing #pentesting #infosec

Let's look at some of the common attack vectors and methods used to work around security measures. I use the "pentesting" tag a bit loosely here and will be covering many methods to subvert security measures in a "no holds barred", top-down/higher level style.

Attack Process

If you've spent any time working for corporations you'll likely be very familiar with the phrase "business process". This is just a generic way of describing structured tasks or workflow that leads to an end goal - think microwavable food instructions.

Simple Example:

Step 1 - Request is logged by customer service rep along with details of problem
Step 2 - Request is forwarded to appropriate team
Step 3 - New team member signs off on ticket to acknowledge transfer
Step 4 - Team member has 15 minutes to diagnose problem before escalating
Step 5 - Escalate until solved; solution is logged for future reference.

One of the better "processes" to be aware of when social engineering customer service representatives is call handle time. Some call centers are brutal about closing a call within X minutes in order to keep call volume under control, and that stat often feeds into performance reviews. If your target works somewhere like that, keeping them on the line longer may encourage them to cut corners, but it can backfire if you dawdle: they want to hit their targets, or at least avoid catching more grief from their boss. Keep in mind too that many call centers don't pay well and have high turnover, burnout and low morale among the staff, which makes them even more likely to cut corners. The culture is certainly different from place to place, though, and you can usually find out which is which by poking around on internet forums (like Glassdoor).

Another common one is the "new employee onboarding" process: new employees have all sorts of accounts that need to be created, passwords that need to be set, access permissions to grant, gear to assign, and so on. IT staff will often automate as much of this as possible, which can be as simple as a script that imports an Excel/CSV export and creates the necessary accounts from the details provided. Hijacking that script, or feeding it a bogus request, can lead to interesting places, since such a script typically trusts whatever the spreadsheet says about which groups and permissions a new hire should get.
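As an added example (not code from the original post), here is a toy version of that CSV-driven onboarding script in Python, in its "convenient" form beside a hardened one. The HR export, the group names and the trusted-requester rule are all constructed for the demo; a real script would be talking to AD/LDAP rather than returning dicts.

```python
import csv
import io

# Constructed sample HR export (not real data). The third row is the bogus
# request: a contractor whose row asks for the domain-admins group and was
# not submitted through the HR system.
HR_EXPORT = """employee_id,name,department,groups,requested_by
1001,Alice Smith,Finance,finance-users,hr-system
1002,Bob Jones,IT,it-helpdesk;vpn-users,hr-system
1003,Carol Doe,Contractors,domain-admins;vpn-users,carol.doe@example.com
"""

# Groups the script is allowed to grant unattended; anything else needs a
# human approval outside the script. Both sets are assumptions for the demo.
SELF_SERVICE_GROUPS = {"finance-users", "it-helpdesk", "vpn-users", "staff"}
TRUSTED_REQUESTERS = {"hr-system"}


def parse_export(text):
    """Read the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def naive_provision(rows):
    """The 'convenient' version: every row becomes an account with exactly
    the groups the spreadsheet asked for. Returns {employee_id: groups}."""
    return {row["employee_id"]: set(row["groups"].split(";")) for row in rows}


def checked_provision(rows):
    """Hardened version: only trusted requesters and only self-service groups
    are provisioned automatically. Everything else is parked for review.
    Returns (created, rejected) where rejected is [(employee_id, reasons)]."""
    created, rejected = {}, []
    for row in rows:
        groups = set(row["groups"].split(";"))
        reasons = []
        if row["requested_by"] not in TRUSTED_REQUESTERS:
            reasons.append("untrusted requester: " + row["requested_by"])
        unexpected = groups - SELF_SERVICE_GROUPS
        if unexpected:
            reasons.append("non-self-service groups: " + ", ".join(sorted(unexpected)))
        if reasons:
            rejected.append((row["employee_id"], reasons))
        else:
            created[row["employee_id"]] = groups
    return created, rejected


if __name__ == "__main__":
    rows = parse_export(HR_EXPORT)
    print("naive:", naive_provision(rows))
    print("checked:", checked_provision(rows))
```

The naive version hands the contractor domain-admins without blinking; the checked version creates the two legitimate accounts and leaves the third row with two stated reasons for a human to look at. The point is not the specific allowlist but that the spreadsheet is untrusted input like any other.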

Many companies offer customers multiple password reset routes (by phone, SMS, IM/chat, email, automated web systems, etc.). These are another great process to get familiar with, since they are often a little too "convenient" in order to make things easier on people. Occasionally you'll find that these routes, policies and procedures will tell you partial or full email account names, card numbers on the account, or phone numbers, or will allow a complete bypass of account security entirely. Example:

Combine a free Spokeo people search (which hides the last 4 digits of a phone number in the free results) with a website that shows only the last 4 digits of the phone/SMS number on the account, and you have the full number. The first few digits of a credit card number are likewise the same for every card of a given type (Visa, MC, AMEX, etc.), so "partial" card numbers give away more than they appear to. You could also just ask a service representative for the numbers of the credit card on the account; say something like "I just want to verify which one I have on there... so many to keep track of".
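The general form of that Spokeo trick is merging several partially masked views of the same identifier, each from a site that thinks it is only leaking a harmless fragment. Here is an added Python example (not from the original post) that does the merge and, just as importantly, flags when two views disagree, which is the check that tells you the records are not actually the same number or the same person. The phone numbers are constructed.

```python
import re


def _normalize(view, mask_char):
    """Keep only digits and the mask character so that '(555) 867-****'
    and '***-***-5309' line up position by position."""
    return re.sub(r"[^0-9%s]" % re.escape(mask_char), "", view)


def merge_masked(views, mask_char="*"):
    """Merge several masked views of the same identifier into one string.

    Each view reveals some positions and masks the rest. A position is
    filled in if any view reveals it; it stays masked if none does.
    Raises ValueError if the views have different lengths or disagree on
    a revealed position, which is the signal that two records are not
    actually the same identifier.
    """
    norm = [_normalize(v, mask_char) for v in views]
    if not norm:
        raise ValueError("no views given")
    length = len(norm[0])
    if any(len(v) != length for v in norm):
        raise ValueError("views have different lengths after normalization")
    merged = []
    for i in range(length):
        revealed = {v[i] for v in norm if v[i] != mask_char}
        if len(revealed) > 1:
            raise ValueError("views disagree at position %d: %s" % (i, sorted(revealed)))
        merged.append(revealed.pop() if revealed else mask_char)
    return "".join(merged)


def unknown_positions(merged, mask_char="*"):
    """How many positions are still hidden after merging; 0 means the
    identifier has been fully recovered from the partial disclosures."""
    return merged.count(mask_char)


if __name__ == "__main__":
    # Constructed views: a people-search site hiding the last 4 digits and a
    # vendor account page showing only the last 4.
    print(merge_masked(["(555) 867-****", "***-***-5309"]))  # 5558675309
    partial = merge_masked(["(555) ***-****", "***-***-5309"])
    print(partial, unknown_positions(partial))               # 555***5309 3
```

The defensive reading of the same code: if two of your systems mask different parts of the same field, an attacker only needs both pages. Mask the same positions everywhere, or show fewer digits than the other site reveals.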

Warranty fraud (especially against Amazon, whose flexible return policy is well known) relies very heavily on attacking business process; some go so far as to work out the algorithms that generate RMA/warranty numbers.

Attack Convenience

Security or convenience: pick one, because you typically can't have both (though convenient security should be the end goal). Companies often prefer the "quick and convenient" method, not only for their customers' sake but internally as well, to help manage their large empire; Amazon's return policy is a good example from the customer side. Some places run on "bare bones" staff, which leads to more cut corners: say, an Excel spreadsheet with all of the IT department's passwords in it, or default passwords left on devices. Employees will often pick convenience by making all of their passwords to various sites (personal and business) the same, or some variation of the same one every time it needs to be changed. Even IT staff and some of the "most elite hackers" are guilty of it. Similarly, always look for a corporate customer list, preferably with account/support numbers or other unique identifiers. Password/account information and record keeping are often tied to these "unique identifiers" to help organize things.

Firewall rules may be lax as well thanks to a particularly annoying VIP/C-level or a troublesome application from a 3rd party vendor that no one has time to troubleshoot. "Turn off the firewall" is a fairly common line from low-level vendor support, some of whom don't know the specifics of how their own product communicates.

"Secret" or "industry insider" methods that rely on security through obscurity for easy maintenance, training and record keeping can also be frighteningly simplistic: think a "Konami code" type hack, but for ATMs, traffic light controllers and all kinds of other systems, courtesy of default passwords. "IoT" devices are fair game too, from baby monitors and fridges to security products like these cameras or these easily exploited alarm systems. Even medical devices can be turned against you to gain access to your accounts, and they give up very detailed and often very personal information about you. Shodan does a great job of showing the massive scale of the default-password and insecure-IoT problem. According to a fairly recent BI study, many corporations and industries are adopting IoT devices to gather more and more data (data is king these days, after all), not to mention the increasing popularity of BYOD in the workplace. You can even target the home networks of "key" employees (C-levels, secretaries, IT staff), since these are likely not as well secured (think default passwords, poor encryption protocols, unpatched router vulns, etc.) and may still contain sensitive corporate information or access.

The Mirai IoT botnet, which produced the largest DDoS attack recorded at the time, is another great example. Long story short: your Twitter/Instagram-connected washing machine could be part of some script kiddie's botnet, or worse.

Attack Physical Security

Some good yet simple physical security examples would be how easy most locks are to pick, and how easy it is to break into cars (keyless, or with a good old wedge and slim jim). There is even a commonly used key, "CH751", that will open a frightening number of the more common locks. The first time you call a locksmith after locking yourself out of the car can be fairly eye-opening, especially when you get the bill for their 45 seconds of work! Again, many security systems (such as alarm systems) rely on that awful "insider info/security through obscurity" principle and can be much easier to "hack" or bypass than you may first think.

A good book on the subject is "A Burglar's Guide to the City", and I love referring to the hilariously notorious criminal "Roofman", who gained fame by breaking into places from, you guessed it, the roof. Architecture can be invaluable: it can give you safe/secret passage, a hiding spot from security patrols and cameras, knowledge of "bottleneck" areas with higher foot traffic so you can blend in better or avoid them, and access to critical systems (power, telephone, internet, fire alarms, etc.). When security consultants are brought in to beef up a building's design they are often overruled by the architect or owner for aesthetic or convenience reasons. Deviant Ollam is a great resource on this, and there are many others as well.

Attack 3rd Party Vendors, Legacy, and Known Vulnerabilities

Bigger companies may have better security practices and OPSEC, but there are myriad third party vendors and ancient/dated software in use everywhere. Banks are one of many industries running on dated technology, and the fairly recent Home Depot breach was accomplished via a 3rd party vendor (a growing threat as well).

Even when big companies genuinely care about security and try to stay vigilant, it can be a daunting and downright difficult task. Many companies have at least 2 or 3 dated applications running on old operating systems/machines, or using old versions of software (such as Java) for some core legacy application they simply don't want to pay to upgrade yet. Patching the myriad of different devices and keeping up with the necessary support contracts is a pain; in fact it's been speculated that close to 44% of breaches are achieved with already known vulnerabilities. Sometimes even basic Nessus scans or code fuzzers can get you where you need to go.

Going back to Project Zero's font bug: legacy issues can cause massive problems, as seen in the SS7 cellular network exploit and these industrial control systems. Many products still communicate without encryption, or lack user/message authentication and input sanitization (as seen in SQLi attacks). The WannaCry ransomware is another prime example: it spread via an ancient (20+ years old) protocol, SMBv1, that was exposed to the internet, and caused the NHS and others some massive headaches.

You can also pull software inventory/polling data off machines to get installed software versions, both to hunt for known vulnerabilities and to get a better idea of what the machine is used for and its part in the business process. Ripping out the user profile and form data from the various browsers to grab their "auto-complete" entries and saved usernames/passwords can be helpful as well.

One final example is attacking wifi. Many wifi security settings are outdated and riddled with known vulnerabilities or otherwise easy to "break into", and some access points have known problems with their remote admin panels, don't hide the panel at all, or ship with hardwired backdoors.

Attack People

This is an SE/security blog after all: time and time again experts warn that the weakest link in the security chain is almost always people. Whether you plan "chance meetups" for elicitation, targeted phishing campaigns, "watering hole" attacks leveraging ad networks, or just plan on using some poor sap in a call/support center to bypass standard security practices (like the fairly recent Twitter "@N" fiasco), people remain the largest liability to company security. This video may help to better illustrate the point.

Gathering information on people, such as birthdays of loved ones, pet names, important phrases/movies/dates, etc., is useful for dictionary password attacks, phishing and SE alike. I've known many people whose 4 digit cell phone passcode is also their debit/credit PIN, and I've "hacked" an iPhone backup for the CEO of a prior employer using a simple 200 word dictionary brute force attack (with his knowledge/approval of course, since he had forgotten his encrypted backup password).
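To show what a "simple 200 word dictionary" built from personal facts looks like in practice, here is an added Python example (not the author's tool) that turns a handful of OSINT facts into a targeted wordlist with the usual mangling (case, leet, years, suffixes, two facts glued together) and runs it against a stored hash. The facts, the salt and the PBKDF2-HMAC-SHA256 storage format are all assumptions made so the attack has something to compare against; the iteration count is kept low purely for speed.

```python
import hashlib
import itertools


def mangle(word):
    """Common case and leet variations of one base word."""
    variants = {word, word.lower(), word.capitalize(), word.upper()}
    leet = str.maketrans("aeios", "43105")
    variants |= {v.translate(leet) for v in list(variants)}
    return variants


def targeted_wordlist(facts, years=(), suffixes=("", "!", "1", "123")):
    """Yield unique password candidates built from facts about the target
    (pet names, teams, street names...) and significant years."""
    bases = set()
    for fact in facts:
        bases |= mangle(fact.replace(" ", ""))
    tails = list(suffixes)
    for year in years:
        tails += [str(year), str(year)[-2:], str(year) + "!"]
    seen = set()
    for base in sorted(bases):
        for tail in tails:
            candidate = base + tail
            if candidate not in seen:
                seen.add(candidate)
                yield candidate
    # Two facts glued together (e.g. pet name + car), unmangled.
    plain = [f.replace(" ", "") for f in facts]
    for a, b in itertools.permutations(plain, 2):
        candidate = a + b
        if candidate not in seen:
            seen.add(candidate)
            yield candidate


def derive(password, salt, iterations=5_000):
    """Stand-in for whatever the target stores. PBKDF2-HMAC-SHA256 is assumed
    here only so the attack has something to compare against; real systems
    use far more iterations than this demo value."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def dictionary_attack(target_hash, salt, facts, years=(), iterations=5_000):
    """Try every candidate from the targeted wordlist; return the password
    that matches target_hash, or None if the list is exhausted."""
    for candidate in targeted_wordlist(facts, years):
        if derive(candidate, salt, iterations) == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed scenario: OSINT says the target has a dog named Fluffy,
    # drives a Mustang, likes the Cowboys and had a child in 2009.
    facts = ["Fluffy", "Mustang", "Dallas Cowboys"]
    salt = b"constructed-salt"
    stored = derive("Fluffy2009!", salt)
    wordlist = list(targeted_wordlist(facts, (1975, 2009)))
    print(len(wordlist), "candidates")
    print("recovered:", dictionary_attack(stored, salt, facts, (1975, 2009)))
```

Three facts and two years produce a list of a couple of hundred candidates, which is exactly the size of list that cracks a password like "Fluffy2009!" in well under a second while a generic million-word list would never contain it. The mangling rules are deliberately the boring ones people actually use; the value is in the facts, not the rules.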

Some of the best people to "get cozy with", bug (machine or phone) or phish are HR representatives and secretaries. Not only is this group typically bad with technology, they are also massive information hubs. HR has access to information about people that even IT may not have, and secretaries are often the gossip mills of the office. Many personal secretaries run most of their C-level or VIP's life and may even have all of their passwords/account information as well.

Abusing human curiosity by dropping an infected device (like a "BadUSB" (GitHub) stick or a Rubber Ducky running a duckyscript) by your target's car or office can have great results: a fair number of people will plug it in "to see what's on it or whose it is" without a second thought. For more on SE tactics in general I recommend reading my "SE Foundations" series for a quick jump-start and working your way up from there.

Related post: The State of Security
