Performance Objective

At the conclusion of the course the student will be able to:

  1. Identify at least three types of attack vectors.
  2. Identify a piece of software that can be used to execute a brute force attack.
  3. Identify what the main concept of Two-Factor authentication is.
  4. Identify a Linux OS that is used for penetration testing.
  5. Identify a product used to manage two-factor authentication.
  6. Identify a training ethos that will make users more likely to stay safe.
{: itemprop="associatedMedia" itemscope itemtype="http://schema.org/VideoObject"}

Introduction

This discussion will be on actual attacks, their methods, and the mitigation techniques that can go into protecting a user from these attacks. The vast majority of online attacks are opportunistic and designed to take advantage of user ignorance, fear, and laziness. If you are unaware of an attack, you are an easy target. If you are afraid of the consequences of the attack, you may fall victim to scams that prey on lack of confidence. Finally, many users find themselves infected or attacked because they fail to keep up to date with software and security updates, best practices, and methodology.

If you train like you fight, you will fight like you train. You must learn how the opposing force is scheming and educating themselves to gain access to your data. If you do not understand the attacks user, the techniques, and the why, you will not be able to defend yourself adequately. You must practice continuing education that is focused on real life scenarios if you expect to be able to protect yourself.

Brute Force

Brute force cracking is a method by which an individual attempts to enumerate the login credentials for a service or application through the exhaustive effort of trial and error. A brute force attack can also cause a denial of service issue for legitimate users due to the number of attempts being made in series.

Some individuals will differentiate a Brute Force attack and a dictionary attack. The dictionary attack is a method by which an individual will use a list of suspected passwords against a service in order to reduce the number of attempts made. Legitimate passwords used in other products are often the fuel that feeds a dictionary attack.

Bulk Passwords

Individuals work around the clock and around the globe to find leaked passwords, usernames, emails, and more on a consistent basis. You can find these curated lists on GitHub, private websites, the darkweb, and through torrent. A small collection is presented here.

SecLists GitHub is populated with an extensive number of passwords.

10 million passwords are available in a torrent file as well. These also include usernames and will require minor editing for use with some of the tools below.

Checksums:

sha1: dabaeb7877ad55af75207cd22af05e4b93041830

sha256: 1d52f82e462679f6755dc7565caa193a5c2ce58cd14199b45261d1b6e213e82f

sha512: 3949199cc74287265092a875bcf9dadaaaf37b5eb68a5c80e85

wpscan

The WPSCAN application is designed to work as a vulnerability scanner as well as provide some ability to conduct attack against WordPress websites. It provides methods to scan for usernames, vulnerable plugins, vulnerabilities in the code, and works as a brute forcer for cracking logins.

Install the Docker Machine for WPSCAN -

$ docker pull wpscanteam/wpscan

Enumerate Users For A WordPress Blog -

$ docker run wpscanteam/wpscan --url https://yourblog.com --enumerate u

Use a wordlist to brute force a WordPress account -

$ docker run -v ~/wordlists:/wordlists wpscanteam/wpscan --url https://yourblog.com --wordlist /wordlists/cracks.txt --username admin

ncrack

Ncrack is a gold standard tool for cracking network authentication. It can be used to attack SSH, RDP, and more. This tool is extremely powerful and comes from the same peoples who brought you Nmap.

Install ncrack with Docker -

$ docker run -v ~/hackerfiles:/hackerfiles -it hihouhou/docker-ncrack

Enumerate passwords with ncrack -

$ ncrack -p 22 --user root -P /hackerfiles/pwd.txt 10.10.10.10

Mitigation

Mitigating the dangers of a brute force attack is relatively trivial. A properly configured system can provide all of the tools necessary to prevent the general and continuous brute force attack that is normally run over the internet and targeted at any machine willing to accept a connection attempt.

Two-Factor

Two factor authentication can be used for SSH, SFTP, WordPress, and almost every connection that requires a login. You can add two-factor authentication to a server and then require a device to allow access. This helps mitigate some threat actors because they will still be unable to login even with a username and password if they do not have the one-time pass required. The two-factor authentication device will generate a key that must be used for login. The main concept of two-factor authentication is ‘something you have’ in the device and ‘something you know’ in your password.

SSH Keys

Any user who is going to log into a server over SSH, SFTP, or similar should do so using an SSH key that they generated and managed. They may also wish to add a password to the SSH key as well as use a strong password for using sudo. A server that requires all users to deploy an SSH key does much to mitigate dictionary attacks. You can also combine this with a OTP solution in order to further harden the system.

Strong Passwords

Use a password manager. You should be using very strong passwords that include a random jumble of letters, numbers, and symbols. Every password should be unique and no two accounts should share a password. It is very easy to use something like SAASPASS or KeePassX to manage your accounts. If you are using your phone for OTP purposes, a tool like SAASPASS or KeePass will allow you to manage all of your other accounts. You can also install these programs on your hardware so that you have local access to the passwords from your computer or server as appropriate. Strong passwords that have been randomly generated and that are original are almost impossible to brute force and will most likely not be useful in a dictionary attack in the event of a database breach.

Fail2Ban

Fail2Ban is a log parser that works by monitoring common services to recognize patters in authentication and mitigate attacks. Fail2Ban will look at the log, identify a problem, and then add rules to the firewall that block an attacker. Fail2Ban is usually used to monitor for attacks on SSH and then to block individuals executing those attacks but it can also be employed to block individuals attacking WordPress, Drupal, or other web applications.

IP Access Control

Limiting access to the server by IP address is also a viable alternative. Some individuals will employ a country based list. This is usually a black list that consists of IP addresses that cannot access the system. A black list will often grow exponentially if properly tended. This style is known as the ‘American’ style of access control. (Every thing is permitted until otherwise countermanded.) It is often more effective to employ the ‘Soviet’ style of access control. (Nothing is permitted until otherwise countermanded) This is a white list. The white list consists of a very small number of carefully controlled addresses with access to the box and no other IP may connect. It is also possible to use a VPN to manage access. If a user cannot connect to the VPN hosted on the box, they may not connect to the server. All viable alternatives that will be controlled based on your risk tolerance and specific risk management plan.

American Style Security: Everything is permitted except that which is not. The perfect example is the black list. Any one can connect to a computer unless strictly forbidden.

Soviet Style Security: Nothing is permitted unless otherwise allowed. The perfect example is the white list. No one can use the computer unless given explicit permission.

Man In The Middle

A man in the middle attack is the method by which an individual is able to receive traffic intended for another party, build and sustain a connection with said party, and then act as a gateway between the party and their traffic. If you can successfully gain a foothold between a user and their traffic, you can tamper with their data and they will normally be unaware of your presence.

ARP Poisoning

An attack on the lookup table of a router that changes the contents and remaps IP addresses to MAC addresses is called an ARP Poisoning attack. If you are able to modify the entries in the table you can then receive all of the traffic intended for another party.

An ARP attack will generate an increased amount of traffic and can be spotted easily by active monitoring solutions. If you target has an IDS in place, they will quickly discover your attack. You should also be cautious if you try to ARP spoof an entire subnet as your hardware must be able to handle the increased traffic.

ettercap

Ettercap is a tool used for performing MITM attacks. There are numerous tools that can each be used for this purpose but ettercap is one of the best known.

Install the tool with -

sudo apt-get install zlib1g zlib1g-dev build-essential
sudo apt-get install ettercap-graphical

Start the tool with -

$ sudo ettercap -G
  1. sniff -> Unified Sniffing -> interface choice (EN0) -> ok
  2. Hosts -> Scan For Hosts -> Hosts List (Select and add to target 1)
  3. Mitm -> ARP poisoning -> Sniff Remote Connections -> ok

Test the attack (Attacking Machine) -

$ arp -a

Docker can be used with ettercap and the supporting tools necessary but all current images seemed too shady for my liking and do require that you run in privileged mode due to needing access to the hardware. Make your own image if you want to use this in Docker.

Web Application Security

Web Application Security is an intricate dance between availability and security. There are some best practices that can lend a level of security to your site. One issue that many web sites runs into is SQL injection. Any application you write should be designed to take advantage of best practices in SQL to prevent SQL injection. An example of SQL injection is available below.

SQL Injection

$unclean_input = $_POST['user_input_id'];
$sql_query = 'SELECT * FROM Users WHERE ID = ' . $unclean_input;

The user could input a true statement like 1 = 1 into the query. This would allow the user to return the entire Users table.

$sql_query = 'SELECT * FROM Users WHERE ID = 1 OR 1=1';

Social Engineering

Social engineering is the use of deception or manipulative behavior in order to force an individual to reveal confidential information that can be used for fraudulent purposes. Frank William Abagnale, Jr spent time in the 1960s pretending to be a pediatrician. Kevin Mitnick spent time in prison and was believed to be able to whistle and make missiles launch. The best social engineer in recorded history is Mark Zuckerburg. You have nearly 400 million people providing you with their most intimate data. Good job.

Social Engineering Toolkit

The Social Engineering Toolkit is an open-source penetration framework specifically for assisting the user in performing Social Engineering. There are numerous tools included in the framework that can be used to create an attack in short order.

Docker Image -

$ docker run -it -p 5432:80 warch/social-engineering-toolkit

OR

Download with -

$ git clone https://github.com/trustedsec/social-engineer-toolkit/ set/

Install with -

$ cd set; sudo python setup.py; sudo python setoolkit;

Launch with -

$ setoolkit

You can use the SETOOLKIT to launch attacks, clone web sites, and generally perform all of the leg work necessary for a successful attack. If you can use a Chinese food menu, you can successfully use the tool kit.

Digital Extortion

Digital Extortion is a relative new comer that is sweeping the world when it comes to crime. Individuals are able to demand payment in return for access to services and data from anywhere in the world. Regardless of Operating System, there are a multitude of attacks that can be executed in order to find financial gain in others suffering or loss. Some of these scams do not even require a successful attack. A little ingenuity and a well worded email or advertisement and some people will pay out of fear or shame without complaint.

Distributed Denial Of Service

DDOS is being used for ransom and this attack is on the rise. Many companies are unwilling to reveal the threat and regularly try to hide any mention of an attack. This means that these companies are regularly paying big bucks in secret to extortion teams who are keen to get on the payroll. Companies are regularly the target of nefarious actors willing to turn undefended infrastructure into a weapon.

Sextortion

Digital Blackmail or sextortion is on the rise as well. Individuals use applications like Tinder or Skype, meet “someone” for an online hook up, and later are contacted for a cash payout or their images and videos will be released to their friends and relatives. This crime is prevalent in the Philippines. A woman was recently arrested after running a ring that earned millions of dollars and employed girls as young as 12. The criminals filmed and snapped shots of thousands of foreigners and then extorted them for money.

Ransomware

Ransomware is software that can encrypt files and also work as a control system to force users to contact the locker in order to receive the unlock credentials for payment. Most Ransomware works using bitcoin as the intermediary tool for financial transactions between the criminal and the victim.

WARNING - This is a link to a GitHub with an actual functional attack

  • Locky is a strain of ransomware for Windows based operating systems.

WARNING - This is a link to a GitHub with an actual functional attack

  • Linux.Encoder.1 is a strain of ransomware for Linux based operating systems.

  • There also exists varying strains of this infection in IOS, Android, and Mac OS flavors.

Mitigation

  1. Talk to your datacenter. Inform them of the threat and prepare for the worst.

  2. Don’t pay the ransom.

  3. Contact others in your field.

  4. Contact law enforcement. FBI Cyber Crime

  5. Employ DDOS mitigation tools. Cloudflare is a good potential start.

  6. Don’t pay the ransom.

  7. Back up your files.

  8. Protect those back ups. Don’t make backups available from your potentially infected computers. Most attacks are opportunistic, don’t make it easy on them.

Kali Linux

BackTrack Linux is no longer maintained. Kali Linux is the operating system of choice for individuals looking for a system that is preconfigured for executing attacks. The Kali Linux project is an open source operating system that is maintained and funded by Offensive Security. The Kali Linux OS is based on Debian. It is my opinion that users should use Kali Linux as an example of what is possible but should not rely on the system as a crutch. Everything installed in BackTrack or Kali is available to an Ubuntu or Debian user.

Answers

  1. Brute Force Attacks, Man in the middle attacks, social engineering, and DNS poisoning are some attacks.
  2. wpscan can be used to brute force a Wordpress site.
  3. Two-Factor’s main concept is ‘something you have’ and ‘something you know’.
  4. Kali Linux is an OS that can be used for penetration testing.
  5. SAASPASS is a product that provides acceptable two-factor management.
  6. Train like you fight and you will fight like you train is an ethos practiced by cyber security experts and others.

Conclusion

No software or tool is free of vulnerabilities. We as security professionals, programmers, or end users must manage the risk as we see fit or to standard as appropriate for our position. It is impossible to plan for every contingency or weakness but we can plan to provide ourselves with the greatest number of security layers. You should employ best practices, appropriate user management, and monitor for threats on a regular basis. You must also be prepared to react when a system is attacked and a database or other data is compromised. We can manage our security. We cannot manage the security of the products we use. Prepare for the worst.

Final Recommendations

  1. Regularly test for vulnerabilities or exploits.
  2. Contribute to the community by creating reduced size docker images for tools.

Glossary

  • OS - Operating System
  • Brute Force - Enumeration of password and or user name for gaining illicit access
  • OTP - One Time Password
  • ARP - Address Resolution Protocol / The protocol for mapping MAC addresses to IP addresses
  • IDS - Intrusion Detection System