10/16/08

Local Attacks

Remote code execution is a phrase that always gets a lot of press and attention from computer security professionals. Remotely compromising a computer is not the only threat posed to a network, though. What about a local attack carried out by a trusted, or otherwise, individual?

Local attacks

We are becoming pretty much used to reading about new remote code execution exploits associated with various programs and operating systems. It is normally the goal of any hacker to obtain a means of executing their own code on the victim computer. This is a rather obvious goal really, for why else would you attack a computer if not for the end state of being able to control it in some way? The same reasoning applies to exploits which result in a denial of service condition, though a denial of service is generally regarded by most as less critical than an exploit which results in remote code execution.

What do remote code execution and a denial of service attack have in common though? Well, normally they are linked with someone attacking you remotely, i.e. they are not in the same physical space as you. This is not the only means of attacking a computer though. There is also the ever present threat of the trusted employee. I won’t bother regurgitating the statistics, but it seems many groups and federal agencies believe that half of all computer breaches result from the acts of a trusted insider. That is indeed a high number and is probably open to debate. One thing that can be taken for granted though is that there are attacks mounted by those with physical access to a computer network.

Let’s put it into perspective

With the above said, just what kind of attack is one likely to see if a person with malicious intent has physical access to a computer on a network? The answer really depends on the security put in place for that computer network. Typically there is very little security in place on most computers in a corporate network, so I shall just go ahead and list some attacks that can take place.

First off an attacker sees that the computer is prompting them for the usual username and password combination. What does the attacker do? Well they can simply drop in their favorite live Linux distro or other such tool. Once they have recycled the power of the computer it will boot off the media and the admin password is changed shortly thereafter. Once the attacker has system administrator credentials there is potential for all kinds of nastiness.

Though the intent of the attacker may not necessarily be to log on as the sys admin, once again the allure of using a live Linux distro is very compelling. These tools contain a treasure trove of attack tools waiting to be invoked once the computer has booted off of it. Now the attacker can go about trying to do privilege escalation by sniffing the traffic on the network and hopefully snarf some passwords. The attacker could also be on the lookout for emails that are flying about the network. There is often rather sensitive data contained in corporate emails.

Another vital part of a computer network that can also be exploited via a live Linux distro is the SNMP traffic flying about the network. There is an incredible amount of information available via these SNMP exchanges; you can gauge the uptimes of various servers, for one. That type of server information is key in determining whether or not a server has been patched for a specific exploit. Seen below is an example of an SNMP packet as seen “on the wire”.

The bolded and underlined parts of the packet reflect the OIDs, or object identifiers. It is these OIDs that convey specific system information for a device such as, say, an IIS server. The OIDs noted below could be ones that reflect the IIS server’s uptime, server load, or NIC throughput. It is by decoding these OIDs that you can glean critical information about a network. That said, you would ideally have the software to do it with. Ethereal will do a pretty good job of decoding them, but you would preferably have the actual software used to send them in order to interpret them fully. An example would be, say, WhatsUp Gold or other management software.

01:31:26.631025 192.168.1.200.161 > 192.168.1.100.40274: { SNMPv1 C=testnet-pub { GetResponse(90) R=1546751089 .1.3.6.1.2.1.2.2.1.10.24=3936973547 .1.3.6.1.2.1.2.2.1.16.24=3178267035 .1.3.6.1.2.1.1.3.0=4268685032 .1.3.6.1.2.1.1.5.0="G"} } (ttl 255, id 41656, len 148)
0x0000 4500 0094 a2b8 0000 ff11 151c c0a8 01c8 E...............
0x0010 c0a8 0164 00a1 9d52 0080 3f43 3076 0201 ........R..?C0v..
0x0020 0123 0123 0123 6574 2d70 7562 a266 0204 ..testnet-pub.f..
0x0030 5c31 8c71 0201 0002 0100 3058 3013 060a \1.q......0X0...
0x0040 2b06 0102 0102 0201 0a18 4105 00ea a972 +.........A....r
0x0050 eb30 1306 0a2b 0601 0201 0202 0110 1841 ..0...+.........A
0x0060 0500 bd70 819b 3011 0608 2b06 0102 0101 ....p..0...+.....
0x0070 0300 4305 00fe 6ef6 e830 1906 082b 0601 ...C...n..0...+..
0x0080 0201 0105 0004 0d47 .......G
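The OIDs and values in that response need nothing more than a few lines of BER decoding to read, which is the point: an SNMPv1 agent hands this out in cleartext to anyone on the wire who knows the community string. The following decoder is an added example, not code from the original article or from any tool it names. It works on the bytes copied from the hex dump above, starting at the "30 58" varbind list; the dump is cut off inside the final sysName.0 value, so that 13-byte string is a constructed placeholder, and the MIB-II names are taken from RFC 1213.

```python
# Added example (not from the original article): a minimal BER decoder for the
# varbind list of the SNMPv1 GetResponse above, copied from the hex dump from
# the "30 58" SEQUENCE onward.  The dump is cut off inside the last value
# (sysName.0), so that 13-byte string is a constructed placeholder.
SYSNAME_PLACEHOLDER = b"G-placeholder"  # constructed; only the leading "G" survives in the dump
VARBINDS = bytes.fromhex(
    "3058"                                                   # SEQUENCE OF VarBind, 88 bytes
    "3013 060a 2b06 0102 0102 0201 0a18 4105 00ea a972 eb"   # ifInOctets.24, Counter32
    "3013 060a 2b06 0102 0102 0201 1018 4105 00bd 7081 9b"   # ifOutOctets.24, Counter32
    "3011 0608 2b06 0102 0101 0300 4305 00fe 6ef6 e8"        # sysUpTime.0, TimeTicks
    "3019 0608 2b06 0102 0101 0500"                          # sysName.0, OID only
) + bytes([0x04, len(SYSNAME_PLACEHOLDER)]) + SYSNAME_PLACEHOLDER

MIB2 = {  # RFC 1213 MIB-II objects present in the captured response
    "1.3.6.1.2.1.1.3": "sysUpTime", "1.3.6.1.2.1.1.5": "sysName",
    "1.3.6.1.2.1.2.2.1.10": "ifInOctets", "1.3.6.1.2.1.2.2.1.16": "ifOutOctets",
}

def read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the BER element at pos; short-form lengths only."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form BER length not handled in this example")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length
def decode_oid(raw):
    """First byte packs arcs 1 and 2 (40*a+b); remaining arcs are base-128, high bit = continue."""
    arcs, value = list(divmod(raw[0], 40)), 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))
def decode_value(tag, raw):
    if tag in (0x41, 0x42, 0x43):   # Counter32, Gauge32, TimeTicks: unsigned big-endian
        return int.from_bytes(raw, "big")
    return raw.decode("latin-1") if tag == 0x04 else raw.hex()   # OCTET STRING, else raw hex
def parse_varbinds(buf):
    """Return {'<MIB name>.<index>': value} for each VarBind ::= SEQUENCE { name, value }."""
    _, body, _ = read_tlv(buf, 0)
    pos, out = 0, {}
    while pos < len(body):
        _, vb, pos = read_tlv(body, pos)
        _, oid_raw, vpos = read_tlv(vb, 0)
        vtag, val_raw, _ = read_tlv(vb, vpos)
        base, _, index = decode_oid(oid_raw).rpartition(".")
        out[f"{MIB2.get(base, base)}.{index}"] = decode_value(vtag, val_raw)
    return out
def uptime_days(ticks):
    """sysUpTime is in hundredths of a second since the agent restarted."""
    return ticks / 100 / 86400
```

Running parse_varbinds(VARBINDS) recovers the four values tcpdump printed, and uptime_days(4268685032) gives roughly 494 days, which is exactly the "has this box been rebooted for a patch" signal the text describes.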

So we have seen that physical access to a computer can be disastrous should an attacker boot off of a CD such as the one described above. That is not all, though: the same attack can be done via USB drives as well. These portable devices have gained in popularity and storage size, and you can easily fit a Linux distribution on one of them. Both access to USB drives and booting off of CD drives need to be restricted. This can be done with relative ease and can be read about here.

Beyond live CD’s and USB sticks

Well, when it comes to local attacks pulled off due to physical access, there is more to it than the aforementioned. One of the craftier ones that I have seen is the hardware keylogger. Think about this now, and any system administrators that may also be reading this: just how often do you actually visually inspect system components like the keyboard and mouse? Odds are that you check them rarely, if at all. This is why a hardware keylogger is so effective. You simply need to attach it and walk away from it. It will rarely if ever be detected. After all, it leaves no footprint on the affected computer, nor will anti-virus software detect it. Rather ideal if you ask me. Once you are physically in a network it would take mere seconds to install this.

Along the lines of the live Linux distros mentioned above is a suite of tools that has been ported to the world of win32. The dsniff suite is a very powerful one indeed. Built into this toolset is the ability to intercept emails, see sites being surfed to, and also do packet sniffing to get those much desired passwords. The only caveat for use of this tool is the need for WinPcap to be installed. That, though, can be easily and quickly done by an attacker.

Of Trojans and LSP’s

Having physical access to a computer also gives one the ability to install trojans, including the stealthy LSP trojan, i.e. one built as a layered service provider. Both of these malware specimens can be written so that they evade detection by all anti-virus vendors’ signatures. That would imply that someone with programming ability has written custom code. This is not as far fetched as you would think; it happens all the time in the world of corporate espionage. I hope you will read the last hyperlink I just provided, as it will certainly drive home the fact that corporate espionage does happen. It is a heck of a lot cheaper to pay some programmer a five figure sum of money which in turn will allow you to gain, say, untold millions in terms of corporate research. That math is not difficult to figure out.

The wrap up

While I have only listed some of the physical attacks that a computer could fall prey to, there are many others, and there are variations of the ones listed as well. All you can do is tighten down your network as best you can, and that includes leveraging the power of GPOs, restricting physical access to your computer resources, and other preventative measures. Each network will have its own quirks. You must sit down and give your security needs some sober thought. Once you have charted out your weaknesses, you will be well on your way to securing them. Please remember that not all attacks are done remotely. There will always be the ever present threat of attacks performed by those with physical access. I sincerely hope that this article was of interest to you, and as always I welcome your feedback. Till next time!
