Thursday, March 4, 2010
Tutorial: Real Life HTTP Client-side Exploitation Example
This section illustrates an example of a real life attack conducted against an organization that resulted in loss of critical data for the organization.
In this attack, Acme Widgets Corporation suffered a major breach from attackers who were able to compromise their entire internal network infrastructure using two of the most powerful and common attack vectors today: Exploitation of client-side software and pass-the-hash attacks against Windows machines.
Step 0: Attacker Places Content on Trusted Site
In Step 0, the attacker begins by placing content on a trusted third-party website, such as a social networking, blogging, photo sharing, or video sharing website, or any other web server that hosts content posted by public users. The attacker's content includes exploitation code for unpatched client-side software.
Step 1: Client-Side Exploitation
In Step 1, a user on the internal Acme Widgets enterprise network surfs the Internet from a Windows machine that is running an unpatched client-side program, such as a media player (e.g., Real Player, Windows Media Player, iTunes, etc.), document display program (e.g., Acrobat Reader), or a component of an office suite (e.g., Microsoft Word, Excel, Powerpoint, etc.). Upon receiving the attacker's content from the site, the victim user's browser invokes the vulnerable client-side program passing it the attacker's exploit code. This exploit code allows the attacker to install or execute programs of the attacker's choosing on the victim machine, using the privileges of the user who ran the browser. The attack is partially mitigated because this victim user does not have administrator credentials on this system. Still, the attacker can run programs with those limited user privileges.
Step 2: Establish Reverse Shell Backdoor Using HTTPS
In Step 2, the attacker's exploit code installs a reverse shell backdoor program on the victim machine. This program gives the attacker command shell access of the victim machine, communicating between this system and the attacker using outbound HTTPS access from victim to attacker. The backdoor traffic therefore appears to be regular encrypted outbound web traffic as far as the enterprise firewall and network is concerned.
Steps 3 & 4: Dump Hashes and Use Pass-the-Hash Attack to Pivot
In Step 3, the attacker uses shell access of the initial victim system to load a local privilege escalation exploit program onto the victim machine. This program allows the attacker to jump from the limited privilege user account to full system privileges on this machine. Although vendors frequently release patches to stop local privilege escalation attacks, many organizations do not deploy such patches quickly, because such enterprises tend to focus exclusively on patching remotely exploitable flaws. The attacker now dumps the password hashes for all accounts on this local machine, including a local administrator account on the system.
In Step 4, instead of cracking the local administrator password, the attacker uses a Windows pass-the-hash program to authenticate to another Windows machine on the enterprise internal network, a fully patched client system on which this same victim user has full administrative privileges. Using NTLMv1 or NTLMv2, Windows machines authenticate network access for the Server Message Block (SMB) protocol based on user hashes and not the passwords themselves, allowing the attacker to get access to the file system or run programs on the fully patched system with local administrator privileges. Using these privileges, the attacker now dumps the password hashes for all local accounts on this fully patched Windows machine.
Step 5: Pass the Hash to Compromise Domain Controller
In Step 5, the attacker uses a password hash from a local account on the fully patched Windows client to access the domain controller system, again using a pass-the-hash attack to gain shell access on the domain controller. Because the password for the local administrator account is identical to the password for a domain administrator account, the password hashes for the two accounts are identical. Therefore, the attacker can access the domain controller with full domain administrator privileges, giving the attacker complete control over all other accounts and machines in that domain.
Steps 6 and 7: Exfiltration
In Step 6, with full domain administrator privileges, the attacker now compromises a server machine that stores secrets for the organization. In Step 7, the attacker exfiltrates this sensitive information, consisting of over 200 Megabytes of data. The attacker pushes this data out to the Internet from the server, again using HTTPS to encrypt the information, minimizing the chance of it being detected.