SystemsSec 2016W Lecture 5: Difference between revisions
Line 6: | Line 6: | ||
=== Group 2 === | === Group 2 === | ||
Kyle T. | * Kyle T. | ||
Tarek K. | * Tarek K. | ||
Jakub L. | * Jakub L. | ||
Stefan C. | * Stefan C. | ||
Matt G. | * Matt G. | ||
Remi G. | * Remi G. | ||
Ibrahim M. | * Ibrahim M. | ||
==Remote attacker, authenticated== | ==Remote attacker, authenticated== |
Revision as of 16:39, 21 January 2016
Class discussion: threat models and attacker goals
Local attacker
Administrative attacker
Group 2
- Kyle T.
- Tarek K.
- Jakub L.
- Stefan C.
- Matt G.
- Remi G.
- Ibrahim M.
Remote attacker, authenticated
Group 3
Members
- Dania Ghazal
- Ankush Varshneya
- Olivier Hamel
- Michael Aaya
- Ryan Morfield
- Daniel Vanderveen
- Jess Johnson
Example Scenario
Targeted System
- CIA database - find out who killed Kennedy?
Attackers
- remote authenticators
- contractors (non CIA)
Goals
- “exfiltrating data”
- exfiltrate the CIA database to find out who killed Kennedy
Means
- someone at the CIA left a node.js server running in the background :)
- ssh credentials
- use outdated emacs (implementing a root privileged mail daemon) to inject a password into etc/passwd to escalate attacker’s privileges
- look around the system for more vulnerable/outdated services to exploit
- generate a race condition to create a file that you know a root user would create, then let the root user put their “sensitive data” into attacker’s file (such as files in /temp)
- social engineering - submit a help ticket to someone within the CIA to gain higher privileges for a seemingly innocent reason
Attack Strategies
Where are the Accessible Weaknesses?
- outdated services
- any service that lets attacker execute a task as another user
How Do You Attack Them?
- user privilege escalation
- abusing service vulnerabilities
Physical attacker, authenticated
Physical attacker, unauthenticated
Remote attacker, unauthenticated
- Samuel Prashker
- Daniel Lehman
- Roman Chametka
- Derek Aubin
- Gilbert Lavergne-Shank
- Xiusan Zhou
Scenarios
- #1 - DDOS
- Scenario
- Targeted System: Web servers, or any machine connected to a network
- Attackers: Angry trolls, political warriors
- Goals: Denials of service, anger your target, hurt their financials, prove a point
- Means: LOIC, Chinese Botnet with Bitcoin
- Attack strategies
- Accessible weaknesses
- Exploitable communication paths (example: ping, login spam)
- In the case of a router, overpowering a signal by replacing it with your own higher powered signal
- How do you access them?
- Over the network
- Over the air (wireless signals)
- Accessible weaknesses
- Scenario
- #2 - Packet Sniffing
- Scenario
- Targeted System: Phones, servers, any networked device that can be sniffed
- Attackers: Exfiltrators who want getting data, corrupting data
- Goals: Exfiltration of data, snooping for data over the air
- Means: Packet sniffing tools, Wireshark,
- Attack strategies
- Accessible weaknesses
- Wireless signals would be easy to monitor
- Mission security (Msec)
- How do you access them?
- Wireless: Network cards, monitoring tools for over the air analysis
- Wired: Anywhere along the line to be able to hook in a middleman
- Accessible weaknesses
- Scenario
- #3 - Remote program already running on their service/server
- Scenario
- Targeted System: People (social engineering), known exploits (0days)
- Attackers: Blackhat hackers, whitehat hackers
- Goals: Exfiltrate, corrupt, deny access, destroy, ransomware, (whitehat only: protect!)
- Means: Exploitable software, social engineering
- Attack strategies
- Accessible weaknesses?
- Stupid people, exploitable equipment known to be accessible to 0days, leveraging bugs
- How do you access them?
- Social networks, email, phone calls, deployed payload
- Accessible weaknesses?
- Point is you're trying to get someone to install software for you, or exploit software to inject the payload on the targeted system
- Scenario