SystemsSec 2016W Lecture 5

From Soma-notes
Revision as of 16:36, 21 January 2016 by Sam (edit summary: Remote attacker, unauthenticated (group 6))

Class discussion: threat models and attacker goals

Local attacker

Administrative attacker

Remote attacker, authenticated

Group 3

Members

  • Dania Ghazal
  • Ankush Varshneya
  • Olivier Hamel
  • Michael Aaya
  • Ryan Morfield
  • Daniel Vanderveen
  • Jess Johnson

Example Scenario

Targeted System

  • CIA database - find out who killed Kennedy?

Attackers

  • remote, authenticated users
  • contractors (non-CIA)

Goals

  • “exfiltrating data”
  • exfiltrate the CIA database to find out who killed Kennedy

Means

  • someone at the CIA left a node.js server running in the background :)
  • ssh credentials
  • use an outdated emacs (which shipped a root-privileged mail daemon) to inject a password entry into /etc/passwd and escalate the attacker's privileges
  • look around the system for more vulnerable/outdated services to exploit
  • win a race condition: create a file under a name you know a root process will use (e.g. in /tmp), then let the root process write its "sensitive data" into the attacker-owned file
  • social engineering - submit a help ticket to someone within the CIA to gain higher privileges for a seemingly innocent reason
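The /tmp race above is the classic file-creation race: a privileged writer that simply opens a predictable name will write into whatever already sits there. The example below is an added illustration, not code from these notes or the course, showing the mitigation a defender wants: create the file exclusively (O_CREAT|O_EXCL, and O_NOFOLLOW so a planted symlink is not followed) so that a pre-existing file makes the write fail instead of leaking data. The pre-created file, the file names and the secret string are constructed stand-ins for the scenario.

```python
import os
import tempfile

SECRET = "sensitive data (constructed sample)"


def write_naive(path: str, data: str) -> None:
    """The vulnerable pattern: open(path, 'w') follows symlinks and
    truncates/overwrites whatever already exists at that name."""
    with open(path, "w") as f:
        f.write(data)


def write_safe(path: str, data: str) -> None:
    """Hardened pattern: exclusive create.
    O_EXCL   -> fail if anything already exists at `path`
    O_NOFOLLOW -> never follow a symlink planted at `path` (POSIX only, so guarded)
    0o600    -> the new file is readable only by its owner."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def run_scenario(pre_created: bool) -> dict:
    """Run both writers in a fresh directory and report what each did.
    pre_created=True simulates another party having already created the
    file name before the privileged writer gets to it (constructed stand-in)."""
    workdir = tempfile.mkdtemp()
    outcome = {}
    for name, writer in (("naive", write_naive), ("safe", write_safe)):
        path = os.path.join(workdir, f"{name}.txt")
        if pre_created:
            with open(path, "w"):
                pass  # empty file planted under the predictable name
        try:
            writer(path, SECRET)
            outcome[name] = "wrote"       # data landed in a file someone else owns
        except FileExistsError:
            outcome[name] = "refused"     # exclusive create detected the planted file
    return outcome


def safe_roundtrip() -> str:
    """Show write_safe works normally when the name is genuinely free."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "fresh.txt")
    write_safe(path, SECRET)
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    print("name pre-created:", run_scenario(True))   # naive writes, safe refuses
    print("name free:       ", run_scenario(False))  # both write
```

In real code you would not even choose the name yourself: `tempfile.mkstemp()` (or `mkstemp(3)` in C) applies exactly these flags to a randomly generated name, which removes the predictable-name half of the race as well.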

Attack Strategies

Where are the Accessible Weaknesses?

  • outdated services
  • any service that lets attacker execute a task as another user

How Do You Attack Them?

  • user privilege escalation
  • abusing service vulnerabilities

Physical attacker, authenticated

Physical attacker, unauthenticated

Remote attacker, unauthenticated

  • Samuel Prashker
  • Daniel Lehman
  • Roman Chametka
  • Derek Aubin
  • Gilbert Lavergne-Shank
  • Xiusan Zhou

Scenarios

  • #1 - DDoS
    • Scenario
      • Targeted System: Web servers, or any machine connected to a network
      • Attackers: Angry trolls, political warriors
      • Goals: Denial of service, anger your target, hurt their financials, prove a point
      • Means: LOIC, Chinese Botnet with Bitcoin
    • Attack strategies
      • Accessible weaknesses
        • Exploitable communication paths (example: ping, login spam)
        • In the case of a router, overpowering a signal by replacing it with your own higher powered signal
      • How do you access them?
        • Over the network
        • Over the air (wireless signals)
  • #2 - Packet Sniffing
    • Scenario
      • Targeted System: Phones, servers, any networked device that can be sniffed
      • Attackers: Exfiltrators who want to get at data or corrupt it
      • Goals: Exfiltration of data, snooping for data over the air
      • Means: Packet sniffing tools such as Wireshark
    • Attack strategies
      • Accessible weaknesses
        • Wireless signals would be easy to monitor
        • Mission security (Msec)
      • How do you access them?
        • Wireless: Network cards, monitoring tools for over the air analysis
        • Wired: Anywhere along the line to be able to hook in a middleman
  • #3 - Remote program already running on their service/server
    • Scenario
      • Targeted System: People (social engineering), known exploits (0days)
      • Attackers: Blackhat hackers, whitehat hackers
      • Goals: Exfiltrate, corrupt, deny access, destroy, ransomware, (whitehat only: protect!)
      • Means: Exploitable software, social engineering
    • Attack strategies
      • Accessible weaknesses?
        • Stupid people, exploitable equipment known to be accessible to 0days, leveraging bugs
      • How do you access them?
        • Social networks, email, phone calls, deployed payload
    • The point is that you're trying to get someone to install software for you, or to exploit software in order to inject the payload onto the targeted system