Tuesday, May 17, 2016

Articles on Hacking Nagios

I found the following articles a fascinating read. The main takeaways, I thought, revolved around what an attacker may do once inside. In these cases, it seemed they spied on sysadmins until they had enough information to exploit a management tool like Nagios. And it makes sense: why go after one individual system at a time when you could compromise the system that has access to, and monitors, the entire organization? There are some great lessons learned in these articles, which I reference below.

Anitian (A Pen Tester) who exploited Nagios

Most interesting lines from the blog:
1.) "Good system hardening should not only include keeping all the patches up-to-date, but also disabling all unnecessary services." The pen tester found a Nagios server with directory indexes enabled, meaning the attacker could browse folders and directories on the Nagios server through a web browser. Some of those files contained sensitive info, such as some Nagios configuration files. Further poking around exposed that there was essentially an "upload config" PHP page that wasn't doing proper validation and thus allowed the attacker to upload a web shell and, literally within minutes, gain access to a shell prompt on the Nagios server.
2.) "Being a monitoring system it had some handy tools installed, such as nmap. I was able to use that to scan the network looking for other hosts to pivot to." Imagine if an attacker controls your management server such as Nagios. He can perform scans, recon, monitoring, etc. without ever being noticed, because who is going to question an nmap scan coming from your Nagios server? Probably nobody; it will most likely be ignored.
3.) "web script containing database credentials ... another script containing LDAP credentials ... had access to client login scripts". If you're the Nagios system administrator, I'm sure you write awesome Perl and Python scripts that connect to various systems, automate various administration tasks, etc. All those scripts probably contain juicy information such as credentials, server names, and other gory details.
Lessons: sensitive scripts and directories must be restricted to authorized users only; configuration of the system (Nagios) and its software is vital to overall security; and hardening, while boring, is extremely important.
My key lessons learned from this blog:
1.) A management system like Nagios must be treated as a prime target and a critical system, and thus hardened as such. As a sysadmin, don't be lazy; step up your game, especially when it comes to your own system.
2.) Web directory indexing should be turned off. There's no reason I can think of to enable directory indexing on your Nagios web server; view that stuff locally only.
3.) Secure those scripts. As a sysadmin you write all those great scripts that save you hours of manual work. Ensure the permissions are strong. Your Tomcat service account shouldn't have access to them. They should be locked down, with not even read access for anybody except a handful of your elevated-privilege sysadmin accounts.
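Lessons 2 and 3 above can be checked mechanically rather than by eye. What follows is an added example written for this post, not code from the Anitian article, the Hacking Team write-ups, or the Nagios project: a small POSIX shell audit that (a) tells you whether an Apache-style config file enables directory indexing (an `Options` directive listing `Indexes` or `+Indexes`, while `-Indexes` is the disabling form), (b) lists admin scripts that grant any access to group or other, and (c) locks a script directory down to owner-only and re-checks it. The config paths, the `/usr/share/nagios/html` directory, the script names and the `DB_PASS` value are all constructed fixture data, not anything from a real host.

```sh
#!/bin/sh
# Hypothetical hardening audit for a Nagios web host (added example; not code from the
# articles above or from the Nagios project). Two checks that map to the lessons:
#   1. Is directory indexing enabled anywhere in an Apache-style config file?
#   2. Which admin scripts grant group/other access (readable by, say, a web service account)?
# Plus a lock-down step that removes group/other access so check 2 comes back clean.
# Requires sed, awk, find and chmod; "find -perm /MODE" is GNU/BSD find syntax.

# indexing_enabled CONFIG
# Exit 0 if any "Options" directive (comments stripped) lists Indexes or +Indexes.
# "-Indexes" is the disabling form and does not count as enabled.
indexing_enabled() {
    sed 's/#.*//' "$1" | awk '
        tolower($1) == "options" {
            for (i = 2; i <= NF; i++) {
                t = tolower($i)
                if (t == "indexes" || t == "+indexes") found = 1
            }
        }
        END { if (found) exit 0; exit 1 }'
}

# exposed_scripts DIR
# Print regular files under DIR with any read/write/execute bit set for group or other.
exposed_scripts() {
    find "$1" -type f -perm /077
}

# lock_down_scripts DIR
# Owner-only access on the directory and every file in it; owner bits (incl. exec) are kept,
# so the scripts still run for the sysadmin but nobody else can list or read them.
lock_down_scripts() {
    chmod go-rwx "$1"
    find "$1" -type f -exec chmod go-rwx {} +
}

# make_fixture
# Constructed throwaway tree mimicking the findings: one world-readable script holding a
# fake credential, one already-locked script, and two Apache snippets. Prints its path.
make_fixture() {
    d=$(mktemp -d)
    mkdir "$d/scripts"
    printf '#!/bin/sh\nDB_PASS=example-not-a-real-secret\n' > "$d/scripts/backup_db.sh"
    chmod 755 "$d/scripts/backup_db.sh"      # the "juicy" script anyone on the box can read
    printf '#!/bin/sh\necho rotated\n' > "$d/scripts/rotate.sh"
    chmod 700 "$d/scripts/rotate.sh"         # already owner-only
    printf '<Directory "/usr/share/nagios/html">\n    Options Indexes FollowSymLinks\n</Directory>\n' \
        > "$d/nagios-indexing.conf"
    printf '<Directory "/usr/share/nagios/html">\n    Options -Indexes +FollowSymLinks\n</Directory>\n' \
        > "$d/nagios-fixed.conf"
    echo "$d"
}

# Demo: run with --demo to audit the constructed fixture, fix it, and audit again.
if [ "${1:-}" = "--demo" ]; then
    fx=$(make_fixture)
    for cfg in "$fx/nagios-indexing.conf" "$fx/nagios-fixed.conf"; do
        if indexing_enabled "$cfg"; then echo "FAIL indexing enabled: $cfg"; else echo "ok   $cfg"; fi
    done
    echo "exposed before lock-down:"; exposed_scripts "$fx/scripts"
    lock_down_scripts "$fx/scripts"
    echo "exposed after lock-down:";  exposed_scripts "$fx/scripts"
    rm -rf "$fx"
fi
```

Saved as a script and run with `--demo`, it flags the indexing config, lists `backup_db.sh` as exposed, and lists nothing after the lock-down. On a real host you would point `indexing_enabled` at the Apache config that serves the Nagios web root and `exposed_scripts` at wherever your automation scripts live; anything the second function prints is readable by more than the owner and is worth a look before an attacker takes one.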

Hacking Team post mortem

Most interesting lines from the blog:
1.) "(Hacking Team) was able to exploit a known vulnerability within the network management system Nagios". That means the sysadmin failed to patch his own system. As a sysadmin, you may concentrate a lot on patching other people's systems, but don't, don't, don't forget to patch your own management systems. Schedule it, get it on the calendar, and make it a habit.
2.) "attacker became aware of the Nagios system ... after they "spied" on the sysadmins". As a sysadmin, be aware that you are a prime target. Organizations are inevitably going to get breached. Nefarious characters are going to be snooping around inside your network. Keep your eyes open, don't get complacent, take good care of your elevated-privilege accounts and systems, and if something looks off, report the suspicious activity.
3.) "attack was possible because backup and management networks that should have been segregated were not". Network segmentation is critical. There are many layers you can apply to this concept, including actual network firewalling/VLANs, but also local firewalls on each system, as well as simple account permissions and making sure you're applying least privilege to which accounts can access what. Who needs access to your system? Who should talk to it? Who should it talk to? Take all of those into consideration and then make the appropriate configuration changes on the local box, or send requests to the network team, that keep the communication paths as locked down as possible.
My key lessons learned from this blog:
1.) Patch the patching system! Don't forget.
2.) Sysadmins, you are being hunted by attackers. Be conscious of that both at work and at home. They're going to be phishing you, they're going to be spying on you, so be vigilant.

Hacking Team dump breach details
Most interesting lines from the blog:
1.) "One of my favorite hobbies is hunting sysadmins. Spying on Christian Pozzi (one of Hacking Team's sysadmins) gave me access to a Nagios server which gave me access to the rete sviluppo (development network with the source code of RCS). With a simple combination of Get-Keystrokes and Get-TimedScreenshot from PowerSploit [13], Do-Exfiltration from nishang [14], and GPO, you can spy on any employee, or even on the whole domain."
2.) " --[ 14 - Hunting Sysadmins ]----------------------------------------------------Reading their documentation about their infrastructure [1], I saw that I was still missing access to something important - the "Rete Sviluppo", an isolated network with the source code for RCS. The sysadmins of a company always have access to everything, so I searched the computers of Mauro Romeo and Christian Pozzi to see how they administer the Sviluppo network, and to see if there were any other interesting systems I should investigate. It was simple to access their computers, since they were part of the windows domain where I'd already gotten admin access. Mauro Romeo's computer didn't have any ports open, so I opened the port for WMI [2] and executed meterpreter [3]. In addition to keylogging and screen scraping with Get-Keystrokes and Get-TimeScreenshot, I used many /gather/ modules from metasploit, CredMan.ps1 [4], and searched for interesting files [5]. Upon seeing that Pozzi had a Truecrypt volume, I waited until he'd mounted it and then copied off the files. Many have made fun of Christian Pozzi's weak passwords (and of Christian Pozzi in general, he provides plenty of material [6][7][8][9]). I included them in the leak as a false clue, and to laugh at him. The reality is that mimikatz and keyloggers view all passwords equally."
My key lessons learned from this blog:
1.) Attackers are looking for lazy sysadmins. Don't be one of them. Harden your system, your personal devices, your accounts, and thus at a minimum make the attacker have to work harder to get what they need.


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.
