
On the way to creating a secure (web) resource. Part 3 - office, staff


A typical employee's workday as seen by the employee and as seen by the security department

The first two parts of this series were devoted mainly to web resources. This part is more general and, with a couple of exceptions, is not tied to the profile of the project. It covers popular and realistic attack vectors against employees and against the technical side of the company's office. (I had originally intended to write about security testing, but for various reasons decided to skip that topic for now.)

The author bears no responsibility for the illegal use of the techniques and/or tools described.

Below I return to my more familiar style of presenting the material: looking at each situation from the attacker's side rather than the defender's. I will list possible attack vectors (all taken from real life) that can lead to the compromise of internal data. The proposed solutions are not complete fixes, but rather ways to reduce the risk.
Vector 1. Plugin vulnerabilities

One of the most popular (and most successful?) attack vectors. A quote from a securitylab.ru news item of February 25, 2013:
Microsoft reported that the company fell victim to a hacker attack similar to those faced by Facebook and Apple.

"During our investigation, we found that a small number of computers, including some in the Mac unit, were infected with malware that other organizations have reported," Microsoft said in a statement.
...
Microsoft is not the first company to fall victim to unknown hackers in the past few weeks. In particular, Apple, Facebook and Twitter, as well as the major publications The New York Times and The Wall Street Journal, announced cyber attacks earlier.

Attacks on Facebook and Apple were carried out through the exploitation of vulnerabilities in the Java platform from Oracle. Microsoft said that the attack on their systems was carried out in the same way.

Do not assume that such attacks necessarily require highly skilled specialists. A large number of exploits for browsers and their plugins are available in Metasploit, and there is also a simple module, Browser Autopwn, which starts a web server on the port we need and tries, one after another, every browser and plugin exploit it knows against the client that connects. A typical launch:

```
use server/browser_autopwn
set LHOST <ip address>
set URIPATH /
run
```



Browser Autopwn in action (image source)

Solution: disable the most vulnerable plugins on employees' machines (at least Java), and keep the browser and whatever plugins remain up to date; an autopwn server only wins against versions with known, unpatched bugs.

Vector 2. Vulnerabilities on the project site

The "Captain Obvious" vector. Obvious, but true: as soon as the attacker obtains RCE, the resource and its data are compromised. But I would like to consider the case where, for example, I only managed to hijack an admin / moderator / tech-support account (via XSS, say) and now have access to the admin panel. There should be no functionality in the admin panel for uploading arbitrary files. You can google plenty of threads (drupal | wordpress | phpbb upload shell) where the attacker has an admin account but no way to upload a shell.

Solution: security testing, code review, regular pentests, and limited functionality even for the "most important" admins.
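What "no arbitrary upload, even for admins" looks like in code, as an added example (not the article's code and not taken from any of the CMSs it names): the upload handler treats the admin's file like any other untrusted input, allow-lists the extension, checks the content against the declared type, rejects double extensions and path tricks, and stores the bytes under a server-chosen name in a directory that is assumed to sit outside the web root. The directory path, the allow-list and the sample uploads are constructed for the demonstration.

```python
"""Hardened file upload for an admin panel (added example, not the article's code).

Even an authenticated admin must not be able to drop a web shell, so the
handler never trusts the client-supplied name or content.  /var/uploads is a
hypothetical directory outside the document root.
"""
import os
import secrets

# Extension -> leading bytes (magic numbers) for the few types an admin
# legitimately needs to upload.  Anything not listed is rejected outright.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}
SCRIPT_MARKERS = (b"<?php", b"<?=")  # a "GIF" that is also PHP is a classic trick


def validate_upload(filename, data, max_size=5 * 1024 * 1024):
    """Return the extension to store the file under, or raise ValueError."""
    if len(data) > max_size:
        raise ValueError("too large")
    # The client name is used only to read the declared extension; directory
    # components (../, C:\...) are discarded, never honoured.
    base = os.path.basename(filename.replace("\\", "/"))
    if "\x00" in base or base in ("", ".", ".."):
        raise ValueError("bad filename")
    parts = base.lower().split(".")
    if len(parts) != 2:  # rejects "shell.php.png", ".htaccess", "a.b.c"
        raise ValueError("exactly one extension required")
    ext = parts[1]
    if ext not in ALLOWED:
        raise ValueError("extension not allowed: %s" % ext)
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match declared type")
    if any(marker in data for marker in SCRIPT_MARKERS):
        raise ValueError("script markers inside upload")
    return ext


def accepts(filename, data):
    """Convenience predicate: True if validate_upload would accept the file."""
    try:
        validate_upload(filename, data)
    except ValueError:
        return False
    return True


def store_upload(filename, data, upload_dir="/var/uploads"):
    """Validate and return the path the file would be written to.

    The stored name is random, so the uploader controls neither where the
    bytes land nor what they are called.  Writing is left to the caller.
    """
    ext = validate_upload(filename, data)
    return os.path.join(upload_dir, "%s.%s" % (secrets.token_hex(16), ext))
```

The two checks that usually go missing in CMS admin panels are the one-extension rule and the magic-byte comparison; either alone is bypassable (double extensions against the first, a PHP payload behind a fake header against the second), so both are kept.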

Vector 3. Attacks on employees through vulnerabilities in third-party resources

Employee logins are collected (from the forum, tech-support correspondence, etc.) and all the services where they are registered are found (for example, by searching for the login in quotes). The most weakly protected of those resources are picked and hacked, their password databases are dumped, and with luck we obtain the password of the employee (or employees) we need. We then try that password against their mail, work accounts, and so on.

Solution: there is no real solution as such, but you can implement a feature in the project that prohibits employees from using a password that appears, for example, in this database (2.2 million passwords, 19.2 MB), or try this wordlist (176.6 MB, compiled from the password leaks of LinkedIn, Gamigo, Adobe, Blizzard, eHarmony, Geissens, NVidia, Stratfor, Project Whitefox, and various leaks published on Pastebin). Keep in mind what such a check does and does not do: it blocks passwords that are already public, but it cannot stop an employee reusing a unique password that leaks from a third-party site later. The real defense is not using the work password anywhere else.


Or perhaps it is simpler than that?
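A blacklist check of the kind suggested above, as an added example (not the article's code): a tiny constructed list stands in for the leaked-password dump the article links to. Two details matter in practice and are shown here: the candidate is compared after the same normalization that attackers' rule sets apply (case folding, common leet substitutions, trailing digits and punctuation), so "Password1!" is caught by a dump entry of "password"; and the list is kept as a set of SHA-1 digests of the normalized entries, so the plaintext dump does not have to live on the application server. The dump contents and the policy thresholds are assumptions for the demonstration.

```python
"""Rejecting passwords from public dumps (added example, not the article's code)."""
import hashlib
import re

# Constructed stand-in for a leaked-password dump, one password per line.
LEAKED_DUMP = """\
password
123456
qwerty
linkedin
Summer2012
letmein
"""

_LEET = str.maketrans("@$0", "aso")   # the substitutions cracking rules undo first
_TRAILING_JUNK = re.compile(r"[\d\W_]+$")


def normalize(pw):
    """Canonical form applied to both dump entries and candidates.

    "P@ssw0rd1!" -> "password"; a password that is *only* digits or
    punctuation ("123456") is kept as-is rather than reduced to nothing.
    """
    pw = pw.strip().lower().translate(_LEET)
    stripped = _TRAILING_JUNK.sub("", pw)
    return stripped or pw


def _digest(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def load_blacklist(dump_text):
    """Hash every normalized dump entry; only the digests are kept in memory."""
    return {_digest(normalize(p)) for p in dump_text.splitlines() if p.strip()}


def is_blacklisted(candidate, blacklist):
    return _digest(normalize(candidate)) in blacklist


def check_password(candidate, blacklist, min_len=10):
    """Policy decision: list of rejection reasons (empty list means accepted)."""
    reasons = []
    if len(candidate) < min_len:
        reasons.append("shorter than %d characters" % min_len)
    if is_blacklisted(candidate, blacklist):
        reasons.append("appears in a public password dump")
    return reasons
```

Normalization is what makes the list bite: comparing raw strings would let "Password1!" through even though every cracking rig derives it from "password" in its first pass.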

Vector 4. Email attachments

We set ourselves a goal: infect the employee's computer. One option is to look for someone who is job hunting (for another job, that is) or is simply expecting a letter. We write a suitable text saying that the test assignment is in the attachment. But no, do not expect a banal executable: the attachment is a .doc document which, when opened, downloads and runs the binary we need (with luck, of course). Such a .doc file can be generated, for example, with a publicly available exploit, www.exploit-db.com/exploits/24526 (or something similar).

Solution: keep office software patched (the document exploit only works against a vulnerable version), and open attachments from unknown senders in a sandbox or a plain viewer rather than the full office suite.

Vector 5. WiFi

We pick an employee and compile a list of the cafés and other places where he goes with his laptop, tablet or other device and uses WiFi. We go there with him for a coffee (and "happen" to sit closer), or wait until he leaves and takes a bus or the subway. We do not come empty-handed: we bring an access point whose signal is stronger than the one in the café and give it the same SSID the employee is currently connected to. Kicking the employee off the WiFi network so that he reconnects to us (our signal is stronger) is not much of a problem. And now all his traffic is in the attacker's hands. Alternatively, try a MitM directly inside the café's WiFi network, if possible (and it most often is), or scan his device and look for vulnerabilities in its network services. A hacker tablet based on the Nexus 7 is perfect for this.


Pwn Pad

Vector 6. WiFi in the office

Hacking a WiFi network is a fairly common affair and most often does not require special skills from the attacker. If it is WEP, everything is simple. If it is WPA/WPA2 with WPS, follow the sequence of actions in this article. And if it is WPA/WPA2 without WPS, we capture the handshake and either set up our own infrastructure for brute force or use ready-made services (300 million passwords in 20 minutes for $17). So we assume the situation that the office has WiFi (you rarely see an office without it) and that it has already been hacked.

6.1 The first is the "common" MitM: passwords, mail, correspondence, etc. You can protect yourself from ARP spoofing by checking the router's settings:
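The router-side setting is one half of the defense; the other is noticing the spoof from a host on the network, which is what arpwatch-style tools do. As an added example (not the article's code), the watcher below remembers which MAC each IP has answered with and raises an alert when that binding changes, and when one MAC starts answering for several IPs at once (the MitM box claiming to be both the gateway and the victim). It reads tcpdump-style `ARP, Reply ... is-at ...` lines; the capture below is constructed, as is the optional trusted table that pins the gateway's real MAC.

```python
"""Host-side ARP spoofing detection (added example, not the article's code)."""
import re
from collections import defaultdict

# Constructed capture in the shape of `tcpdump -n arp` output.  192.168.1.1 is
# the gateway (00:11:22:33:44:55); de:ad:be:ef:00:01 is the attacker's NIC
# poisoning both the gateway's and a victim's entries, then the real gateway
# answers again and the binding flaps.
TCPDUMP_LINES = """\
12:00:00.000001 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
12:00:01.000002 ARP, Reply 192.168.1.20 is-at 00:aa:bb:cc:dd:01, length 28
12:00:02.000003 ARP, Request who-has 192.168.1.1 tell 192.168.1.21, length 28
12:00:05.000004 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
12:00:05.000005 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:01, length 28
12:00:06.000006 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
"""

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_arp_reply(line):
    """Return (timestamp, ip, mac) for an ARP reply line, None for anything else."""
    m = ARP_REPLY.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("ip"), m.group("mac").lower()


class ArpWatcher:
    def __init__(self, trusted=None):
        # trusted: static IP->MAC bindings (e.g. the gateway) that are never relearned
        self.trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.ip_to_mac = dict(self.trusted)
        self.mac_to_ips = defaultdict(set)
        for ip, mac in self.trusted.items():
            self.mac_to_ips[mac].add(ip)
        self.alerts = []

    def observe(self, ts, ip, mac):
        prev = self.ip_to_mac.get(ip)
        if prev is None:
            self.ip_to_mac[ip] = mac          # first sighting: learn it
        elif prev != mac:
            self.alerts.append(("changed", ts, ip, prev, mac))
            if ip not in self.trusted:
                self.ip_to_mac[ip] = mac      # follow the new claim so a flip back also alerts
        before = len(self.mac_to_ips[mac])
        self.mac_to_ips[mac].add(ip)
        # One MAC newly answering for a second (third, ...) IP is the MitM signature.
        if len(self.mac_to_ips[mac]) > before and len(self.mac_to_ips[mac]) > 1:
            self.alerts.append(("multiple_ips", ts, mac, tuple(sorted(self.mac_to_ips[mac]))))


def analyze(capture_text, trusted=None):
    """Run the watcher over tcpdump-style lines and return its alerts in order."""
    watcher = ArpWatcher(trusted)
    for line in capture_text.splitlines():
        parsed = parse_arp_reply(line)
        if parsed:
            watcher.observe(*parsed)
    return watcher.alerts
```

Without a trusted table the watcher learns whatever it sees first, so it reports the spoof and then the flap back as two changes; pinning the gateway's MAC keeps the spoof alert and silences the flap, which is the setting you want on a workstation that always uses the same router. A router with several IPs on one interface will also trigger the multiple_ips rule, so whitelist it the same way.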


6.2 If a router is used to distribute the WiFi, you can try to exploit vulnerabilities in it (http://routerpwn.com) and replace its DNS servers with your own, which lets the traffic pass through "your" servers and remain unnoticed for a long time.

6.3 A targeted attack on one of the employees, so as not to make a lot of noise: redirect and phish one of his pages (VKontakte / mail) and obtain the necessary data.

Vector 7. Malicious SMS

Many will have thought: I do not use WiFi anywhere except at home, only mobile Internet! But it is not difficult to craft an SMS carrying Internet configuration settings and send it to the employee's phone. Many people just press "save" automatically. And from then on their traffic goes through someone else's gateways and someone else's DNS servers.

Vector 8. Attacking from the outside

Getting into the office network from the outside is quite possible (the Valve hack is a good example). There is no fixed algorithm; it all depends on the attacker's knowledge. But as a rough template you can take my article from almost two years ago: Audit. "Black box".

Vector 9. Hacking devices

If there is an opportunity to interact directly with an employee's device, you can use the quite affordable Teensy: a programmable device which, when plugged in, performs the actions we need. Since it is recognized as a HID (a keyboard), the system has no problem accepting it, regardless of any autorun restrictions.


The Kautilya toolkit, which helps generate the payload for the Teensy

Vector 10. USB drives with malware

Recall the story of Stuxnet, which successfully reached the Iranian nuclear program via flash drives. Planting drives in the office, in public transport or elsewhere is a matter of social engineering.

Above I have listed what I could remember while writing this article. Naturally, these are not all the options; many of those above can be combined, changed and adapted to the conditions at hand. But I hope you were able to appreciate the very different aspects of security within the topic under consideration, and to understand that many technically complex attacks do not, in general, require high qualifications from the attacking side.

And finally, a short video demonstration:


Both demonstrations were recorded on a budget Android device costing about 5 thousand. The point is that the attacks in question require no knowledge of information security; everything works out of the box.




Source: https://habr.com/ru/post/170167/

