1 00:00:03,840 --> 00:00:07,350 Another hazard relates to the lack of regular system updates.
2 00:00:08,810 --> 00:00:12,120 Also, other software installed on the computer is often left out.
3 00:00:12,120 --> 00:00:20,020 This issue has a bearing on security, as computer holes and vulnerabilities are being detected
4 00:00:20,020 --> 00:00:22,120 practically on a daily basis.
5 00:00:23,190 --> 00:00:26,170 There is no piece of software that's perfectly secure.
6 00:00:27,670 --> 00:00:32,410 A while back a certain developer announced that he'd pay a hundred dollars out of his own pocket if
7 00:00:32,410 --> 00:00:34,440 a bug is found in his program.
8 00:00:35,890 --> 00:00:42,210 This is the only known case where someone publicly claimed that they created a perfect application.
9 00:00:42,380 --> 00:00:46,690 The program in question was quite basic, and this happened 25 years ago.
10 00:00:47,150 --> 00:00:52,120 The reality is that programs do and will have bugs.
11 00:00:52,200 --> 00:01:01,390 Some of these bugs can put the program, the entire system and perhaps even the user in jeopardy.
12 00:01:01,400 --> 00:01:04,460 It's essential to remember regular software updates.
13 00:01:09,120 --> 00:01:13,880 Software developers take different approaches to detecting and eliminating known vulnerabilities.
14 00:01:17,140 --> 00:01:19,270 As far as Microsoft is concerned,
15 00:01:19,300 --> 00:01:24,190 the company treats this issue with considerable respect.
16 00:01:24,240 --> 00:01:30,390 Keep in mind a simple security rule we've mentioned earlier: if you don't install security updates and
17 00:01:30,390 --> 00:01:34,950 patches regularly, you practically give up control over your network.
18 00:01:38,810 --> 00:01:41,670 The next presentation will show why this is so crucial.
19 00:01:45,760 --> 00:01:51,560 We'll see how easy it is to take over a system that has known vulnerabilities or known security holes.
20 00:01:56,360 --> 00:02:00,700 We'll switch to the Metasploit environment and run the program.
21 00:02:00,710 --> 00:02:07,800 The framework was used before in one or two case studies. Metasploit is, broadly speaking, a tool, a framework
22 00:02:07,830 --> 00:02:12,340 used for testing software security.
23 00:02:12,570 --> 00:02:20,190 The basis of the program is a database that contains known security holes with descriptions. Exploits, programs
24 00:02:20,190 --> 00:02:24,120 that automate attacks, have been developed for many of the vulnerabilities,
25 00:02:26,800 --> 00:02:30,560 and Metasploit's database also contains the exploits and their descriptions.
26 00:02:32,620 --> 00:02:38,430 A framework user only needs to choose a target computer that is potentially outdated. Next,
27 00:02:38,440 --> 00:02:42,770 an exploit has to be selected. Using it,
28 00:02:42,770 --> 00:02:50,190 you can execute the exploit remotely and attack the system.
29 00:02:50,240 --> 00:02:55,840 One of the most popular exploits makes use of a security hole in the Windows file server.
30 00:02:55,920 --> 00:03:02,460 The list of exploits in this version of Metasploit (the program hasn't been updated for 11 days)
31 00:03:03,190 --> 00:03:07,840 includes a vulnerability that exploits a stack buffer overflow in Windows SMB.
32 00:03:16,060 --> 00:03:20,920 Metasploit allows you to view the provider of the exploit and includes a list of susceptible operating
33 00:03:20,920 --> 00:03:26,240 systems. Note that one Windows system comes in many language versions.
34 00:03:30,010 --> 00:03:35,410 Because this exploit uses a buffer overflow, it has to know the memory addresses used for some system
35 00:03:35,410 --> 00:03:36,280 libraries.
36 00:03:38,730 --> 00:03:42,280 The addresses can be different depending on the language version of the system.
37 00:03:53,030 --> 00:03:56,770 Our attack is universal and covers most of the language versions.
38 00:03:57,660 --> 00:04:01,380 Let's see now if the computer we want to connect to is vulnerable to the attack.
39 00:04:05,940 --> 00:04:07,870 We'll use the presented exploit.
40 00:04:13,040 --> 00:04:21,540 We've gone through the first part of the attack: we've selected a vulnerability and a corresponding exploit.
41 00:04:21,570 --> 00:04:27,490 Now it's time to specify the targeted computer and set up the address of our computer, the address we
42 00:04:27,490 --> 00:04:28,960 want our victim to connect to.
43 00:04:31,790 --> 00:04:35,380 The address will be configured globally as the local host global variable.
44 00:04:38,280 --> 00:04:40,360 We'll need our own IP address.
45 00:04:45,920 --> 00:04:54,370 It can be obtained, for example, by typing the ipconfig command in the command line interface.
46 00:04:54,400 --> 00:05:04,970 Our address is 192.168.0.56. One variable is already set.
47 00:05:04,970 --> 00:05:07,790 The second will be the address of the remote computer.
48 00:05:08,270 --> 00:05:10,870 All attacks are run on computers we control.
49 00:05:11,210 --> 00:05:16,550 So it's not a problem to check the address of the remote computer by typing ipconfig in that computer's
50 00:05:16,550 --> 00:05:18,010 command line interface.
51 00:05:27,030 --> 00:05:37,320 The IP address of the remote computer is 192.168.0.55.
52 00:05:37,380 --> 00:05:38,790 Let's set a local variable,
53 00:05:38,790 --> 00:05:41,690 since it's possible that we'll be changing targets.
54 00:05:42,180 --> 00:05:47,450 Let's now view the configuration of the attack.
55 00:05:47,610 --> 00:05:57,460 The attack is launched on a computer with the IP address of 192.168.0.55 on port 445, which
56 00:05:57,460 --> 00:06:00,740 is the default port used by SMB.
57 00:06:00,780 --> 00:06:03,050 It seems that, so far, so good.
58 00:06:05,020 --> 00:06:10,450 The second part of the attack is selecting a payload: the actions that you want to execute after you
59 00:06:10,450 --> 00:06:13,760 break into a remote computer.
60 00:06:13,790 --> 00:06:18,010 Let's assume that the payload is making the remote machine connect to us.
61 00:06:18,170 --> 00:06:23,180 This would be proof that we've taken over the computer.
62 00:06:23,200 --> 00:06:26,760 Let's use one of the predefined code snippets.
63 00:06:26,820 --> 00:06:28,920 We're almost ready to begin.
64 00:06:28,950 --> 00:06:41,660 Let's see if we can manage to take over a remote system.
65 00:06:41,670 --> 00:06:43,540 It seems that we've succeeded.
66 00:06:43,590 --> 00:06:50,060 The session is opened with the 192.168.0.56 host.
67 00:06:50,070 --> 00:06:54,200 This means that the attack has been launched successfully.
68 00:06:54,250 --> 00:06:56,550 We can now check if we can connect to the computer.
69 00:06:59,210 --> 00:07:02,360 As you can see, a connection can be made.
70 00:07:02,450 --> 00:07:07,370 You can now launch remote programs of your choice on the system.
71 00:07:07,380 --> 00:07:13,480 Let's go back to the command line interface and execute code remotely, for example start a calculator.
72 00:07:18,570 --> 00:07:25,310 A process has been launched. Because we physically control both computers, we're able to check if the
73 00:07:25,310 --> 00:07:27,430 remote system really runs a calculator,
74 00:07:30,410 --> 00:07:32,990 as you can see in the Windows Task Manager.
75 00:07:33,260 --> 00:07:34,700 The calculator has launched.
76 00:07:37,510 --> 00:07:39,730 What would actual attackers do in our place?
77 00:07:42,560 --> 00:07:47,940 The attackers would probably be interested in sensitive data and take a snapshot of login details and
78 00:07:47,940 --> 00:07:51,140 other confidential data being provided on a forum or a website.
79 00:07:57,340 --> 00:08:01,410 An attacker could also acquire additional information on the remote computer.
80 00:08:09,000 --> 00:08:13,570 Scraper is one of the scripts that gather system data by reading registry keys.
81 00:08:15,430 --> 00:08:20,380 After scraper is launched, the program will try to gather information in the session that was declared,
82 00:08:21,070 --> 00:08:29,720 session ID one. If the program succeeds, all configurations will be written to a file and sent to us. The
83 00:08:29,730 --> 00:08:39,990 attack will probably succeed. Registry keys are being exported; this process takes quite long.
84 00:08:39,990 --> 00:08:46,000 This is because the computer we targeted has low processing power.
85 00:08:46,010 --> 00:08:51,470 If we had malicious intent, after the process is completed we would also need to hide the fact that we
86 00:08:51,470 --> 00:08:58,260 had broken into the system and harvested some data. The information on the intrusion is probably recorded
87 00:08:58,260 --> 00:09:08,560 in system logs, in the system security log in particular. Other logs can also contain traces of the attack.
88 00:09:08,600 --> 00:09:12,410 In that case, let's try to wipe all system logs.
89 00:09:12,470 --> 00:09:17,090 If a victim browses through the logs from time to time, they'll notice that a deletion event has been
90 00:09:17,090 --> 00:09:21,580 logged, which could be a problem.
91 00:09:21,580 --> 00:09:30,810 This would be the sole information that points to a successful attack having been run.
92 00:09:30,880 --> 00:09:34,620 The last thing we want to do is exactly that: clearing event logs.
93 00:09:37,340 --> 00:09:45,850 As you probably all know, Windows has 3 event logs: application, system and security event logs. As you
94 00:09:45,850 --> 00:09:48,430 can see, all entries in the logs have been deleted
95 00:09:51,220 --> 00:09:53,120 using several Metasploit commands.
96 00:09:53,260 --> 00:09:57,970 We've managed to take over a machine that wasn't updated regularly.
97 00:09:58,150 --> 00:10:02,730 We were able to monitor the processes launched on a victim's computer.
98 00:10:02,770 --> 00:10:08,660 We also ran our own processes and gathered system configuration information.
99 00:10:08,670 --> 00:10:13,460 This could be beneficial, for example, if we wanted to break into another computer on the same network.
100 00:10:15,740 --> 00:10:16,390 At the end,
101 00:10:16,400 --> 00:10:20,740 we also wiped the security logs.
102 00:10:20,770 --> 00:10:22,180 That's it for this case study.