
2017 - Breaking Into The Data Centre by Greg Smith

BSides Manchester · 25:33 · 536 views · Published 2017-08
Transcript [en]

Good afternoon everyone, I'm Greg. So, about me: I've worked in the civil service and in government my whole career, first of all with the Ministry of Defence, then the National Crime Agency, and now I work for the Ministry of Justice and I still work for the National Crime Agency as a cyber special. I quite enjoy working in government because you get to see lots of interesting things. So my talk today is really walking you through a scenario of how you can break into a data centre, avoiding the standard kind of route of just going for credentials, and looking at different attack vectors to get into the systems, and kind of walking through how we could go about doing that. I'm working with a vendor at the moment as well to disclose some of the issues within this, so I can't go into too much technical detail of what I found with it.

But the scenario is built around two fictional companies we've got here. We've got the Very Big Corporation of America, which is our ultimate target, where we want to get to. They're a big conglomerate, they've got lots of small companies beneath them, they care about security because it's part of their business model and they don't want to be compromised. But as a large enterprise they rely on lots of smaller service providers, and so we've got Acme Tech, which provides services for them as one of those providers. Their main part within this is to provide them with voice and video services and conferencing facilities in this scenario. So that's the two companies we've got there, and we want to break into the big corporation. If anyone knows the reference to the Very Big Corporation of America: it's a target, but if anyone's seen The Meaning of Life, this is a company that was featured in that one.

So how do we find a route in? It's most likely the big corporation are going to use their own physical data centres. From a physical perspective they're pretty well protected. We could try and break into the data centre, but that's quite messy to do: we've got to go through the guard policies, we've got all the CCTV there, and it's quite a high-risk strategy to try and use that route to gain entry. If we want to get into the data centre and we get caught doing something, the chances are we're going to be arrested, and we don't get hands on the equipment. So we need to find a different route in, which is where our remote attack will come in. This is kind of your typical red team type scenario, so if you went along to Vincent and Dom's talk this morning, this is kind of similar in nature to what you'd be trying to do.

So how can we target them? How can we find a way into these environments and find a way to target the big corporation, but use the smaller company to leverage a way in and give us a way to pivot into the organisation? So we don't want to be thinking traditionally about how we're going to get through; we've got to think a bit more creatively about how we can break in. So we know Acme Tech is a service

provider for them, so how can we find out more to leverage our way in? We can observe how those employees work and their company. Could we get some physical access into Acme Tech? If they're a smaller provider, are they based in a small office location, are they based in the city centre, could we get access to their premises to put an implant in there, or have some way of breaking in that way to get an initial foothold or gather some further intelligence? Look at their social media presence and their job adverts online and find out what technologies they're using internally, and start to look, as we start to build up more knowledge around them, using tools like theHarvester for gathering credentials and the details around their social media profiles, and understanding how they operate. Can we start to think about building up a potential customised password list that we could use to break into those organisations? And then do some passive recon of their company website to work out how we could break through into their organisation, and work out who we should be targeting, whether it be from LinkedIn profiles, and try to understand how they work.

Then we can start to look a bit more at the DNS records behind it, understanding what's exposed, what systems they've got on the internet, and how we can find out more about that. So it might be that they've got their company website there, alright, but is there information you can get from DNS so you can start to pivot across and identify other services they're running which may not be public-facing in effect? Could you identify some of their remote management portals, could you identify their management routes? You can use things like Shodan and scans.io and the Rapid7 DNS database, or forward DNS database, to start looking at how these records tie up, and use passive DNS records potentially to find some of this sort of stuff out, and you can move on from your passive recon from that perspective before you start doing more active work.

The other one that people probably don't think about so much is using tender documents that companies put out, where they're advertising in tender journals to say we need you to come and supply this system, it's built on this stack, and we need you to do this and the other. So you might get really intricate details around how their company works, what technologies they're using, where their systems are located and how they're operating, and from the commercial perspective they have to give this information out and it has to be available to companies to tender for it, and so it can be quite a goldmine of information from that perspective.

So we've done this passive recon and we're starting to work through and understand what we can do in that environment. Now we need to start finding the needle within all that information and find our initial route in. As I said at the start, breaking into the data centre isn't practical and it's a pretty high-risk strategy to do that. So can we identify the administrator in that environment, or someone that we can use to escalate privileges in that environment? Can we identify a backup

service where we can get access to the backups they've got on there? If they're backing up into, say, AWS S3, are they protecting their backups well? Can we download and access those by doing our passive recon? Or have they been lax with their coding and published API keys to GitHub, giving away some of their secrets so we can get access in? And also the remote access functions they're having, their administration portals: a lot of servers now have HP iLO or iDRAC type management on those machines, so that you can remote in to have access to the physical machine and maintain the firmware that's on there, the BIOS, and other networking and suchlike. So if they've got a way of managing that out-of-band, can we get access in via that route and take over the tin rather than try to go in via a user account route?

So we've got our passive recon, so we can use something like a phishing email to break into one of the user accounts and get initial access in. And a little plug now for the Nessa challenge, which is next, which is kind of based around getting initial access in, so if you're not going on to that one I'd certainly recommend it. And then we need to try and gain access into Acme. So in this situation let's assume that we've got a level of access into that company, and we've got access within the Acme environment, and we've reviewed the traditional routes of using AD within an environment which isn't our main target. So Acme Tech, as an SME, aren't necessarily as mature on security practices and don't have as much budget to do that. So what could we do from there? We need to try and pivot through Acme into Big Tech Corp.

As I said at the start, Acme are providing the voice and video services for a number of different customers, not just Big Tech Corp, so they have access into these customer systems to maintain those environments and do the configuration on behalf of Big Tech Corp. So within that environment they're going to have access into some of their networking equipment, which will be separated off from their main networks. So how could we use that to leverage our access and move further through the systems?

I'll have a little bit of a segue into a different area now, because I don't know if you went to the Cisco IOS talk this morning, which talked about the heap overflows. The point the talk was following is that vendors are generally marketing-driven and sales-led, so if someone in the marketplace over here does this new whizzy feature, they want to have that whizzy feature in their new product as well, and time to market is the most important thing for them, so security is going to be bypassed at that point, or they'll say, well, we'll come back and revisit that. This is where a lot of weakness is coming from, from a security perspective, and it's quite common across the industry that this will be the case. It's generally the sales and marketing side that will win out over having the technical controls in at the start, and it'll be "okay, we can add that bit in later on, because it doesn't apply now". So let's

assume we've got the access there. So this is how we look at what controls are in there with that vendor. The big technology corp we've got there, we've got access into Acme, so we can start to orientate ourselves in that environment and understand what technologies they're using and what equipment they're using in that environment. We've done our passive recon, now we've moved to the next stage and we can start to look at, and work with them to, find potential vulnerabilities. Now in this case I'm looking more towards the networking perspective as opposed to a Windows environment, so we're managing their video conferencing and their voice phones, so we're not necessarily in a Windows environment or domain-joined environment at this point. So how can we go on and find a route to escalate our access within their networks?

From the perspective of the networking side, the maturity of network operations is nowhere near as good as the DevOps approach. In DevOps people understand infrastructure as code, they understand doing the testing behind the scenes when they're building new software and putting it together, whereas in network operations this is quite new, and the network vendors aren't necessarily as savvy in those types of practices and the software development work that goes on. So from that perspective they're adding these new features into the core networking equipment without necessarily understanding what the implications are in that environment and how they'd secure it. So if you think of things like Puppet and Ansible and Chef, these features are all coming into the networking equipment, so you can start to automate how you configure all your networks, the software-defined network approach, which has its benefits as well, but it means that there's another attack vector within that network environment, and you're starting to blur the boundaries between the network device and the server, or your application code, as well.

So this is where we need to start doing some more research again. We've got access into our environment and we've got access to one of the networks which is for the administration we're doing. So, what are the chances that they're using similar network credentials on other devices? Can we use that as a potential route to pivot across the network and find access further into their environments? Can we look at using VLAN hopping to break out of those environments and get on to other segments within their networks and start to be able to intercept the traffic that's going across the networks, or use the network routing protocols like EIGRP or OSPF to redirect where the traffic is being routed within the environments? So at this point you need to start doing a lot more research and understanding how that equipment is put together.

So within Acme Tech we've got access to one of their core networks which is to manage the configuration for their network devices. Within a data centre you'll typically have a core network switch in the centre, and then you have different top-of-rack switches within those environments that you'll use for routing the traffic between the data centre and where it needs to go for the end-user devices, and within those they'll have the ACLs and network routing configurations, which will be separated out, most likely into different VLANs. So we know that this is available to us, so we

can start to understand and enumerate where we could potentially exploit the data centre switch. Excuse me. This is where you start doing some more research about how that switch functions: look at the vendor documentation and the RFCs behind those standards and how they operate, and this does get into the low-level detail of how they operate, and try to find a way of breaking in. And if you can get access to the firmware for the switch, go to the vendor's site and download a copy of it, where you can start to inspect it and try and understand what vulnerabilities lie within that firmware. So if you get access to that firmware you can then use tools like binwalk to look through the binary to understand how it's packed. The next step is then to start doing some analysis about how that firmware operates, what binaries it uses, and potential routes into the environment you can use to escalate your privileges on that switch.

Ultimately these switches are just Linux underneath; ultimately the ASAs run on Linux underneath, as do many other vendors'. The likes of Cisco, Brocade and HP and Juniper all build switches with these types of functions in them: they have a virtualisation layer built into them, so you can in effect have one single physical switch with multiple virtual instances of switches within it, and the same with firewall contexts on the ASA, taking a virtual firewall context: one physical device, with virtualised operating systems within it as well, in much the same way that you would do with traditional virtualisation. So this kind of gives you a bit of an illustration; I've shamelessly stolen the diagram from the CrowdStrike VENOM exploit, which illustrates pretty well what we're trying to achieve. So if you imagine this is a data centre switch as opposed to a virtual environment, the traditional virtualised server: we've got access to one of these VMs and we're going to break out of that and take over the networking environment within the data centre, and start to be able to sniff all the traffic that's going through and be covert about exfiltrating data out. So this is kind of the approach you want to take for long-term access.

So as we've got access to our firmware, we can start to do some static analysis of the binaries to work out what it's using: are there typical SUID or GUID binaries on there that you can use to escalate your privileges on that switch? If you can run those commands, can you find ways of breaking out of the vendor's command shell? Because they'll typically have a locked-down set of commands that you can run within their environment, but that's ultimately just a sandbox around the operating system that's running within it. So can we find a way of breaking out of that environment and getting through?

So while I was doing this work I found tools like UNetLab and GNS3, which are a couple of tools based on KVM, QEMU and the virtualisation technologies; they're forks of one another. GNS3 is a tool that you can use to run a network lab, so you can spin up different instances of switches or firewalls to look at how the command lines work and how those networks operate, and build your own virtual environment to work in.

So I used those to understand how these systems work and how they're built; they're probably not fully featured, but it helps you understand how they're put together. I also took the firmware and extracted the binaries out of it and mounted it locally on my machine. So I had to take the binary, use binwalk to extract out the firmware and then identify how it's put together. Within the images I was looking at you had the kickstart images in there, and then you have the various binaries that made up that kickstart through the boot, so you could use that. I was using binwalk to identify the file offsets of those different parts of the images, where you could then mount those via a loopback on a Linux machine to mount the file system that you could then examine. By looking through that you can understand where the binaries were within that system, what the commands were, and then look at the ELF binaries within it and understand, at a high level, what the commands do and how they operate, so getting to know where your attack routes might be. You can also understand if they've got vulnerable or old versions of code at that point as well, because you've got the actual firmware there: you can see if they're running old versions of Linux kernels or if they're running vulnerable versions of software. You also then have the opportunity to look at the typical /etc/shadow files and the password files to see if you can identify a vulnerable account, or accounts with credentials you could use to break in.

So from that perspective I was able to use that to leverage an exploit which enabled me to break out from this VM, the virtualisation layer here, into the hypervisor context here. By breaking out into that hypervisor I was then able to have access across the different environments and view the files within those, but that initial exploit that I had didn't give me a privileged level of access on the machine, so I was still restricted to the level of control I had in this VM here, but I could see the other users' files and see the firmware that was over there. So where the attack went from there is to drop in a different firmware image, or to keep an eye on when an administrator connected into the machine and subvert where the files are put within the environment, so I could trick an administrator into loading a malicious firmware onto that machine and gain a higher level of access that way. But also you can look at potentially seeing if you can break back into these other virtual machines and have access to those VMs and take over that environment, which means you can potentially get access to other customers' areas and other parts of the business that you shouldn't have access to, which means you can start to observe and exfiltrate data potentially and get that out from the environment.

It's relatively high level at the moment, due to the nature of working with a vendor; I can't go into the technical details of how to do it. This is kind of an overview of the attack approach I used, which is very similar to what they did in the VENOM approach here. So once you have access to the network environment and you can access

the administrative control over the switch, you can take over the entire network and start to look at all the traffic and exfiltrate data as well, or set yourself up a covert channel out and start to exfiltrate data slowly over time. So that gives a really high-level overview of where we are.

So, summing up where we've got to: we've gained access into Acme Tech via some weak credentials or a phishing email to the administrator, and have been able to use that access to break through into the bigger corporation, as there's an assumed level of trust between those two corporations. So the big tech corporation will have a hard exterior, with a lot of controls around it, but its SMEs, because of the nature of doing business with them, again have softer boundaries, so you can find another route into those environments and then start to leverage that access to pivot around that organisation and get further through. So what can we do next? We could take over other companies within that trusted environment as well, so if we have access in the centre of the environment we can start to pivot out to other companies they're working with as well, and potentially use that to leverage access across a wider range of businesses, and either exfiltrate trade secrets, or we could just completely take over the organisation and destroy their business by taking them down, or doing really bad reputational damage; if you think of something like the Sony hack, that's how the damage was done there.

So that kind of sums up where we've got to, and I'm hoping that the vulnerability with the vendor will be disclosed in the next two to three months, at which time I'll be able to start writing up some details of how I went about doing this and what I found out doing it. Kind of what I've learned along the way with the vulnerability disclosure is that the companies aren't that proactive when these types of things come in, until they're pushed. Initially when I disclosed to the company they were reluctant to do anything about it, and they denied that it was an issue, and it was only with some persistence that they took it forward and slated it for a fix. But what I have learned from this as well is: don't limit yourself to looking into the current version of code, so if they've got multiple code branches and you find exploits or vulnerabilities, try those in the other version branches as well, because the chances are they may not have fixed those branches. The experience I found on this one is that they're fixing it in another code branch and another version, but they're not fixing the code branch the vulnerability was actually discovered on, and it's not obvious until you actually go through this process with them just how they work. So that's kind of what I've learned from this, and that brings me to the end. Are there any questions?
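The firmware triage the talk describes (binwalk to find the offsets of the embedded images, mounting the file system, then looking for setuid binaries, old component versions and weak entries in /etc/passwd and /etc/shadow), as an added worked example. This code is not from the talk or the speaker, and it runs over a small image constructed inline (a fake boot header followed by a gzip-compressed tar root file system) rather than any vendor firmware: binwalk's signature scan is reduced to a handful of magic values, and a tar archive stands in for the loop-mounted image. All file names, version strings and accounts in the sample are made up.

```python
"""Firmware image triage in the spirit of the talk: find embedded file systems by
signature (what binwalk does), carve one out, and look for the usual footholds
(setuid binaries, weak accounts, old component versions). The image here is a
constructed stand-in, not a vendor firmware."""
import gzip
import io
import re
import stat
import tarfile
import zlib
from dataclasses import dataclass

# Magic bytes a binwalk-style scanner matches; the offset is the byte position in the image.
SIGNATURES = {
    b"\x1f\x8b\x08": "gzip",
    b"hsqs": "squashfs (little-endian)",
    b"sqsh": "squashfs (big-endian)",
    b"070701": "cpio newc",
    b"\x7fELF": "ELF",
}
VERSION_RE = re.compile(rb"(Linux version \d+(?:\.\d+)+|BusyBox v\d+(?:\.\d+)+)")


def scan_signatures(image: bytes):
    """Return [(offset, description)] for every signature hit, sorted by offset."""
    hits = []
    for magic, desc in SIGNATURES.items():
        pos = image.find(magic)
        while pos != -1:
            hits.append((pos, desc))
            pos = image.find(magic, pos + 1)
    return sorted(hits)


def carve_gzip(image: bytes, offset: int) -> bytes:
    """Decompress the gzip member starting at offset (the `dd skip=... | gunzip` step).
    zlib stops at the end of the member, so trailing image bytes are ignored."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)
    out = d.decompress(image[offset:])
    if not d.eof:
        raise ValueError("truncated gzip member at offset %d" % offset)
    return out


def find_version_strings(blob: bytes):
    """Kernel/BusyBox banners in the image or its binaries: the first thing to compare
    against public advisories for old, vulnerable components."""
    return sorted({m.decode() for m in VERSION_RE.findall(blob)})


@dataclass
class Finding:
    path: str
    reason: str


def triage_rootfs(tar_bytes: bytes):
    """Walk an extracted root (a tar archive here stands in for the loop-mounted image):
    setuid/setgid binaries, empty-password accounts and extra uid 0 accounts."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        members = {m.name: m for m in tf.getmembers()}
        for m in members.values():
            if m.isfile() and m.mode & (stat.S_ISUID | stat.S_ISGID):
                kind = "ELF" if tf.extractfile(m).read(4) == b"\x7fELF" else "non-ELF"
                findings.append(Finding(m.name, "setuid/setgid %s" % kind))
        shadow = {}
        if "etc/shadow" in members:
            for line in tf.extractfile(members["etc/shadow"]).read().decode().splitlines():
                user, hashed = line.split(":")[:2]
                shadow[user] = hashed
        if "etc/passwd" in members:
            for line in tf.extractfile(members["etc/passwd"]).read().decode().splitlines():
                f = line.split(":")
                name, uid = f[0], int(f[2])
                hashed = shadow.get(name, f[1])  # 'x' in passwd means "look in shadow"
                if hashed == "":
                    findings.append(Finding("etc/passwd:" + name, "empty password"))
                elif uid == 0 and name != "root":
                    findings.append(Finding("etc/passwd:" + name, "extra uid 0 account"))
    return findings


def build_sample_image() -> bytes:
    """Constructed image (hypothetical): a boot header carrying a kernel banner, then a
    gzip'd tar root file system, then some trailing padding."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        def add(name, data, mode):
            ti = tarfile.TarInfo(name)
            ti.size, ti.mode = len(data), mode
            tf.addfile(ti, io.BytesIO(data))
        add("bin/busybox", b"\x7fELF" + b"\x00" * 60 + b"BusyBox v1.20.2 (constructed)\x00", 0o4755)
        add("usr/bin/sudo", b"\x7fELF" + b"\x00" * 60, 0o755)
        add("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n"
                          b"admin:x:0:0:vendor admin:/home/admin:/bin/sh\n"
                          b"support::1001:1001::/home/support:/bin/sh\n", 0o644)
        add("etc/shadow", b"root:$6$saltsalt$notarealhash:17000:0:99999:7:::\n"
                          b"admin:$6$saltsalt$notarealhash:17000:0:99999:7:::\n"
                          b"support::17000:0:99999:7:::\n", 0o600)
    header = b"KICKSTART-HDR" + b"\x00" * 0x200 + b"Linux version 2.6.27.47 (constructed)\x00"
    return header + gzip.compress(tar_buf.getvalue(), mtime=0) + b"\xff" * 64


def triage_image(image: bytes):
    """End to end: signatures -> carve first gzip member -> banners -> rootfs findings."""
    hits = scan_signatures(image)
    gz = next(off for off, desc in hits if desc == "gzip")
    rootfs = carve_gzip(image, gz)
    return {"signatures": hits,
            "versions": find_version_strings(image) + find_version_strings(rootfs),
            "findings": triage_rootfs(rootfs)}


if __name__ == "__main__":
    for key, value in triage_image(build_sample_image()).items():
        print(key, value)
```

On a real image the carve step is `dd` plus the matching decompressor for whatever binwalk reports at that offset (squashfs needs unsquashfs or a loop mount, not gunzip), and the rootfs walk is `find / -perm /6000` plus a read of `etc/passwd` and `etc/shadow` on the mounted tree; the shape of the analysis is the same.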

So part of what I did was the defence side as well. The reason that this vulnerability was found in the first place is that we were doing an assessment on this environment to understand what the risks were in that environment, where it was being deployed in a new configuration. By doing this testing we were able to provide advice to the teams who were going to deploy it, to say, well, actually, if you use these features, these are the risks, and these are the controls they need to put in there. So things you can do to try and defend against this particular type of compromise are having strong access controls, using two-factor authentication, limiting administrative access, controlling your changes, monitoring your networks, and just generally good controls and hygiene around your environments, and segregation from a supplier's perspective.

Yeah, I mean, from the supplier perspective, ultimately I think bug bounties have been quite good for that, and for responsible disclosure I think Google's Project Zero, with the 90 days before it's published, is quite a good approach, and it incentivises companies to take it seriously and do something about it. Yeah, and I think with this, we've worked with the vendor to fix it; because it required quite a lot of change to their code base to fix it, it was reasonable to wait a bit longer for them to fix it rather than for it to be found in the wild. And if they're still not going to fix it, stop me. I don't think it's an uncommon issue across the board, but I don't think there's an easy answer to it. I think things like bug bounties are good at incentivising it, and if there's more emphasis put on, when a vulnerability is found, what that actually means in reality to the business, rather than saying we found this 8.8 vulnerability in product X, that doesn't mean that much in layman's terms. So how do you get that into the business language to say to an executive: this is what it means, this is the impact on your business, that's why it matters, rather than saying we found this technical vulnerability and it's really bad. You've got to get it translated into the right business language.

It's not something I've done myself, but it's certainly of interest; it has been done from a building management perspective, with building management systems, not specifically a data centre. What you'd do is a case of testing it; yeah, I'm sure it's a route in. So if you could disrupt it... I mean, what you'd probably start to think about doing is seeing if you could get to the substations outside of the data centre to disrupt it that way, because they probably have less protection, from the SCADA point of view. Yeah. Are you doing a talk next year? Any more, any more? Oh, thanks.