
Between You and Me and the Network Security Boundary

BSides DC · 2017 · 35:25 · 149 views · Published 2017-10
Category: Technical
Team: Red
Style: Talk
About this talk
Many organizations have IT environments with zones of varying security requirements. These zones are usually networks that are created to encompass systems that serve different functions, from production web applications to PCI in-scope database servers. An organization has to make a decision about implementing a security boundary that protects high-security areas from low-security areas. Designing and deploying these solutions can be a complex task, contending with hurdles from compliance requirements and management all the way to just making sure the users can remember how to access all the necessary systems. This complexity leaves many holes that can be exploited by bad guys to get access to the most sensitive data. Most penetration testers will tell you that these barriers, even ones that implement fancy security features such as multi-factor authentication, become bypassable once user systems have been compromised. This talk will review several common solutions for separating and accessing network zones, such as VPNs, bastion hosts, and virtualization, along with each solution's most common pitfalls. As we review each implementation, I will talk about both low-hanging and high-hanging fruit in terms of bypass methodologies, while giving real-world examples of leveraging weaknesses such as race conditions and configuration flaws to gain access to secured networks. I will do a deep dive into the architectures that most efficiently secure protected networks, such as Microsoft's Privileged Access Workstations (PAWs), as well as the management practices that create effective long-term security barriers.

Patrick Fussell (Penetration Tester at Payment Software Company, Inc.) While working in the information security industry over the past seven years, Patrick Fussell has worked in numerous roles to increase the security of electronically stored data for customers while always improving his skill set. With a background predominantly in penetration testing, security assessment, and auditing, he spent much of the last few years working with a wide range of consulting and analysis-based engagements. Currently based out of Monterey, CA, he regularly performs penetration tests for clients of all sizes and has a strong desire to contribute to the larger community with his projects.
Transcript [en]

The BSides DC 2017 videos are brought to you by ThreatQuotient, introducing the industry's first threat intelligence platform designed to enable threat operations and management, and DataTribe, a new kind of startup studio co-building the next generation of commercial cyber security analytics and big data product companies. This is Between You and Me and the Network Security Boundary; roughly, this is the talk you expected. My name is Patrick Fussell. Please take a minute to look me up on the internet; I always enjoy hearing from people or meeting and connecting with new people on Twitter. I work for PSC. My role within PSC is as a penetration tester. PSC is primarily a PCI company. I've been in this role for about, I think,

about four years now. It's sort of a dream pen test gig just because of the methodology that we use: I get to do lots of fun post-exploitation work, which is really cool, and I've had the chance to work with lots of people who are smarter than me, so I've had a chance to learn lots of new stuff. Sort of a full disclosure: I think none of the concepts I'm presenting here are original; I'm just presenting them in sort of a different light. A lot of these ideas are inspired by some of my teammates or, you know, some other friends I've made in the community; I'm just putting them in a different context here. So just a

quick agenda: points I want to go over. A couple of concepts, a little bit of terminology, then I'm going to review some of the common implementations for separating security zones that I've seen and experienced, talk about some of the bypasses and weaknesses that are connected to those, and then wrap up talking about what I'll just call sort of secure design concepts, or some things I've seen in the wild that worked very well for creating good security boundaries. Just terminology-wise, I know that probably anybody in this room is already experienced: InfoSec is rife with terminology and concepts that are used in different ways depending on who it is you're talking to, whether you're

Red Team, purple team, blue team, or whatever it is you do. I think this causes a little bit of confusion, so I'm not suggesting that anything I present here is the right way; it's just the way I'm gonna be using the terms. And while I was called it didn't show up at all; imagine some circles that just came together. All right, I'll move on. Cool. So, like I mentioned, PSC is primarily a PCI company, so often our goal for a penetration test is the cardholder data environment, often called the CDE. Our pen tests tend to take the form of starting from some portion of the network that you might consider

to be unprivileged, like wireless; then we gain some sort of foothold, escalate so we can access the portion of the network that has our target data, and then try to move from there. So lots of organizations get hacked. And just because somebody asked me the last time I went over this slide deck: this is a real book; you can go buy this at Barnes & Noble. So lots of organizations get hacked. Those organizations probably, at the time, thought that they were secure, or somebody in the organization thought that they were totally secure. I think if you were to speak to most network or sysadmins, they won't tell you that their network is impenetrable or the systems

are impenetrable; there's an understanding that things can be hacked. Given that information, it's kind of strange to me then that there still seems to be this buy-in to, I think, what some people call the M&M security model, where we pretend like we're secure just because we have a next-gen firewall. So the point of this is that systems get hacked; we all know that. Taking into account the high rate of success that we have in privilege escalation just within my team, and apparently the high rate of success the actual bad guys are having in gaining a foothold in networks, I think it's fair for the purpose of this talk to push that sort of initial

system compromise bit out of scope of the presentation, and we're just going to sort of assume compromise in some of these and kind of move from there. Okay, so just a common paradigm: we label things. Some data resources might be classified differently than others. We designate systems based on what it is they're doing, so in your network maybe it's QA, dev, staging, something like that. Depending on what kind of organization we're working for, you might have an organization where a segment represents marketing and one represents HR. In terms of creating security zones, the question I think that gets asked is: do the resources in marketing need to be able to access those in HR? Or, to

continue on with that thought, does everything in IT need to be able to access everything in the call center? Probably yes, but it's the question that needs to be asked when you're thinking about designing the zones. So I just want to note here that for the purposes of this talk and presentation we are talking about environments where divisions exist that have security requirements of varying degrees. So essentially it's just asking: does everybody in your network need to access everything? If that is your network, then cool, this information is not going to help you at all, and you probably have an easier life than most people. So finally, production is going to be our label for the zone that contains our

high-value asset. We might also think of this just as a high-security zone; I just chose production because I felt like it would be the thing that makes the most sense to everybody when we're talking about wanting to restrict access to some piece of the network. And sort of lastly, we just have to consider, you know, the boundaries and access between zones. It's logical to imagine that you do have some privileged users in, say, your IT department that do need to access that production network. This talk is going to investigate some of the barriers that are implemented so that only those intended users are getting to intended places or

intended systems. All right, so jumping into some of the common implementations, flaws, and bypasses. Just a quick note before I start on the first one: I'm going to be focusing on a very simplified version of these technologies, but I understand that I have, you know, a limited amount of time and I don't want to dive too deep into any one, so as you're looking at these, sort of understand I've watered these down for the purposes of talking about compromise and just sort of lateral and vertical escalation, exploit-wise. So the first solution I'm going to touch on I'm calling fire call. I've heard lots of terminology sort of describing this idea, or maybe you think

of it just as the way that you guys are set up. Broadly, you might describe what I'm going for here as any method to provide temporary emergency access to a secure system. What I want to focus on for this presentation is implementations where an organization allows or denies access through a network boundary through some sort of manual or automated change to the network access controls. This might take the form of submitting requests to IT to change the network ACLs for a system, or you might have something a little bit fancier where you have some sort of application that makes dynamic firewall rule changes. Whatever it is, it's something in between those processes. So

the first issue to consider, I think, in this situation, where the organization relies on manual firewall rule manipulation, is the complexity of management over time; it can be a real beast. So networks start out with their design looking something like this, with lots of great charts and network flow diagrams and really well-defined barriers. Because of the challenges of management of these complex environments over time, something that starts out clean and sort of looking like that (again, the colors are going off there) looks a little bit more like this. So I think the thing to consider here is having even one exception that permits access into a controlled network environment that you

aren't aware of presents a pretty significant risk. Though even more broadly, when you consider some of the exploitation scenarios, the security flaws present in the solution are even more inherent to just its functionality, because those exceptions create a bridge between zones. So when there is a (I keep checking the color to make sure at least you guys could see the arrows, otherwise it's not gonna make any sense at all) direct bridge between the two zones, an attacker only needs to compromise a host that is the beneficiary of any of the modified rules. This bridge is easily traversed by an attacker; we would commonly refer to this as pivoting. So what does that

mean? Compromise of the lower zone gives a direct path to the high-security zone. Just a quick example of how we might leverage this in the context of a penetration test; this is a pretty simple version, but it's something that works regularly. We start off by detecting those sort of poked network holes by collecting network connection data from a range of target systems, like we're showing here, and then use the super hacker tool grep to detect the networks we're looking for. So once we've identified the exceptions, we just fall back to hacking 101. We might use some sort of post-exploitation shell; I'm using Meterpreter in this demo just because I feel like it's ubiquitous, most

people will know what it is. That's pretty straightforward, and we can forward traffic through our compromised system to the production network or our target network. Somebody brought this up when I was demoing the slide deck to them, and I think it's a good point: if this is the kind of solution that you're using, another situation to consider is if an attacker has compromised a machine they know can or will access the target system, it really just becomes a matter for the attacker of inducing a situation where we know the fire call is going to be leveraged, and now we have access. So sometimes it's just sort of timing and distance as far as actually exploiting

this. So making this a secure implementation can be a pretty complex undertaking, I think, just because the built-in characteristics make it pretty prone to attacks. A couple of thoughts: the smaller you can make the window of exposure, the better off you are. This setup seems the best for organizations where there are a very limited number of systems or people accessing those high-value assets, so hopefully you can place very strict controls around those users and systems. You may want to do things like restricting client-to-client communication on the networks where they reside; so do your workstations need to be able to talk to each other? Any holes that you poke, build in an automated close if

possible; shorter and more specific time-wise is best. Regular testing and confirmation of segmentation. And maybe just one other thought: consider doing any sort of administration through some sort of air gap. If you have a separate system for managing those high-value assets, you really limit the complexity of this and you get a secure channel that's sort of built in. All right, next up is VPN. I mean, that looks kinda silly; there's some other words in there we'll get to. So VPN: I think everybody probably has an idea of what a VPN is, but just real briefly, virtual private network: we're creating a tunnel between our private network and some

remote private network over the Internet. This is pretty common when we're talking about connecting something like a production network and a remote data center. I like this one for this talk just because I've seen an increase in use of this for production networks, especially as more organizations are putting data in things like AWS and then they use the VPN to connect to those resources, or do something like create some sort of site-to-site. So the first implementation issue I want to touch on here is the split tunnel. So with the split tunnel, we start out with the network interface on the local LAN; that's pretty straightforward. Then we add the interface that connects to

the remote network. This effectively creates a bridge between the local and remote network. Now this is useful because it allows access to local network resources, or maybe if you need to do internet browsing but your remote network doesn't allow any sort of outbound traffic, well, this can provide that sort of functionality. But from the attacker's standpoint this is very easy to detect, and the exploitation scenario is identical to that of a network where there is no network boundary. So the follow-on to that, the full tunnel VPN: this ensures that when the VPN connection is active, the host no longer has connectivity on the local network, eliminating the bridge. Security

wise, this is definitely a superior situation to the split tunnel. For instance, if we had some sort of post-exploitation shell live on a host and we see that full tunnel go up, we should see connectivity drop, because they're now no longer effectively on the same LAN as us. So that's great, but while that does make bypassing more difficult, if we see that full tunnel it's still reasonably possible to get around it. The one perspective worth considering for this is that of malware. You know, for a pen tester, we might use some form of a specially crafted post-exploitation payload that can do things like detect changes in network interfaces before firing off a connection, something, you

know, maybe to another network that we know is reachable from that targeted zone. So in this scenario we just need to target a user that we know is accessing that secure environment via VPN, maybe doing something like reviewing running processes or checking AD group membership, craft some sort of exploit, and get it running on the target system. One effective way to accomplish this is to run the binary as a service on the target host, so it's just sitting around and watching, and then we wait for that instance to happen that will trigger the loading of our evil code. So I think a theme that we see here: once

the attacker has administrative access to the system, the rest of the bypass is really just limited by creativity. Just like with fire call, if at all possible we really want to limit any sort of local network exposure of users that have VPN access to the high-security environments, but we want to avoid creating direct bridges between zones: definitely rely on full tunnel. Multi-factor authentication with out-of-band information is also a great perspective to consider; we'll touch a little more on MFA in the next section. Next up, talking about a jump box. So a jump box, for our purposes here, is any device that spans two dissimilar security zones for the purpose of access.

Typically I think we see that this is leveraged for something like SSH or remote desktop. It provides a nice way to implement a network boundary by restricting connections between the zones to, you know, one target host or just a couple of jump boxes, and it also gives us a place to implement an authentication boundary. So, given that, this is definitely a great security posture. Touching on the sort of first implementation issue: stale sessions, so-called stale sessions at least. Essentially we're thinking that once we compromise a user that has a session open, in this case remote desktop, they leave their workstation and the session is open. I'm an attacker, I'm just monitoring that system; once they leave, I

can log in and take advantage of that open Remote Desktop session.

The next common implementation flaw I've found is what I think of as a single authentication zone. So maybe you have two networks where you have some sort of segmentation between them, but they're both using the same AD. The obvious problem here is that if you're authenticating with the same credentials to two zones, are they really two zones? I would say probably not. Now I think the attack surface here can vary greatly based on exactly what the implementation looks like, but even if the use of the jump box provides an effective network boundary, if there's some host that's spanning those two zones that's providing

some sort of authentication, then the attacker can leverage that.

One way the attacker might leverage this is shared infrastructure in Active Directory, something like user logon scripts. So if you can imagine for just a second that you're looking at the user logon script in Active Directory here: in case you're not familiar, user logon scripts give you a way to assign tasks that will be performed when a user logs on. So we can design a script that will execute or run, you know, some sort of binary of our choosing, so that when we target a particular user, when they log on it runs some code and we can gain access to it. Otherwise, the element of multi-factor comes in pretty

often in this jump box architecture. It definitely strengthens the authentication boundary between the zones by making the exploit process far more complex. I definitely recommend using this; it's a great technology to put into place, but it certainly comes with its own set of implementation challenges. Like everything, MFA can be deployed in a way that makes it prone to attack or bypass. One misconfiguration I've seen: making the MFA server accessible in the lower security zone.

So just for example, one port, or a set of ports, that I'd like to look for is anything that might be related to that MFA server. This could be something like SSH, or something very telling like a specific web service running on a specific port that's related to something like the RSA management console. So if the management console is accessible from the lower security zone, which is typically where we're running our testing from, we just need a way to log into that server. So another part of the implementation problem is allowing logon to the MFA console using just regular domain credentials. So that makes it very

simple: once we've compromised that lower security zone and the domain that's associated with it, maybe we'll do something like dump NTDS.dit and we've got the domain admin credentials, and it's very likely then that we can log in to the RSA console and we'll have full administrative access. There's some other really great ways to work around this if you don't have just domain credentials, but that's a pretty likely scenario. Once we have our credentials, we log in and we can do lots of interesting things, like issue ourselves a soft token to get us to that higher security zone and, you know, control logs, make it harder for

anybody to stop us. If you're interested in hearing a little more about attacks against multi-factor, I definitely recommend taking a look at the talk by a co-worker of mine, Josh Stone; he does a really great deep dive into multi-factor bypass. It's from DerbyCon 2015, and if you guys don't catch this link and you're interested, just ping me afterwards and I'll get that to you. So a couple of takeaways here: consider technical controls around how users access high-security zones, for instance session timeouts on remote desktop sessions. Consider the implications of compromise for critical systems. If you're not thinking about this from the assumed compromise perspective, or assume breach perspective, you're missing a lot of opportunities to

harden your systems and the access methods. All right, next up is VDI. So VDI, or virtual desktop infrastructure, when used to deliver a desktop environment for the purposes of accessing a separate security zone, essentially is working like a jump box, so it's similar in a lot of ways to the last implementation. Just like the jump box design, VDI typically violates something called the clean source principle, which I'm gonna jump to in a minute but I've already sort of hinted at, and we'll see in just a moment in the next section. The first issue I want to address is abandoned sessions. So without screen locks, just like in the previous section, we can take advantage of

somebody who left a desktop logged in. And I know that sounds sort of silly and non-technical, but I love the attack because it's sort of non-technical and it almost always works. In an environment where we know that people are accessing the high-security zone, we want to take advantage of those left open; we can just wait for them to go to lunch and look for something that indicates that they've logged out of their system and just locked the screen, and now we have access. So the next issue is insecure session brokers. If you can sort of just use your imagination a little bit on this one, the image didn't

come up great. It's actually showing one of the configuration screens from VMware's Horizon Client, which is a VDI client. If you're not familiar with it, essentially it's just software that lets you log into a remote desktop created for you. So one of the configuration options here, the text actually reads "Do not verify server identity certificates". So the scenario that I'm trying to sort of hint at here is: if we've compromised the host we see is connecting to the secure environment with the Horizon Client, one of the settings is we can have it ignore bad certificates. So how might we leverage that? We know users; we know

right off the bat that we can't rely on users to pay attention to something like (and well, some of the colors came out there) HTTP warnings. People will just sort of click through this, even if previously we know that there was a good certificate here; you can be pretty confident that somebody's gonna continue to log in even if they see that warning show up. So, again, use your imagination a little bit: one of the other configuration screens on the Horizon Client lets you set the gateway that the client is pointed at. So as the bad guy I'll probably want to make that point to me. I wait for the

user to walk away and change the setting. You can also do this without interacting directly with the user session by doing something like modifying the Windows registry. So, setting myself as the gateway, we just have to hack together a little bit of code that will run a listener that captures the credentials and completes the connection when the user hits that logon button. So now, even assuming that VDI session has RSA, I think it's pretty common in that authentication scenario that the token is just typed as part of the password. So once they hit the login button, we capture this and we'll see the

whole thing: we'll have everything, we'll have their password and we'll have that token. Obviously there's a timing element there, but then we just have to hack together one more script that finishes the connection on our end, and we're able to log in as that user, and they might never be the wiser to the situation. One other example of a flawed configuration here that I think highlights the challenge of the complexity of managing networks: during the scanning portion of an engagement we've detected (so this is, use your imagination again) two separate VDI login screens. One of them, where you can see the little RSA logo there, is configured to enforce

multi-factor, so you have to type in the RSA, but these are both running in the same network. So if we're able to detect that there's two of them, and one of them doesn't have the RSA screen, guess which one I'm gonna go after as the bad guy: the one that's missing multi-factor, which is exactly the same thing as not having multi-factor at all. I think this seems like an obvious flaw; if you're designing a network, yeah, you shouldn't do this, but it really kind of highlights the sorts of mistakes that we tend to like to exploit as penetration testers. So just like other implementations that we've covered, this solution violates that clean source principle, which I mentioned and we're

gonna touch on in just a moment. It essentially just requires that any security dependencies are as trustworthy as the object being secured, which we haven't really accomplished here. It's probably worth enforcing the use of signed certificates where possible and making your users aware that they exist; again, if you can, let them know: please don't click through those things. All right, the last bit I just called cloud, and I sort of cringe to use that term, but it works well for what we're talking about here, so bear with me. So what we're really talking about here is organizations that offload everything to cloud service providers. So I've been really fortunate in the past year or so:

I've had the chance to do pen tests for several smaller companies; some of them you might classify as startups in comparison to our standard larger enterprises. It requires a really different approach as far as the pen test goes. Many of these organizations are in sort of small offices that have very little local infrastructure but have very large production networks. So the users are essentially just connecting from an office that is more or less serving as an internet connection point, but they still have to do things like manage user accounts and email, and they do this by leveraging third-party providers. And so one of these I ran into recently on an internal penetration test was a single sign-on application, and I

think the one that I'm showing here is called OneLogin. This is a really great, kind of neat application: the user logs in one time and, using something like SAML, they provide access to a dashboard that then gives you access to all your other applications. This is really handy for your users because they only have to log in once, and it's exposed over the Internet. This is also really great for bad guys, because now we have one login page that we have to attack as well. So just real quickly I'm gonna walk through the attack path that I took in

this particular scenario. This is an email header, if you can use your imagination a little bit on this image. So obviously in a penetration test the first thing I want to do is some sort of intelligence gathering: gathering email addresses, figuring out who their email provider is, which I'm highlighting here. If you can get somebody from the organization to email you, just take a look at their email header. One handy tip here: if they're using Google Apps, the Gmail login page is a really great place to validate email addresses. So if I have a list of potential ones, I can build some sort of semi-automation

around checking to see if they're really email addresses. So once I have a list of what I believe are email addresses, this is a screenshot from Burp Suite, which is just running a login attack using those enumerated email addresses. Once I get a hit, I can log into their OneLogin page as that user. This is where the sort of privilege escalation comes in, or maybe you think of this as lateral movement in terms of the penetration test, but essentially I'm just digging for data, and depending on what kind of applications that particular user has access to, you can get really creative. Maybe GitHub is one of the applications that

might be exposed here, which is great because you'll find source code, you'll find credentials, you'll find API keys. In particular, my attack path here was: they were using AWS, and they were using identity manager and some multi-factor, but if you had the API key you could use the AWS tool to pull down copies of things like their running EC2 instances and stored data. So now I have an effective bypass to their multi-factor. And this is just showing, you know, an example of pulling down that AWS key that was stored in one of their GitHub repositories, and this would be success criteria, I think, in this situation. So just a couple of

thoughts on this: the boundaries become very fuzzy and hard to define when an organization is leveraging these sorts of technologies. If you're relying on these services, make sure you're applying the same rigor to separating zones you would in a more traditional enterprise network. Be very aware of where that authentication boundary is if you're exposing it to the Internet. All right, so just to wrap up, I have a couple of secure design concepts. The first one, that I mentioned briefly before, is the clean source principle. There's a sort of long-winded technical explanation that you can get from Microsoft if you want to go google it, but the sort of

shorter version is: if an adversary can control anything that's in effective control of a target object, they control that target object. Because of this, you have to ensure that the assurances for all dependencies are at or above the desired security level of the object that you're trying to take care of. In practice it basically means an attacker in control of an operating system has numerous ways to illicitly gain access to all the activity on that workstation and do things like impersonate legitimate user accounts. Practically, for me, this means that if an attacker controls the system, they control any system that system is controlling. This is simple in principle, but I think applying this requires a pretty in-depth understanding

of all of the control relationships of an asset, which I think anybody who's ever managed a Windows network can tell you can get pretty hairy. So the modern threat environment requires that organizations adopt this assume-breach security posture when designing protections for high-value assets, when we approach security from the perspective that we're already compromised, we just haven't discovered that compromise. You always consider the ramifications from the perspective of the privileged users and workstations. So if you've logged into a user's workstation with domain admin creds, then an attacker has compromised that system, you've created a potential for those credentials to be stolen. So the question I think you have to ask is: can someone

leverage those credentials then to gain access to some resource that I wouldn't want them to be able to? Consider any systems that have access to high-value assets as a special class of system, so you can avoid cross-contaminating access privileges and zones. One way you might go about this: provide a high-security workstation for privileged users. This could be a separate physical machine, like I mentioned earlier. One other thing you can do is leverage virtualization; we also talked a little bit about that. I think in the case of virtualization it's also important to think about: we're never logging into the lower-security system to access our higher-security system, because then we have cross-contaminated

and we're no longer clean in terms of source. Administrative privileges: the security of most or all business assets in an organization depends on the integrity of the privileged accounts that administer and manage IT systems, so securing privileged access is a critical step to establishing security. Lots of admin credentials and admin credential use means lots of chances for an attacker to capture those privileged accounts. Know where your administrative privileges are being used. Limit role privileges to the minimum required. I know that's sort of like security day 101, but it seems like it's rarely implemented. Limit the number of hosts on which the administrative credentials are exposed, and ensure administrative tasks are not performed

on a host that's being used for standard activities like email and web browsing. Poking holes to your high-value assets: another critical piece to consider in any design is the complexity of management. Juggling the demands of environments can be a massive challenge, so a lot of the flaws, or maybe even most of the flaws, that I find during a pen test tie back to "this one change I made this one time for that one guy in marketing, and then we never put it back because we forgot and we didn't have a change request in place." So those exceptions add up, and part of the bad guys' skill set is finding those holes, so there's a good chance

that they're gonna be able to find them. Create strictly defined programmatic methods for managing systems and service configurations. Ensure that even if you change something to some configuration you know is less secure, there's something that's built in to automatically put it back to the way that you think it should be. One way I've had this described to me is the DevOps approach to security, which I know DevOps is kind of just a buzzword, but I think that the idea works well here: we want to have some sort of programmatic way for managing security changes. So just wrapping up, my goals here today were to present a couple of security architectures that I think

are very common, but give you the bad guy perspective on those architectures and give a little insight I've gained from trying to get past the security implementations. I know a couple of shortcomings of the talk: the reality of any of these implementations is far more complex than anything I've talked about here, and I understand that, but I still think that the concepts apply well, and I think that there's a lot of depth that could be taken for any single one of these topics, and maybe you could even write a whole book about some of them. And before I jump into questions: I really enjoy doing things like BSides

because I get to meet lots of people, and usually from the conversations I have with people afterwards I learn lots of interesting things. Please come talk to me afterwards, look me up, send me an email, and look me up on Twitter. I'm always happy to connect with everybody. Any questions? Cool, all right, thank you everybody.