
Tenable Blog


Cyberdawn - A Diverse Cyber Exercise - Part II

Passwords are just so easy to abuse...

It was interesting to see that the top scorer in the game (who went by the handle "ftp" and, coincidentally, had 21 scores on the first day of game play!) did not use fancy new exploits, 0day attacks or a wide range of open-source or even commercial tools. He was able to gain access to systems because the teams left default or easily guessable passwords set on some of the Linux servers. He used SSH to log in to the systems, then SCP to upload some Python code that was used to update the scoring engine. From there he was able to maintain access, not through rootkit technology or anything sophisticated, but just by hiding in plain sight. The Python script makes a TCP connection to the scoring server and sends a message. It was moved into a file called "/dev/vfat" to make it look like a system file. Next, a shell script was written to call the Python script every ten minutes. This file was called "getty" and ran in the background, and was also inserted into the startup scripts to ensure it kept running. The teams never found these processes running, and "ftp" won the game, no exploits required.



[Image: hackeratwork.png]
Hacker "ftp" at work, winning the game using built-in tools such as bash, Python and SSH.


Keeping Access

This is perhaps one of the toughest jobs an attacker has. The systems are constantly being rebooted, patched and re-configured, and network problems keep cropping up - just like in the real world! So the problems we have in the game are the same ones that attackers and penetration testers face when attacking a network and trying to maintain a foothold. Some of the methods used by the Red Team, all of which met with mixed success, follow:


  • SSH Trust Keys - One of the Red Team members managed to keep access to the systems by adding a trusted SSH key. The Blue Team changed the passwords, but did not remember to check for the presence of a trusted key.
  • Rootkits - Several different rootkits were installed, ranging from the Immunity rootkit to Poison Ivy. These were effective at remaining undetected on the system, but they still needed to call "home" from a running process.
  • Penetration Testing Frameworks - Core IMPACT agents were deployed to compromised hosts. Since the various teams can see these processes, IMPACT's "agent process injector" module was used to inject the agent code into an existing process, such as "explorer.exe", which then made a reverse connection back to the Red Team on port 80. This gave the Red Team a little more staying power inside the various networks, which allows pivoting - the ability to launch attacks from inside the firewall. An important point from a defensive perspective: when analyzing a system for evidence of a compromise, look at which processes are making outbound connections - unless of course the copy of tcpview has itself been trojaned.
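As an added example (not part of the original post and not a Tenable tool), here is a small defender-side Python audit for the persistence tricks described above: a script hidden as a regular file under /dev (the "/dev/vfat" trick), a daemon-named process such as "getty" that is really an interpreter running a script, and SSH authorized_keys entries that are not in a known inventory. Every input is a parameter so it runs offline on constructed data; the DAEMON_NAMES list, the interpreter pattern and the sample values are assumptions.

```python
import os
import re
import stat

# Daemon names an attacker might borrow for a script (assumption: illustrative list).
DAEMON_NAMES = {"getty", "agetty", "sshd", "cron", "init"}
# argv[0] basenames that mean "an interpreter is running a script".
INTERPRETER = re.compile(r"^(sh|bash|dash|python[\d.]*|perl[\d.]*)$")


def rogue_dev_files(dev_dir):
    """Regular files directly under dev_dir: /dev holds device nodes, FIFOs,
    symlinks and directories, so a plain file there is almost certainly a script."""
    found = []
    for name in sorted(os.listdir(dev_dir)):
        st = os.lstat(os.path.join(dev_dir, name))  # lstat: do not follow symlinks
        if stat.S_ISREG(st.st_mode):
            found.append(name)
    return found


def masquerading_processes(ps_lines):
    """Given `ps -eo pid,comm,args` output lines, flag an interpreter whose comm
    is a daemon name (comm=getty, args='/bin/sh ./getty') or whose script lives
    under /dev. Returns (pid, comm, args) tuples."""
    flagged = []
    for line in ps_lines[1:]:  # first line is the ps header
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, comm, args = parts
        argv = args.split()
        is_interp = bool(INTERPRETER.match(os.path.basename(argv[0])))
        script_in_dev = any(tok.startswith("/dev/") for tok in argv[1:])
        if is_interp and (comm in DAEMON_NAMES or script_in_dev):
            flagged.append((int(pid), comm, args))
    return flagged


def unapproved_keys(authorized_keys_text, approved):
    """authorized_keys entries whose 'type base64' key is not in `approved`
    (your key inventory). Leading options like command="..." are skipped by
    scanning for the key-type token. Returns (key_type, comment) tuples."""
    rogue = []
    for line in authorized_keys_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, tok in enumerate(fields):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")):
                key = " ".join(fields[i:i + 2])
                if key not in approved:
                    rogue.append((tok, " ".join(fields[i + 2:])))
                break
    return rogue
```

Run the three checks from a cron job or a post-incident script and diff the output against the previous run; a new entry in any of them is exactly the kind of thing the Blue Team missed after changing passwords.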


Conclusion

I tend to think of the "cyber exercises" as an accelerated learning environment. In the real world, you would not see as many attacks and responses in such a short period of time. It is precisely this type of environment that can greatly help both attackers and defenders improve their skills. It also underscores some of the areas that defenders should focus on, such as monitoring outgoing traffic, creating and implementing a strong password policy and having a process in place to collect and analyze system logs. Tenable's enterprise products can help in all of these areas. The Passive Vulnerability Scanner and Tenable Network Monitor products inspect network traffic for vulnerabilities and allow you to identify suspicious behavior with the Security Center. The Security Center can correlate system logs with both vulnerability and network logs, identifying patterns that could represent security breaches. See the references section below for more examples of Tenable product usage to detect malicious behavior on the network and systems in your environment.


References
