# The Art of Attacking and Defending Centralized Facilities: Bastion Hosts in Real-World Attack and Defense

## 1. The bastion host from the hacker's perspective

A bastion host is a network security device used to protect and manage access between an enterprise's internal network and external networks. As an intermediate node, it provides access control and auditing so that the internal network is shielded from unauthorized access and attacks. The bastion host is usually used as a springboard (jump) server: administrators manage and reach other internal servers only through it. As the main gateway from the external network into the internal network, the bastion host plays a decisive role in keeping the intranet secure, and for exactly that reason it becomes a battleground in an attack. If an attacker obtains control of the bastion host, the attacker gains access to the intranet and can even manage every asset the bastion host administers directly. Hackers typically try to gain access to the bastion host through exploits or social engineering. From a hacker's point of view, attacking a bastion host is valuable for the following reasons:

1. Important target: The bastion host is a key entrance to the internal network. Once hackers successfully compromise it, they can use it to penetrate further into the internal network, obtain more sensitive information, or control other hosts.

2. Exposed on the public network: The bastion host is usually exposed on the public network, which lets hackers attack it directly. Since its role is to receive and process remote connections, it may be subjected to all kinds of attacks from the Internet, such as brute-force cracking, exploits and denial-of-service attacks.

3. Privilege escalation: Once hackers have compromised the bastion host, they usually try to obtain higher privileges. Bastion hosts typically hold administrative privileges and broad network access, so hackers will try vulnerabilities, weak passwords or other technical means to escalate their privileges and gain greater control.

4. Internal network access: The bastion host is the key point at which hackers enter the internal network. Once hackers control it, they can use it as a springboard to reach other internal hosts, map the network topology, obtain sensitive data and perform malicious operations.

## 2. Attack cases involving bastion hosts

Against a bastion host, attackers often rely on vulnerabilities in the bastion host itself, supply chain attacks, social engineering and similar means to break into the internal network, obtain sensitive data, tamper with configuration or take control of internal systems. In practice, vulnerabilities are invariably the key to breaking through the bastion host. The following are examples of attacks against bastion hosts:

1. During the 2021 offensive and defensive drill, a large state-owned enterprise was attacked through its jumpserver bastion host, resulting in the loss of a large number of intranet machines. The attacker exploited a remote command execution vulnerability in the jumpserver bastion host, which allowed the attacker to bypass layer after layer of defenses and enter the target enterprise's intranet. By taking over an intranet machine managed by the jumpserver bastion host, the attacker used that machine as a base to collect information on the intranet, moved laterally step by step, and finally controlled a large number of intranet machines.

2. During the 2021 offensive and defensive drill, the bastion host of an Internet company was attacked. The attacker exploited an arbitrary user login vulnerability in the Qizhi bastion host, obtained the back-end management authority of the Qizhi bastion host, and took control of a large number of intranet machines. By gradually infiltrating the intranet, the attacker finally obtained domain controller authority through a high-risk vulnerability in the domain controller, and thereby completely controlled the AD domain.

3. During the 2022 offensive and defensive drill, the bastion host of a large state-owned enterprise suffered a cyber attack and the enterprise eventually withdrew from the drill early. The attacker used a weak password on the Tianyue bastion host to obtain web console authority on the bastion host, and gradually penetrated into the enterprise's internal network. The attacker then moved laterally across the intranet, controlled a large number of corporate computers, and obtained a large amount of sensitive information, including personal information of corporate employees and source code. In the end, the company lost a lot of points and had to quit the drill halfway.

## 3. The attack surface of the bastion host

As an important security component, the bastion host has multiple attack surfaces, and attackers can use them to break into and infiltrate internal systems. The following are some common attack surfaces of the bastion host:

1. Operating system vulnerabilities: The operating system used by the bastion host may have known or unknown vulnerabilities. Attackers can use these vulnerabilities to execute malicious code, elevate privileges or bypass security measures, thereby gaining control of the bastion host.

2. Application vulnerabilities: The bastion host's application may contain vulnerabilities, including remote command execution, permission bypass, SQL injection and so on. Attackers can use these vulnerabilities to perform malicious operations.

3. Weak passwords and credential management: If users of the bastion host use weak passwords or manage credentials improperly, attackers can exploit these weaknesses to break in.

4. Supply chain attack: A link in the bastion host's supply chain may have loopholes or be maliciously tampered with. Attackers can gain control of the bastion host or bypass security measures by inserting malicious code or backdoors into the bastion host's software, hardware or firmware.

5. Social engineering attack: Attackers can use social engineering methods such as phishing emails to deceive users or administrators of the bastion host into handing over their credentials or performing malicious operations.

Based on real-world scenarios, three paths to attacking the bastion host are listed below:

### Path one

1) The attacker first attacks the bastion host through a historical vulnerability or even a 0day vulnerability in the bastion host, for example by bypassing authentication to reach the bastion host's web console directly, and obtains web management authority over the bastion host.
2) The attacker then takes control of the assets managed by the bastion host.

### Path two

1) The attacker first attacks the bastion host supplier and implants malicious code in the bastion host as a backdoor.
2) The bastion host carrying the malicious backdoor is downloaded and deployed in the enterprise environment.
3) The attacker takes control of the bastion host by connecting to the backdoor left in advance, and thereby opens the door to the enterprise intranet.

### Path three

1) The attacker controls a domain member computer in the target AD domain through phishing.
2) After collecting information, the attacker finally obtains domain controller authority by exploiting a vulnerability.
3) The attacker resets the password of the bastion host's administrator account.
4) The attacker logs in to the bastion host with the obtained account and the reset password.
5) The attacker directly controls the enterprise's core production network server cluster through the bastion host's web console.

## 4. Losses caused by attacks on bastion hosts

1. Data leakage and privacy issues: Attackers can use the bastion host to access and steal sensitive customer data, including personally identifiable information, financial data and business secrets.

2. Business interruption and service unavailability: Attackers may render the bastion host unable to operate normally, by damaging it or through denial-of-service attacks, resulting in business interruption and service unavailability.

3. Identity spoofing and internal penetration: By attacking the bastion host, the attacker may obtain the identity and authority of a legitimate user and thereby carry out deeper internal penetration.

4. Unauthorized access to internal systems: An attacker who obtains access to the bastion host can then access and control the internal systems and servers behind it.

## 5. Bastion host defense

ITDR platform: As the first ITDR vendor in China, Zhongan Netstar has built an ITDR (Identity Threat Detection and Response) platform for protection centred on identity and infrastructure. The platform covers mainstream identity infrastructure and centralized facilities, and its design spans pre-attack hardening, in-progress monitoring and post-event blocking, covering the entire life cycle of attacker activity.

ITDR platform capabilities specific to bastion host scenarios:

1. Real-time monitoring of sensitive and abnormal operations on the bastion host, such as exploits, authentication at abnormal time points, remote logins and access to previously unused resources, so that administrators become aware of exploits and sensitive operations performed by attackers on the bastion host as soon as they happen.

2. Real-time monitoring of protection functions being switched off, such as global MFA authentication being disabled for all users, global MFA authentication being disabled for administrators only, MFA authentication being disabled for third-party login users, or MFA secondary authentication being disabled for users, so that if these protection functions are maliciously disabled it is discovered in time, leaving attackers no window of opportunity.

3. Active detection of unsafe configuration on the bastion host, providing a basis for hardening it and ensuring that attackers cannot exploit insecure configuration to attack.

4. Honeypot accounts on the bastion host, which actively trap attackers and allow suspicious attacks to be discovered more proactively.
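The monitoring described above is, at its core, rule evaluation over the bastion host's audit trail. The following detector is an added example written for this article; it is not code from the original post or from any vendor product. The JSON log format, field names, the decoy account name and the MFA configuration keys are all assumptions constructed for the example, and it flags the four event classes listed: off-hours or MFA-less logins, an MFA protection switch being turned off, a honeypot account being used, and first-time access to a resource.

```python
import json
from datetime import datetime

# Assumed values (constructed for this example): decoy account, working hours, MFA switches.
HONEYPOT_ACCOUNTS = {"svc_backup_admin"}   # decoy; no legitimate user logs in with it
WORK_HOURS = range(8, 20)                   # 08:00-19:59 is normal operating time
MFA_KEYS = {"mfa_global", "mfa_admin", "mfa_third_party", "mfa_user_secondary"}

# Constructed sample audit log, one JSON event per line (not real product output).
SAMPLE_LOG = """
{"ts":"2023-06-06T03:12:40","event":"login","user":"ops_li","src":"203.0.113.9","mfa":false}
{"ts":"2023-06-06T10:05:01","event":"login","user":"ops_li","src":"10.1.2.3","mfa":true}
{"ts":"2023-06-06T10:07:15","event":"config_change","user":"admin","key":"mfa_admin","old":true,"new":false}
{"ts":"2023-06-06T10:09:30","event":"login","user":"svc_backup_admin","src":"10.1.2.3","mfa":true}
{"ts":"2023-06-06T10:11:02","event":"asset_access","user":"ops_li","asset":"db-prod-01","first_time":true}
{"ts":"2023-06-06T11:00:00","event":"asset_access","user":"ops_li","asset":"web-01","first_time":false}
""".strip()

def check_event(ev: dict) -> list:
    """Return the names of the alerts one audit event triggers (empty if benign)."""
    alerts = []
    hour = datetime.fromisoformat(ev["ts"]).hour
    if ev["event"] == "login":
        if ev["user"] in HONEYPOT_ACCOUNTS:       # decoy account touched: always suspicious
            alerts.append("honeypot_account_login")
        if hour not in WORK_HOURS:                # authentication at an abnormal time point
            alerts.append("off_hours_login")
        if not ev.get("mfa", False):              # session established without a second factor
            alerts.append("login_without_mfa")
    elif ev["event"] == "config_change":
        # a protection switch flipped from enabled to disabled
        if ev["key"] in MFA_KEYS and ev["old"] is True and ev["new"] is False:
            alerts.append("mfa_protection_disabled")
    elif ev["event"] == "asset_access" and ev.get("first_time"):
        alerts.append("access_to_unused_resource")  # user touches an asset never used before
    return alerts

def scan(log_text: str) -> list:
    """Parse the log and return (timestamp, user, alerts) for every alerting event."""
    findings = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        hits = check_event(ev)
        if hits:
            findings.append((ev["ts"], ev["user"], hits))
    return findings

if __name__ == "__main__":
    for ts, user, hits in scan(SAMPLE_LOG):
        print(ts, user, ", ".join(hits))
```

On the constructed log the scan raises four findings: the 03:12 login (off hours, no MFA), the administrator MFA switch being disabled, the honeypot account login, and the first-time access to db-prod-01; the two remaining events are benign.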



Origin blog.csdn.net/text2207/article/details/131865411