Some “Ethical Hacking” Case Studies
Peter Wood
First•Base Technologies
Slide 2 © First Base Technologies 2003
How much damage can a security breach cause?
• 44% of UK businesses suffered at least one malicious security breach in 2002
• The average cost was £30,000
• Several cost more than £500,000
• and these are just the reported incidents …!
Source: The DTI Information Security Breaches survey
Slide 3 © First Base Technologies 2003
The External Hacker
Slide 4 © First Base Technologies 2003
[Network diagram. Labels: Desktop PC; My Client; Client's business partner; Bridge (×2); Dial-in from home; Dial-up ISDN connection; Leased line; Internet; Firewall; Web Developer]
Slide 5 © First Base Technologies 2003
[Network diagram. Labels: Desktop PC; My Client; Client's business partner; Bridge (×2); Dial-in from home; Dial-up ISDN connection; Leased line; Internet; Firewall; Web Developer]
• Secure the desktop
• Secure the network
• Secure third-party connections
• Secure Internet connections
Slide 6 © First Base Technologies 2003
The Inside Hacker
Slide 7 © First Base Technologies 2003
Plug and go
• Ethernet ports are never disabled …
• … or just steal a connection from a desktop
• NetBIOS tells you lots and lots …
• … and you don’t need to be logged on
Slide 8 © First Base Technologies 2003
Get yourself an IP address
• Use DHCP since almost everyone does!
• Or … use a sniffer to see broadcast packets (even in a switched network) and try some suitable addresses
Slide 9 © First Base Technologies 2003
Browse the network
Slide 10 © First Base Technologies 2003
Pick a target machine
Pick a target
Slide 11 © First Base Technologies 2003
Try null sessions ...
Slide 12 © First Base Technologies 2003
List privileged users
Slide 13 © First Base Technologies 2003
Typical passwords
(account: typical passwords)
• administrator: null, password, administrator
• arcserve: arcserve, backup
• test: test, password
• username: password, monday, football
• backup: backup
• tivoli: tivoli
• backupexec: backup
• smsservice: smsservice
• … any service account: … same as account name
Slide 14 © First Base Technologies 2003
Game over!
Slide 15 © First Base Technologies 2003
The Inside-Out Hacker
Slide 16 © First Base Technologies 2003
Senior person - laptop at home
[Diagram: Laptop; Internet]
Slide 17 © First Base Technologies 2003
… opens attachment
[Diagram: Laptop; Internet]
Trojan software now silently installed
Slide 18 © First Base Technologies 2003
… takes laptop to work
[Diagram: Laptop (×2); Corporate Network; Firewall; Internet]
Slide 19 © First Base Technologies 2003
… trojan sees what they see
[Diagram: Laptop; Corporate Network; Finance Server; HR Server; Firewall; Internet]
Slide 20 © First Base Technologies 2003
Information flows out of the organisation
[Diagram: Laptop; Corporate Network; Finance Server; HR Server; Firewall; Internet; Evil server]
Slide 21 © First Base Technologies 2003
Physical Attacks
Slide 22 © First Base Technologies 2003
What NT password?
Slide 23 © First Base Technologies 2003
NTFSDOS
Slide 24 © First Base Technologies 2003
Keyghost
Slide 25 © First Base Technologies 2003
KeyGhost - keystroke capture
Keystrokes recorded so far is 2706 out of 107250 ...
<PWR><CAD>fsmith<tab><tab>arabella xxxxxxx <tab><tab> None<tab><tab> None<tab><tab> None<tab><tab> <CAD> arabella<CAD><CAD> arabella<CAD><CAD> arabellaexittracert 192.168.137.240telnet 192.168.137.240cisco
Slide 26 © First Base Technologies 2003
Viewing Password-Protected Files
Slide 27 © First Base Technologies 2003
Office Documents
Slide 28 © First Base Technologies 2003
Zip Files
Slide 29 © First Base Technologies 2003
Plain Text Passwords
Slide 30 © First Base Technologies 2003
Netlogon
In the unprotected netlogon share on a server:
logon scripts can contain:
net use \\server\share "password" /u:"user"
Slide 31 © First Base Technologies 2003
Registry scripts
In shared directories you may find .reg files like this:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="username"
"DefaultPassword"="password"
"AutoAdminLogon"="1"
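Added example (not part of the original slides): a small Python audit script an administrator could run over their own NETLOGON share or shared directories to flag the two patterns shown on the Netlogon and Registry scripts slides. The function names, the file extensions checked and the sample contents are assumptions made for illustration.

```python
import re
from pathlib import Path

TOKEN = re.compile(r'"[^"]*"|\S+')
REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*"([^"]*)"$')
# Constructed samples modelled on the two slides (not real files).
SAMPLE_BAT = r'''net use \\server\share "password" /u:"user"
net use x: \\server\apps * /u:"user"'''
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="username"
"DefaultPassword"="password"'''

def decode(raw: bytes) -> str:
    bom = raw[:2] in (b"\xff\xfe", b"\xfe\xff")  # regedit exports are often UTF-16
    return raw.decode("utf-16" if bom else "cp1252", errors="replace")

def net_use_has_password(line: str) -> bool:
    tokens = TOKEN.findall(line.lstrip("@ "))
    if [t.lower() for t in tokens[:2]] != ["net", "use"]:
        return False
    for i, tok in enumerate(tokens):
        if tok.strip('"').startswith("\\\\"):  # the \\server\share argument
            nxt = tokens[i + 1] if i + 1 < len(tokens) else "*"
            return nxt != "*" and not nxt.startswith("/")  # "*" = prompt, "/..." = switch
    return False

def scan_text(name: str, text: str) -> list:
    """Return (file, line, finding) tuples; the secret itself is never echoed."""
    text = text.replace("\u201c", '"').replace("\u201d", '"')  # pasted smart quotes
    findings, key = [], ""
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # current registry key in a .reg file
        elif net_use_has_password(line):
            findings.append((name, n, "net use with inline password"))
        elif key.endswith("\\winlogon") and (m := REG_VALUE.match(line)):
            if m.group(1).lower() == "defaultpassword" and m.group(2):
                findings.append((name, n, "Winlogon DefaultPassword in clear text"))
    return findings

def scan_tree(root: str) -> list:
    out = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in {".bat", ".cmd", ".reg"}:
            out += scan_text(str(p), decode(p.read_bytes()))
    return out

if __name__ == "__main__":
    print(scan_text("logon.bat", SAMPLE_BAT) + scan_text("auto.reg", SAMPLE_REG))
```

Each finding reports only the file, line number and pattern, so the audit output can be shared without repeating the exposed password.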
Slide 32 © First Base Technologies 2003
Passwords in procedures & documents
Slide 33 © First Base Technologies 2003
Packet sniffing
• Leave the sniffer running
• Capture all packets to port 23 or 21
• The result ...
Generated by : TCP.demux V1.02
Input File: carol.cap
Output File: TB000463.txt
Summary File: summary.txt
Date Generated: Thu Jan 27 08:43:08 2000
10.1.1.82 1036
10.1.2.205 23 (telnet)
UnixWare 2.1.3 (mikew) (pts/31).
login:
cl_Carol
Password:
carol1zz
UnixWare 2.1.3.mikew.Copyright 1996 The Santa Cruz Operation, Inc. All Rights Reserved..Copyright 1984-1995 Novell, Inc. All Rights Reserved..Copyright 1987, 1988 Microsoft Corp. All Rights Reserved..U.S. Pat. No. 5,349,642.
Slide 34 © First Base Technologies 2003
Port scan
Slide 35 © First Base Technologies 2003
Brutus dictionary attack
Slide 36 © First Base Technologies 2003
NT Password Cracking
Slide 37 © First Base Technologies 2003
How to get the NT SAM
• On any NT/W2K machine:
  - In memory (registry)
  - c:\winnt\repair\sam (invoke rdisk?)
  - Emergency Repair Disk
  - Backup tapes
  - Sniffing (L0phtcrack)
• Run L0phtcrack on the SAM …
Slide 38 © First Base Technologies 2003
End of part one!
And how to prevent it!
Peter Wood
First•Base Technologies
Slide 40 © First Base Technologies 2003
Prevention is better ...
• Harden the servers
• Monitor alerts (e.g. www.sans.org)
• Scan, test and apply patches
• Monitor logs
• Good physical security
• Intrusion detection systems
• Train the technical staff on security
• Serious policy and procedures!
Slide 41 © First Base Technologies 2003
Server hardening
• HardNT40rev1.pdf (www.fbtechies.co.uk)
• HardenW2K101.pdf (www.fbtechies.co.uk)
• FAQ for How to Secure Windows NT (www.sans.org)
• Fundamental Steps to Harden Windows NT 4_0 (www.sans.org)
• ISF NT Checklist v2 (www.securityforum.org)
• http://www.microsoft.com/technet/security/bestprac/default.asp
• Lockdown.pdf (www.iss.net)
• Windows NT Security Guidelines (nsa1.www.conxion.com)
• NTBugtraq FAQs (http://ntbugtraq.ntadvice.com/default.asp?pid=37&sid=1)
• Securing Windows 2000 (www.sans.org)
• Securing Windows 2000 Server (www.sans.org)
• Windows 2000 Known Vulnerabilities and Their Fixes (www.sans.org)
• SANS step-by-step guides
Slide 42 © First Base Technologies 2003
Alerts
• www.sans.org
• www.cert.org
• www.microsoft.com/security
• www.ntbugtraq.com
• www.winnetmag.com
• razor.bindview.com
• eeye.com
• Security Pro News (ientrymail.com)
Slide 43 © First Base Technologies 2003
Scan and apply patches
Slide 44 © First Base Technologies 2003
Monitor logs
Slide 45 © First Base Technologies 2003
Good physical security
• Perimeter security
• Computer room security
• Desktop security
• Close monitoring of admin’s work areas
• No floppy drives?
• No bootable CDs?
Slide 46 © First Base Technologies 2003
Intrusion detection
• RealSecure
• Tripwire
• Dragon
• Snort
• www.networkintrusion.co.uk for guidance
Slide 47 © First Base Technologies 2003
Security Awareness
• Sharing admin accounts
• Service accounts
• Account naming conventions
• Server naming conventions
• Hardening
• Passwords (understand NT passwords!)
• Two-factor authentication?
Slide 48 © First Base Technologies 2003
Serious Policy & Procedures
• Top-down commitment
• Investment
• Designed-in security
• Regular audits
• Regular penetration testing
• Education & awareness
Slide 49 © First Base Technologies 2003
Peter Wood
www.fbtechies.co.uk
Need more information?