hacking casestudy
TRANSCRIPT
-
8/3/2019 Hacking Casestudy
1/49
Some Ethical Hacking Case Studies
Peter Wood
First Base Technologies
-
Slide 2 First Base Technologies 2003
How much damage can a security breach cause?
44% of UK businesses suffered at least one malicious security breach in 2002
The average cost was £30,000
Several cost more than £500,000
... and these are just the reported incidents!
Source: The DTI Information Security Breaches survey
-
Slide 3 First Base Technologies 2003
The External Hacker
-
Slide 4 First Base Technologies 2003
[Network diagram labels: Desktop PC; My Client; Client's business partner; Bridge (x2); Dial-in from home; Dial-up ISDN connection; Leased line; Firewall; Internet; Web Developer]
-
Slide 5 First Base Technologies 2003
[Network diagram labels: Desktop PC; My Client; Client's business partner; Bridge (x2); Dial-in from home; Dial-up ISDN connection; Leased line; Firewall; Internet; Web Developer]
Secure the desktop
Secure the network
Secure third-party connections
Secure Internet connections
-
Slide 6 First Base Technologies 2003
The Inside Hacker
-
Slide 7 First Base Technologies 2003
Plug and go
Ethernet ports are never disabled ...
... or just steal a connection from a desktop
NetBIOS tells you lots and lots ...
... and you don't need to be logged on
-
Slide 8 First Base Technologies 2003
Get yourself an IP address
Use DHCP since almost everyone does!
Or use a sniffer to see broadcast packets
(even in a switched network) and try some
suitable addresses
-
Slide 9 First Base Technologies 2003
Browse the network
-
Slide 10 First Base Technologies 2003
Pick a target machine
Pick a target
-
Slide 11 First Base Technologies 2003
Try null sessions ...
-
Slide 12 First Base Technologies 2003
List privileged users
-
Slide 13 First Base Technologies 2003
Typical passwords
Account                Typical passwords
administrator          null, password, administrator
arcserve               arcserve, backup
test                   test, password
username               password, monday, football
backup                 backup
tivoli                 tivoli
backupexec             backup
smsservice             smsservice
any service account    same as account name
-
Slide 14 First Base Technologies 2003
Game over!
-
Slide 15 First Base Technologies 2003
The Inside-Out Hacker
-
Slide 16 First Base Technologies 2003
Senior person - laptop at home
[Diagram labels: e-mail; Laptop; Internet]
-
Slide 17 First Base Technologies 2003
opens attachment
[Diagram labels: e-mail; Laptop; Internet]
Trojan software now silently installed
-
Slide 18 First Base Technologies 2003
takes laptop to work
[Diagram labels: Corporate Network; Laptop (x2); Firewall; Internet]
-
Slide 19 First Base Technologies 2003
trojan sees what they see
[Diagram labels: Corporate Network; Laptop; Firewall; Internet; Finance Server; HR Server]
-
Slide 20 First Base Technologies 2003
Information flows out of the organisation
[Diagram labels: Corporate Network; Laptop; Firewall; Internet; Finance Server; HR Server; Evil server]
-
Slide 21 First Base Technologies 2003
Physical Attacks
-
Slide 22 First Base Technologies 2003
What NT password?
-
Slide 23 First Base Technologies 2003
NTFSDOS
-
Slide 24 First Base Technologies 2003
Keyghost
-
Slide 25 First Base Technologies 2003
KeyGhost - keystroke capture
Keystrokes recorded so far is 2706 out of 107250 ...
fsmith
arabella
xxxxxxx None None None
arabella
arabella
arabella
exit
tracert 192.168.137.240
telnet 192.168.137.240
cisco
-
Slide 26 First Base Technologies 2003
Viewing Password-Protected Files
-
Slide 27 First Base Technologies 2003
Office Documents
-
Slide 28 First Base Technologies 2003
Zip Files
-
Slide 29 First Base Technologies 2003
Plain Text Passwords
-
Slide 30 First Base Technologies 2003
Netlogon
In the unprotected netlogon share on a server:
logon scripts can contain:
net use \\server\share password /u:user
-
Slide 31 First Base Technologies 2003
Registry scripts
In shared directories you may find .reg files like this:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="username"
"DefaultPassword"="password"
"AutoAdminLogon"="1"
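A defender-side audit for the two slides above (logon scripts and .reg files), added here as an example and not part of the original deck: it flags `net use` lines that carry an inline password and exported Winlogon autologon values, reporting file, line and account but never the secret itself. The regexes, function names, extension list and sample files are assumptions constructed for illustration.

```python
import os
import re

# net use [drive:] \\server\share <password> /u[ser]:<name>; a "*" password only prompts.
NET_USE = re.compile(
    r'^\s*net\s+use\s+(?:\S+:\s+)?(\\\\\S+)\s+(?!/)(\S+)\s.*?/u(?:ser)?:(\S+)', re.I)
# Winlogon autologon values as written in an exported .reg file.
REG_VALUE = re.compile(
    r'^\s*"(DefaultUserName|DefaultPassword|AutoAdminLogon)"\s*=\s*"(.*)"\s*$', re.I)
SCRIPT_EXTS = {".bat", ".cmd", ".reg"}  # assumption: extensions worth auditing

def decode(raw):
    """REGEDIT4 exports are ANSI; version 5.00 exports are UTF-16 with a BOM."""
    bom = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
    return raw.decode("utf-16" if bom else "latin-1")

def scan_text(name, text):
    """Return (file, line, kind, account) findings; the secret is never returned."""
    findings, reg = [], {}
    for no, line in enumerate(text.splitlines(), 1):
        m = NET_USE.match(line)
        if m and m.group(2) != "*":
            findings.append((name, no, "net-use-password", m.group(3)))
        m = REG_VALUE.match(line)
        if m:
            reg[m.group(1).lower()] = (no, m.group(2))
    if reg.get("defaultpassword", (0, ""))[1]:
        auto = reg.get("autoadminlogon", (0, "0"))[1] == "1"
        kind = "autologon-password" if auto else "stored-default-password"
        user = reg.get("defaultusername", (0, None))[1]
        findings.append((name, reg["defaultpassword"][0], kind, user))
    return findings

def scan_tree(root):
    """Walk a local copy or mounted path of a share and scan candidate files."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() in SCRIPT_EXTS:
                with open(os.path.join(folder, fn), "rb") as fh:
                    findings += scan_text(os.path.join(folder, fn), decode(fh.read()))
    return findings

# Constructed samples modelled on the two slides above.
LOGON_BAT = ("@echo off\nnet use \\\\server\\share password /u:user\n"
             "net use h: \\\\server\\home * /user:bob\n")
AUTOLOGON_REG = ('REGEDIT4\n\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]\n'
                 '"DefaultUserName"="username"\n"DefaultPassword"="password"\n"AutoAdminLogon"="1"\n')
if __name__ == "__main__":
    print(scan_text("logon.bat", LOGON_BAT) + scan_text("auto.reg", AUTOLOGON_REG))
```

Point `scan_tree` at a mounted or copied netlogon share; the second `net use` line in the sample is not reported because `*` prompts for the password instead of storing it.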
-
Slide 32 First Base Technologies 2003
Passwords in
procedures & documents
-
Slide 33 First Base Technologies 2003
Packet sniffing
Leave the sniffer running
Capture all packets to port 23 or 21
The result ...
Generated by : TCP.demux V1.02
Input File: carol.cap
Output File: TB000463.txt
Summary File: summary.txt
Date Generated: Thu Jan 27 08:43:08 2000
10.1.1.82 1036
10.1.2.205 23 (telnet)
UnixWare 2.1.3 (mikew) (pts/31).
login:
cl_Carol
Password:
carol1zz
UnixWare 2.1.3.
mikew.
Copyright 1996 The Santa Cruz Operation, Inc. All Rights Reserved..
Copyright 1984-1995 Novell, Inc. All Rights Reserved..
Copyright 1987, 1988 Microsoft Corp. All Rights Reserved..
U.S. Pat. No. 5,349,642.
-
Slide 34 First Base Technologies 2003
Port scan
-
Slide 35 First Base Technologies 2003
Brutus dictionary attack
-
Slide 36 First Base Technologies 2003
NT Password Cracking
-
Slide 37 First Base Technologies 2003
How to get the NT SAM
On any NT/W2K machine:
- In memory (registry)
- c:\winnt\repair\sam (invoke rdisk?)
- Emergency Repair Disk
- Backup tapes
- Sniffing (L0phtcrack)
Run L0phtcrack on the SAM ...
-
Slide 38 First Base Technologies 2003
End of part one!
-
And how to prevent it!
Peter Wood
First Base Technologies
-
Slide 40 First Base Technologies 2003
Prevention is better ...
Harden the servers
Monitor alerts (e.g. www.sans.org)
Scan, test and apply patches
Monitor logs
Good physical security
Intrusion detection systems
Train the technical staff on security
Serious policy and procedures!
-
Slide 41 First Base Technologies 2003
Server hardening
HardNT40rev1.pdf (www.fbtechies.co.uk)
HardenW2K101.pdf (www.fbtechies.co.uk)
FAQ for How to Secure Windows NT (www.sans.org)
Fundamental Steps to Harden Windows NT 4_0 (www.sans.org)
ISF NT Checklist v2 (www.securityforum.org)
http://www.microsoft.com/technet/security/bestprac/default.asp
Lockdown.pdf (www.iss.net)
Windows NT Security Guidelines (nsa1.www.conxion.com)
NTBugtraq FAQs (http://ntbugtraq.ntadvice.com/default.asp?pid=37&sid=1)
Securing Windows 2000 (www.sans.org)
Securing Windows 2000 Server (www.sans.org)
Windows 2000 Known Vulnerabilities and Their Fixes (www.sans.org)
SANS step-by-step guides
-
Slide 42 First Base Technologies 2003
Alerts
www.sans.org
www.cert.org
www.microsoft.com/security
www.ntbugtraq.com
www.winnetmag.com
razor.bindview.com
eeye.com
Security Pro News (ientrymail.com)
-
Slide 43 First Base Technologies 2003
Scan and apply patches
-
Slide 44 First Base Technologies 2003
Monitor logs
-
Slide 45 First Base Technologies 2003
Good physical security
Perimeter security
Computer room security
Desktop security
Close monitoring of admins' work areas
No floppy drives? No bootable CDs?
-
Slide 46 First Base Technologies 2003
Intrusion detection
RealSecure
Tripwire
Dragon
Snort
www.networkintrusion.co.uk for guidance
-
Slide 47 First Base Technologies 2003
Security Awareness
Sharing admin accounts
Service accounts
Account naming conventions
Server naming conventions
Hardening
Passwords (understand NT passwords!)
Two-factor authentication?
-
Slide 48 First Base Technologies 2003
Serious Policy & Procedures
Top-down commitment
Investment
Designed-in security
Regular audits
Regular penetration testing
Education & awareness
-
Need more information?
Peter Wood
www.fbtechies.co.uk