Where Would Batman Be Without His Belt?
Leveraging Hacker Tools for Better Auditing

Erika Del Giudice
Michael Salihoglu

©2016 Crowe Horwath LLP

Yes, we know Batman is from the D.C. Universe

Agenda

• Who are we?
• Auditors vs. InfoSec
• Tools:
  • NMAP
  • Wireshark
  • Shareenum
  • ad-ldap-enum
  • Other Tools

• Example Report Card: Avengers, INC.

Who are we?

• The Crowe Horwath LLP cybersecurity team offers a comprehensive suite of solutions to identify and help you manage these risks so you can strengthen the confidentiality, integrity, and availability of organizational assets.

• Erika Del Giudice is a Senior Manager in Crowe Horwath LLP’s Risk Consulting Practice focusing on IT Audit and Consulting services.

• Michael Salihoglu is a Security Consultant with Crowe Horwath’s Technology Risk practice.

Audit vs. InfoSec (and IT)

• You’re on the same team!
• Hostility only hurts you both
• Working together can provide stronger results
  • Audit can leverage IS’s knowledge and administrative capabilities to gather relevant data about the environment
  • IS can leverage audit to communicate the significance of deficiencies in the environment and to test their changes.

Hacking Step 1: Identification

[Diagram labels: Hacking, Auditing, Identification]

Let’s get to some tools!

Nmap – An Oldie but a Goodie

• “Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing.”

• Used to scan networks to determine which hosts are live, where they are located, and which services (applications) and versions are running

• First released in 1997; still used today

• https://nmap.org/

Nmap - Example

• https://www.youtube.com/watch?v=0PxTAn4g20U

Avengers, INC. – Nmap Example

• Using common ports as identifiers, what services exist in the environment?
  • SQL Servers?
  • Mail hosts?
  • VMWare Hosts?
  • Unix Hosts?
  • Printers?
• What ports does the network allow out to the internet?

Finding: Avengers, INC. allows all outbound traffic from its network with no restrictions. This could give attackers more avenues for exfiltration and data compromise.
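As an added illustration of the first question above (not part of the original slides): a sketch that reads nmap's grepable output (-oG) and groups hosts by the roles their open ports suggest. The sample scan lines, the host addresses and the port-to-role table are constructed for this example.

```python
from collections import defaultdict

# Port-to-role hints: common default ports picked for this example (an
# assumption). An open port suggests a role; it does not prove one.
ROLE_PORTS = {
    "SQL server": {1433, 1521, 3306, 5432},
    "Mail host": {25, 110, 143, 465, 587, 993, 995},
    "VMware host": {902},
    "Unix host": {22, 111, 2049},
    "Printer": {515, 631, 9100},
}

# Constructed sample in nmap's grepable (-oG) layout; hosts are fictional.
SAMPLE_GNMAP = "\n".join([
    "# Nmap scan (constructed sample)",
    "Host: 10.0.0.5 (sql01)\tStatus: Up",
    "Host: 10.0.0.5 (sql01)\tPorts: 1433/open/tcp//ms-sql-s///, 3389/open/tcp//ms-wbt-server///",
    "Host: 10.0.0.12 (mail01)\tPorts: 25/open/tcp//smtp///, 110/filtered/tcp//pop3///",
    "Host: 10.0.0.20 (esx01)\tPorts: 443/open/tcp//https///, 902/open/tcp//iss-realsecure///\tIgnored State: closed (998)",
    "Host: 10.0.0.31 (web01)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///",
    "Host: 10.0.0.40 ()\tPorts: 515/closed/tcp//printer///, 9100/open/tcp//jetdirect///",
    "Host: 10.0.0.50 ()\tPorts: 22/filtered/tcp//ssh///",
])

def open_tcp_ports(ports_field):
    """Parse 'port/state/proto/owner/service/...' entries; keep open TCP ports."""
    entries = (e.strip().split("/") for e in ports_field.split(","))
    return {int(p[0]) for p in entries if len(p) >= 3 and p[1:3] == ["open", "tcp"]}

def classify(gnmap_text):
    """Map each role to the hosts whose open ports match one of its hints."""
    roles = defaultdict(list)
    for line in gnmap_text.splitlines():
        fields = line.split("\t")
        if not fields[0].startswith("Host: "):
            continue  # comment and summary lines
        host = fields[0].split()[1]
        ports = set()
        for field in fields[1:]:
            if field.startswith("Ports: "):
                ports |= open_tcp_ports(field[len("Ports: "):])
        for role, hints in ROLE_PORTS.items():
            if ports & hints:
                roles[role].append(host)
    return dict(roles)

if __name__ == "__main__":
    for role, hosts in classify(SAMPLE_GNMAP).items():
        print(f"{role}: {', '.join(hosts)}")
```

Filtered and closed ports are ignored, so 10.0.0.50 appears under no role even though port 22 was probed.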

Wireshark – A pcap is worth a thousand words

• Used to monitor immediate subnet traffic
• Can leverage filters to discover what kind of protocols exist in the environment
• https://www.wireshark.org/

Avengers INC. – Wireshark Example

• What traffic is present in the network?
  • Are there any red flags?
    • Local Network Discovery Protocols?
    • Unauthenticated or Unencrypted Routing Protocols?
    • Unauthenticated or Unencrypted Router Redundancy Protocols?
    • Unencrypted Management or File Transfer Protocols
    • IPv6?
• Does the network have any segmentation?
  • VoIP Networks
  • Core Banking Networks
  • Administrative Networks

Finding: Avengers, INC. has NetBIOS and LLMNR enabled on its network, giving a potential attacker the means to capture user credentials.

ad-ldap-enum

• Tool that was developed to query domain information over LDAP and build group membership

• ad-ldap-enum will query the following:
  • SAM Account Name
  • Account Flags (Enabled, Disabled, etc.)
  • Account Full Name
  • Account Email Address
  • Account Home Folder
  • Account Password Expiration
  • Account Last Logon
  • Account User Comments

• https://github.com/CroweCybersecurity/ad-ldap-enum

Avengers, INC. - ad-ldap-enum Example

• Are there excessive disabled accounts in the environment?

• Are there any accounts with passwords that haven’t been reset according to company policy?

• Are there any stale enabled accounts that haven’t been logged into for years?

• Are users in groups that provide access to locations to which the users shouldn’t have access?

Finding: 63 enabled user accounts were found to not have been logged into for over a year. Additionally, 15 accounts have passwords that have not been changed in over a month, which is noncompliant with the current company policy.
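An added example, not taken from the slides or from ad-ldap-enum itself: the checks behind a finding like this one, run over raw Active Directory attributes (userAccountControl, lastLogonTimestamp, pwdLastSet). The account records are constructed, and the 365-day and 30-day thresholds are assumptions standing in for "over a year" and "over a month".

```python
from datetime import datetime, timedelta, timezone

UAC_ACCOUNTDISABLE = 0x0002  # userAccountControl bit: account is disabled
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(value):
    """AD timestamps are 100 ns ticks since 1601-01-01 UTC; 0 means never set."""
    ticks = int(value)
    return None if ticks == 0 else FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def dt_to_filetime(dt):
    """Inverse conversion, used only to build the constructed sample below."""
    return str(int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000)

def audit(accounts, now, stale_days=365, max_pw_age_days=30):
    """Return (stale_enabled, old_password) lists of sAMAccountName values."""
    stale, old_pw = [], []
    for acct in accounts:
        if int(acct["userAccountControl"]) & UAC_ACCOUNTDISABLE:
            continue  # disabled accounts are counted under a separate question
        name = acct["sAMAccountName"]
        last_logon = filetime_to_dt(acct["lastLogonTimestamp"])
        # Assumption: an enabled account that has never logged on is reported as stale.
        if last_logon is None or now - last_logon > timedelta(days=stale_days):
            stale.append(name)
        pw_set = filetime_to_dt(acct["pwdLastSet"])
        # pwdLastSet of 0 forces a change at next logon, so it is not an aged password.
        if pw_set is not None and now - pw_set > timedelta(days=max_pw_age_days):
            old_pw.append(name)
    return stale, old_pw

# Constructed sample records (fictional accounts, hypothetical values).
NOW = datetime(2016, 6, 1, tzinfo=timezone.utc)

def make_record(name, uac, logon_days, pw_days):
    logon = "0" if logon_days is None else dt_to_filetime(NOW - timedelta(days=logon_days))
    return {"sAMAccountName": name, "userAccountControl": str(uac),
            "lastLogonTimestamp": logon,
            "pwdLastSet": dt_to_filetime(NOW - timedelta(days=pw_days))}

SAMPLE = [
    make_record("tstark", 512, 2, 10),           # enabled, active, recent password
    make_record("bbanner", 512, 400, 45),        # enabled, stale logon, aged password
    make_record("nfury", 514, 900, 900),         # disabled (512 + 2): skipped
    make_record("srogers", 512, 20, 31),         # enabled, active, password 31 days old
    make_record("svc_jarvis", 66048, None, 5),   # enabled, never logged on
]

if __name__ == "__main__":
    print(audit(SAMPLE, NOW))
```

lastLogonTimestamp is replicated between domain controllers but can lag the true last logon by up to about two weeks, which does not matter against a one-year threshold.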

ShareEnum

• What shares are available on my network and who has access to them?
• Can scan from authenticated or unauthenticated perspective
• https://github.com/CroweCybersecurity/shareenum

Avengers, INC. - ShareEnum Example

• What shares does Avengers INC. allow all users to see?
  • Backups?
  • Administrative tools?
  • Sensitive Information?
• What kind of access do these users have to these shares?
  • Read Only?
  • Write?
  • Full Ownership?

Finding: Avengers INC. allows all users read/write access to the “Customer Info” and “Hulk’s Diary” shares, which is unnecessary for most users on the network.

Other Tools!

• Enum4linux, polenum, many others
• Built-In Windows Tools:
  • Example: auditpol
• Linux:
  • Lynis
    • https://cisofy.com/lynis/
• Apple OSX:
  • Lynis
  • Open-AudIT
    • http://www.open-audit.org

Finding: The Mac and Linux machines on the network do not comply with the enterprise password policy.

Avengers, INC. Report Card

• Five Findings – How typical is this?
• Can there be pushback?
• The data often points out discrepancies or holes in policies and procedures that otherwise aren’t identified
• Remediation?

Questions

???

In accordance with applicable professional standards, some firm services may not be available to attest clients.

This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction.

© 2016 Crowe Horwath LLP, an independent member of Crowe Horwath International crowehorwath.com/disclosure

Erika Del Giudice, Senior Manager

Michael Salihoglu, Consultant
Phone 312.759.1027

Thank you