©2016 Crowe Horwath LLP
Where Would Batman Be Without His Belt? Leveraging Hacker Tools for Better Auditing
Erika Del Giudice, Michael Salihoglu
Yes, we know Batman is from the D.C. Universe
Agenda
• Who are we?
• Auditors vs. InfoSec
• Tools:
  • NMAP
  • Wireshark
  • Shareenum
  • ad-ldap-enum
  • Other Tools
• Example Report Card: Avengers, INC.
Who are we?
• The Crowe Horwath LLP cybersecurity team offers a comprehensive suite of solutions to identify cybersecurity risks and help you manage them, so you can strengthen the confidentiality, integrity, and availability of organizational assets.
• Erika Del Giudice is a Senior Manager in Crowe Horwath LLP’s Risk Consulting Practice, focusing on IT Audit and Consulting services.
• Michael Salihoglu is a Security Consultant with Crowe Horwath’s Technology Risk practice.
Audit vs. InfoSec (and IT)
• You’re on the same team!
• Hostility only hurts you both
• Working together can provide stronger results
• Audit can leverage IS’s knowledge and administrative capabilities to gather relevant data about the environment
• IS can leverage audit to communicate the significance of deficiencies in the environment and to test their changes.
Hacking Step 1: Identification
Diagram: Hacking vs. Auditing, step 1: Identification
Let’s get to some tools!
Nmap – An Oldie but a Goodie
• “Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing.”
• Used to scan networks to determine which hosts are live, where they are located, what services (applications) are running, and which versions
• First released in 1997; still used today
• https://nmap.org/
Nmap - Example
• https://www.youtube.com/watch?v=0PxTAn4g20U
Avengers, INC. – Nmap Example
• Using common ports as identifiers, what services exist in the environment?
  • SQL Servers?
  • Mail hosts?
  • VMWare Hosts?
  • Unix Hosts?
  • Printers?
• What ports does the network allow out to the internet?
Finding: Avengers, INC. allows all outbound traffic out of their network with no restrictions. This could give attackers more avenues for exfiltration and data compromise.
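As an added example (not code from the presentation or from Crowe), the following Python script turns nmap's XML output (`-oX`) into the port-based service inventory the slide asks for. The port-to-category mapping and the embedded scan result are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Common ports used as service identifiers (assumed mapping for this example; extend as needed).
PORT_CATEGORIES = {
    1433: "SQL Server", 3306: "MySQL", 1521: "Oracle",
    25: "Mail", 110: "Mail", 143: "Mail", 587: "Mail",
    902: "VMware", 9100: "Printer", 515: "Printer", 631: "Printer",
    22: "Unix/SSH", 445: "Windows/SMB", 3389: "Windows/RDP",
}

def inventory_from_nmap_xml(xml_text):
    """Group hosts by service category from nmap -oX output (only 'open' ports count)."""
    root = ET.fromstring(xml_text)
    inventory = defaultdict(set)
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            category = PORT_CATEGORIES.get(int(port.get("portid")))
            if category:
                inventory[category].add(addr_el.get("addr"))
    return {cat: sorted(hosts) for cat, hosts in inventory.items()}

# Constructed sample in nmap's XML layout (not a real scan result).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="1433"><state state="open"/></port>
    <port protocol="tcp" portid="3389"><state state="open"/></port>
  </ports></host>
  <host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="9100"><state state="open"/></port>
    <port protocol="tcp" portid="22"><state state="closed"/></port>
  </ports></host>
</nmaprun>"""

if __name__ == "__main__":
    for category, hosts in sorted(inventory_from_nmap_xml(SAMPLE_XML).items()):
        print(f"{category}: {', '.join(hosts)}")
```

Run the real scan with `nmap -oX scan.xml <scope>` and feed the file contents in; closed or filtered ports are ignored, so the inventory only reflects services actually reachable from the scanning host.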
Wireshark – A pcap is worth a thousand words
• Used to monitor immediate subnet traffic
• Can leverage filters to discover what kind of protocols exist in the environment
• https://www.wireshark.org/
Avengers INC. – Wireshark Example
• What traffic is present in the network?
• Are there any red flags?
  • Local Network Discovery Protocols?
  • Unauthenticated or Unencrypted Routing Protocols?
  • Unauthenticated or Unencrypted Router Redundancy Protocols?
  • Unencrypted Management or File Transfer Protocols?
  • IPv6?
• Does the network have any segmentation?
  • VoIP Networks
  • Core Banking Networks
  • Administrative Networks
Finding: Avengers, INC. has NetBIOS and LLMNR enabled on their network, allowing a potential attacker the means to capture user credentials
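An added example, not part of the presentation: a small Python classifier that flags the red-flag protocol families listed above (name-resolution broadcasts such as LLMNR and NBT-NS, routing and router-redundancy protocols, cleartext management protocols, IPv6) in raw Ethernet frames, the same check a per-protocol Wireshark display filter performs. The frames are constructed sample data; the ethertype and port assignments are the standard ones.

```python
import struct

# How each red-flag protocol from the slide shows up in a raw Ethernet frame.
ETHERTYPE_FLAGS = {0x86DD: "IPv6", 0x88CC: "LLDP"}
IPPROTO_FLAGS = {112: "VRRP"}                      # router redundancy, often unauthenticated
UDP_FLAGS = {137: "NBT-NS", 5355: "LLMNR", 5353: "mDNS", 1985: "HSRP", 520: "RIP"}
TCP_FLAGS = {21: "FTP (cleartext)", 23: "Telnet (cleartext)"}

def classify_frame(frame):
    """Return the red-flag label for one frame, or None if it is not one of the protocols above."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype in ETHERTYPE_FLAGS:
        return ETHERTYPE_FLAGS[ethertype]
    if ethertype != 0x0800:                        # only IPv4 is parsed further
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    if proto in IPPROTO_FLAGS:
        return IPPROTO_FLAGS[proto]
    l4 = ip[ihl:]
    if len(l4) < 4:
        return None
    dport = struct.unpack("!H", l4[2:4])[0]         # destination port is bytes 2-3 for UDP and TCP
    return UDP_FLAGS.get(dport) if proto == 17 else TCP_FLAGS.get(dport) if proto == 6 else None

def summarize(frames):
    """Count red-flag frames by label, as a set of per-protocol display filters would."""
    counts = {}
    for label in map(classify_frame, frames):
        if label:
            counts[label] = counts.get(label, 0) + 1
    return counts

def make_ipv4_frame(proto, dport):
    """Constructed minimal Ethernet/IPv4 frame with an 8-byte L4 header (sample data, not a capture)."""
    eth = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"
    ip = bytes([0x45, 0]) + struct.pack("!HHHBBH4s4s", 28, 0, 0, 64, proto, 0,
                                        bytes([10, 0, 0, 5]), bytes([10, 0, 0, 255]))
    return eth + ip + struct.pack("!HH", 49152, dport) + b"\x00" * 4

# Constructed capture: LLMNR, NBT-NS, ordinary DNS, Telnet, and one IPv6 frame.
SAMPLE_FRAMES = [make_ipv4_frame(17, 5355), make_ipv4_frame(17, 137), make_ipv4_frame(17, 53),
                 make_ipv4_frame(6, 23), b"\x33\x33\x00\x00\x00\x01" + b"\x00\x11\x22\x33\x44\x66"
                 + b"\x86\xdd" + b"\x60" + b"\x00" * 39]
```

The DNS frame is deliberately not flagged, which is the difference an auditor cares about: LLMNR and NBT-NS are fallbacks that only appear when proper DNS is bypassed, so any count above zero is worth raising.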
ad-ldap-enum
• Tool that was developed to query domain information over LDAP and build group membership listings
• ad-ldap-enum will query the following:
  • SAM Account Name
  • Account Flags (Enabled, Disabled, etc.)
  • Account Full Name
  • Account Email Address
  • Account Home Folder
  • Account Password Expiration
  • Account Last Logon
  • Account User Comments
• https://github.com/CroweCybersecurity/ad-ldap-enum
Avengers, INC. - ad-ldap-enum Example
• Are there excessive disabled accounts in the environment?
• Are there any accounts with passwords that haven’t been reset according to company policy?
• Are there any stale enabled accounts that haven’t been logged into for years?
• Are users in groups that provide access to locations to which the users shouldn’t have access?
Finding: 63 enabled user accounts were found to not have been logged into for over a year. Additionally, 15 accounts have passwords that have not been changed in over a month, which is noncompliant with the current company policy.
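As an added example (not ad-ldap-enum's own code or output format), here is the review logic behind the finding above, applied to the raw Active Directory attributes the tool collects: `userAccountControl` for the enabled/disabled flag, and the FILETIME values `lastLogonTimestamp` and `pwdLastSet`. The sample records, the one-year stale threshold and the 30-day password-age policy are assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x0002                       # userAccountControl bit for a disabled account
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """lastLogonTimestamp and pwdLastSet are 100 ns ticks since 1601-01-01 UTC; 0 means never.
    lastLogonTimestamp replicates with up to ~14 days of lag, which is fine for a one-year check."""
    return None if not ft else EPOCH_1601 + timedelta(microseconds=ft // 10)

def to_filetime(dt):
    """Inverse of filetime_to_datetime, used only to build the constructed sample below."""
    return int((dt - EPOCH_1601) / timedelta(microseconds=1)) * 10

def review_accounts(accounts, now, stale_days=365, max_pw_age_days=30):
    """Answer the slide's questions: disabled accounts, stale enabled accounts, passwords older than policy."""
    stale, pw_old, disabled = [], [], []
    for acct in accounts:
        name = acct["sAMAccountName"]
        if acct["userAccountControl"] & ACCOUNTDISABLE:
            disabled.append(name)
            continue                              # disabled accounts are reported separately
        last_logon = filetime_to_datetime(acct["lastLogonTimestamp"])
        if last_logon is None or now - last_logon > timedelta(days=stale_days):
            stale.append(name)
        pw_set = filetime_to_datetime(acct["pwdLastSet"])
        if pw_set is None or now - pw_set > timedelta(days=max_pw_age_days):
            pw_old.append(name)
    return {"disabled": disabled, "stale_enabled": stale, "password_over_policy": pw_old}

# Constructed sample records using real AD attribute names (not actual ad-ldap-enum output).
NOW = datetime(2016, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "tstark", "userAccountControl": 0x200,      # NORMAL_ACCOUNT
     "lastLogonTimestamp": to_filetime(NOW - timedelta(days=3)),
     "pwdLastSet": to_filetime(NOW - timedelta(days=10))},
    {"sAMAccountName": "bbanner", "userAccountControl": 0x200,
     "lastLogonTimestamp": to_filetime(NOW - timedelta(days=400)),
     "pwdLastSet": to_filetime(NOW - timedelta(days=45))},
    {"sAMAccountName": "svc_old", "userAccountControl": 0x202,     # NORMAL_ACCOUNT | ACCOUNTDISABLE
     "lastLogonTimestamp": 0, "pwdLastSet": 0},
]

if __name__ == "__main__":
    for finding, names in review_accounts(SAMPLE_ACCOUNTS, NOW).items():
        print(f"{finding}: {len(names)} ({', '.join(names) or 'none'})")
```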
ShareEnum
• What shares are available on my network and who has access to them?
• Can scan from authenticated or unauthenticated perspective
• https://github.com/CroweCybersecurity/shareenum
Avengers, INC. - ShareEnum Example
• What shares does Avengers INC. allow all users to see?
  • Backups?
  • Administrative tools?
  • Sensitive Information?
• What kind of access do these users have to these shares?
  • Read Only?
  • Write?
  • Full Ownership?
Finding: Avengers INC. allows all users read/write access to the “Customer Info” and “Hulk’s Diary” shares, access that is unnecessary for most users on the network.
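An added example (not ShareEnum's own code): given the share ACEs an enumeration produces, this Python snippet maps each Windows access mask onto the slide's Read Only / Write / Full Ownership buckets and reports the highest level granted to a broad principal such as Everyone or Domain Users, which is how the finding above is reached. The access-mask constants are the documented Windows values; the list of "broad" principals and the sample ACEs are assumptions constructed for the example.

```python
# Well-known Windows access-mask bits used to classify share permissions.
FILE_READ_DATA  = 0x00000001
FILE_WRITE_DATA = 0x00000002
DELETE          = 0x00010000
WRITE_DAC       = 0x00040000
WRITE_OWNER     = 0x00080000
GENERIC_READ    = 0x80000000
GENERIC_WRITE   = 0x40000000
GENERIC_ALL     = 0x10000000
FILE_ALL_ACCESS = 0x001F01FF

# Principals that amount to "every user on the network" (assumed set for this example).
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users", "Users"}
LEVEL_RANK = {"None": 0, "Read Only": 1, "Write": 2, "Full Ownership": 3}

def classify_mask(mask):
    """Map an ACE access mask to the slide's Read Only / Write / Full Ownership buckets."""
    if mask & GENERIC_ALL or (mask & FILE_ALL_ACCESS) == FILE_ALL_ACCESS or mask & (WRITE_DAC | WRITE_OWNER):
        return "Full Ownership"               # can change the ACL or take ownership
    if mask & (GENERIC_WRITE | FILE_WRITE_DATA | DELETE):
        return "Write"
    if mask & (GENERIC_READ | FILE_READ_DATA):
        return "Read Only"
    return "None"

def find_overexposed_shares(aces):
    """aces: iterable of (share, principal, access_mask); returns the highest level a broad principal holds."""
    worst = {}
    for share, principal, mask in aces:
        if principal not in BROAD_PRINCIPALS:
            continue
        level = classify_mask(mask)
        if LEVEL_RANK[level] > LEVEL_RANK[worst.get(share, "None")]:
            worst[share] = level
    return {share: level for share, level in worst.items() if level != "None"}

# Constructed sample ACEs (not real ShareEnum output).
SAMPLE_ACES = [
    ("Customer Info", "Everyone", 0x001301BF),          # "Modify": read, write, delete
    ("Hulk's Diary", "Authenticated Users", FILE_ALL_ACCESS),
    ("Backups", "Backup Operators", FILE_ALL_ACCESS),   # privileged group, not broad
    ("Public", "Domain Users", 0x00120089),             # FILE_GENERIC_READ
]

if __name__ == "__main__":
    for share, level in find_overexposed_shares(SAMPLE_ACES).items():
        print(f"{share}: broad principal has {level}")
```

Share-level and NTFS-level permissions combine as the more restrictive of the two, so an accurate picture needs both ACLs run through the same classification.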
Other Tools!
• Enum4linux, polenum, many others...
• Built-In Windows Tools:
  • Example: auditpol
• Linux:
  • Lynis
  • https://cisofy.com/lynis/
• Apple OSX:
  • Lynis
  • Open-audIT
  • http://www.open-audit.org
Finding: The Mac and Linux machines on the network do not comply with the enterprise password policy.
Avengers, INC. Report Card
• Five Findings – How typical is this?
• Can there be pushback?
• The data often points out discrepancies or holes in policies and procedures that otherwise aren’t identified
• Remediation?
Questions
???
In accordance with applicable professional standards, some firm services may not be available to attest clients.
This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction.
© 2016 Crowe Horwath LLP, an independent member of Crowe Horwath International crowehorwath.com/disclosure
Erika Del Giudice, Senior Manager, Phone [email protected]
Michael Salihoglu, Consultant, Phone 312.759.1027, [email protected]
Thank you