Hacking Casestudy


  • 8/3/2019 Hacking Casestudy

    1/49

    Some Ethical Hacking Case Studies

    Peter Wood

    FirstBase Technologies

    Slide 2 First Base Technologies 2003

    How much damage can a security breach cause?

    44% of UK businesses suffered at least one malicious security breach in 2002

    The average cost was £30,000

    Several cost more than £500,000

    ... and these are just the reported incidents!

    Source: The DTI Information Security Breaches survey

    Slide 3 First Base Technologies 2003

    The External Hacker

    Slide 4 First Base Technologies 2003

    [Network diagram. Labels: My Client; Client's business partner; Desktop PC; Web Developer; Internet; Firewall; Bridge (two); Dial-in from home; Dial-up ISDN connection; Leased line]

    Slide 5 First Base Technologies 2003

    [Network diagram, same labels as the previous slide, annotated with:]

    Secure the desktop

    Secure the network

    Secure third-party connections

    Secure Internet connections

    Slide 6 First Base Technologies 2003

    The Inside Hacker

    Slide 7 First Base Technologies 2003

    Plug and go

    Ethernet ports are never disabled ...

    ... or just steal a connection from a desktop

    NetBIOS tells you lots and lots ...

    ... and you don't need to be logged on

    Slide 8 First Base Technologies 2003

    Get yourself an IP address

    Use DHCP, since almost everyone does!

    Or use a sniffer to see broadcast packets (even in a switched network) and try some suitable addresses

    Slide 9 First Base Technologies 2003

    Browse the network

    Slide 10 First Base Technologies 2003

    Pick a target machine

    Pick a target

    Slide 11 First Base Technologies 2003

    Try null sessions ...

    Slide 12 First Base Technologies 2003

    List privileged users

    Slide 13 First Base Technologies 2003

    Typical passwords

    Account               Typical passwords
    administrator         null, password, administrator
    arcserve              arcserve, backup
    test                  test, password
    username              password, monday, football
    backup                backup
    tivoli                tivoli
    backupexec            backup
    smsservice            smsservice
    any service account   same as account name

    Slide 14 First Base Technologies 2003

    Game over!

    Slide 15 First Base Technologies 2003

    The Inside-Out Hacker

    Slide 16 First Base Technologies 2003

    Senior person - laptop at home

    [Diagram. Labels: e-mail; Laptop; Internet]

    Slide 17 First Base Technologies 2003

    opens attachment

    [Diagram. Labels: e-mail; Laptop; Internet]

    Trojan software now silently installed

    Slide 18 First Base Technologies 2003

    takes laptop to work

    [Diagram. Labels: Corporate Network; Laptop (two); Firewall; Internet]

    Slide 19 First Base Technologies 2003

    trojan sees what they see

    [Diagram. Labels: Corporate Network; Laptop; Firewall; Internet; Finance Server; HR Server]

    Slide 20 First Base Technologies 2003

    Information flows out of the organisation

    [Diagram. Labels: Corporate Network; Laptop; Firewall; Internet; Finance Server; HR Server; Evil server]

    Slide 21 First Base Technologies 2003

    Physical Attacks

    Slide 22 First Base Technologies 2003

    What NT password?

    Slide 23 First Base Technologies 2003

    NTFSDOS

    Slide 24 First Base Technologies 2003

    Keyghost

    Slide 25 First Base Technologies 2003

    KeyGhost - keystroke capture

    Keystrokes recorded so far is 2706 out of 107250 ...

    fsmitharabella

    xxxxxxx None None None

    arabella

    arabella

    arabella

    exit

    tracert 192.168.137.240

    telnet 192.168.137.240cisco

    Slide 26 First Base Technologies 2003

    Viewing Password-Protected Files

    Slide 27 First Base Technologies 2003

    Office Documents

    Slide 28 First Base Technologies 2003

    Zip Files

    Slide 29 First Base Technologies 2003

    Plain Text Passwords

    Slide 30 First Base Technologies 2003

    Netlogon

    In the unprotected netlogon share on a server:

    logon scripts can contain:

    net use \\server\share password /u:user

    Slide 31 First Base Technologies 2003

    Registry scripts

    In shared directories you may find .reg files like this:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "DefaultUserName"="username"
    "DefaultPassword"="password"
    "AutoAdminLogon"="1"
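
An audit for the two exposures shown on the Netlogon and Registry scripts slides, so that plaintext credentials in shared scripts are found and removed. This is an added example, not part of the original presentation; the function names, the file-extension list and the sample inputs are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# "net use [drive] \\server\share <password> /u:<user>" puts the password on the
# command line. "*" in that position means "prompt", so it is not flagged.
NET_USE = re.compile(
    r'\bnet\s+use\s+(?:(?:[a-z]:|\*)\s+)?\\\\\S+\s+(?![/*])(?:"[^"]*"|\S+)\s+.*?/u(?:ser)?:',
    re.IGNORECASE)
SECTION = re.compile(r'^\[(.+)\]$')
DEFAULT_PW = re.compile(r'^"DefaultPassword"\s*=\s*".+"$', re.IGNORECASE)
WINLOGON = r'\windows nt\currentversion\winlogon'

def scan_text(text):
    """Return [(line_number, finding)]; the secret itself is never echoed."""
    findings, section = [], ''
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        m = SECTION.match(line)
        if m:
            section = m.group(1).lower()      # remember the current registry key
        elif NET_USE.search(line):            # also matches commented-out lines
            findings.append((n, 'net use with inline password'))
        elif DEFAULT_PW.match(line) and section.endswith(WINLOGON):
            findings.append((n, 'Winlogon DefaultPassword in cleartext'))
    return findings

def read_text(path):
    """regedit exports are often UTF-16 with a BOM; scripts are usually 8-bit."""
    raw = Path(path).read_bytes()
    if raw[:2] in (b'\xff\xfe', b'\xfe\xff'):
        return raw.decode('utf-16')
    return raw.decode('utf-8', errors='replace')

def scan_tree(root, exts=('.bat', '.cmd', '.reg')):
    """Walk a directory (e.g. a mounted copy of a share) and report files with hits."""
    report = {}
    for path in Path(root).rglob('*'):
        if path.is_file() and path.suffix.lower() in exts:
            hits = scan_text(read_text(path))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample input, modelled on the two slides above.
SAMPLE_BAT = 'net use \\\\server\\share password /u:user\nnet use h: \\\\server\\home * /user:bob\n'
SAMPLE_REG = ('[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]\n'
              '"DefaultUserName"="username"\n"DefaultPassword"="password"\n"AutoAdminLogon"="1"\n')
```

Run `scan_tree` against a read-only copy or mount of the share; any reported credential should be treated as exposed and rotated, not just deleted from the file.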

    Slide 32 First Base Technologies 2003

    Passwords in procedures & documents

    Slide 33 First Base Technologies 2003

    Packet sniffing

    Generated by : TCP.demux V1.02

    Input File: carol.cap

    Output File: TB000463.txt

    Summary File: summary.txt

    Date Generated: Thu Jan 27 08:43:08 2000

    10.1.1.82 1036

    10.1.2.205 23 (telnet)

    UnixWare 2.1.3 (mikew) (pts/31).

    login:

    cl_Carol

    Password:

    carol1zz

    UnixWare 2.1.3.

    mikew.

    Copyright 1996 The Santa Cruz Operation, Inc. All Rights Reserved..

    Copyright 1984-1995 Novell, Inc. All Rights Reserved..

    Copyright 1987, 1988 Microsoft Corp. All Rights Reserved..

    U.S. Pat. No. 5,349,642.

    Leave the sniffer running

    Capture all packets to port 23 or 21

    The result ...

    Slide 34 First Base Technologies 2003

    Port scan

    Slide 35 First Base Technologies 2003

    Brutus dictionary attack

    Slide 36 First Base Technologies 2003

    NT Password Cracking

    Slide 37 First Base Technologies 2003

    How to get the NT SAM

    On any NT/W2K machine:

    - In memory (registry)

    - c:\winnt\repair\sam (invoke rdisk?)

    - Emergency Repair Disk

    - Backup tapes

    - Sniffing (L0phtcrack)

    Run L0phtcrack on the SAM ...

    Slide 38 First Base Technologies 2003

    End of part one!

    And how to prevent it!

    Peter Wood

    FirstBase Technologies

    Slide 40 First Base Technologies 2003

    Prevention is better ...

    Harden the servers

    Monitor alerts (e.g. www.sans.org)

    Scan, test and apply patches

    Monitor logs

    Good physical security

    Intrusion detection systems

    Train the technical staff on security

    Serious policy and procedures!

    Slide 41 First Base Technologies 2003

    Server hardening

    HardNT40rev1.pdf (www.fbtechies.co.uk)

    HardenW2K101.pdf (www.fbtechies.co.uk)

    FAQ for How to Secure Windows NT (www.sans.org)

    Fundamental Steps to Harden Windows NT 4_0 (www.sans.org)

    ISF NT Checklist v2 (www.securityforum.org)

    http://www.microsoft.com/technet/security/bestprac/default.asp

    Lockdown.pdf (www.iss.net)

    Windows NT Security Guidelines (nsa1.www.conxion.com)

    NTBugtraq FAQs (http://ntbugtraq.ntadvice.com/default.asp?pid=37&sid=1)

    Securing Windows 2000 (www.sans.org)

    Securing Windows 2000 Server (www.sans.org)

    Windows 2000 Known Vulnerabilities and Their Fixes (www.sans.org)

    SANS step-by-step guides

    Slide 42 First Base Technologies 2003

    Alerts

    www.sans.org

    www.cert.org

    www.microsoft.com/security

    www.ntbugtraq.com

    www.winnetmag.com

    razor.bindview.com

    eeye.com

    Security Pro News (ientrymail.com)

    Slide 43 First Base Technologies 2003

    Scan and apply patches

    Slide 44 First Base Technologies 2003

    Monitor logs

    Slide 45 First Base Technologies 2003

    Good physical security

    Perimeter security

    Computer room security

    Desktop security

    Close monitoring of admins' work areas

    No floppy drives? No bootable CDs?

    Slide 46 First Base Technologies 2003

    Intrusion detection

    RealSecure

    Tripwire

    Dragon

    Snort

    www.networkintrusion.co.uk for guidance

    Slide 47 First Base Technologies 2003

    Security Awareness

    Sharing admin accounts

    Service accounts

    Account naming conventions

    Server naming conventions

    Hardening

    Passwords (understand NT passwords!)

    Two-factor authentication?

    Slide 48 First Base Technologies 2003

    Serious Policy & Procedures

    Top-down commitment

    Investment

    Designed-in security

    Regular audits

    Regular penetration testing

    Education & awareness

    Peter Wood

    [email protected]

    www.fbtechies.co.uk

    Need more information?