Date post: | 31-Dec-2015 |
Category: |
Documents |
Upload: | ruth-solomon |
View: | 36 times |
Download: | 2 times |
Anatomy of a Network Hack:Anatomy of a Network Hack:
How To Get Your How To Get Your Network Hacked in Ten Network Hacked in Ten Easy Steps!Easy Steps!
Jesper M. JohanssonJesper M. JohanssonSenior Security StrategistSenior Security StrategistMicrosoft CorporationMicrosoft Corporation
[email protected]@microsoft.comhttp://blogs.technet.com/http://blogs.technet.com/jesper_johanssonjesper_johansson
This Presentation…This Presentation… … is about operational security… is about operational security
The easy way is not always the secure wayThe easy way is not always the secure way
Networks are usually designed in particular Networks are usually designed in particular waysways
In many cases, these practices simplify attacksIn many cases, these practices simplify attacks
In some cases these practices enable attacksIn some cases these practices enable attacks
You need to know the methods of your You need to know the methods of your adversary to stop themadversary to stop them
This Presentation is This Presentation is Not…Not…
……a hacking tutoriala hacking tutorialHacking networks you own can be enlighteningHacking networks you own can be enlightening
Hacking networks you do not own is illegal!Hacking networks you do not own is illegal!
……a demonstration of Windows vulnerabilities a demonstration of Windows vulnerabilities Everything we show stems from operational Everything we show stems from operational security or custom applicationssecurity or custom applications
Knowing how the platform operates is criticalKnowing how the platform operates is critical
All platforms can get hackedAll platforms can get hacked
……for the faint of heartfor the faint of heart
The ToolsThe Tools
Four categories of tools usedFour categories of tools used““Co-opted” ordinary componentsCo-opted” ordinary components
Windows Resource Kit toolsWindows Resource Kit tools
Commonly available Commonly available hacking/administration toolshacking/administration tools
Custom-written toolsCustom-written tools
The difference between hackers and The difference between hackers and script kiddies is that hackers writescript kiddies is that hackers writetheir own toolstheir own tools
By the Way…By the Way…
I will not give you my tools. It does I will not give you my tools. It does not matter what you do for a living or not matter what you do for a living or who you work forwho you work for
If you do not ask, I don’t have to say If you do not ask, I don’t have to say nono
The TargetThe Target
RRAS BasicFirewall
Internet
FilteringRouter
Web Server
Data Center DC
SQL Server
Bad Guy
192.168.2.30
172.17.0.1
172.17.0.3
Corp DC10.1.2.17
10.1.2.16
172.17.0.2
Knocking Down The Side Knocking Down The Side DoorDoor//Three mistakes in this statement alone:SqlConnection conn = new SqlConnection();conn.ConnectionString =
"data source=PYN-SQL;" + "initial catalog=pubs;" + "user id=sa;" + "password=password;" + "persist security info=True;“+ "packet size=4096";
conn.Open();//Don't do this at home folks: SQL Query Compositionstring strQuery;strQuery = "select * from Users where UserName = '" +
username.Text + "' and Password ='" +
password.Text + "';";
Completely un-validated user input!
Completely un-validated user input!
Bad: not a trusted connection
Worse, privileged user…
…with a lame password
But Wait, It Gets BetterBut Wait, It Gets Betterint rowCount = ds.Tables["Users"].Rows.Count;if(rowCount > 0) // If we get back something...{
//...we must be succesfully logged inSession["LoggedIn"] = true;// Store the username in a session variableSession["username"] = username.Text;
...
<body><asp:Label id="Username" runat="server">
Label</asp:Label>
...private void Page_Load(object sender, System.EventArgs e){...
Username.Text = Session["username"].ToString();}
This is the user name
from the form
Which we cross-site script onto the page!
How to Make Use How to Make Use of Thisof This
Note: Note:
This network is entirely fictitiousThis network is entirely fictitious
Any similarity with any real network is Any similarity with any real network is completely accidentalcompletely accidental
Internet
Where We Are AtWhere We Are At
WhyWhyPoorly written Poorly written web applicationweb application
Insufficient application Insufficient application hardeninghardening
No outbound filteringNo outbound filtering
Insufficient host Insufficient host hardeninghardening
RRAS BasicFirewall
FilteringRouter
Web Server
Data Center DC
SQL Server
Bad Guy
192.168.2.30
172.17.0.1
172.17.0.3
Corp DC10.1.2.17
10.1.2.16
172.17.0.2
Internet
Where We Are AtWhere We Are At
WhyWhyNo internal filteringNo internal filtering
Shared service Shared service accountsaccounts
RRAS BasicFirewall
FilteringRouter
Web Server
Data Center DC
SQL Server
Bad Guy
192.168.2.30
172.17.0.1
172.17.0.3
Corp DC10.1.2.17
10.1.2.16
172.17.0.2
Where We Are AtWhere We Are At
WhyWhyIndiscriminate use Indiscriminate use of domain adminof domain admincredentialscredentials
Unnecessary Unnecessary firewall holesfirewall holes
Lack of paranoiaLack of paranoia
Internet
RRAS BasicFirewall
FilteringRouter
Web Server
Data Center DC
SQL Server
Bad Guy
192.168.2.30
172.17.0.1
172.17.0.3
Corp DC10.1.2.17
10.1.2.16
172.17.0.2
Internet
Where We Are AtWhere We Are At
WhyWhyDuplicate passwordsDuplicate passwords
Unrestricted Unrestricted internal trafficinternal traffic
RRAS BasicFirewall
FilteringRouter
Web Server
Data Center DC
SQL Server
Bad Guy
192.168.2.30
172.17.0.1
172.17.0.3
Corp DC10.1.2.17
10.1.2.16
172.17.0.2
The Moral of the StoryThe Moral of the Story
Initial entry is everythingInitial entry is everything
Most networks are designed like egg Most networks are designed like egg shellsshells
Hard and crunchy on the outsideHard and crunchy on the outside
Soft and chewy on the insideSoft and chewy on the inside
Once an attacker is inside the Once an attacker is inside the network, you can…network, you can…
……update resumeupdate resume
……hope he does a good job running ithope he does a good job running it
……drain itdrain it
How To Get Your Network How To Get Your Network Hacked in 10 Easy StepsHacked in 10 Easy Steps1.1. Don’t patch anythingDon’t patch anything2.2. Run unhardened applicationsRun unhardened applications3.3. Use one admin account, everywhereUse one admin account, everywhere4.4. Open lots of holes in the firewallOpen lots of holes in the firewall5.5. Allow unrestricted internal trafficAllow unrestricted internal traffic6.6. Allow all outbound trafficAllow all outbound traffic7.7. Don’t harden serversDon’t harden servers8.8. Reuse your passwordsReuse your passwords9.9. Use high-level service accounts, in multiple Use high-level service accounts, in multiple
placesplaces10.10.Assume everything is OKAssume everything is OK
10 Things Attackers Don’t Want 10 Things Attackers Don’t Want You To DoYou To Do1.1. Ensure everything is fully patchedEnsure everything is fully patched2.2. Use properly hardened applicationsUse properly hardened applications3.3. Use least privilegeUse least privilege4.4. Open only necessary holes in Open only necessary holes in
firewallsfirewalls5.5. Restrict internal trafficRestrict internal traffic6.6. Restrict outbound trafficRestrict outbound traffic7.7. Harden serversHarden servers8.8. Use unique pass phrases or smart Use unique pass phrases or smart
cardscards9.9. Micro-manage service accountsMicro-manage service accounts10.10.Maintain a healthy level of paranoiaMaintain a healthy level of paranoia
For more informationFor more information
Jesper and Steve finally Jesper and Steve finally wrote a book!wrote a book!
Order online:Order online:http://protectyourwindowsnetwohttp://protectyourwindowsnetwork.comrk.com
[email protected]@microsoft.com