Anatomy of a Network Hack: How To Get Your Network Hacked in Ten Easy Steps! Jesper M. Johansson

Date post: 21-Dec-2015

Anatomy of a Network Hack: How To Get Your Network Hacked in Ten Easy Steps!

Jesper M. Johansson
Enterprise Security Architect
Security Business & Technology Unit
jesperjo @ microsoft.com

This Presentation… is about operational security

The easy way is not always the secure way

Networks are usually designed in particular ways

In many cases, these practices simplify attacks

In some cases these practices enable attacks

You need to know the methods of your adversary to stop them

This Presentation is Not…

…a hacking tutorial

Hacking networks you own can be enlightening

Hacking networks you do not own is illegal!

…a demonstration of Windows vulnerabilities

Everything we show stems from operational security or custom applications

Knowing how the platform operates is critical

All platforms can get hacked

…for the faint of heart

The Tools

Four categories of tools used

“Co-opted” ordinary components

Windows Resource Kit tools

Commonly available hacking/administration tools

Custom-written tools

The difference between hackers and script kiddies is that hackers write their own tools

By the Way…

I will not give you my tools. It does not matter what you do for a living or who you work for

If you do not ask, I don’t have to say no

The Target

[Network diagram: Bad Guy on the Internet; Filtering Router; RRAS Basic Firewall; Web Server; SQL Server; Data Center DC; Corp DC 10.1.2.17; other addresses shown: 192.168.2.30, 172.17.0.1, 172.17.0.2, 172.17.0.3, 10.1.2.16]

Knocking Down The Side Door

```csharp
using System.Data.SqlClient;

// Three mistakes in this statement alone:
SqlConnection conn = new SqlConnection();
conn.ConnectionString =
    "data source=PYN-SQL;" +
    "initial catalog=pubs;" +
    "user id=sa;" +                  // privileged SQL login for a web app
    "password=password;" +           // trivial password, in source code
    "persist security info=True;" +  // credentials kept around after Open()
    "packet size=4096";
conn.Open();

// Don't do this at home folks: SQL Query Composition
// Form fields are concatenated straight into the SQL text.
string strQuery;
strQuery = "select * from Users where UserName = '" +
    username.Text + "' and Password ='" +
    password.Text + "';";
```

Completely un-validated user input! (both username.Text and password.Text go straight into the query)

Bad: not a trusted connection

Worse, privileged user…

…with a lame password

But Wait, It Gets Better

```csharp
int rowCount = ds.Tables["Users"].Rows.Count;
if (rowCount > 0) // If we get back something...
{
    // ...we must be successfully logged in
    Session["LoggedIn"] = true;
    // Store the username in a session variable
    Session["username"] = username.Text;
    ...
```

```aspx
<body><asp:Label id="Username" runat="server">Label</asp:Label>
...
```

```csharp
private void Page_Load(object sender, System.EventArgs e)
{
    ...
    // Session value is written to the page unencoded
    Username.Text = Session["username"].ToString();
}
```

This is the user name from the form, which we cross-site script onto the page!
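The two slides above show the same login page from both sides: the query is built from form text, and the form text is later written back to the page. The following is an added example, not the presenter's code, that keeps the slide's table and control names (Users, username, password, Username) but replaces the sa connection with a trusted one, sends the input as parameters, and encodes at output; the control declarations are assumed here for completeness.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
// Added example (not the presenter's code): the same login, hardened.
public partial class Login : Page
{
    // Trusted connection under the app pool's own low-privilege identity:
    // no sa, no password in source (in practice read this from config).
    private const string ConnStr =
        "data source=PYN-SQL;initial catalog=pubs;Integrated Security=SSPI;";
    protected TextBox username, password;   // the controls from the .aspx form
    // Input travels as parameters, never as SQL text, so a quote in the
    // username cannot rewrite the query. (Hashing stored passwords is a
    // separate fix not shown here.)
    private static bool CredentialsValid(string user, string pass)
    {
        const string sql = "select count(*) from Users " +
                           "where UserName = @user and Password = @pass";
        using (SqlConnection conn = new SqlConnection(ConnStr))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 64).Value = user;
            cmd.Parameters.Add("@pass", SqlDbType.NVarChar, 128).Value = pass;
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (CredentialsValid(username.Text, password.Text))
        {
            Session["LoggedIn"] = true;
            Session["username"] = username.Text;  // still attacker-chosen text
        }
    }
}
public partial class Welcome : Page
{
    protected Label Username;               // the label from the .aspx page
    private void Page_Load(object sender, EventArgs e)
    {
        object name = Session["username"];
        if (name == null) { Response.Redirect("Login.aspx"); return; }
        // Encode at output so markup inside the stored name renders as text.
        Username.Text = HttpUtility.HtmlEncode(name.ToString());
    }
}
```

Note that the session still stores whatever the visitor typed; the fix is to treat it as untrusted wherever it is rendered, not to trust it because it passed the login.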

How to Make Use of This

Note: This network is entirely fictitious. Any similarity with any real network is completely accidental.

Where We Are At

Why

Poorly written web application

Insufficient application hardening

No outbound filtering

Insufficient host hardening


Where We Are At

Why

No internal filtering

Shared service accounts


Where We Are At

Why

Indiscriminate use of domain admin credentials

Unnecessary firewall holes

Lack of paranoia


Where We Are At

Why

Duplicate passwords

Unrestricted internal traffic


The Moral of the Story

Initial entry is everything

Most networks are designed like egg shells

Hard and crunchy on the outside

Soft and chewy on the inside

Once an attacker is inside the network, you can…

…update resume

…hope he does a good job running it

…drain it

How To Get Your Network Hacked in 10 Easy Steps

1. Don’t patch anything

2. Run unhardened applications

3. Use one admin account, everywhere

4. Open lots of holes in the firewall

5. Allow unrestricted internal traffic

6. Allow all outbound traffic

7. Don’t harden servers

8. Reuse your passwords

9. Use high-level service accounts, in multiple places

10. Assume everything is OK

10 Things Attackers Don’t Want You To Do

1. Ensure everything is fully patched

2. Use properly hardened applications

3. Use least privilege

4. Open only necessary holes in firewalls

5. Restrict internal traffic

6. Restrict outbound traffic

7. Harden servers

8. Use unique pass phrases or smart cards

9. Micro-manage service accounts

10. Maintain a healthy level of paranoia

For more information

Jesper and Steve finally wrote a book!

Order online: http://www.awprofessional.com/title/0321336437

Use promo code JJSR6437

Jesper M. Johansson, jesperjo@microsoft.com

© 2005 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
