
SEC403 - Anatomy of a Network Hack: How To Get Your Network Hacked in Ten Easy Steps!

Jesper M. Johansson
Enterprise Security Architect, Security Business & Technology Unit
jesperjo @ microsoft.com

This Presentation... is about operational security

- The easy way is not always the secure way
- Networks are usually designed in particular ways
  - In many cases, these practices simplify attacks
  - In some cases these practices enable attacks
- You need to know the methods of your adversary to stop them

This Presentation is Not...

- ...a hacking tutorial
  - Hacking networks you own can be enlightening
  - Hacking networks you do not own is illegal!
- ...a demonstration of Windows vulnerabilities
  - Everything we show stems from operational security or custom applications
  - Knowing how the platform operates is critical
  - All platforms can get hacked
- ...for the faint of heart

The Tools

- Four categories of tools used
  - "Co-opted" ordinary components
  - Windows Resource Kit tools
  - Commonly available hacking/administration tools
  - Custom-written tools
- The difference between hackers and script kiddies is that hackers write their own tools

By the Way...

- I will not give you my tools. It does not matter what you do for a living or who you work for
- If you do not ask, I don't have to say no

The Target

[Network diagram: Bad Guy on the Internet; Filtering Router; RRAS Basic Firewall; Web Server; SQL Server; Data Center DC; Corp DC (10.1.2.17). Other addresses shown on the diagram: 192.168.2.30, 172.17.0.1, 172.17.0.2, 172.17.0.3, 10.1.2.16.]


Knocking Down The Side Door

```csharp
// Three mistakes in this statement alone:
SqlConnection conn = new SqlConnection();
conn.ConnectionString =
    "data source=PYN-SQL;" +
    "initial catalog=pubs;" +
    "user id=sa;" +
    "password=password;" +
    "persist security info=True;" +
    "packet size=4096";
conn.Open();

// Don't do this at home folks: SQL Query Composition
string strQuery;
strQuery = "select * from Users where UserName = '" +
    username.Text + "' and Password ='" + password.Text + "';";
```

Slide callouts:

- On the connection string: Bad: not a trusted connection. Worse, privileged user... ...with a lame password.
- On username.Text and on password.Text: Completely un-validated user input!

But Wait, It Gets Better

```csharp
int rowCount = ds.Tables["Users"].Rows.Count;
if (rowCount > 0) // If we get back something...
{
    //...we must be successfully logged in
    Session["LoggedIn"] = true;
    // Store the username in a session variable
    Session["username"] = username.Text;
    ...
}
```

```aspx
<body>
<asp:Label id="Username" runat="server">Label</asp:Label>
```

Slide callout: this is the user name from the form.

```csharp
...
private void Page_Load(object sender, System.EventArgs e)
{
    ...
    Username.Text = Session["username"].ToString();
}
```

Slide callout: which we cross-site script onto the page!
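The login and display code above, rewritten the way the closing "10 Things Attackers Don't Want You To Do" list asks for, as an added example that is not from the presentation: a parameter instead of query composition, a Windows-authenticated connection in place of sa/password, a stored PBKDF2 hash instead of a cleartext Password column, and HTML encoding before the name reaches the Label. The LoginService class, the PasswordHash column, the "salt:hash" storage format and the iteration count are assumptions for this illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web;

public class LoginService
{
    // "Not a trusted connection / privileged user / lame password": Windows
    // authentication keeps the sa password out of source; grant the app pool
    // identity only the rights it needs on the pubs database.
    private const string ConnectionString =
        "data source=PYN-SQL;initial catalog=pubs;integrated security=SSPI;";

    // "SQL Query Composition": the input travels as a parameter, so it is data
    // to the server and can never change the shape of the statement.
    public static bool IsValidLogin(string username, string password)
    {
        const string sql = "select PasswordHash from Users where UserName = @user";
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 64).Value = username;
            conn.Open();
            object stored = cmd.ExecuteScalar();
            // A row only proves the name exists; the slide's "rowCount > 0"
            // treated it as proof of a valid password.
            return stored != null && VerifyPassword(password, (string)stored);
        }
    }

    // Assumed column format: "base64salt:base64hash" (PBKDF2), never cleartext.
    private static bool VerifyPassword(string password, string stored)
    {
        string[] parts = stored.Split(':');
        if (parts.Length != 2) return false;
        byte[] salt = Convert.FromBase64String(parts[0]);
        byte[] expected = Convert.FromBase64String(parts[1]);
        byte[] actual = new Rfc2898DeriveBytes(password, salt, 100000).GetBytes(expected.Length);
        int diff = 0;                       // constant-time comparison
        for (int i = 0; i < expected.Length; i++) diff |= actual[i] ^ expected[i];
        return diff == 0;
    }

    // "Which we cross-site script onto the page": encode any request-derived
    // value before it is written into the Label.
    public static string SafeDisplayName(object sessionValue)
    {
        return HttpUtility.HtmlEncode((sessionValue as string) ?? string.Empty);
    }
}
```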

How to Make Use of This

Note: This network is entirely fictitious. Any similarity with any real network is completely accidental.

Where We Are At

[Same network diagram as on "The Target".]

Why:
- Poorly written web application
- Insufficient application hardening
- No outbound filtering
- Insufficient host hardening

Where We Are At

[Same network diagram as on "The Target".]

Why:
- No internal filtering
- Shared service accounts

Where We Are At

[Same network diagram as on "The Target".]

Why:
- Indiscriminate use of domain admin credentials
- Unnecessary firewall holes
- Lack of paranoia

Where We Are At

[Same network diagram as on "The Target".]

Why:
- Duplicate passwords
- Unrestricted internal traffic

The Moral of the Story

- Initial entry is everything
- Most networks are designed like egg shells
  - Hard and crunchy on the outside
  - Soft and chewy on the inside
- Once an attacker is inside the network, you can...
  - ...update resume
  - ...hope he does a good job running it
  - ...drain it

How To Get Your Network Hacked in 10 Easy Steps

1. Don't patch anything
2. Run unhardened applications
3. Use one admin account, everywhere
4. Open lots of holes in the firewall
5. Allow unrestricted internal traffic
6. Allow all outbound traffic
7. Don't harden servers
8. Reuse your passwords
9. Use high-level service accounts, in multiple places
10. Assume everything is OK

10 Things Attackers Don't Want You To Do

1. Ensure everything is fully patched
2. Use properly hardened applications
3. Use least privilege
4. Open only necessary holes in firewalls
5. Restrict internal traffic
6. Restrict outbound traffic
7. Harden servers
8. Use unique pass phrases or smart cards
9. Micro-manage service accounts
10. Maintain a healthy level of paranoia

For more information

- Jesper and Steve finally wrote a book!
- Order online: http://www.awprofessional.com/title/0321336437
- Use promo code JJSR6437
- jesperjo @ microsoft.com

Your Feedback is Important!

Please write the number located in the bottom left hand corner of your name badge on the top of the Evaluation Form. This number links back to your registration details so that we can contact you after TechEd.

When completing the Evaluation Form, please tick the number that best corresponds to your experience at TechEd. For additional comments, use the comments section at the end of each form.

Jesper M. Johansson
jesperjo @ microsoft.com

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

