Some “Ethical Hacking” Case Studies Peter Wood FirstBase Technologies.

Transcript of Some “Ethical Hacking” Case Studies Peter Wood FirstBase Technologies.

Some “Ethical Hacking” Case Studies

Peter Wood, First•Base Technologies

Slide 2 © First Base Technologies 2003

How much damage can a security breach cause?

• 44% of UK businesses suffered at least one malicious security breach in 2002

• The average cost was £30,000

• Several cost more than £500,000

• and these are just the reported incidents …!

Source: The DTI Information Security Breaches survey

Slide 3 © First Base Technologies 2003

The External Hacker

Slide 4 © First Base Technologies 2003

[Network diagram: Desktop PC; My Client; Client's business partner; Bridge; Bridge; Dial-in from home; Dial-up ISDN connection; Internet; Firewall; Leased line; Web Developer]

Slide 5 © First Base Technologies 2003

[Network diagram as on slide 4: Desktop PC; My Client; Client's business partner; Bridge; Bridge; Dial-in from home; Dial-up ISDN connection; Internet; Firewall; Leased line; Web Developer]

Callouts on the diagram:

• Secure the desktop

• Secure the network

• Secure third-party connections

• Secure Internet connections

Slide 6 © First Base Technologies 2003

The Inside Hacker

Slide 7 © First Base Technologies 2003

Plug and go

Ethernet ports are never disabled ….

… or just steal a connection from a desktop

NetBIOS tells you lots and lots …

… and you don’t need to be logged on

Slide 8 © First Base Technologies 2003

Get yourself an IP address

• Use DHCP since almost everyone does!

• Or … use a sniffer to see broadcast packets (even in a switched network) and try some suitable addresses

Slide 9 © First Base Technologies 2003

Browse the network

Slide 10 © First Base Technologies 2003

Pick a target machine

Pick a target

Slide 11 © First Base Technologies 2003

Try null sessions ...

Slide 12 © First Base Technologies 2003

List privileged users
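
A defender's counterpart to slides 11 and 12, added here as an example and not part of the original deck: the Windows NT 4.0 (SP3 and later) and Windows 2000 registry value that limits what a null (anonymous) session can enumerate. The commented-out block shows the permissive default; the live block applies the hardened value. The key path and values are the documented RestrictAnonymous settings; the file layout follows the .reg format the deck itself shows on slide 31.

```reg
REGEDIT4

; Default on NT 4.0 / Windows 2000 (value absent or 0): a null session
; can list account names, group membership and shares.
; [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
; "RestrictAnonymous"=dword:00000000

; Hardened: 1 stops enumeration of SAM accounts and names over a null
; session. Windows 2000 also accepts 2, which removes anonymous access
; altogether but can break domain trusts and some services, so test it
; on a pilot server before rolling it out.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
```

Apply with regedit on each server, then repeat the null-session test from slide 11 against it to confirm that the user list is no longer returned.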

Slide 13 © First Base Technologies 2003

Typical passwords

Account / typical password(s):

• administrator: null, password, administrator

• arcserve: arcserve, backup

• test: test, password

• username: password, monday, football

• backup: backup

• tivoli: tivoli

• backupexec: backup

• smsservice: smsservice

• … any service account: … same as account name
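
A policy check a defender can run when service accounts are created or audited, added here as an example that is not part of the original deck. It rejects exactly the combinations slide 13 lists (a blank or "null" password, a well-known default, or the account name itself) and adds length and character-class floors. DEFAULT_PASSWORDS is built from the slide; the MIN_LENGTH and three-class thresholds are assumptions for the example.

```python
"""Reject the service-account passwords slide 13 shows before they reach a server."""
import re
from typing import Iterable, List, Tuple

# Passwords the slide lists as typical for service accounts, plus the empty
# ("null") password. Constructed from slide 13 of the deck.
DEFAULT_PASSWORDS = frozenset({
    "", "null", "password", "administrator", "arcserve", "backup",
    "test", "monday", "football", "tivoli", "smsservice",
})
MIN_LENGTH = 8  # assumed policy floor
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def weak_password_reasons(account: str, password: str) -> List[str]:
    """Return every reason the password fails policy; an empty list means acceptable."""
    reasons = []
    pw, acct = password.lower(), account.lower()
    if pw in DEFAULT_PASSWORDS:
        reasons.append("in default/common password list")
    if pw == acct:
        reasons.append("same as account name")
    elif acct and acct in pw:
        reasons.append("contains account name")
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if sum(1 for p in CHARACTER_CLASSES if re.search(p, password)) < 3:
        reasons.append("fewer than three character classes")
    return reasons


def audit(pairs: Iterable[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """Run the check over (account, password) pairs; return only the failures."""
    failed = []
    for account, password in pairs:
        reasons = weak_password_reasons(account, password)
        if reasons:
            failed.append((account, reasons))
    return failed


# The account/password combinations from slide 13 ("null" is the empty password).
SLIDE_PAIRS = [
    ("administrator", ""), ("administrator", "password"),
    ("arcserve", "arcserve"), ("test", "test"), ("username", "monday"),
    ("backup", "backup"), ("tivoli", "tivoli"), ("backupexec", "backup"),
    ("smsservice", "smsservice"),
]

if __name__ == "__main__":
    for account, reasons in audit(SLIDE_PAIRS):
        print("%-15s rejected: %s" % (account, "; ".join(reasons)))
```

Every pair on the slide is rejected, most of them for more than one reason; wiring a check like this into the account-creation procedure removes the whole slide from an inside attacker's first ten minutes.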

Slide 14 © First Base Technologies 2003

Game over!

Slide 15 © First Base Technologies 2003

The Inside-Out Hacker

Slide 16 © First Base Technologies 2003

Senior person - laptop at home

[Diagram: e-mail; Laptop; Internet]

Slide 17 © First Base Technologies 2003

… opens attachment

[Diagram: e-mail; Laptop; Internet]

Trojan software now silently installed

Slide 18 © First Base Technologies 2003

… takes laptop to work

[Diagram: Corporate Network; Laptop; Laptop; Firewall; Internet]

Slide 19 © First Base Technologies 2003

… trojan sees what they see

[Diagram: Corporate Network; Laptop; Firewall; Internet; Finance Server; HR Server]

Slide 20 © First Base Technologies 2003

Information flows out of the organisation

[Diagram: Corporate Network; Laptop; Firewall; Internet; Finance Server; HR Server; Evil server]

Slide 21 © First Base Technologies 2003

Physical Attacks

Slide 22 © First Base Technologies 2003

What NT password?

Slide 23 © First Base Technologies 2003

NTFSDOS

Slide 24 © First Base Technologies 2003

Keyghost

Slide 25 © First Base Technologies 2003

KeyGhost - keystroke capture

Keystrokes recorded so far is 2706 out of 107250 ...

<PWR><CAD>fsmith<tab><tab>arabella xxxxxxx <tab><tab> None<tab><tab> None<tab><tab> None<tab><tab> <CAD> arabella<CAD><CAD> arabella<CAD><CAD> arabellaexittracert 192.168.137.240telnet 192.168.137.240cisco

Slide 26 © First Base Technologies 2003

Viewing Password-Protected Files

Slide 27 © First Base Technologies 2003

Office Documents

Slide 28 © First Base Technologies 2003

Zip Files

Slide 29 © First Base Technologies 2003

Plain Text Passwords

Slide 30 © First Base Technologies 2003

Netlogon

In the unprotected netlogon share on a server:

logon scripts can contain:

net use \\server\share "password" /u:"user"

Slide 31 © First Base Technologies 2003

Registry scripts

In shared directories you may find .reg files like this:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="username"
"DefaultPassword"="password"
"AutoAdminLogon"="1"
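
A defender's counterpart to slides 30 and 31, added here as an example that is not part of the original deck: a small Python scanner that runs over the files copied from a share (netlogon or otherwise) and flags logon scripts that embed a password in a net use line, and .reg files that store a Winlogon DefaultPassword or switch AutoAdminLogon on. The file names and contents in SAMPLE_SHARE are constructed for the example; the net use and .reg syntax is the one the slides show.

```python
"""Flag plaintext credentials left in logon scripts and .reg files on shares."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, int, str]  # (file name, line number, description)

# net use [X:] \\server\share "password" /u:"user"
# A UNC path is required so that "net use X: \\server\share /u:user",
# which prompts for the password instead of embedding it, does not match.
NET_USE_RE = re.compile(
    r'^\s*net\s+use\s+(?:[A-Za-z]:\s+)?\\\\\S+\s+"?(?P<pw>[^\s"/]+)"?\s+/u(?:ser)?:',
    re.IGNORECASE,
)
REG_SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>[^"]*)"\s*$')
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"


def scan_logon_script(filename: str, text: str) -> List[Finding]:
    """Report net use lines that carry a literal password."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = NET_USE_RE.match(line)
        if m and m.group("pw") != "*":  # "*" makes net use prompt, which is fine
            findings.append((filename, n, "net use with embedded password"))
    return findings


def scan_reg_file(filename: str, text: str) -> List[Finding]:
    """Report Winlogon auto-logon values; values under other keys are ignored."""
    findings = []
    section = ""
    for n, line in enumerate(text.splitlines(), 1):
        s = REG_SECTION_RE.match(line)
        if s:
            section = s.group("key").lower()
            continue
        if section != WINLOGON_KEY:
            continue
        v = REG_VALUE_RE.match(line)
        if not v:
            continue
        name, val = v.group("name").lower(), v.group("val")
        if name == "defaultpassword" and val:
            findings.append((filename, n, "Winlogon DefaultPassword stored in clear"))
        elif name == "autoadminlogon" and val == "1":
            findings.append((filename, n, "AutoAdminLogon enabled"))
    return findings


def scan_share(files: Dict[str, str]) -> List[Finding]:
    """files maps file name to text content; dispatch on extension."""
    out = []
    for name, text in files.items():
        low = name.lower()
        if low.endswith(".reg"):
            out.extend(scan_reg_file(name, text))
        elif low.endswith((".bat", ".cmd")):
            out.extend(scan_logon_script(name, text))
    return out


# Constructed sample share content, modelled on slides 30 and 31.
SAMPLE_SHARE = {
    "logon.bat": 'net use H: \\\\fileserv\\home /u:%USERNAME%\n'
                 'net use \\\\backupsrv\\tapes "backup" /u:"arcserve"\n'
                 'net use T: \\\\srv\\tools * /user:svc_tools\n',
    "autologon.reg": 'REGEDIT4\n\n'
                     '[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]\n'
                     '"DefaultUserName"="username"\n'
                     '"DefaultPassword"="password"\n'
                     '"AutoAdminLogon"="1"\n',
    "colours.reg": 'REGEDIT4\n\n[HKEY_CURRENT_USER\\Control Panel\\Colors]\n"Background"="0 0 0"\n',
}

if __name__ == "__main__":
    for filename, line, what in scan_share(SAMPLE_SHARE):
        print("%s:%d: %s" % (filename, line, what))
```

Only the second net use line is reported: the first has no password at all and the third uses "*", which makes net use prompt for one. Run the scanner over a copy of every share the "Everyone" group can read, not just netlogon.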

Slide 32 © First Base Technologies 2003

Passwords in procedures & documents

Slide 33 © First Base Technologies 2003

Packet sniffing

Generated by : TCP.demux V1.02
Input File: carol.cap
Output File: TB000463.txt
Summary File: summary.txt
Date Generated: Thu Jan 27 08:43:08 2000

10.1.1.82 1036 -> 10.1.2.205 23 (telnet)

UnixWare 2.1.3 (mikew) (pts/31).

login:

cl_Carol

Password:

carol1zz

UnixWare 2.1.3.mikew.Copyright 1996 The Santa Cruz Operation, Inc. All Rights Reserved..Copyright 1984-1995 Novell, Inc. All Rights Reserved..Copyright 1987, 1988 Microsoft Corp. All Rights Reserved..U.S. Pat. No. 5,349,642.

• Leave the sniffer running

• Capture all packets to port 23 or 21

• The result ...

Slide 34 © First Base Technologies 2003

Port scan

Slide 35 © First Base Technologies 2003

Brutus dictionary attack

Slide 36 © First Base Technologies 2003

NT Password Cracking

Slide 37 © First Base Technologies 2003

How to get the NT SAM

• On any NT/W2K machine:
  - In memory (registry)
  - c:\winnt\repair\sam (invoke rdisk?)
  - Emergency Repair Disk
  - Backup tapes
  - Sniffing (L0phtcrack)

• Run L0phtcrack on the SAM ….

Slide 38 © First Base Technologies 2003

End of part one!

Slide 39

And how to prevent it!

Peter Wood, First•Base Technologies

Slide 40 © First Base Technologies 2003

Prevention is better ...

• Harden the servers

• Monitor alerts (e.g. www.sans.org)

• Scan, test and apply patches

• Monitor logs

• Good physical security

• Intrusion detection systems

• Train the technical staff on security

• Serious policy and procedures!

Slide 41 © First Base Technologies 2003

Server hardening

• HardNT40rev1.pdf (www.fbtechies.co.uk)

• HardenW2K101.pdf (www.fbtechies.co.uk)

• FAQ for How to Secure Windows NT (www.sans.org)

• Fundamental Steps to Harden Windows NT 4_0 (www.sans.org)

• ISF NT Checklist v2 (www.securityforum.org)

• http://www.microsoft.com/technet/security/bestprac/default.asp

• Lockdown.pdf (www.iss.net)

• Windows NT Security Guidelines (nsa1.www.conxion.com)

• NTBugtraq FAQs (http://ntbugtraq.ntadvice.com/default.asp?pid=37&sid=1)

• Securing Windows 2000 (www.sans.org)

• Securing Windows 2000 Server (www.sans.org)

• Windows 2000 Known Vulnerabilities and Their Fixes (www.sans.org)

• SANS step-by-step guides

Slide 42 © First Base Technologies 2003

Alerts

• www.sans.org

• www.cert.org

• www.microsoft.com/security

• www.ntbugtraq.com

• www.winnetmag.com

• razor.bindview.com

• eeye.com

• Security Pro News (ientrymail.com)

Slide 43 © First Base Technologies 2003

Scan and apply patches

Slide 44 © First Base Technologies 2003

Monitor logs
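
An added example for slides 35 (Brutus dictionary attack) and 44 (Monitor logs), not from the original deck: a sliding-window detector over Windows NT/2000 security log events. It raises an alert when one source address produces a burst of failed logons (event 529) against one account inside a short window, and records whether a successful logon (event 528) followed, which is the trace a dictionary attack leaves behind. The one-event-per-line format of SAMPLE_LOG is constructed for this example; a real event log would first be exported to a similar form, and the threshold and window are assumptions to tune.

```python
"""Detect password-guessing bursts in exported NT/2000 security log events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

LOGON_SUCCESS = 528  # NT/2000 security log: successful logon
LOGON_FAILURE = 529  # unknown user name or bad password

# Constructed sample export, one event per line:
# "<date> <time> <server> <event id> <account> <source ip>"
SAMPLE_LOG = """\
2003-03-10 09:14:02 SRV01 529 jsmith 10.1.1.82
2003-03-10 09:14:03 SRV01 529 jsmith 10.1.1.82
2003-03-10 09:14:04 SRV01 529 jsmith 10.1.1.82
2003-03-10 09:14:05 SRV01 529 jsmith 10.1.1.82
2003-03-10 09:14:06 SRV01 529 jsmith 10.1.1.82
2003-03-10 09:14:07 SRV01 529 jsmith 10.1.1.82
2003-03-10 09:14:08 SRV01 528 jsmith 10.1.1.82
2003-03-10 09:20:00 SRV01 529 bob 10.1.1.40
2003-03-10 09:20:30 SRV01 529 bob 10.1.1.40
2003-03-10 09:21:00 SRV01 528 bob 10.1.1.40
2003-03-10 09:30:00 SRV01 529 arcserve 10.1.1.82
2003-03-10 09:31:30 SRV01 529 arcserve 10.1.1.82
2003-03-10 09:33:00 SRV01 529 arcserve 10.1.1.82
2003-03-10 09:34:30 SRV01 529 arcserve 10.1.1.82
2003-03-10 09:36:00 SRV01 529 arcserve 10.1.1.82
"""


def parse_event(line: str):
    """Split one exported line into (timestamp, host, event id, account, source)."""
    date, clock, host, event_id, account, source = line.split()
    ts = datetime.strptime(date + " " + clock, "%Y-%m-%d %H:%M:%S")
    return ts, host, int(event_id), account, source


def detect_password_guessing(lines: Iterable[str], threshold: int = 5,
                             window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Alert once per (account, source) that reaches `threshold` failures within `window`.

    Later failures for an alerted pair are added to its count, and a success
    after the burst is flagged, since that usually means the guess worked.
    """
    events = sorted(parse_event(l) for l in lines if l.strip())
    recent = defaultdict(deque)  # (account, source) -> failure timestamps inside the window
    alert_index = {}             # (account, source) -> position in `alerts`
    alerts = []
    for ts, host, event_id, account, source in events:
        key = (account, source)
        if event_id == LOGON_FAILURE:
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:  # drop failures that fell out of the window
                q.popleft()
            if key in alert_index:
                alerts[alert_index[key]]["failures"] += 1
            elif len(q) >= threshold:
                alert_index[key] = len(alerts)
                alerts.append({"account": account, "source": source, "host": host,
                               "first_failure": q[0], "failures": len(q),
                               "success_after": False})
        elif event_id == LOGON_SUCCESS and key in alert_index:
            alerts[alert_index[key]]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for a in detect_password_guessing(SAMPLE_LOG.splitlines()):
        print("%s from %s on %s: %d failures from %s, success afterwards: %s"
              % (a["account"], a["source"], a["host"], a["failures"],
                 a["first_failure"].time(), a["success_after"]))
```

With the defaults only jsmith is reported: bob's two typos are below the threshold, and arcserve's five failures are spaced 90 seconds apart, so no five of them ever fall inside one 60-second window. Lowering the threshold to 2 also catches bob, which is the usual trade-off when tuning this kind of rule; the "success_after" flag is what turns the alert from noise into an incident.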

Slide 45 © First Base Technologies 2003

Good physical security

• Perimeter security

• Computer room security

• Desktop security

• Close monitoring of admin’s work areas

• No floppy drives?

• No bootable CDs?

Slide 46 © First Base Technologies 2003

Intrusion detection

• RealSecure

• Tripwire

• Dragon

• Snort

• www.networkintrusion.co.uk for guidance

Slide 47 © First Base Technologies 2003

Security Awareness

• Sharing admin accounts

• Service accounts

• Account naming conventions

• Server naming conventions

• Hardening

• Passwords (understand NT passwords!)

• Two-factor authentication?

Slide 48 © First Base Technologies 2003

Serious Policy & Procedures

• Top-down commitment

• Investment

• Designed-in security

• Regular audits

• Regular penetration testing

• Education & awareness

Slide 49 © First Base Technologies 2003

Peter Wood

[email protected]

www.fbtechies.co.uk

Need more information?