
Some “Ethical Hacking” Case Studies

Peter Wood
First•Base Technologies

How much damage can a security breach cause?

• 44% of UK businesses suffered at least one malicious security breach in 2002
• The average cost was £30,000
• Several cost more than £500,000
• and these are just the reported incidents …!
Source: The DTI Information Security Breaches survey

Slide 2 © First Base Technologies 2003


The External Hacker

• Secure the desktop
• Secure Internet connections
• Secure the network
• Secure third-party connections

The Inside Hacker



Plug and go

• Ethernet ports are never disabled …
• … or just steal a connection from a desktop
• NetBIOS tells you lots and lots …
• … and you don’t need to be logged on


Get yourself an IP address

• Use DHCP since almost everyone does!
• Or … use a sniffer to see broadcast packets (even in a switched network) and try some suitable addresses


Browse the network



Pick a target machine



Try null sessions ...



List privileged users



Typical passwords

(account: passwords commonly found)

• administrator: null, password, administrator
• arcserve: arcserve, backup
• test: test, password
• username: password, monday, football
• backup: backup
• tivoli: tivoli
• backupexec: backup
• smsservice: smsservice
• … any service account: … same as account name


Game over!



The Inside-Out Hacker



Senior person - laptop at home



… opens attachment

Trojan software now silently installed


… takes laptop to work



… trojan sees what they see



Information flows out of the organisation


Physical Attacks



What NT password?



NTFSDOS



Keyghost



KeyGhost - keystroke capture

Keystrokes recorded so far is 2706 out of 107250 ...

<PWR><CAD>fsmith<tab><tab>arabella
xxxxxxx <tab><tab> None<tab><tab> None<tab><tab> None<tab><tab>
<CAD> arabella
<CAD>
<CAD> arabella
<CAD>
<CAD> arabella
exit
tracert 192.168.137.240
telnet 192.168.137.240
cisco



Viewing Password-Protected Files



Office Documents



Zip Files



Plain Text Passwords



Netlogon

In an unprotected netlogon share on a server, logon scripts can contain:

net use \\server\share "password" /u:"user"


Registry scripts

In shared directories you may find .reg files like this:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="username"
"DefaultPassword"="password"
"AutoAdminLogon"="1"
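An added audit check (not from the slides) for the two plaintext-credential sources just described: it scans logon-script text for `net use` lines that carry an embedded password and parses `.reg` exports for Winlogon keys that enable AutoAdminLogon with a stored DefaultPassword. The sample script and .reg content are constructed, and the function names are my own.

```python
import re
# Constructed sample NETLOGON logon script (not from the slides): lines 3 and 4
# store a password inline; line 2 has none; line 5 uses "*" (prompt at run time).
SAMPLE_LOGON_SCRIPT = r'''@echo off
net use h: \\fileserver\home
net use \\server\share "password" /u:"user"
net use s: \\backupsrv\tapes backup /user:arcserve
net use t: \\backupsrv\tapes * /user:arcserve
'''

# Constructed sample .reg export: a Winlogon key with AutoAdminLogon enabled.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="username"
"DefaultPassword"="password"
"AutoAdminLogon"="1"
'''

# net use [drive:] \\server\share [password | *] /u[ser]:user   (case-insensitive)
NET_USE_RE = re.compile(r'^\s*net\s+use\s+(?:[a-z]:\s+)?(?P<share>\\\\\S+)\s+'
                        r'(?P<password>"[^"]*"|\S+).*?/u(?:ser)?:(?P<user>"[^"]*"|\S+)', re.I)
# Only the "name"="value" string form is parsed; hex:/dword: values are not needed here.
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

def find_net_use_credentials(script_text):
    """(line_no, user, share) per net use line embedding a password; "*" (prompt) is skipped."""
    findings = []
    for n, line in enumerate(script_text.splitlines(), 1):
        m = NET_USE_RE.match(line)
        if m and m.group("password").strip('"') not in ("", "*"):
            # The password itself is deliberately left out of the finding.
            findings.append((n, m.group("user").strip('"'), m.group("share")))
    return findings

def parse_reg(reg_text):
    """Parse [Key] and "name"="value" lines of a .reg export into {key: {name: value}}."""
    sections, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and (m := REG_VALUE_RE.match(line)):
            sections[current][m.group("name")] = m.group("value")
    return sections

def find_autologon_credentials(reg_text):
    """DefaultUserName of each Winlogon key enabling AutoAdminLogon with a stored DefaultPassword."""
    return [v.get("DefaultUserName", "<unknown>") for k, v in parse_reg(reg_text).items()
            if k.lower() == WINLOGON_KEY.lower()
            and v.get("AutoAdminLogon") == "1" and v.get("DefaultPassword")]
```

Run it over the contents of the NETLOGON share and any shared directories; a hit means the credential has to be rotated, not just the file removed, since anyone with read access may already have it.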


Passwords in procedures & documents


Packet sniffing

• Leave the sniffer running
• Capture all packets to port 23 or 21
• The result ...

Generated by : TCP.demux V1.02
Input File: carol.cap
Output File: TB000463.txt
Summary File: summary.txt
Date Generated: Thu Jan 27 08:43:08 2000
10.1.1.82 1036
10.1.2.205 23 (telnet)

UnixWare 2.1.3 (mikew) (pts/31).

login:
cl_Carol

Password:
carol1zz

UnixWare 2.1.3.
mikew.
Copyright 1996 The Santa Cruz Operation, Inc. All Rights Reserved..
Copyright 1984-1995 Novell, Inc. All Rights Reserved..
Copyright 1987, 1988 Microsoft Corp. All Rights Reserved..
U.S. Pat. No. 5,349,642.


Port scan



Brutus dictionary attack



NT Password Cracking



How to get the NT SAM

• On any NT/W2K machine:
  - In memory (registry)
  - c:\winnt\repair\sam (invoke rdisk?)
  - Emergency Repair Disk
  - Backup tapes
  - Sniffing (L0phtcrack)
• Run L0phtcrack on the SAM …


End of part one!



And how to prevent it!

Peter Wood
First•Base Technologies

Prevention is better ...

• Harden the servers
• Monitor alerts (e.g. www.sans.org)
• Scan, test and apply patches
• Monitor logs
• Good physical security
• Intrusion detection systems
• Train the technical staff on security
• Serious policy and procedures!

Server hardening

• HardNT40rev1.pdf (www.fbtechies.co.uk)
• HardenW2K101.pdf (www.fbtechies.co.uk)
• FAQ for How to Secure Windows NT (www.sans.org)
• Fundamental Steps to Harden Windows NT 4_0 (www.sans.org)
• ISF NT Checklist v2 (www.securityforum.org)
• http://www.microsoft.com/technet/security/bestprac/default.asp
• Lockdown.pdf (www.iss.net)
• Windows NT Security Guidelines (nsa1.www.conxion.com)
• NTBugtraq FAQs (http://ntbugtraq.ntadvice.com/default.asp?pid=37&sid=1)
• Securing Windows 2000 (www.sans.org)
• Securing Windows 2000 Server (www.sans.org)
• Windows 2000 Known Vulnerabilities and Their Fixes (www.sans.org)
• SANS step-by-step guides


Alerts

• www.sans.org
• www.cert.org
• www.microsoft.com/security
• www.ntbugtraq.com
• www.winnetmag.com
• razor.bindview.com
• eeye.com
• Security Pro News (ientrymail.com)



Scan and apply patches



Monitor logs



Good physical security

• Perimeter security
• Computer room security
• Desktop security
• Close monitoring of admin’s work areas
• No floppy drives?
• No bootable CDs?



Intrusion detection

• RealSecure
• Tripwire
• Dragon
• Snort
• www.networkintrusion.co.uk for guidance



Security Awareness

• Sharing admin accounts
• Service accounts
• Account naming conventions
• Server naming conventions
• Hardening
• Passwords (understand NT passwords!)
• Two-factor authentication?


Serious Policy & Procedures

• Top-down commitment
• Investment
• Designed-in security
• Regular audits
• Regular penetration testing
• Education & awareness



Need more information?

Peter Wood

peterw@firstbase.co.uk

www.fbtechies.co.uk
