hacking casestudy

8/3/2019 Hacking Casestudy

1/49

Some Ethical Hacking

Case Studies

Peter Wood

FirstBase

Technologies


2/49

Slide 2 First Base Technologies 2003

How much damage

can a security breach cause?

44% of UK businesses suffered at least one

malicious security breach in 2002

The average cost was 30,000

Several cost more than 500,000

and these are just the reported incidents !

Source: The DTI Information Security Breaches survey


3/49


The External Hacker


4/49


Desktop PC

Client's business partnerMy Client

Bridge Bridge

Dial-in

from

hom

eDial-upISDNc

onnection

Internet

Firewall

Leas

edline

Web Developer


5/49


Desktop PC

Client's business partnerMy Client

Bridge Bridge

Dial-in

from

hom

eDial-upISDNc

onnection

Internet

Firewall

Leas

edline

Web Developer

Secure

the

desktop

Secure

the

network

Secure

third-party

connections

Secure

Internetconnections


6/49


The Inside Hacker


7/49


Plug and go

Ethernet ports are never disabled .

or just steal a connection from a desktop

NetBIOS tells you lots and lots

. And you dont need to be logged on


8/49


Get yourself an IP address

Use DHCP since almost everyone does!

Or use a sniffer to see broadcast packets

(even in a switched network) and try some

suitable addresses


9/49


Browse the network


10/49


Pick a target machine

Pick a target


11/49


Try null sessions ...


12/49


List privileged users


13/49


Typical passwords

administrator

arcserve

test username

backup

tivoli

backupexec

smsservice

any service account

null, password, administrator

arcserve, backup

test, passwordpassword, monday, football

backup

tivoli

backup

smsservice

same as account name


14/49


Game over!


15/49


The Inside-Out Hacker


16/49


Senior person - laptop at home

e-m

ail

Laptop

Internet


17/49


opens attachment

e-m

ail

Laptop

Internet

Trojan software

now silently

installed


18/49


takes laptop to work

Corporate Network

Laptop Laptop

Firewall

Internet


19/49


trojan sees what they see

Corporate Network

Laptop

Firewall

Internet

Finance Server HR Server


20/49


Information flows out of the

organisation

Corporate Network

Laptop

Firewall

Internet

Finance Server HR Server

Evil server


21/49


Physical Attacks


22/49


What NT password?


23/49


NTFSDOS


24/49


Keyghost


25/49


KeyGhost - keystroke capture

Keystrokes recorded so far is 2706 out of 107250 ...

fsmitharabella

xxxxxxx None None None

arabella

arabella

arabella

exit

tracert 192.168.137.240

telnet 192.168.137.240cisco


26/49


Viewing Password-Protected Files


27/49


Office Documents


28/49


Zip Files


29/49


Plain Text Passwords


30/49


Netlogon

In the unprotected netlogon share on a server:

logon scripts can contain:

net use \\server\share password /u:user


31/49


Registry scripts

In shared directories you may find

.reg files like this:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Winlogon]

"DefaultUserName"="username"

"DefaultPassword"="password""AutoAdminLogon"="1"


32/49


Passwords in

procedures & documents


33/49


Packet sniffing

Generated by : TCP.demux V1.02Input File: carol.cap

Output File: TB000463.txt

Summary File: summary.txt

Date Generated: Thu Jan 27 08:43:08 2000

10.1.1.82 1036

10.1.2.205 23 (telnet)

UnixWare 2.1.3 (mikew) (pts/31).

login:

cl_Carol

Password:

carol1zz

UnixWare 2.1.3.

mikew.

Copyright 1996 The Santa Cruz Operation, Inc. All Rights Reserved..

Copyright 1984-1995 Novell, Inc. All Rights Reserved..

Copyright 1987, 1988 Microsoft Corp. All Rights Reserved..

U.S. Pat. No. 5,349,642.

Leave the sniffer

running

Capture all packets

to port 23 or 21

The result ...


34/49


Port scan


35/49


Brutus dictionary attack


36/49


NT Password Cracking


37/49


How to get the NT SAM

On any NT/W2K machine:

- In memory (registry)

- c:\winnt\repair\sam (invoke rdisk?)- Emergency Repair Disk

- Backup tapes

- Sniffing (L0phtcrack) Run L0phtcrack on the SAM .


38/49


End of part one!


39/49

And how to prevent it!

Peter Wood

FirstBase

Technologies


40/49


Prevention is better ...

Harden the servers

Monitor alerts (e.g. www.sans.org)

Scan, test and apply patches

Monitor logs

Good physical security

Intrusion detection systems Train the technical staff on security

Serious policy and procedures!


41/49


Server hardening

HardNT40rev1.pdf

(www.fbtechies.co.uk)

HardenW2K101.pdf

(www.fbtechies.co.uk)

FAQ for How to Secure WindowsNT (www.sans.org)

Fundamental Steps to Harden

Windows NT 4_0 (www.sans.org)

ISF NT Checklist v2

(www.securityforum.org)

http://www.microsoft.com/technet/

security/bestprac/default.asp

Lockdown.pdf (www.iss.net)

Windows NT Security Guidelines

(nsa1.www.conxion.com)

NTBugtraq FAQs

(http://ntbugtraq.ntadvice.com/defa

ult.asp?pid=37&sid=1) Securing Windows 2000

(www.sans.org)

Securing Windows 2000 Server

(www.sans.org)

Windows 2000 Known

Vulnerabilities and Their Fixes

(www.sans.org)

SANS step-by-step guides


42/49


Alerts

www.sans.org

www.cert.org

www.microsoft.com/security

www.ntbugtraq.com

www.winnetmag.com

razor.bindview.com

eeye.com Security Pro News (ientrymail.com)


43/49


Scan and apply patches


44/49


Monitor logs


45/49


Good physical security

Perimeter security

Computer room security

Desktop security

Close monitoring of admins work areas

No floppy drives? No bootable CDs?


46/49


Intrusion detection

RealSecure

Tripwire Dragon

Snort

www.networkintrusion.co.ukfor guidance


47/49


Security Awareness

Sharing admin accounts

Service accounts

Account naming conventions Server naming conventions

Hardening

Passwords (understand NT passwords!)

Two-factor authentication?


48/49


Serious Policy & Procedures

Top-down commitment

Investment

Designed-in security

Regular audits

Regular penetration testing

Education & awareness


49/49

Peter Wood

[email protected]

www.fbtechies.co.uk

Need more information?