Hacking case-studies
Published in: Technology

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
199
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
6
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Some “Ethical Hacking” Case Studies Peter Wood First•Base Technologies
  • 2. How much damage can a security breach cause?
      • 44% of UK businesses suffered at least one malicious security breach in 2002
      • The average cost was £30,000
      • Several cost more than £500,000
      • and these are just the reported incidents …!
      Source: The DTI Information Security Breaches survey
      © First Base Technologies 2003
  • 3. The External Hacker
  • 4. [Network diagram: Internet; web developer; dial-in from home; dial-up ISDN connection; leased line; desktop PC; firewall; bridges; my client; client's business partner]
  • 5. [The same network diagram, annotated: "Secure the desktop", "Secure Internet connections", "Secure the third-party network connections"]
  • 6. The Inside Hacker
  • 7. Plug and go
      • Ethernet ports are never disabled … or just steal a connection from a desktop
      • NetBIOS tells you lots and lots … and you don’t need to be logged on
  • 8. Get yourself an IP address
      • Use DHCP since almost everyone does!
      • Or … use a sniffer to see broadcast packets (even in a switched network) and try some suitable addresses
  • 9. Browse the network
  • 10. Pick a target machine
  • 11. Try null sessions ...
  • 12. List privileged users
  • 13. Typical passwords (account: passwords)
      • administrator: null, password, administrator
      • arcserve: arcserve, backup
      • test: test, password
      • username: password, monday, football
      • backup: backup
      • tivoli: tivoli
      • backupexec: backup
      • smsservice: smsservice
      • … any service account …: same as account name
  • 14. Game over!
  • 15. The Inside-Out Hacker
  • 16. Senior person - laptop at home
      [Diagram: Internet; e-mail; laptop]
  • 17. … opens attachment
      [Diagram: Internet; e-mail; laptop. Caption: Trojan software now silently installed]
  • 18. … takes laptop to work
      [Diagram: Internet; firewall; laptop; corporate network]
  • 19. … trojan sees what they see
      [Diagram: Internet; firewall; finance server; HR server; laptop; corporate network]
  • 20. Information flows out of the organisation
      [Diagram: evil server; Internet; firewall; finance server; HR server; laptop; corporate network]
  • 21. Physical Attacks
  • 22. What NT password?
  • 23. NTFSDOS
  • 24. Keyghost
  • 25. KeyGhost - keystroke capture
      Keystrokes recorded so far is 2706 out of 107250 ...
      <PWR><CAD>fsmith<tab><tab>arabella xxxxxxx <tab><tab> None<tab><tab> None<tab><tab> None<tab><tab> <CAD> arabella <CAD> <CAD> arabella <CAD> <CAD> arabella exit tracert 192.168.137.240 telnet 192.168.137.240 cisco
  • 26. Viewing Password-Protected Files
  • 27. Office Documents
  • 28. Zip Files
  • 29. Plain Text Passwords
  • 30. Netlogon
      In the unprotected netlogon share on a server, logon scripts can contain:
      net use \\server\share "password" /u:"user"
  • 31. Registry scripts
      In shared directories you may find .reg files like this:
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
      "DefaultUserName"="username"
      "DefaultPassword"="password"
      "AutoAdminLogon"="1"
  • 32. Passwords in procedures & documents
  • 33. Packet sniffing
      • Leave the sniffer running
      • Capture all packets to port 23 or 21
      • The result ...
      Generated by : TCP.demux V1.02
      Input File: carol.cap
      Output File: TB000463.txt
      Summary File: summary.txt
      Date Generated: Thu Jan 27 08:43:08 2000
      10.1.1.82 1036 10.1.2.205 23 (telnet)
      UnixWare 2.1.3 (mikew) (pts/31).
      login: cl_Carol
      Password: carol1zz
      UnixWare 2.1.3. mikew.
      Copyright 1996 The Santa Cruz Operation, Inc. All Rights Reserved..
      Copyright 1984-1995 Novell, Inc. All Rights Reserved..
      Copyright 1987, 1988 Microsoft Corp. All Rights Reserved..
      U.S. Pat. No. 5,349,642.
  • 34. Port scan
  • 35. Brutus dictionary attack
  • 36. NT Password Cracking
  • 37. How to get the NT SAM
      • On any NT/W2K machine:
          - In memory (registry)
          - c:\winnt\repair\sam (invoke rdisk?)
          - Emergency Repair Disk
          - Backup tapes
          - Sniffing (L0phtcrack)
      • Run L0phtcrack on the SAM …
  • 38. End of part one!
  • 39. And how to prevent it! Peter Wood, First•Base Technologies
  • 40. Prevention is better ...
      • Harden the servers
      • Monitor alerts (e.g. www.sans.org)
      • Scan, test and apply patches
      • Monitor logs
      • Good physical security
      • Intrusion detection systems
      • Train the technical staff on security
      • Serious policy and procedures!
  • 41. Server hardening
      • HardNT40rev1.pdf (www.fbtechies.co.uk)
      • HardenW2K101.pdf (www.fbtechies.co.uk)
      • FAQ for How to Secure Windows NT (www.sans.org)
      • Fundamental Steps to Harden Windows NT 4_0 (www.sans.org)
      • ISF NT Checklist v2 (www.securityforum.org)
      • http://www.microsoft.com/technet/security/bestprac/default.asp
      • Lockdown.pdf (www.iss.net)
      • Windows NT Security Guidelines (nsa1.www.conxion.com)
      • NTBugtraq FAQs (http://ntbugtraq.ntadvice.com/default.asp?pid=37&sid=1)
      • Securing Windows 2000 (www.sans.org)
      • Securing Windows 2000 Server (www.sans.org)
      • Windows 2000 Known Vulnerabilities and Their Fixes (www.sans.org)
      • SANS step-by-step guides
  • 42. Alerts
      • www.sans.org
      • www.cert.org
      • www.microsoft.com/security
      • www.ntbugtraq.com
      • www.winnetmag.com
      • razor.bindview.com
      • eeye.com
      • Security Pro News (ientrymail.com)
  • 43. Scan and apply patches
  • 44. Monitor logs
  • 45. Good physical security
      • Perimeter security
      • Computer room security
      • Desktop security
      • Close monitoring of admin’s work areas
      • No floppy drives?
      • No bootable CDs?
  • 46. Intrusion detection
      • RealSecure
      • Tripwire
      • Dragon
      • Snort
      • www.networkintrusion.co.uk for guidance
  • 47. Security Awareness
      • Sharing admin accounts
      • Service accounts
      • Account naming conventions
      • Server naming conventions
      • Hardening
      • Passwords (understand NT passwords!)
      • Two-factor authentication?
  • 48. Serious Policy & Procedures
      • Top-down commitment
      • Investment
      • Designed-in security
      • Regular audits
      • Regular penetration testing
      • Education & awareness
  • 49. Need more information? Peter Wood, peterw@firstbase.co.uk, www.fbtechies.co.uk
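
Slides 30 and 31 describe passwords left in logon scripts and .reg files. The sketch below is an added example, not part of the original presentation, showing how an administrator could audit the contents of their own netlogon share and shared directories for both patterns. The file names, hosts, accounts and passwords in SAMPLES are constructed; findings report only the location, never the secret.

```python
import re

# net use [device] \\server\share <password> ...  ("*" means prompt, "/..." is a switch)
NET_USE = re.compile(
    r'\bnet\s+use\s+(?:(?:[a-z]:|\*)\s+)?(\\\\\S+)\s+(?!/|\*(?:\s|$))("[^"]*"|\S+)',
    re.IGNORECASE)
SECTION = re.compile(r'^\[(.+)\]$')
VALUE = re.compile(r'^"([^"]+)"\s*=\s*"(.*)"$')
WINLOGON = r"\windows nt\currentversion\winlogon"

def decode(data: bytes) -> str:
    """regedit exports are UTF-16 with a BOM (v5) or ANSI (REGEDIT4); scripts are ANSI."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("cp1252", errors="replace")

def scan(name: str, data: bytes) -> list:
    """Return (file, line, kind, target) findings; the secret itself is never returned."""
    findings, section = [], ""
    for no, raw in enumerate(decode(data).splitlines(), 1):
        line = raw.strip()
        m = NET_USE.search(line)  # commented-out lines are scanned too: still a leak
        if m:
            findings.append((name, no, "net-use-password", m.group(1)))
        m = SECTION.match(line)
        if m:
            section = m.group(1)
        m = VALUE.match(line)
        if m and section.lower().endswith(WINLOGON):
            key, val = m.group(1).lower(), m.group(2)
            if key == "defaultpassword" and val:
                findings.append((name, no, "winlogon-default-password", section))
            elif key == "autoadminlogon" and val == "1":
                findings.append((name, no, "auto-admin-logon", section))
    return findings

SAMPLES = {  # constructed sample files; hosts, accounts and passwords are made up
    "logon.bat": b'@echo off\r\nnet use h: \\\\fs01\\home * /u:"corp\\alice"\r\n'
                 b'net use \\\\fs01\\apps "Example-Pw-1" /u:"svc_apps"\r\n',
    "autologon.reg": (
        'Windows Registry Editor Version 5.00\r\n\r\n'
        '[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]\r\n'
        '"DefaultUserName"="kiosk"\r\n"DefaultPassword"="Example-Pw-2"\r\n'
        '"AutoAdminLogon"="1"\r\n').encode("utf-16"),
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(*scan(fname, blob), sep="\n")
```

The `net use ... *` line in the sample is not flagged because `*` makes the command prompt for the password instead of embedding it.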