Hacking case-studies

Transcript

  • 1. Some “Ethical Hacking” Case Studies Peter Wood First•Base Technologies
  • 2. How much damage can a security breach cause? • 44% of UK businesses suffered at least one malicious security breach in 2002 • The average cost was £30,000 • Several cost more than £500,000 • and these are just the reported incidents …! Source: The DTI Information Security Breaches survey. Slide 2 © First Base Technologies 2003
  • 3. The External Hacker
  • 4. [Network diagram: Internet; web developer; dial-in from home; dial-up ISDN connection; leased line; desktop PC; firewall; bridges; my client; client's business partner]
  • 5. [Same network diagram, annotated: Secure the desktop; Secure Internet connections; Secure the third-party network connections]
  • 6. The Inside Hacker
  • 7. Plug and go • Ethernet ports are never disabled … • … or just steal a connection from a desktop • NetBIOS tells you lots and lots … • … and you don’t need to be logged on
  • 8. Get yourself an IP address • Use DHCP since almost everyone does! • Or … use a sniffer to see broadcast packets (even in a switched network) and try some suitable addresses
  • 9. Browse the network
  • 10. Pick a target machine
  • 11. Try null sessions ...
  • 12. List privileged users
  • 13. Typical passwords (account: passwords) • administrator: null, password, administrator • arcserve: arcserve, backup • test: test, password • username: password, monday, football • backup: backup • tivoli: tivoli • backupexec: backup • smsservice: smsservice • … any service account …: same as account name
  • 14. Game over!
  • 15. The Inside-Out Hacker
  • 16. Senior person - laptop at home [Diagram: Internet, e-mail, laptop]
  • 17. … opens attachment [Diagram: Internet, e-mail, laptop; Trojan software now silently installed]
  • 18. … takes laptop to work [Diagram: Internet, firewall, laptop, corporate network]
  • 19. … trojan sees what they see [Diagram: Internet, firewall, finance server, HR server, laptop, corporate network]
  • 20. Information flows out of the organisation [Diagram: evil server, Internet, firewall, finance server, HR server, laptop, corporate network]
  • 21. Physical Attacks
  • 22. What NT password?
  • 23. NTFSDOS
  • 24. Keyghost
  • 25. KeyGhost - keystroke capture • Keystrokes recorded so far is 2706 out of 107250 ... <PWR><CAD>fsmith<tab><tab>arabella xxxxxxx <tab><tab> None<tab><tab> None<tab><tab> None<tab><tab> <CAD> arabella <CAD> <CAD> arabella <CAD> <CAD> arabella exit tracert 192.168.137.240 telnet 192.168.137.240 cisco
  • 26. Viewing Password-Protected Files
  • 27. Office Documents
  • 28. Zip Files
  • 29. Plain Text Passwords
  • 30. Netlogon • In the unprotected netlogon share on a server, logon scripts can contain:
      net use \\server\share "password" /u:"user"
  • 31. Registry scripts • In shared directories you may find .reg files like this:
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
      "DefaultUserName"="username"
      "DefaultPassword"="password"
      "AutoAdminLogon"="1"
  • 32. Passwords in procedures & documents
  • 33. Packet sniffing • Leave the sniffer running • Capture all packets to port 23 or 21 • The result ...
      Generated by : TCP.demux V1.02
      Input File: carol.cap
      Output File: TB000463.txt
      Summary File: summary.txt
      Date Generated: Thu Jan 27 08:43:08 2000
      10.1.1.82 1036 10.1.2.205 23 (telnet)
      UnixWare 2.1.3 (mikew) (pts/31).
      login: cl_Carol
      Password: carol1zz
      UnixWare 2.1.3. mikew. Copyright 1996 The Santa Cruz Operation, Inc. All Rights Reserved.. Copyright 1984-1995 Novell, Inc. All Rights Reserved.. Copyright 1987, 1988 Microsoft Corp. All Rights Reserved.. U.S. Pat. No. 5,349,642.
  • 34. Port scan
  • 35. Brutus dictionary attack
  • 36. NT Password Cracking
  • 37. How to get the NT SAM • On any NT/W2K machine: - In memory (registry) - c:\winnt\repair\sam (invoke rdisk?) - Emergency Repair Disk - Backup tapes - Sniffing (L0phtcrack) • Run L0phtcrack on the SAM …
  • 38. End of part one!
  • 39. And how to prevent it! Peter Wood First•Base Technologies
  • 40. Prevention is better ... • Harden the servers • Monitor alerts (e.g. www.sans.org) • Scan, test and apply patches • Monitor logs • Good physical security • Intrusion detection systems • Train the technical staff on security • Serious policy and procedures!
  • 41. Server hardening • HardNT40rev1.pdf (www.fbtechies.co.uk) • HardenW2K101.pdf (www.fbtechies.co.uk) • FAQ for How to Secure Windows NT (www.sans.org) • Fundamental Steps to Harden Windows NT 4_0 (www.sans.org) • ISF NT Checklist v2 (www.securityforum.org) • http://www.microsoft.com/technet/security/bestprac/default.asp • Lockdown.pdf (www.iss.net) • Windows NT Security Guidelines (nsa1.www.conxion.com) • NTBugtraq FAQs (http://ntbugtraq.ntadvice.com/default.asp?pid=37&sid=1) • Securing Windows 2000 (www.sans.org) • Securing Windows 2000 Server (www.sans.org) • Windows 2000 Known Vulnerabilities and Their Fixes (www.sans.org) • SANS step-by-step guides
  • 42. Alerts • www.sans.org • www.cert.org • www.microsoft.com/security • www.ntbugtraq.com • www.winnetmag.com • razor.bindview.com • eeye.com • Security Pro News (ientrymail.com)
  • 43. Scan and apply patches
  • 44. Monitor logs
  • 45. Good physical security • Perimeter security • Computer room security • Desktop security • Close monitoring of admin’s work areas • No floppy drives? • No bootable CDs?
  • 46. Intrusion detection • RealSecure • Tripwire • Dragon • Snort • www.networkintrusion.co.uk for guidance
  • 47. Security Awareness • Sharing admin accounts • Service accounts • Account naming conventions • Server naming conventions • Hardening • Passwords (understand NT passwords!) • Two-factor authentication?
  • 48. Serious Policy & Procedures • Top-down commitment • Investment • Designed-in security • Regular audits • Regular penetration testing • Education & awareness
  • 49. Need more information? Peter Wood peterw@firstbase.co.uk www.fbtechies.co.uk
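
An audit for the exposures on slides 30 and 31, added here as an example and not part of the original presentation: it scans logon scripts and .reg files on your own shares for net use lines that carry an inline password and for a stored DefaultPassword value. The function names, the file extensions checked and the sample contents are assumptions constructed for illustration.

```python
import os
import re

TOKEN = re.compile(r'"[^"]*"|\S+')  # a quoted string stays one token
REG_PW = re.compile(r'^\s*"DefaultPassword"\s*=\s*"(.+)"\s*$', re.I)
EXTS = (".bat", ".cmd", ".reg")  # assumption: extend for your environment

def decode(data):
    """regedit exports are UTF-16 with a BOM; batch files are usually 8-bit."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace")
    return data.decode("utf-8-sig", errors="replace")

def net_use_has_password(line):
    """True if 'net use' names a UNC share followed by a literal password.
    A following '/switch' or '*' (prompt at run time) stores no secret."""
    toks = TOKEN.findall(line)
    low = [t.lower().lstrip("@") for t in toks]
    for i in range(len(toks) - 1):
        if low[i] in ("net", "net.exe") and low[i + 1] == "use":
            rest = toks[i + 2:]
            for j, tok in enumerate(rest[:-1]):
                if tok.strip('"').startswith("\\\\"):
                    nxt = rest[j + 1]
                    return not nxt.startswith("/") and nxt != "*"
    return False

def scan_text(name, data):
    """Return (file, line number, finding); the secret itself is never echoed."""
    findings = []
    for n, line in enumerate(decode(data).splitlines(), 1):
        if net_use_has_password(line):
            findings.append((name, n, "net use with inline password"))
        elif REG_PW.match(line):
            findings.append((name, n, "DefaultPassword stored in .reg file"))
    return findings

def scan_tree(root):
    """Walk a directory (e.g. a mounted NETLOGON share) and scan matching files."""
    out = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(EXTS):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    out.extend(scan_text(path, fh.read()))
    return out

# Constructed samples (not from the original slides)
SAMPLE_BAT = b'@echo off\r\nnet use h: \\\\srv01\\home /persistent:no\r\nnet use \\\\srv01\\apps "Summer2003" /u:"svc_logon"\r\nnet use p: \\\\srv01\\pub * /u:bob\r\n'
SAMPLE_REG = '[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]\r\n"DefaultUserName"="kiosk"\r\n"DefaultPassword"="example-only"\r\n"AutoAdminLogon"="1"\r\n'.encode("utf-16")
```

Findings report only the file and line, so the audit output does not become another place where the password is written down.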