Hacking case-studies

  1. Some “Ethical Hacking” Case Studies
     Peter Wood, First•Base Technologies
  2. How much damage can a security breach cause?
     • 44% of UK businesses suffered at least one malicious security breach in 2002
     • The average cost was £30,000
     • Several cost more than £500,000
     • and these are just the reported incidents …!
     Source: The DTI Information Security Breaches survey
     © First Base Technologies 2003
  3. The External Hacker
  4. [Diagram: the routes into “My Client”: the Internet via the firewall, the web developer’s dial-in, a home machine on dial-up, an ISDN line, a leased-line connection through bridges to the client’s business partner, and the desktop PC]
  5. [Diagram: the same network with each route secured: secure the desktop, secure dial-in, secure the Internet connections, secure the third-party network connections]
  6. The Inside Hacker
  7. Plug and go
     • Ethernet ports are never disabled …
     • … or just steal a connection from a desktop
     • NetBIOS tells you lots and lots …
     • … and you don’t need to be logged on
  8. Get yourself an IP address
     • Use DHCP since almost everyone does!
     • Or … use a sniffer to see broadcast packets (even in a switched network) and try some suitable addresses
  9. Browse the network
  10. Pick a target machine
  11. Try null sessions ...
  12. List privileged users
  13. Typical passwords
      • administrator: null, password, administrator
      • arcserve: arcserve, backup
      • test: test, password
      • username: password, monday, football
      • backup: backup
      • tivoli: tivoli
      • backupexec: backup
      • smsservice: smsservice
      • … any service account … same as account name
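The pattern on this slide (service-account passwords that are blank, equal to the account name, a fragment of it, or one of a handful of product defaults) is easy to gate against at the point where a password is set. The checker below is an added example, not code from the presentation; it goes slightly beyond the slide by normalising case and stripping digits and punctuation, so `Arcserve2003!` for `arcserve` is caught as well as `arcserve`. The `COMMON_PASSWORDS` list, the account inventory and the function names are constructed for the example, and the check assumes the candidate password is available in the clear (as it is when an account is being provisioned or a password-audit tool has already recovered it).

```python
import re

# Defaults the slide lists, plus the generic ones it cites.  Constructed for this
# example: a real deployment would load a much larger list (e.g. a cracking dictionary).
COMMON_PASSWORDS = {
    "password", "administrator", "backup", "test", "monday", "football",
    "arcserve", "tivoli", "smsservice",
}


def _letters_only(text):
    """Lower-case and drop everything but letters, so 'Arcserve2003!' compares as 'arcserve'."""
    return re.sub(r"[^a-z]", "", text.lower())


def password_findings(account, password, common=COMMON_PASSWORDS, min_length=8):
    """Return the reasons a password is unacceptable for this account ([] means acceptable).

    Rules, in the order they are reported:
      1. empty password (reported alone; nothing else to say)
      2. derived from the account name: equal to it, containing it, contained in it,
         or its reverse, after stripping case, digits and punctuation
      3. on the common/default-password list
      4. shorter than min_length characters
    """
    if not password:
        return ["empty password"]
    reasons = []
    pw, acct = _letters_only(password), _letters_only(account)
    if len(acct) >= 3 and (
        acct in pw                        # arcserve   -> 'Arcserve2003'
        or (len(pw) >= 4 and pw in acct)  # backupexec -> 'backup'
        or pw == acct[::-1]               # tivoli     -> 'ilovit'
    ):
        reasons.append("derived from account name")
    if pw in common:
        reasons.append("on the common-password list")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    return reasons


def audit(accounts):
    """Map each failing account name to its findings; accounts that pass are omitted."""
    results = {}
    for account, password in accounts:
        findings = password_findings(account, password)
        if findings:
            results[account] = findings
    return results


# Constructed inventory of service accounts, not taken from any real system.
SAMPLE_ACCOUNTS = [
    ("arcserve", "arcserve"),
    ("backupexec", "Backup"),
    ("tivoli", "Tivoli2003!"),
    ("smsservice", "x7#Kq92!mL"),
    ("svc_sql", ""),
]

if __name__ == "__main__":
    for account, findings in audit(SAMPLE_ACCOUNTS).items():
        print(f"{account}: {'; '.join(findings)}")
```

The derivation rule deliberately works on letters only: appending a year or an exclamation mark to the account name is the commonest way a “same as account name” password survives a naive equality check.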
  14. Game over!
  15. The Inside-Out Hacker
  16. Senior person - laptop at home
      [Diagram: the laptop at home receives e-mail over the Internet]
  17. … opens attachment
      [Diagram: trojan software is now silently installed on the laptop]
  18. … takes laptop to work
      [Diagram: the laptop moves inside the firewall onto the corporate network]
  19. … trojan sees what they see
      [Diagram: from the corporate network the laptop reaches the Finance server and the HR server]
  20. Information flows out of the organisation
      [Diagram: data leaves through the firewall to an “Evil server” on the Internet]
  21. Physical Attacks
  22. What NT password?
  23. NTFSDOS
  24. Keyghost
  25. KeyGhost - keystroke capture
      Keystrokes recorded so far is 2706 out of 107250 ...
      <PWR><CAD>fsmith<tab><tab>arabella xxxxxxx <tab><tab> None<tab><tab> None<tab><tab> None<tab><tab> <CAD> arabella <CAD> <CAD> arabella <CAD> <CAD> arabella exit tracert 192.168.137.240 telnet 192.168.137.240 cisco
  26. Viewing Password-Protected Files
  27. Office Documents
  28. Zip Files
  29. Plain Text Passwords
  30. Netlogon
      In the unprotected netlogon share on a server, logon scripts can contain:
      net use \\server\share "password" /u:"user"
  31. Registry scripts
      In shared directories you may find .reg files like this:
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
      "DefaultUserName"="username"
      "DefaultPassword"="password"
      "AutoAdminLogon"="1"
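Both of the leaks on slides 30 and 31 are mechanical to find before an intruder does: walk the netlogon and other shared directories, look for `net use` lines that carry a literal password, and look for `.reg` exports that set `DefaultPassword` under the Winlogon key. The scanner below is an added example, not code from the presentation. It builds a throw-away directory of constructed sample files (the share names, script and `.reg` contents are invented), uses `shlex` so a quoted password containing spaces stays one token, treats a password of `*` as harmless (it makes `net use` prompt at run time), decodes the UTF-16 `.reg` files that regedit exports, and reports only the length of any secret it finds so the report itself is not a second copy of the password.

```python
import shlex
import shutil
import tempfile
from pathlib import Path

LOGON_SCRIPT_SUFFIXES = {".bat", ".cmd"}
WINLOGON_VALUES = {"DefaultUserName", "DefaultPassword", "AutoAdminLogon"}


def _tokens(line):
    """Split a command line keeping quoted strings together; fall back to whitespace on bad quoting."""
    try:
        return shlex.split(line, posix=False)
    except ValueError:
        return line.split()


def net_use_embedded_password(line):
    r"""Return (share, password) if a 'net use' line carries a literal password, else None.

    Recognises both forms:  net use \\server\share "password" /u:"user"
                            net use H: \\server\share password /user:DOMAIN\user
    A password of '*' makes NET prompt at run time, so it is not an embedded secret.
    """
    tokens = _tokens(line)
    if len(tokens) < 3 or tokens[0].lower() != "net" or tokens[1].lower() != "use":
        return None
    rest = tokens[2:]
    if not rest[0].startswith("\\\\"):        # drive-letter form: skip the 'H:'
        rest = rest[1:]
        if not rest or not rest[0].startswith("\\\\"):
            return None
    share = rest[0]
    for token in rest[1:]:
        if token.startswith("/"):              # /u:, /user:, /persistent: are switches
            continue
        password = token.strip('"')
        return None if password == "*" else (share, password)
    return None


def _read_text(path):
    """regedit exports .reg files as UTF-16 with a BOM; handle that as well as plain text."""
    raw = path.read_bytes()
    if raw.startswith(b"\xff\xfe") or raw.startswith(b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def winlogon_values(reg_text):
    """Collect DefaultUserName/DefaultPassword/AutoAdminLogon from a .reg file's Winlogon key."""
    found, section = {}, ""
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section.lower().endswith("\\winlogon") and line.startswith('"'):
            name, _, value = line.partition("=")
            name, value = name.strip().strip('"'), value.strip().strip('"')
            if name in WINLOGON_VALUES:
                found[name] = value
    return found


def scan_share(root):
    """Walk a share and report embedded credentials; the secrets themselves are never echoed."""
    root, findings = Path(root), []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel, suffix = str(path.relative_to(root)), path.suffix.lower()
        if suffix in LOGON_SCRIPT_SUFFIXES:
            for lineno, line in enumerate(_read_text(path).splitlines(), 1):
                hit = net_use_embedded_password(line)
                if hit:
                    share, password = hit
                    findings.append({"file": rel, "line": lineno, "kind": "net use password",
                                     "detail": f"{share} (password of {len(password)} chars)"})
        elif suffix == ".reg":
            values = winlogon_values(_read_text(path))
            if values.get("DefaultPassword"):
                findings.append({"file": rel, "line": None, "kind": "Winlogon DefaultPassword",
                                 "detail": f"user {values.get('DefaultUserName', '?')}, "
                                           f"AutoAdminLogon={values.get('AutoAdminLogon', '0')}"})
    return findings


def build_sample_share():
    """Create a throw-away directory mimicking the two shares; all contents are constructed."""
    root = Path(tempfile.mkdtemp(prefix="share_audit_"))
    (root / "netlogon").mkdir()
    (root / "netlogon" / "logon.bat").write_text(
        "@echo off\n"
        "net use H: \\\\fileserver\\home\n"                                     # no password: fine
        'net use \\\\fileserver\\finance "Summer2003" /u:"CORP\\svc_backup"\n'  # embedded secret
        "net use \\\\fileserver\\apps * /user:CORP\\jsmith\n"                   # '*' prompts: fine
    )
    (root / "tools").mkdir()
    (root / "tools" / "autologon.reg").write_text(
        "REGEDIT4\n\n"
        "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]\n"
        '"DefaultUserName"="kiosk"\n'
        '"DefaultPassword"="kiosk123"\n'
        '"AutoAdminLogon"="1"\n'
    )
    return root


if __name__ == "__main__":
    sample = build_sample_share()
    try:
        for f in scan_share(sample):
            print(f"{f['file']}:{f['line'] or '-'}: {f['kind']}: {f['detail']}")
    finally:
        shutil.rmtree(sample)
```

Point `scan_share` at a mounted copy of the netlogon share (or any directory tree users can read) and treat every finding as a password to rotate, not just a file to delete: the script has been readable by everyone who could reach the share for as long as it has existed.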
  32. Passwords in procedures & documents
  33. Packet sniffing
      • Leave the sniffer running
      • Capture all packets to port 23 or 21
      • The result ...
      Generated by : TCP.demux V1.02
      Input File: carol.cap
      Output File: TB000463.txt
      Summary File: summary.txt
      Date Generated: Thu Jan 27 08:43:08 2000
      10.1.1.82 1036 10.1.2.205 23 (telnet)
      UnixWare 2.1.3 (mikew) (pts/31).
      login: cl_Carol
      Password: carol1zz
      UnixWare 2.1.3. mikew. Copyright 1996 The Santa Cruz Operation, Inc. All Rights Reserved.. Copyright 1984-1995 Novell, Inc. All Rights Reserved.. Copyright 1987, 1988 Microsoft Corp. All Rights Reserved.. U.S. Pat. No. 5,349,642.
  34. Port scan
  35. Brutus dictionary attack
  36. NT Password Cracking
  37. How to get the NT SAM
      • On any NT/W2K machine:
        - In memory (registry)
        - c:\winnt\repair\sam (invoke rdisk?)
        - Emergency Repair Disk
        - Backup tapes
        - Sniffing (L0phtcrack)
      • Run L0phtcrack on the SAM …
  38. End of part one!
  39. And how to prevent it!
      Peter Wood, First•Base Technologies
  40. Prevention is better ...
      • Harden the servers
      • Monitor alerts (e.g. www.sans.org)
      • Scan, test and apply patches
      • Monitor logs
      • Good physical security
      • Intrusion detection systems
      • Train the technical staff on security
      • Serious policy and procedures!
  41. Server hardening
      • HardNT40rev1.pdf (www.fbtechies.co.uk)
      • HardenW2K101.pdf (www.fbtechies.co.uk)
      • FAQ for How to Secure Windows NT (www.sans.org)
      • Fundamental Steps to Harden Windows NT 4_0 (www.sans.org)
      • Securing Windows 2000 Server (www.sans.org)
      • Windows 2000 Known Vulnerabilities and Their Fixes (www.sans.org)
      • Lockdown.pdf (www.iss.net)
      • SANS step-by-step guides
      • Windows NT Security Guidelines (nsa1.www.conxion.com)
      • NTBugtraq FAQs (http://ntbugtraq.ntadvice.com/default.asp?pid=37&sid=1)
      • Securing Windows 2000 (www.sans.org)
      • ISF NT Checklist v2 (www.securityforum.org)
      • http://www.microsoft.com/technet/security/bestprac/default.asp
  42. Alerts
      • www.sans.org
      • www.cert.org
      • www.microsoft.com/security
      • www.ntbugtraq.com
      • www.winnetmag.com
      • razor.bindview.com
      • eeye.com
      • Security Pro News (ientrymail.com)
  43. Scan and apply patches
  44. Monitor logs
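The dictionary attack of slide 35 is exactly what “Monitor logs” is meant to catch: a burst of logon failures from one source, often across several account names, followed (if it worked) by a success from the same source. The detector below is an added example, not code from the presentation. It runs a sliding window over a constructed sample log in a simplified `key=value` format (the hosts, addresses and timestamps are invented); the event IDs follow NT’s 528 (successful logon) and 529 (logon failure), but the line format is not NT’s own and you would adapt `parse_line` to whatever your collector emits.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, not a real capture.  529 = logon failure, 528 = successful logon.
SAMPLE_LOG = """\
2003-01-27 08:43:01 host=fileserver event=529 user=administrator src=10.1.1.82
2003-01-27 08:43:03 host=fileserver event=529 user=administrator src=10.1.1.82
2003-01-27 08:43:05 host=fileserver event=529 user=arcserve src=10.1.1.82
2003-01-27 08:43:07 host=fileserver event=529 user=backup src=10.1.1.82
2003-01-27 08:43:09 host=fileserver event=529 user=administrator src=10.1.1.82
2003-01-27 08:43:10 host=fileserver event=529 user=jsmith src=10.1.1.50
2003-01-27 08:43:11 host=fileserver event=529 user=administrator src=10.1.1.82
2003-01-27 08:43:13 host=fileserver event=528 user=administrator src=10.1.1.82
2003-01-27 08:55:40 host=fileserver event=529 user=jsmith src=10.1.1.50
2003-01-27 08:55:52 host=fileserver event=528 user=jsmith src=10.1.1.50
"""


def parse_line(line):
    """Parse one line into {"ts": datetime, "host", "event", "user", "src"}; None if malformed."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    if not all(k in fields for k in ("event", "user", "src")):
        return None
    return {"ts": ts, **fields}


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window detector.

    `threshold` failures from one source inside `window` raise a 'brute force' alert
    (once per burst); a successful logon from that source while the alert is still live
    raises a second, higher-priority 'success after brute force' alert, because a
    typo-prone user rarely fails five times in a minute under three different names.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, user) for failures inside the window
    tripped = {}                  # src -> time the threshold was crossed
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        src, ts = ev["src"], ev["ts"]
        q = recent[src]
        while q and ts - q[0][0] > window:
            q.popleft()                         # drop failures that have aged out
        if src in tripped and ts - tripped[src] > window:
            del tripped[src]                    # re-arm once the burst is over
        if ev["event"] == "529":
            q.append((ts, ev["user"]))
            if len(q) >= threshold and src not in tripped:
                tripped[src] = ts
                alerts.append({"type": "brute force", "src": src, "count": len(q),
                               "users": sorted({u for _, u in q}),
                               "first": q[0][0], "last": ts})
        elif ev["event"] == "528" and src in tripped:
            alerts.append({"type": "success after brute force", "src": src,
                           "user": ev["user"], "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Tune `threshold` and `window` against your own baseline first: a lockout policy that is stricter than the detector makes the second alert impossible, and a window shorter than the attacker’s pacing makes the first one silent.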
  45. Good physical security
      • Perimeter security
      • Computer room security
      • Desktop security
      • Close monitoring of admin’s work areas
      • No floppy drives?
      • No bootable CDs?
  46. Intrusion detection
      • RealSecure
      • Tripwire
      • Dragon
      • Snort
      • www.networkintrusion.co.uk for guidance
  47. Security Awareness
      • Sharing admin accounts
      • Service accounts
      • Account naming conventions
      • Server naming conventions
      • Hardening
      • Passwords (understand NT passwords!)
      • Two-factor authentication?
  48. Serious Policy & Procedures
      • Top-down commitment
      • Investment
      • Designed-in security
      • Regular audits
      • Regular penetration testing
      • Education & awareness
  49. Need more information?
      Peter Wood
      peterw@firstbase.co.uk
      www.fbtechies.co.uk