Hacking case-studies
Presentation Transcript

  • Some “Ethical Hacking” Case Studies Peter Wood First•Base Technologies
  • How much damage can a security breach cause?
      • 44% of UK businesses suffered at least one malicious security breach in 2002
      • The average cost was £30,000
      • Several cost more than £500,000
      • and these are just the reported incidents …!
    Source: The DTI Information Security Breaches survey
    Slide 2 © First Base Technologies 2003
  • The External Hacker
  • [Diagram: Internet, Web Developer, dial-in from home, dial-up ISDN connection, leased line, Desktop PC, Firewall, two Bridges, My Client, Client's business partner]
  • [Same diagram with annotations: Secure the desktop; Secure Internet connections; Secure the network; Secure third-party connections]
  • The Inside Hacker
  • Plug and go
    Ethernet ports are never disabled …
    … or just steal a connection from a desktop
    NetBIOS tells you lots and lots …
    … and you don’t need to be logged on
  • Get yourself an IP address
      • Use DHCP since almost everyone does!
      • Or … use a sniffer to see broadcast packets (even in a switched network) and try some suitable addresses
  • Browse the network
  • Pick a target machine
  • Try null sessions ...
  • List privileged users
  • Typical passwords (account: passwords)
      • administrator: null, password, administrator
      • arcserve: arcserve, backup
      • test: test, password
      • username: password, monday, football
      • backup: backup
      • tivoli: tivoli
      • backupexec: backup
      • smsservice: smsservice
      • … any service account …: same as account name
  • Game over!
  • The Inside-Out Hacker
  • Senior person - laptop at home [Diagram: Internet, e-mail, Laptop]
  • … opens attachment: Trojan software now silently installed [Diagram: Internet, e-mail, Laptop]
  • … takes laptop to work [Diagram: Internet, Firewall, Laptop, Corporate Network]
  • … trojan sees what they see [Diagram: Internet, Firewall, Finance Server, HR Server, Laptop, Corporate Network]
  • Information flows out of the organisation [Diagram: Evil server, Internet, Firewall, Finance Server, HR Server, Laptop, Corporate Network]
  • Physical Attacks
  • What NT password?
  • NTFSDOS
  • KeyGhost
  • KeyGhost - keystroke capture
    Keystrokes recorded so far is 2706 out of 107250 ...
    <PWR><CAD>fsmith<tab><tab>arabella xxxxxxx <tab><tab> None<tab><tab> None<tab><tab> None<tab><tab> <CAD> arabella <CAD> <CAD> arabella <CAD> <CAD> arabella exit tracert 192.168.137.240 telnet 192.168.137.240 cisco
  • Viewing Password-Protected Files
  • Office Documents
  • Zip Files
  • Plain Text Passwords
  • Netlogon
    In the unprotected netlogon share on a server, logon scripts can contain:
    net use \\server\share "password" /u:"user"
  • Registry scripts
    In shared directories you may find .reg files like this:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "DefaultUserName"="username"
    "DefaultPassword"="password"
    "AutoAdminLogon"="1"
  • Passwords in procedures & documents
  • Packet sniffing
      • Leave the sniffer running
      • Capture all packets to port 23 or 21
      • The result ...
    Generated by : TCP.demux V1.02
    Input File: carol.cap
    Output File: TB000463.txt
    Summary File: summary.txt
    Date Generated: Thu Jan 27 08:43:08 2000
    10.1.1.82 1036 10.1.2.205 23 (telnet)
    UnixWare 2.1.3 (mikew) (pts/31).
    login: cl_Carol
    Password: carol1zz
    UnixWare 2.1.3. mikew. Copyright 1996 The Santa Cruz Operation, Inc. All Rights Reserved.. Copyright 1984-1995 Novell, Inc. All Rights Reserved.. Copyright 1987, 1988 Microsoft Corp. All Rights Reserved.. U.S. Pat. No. 5,349,642.
  • Port scan
  • Brutus dictionary attack
  • NT Password Cracking
  • How to get the NT SAM
      • On any NT/W2K machine:
          - In memory (registry)
          - c:\winnt\repair\sam (invoke rdisk?)
          - Emergency Repair Disk
          - Backup tapes
          - Sniffing (L0phtcrack)
      • Run L0phtcrack on the SAM …
  • End of part one!
  • And how to prevent it! Peter Wood First•Base Technologies
  • Prevention is better ...
      • Harden the servers
      • Monitor alerts (e.g. www.sans.org)
      • Scan, test and apply patches
      • Monitor logs
      • Good physical security
      • Intrusion detection systems
      • Train the technical staff on security
      • Serious policy and procedures!
  • Server hardening
      • HardNT40rev1.pdf (www.fbtechies.co.uk)
      • HardenW2K101.pdf (www.fbtechies.co.uk)
      • FAQ for How to Secure Windows NT (www.sans.org)
      • Fundamental Steps to Harden Windows NT 4_0 (www.sans.org)
      • ISF NT Checklist v2 (www.securityforum.org)
      • http://www.microsoft.com/technet/security/bestprac/default.asp
      • Lockdown.pdf (www.iss.net)
      • Windows NT Security Guidelines (nsa1.www.conxion.com)
      • NTBugtraq FAQs (http://ntbugtraq.ntadvice.com/default.asp?pid=37&sid=1)
      • Securing Windows 2000 (www.sans.org)
      • Securing Windows 2000 Server (www.sans.org)
      • Windows 2000 Known Vulnerabilities and Their Fixes (www.sans.org)
      • SANS step-by-step guides
  • Alerts
      • www.sans.org
      • www.cert.org
      • www.microsoft.com/security
      • www.ntbugtraq.com
      • www.winnetmag.com
      • razor.bindview.com
      • eeye.com
      • Security Pro News (ientrymail.com)
  • Scan and apply patches
  • Monitor logs
  • Good physical security
      • Perimeter security
      • Computer room security
      • Desktop security
      • Close monitoring of admin’s work areas
      • No floppy drives?
      • No bootable CDs?
  • Intrusion detection
      • RealSecure
      • Tripwire
      • Dragon
      • Snort
      • www.networkintrusion.co.uk for guidance
  • Security Awareness
      • Sharing admin accounts
      • Service accounts
      • Account naming conventions
      • Server naming conventions
      • Hardening
      • Passwords (understand NT passwords!)
      • Two-factor authentication?
  • Serious Policy & Procedures
      • Top-down commitment
      • Investment
      • Designed-in security
      • Regular audits
      • Regular penetration testing
      • Education & awareness
  • Need more information? Peter Wood peterw@firstbase.co.uk www.fbtechies.co.uk
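
An audit for the two plain-text password cases on the "Netlogon" and "Registry scripts" slides, as an added example that is not part of the original presentation. The function names and finding labels are assumptions made for this sketch; it reports file and line only and never echoes the secret.

```python
import re
from pathlib import Path

QUOTES = str.maketrans("\u201c\u201d", '""')           # curly quotes -> straight
TOKEN = re.compile(r'(?:[^\s"]|"[^"]*")+')             # keeps /u:"a b" as one token
NET_USE = re.compile(r'^\s*@?net(?:\.exe)?\s+use\s+(.*)$', re.I)
DEFAULT_PW = re.compile(r'^\s*"DefaultPassword"\s*=\s*".+"\s*$', re.I)

def read_text(path):
    """Decode a script; regedit exports are usually UTF-16 with a BOM."""
    raw = Path(path).read_bytes()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")

def has_inline_password(line):
    """True when a net use line has a literal password after the UNC path
    ('*' means prompt, so it is not a finding)."""
    m = NET_USE.match(line.translate(QUOTES))
    if not m:
        return False
    args = [t.strip('"') for t in TOKEN.findall(m.group(1)) if not t.startswith("/")]
    for i, tok in enumerate(args):
        if tok.startswith("\\\\"):                     # UNC path found
            return i + 1 < len(args) and args[i + 1] != "*"
    return False

def scan_share(root):
    """Return (relative path, line number, finding) for each hit under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        ext = path.suffix.lower()
        if not path.is_file() or ext not in (".bat", ".cmd", ".reg"):
            continue
        rel, key = path.relative_to(root).as_posix(), ""
        for n, line in enumerate(read_text(path).splitlines(), 1):
            if line.lstrip().startswith("["):          # current registry key
                key = line.strip().lower()
            if ext == ".reg":
                if key.endswith("\\winlogon]") and DEFAULT_PW.match(line):
                    findings.append((rel, n, "Winlogon DefaultPassword"))
            elif has_inline_password(line):
                findings.append((rel, n, "net use password"))
    return findings
```

Run `scan_share` against a read-only copy or mount of the netlogon share and any shared script directories.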