Some “Ethical Hacking”

Case Studies

Peter Wood
First•Base
Technologies
 How much damage
can a security breach cause?

• 44% of UK businesses suffered at least one

malicious security breach in 2002
• The average cost was £30,000
• Several cost more than £500,000
• and these are just the reported incidents …!
Source: The DTI Information Security Breaches survey

Slide 2 © First Base Technologies 2003

 The External Hacker

Slide 3 © First Base Technologies 2003

 Internet Web Developer
home m

Di
n fro

al-
up
Dial-i

e IS
DN
lin
d co
a se nn
ec
Le tio
n
Desktop PC Firewall

Bridge Bridge

My Client Client's business partner

Slide 4 © First Base Technologies 2003

 Internet Web Developer

Secure
home m

Di
n fro

the al-
up
Secure
Dial-i

e IS
DN
desktop d
lin
co
se
Le
a Internet nn
ec
tio
n
Desktop PC Firewall connections

Bridge Bridge

Secure Secure
My Client Client's business partner
the third-party
Slide 5 network connections
© First Base Technologies 2003
 The Inside Hacker

Slide 6 © First Base Technologies 2003

 Plug and go

Ethernet ports are never disabled ….

… or just steal a connection from a desktop

NetBIOS tells you lots and lots ……

…. And you don’t need to be logged on

Slide 7 © First Base Technologies 2003

 Get yourself an IP address
• Use DHCP since almost everyone does!
• Or … use a sniffer to see broadcast packets
(even in a switched network) and try some
suitable addresses

Slide 8 © First Base Technologies 2003

 Browse the network

Slide 9 © First Base Technologies 2003

 Pick a target machine

Pick a target

Slide 10 © First Base Technologies 2003

 Try null sessions ...

Slide 11 © First Base Technologies 2003

 List privileged users

Slide 12 © First Base Technologies 2003

 Typical passwords

• administrator null, password, administrator

• arcserve arcserve, backup
• test test, password
• username password, monday, football
• backup backup
• tivoli tivoli
• backupexec backup
• smsservice smsservice
• … any service account … same as account name

Slide 13 © First Base Technologies 2003

 Game over!

Slide 14 © First Base Technologies 2003

 The Inside-Out Hacker

Slide 15 © First Base Technologies 2003

 Senior person - laptop at home

Internet

mail
e-

Laptop

Slide 16 © First Base Technologies 2003

 … opens attachment

Internet

mail
e-

Trojan software
Laptop now silently
installed

Slide 17 © First Base Technologies 2003

 … takes laptop to work

Internet

Firewall

Laptop Laptop
Corporate Network

Slide 18 © First Base Technologies 2003

 … trojan sees what they see

Internet

Firewall

Finance Server HR Server

Laptop
Corporate Network

Slide 19 © First Base Technologies 2003

 Information flows out of the
organisation

Evil server
Internet

Firewall

Finance Server HR Server

Laptop
Corporate Network
Slide 20 © First Base Technologies 2003
 Physical Attacks

Slide 21 © First Base Technologies 2003

 What NT password?

Slide 22 © First Base Technologies 2003

 NTFSDOS

Slide 23 © First Base Technologies 2003

 Keyghost

Slide 24 © First Base Technologies 2003

 KeyGhost - keystroke capture

Keystrokes recorded so far is 2706 out of 107250 ...

<PWR><CAD>fsmith<tab><tab>arabella
xxxxxxx <tab><tab> None<tab><tab> None<tab><tab> None<tab><tab>
<CAD> arabella
<CAD>
<CAD> arabella
<CAD>
<CAD> arabella
exit
tracert 192.168.137.240
telnet 192.168.137.240
cisco

Slide 25 © First Base Technologies 2003

 Viewing Password-Protected Files

Slide 26 © First Base Technologies 2003

 Office Documents

Slide 27 © First Base Technologies 2003

 Zip Files

Slide 28 © First Base Technologies 2003

 Plain Text Passwords

Slide 29 © First Base Technologies 2003

 Netlogon
In the unprotected netlogon share on a server:
logon scripts can contain:
net use \\server\share “password” /u:“user”

Slide 30 © First Base Technologies 2003

 Registry scripts

In shared directories you may find

.reg files like this:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon]
"DefaultUserName"="username"
"DefaultPassword"="password"
"AutoAdminLogon"="1"

Slide 31 © First Base Technologies 2003

 Passwords in
procedures & documents

Slide 32 © First Base Technologies 2003

 Packet sniffing
Generated by : TCP.demux V1.02
Input File: carol.cap
Output File: TB000463.txt
• Leave the sniffer Summary File: summary.txt
Date Generated: Thu Jan 27 08:43:08 2000
running 10.1.1.82 1036
10.1.2.205 23 (telnet)

UnixWare 2.1.3 (mikew) (pts/31).

• Capture all packets login:
to port 23 or 21 cl_Carol

Password:

• The result ... carol1zz

UnixWare 2.1.3.
mikew.
Copyright 1996 The Santa Cruz Operation, Inc. All Rights Reserved..
Copyright 1984-1995 Novell, Inc. All Rights Reserved..
Copyright 1987, 1988 Microsoft Corp. All Rights Reserved..
U.S. Pat. No. 5,349,642.

Slide 33 © First Base Technologies 2003

 Port scan

Slide 34 © First Base Technologies 2003

 Brutus dictionary attack

Slide 35 © First Base Technologies 2003

 NT Password Cracking

Slide 36 © First Base Technologies 2003

 How to get the NT SAM

• On any NT/W2K machine:

- In memory (registry)
- c:\winnt\repair\sam (invoke rdisk?)
- Emergency Repair Disk
- Backup tapes
- Sniffing (L0phtcrack)
• Run L0phtcrack on the SAM ….

Slide 37 © First Base Technologies 2003

 End of part one!

Slide 38 © First Base Technologies 2003

And how to prevent it!

Peter Wood
First•Base
Technologies
 Prevention is better ...
• Harden the servers
• Monitor alerts (e.g. www.sans.org)
• Scan, test and apply patches
• Monitor logs
• Good physical security
• Intrusion detection systems
• Train the technical staff on security
• Serious policy and procedures!
Slide 40 © First Base Technologies 2003
 Server hardening
• HardNT40rev1.pdf
(www.fbtechies.co.uk)
• HardenW2K101.pdf
(www.fbtechies.co.uk)
• FAQ for How to Secure Windows
NT (www.sans.org)
• Fundamental Steps to Harden
Windows NT 4_0 (www.sans.org)
• ISF NT Checklist v2
(www.securityforum.org)
• http://www.microsoft.com/technet/
security/bestprac/default.asp
• Lockdown.pdf (www.iss.net)
Slide 41
• Windows NT Security Guidelines
(nsa1.www.conxion.com)
• NTBugtraq FAQs
(http://ntbugtraq.ntadvice.com/defa
ult.asp?pid=37&sid=1)
• Securing Windows 2000
(www.sans.org)
• Securing Windows 2000 Server
(www.sans.org)
• Windows 2000 Known
Vulnerabilities and Their Fixes
(www.sans.org)
• SANS step-by-step guides
© First Base Technologies 2003
 Alerts

• www.sans.org
• www.cert.org
• www.microsoft.com/security
• www.ntbugtraq.com
• www.winnetmag.com
• razor.bindview.com
• eeye.com
• Security Pro News (ientrymail.com)

Slide 42 © First Base Technologies 2003

 Scan and apply patches

Slide 43 © First Base Technologies 2003

 Monitor logs

Slide 44 © First Base Technologies 2003

 Good physical security

• Perimeter security
• Computer room security
• Desktop security
• Close monitoring of admin’s work areas
• No floppy drives?
• No bootable CDs?

Slide 45 © First Base Technologies 2003

 Intrusion detection

• RealSecure
• Tripwire
• Dragon
• Snort
• www.networkintrusion.co.uk for guidance

Slide 46 © First Base Technologies 2003

 Security Awareness

• Sharing admin accounts

• Service accounts
• Account naming conventions
• Server naming conventions
• Hardening
• Passwords (understand NT passwords!)
• Two-factor authentication?

Slide 47 © First Base Technologies 2003

 Serious Policy & Procedures

• Top-down commitment
• Investment
• Designed-in security
• Regular audits
• Regular penetration testing
• Education & awareness

Slide 48 © First Base Technologies 2003

 Need more information?

Peter Wood

peterw@firstbase.co.uk

www.fbtechies.co.uk

Slide 49 © First Base Technologies 2003