Prime Targets in Network Infrastructure

Prime Targets inNetwork Infrastructure

Peter WoodChief Executive Officer

First•Base Technologies

An Ethical Hacker’s View

Slide 2 © First Base Technologies 2013

Who is Peter Wood?

Worked in computers & electronics since 1969

Founded First Base in 1989 (one of the first ethical hacking firms)

CEO First Base Technologies LLPSocial engineer & penetration testerConference speaker and security ‘expert’

Member of ISACA Security Advisory GroupVice Chair of BCS Information Risk Management and Audit GroupUK Chair, Corporate Executive Programme

FBCS, CITP, CISSP, MIEEE, M.Inst.ISPRegistered BCS Security ConsultantMember of ACM, ISACA, ISSA, Mensa


Hacker thinking

• How does this work?

• What research is there out there?

• What’s happening under the covers?

• What happens if I do this?

• What happens if I ignore the instructions?

• What if I’m a “legitimate” user?

• Where are the weak points?

• Is there another way in?


Let’s start at the bottom …


SNMPSimple Network Management Protocol

• A protocol developed to manage nodes (servers, workstations, routers, switches and hubs etc.) on an IP network

• Enables network administrators to manage network performance, find and solve network problems, and plan for network growth

• SNMP v1 is the de facto network management protocol

• SNMP v1 authentication is performed by a ‘community string’, in effect a type of shared password, which is transmitted in clear text


SNMP Architecture

• Managers: responsible for communicating with network devices that implement SNMP Agents

• Agents: reside in devices such as servers, workstations, switches, routers, printers, etc.

• Management Information Base (MIB): describe data objects to be managed by an Agent within a device

• MIBs are text files, and the values in MIB data objects are communicated between Managers and Agents


SNMP can talk to many devices


It’s simple to scan for SNMP


Browsing an MIB


MIB data for a network switch


SNMP for hackers

• If you know the read string (default public) you can read the entire MIB for that device

• If you know the read-write string (default private) you may be able to change settings on that device

• You may be able to ‘sniff’ community strings off the network if they’ve been changed from the defaults

• You may be able to control a router or switch:- Intercept traffic and read sensitive information

- Crash the network repeatedly

- Lock the device out, requiring physical access to reset it

• You may be able to list users, groups, shares etc. on servers

• You may be able to subvert wireless network security


Don’t let SNMP stand for

Security’s Not My Problem

(thanks Nilesh Mapara!)


What else is on the network …


Default admin access

All networks contain some devices which retain manufacturer default credentials …


Brocade Fibre Switch:default credentials


Press ‘Enter’ then …


IP CCTV:no password


Avaya switch manager:no password


HP tape library:default credentials


Network device compromise

• SNMP on by default (often not required)

• SNMP default community strings in use

• Default admin logon credentials

• No admin credentials at all

• Cleat text admin (telnet, http)

• Documented standards, regular network discovery

and lots of training is the defence!


Windows Hacking


Windows is complicated

• Widows permissions are confusing

• Default groups can be a problem (e.g. ‘everyone’)

• There isn’t enough granularity:- Domain Admins / Enterprise Admins- Account Operators / Server Operators (seldom used)- The rest!

• Confusion between domain accounts and local accounts

• Windows password weaknesses are not understood

• Usually way too many ‘Domain Admins’


Check for unprotected shares

Everyone has “full control”An unprotected share

Some very interesting directories!


Searching for sensitive data

• Use a tool like Advanced Find and Replace

• Search for documents containing “password”

(files modified in last 6 months)

• Use your imagination in search strings

• Use your brain to select appropriate targets

• Capture files even if they’re password-protected

(they can be cracked)


Don’t ignore open shares!

Things we found on unprotected shares:

• Salary spreadsheets

• HR letters

• Usernames and passwords (for everything!)

• IT diagrams and configurations

• Firewall details

• Security rotas


Files visible to anyone …


Windows architecture (1)

DomainController

DomainController

MemberServer

MemberServer

Workstation

Workstation

Workstation

Domain users and groups


Local users and groups





Domain logon

Global group in local group

Local logon



DomainController

DomainController

MemberServer

MemberServer

Workstation

Workstation

Workstation








Log on as member of Domain Admins

Member of Administrators



Mem

ber of Adm

inistrators



DomainController

DomainController

MemberServer

MemberServer

Workstation

Workstation

Workstation








Logon as member

of Administrators


Look for service accounts


Case study: stupid passwords

admin5crystalfinancefridaymacadminmonkeyorangepasswordpassword1praguepuddingrocky4securitysecurity1sparklewebadminyellow

Global firm:

• 67 Administrator accounts

• 43 simple passwords (64%)

• 15 were “password” (22%)

• Some examples we found ->


Case study: password crack

• 26,310 passwords from a Windows domain

• 11,279 (42.9%) cracked in 2½ minutes

• It’s not a challenge!


Finally, unpatched systems can meandrag and drop Administrator!


Windows Hacking

• Badly configured permissions

• Too much access for too many accounts

• Too many privileged accounts

• Obviously named service accounts

• Easy-to-guess passwords

• No idea how to make a strong password(don’t know about LM hashes!)

• Unpatched systems, because inside is safe!

• Clear standards, regular penetration tests and lots of training is the defence


Physical Windows access


If we can boot from CD or USB …


Boot Ophcrack Live


We have some passwords!


Or just read the disk …


… copy hashes to USB key …


… and crack with rainbow tables!


Or simply change the password!


Desktop & Laptop Security

• Native Windows security is ineffective if the attacker

has physical access

• Everything on local drives is visible

• Everything on local drives can be subverted

• For laptops, encryption is the best defence, coupled

with lots of training

• For desktops, visitor control and staff vigilance –

again, lots of training


Summary and Conclusions

• Scan for SNMP and turn it off where you can

• Look for neglected network devices and set passwords

• Stop using clear text protocols

• Find unprotected shares and files and protect them

• Check for legacy Windows accounts and secure them

• Patch internal systems up to date and harden them

• Segment sensitive systems and firewall them

• Protect physically accessible computers (esp. laptops)

• Create pragmatic policies and train everyone!


Peter WoodChief Executive Officer

First Base Technologies LLP

[email protected]

http://firstbase.co.ukhttp://white-hats.co.ukhttp://peterwood.com

Twitter: peterwoodx

Need more information?

Technology

Prime Targets in Network Infrastructure