Over the past fifteen years, Peter Wood and his team have conducted numerous penetration tests for some of the largest organisations in the world. Learn about the most common problems and mistakes that they have found. Discover what to examine and test as though you were "the bad guy", not an architect or network specialist. This presentation will show you how criminal hackers think and offer you ideas for defending against them effectively.
Prime Targets in Network Infrastructure
Peter Wood, Chief Executive Officer
First•Base Technologies
An Ethical Hacker’s View
Slide 2 © First Base Technologies 2013
Who is Peter Wood?
Worked in computers & electronics since 1969
Founded First Base in 1989 (one of the first ethical hacking firms)
CEO, First Base Technologies LLP
Social engineer & penetration tester
Conference speaker and security ‘expert’
Member of ISACA Security Advisory Group
Vice Chair of BCS Information Risk Management and Audit Group
UK Chair, Corporate Executive Programme
FBCS, CITP, CISSP, MIEEE, M.Inst.ISP
Registered BCS Security Consultant
Member of ACM, ISACA, ISSA, Mensa
Hacker thinking
• How does this work?
• What research is there out there?
• What’s happening under the covers?
• What happens if I do this?
• What happens if I ignore the instructions?
• What if I’m a “legitimate” user?
• Where are the weak points?
• Is there another way in?
Let’s start at the bottom …
SNMP: Simple Network Management Protocol
• A protocol developed to manage nodes (servers, workstations, routers, switches and hubs etc.) on an IP network
• Enables network administrators to manage network performance, find and solve network problems, and plan for network growth
• SNMP v1 is the de facto network management protocol
• SNMP v1 authentication is performed by a ‘community string’, in effect a type of shared password, which is transmitted in clear text
SNMP Architecture
• Managers: responsible for communicating with network devices that implement SNMP Agents
• Agents: reside in devices such as servers, workstations, switches, routers, printers, etc.
• Management Information Base (MIB): describe data objects to be managed by an Agent within a device
• MIBs are text files, and the values in MIB data objects are communicated between Managers and Agents
SNMP can talk to many devices
It’s simple to scan for SNMP
Browsing an MIB
MIB data for a network switch
SNMP for hackers
• If you know the read string (default public) you can read the entire MIB for that device
• If you know the read-write string (default private) you may be able to change settings on that device
• You may be able to ‘sniff’ community strings off the network if they’ve been changed from the defaults
• You may be able to control a router or switch:
- Intercept traffic and read sensitive information
- Crash the network repeatedly
- Lock the device out, requiring physical access to reset it
• You may be able to list users, groups, shares etc. on servers
• You may be able to subvert wireless network security
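Because the community string travels in clear text, the same weakness lets a defender audit their own traffic captures. The Python below is an added example (not from the presentation): it decodes the SNMPv1/v2c message header and flags default community strings and SetRequests; the two packets are constructed by hand for the demonstration.

```python
"""Decode SNMPv1/v2c message headers and flag risky community-string use.
Added example, not from the presentation. The two packets below are
constructed by hand (a GetRequest for sysName.0, a SetRequest on sysContact.0).
"""
DEFAULT_COMMUNITIES = {"public", "private"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}

def read_tlv(buf, pos):
    """Read one BER tag-length-value triple; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(packet):
    """Return version, community and PDU type of one SNMP message."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    vtag, ver, pos = read_tlv(msg, 0)        # INTEGER version: 0 = v1, 1 = v2c
    ctag, comm, pos = read_tlv(msg, pos)     # OCTET STRING community, clear text
    ptag, _, _ = read_tlv(msg, pos)          # context tag gives the PDU type
    if vtag != 0x02 or ctag != 0x04:
        raise ValueError("unexpected SNMP header layout")
    version = int.from_bytes(ver, "big")
    return {"version": {0: "v1", 1: "v2c"}.get(version, f"unknown({version})"),
            "community": comm.decode("ascii", "replace"),
            "pdu": PDU_NAMES.get(ptag, f"0x{ptag:02x}")}

def audit_packet(packet):
    """Findings a defender would care about for one captured packet."""
    hdr = parse_snmp_header(packet)
    findings = []
    if hdr["community"] in DEFAULT_COMMUNITIES:
        findings.append(f"default community '{hdr['community']}' used in "
                        f"{hdr['version']} {hdr['pdu']}")
    if hdr["pdu"] == "SetRequest":
        findings.append("write access in use over a clear-text protocol")
    return findings

GET_PUBLIC = bytes.fromhex(                  # v1 GetRequest, community 'public'
    "30 26 02 01 00 04 06 7075626c6963 a0 19 02 01 01 02 01 00 02 01 00"
    "30 0e 30 0c 06 08 2b 06 01 02 01 01 05 00 05 00")
SET_PRIVATE = bytes.fromhex(                 # v1 SetRequest, community 'private'
    "30 28 02 01 00 04 07 70726976617465 a3 1a 02 01 02 02 01 00 02 01 00"
    "30 0f 30 0d 06 08 2b 06 01 02 01 01 04 00 04 01 78")
```

Run `audit_packet()` over the UDP/161 payloads from a capture to list which devices still answer to default strings and where writes are happening.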
Don’t let SNMP stand for
Security’s Not My Problem
(thanks Nilesh Mapara!)
What else is on the network …
Default admin access
All networks contain some devices which retain manufacturer default credentials …
Brocade Fibre Switch: default credentials
Press ‘Enter’ then …
IP CCTV: no password
Avaya switch manager: no password
HP tape library: default credentials
Network device compromise
• SNMP on by default (often not required)
• SNMP default community strings in use
• Default admin logon credentials
• No admin credentials at all
• Clear text admin (telnet, http)
• Documented standards, regular network discovery and lots of training is the defence!
Windows Hacking
Windows is complicated
• Windows permissions are confusing
• Default groups can be a problem (e.g. ‘everyone’)
• There isn’t enough granularity:
- Domain Admins / Enterprise Admins
- Account Operators / Server Operators (seldom used)
- The rest!
• Confusion between domain accounts and local accounts
• Windows password weaknesses are not understood
• Usually way too many ‘Domain Admins’
Check for unprotected shares
An unprotected share: Everyone has “full control”
Some very interesting directories!
Searching for sensitive data
• Use a tool like Advanced Find and Replace
• Search for documents containing “password” (files modified in last 6 months)
• Use your imagination in search strings
• Use your brain to select appropriate targets
• Capture files even if they’re password-protected (they can be cracked)
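The same search run by the defender finds these files first. The Python below is an added example (not from the presentation): it walks a directory tree, applies the slide’s own criteria (the word “password”, files modified in the last 6 months) and builds a small constructed share in a temporary directory to show the result.

```python
"""Audit a share for recently changed files that mention passwords.
Added example, not from the presentation. It applies the slide's own search
(the word "password", files modified in the last 6 months) to a directory tree.
"""
import os
import re
import tempfile
import time
from pathlib import Path

PATTERN = re.compile(rb"passw(or)?d|pwd\s*[:=]", re.IGNORECASE)
SIX_MONTHS = 182 * 24 * 3600   # seconds; the window from the slide
MAX_BYTES = 4_000_000          # skip large binaries (assumed limit, for speed)

def find_sensitive(root, now=None, max_age=SIX_MONTHS):
    """Return relative paths of files under root that match PATTERN and were
    modified within max_age seconds of now (default: the current time)."""
    now = time.time() if now is None else now
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        st = path.stat()
        if now - st.st_mtime > max_age or st.st_size > MAX_BYTES:
            continue
        try:
            data = path.read_bytes()   # zipped Office formats need unpacking first
        except OSError:
            continue
        if PATTERN.search(data):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)

def demo():
    """Build a constructed share in a temp directory and audit it."""
    share = Path(tempfile.mkdtemp(prefix="share_"))
    (share / "hr").mkdir()
    (share / "hr" / "creds.txt").write_text("vpn password = Summer2013!\n")
    (share / "notes.txt").write_text("lunch rota for next week\n")
    old = share / "old_setup.txt"
    old.write_text("admin pwd: changeme\n")
    a_year_ago = time.time() - 365 * 24 * 3600
    os.utime(old, (a_year_ago, a_year_ago))   # outside the 6-month window
    return find_sensitive(share)

if __name__ == "__main__":
    print(demo())   # -> ['hr/creds.txt']
```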
Don’t ignore open shares!
Things we found on unprotected shares:
• Salary spreadsheets
• HR letters
• Usernames and passwords (for everything!)
• IT diagrams and configurations
• Firewall details
• Security rotas
Files visible to anyone …
Windows architecture (1)
[Diagram: two Domain Controllers holding domain users and groups; two Member Servers and three Workstations each holding local users and groups. Labels: “Domain logon”, “Global group in local group”, “Local logon”.]
Windows architecture (2)
[Diagram: the same Domain Controllers, Member Servers and Workstations. Labels: “Log on as member of Domain Admins” at the Domain Controllers, “Member of Administrators” at each Member Server and Workstation.]
Windows architecture (3)
[Diagram: the same Domain Controllers, Member Servers and Workstations. Label: “Logon as member of Administrators”.]
Look for service accounts
Case study: stupid passwords
Global firm:
• 67 Administrator accounts
• 43 simple passwords (64%)
• 15 were “password” (22%)
• Some examples we found: admin5, crystal, finance, friday, macadmin, monkey, orange, password, password1, prague, pudding, rocky4, security, security1, sparkle, webadmin, yellow
Case study: password crack
• 26,310 passwords from a Windows domain
• 11,279 (42.9%) cracked in 2½ minutes
• It’s not a challenge!
Finally, unpatched systems can mean drag and drop Administrator!
Windows Hacking
• Badly configured permissions
• Too much access for too many accounts
• Too many privileged accounts
• Obviously named service accounts
• Easy-to-guess passwords
• No idea how to make a strong password (don’t know about LM hashes!)
• Unpatched systems, because inside is safe!
• Clear standards, regular penetration tests and lots of training is the defence
Physical Windows access
If we can boot from CD or USB …
Boot Ophcrack Live
We have some passwords!
Or just read the disk …
… copy hashes to USB key …
… and crack with rainbow tables!
Or simply change the password!
Desktop & Laptop Security
• Native Windows security is ineffective if the attacker has physical access
• Everything on local drives is visible
• Everything on local drives can be subverted
• For laptops, encryption is the best defence, coupled with lots of training
• For desktops, visitor control and staff vigilance – again, lots of training
Summary and Conclusions
• Scan for SNMP and turn it off where you can
• Look for neglected network devices and set passwords
• Stop using clear text protocols
• Find unprotected shares and files and protect them
• Check for legacy Windows accounts and secure them
• Patch internal systems up to date and harden them
• Segment sensitive systems and firewall them
• Protect physically accessible computers (esp. laptops)
• Create pragmatic policies and train everyone!
Peter Wood, Chief Executive Officer
First Base Technologies LLP
http://firstbase.co.uk
http://white-hats.co.uk
http://peterwood.com
Twitter: peterwoodx
Need more information?