Prime Targets in Network Infrastructure

Prime Targets in
Network Infrastructure

An Ethical Hacker’s View

Peter Wood
Chief Executive Officer
First•Base Technologies

Who is Peter Wood?

Worked in computers & electronics since 1969
Founded First Base in 1989 (one of the first ethical hacking firms)
CEO First Base Technologies LLP
Social engineer & penetration tester
Conference speaker and security „expert‟

Member of ISACA Security Advisory Group
Vice Chair of BCS Information Risk Management and Audit Group
UK Chair, Corporate Executive Programme

FBCS, CITP, CISSP, MIEEE, M.Inst.ISP
Registered BCS Security Consultant
Member of ACM, ISACA, ISSA, Mensa

Slide 2 © First Base Technologies 2013

Hacker thinking

• How does this work?

• What research is there out there?

• What‟s happening under the covers?

• What happens if I do this?

• What happens if I ignore the instructions?

• What if I‟m a “legitimate” user?

• Where are the weak points?

• Is there another way in?


Let’s start at the bottom …


SNMP
Simple Network Management Protocol

• A protocol developed to manage nodes (servers,
workstations, routers, switches and hubs etc.) on an IP
network
• Enables network administrators to manage network
performance, find and solve network problems, and
plan for network growth
• SNMP v1 is the de facto network management protocol
• SNMP v1 authentication is performed by a „community
string‟, in effect a type of shared password, which is
transmitted in clear text


SNMP Architecture

• Managers: responsible for communicating with network
devices that implement SNMP Agents
• Agents: reside in devices such as servers, workstations,
switches, routers, printers, etc.
• Management Information Base (MIB): describe data
objects to be managed by an Agent within a device

• MIBs are text files, and the values in MIB data objects
are communicated between Managers and Agents


SNMP can talk to many devices


It‟s simple to scan for SNMP


Browsing an MIB


MIB data for a network switch


SNMP for hackers

• If you know the read string (default public) you can read the
entire MIB for that device
• If you know the read-write string (default private) you may be
able to change settings on that device
• You may be able to „sniff‟ community strings off the network if
they‟ve been changed from the defaults
• You may be able to control a router or switch:
- Intercept traffic and read sensitive information
- Crash the network repeatedly
- Lock the device out, requiring physical access to reset it
• You may be able to list users, groups, shares etc. on servers
• You may be able to subvert wireless network security


Don’t let SNMP stand for

Security’s Not My Problem

(thanks Nilesh Mapara!)


What else is on the network …


Default admin access

All networks contain some devices which retain
manufacturer default credentials …


Brocade Fibre Switch:
default credentials


Press „Enter‟ then …


IP CCTV:
no password


Avaya switch manager:
no password


HP tape library:
default credentials


Network device compromise

• SNMP on by default (often not required)

• SNMP default community strings in use

• Default admin logon credentials

• No admin credentials at all

• Cleat text admin (telnet, http)

• Documented standards, regular network discovery
and lots of training is the defence!


Windows Hacking


Windows is complicated

• Widows permissions are confusing

• Default groups can be a problem (e.g. „everyone‟)

• There isn‟t enough granularity:
- Domain Admins / Enterprise Admins
- Account Operators / Server Operators (seldom used)
- The rest!
• Confusion between domain accounts and local accounts

• Windows password weaknesses are not understood

• Usually way too many „Domain Admins‟


Check for unprotected shares

Everyone has “full control”
An unprotected share

Some very interesting directories!


Searching for sensitive data

• Use a tool like Advanced Find and Replace

• Search for documents containing “password”
(files modified in last 6 months)

• Use your imagination in search strings

• Use your brain to select appropriate targets

• Capture files even if they‟re password-protected
(they can be cracked)


Don‟t ignore open shares!

Things we found on unprotected shares:

• Salary spreadsheets

• HR letters

• Usernames and passwords (for everything!)

• IT diagrams and configurations

• Firewall details

• Security rotas


Files visible to anyone …


Windows architecture (1)
Domain logon

Local users Domain users
and groups Workstation Domain and groups

Controller
Global group in local group

Lo
Local users
Workstation ca Domain Domain users
and groups l lo and groups
go Controller
n

Local users Local users
and groups Workstation Member and groups

Server

Local users
Member and groups

Server

Log on as member of
Domain Admins


Controller
Member of Administrators


Controller


rs
inis trato
Local users
er o f Ad m Local users
Workstation b Member
Me m
and groups and groups

Server

Local users
Member and groups

Server



Controller

Lo
g
of on a
Local users Ad s m Domain users
Workstation mi Domain
and groups
n i s e mb and groups

tra e Controller
tor r
s

Local users Local users
and groups Workstation Member and groups

Server

Local users
Member and groups

Server

Look for service accounts


Case study: stupid passwords

admin5
crystal
finance
Global firm: friday
macadmin
• 67 Administrator accounts monkey
orange
• 43 simple passwords (64%) password
password1
prague
• 15 were “password” (22%)
pudding
rocky4
• Some examples we found -> security
security1
sparkle
webadmin
yellow


Case study: password crack

• 26,310 passwords from a Windows domain

• 11,279 (42.9%) cracked in 2½ minutes

• It‟s not a challenge!


Finally, unpatched systems can mean
drag and drop Administrator!


Windows Hacking

• Badly configured permissions

• Too much access for too many accounts

• Too many privileged accounts

• Obviously named service accounts

• Easy-to-guess passwords

• No idea how to make a strong password
(don‟t know about LM hashes!)

• Unpatched systems, because inside is safe!

• Clear standards, regular penetration tests and lots
of training is the defence

Physical Windows access


If we can boot from CD or USB …


Boot Ophcrack Live


We have some passwords!


Or just read the disk …


… copy hashes to USB key …


… and crack with rainbow tables!


Or simply change the password!


Desktop & Laptop Security

• Native Windows security is ineffective if the attacker
has physical access

• Everything on local drives is visible

• Everything on local drives can be subverted

• For laptops, encryption is the best defence, coupled
with lots of training

• For desktops, visitor control and staff vigilance –
again, lots of training


Summary and Conclusions

• Scan for SNMP and turn it off where you can

• Look for neglected network devices and set passwords

• Stop using clear text protocols

• Find unprotected shares and files and protect them

• Check for legacy Windows accounts and secure them

• Patch internal systems up to date and harden them

• Segment sensitive systems and firewall them

• Protect physically accessible computers (esp. laptops)

• Create pragmatic policies and train everyone!

Need more information?

Peter Wood
Chief Executive Officer
First Base Technologies LLP

peterw@firstbase.co.uk

http://firstbase.co.uk
http://white-hats.co.uk
http://peterwood.com

Twitter: peterwoodx


Prime Targets in Network Infrastructure

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (13)

Andere mochten auch

Andere mochten auch (20)

Ähnlich wie Prime Targets in Network Infrastructure

Ähnlich wie Prime Targets in Network Infrastructure (20)

Mehr von Peter Wood

Mehr von Peter Wood (15)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Prime Targets in Network Infrastructure