1. Some “Ethical Hacking”
Case Studies
Peter Wood
First•Base
Technologies

2. How much damage
can a security breach cause?
• 44% of UK businesses suffered at least one
malicious security breach in 2002
• The average cost was £30,000
• Several cost more than £500,000
• and these are just the reported incidents …!
Source: The DTI Information Security Breaches survey
Slide 2 © First Base Technologies 2003

3. The External Hacker
Slide 3 © First Base Technologies 2003

4. Internet Web Developer
home m
Di
n fr o
al-
up
Dial-i
e IS
DN
lin
d co
se nn
Lea e cti
o n
Desktop PC Firewall
Bridge Bridge
My Client Client's business partner
Slide 4 © First Base Technologies 2003

5. Internet Web Developer
Secure
home m
Di
n fr o
the al-
up
Secure
Dial-i
e IS
DN
desktop d
lin
co
se
Lea Internetcti
nn
e
on
Desktop PC Firewall connections
Bridge Bridge
Secure Secure
My Client Client's business partner
the third-party
Slide 5 network connections
© First Base Technologies 2003

6. The Inside Hacker
Slide 6 © First Base Technologies 2003

7. Plug and go
Ethernet ports are never disabled ….
… or just steal a connection from a desktop
NetBIOS tells you lots and lots ……
…. And you don’t need to be logged on
Slide 7 © First Base Technologies 2003

8. Get yourself an IP address
• Use DHCP since almost everyone does!
• Or … use a sniffer to see broadcast packets
(even in a switched network) and try some
suitable addresses
Slide 8 © First Base Technologies 2003

9. Browse the network
Slide 9 © First Base Technologies 2003

10. Pick a target machine
Pick a target
Slide 10 © First Base Technologies 2003

11. Try null sessions ...
Slide 11 © First Base Technologies 2003

12. List privileged users
Slide 12 © First Base Technologies 2003

13. Typical passwords
• administrator null, password, administrator
• arcserve arcserve, backup
• test test, password
• username password, monday, football
• backup backup
• tivoli tivoli
• backupexec backup
• smsservice smsservice
• … any service account … same as account name
Slide 13 © First Base Technologies 2003

14. Game over!
Slide 14 © First Base Technologies 2003

15. The Inside-Out Hacker
Slide 15 © First Base Technologies 2003

16. Senior person - laptop at home
Internet
il
e- ma
Laptop
Slide 16 © First Base Technologies 2003

17. … opens attachment
Internet
il
e- ma
Trojan software
Laptop now silently
installed
Slide 17 © First Base Technologies 2003

18. … takes laptop to work
Internet
Firewall
Laptop Laptop
Corporate Network
Slide 18 © First Base Technologies 2003

19. … trojan sees what they see
Internet
Firewall
Finance Server HR Server
Laptop
Corporate Network
Slide 19 © First Base Technologies 2003

20. Information flows out of the
organisation
Evil server
Internet
Firewall
Finance Server HR Server
Laptop
Corporate Network
Slide 20 © First Base Technologies 2003

21. Physical Attacks
Slide 21 © First Base Technologies 2003

22. What NT password?
Slide 22 © First Base Technologies 2003

23. NTFSDOS
Slide 23 © First Base Technologies 2003

24. Keyghost
Slide 24 © First Base Technologies 2003

25. KeyGhost - keystroke capture
Keystrokes recorded so far is 2706 out of 107250 ...
<PWR><CAD>fsmith<tab><tab>arabella
xxxxxxx <tab><tab> None<tab><tab> None<tab><tab> None<tab><tab>
<CAD> arabella
<CAD>
<CAD> arabella
<CAD>
<CAD> arabella
exit
tracert 192.168.137.240
telnet 192.168.137.240
cisco
Slide 25 © First Base Technologies 2003

26. Viewing Password-Protected Files
Slide 26 © First Base Technologies 2003

27. Office Documents
Slide 27 © First Base Technologies 2003

28. Zip Files
Slide 28 © First Base Technologies 2003

29. Plain Text Passwords
Slide 29 © First Base Technologies 2003

30. Netlogon
In the unprotected netlogon share on a server:
logon scripts can contain:
net use servershare “password” /u:“user”
Slide 30 © First Base Technologies 2003

31. Registry scripts
In shared directories you may find
.reg files like this:
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows
NTCurrentVersionWinlogon]
"DefaultUserName"="username"
"DefaultPassword"="password"
"AutoAdminLogon"="1"
Slide 31 © First Base Technologies 2003

32. Passwords in
procedures & documents
Slide 32 © First Base Technologies 2003

33. Packet sniffing
Generated by : TCP.demux V1.02
Input File: carol.cap
Output File: TB000463.txt
• Leave the sniffer Summary File: summary.txt
Date Generated: Thu Jan 27 08:43:08 2000
running 10.1.1.82 1036
10.1.2.205 23 (telnet)
UnixWare 2.1.3 (mikew) (pts/31).
• Capture all packets login:
to port 23 or 21 cl_Carol
Password:
• The result ... carol1zz
UnixWare 2.1.3.
mikew.
Copyright 1996 The Santa Cruz Operation, Inc. All Rights Reserved..
Copyright 1984-1995 Novell, Inc. All Rights Reserved..
Copyright 1987, 1988 Microsoft Corp. All Rights Reserved..
U.S. Pat. No. 5,349,642.
Slide 33 © First Base Technologies 2003

34. Port scan
Slide 34 © First Base Technologies 2003

35. Brutus dictionary attack
Slide 35 © First Base Technologies 2003

36. NT Password Cracking
Slide 36 © First Base Technologies 2003

37. How to get the NT SAM
• On any NT/W2K machine:
- In memory (registry)
- c:winntrepairsam (invoke rdisk?)
- Emergency Repair Disk
- Backup tapes
- Sniffing (L0phtcrack)
• Run L0phtcrack on the SAM ….
Slide 37 © First Base Technologies 2003

38. End of part one!
Slide 38 © First Base Technologies 2003

39. And how to prevent it!
Peter Wood
First•Base
Technologies

40. Prevention is better ...
• Harden the servers
• Monitor alerts (e.g. www.sans.org)
• Scan, test and apply patches
• Monitor logs
• Good physical security
• Intrusion detection systems
• Train the technical staff on security
• Serious policy and procedures!
Slide 40 © First Base Technologies 2003

41. Server hardening
• HardNT40rev1.pdf • Windows NT Security Guidelines
(www.fbtechies.co.uk) (nsa1.www.conxion.com)
• HardenW2K101.pdf • NTBugtraq FAQs
(www.fbtechies.co.uk) (http://ntbugtraq.ntadvice.com/defa
• FAQ for How to Secure Windows ult.asp?pid=37&sid=1)
NT (www.sans.org) • Securing Windows 2000
• Fundamental Steps to Harden (www.sans.org)
Windows NT 4_0 (www.sans.org) • Securing Windows 2000 Server
• ISF NT Checklist v2 (www.sans.org)
(www.securityforum.org) • Windows 2000 Known
• http://www.microsoft.com/technet/ Vulnerabilities and Their Fixes
security/bestprac/default.asp (www.sans.org)
• Lockdown.pdf (www.iss.net) • SANS step-by-step guides
Slide 41 © First Base Technologies 2003

42. Alerts
• www.sans.org
• www.cert.org
• www.microsoft.com/security
• www.ntbugtraq.com
• www.winnetmag.com
• razor.bindview.com
• eeye.com
• Security Pro News (ientrymail.com)
Slide 42 © First Base Technologies 2003

43. Scan and apply patches
Slide 43 © First Base Technologies 2003

44. Monitor logs
Slide 44 © First Base Technologies 2003

45. Good physical security
• Perimeter security
• Computer room security
• Desktop security
• Close monitoring of admin’s work areas
• No floppy drives?
• No bootable CDs?
Slide 45 © First Base Technologies 2003

46. Intrusion detection
• RealSecure
• Tripwire
• Dragon
• Snort
• www.networkintrusion.co.uk for guidance
Slide 46 © First Base Technologies 2003

47. Security Awareness
• Sharing admin accounts
• Service accounts
• Account naming conventions
• Server naming conventions
• Hardening
• Passwords (understand NT passwords!)
• Two-factor authentication?
Slide 47 © First Base Technologies 2003

48. Serious Policy & Procedures
• Top-down commitment
• Investment
• Designed-in security
• Regular audits
• Regular penetration testing
• Education & awareness
Slide 48 © First Base Technologies 2003

49. Need more information?
Peter Wood
peterw@firstbase.co.uk
www.fbtechies.co.uk
Slide 49 © First Base Technologies 2003