
Ernest Staats Director of Technology and Network Services at GCA

Hacking High School. Ernest Staats, Director of Technology and Network Services at GCA. MS Information Assurance, CISSP, CEH, MCSE, CNA, CWNA, Security+, I-Net+, Network+, Server+, A+. Resources available @ http://es-es.net. Can’t defend what you don’t know.


Presentation Transcript


1. Hacking High School
Ernest Staats, Director of Technology and Network Services at GCA
MS Information Assurance, CISSP, CEH, MCSE, CNA, CWNA, Security+, I-Net+, Network+, Server+, A+
Resources available @ http://es-es.net

2. Can’t defend what you don’t know
• “Know your enemies & know yourself” <Sun Tzu>
• Hacker mentality
• Map your network regularly
• Sniff and baseline your network: know what type of data needs to be going across your system
• Know what types of paths are open to your data: WiFi, USB, Bluetooth, remote access
• Web 2.0
• Mobile device access
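
The "map and baseline" advice above, turned into a repeatable check. This is an added example, not code from the presentation or from es-es.net: it snapshots every listening TCP port on a Windows host together with the owning process, stores that as a baseline, and on later runs reports listeners that appeared or disappeared, so a new remote-access path on a lab machine shows up as a diff instead of going unnoticed. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection); the baseline path is an assumption.

```powershell
# Added example (not from the presentation): baseline the listening services on a
# Windows host and diff later snapshots against it.
# Assumes Get-NetTCPConnection is available (Windows 8 / Server 2012 or later).
# The baseline file location is an assumption; change it to suit your environment.
$BaselinePath = 'C:\Baseline\listeners.json'

function Get-ListenerSnapshot {
    # One record per listening TCP socket, with the name of the owning process
    Get-NetTCPConnection -State Listen |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                Process      = if ($proc) { $proc.ProcessName } else { 'unknown' }
            }
        } | Sort-Object LocalPort, LocalAddress -Unique
}

function Save-Baseline {
    # Write the current snapshot as the known-good state
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    Get-ListenerSnapshot | ConvertTo-Json | Set-Content -Path $BaselinePath
}

function Compare-ToBaseline {
    # Report listeners that are new since the baseline, and baseline listeners now missing
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $current  = Get-ListenerSnapshot
    $key   = { "$($_.LocalAddress):$($_.LocalPort)/$($_.Process)" }
    $known = $baseline | ForEach-Object $key
    $now   = $current  | ForEach-Object $key
    [pscustomobject]@{
        NewListeners     = @($now   | Where-Object { $_ -notin $known })
        MissingListeners = @($known | Where-Object { $_ -notin $now })
    }
}

# First run writes the baseline; every later run diffs against it
if (-not (Test-Path $BaselinePath)) {
    Save-Baseline
    'Baseline written to {0}' -f $BaselinePath
} else {
    Compare-ToBaseline | Format-List
}
```

Run it once on a freshly imaged lab machine to capture the baseline, then schedule it; a non-empty NewListeners field is the thing to investigate. The process name is part of the key on purpose: the same port served by a different binary is a change worth seeing.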

3. Hacker Mentality
Hackers are motivated by various factors:
• Ego
• Curiosity and challenge
• Entertainment
• Political beliefs
• Desire for information
• Thrill of gaining privileged access
• Owning the system long term (Trojans, backdoors)
• Attempting to compromise additional systems
• A "trophy" to gain status

4. Hacker Stratification (In the end there can only be 1)
• Tier I
  • The best of the best
  • Ability to find new vulnerabilities
  • Ability to write exploit code and tools
  • Motivated by the challenge, and of course, money
• Tier II
  • IT savvy
  • Ability to program or script
  • Understand what the vulnerability is and how it works
  • Intelligent enough to use the exploit code and tools with precision
  • Motivated by the challenge but primarily curiosity, some ego
• Tier III
  • “Script Kiddies”
  • Few real talents
  • Ability to download exploit code and tools written by others
  • Very little understanding of the actual vulnerability
  • Randomly fire off scripts until something works
  • Motivated by ego, entertainment, desire to hurt others

5. Low Hanging Fruit
• Safe mode / hacker mode: F8 or hold down the CTRL key
• God Mode
• Lab machines that require admin rights to run software
• IronGeek.com / YouTube “Hack School”: lots of step-by-step videos
• Renamed EXEs: two fun ones are netsh.exe and utilman.exe
• When using Microsoft GPOs, use hash rules instead of path rules
• Use Windows Run; use MS Access to make a macro run CMD
• Use IP address instead of name: Shutdown –i
• Use U3 devices or Portable Apps
• Right-click to make a shortcut to the C drive if you hide the C drive
• Use Bluetooth to make file transfers to Windows system32; if they have USB access they own it

6. GOD Mode (Vista / Win7): hiding things will not work
• GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}
• Other shortcuts:
  • {00C6D95F-329C-409a-81D7-C46C66EA7F33}
  • {0142e4d0-fb7a-11dc-ba4a-000ffe7ab428}
  • {025A5937-A6BE-4686-A844-36FE4BEC8B6D}
  • {05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}
  • {1206F5F1-0569-412C-8FEC-3204630DFB70}
  • {15eae92e-f17a-4431-9f28-805e482dafd4}
  • {17cd9488-1228-4b2f-88ce-4298e93e0966}
  • {1D2680C9-0E2A-469d-B787-065558BC7D43}
  • {1FA9085F-25A2-489B-85D4-86326EEDCD87}
  • {208D2C60-3AEA-1069-A2D7-08002B30309D}
  • {20D04FE0-3AEA-1069-A2D8-08002B30309D}
  • {2227A280-3AEA-1069-A2DE-08002B30309D}
  • {241D7C96-F8BF-4F85-B01F-E2B043341A4B}
  • {4026492F-2F69-46B8-B9BF-5654FC07E423}
  • {62D8ED13-C9D0-4CE8-A914-47DD628FB1B0}
  • {78F3955E-3B90-4184-BD14-5397C15F1EFC}

7. Not Rocket Science
• 2009 saw the first iPhone worm; most attacks were near-identical to prior years, changing only the victims and the level of sophistication
• FBI estimated small and medium businesses have lost $40 million to cyber-crime since 2004

8. Virus Creation
• Anyone can do it!

9. Malware is very common
• Malware: how common?
  • Spyware
  • Virus
  • Worm
• Tracking maps
  • http://wtc.trendmicro.com/wtc/default.asp
  • http://www.fortiguard.com/map/worldmap.html
• Symantec reported over a million malware samples since 2007

10. “Will vulnerabilities ever go away?”
If 95-99% of all attacks come from known vulnerabilities and mis-configurations [Carnegie Mellon],
and known vulnerabilities and mis-configurations come from human error,
and, for the foreseeable future, humans will be the creators and maintainers of technology,
then vulnerabilities (and risk) are here to stay!

11. Mis-configurations
• Easily guessed passwords
  • Admin / no password
  • Admin / username same as password
  • Admin / ”password”
• Common user/pass combinations
  • oracle/oracle
• Default Password List: http://tinyurl.com/39teob
• Default installed files
• Admin rights for software
• Incorrect permissions

12. Mobile devices expose you: “I’m really an IP-connected computer!”

13. USB adds risk
• Flash memory devices
• Containing what?

14. Using remote access to hack
• BackTrack4
  • Owning Vista with BackTrack: http://www.offensive-security.com/backtrack-tutorials.php
  • How to put BT4 on a USB: http://www.offensive-security.com/backtrack-tutorials.php
• Portable Apps: http://es-es.net
• Mobile devices
  • iPhone / iPod Touch: http://www.leebaird.com/Me/iPhone.html
  • Droid, PS2, others
• Metasploit

15. Silver Bullet Eater
• Alternate streamview
• BinText
• BitComet
• CCleaner
• Clam AV
• Convert All Portable
• Cool Player+ Portable
• Defraggler
• Dir html
• File Shredder
• Firefox
• HTTrack
• KeePass
• LAN Search
• Lsa secrets view
• MAC address View
• MD5Checker
• mRemote
• netcheck
• Netscan
• NMap
• Pidgin Portable
• PortableApps.com
• Portable-Virtual Box
• Process Injection
• Process Killer
• Recuva File Restore
• Sophos Anti-Rootkit
• Stinger
• Sumatra PDF
• Super Scanner
• Sysinternals Suite
• System Info
• Tor
• WinSCP
• Wireless keyview
• Wireshark
• YouTube downloader
• putty.exe
Links to portable USB software:
• http://www.portablefreeware.com/all.php
• http://www.makeuseof.com/tag/portable-software-usb/
• http://en.wikipedia.org/wiki/List_of_portable_software
• http://www.portablefreeware.com/index.php?sc=27
• My set of portable apps: http://es-es.net/resources/Portable_Apps.zip

16. Demo time: all resources on my site, es-es.net

17. U3 PocketKnife
• Steal passwords
• Product keys
• Steal files
• Kill antivirus software
• Turn off the firewall
• And more…
• For details see http://wapurl.co.uk/?719WZ2T

18. Customizing U3
• You can create a custom file to be executed when a U3 drive is plugged in
• The custom U3 launcher runs PocketKnife
• So all those things are stolen and put on the flash drive

  19. BackTrack in VM U3 Device

  20. UBCD in a VM track that one….

21. Cain and Abel: local passwords

22. Password Cracking
• NTPassword: RESET any admin password to blank
  • http://home.eunet.no/pnordahl/ntpasswd/
• Cain and Abel
• BackTrack 4 (BT4): http://www.backtrack-linux.org/downloads/
• Default Password List: http://tinyurl.com/39teob
• Paid password tools
  • http://www.brothersoft.com/downloads/crack-password.html
  • http://www.elcomsoft.com/index.html
  • http://www.accessdata.com/

  23. Defense

24. Immediate Risk Reduction
• Disable AutoRun / keep system patches updated
• Glue USB ports shut
• Install Windows 7 64-bit: several cracking programs do not work
• Get rid of admin rights; lock down workstations
• Monitor WiFi access; secure your wireless networks: http://es-es.net/13.html
• USB blocking
  • Windows Group Policy
  • Netwrix: http://www.netwrix.com/usb_blocker.html
  • Several vendors on the show floor have options to limit or block USB
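
The first, fourth and USB-blocking items on this slide as a script a school sysadmin can run. This is an added example, not code from the presentation: it reads the two registry values behind "Disable AutoRun" and "block USB mass storage", reports whether each is at the hardened value, lists who currently sits in the local Administrators group, and can enforce the two settings. It assumes an elevated session on Windows 7 or later; Get-LocalGroupMember needs Windows 10 / Server 2016 or later. The registry locations are the documented Microsoft ones (NoDriveTypeAutoRun under Policies\Explorer, the USBSTOR service Start value); the -Enforce behaviour and function names are mine.

```powershell
# Added example (not from the presentation): audit and optionally enforce the
# AutoRun and USB-storage hardening the slide recommends, and list local admins.
# Assumes an elevated PowerShell session on Windows 7 or later.
#   NoDriveTypeAutoRun = 0xFF  -> AutoRun disabled for every drive type
#   USBSTOR\Start      = 4     -> USB mass-storage driver disabled (needs reboot)
$Checks = @(
    @{ Name     = 'AutoRun disabled (all drive types)'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value    = 'NoDriveTypeAutoRun'
       Expected = 0xFF },
    @{ Name     = 'USB mass-storage driver disabled'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Value    = 'Start'
       Expected = 4 }
)

function Get-HardeningStatus {
    # Read each value (missing value = not hardened) and compare to the expected one
    foreach ($c in $Checks) {
        $item    = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        $current = if ($item) { $item.($c.Value) } else { $null }
        [pscustomobject]@{
            Check     = $c.Name
            Current   = $current
            Expected  = $c.Expected
            Compliant = ($current -eq $c.Expected)
        }
    }
}

function Set-Hardening {
    # Write the expected values; creates the policy key if it does not exist yet
    foreach ($c in $Checks) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Expected -Type DWord
    }
}

function Get-LocalAdmins {
    # "Get rid of admin rights": every account and group in local Administrators
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

# Report first; enforcement is opt-in
Get-HardeningStatus | Format-Table -AutoSize
Get-LocalAdmins     | Format-Table -AutoSize
if ($args -contains '-Enforce') {
    Set-Hardening
    'Settings applied; reboot for the USBSTOR change to take full effect.'
}
```

Setting USBSTOR Start to 4 blocks every USB disk, including ones you might want; the Group Policy item "Removable Storage Access" (Computer Configuration > Administrative Templates > System) gives per-class control and is the better long-term tool, with this script as the quick verification that the policy actually landed on the workstation.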

25. Better USB Solution: IEEE 1667
• Standard Protocol for Authentication in Host Attachments of Transient Storage Devices
• USB devices can be signed and authenticated, so only authorized devices are allowed
• Implemented in Windows 7
• See http://tinyurl.com/ybce7z7

26. Keep Data Secure: Web 2.0
• Continued education of computer users
• Don’t click on strange links (avoid tempt-to-click attacks)
• Do not release personal information online
• Use caution with IM and SMS (short message service)
• Be careful with social networking sites
• Don’t e-mail sensitive information
• Don’t hit “reply” to a received e-mail containing sensitive information
• Require mandatory VPN (virtual private network) use over wireless networks

27. Addressing the Threats
• Design/implement widely accepted policies and standards
• Identify the vulnerabilities, mis-configurations, and policy violations
• Apply fixes and patches as quickly as possible
• Mitigate the risk with intrusion prevention
• Log and monitor all critical systems
• Educate yourself & your staff
• Disable Safe Mode; lock systems with Steady State, Deep Freeze or others
• Lock down Windows Group Policies
• Block USB devices
• Secure your WiFi network

28. The List: tools I use!

29. Password Recovery Tools
• Fgdump (mass password auditing for Windows)
  • http://foofus.net/fizzgig/fgdump
• Cain and Abel (password cracker and so much more…)
  • http://www.oxid.it/cain.htnl
• John The Ripper (password cracker)
  • http://www.openwall.org/john/
• GUI for John The Ripper: FSCracker
  • http://www.foundstone.com/us/resources/proddesc/fscrack.htm
• RainbowCrack: a password hash cracker that makes use of a large-scale time-memory trade-off
  • http://www.rainbowcrack.com/downloads/?PHPSESSID=776fc0bb788953e190cf415e60c781a5

30. Network Scanning
• MS Baseline Security Analyzer 2.1
  • http://www.microsoft.com/downloads/details.aspx?familyid=f32921af-9dbe-4dce-889e-ecf997eb18e9&displaylang=en
• The Dude (mapper and traffic analyzer, great for WiFi)
  • http://www.mikrotik.com/thedude.php
• Getif (network SNMP discovery and exploit tool)
  • http://www.wtcs.org/snmp4tpc/getif.htm
• SoftPerfect Network Scanner
  • http://www.softperfect.com/
• HPing2 (packet assembler/analyzer)
  • http://www.hping.org
• ZENOSS (enterprise network mapping and monitoring)
  • http://www.zenoss.com
• TCPDump (packet sniffer) for Linux, or Windump for Windows
  • http://www.tcpdump.org and http://www.winpcap.org/windump/
• LanSpy (local, domain, NetBIOS, and much more)
  • http://www.lantricks.com/

31. Tools to Assess Vulnerability
• Nessus (vulnerability scanner)
  • http://www.nessus.org
• Snort (IDS: intrusion detection system)
  • http://www.snort.org
• Metasploit Framework (vulnerability exploitation tool). Use with great caution and have permission
  • http://www.metasploit.com/projects/Framework/
• OpenVAS (Vulnerability Assessment System), enterprise network security scanner
  • http://www.openvas.org

32. Secure Your Perimeter
• DNS-stuff and DNS-reports
  • http://www.dnsstuff.com
  • http://www.dnsreports.com
• Test e-mail & HTML code
  • Web Inspect (15-day trial): http://tinyurl.com/ng6khw
  • Security Space: http://tinyurl.com/cbsr
• Other firewall options
  • Untangle: www.untangle.com
  • Smooth Wall: www.smoothwall.org
  • IPCop: www.ipcop.org

33. More Tools
• SoftPerfect Network Scanner
  • A multi-threaded IP, SNMP and NetBIOS scanner. Very easy to use; http://tinyurl.com/2kzpss
• WinSCP
  • Wraps a friendly GUI interface around the command-line switches needed to copy files between Windows and Unix/Linux; http://tinyurl.com/yvywqu
• Nagios
  • Highly configurable, flexible network resource monitoring tool; http://www.nagios.org
• OpenDNS
  • Another layer to block proxies and adult sites; http://www.opendns.com/
• CCleaner
  • Removes unused files and other software that slows down your PC; http://www.ccleaner.com/
• File Shredder
  • A fast, safe and reliable tool to shred company files; http://www.fileshredder.org/
• GroundWork (open source)
  • Full enterprise performance and network management software. Designed for data centers and large networks but can be used for small shops as well (works with Nagios); http://www.groundworkopensource.com

34. Google (get the Google Hacking book)
• The Google Hacking Database (GHDB)
  • http://johnny.ihackstuff.com/modules.php?op=modload&name=Downloads&file=index
• Cain and Abel (the Swiss Army knife)
  • Crack passwords, crack VoIP and so much more
  • http://www.oxid.it/cain.html
• Autoruns / Sysinternals Suite
  • Shows the programs that run during system boot-up or login
  • http://tinyurl.com/3adktf
• Iron Geek
  • Step-by-step security training: http://tinyurl.com/bzvwx
• SuperScan 4
  • Network scanner to find open ports (I prefer version 3)
  • http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/superscan.htm
• EventSentry
  • Allows you to consolidate and monitor event logs in real time: http://tinyurl.com/2g64sy

35. Well-worn Tools
• Wireshark
  • Packet sniffer used to find passwords and other important network errors going across the network
  • SSL: passwords are often sent in clear text before logging on
  • http://tinyurl.com/yclvno
• Metasploit
  • Hacking/networking security made easy
  • http://www.metasploit.com/
• BackTrack or UBCD4WIN boot CD
  • Cleaning infected PCs, or the ultimate hacking environment. Will run from USB
  • http://www.backtrack-linux.org/downloads/
  • http://tinyurl.com/38cgd5
• ReadNotify
  • “Registered” e-mail
  • http://www.readnotify.com/
• Virtual machine
  • For pen testing
  • http://tinyurl.com/2qhs2e

36. Digital Forensics
• First and foremost: I am not a lawyer. Always consult your local law enforcement agency and legal department first!
• Digital forensics is SERIOUS BUSINESS
• You can easily shoot yourself in the foot by doing it incorrectly
• Get some in-depth training
• …this is not in-depth training!!! (Nor is it legal advice. Be smart. The job you save may be your own.)

37. Forensics: Open Source / Free to K-12
• Helix (e-fense)
  • Customized Knoppix disk that is forensically safe
  • Includes improved versions of ‘dd’
  • Terminal windows log everything for good documentation
  • Includes Sleuthkit, Autopsy, chkrootkit, and others
  • Includes tools that can be used on a live Windows machine, including precompiled binaries and live acquisition tools
  • www.e-fense.com
• ProDiscover (free for schools)
  • www.techpathways.com

38. Anti-Forensics
• Be aware of activity in the anti-forensics area!! There are active efforts to produce tools to thwart your forensic investigation.
• Metasploit’s Anti-Forensic Toolkit*, Defiler’s Toolkit, etc.
  • Timestomp
  • Transmogrify
  • Slacker
  • SAM Juicer

  39. Sysinternals

40. Event Log: acquire key data
• Use to document unauthorized file and folder access

41. AccessChk*: acquire key data
• Shows what folder permissions a user has
• Provides evidence that the user had opportunity

42. PsLoggedOn*: acquire key data
• Shows if a user is logged onto a computing resource

43. RootkitRevealer: acquire key data
• Reveals rootkits, which take complete control of a computer and conceal their existence from standard diagnostic tools

44. PsExec: acquire key data
• Allows the investigator to remotely obtain information about a user’s computer without tipping them off or installing any applications on the user’s computer

45. Sysinternals tool: DU*: acquire key data
• Allows the investigator to remotely examine the contents of a user’s My Documents folder and any subfolders
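
The evidence the Event Log, AccessChk and PsLoggedOn slides describe, collected with built-in PowerShell cmdlets as stand-ins for the Sysinternals tools. This is an added example, not code from the presentation or from Sysinternals: Get-Acl plays the AccessChk role (who had opportunity), Get-CimInstance the PsLoggedOn/PsExec role (who is on the machine, queried remotely), and Get-WinEvent pulls Security event 4663 (object access) for the watched folder. Everything is exported to a case folder and SHA-256 hashed so later tampering with the evidence set is detectable. It assumes "Audit object access" is on and the folder carries a SACL (otherwise no 4663 events exist), that WinRM/CIM is reachable on the target, and that you hold admin rights there; the computer, folder, user and case-folder names are placeholders.

```powershell
# Added example (not from the presentation): acquire folder-access evidence with
# built-in cmdlets standing in for the Sysinternals tools the slides name.
# Assumes object-access auditing and a SACL on the folder are already configured,
# WinRM/CIM access to the target, and an elevated session. Names are placeholders.
param(
    [string]$ComputerName  = 'LAB-PC-01',          # placeholder host
    [string]$WatchedFolder = 'C:\Shared\Grades',    # placeholder audited folder
    [string]$Suspect       = 'SCHOOL\jdoe',         # placeholder account
    [string]$CaseDir       = 'C:\Cases\Case001'     # placeholder evidence folder
)

function Get-FolderPermissions {
    # AccessChk stand-in: every ACE on the folder, i.e. who had the opportunity
    (Get-Acl -Path $WatchedFolder).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

function Get-LoggedOnUser {
    # PsLoggedOn stand-in: the interactive user on the remote machine, via CIM
    Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $ComputerName |
        Select-Object Name, UserName
}

function Get-FolderAccessEvents {
    # Event Log: 4663 = "An attempt was made to access an object"; keep only
    # events whose message names the watched folder and the suspect's username
    $user = $Suspect.Split('\')[-1]
    Get-WinEvent -ComputerName $ComputerName `
                 -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$WatchedFolder*" -and $_.Message -like "*$user*" } |
        Select-Object TimeCreated, Id,
            @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

function Export-Evidence {
    # Write each data set to CSV, then hash every file for the case manifest
    New-Item -ItemType Directory -Path $CaseDir -Force | Out-Null
    Get-FolderPermissions  | Export-Csv -Path "$CaseDir\permissions.csv"   -NoTypeInformation
    Get-LoggedOnUser       | Export-Csv -Path "$CaseDir\loggedon.csv"      -NoTypeInformation
    Get-FolderAccessEvents | Export-Csv -Path "$CaseDir\access-events.csv" -NoTypeInformation
    Get-ChildItem -Path $CaseDir -File |
        Where-Object Name -ne 'manifest.sha256.csv' |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Path, Hash |
        Export-Csv -Path "$CaseDir\manifest.sha256.csv" -NoTypeInformation
}

Export-Evidence
Get-Content -Path "$CaseDir\manifest.sha256.csv"
```

Record the manifest hashes somewhere outside the case folder (a ticket, a printed log) at acquisition time; that is what lets you show later that the CSVs are the ones you collected. An empty access-events.csv usually means auditing was never enabled on that folder, which is worth knowing before an incident rather than during one.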

46. Free server virtualization software
Some of my favorite free virtualization tools:
• VMware vSphere ESXi Free Edition and VMware Go
• VMware vMA, vCLI (command-line interface), PowerCLI, and scripts from the vGhetto script repository such as vSphereHealthCheck
• Veeam Monitor (free edition), FastSCP, and Business View
• Vizioncore Wastefinder, vConvert SC and Virtualization EcoShell
• SolarWinds’ VM Monitor
• Trilead VM Explorer
• TripWire ConfigCheck
• ConfigureSoft/EMC Compliance Checker
• ESX Manager 2.3 from ESXGuide (ESX 3i and 4i are not supported)
• vKernel SearchMyVM, SnapshotMyVM, and Modeler
• Hyper9 GuessMyOS Plugin, Search Bar Plugin, and Virtualization Mobile Manager
• XtraVirt vAlarm and vLogView

47. Shameless Plug
• Presentations on my site, located at www.es-es.net
• Check out the presentation given this morning: Manage & Secure Your Wireless Connections
• To learn more about GCA (Georgia Cumberland Academy): www.gcasda.org
• Face-Saving Tools for Managers: http://tinyurl.com/y9oywob
• 20 great Windows open source projects: http://tinyurl.com/yfh7d6t
• E-Crime Survey 2009: http://tinyurl.com/ygtsgft
