
Over the Router, Through the Firewall, to Grandma’s House We Go

Over the Router, Through the Firewall, to Grandma’s House We Go. George Kurtz & Eric Schultze, Ernst & Young LLP. Session objective: discuss common DMZ and host configuration weaknesses, and demonstrate what may happen if a hacker were to exploit these weaknesses.





  1. Over the Router, Through the Firewall, to Grandma’s House We Go
     George Kurtz & Eric Schultze, Ernst & Young LLP

  2. Session Objective
     • Discuss common DMZ and host configuration weaknesses
     • Demonstrate what may happen if a hacker were to exploit these weaknesses
     • Present countermeasures to help secure the network and related hosts

  3. Network Diagram (figure; hosts shown: 10.1.1.20, 172.16.1.50, 172.16.1.200, 192.168.1.20, 10.1.1.10)

  4. Network Design
     • Internet router is blocking tcp/udp ports 135-139
     • NT Web Server (SP3) is dual-homed
     • Firewall allows only outbound http (80) and smtp (25) traffic

  5. Hacker’s Objective
     Gain control over the internal NT Server from the Internet

  6. SysAdmin’s Objective
     Identify holes in the environment and close them

  7. Target Selection
     • Ping Sweep
       • gping, fping
     • Port Scan
       • nmap
       • NetscanTools Pro 2000
     • OS Identification
       • nmap -O
       • queso
     • Banner Grabbing
       • VisualRoute, Netcat

  8. ttdb
     • Buffer overflow in rpc.ttdbserver
     • Allows user to execute arbitrary code
     • Arbitrary code may be executed that will shell back xterm as root

  9. Netcat Redirection (figure; hosts shown: 172.16.1.50, 10.1.1.20, 172.16.1.200)

  10. Netcat Redirection
     • Attack Linux listens on 139 and redirects to 1139 on Sparc
     • Sparc listens on 1139 and redirects to 139 on NT Web Server
     • Attack NT issues NetBIOS request to Attack Linux
     • NetBIOS request is forwarded over the router to NT Web Server

  11. Enumerate NT Information
     • Null Session
       • net use \\172.16.1.50\ipc$ "" /user:""
     • NetUserEnum (local, global, DumpACL)
     • NetWkstaTransportEnum (Getmac)
     • RpcMgmt Query (EPDump)

  12. Privilege Escalation
     • Plant sechole on NT Server
     • Execute sechole via http
     • IUSR account becomes admin
     • Add new user account (via http)
     • Add new user account to Administrators group (via http)

  13. IIS Buffer Overflow
     • Determine if server is vulnerable
       • nc 172.16.1.200 80
       • GET /.htr HTTP/1.0
       • Evaluate response
     • Crash IIS and send payload
       • Target server contacts our web server and downloads payload
       • Payload executes on server and contacts our attack host
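From the defender's side, the probe on this slide leaves a trace in the web server's logs: a request for a .htr resource, and, when the overflow is tried, an abnormally long URI followed by a server error. The detector below is an added example, not part of the slides; it runs over constructed W3C-style IIS log lines, and the 200-character stem threshold and the alert labels are assumptions.

```python
import re

HTR_RE = re.compile(r"\.htr$", re.IGNORECASE)
LONG_STEM = 200  # assumed threshold: legitimate .htr requests are short

# Constructed W3C-style IIS log lines (date time c-ip cs-method cs-uri-stem sc-status);
# sample data for this example, not taken from the slides.
SAMPLE_LOG = (
    "1999-06-01 10:00:01 198.51.100.4 GET /default.htm 200\n"
    "1999-06-01 10:00:05 203.0.113.7 GET /.htr 404\n"
    "1999-06-01 10:00:09 203.0.113.7 GET /" + "A" * 300 + ".htr 500\n"
    "1999-06-01 10:00:12 198.51.100.4 GET /index.html 200\n"
)

def parse_line(line):
    """Split one log line into a record; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    date, time, client, method, stem, status = parts
    return {"ts": f"{date} {time}", "client": client, "method": method,
            "stem": stem, "status": int(status)}

def classify(rec):
    """Return None for benign records, else a label describing the .htr activity."""
    if not HTR_RE.search(rec["stem"]):
        return None
    # An oversized .htr URI, or one that made IIS return a 5xx, matches the overflow pattern.
    if len(rec["stem"]) > LONG_STEM or rec["status"] >= 500:
        return "htr-overflow-attempt"
    return "htr-probe"

def scan(log_text):
    """Return (timestamp, client, label) tuples for every suspicious line."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            alerts.append((rec["ts"], rec["client"], label))
    return alerts

if __name__ == "__main__":
    for ts, client, label in scan(SAMPLE_LOG):
        print(ts, client, label)
```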

  14. VNC

  15. Pass The Hash
     • Modified SMB client can mount shares (C$, etc.) on a remote NT host using only the username and password hash
     • No need to “decrypt” the password hash
     • Concept first presented by Paul Ashton in an NTBugtraq post

  16. Pass The Hash v.2
     • Create an admin account on our own NT host with the same name as the admin account for which we have hash values
     • Upload the hash values into memory on our own NT host
     • Perform pass-through authentication to target host
     • No need to “decrypt” the password

  17. Network Diagram (figure; hosts shown: 172.16.1.50, 10.1.1.20, 192.168.1.20, 172.16.1.200)

  18. Shovel The Shell (figure; hosts shown: 10.1.1.20, 192.168.1.20)

  19. Shovel The Shell
     • Launch two Netcat listeners on Attack1a (ports 80 and 25)
     • Execute Trojan on NT Server:
       • Netcat TO port 80 on AttackLinux
       • Commands typed on AttackLinux (port 80) are piped to CMD.exe on NT Server
       • CMD.exe output is Netcatted TO port 25 on AttackLinux
     • Type commands in 80 window, view output in 25 window

  20. Network Countermeasures
     • Block ALL ports at the border routers
     • Open only those ports that support your security policy
     • Review logs
     • Implement network and host intrusion detection
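The "Shovel The Shell" slide works only because the firewall on the Network Design slide lets any DMZ host open outbound http and smtp. This added example (not from the slides) models that ruleset as a default-deny, first-match evaluator and compares it with a tightened one; the web server address comes from the slides' diagram, while the mail relay address and the rule layout are assumptions.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# action: "allow"/"deny"; direction: "in" (Internet->DMZ) or "out" (DMZ->Internet);
# src: CIDR the flow originates from; proto: "tcp", "udp" or "any"; dports: port range.
Rule = namedtuple("Rule", "action direction src proto dports")
Flow = namedtuple("Flow", "direction src proto dport")

def decide(rules, flow):
    """First matching rule wins; no match means deny ("block ALL ports" first)."""
    for r in rules:
        if (r.direction == flow.direction and r.proto in ("any", flow.proto)
                and flow.dport in r.dports
                and ip_address(flow.src) in ip_network(r.src)):
            return r.action
    return "deny"

# The DMZ web server address is taken from the slides' diagram; the internal mail relay
# address is an assumption made for this example.
WEB_SERVER = "172.16.1.200"
MAIL_RELAY = "172.16.1.10"

# Ruleset as the Network Design slide describes it: inbound http plus any outbound http/smtp.
LOOSE = [
    Rule("allow", "in", "0.0.0.0/0", "tcp", range(80, 81)),
    Rule("allow", "out", "0.0.0.0/0", "tcp", range(80, 81)),
    Rule("allow", "out", "0.0.0.0/0", "tcp", range(25, 26)),
]

# Tightened per the countermeasures: tcp/udp 135-139 explicitly dropped inbound, only the
# mail relay may open outbound smtp, and no DMZ host initiates outbound http at all.
TIGHT = [
    Rule("deny", "in", "0.0.0.0/0", "any", range(135, 140)),
    Rule("allow", "in", "0.0.0.0/0", "tcp", range(80, 81)),
    Rule("allow", "out", MAIL_RELAY + "/32", "tcp", range(25, 26)),
]

# The "shovel the shell" flows: the web server itself connecting out to tcp/80 and tcp/25.
SHOVEL = [Flow("out", WEB_SERVER, "tcp", 80), Flow("out", WEB_SERVER, "tcp", 25)]

def shovel_blocked(rules):
    """True when every outbound flow the trojan needs is denied by the ruleset."""
    return all(decide(rules, f) == "deny" for f in SHOVEL)

if __name__ == "__main__":
    for name, rs in (("loose", LOOSE), ("tight", TIGHT)):
        print(name, "blocks shovel-the-shell:", shovel_blocked(rs))
```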

  21. Unix Countermeasures
     • TTDB
       • Kill the "rpc.ttdbserverd" process
       • Apply vendor-specific patches
       • Block low and high numbered RPC locator services at the border router
     • Xterm
       • Remove trusted relationships with xhost -
       • If sending sessions to another terminal, restrict to a specific terminal
       • Block ports 6000-6063 if necessary

  22. NT Countermeasures
     • Block tcp and udp ports 135, 137, 138 and 139 at the router
     • Prevent information leakage:
       • Utilize the RestrictAnonymous registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous (DWORD) = 1
       • Unbind “WINS Client (TCP/IP)” from the Internet-connected NIC

  23. NT Countermeasures
     • Password composition
       • 7 characters is the strongest humanly usable length; 14 is the strongest
       • Use meta-characters within the first 7 characters of your password
     • Utilize account lockout
     • Utilize passfilt.dll to require stronger passwords
     • Utilize the Passprop.exe admin lockout feature

  24. NT Countermeasures
     • Apply current service packs and security-related hotfixes
     • Review the IIS security checklist: www.microsoft.com/security/products/iis/CheckList.asp

  25. Countermeasures Disclaimer
     • Test all changes on a non-production host before implementing on production servers

  26. Tools and Concepts
     • Visual Route: www.visualroute.com
     • NetScanTools Pro: www.nwpsw.com
     • gping, fping: www.securityfocus.com
     • nmap: www.insecure.org/nmap/
     • queso: www.apostols.org/projectz/
     • ttdb exploit: www.securityfocus.com
     • netcat: www.l0pht.com
     • rinetd: www.boutell.com

  27. Tools and Concepts
     • VMWare: www.vmware.com
     • NT Resource Kit: www.microsoft.com
     • DumpACL: www.somarsoft.com
     • sechole: www.cybermedia.co.in
     • pwdump: www.rootshell.com
     • L0phtCrack: www.l0pht.com
     • VNC: www.uk.research.att.com
     • modified SMB client: www.ntbugtraq.com

  28. Security Resources
     • www.microsoft.com/security
       • Advisories
       • Patches
       • IIS Security Checklist
     • www.securityfocus.com
       • Bugtraq Mailing List
       • Tools, Books, Links
       • Vulnerabilities and Fixes

  29. Osborne/McGraw-Hill, Hacking Exposed: Network Security Secrets and Solutions
     George Kurtz, Stuart McClure, Joel Scambray
     Due out September 1999

  30. Contact Information
     • George Kurtz
       • george.kurtz@ey.com
       • (201) 836-5280
     • Eric Schultze
       • eric.schultze@ey.com
       • (425) 990-6916
     • Web Site
       • www.ey.com/security
