
An Ethical Hacker’s Case Book May 2005



Presentation Transcript


  1. An Ethical Hacker’s Case Book, May 2005 • Peter Wood • First•Base Technologies

  2. Who am I? • Started in electronics in 1969 • Worked in networked computers since 1976 • Second microcomputer reseller in UK (1980) • First local area networks in business (1985) • Founded First•Base Technologies in 1989 • Designed secure LANs for major corporates • Presented BS 7799 throughout UK for BSI • First ethical hacking firm in UK

  3. Routers & Switches

  4. Routers & Switches • Using SNScan (a free tool from Foundstone) we can scan for devices running SNMP with common community strings (e.g. public) • We also use SolarWinds, a suite of SNMP tools for network discovery and testing • Once we’ve found some targets ...

  5. Routers & Switches • Default Read string in use: open door for attack • Out-of-date router OS: permits break-in • Read-Write strings revealed: now we have full control of network infrastructure

  6. Routers & Switches • Default Read-Write string: open door for attack • Read strings revealed: now we can find many more targets!

  7. Routers & Switches • Knowing the Read-Write string, we can download the router config • The enable password is a Cisco type 7, which is reversible • Password revealed! Now we can telnet to this device!

  8. Routers & Switches • All the routing revealed • Aha, it’s running telnet!

  9. Routers & Switches • Default admin account and no password! • We now have full control of the router!
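The chain on slides 4 to 9 (default community string, config pulled over SNMP with the read-write string, type 7 enable password reversed, telnet login) can be checked mechanically once a config is in hand. The Python below is an added example, not code from the presentation or from SNScan/SolarWinds: it audits a constructed IOS-style config for exactly those findings. The type 7 decoder implements the publicly known fixed-key XOR scheme (two-digit seed, then hex pairs); the hostname, the community strings and the password “cisco” in the sample config are constructed fixtures, and the list of “default” community strings is an assumption you should extend with whatever your SNMP scanner tries.

```python
"""Audit an IOS-style config for the weaknesses described on slides 4-9.

Added example: the config text is constructed, and the checks mirror the
case book (default SNMP community strings, a read-write string, type 7
enable/user passwords, telnet on the VTY lines).
"""
import re

# Fixed XOR key used by Cisco type 7 encoding; public since the 1990s, which is
# why type 7 is "obfuscation", not encryption.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Assumed list of strings a scanner would try first; extend to taste.
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin", "write"}


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string: 2-digit decimal seed, then hex bytes XORed with the key."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 strings are an even number of characters, at least 4")
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data)).decode()


def type7_encode(plain: str, seed: int = 9) -> str:
    """Inverse of type7_decode; useful for building fixtures (IOS picks the seed at random)."""
    data = plain.encode()
    out = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return f"{seed:02d}{out.hex().upper()}"


def audit_config(config: str) -> list:
    """Return human-readable findings, in config order, with VTY transport checked last."""
    findings = []
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"snmp-server community (\S+)\s+(RO|RW)", line, re.I)
        if m:
            community, mode = m.group(1), m.group(2).upper()
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"default SNMP {mode} community string '{community}'")
            elif mode == "RW":
                findings.append(f"SNMP RW community '{community}' (allows config download/upload)")
        m = re.match(r"enable password 7 (\w+)", line)  # 'enable secret 5 ...' (MD5) does not match
        if m:
            findings.append(f"enable password is type 7, decodes to '{type7_decode(m.group(1))}'")
        m = re.match(r"username (\S+) password 7 (\w+)", line)
        if m:
            findings.append(f"user '{m.group(1)}' has type 7 password '{type7_decode(m.group(2))}'")
    if re.search(r"transport input (telnet|all)", config):
        findings.append("VTY lines accept telnet (credentials cross the wire in clear)")
    return findings


# Constructed config: hostname, strings and the password "cisco" are all fixtures.
SAMPLE_CONFIG = """\
hostname core-rtr1
enable password 7 094F471A1A0A
username admin password 7 094F471A1A0A
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("-", finding)
```

Running it against the sample prints five findings, the first two being the reversed “cisco” password. Note what the decoder leaves alone: `enable secret` is a salted MD5 (type 5) hash, so the fix for slide 7 is to replace `enable password 7 …` with `enable secret`, and the fix for slides 5 and 6 is to remove the default strings and restrict who may query SNMP with an ACL. This check only reads text; it does not prove the device still answers those strings on the network.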

  10. Windows

  11. Windows Browsing the network reveals targets and shares

  12. Windows Null session exploit gives access to users, groups & shares

  13. Windows • Everyone has “full control” • An unprotected share • Some very interesting directories!

  14. Windows • Things we found on unprotected shares: • Salary spreadsheets • HR letters • Usernames and passwords (for everything!) • IT diagrams and configurations • Firewall details • Security rotas

  15. Windows • List all the administrators, then try to guess their passwords

  16. Windows • 67 administrators • 43 simple passwords • 15 were “password” • The worst were these:

  17. Windows • Cracking Statistics for xxxxxxxxx • Run time: 0.10 seconds
      Weak Passwords       1085   40.1%
      Partially Cracked     144    5.3%
      Strong Passwords     1475   54.5%
      Total                2704

  18. Windows Unpatched Windows system exploited with Core Impact

  19. Windows • Create user with remote shell • Make the user an administrator

  20. Windows Game over!

  21. Windows Download the SAM for cracking

  22. UNIX

  23. UNIX Vulnerable FTP service

  24. UNIX Vulnerable SSH service

  25. UNIX Vulnerable SMTP service

  26. UNIX Vulnerable Samba service

  27. UNIX Vulnerable SNMP service

  28. UNIX Unpatched OS gives root

  29. Other Targets

  30. Databases • MS-SQL: blank SA password!

  31. Databases • No password on the Oracle listener! • Now we can find out more ...

  32. Databases • Easy-to-guess passwords, and this is a finance system!

  33. Lotus Notes • All users have access to this share • Over 500 ID files for us to play with!

  34. Lotus Notes Lots of lovely passwords to use with the ID files!

  35. Web Servers • 82 targets in one small LAN • Default IIS, unpatched? • Video conferencing system • Oracle

  36. VNC Remote Control • Scan for port 5900, et voilà!
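Finding port 5900 open is only half of slide 36; the interesting question is whether the VNC server will hand over the desktop without a password. The RFB protocol answers that before any login: after the version exchange the server lists the security types it offers, and type 1 (“None”) means no authentication at all. The Python below is an added example, not the presenter’s tooling: it opens the handshake just far enough to read the version and the security-type list, then disconnects. To run offline it includes a constructed stand-in server that speaks only that first exchange; the port numbers, the `probe_vnc` name and the small security-type name table are this example’s own.

```python
"""Probe a VNC (RFB) server for its version and offered security types.

Added example. probe_vnc() does the real work against any host:port; the
stand-in server exists only so the example runs without a real VNC target.
"""
import socket
import struct
import threading

# Security-type numbers from the RFB spec; anything else is reported by number.
SEC_NAMES = {0: "invalid", 1: "None", 2: "VNC Authentication", 16: "Tight", 18: "TLS", 19: "VeNCrypt"}


def recv_exact(sock, n):
    """Read exactly n bytes or raise; RFB fields are fixed-length, so short reads are errors."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during RFB handshake")
        buf += chunk
    return buf


def probe_vnc(host, port=5900, timeout=3.0):
    """Return version and security types; 'no_auth' is True when type 1 (None) is offered."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = recv_exact(s, 12)                     # e.g. b"RFB 003.008\n"
        if not banner.startswith(b"RFB "):
            return {"rfb": False, "banner": banner}
        major, minor = int(banner[4:7]), int(banner[8:11])
        s.sendall(banner)                              # agree to the server's version
        if (major, minor) >= (3, 7):
            count = recv_exact(s, 1)[0]                # number of security types, then the list
            types = list(recv_exact(s, count)) if count else []
        else:                                          # RFB 3.3: server dictates one type as a u32
            types = [struct.unpack(">I", recv_exact(s, 4))[0]]
    return {"rfb": True, "version": f"{major}.{minor}", "security_types": types,
            "types_named": [SEC_NAMES.get(t, str(t)) for t in types], "no_auth": 1 in types}


def start_fake_vnc_server(security_types=(1, 2), version=b"RFB 003.008\n"):
    """Constructed stand-in: answers one connection with the version/security-type exchange only."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    minor = int(version[8:11])

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.sendall(version)
            recv_exact(conn, 12)                       # client's version string; ignored here
            if minor >= 7:
                conn.sendall(bytes([len(security_types)]) + bytes(security_types))
            else:
                conn.sendall(struct.pack(">I", security_types[0]))

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    port = start_fake_vnc_server((1, 2))
    result = probe_vnc("127.0.0.1", port)
    print(f"RFB {result['version']} offers {result['types_named']}; open desktop: {result['no_auth']}")
```

In a sweep you would call `probe_vnc` for each host where 5900 (and 5901 upwards, one per display) answered, and report every server whose list contains “None” ahead of the password-protected ones; the case book’s VNC host was reached with a harvested password, so a server offering only type 2 is still a finding when the password is one you already hold.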

  37. A Day in the Life

  38. A Day in the Life • Used Network Sonar with default gateway as seed router to find SNMP devices • Many SNMP devices respond to public • Router crack successful - got all strings • Switch Port Mapper successful - got MAC addresses • IP network browser reads MIB on each device

  39. A Day in the Life • Null session successful to DC of domain • Enumerated members of Administrators • Successfully logged on as obvious with password of obvious • pwdump4 of SAM file from DC • lmcrack of SAM file from DC • Got lots of passwords

  40. A Day in the Life • Browsing servers. Map to where the user shares are. • Search for "password" in any doc or xls in last 12 months • Search for files called *salar* in last 12 months • Captured files saved for each set
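Slide 40’s share sweep (documents and spreadsheets from the last 12 months, either mentioning “password” or named *salar*) is a few lines of file-walking, with one trap worth showing: Word and Excel binaries store most of their text as UTF-16LE, so an ASCII search for “password” misses them. The Python below is an added example, not the presenter’s tooling. It walks a mounted share, and to run offline it constructs a throwaway directory of fake files; the directory names, file names and contents are fixtures, and the 12-month window and the extension list are assumptions mirroring the slide.

```python
"""Sweep a file share for salary files and office documents mentioning "password".

Added example. Point hunt_share() at a mounted share (e.g. /mnt/fileserver);
build_demo_share() creates a constructed share so the sweep runs offline.
"""
import os
import tempfile
import time
from pathlib import Path

OFFICE_EXT = {".doc", ".xls", ".docx", ".xlsx"}   # assumed scope, as on the slide
KEYWORD = "password"
DAYS = 365                                       # "in last 12 months"


def hunt_share(root, now=None):
    """Return {'salary': [...], 'password': [...]} as sorted paths relative to root."""
    now = time.time() if now is None else now
    cutoff = now - DAYS * 86400
    hits = {"salary": [], "password": []}
    # .doc/.xls keep text as UTF-16LE; .docx/.xlsx are zipped, so a raw search only
    # catches uncompressed stored strings there. Both encodings are searched.
    needles = (KEYWORD.encode("ascii"), KEYWORD.encode("utf-16-le"))
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath, name)
            try:
                st = path.stat()
            except OSError:
                continue                          # dead links / access denied: skip, keep sweeping
            if st.st_mtime < cutoff:
                continue
            rel = path.relative_to(root).as_posix()
            if "salar" in name.lower():
                hits["salary"].append(rel)
            if path.suffix.lower() in OFFICE_EXT:
                with open(path, "rb") as fh:
                    blob = fh.read().lower()      # bytes.lower() touches ASCII only; UTF-16 nulls survive
                if any(n in blob for n in needles):
                    hits["password"].append(rel)
    for key in hits:
        hits[key].sort()
    return hits


def build_demo_share():
    """Construct a fake share: one recent salary file, one too old, one UTF-16 .doc, one .txt."""
    root = tempfile.mkdtemp(prefix="share_")
    hr, it = Path(root, "HR"), Path(root, "IT")
    hr.mkdir()
    it.mkdir()
    now = time.time()
    Path(hr, "Salaries_2005.xls").write_bytes(b"\xd0\xcf\x11\xe0 constructed xls")
    old = Path(hr, "salary_2003.xls")            # two years old: outside the window
    old.write_bytes(b"old")
    os.utime(old, (now - 730 * 86400, now - 730 * 86400))
    Path(it, "server-build.doc").write_bytes(
        b"\xd0\xcf\x11\xe0" + "Admin Password: Welcome1".encode("utf-16-le"))
    Path(it, "readme.txt").write_bytes(b"the password is in the doc")  # not an office file
    return root


if __name__ == "__main__":
    for category, paths in hunt_share(build_demo_share()).items():
        print(category, paths)
```

The UTF-16 needle is what makes `server-build.doc` show up; drop it and the sweep reports only the spreadsheet. For a real engagement, capture the hits with their owners and modification times, as slide 40 does, rather than copying whole directories.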

  41. A Day in the Life • salary.xls is password protected • AO97PR cracked salary.xls password • Same password used for other spreadsheets • Captured many Lotus Notes .id files and .nsf files - easy to get access • Notes cracker delivers some passwords • AppDetective delivers some more

  42. A Day in the Life • Accessed second domain using account and password from first domain crack • Logged on to root domain using obvious account name with password same as name • Found PC running VNC, used password harvested earlier in search. • Ctrl-alt-del reveals “administrator” as the username. Used password harvested earlier

  43. A Day in the Life • Full access permissions throughout domain are granted to the backup account. The password on this account is “password” • Game over!

  44. Need more information? Peter Wood peterw@firstbase.co.uk www.fbtechies.co.uk
