
Anatomy of a Network Hack: How To Get Your Network Hacked in Ten Easy Steps!

Jesper M. Johansson, Senior Security Strategist, Microsoft Corporation. jesperjo@microsoft.com, http://blogs.technet.com/jesper_johansson


Presentation Transcript


  1. Anatomy of a Network Hack: How To Get Your Network Hacked in Ten Easy Steps!
     Jesper M. Johansson, Senior Security Strategist, Microsoft Corporation
     jesperjo@microsoft.com
     http://blogs.technet.com/jesper_johansson

  2. This Presentation…
     …is about operational security
     The easy way is not always the secure way
     • Networks are usually designed in particular ways
     • In many cases, these practices simplify attacks
     • In some cases these practices enable attacks
     • You need to know the methods of your adversary to stop them

  3. This Presentation is Not…
     …a hacking tutorial
     • Hacking networks you own can be enlightening
     • Hacking networks you do not own is illegal!
     …a demonstration of Windows vulnerabilities
     • Everything we show stems from operational security or custom applications
     • Knowing how the platform operates is critical
     • All platforms can get hacked
     …for the faint of heart

  4. The Tools
     • Four categories of tools used
        • “Co-opted” ordinary components
        • Windows Resource Kit tools
        • Commonly available hacking/administration tools
        • Custom-written tools
     • The difference between hackers and script kiddies is that hackers write their own tools

  5. By the Way…
     • I will not give you my tools. It does not matter what you do for a living or who you work for
     • If you do not ask, I don’t have to say no

  6. The Target
     [Network diagram. Labels: Bad Guy, Internet, RRAS Basic Firewall, Web Server, Data Center DC, SQL Server, Filtering Router, Corp DC. Addresses shown: 192.168.2.30, 172.17.0.1, 172.17.0.2, 172.17.0.3, 10.1.2.16, 10.1.2.17]

  7. Knocking Down The Side Door

     ```csharp
     // Three mistakes in this statement alone:
     SqlConnection conn = new SqlConnection();
     conn.ConnectionString =
         "data source=PYN-SQL;" +
         "initial catalog=pubs;" +
         "user id=sa;" +              // Bad: not a trusted connection. Worse, privileged user…
         "password=password;" +       // …with a lame password
         "persist security info=True;" +
         "packet size=4096";
     conn.Open();

     // Don't do this at home folks: SQL Query Composition
     string strQuery;
     strQuery = "select * from Users where UserName = '" +
         username.Text +              // Completely un-validated user input!
         "' and Password ='" +
         password.Text + "';";        // Completely un-validated user input!
     ```

  8. But Wait, It Gets Better

     ```csharp
     int rowCount = ds.Tables["Users"].Rows.Count;
     if (rowCount > 0) // If we get back something...
     {
         //...we must be successfully logged in
         Session["LoggedIn"] = true;
         // Store the username in a session variable
         Session["username"] = username.Text;   // This is the user name from the form
     ...
     ```

     ```aspx
     <body>
       <asp:Label id="Username" runat="server"> Label </asp:Label>
     ...
     ```

     ```csharp
     private void Page_Load(object sender, System.EventArgs e)
     {
         ...
         // Which we cross-site script onto the page!
         Username.Text = Session["username"].ToString();
     }
     ```

  9. How to Make Use of This
     Note: This network is entirely fictitious. Any similarity with any real network is completely accidental.

  10. Where We Are At
      • Why
         • Poorly written web application
         • Insufficient application hardening
         • No outbound filtering
         • Insufficient host hardening
      [Network diagram, same as slide 6]

  11. Where We Are At
      • Why
         • No internal filtering
         • Shared service accounts
      [Network diagram, same as slide 6]

  12. Where We Are At
      • Why
         • Indiscriminate use of domain admin credentials
         • Unnecessary firewall holes
         • Lack of paranoia
      [Network diagram, same as slide 6]

  13. Where We Are At
      • Why
         • Duplicate passwords
         • Unrestricted internal traffic
      [Network diagram, same as slide 6]

  14. The Moral of the Story
      • Initial entry is everything
      • Most networks are designed like egg shells
         • Hard and crunchy on the outside
         • Soft and chewy on the inside
      • Once an attacker is inside the network, you can…
         • …update resume
         • …hope he does a good job running it
         • …drain it

  15. How To Get Your Network Hacked in 10 Easy Steps
      • Don’t patch anything
      • Run unhardened applications
      • Use one admin account, everywhere
      • Open lots of holes in the firewall
      • Allow unrestricted internal traffic
      • Allow all outbound traffic
      • Don’t harden servers
      • Reuse your passwords
      • Use high-level service accounts, in multiple places
      • Assume everything is OK

  16. 10 Things Attackers Don’t Want You To Do
      • Ensure everything is fully patched
      • Use properly hardened applications
      • Use least privilege
      • Open only necessary holes in firewalls
      • Restrict internal traffic
      • Restrict outbound traffic
      • Harden servers
      • Use unique pass phrases or smart cards
      • Micro-manage service accounts
      • Maintain a healthy level of paranoia

  17. For more information
      Jesper and Steve finally wrote a book!
      Order online: http://protectyourwindowsnetwork.com
      jesperjo@microsoft.com
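
The hardened counterpart of the login code on slides 7 and 8, as an added example that is not part of the original presentation: a trusted connection instead of `sa`, a parameterized query instead of string composition, and HTML encoding where the user name is written to the page. The class name, method names and parameter lengths are assumptions; the server, database and table names are taken from the slides.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

// Added example; LoginHardening and its members are hypothetical names.
public static class LoginHardening
{
    // Trusted connection: the web application's own Windows identity authenticates,
    // so there is no sa login and no password in the connection string. That
    // identity is assumed to hold only the rights the application needs.
    private const string ConnectionString =
        "Data Source=PYN-SQL;Initial Catalog=pubs;Integrated Security=SSPI;";

    // Same check as the slide (it mirrors the slide's Users table as-is), but the
    // form values travel as typed parameters and are never spliced into the SQL text.
    public static bool CredentialsMatch(string userName, string password)
    {
        const string sql =
            "SELECT COUNT(*) FROM Users WHERE UserName = @user AND Password = @pass";

        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            // Column lengths 64 and 128 are assumed, not taken from the slides.
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 64).Value = userName;
            cmd.Parameters.Add("@pass", SqlDbType.NVarChar, 128).Value = password;
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // Encode at output time so markup typed into the login form renders as text.
    public static string ForDisplay(object sessionValue)
    {
        return HttpUtility.HtmlEncode(Convert.ToString(sessionValue));
    }
}

// In the page's code-behind:
//   if (LoginHardening.CredentialsMatch(username.Text, password.Text)) { ... }
//   Username.Text = LoginHardening.ForDisplay(Session["username"]);
```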
