Over the Router, Through the Firewall, to Grandma’s House We Go. George Kurtz & Eric Schultze Ernst & Young LLP. Session Objective. Discuss common DMZ and host configuration weaknesses Demonstrate what may happen if a hacker were to exploit these weaknesses
Over the Router, Through the Firewall, to Grandma’s House We Go
George Kurtz & Eric Schultze, Ernst & Young LLP
Session Objective
• Discuss common DMZ and host configuration weaknesses
• Demonstrate what may happen if a hacker were to exploit these weaknesses
• Present countermeasures to help secure the network and related hosts
Network Diagram (figure; hosts shown: 10.1.1.20, 172.16.1.50, 172.16.1.200, 192.168.1.20, 10.1.1.10)
Network Design
• Internet router is blocking tcp/udp ports 135-139
• NT Web Server (SP3) is dual-homed
• Firewall allows only outbound http (80) and smtp (25) traffic
Hacker’s Objective Gain Control over Internal NT Server from the Internet
SysAdmin’s Objective Identify Holes in the Environment and Close Them
Target Selection
• Ping Sweep
  • gping, fping
• Port Scan
  • nmap
  • NetscanTools Pro 2000
• OS Identification
  • nmap -O
  • queso
• Banner Grabbing
  • VisualRoute, Netcat
ttdb
• Buffer overflow in rpc.ttdbserver
• Allows user to execute arbitrary code
• Arbitrary code may be executed that will shell back xterm as root
Netcat Redirection (figure; hosts shown: 172.16.1.50, 10.1.1.20, 172.16.1.200)
Netcat Redirection
• Attack Linux listens on 139 and redirects to 1139 on Sparc
• Sparc listens on 1139 and redirects to 139 on NT Web Server
• Attack NT issues NetBIOS request to Attack Linux
• NetBIOS request is forwarded over Router to NT Web Server
Enumerate NT Information
• Null Session
  • net use \\172.16.1.50\ipc$ "" /user:""
• NetUserEnum (local, global, DumpACL)
• NetWkstaTransportEnum (Getmac)
• RpcMgmt Query (EPDump)
Privilege Escalation
• Plant sechole on NT Server
• Execute sechole via http
• IUSR account becomes admin
• Add new user account (via http)
• Add new user account to Administrator group (via http)
IIS Buffer Overflow
• Determine if Server is vulnerable
  • nc 172.16.1.200 80
  • GET /.htr HTTP/1.0
  • Evaluate response
• Crash IIS and Send Payload
  • Target server contacts our web server and downloads payload
  • Payload executes on server and contacts our attack host
Pass The Hash
• Modified SMB client can mount shares (C$, etc.) on a remote NT host using only the username and password hash
• No need to “decrypt” the password hash
• Concept first presented by Paul Ashton in an NTBugtraq post
Pass The Hash v.2
• Create an admin account on our own NT host with the same name as the admin account for which we have hash values
• Upload the hash values into memory on our own NT host
• Perform pass-through authentication to target host
• No need to “decrypt” the password
Network Diagram (figure; hosts shown: 172.16.1.50, 10.1.1.20, 192.168.1.20, 172.16.1.200)
Shovel The Shell (figure; hosts shown: 10.1.1.20, 192.168.1.20)
Shovel The Shell
• Launch two Netcat listeners on Attack1a (ports 80 and 25)
• Execute Trojan on NT Server:
  • Netcat TO port 80 on AttackLinux
  • Commands typed on AttackLinux (port 80) are piped to CMD.exe on NT Server
  • CMD.exe output is Netcatted TO port 25 on AttackLinux
• Type commands in the port 80 window, view output in the port 25 window
Network Countermeasures
• Block ALL ports at the border routers
• Open only those ports that support your security policy
• Review Logs
• Implement Network and Host Intrusion Detection
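The "Review Logs" and "Intrusion Detection" bullets above are where the "Shovel The Shell" channel gets caught: the firewall lets 80 and 25 out, so the tunnel hides in permitted traffic, but a web server that initiates connections to the Internet is itself the anomaly. The following is an added example written for this page, not code from the talk; it reviews a constructed firewall log in a made-up ACTION PROTO SRC SPORT DST DPORT format, using the addresses from the deck's diagram with assumed roles (172.16.1.0/24 as the DMZ, 192.168.1.0/24 as internal, 10.1.1.x as the Internet side, 172.16.1.50/192.168.1.20 as the two interfaces of the dual-homed NT web server).

```python
from ipaddress import ip_address, ip_network

# Addresses come from the deck's network diagram; the role assigned to each
# network and host below is an assumption made for this example.
DMZ_NET = ip_network("172.16.1.0/24")
INTERNAL_NET = ip_network("192.168.1.0/24")
WEB_SERVER = {ip_address("172.16.1.50"), ip_address("192.168.1.20")}  # dual-homed NT box
OUTBOUND_ALLOWED = {80, 25}                 # the only ports the firewall lets out
NETBIOS_PORTS = {135, 136, 137, 138, 139}   # the router is supposed to drop these inbound


def is_inside(addr):
    """True for the DMZ and internal networks, False for everything else (Internet)."""
    return addr in DMZ_NET or addr in INTERNAL_NET


def parse(line):
    """Constructed log format: ACTION PROTO SRC SPORT DST DPORT."""
    action, proto, src, sport, dst, dport = line.split()
    return action, proto, ip_address(src), int(sport), ip_address(dst), int(dport)


def review(lines):
    """Return (finding, src, dst, dport) tuples for ALLOWed sessions that violate the design."""
    findings = []
    for line in lines:
        action, _proto, src, _sport, dst, dport = parse(line)
        if action != "ALLOW":
            continue  # a DENY is the router or firewall doing its job
        # 1. NetBIOS from the Internet reached a DMZ host: the 135-139 router ACL has a gap.
        if not is_inside(src) and dport in NETBIOS_PORTS:
            findings.append(("netbios-from-internet", str(src), str(dst), dport))
        # 2. The web server should answer connections, never open them. An outbound
        #    session to the Internet on 80 or 25 is exactly the shovelled-shell channel.
        if src in WEB_SERVER and not is_inside(dst):
            kind = "server-outbound-on-allowed-port" if dport in OUTBOUND_ALLOWED else "server-outbound"
            findings.append((kind, str(src), str(dst), dport))
    return findings


# Constructed sample log: one normal inbound web hit, the two halves of the
# shovelled shell (command channel on 80, output channel on 25), a correctly
# dropped NetBIOS probe, one NetBIOS probe that got through, and a workstation browsing.
SAMPLE_LOG = [
    "ALLOW TCP 10.1.1.10 1234 172.16.1.50 80",
    "ALLOW TCP 192.168.1.20 1043 10.1.1.20 80",
    "ALLOW TCP 192.168.1.20 1044 10.1.1.20 25",
    "DENY TCP 10.1.1.20 4000 172.16.1.50 139",
    "ALLOW TCP 10.1.1.20 4001 172.16.1.50 139",
    "ALLOW TCP 192.168.1.55 1100 10.1.1.10 80",
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```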
Unix Countermeasures
• TTDB
  • Kill the "rpc.ttdbserverd" process
  • Apply vendor-specific patches
  • Block low and high numbered RPC locator services at the border router
• Xterm
  • Remove trusted relationships with xhost -
  • If sending sessions to another terminal, restrict to a specific terminal
  • Block ports 6000-6063 if necessary
NT Countermeasures
• Block tcp and udp ports 135, 137, 138 and 139 at the router
• Prevent information leakage:
  • Utilize the RestrictAnonymous registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous DWORD = 1
  • Unbind “WINS Client (TCP/IP)” from the Internet-connected NIC
NT Countermeasures
• Password composition
  • 7 characters is the strongest humanly usable length; 14 is the strongest
  • Use meta-characters within the first 7 characters of your password
• Utilize account lockout
• Utilize passfilt.dll to require stronger passwords
• Utilize the Passprop.exe admin lockout feature
NT Countermeasures
• Apply current service packs and security-related hotfixes
• Review the IIS security checklist: www.microsoft.com/security/products/iis/CheckList.asp
Countermeasures Disclaimer
• Test all changes on a non-production host before implementing on production servers
Tools and Concepts
• Visual Route: www.visualroute.com
• NetScanTools Pro: www.nwpsw.com
• gping, fping: www.securityfocus.com
• nmap: www.insecure.org/nmap/
• queso: www.apostols.org/projectz/
• ttdb exploit: www.securityfocus.com
• netcat: www.l0pht.com
• rinetd: www.boutell.com
Tools and Concepts
• VMWare: www.vmware.com
• NT Resource Kit: www.microsoft.com
• DumpACL: www.somarsoft.com
• sechole: www.cybermedia.co.in
• pwdump: www.rootshell.com
• L0phtCrack: www.l0pht.com
• VNC: www.uk.research.att.com
• modified SMB client: www.ntbugtraq.com
Security Resources
• www.microsoft.com/security
  • Advisories
  • Patches
  • IIS Security Checklist
• www.securityfocus.com
  • Bugtraq Mailing List
  • Tools, Books, Links
  • Vulnerabilities and Fixes
Osborne/McGraw-Hill
Hacking Exposed: Network Security Secrets and Solutions
George Kurtz, Stuart McClure, Joel Scambray
Due out September 1999
Contact Information
• George Kurtz
  • george.kurtz@ey.com
  • (201) 836-5280
• Eric Schultze
  • eric.schultze@ey.com
  • (425) 990-6916
• Web Site
  • www.ey.com/security