An Ethical Hacker’s Case Book
May 2005
Peter Wood, First•Base Technologies

Who am I?
• Started in electronics in 1969
• Worked in networked computers since 1976
• Second microcomputer reseller in UK (1980)
• First local area networks in business (1985)
• Founded First•Base Technologies in 1989
• Designed secure LANs for major corporates
• Presented BS 7799 throughout UK for BSI
• First ethical hacking firm in UK
Routers & Switches
• Using SNScan (a free tool from Foundstone) we can scan for devices running SNMP with common community strings (e.g. public)
• We also use SolarWinds, a suite of SNMP tools for network discovery and testing
• Once we’ve found some targets ...

Routers & Switches
• Default Read string in use: open door for attack
• Out-of-date router OS: permits break-in
• Read-Write strings revealed: now we have full control of network infrastructure

Routers & Switches
• Default Read-Write string: open door for attack
• Read strings revealed: now we can find many more targets!

Routers & Switches
• Knowing the Read-Write string, we can download the router config
• The enable password is a Cisco type 7, which is reversible
• Password revealed! Now we can telnet to this device!

Routers & Switches
• All the routing revealed
• Aha, it’s running telnet!

Routers & Switches
• Default admin account and no password!
• We now have full control of the router!
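A defender-side audit for the three router weaknesses this section walks through (well-known default SNMP community strings, an enable password stored as reversible type 7, and telnet on the vty lines), as an added example that is not part of the presentation: it scans a saved IOS-style running-config text and reports each finding with the hardening change. The config text, hostname and hex strings are constructed samples, and `audit_config` is a name chosen here.

```python
import re

# Constructed sample of an IOS-style running-config with the three weaknesses
# the case book walks through; not a real device configuration.
SAMPLE_CONFIG = """\
hostname edge-rtr
enable password 7 0123456789ABCDEF
username admin password 7 FEDCBA9876543210
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet
 login
"""

# Community strings that ship as defaults and that SNMP scanners try first.
DEFAULT_COMMUNITIES = {"public", "private"}
PASSWORD_RE = re.compile(r"^(enable password|username \S+ password)\s+(7\s+)?\S+$")
SNMP_RE = re.compile(r"^snmp-server community (\S+)(?:\s+(RO|RW))?")

def audit_config(config_text):
    """Return a list of (code, detail, fix) findings for one config text."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        # Type 7 and cleartext passwords are both recoverable from the saved
        # config; only 'secret' (a salted hash) is not.
        m = PASSWORD_RE.match(line)
        if m:
            kind = "type 7 (reversible)" if m.group(2) else "cleartext"
            findings.append(("REVERSIBLE_PASSWORD", f"'{m.group(1)}' stored as {kind}",
                             "store it with 'enable secret' / 'username ... secret'"))
        m = SNMP_RE.match(line)
        if m:
            community, mode = m.group(1), m.group(2) or "RO"
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(("DEFAULT_COMMUNITY",
                                 f"community '{community}' ({mode}) is a well-known default",
                                 "remove it; use SNMPv3 authPriv or a unique string behind an ACL"))
            elif mode == "RW":
                # A read-write string hands the whole config to whoever learns it.
                findings.append(("RW_COMMUNITY", f"read-write community '{community}'",
                                 "drop RW access or restrict it with an ACL and SNMPv3"))
        if line.startswith("transport input") and ("telnet" in line or line.endswith(" all")):
            findings.append(("TELNET_ENABLED", line, "use 'transport input ssh'"))
    return findings

if __name__ == "__main__":
    for code, detail, fix in audit_config(SAMPLE_CONFIG):
        print(f"{code:20} {detail}  ->  {fix}")
```

Running it against the sample reports five findings; a config using `enable secret`, unique SNMPv3 users and `transport input ssh` reports none.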
Windows
• Browsing the network reveals targets and shares

Windows
• Null session exploit gives access to users, groups & shares

Windows
• Everyone has “full control”
• An unprotected share
• Some very interesting directories!
Windows
• Things we found on unprotected shares:
  • Salary spreadsheets
  • HR letters
  • Usernames and passwords (for everything!)
  • IT diagrams and configurations
  • Firewall details
  • Security rotas

Windows
• List all the administrators, then try to guess their passwords

Windows
• 67 administrators
• 43 simple passwords
• 15 were “password”
• The worst were these:

Windows
Cracking Statistics for xxxxxxxxx
Run time: 0.10 seconds
Weak Passwords       1085   40.1%
Partially Cracked     144    5.3%
Strong Passwords     1475   54.5%
--------------------------------
Total                2704
Windows
• Unpatched Windows system exploited with Core Impact

Windows
• Create user with remote shell
• Make the user an administrator

Windows
• Game over!

Windows
• Download the SAM for cracking
UNIX
• Vulnerable FTP service

UNIX
• Vulnerable SSH service

UNIX
• Vulnerable SMTP service

UNIX
• Vulnerable Samba service

UNIX
• Vulnerable SNMP service

UNIX
• Unpatched OS gives root
Databases
• MS-SQL: blank SA password!

Databases
• No password on the Oracle listener! Now we can find out more ...

Databases
• Easy-to-guess passwords, and this is a finance system!

Lotus Notes
• All users have access to this share
• Over 500 ID files for us to play with!

Lotus Notes
• Lots of lovely passwords to use with the ID files!

Web Servers
• 82 targets in one small LAN
• Default IIS, unpatched?
• Video conferencing system
• Oracle

VNC Remote Control
• Scan for port 5900, et voilà!
A Day in the Life
• Used Network Sonar with default gateway as seed router to find SNMP devices
• Many SNMP devices respond to public
• Router crack successful: got all strings
• Switch portmapper successful: got MAC addresses
• IP network browser reads MIB on each device

A Day in the Life
• Null session successful to DC of domain
• Enumerated members of Administrators
• Successfully logged on as obvious with password of obvious
• pwdump4 of SAM file from DC
• lmcrack of SAM file from DC
• Got lots of passwords

A Day in the Life
• Browsing servers. Map to where the user shares are.
• Search for "password" in any doc or xls in last 12 months
• Search for files called *salar* in last 12 months
• Captured files saved for each set

A Day in the Life
• salary.xls is password protected
• AO97PR cracked salary.xls password
• Same password used for other spreadsheets
• Captured many Lotus Notes .id files and .nsf files: easy to get access
• Notes cracker delivers some passwords
• AppDetective delivers some more

A Day in the Life
• Accessed second domain using account and password from first domain crack
• Logged on to root domain using obvious account name with password same as name
• Found PC running VNC, used password harvested earlier in search
• Ctrl-Alt-Del reveals “administrator” as the username. Used password harvested earlier

A Day in the Life
• Full access permissions throughout domain are granted to the backup account. The password on this account is "password"
• Game over!
Need more information?
Peter Wood
peterw@firstbase.co.uk
www.fbtechies.co.uk