Hacking Highschool - Ernest Staats Network Security Consulting


Hacking High School
Ernest Staats
Director of Technology and Network Services at GCA
MS Information Assurance, CISSP, CEH, MCSE, CNA, CWNA, Security+, I-Net+, Network+, Server+, A+
Resources available @ http://es-es.net
CAN’T DEFEND WHAT YOU DON’T KNOW
• “Know your enemies & know yourself” <Sun Tzu>
• Hacker mentality
• Map your network regularly
• Sniff and baseline your network; know what type of data needs to be going across your system
• Know what types of paths are open to your data: WiFi, USB, Bluetooth, remote access
• Web 2.0
• Mobile device access
HACKER MENTALITY
• Hackers are motivated by various factors:
• Ego
• Curiosity and challenge
• Entertainment
• Political beliefs
• Desire for information
• Thrill of gaining privileged access
• Own the system long term (Trojans, backdoors)
• Attempt to compromise additional systems
• A "trophy" to gain status
Hacker Stratification
Tier I
• In the end there can only be 1
• The best of the best
• Ability to find new vulnerabilities
• Ability to write exploit code and tools
• Motivated by the challenge, and of course, money
Tier II
• IT savvy
• Ability to program or script
• Understand what the vulnerability is and how it works
• Intelligent enough to use the exploit code and tools with precision
• Motivated by the challenge but primarily curiosity, some ego
Tier III
• “Script Kiddies”
• Few real talents
• Ability to download exploit code and tools written by others
• Very little understanding of the actual vulnerability
• Randomly fire off scripts until something works
• Motivated by ego, entertainment, desire to hurt others
LOW HANGING FRUIT
• Safe Mode / Hacker Mode: F8 or hold down the CTRL key
• God Mode
• Lab machines that require Admin rights to run software
• IronGeek.com / YouTube “Hack School”: lots of step-by-step videos
• Renamed EXEs; two fun ones: netsh.exe, utilman.exe
• When using Microsoft GPOs use hash instead of path
• Use Windows Run
• Use MS Access to make a macro run CMD
• Use IP address instead of name
• Use U3 devices or Portable Apps
• Right-click: make a shortcut to the C drive if you hide the C drive
• Use Bluetooth to make file transfers to Windows system32; if they have USB access they own it
• Shutdown -i
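As an added defender-side check (not part of the original slides), the following PowerShell audit looks for the renamed-EXE trick listed above on a lab machine: it compares utilman.exe and netsh.exe against cmd.exe by hash and checks for an Image File Execution Options debugger entry under the same names. It assumes an elevated PowerShell 4.0+ session (for Get-FileHash) on the machine being audited; the comparison against cmd.exe is my assumption about what usually gets swapped in.

```powershell
# Added defender check, not from the original slides: detect the "renamed EXE" trick on
# a lab machine. If utilman.exe or netsh.exe has been overwritten with a copy of cmd.exe,
# its SHA256 equals cmd.exe's; an Image File Execution Options "Debugger" value under the
# same name is the registry variant of the trick. Read-only; nothing is changed.
# Assumes an elevated PowerShell 4.0+ session (Get-FileHash) on the machine being audited.

$System32 = Join-Path $env:SystemRoot 'System32'
$Binaries = @('utilman.exe', 'netsh.exe')   # the two names called out on the slide
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Reference hash of the shell an attacker would typically swap in (assumption)
$cmdHash = (Get-FileHash -Path (Join-Path $System32 'cmd.exe') -Algorithm SHA256).Hash

foreach ($name in $Binaries) {
    $path = Join-Path $System32 $name
    if (-not (Test-Path -Path $path)) {
        Write-Warning "$name is missing from System32; investigate"
        continue
    }

    # Check 1: file content replaced? (same bytes as cmd.exe => same hash)
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $replaced = ($hash -eq $cmdHash)
    if ($replaced) { Write-Warning "$name has the same SHA256 as cmd.exe; it has been replaced" }

    # Check 2: IFEO debugger hijack registered for this image name?
    $ifeo = Get-ItemProperty -Path (Join-Path $IfeoRoot $name) -Name Debugger -ErrorAction SilentlyContinue
    $debugger = if ($null -ne $ifeo) { $ifeo.Debugger } else { $null }
    if ($debugger) { Write-Warning "IFEO Debugger set for ${name}: $debugger" }

    # One result object per binary, so the audit can be exported (e.g. Export-Csv)
    [pscustomobject]@{
        Binary       = $name
        SHA256       = $hash
        MatchesCmd   = $replaced
        IfeoDebugger = $debugger
        LastWrite    = (Get-Item -Path $path).LastWriteTime
    }
}
```

A LastWrite timestamp newer than the last patch cycle on either binary is worth a second look even when the hash check is clean, since a replacement does not have to be cmd.exe.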
GOD MODE VISTA / WIN7
• GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}
• Other shortcuts
Hiding things will not work
NOT ROCKET SCIENCE
• 2009 saw the first iPhone worm -- most attacks were near-identical to prior years, changing only the victims and the level of sophistication
• FBI estimated small and medium businesses have lost $40 million to cyber crime since 2004
VIRUS CREATION
• Anyone can do it!
MALWARE IS VERY COMMON
• Malware
• How common?
• Spyware
• Virus
• Worm
• Tracking map
• http://wtc.trendmicro.com/wtc/default.asp
• http://www.fortiguard.com/map/worldmap.html
• Symantec reported over a million malware samples since 2007
“WILL VULNERABILITIES EVER GO AWAY?”
If, 95-99% of all attacks come from known vulnerabilities and misconfigurations [Carnegie Mellon]
And, known vulnerabilities and mis-configurations come from human error
And, for the foreseeable future, humans will be the creators and maintainers
of technology
Then, vulnerabilities (and risk) are here to stay!
MIS-CONFIGURATIONS
• Easily guessed passwords
• Admin/no password
• Admin/username same as password
• Admin/”password”
• Common user/pass combinations
• oracle/oracle
• Default Password List http://tinyurl.com/39teob
• Default installed files
• Admin rights for software
• Incorrect permissions
MOBILE DEVICES EXPOSE YOU
“I’m really an IP-connected computer!”
USB ADD RISK
• Flash Memory Devices
• Containing what?
USING REMOTE ACCESS TO HACK
• BackTrack4
• Owning Vista with BackTrack http://www.offensive-security.com/backtracktutorials.php
• How to put BT4 on a USB
• http://www.offensive-security.com/backtrack-tutorials.php
• Portable Apps
• http://es-es.net
• Mobile devices
• iPhone / iPod Touch http://www.leebaird.com/Me/iPhone.html
• Droid, PS2, others
• Metasploit
SILVER BULLET EATER
• Alternate StreamView
• KeePass
• Process Killer
• LAN Search
• BinText
• BitComet
• LSA Secrets View
• Recuva File Restore
• CCleaner
• MAC Address View
• Sophos AntiRootkit
• Stinger
• Clam AV
• MD5Checker
• Sumatra PDF
• Super Scanner
• Sysinternals Suite
• Convert All Portable
• mRemote
• netcheck
• Cool Player+ Portable
• Netscan
• NMap
• System Info
• Pidgin Portable
• Tor
• PortableApps.com
• WinSCP
• Wireless KeyView
• Wireshark
• YouTube Downloader
• putty.exe
• Defraggler
• Dir html
• File Shredder
• Portable VirtualBox
• Firefox
• HTTrack
• Process Injection
Links to Portable USB Software
• http://www.portablefreeware.com/all.php
• http://www.makeuseof.com/tag/portable-softwareusb/
• http://en.wikipedia.org/wiki/List_of_portable_software
• http://www.portablefreeware.com/index.php?sc=27
• My set of Portable apps
• http://es-es.net/resources/Portable_Apps.zip
DEMO TIME
All resources on my site es-es.net
U3 POCKETKNIFE
• Steal passwords
• Product keys
• Steal files
• Kill antivirus software
• Turn off the firewall
• And more…
• For details see http://wapurl.co.uk/?719WZ2T
CUSTOMIZING U3
• You can create a custom file to be executed when a U3 drive is plugged in
• The custom U3 launcher runs PocketKnife
• So all those things are stolen and put on the flash drive
BACKTRACK IN VM U3 DEVICE
UBCD IN A VM TRACK THAT ONE….
Cain and Abel Local Passwords
PASSWORDS CRACKING
• NTPassword RESET any admin pwd to blank
• http://home.eunet.no/pnordahl/ntpasswd/
• Cain and Abel
• Back Track 4 (BT4) http://www.backtrack-linux.org/downloads/
• Default Password List
• http://tinyurl.com/39teob
• Paid Password Tools
• http://www.brothersoft.com/downloads/crack-password.html
• http://www.elcomsoft.com/index.html
• http://www.accessdata.com/
DEFENSE
IMMEDIATE RISK REDUCTION
• Disable AutoRun / keep system patches updated
• Glue USB ports shut
• Install Windows 7 64-bit
• several cracking programs do not work
• Get rid of Admin rights; lock down workstations
• Monitor WiFi access; secure your wireless networks http://es-es.net/13.html
• USB blocking
• Windows Group Policy
• Netwrix http://www.netwrix.com/usb_blocker.html
• Several vendors on the show floor have options to limit or block USB
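The two quick wins above, AutoRun and USB storage, can be verified per workstation before trusting that Group Policy applied. This read-only PowerShell audit is an added example, not from the slides; it assumes an elevated session and the standard registry locations for the machine-wide AutoRun policy (NoDriveTypeAutoRun, 0xFF = off for all drive types) and the USBSTOR service start value (4 = disabled).

```powershell
# Added example, not from the original slides: audit the AutoRun and USB-storage quick wins
# on the local workstation and report each against the value Group Policy should push.
# Assumes an elevated PowerShell session; nothing is modified.
#   AutoRun:     NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type.
#   USB storage: USBSTOR service Start = 4 (disabled) blocks new mass-storage devices.

$checks = @(
    @{ Name     = 'AutoRun disabled (machine policy)'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value    = 'NoDriveTypeAutoRun'
       Expected = 0xFF }
    @{ Name     = 'USB mass-storage driver disabled'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Value    = 'Start'
       Expected = 4 }
)

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null when either the key or the named value does not exist
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

foreach ($c in $checks) {
    $actual = Get-RegistryValueOrNull -Path $c.Path -Name $c.Value
    $state = if ($null -eq $actual) { 'NOT SET' }          # policy never applied
             elseif ($actual -eq $c.Expected) { 'OK' }     # hardened value present
             else { 'WEAK' }                               # set, but not to the hardened value
    [pscustomobject]@{
        Check    = $c.Name
        Actual   = $actual
        Expected = $c.Expected
        State    = $state
    }
}

# Removable drives attached right now, so the report also shows what is already plugged in
Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 2' |
    Select-Object DeviceID, VolumeName, Size
```

A WEAK or NOT SET result on a machine that is supposed to receive the policy usually means the GPO is not linked to that OU or the machine has not refreshed; gpresult /r shows which GPOs actually applied.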
BETTER USB SOLUTION: IEEE 1667
• Standard Protocol for Authentication in Host Attachments of Transient Storage Devices
• USB devices can be signed and authenticated, so only authorized devices are allowed
• Implemented in Windows 7
• See http://tinyurl.com/ybce7z7
KEEP DATA SECURE: WEB 2.0
• Continued education of computer users
• Don’t click on strange links (avoid tempt-to-click attacks)
• Do not release personal information online
• Use caution with IM and SMS (short message service)
• Be careful with social networking sites
• Don’t e-mail sensitive information
• Don’t hit “reply” to a received e-mail containing sensitive information
• Require mandatory VPN (virtual private network) use over wireless networks
ADDRESSING THE THREATS
• Design/implement widely accepted policies and standards
• Identify the vulnerabilities, mis-configurations, and policy violations
• Apply fixes and patches as quickly as possible
• Mitigating the risk with intrusion prevention
• Log and monitor all critical systems
• Educate yourself & your staff
• Disable Safe Mode; lock systems with SteadyState, Deep Freeze or others
• Lock Down Windows Group Policies
• Block USB devices
• Secure your WIFI network
THE LIST
Tools I use!
PASSWORD RECOVERY TOOLS:
• Fgdump (mass password auditing for Windows)
• http://foofus.net/fizzgig/fgdump
• Cain and Abel (password cracker and so much more….)
• http://www.oxid.it/cain.html
• John The Ripper (password cracker)
• http://www.openwall.org/john/
• GUI for John The Ripper: FSCrack
• http://www.foundstone.com/us/resources/proddesc/fscrack.htm
• RainbowCrack: an innovative password hash cracker tool that makes use of a large-scale time-memory trade-off.
• http://www.rainbowcrack.com/downloads/?PHPSESSID=776fc0bb788953e190cf415e60c781a5
NETWORKING SCANNING
• MS Baseline Analyzer 2.1
• http://www.microsoft.com/downloads/details.aspx?familyid=f32921af-9dbe-4dce-889eecf997eb18e9&displaylang=en
• The Dude (mapper and traffic analyzer, great for WiFi)
• http://www.mikrotik.com/thedude.php
• TCPDump (packet sniffer), Linux, or Windump for Windows
• http://www.tcpdump.org and http://www.winpcap.org/windump/
• ZENOSS (enterprise network mapping and monitoring)
• http://www.zenoss.com
• HPing2 (packet assembler/analyzer)
• http://www.hping.org
• SoftPerfect Network Scanner
• http://www.softperfect.com/
• Getif (network SNMP discovery and exploit tool)
• http://www.wtcs.org/snmp4tpc/getif.htm
• LanSpy (local, domain, NetBIOS, and much more)
• http://www.lantricks.com/
TOOLS TO ASSESS VULNERABILITY
• Nessus (vulnerability scanner)
• http://www.nessus.org
• Snort (IDS - intrusion detection system)
• http://www.snort.org
• Metasploit Framework (vulnerability exploitation tools) Use with great
caution and have permission
• http://www.metasploit.com/projects/Framework/
• Open VAS (Vulnerability Assessment Systems) Enterprise network
security scanner
• http://www.openvas.org
SECURE YOUR PERIMETER:
• DNS-stuff and DNS-reports
• http://www.dnsstuff.com http://www.dnsreports.com
• Test e-mail & html code
• Web Inspect 15 day http://tinyurl.com/ng6khw
• Security Space
• http://tinyurl.com/cbsr
• Other firewall options
• Untangle www.untangle.com
• Smooth Wall www.smoothwall.org
• IPCop www.ipcop.org
More Tools:
• Soft Perfect Network Scanner
• A multi-threaded IP, SNMP and NetBIOS scanner. Very easy to use; http://tinyurl.com/2kzpss
• WinSCP
• Wraps a friendly GUI interface around the command-line switches needed to copy files between Windows and Unix/Linux http://tinyurl.com/yvywqu
• File Shredder
• A fast, safe and reliable tool to shred company files; http://www.fileshredder.org/
• Ccleaner
• Removes unused files and other software that slows down your PC; http://www.ccleaner.com/
• Open DNS
• Another layer to block proxies and adult sites; http://www.opendns.com/
• Nagios
• Highly configurable, flexible network resource monitoring tool http://www.nagios.org
• GroundWork (OpenSource)
• Full enterprise performance and network management software. This is designed for data center and large networks but can be used for small shops as well. (works with Nagios); http://www.groundworkopensource.com
• Google (Get Google Hacking book)
• The Google Hacking Database (GHDB)
• http://johnny.ihackstuff.com/modules.php?op=modload&name=Downloads&file=index
• Cain and Abel
• (the Swiss Army knife) Crack passwords, crack VOIP and so much more
• http://www.oxid.it/cain.html
• Autoruns / Sysinternals Suite
• Shows the programs that run during system boot up or login
• http://tinyurl.com/3adktf
• Iron Geek
• Step by step security training http://tinyurl.com/bzvwx
• SuperScan 4
• Network scanner, find open ports (I prefer version 3)
• http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/superscan.htm
• EventSentry
• Allows you to consolidate and monitor event logs in real-time, http://tinyurl.com/2g64sy
WELL-WORN TOOLS:
• Wireshark
– Packet sniffer used to find passwords and other important network errors going across the network
– SSL passwords are often sent in clear text before logging on
– http://tinyurl.com/yclvno
• Metasploit
– Hacking/networking security made easy
– http://www.metasploit.com/
• BackTrack or UBCD4WIN Boot CD
– Cleaning infected PCs or ultimate hacking environment. Will run from USB
– http://www.backtrack-linux.org/downloads/
– http://tinyurl.com/38cgd5
• ReadNotify
– “Registered” email
– http://www.readnotify.com/
• Virtual Machine
– For pen testing
– http://tinyurl.com/2qhs2e
DIGITAL FORENSICS
• First and foremost: I am not a lawyer. Always consult your local law enforcement agency and legal department first!
• Digital forensics is SERIOUS BUSINESS
• You can easily shoot yourself in the foot by doing it incorrectly
• Get some in-depth training
• …this is not in-depth training!!! (Nor is it legal advice. Be smart. The job you save may be your own.)
FORENSICS: OPEN SOURCE / FREE TO K-12
• Helix (e-fense)
• Customized Knoppix disk that is forensically safe
• Includes improved versions of ‘dd’
• Terminal windows log everything for good documentation
• Includes Sleuthkit, Autopsy, chkrootkit, and others
• Includes tools that can be used on a live Windows machine, including precompiled binaries and live acquisition tools
• www.e-fense.com
• ProDiscover (free for schools)
• www.techpathways.com
ANTI-FORENSICS
• Be aware of activity in the anti-forensics area!! There are active efforts to produce tools to thwart your forensic investigation.
• Metasploit’s Anti-Forensic Toolkit*, Defiler’s Toolkit, etc.
• Timestomp
• Transmogrify
• Slacker
• SAM Juicer
SYSINTERNALS: EVENT LOG
Acquire key data
• Use to document unauthorized file and folder access
ACCESSCHK*
Acquire key data
• Shows what folder permissions a user has
• Provides evidence that user has opportunity
PSLOGGEDON*
Acquire key data
• Shows if a user is logged onto a computing resource
ROOTKIT REVEALER
Acquire key data
• Reveals rootkits, which take complete control of a computer and conceal their existence from standard diagnostic tools
PSEXEC
Acquire key data
• Allows investigator to remotely obtain information about a user’s computer - without tipping them off or installing any applications on the user’s computer
SYSINTERNALS TOOL: DU*
Acquire key data
• Allows investigator to remotely examine the contents of user’s My Documents folder and any subfolders
FREE SERVER VIRTUALIZATION SOFTWARE
• Some of my favorite free virtualization tools:
• VMware vSphere ESXi Free Edition and VMware Go
• VMware vMA, vCLI (or command-line interface), PowerCLI, and scripts from the vGhetto script repository such as vSphereHealthCheck
• Veeam Monitor (free edition), FastSCP, and Business View
• Vizioncore Wastefinder, vConvert SC and Virtualization EcoShell
• SolarWinds' VM Monitor
• Trilead VM Explorer
• TripWire ConfigCheck
• ConfigureSoft/EMC Compliance Checker
• ESX Manager 2.3 from ESXGuide (ESX 3i and 4i are not supported)
• vKernel SearchMyVM, SnapshotMyVM, and Modeler
• Hyper9 GuessMyOS Plugin, Search Bar Plugin, and Virtualization Mobile Manager
• XtraVirt vAlarm and vLogView
SHAMELESS PLUG
• Presentations on my site located at www.es-es.net
• Check out the presentation given this morning
• http://tinyurl.com/y9oywob
• 20 great Windows open source projects
• Face-Saving Tools for Managers
• Manage & Secure Your Wireless Connections
• To learn more about GCA (Georgia Cumberland Academy): www.gcasda.org
• http://tinyurl.com/yfh7d6t
• E-Crime Survey 2009 http://tinyurl.com/ygtsgft