© 1999 Ernst & Young LLP - eXtreme Hacking - Black Hat 1999

Over the Router, Through the Firewall, to Grandma's House We Go
George Kurtz & Eric Schultze
Ernst & Young LLP
Session Objective
- Discuss common DMZ and host configuration weaknesses
- Demonstrate what may happen if a hacker were to exploit these weaknesses
- Present countermeasures to help secure the network and related hosts
Network Diagram
[figure: network diagram showing the hosts 10.1.1.20, 10.1.1.10, 172.16.1.200, 172.16.1.50 and 192.168.1.20]
Network Design
- Internet router is blocking tcp/udp ports 135-139
- NT Web Server (SP3) is dual-homed
- Firewall allows only outbound http (80) and smtp (25) traffic
Hacker's Objective
Gain control over the internal NT Server from the Internet
SysAdmin's Objective
Identify holes in the environment and close them
Target Selection
- Ping sweep: gping, fping
- Port scan: nmap, NetscanTools Pro 2000
- OS identification: nmap -O, queso
- Banner grabbing: VisualRoute, Netcat
ttdb
- Buffer overflow in rpc.ttdbserver
- Allows user to execute arbitrary code
- Arbitrary code may be executed that will shell back an xterm as root
Netcat Redirection
[figure: redirection path between 10.1.1.20, 172.16.1.50 and 172.16.1.200]
Netcat Redirection
- Attack Linux listens on 139 and redirects to 1139 on Sparc
- Sparc listens on 1139 and redirects to 139 on NT Web Server
- Attack NT issues NetBIOS request to Attack Linux
- NetBIOS request is forwarded over the router to NT Web Server
Enumerate NT Information
- Null session: net use \\172.16.1.50\ipc$ "" /user:""
- NetUserEnum (local, global, DumpACL)
- NetWkstaTransportEnum (Getmac)
- RpcMgmt Query (EPDump)
Privilege Escalation
- Plant sechole on NT Server
- Execute sechole via http
- IUSR account becomes admin
- Add new user account (via http)
- Add new user account to Administrator group (via http)
IIS Buffer Overflow
- Determine if server is vulnerable:
    nc 172.16.1.200 80
    GET /.htr HTTP/1.0
  Evaluate response
- Crash IIS and send payload
- Target server contacts our web server and downloads payload
- Payload executes on server and contacts our attack host
VNC
Pass The Hash
- Modified SMB client can mount shares (C$, etc.) on a remote NT host using only the username and password hash
- No need to "decrypt" the password hash
- Concept first presented by Paul Ashton in an NTBugtraq post
Pass The Hash v.2
- Create an admin account on our own NT host with the same name as the admin account for which we have hash values
- Upload the hash values into memory on our own NT host
- Perform pass-through authentication to the target host
- No need to "decrypt" the password
Network Diagram
[figure: network diagram showing the hosts 10.1.1.20, 172.16.1.200, 172.16.1.50 and 192.168.1.20]
Shovel The Shell
[figure: shell path between 10.1.1.20 and 192.168.1.20]
Shovel The Shell
- Launch two Netcat listeners on Attack1a (ports 80 and 25)
- Execute Trojan on NT Server:
  - Netcat TO port 80 on AttackLinux
  - Commands typed on AttackLinux (port 80) are piped to CMD.exe on NT Server
  - CMD.exe output is Netcatted TO port 25 on AttackLinux
- Type commands in the port 80 window, view output in the port 25 window
Network Countermeasures
- Block ALL ports at the border routers
- Open only those ports that support your security policy
- Review logs
- Implement network and host intrusion detection
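The difference between the border configuration in the Network Design slide (a deny-list of ports 135-139, everything else permitted) and the "block ALL ports, open only what the policy needs" advice above is easiest to see by replaying the deck's own traffic against both. The following is an added example, not code from the slides or from Ernst & Young: a small first-match packet-filter model. The addresses come from the network diagram; the role mapping (172.16.1.200 as the published IIS server, 172.16.1.50 as the Sparc relay, 10.1.1.20 as the attacker's Linux host) and the placeholder mail relay address are this example's assumptions.

```python
"""First-match packet-filter model (added example, not from the slides).

Replays the connections used in the talk against two border policies:
  AS_DEPLOYED  - router denies only tcp/udp 135-139, firewall permits
                 outbound 80 and 25, everything else passes (default permit)
  DEFAULT_DENY - nothing passes unless a rule names it (default deny)
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WEB_SERVER = "172.16.1.200"   # assumption: the published IIS host (nc 172.16.1.200 80 on the IIS slide)
SPARC_RELAY = "172.16.1.50"   # assumption: the Sparc host used as the 1139 -> 139 relay
ATTACKER = "10.1.1.20"        # assumption: "Attack Linux"
MAIL_RELAY = "192.0.2.25"     # constructed placeholder: the only host allowed to send SMTP out


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = Internet -> site, "out" = site -> Internet
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                                # "permit" or "deny"
    direction: Optional[str] = None            # None matches either direction
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    dports: Optional[Tuple[int, int]] = None   # inclusive destination port range

    def matches(self, p: Packet) -> bool:
        return ((self.direction is None or self.direction == p.direction)
                and (self.proto is None or self.proto == p.proto)
                and (self.src is None or self.src == p.src)
                and (self.dst is None or self.dst == p.dst)
                and (self.dports is None or self.dports[0] <= p.dport <= self.dports[1]))


def decide(rules: List[Rule], default: str, p: Packet) -> str:
    """First matching rule wins; `default` acts as the implicit last rule."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# (a) The border as the Network Design slide describes it.
AS_DEPLOYED = [
    Rule("deny", direction="in", proto="tcp", dports=(135, 139)),
    Rule("deny", direction="in", proto="udp", dports=(135, 139)),
    Rule("permit", direction="out", proto="tcp", dports=(80, 80)),
    Rule("permit", direction="out", proto="tcp", dports=(25, 25)),
]

# (b) Default deny: only the published web service and the mail relay's outbound SMTP.
DEFAULT_DENY = [
    Rule("permit", direction="in", proto="tcp", dst=WEB_SERVER, dports=(80, 80)),
    Rule("permit", direction="out", proto="tcp", src=MAIL_RELAY, dports=(25, 25)),
]

# Constructed sample traffic, one entry per step of the talk.
TRAFFIC = {
    "public web request":              Packet("in", "tcp", ATTACKER, WEB_SERVER, 80),
    "direct NetBIOS session":          Packet("in", "tcp", ATTACKER, WEB_SERVER, 139),
    "NetBIOS relayed via port 1139":   Packet("in", "tcp", ATTACKER, SPARC_RELAY, 1139),
    "RPC portmapper (111) for ttdb":   Packet("in", "tcp", ATTACKER, SPARC_RELAY, 111),
    "shoveled shell, commands on 80":  Packet("out", "tcp", WEB_SERVER, ATTACKER, 80),
    "shoveled shell, output on 25":    Packet("out", "tcp", WEB_SERVER, ATTACKER, 25),
}


def audit(rules: List[Rule], default: str) -> Dict[str, str]:
    return {name: decide(rules, default, p) for name, p in TRAFFIC.items()}


def compare() -> Dict[str, Tuple[str, str]]:
    """Map each traffic description to (decision as deployed, decision under default deny)."""
    deployed, hardened = audit(AS_DEPLOYED, "permit"), audit(DEFAULT_DENY, "deny")
    return {name: (deployed[name], hardened[name]) for name in TRAFFIC}


if __name__ == "__main__":
    for name, (d, h) in compare().items():
        print(f"{name:32s}  as deployed: {d:6s}  default deny: {h}")
```

Only the public web request survives both policies. The deny-list stops the direct port 139 session but passes the 1139 relay hop, the RPC locator, and both legs of the shoveled shell, because a dual-homed web server that may initiate outbound 80 and 25 satisfies the firewall rule as written. Under default deny the web server has no outbound permit at all, so the reverse shell has nothing to ride on.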
Unix Countermeasures
TTDB
- Kill the "rpc.ttdbserverd" process
- Apply vendor specific patches
- Block low and high numbered RPC locator services at the border router
Xterm
- Remove trusted relationships with xhost -
- If sending sessions to another terminal, restrict to a specific terminal
- Block ports 6000-6063 if necessary
NT Countermeasures
- Block tcp and udp ports 135, 137, 138 and 139 at the router.
- Prevent information leakage:
  - Utilize the RestrictAnonymous registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous DWORD = 1
  - Unbind "WINS Client (TCP/IP)" from the Internet-connected NIC
NT Countermeasures
- Password composition
  - 7 characters is the strongest humanly usable length, 14 is the strongest
  - Use meta-characters within the first 7 characters of your password
- Utilize account lockout
- Utilize the passfilt.dll to require stronger passwords
- Utilize the Passprop.exe admin lockout feature
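The 7/14 advice and the "meta-characters in the first 7" rule both follow from how the LAN Manager hash treats a password: it is upper-cased, padded to 14 bytes and split into two 7-byte halves that are hashed independently, so a 7-character password leaves the second half as a fixed padding-only block and a symbol placed at position 8 or later does nothing for the first half. The following is an added example, not code from the slides or from Ernst & Young: a checker that reports those LM weaknesses alongside passfilt.dll-style rules. The passfilt rules used here (at least six characters, three of the four character classes, no occurrence of the user name) are this example's reading of what passfilt.dll enforces; the report format and function names are its own.

```python
"""Password composition checker for the LM-hash era (added example, not from the slides).

lm_halves()      - the two 7-byte blocks the LM hash is computed over
check_password() - passfilt-style rules plus LM-specific composition problems
"""
from typing import Dict, List, Set, Tuple

LM_HALF = 7
PADDING_HALF = b"\x00" * LM_HALF      # what LM hashes when a half is empty
ALPHABET_SIZE = {"letter": 26, "digit": 10, "other": 33}   # printable ASCII after case folding


def lm_halves(password: str) -> Tuple[bytes, bytes]:
    """Upper-case, truncate/zero-pad to 14 bytes, split into two 7-byte halves (the LM scheme)."""
    padded = password.upper().encode("latin-1", "replace")[:2 * LM_HALF].ljust(2 * LM_HALF, b"\x00")
    return padded[:LM_HALF], padded[LM_HALF:]


def char_classes(s: str) -> Set[str]:
    """Character classes present: upper, lower, digit, other (anything else, including symbols)."""
    out = set()
    for c in s:
        if c.isupper():
            out.add("upper")
        elif c.islower():
            out.add("lower")
        elif c.isdigit():
            out.add("digit")
        else:
            out.add("other")
    return out


def lm_keyspace(half: bytes) -> int:
    """Candidate count for one LM half given the classes it contains (case already folded)."""
    chars = half.rstrip(b"\x00").decode("latin-1")
    if not chars:
        return 1                                   # the padding-only half is a single known value
    folded = {"letter" if k in ("upper", "lower") else k for k in char_classes(chars)}
    return sum(ALPHABET_SIZE[k] for k in folded) ** len(chars)


def passfilt_problems(password: str, username: str) -> List[str]:
    """Assumed passfilt.dll rules: >= 6 chars, 3 of 4 classes, no user name inside."""
    problems = []
    if len(password) < 6:
        problems.append("shorter than 6 characters")
    if len(char_classes(password)) < 3:
        problems.append("fewer than 3 of the 4 character classes")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    return problems


def lm_problems(password: str) -> List[str]:
    """Composition problems specific to the LM hash split."""
    problems = []
    if len(password) > 2 * LM_HALF:
        problems.append("longer than 14: LM ignores everything past character 14")
    first, second = lm_halves(password)
    if second == PADDING_HALF:
        problems.append("7 characters or fewer: second LM half is the fixed padding-only block")
    first_chars = first.rstrip(b"\x00").decode("latin-1")
    if "other" not in char_classes(first_chars):
        problems.append("no meta-characters within the first 7 characters")
    return problems


def check_password(password: str, username: str = "") -> Dict[str, object]:
    first, second = lm_halves(password)
    problems = passfilt_problems(password, username) + lm_problems(password)
    return {
        "lm_halves": (first, second),
        "first_half_keyspace": lm_keyspace(first),
        "problems": problems,
        "acceptable": not problems,
    }


if __name__ == "__main__":
    for pw in ("Secret1", "Welcome123!!", "T0ps!cret-B0x"):   # constructed samples
        report = check_password(pw, "jdoe")
        print(pw, report["lm_halves"], report["first_half_keyspace"], report["problems"])
```

"Welcome123!!" passes the passfilt-style rules yet its first LM half is "WELCOME", a letters-only block with a 26^7 candidate space; moving a symbol into the first seven characters is what the slide is asking for, and "T0ps!cret-B0x" shows the shape that satisfies every check.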
NT Countermeasures
- Apply current service packs and security related hotfixes
- Review the IIS security checklist: www.microsoft.com/security/products/iis/CheckList.asp
Countermeasures
Disclaimer: Test all changes on a non-production host before implementing on production servers
Tools and Concepts
- Visual Route: www.visualroute.com
- NetScanTools Pro: www.nwpsw.com
- gping, fping: www.securityfocus.com
- nmap: www.insecure.org/nmap/
- queso: www.apostols.org/projectz/
- ttdb exploit: www.securityfocus.com
- netcat: www.l0pht.com
- rinetd: www.boutell.com
Tools and Concepts
- VMWare: www.vmware.com
- NT Resource Kit: www.microsoft.com
- DumpACL: www.somarsoft.com
- sechole: www.cybermedia.co.in
- pwdump: www.rootshell.com
- L0phtCrack: www.l0pht.com
- VNC: www.uk.research.att.com
- modified SMB client: www.ntbugtraq.com
Security Resources
- www.microsoft.com/security: advisories, patches, IIS Security Checklist
- www.securityfocus.com: Bugtraq mailing list; tools, books, links; vulnerabilities and fixes
Osborne/McGraw-Hill
Hacking Exposed: Network Security Secrets and Solutions
George Kurtz, Stuart McClure, Joel Scambray
Due out September 1999
Contact Information
George Kurtz: [email protected], (201) 836-5280
Eric Schultze: [email protected], (425) 990-6916
Web site: www.ey.com/security