How to Fix A Broken Window Erik Pace Birkholz, CISSP, Principal Consultant, Foundstone...

How to Fix A Broken Window

Erik Pace Birkholz, CISSP, Principal Consultant, Foundstone

[email protected]

©1999, 2000 Laurie Brosius

Part 1: Intranet Penetration Testing: Discovering network negligence

Part 2: Strengthening Microsoft: When # is not an option

Background Information

Who am i? When did I start security? Where do I work? What is my job? Why do you care? What was your inspiration for this talk?


Who am i? Erik Pace Birkholz, CISSP – MCSE Contrary to popular belief, I am 27 years old. From New Jersey, just outside of Philadelphia. BS in Computer Science from Dickinson College, PA (est 1773)

When did I start security? 1995, NCSA - National Computer Security Association, Carlisle, PA 1997, KPMG - Information Risk Management, Manhattan, NY 1998, E&Y – National Attack and Penetration Team, Los Angeles, CA 1999, ISS – Lead Consultant, Hollywood, CA 2000, Foundstone Inc., Irvine, CA

Where do I work? Foundstone

KNOW VULNERABILITIES


What is my job? Principal Consultant Internet and Intranet Penetration tests Instructor for Foundstone courses Contributing Author for Hacking Exposed

series


Why do you care? You probably don’t, but that’s ok. In you are trying to decide if you should

head off to Halvar or Chip’s talk instead.

What was your inspiration for this talk?

Inspiration / Rant

Year 2001 was the year that got away. Our comfort zone crumbled. Seemingly well laid plans turned to dust. Systems crashed and networks halted as faceless network attacks tore through cyberspace.

Inspiration / Rant

As a nation and an industry, we fell victim to devastating attacks that could have been avoided. Security and comfort slipped through our fingers and was gone.

Inspiration / Rant

Ladies and gentleman, security has reached the board room. Management wants answers. They want solutions. Above all else they want piece of mind this won’t happen again. Purse-strings are opening; now is the time for IT to make things right. Management finally understands a simple fact that can no longer be avoided: responsibility without authority is a recipe for failure.

Inspiration / Rant

C:\>net send * “Don’t expect secure networks if you haven’t empowered your internal security team.”

Inspiration / Rant

Security vs. usability may finally become a balanced equation. All the usability in the world isn’t worth a damn if your internal network is a wasteland of default configurations and blank passwords.

Inspiration / Rant

Security teams are now a required internal resource. Contrary to popular belief there are NOT 24 working hours in a day. Security can not be treated as a side order. The excuses need to stop - now.

10 Lessons from 2001

Secure perimeters still allow web attacks.

Laptops tend to be promiscuous, spending time in untrusted networks then coming home to the corporate LAN.

Employee’s REALLY DO get disgruntled.

Default configurations are bad, even if they are internal only.

Flat networks are bad.

Inconsistent server configuration will hurt you.

Exploits can be scripted to replicate just like a virus.

Users WILL click on a link to a picture of Anna Kournikova.

There is NOT one tool that replaces the human element of a security expert.


http://images.google.com/imgres?imgurl=www.poster.net/kournikova-anna/kournikova-anna-tennis-playing-4000913.jpg&imgrefurl=http://www.postershop.com/Kournikova-Anna/Kournikova-Anna-Tennis-playing-4000913.html&h=300&w=212&prev=/images%3Fq%3Danna%2Btennis%26svnum%3D10%26hl%3Den%26sa%3DN

Responsibility without authority is

impossible in the security world.

C:\>net send * “Don’t expect secure networks if you haven’t empowered your internal security team.”


Internal Penetration Testing

Two scenarios CYA and documentation Defining scope and goals Tools of the Trade Presentation of findings

Internal Penetration Testing Two scenarios

Third party assessment Foundstone @stake Big 5 Guardent ISS etc…

Internal security team Current IT staff vs. pure security team

http://www.foundstone.com/index.html

http://www.eeye.com/html/index.html

Two scenarios

Third party assessment

Be VERY selective Current methodology Established in the security community Provides report samples Onsite team guarantee

Biographies provided and approved

Two scenarios

Third party assessment

Be VERY selective Provides reputable references for previous work Guidelines and standards for data destruction Considers YOUR company important Will help teach you to fish

Two scenarios Third party assessment

Use 3rd party assessments to compliment your year round security testing brushing teeth vs. dentist office visit

Use multiple vendors Each assessment should be independent of the previous

Request all raw data in addition to reports

Two scenarios Internal Security Team

Current IT staff vs. pure security team? What is a pure security team?

Internal staff with the sole function of security Can they exist in small companies? Can they exist in large corporations?

Can these two teams peacefully co-exist? Of course.

Sample structure for large corporation

Two scenarios

From here on out, lets consider the assessment team is interchangeable between internal and 3rd party.

Stuff you already knowWindows NT/2000 Domains: The Impact of Local and Domain Account Compromises

NT/2000 domains, simply put, are Windows systems connected to facilitate the sharing of resources and ease of administration. The glue that binds this domain together is centralized administration of users and their access/restriction to domain resources. This administration is achieved through Domain Controllers. Domain controllers contain all the domain accounts and provide access/restriction to domain resources based on these accounts. NT/2000 systems also have local accounts that provide access to local resources. Depending on the role and configuration of the server, these resources can be exploited to gain administrative domain access. With that said, the end goal of penetrating an NT/2000 domain is achieved by compromising an administrative level domain account

Stuff you already knowDomain Controllers

Domain Controllers are the "treasure chest" for Windows NT/2000 accounts and passwords. If a Domain Controller is compromised at an administrative level, all usernames and encrypted password hashes for that domain will likely be stolen and cracked offline on the attackers system. This includes all administrative level domain accounts.

Since Domain Controllers are the foundation of any Microsoft NT/2000 Domain. A compromise at this level almost ensures compromise of Application servers and Member servers. Additionally, due to password reuse, it is feasible that an attacker could compromise other NT/2000 Domains, Stand-alone servers, as well as non-NT/2000 operating systems.

Stuff you already knowDomain Controllers

Domain controllers must be single function servers. This means they should not perform or offer any other functions to the domain. The user account database is their critical resource and this must be protected at all costs.

Provided the server is locked-down as a single function server offering no services beyond what is required, an attacker will need to compromise a username/password that is a member of the local Administrators group or one with administrative level privileges (ie. Domain Admins group). This can be achieved by password guessing or password reuse from other sources. With that said, the compromise of an account that has administrative domain privileges usually signifies "game over" for the domain, its systems and their resources. These accounts are stored on Domain Controllers and must be protected with the strongest passwords controls allowable by corporate policies.

Stuff you already knowApplication servers

Application servers on the network provide access to services such as Web, FTP, SQL, Oracle, Mail and File sharing. These servers are usually the second tier of an attack against and NT/2000 domain. Generally, vulnerabilities in these services will be attacked with exploits that in many cases result in a complete compromise of the system.

Unnecessary services should not be run on application servers. These services constitute a potential avenue for attack. These services, if required at all, must be kept up to date with current stable vendor patches. If an attacker gains control of an Application server, the username/passwords from that system will often provide the credentials needed to compromise a domain account that has administrative privileges. Additionally, previously established connections and trusts can be leveraged to compromise other systems. For example, web servers often contain e-commerce data, existing connections and scripted passwords to backend databases. The worst-case scenario would be an attacker gaining an administrative domain account from a Application server compromise. This can be avoided by never running services in the context of an administrative domain account on non-Domain Controllers.

Stuff you already knowMember Servers

Member servers (workstations, test systems, back-up servers, etc) are usually the final targets for an NT/2000 attacker with zero network knowledge. Unless an attacker is unsuccessful in the first two tiers they will most likely already have full access to all Member servers. Common targets of this type are administrative workstations and desktops of Supervisors and Executives. Accounts should not exist on these systems that would allow an attacker to gain domain level access via password reuse. An attacker that compromises a member server will have full access to all data on the system (personal & corporate) and may have access to systems administered from this system. The worst-case scenario would be an attacker gaining an administrative domain account from a Member server compromise. This can be avoided by never running services in the context of an administrative domain account on non-Domain Controllers.

Stuff you already knowCritical Application Servers (Non-Domain Requirement)

Critical Application Servers (Payroll/Finance/HR) typically are not required to be accessible from the domain except by a very tightly restricted group. The isolation of these servers can be exaggerated by removing them from the domain and creating strict access control lists or firewall rules for protection. Individuals who require access should be using a `static´ workstation with a defined IP address. This address will be one of the few that will be allowed remote connection to shared drives. Accounts should be unique to this system with both userid and passwords different from the primary domain. Applications running such as Peoplesoft or Oracle Financials, which require the general population the ability to connect, should be controlled by creating strict access control lists or firewall rules limiting connections only to the application server port.

CYA and Documentation

BEFORE YOU BEGIN Get signed approval Gather contact/emergency information Obtain critical operations information

Maintenance windows

Agree on documentation and reporting Screenshots?

Defining Scope and Goals

Define specific goals for assessment What defines success? Identify vs. exploit? Should systems be tagged? Are screenshots enough?

Create timelines Active assessment?

LIMITS?

Out of scope? Not for hackers Reading email in attempt to gain passwords Attacking workstations to gain network credentials Attacking administrative workstations to gain admin access Searching .txt and .doc files on workstations Searching .txt and .doc files on production systems Sniffing traffic Keystroke loggers Intentional denial of service

The bad guys can/may/will do these things.


Internal vs. External

What is the difference?

•less or no access controls

•test systems

•trust relationships

Internal Penetration Testing Footprint Host Identification Service Identification Service Enumeration Host Enumeration Network Map HSV Scans Vulnerability Mapping/Exploitation


Footprint

Goal: identify ranges and domains


Footprint

Identify domains

net view /domain


Footprint

Identify IP ranges

SNMP DNS ICMPwww.solarwinds.net

Internal Penetration TestingHost Identification

Identify Hosts

TCP ICMP

Fscan - Foundstone

Internal Penetration TestingHost Identification

Identify domain members using the NET command

net view /domain:<domain>

Internal Penetration TestingService Identification

Identify Ports

TCP UDP

Fscan - Foundstone

Internal Penetration TestingService Identification

Don’t forget source port scans!

Fscan –i <ip>

Fscan – www.Foundstone.com

Internal Penetration TestingService Enumeration

Identify what is running on listening ports

TCP UDP

Fscan - Foundstone


Host Enumeration: use all the previous information to make accurate guess at OS and version


Network Maps should be created to identify hosts, services and access paths.


High Severity Vulnerability (HSV) Scans should be performed to identify systems with high severity vulnerability.


High Severity Vulnerability Scans

NetBIOS weak passwordsSQL weak passwordsWeb Vulnerabilities


High Severity Vulnerability Scans

NetBIOS weak passwords


High Severity Vulnerability ScansNetBIOS weak passwords


High Severity Vulnerability ScansSQL weak passwords


High Severity Vulnerability ScansWeb vulnerabilities


Vulnerability Mapping/Exploitation

Source port attacks

If you use IPSec don’t forget to use the NoDefaultExempt key

HKLM\SYSTEM\CCS\Services\IPSEC\NoDefaultExec

DWORD = 1



.printerunicode

Presentation of Findings

HSVs should be reported ASAP

Report should be clear and concise

Include screenshots

Use action items for remediation

Presentation of Findings

Do not confuse symptoms for systemic causes

Think about systemic causes

Categorize findings TACTICAL STRATEGIC

Strengthening Microsoft Networks

strong domain architectures

rigid user management

hardened applications

principle of least privilege

Strengthening Microsoft Networks

security baselines for systems

defense in depth

network segmentation

3rd party audit

Summary

What was the point again?

Where can we get these slides?

Do you have a web site?

Is there time for Q&A?

Question and Answer

How to Fix A Broken Window

Erik Pace Birkholz, CISSP, Principal Consultant, Foundstone

[email protected]

©1999, 2000 Laurie Brosius

How to Fix A Broken Window Erik Pace Birkholz, CISSP, Principal Consultant, Foundstone...

Documents

Transcript of How to Fix A Broken Window Erik Pace Birkholz, CISSP, Principal Consultant, Foundstone...