Transcript of "Methodology of a Hacker", Matthew Schmid, Telemus Solutions, Inc.

Page 1

Methodology of a Hacker

Matthew Schmid, Telemus Solutions, Inc.

Page 2

Copyright © 2006 Telemus Solutions, Inc. Proprietary

Today's Topics

- Introduction
- FBI Cyber Crime Report
- Information Warfare Techniques
  - Information gathering
  - Social engineering
  - Network reconnaissance
  - Finding and exploiting vulnerabilities
  - Controlling and maintaining access
- Top 10 Security Vulnerabilities

Page 3


Introduction

- Telemus Solutions, Inc.
  - Government and commercial security
  - Protecting the critical infrastructure
- Capabilities
  - Physical and IT vulnerability assessments
  - Security consulting
  - Systems engineering
  - Custom software development
  - Research and development

Page 4


FBI Cyber Crime Survey (2005)

Over 5,000 respondents, with over 87% experiencing one or more incidents

1. Total financial losses and the reported number of incidents have declined

2. Website attacks and wireless attacks have increased

3. Insider attacks occur about as often as external attacks

4. Defense is focused on the perimeter and antivirus / antispyware solutions

5. Security awareness continues to improve

Page 5

Information Warfare Techniques

Page 6


Information Gathering

- WHOIS lookup
  - Find information about ownership and registration of networks
- Newsgroup postings
  - Learn what problems the system administrator is dealing with
- Google hacking
  - Find unintentionally published information
- Dumpster diving
  - Find account names, passwords, network info
  - Improperly disposed media

Page 7


Example: WHOIS HealthTechNet.org

IPv4 whois information for 204.227.246.38
OrgName: Pillsbury Madison & Sutro, Inc.
NetRange: 204.227.224.0 - 204.227.255.255
CIDR: 204.227.224.0/19
NameServer: SFNS01.PILLSBURYWINTHROP.COM
NameServer: LANS01.PILLSBURYWINTHROP.COM
NameServer: VANS01.PILLSBURYWINTHROP.COM
NameServer: NYNS01.PILLSBURYWINTHROP.COM
smtp.shawpittman.com 208.200.185.221
OrgTechName: Network Engineering Group
OrgTechPhone: 1-415-477-4917
OrgTechEmail: [email protected]
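The record above is exactly the kind of public data a registrant should review from the attacker's perspective. The following is an added example (not part of the slides) that parses the slide's WHOIS record, checks that the NetRange and CIDR agree and that the queried address falls inside them, and flags whether the technical contact is a role account; the ROLE_WORDS heuristic is an assumption of this example, and the e-mail address is left as it is redacted on the page.

```python
import ipaddress
import re

# Record copied from the slide (the e-mail address is redacted on the page).
SAMPLE_RECORD = """\
OrgName: Pillsbury Madison & Sutro, Inc.
NetRange: 204.227.224.0 - 204.227.255.255
CIDR: 204.227.224.0/19
NameServer: SFNS01.PILLSBURYWINTHROP.COM
NameServer: LANS01.PILLSBURYWINTHROP.COM
NameServer: VANS01.PILLSBURYWINTHROP.COM
NameServer: NYNS01.PILLSBURYWINTHROP.COM
OrgTechName: Network Engineering Group
OrgTechPhone: 1-415-477-4917
OrgTechEmail: [email protected]
"""

# Assumed heuristic: a contact naming a role, not a person, gives a social engineer less to use.
ROLE_WORDS = ("group", "team", "admin", "noc", "network", "security", "hostmaster")

def parse_whois(text):
    """Return {field: [values]}; repeated keys such as NameServer accumulate in order."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.+?)\s*$", line)
        if m:
            record.setdefault(m.group(1), []).append(m.group(2))
    return record

def netrange_as_cidrs(record):
    """Collapse the NetRange field into the minimal list of CIDR blocks."""
    start, end = (s.strip() for s in record["NetRange"][0].split("-"))
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end))
    return [str(n) for n in nets]

def is_role_contact(name):
    return any(word in name.lower() for word in ROLE_WORDS)

def audit(record, queried_ip):
    """Consistency checks plus the exposure points a registrant reviews."""
    cidrs = netrange_as_cidrs(record)
    ip = ipaddress.ip_address(queried_ip)
    return {
        "cidr_matches_range": sorted(cidrs) == sorted(record["CIDR"]),
        "ip_in_range": any(ip in ipaddress.ip_network(c) for c in cidrs),
        "nameserver_count": len(record.get("NameServer", [])),
        "role_contact": is_role_contact(record["OrgTechName"][0]),
    }
```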

Page 8


Social Engineering

- Using gathered information to trick employees into compromising the organization's security
  - Provide accounts/passwords
  - Modify machine settings
  - Provide physical access
- Getting users to introduce a vulnerability to the system
  - Removable media
  - Email attachments
  - Active web content

Page 9


Network Reconnaissance

- Network and service mapping
  - Find out what servers are up/down
  - Identify operating systems
  - Identify open services and versions
- Tools
  - Port scanners
  - Network mappers
  - OS fingerprinters

Page 10


Wireless Networks

- Topology
  - Where is it connected?
- Access Points
  - No security
  - Default accounts
  - WEP vulnerabilities
  - Rogue access points
- Wireless on the laptop
  - Associations with other APs
  - Ad-hoc networks

Page 11


Vulnerability Discovery

- Identify issues
  - Match service information to known vulnerabilities
  - Scan specific machines for vulnerabilities
- Tools
  - OS vulnerability scanners
  - Web vulnerability scanners

Page 12


Compromising the Target

- Exploit a vulnerability to gain access to the machine
- Tools
  - Exploit frameworks
  - Shellcode builders
  - Automated attack tools
  - Remote password crackers

Page 13


Controlling the Host

- Privilege escalation
- Backdoors
  - Allow the attacker to easily return
- Trojan horses
  - Disguise malicious programs
- Rootkits
  - Subvert the operating system itself
- Erasing tracks

Page 14


Example: Titan Rain

- Foreign attacks against a broad sector of USG and defense contractors in 2004/2005
- Most targets were unaware of compromise
- Highly sophisticated attacks against perimeter defenses
- Exhibited well-planned attack methodology
- Customized tools and exploits
- Goals were data gathering and continued access
- Organizations are still struggling to recover

Page 15


Gathering Data

- Documents of all kinds from compromised machines
- Documents from file servers
- Network traffic
- Keyboard loggers
- Email messages
- Recovering deleted data

Page 16


Example: Department of Veterans Affairs

- Employee had millions of records with personal information on his computer and external drive
- Computer and drive were stolen in a burglary
- Incident cost a huge amount of time and money, and caused bad publicity
- Equipment was eventually recovered

Page 17


Expanding Control

- Leverage new resources to target other machines
  - Open shares
  - Unprotected hosts
  - Routers and firewalls
  - Network sniffing
  - Intranets
  - Control systems
  - Affiliated networks

Page 18

Conclusions

Page 19


Top 10 Security Vulnerabilities

1. Unpatched vulnerabilities in services
2. Weak authentication and passwords
3. Out-of-date antivirus/antispyware software
4. Unnecessary administrative privileges
5. Poorly configured access controls and file sharing
6. Inadequate wireless security
7. Mis-configured routers and firewalls
8. Lack of policy and education
9. Zero-day exploits
10. Flawed recovery procedures

Page 20


Summary

- Seemingly unimportant data can be leveraged by an attacker
- Perimeter security is critical, but not sufficient
- Effective security is a combination of technical solutions and good policies

Page 21


Thank You

Matthew Schmid, CISSP

[email protected]

Telemus Solutions, Inc.
http://www.telemussolutions.com