through the eyes of a hacker

1
_
through the eyes of a hacker
_
anatomy of an exploit
_
orlando scott-cowley
_
senior security consultant
2
Dave the cleaner

• Dave worked for you for 2 weeks
• Never finished his probationary period
• Had to leave because of personal issues
• Seemed sad about leaving

3
A few weeks ago

• Dave (AKA The Hacker) managed to head hunt
  the previous cleaner
• Pretended to be a recruitment consultant
• Got your previous cleaner a great job at another
  company
• Managed to get her old job at your company
• Funny that.

4
Whats the story with Dave?

• Dave was employed via a friend of a friend of
  your competitor
• he was paid to locate and steal sensitive
  corporate information
• .and then to shut your operation down
• Dave started by gathering intelligence
• general company information
• technical information

5
Dave does his homework

• DNS query
• dig yourcompany.com ns
• dig yourcompany.com mx
• Telnet to the mailserver on port 25

no c.filter
mailserver
nameserver
6
Finding out more

• Newsgroups
• locate technical support issues
• social engineering
• Company website
• view source
• telnet to webserver
• telnet www.yourcompany.com 80
• HEAD / HTTP/1.1

IIS v5
Frontpage
ACE v5 -DMZ
FW-1 NGX
no c.filter
mailserver
nameserver
7
Finding out more

• Job page

Linux/Win
IIS v5
Frontpage
ACE v5 -DMZ
FW-1 NGX
no c.filter
mailserver
nameserver
8
ISP Router..

• Dave traceroutes to the public IPs of your
  company
• Guesses IPs that could be your ISP router
• Uses nmap to fingerprint the router
• Telnet is available no ACLs

Linux/Win
IIS v5
Frontpage
ACE v5 -DMZ
FW-1 NGX
no c.filter
mailserver
nameserver
9
Hacking the Cisco
Cisco p/w
Linux/Win
IIS v5
Frontpage
ACE v5 -DMZ
Password adm1nz
FW-1 NGX
no c.filter
mailserver
nameserver
10
A little more social engineering

• Dave pretended to be from an IT security
  reseller
• deals on IPS equipment
• would you let us quote you on your AV
  renewalswe do a buy-back scheme to tempt you
  into using Sophos..
• Dave contacted the HR dept
• spoke to Lisa, HR assistant
• your recruitment agency
• contacted the recruitment agency

Norton A/V
No IDS
Cisco p/w
Linux/Win
IIS v5
Frontpage
ACE v5 -DMZ
FW-1 NGX
no c.filter
mailserver
nameserver
11
A little more social engineering

• Dave pretended he was from HR
• who was the last person we had from you?...
• Dave phoned Mark Shaw
• pretended to be Mike Smith from IT
• requested he
• open the e-mail from mikesmith_at_hotmail.com
• double click on the attachment
• reply to my e-mail with the results
• Mike (alias Dave the Hacker) thanked him for his
  help

DHCP/WINS
Int. F/W IP
Int. IPs
Norton A/V
No IDS
Cisco p/w
Linux/Win
IIS v5
Frontpage
ACE v5 -DMZ
FW-1 NGX
no c.filter
mailserver
nameserver
12
Getting Granular

• Dave could have
• used firewalk to determine the firewall policy
• vulnerability scanned the public-facing
  infrastructure
• Nessus
• Core Impact
• Internet Scanner others
• but he didnt need to

DHCP/WINS
Int. F/W IP
Int. IPs
Norton A/V
No IDS
Cisco p/w
Linux/Win
IIS v5
Frontpage
ACE v5 -DMZ
FW-1 NGX
no c.filter
mailserver
nameserver
13
Dave as the cleaner

• First day on the job
• key logger's IT, Finance
• wireless LAN hub printing room
• network topology (IT dept wall), taken with a
  digital camera
• Second day on the job
• key logger downloaded and plugged back in to
  another PC
• Finance users PC imaged from bootable USB drive

DHCP/WINS
Int. F/W IP
Int. IPs
Norton A/V
No IDS
Cisco p/w
Linux/Win
IIS v5
Frontpage
ACE v5 -DMZ
FW-1 NGX
no c.filter
mailserver
nameserver
14
Interpreting the results

• Keystroke logger
• local and domain passwords
• Disk image of Finance users PC
• NT hashed passwords
• cracked off-line with L0phtcrack
• financial spreadsheets
• Topology
• development LAN
• source-code servers

Topology
Financial Info
Dom.Admin
DHCP/WINS
Int. F/W IP
Int. IPs
Norton A/V
No IDS
Cisco p/w
Linux/Win
IIS v5
Frontpage
ACE v5 -DMZ
FW-1 NGX
no c.filter
mailserver
nameserver
15
More back-doors

• Third day on the job
• logs on to 10 machines as the domain admin
• re-configure the AV
• installs a mixture of Rootkits
• Fourth day on the job
• install a key logger which automatically e-mails
  Dave all the keystrokes

Root kits
Topology
Financial Info
Dom.Admin
DHCP/WINS
Int. F/W IP
Int. IPs
Norton A/V
No IDS
Cisco p/w
Linux/Win
IIS v5
Frontpage
ACE v5 -DMZ
FW-1 NGX
no c.filter
mailserver
nameserver
16
Getting the source code

• During the fifth day
• Dave uses his Linux laptop wireless NIC
• portscan the Linux servers in Dev
• ./nmap sS O vv 10.1.1.0/24 d ltx,y,zgt -T
  Insane gt info
• SSH running?
• telnet to server on port 22
• man in the middle attack

Root kits
Finance Info
Domain Admin
Topology
DHCP/WINS
Int. F/W IP
Int. IPs
Norton A/V
No IDS
Cisco p/w
Linux/Win
IIS v5
Frontpage
ACE v5 -DMZ
FW-1 NGX
no c.filter
mailserver
nameserver
17
Dave uses dsniff

• Topology core server iceman
• Dave had to make sure he could route traffic
  between victim and destination host
• ./fragrouter B1
• Spoof DNS mapping
• ./dnsspoof f /etc/dnsspoof.hosts
• Belt braces
• ./arpspoof i eth0 t ltworkstationIPgt
  10.1.1.1
• Run sshmitm to hack SSH

SSH
Root kits
Finance Info
Domain Admin
Topology
DHCP/WINS
Int. F/W IP
Int. IPs
Norton A/V
No IDS
Cisco p/w
Linux/Win
IIS v5
Frontpage
ACE v5 -DMZ
FW-1 NGX
no c.filter
mailserver
nameserver
18
Dave gets the source
Source code

• Log in to Linux servers using SSH
• Root logins over SSH allowed!
• Use scp to copy source code to laptop
• Install a rootkitincluding dsniff..

SSH p/w
Root kits
Finance Info
Domain Admin
Topology
DHCP/WINS
Int. F/W IP
Int. IPs
Norton A/V
No IDS
Cisco p/w
Linux/Win
IIS v5
Frontpage
ACE v5 -DMZ
FW-1 NGX
no c.filter
mailserver
nameserver
19
Dave does value add
Source code

• Dave now has an SSH connection
• Opens up the server enables a telnet daemon
• Runs webmitm
• ./fragrouter B1
• ./dnsspoof f /etc/dnsspoof.hosts
• ./webmitm (generate X5.09 cert)
• ./webmitm -dd

SSH p/w
Root kits
Finance Info
Domain Admin
Topology
DHCP/WINS
Int. F/W IP
Int. IPs
Norton A/V
No IDS
Cisco p/w
Linux/Win
IIS v5
Frontpage
ACE v5 -DMZ
FW-1 NGX
no c.filter
mailserver
nameserver
20
Dave does value add
Source code
SSH p/w
Root kits
Finance Info
Domain Admin
Topology
DHCP/WINS
Int. F/W IP
Int. IPs
Nortons A/V
No IDS
Cisco p/w
Linux/Win
IIS v5
Frontpage
ACE v5 -DMZ
FW-1 NGX
no c.filter
mailserver
nameserver
21
Dave in action
Wheres www.e-bank.com?
DHCP Server
Development
Source code
SSH p/w
Root kits
www
Finance Info
Domain Admin
Thats me!
switch
Topology
DHCP/WINS
Printing room
Int. F/W IP
Int. IPs
Norton A/V
No IDS
Linux (10.1.1.1)
Cisco p/w
Linux/Win
IIS v5
Frontpage
wireless
ACE v5 -DMZ
FW-1 NGX
no c.filter
mailserver
nameserver
22
Dave goes crazy

Shut down

• On the Linux servers
• Cronjob to delete all the files
• to re-write DNS for website to point to
  something else
• On the 2003 servers
• create an AT job to stop all services, delete
  user accounts
• allows mail relay tells his friends
• modifies backup jobs to backup rubbish
• Quits the job, wait for the cronjobs/AT jobs to
  run
• Logs in to the router, changes access lists
• Posts usernames, p/ws, rootkit info on hacking
  newsgroups
• Mails your customers to let them know youve been
  hacked

Source code
SSH p/w
Root kits
Finance Info
Domain Admin
Topology
DHCP/WINS
Int. F/W IP
Int. IPs
Norton A/V
No IDS
Cisco p/w
Linux/Win
IIS v5
Frontpage
ACE v5 -DMZ
FW-1 NGX
no c.filter
mailserver
nameserver
23
_
orlando scott-cowley