through the eyes of a hacker - PowerPoint PPT Presentation

About This Presentation
Title:

through the eyes of a hacker

Description:

Dave (AKA 'The Hacker') managed to 'head hunt' the previous cleaner ... Finance user's PC imaged from bootable USB drive. nameserver. mailserver. no c.filter ... – PowerPoint PPT presentation

Number of Views:50
Avg rating:3.0/5.0
Slides: 24
Provided by: orlan9

Transcript and Presenter's Notes

Title: through the eyes of a hacker


1
_
through the eyes of a hacker
_
anatomy of an exploit
_
orlando scott-cowley
_
senior security consultant
2
Dave the cleaner
  • Dave worked for you for 2 weeks
  • Never finished his probationary period
  • Had to leave because of personal issues
  • Seemed sad about leaving

3
A few weeks ago
  • Dave (AKA 'The Hacker') managed to 'head hunt'
    the previous cleaner
  • Pretended to be a recruitment consultant
  • Got your previous cleaner a great job at another
    company
  • Managed to get her old job at your company
  • Funny that.

4
What's the story with Dave?
  • Dave was employed via a friend of a friend of
    your competitor
  • he was paid to locate and steal sensitive
    corporate information
  • ...and then to shut your operation down
  • Dave started by gathering intelligence
  • general company information
  • technical information

5
Dave does his homework
  • DNS query
  • dig yourcompany.com ns
  • dig yourcompany.com mx
  • Telnet to the mailserver on port 25

Sidebar: no c.filter, mailserver, nameserver
6
Finding out more
  • Newsgroups
  • locate technical support issues
  • social engineering
  • Company website
  • view source
  • telnet to webserver
  • telnet www.yourcompany.com 80
  • HEAD / HTTP/1.1

Sidebar: IIS v5, Frontpage, ACE v5 -DMZ, FW-1 NGX, no c.filter, mailserver, nameserver
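The HEAD request on this slide only works because the server announces its product and version in its response headers. As an added example (not part of the presentation), the following Python checks a response header block for that kind of disclosure, the check a defender would run against their own public site. Both responses are constructed, including the MicrosoftOfficeWebServer header that FrontPage Server Extensions add, and the list of headers worth flagging is an assumption.

```python
"""Flag software/version disclosure in an HTTP response header block.

Added example, not from the presentation: a defender's check that the
public web server does not announce its product and version the way the
HEAD request on this slide reveals it. The response texts are constructed."""
import re

# Constructed sample of a HEAD / HTTP/1.1 reply from an IIS 5 / FrontPage
# host like the one on the slide; not a real capture.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "MicrosoftOfficeWebServer: 5.0_Pub\r\n"
    "Date: Mon, 01 Jan 2007 00:00:00 GMT\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Constructed reply from the same server with the disclosing headers removed.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2007 00:00:00 GMT\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Response headers that commonly carry a product name or version string
# (assumption: this list is what we consider worth flagging).
DISCLOSING_HEADERS = (
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "microsoftofficewebserver",
    "via",
)

VERSION_RE = re.compile(r"\d+(\.\d+)+")  # e.g. 5.0, 2.0.50727


def parse_headers(raw):
    """Split an HTTP response head into {lower-cased header name: value};
    the status line is stored under the key "_status"."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {"_status": lines[0]}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def find_disclosures(raw):
    """Return (header, value, carries_version) for each disclosing header
    present, in DISCLOSING_HEADERS order. An empty list means nothing leaked."""
    headers = parse_headers(raw)
    findings = []
    for name in DISCLOSING_HEADERS:
        if name in headers:
            value = headers[name]
            findings.append((name, value, VERSION_RE.search(value) is not None))
    return findings


if __name__ == "__main__":
    for header, value, versioned in find_disclosures(SAMPLE_RESPONSE):
        print(f"{header}: {value}" + ("  <- version string" if versioned else ""))
```

Feed it the raw headers from the same HEAD request made against your own site with any client; an empty result means none of the listed headers identifies the software. Stripping the Server header will not hide IIS from a determined fingerprinter, but it removes the free version string the banner handed Dave.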
7
Finding out more
  • Job page

Sidebar: Linux/Win, IIS v5, Frontpage, ACE v5 -DMZ, FW-1 NGX, no c.filter, mailserver, nameserver
8
ISP Router..
  • Dave traceroutes to the public IPs of your
    company
  • Guesses IPs that could be your ISP router
  • Uses nmap to fingerprint the router
  • Telnet is available no ACLs

Sidebar: Linux/Win, IIS v5, Frontpage, ACE v5 -DMZ, FW-1 NGX, no c.filter, mailserver, nameserver
9
Hacking the Cisco
Password: adm1nz
Sidebar: Cisco p/w, Linux/Win, IIS v5, Frontpage, ACE v5 -DMZ, FW-1 NGX, no c.filter, mailserver, nameserver
10
A little more social engineering
  • Dave pretended to be from an IT security
    reseller
  • deals on IPS equipment
  • would you let us quote you on your AV
    renewals... we do a buy-back scheme to tempt you
    into using Sophos...
  • Dave contacted the HR dept
  • spoke to Lisa, HR assistant
  • your recruitment agency
  • contacted the recruitment agency

Sidebar: Norton A/V, No IDS, Cisco p/w, Linux/Win, IIS v5, Frontpage, ACE v5 -DMZ, FW-1 NGX, no c.filter, mailserver, nameserver
11
A little more social engineering
  • Dave pretended he was from HR
  • who was the last person we had from you?...
  • Dave phoned Mark Shaw
  • pretended to be Mike Smith from IT
  • requested he
  • open the e-mail from mikesmith@hotmail.com
  • double click on the attachment
  • reply to my e-mail with the results
  • Mike (alias Dave the Hacker) thanked him for his
    help

Sidebar: DHCP/WINS, Int. F/W IP, Int. IPs, Norton A/V, No IDS, Cisco p/w, Linux/Win, IIS v5, Frontpage, ACE v5 -DMZ, FW-1 NGX, no c.filter, mailserver, nameserver
12
Getting Granular
  • Dave could have
  • used firewalk to determine the firewall policy
  • vulnerability scanned the public-facing
    infrastructure
  • Nessus
  • Core Impact
  • Internet Scanner others
  • but he didn't need to

Sidebar: DHCP/WINS, Int. F/W IP, Int. IPs, Norton A/V, No IDS, Cisco p/w, Linux/Win, IIS v5, Frontpage, ACE v5 -DMZ, FW-1 NGX, no c.filter, mailserver, nameserver
13
Dave as the cleaner
  • First day on the job
  • key loggers: IT, Finance
  • wireless LAN hub: printing room
  • network topology (IT dept wall), taken with a
    digital camera
  • Second day on the job
  • key logger downloaded and plugged back in to
    another PC
  • Finance user's PC imaged from bootable USB drive

Sidebar: DHCP/WINS, Int. F/W IP, Int. IPs, Norton A/V, No IDS, Cisco p/w, Linux/Win, IIS v5, Frontpage, ACE v5 -DMZ, FW-1 NGX, no c.filter, mailserver, nameserver
14
Interpreting the results
  • Keystroke logger
  • local and domain passwords
  • Disk image of Finance user's PC
  • NT hashed passwords
  • cracked off-line with L0phtcrack
  • financial spreadsheets
  • Topology
  • development LAN
  • source-code servers

Sidebar: Topology, Financial Info, Dom.Admin, DHCP/WINS, Int. F/W IP, Int. IPs, Norton A/V, No IDS, Cisco p/w, Linux/Win, IIS v5, Frontpage, ACE v5 -DMZ, FW-1 NGX, no c.filter, mailserver, nameserver
15
More back-doors
  • Third day on the job
  • logs on to 10 machines as the domain admin
  • re-configures the AV
  • installs a mixture of rootkits
  • Fourth day on the job
  • installs a key logger which automatically e-mails
    Dave all the keystrokes

Sidebar: Root kits, Topology, Financial Info, Dom.Admin, DHCP/WINS, Int. F/W IP, Int. IPs, Norton A/V, No IDS, Cisco p/w, Linux/Win, IIS v5, Frontpage, ACE v5 -DMZ, FW-1 NGX, no c.filter, mailserver, nameserver
16
Getting the source code
  • During the fifth day
  • Dave uses his Linux laptop wireless NIC
  • portscan the Linux servers in Dev
  • ./nmap -sS -O -vv 10.1.1.0/24 -d <x,y,z> -T Insane > info
  • SSH running?
  • telnet to server on port 22
  • man in the middle attack

Sidebar: Root kits, Finance Info, Domain Admin, Topology, DHCP/WINS, Int. F/W IP, Int. IPs, Norton A/V, No IDS, Cisco p/w, Linux/Win, IIS v5, Frontpage, ACE v5 -DMZ, FW-1 NGX, no c.filter, mailserver, nameserver
17
Dave uses dsniff
  • Topology: core server 'iceman'
  • Dave had to make sure he could route traffic
    between victim and destination host
  • ./fragrouter -B1
  • Spoof DNS mapping
  • ./dnsspoof -f /etc/dnsspoof.hosts
  • Belt & braces
  • ./arpspoof -i eth0 -t <workstationIP> 10.1.1.1
  • Run sshmitm to hack SSH

Sidebar: SSH, Root kits, Finance Info, Domain Admin, Topology, DHCP/WINS, Int. F/W IP, Int. IPs, Norton A/V, No IDS, Cisco p/w, Linux/Win, IIS v5, Frontpage, ACE v5 -DMZ, FW-1 NGX, no c.filter, mailserver, nameserver
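arpspoof works by answering ARP traffic on the segment with the attacker's MAC address for the gateway's IP, so the workstation sends its SSH session to Dave's laptop. As an added example (not part of the presentation), here is detection logic a defender could run over ARP replies captured on the development segment: the tcpdump-style lines are constructed, 10.1.1.1 is the gateway address the slide uses, and the MAC addresses and the trusted-binding table are invented.

```python
"""Detect ARP cache poisoning from ARP replies seen on the wire.

Added example, not from the presentation: detection logic for the arpspoof
step on this slide. The tcpdump-style lines are constructed; 10.1.1.1 is the
gateway address the slide uses and the MAC addresses are invented."""
import re
from collections import defaultdict

# Constructed ARP replies in tcpdump's "ARP, Reply <ip> is-at <mac>" form.
SAMPLE_ARP_LINES = [
    "10:00:01.000000 ARP, Reply 10.1.1.1 is-at 00:11:22:33:44:55, length 28",
    "10:00:01.500000 ARP, Reply 10.1.1.20 is-at 00:aa:bb:cc:dd:20, length 28",
    "10:00:02.000000 ARP, Reply 10.1.1.1 is-at 00:11:22:33:44:55, length 28",
    # the gateway IP is now claimed by a different MAC...
    "10:00:03.000000 ARP, Reply 10.1.1.1 is-at 00:de:ad:be:ef:01, length 28",
    # ...and that same MAC also claims the workstation
    "10:00:03.100000 ARP, Reply 10.1.1.20 is-at 00:de:ad:be:ef:01, length 28",
    "10:00:04.000000 ARP, Reply 10.1.1.1 is-at 00:de:ad:be:ef:01, length 28",
]

# Known-good bindings for hosts that must never move (invented gateway MAC).
TRUSTED_BINDINGS = {"10.1.1.1": "00:11:22:33:44:55"}

ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"is-at (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_arp_replies(lines):
    """Yield (timestamp, ip, mac) for each line that is an ARP reply."""
    for line in lines:
        m = ARP_REPLY_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def detect_arp_spoofing(lines, trusted=None):
    """Return one alert (timestamp, kind, ip, mac) per new suspicious
    binding. Kinds: a trusted IP answered by another MAC, an IP whose MAC
    changed from the first one seen, and a MAC answering for several IPs."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    first_mac = {}                  # ip -> MAC first observed for it
    ips_per_mac = defaultdict(set)  # mac -> IPs it has answered for
    reported = set()                # keys already alerted on (no repeats)
    alerts = []

    def alert(ts, kind, ip, mac, key):
        if key not in reported:
            reported.add(key)
            alerts.append((ts, kind, ip, mac))

    for ts, ip, mac in parse_arp_replies(lines):
        if ip in trusted and trusted[ip] != mac:
            alert(ts, "trusted-binding-violated", ip, mac, (ip, mac, "trusted"))
        if ip in first_mac and first_mac[ip] != mac:
            alert(ts, "ip-mac-changed", ip, mac, (ip, mac, "changed"))
        first_mac.setdefault(ip, mac)
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > 1:
            # keyed on the MAC alone: one alert per offending MAC
            alert(ts, "mac-claims-multiple-ips", ip, mac, (mac, "multi"))
    return alerts


if __name__ == "__main__":
    for ts, kind, ip, mac in detect_arp_spoofing(SAMPLE_ARP_LINES, TRUSTED_BINDINGS):
        print(f"{ts} {kind}: {ip} -> {mac}")
```

Lines from a real `tcpdump -n arp` capture on the segment are the intended input. The multiple-IPs rule is the weakest of the three, since routers and proxy-ARP hosts legitimately answer for several addresses, so treat it as corroboration of the other two rather than a verdict on its own. Dynamic ARP inspection or static ARP entries for the gateway stop the attack rather than merely observing it.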
18
Dave gets the source
Source code
  • Log in to Linux servers using SSH
  • Root logins over SSH allowed!
  • Use scp to copy source code to laptop
  • Install a rootkit, including dsniff...

Sidebar: SSH p/w, Root kits, Finance Info, Domain Admin, Topology, DHCP/WINS, Int. F/W IP, Int. IPs, Norton A/V, No IDS, Cisco p/w, Linux/Win, IIS v5, Frontpage, ACE v5 -DMZ, FW-1 NGX, no c.filter, mailserver, nameserver
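The weakness this slide turns on is that root could log in over SSH, so a password captured in the previous step was all Dave needed. As an added example (not part of the presentation), the following Python audits an sshd_config for that setting and the password-related options that make a sniffed or cracked password usable; both configuration texts are constructed samples (the weak one mirrors the slide's root-login setting and adds SSH-1 for illustration), and the parser assumes there are no Match blocks, stopping at the first one.

```python
"""Audit an OpenSSH sshd_config for the weakness this slide turns on.

Added example, not from the presentation: the slide's servers allowed root
logins over SSH; this check flags that and the password-related settings
that make a sniffed or cracked password usable. Both configs are
constructed samples."""

# Constructed config mirroring the slide: root may log in, with a password;
# SSH-1 is enabled here purely for illustration.
WEAK_SSHD_CONFIG = """
# sample sshd_config (constructed)
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
"""

# Constructed hardened counterpart: no root, keys only, SSH-2 only.
HARDENED_SSHD_CONFIG = """
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
"""


def parse_sshd_config(text):
    """Return {keyword(lower): value}. Like sshd, the first occurrence of a
    keyword wins. Parsing stops at the first Match block, which this
    simplified parser does not model (assumption: no per-user overrides)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(keyword, value)
    return settings


def audit_sshd_config(text):
    """Return findings as (keyword, observed, advice). Empty list = passes.
    Unset directives are reported on purpose: defaults vary by version."""
    cfg = parse_sshd_config(text)
    findings = []

    root = cfg.get("permitrootlogin", "<unset>")
    if root.lower() != "no":
        findings.append(("permitrootlogin", root,
                         "set PermitRootLogin no; administer via an unprivileged account and sudo"))

    pw = cfg.get("passwordauthentication", "<unset>")
    if pw.lower() != "no":
        findings.append(("passwordauthentication", pw,
                         "set PasswordAuthentication no and use key-based logins"))

    if cfg.get("permitemptypasswords", "no").lower() == "yes":
        findings.append(("permitemptypasswords", "yes", "set PermitEmptyPasswords no"))

    proto = cfg.get("protocol")
    if proto and "1" in proto.replace(" ", "").split(","):
        findings.append(("protocol", proto, "set Protocol 2; SSH-1 is obsolete"))

    return findings


if __name__ == "__main__":
    for keyword, observed, advice in audit_sshd_config(WEAK_SSHD_CONFIG):
        print(f"{keyword} = {observed}: {advice}")
```

Point audit_sshd_config at the contents of the real file. An unset directive counts as a finding deliberately: the OpenSSH default for PermitRootLogin has changed between releases, so the value should be stated explicitly rather than inherited from whichever version happens to be installed.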
19
Dave does value add
Source code
  • Dave now has an SSH connection
  • Opens up the server, enables a telnet daemon
  • Runs webmitm
  • ./fragrouter -B1
  • ./dnsspoof -f /etc/dnsspoof.hosts
  • ./webmitm (generate X.509 cert)
  • ./webmitm -dd

Sidebar: SSH p/w, Root kits, Finance Info, Domain Admin, Topology, DHCP/WINS, Int. F/W IP, Int. IPs, Norton A/V, No IDS, Cisco p/w, Linux/Win, IIS v5, Frontpage, ACE v5 -DMZ, FW-1 NGX, no c.filter, mailserver, nameserver
20
Dave does value add
Sidebar: Source code, SSH p/w, Root kits, Finance Info, Domain Admin, Topology, DHCP/WINS, Int. F/W IP, Int. IPs, Norton A/V, No IDS, Cisco p/w, Linux/Win, IIS v5, Frontpage, ACE v5 -DMZ, FW-1 NGX, no c.filter, mailserver, nameserver
21
Dave in action
[Network diagram: DHCP Server, Development, www, switch, Printing room, wireless, Linux (10.1.1.1); callouts "Where's www.e-bank.com?" and "That's me!"]
Sidebar: Source code, SSH p/w, Root kits, Finance Info, Domain Admin, Topology, DHCP/WINS, Int. F/W IP, Int. IPs, Norton A/V, No IDS, Cisco p/w, Linux/Win, IIS v5, Frontpage, ACE v5 -DMZ, FW-1 NGX, no c.filter, mailserver, nameserver
22
Dave goes crazy

Shut down
  • On the Linux servers
  • Cronjob to delete all the files
  • to re-write DNS for website to point to
    something else
  • On the 2003 servers
  • create an AT job to stop all services, delete
    user accounts
  • allows mail relay, tells his friends
  • modifies backup jobs to backup rubbish
  • Quits the job, waits for the cronjobs/AT jobs to
    run
  • Logs in to the router, changes access lists
  • Posts usernames, p/ws, rootkit info on hacking
    newsgroups
  • Mails your customers to let them know you've been
    hacked

Sidebar: Source code, SSH p/w, Root kits, Finance Info, Domain Admin, Topology, DHCP/WINS, Int. F/W IP, Int. IPs, Norton A/V, No IDS, Cisco p/w, Linux/Win, IIS v5, Frontpage, ACE v5 -DMZ, FW-1 NGX, no c.filter, mailserver, nameserver
23
_
orlando scott-cowley