eXtreme Hacking
Black Hat 1999
Over the Router, Through the Firewall, to Grandma's House We Go
George Kurtz & Eric Schultze, Ernst & Young LLP
© 1999 Ernst & Young LLP
Session Objective
- Discuss common DMZ and host configuration weaknesses
- Demonstrate what may happen if a hacker were to exploit these weaknesses
- Present countermeasures to help secure the network and related hosts

Network Diagram
[diagram: hosts 10.1.1.20, 172.16.1.50, 172.16.1.200, 192.168.1.20 and 10.1.1.10]

Network Design
- Internet router is blocking tcp/udp ports 135-139
- NT Web Server (SP3) is dual-homed
- Firewall allows only outbound http (80) and smtp (25) traffic

Hacker's Objective
- Gain control over the internal NT server from the Internet

SysAdmin's Objective
- Identify holes in the environment and close them

Target Selection
- Ping Sweep: gping, fping
- Port Scan: nmap, NetScanTools Pro 2000
- OS Identification: nmap -O, queso
- Banner Grabbing: VisualRoute, Netcat

ttdb
- Buffer overflow in rpc.ttdbserver
- Allows user to execute arbitrary code
- Arbitrary code may be executed that will shell back an xterm as root

Netcat Redirection
[diagram: 172.16.1.50, 10.1.1.20, 172.16.1.200]
- Attack Linux listens on 139 and redirects to 1139 on Sparc
- Sparc listens on 1139 and redirects to 139 on NT Web Server
- Attack NT issues NetBIOS request to Attack Linux
- NetBIOS request is forwarded over the router to NT Web Server

Enumerate NT Information
- Null Session: net use \\172.16.1.50\ipc$ "" /user:""
- NetUserEnum (local, global, DumpACL)
- NetWkstaTransportEnum (Getmac)
- RpcMgmt Query (EPDump)

Privilege Escalation
- Plant sechole on NT Server
- Execute sechole via http
- IUSR account becomes admin
- Add new user account (via http)
- Add new user account to Administrator group (via http)

IIS Buffer Overflow
- Determine if server is vulnerable: nc 172.16.1.200 80, GET /.htr HTTP/1.0, evaluate response
- Crash IIS and send payload: target server contacts our web server and downloads payload; payload executes on server and contacts our attack host

VNC
(no slide text)

Pass The Hash
- Modified SMB client can mount shares (C$, etc.) on a remote NT host using only the username and password hash
- No need to "decrypt" the password hash
- Concept first presented by Paul Ashton in an NTBugtraq post

Pass The Hash v.2
- Create an admin account on our own NT host with the same name as the admin account for which we have hash values
- Upload the hash values into memory on our own NT host
- Perform pass-through authentication to target host
- No need to "decrypt" the password

Network Diagram
[diagram: 172.16.1.50, 10.1.1.20, 192.168.1.20, 172.16.1.200]

Shovel The Shell
[diagram: 10.1.1.20, 192.168.1.20]
- Launch two Netcat listeners on Attack1a (ports 80 and 25)
- Execute Trojan on NT Server: Netcat TO port 80 on AttackLinux
- Commands typed on AttackLinux (port 80) are piped to CMD.exe on NT Server
- CMD.exe output is Netcatted TO port 25 on AttackLinux
- Type commands in the 80 window, view output in the 25 window

Network Countermeasures
- Block ALL ports at the border routers
- Open only those ports that support your security policy
- Review logs
- Implement network and host intrusion detection

Unix Countermeasures
TTDB:
- Kill the "rpc.ttdbserverd" process
- Apply vendor-specific patches
- Block low and high numbered RPC locator services at the border router
Xterm:
- Remove trusted relationships with xhost
- If sending sessions to another terminal, restrict to a specific terminal
- Block ports 6000-6063 if necessary

NT Countermeasures
- Block tcp and udp ports 135, 137, 138 and 139 at the router
- Prevent information leakage:
  - Utilize the RestrictAnonymous registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous DWORD = 1
  - Unbind "WINS Client (TCP/IP)" from the Internet-connected NIC

NT Countermeasures: Password composition
- 7 characters is the strongest humanly usable length, 14 is the strongest
- Use meta-characters within the first 7 characters of your password
- Utilize account lockout
- Utilize passfilt.dll to require stronger passwords
- Utilize the Passprop.exe admin lockout feature

NT Countermeasures
- Apply current service packs and security-related hotfixes
- Review the IIS security checklist: www.microsoft.com/security/products/iis/CheckList.asp

Countermeasures
- Disclaimer: Test all changes on a nonproduction host before implementing on production servers

Tools and Concepts
Visual Route          www.visualroute.com
NetScanTools Pro      www.nwpsw.com
gping, fping          www.securityfocus.com
nmap                  www.insecure.org/nmap/
queso                 www.apostols.org/projectz/
ttdb exploit          www.securityfocus.com
netcat                www.l0pht.com
rinetd                www.boutell.com

Tools and Concepts (continued)
VMWare                www.vmware.com
NT Resource Kit       www.microsoft.com
DumpACL               www.somarsoft.com
sechole               www.cybermedia.co.in
pwdump                www.rootshell.com
L0phtCrack            www.l0pht.com
VNC                   www.uk.research.att.com
modified SMB client   www.ntbugtraq.com

Security Resources
- www.securityfocus.com: Bugtraq Mailing List; Tools, Books, Links; Vulnerabilities and Fixes
- www.microsoft.com/security: Advisories; Patches; IIS Security Checklist

Hacking Exposed: Network Security Secrets and Solutions
George Kurtz, Stuart McClure, Joel Scambray
Osborne/McGraw-Hill, due out September 1999

Contact Information
George Kurtz: [email protected], (201) 836-5280
Eric Schultze: [email protected], (425) 990-6916
Web Site: www.ey.com/security
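The Network, Unix and NT countermeasure slides above reduce to one rule for the border router: deny everything, then permit only the ports the security policy names, and make sure NetBIOS/RPC (tcp/udp 135-139), the RPC locator services and X11 (tcp 6000-6063) are never among them. The Python script below is an added example written for this transcript, not a tool from the presenters or from Ernst & Young; it audits a first-match-wins ACL, in a constructed rule format rather than any vendor's syntax, against that rule. The two sample ACLs, the assumed inbound policy of tcp/25 and tcp/80 for the DMZ web server, and the choice of port 111 (the portmapper) as the "low numbered RPC locator service" are my assumptions.

```python
"""Audit a border-router ACL against the countermeasure slides' port policy.

Added example for this transcript: the Rule format, both sample ACLs and the
inbound policy are constructed, not the presenters' tooling or any vendor syntax.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One line of a first-match-wins ACL applied to traffic arriving from the Internet."""
    action: str       # "permit" or "deny"
    proto: str        # "tcp", "udp", or "ip" (matches either)
    first_port: int   # inclusive destination port range; 0-0 means any port
    last_port: int


# Destination ports the deck says must never be reachable from the Internet.
# 135-139 tcp/udp: NetBIOS/RPC (NT slide); 6000-6063 tcp: X11 (Unix slide);
# 111 (portmapper) is my assumption for the "low numbered RPC locator" bullet.
MUST_BLOCK = {
    "tcp": [(135, 139), (6000, 6063), (111, 111)],
    "udp": [(135, 139), (111, 111)],
}


def rule_matches(rule: Rule, proto: str, port: int) -> bool:
    if rule.proto != "ip" and rule.proto != proto:
        return False
    return rule.first_port == 0 or rule.first_port <= port <= rule.last_port


def is_reachable(acl: list[Rule], proto: str, port: int) -> bool:
    """First matching rule decides; no match means denied (the implicit deny
    at the end of a router ACL)."""
    for rule in acl:
        if rule_matches(rule, proto, port):
            return rule.action == "permit"
    return False


def reachable_ports(acl: list[Rule], proto: str) -> set[int]:
    return {p for p in range(1, 65536) if is_reachable(acl, proto, p)}


def as_ranges(ports) -> str:
    """Collapse {1, 2, 3, 7} into '1-3, 7' so findings stay readable."""
    out, start, prev = [], None, None
    for p in sorted(ports):
        if start is None:
            start = prev = p
        elif p == prev + 1:
            prev = p
        else:
            out.append((start, prev))
            start = prev = p
    if start is not None:
        out.append((start, prev))
    return ", ".join(str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in out)


def audit(acl: list[Rule], policy: dict[str, set[int]]) -> list[str]:
    """Return findings: must-block ports that are reachable, and reachable ports
    the policy never approved ("open only those ports that support your policy")."""
    findings = []
    for proto in ("tcp", "udp"):
        open_ports = reachable_ports(acl, proto)
        for lo, hi in MUST_BLOCK[proto]:
            hit = [p for p in range(lo, hi + 1) if p in open_ports]
            if hit:
                findings.append(f"{proto}/{as_ranges(range(lo, hi + 1))} must be blocked "
                                f"but {len(hit)} port(s) are reachable")
        extra = open_ports - policy.get(proto, set())
        if extra:
            findings.append(f"{proto} ports open beyond policy: {as_ranges(extra)}")
    return findings


# Constructed sample: the deck's starting design, where the router filters only 135-139.
STARTING_ACL = [
    Rule("deny", "tcp", 135, 139),
    Rule("deny", "udp", 135, 139),
    Rule("permit", "ip", 0, 0),
]
# Constructed sample: block everything, then open only the policy ports.
HARDENED_ACL = [
    Rule("permit", "tcp", 80, 80),
    Rule("permit", "tcp", 25, 25),
    Rule("deny", "ip", 0, 0),
]
# Assumed inbound policy for the DMZ web server: http and smtp only.
POLICY = {"tcp": {25, 80}, "udp": set()}

if __name__ == "__main__":
    for name, acl in (("starting design", STARTING_ACL), ("hardened", HARDENED_ACL)):
        print(f"{name}: {audit(acl, POLICY) or 'no findings'}")
```

Run as a script it prints five findings for the starting design (X11 and the portmapper reachable, plus every other port open beyond policy) and none for the hardened ACL. The audit simulates every destination port rather than reading rule text, so a permit rule hidden behind a deny range, or a deny that a later permit-any quietly undoes, shows up the same way.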
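The password-composition slide rests on how the LM hash is computed: the password is uppercased, padded to 14 characters and split into two 7-character halves that are hashed independently, which is why the deck calls 7 and 14 the strongest lengths and wants meta-characters inside the first 7. The checker below is an added example written for this transcript, not passfilt.dll and not anything the presenters shipped; it reports which of the slide's guidelines a candidate password fails. Treating the non-alphanumeric ASCII characters in Python's string.punctuation as the slide's "meta-characters" is my assumption.

```python
"""Check a candidate NT password against the deck's password-composition slide.

Added example for this transcript, not passfilt.dll and not the presenters' code.
It mirrors how the LM hash is built: uppercase, pad to 14 bytes, split into two
7-byte halves that are hashed separately, so case adds nothing and a short second
half is cracked on its own.  Using string.punctuation as the slide's
"meta-characters" is my assumption.
"""
import string

META = set(string.punctuation)   # assumed meaning of the slide's "meta-characters"


def lm_halves(password: str) -> tuple[str, str]:
    """Split a password the way the LM hash does, before each half is hashed."""
    padded = password.upper()[:14].ljust(14, "\0")
    return padded[:7], padded[7:]


def check_password(password: str) -> list[str]:
    """Return the slide's guidelines that the password fails (empty list = passes)."""
    problems = []
    n = len(password)
    if n > 14:
        problems.append("longer than 14: the LM hash keeps only the first 14 characters")
    if not any(c in META for c in password[:7]):
        problems.append("no meta-character within the first 7 characters")
    if n < 7:
        problems.append("shorter than 7: the first LM half is mostly padding")
    elif 7 < n < 14:
        # 8..13 characters leave a second half that is a few characters plus
        # known padding, which is why the slide names 7 and 14, not "longer".
        second = lm_halves(password)[1].rstrip("\0")
        problems.append(f"length {n}: the second LM half holds only {len(second)} "
                        "character(s), the rest is known padding")
    return problems


if __name__ == "__main__":
    # Constructed candidates, not real credentials.
    for candidate in ("Secr3t!", "Secr3t!Secr3t!", "password", "p@ss", "Tr0ub4dor&3rest"):
        print(f"{candidate!r}: {check_password(candidate) or 'passes'}")
```

The check is deliberately about the LM weakness the slide describes, not a general strength estimate; on a host where passfilt.dll is installed, its own rules apply in addition.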