Over the Router, Through the Firewall, to Grandma’s House We Go George Kurtz & Eric Schultze





Over the Router, Through the Firewall, to Grandma’s House We Go

  • George Kurtz & Eric Schultze

  • Ernst & Young LLP


Session Objective

  • Discuss common DMZ and host configuration weaknesses

  • Demonstrate what may happen if a hacker were to exploit these weaknesses

  • Present countermeasures to help secure the network and related hosts



Network Diagram



Network Design

  • Internet router is blocking tcp/udp ports 135-139

  • NT Web Server (SP3) is dual-homed

  • Firewall allows only outbound http (80) and smtp (25) traffic



Hacker’s Objective

  • Gain Control over Internal NT Server from the Internet



SysAdmin’s Objective

  • Identify Holes in the Environment and Close Them



Target Selection

  • Ping Sweep
    • gping, fping
  • Port Scan
    • nmap
    • NetScanTools Pro 2000
  • OS Identification
    • nmap -O
    • queso
  • Banner Grabbing
    • VisualRoute, Netcat


ttdb



Netcat Redirection



Netcat Redirection

  • Attack Linux listens on 139 and redirects to 1139 on Sparc

  • Sparc listens on 1139 and redirects to 139 on NT Web Server

  • Attack NT issues NetBIOS request to Attack Linux

  • NetBIOS request is forwarded over Router to NT Web Server



Enumerate NT Information

  • Null Session
    • net use \\172.16.1.50\ipc$ "" /user:""
  • NetUserEnum (local, global, DumpACL)
  • NetWkstaTransportEnum (Getmac)
  • RpcMgmt Query (EPDump)



Privilege Escalation

  • Plant sechole on NT Server
  • Execute sechole via http
    • IUSR account becomes admin
  • Add new user account (via http)
  • Add new user account to Administrators group (via http)



IIS Buffer Overflow

  • Determine if Server is vulnerable
    • nc 172.16.1.200 80
    • GET /.htr HTTP/1.0
    • Evaluate response
  • Crash IIS and Send Payload
    • Target server contacts our web server and downloads payload
    • Payload executes on server and contacts our attack host


VNC



Pass The Hash

  • Modified SMB client can mount shares (C$, etc) on a remote NT host using only the username and password hash

  • No need to “decrypt” the password hash

  • Concept first presented by Paul Ashton in an NTBugtraq post



Pass The Hash v.2

  • Create an admin account on our own NT host with same name as the admin account for which we have hash values

  • Upload the hash values into memory on our own NT host

  • Perform pass-through authentication to target host

  • No need to “decrypt” the password



Network Diagram



Shovel The Shell



Shovel The Shell

  • Launch two Netcat Listeners on Attack1a (ports 80 and 25)
  • Execute Trojan on NT Server:
    • Netcat TO port 80 on AttackLinux
    • Commands typed on AttackLinux (port 80) are piped to CMD.exe on NT Server
    • CMD.exe output is Netcatted TO port 25 on AttackLinux
  • Type commands in 80 window, view output in 25 window



Network Countermeasures

  • Block ALL ports at the border routers

  • Open only those ports that support your security policy

  • Review Logs

  • Implement Network and Host Intrusion Detection
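The two bullets "Review Logs" and "Implement Network and Host Intrusion Detection" are where the deck's own attack paths become visible: NetBIOS reaching a host it should not, inbound ports outside policy, and a DMZ web server that suddenly originates sessions to the Internet on the very ports (80 and 25) the firewall permits outbound. The following script is an added example written for this page, not code from the presentation or from Ernst & Young. The log line format ("ACTION proto src:sport -> dst:dport"), the zone addresses (172.16.1.0/24 as the DMZ, 10.0.0.0/8 as the internal LAN) and the sample lines are all constructed; the allowed-port sets follow the "Network Design" slide.

```python
"""Review accepted border/firewall flows against a default-deny policy.

Added example for the "Network Countermeasures" slide; it is not part of the
original presentation.  The log format, addresses and zones below are
constructed for this example, not any real router's or firewall's output.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed zones (constructed): a DMZ holding the web server, an internal LAN,
# and everything else counts as "the Internet".
DMZ_NET = ipaddress.ip_network("172.16.1.0/24")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

NETBIOS_PORTS = range(135, 140)   # tcp/udp 135-139, which the deck says to block
ALLOWED_INBOUND = {80}            # the public web service only
ALLOWED_OUTBOUND = {80, 25}       # the deck's firewall permits outbound http and smtp

# Constructed line format: "ACTION proto src:sport -> dst:dport"
LINE_RE = re.compile(
    r"^(?P<action>ACCEPT|DROP)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

R_NETBIOS = "NetBIOS port reached outside the internal network"
R_INBOUND = "inbound port not in policy"
R_OUTBOUND = "outbound port not in policy"
R_DMZ_ORIGIN = "DMZ host originated a session to the Internet"
R_DMZ_INTERNAL = "DMZ host opened a session into the internal network"
R_UNPARSED = "unparseable log line"


@dataclass
class Finding:
    line: str
    reason: str


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    if addr in DMZ_NET:
        return "dmz"
    if addr in INTERNAL_NET:
        return "internal"
    return "internet"


def classify(action, src_zone, dst_zone, dport):
    """Return the reason a single accepted flow deserves review, or None."""
    if action != "ACCEPT":
        return None  # dropped traffic was already handled by the policy
    if dport in NETBIOS_PORTS and not (src_zone == dst_zone == "internal"):
        return R_NETBIOS
    if src_zone == "internet" and dport not in ALLOWED_INBOUND:
        return R_INBOUND
    if dst_zone == "internet" and dport not in ALLOWED_OUTBOUND:
        return R_OUTBOUND
    # Outbound 80/25 is permitted by policy, but a web server answers requests;
    # it does not originate sessions.  That outbound path is what a shovelled
    # shell rides on, so it earns a finding even though the port is allowed.
    if src_zone == "dmz" and dst_zone == "internet":
        return R_DMZ_ORIGIN
    if src_zone == "dmz" and dst_zone == "internal":
        return R_DMZ_INTERNAL
    return None


def review(lines):
    """Walk log lines and collect findings in the order they appear."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            findings.append(Finding(line, R_UNPARSED))
            continue
        reason = classify(m["action"], zone_of(m["src"]), zone_of(m["dst"]),
                          int(m["dport"]))
        if reason:
            findings.append(Finding(line, reason))
    return findings


# Constructed sample log; 198.51.100.7 is a documentation address standing in
# for an Internet host.
SAMPLE_LOG = """
ACCEPT tcp 198.51.100.7:40211 -> 172.16.1.200:80
DROP   tcp 198.51.100.7:40212 -> 172.16.1.200:139
ACCEPT tcp 198.51.100.7:40213 -> 172.16.1.50:139
ACCEPT tcp 172.16.1.200:1035  -> 198.51.100.7:80
ACCEPT tcp 172.16.1.200:1036  -> 198.51.100.7:6667
ACCEPT tcp 172.16.1.200:1037  -> 10.0.0.5:139
ACCEPT tcp 10.0.0.5:2000      -> 198.51.100.7:80
ACCEPT udp 198.51.100.7:53    -> 10.0.0.5:1024
"""

if __name__ == "__main__":
    for f in review(SAMPLE_LOG.splitlines()):
        print(f"{f.reason:55} {f.line}")
```

The ordering of the checks matters: a NetBIOS port is reported as such before any zone rule applies, and a permitted outbound port is still reported when the DMZ web server is the one initiating, because that is the anomaly the "Shovel The Shell" slide depends on. In practice you would feed the script the accepted-connection log from the border device and review the findings rather than the raw log.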



Unix Countermeasures

  • TTDB
    • Kill the "rpc.ttdbserverd" process
    • Apply vendor-specific patches
    • Block low and high numbered RPC locator services at the border router
  • Xterm
    • Remove trusted relationships with xhost -
    • If sending sessions to another terminal, restrict to a specific terminal
    • Block ports 6000-6063 if necessary


NT Countermeasures

  • Block tcp and udp ports 135, 137, 138 and 139 at the router
  • Prevent information leakage:
    • Utilize the RestrictAnonymous registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous DWORD = 1
  • Unbind "WINS Client (TCP/IP)" from the Internet-connected NIC



NT Countermeasures

  • Password composition
    • 7 characters is the strongest humanly usable length; 14 is the strongest
    • Use meta-characters within the first 7 characters of your password
    • Utilize account lockout
    • Utilize passfilt.dll to require stronger passwords
    • Utilize the Passprop.exe admin lockout feature
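The "7 or 14" and "meta-characters within the first 7" advice both come from how the LM hash is built: the password is upper-cased, padded to 14 characters and split into two 7-character halves that are attacked independently, so a length of 8 to 13 leaves a short second half that falls quickly and a meta-character in the first half is what slows the attack on that half. The filter below is an added example written for this page; it is not passfilt.dll or any Microsoft code. It encodes the slide's two rules and adds the three-of-four character-class rule and the user-name rule that passfilt.dll enforces. The reason strings, the sample passwords and the user names are constructed.

```python
"""Password filter encoding the slide's composition advice (added example).

Illustrative code for this page, not Microsoft's passfilt.dll.  It applies
the deck's two rules (prefer 7 or 14 characters; a meta-character within the
first 7) on top of the three-of-four character-class rule and the user-name
rule that passfilt.dll enforces.
"""
import string

META = set(string.punctuation)  # non-alphanumeric printable characters

# Constructed reason strings returned to the caller.
R_TOO_SHORT = "shorter than the 6-character minimum"
R_LM_HALF = "length 8-13 leaves a short second LM half; use 7 or 14"
R_META_FIRST7 = "no meta-character within the first 7 characters"
R_CLASSES = "fewer than 3 of the 4 character classes"
R_USERNAME = "contains the user name"


def character_classes(password: str) -> int:
    """Count how many of upper/lower/digit/meta classes the password uses."""
    checks = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in META for c in password),
    )
    return sum(checks)


def check_password(password: str, username: str = "") -> list:
    """Return the list of rule violations; an empty list means it passes."""
    problems = []
    n = len(password)
    if n < 6:
        problems.append(R_TOO_SHORT)
    # The LM hash splits at character 7: lengths 8-13 leave a second half of
    # 1-6 characters, which is cracked almost instantly.
    if 8 <= n <= 13:
        problems.append(R_LM_HALF)
    # The slide's rule: the meta-character must land in the first LM half.
    if not any(c in META for c in password[:7]):
        problems.append(R_META_FIRST7)
    if character_classes(password) < 3:
        problems.append(R_CLASSES)
    if username and username.lower() in password.lower():
        problems.append(R_USERNAME)
    return problems


if __name__ == "__main__":
    # Constructed sample passwords and user names, not from any real system.
    for pw, user in [("Abc!def", "jdoe"), ("Summer99", "jdoe"),
                     ("abcdefg!Hijklm", "jdoe"), ("Pa$$w0rd!admin", "admin")]:
        print(pw, "->", check_password(pw, user) or "OK")
```

A filter like this belongs on the domain controller, where the account-lockout and Passprop.exe settings from the same slide back it up; a policy that only documents these rules without enforcing them at password-change time is the weakness the deck's hash-based attacks exploit.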


NT Countermeasures



Countermeasures

  • Disclaimer: Test all changes on a non-production host before implementing on production servers



Tools and Concepts

  • Visual Route www.visualroute.com

  • NetScanTools Pro www.nwpsw.com

  • gping, fping www.securityfocus.com

  • nmap www.insecure.org/nmap/

  • queso www.apostols.org/projectz/

  • ttdb exploit www.securityfocus.com

  • netcat www.l0pht.com

  • rinetd www.boutell.com



Tools and Concepts

  • VMWare www.vmware.com

  • NT Resource Kit www.microsoft.com

  • DumpACL www.somarsoft.com

  • sechole www.cybermedia.co.in

  • pwdump www.rootshell.com

  • L0phtCrack www.l0pht.com

  • VNC www.uk.research.att.com

  • modified SMB client www.ntbugtraq.com



Security Resources

  • www.microsoft.com/security
    • Advisories
    • Patches
    • IIS Security Checklist
  • www.securityfocus.com
    • Bugtraq Mailing List
    • Tools, Books, Links
    • Vulnerabilities and Fixes


Osborne/McGraw-Hill

  • Hacking Exposed: Network Security Secrets and Solutions
  • George Kurtz
  • Stuart McClure
  • Joel Scambray
  • Due Out September 1999



Contact Information

  • George Kurtz
    • george.kurtz@ey.com
    • (201) 836-5280
  • Eric Schultze
    • eric.schultze@ey.com
    • (425) 990-6916
  • Web Site
    • www.ey.com/security

