Over the Router, Through the Firewall, to Grandma's House We Go
George Kurtz & Eric Schultze, Ernst & Young LLP
Session Objective
- Discuss common DMZ and host configuration weaknesses
- Demonstrate what may happen if a hacker were to exploit these weaknesses
- Present countermeasures to help secure the network and related hosts
Network Diagram
Network Design
- Internet router is blocking tcp/udp ports 135-139
- Firewall allows only outbound http (80) and smtp (25) traffic
Hacker's Objective
- Gain control over the internal NT server from the Internet
SysAdmin's Objective
- Identify holes in the environment and close them
Target Selection
- Ping sweep
- Port scan - nmap, NetScanTools Pro 2000
OS Identification
- Banner grabbing
ttdb
- Buffer overflow in rpc.ttdbserverd (the ToolTalk database server, reached through the RPC portmapper)
- Allows a remote attacker to execute arbitrary code with the daemon's privileges, which is root on the Sparc
Netcat Redirection
- Attack Linux listens on 139 and redirects to 1139 on Sparc
- Sparc (already under our control after ttdb) listens on 1139 and redirects to 139 on NT Web Server
- Attack NT issues NetBIOS request to Attack Linux
- NetBIOS request is forwarded over the Router to NT Web Server
- The only hop that crosses the router runs on port 1139, so the 135-139 filter never fires; the NT Web Server sees a NetBIOS session arriving from the Sparc, a DMZ neighbour it has no reason to distrust
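The two-hop redirection, as an added example that is not part of the talk: a small Python TCP redirector standing in for the netcat/rinetd listeners on Attack Linux and the Sparc, plus a fake "NT Web Server port 139" that answers one line, all on loopback with ephemeral ports so it runs on a single machine. Host names, the request text and the reply text are constructed for the demonstration; the point it shows is that each hop splices both directions byte for byte, so any protocol (NetBIOS here) passes through and only the middle hop's port number is ever visible to a filter between the hops.

```python
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src hits EOF, then half-close dst so the EOF propagates."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_redirector(listen_port: int, target: tuple) -> int:
    """Listen on 127.0.0.1:listen_port and splice every client onto a fresh connection to target.

    This is what a netcat listener piped into a second netcat (or an rinetd rule) does
    for the slides' hops. listen_port=0 picks a free port; the port actually bound is returned.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", listen_port))
    srv.listen(5)

    def accept_loop() -> None:
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return  # listener closed
            upstream = socket.create_connection(target, timeout=5)
            upstream.settimeout(None)
            # One thread per direction: both halves of the stream are relayed unchanged,
            # so the redirector is protocol-agnostic (NetBIOS, SMB, anything).
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def start_fake_nt_server() -> int:
    """Stand-in for the NT Web Server's port 139: read one line, answer it, hang up."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                buf = b""
                while b"\n" not in buf:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    buf += chunk
                conn.sendall(b"NetBIOS session response: " + buf)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo() -> bytes:
    """Build Attack NT -> Attack Linux:139 -> Sparc:1139 -> NT Web Server:139 on loopback."""
    nt_139 = start_fake_nt_server()                             # NT Web Server, "port 139"
    sparc_1139 = start_redirector(0, ("127.0.0.1", nt_139))     # Sparc: 1139 -> NT:139
    linux_139 = start_redirector(0, ("127.0.0.1", sparc_1139))  # Attack Linux: 139 -> Sparc:1139
    # Attack NT talks to "port 139" on Attack Linux; the hop that would cross the router is the 1139 one.
    with socket.create_connection(("127.0.0.1", linux_139), timeout=5) as attack_nt:
        attack_nt.sendall(b"NetBIOS session request\n")
        reply = b""
        while True:
            chunk = attack_nt.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply


if __name__ == "__main__":
    print(demo())
```

Because the relay never inspects payload, the defender's only handle on it is the network view: a DMZ host accepting connections on a port nobody provisioned, and a NetBIOS session to the web server originating from a neighbour rather than an administrator's workstation.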
Enumerate NT Information
- Null session - net use \\172.16.1.50\ipc$ "" /user:""
- NetUserEnum (local, global, DumpACL)
- NetWkstaTransportEnum (Getmac)
- RpcMgmt Query (EPDump)
Privilege Escalation
- Execute sechole via http - the IUSR account (which IIS runs anonymous requests as) becomes admin
- Add new user account (via http)
- Add the new user account to the local Administrators group (via http)
IIS Buffer Overflow
- Determine if the server is vulnerable (the .htr ISAPI overflow, Microsoft bulletin MS99-019):
  - nc 172.16.1.200 80
  - GET /.htr HTTP/1.0
  - Evaluate the response
- Crash IIS and send payload:
  - Target server contacts our web server and downloads the payload
  - Payload executes on the server and contacts our attack host
- The payload download is an outbound http request from the web server, exactly the traffic the firewall permits
VNC
Pass The Hash
- Modified SMB client can mount shares (C$, etc.) on a remote NT host using only the username and password hash
- No need to "decrypt" the password hash: the challenge-response is computed from the hash, so the hash is the credential
- Concept first presented by Paul Ashton in an NTBugtraq post
Pass The Hash v.2
- Create an admin account on our own NT host with the same name as the admin account for which we have hash values
- Upload the hash values into memory on our own NT host
- Perform pass-through authentication to the target host
- No need to "decrypt" the password
Network Diagram
Shovel The Shell
- Launch two Netcat listeners on Attack Linux (ports 80 and 25): the only two ports the firewall lets out of the DMZ
- Execute Trojan on NT Server:
  - Netcat TO port 80 on Attack Linux
  - Commands typed on Attack Linux (port 80) are piped to CMD.exe on NT Server
  - CMD.exe output is Netcatted TO port 25 on Attack Linux
- Type commands in the 80 window, view output in the 25 window
- Both connections are initiated by the web server, so the "outbound http and smtp only" rule passes them; nothing inbound is ever needed once the Trojan runs
Network Countermeasures
- Block ALL ports at the border routers; open only those ports that support your security policy
- Review logs: the attack above leaves a DMZ server initiating outbound connections on 80 and 25, an accepted inbound connection to an unprovisioned port (1139), and dropped probes at 135-139
- Implement network and host intrusion detection
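What "review logs" means for this attack chain, as an added example (not from the talk): detection logic run over a constructed router/firewall log that replays the chain in the slides, covering the "shovel the shell" and payload-download traffic as well as the enumeration probes and the planted redirector. The log format, the addresses (RFC 5737 documentation ranges), and the per-host list of provisioned inbound ports are all assumptions made for the example; the three rules are the ones a practitioner would write from the talk's own narrative.

```python
import ipaddress
import re

# Constructed addresses: the DMZ is 192.0.2.0/24, the attacker's Internet host is 198.51.100.7.
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")

# Hypothetical policy: the only inbound ports each DMZ server is supposed to answer on.
ALLOWED_INBOUND = {
    "192.0.2.200": {80},   # NT Web Server (IIS)
    "192.0.2.50": {25},    # Sparc, assumed here to be the mail relay
}
NETBIOS_PORTS = {135, 137, 138, 139}

LOG_RE = re.compile(
    r"^(?P<ts>\S+T\S+) (?P<action>ACCEPT|DROP) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed log in a generic format (no real product's syntax); it replays the attack chain.
SAMPLE_LOG = """\
1999-07-08T10:01:02 ACCEPT tcp 198.51.100.7:40112 -> 192.0.2.200:80
1999-07-08T10:01:03 DROP tcp 198.51.100.7:40113 -> 192.0.2.200:139
1999-07-08T10:01:03 DROP udp 198.51.100.7:40114 -> 192.0.2.200:137
1999-07-08T10:01:20 ACCEPT tcp 198.51.100.7:40120 -> 192.0.2.50:1139
1999-07-08T10:05:41 ACCEPT tcp 192.0.2.200:1041 -> 198.51.100.7:80
1999-07-08T10:05:41 ACCEPT tcp 192.0.2.200:1042 -> 198.51.100.7:25
1999-07-08T10:06:00 ACCEPT tcp 203.0.113.9:5123 -> 192.0.2.50:25
"""


def parse_line(line: str):
    """Return a dict for one log record, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def analyze(log_text: str) -> list:
    """Return (rule, src, dst, dport) alerts for the traces the talk's attack chain leaves."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if src in DMZ_NET and dst not in DMZ_NET:
            # Servers answer, they do not dial out: a DMZ host opening a connection to the Internet
            # on 80/25 is the shovelled shell or the payload download, and the "outbound http/smtp
            # only" firewall rule passes it without complaint.
            alerts.append(("dmz-host-initiated-outbound", rec["src"], rec["dst"], rec["dport"]))
        elif dst in DMZ_NET and rec["dport"] in NETBIOS_PORTS:
            # Router drops on 135-139 are the null-session attempts; they name the attacker's host.
            alerts.append(("netbios-probe", rec["src"], rec["dst"], rec["dport"]))
        elif rec["action"] == "ACCEPT" and dst in DMZ_NET \
                and rec["dport"] not in ALLOWED_INBOUND.get(rec["dst"], set()):
            # An accepted connection to a port nobody provisioned: the redirector planted on 1139.
            alerts.append(("unexpected-inbound-service", rec["src"], rec["dst"], rec["dport"]))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The first rule is the one with the best signal-to-noise: a web server has no business opening a connection to the Internet, so "allow outbound 80 and 25" should be scoped to the hosts (mail relay, proxy) that actually need it rather than to the whole DMZ, and anything else that trips the rule is worth a look the same day.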
Unix Countermeasures
- TTDB
  - Kill the rpc.ttdbserverd process, and remove its inetd.conf entry so it is not respawned
  - Apply vendor-specific patches
  - Block RPC at the border router: the portmapper (tcp/udp 111) and the high-numbered ports that RPC services such as ttdb bind to
- Xterm
  - Remove trusted relationships with xhost - (xhost + lets any host connect to the display)
  - If sending sessions to another terminal, restrict to a specific terminal
  - Block ports 6000-6063 (X displays :0 through :63) if necessary
NT Countermeasures
- Block tcp and udp ports 135, 137, 138 and 139 at the router
- Prevent information leakage:
  - Set the RestrictAnonymous registry value (NT 4.0 SP3 and later): HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous, DWORD = 1
  - With the value at 1 the null session itself still connects, but enumeration of account names and shares over it fails; re-run the null-session enumeration steps after the change to confirm
  - Unbind "WINS Client (TCP/IP)" from the Internet-connected NIC
NT Countermeasures
- Password composition
  - 7 characters is the strongest humanly usable length, 14 is the strongest: the LM hash upper-cases the password, pads it to 14 characters and hashes each 7-character half independently, so the second half of an 8- to 13-character password is short and cracks almost instantly, and only a 14-character password gives L0phtCrack two full halves
  - Use meta-characters within the first 7 characters of your password (a special character only in the second half does nothing for the first)
  - Utilize account lockout
  - Utilize passfilt.dll to require stronger passwords
  - Utilize the Passprop.exe admin lockout feature (the built-in Administrator account is otherwise exempt from lockout)
NT Countermeasures
- Review the IIS security checklist: www.microsoft.com/security/products/iis/CheckList.asp
Countermeasures Disclaimer
- Test all changes on a non-production host before implementing on production servers
Tools and Concepts
- Visual Route - www.visualroute.com
- NetScanTools Pro - www.nwpsw.com
- gping, fping - www.securityfocus.com
- nmap - www.insecure.org/nmap/
- queso - www.apostols.org/projectz/
- ttdb exploit - www.securityfocus.com
- netcat - www.l0pht.com
- rinetd - www.boutell.com
- VMWare - www.vmware.com
- NT Resource Kit - www.microsoft.com
- DumpACL - www.somarsoft.com
- sechole - www.cybermedia.co.in
- pwdump - www.rootshell.com
- L0phtCrack - www.l0pht.com
- VNC - www.uk.research.att.com
- modified SMB client - www.ntbugtraq.com
Security Resources
- www.microsoft.com/security
  - Advisories
  - Patches
  - IIS Security Checklist
- www.securityfocus.com
  - Bugtraq Mailing List
  - Tools, Books, Links
  - Vulnerabilities and Fixes
Hacking Exposed: Network Security Secrets and Solutions (Osborne/McGraw-Hill)
George Kurtz, Stuart McClure, Joel Scambray
Due out September 1999
Contact Information
- George Kurtz - george.kurtz@ey.com - (201) 836-5280
- Eric Schultze - eric.schultze@ey.com - (425) 990-6916
Web Site