Hacking High School
Ernest Staats, Director of Technology and Network Services at GCA
MS Information Assurance, CISSP, CEH, MCSE, CNA, CWNA, Security+, I-Net+, Network+, Server+, A+
Resources
CAN'T DEFEND WHAT YOU DON'T KNOW
"Know your enemies & know yourself"
- Hacker mentality
- Map your network regularly
- Sniff and baseline your network: know what type of data needs to be going across your system
- Know what types of paths are open to your data: WiFi, USB, Bluetooth, remote access, Web 2.0, mobile device access
HACKER MENTALITY
Hackers are motivated by various factors:
- Ego
- Curiosity and challenge
- Entertainment
- Political beliefs
- Desire for information
- Thrill of gaining privileged access
- Owning the system long term (Trojans, backdoors)
- Attempting to compromise additional systems
- A "trophy" to gain status
Hacker Stratification
Tier I
- The best of the best
- Ability to find new vulnerabilities
- Ability to write exploit code and tools
- Motivated by the challenge, and of course, money
Tier II
- IT savvy
- Ability to program or script
- Understand what the vulnerability is and how it works
- Intelligent enough to use the exploit code and tools with precision
- Motivated by the challenge but primarily curiosity, some ego
Tier III: "Script Kiddies"
- Few real talents
- Ability to download exploit code and tools written by others
- Very little understanding of the actual vulnerability
- Randomly fire off scripts until something works
- Motivated by ego, entertainment, desire to hurt others
In the end there can only be one
LOW HANGING FRUIT
- Safe mode / "hacker mode": F8 or hold down the CTRL key
- God Mode
- Lab machines that require admin rights to run software
- IronGeek.com / YouTube "Hack School": lots of step-by-step videos
- Renamed EXEs; two fun ones: netsh.exe, utilman.exe
- When using Microsoft GPOs, use hash rules instead of path rules
- Use Windows Run
- Use MS Access to make a macro run CMD
- Use IP address instead of name
- Shutdown -i
- Use U3 devices or Portable Apps
- Right click, make a shortcut to the C drive if you hide the C drive
- Use Bluetooth to make file transfers to Windows system32
- If they have USB access they own it
GOD MODE VISTA / WIN7
GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}
Other shortcuts:
- {00C6D95F-329C-409a-81D7-C46C66EA7F33}
- {0142e4d0-fb7a-11dc-ba4a-000ffe7ab428}
- {025A5937-A6BE-4686-A844-36FE4BEC8B6D}
- {05d7b0f eff-bf6b-ed3f69b894d9}
- {1206F5F C-8FEC DFB70}
- {15eae92e-f17a f28-805e482dafd4}
- {17cd b2f-88ce-4298e93e0966}
- {1D2680C9-0E2A-469d-B BC7D43}
- {1FA9085F-25A2-489B-85D EEDCD87}
- {208D2C60-3AEA-1069-A2D B30309D}
- {20D04FE0-3AEA-1069-A2D B30309D}
- {2227A280-3AEA-1069-A2DE-08002B30309D}
- {241D7C96-F8BF-4F85-B01F-E2B043341A4B}
- { F-2F69-46B8-B9BF-5654FC07E423}
- {62D8ED13-C9D0-4CE8-A914-47DD628FB1B0}
- {78F3955E-3B BD C15F1EFC}
Hiding things will not work
NOT ROCKET SCIENCE
- 2009 saw the first iPhone worm; most attacks were near-identical to prior years, changing only the victims and the level of sophistication
- FBI estimated small and medium businesses have lost $40 million to cyber-crime since 2004
VIRUS CREATION
Anyone can do it!
MALWARE IS VERY COMMON
How common? Spyware, virus, worm, tracking map
Symantec reported over million malware samples since 2007
"WILL VULNERABILITIES EVER GO AWAY?"
- If 95-99% of all attacks come from known vulnerabilities and mis-configurations [Carnegie Mellon]
- And known vulnerabilities and mis-configurations come from human error
- And, for the foreseeable future, humans will be the creators and maintainers of technology
- Then vulnerabilities (and risk) are here to stay!
MIS-CONFIGURATIONS
- Easily guessed passwords
  - Admin / no password
  - Admin / username same as password
  - Admin / "password"
- Common user/pass combinations: oracle/oracle
- Default Password List
- Default installed files
- Admin rights for software
- Incorrect permissions
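The password mis-configurations above are the kind an administrator can find on their own machines before anyone else does. The script below is an added example, not from the slides or the presenter, that audits local Windows accounts through the WinNT ADSI provider and reports the settings that make those weak passwords possible: accounts permitted to have a blank password, passwords that never expire, stale passwords, and the built-in Administrator/Guest accounts left enabled. The 90-day threshold and the function name are choices made for this example.

```powershell
# Added example, not from the slides: audit local accounts for the password
# mis-configurations listed above, via the WinNT ADSI provider.
# Assumptions: run elevated on Windows 7 or later; $MaxPasswordAgeDays is a
# threshold chosen for this example, not a value from the slides.
$MaxPasswordAgeDays = 90

# Bits of the ADS_USER_FLAG enumeration exposed through the UserFlags property
$ADS_UF_ACCOUNTDISABLE     = 0x0002
$ADS_UF_PASSWD_NOTREQD     = 0x0020    # account may have a blank password
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # password never expires

function Get-WeakLocalAccount {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $computer = [ADSI]"WinNT://$ComputerName,computer"
    foreach ($obj in $computer.psbase.Children) {
        if ($obj.psbase.SchemaClassName -ne 'user') { continue }

        $name     = [string]$obj.Name
        $flags    = [int]$obj.UserFlags.Value
        # PasswordAge is reported in seconds since the last change
        $ageDays  = [math]::Floor([int]$obj.PasswordAge.Value / 86400)
        $findings = @()

        if ($flags -band $ADS_UF_PASSWD_NOTREQD)     { $findings += 'blank password permitted' }
        if ($flags -band $ADS_UF_DONT_EXPIRE_PASSWD) { $findings += 'password never expires' }
        if ($ageDays -gt $MaxPasswordAgeDays)        { $findings += "password not changed for $ageDays days" }
        # Built-in Administrator and Guest left enabled are classic default-install exposure
        if ((@('Administrator', 'Guest') -contains $name) -and -not ($flags -band $ADS_UF_ACCOUNTDISABLE)) {
            $findings += 'built-in account enabled'
        }

        if ($findings.Count -gt 0) {
            New-Object PSObject -Property @{ Account = $name; Findings = ($findings -join '; ') }
        }
    }
}

# Run against the local machine; pass -ComputerName to audit another host you administer
Get-WeakLocalAccount | Format-Table -AutoSize
```

The script only reads account attributes; it never attempts a logon, so it can be run across lab machines without locking anyone out. Combine it with the Default Password List from the slide by changing the vendor defaults it flags on the image before the machines are deployed.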
MOBILE DEVICES EXPOSE YOU
I'm really an IP-connected computer!
USB ADDS RISK
Flash memory devices: containing what?
USING REMOTE ACCESS TO HACK
- BackTrack4: Owning Vista with BackTrack
- How to put BT4 on a USB
- Portable Apps
- Mobile devices: iPhone, iPod Touch, Droid, PS2, others
- Metasploit
SILVER BULLET EATER
- Alternate StreamView
- BinText
- BitComet
- CCleaner
- Clam AV
- Convert All Portable
- Cool Player+ Portable
- Defraggler
- Dir html
- File Shredder
- Firefox
- HTTrack
- Links to Portable USB Software
- My set of portable apps
- KeePass
- LAN Search
- LSASecretsView
- MACAddressView
- MD5Checker
- mRemote
- netcheck
- Netscan
- NMap
- Pidgin Portable
- PortableApps.com
- Portable VirtualBox
- Process Injection
- Process Killer
- Recuva File Restore
- Sophos Anti-Rootkit
- Stinger
- Sumatra PDF
- Super Scanner
- Sysinternals Suite
- System Info
- Tor
- WinSCP
- WirelessKeyView
- Wireshark
- YouTube downloader
- putty.exe
DEMO TIME
All resources on my site es-es.net
U3 POCKETKNIFE
- Steal passwords
- Product keys
- Steal files
- Kill antivirus software
- Turn off the Firewall
- And more…
For details see
CUSTOMIZING U3
- You can create a custom file to be executed when a U3 drive is plugged in
- The custom U3 launcher runs PocketKnife
- So all those things are stolen and put on the flash drive
BACKTRACK IN VM
U3 DEVICE
UBCD IN A VM
TRACK THAT ONE….
Cain and Abel
Local Passwords
PASSWORD CRACKING
- NTPassword: RESET any admin pwd to blank
- Cain and Abel
- BackTrack 4 (BT4)
- Default Password List
- Paid password tools
DEFENSE
IMMEDIATE RISK REDUCTION
- Disable AutoRun / keep system patches updated
- Glue USB ports shut
- Install Windows 7 64-bit; several cracking programs do not work
- Get rid of admin rights; lock down workstations
- Monitor WiFi access; secure your wireless networks
- USB blocking: Windows Group Policy, Netwrix; several vendors on the show floor have options to limit or block USB
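Two of the items above, "Disable AutoRun" and "USB Blocking", come down to two registry values on each workstation. The following is an added example, not from the slides or any vendor on the show floor: it reports the current state of both controls and, when you call the second function, applies them locally. The function names are this example's own; in a domain you would normally push the same values with Group Policy rather than set them by hand.

```powershell
# Added example, not from the slides: check and apply the two registry-based
# controls behind "Disable AutoRun" and "USB Blocking".
# Assumptions: elevated PowerShell on Windows 7 or later; a reboot or device
# re-plug is needed before the USBSTOR change takes effect on attached drives.

$AutoRunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-RemovableMediaState {
    $autorun = (Get-ItemProperty -Path $AutoRunKey -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $usbstor = (Get-ItemProperty -Path $UsbStorKey -ErrorAction SilentlyContinue).Start
    New-Object PSObject -Property @{
        # 0xFF disables AutoRun for every drive type; anything else leaves some type enabled
        AutoRunDisabled   = ($autorun -eq 0xFF)
        # Start=4 disables the USB mass-storage driver, so flash drives no longer mount
        UsbStorageBlocked = ($usbstor -eq 4)
    }
}

function Set-RemovableMediaHardening {
    # The Policies\Explorer key does not exist on a fresh install; create it first
    if (-not (Test-Path $AutoRunKey)) { New-Item -Path $AutoRunKey -Force | Out-Null }
    Set-ItemProperty -Path $AutoRunKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
}

# Report first; run Set-RemovableMediaHardening only on machines you are locking down
Get-RemovableMediaState
```

Disabling USBSTOR stops mass-storage devices, including the emulated CD-ROM partition a U3 drive presents, because both arrive through the same mass-storage class; it does not affect keyboards, mice or other HID devices, and it does not remove the drives' physical ports, which is why the slide also mentions glue.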
BETTER USB SOLUTION: IEEE 1667
- Standard Protocol for Authentication in Host Attachments of Transient Storage Devices
- USB devices can be signed and authenticated, so only authorized devices are allowed
- Implemented in Windows 7
See
KEEP DATA SECURE: WEB 2.0
Continued education of computer users:
- Don't click on strange links (avoid tempt-to-click attacks)
- Do not release personal information online
- Use caution with IM and SMS (short message service)
- Be careful with social networking sites
- Don't e-mail sensitive information
- Don't hit "reply" to a received e-mail containing sensitive information
- Require mandatory VPN (virtual private network) use over wireless networks
ADDRESSING THE THREATS
- Design/implement widely accepted policies and standards
- Identify the vulnerabilities, mis-configurations, and policy violations
- Apply fixes and patches as quickly as possible
- Mitigate the risk with intrusion prevention
- Log and monitor all critical systems
- Educate yourself & your staff
- Disable Safe mode
- Lock systems: Steady State, Deep Freeze or others
- Lock down Windows Group Policies
- Block USB devices
- Secure your WiFi network
THE LIST
Tools I use!
PASSWORD RECOVERY TOOLS:
- Fgdump (mass password auditing for Windows)
- Cain and Abel (password cracker and so much more….)
- John the Ripper (password cracker)
- GUI for John the Ripper
- FSCracker
- RainbowCrack: an innovative password hash cracker tool that makes use of a large-scale time-memory trade-off
NETWORK SCANNING
- MS Baseline Analyzer
- The Dude (mapper and traffic analyzer, great for WiFi)
- Getif (network SNMP discovery and exploit tool)
- SoftPerfect Network Scanner
- HPing2 (packet assembler/analyzer)
- ZENOSS (enterprise network mapping and monitoring)
- TCPDump (packet sniffer), Linux; or Windump for Windows
- LanSpy (local, Domain, NetBIOS, and much more)
TOOLS TO ASSESS VULNERABILITY
- Nessus (vulnerability scanner)
- Snort (IDS - intrusion detection system)
- Metasploit Framework (vulnerability exploitation tool): use with great caution and have permission
- OpenVAS (Vulnerability Assessment System): enterprise network security scanner
SECURE YOUR PERIMETER:
- DNS-stuff and DNS-reports
- Test & html code
- Web Inspect (15 day)
- Security Space
- Other firewall options: Untangle, SmoothWall, IPCop
- SoftPerfect Network Scanner: a multi-threaded IP, SNMP and NetBIOS scanner. Very easy to use
- WinSCP: wraps a friendly GUI interface around the command-line switches needed to copy files between Windows and Unix/Linux
- Nagios: highly configurable, flexible network resource monitoring tool
- OpenDNS: another layer to block proxies and adult sites
- CCleaner: removes unused files and other software that slows down your PC
- File Shredder: a fast, safe and reliable tool to shred company files
- GroundWork (open source): full enterprise performance and network management software. This is designed for data centers and large networks but can be used for small shops as well (works with Nagios)
More tools:
- Google (get the Google Hacking book); the Google Hacking Database (GHDB)
- Cain and Abel (the Swiss Army knife): crack passwords, crack VoIP and so much more
- Autoruns / Sysinternals Suite: shows the programs that run during system boot-up or login
- Iron Geek: step-by-step security training
- SuperScan 4 network scanner: find open ports (I prefer version 3)
- EventSentry: allows you to consolidate and monitor event logs in real time
WELL-WORN TOOLS:
- Wireshark: packet sniffer used to find passwords and other important network errors going across the network. SSL passwords are often sent in clear text before logging on
- Metasploit: hacking/networking security made easy
- BackTrack or UBCD4WIN boot CD: cleaning infected PCs or the ultimate hacking environment. Will run from USB
- ReadNotify: "registered" e-mail
- Virtual Machine: for pen testing
DIGITAL FORENSICS
First and foremost: I am not a lawyer. Always consult your local law enforcement agency and legal department first!
- Digital forensics is SERIOUS BUSINESS
- You can easily shoot yourself in the foot by doing it incorrectly
- Get some in-depth training …this is not in-depth training!!! (Nor is it legal advice. Be smart. The job you save may be your own.)
FORENSICS: OPEN SOURCE / FREE TO K-12
Helix (e-fense)
- Customized Knoppix disk that is forensically safe
- Includes improved versions of 'dd'
- Terminal windows log everything for good documentation
- Includes Sleuthkit, Autopsy, chkrootkit, and others
- Includes tools that can be used on a live Windows machine, including precompiled binaries and live acquisition tools
ProDiscover (free for schools)
ANTI-FORENSICS
Be aware of activity in the anti-forensics area!! There are active efforts to produce tools to thwart your forensic investigation: Metasploit's Anti-Forensic Toolkit*, Defiler's Toolkit, etc.
- Timestomp
- Transmogrify
- Slacker
- SAM Juicer
Sysinternals
EVENT LOG
- Use to document unauthorized file and folder access
- Acquire key data
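Using the event log to document file and folder access only works if object-access auditing was turned on before the access happened. The script below is an added example, not from the slides or the Sysinternals suite, that switches on the File System audit subcategory, adds an audit entry to one folder, and then pulls the resulting Security-log events (ID 4663, "An attempt was made to access an object") into a table suitable for case notes. The folder path and function names are placeholders chosen for this example.

```powershell
# Added example, not from the slides: enable file-access auditing on a folder and
# collect the Security-log events it produces into a table for documentation.
# Assumptions: elevated PowerShell on Windows 7 or later; C:\Finance\Payroll is a
# placeholder path, not a location from the slides.

$WatchedFolder = 'C:\Finance\Payroll'   # placeholder

function Enable-FolderAccessAudit {
    param([string]$Path)
    # Object-access auditing is off by default; enable the File System subcategory
    auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

    # Add a SACL entry so reads, writes and deletes anywhere in the tree are logged
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', 'ReadData,WriteData,Delete', 'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FolderAccessEvents {
    param([string]$Path, [int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the named fields from the event XML instead of parsing the message text
        [xml]$x = $_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d['ObjectName'] -like "$Path*") {
            New-Object PSObject -Property @{
                Time    = $_.TimeCreated
                User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object  = $d['ObjectName']
                Access  = $d['AccessMask']
                Process = $d['ProcessName']
            }
        }
    }
}

Enable-FolderAccessAudit -Path $WatchedFolder
Get-FolderAccessEvents -Path $WatchedFolder | Sort-Object Time | Format-Table -AutoSize
```

Run the enable step once, well before you expect to need the evidence, and size the Security log so 4663 events are not overwritten; when you later export the table, keep it with a note of which machine and log it came from.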
ACCESSCHK*
- Shows what folder permissions a user has
- Provides evidence that the user had opportunity
- Acquire key data
PSLOGGEDON*
- Shows if a user is logged onto a computing resource
- Acquire key data
ROOTKIT REVEALER
- Reveals rootkits, which take complete control of a computer and conceal their existence from standard diagnostic tools
- Acquire key data
PSEXEC
- Allows the investigator to remotely obtain information about a user's computer, without tipping them off or installing any applications on the user's computer
- Acquire key data
SYSINTERNALS TOOL: DU*
- Allows the investigator to remotely examine the contents of the user's My Documents folder and any subfolders
- Acquire key data
FREE SERVER VIRTUALIZATION SOFTWARE
Some of my favorite free virtualization tools:
- VMware vSphere ESXi Free Edition and VMware Go
- VMware vMA, vCLI (command-line interface), PowerCLI, and scripts from the vGhetto script repository such as vSphereHealthCheck
- Veeam Monitor (free edition), FastSCP, and Business View
- Vizioncore Wastefinder, vConvert SC and Virtualization EcoShell
- SolarWinds' VM Monitor
- Trilead VM Explorer
- TripWire ConfigCheck
- ConfigureSoft/EMC Compliance Checker
- ESX Manager 2.3 from ESXGuide (ESX 3i and 4i are not supported)
- vKernel SearchMyVM, SnapshotMyVM, and Modeler
- Hyper9 GuessMyOS Plugin, Search Bar Plugin, and Virtualization Mobile Manager
- XtraVirt vAlarm and vLogView
SHAMELESS PLUG
Presentations on my site located at
- Check out the presentation given this morning: Manage & Secure Your Wireless Connections
- To learn more about GCA (Georgia Cumberland Academy)
- Face-Saving Tools for Managers
- 20 great Windows open source projects
- E-Crime Survey