Ernest Staats Director of Technology and Network Services at GCA MS Information Assurance, CISSP, CEH, MCSE, CNA, CWNA, Security+, I-Net+, Network+, Server+,

Ernest Staats Director of Technology and Network Services at GCAMS Information Assurance, CISSP, CEH, MCSE, CNA, CWNA, Security+, I-Net+, Network+, Server+, A+Resources available @ http://es-es.net

Hacking High School

CAN’T DEFEND WHAT YOU DON’T KNOW

• “Know your enemies & know yourself” <Sun Tzu>

• Hacker Mentality

• Map your network regularly

• Sniff and Baseline your network know what type of data needs to be going across your system

• Know what types of paths are open to your data WIFI, USB, BlueTooth, Remote Acess

• Web 2.0

• Mobile device access

HACKER MENTALITY• Hackers are motivated by various factors:

• Ego

• Curiosity and challenge

• Entertainment

• Political beliefs

• Desire for information

• Thrill of gaining privileged access

• Own the system long term (Trojans, backdoors)

• Attempt to compromise additional systems

•A "trophy" to gain status

Hacker StratificationHacker StratificationTier I

The best of the best Ability to find new vulnerabilities Ability to write exploit code and tools Motivated by the challenge, and of course, money

Tier II IT savvy Ability to program or script Understand what the vulnerability is and how it works Intelligent enough to use the exploit code and tools with precision Motivated by the challenge but primarily curiosity, some ego

Tier III “Script Kiddies” Few real talents Ability to download exploit code and tools written by others Very little understanding of the actual vulnerability Randomly fire off scripts until something works Motivated by ego, entertainment, desire to hurt others

In the End there can only be 1

LOW HANGING FRUIT

• Safemode /Hacker Mode : F8 or hold down the CTRL key

• God Mode

• Lab machines that require Admin rights to run software

• IronGeek.com / Youtube “Hack School” lots of step by step videos

• Reamane EXE’s two fun ones netsh.exe utilman.exe

• When using Microsoft GPO’s use hash instead of Path

• Use Windows Run Use MS-Access to make a Macro run CMD

• Use IP Address instead of Name Shutdown –i

• Use U3 Devices or Portable Apps

• Right Click Make shortcut to c drive if you hide C drive

• Use Bluetooth to make file transfers to windows system32 if they have USB access they own it

GOD MODE VISTA / WIN7 • GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}

• Other Shot cuts

• {00C6D95F-329C-409a-81D7-C46C66EA7F33}"

• {00C6D95F-329C-409a-81D7-C46C66EA7F33}

• {0142e4d0-fb7a-11dc-ba4a-000ffe7ab428}

• {025A5937-A6BE-4686-A844-36FE4BEC8B6D}

• {05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}

• {1206F5F1-0569-412C-8FEC-3204630DFB70}

• {15eae92e-f17a-4431-9f28-805e482dafd4}

• {17cd9488-1228-4b2f-88ce-4298e93e0966}

• {1D2680C9-0E2A-469d-B787-065558BC7D43}

• {1FA9085F-25A2-489B-85D4-86326EEDCD87}

• {208D2C60-3AEA-1069-A2D7-08002B30309D}

• {20D04FE0-3AEA-1069-A2D8-08002B30309D}

• {2227A280-3AEA-1069-A2DE-08002B30309D}

• {241D7C96-F8BF-4F85-B01F-E2B043341A4B}

• {4026492F-2F69-46B8-B9BF-5654FC07E423}

• {62D8ED13-C9D0-4CE8-A914-47DD628FB1B0}

• {78F3955E-3B90-4184-BD14-5397C15F1EFC}

Hiding things will not work

NOT ROCKET SCIENCE

• 2009 saw the first iPhone worm -- most attacks were near-identical to prior years, changing only the victims and the level of sophistication

• FBI estimated small and medium businesses have lost $40 million to cyber-crime since 2004

VIRUS CREATION• Anyone can do it!

MALWARE IS VERY COMMON

• Malware

• How common?

• Spyware

• Virus

• Worm

• Tracking Map

• http://wtc.trendmicro.com/wtc/default.asp

• http://www.fortiguard.com/map/worldmap.html

• Symantec reported over million malware’s since 2007

“WILL VULNERABILITIES EVER GO AWAY?”

If, 95-99% of all attacks come from known vulnerabilities and mis-configurations [Carnegie Mellon]

And, known vulnerabilities and mis-configurations come from human error

And, for the foreseeable future, humans will be the creators and maintainers of technology

Then, vulnerabilities (and risk) are here to stay!

MIS-CONFIGURATIONS

• Easily guessed passwords

• Admin/no password

• Admin/username same as password

• Admin/”password”

• Common user/pass combinations

• oracle/oracle

• Default Password List http://tinyurl.com/39teob • Default installed files

• Admin rights for software

• Incorrect permissions

MOBILE DEVICES EXPOSES YOU

I’m really an IP connected computer!

USB ADD RISK• Flash Memory Devices

• Containing what?

USING REMOTE ACCESS TO HACK

• BackTrack4 -

• Owning Vista with BackTrack http://www.offensive-security.com/backtrack-tutorials.php

• How to put BT4 on a USB

• http://www.offensive-security.com/backtrack-tutorials.php

• Portable Apps

• http://es-es.net

• Mobile devices

• Iphone I-Touch http://www.leebaird.com/Me/iPhone.html

• Droid PS2 others

• Metasploit

SILVER BULLET EATER• Alternate

streamview

• BinText

• BitComet

• CCleaner

• Clam AV

• Convert All Portable

• Cool Player+ Portable

• Defraggler

• Dir html

• File Shredder

• Firefox

• HttTrack

Links to Portable USB Software•http://www.portablefreeware.com/all.php

•http://www.makeuseof.com/tag/portable-software-usb/

•http://en.wikipedia.org/wiki/List_of_portable_software

•http://www.portablefreeware.com/index.php?sc=27

•My Set of Portable apps

• http://es-es.net/resources/Portable_Apps.zip

• Kee Pass

• LAN Search

• Lsa secrets view

• MAC address View

• MD5Checker

• mRemote

• netcheck

• Netscan

• NMap

• Pidgin Portable

• PortableApps.com

• Portable-Virtual Box

• Process Injection

• Process Killer

• Recuva File Restore

• Sophos Anti-Rootkit

• Stinger

• Sumatra PDF

• Super Scanner

• Sysinternals Suite

• System Info

• Tor

• Win SCP

• Wireless keyview

• Wireshark

• Youtube downloader

• putty.exe

DEMO TIMEAll resources on my site es-es.net

U3 POCKETKNIFE

• Steal passwords

• Product keys

• Steal files

• Kill antivirus software

• Turn off theFirewall

• And more…

• For details see http://wapurl.co.uk/?719WZ2T

CUSTOMIZING U3

• You can create a custom file to be executed when a U3 drive is plugged in

• The custom U3 launcher runs PocketKnife

• So all those things are stolen and put on the flash drive

18

BACKTRACK IN VM U3 DEVICE

UBCD IN A VM TRACK THAT ONE….

Cain and Abel Local Passwords

PASSWORDS CRACKING • NTPassword RESET any admin pwd to blank

• http://home.eunet.no/pnordahl/ntpasswd/

• Cain and Able

• Back Track 4 (BT4) http://www.backtrack-linux.org/downloads/ • Default Password List

• http://tinyurl.com/39teob

• Paid Password Tools

• http://www.brothersoft.com/downloads/crack-password.html

• http://www.elcomsoft.com/index.html

• http://www.accessdata.com/

DEFENSE

IMMEDIATE RISK REDUCTION• Disable AutoRun / Keep system patches updated

• Glue USB ports shut

• Install Windows 7 64 bit

• several cracking programs do not work

• Get rid of Admin rights lockdown work stations

• Monitor WIFI access secure your wireless networks http://es-es.net/13.html

• USB Blocking

• Windows Group Policy• Netwrix http://www.netwrix.com/usb_blocker.html

• Several Vendors on the show floor have options to limit or block USB

24

BETTER USB SOLUTION: IEEE 1667

• Standard Protocol for Authentication in Host Attachments of Transient Storage Devices

• USB devices can be signed and authenticates, so only authorized devices are allowed

• Implemented in Windows 7

• See http://tinyurl.com/ybce7z7

25

KEEP DATA SECURE WEB 2.0

• Continued Education of Computer Users

• Don’t click on strange links (avoid tempt-to-click attacks)

• Do not release personal information online

• Use caution with IM and SMS (short message service)

• Be careful with social networking sites

• Don’t e-mail sensitive information

• Don’t hit “reply” to a received -email containing sensitive information

• Require mandatory VPN (virtual private network) use over wireless networks

ADDRESSING THE THREATS

• Design/implement widely accepted policies and standards

• Identify the vulnerabilities, mis-configurations, and policy violations

• Apply fixes and patches as quickly as possible

• Mitigating the risk with intrusion prevention

• Log and monitor all critical systems

• Educate yourself & your staff

• Disable Safe mode Lock Systems Steady State, Deep Freeze or others

• Lock Down Windows Group Policies

• Block USB devices

• Secure your WIFI network

THE LISTTools I use!

PASSWORD RECOVERY TOOLS:• Fgdump (Mass password auditing for Windows)

• http://foofus.net/fizzgig/fgdump • Cain and Abel (password cracker and so much more….)

• http://www.oxid.it/cain.htnl • John The Ripper (password crackers)

• http://www.openwall.org/john/ • GUI for John The Ripper FSCracker

• http://www.foundstone.com/us/resources/proddesc/fscrack.htm • RainbowCrack : An Innovative Password Hash Cracker tool that makes use of a large-scale time-

memory trade-off.• http://www.rainbowcrack.com/downloads/?PHPSESSID=776fc0bb788953e190cf415e60c78

1a5

NETWORKING SCANNING• MS Baseline Analyzer 2.1

• http://www.microsoft.com/downloads/details.aspx?familyid=f32921af-9dbe-4dce-889e-ecf997eb18e9&displaylang=en

• The Dude (Mapper and traffic analyzer great for WIFI)

• http://www.mikrotik.com/thedude.php

• Getif (Network SNMP discovery and exploit tool)

• http://www.wtcs.org/snmp4tpc/getif.htm

• SoftPerfect Network Scanner

• http://www.softperfect.com/

• HPing2 (Packet assembler/analyzer)

• http://www.hping.org

• ZENOSS (Enterprise Network mapping and monitoring)

• http://www.zenoss.com

• TCPDump (packet sniffers) Linux or Windump for windows

• http://www.tcpdump.org and http://www.winpcap.org/windump/

• LanSpy (local, Domain, NetBios, and much more)

• http://www.lantricks.com/

TOOLS TO ASSESS VULNERABILITY • Nessus(vulnerability scanners)

• http://www.nessus.org

• Snort (IDS - intrusion detection system)

• http://www.snort.org

• Metasploit Framework (vulnerability exploitation tools) Use with great caution and have permission

• http://www.metasploit.com/projects/Framework/

• Open VAS (Vulnerability Assessment Systems) Enterprise network security scanner

• http://www.openvas.org

SECURE YOUR PERIMETER:• DNS-stuff and DNS-reports

• http://www.dnsstuff.com http://www.dnsreports.com

• Test e-mail & html code

• Web Inspect 15 day http://tinyurl.com/ng6khw

• Security Space• http://tinyurl.com/cbsr

• Other Firewall options

• Untangle www.untangle.com

• Smooth Wall www.smoothwall.org

• IPCop www.ipcop.org

• Soft Perfect Network Scanner

• A multi-threaded IP, SNMP and NetBIOS scanner. Very easy to use; http://tinyurl.com/2kzpss

• WinSCP

• wraps a friendly GUI interface around the command-line switches needed to copy files between Windows and Unix/Linux http://tinyurl.com/yvywqu

• Nagios

• Highly configurable, flexible network resource monitoring tool http://www.nagios.org

• Open DNS--

• Another layer to block proxies and adult sites; http://www.opendns.com/

• Ccleaner

• Removes unused files and other software that slows down your PC; http://www.ccleaner.com/

• File Shredder

• A fast, safe and reliable tool to shred company files; http://www.fileshredder.org/

• GroundWork (OpenSource)

• Full Enterprise performance and network management software. This is designed for data center and large networks but can be used on for small shops as well. (works with Nagios); http://www.groundworkopensource.com

More Tools:

• Google (Get Google Hacking book)

• The Google Hacking Database (GHDB)• http://johnny.ihackstuff.com/modules.php?op=modload&name=Downloads&file=index

• Cain and Abel • (the Swiss Army knife) Crack passwords crack VOIP and so much more

• http://www.oxid.it/cain.html

• Autoruns / Sysinternals Suite

• shows the programs that run during system boot up or login

• http://tinyurl.com/3adktf

• Iron Geek

• Step by step security training http://tinyurl.com/bzvwx

• SuperScan 4 • Network Scanner find open ports (I prefer version 3)

• http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/superscan.htm

• EventSentry

• Allows you to consolidate and monitor event logs in real-time, http://tinyurl.com/2g64sy

WELL-WORN TOOLS :• Wireshark

– Packet sniffer used to find passwords and other important network errors going across network– SSL Passwords are often sent in clear text before logging on – http://tinyurl.com/yclvno

• Metasploit – Hacking/networking security made easy– http://www.metasploit.com/

• BackTrack or UBCD4WIN Boot CD – Cleaning infected PC’s or ultimate hacking environment. Will run from USB– http://www.backtrack-linux.org/downloads/ – http://tinyurl.com/38cgd5

• Read notify – “Registered” email– http://www.readnotify.com/

• Virtual Machine – For pen testing – http://tinyurl.com/2qhs2e

DIGITAL FORENSICS

• First and foremost: I am not a lawyer. Always consult your local law enforcement agency and legal department first!

• Digital forensics is SERIOUS BUSINESS• You can easily shoot yourself in the foot by doing it incorrectly• Get some in-depth training• …this is not in-depth training!!! (Nor is it legal advice.

Be smart. The job you save may be your own.)

FORENSICS: OPEN SOURCE / FREE TO K-12

• Helix (e-fense)

• Customized Knoppix disk that is forensically safe

• Includes improved versions of ‘dd’

• Terminal windows log everything for good documentation

• Includes Sleuthkit, Autopsy, chkrootkit, and others

• Includes tools that can be used on a live Windows machine, including precompiled binaries and live acquisition tools

• www.e-fense.com

• ProDiscover (free for schools)• www.techpathways.com

ANTI-FORENSICS

• Be Aware of activity in the Anti-Forensics area!! There are active efforts to produce tools to thwart your forensic investigation.

• Metasploit’s Anti-Forensic Toolkit*, Defiler’s Toolkit, etc.

• Timestomp• Transmogrify• Slacker• SAM juicer

Sysinternals

EVENT LOG

• Use to document unauthorized file and folder access

Acquire key dataAcquire key data

ACCESSCHK*

• Shows what folder permissions a user has

• Provides evidence that user has opportunity

Acquire key dataAcquire key data

PSLOGGEDON*

• Shows if a user is logged onto a computing resource

Acquire key dataAcquire key data

ROOTKIT REVEALER

• Reveals rootkits, which take complete control of a computer and conceal their existence from standard diagnostic tools

Acquire key dataAcquire key data

PSEXEC

• Allows investigator to remotely obtain information about a user’s computer - without tipping them off or installing any applications on the user’s computer

Acquire key dataAcquire key data

SYSINTERNALS TOOL: DU*

• Allows investigator to remotely examine the contents of user’s My Documents folder and any subfolders

Acquire key dataAcquire key data

FREE SERVER VRTUALIZATION SOFTWARE• Some of my favorite free virtualization tools:

• VMware vSphere ESXi Free Edition and VMware Go

• VMware vMA, vCLI (or command-line interface), PowerCLI, and scripts from the vGhetto script repository such as vSphereHealthCheck

• Veeam Monitor (free edition), FastSCP, and Business View

• Vizioncore Wastefinder, vConvert SC and Virtualization EcoShell

• SolarWinds' VM Monitor

• Trilead VM Explorer

• TripWire ConfigCheck

• ConfigureSoft/EMC Compliance Checker

• ESX Manager 2.3 from ESXGuide (ESX 3i and 4i are not supported)

• vKernel SearchMyVM, SnapshotMyVM, and Modeler

• Hyper9 GuessMyOS Plugin, Search Bar Plugin, and Virtualization Mobile Manager

• XtraVirt vAlarm and vLogView

SHAMELESS PLUG• Presentations on my site located at

• www.es-es.net

• Check out the presentation given this morning

• Manage & Secure Your Wireless Connections

• To learn more about GCA (Georgia Cumberland Academy)

• www.gcasda.org

• Face-Saving Tools for Managers

• http://tinyurl.com/y9oywob

• 20 great Windows open source projects

• http://tinyurl.com/yfh7d6t

• E-Crime Survey 2009

• http://tinyurl.com/ygtsgft