peter wood – the ethical hacker

1

PETER WOOD – THE ETHICAL HACKER

The Ultimate Defence:

Think Like a Hacker

Peter WoodChief Executive Officer

First•Base Technologies LLP

An Ethical Hacker’s View of Corporate Security

Who is Peter Wood?

Worked in computers & electronics since 1969

Founded First Base in 1989 (one of the first ethical hacking firms)

CEO First Base Technologies LLPSocial engineer & penetration testerConference speaker and security ‘expert’

Member of ISACA Security Advisory GroupVice Chair of BCS Information Risk Management and Audit GroupUK Chair, Corporate Executive Programme

FBCS, CITP, CISSP, MIEEE, M.Inst.ISPRegistered BCS Security ConsultantMember of ACM, ISACA, ISSA, Mensa

Thinking like a hacker

• Hacking is a way of thinkingA hacker is someone who thinks outside the box. It's someone who discards conventional wisdom, and does something else instead. It's someone who looks at the edge and wonders what's beyond. It's someone who sees a set of rules and wonders what happens if you don't follow them. [Bruce Schneier]

• Hacking applies to all aspects of life- not just computers

Network Device Compromise

SNMPSimple Network Management Protocol

• A protocol developed to manage nodes (servers, workstations, routers, switches and hubs etc.) on an IP network

• Enables network administrators to manage network performance, find and solve network problems, and plan for network growth

• SNMP v1 is the de facto network management protocol

• SNMP v1 has been criticised for its poor security. Authentication is performed only by a ‘community string’, in effect a type of password, which is transmitted in clear text

SNMP Scanning

SNMP for hackers• If you know the read string (default public) you can read the entire MIB for

that device

• If you know the read-write string (default private) you may be able to change settings on that device

• You may be able to ‘sniff’ community strings off the network if they’ve been changed from the defaults

• You may be able to control a router or switch:– Intercept traffic and read sensitive information

– ‘Crash’ the network repeatedly

– Lock the device out, requiring physical access to reset it

• You may be able to list users, groups, shares etc. on servers

• You may be able to subvert wireless network security

Windows Hacking

Windows architecture

DomainController

DomainController

MemberServer

MemberServer

Workstation

Workstation

Workstation

Domain users and groups

Domain users and groups

Local users and groups

Local users and groups

Local users and groups

Local users and groups

Local users and groups

Domain logon

Global group in local group

Local logon

List privileged accounts andlook for service accounts

Case study: Administrator passwords

admin5crystalfinancefridaymacadminmonkeyorangepasswordpassword1praguepuddingrocky4securitysecurity1sparklewebadminyellow

Global firm worth £800million

• 67 Administrator accounts

• 43 simple passwords (64%)

• 15 were “password” (22%)

• Some examples we found ->

Case study: password crack

• 26,310 passwords from a Windows domain

• 11,279 (42.9%) cracked in 2½ minutes

• It’s not a challenge!

Laptop hacking

If we can boot from CD or USB …

We have some passwords!

… or just read the disk

Change the Administrator password

Desktop & Laptop Security

• Physical security on Windows desktops and laptops doesn’t exist

• Native Windows security is ineffective if you have physical access

• Everything is visible: e-mails, spreadsheets, documents, passwords

• If it’s on your machine - it’s stolen!

• Encryption is the best defence, coupled with lots of training!

Attack the building

Impersonating an employee

Impersonating a supplier

Do-it-yourself ID cards

Impersonate a cleaner• No vetting• Out-of-hours access• Cleans the desks• Takes out large black sacks

Data theft by keylogger

Keyghost log file

Keystrokes recorded so far is 2706 out of 107250 ...

<PWR><CAD>fsmith<tab><tab>arabella xxxxxxx <tab><tab> None<tab><tab> None<tab><tab> None<tab><tab> <CAD> arabella<CAD><CAD> arabella<CAD><CAD> arabellaexittracert 192.168.137.240telnet 192.168.137.240cisco

Peter WoodChief Executive Officer

First•Base Technologies LLP

peterw@firstbase.co.uk

http://firstbase.co.ukhttp://white-hats.co.ukhttp://peterwood.com

Blog: fpws.blogspot.comTwitter: @peterwoodx

Need more information?