Tuesday, June 07, 2005
Anatomy of a Network Hack: How to get your network hacked in 10 easy steps
This session was presented by Jesper Johansson, Senior Program Manager in the Security Tools department.
You need to understand what really good hackers actually do.
Is anyone after you???
Picture of construction road sign that shows
Question: If your company does direct deposit for payroll, how easy would it be to find out if there are people on your payroll that don't work for your company?
Example from last TechEd where an attendee went back and had his company do manual payroll for 1 cycle. They found "several" people on the payroll that were not employees.
Know your adversary!!!
Picture of a homeless man with a sign that reads "Will Code HTML for Food"
You need the right weapons!!!
Picture of a man strapped underneath an airplane with a machine gun
1. Try and ping the target
There really is no good reason to enable ICMP from outside to inside your network.
2. Portscan - this tells you what ports are open on the target machine.
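To make steps 1 and 2 concrete, here is an added example of the kind of TCP connect scan an attacker runs once ICMP is blocked (it does not use ping at all). This is my own illustration, not code from the session or from Jesper Johansson; to keep it runnable offline it opens a throwaway listener on 127.0.0.1 to stand in for the target and scans a window of ports around it. Host, port window and the `demo` helper are assumptions for the demo.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def tcp_port_open(host, port, timeout=0.5):
    """Return True if a TCP three-way handshake to host:port completes.

    No ICMP is involved: blocking ping at the perimeter does not stop
    this, because a listening port still answers SYN with SYN/ACK.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:  # refused, timed out or unreachable
            return False


def scan_ports(host, ports, timeout=0.5, workers=32):
    """Return the sorted list of ports on host that accept a TCP connection."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: (p, tcp_port_open(host, p, timeout)), ports)
        return sorted(p for p, is_open in results if is_open)


def start_listener(host="127.0.0.1"):
    """Bind a throwaway listener on an OS-chosen port to act as the 'target'.

    Returns (socket, port). Constructed for the demo only.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def demo(width=25):
    """Open one local listener, scan a window of ports around it and
    return (listener_port, open_ports_found). The listener's port must
    show up in the result; other local services in the window may too."""
    srv, target_port = start_listener()
    try:
        window = range(max(1, target_port - width), target_port + width + 1)
        found = scan_ports("127.0.0.1", window)
    finally:
        srv.close()
    return target_port, found


if __name__ == "__main__":
    port, found = demo()
    print(f"listener on {port}; open ports seen by scanner: {found}")
```

On a real engagement the same loop is pointed at internal hosts from the first box the attacker lands on, which is why the "unrestricted internal traffic" item later in these notes matters: host firewalls and internal segmentation are what turn a full-range scan into a short list.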
Knocking down the side door...
The problem is not the database back-end - it is usually the Web App that is broken
Have you logged on with a Domain Admin account on a non-Domain Controller recently?
If you have, you have just reduced the security of your entire network to that of the least secure machine you have ever logged on to with that account.
Do you have identical accounts with the same password in different domains or forests?
Cracking passwords is a waste of time. If a hacker can get a list of the hashes, they won't bother cracking them: on Windows the hash itself is the credential, so it can be used directly to authenticate.
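Why a stolen hash is as good as the password: the NTLM challenge/response is computed from the NT hash, never from the cleartext. The following is an added example (mine, not from the session or the book) that builds and verifies an NTLMv2 response as laid out in MS-NLMP, starting from a 16-byte NT hash exactly as an attacker would hold it after dumping it from a machine a Domain Admin logged on to. The NT hash, server challenge, user, domain and AV_PAIR target info are constructed demo values; the MD4 step that derives the NT hash from a password is deliberately left out because the attacker does not need it (and `hashlib` may not offer MD4 on modern OpenSSL builds).

```python
import hashlib
import hmac
import os
import struct
import time

WINDOWS_EPOCH_OFFSET = 11644473600  # seconds between 1601-01-01 and 1970-01-01


def ntlmv2_key(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 from MS-NLMP: HMAC-MD5 keyed with the 16-byte NT hash over
    UTF-16LE(UPPERCASE(user) + domain). The input is the hash, not the password."""
    ident = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, ident, hashlib.md5).digest()


def filetime_now() -> int:
    """Current time as a Windows FILETIME (100 ns ticks since 1601-01-01)."""
    return int((time.time() + WINDOWS_EPOCH_OFFSET) * 10_000_000)


def ntlmv2_response(nt_hash, user, domain, server_challenge, target_info,
                    client_nonce=None, timestamp=None):
    """Build the NtChallengeResponse field of an AUTHENTICATE_MESSAGE.

    Layout: NTProofStr (16 bytes) || blob, where
      blob = 0x01010000 | 4 reserved bytes | FILETIME | 8-byte client nonce
             | 4 reserved bytes | target_info (server's AV_PAIRs) | 4 zero bytes
      NTProofStr = HMAC-MD5(NTOWFv2, server_challenge || blob)
    """
    if len(server_challenge) != 8:
        raise ValueError("server challenge must be 8 bytes")
    client_nonce = client_nonce if client_nonce is not None else os.urandom(8)
    timestamp = timestamp if timestamp is not None else filetime_now()
    blob = (b"\x01\x01\x00\x00" + b"\x00" * 4 + struct.pack("<Q", timestamp)
            + client_nonce + b"\x00" * 4 + target_info + b"\x00" * 4)
    key = ntlmv2_key(nt_hash, user, domain)
    nt_proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return nt_proof + blob


def verify_ntlmv2_response(nt_hash, user, domain, server_challenge, response):
    """What the authenticating side does: recompute NTProofStr from its own
    copy of the NT hash and compare. The domain controller also stores only
    the hash, so both ends of the exchange work purely from hash material."""
    nt_proof, blob = response[:16], response[16:]
    key = ntlmv2_key(nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(nt_proof, expected)


# --- constructed demo values (not real credentials) --------------------------
STOLEN_NT_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef")  # "dumped" hash
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")                # from CHALLENGE_MESSAGE
# One AV_PAIR: MsvAvNbDomainName (id 2, len 8) = "CORP" in UTF-16LE, then MsvAvEOL.
TARGET_INFO = b"\x02\x00\x08\x00" + "CORP".encode("utf-16-le") + b"\x00\x00\x00\x00"


def demo():
    """Answer the challenge as the user holding only the hash; returns True
    when the verifier accepts it, which it does without any password."""
    resp = ntlmv2_response(STOLEN_NT_HASH, "Administrator", "CORP",
                           SERVER_CHALLENGE, TARGET_INFO,
                           client_nonce=bytes(8), timestamp=0)
    return verify_ntlmv2_response(STOLEN_NT_HASH, "Administrator", "CORP",
                                  SERVER_CHALLENGE, resp)


if __name__ == "__main__":
    print("accepted with hash only:", demo())
```

The practical consequence, and the reason the notes say cracking is a waste of time, is that protecting the hash is the whole game: never expose a high-privilege account's hash on a low-trust machine, which is exactly what logging on to a workstation or member server with a Domain Admin account does.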
Unrestricted/unfiltered internal traffic
Moral of the story:
Most networks today are built like eggshells: hard on the outside, but soft and gooey on the inside. All you have to do is find one hole through the outside, and typically you will then own the entire network.
1. Update resume
2. Hope the hacker does a good job running the network
3. Nuke and rebuild.
How to get your network hacked in 10 easy steps
1. Don't patch anything.
2. Run unhardened applications
3. Use one admin account, everywhere (you should be using different admin accounts for every machine)
4. Open lots of holes in your firewall
5. Allow unrestricted internal traffic
6. Allow all outbound traffic
7. Don't harden servers
8. Re-use your passwords
9. Use high-level service accounts in multiple places
10. Assume everything is OK
What they don't want you to do
1. Ensure everything is properly patched
2. Use properly hardened applications
3. Use least privilege
4. Open only necessary holes in firewalls
5. Restrict internal traffic
6. Restrict outbound traffic
7. Harden servers
8. Use unique passphrases or smart cards
9. Micro-manage service accounts
10. Maintain a healthy level of paranoia
Book - Protect your Windows Network - Jesper Johansson and Steve Riley
Promo code JJSR6437