
Hacking

www.hello-engineers.blogspot.com

CAN'T DEFEND WHAT YOU DON'T KNOW


Know your enemies and know yourself (Sun Tzu)

Hacker Mentality
Map your network regularly
Sniff and baseline your network; know what type of data needs to be going across your systems
Know what types of paths are open to your data: WiFi, USB, Bluetooth, remote access, Web 2.0, mobile device access

HACKER MENTALITY
Hackers are motivated by various factors:
Ego
Curiosity and challenge
Entertainment
Political beliefs
Desire for information
Thrill of gaining privileged access
Owning the system long term (Trojans, backdoors)
Attempting to compromise additional systems
A "trophy" to gain status

Hacker Stratification
Tier I

In the End there can only be 1


The best of the best
Ability to find new vulnerabilities
Ability to write exploit code and tools
Motivated by the challenge and, of course, money

Tier II
IT savvy
Ability to program or script
Understand what the vulnerability is and how it works
Intelligent enough to use the exploit code and tools with precision
Motivated by the challenge but primarily curiosity, some ego

Tier III
Script kiddies
Few real talents
Ability to download exploit code and tools written by others
Very little understanding of the actual vulnerability
Randomly fire off scripts until something works
Motivated by ego, entertainment, desire to hurt others

LOW HANGING FRUIT


Safe Mode / Hacker Mode: F8 or hold down the CTRL key
God Mode
Lab machines that require admin rights to run software
IronGeek.com / YouTube "Hack School": lots of step-by-step videos
Renamed EXEs, two fun ones: netsh.exe, utilman.exe

When using Microsoft GPOs, use hash instead of path
Use Windows Run
Use the IP address instead of the name
Use U3 devices or Portable Apps
Right-click, make a shortcut to the C drive if you hide the C drive
Use Bluetooth to make file transfers to Windows\System32; if they have USB access, they own it
Use MS Access to make a macro run CMD
Shutdown i

GOD MODE VISTA / WIN7


GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}

Other shortcuts:
{00C6D95F-329C-409a-81D7-C46C66EA7F33}
{0142e4d0-fb7a-11dc-ba4a-000ffe7ab428}
{025A5937-A6BE-4686-A844-36FE4BEC8B6D}
{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}
{1206F5F1-0569-412C-8FEC-3204630DFB70}
{15eae92e-f17a-4431-9f28-805e482dafd4}
{17cd9488-1228-4b2f-88ce-4298e93e0966}
{1D2680C9-0E2A-469d-B787-065558BC7D43}
{1FA9085F-25A2-489B-85D4-86326EEDCD87}
{208D2C60-3AEA-1069-A2D7-08002B30309D}
{20D04FE0-3AEA-1069-A2D8-08002B30309D}
{2227A280-3AEA-1069-A2DE-08002B30309D}
{241D7C96-F8BF-4F85-B01F-E2B043341A4B}
{4026492F-2F69-46B8-B9BF-5654FC07E423}
{62D8ED13-C9D0-4CE8-A914-47DD628FB1B0}
{78F3955E-3B90-4184-BD14-5397C15F1EFC}

Hiding things will not work

NOT ROCKET SCIENCE

2009 saw the first iPhone worm -- most attacks were near-identical to prior years, changing only the victims and the level of sophistication

FBI estimated small and medium businesses have lost $40 million to cybercrime since 2004

VIRUS CREATION
Anyone can do it!

MALWARE IS VERY COMMON


Malware: how common? Spyware, virus, worm

Tracking maps:
http://wtc.trendmicro.com/wtc/default.asp
http://www.fortiguard.com/map/worldmap.html

Symantec reported over million malwares since 2007

WILL VULNERABILITIES EVER GO AWAY?


If 95-99% of all attacks come from known vulnerabilities and misconfigurations [Carnegie Mellon],
and known vulnerabilities and misconfigurations come from human error,
and, for the foreseeable future, humans will be the creators and maintainers of technology,
then vulnerabilities (and risk) are here to stay!

MIS-CONFIGURATIONS
Easily guessed passwords
Admin / no password
Admin / username same as password
Admin / password
Common user/pass combinations: oracle/oracle

Default Password List http://tinyurl.com/39teob


Default installed files
Admin rights for software
Incorrect permissions
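A quick way to check a workstation for the account-side misconfigurations listed above (blank passwords allowed, the built-in Administrator left in place, admin rights handed out for software). This is an added example, not code from the presentation or its author; it assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later, PowerShell 5.1) and an elevated prompt on the machine being audited.

```powershell
# Added example, not part of the presentation: local-account audit for the
# misconfigurations on the slide. Needs Get-LocalUser / Get-LocalGroupMember
# (Microsoft.PowerShell.LocalAccounts) and must run elevated.

function Get-LocalAccountFindings {
    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($u in Get-LocalUser) {
        if (-not $u.Enabled) { continue }          # disabled accounts cannot be logged into

        # PasswordRequired = $false means Windows will accept a blank password for this account.
        if (-not $u.PasswordRequired) {
            $findings.Add([pscustomobject]@{ Account = $u.Name; Finding = 'blank password permitted' })
        }

        # RID 500 is the built-in Administrator. Leaving it enabled makes the
        # "Admin / no password" and "Admin / password" guesses on the slide trivial to try.
        if ($u.SID.Value -like '*-500') {
            $findings.Add([pscustomobject]@{ Account = $u.Name; Finding = 'built-in Administrator (RID 500) is enabled' })
        }

        # A password that has never been set usually means the image default is still in use.
        if ($null -eq $u.PasswordLastSet) {
            $findings.Add([pscustomobject]@{ Account = $u.Name; Finding = 'password never set' })
        }
    }

    # "Admin rights for software": every member of Administrators is a full-control
    # account for any malware that runs as that user, so list them all for review.
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        $findings.Add([pscustomobject]@{
            Account = $m.Name
            Finding = "member of local Administrators ($($m.ObjectClass) from $($m.PrincipalSource))"
        })
    }

    return $findings
}

# Usage: one row per finding; an empty table means none of these three checks fired.
Get-LocalAccountFindings | Sort-Object Account | Format-Table -AutoSize
```

The script deliberately does not try the weak username/password pairs from the slide against the accounts; whether a password equals the username is something to enforce through password policy and filters, not by guessing at it on a live machine. Run it as part of imaging so the findings are fixed before the workstation reaches a lab.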

MOBILE DEVICES EXPOSE YOU

I'm really an IP-connected computer!

USB ADDS RISK


Flash Memory Devices Containing what?

USING REMOTE ACCESS TO HACK


BackTrack4: Owning Vista with BackTrack http://www.offensive-security.com/backtracktutorials.php
How to put BT4 on a USB http://www.offensive-security.com/backtrack-tutorials.php
Portable Apps http://es-es.net
Mobile devices: iPhone, iPod Touch http://www.leebaird.com/Me/iPhone.html, Droid, PS2, others

Metasploit

SILVER BULLET EATER


Alternate Stream View, BinText, BitComet, CCleaner, ClamAV, ConvertAll Portable, Cool Player+ Portable, Defraggler, Dir HTML, File Shredder, Firefox, HTTrack, KeePass, LAN Search, LsaSecretsView, MACAddressView, MD5Checker, mRemote, netcheck, Netscan, Nmap, Pidgin Portable, PortableApps.com, Portable VirtualBox, Process Injection, Process Killer, Recuva File Restore, Sophos Anti-Rootkit, Stinger, Sumatra PDF, SuperScan, Sysinternals Suite, System Info, Tor, WinSCP, WirelessKeyView, Wireshark, YouTube Downloader, putty.exe

Links to Portable USB Software


http://www.portablefreeware.com/all.php
http://www.makeuseof.com/tag/portable-softwareusb/
http://en.wikipedia.org/wiki/List_of_portable_software
http://www.portablefreeware.com/index.php?sc=27
My set of portable apps: http://es-es.net/resources/Portable_Apps.zip

DEMO TIME
All resources on my site es-es.net

U3 POCKETKNIFE

Steal passwords, product keys, files; kill antivirus software; turn off the firewall; and more
For details see http://wapurl.co.uk/?719WZ2T

CUSTOMIZING U3
You can create a custom file to be executed when a U3 drive is plugged in. The custom U3 launcher runs PocketKnife, so all those things are stolen and put on the flash drive.


BACKTRACK IN VM U3 DEVICE

UBCD IN A VM TRACK THAT ONE.

Cain and Abel Local Passwords

PASSWORDS CRACKING
NTPassword: reset any admin password to blank http://home.eunet.no/pnordahl/ntpasswd/
Cain and Abel
BackTrack 4 (BT4) http://www.backtrack-linux.org/downloads/
Default Password List http://tinyurl.com/39teob
Paid password tools: http://www.brothersoft.com/downloads/crack-password.html, http://www.elcomsoft.com/index.html, http://www.accessdata.com/

DEFENSE

IMMEDIATE RISK REDUCTION


Disable AutoRun / keep system patches updated
Glue USB ports shut
Install Windows 7 64-bit: several cracking programs do not work
Get rid of admin rights; lock down workstations
Monitor WiFi access; secure your wireless networks http://es-es.net/13.html

USB blocking: Windows Group Policy, Netwrix
http://www.netwrix.com/usb_blocker.html

Several vendors on the show floor have options to limit or block USB
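Two of the risk-reduction controls above (disable AutoRun, block USB storage) come down to registry values that Group Policy or a script can set and, more importantly, re-check after every patch cycle. The script below is an added example, not part of the presentation or any vendor product; it uses the documented Windows registry locations for these settings and assumes an elevated PowerShell prompt on the target host.

```powershell
# Added example, not part of the presentation: audit and (optionally) apply two
# "immediate risk reduction" controls. Run elevated; supports -WhatIf for a dry run.

$Controls = @(
    @{
        Name  = 'AutoRun disabled for all drive types'
        Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        Value = 'NoDriveTypeAutoRun'
        Want  = 0xFF        # bit mask; 0xFF = no AutoRun on any drive type
    },
    @{
        Name  = 'USB mass-storage driver blocked'
        Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
        Value = 'Start'
        Want  = 4           # 4 = SERVICE_DISABLED; 3 (on demand) is the default
    }
)

function Get-ControlState {
    # Returns one object per control with the current value and a Compliant flag.
    foreach ($c in $Controls) {
        $current = $null
        if (Test-Path $c.Path) {
            $current = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        }
        [pscustomobject]@{
            Control   = $c.Name
            Path      = $c.Path
            Value     = $c.Value
            Current   = $current
            Expected  = $c.Want
            Compliant = ($current -eq $c.Want)
        }
    }
}

function Set-ControlState {
    # Writes the expected DWORD for every non-compliant control; honours -WhatIf/-Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($s in Get-ControlState) {
        if ($s.Compliant) { continue }
        if ($PSCmdlet.ShouldProcess("$($s.Path)\$($s.Value)", "set DWORD to $($s.Expected)")) {
            if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
            New-ItemProperty -Path $s.Path -Name $s.Value -Value $s.Expected -PropertyType DWord -Force | Out-Null
        }
    }
}

# Usage: report first, then apply (drop -WhatIf to make the change for real).
Get-ControlState | Format-Table -AutoSize
Set-ControlState -WhatIf
```

Disabling USBSTOR is the blunt version of the slide's "glue the ports shut": it stops every USB mass-storage device, including the U3 and portable-app drives discussed earlier, but also legitimate ones. In a domain, push the same values through a GPO (or the "Removable Storage Access" policies for per-device-class control) instead of running this per host, and keep the Get-ControlState half in a scheduled check, since a later update or a local admin can quietly revert either value.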

BETTER USB SOLUTION: IEEE 1667


Standard Protocol for Authentication in Host Attachments of Transient Storage Devices. USB devices can be signed and authenticated, so only authorized devices are allowed. Implemented in Windows 7. See http://tinyurl.com/ybce7z7


KEEP DATA SECURE WEB 2.0


Continued education of computer users
Don't click on strange links (avoid tempt-to-click attacks)
Do not release personal information online
Use caution with IM and SMS (short message service)
Be careful with social networking sites
Don't e-mail sensitive information
Don't hit reply to a received e-mail containing sensitive information
Require mandatory VPN (virtual private network) use over wireless networks

ADDRESSING THE THREATS


Design/implement widely accepted policies and standards
Identify the vulnerabilities, misconfigurations, and policy violations
Apply fixes and patches as quickly as possible
Mitigate the risk with intrusion prevention
Log and monitor all critical systems
Educate yourself and your staff
Disable Safe Mode
Lock systems: SteadyState, Deep Freeze, or others
Lock down Windows Group Policies
Block USB devices
Secure your WiFi network

THE LIST
Tools I use!

PASSWORD RECOVERY TOOLS:


Fgdump (mass password auditing for Windows) http://foofus.net/fizzgig/fgdump
Cain and Abel (password cracker and so much more) http://www.oxid.it/cain.html
John the Ripper (password cracker) http://www.openwall.org/john/
FSCrack, a GUI for John the Ripper http://www.foundstone.com/us/resources/proddesc/fscrack.htm
RainbowCrack: an innovative password hash cracker that makes use of a large-scale time-memory trade-off http://www.rainbowcrack.com/downloads/?PHPSESSID=776fc0bb788953e190cf415e60c781a5

NETWORKING SCANNING
MS Baseline Analyzer 2.1 http://www.microsoft.com/downloads/details.aspx?familyid=f32921af-9dbe-4dce-889eecf997eb18e9&displaylang=en
The Dude (mapper and traffic analyzer, great for WiFi) http://www.mikrotik.com/thedude.php
Getif (network SNMP discovery and exploit tool) http://www.wtcs.org/snmp4tpc/getif.htm
SoftPerfect Network Scanner http://www.softperfect.com/
HPing2 (packet assembler/analyzer) http://www.hping.org
ZENOSS (enterprise network mapping and monitoring) http://www.zenoss.com
TCPDump (packet sniffer) for Linux, or WinDump for Windows http://www.tcpdump.org and http://www.winpcap.org/windump/
LanSpy (local, domain, NetBIOS, and much more) http://www.lantricks.com/

TOOLS TO ASSESS VULNERABILITY


Nessus (vulnerability scanner) http://www.nessus.org
Snort (IDS, intrusion detection system) http://www.snort.org
Metasploit Framework (vulnerability exploitation tool); use with great caution and have permission http://www.metasploit.com/projects/Framework/
OpenVAS (Vulnerability Assessment System), enterprise network security scanner http://www.openvas.org

SECURE YOUR PERIMETER:


DNS-stuff and DNS-reports http://www.dnsstuff.com http://www.dnsreports.com
Test e-mail and HTML code: WebInspect, 15-day trial http://tinyurl.com/ng6khw
Security Space http://tinyurl.com/cbsr
Other firewall options: Untangle www.untangle.com, SmoothWall www.smoothwall.org, IPCop www.ipcop.org

More tools:
SoftPerfect Network Scanner: a multi-threaded IP, SNMP and NetBIOS scanner, very easy to use http://tinyurl.com/2kzpss
WinSCP: wraps a friendly GUI interface around the command-line switches needed to copy files between Windows and Unix/Linux http://tinyurl.com/yvywqu
Nagios: highly configurable, flexible network resource monitoring tool http://www.nagios.org
OpenDNS: another layer to block proxies and adult sites http://www.opendns.com/
CCleaner: removes unused files and other software that slows down your PC http://www.ccleaner.com/
File Shredder: a fast, safe and reliable tool to shred company files http://www.fileshredder.org/
GroundWork (open source): full enterprise performance and network management software, designed for data centers and large networks but usable in small shops as well (works with Nagios) http://www.groundworkopensource.com

Google (Get Google Hacking book) The Google Hacking Database (GHDB)
http://johnny.ihackstuff.com/modules.php?op=modload&name=Downloads&file=index

Cain and Abel (the Swiss Army knife): crack passwords, crack VoIP, and so much more http://www.oxid.it/cain.html
Autoruns / Sysinternals Suite: shows the programs that run during system boot-up or login http://tinyurl.com/3adktf
Iron Geek: step-by-step security training http://tinyurl.com/bzvwx
SuperScan 4: network scanner, find open ports (I prefer version 3) http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/superscan.htm
EventSentry: allows you to consolidate and monitor event logs in real time http://tinyurl.com/2g64sy

WELL-WORN TOOLS:
Wireshark: packet sniffer used to find passwords and other important network errors going across the network; SSL passwords are often sent in clear text before logging on http://tinyurl.com/yclvno
Metasploit: hacking/networking security made easy http://www.metasploit.com/
BackTrack or UBCD4WIN boot CD: cleaning infected PCs or the ultimate hacking environment; will run from USB http://www.backtrack-linux.org/downloads/ http://tinyurl.com/38cgd5
ReadNotify: registered e-mail http://www.readnotify.com/
Virtual machine for pen testing http://tinyurl.com/2qhs2e

DIGITAL FORENSICS
First and foremost: I am not a lawyer. Always consult your local law enforcement agency and legal department first!

Digital forensics is SERIOUS BUSINESS


You can easily shoot yourself in the foot by doing it incorrectly. Get some in-depth training; this is not in-depth training!!! (Nor is it legal advice. Be smart. The job you save may be your own.)

FORENSICS: OPEN SOURCE / FREE TO K-12


Helix (e-fense): customized Knoppix disk that is forensically safe
Includes improved versions of dd
Terminal windows log everything for good documentation
Includes Sleuthkit, Autopsy, chkrootkit, and others
Includes tools that can be used on a live Windows machine, including precompiled binaries and live acquisition tools

www.e-fense.com

ProDiscover (free for schools)


www.techpathways.com

ANTI-FORENSICS
Be aware of activity in the anti-forensics area!! There are active efforts to produce tools to thwart your forensic investigation.

Metasploit's Anti-Forensic Toolkit*, Defiler's Toolkit, etc.


Timestomp, Transmogrify, Slacker, SAM Juicer

Sysinternals

EVENT LOG
Acquire key data
Use to document unauthorized file and folder access
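To make the event log usable as documentation of file and folder access, the audit has to be switched on before the incident (the "File System" subcategory of Object Access auditing, plus a SACL on the folder of interest); after that, every access shows up as Security event ID 4663. The function below is an added example, not code from the presentation or from Sysinternals; it assumes an elevated prompt and that the audit settings above are already in place on the machine being queried. The path prefix and the output file name are placeholders.

```powershell
# Added example, not part of the presentation: pull Security-log events for file and
# folder access (event ID 4663, "An attempt was made to access an object") under a
# given path and turn them into a timestamped evidence table.
# Prerequisites: auditpol /set /subcategory:"File System" /success:enable /failure:enable
# and a SACL on the folder; without both there are simply no 4663 events to collect.

function Get-FileAccessEvidence {
    param(
        [Parameter(Mandatory)] [string] $PathPrefix,            # e.g. 'D:\HR\' (placeholder)
        [datetime] $Since = (Get-Date).AddDays(-1),
        [string] $ComputerName = $env:COMPUTERNAME
    )

    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read EventData fields by name rather than by position; the order differs between OS versions.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        $object = $d['ObjectName']
        if (-not $object) { continue }
        if (-not $object.StartsWith($PathPrefix, [System.StringComparison]::OrdinalIgnoreCase)) { continue }

        [pscustomobject]@{
            Time       = $e.TimeCreated
            Computer   = $e.MachineName
            User       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            LogonId    = $d['SubjectLogonId']          # ties the access to a 4624 logon event
            Object     = $object
            Access     = ($d['AccessList'] -replace '\s+', ' ').Trim()   # %%4416 = ReadData, etc.
            AccessMask = $d['AccessMask']
            Process    = $d['ProcessName']
            RecordId   = $e.RecordId                   # cite this number in the case notes
        }
    }
}

# Usage: everyone who touched anything under D:\HR\ in the last 7 days, oldest first,
# exported as CSV so the table can be attached to the investigation file as-is.
Get-FileAccessEvidence -PathPrefix 'D:\HR\' -Since (Get-Date).AddDays(-7) |
    Sort-Object Time |
    Export-Csv -Path "$env:USERPROFILE\Desktop\file-access-evidence.csv" -NoTypeInformation
```

The AccessList codes (%%4416 and friends) are resolved to names in Event Viewer's rendered message; the raw codes are kept here because they are what the log actually contains. Note that 4663 records the access, not the content: pairing the LogonId with the matching 4624 logon event is what shows where and how the user got on the machine.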

ACCESSCHK*
Acquire key data
Shows what folder permissions a user has Provides evidence that user has opportunity

PSLOGGEDON*
Acquire key data
Shows if a user is logged onto a computing resource

ROOTKIT REVEALER
Acquire key data
Reveals rootkits, which take complete control of a computer and conceal their existence from standard diagnostic tools

PSEXEC
Acquire key data
Allows the investigator to remotely obtain information about a user's computer without tipping them off or installing any applications on the user's computer

SYSINTERNALS TOOL: DU*


Acquire key data
Allows the investigator to remotely examine the contents of the user's My Documents folder and any subfolders

FREE SERVER VIRTUALIZATION SOFTWARE


Some of my favorite free virtualization tools:
VMware vSphere ESXi Free Edition and VMware Go
VMware vMA, vCLI (command-line interface), PowerCLI, and scripts from the vGhetto script repository such as vSphereHealthCheck
Veeam Monitor (free edition), FastSCP, and Business View
Vizioncore Wastefinder, vConvert SC and Virtualization EcoShell
SolarWinds VM Monitor
Trilead VM Explorer
TripWire ConfigCheck
ConfigureSoft/EMC Compliance Checker
ESX Manager 2.3 from ESXGuide (ESX 3i and 4i are not supported)
vKernel SearchMyVM, SnapshotMyVM, and Modeler
Hyper9 GuessMyOS Plugin, Search Bar Plugin, and Virtualization Mobile Manager
XtraVirt vAlarm and vLogView

SHAMELESS PLUG
Presentations on my site located at www.es-es.net
Manage & Secure Your Wireless Connections www.gcasda.org http://tinyurl.com/y9oywob http://tinyurl.com/yfh7d6t http://tinyurl.com/ygtsgft
Check out the presentation given this morning
To learn more about GCA (Georgia Cumberland Academy)
Face-Saving Tools for Managers
20 great Windows open source projects
E-Crime Survey 2009
