Five Steps to Improve Internal Network Security. Chattanooga Information security Professionals

Transcription

1 Five Steps to Improve Internal Network Security Chattanooga Information security Professionals

2 Who Am I? Security Analyst: Sword & Shield Blogger: averagesecurityguy.info Developer: github.com/averagesecurityguy I have been in IT since 2000 and in Information Security since I have worked as a programmer, technical trainer, system administrator, and information security auditor. I currently work as a Security Analyst at Sword & Shield, I maintain a blog at averagesecurityguy.info, and I have developed a few small projects, which are on github.com/ averagesecurityguy.

3 Since 1997 Sword & Shield Enterprise Security has been the trusted information security partner for more than 3,000 clients in all 50 states and 27 countries around the globe. We serve clients in the financial, health care, retail, manufacturing, energy & utilities, and education sectors.

4 Five Steps 1. Disable LM Hashes 2. Change Shared Local Admin Passwords 3. Disable Open File Shares 4. Change Default/Blank Passwords 5. Disable RDP Access

5 Disclaimer I see most things in black and white with a few shades of grey coming into focus once in while. Disable is very black and white and may not be suitable for all situations. If disabling RDP or open file shares does not work for you consider implementing other mitigating factors such as restricting access by IP address. As for the rest, I will remain emphatically black and white.

6 Disable LM Hashes LM is a weak hashing algorithm, which breaks 14 character or less passwords into two easily cracked 7 character or less passwords. Many tools exist to crack LM hashes. Ophcrack, John the Ripper, and Hashcat

7 Disable LM Hashes Group Policy 1. Open Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options 2. Network security: Do not store LAN Manager hash value on next password change. Local Machine 1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control \Lsa 2. Add DWORD NoLMHash 3. Set the value to 1 LM hashes are disabled by default in Windows Vista and above including Server 2008.

8 Disable LM Hashes Are You Sure? LM Hashes are not saved to disk but are still created in memory, which means they can be extracted and cracked.* The only solution is to use 15 character passwords. *

9 Disable LM Hashes Rainbowtables provide the best results for cracking LM hashes. I use both rcracki_mt and ophcrack for cracking LM hashes. Rcracki_mt cracked all 114 passwords in ~38 minutes including the most complex passwords. Ophcrack was able to crack 96 of them in 7.5 minutes, failing to get only the most complicated passwords. Fortunately, one of the passwords cracked was a domain admin account.

10 Ophcrack Demo

11 Change Shared Local Admin Passwords It is very common for the same local administrator password to be used throughout an organization. Once an attacker has the shared password he has control of a large portion of the organization. A recent client had multiple AD domains in use. I compromised a machine in one domain and cracked the local administrator password. Since this password was reused throughout the organization, I was able to access machines in the other domains and eventually obtained Domain Admin access on multiple domains.

12 Change Shared Local Admin Passwords Here are some of the 240 computers in this organization using the same admin password.

13 These methods will apply the new passwords to all computers affected by the GPO, which defeats the purpose if all computers are under the same GPO. I would recommend having workstations, servers, and Domain Controllers placed in separate OUs with appropriate GPOs applied and a different admin password for each group. I would also recommend all local administrator passwords be at least 15 characters to avoid LM hashes. Change Shared Local Admin Passwords 2003 AD Domain You can create a VB script and place it in the logon scripts of the GPO or run it as a standalone script with a list of computers to modify AD Domain 1. Open Computer Configuration -> Preferences -> Control Panel Settings -> Local Users and Groups 2. Right-click and select New -> Local User 3. In the dialog box set the Action to Update, set the Username to Administrator, and put in the password twice. * When placing a script in the GPO you risk exposing the password of the domain admin account used in the script. One option would be to setup the script, force a reboot of the client machines so the script gets applied, and then remove the script. Another option would be to run the script as a domain admin outside of the GPO. A list of computers would need to be supplied to the script to automate the process.

14 Disable Open File Shares Client 1 All shares on the primary file server were open and I found Protected Health Information and the source code to the client s web site, including database credentials. Client 2 A user was sharing files with Windows Simple File Sharing in Windows XP. The user shared a document containing passwords used by the marketing department, including passwords to the Facebook account and mailing list system. Also look for anonymous FTP servers, which can be excellent sources of sensitive files.

15 Disable Open File Shares I was able to access his Password1 database and Dropbox data.

16 Disable Open File Shares World writeable root owned files on an NFS share. We could add a script here or modify an existing script to run malicious code. I believe this was because squash root was not configured properly.

17 Disable Open File Shares Notice the root folder and the HIPAA folder.

18 Disable Open File Shares This was the file server for a law firm. Lots of case files in here.

19 Disable Open File Shares Windows Shares 1. Open Folder Options 2. Go to the View tab 3. Uncheck Use Simple File Sharing 4. View the Properties for a Folder 5. Go to the Sharing tab and set the permissions to Everyone Full Control 6. Go to the Security tab and set appropriate NTFS permissions.

20 Disable Open File Shares NFS Shares 1. Edit/etc/exports to ensure only appropriate directories are listed. 2. For each directory, ensure only the appropriate IP addresses are granted access. 3. Check the options for each IP address to ensure read/write permissions are set correctly. 4. Ensure root is properly squashed.

21 Change Default/Blank Passwords Blank sa passwords in MSSQL can lead to full machine compromise. Blank local administrator passwords allow full machine compromise. My favorite are default/blank passwords on devices like printers, scanners, UPSs, and blade management servers. Default and blank passwords are everywhere. I have compromised servers using blank sa passwords, blank local admin passwords, and default Apache Tomcat passwords. In one case I had access to the UPS web management server and could have shutdown the clients entire network by powering down the VM servers.

22 Change Default/Blank Passwords My preference is to put management systems on a separate network. If that is not possible then use a firewall to restrict access to the management interface. At a minimum a strong password should be used on the management interface.

23 Change Default/Blank Passwords Want to see every fax sent to the president of the company? Just change the address.

24 Change Default/Blank Passwords No credentials were necessary to access this page. Shall we launch a console?

25 Change Default/Blank Passwords A default password can get you console access?

26 Change Default/Blank Passwords Yes, I did get console access to the server but unfortunately no one was logged in at the console.

27 Change Default/Blank Passwords My personal favorite was a default password on an IBM iseries server. This is a screenshot of an FTP login but the default credentials also gave me SSH access and external Telnet access.

28 Change Default/Blank Passwords There is no automated method for fixing this issue. You can use tools like Nessus to help you identify vulnerable services but Nessus can not find everything. During a typical pentest, I manually browse to almost every web server found. Nessus will find most of the dangerous stuff like blank admin/root passwords, blank sa passwords, and Apache tomcat default passwords. Nessus can not determine weak passwords though.

29 Change Default/Blank Passwords Identify devices such as routers, switches, printers, and faxes. Disable any services not needed such as web servers and FTP. Put a strong password on any services that are not disabled. My preference is to disable the Web management functionality on most systems. If you can t do that, then restrict access to only specific IP addresses and make sure a strong password is used.

30 Change Default/Blank Passwords Default Password Lists:* *Visit these at your own risk. These are some web sites that maintain lists of default passwords. You can also do google searches for default passwords. For odd devices you can typically find the default passwords in the product manual.

31 Disable RDP Access Once logged in attacker has full control of machine. Local Administrator account cannot be logged out. (Morto Worm) MS12-020: Currently DOS only but RCE may become available soon. (Will be wormable.)

32 Disable RDP Access Morto Worm: The Morto worm scans a network for machines running RDP and attempts to login using the administrator account and a list of weak passwords. After it logs in it copies itself to the new machine, searches for other vulnerable machines and, it calls back to a C&C server to await commands.* *

33 Disable RDP Access MS12-020: The update in MS fixes a vulnerability in RDP, which is present in all versions of Windows.* Newer versions of RDP use network level authentication (NLA), which requires an attacker to authenticate to the server before connecting to the RDP service, but this does not fix the underlying vulnerability. The only fix is to apply the update. * **

34 Disable RDP Access Group Policy (Server 2003) 1. Open Computer Configuration -> Administrative Templates -> Windows Components -> Terminal Services 2. Set Allow users to connect remotely using Terminal Services to disabled.* * RDP is disabled by default in Windows XP / Server 2003 and above. Use Group Policy to ensure it stays disabled. Watch out for Windows 2000 machines, vendor system, etc. Use nmap to scan the network for RDP.

35 Disable RDP Access Group Policy (Server 2008) 1. Open Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Connections 2. Set Allow users to connect remotely using Remote Desktop Services to disabled.* *

36 Questions about the Five Steps? 1. Disable LM Hashes 2. Change Shared Local Admin Passwords 3. Disable Open File Shares 4. Change Default/Blank Passwords 5. Disable RDP Access

37 Five Steps to Improve Internal Network Security Chattanooga Information security Professionals