The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers (21 page)

What I try to accomplish in red teaming efforts is from the defen-

sive posture that I find companies picking up. They think, "Let's

assume the attacker's mentality. How would we defend against

it?" That's already strike one against them. They don't know how

they're going to act or react unless they know what's important to

them.

I agree; as Sun Tzu wrote: Know thy enemy and thyself, and you will be victorious.

All thorough pen tests -- when the client agrees -- use the same types of attack described earlier in this chapter.

We identify in our methodology four areas: Technical entry into

the network, which is much of what we talk about. Social engi-

neering, [which for us also includes] eavesdropping and shoulder

surfing. Dumpster diving. And then also physical entry. So those

four areas.

(Shoulder surfing is a colorful term for surreptitiously watching an employee type his or her password. An attacker skilled in this art has Chapter 6 The Wisdom and Folly of Penetration Testing 127

learned to watch the flying fingers carefully enough to know what the person has typed, even while pretending not to be paying attention.)

Attack! On the first day, Dustin walked into Biotech's lobby. Off to the right of the guard station was a restroom and the company cafeteria, both of which were readily accessible to visitors. On the other side of the guard station was the same conference room where Dustin's team had gathered for their initial meeting with the Biotech executives. The guard was cen- trally stationed to watch the primary access to the secured entrances, but the conference room was completely out of his range of vision. Anyone could walk in, no questions asked. Which is exactly what Dustin and his teammate did. And then they had plenty of time to take a leisurely look around. After all, no one knew they were even there.

They discovered a live network jack, presumably for the convenience of company personnel who wanted to be able to access the corporate net- work during meetings. Plugging in an Ethernet cable from his laptop to the wall jack, Dustin quickly found what he expected: He had access into the network from behind the company's firewall, which was an open invi- tation into the company's system.

Like a scene that should have the Mission Impossible music playing in the background, Dustin fastened to the wall a small wireless access device (like the one in Figure 6-1) and plugged it into the jack. The device would permit Dustin's people to penetrate the Biotech network from computers in a car or van parked nearby but outside the company's build- ing. Transmissions from such a "wireless access point" (WAP) device may reach distances up to 300 feet. Using a high-gain directional antenna allows connecting to the hidden WAP from an even greater distance.

Figure 6-1: Wireless device of the type used in the attack.

Dustin favors wireless access units that operate on European channels -- which gives his pen team a decided advantage, since the fre- quencies are much less likely to be detected. Also, "It doesn't look like a 128 The Art of Intrusion

wireless access point, so it doesn't tip people off. I've left them up for as long as a month without them being noticed and taken down."

When he installs one of these units, Dustin also puts up a small but very official-looking note card that reads, "Property of Information Security Services. Do Not Remove."

With temperatures hovering at seven below, neither Dustin nor his team buddies, now wearing jeans and T-shirts to stay in sync with the Biotech image, wanted to freeze their butts off sitting in a car parked on the lot. So they appreciated the fact that Biotech had offered the use of a small room in a nonsecured area of a nearby building. Nothing fancy, but the room was warm, and within range of the wireless device. They were connected -- for the company, a little too well connected.

As the team began exploring Biotech's network, the initial tentative reconnaissance located approximately 40 machines running Windows that had an administrative account with no password, or with a password of pass- word. In other words, they had no security at all, which as noted in earlier stories is unfortunately the case on the trusted side of corporate networks, with companies focusing on perimeter security controls to keep the bad guys out, but leaving the hosts on the inside vulnerable to attack. An attacker who finds a way to penetrate or get around the firewall is home free.

Once he had compromised one of those machines, Dustin extracted all the password hashes for every account and ran this file through the l0phtCrack program.

l0phtCrack at Work On a Windows machine, user passwords are stored in encrypted form (a "hash") in an area called the Security Accounts Manager (SAM); the passwords are not just encrypted, but encrypted in a scrambled form known as a "one-way hash," which means the encryption algorithm will convert the plaintext password to its encrypted form but cannot convert the encrypted form back to plaintext.

The Windows operating system stores two versions of the hash in the SAM. One, the "LAN Manager hash," or LANMAN, is a legacy version, a holdover from the pre-NT days. The LANMAN hash is computed from the uppercase version of the user's password and is divided into two halves of seven characters each. Because of the properties, this type of hash is much easier to crack than its successor, NT LAN Manager (NTLM), which among other features does not convert the password to uppercase characters.

As an illustration, here's an actual hash for a system administrator of a company I won't name: Chapter 6 The Wisdom and Folly of Penetration Testing 129

Administrator:500:AA33FDF289D20A799FB3AF221F3220DC:0ABC818FE0

5A120233838B9131F36BB1:::

The section between two colons that begins "AA33" and ends "20DC" is the LANMAN hash. The section from "0ABC" to "6BB1" is the NTLM hash. Both are 32 characters long, both represent the same password, but the first is much easier to crack and recover the plaintext password.

Since most users choose a password that is either a name or a simple dictionary word, an attacker usually begins by setting l0phtCrack (or whatever program he's using) to perform a "dictionary attack" -- testing every word in the dictionary to see if it proves to be the user's password. If the program doesn't have any success with the dictionary attack, the attacker will then start a "brute-force attack," in which case the program tries every possible combination (for example, AAA, AAB, AAC ... ABA, ABB, ABC, and so on), then tries combinations that include uppercase and lowercase, numerals, and symbols.

An efficient program like l0phtCrack can break simple, straightforward passwords (the kind that maybe 90 percent of the population uses) in seconds. The more complicated kind may take hours or days, but almost all account passwords succumb in time.

Access Dustin soon had cracked most of the passwords.

I tried logging into the primary domain controller with the

[administrator] password, and it worked. They used the same

password on the local machine as on the domain account. Now I

have administrator rights on the entire domain.

A primary domain controller (PDC) maintains the master database of domain users accounts. When a user logs in to the domain, the PDC authenticates the login request with the information stored in the PDC's database. This master database of accounts is also copied to the backup domain controller (BDC) as a precaution in the event the PDC goes down. This architecture has been substantially changed with the release of Windows 2000. These later versions of windows use what is called Active Directory, but for backward compatibility with old versions of Windows, there is at least one system that acts as the PDC for the domain.

He had the keys to Biotech's kingdom, gaining access to many internal documents labeled "confidential" or "internal use only." In his intense way, Dustin spent hours gathering sensitive information from the highly confi- dential drug safety files, which contain detailed information about possible ill effects caused by the pharmaceuticals the company was studying. 130 The Art of Intrusion

Because of the nature of Biotech's business, access to this information is strictly regulated by the Food and Drug Administration, and the success of the penetration test would need to be the subject of a formal report to that agency.

Dustin also gained access to the employee database that gave full name, email account, telephone number, department, position, and so forth. Using this information, he was able to select a target for the next phase of his attack. The person he chose was a company systems administrator involved in overseeing the pen test. "I figured even though I already had plenty of sensitive information, I wanted to show that there were multiple attack vectors," meaning more than one way to compromise information.

The Callisma team had learned that if you want to enter a secure area, there's no better way than to blend in with a group of talkative employ- ees returning from lunch. Compared to morning and evening hours when people may be edgy and irritable, after lunch they tend to be less vigilant, perhaps feeling a bit logy as their system digests the recent meal. Conversation is friendly, and the camaraderie is filled with free-flowing social cues. A favorite trick of Dustin's is to notice someone getting ready to leave the cafeteria. He'll walk ahead of the target and hold the door for him, then follow. Nine times out of ten -- even if it leads to a secured area -- the target will reciprocate by graciously holding the door open for him. And he's in, no sweat.

Alarmed Once the target had been selected, the team needed to figure out a way to physically enter the secured area, so they could attach to the target's computer a keystroke logger -- a device that would record every key typed on the keyboard, even keys typed at startup, before the operating system had loaded. On a system administrator's machine, this would likely inter- cept passwords to a variety of systems on the network. It could also mean the pen testers would be privy to messages about any efforts to detect their exploits.

Dustin was determined not to risk being caught tailgating. A little social engineering was called for. With free access to the lobby and cafe- teria, he got himself a good look at the employee badges and set about counterfeiting one for himself. The logo was no problem -- he simply copied it from the company Web site and pasted it into his design. But it wouldn't need to pass a close-up examination, he was sure.

One set of Biotech offices was located in a nearby building, a shared facility with offices rented to a number of different companies. The lobby had a guard on duty, including at night and on weekends, and a familiar Chapter 6 The Wisdom and Folly of Penetration Testing 131

card reader that unlocks the door from the lobby when an employee swiped a badge with the correct electronic coding.

I go up during the weekend, start flashing the false badge that I'd

made. I'm flashing the badge across the reader and of course it

doesn't work. The security guard comes, opens the door, and

smiles. I smile back, and blow by him.

Without a word passing between them, Dustin had successfully gotten past the guard, into the secured area.

But the Biotech offices still lay secure behind yet another reader. Weekend traffic in the building was nil.

There's nobody there on the weekend to tailgate through. So, try-

ing to find an alternate means of entry, I go up a glassed-in

staircase to the second level and figure I'll try the door and see if

it opens or not. I open it, it opens right up, there's no badge

requirement.

But alarms are going off everywhere. Apparently I'm going in

what's essentially a fire escape. I jump inside, the door slams

behind me. On the inside, there's a sign, "Do not open, alarm

will sound." My heart's beating 100 miles an hour.

The Ghost Dustin knew exactly which cubicle to head for. The employee database the team had compromised listed actual physical cube location for every worker. With the alarm bell still ringing in his ears, he headed for the cubicle of his target.

An attacker can capture the keystrokes on a computer by installing soft- ware that will record each key typed, and periodically email the data to a specified address. But, determined to demonstrate to the client that they were vulnerable to being penetrated in a variety of ways, Dustin wanted to use a physical means of doing the same thing.

The device he chose for the purpose was the Keyghost (see Figure 6-2). This is an innocent-looking object that connects between the keyboard and computer, and, because of its miniature size, is almost guaranteed to go unnoticed. One model can hold up to half a million keystrokes, which for the typical computer user represents weeks of typing. (There's a downside, however. The attacker must make a return trip to the site when it's time to recover the logger and read the data.) 132 The Art of Intrusion

Figure 6-2: The Keyghost keystroke logger.

It took Dustin only seconds to unplug the cable from keyboard to computer, plug in the Keyghost, and reconnect the cable. Getting done quickly was very much on his mind because "I'm assuming that the alarm is raised, the time's counting down, my hands are slightly shaky. I'm gonna be caught. You know nothing bad is essentially going to happen because I do have my `get-out-of-jail-free' card, but even so, the adren- aline is definitely flowing."

As soon as the Keyghost was installed, Dustin walked down the main stairway, which landed him near the security station. Applying another dose of social engineering, he brazenly confronted the problem.

I purposely left by the door that was right next to Security. Instead

of trying to avoid Security on my way out, I went directly up to

[the guard]. I said, "Look, I'm sorry for setting off the alarm,

that was me. I never come over to this building, I didn't think

that would happen, I really apologize." And the guard said, "Oh,

no problem."

Then he hopped on the phone, so I'm assuming he called somebody