© 2006 Cisco Systems, Inc. All rights reserved. SND v2.01-1 Introduction to Network Security Policies Thinking Like a Hacker.

Transcript:


Outline
How Do Hackers Think?
– Step 1: Footprint Analysis
– Step 2: Enumerate Information
– Step 3: Manipulate Users to Gain Access
– Step 4: Escalate Privileges
– Step 5: Gather Additional Passwords and Secrets
– Step 6: Install Back Doors and Port Redirectors
– Step 7: Leverage the Compromised System
Best Practices to Defeat Hackers

"All men by nature desire knowledge."
Aristotle, 384–322 B.C.

Thinking Like a Hacker
Seven steps for compromising targets and applications:
Step 1: Perform footprint analysis (reconnaissance).
Step 2: Enumerate information.
Step 3: Manipulate users to gain access.
Step 4: Escalate privileges.
Step 5: Gather additional passwords and secrets.
Step 6: Install back doors.
Step 7: Leverage the compromised system.

Step 1: Footprint Analysis
Web pages, phone books, company brochures, subsidiaries, and so on
Knowledge of acquisitions
nslookup command to reconcile domain names against IP addresses of the company servers and devices
Port scanning to find open ports and operating systems installed on hosts
traceroute command to help build topology
Whois queries

Defeat Footprinting
Keep all sensitive data off line (business plans, formulas, and proprietary documents).
Minimize the amount of information on your public website.
Examine your own website for insecurities.
Run a ping sweep on your network.
Familiarize yourself with ARIN to determine network blocks.

Step 2: Enumerate Information
Find your server applications and versions:
– What are your web, FTP, and mail server versions?
– Listen to TCP and UDP ports and send random data to each.
– Cross-reference information to vulnerability databases to look for potential exploits.
Exploit selected TCP ports:
– Windows NT, 2000, and XP file sharing using SMB protocol uses TCP port 445.
– In Windows NT, SMB runs on top of NetBT using ports 137, 138 (UDP), and 139 (TCP).

Step 3: Manipulate Users to Gain Access
Social engineering techniques:
– Social engineering techniques by telephone
– Dumpster diving
– Reverse social engineering techniques
Password cracking tools and techniques:
– Word lists
– Brute force
– Hybrids
Aimed at:
– Network basic I/O system (NetBIOS) over TCP (TCP 139)
– Direct host (TCP 445)
– FTP (TCP 21)
– Telnet (TCP 23)
– SNMP (UDP 161)
– PPTP (TCP 1723)
– Terminal services (TCP 3389)

Step 4: Escalate Privileges
The hacker will review all the information that the hacker can see on the host:
– Files containing usernames and passwords
– Registry keys containing application or user passwords
– Any available documentation (for example, )
If the host cannot be seen by the hacker, the hacker may launch a Trojan application such as W32/QAZ to determine the hostname.

Step 5: Gather Additional Passwords and Secrets
Hackers target:
– The local security accounts manager database
– The active directory of a domain controller
Hackers can use legitimate tools including pwdump and lsadump applications.
Hackers gain administrative access to all computers by cross-referencing usernames and password combinations.

Step 6: Install Back Doors and Port Redirectors
Back doors:
Back doors provide:
– A way back into the system if the front door is locked
– A way into the system that is not likely to be detected
Back doors may use reverse trafficking:
– Example: Code Red ("HELLO! Welcome to Hacked By Chinese!")
Port redirectors:
Port redirectors can help bypass port filters, routers, and firewalls, and may even be encrypted over a Secure Sockets Layer tunnel to evade intrusion detection devices.

Step 7: Leverage the Compromised System
Back doors and port redirectors let hackers attack other systems in the network.
Reverse trafficking lets hackers bypass security mechanisms.
Trojans let hackers execute commands undetected.
Scanning and exploiting the network can be automated.
The hacker remains behind the cover of a valid administrator account.
The whole seven-step process is repeated as the hacker continues to penetrate the network.

Best Practices to Defeat Hackers
Keep patches up to date.
Shut down unnecessary services and ports.
Use strong passwords and change them often.
Control physical access to systems.
Curtail unexpected and unnecessary input.
Perform system backups and test them on a regular basis.
Warn everybody about social engineering.
Encrypt and password-protect sensitive data.
Use appropriate security hardware and software.
Develop a written security policy for the company.
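An added example, not part of the Cisco slides: a check for the "Shut down unnecessary services and ports" practice that reads saved `ss -tuln` output from one of your own Linux hosts and flags listeners on the ports the Step 3 slide names as password-guessing targets. The sample output, the function names and the loopback exemption are assumptions made for this illustration.

```python
# Added illustration; not from the Cisco course material.
# (protocol, port) -> service, taken from the Step 3 slide's "aimed at" list.
TARGETED = {
    ("tcp", 139): "NetBIOS over TCP",
    ("tcp", 445): "Direct host (SMB)",
    ("tcp", 21): "FTP",
    ("tcp", 23): "Telnet",
    ("udp", 161): "SNMP",
    ("tcp", 1723): "PPTP",
    ("tcp", 3389): "Terminal services",
}

# Constructed sample of `ss -tuln` output (addresses are documentation values).
SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      32     127.0.0.1:21       0.0.0.0:*
tcp   LISTEN 0      128    [::]:23            [::]:*
tcp   LISTEN 0      50     192.0.2.10:445     0.0.0.0:*
tcp   LISTEN 0      50     [::1]:3389         [::]:*
"""

def parse_listeners(ss_output):
    """Yield (proto, address, port) for each socket line in `ss -tuln` text."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        addr, _, port = fields[4].rpartition(":")
        if port.isdigit():
            yield fields[0], addr, int(port)

def is_loopback(addr):
    """Assumption: a listener bound only to loopback is not reachable remotely."""
    return addr.startswith("127.") or addr == "[::1]"

def audit(ss_output):
    """Return sorted (proto, port, service, address) for exposed targeted services."""
    findings = set()
    for proto, addr, port in parse_listeners(ss_output):
        name = TARGETED.get((proto, port))
        if name and not is_loopback(addr):
            findings.add((proto, port, name, addr))
    return sorted(findings)

if __name__ == "__main__":
    for proto, port, name, addr in audit(SAMPLE):
        print(f"{proto}/{port} {name} listening on {addr}: disable or restrict")
```
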

Summary
Hackers generally follow a systematic and rigorous seven-step process to break into networks.
Hackers start by building a footprint.
Common sense steps are required to frustrate footprinting.
Hackers discover exploits and vulnerabilities by learning what server and application versions you are running.
Social engineering, dumpster diving, and plain hard work allow hackers to discover usernames and passwords.
Once they have gained access to a network, hackers escalate their user privileges to administrator levels.

Summary (Cont.)
Posing as administrators, hackers gather additional passwords and secrets and exploit more devices.
Back doors and port redirectors allow hackers to come and go as they like.
Once they have free rein, hackers can attack other parts of your network.
There are some best practices to help you defend your network from hackers.
