
Defending Windows Networks – Day 2


So today, after an initial introduction to several of the freely available security tools, we were required to update our toolbox with new versions of the following software, for which I have included the corresponding web sites:

Karl had already created a Security Tools folder which contained a multitude of other security tools along with this morning's downloads, as seen below.

Once they were downloaded we began Exercise 3, “Installing Security Tools”. This involved installing the following from the list above:

  • Wireshark
  • LANguard
  • Metasploit
  • LC5
  • Superscan
  • Back Orifice
  • Aircrack-ng

It appears, however, that we may need to downgrade the Metasploit install as the new version is currently command line only and runs using Linux commands.

After installing the utilities we continued with section 3, “Target Acquisition”, which describes the kinds of organizations that are high-profile targets, such as government agencies, financial institutions, the military and schools. After deciding whom to attack, the next step is reconnaissance on the internet to discover as much information about that organization as possible, such as the following:

  • Job postings (can reveal what technologies they are currently implementing)
  • DNS and WHOIS records (usually looking for admin contact information or IP address ranges)
  • Google hacks (searching for specific file types associated with that company)

It was just a matter of time before the topic of “Windows Hacking” came up, and for obvious reasons. It is by far the most popular OS among both home and corporate desktop users, who are almost always poorly trained in computer security best practices. The users who write their passwords on sticky notes and post them on their monitor risk compromising their immediate division's resources and quite possibly other sections of the network. The same person wouldn't leave their house key attached to the front door for anyone to use, but they don't apply the same principle to computer security. This doesn't make them idiots, just uneducated in security best practices… Well, maybe the sticky notes might qualify them for idiot status, but there are many other areas of possible compromise that could be avoided with a little training.

And so it is now time for Exercise 4, “Network Scanning and Footprinting”. This exercise uses the following tools to scan for open ports and then determine their corresponding services:

  • Superscan
  • LANguard
  • Zenmap (GUI front end for Nmap)

The most effective tool by far was LANguard, as it reported far more than just open ports. I did like, however, the topology view in Zenmap, which color coded the machines based on their attack and vulnerability status.
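What the three scanners in Exercise 4 do under the hood is a TCP connect() scan followed by a service lookup and, where the service talks first, a banner grab. The script below is an added example written for this post (it is not code from the course or from any of the tools named above): it scans a port range, maps open ports to IANA service names, reads the greeting banner, and, so that it runs offline, starts its own constructed stand-in target on the loopback interface that greets like an FTP daemon. The banner text and the small service table are assumptions made for the example.

```python
import socket
import threading

# Fallback service table for hosts whose /etc/services is missing (constructed for this example).
WELL_KNOWN = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "domain",
              80: "http", 110: "pop3", 135: "msrpc", 139: "netbios-ssn",
              143: "imap", 443: "https", 445: "microsoft-ds", 3389: "ms-wbt-server"}


def service_name(port):
    """Map a TCP port to its IANA service name: local table first, then the OS services database."""
    if port in WELL_KNOWN:
        return WELL_KNOWN[port]
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return "unknown"


def grab_banner(host, port, timeout=1.0):
    """Read whatever the service says first; FTP, SMTP and POP3 all greet on connect."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return s.recv(256).decode("ascii", "replace").strip()
    except OSError:
        return ""


def connect_scan(host, ports, timeout=0.5):
    """TCP connect() scan. The handshake completes, so the target logs it and an IDS sees it.
    Returns {port: (service, banner)} for every open port."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:          # 0 = connected, else errno (e.g. ECONNREFUSED)
                results[port] = (service_name(port), grab_banner(host, port, timeout))
    return results


def start_fake_ftp(banner=b"220 lab-ftp FileZilla Server ready\r\n"):
    """Constructed stand-in target: a loopback listener that greets like an FTP daemon.
    Returns the listening socket (close it to stop) and the ephemeral port it got."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                              # listener closed: stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_fake_ftp()
    for p, (svc, banner) in sorted(connect_scan("127.0.0.1", range(port - 5, port + 5)).items()):
        print(f"{p}/tcp open  {svc:14s} {banner}")
    srv.close()
```

Because the scan completes the handshake on every open port, it is the noisiest way to footprint a host; SYN scans and the slower timing templates in Nmap exist precisely to avoid leaving that trail in the target's logs.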

After lunch we moved on to section 5, “Sniffing Around”, covering tools like Wireshark and Cain & Abel that sniff network traffic and use the results as a means of discovery. The first demonstration, using Cain & Abel, recovered FTP and Outlook Express POP3 usernames\passwords. I have to admit that I was not aware that Outlook Express sends credentials in plain text, but in hindsight I realize just how obvious this was. None of FTP, POP3, SMTP or Telnet encrypt traffic by default (their TLS-wrapped variants do, but only when both client and server are configured to use them). When accessing Hotmail using the web, the original connection used to authenticate via username\password is transmitted over HTTPS (encrypted); all subsequent traffic uses HTTP. When using Outlook Express, all email traffic uses either POP3 (download) or SMTP (send).
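The credential recovery Cain & Abel performed in that demonstration is nothing more than reading the reassembled client-to-server stream and picking out the login commands. The following is an added example written for this post, not code from Cain & Abel or the course: it parses constructed POP3 and FTP streams for USER/PASS, and goes a little beyond the demo by also decoding SMTP AUTH PLAIN/LOGIN and HTTP Basic, both of which only base64-encode the password. All usernames, passwords and host names in the samples are made up.

```python
import base64
import re

# Destination ports the parser keys on, the same way a sniffer's filters are organised.
PORT_PROTO = {21: "ftp", 110: "pop3", 25: "smtp", 587: "smtp", 80: "http", 8080: "http"}


def _b64(s):
    """Decode base64 text to str, or None if it is not valid base64."""
    try:
        return base64.b64decode(s, validate=True).decode("latin-1")
    except ValueError:
        return None


def _user_pass(lines, proto):
    """FTP and POP3 share the same cleartext login: USER <name> then PASS <secret>."""
    creds, user = [], None
    for line in lines:
        cmd, _, arg = line.partition(" ")
        if cmd.upper() == "USER":
            user = arg
        elif cmd.upper() == "PASS" and user is not None:
            creds.append((proto, user, arg))
            user = None
    return creds


def _smtp_auth(lines):
    """SMTP AUTH PLAIN / AUTH LOGIN: base64 is encoding, not encryption."""
    creds = []
    for i, line in enumerate(lines):
        words = line.split()
        if len(words) < 2 or words[0].upper() != "AUTH":
            continue
        mech = words[1].upper()
        if mech == "PLAIN":
            # credentials are either inline or on the next line, after the server's 334 prompt
            blob = _b64(words[2] if len(words) > 2 else (lines[i + 1] if i + 1 < len(lines) else ""))
            if blob and blob.count("\x00") == 2:            # authzid \0 authcid \0 password
                _, user, pw = blob.split("\x00")
                creds.append(("smtp", user, pw))
        elif mech == "LOGIN" and i + 2 < len(lines):
            user, pw = _b64(lines[i + 1]), _b64(lines[i + 2])
            if user is not None and pw is not None:
                creds.append(("smtp", user, pw))
    return creds


def _http_basic(lines):
    """HTTP Basic auth: base64("user:password") in the Authorization header of every request."""
    creds = []
    for line in lines:
        m = re.match(r"Authorization:\s*Basic\s+(\S+)", line, re.IGNORECASE)
        if m:
            blob = _b64(m.group(1))
            if blob and ":" in blob:
                user, _, pw = blob.partition(":")
                creds.append(("http-basic", user, pw))
    return creds


def extract_credentials(dst_port, stream):
    """Pull logins out of one client-to-server TCP stream.

    Returns a list of (protocol, username, password). Ports that are not one of the known
    cleartext protocols yield [] (an HTTPS stream on 443 is opaque to this parser).
    """
    proto = PORT_PROTO.get(dst_port)
    lines = stream.decode("latin-1").split("\r\n")      # latin-1 never fails on captured bytes
    if proto in ("ftp", "pop3"):
        return _user_pass(lines, proto)
    if proto == "smtp":
        return _smtp_auth(lines)
    if proto == "http":
        return _http_basic(lines)
    return []


# Constructed client-to-server streams standing in for reassembled captures.
SAMPLE_POP3 = b"USER alice@example.test\r\nPASS Summer2009!\r\nSTAT\r\nQUIT\r\n"
SAMPLE_FTP = b"USER ftpadmin\r\nPASS ftp-secret\r\nPWD\r\n"
SAMPLE_SMTP = (b"EHLO laptop\r\nAUTH PLAIN " + base64.b64encode(b"\x00bob\x00hunter2")
               + b"\r\nMAIL FROM:<bob@example.test>\r\n")
SAMPLE_HTTP = (b"GET /exchange/ HTTP/1.1\r\nHost: mail.example.test\r\nAuthorization: Basic "
               + base64.b64encode(b"carol:Passw0rd") + b"\r\n\r\n")

if __name__ == "__main__":
    for port, stream in ((110, SAMPLE_POP3), (21, SAMPLE_FTP), (25, SAMPLE_SMTP), (80, SAMPLE_HTTP)):
        for proto, user, pw in extract_credentials(port, stream):
            print(f"{proto:10s} {user:20s} {pw}")
```

The point of the extra protocols is that "not readable at a glance" and "encrypted" are different things: anything the parser can turn back into a password with a library call is, for the attacker on the wire, plain text.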

Cain & Abel can also sniff in passive mode (your own MAC only), which goes undetected by Intrusion Detection Systems (IDS) because the host only receives the frames the switch would deliver to it anyway and sends nothing extra. Putting the network adapter into promiscuous mode (accept frames for all MACs on the wire) is also silent in itself, but a promiscuous host can be fingerprinted, for example by an IDS or scanner that sends an ARP request to a bogus destination MAC and watches whether the host answers it; and on a switched network promiscuous mode alone still only yields broadcasts and your own unicast traffic, since the switch never forwards other hosts' unicast frames to your port. Capturing data sent to\from your machine is fairly simple using tools like Wireshark and Cain & Abel, but the real gem would be to capture all traffic traversing a switch. There are two ways to do this:

  • Attach the machine to a mirrored (SPAN) port on the switch
  • ARP cache poisoning

Of the two, ARP cache poisoning is the easier to do as it is purely software based and requires no physical access to the switch. The idea is to send forged ARP replies to the victims rather than to the switch: the client is told that the gateway's IP address lives at the attacker's MAC, and the gateway is told the same about the client's IP, so both address their frames to the attacker and the switch, which only looks at MAC addresses, delivers them to the attacker's port. (Flooding a switch with bogus source MACs until its address table overflows and it falls back to hub-like behaviour is a different attack, MAC flooding; it is noisy and port security usually blocks it.) Once traffic is being redirected, the attacker's machine, with additional software, forwards each packet to its real destination and so acts as a transparent proxy. In this case neither party is aware that traffic is being captured, as there is no disruption in network communication; if the forwarding stops, though, both victims lose connectivity. The forged replies are themselves visible on the wire, so ARP monitoring, static ARP entries for the gateway, or Dynamic ARP Inspection on the switch can detect or block the attack. Below are the configurations available via C&A regarding ARP cache poisoning:
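The defensive side of the poisoning described above is the detection logic of an arpwatch-style monitor, which this post does not cover. The script below is an added example written for this page, not code from Cain & Abel, arpwatch or the course: it parses raw Ethernet/ARP frames, learns IP-to-MAC bindings, and raises an alert on the two things a poisoning run cannot avoid, an IP address whose MAC changes and replies that no request asked for. The frames it runs over are constructed inline (a legitimate lookup followed by the attacker poisoning both the victim and the gateway), and the addresses are made up.

```python
import struct


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def _ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(src_mac, dst_mac, oper, sha, spa, tha, tpa):
    """Constructed frame for the example: Ethernet II header + 28-byte ARP body (oper 1=request, 2=reply)."""
    eth = _mac_bytes(dst_mac) + _mac_bytes(src_mac) + b"\x08\x06"
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
           + _mac_bytes(sha) + _ip_bytes(spa) + _mac_bytes(tha) + _ip_bytes(tpa))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": _mac_str(frame[6:12]), "oper": oper,
            "sha": _mac_str(frame[22:28]), "spa": _ip_str(frame[28:32]),
            "tha": _mac_str(frame[32:38]), "tpa": _ip_str(frame[38:42])}


class ArpWatch:
    """Learns IP->MAC bindings from traffic and flags the two signs of poisoning:
    an IP whose MAC changes, and replies that nobody asked for."""

    def __init__(self, static=None):
        self.static = dict(static or {})      # pinned bindings, e.g. the gateway
        self.table = dict(self.static)        # ip -> mac as learned from traffic
        self.pending = set()                  # (answerer_ip, asker_ip) for requests seen
        self.alerts = []

    def observe(self, frame):
        pkt = parse_arp(frame)
        if pkt is None:
            return
        if pkt["eth_src"] != pkt["sha"]:
            self.alerts.append(f"ethernet source {pkt['eth_src']} != ARP sender {pkt['sha']}")
        if pkt["oper"] == 1:
            self.pending.add((pkt["tpa"], pkt["spa"]))
        elif pkt["oper"] == 2:
            key = (pkt["spa"], pkt["tpa"])
            if key in self.pending:
                self.pending.discard(key)
            else:
                # Gratuitous ARP after a cluster failover also lands here: tune this, do not drop it.
                self.alerts.append(f"unsolicited reply: {pkt['spa']} is-at {pkt['sha']} -> {pkt['tpa']}")
        known = self.table.get(pkt["spa"])
        if known is None:
            self.table[pkt["spa"]] = pkt["sha"]
        elif known != pkt["sha"]:
            self.alerts.append(f"{pkt['spa']} changed {known} -> {pkt['sha']}")
            if pkt["spa"] not in self.static:      # never let traffic overwrite a pinned entry
                self.table[pkt["spa"]] = pkt["sha"]


GATEWAY, VICTIM, ATTACKER = "10.0.0.1", "10.0.0.5", "10.0.0.66"
GW_MAC, VICTIM_MAC, ATK_MAC = "00:11:22:33:44:01", "00:11:22:33:44:05", "de:ad:be:ef:00:66"
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"

# Constructed capture: a normal lookup, then the attacker poisoning both sides.
LEGIT = [
    build_arp(VICTIM_MAC, BCAST, 1, VICTIM_MAC, VICTIM, ZERO, GATEWAY),      # who-has 10.0.0.1?
    build_arp(GW_MAC, VICTIM_MAC, 2, GW_MAC, GATEWAY, VICTIM_MAC, VICTIM),    # 10.0.0.1 is-at gateway
]
POISON = [
    build_arp(ATK_MAC, VICTIM_MAC, 2, ATK_MAC, GATEWAY, VICTIM_MAC, VICTIM),  # "gateway" is-at attacker
    build_arp(ATK_MAC, GW_MAC, 2, ATK_MAC, VICTIM, GW_MAC, GATEWAY),          # "victim" is-at attacker
]


def run(frames, static=None):
    watch = ArpWatch(static)
    for frame in frames:
        watch.observe(frame)
    return watch


if __name__ == "__main__":
    for alert in run(LEGIT + POISON, static={GATEWAY: GW_MAC}).alerts:
        print("ALERT", alert)
```

Running the same frames without the pinned gateway entry shows why static ARP entries matter: the monitor still alerts on the change, but its own table ends up believing the attacker, exactly as the victim's cache does.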

Having the ability to discover usernames\passwords in clear text has its limitations, because current authentication mechanisms don't send passwords in clear text over the wire. This takes us to section 6, “Compromising Windows Authentication”.

After a brief review of the history of the LM, NTLMv1, NTLMv2 and Kerberos authentication schemes, at the end of the day it all boils down to the simple principle: “You don't hack systems, you hack people”. When people unknowingly install a trojan which then uses pwdump or fgdump to dump usernames and their password hashes (not encrypted passwords: LM and NT hashes are unsalted one-way hashes) for both local and cached domain accounts, it's possible to use rainbow tables to crack them. Strictly, the precomputed tables apply to LM and NT hashes; cached domain credentials mix the username into the hash, so those need a dictionary or brute-force attack instead. As I have just learned, there is no shelter to be found from the password cracker.

Some sites that assist in accessing rainbow tables, either free or paid for, are:

Categories: Security