
Defending Windows Networks – Full 5 Days

If you’ve read the previous blog article “CISSP Training” posted several weeks ago or have had any direct communication with yours truly, then you would know I recently took advantage of an “unlimited” training package offered by Global Knowledge. It includes unlimited training (certain classes not optional) within 4 months for one set price. If permitted to take all the classes requested, the total value of the package would come close to $30,000, of which I paid a mere $4,400 in comparison. Such an opportunity is rare indeed, so I decided to sign up and have not regretted it one bit.

Today I began a week-long training session called “Defending Windows Networks”. The instructor, Karl Koeler, has brought an enormous amount of energy and knowledge to the class; I have enjoyed his instructional style and admire his level of security expertise.

The following key concepts will be covered during the training:

  • Security: From Concept to Policy
  • Encryption Concepts
  • Evaluating the Threat
  • Target Acquisition
  • Sniffing Around (network monitoring)
  • Compromising Windows Authentication
  • Account Discovery
  • Trojan Horse
  • Defeating and Defending the Firewall
  • Defending Against Other Windows Exploits
  • Wireless Intrusion
  • Using Windows Certificate Services
  • Laptops
  • Leveraging Security Policies

The package includes 3 books:

  • Global Knowledge course content (developed by Karl)
  • Lab Guide
  • Hacking Exposed Windows by Joel Scambray & Stuart McClure (third edition)

I had purchased and read the original “Hacking Exposed” book sometime in 2001 and just remembered an incident in which I made a poor decision in downloading and testing one of the free HTTP vulnerability scanners at my then current position as Helpdesk Analyst at TimeInc. Let’s just say the incident brought much attention to me, and after careful explanation and an overwhelming apology I was lucky to keep my job. I was also advised not to bring or be seen reading Hacking Exposed on company property. Of course I couldn’t help bringing the book as reading material for the train ride in and out of Manhattan, but it remained safe and sound inside my bag while onsite.

So today’s class covered setting up Virtual PC in order to utilize preconfigured virtual machines, as well as the following concepts:

  • Security: From Concept to Policy
  • Encryption Concepts

Completed the following labs:

  • Designing security policy
  • Setting up the lab environment


So today, after an initial introduction to several of the freely available security tools, we were required to update our toolbox with new versions of the following software, for which I have included their corresponding web sites:

Karl had already created a Security Tools folder which contained a multitude of other security tools along with this morning’s downloads, as seen below.

Once they were downloaded we began Exercise 3, “Installing Security Tools”. This involved installing the following from the list above:

  • Wireshark
  • LANguard
  • Metasploit
  • LC5
  • Superscan
  • Back Orifice
  • Aircrack-ng

It appears, however, that we may need to downgrade the Metasploit install, as the new version is currently command line only and runs using Linux commands.

After installing the utilities we continued with section 3, “Target Acquisition”, which describes the organizations that have a high profile of attack, like government agencies, financial institutions, the military and schools. After deciding whom to attack, the next step is to do some reconnaissance on the internet in order to discover as much information about that organization as possible, such as the following:

  • Job postings (can reveal what technologies they are currently implementing)
  • DNS and domain (WHOIS) registrations (usually looking for admin contact information or IP address ranges)
  • Google hacks (searching for specific file types associated with that company)

It was just a matter of time before the topic of “Windows Hacking” was discussed, and for obvious reasons. It is by far the most popular OS in use by both home and corporate desktop users, who are almost always poorly trained in best practices as they apply to computer security. The users who write their passwords down on sticky notes and post them on their monitors are at risk of compromising their immediate division’s resources and quite possibly other sections of the network environment. The same person wouldn’t leave their house key attached to the front door for anyone to use, but they don’t apply the same principles to computer security. This doesn’t make them idiots, just uneducated in best security practices… Well, maybe the sticky notes might qualify them for idiot status, but there are many other areas of possible compromise that could be avoided with a little bit of training.

And so it is now time for Exercise 4, “Network Scanning and Footprinting”. This exercise uses the following tools in order to scan for open ports and then determine their corresponding services:

  • Superscan
  • LANguard
  • Zenmap (GUI version of nmap)

The most effective tool by far was LANguard, as it detected far more information than just open ports. I did like, however, the topology view in Zenmap, as it color-codes the machines based on their attack and vulnerability status.
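The three scanners in Exercise 4 hide what they do behind a GUI, so here is the core of it in a few dozen lines of Python: a TCP connect scan, a banner grab, and a service guess from the banner or the port number. This is an added example, not code from the course, the post or any of the tools named above. The port table and banner hints are assumptions kept deliberately small, and `fake_service` is a constructed loopback listener included only so the scanner can be run offline against something.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Assumed, minimal well-known-port table; real scanners ship a much larger one.
WELL_KNOWN = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http",
              110: "pop3", 135: "msrpc", 139: "netbios-ssn", 143: "imap",
              443: "https", 445: "microsoft-ds", 3389: "ms-wbt-server"}

# Banner prefixes that identify a service more reliably than the port number does.
BANNER_HINTS = (("220 ", "ftp/smtp"), ("+OK", "pop3"), ("* OK", "imap"),
                ("SSH-", "ssh"), ("HTTP/", "http"))


def probe(host, port, timeout=0.5):
    """TCP connect scan of one port. Returns (port, banner) if open, else None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                banner = sock.recv(256).decode("ascii", errors="replace").strip()
            except socket.timeout:
                banner = ""   # open, but the service expects the client to speak first
            return port, banner
    except OSError:           # refused, filtered (timed out) or unreachable
        return None


def guess_service(port, banner):
    """Prefer the banner; fall back to the port table; otherwise 'unknown'."""
    for prefix, name in BANNER_HINTS:
        if banner.startswith(prefix):
            return name
    return WELL_KNOWN.get(port, "unknown")


def scan(host, ports, workers=32):
    """Return {port: (service_guess, banner)} for every open port in `ports`."""
    open_ports = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for hit in pool.map(lambda p: probe(host, p), ports):
            if hit:
                port, banner = hit
                open_ports[port] = (guess_service(port, banner), banner)
    return open_ports


def fake_service(banner):
    """Constructed target so the scanner can be exercised offline: a loopback
    listener that sends `banner` to each client and hangs up. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    ftp = fake_service(b"220 lab-ftp ready\r\n")
    quiet = fake_service(b"")
    for port, (service, banner) in sorted(scan("127.0.0.1", [ftp, quiet, 1, 2]).items()):
        print(f"{port}/tcp open  {service:<12} {banner!r}")
```

A full connect scan like this completes the TCP handshake on every port it finds, which is exactly why it shows up in the target’s logs and why nmap defaults to a SYN scan when it has raw-socket privileges; the banner grab is also what lets a scanner (and LANguard’s richer checks) say more than “port open”.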

After lunch we moved on to section 5, “Sniffing Around”, covering tools like Wireshark and Cain & Abel to sniff network traffic and use the results as a means of discovery. The first demonstration, using Cain & Abel, recovered FTP and Outlook Express POP3 usernames and passwords. I have to admit that I was not aware that Outlook Express sends credentials in plain text, but now in hindsight I realize just how obvious this was. None of FTP, POP3, SMTP or Telnet encrypts traffic by default. When accessing Hotmail using the web, the original connection used to authenticate via username and password is actually transmitted using HTTPS (encrypted); all subsequent traffic utilizes HTTP. When using Outlook Express all email traffic uses either POP3 (download) or SMTP (send), so both the credentials and the messages cross the wire in the clear.
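What Cain & Abel’s password sniffer does with those protocols is a small state machine over the client side of each session. The following Python is an added example of that logic, not code from the course, the post or Cain & Abel itself; it runs over a constructed sample capture (the lines a sniffer would have reassembled, with assumed addresses and passwords) and pulls out FTP and POP3 `USER`/`PASS` pairs, SMTP `AUTH LOGIN` and `AUTH PLAIN` exchanges (base64, not encryption), and IMAP `LOGIN` commands.

```python
import base64
import binascii
from collections import defaultdict

# Constructed sample "capture", not real traffic: the client->server lines a sniffer
# would reassemble from each session, as (client, server, server_port, payload).
SAMPLE = [
    ("10.0.0.5", "10.0.0.20", 21,  b"USER alice\r\n"),
    ("10.0.0.5", "10.0.0.20", 21,  b"PASS s3cret!\r\n"),
    ("10.0.0.7", "10.0.0.30", 110, b"USER bob@corp.example\r\n"),
    ("10.0.0.7", "10.0.0.30", 110, b"PASS hunter2\r\n"),
    ("10.0.0.7", "10.0.0.30", 25,  b"AUTH LOGIN\r\n"),
    ("10.0.0.7", "10.0.0.30", 25,  base64.b64encode(b"bob") + b"\r\n"),
    ("10.0.0.7", "10.0.0.30", 25,  base64.b64encode(b"hunter2") + b"\r\n"),
    ("10.0.0.9", "10.0.0.30", 25,  b"AUTH PLAIN " + base64.b64encode(b"\x00carol\x00pw-carol") + b"\r\n"),
    ("10.0.0.9", "10.0.0.40", 143, b"a001 LOGIN carol pw-imap\r\n"),
]

PROTO_BY_PORT = {21: "ftp", 110: "pop3", 25: "smtp", 143: "imap"}


def _b64(text):
    """Decode one base64 line; garbage yields '' rather than an exception."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return ""


def extract_credentials(packets):
    """Walk each session's client lines and return
    [(protocol, client, server, username, password), ...] for every login seen."""
    creds = []
    state = defaultdict(dict)                 # per-session scratch: pending user, SMTP AUTH phase
    for client, server, port, payload in packets:
        proto = PROTO_BY_PORT.get(port)
        if proto is None:
            continue
        line = payload.decode("ascii", errors="replace").rstrip("\r\n")
        st = state[(client, server, port)]
        if proto in ("ftp", "pop3"):          # USER x ... PASS y, both in the clear
            verb, _, arg = line.partition(" ")
            if verb.upper() == "USER":
                st["user"] = arg
            elif verb.upper() == "PASS" and "user" in st:
                creds.append((proto, client, server, st.pop("user"), arg))
        elif proto == "smtp":                 # AUTH LOGIN / AUTH PLAIN are only base64-encoded
            upper = line.upper()
            if upper.startswith("AUTH PLAIN "):
                parts = _b64(line.split(" ", 2)[2]).split("\x00")
                if len(parts) == 3:           # authzid \0 authcid \0 password
                    creds.append((proto, client, server, parts[1], parts[2]))
            elif upper == "AUTH LOGIN":
                st["phase"] = "user"
            elif st.get("phase") == "user":
                st["user"], st["phase"] = _b64(line), "pass"
            elif st.get("phase") == "pass":
                creds.append((proto, client, server, st.pop("user"), _b64(line)))
                st.pop("phase")
        elif proto == "imap":                 # tag LOGIN user pass
            parts = line.split(" ", 3)
            if len(parts) == 4 and parts[1].upper() == "LOGIN":
                creds.append((proto, client, server, parts[2], parts[3]))
    return creds


if __name__ == "__main__":
    for proto, client, server, user, password in extract_credentials(SAMPLE):
        print(f"{proto:5} {client} -> {server}  {user!r} / {password!r}")
```

The defence is the same in every case: move the mail client to POP3S/IMAPS or STARTTLS and the FTP server to FTPS or SFTP, so that the `USER`/`PASS` lines above never appear on the wire in the first place.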

Cain & Abel can also sniff without any ARP poisoning, in which case it only sees frames addressed to your own MAC (plus broadcasts). This sends nothing on the wire, so there is nothing for an Intrusion Detection System (IDS) to notice. Putting the network adapter into promiscuous mode (accepting frames for all MACs on the wire) is also silent in itself; what gives a promiscuous host away is an active probe, for example an ARP request sent to a bogus destination MAC that only a promiscuous stack will answer, and what gives an active sniffer away is the ARP traffic it has to send. Capturing data sent to and from your own machine is fairly simple using tools like Wireshark and Cain & Abel, but the real gem is capturing all traffic traversing a switch. There are two ways to do this:

  • Attach the machine to a mirrored (SPAN) port on the switch
  • ARP cache poisoning

Of the two, ARP cache poisoning is the easiest, as it is software based and requires no physical access to the switch. (Overwhelming a switch with frames from bogus source MAC addresses until its forwarding table overflows and it starts flooding every frame like a hub is a different attack, MAC flooding, and a noisy one.) ARP poisoning instead sends unsolicited ARP replies to the victim, and usually to the gateway as well, so that each of them caches the attacker’s MAC address for the other’s IP address; traffic that was originally destined for another host on the network is thereby redirected to the attacker’s machine. Once this is done the attacker, with forwarding enabled in the tool, acts as a proxy and relays the data on to the appropriate machine. In this instance neither party is aware that traffic is being captured, as there is no disruption in network communication, although the changed IP-to-MAC bindings are visible to anything that watches ARP, such as arpwatch or a switch with dynamic ARP inspection. Below are the configurations available via C&A regarding ARP cache poisoning:
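To make the attack and its footprint concrete, here is an added Python example (not from the course, the post or Cain & Abel) that builds the raw Ethernet/ARP frame a poisoner sends, parses it back, and runs an arpwatch-style check over a constructed sequence of replies: a binding for an IP that suddenly changes, or one MAC that claims several IPs, is the signature of a host impersonating the gateway to its victims. The addresses and the scenario are assumptions made up for the example.

```python
import struct
from collections import defaultdict

ETH_ARP = 0x0806


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{x:02x}" for x in raw)


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw):
    return ".".join(str(x) for x in raw)


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Raw Ethernet II + ARP frame (oper 1 = request, 2 = reply). A poisoner sends
    oper=2 with sender_ip = the IP it wants to hijack and sender_mac = its own MAC."""
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac), ETH_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Decode an ARP frame into a dict; anything else returns None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    _, _, _, _, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"oper": oper, "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def detect_poisoning(frames, known=None):
    """Track IP->MAC bindings seen in ARP replies and report (a) an IP whose MAC
    changes and (b) a MAC that claims more than one IP. `known` seeds the table
    with trusted bindings, e.g. the gateway's real MAC."""
    ip_to_mac = dict(known or {})
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts = []
    for frame in frames:
        pkt = parse_arp(frame)
        if not pkt or pkt["oper"] != 2:
            continue
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        old = ip_to_mac.get(ip)
        if old and old != mac:
            alerts.append(f"{ip} changed from {old} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"{mac} now claims {sorted(mac_to_ips[mac])}")
    return alerts


# Constructed scenario (assumed addresses): three honest replies, then the attacker
# tells the victim "the gateway is at my MAC" and the gateway "the victim is at my MAC".
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:55"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "aa:bb:cc:dd:ee:01"
ATTACKER_IP, ATTACKER_MAC = "192.168.1.66", "de:ad:be:ef:00:01"
SAMPLE_FRAMES = [
    build_arp(2, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp(2, VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
    build_arp(2, ATTACKER_MAC, ATTACKER_IP, VICTIM_MAC, VICTIM_IP),
    build_arp(2, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # poison the victim
    build_arp(2, ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),  # poison the gateway
]

if __name__ == "__main__":
    for alert in detect_poisoning(SAMPLE_FRAMES):
        print("ALERT:", alert)
```

Rule (b) does fire on legitimate multi-homed hosts (a router with several addresses, a failover pair), so in practice the `known` table doubles as a whitelist; rule (a) is the one that catches the attack in the post, and it is the same check that dynamic ARP inspection on a managed switch performs against the DHCP snooping table.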

Having the ability to discover usernames and passwords in clear text has its limitations, since current authentication mechanisms don’t send passwords in clear text over the wire. This takes us to section 6, “Compromising Windows Authentication”.

After a brief review of the history of the LM, NTLMv1, NTLMv2 and Kerberos authentication schemes, at the end of the day it all boils down to the simple principle “You don’t hack systems, you hack people”. When people unknowingly install a trojan which then uses pwdump or fgdump to dump the usernames and password hashes of both local and cached domain accounts, it’s possible to use rainbow tables to crack them. The LM and NT hashes are unsalted, which is exactly what makes precomputed tables practical; the cached domain credentials are salted with the username, so a generic table does not apply to them and each one has to be attacked on its own. As I have just learned, there is no shelter to be found from the password cracker.

Some sites that assist in accessing rainbow tables, either free or paid, are:

Categories: Security