Slide 1

ABCDEF Exercise Team F (Subnet 4)

Slide 2

Our team (Team F): David Apeji, Maneesh Augestine, Richard Born, Venu Gopal Kakarla

Slide 3

Overview
- Our Setup
- Services
- Protective Measures
- Observed Attacks
- Our Discoveries

Slide 4

Our Setup
- VMware ESXi servers: 2 hosts
- Windows: 5 hosts
- Linux: 3 hosts
- BSD: 10 hosts

Slide 5

Physical Topology

Slide 6

Logical Topology

Slide 8

Windows
- Active Directory: Windows Server 2008 (non-R2) Standard, Server Core, 32-bit
- Terminal Services (RDP) and print server: Windows Server 2008 (non-R2) Standard, full install, 32-bit
- Active Directory client: Windows 7 Professional 32-bit
- Internet Information Services (httpd): Windows 2000 Server (legacy)
- Nginx (httpd): Windows 2000 Server (legacy)

Slide 9

Linux
- Mail server appliance: Ubuntu Server 8.04.3 JeOS (legacy) running Zimbra 6.5 Community Edition
- Honeyd: Fedora 7 (Moonstone) (legacy)

Slide 10

BSD: OpenBSD 4.8
- Primary name server (BIND)
- Secondary name server (BIND)
- Network time server (OpenNTPD)
- Secure shell server (OpenSSH sshd)
- Decoy mail server (sendmail and popd)
- XMPP/Jabber server (Openfire)
- Snort IDS server (Snort)
- Honeynet server (Honeyd)
- HTTP web server (Apache)

Slide 11

BSD: FreeBSD 8.1
- File and FTP server (FreeNAS appliance)

Slide 12

Hardening OpenBSD
- Firewalls were not permitted, so pf was disabled: # pfctl -d, and in /etc/rc.conf.local add the line pf=NO so it stays off after a reboot.
- In /etc/inetd.conf, comment out every unneeded service and send inetd a SIGHUP so it re-reads the file; that closes the corresponding ports.
- Most of the base-system daemons (named, ntpd, the in-tree Apache) run chrooted by default.

Slide 13

OpenBSD
These are the ports open on our standard install. daytime, time and ident are enabled in the default /etc/inetd.conf; ssh and http are standalone daemons (sshd and httpd).
- TCP port 13: daytime
- TCP port 22: ssh
- TCP port 37: time
- TCP port 80: http
- TCP port 113: ident

Slide 14

Securing sshd
Set the following options in /etc/ssh/sshd_config:
Protocol 2
PermitRootLogin no
MaxAuthTries 2
PermitEmptyPasswords no
AllowUsers user1 user2 user3
ChrootDirectory /home/%u
This made the difference.
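
An audit script for the sshd settings above, added here as an illustration and not part of the team's deck. It reads an sshd_config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, anything after a Match line is conditional) and reports each directive that is missing or weaker than the slide's value. The function names, the two constructed sample configs and the temp-file layout are this example's own. One caveat the slide does not mention: sshd refuses a chrooted login unless the ChrootDirectory and every directory above it are owned by root and not group- or world-writable, so /home/%u only works once the home directories have been re-owned accordingly.

```shell
#!/bin/sh
# Added example, not from the slides: audit an sshd_config for the settings on
# the slide. Directive names and wanted values are the slide's; the function
# names, the sample configs and the temp-file layout are this example's own.

# Effective value of one directive. sshd honours the FIRST occurrence of a
# keyword, keywords are case-insensitive, and everything after a "Match" line
# is conditional, so parsing stops there. Prints nothing if the directive is
# absent (sshd's compiled-in default then applies).
sshd_get() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                     # comment / blank
        tolower($1) == "match"   { exit }                     # conditional block
        tolower($1) == key       { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# One line per weak or missing directive; prints nothing for a clean config.
audit_sshd_config() {
    cfg=$1
    v=$(sshd_get "$cfg" Protocol)
    [ "$v" = "2" ] || echo "Protocol: want 2, have '${v:-unset}'"
    v=$(sshd_get "$cfg" PermitRootLogin)
    [ "$v" = "no" ] || echo "PermitRootLogin: want no, have '${v:-unset}'"
    v=$(sshd_get "$cfg" MaxAuthTries)
    case $v in
        [0-9]*) [ "$v" -le 3 ] || echo "MaxAuthTries: want <= 3, have $v" ;;
        *)      echo "MaxAuthTries: unset (sshd default is 6)" ;;
    esac
    v=$(sshd_get "$cfg" PermitEmptyPasswords)
    [ "$v" = "no" ] || echo "PermitEmptyPasswords: want no, have '${v:-unset}'"
    v=$(sshd_get "$cfg" AllowUsers)
    [ -n "$v" ] || echo "AllowUsers: unset, so every account with a shell may log in"
    v=$(sshd_get "$cfg" ChrootDirectory)
    [ -n "$v" ] || echo "ChrootDirectory: unset"
    return 0
}

# Constructed samples: a near-default config and the slide's hardened one.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/default.conf" <<'EOF'
# constructed near-default sshd_config: everything left commented out
#Port 22
Protocol 2,1
#PermitRootLogin yes
#MaxAuthTries 6
Subsystem sftp /usr/libexec/sftp-server
EOF
cat > "$TMP/hardened.conf" <<'EOF'
protocol 2
PermitRootLogin no
MaxAuthTries 2
PermitEmptyPasswords no
AllowUsers user1 user2 user3
ChrootDirectory /home/%u
# sshd ignores this later duplicate, and so must the audit
PermitRootLogin yes
Match User user3
    PermitRootLogin yes
EOF
WEAK_CFG=$TMP/default.conf
HARD_CFG=$TMP/hardened.conf

for f in "$WEAK_CFG" "$HARD_CFG"; do
    printf '== %s\n' "$f"
    audit_sshd_config "$f"
done
```

Run it against /etc/ssh/sshd_config on each box after editing; an empty report means every directive on the slide is present with the wanted value. The duplicate PermitRootLogin and the Match block in the hardened sample are there because a plain grep would report the last or the conditional value and miss that sshd itself is still using the first one.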

Slide 15

Securing name servers
- Primary: do not allow AXFR zone transfers except to the secondary (172.16.4.54)
- Secondary: do not allow AXFR transfers at all
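
The transfer policy above written out as BIND named.conf fragments, added here as an illustration rather than taken from the team's configuration. Only the secondary's address 172.16.4.54 comes from the slide; the zone name, the file paths and the primary's address (192.0.2.1) are placeholders.

```conf
// Primary name server: nobody may transfer by default, the secondary may.
options {
    allow-transfer { none; };            // global default for every zone
};

zone "subnet4.example" {                 // placeholder zone name
    type master;
    file "master/subnet4.example";
    allow-transfer { 172.16.4.54; };     // the secondary from the slide
    also-notify { 172.16.4.54; };
};

// Secondary name server: serves the zone but never hands it out.
zone "subnet4.example" {
    type slave;
    file "slave/subnet4.example";
    masters { 192.0.2.1; };              // placeholder: the primary's address
    allow-transfer { none; };
};
```

Check from a host that is not the secondary with dig @server subnet4.example AXFR; the answer should be "Transfer failed." on both servers, and succeed only from 172.16.4.54 against the primary. The ACL is an address check only; if the secondary's address can be spoofed or borrowed on the same segment, signing transfers with a TSIG key is the stronger control.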

Slide 16

Securing mail server
- No anonymous (open) relaying
- SMTP authentication required

Slide 17

Securing Windows 2008 boxes
- Disabled the local Administrator account.
- Without the firewall, Windows offers no major way of protecting the system, so not much else was done.
- Generated strong passwords for all domain users.

Slide 18

Patches and Updates
- None of the boxes were patched or updated, except for the Windows 2000 Server, which was patched up to the last available service pack (Service Pack 4).

Slide 19

Observed Attacks
- Our first Windows 2000 box was broken within a week of deployment.
- Someone crashed and corrupted the Windows services, including the RPC service.
- The services would not start even after a reboot, and they are essential for Windows to function.
- The box was therefore unusable: a bootable brick.

Slide 20

Hardening our second Windows 2000 Server
References:
- Closing Internet Ports - Windows 2000 PRO, by Arthur R. Kopp (6/25/2005), http://www.claymania.com/windows2000-hardening.html
- Minimizing Windows network services: examples with Windows 2000 and Windows XP, by Jean-Baptiste Marchand (02/09/2002), http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html
- How To: Harden the TCP/IP Stack, by J.D. Meier et al. (Jan 2006), Microsoft Corporation, http://msdn.microsoft.com/en-us/library/ff648853.aspx

Slide 21

Win 2000 TCP ports open (netstat -an)
TCP 0.0.0.0:25 0.0.0.0:0 LISTENING
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3372 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4983 0.0.0.0:0 LISTENING
TCP 172.16.4.82:139 0.0.0.0:0 LISTENING
Of these, 25/80/443 are the IIS SMTP and web services, 135 is the RPC endpoint mapper, 139 and 445 are NetBIOS session and SMB, 1025-1027 are dynamic RPC endpoints and 3372 is MSDTC.

Slide 22

Win 2000 UDP ports open (netstat -an)
UDP 0.0.0.0:135 *:*
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1028 *:*
UDP 0.0.0.0:1029 *:*
UDP 0.0.0.0:3456 *:*
UDP 172.16.4.82:137 *:*
UDP 172.16.4.82:138 *:*
UDP 172.16.4.82:500 *:*
137 and 138 are the NetBIOS name and datagram services, and 500 is IKE from the IPSEC Services service.

Slide 23

Closing the NetBIOS group of ports

Slide 24

Closing port 445
Blank the following REG_SZ value (takes effect after a reboot):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBt\Parameters\TransportBindName

Slide 25

Closing port 135
C:\winnt\System32\Dcomcnfg.exe: clear "Enable Distributed COM on this computer" under Default Properties.

Slide 26

Closing port 135
Under HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc:
- Create a new key named Internet
- Under Internet, create a new string value named UseInternetPorts
- Set the data of UseInternetPorts to N

Slide 27

Protect Against SYN Attacks
Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, create the following DWORD values.

Slide 28

Protect Against SYN Attacks
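
The registry changes from the port-445, port-135 and SYN-protection slides collected into one .reg file, added here as an illustration and not part of the team's deck. The TransportBindName and UseInternetPorts entries are exactly what the slides describe. The slide that listed the SYN-protection DWORDs is an image whose contents are not in the text, so the values below are the ones recommended in the cited Microsoft "How To: Harden the TCP/IP Stack" article; that they match the slide is an assumption.

```reg
Windows Registry Editor Version 5.00

; Closing port 445: stop NetBT's SMB "direct host" listener on TCP 445.
; Side effect: the box can no longer serve or reach SMB shares over 445.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"TransportBindName"=""

; Closing port 135: the RPC "Internet" key with UseInternetPorts = N,
; as on the slide.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet]
"UseInternetPorts"="N"

; SYN attack protection. Values from the cited Microsoft article
; (assumed to be what the slide image showed). 0x1f4 = 500, 0x190 = 400.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000002
"TcpMaxHalfOpen"=dword:000001f4
"TcpMaxHalfOpenRetried"=dword:00000190
"TcpMaxPortsExhausted"=dword:00000005
"TcpMaxConnectResponseRetransmissions"=dword:00000002
```

Import with regedit /s harden.reg and reboot, since the NetBT and Tcpip parameters are read when the drivers start. Then compare netstat -an with the two port listings above rather than assuming each port is gone: the endpoint mapper (RpcSs) keeps TCP 135 open for as long as it runs, so the 135 entries need to be checked, not trusted. SynAttackProtect=2 is the strongest of the three settings (0, 1, 2) on Windows 2000 and only engages once the TcpMaxHalfOpen / TcpMaxHalfOpenRetried / TcpMaxPortsExhausted thresholds are crossed.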

Slide 29

Protect Against ICMP Attacks

Slide 30

Protect Against SNMP Attacks

Slide 31

These services can safely be disabled (on a standalone box; Workstation is needed for domain logons and Server for file and print sharing):
- World Wide Web Publishing Service
- Simple Mail Transport Protocol (SMTP)
- IPSEC Services
- Distributed Transaction Coordinator
- SSDP Discovery Service
- Windows Time
- TCP/IP NetBIOS Helper
- Workstation
- Server
- NetBIOS over TCP/IP (NetBT)

Slide 32

Securing RPC
- Without the RPC service Windows will not function.
- A lot of Windows services depend on RPC, so it cannot simply be disabled.

Slide 33

Securing RPC
Windows 2000 Resource Kit tool: Rpccfg.exe (RPC Configuration Tool)
https://www.microsoft.com/downloads/en/details.aspx?FamilyID=0f9cde2f-8632-4da8-ae70-645e1ddaf369
- rpccfg -q queries the current RPC interface bindings.
- Bind the RPC service to the loopback adapter only.

Slide 34

Compromised
- ProFTPD on 172.16.200.221: the "ACIDBITCHEZ" backdoor (the trojaned ProFTPD 1.3.3c source distribution of late 2010, which opens a root shell on HELP ACIDBITCHEZ)
- Vandalized a wiki running MediaWiki
- Port scans, vulnerability scans

Slide 35

Observed Attacks
- We did not observe the attack on the first Win 2000 box, because Snort was not set up by then.
- We saw port scans all the while.
- We saw a lot of shellcode in the Snort logs. Most of it failed, and it was difficult to distinguish failed from successful attempts.

Slide 36

What we lost
Our Windows Server 2008 (non-R2) 32-bit box, the Terminal Services server.
- The attacker had a limited user account and logged in with it.
- He discovered that the Active Directory tools were installed on the system, and with them he had read access to the AD.
- He escalated privileges to Administrator and created a new domain admin account.
- From then on he had complete admin access to all our Windows boxes, everything in the domain.

Slide 37

The attacker enabled the following roles and features on the RDP box:
- File Services
- Internet Information Services
- Telnet server (telnetd)
- FTP server (ftpd)
- SMTP, POP
He used the domain admin account to log in to the AD server, but did nothing there.

Slide 38

Other discoveries: interesting finds.

Slide 39

Thank You.