
Red Teams vs Blue Teams

वेणु गोपाल (Venu Gopal)

February 23, 2011


Transcript

  1. Our team – Team F
     - David Apeji
     - Maneesh Augestine
     - Richard Born
     - Venu Gopal Kakarla

  2. Our setup
     - VMware ESXi servers: 2 hosts
     - Windows: 5 hosts
     - Linux: 3 hosts
     - BSD: 10 hosts

  3. Windows
     - Active Directory: Windows Server 2008 (non R2) Standard Core 32bit
     - Terminal Services (RDP) and Print Server: Windows Server 2008 (non R2) Standard Full 32bit
     - Active Directory client: Windows 7 Professional 32bit
     - Internet Information Services (httpd): Windows 2000 Server (legacy)
     - Nginx (httpd): Windows 2000 Server (legacy)

  4. Linux
     - Mail server appliance: Ubuntu Server 8.04.3 JeOS (legacy) running Zimbra 6.5 Community Edition
     - Honeyd: Fedora 7 (Moonstone) (legacy)

  5. BSD: OpenBSD 4.8
     - Primary name server (BIND)
     - Secondary name server (BIND)
     - Network time server (OpenNTPD)
     - Secure shell server (OpenSSH sshd)
     - Decoy mail server (sendmail and a POP daemon)
     - XMPP/Jabber server (Openfire)
     - Snort IDS server (Snort)
     - Honeynet server (Honeyd)
     - HTTP web server (Apache)
  6. Hardening OpenBSD
     - We can't use firewalls, so disable it:
         # pfctl -d
     - In /etc/rc.conf.local add the line: pf=NO
     - In /etc/inetd.conf comment out all the unnecessary services, thus closing their open ports.
     - Every service is chrooted/jailed by default.

  7. OpenBSD
     - These are the ports open on a standard install (probably for POSIX compliance):
         TCP port 13   daytime
         TCP port 22   ssh
         TCP port 37   time
         TCP port 80   http
         TCP port 113  ident

  8. Securing sshd
     - Set the following options in /etc/ssh/sshd_config:
         Protocol 2
         PermitRootLogin no
         MaxAuthTries 2
         PermitEmptyPasswords no
         AllowUsers user1 user2 user3
         ChrootDirectory /home/%u
     - This made the difference.
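The inetd and sshd changes from slides 6 and 8, as an added shell example that is not part of the original deck. It works on copies of the two files so it can be run anywhere; on the real host the paths would be /etc/inetd.conf and /etc/ssh/sshd_config, run as root. The allow-list of inetd services, the sample file contents and the check_chroot_dir helper are the example's own assumptions. The chroot check is there because of the ChrootDirectory /home/%u line: sshd only accepts a chroot directory (and each of its parent directories) that is owned by root and not writable by group or others, so a home directory owned by the user is rejected at login with "bad ownership or modes for chroot directory".

```shell
#!/bin/sh
# Added example, not from the deck: apply the slide-6/slide-8 changes to
# copies of inetd.conf and sshd_config and verify the result.  Use the real
# paths (/etc/inetd.conf, /etc/ssh/sshd_config) as root to apply for real.
set -eu

# Comment out every enabled inetd.conf entry whose service is not in the
# allow-list given as the remaining arguments.  A "host:" prefix on the
# service field (e.g. 127.0.0.1:comsat) is ignored for the comparison.
disable_inetd_services() {
    conf=$1; shift
    allowed=" $* "
    tmp=$(mktemp)
    awk -v allowed="$allowed" '
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        {
            svc = $1
            sub(/^.*:/, "", svc)
            if (index(allowed, " " svc " ") > 0) print
            else print "#" $0          # disabled: inetd stops listening on it
        }' "$conf" > "$tmp"
    mv "$tmp" "$conf"
}

# Set KEY to VALUE in an sshd_config.  The first line carrying KEY (active or
# commented out) is replaced, later duplicates are dropped because sshd only
# honours the first occurrence, and the key is appended if it is absent.
set_sshd_option() {
    conf=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        BEGIN { lk = tolower(key) }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == lk) {
                if (!done) { print key " " value; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " " value }' "$conf" > "$tmp"
    mv "$tmp" "$conf"
}

# Effective value of KEY in CONF (first active match wins, as in sshd).
get_sshd_option() {
    awk -v lk="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == lk { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# sshd rejects a ChrootDirectory (and every parent of it) that is not owned
# by root or is writable by group or others, so /home/%u owned by the user
# fails with "bad ownership or modes for chroot directory".  Returns 0 when
# DIR itself passes; OWNER defaults to root.  Parents are not walked here.
check_chroot_dir() {
    dir=$1 owner=${2:-root}
    set -- $(ls -ld "$dir")            # $1 = mode string, $3 = owner
    case $3 in
        "$owner") ;;
        *) echo "$dir: owned by $3, not $owner" >&2; return 1 ;;
    esac
    case $1 in
        ?????w*|????????w*) echo "$dir: group/world writable ($1)" >&2; return 1 ;;
    esac
    return 0
}

# Demonstration on constructed sample files (contents are not from the deck).
demo() {
    work=$(mktemp -d)
    cat > "$work/inetd.conf" <<'EOF'
# constructed sample in OpenBSD inetd.conf layout
ident   stream  tcp  nowait  _identd  /usr/libexec/identd  identd -el
daytime stream  tcp  nowait  root     internal
time    stream  tcp  nowait  root     internal
127.0.0.1:comsat dgram udp wait root /usr/libexec/comsat comsat
EOF
    disable_inetd_services "$work/inetd.conf" ident
    printf '#PermitRootLogin yes\nProtocol 2,1\n' > "$work/sshd_config"
    for kv in "Protocol 2" "PermitRootLogin no" "MaxAuthTries 2" \
              "PermitEmptyPasswords no" "AllowUsers user1 user2 user3" \
              "ChrootDirectory /home/%u"; do
        set_sshd_option "$work/sshd_config" "${kv%% *}" "${kv#* }"
    done
    cat "$work/inetd.conf" "$work/sshd_config"
    rm -r "$work"
}
demo
```

Both editors write to a temporary file and move it into place, so a crash mid-edit never leaves a half-written config. After applying the sshd changes on a real host, `sshd -t` validates the file before the daemon is restarted.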
  9. Securing name servers
     - Primary: do not allow AXFR zone transfers except to the secondary (172.16.4.54)
     - Secondary: do not allow AXFR transfers at all
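The slide-9 transfer policy written out for BIND, plus an audit of a named.conf for zones that would still answer AXFR to anyone. This is an added shell example, not configuration from the deck; the secondary address 172.16.4.54 is the one the slide gives, while zone names, file names and the primary's address are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the deck: generate the AXFR policy from slide 9 for
# BIND and audit a named.conf for zones that would still hand out transfers.
# Zone names, file names and addresses other than 172.16.4.54 (the secondary
# named on the slide) are made up for the demo.
set -eu

# Zone stanza for ROLE (primary|secondary) of ZONE in FILE, with PEER being
# the other server.  The primary transfers only to the secondary; the
# secondary transfers to nobody.  "master"/"slave" are the type keywords the
# BIND 9 releases of the period use.
named_zone_stanza() {
    role=$1 zone=$2 file=$3 peer=$4
    case $role in
    primary)
        printf 'zone "%s" {\n    type master;\n    file "%s";\n    allow-transfer { %s; };\n    also-notify { %s; };\n};\n' \
            "$zone" "$file" "$peer" "$peer" ;;
    secondary)
        printf 'zone "%s" {\n    type slave;\n    file "%s";\n    masters { %s; };\n    allow-transfer { none; };\n};\n' \
            "$zone" "$file" "$peer" ;;
    *)  echo "role must be primary or secondary" >&2; return 2 ;;
    esac
}

# Print one line per zone in CONF whose effective allow-transfer lets anyone
# pull the zone: no allow-transfer in the zone or in options (BIND's default
# is any), or an explicit any.  Handles top-level zones only, not views, and
# does not expand named ACLs.
audit_axfr() {
    awk '
    function policy(txt,   m) {
        if (match(txt, /allow-transfer[ \t]*[{][^}]*[}]/)) {
            m = substr(txt, RSTART, RLENGTH)
            sub(/^allow-transfer[ \t]*[{][ \t]*/, "", m)
            sub(/[ \t]*[}]$/, "", m)
            return m                           # e.g. "172.16.4.54;" or "none;"
        }
        return ""
    }
    function report(name, pol) {
        if (pol == "") printf "%s: no allow-transfer, BIND default is any\n", name
        else if (pol ~ /(^|[ \t;])any;/) printf "%s: allow-transfer { %s }\n", name, pol
    }
    /^[ \t]*(\/\/|#)/ { next }                          # comment lines
    depth == 0 && /^[ \t]*(options|zone)[ \t]/ {
        kind = $1; name = (kind == "zone") ? $2 : "options"
        gsub(/"/, "", name); text = ""
    }
    {
        text = text " " $0
        depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")     # brace balance
        if (kind != "" && depth == 0) {
            if (kind == "options") global = policy(text)
            else { p = policy(text); report(name, (p == "") ? global : p) }
            kind = ""
        }
    }' "${1:-/dev/stdin}"
}

# Demonstration on a constructed named.conf (not from the deck).
demo() {
    work=$(mktemp -d)
    {
        printf 'options {\n    directory "/var/named";\n};\n'
        named_zone_stanza primary example.test example.test.db 172.16.4.54
        printf 'zone "open.test" {\n    type master;\n    file "open.db";\n};\n'
    } > "$work/named.conf"
    audit_axfr "$work/named.conf"        # flags open.test only
    rm -r "$work"
}
demo
```

Putting `allow-transfer { none; };` in the options block makes the closed policy the default for every zone, so a zone added later without its own allow-transfer stays closed; the audit treats that global setting as the fallback for zones that do not override it.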
  10. Securing the Windows 2008 boxes
     - Disabled the local Administrator account.
     - Without the firewall, Windows provides no major technique for protecting the system, so nothing much was done.
     - Generated strong passwords for all domain users.

  11. Patches and updates
     - None of the boxes were patched or updated, except for the Windows 2000 Server, which was patched up to the last available service pack (that's Service Pack 4).
  12. Observed attacks
     - Our first Win 2000 box broke within a week of deployment.
     - Someone crashed and corrupted the Windows services (the RPC service). The services won't start even after a reboot.
     - These services are essential for the functioning of Windows, therefore the box was unusable: it became a bootable brick.

  13. Hardening our second Windows 2000 Server
     - Closing Internet Ports - Windows 2000 PRO, by Arthur R. Kopp (6/25/2005): http://www.claymania.com/windows2000-hardening.html
     - Minimizing Windows network services: Examples with Windows 2000 and Windows XP, by Jean-Baptiste Marchand (02/09/2002): http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html
     - How To: Harden the TCP/IP Stack, by J.D. Meier et al. (Jan 2006), Microsoft Corporation: http://msdn.microsoft.com/en-us/library/ff648853.aspx
  14. Win 2000 TCP ports open
         TCP  0.0.0.0:25        0.0.0.0:0  LISTENING
         TCP  0.0.0.0:80        0.0.0.0:0  LISTENING
         TCP  0.0.0.0:135       0.0.0.0:0  LISTENING
         TCP  0.0.0.0:443       0.0.0.0:0  LISTENING
         TCP  0.0.0.0:445       0.0.0.0:0  LISTENING
         TCP  0.0.0.0:1025      0.0.0.0:0  LISTENING
         TCP  0.0.0.0:1026      0.0.0.0:0  LISTENING
         TCP  0.0.0.0:1027      0.0.0.0:0  LISTENING
         TCP  0.0.0.0:3372      0.0.0.0:0  LISTENING
         TCP  0.0.0.0:4983      0.0.0.0:0  LISTENING
         TCP  172.16.4.82:139   0.0.0.0:0  LISTENING

  15. Win 2000 UDP ports open
         UDP  0.0.0.0:135       *:*
         UDP  0.0.0.0:445       *:*
         UDP  0.0.0.0:1028      *:*
         UDP  0.0.0.0:1029      *:*
         UDP  0.0.0.0:3456      *:*
         UDP  172.16.4.82:137   *:*
         UDP  172.16.4.82:138   *:*
         UDP  172.16.4.82:500   *:*

  16. Closing port 445
     - Blank the following value:
         HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBt\Parameters\TransportBindName

  17. Closing port 135
     - Under HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\ create a new key named Internet
     - Under Internet create a new string value named UseInternetPorts
     - Set the data of UseInternetPorts to N
  18. These services can safely be disabled
     - World Wide Web Publishing Service
     - Simple Mail Transport Protocol (SMTP)
     - IPSEC Services
     - Distributed Transaction Coordinator
     - SSDP Discovery Service
     - Windows Time
     - TCP/IP NetBIOS Helper
     - Workstation
     - Server
     - NetBIOS over TCP/IP

  19. Securing RPC
     - Without the RPC service Windows will not function.
     - A lot of Windows services are dependent on RPC.

  20. Securing RPC
     - Windows 2000 Resource Kit tool: Rpccfg.exe (RPC Configuration Tool): https://www.microsoft.com/downloads/en/details.aspx?FamilyID=0f9cde2f-8632-4da8-ae70-645e1ddaf369
     - rpccfg -q
     - Bind the RPC service to only the loopback adapter.

  21. Compromised
     - ProFTPD on 172.16.200.221 ("ACIDBITCHZ" backdoor)
     - Vandalized a wiki running MediaWiki
     - Port scans, vulnerability scans
  22. Observed attacks
     - Did not observe the first Win 2000 box, because Snort was not set up by then.
     - Saw a lot of port scans all the while.
     - Saw a lot of shellcode in the Snort logs. Most of them failed; it was difficult to distinguish failed from successful.

  23. What we lost
     - Our Win 2008 Server (non R2) 32bit box, the Terminal Services server.
     - The attacker had a limited user account and logged in using that. He discovered the system had the Active Directory tools; using them he had read access to the AD.
     - Escalated privileges to Admin. Created a new domain admin account.
     - Then he had complete admin access to all our Windows boxes, everything in the domain.

  24. The attacker enabled the following roles and features on the RDP box:
     - File Services
     - Internet Information Services
     - Telnetd
     - FTPd
     - SMTP, POP
     - Used the domain admin account to log in to the AD server. Didn't do anything there.