
Red Teams vs Blue Teams



वेणु गोपाल

February 23, 2011



Transcript

1. Our team (Team F): David Apeji, Maneesh Augestine, Richard Born, Venu Gopal Kakarla
2. Our setup
   - VMware ESXi servers: 2 hosts
   - Windows: 5 hosts
   - Linux: 3 hosts
   - BSD: 10 hosts
3. Windows
   - Active Directory: Windows Server 2008 (non R2) Standard Core 32-bit
   - Terminal Services (RDP) and Print Server: Windows Server 2008 (non R2) Standard Full 32-bit
   - Active Directory client: Windows 7 Professional 32-bit
   - Internet Information Services (httpd): Windows 2000 Server (legacy)
   - Nginx (httpd): Windows 2000 Server (legacy)
4. Linux
   - Mail server appliance: Ubuntu Server 8.04.3 JeOS (legacy) running Zimbra 6.5 Community Edition
   - Honeyd: Fedora 7 (Moonstone) (legacy)
5. BSD: OpenBSD 4.8
   - Primary name server (BIND)
   - Secondary name server (BIND)
   - Network time server (OpenNTPD)
   - Secure shell server (OpenSSH sshd)
   - Decoy mail server (sendmail and POP daemons)
   - XMPP/Jabber server (Openfire)
   - Snort IDS server (Snort)
   - Honeynet server (Honeyd)
   - HTTP web server (Apache)
6. Hardening OpenBSD
   - We can't use firewalls, so pf is disabled:
       # pfctl -d
     and the line pf=NO is added to /etc/rc.conf.local so it stays disabled across reboots.
   - In /etc/inetd.conf, comment out all the unnecessary services, thus closing their open ports.
   - Every service is chrooted/jailed by default.
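The inetd.conf step above done mechanically, as an added example that is not part of the original deck: a small POSIX shell script that comments out every inetd service not on an allowlist and counts what is still enabled. The inetd.conf it writes is constructed to resemble an OpenBSD 4.8 default (ident, comsat, and the internal daytime/time services the next slide lists).

```shell
#!/bin/sh
# Added example (not from the original deck). Mechanises the slide's
# "comment out all the unnecessary services" step: every active line in
# an inetd.conf whose service is not on the allowlist gets a leading '#',
# so inetd stops listening on that port once it is restarted. It writes a
# copy, so the live /etc/inetd.conf is never edited in place.

# harden_inetd <input> <output> <allowed-service>...
harden_inetd() {
    in=$1; out=$2; shift 2
    allow=" $* "                      # space-padded for exact-word matching
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) printf '%s\n' "$line" ;;    # blank or already disabled
            *)
                set -- $line                     # split fields on whitespace
                svc=${1##*:}                     # drop an OpenBSD "127.0.0.1:" prefix
                case "$allow" in
                    *" $svc "*) printf '%s\n'  "$line" ;;   # allowlisted: keep
                    *)          printf '#%s\n' "$line" ;;   # anything else: disable
                esac ;;
        esac
    done < "$in" > "$out"
}

# enabled_services <file>: number of service lines still active.
enabled_services() {
    awk '!/^[[:space:]]*#/ && NF { n++ } END { print n + 0 }' "$1"
}

# write_sample_inetd <file>: constructed sample resembling an OpenBSD 4.8
# inetd.conf (ident, comsat, and the internal daytime/time services that
# the slide saw listening on TCP ports 13 and 37).
write_sample_inetd() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf for this example
ident            stream tcp nowait _identd /usr/libexec/identd identd -el
127.0.0.1:comsat dgram  udp wait   root    /usr/libexec/comsat comsat
daytime          stream tcp nowait root    internal
time             stream tcp nowait root    internal
EOF
}

tmp=$(mktemp -d)
write_sample_inetd "$tmp/inetd.conf"
harden_inetd "$tmp/inetd.conf" "$tmp/inetd.conf.new" ident   # keep only ident
cat "$tmp/inetd.conf.new"
echo "services still enabled: $(enabled_services "$tmp/inetd.conf.new")"
```

After reviewing the copy, install it over /etc/inetd.conf and restart inetd; the ports disappear from the listening list only after the restart.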
7. OpenBSD: these are the ports open on a standard install (probably for POSIX compliance):
   - TCP port 13: daytime
   - TCP port 22: ssh
   - TCP port 37: time
   - TCP port 80: http
   - TCP port 113: ident
8. Securing sshd: set the following options in /etc/ssh/sshd_config:
       Protocol 2
       PermitRootLogin no
       MaxAuthTries 2
       PermitEmptyPasswords no
       AllowUsers user1 user2 user3
       ChrootDirectory /home/%u
   This made the difference.
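An added example, not the team's code, that audits an sshd_config for the six settings above. It assumes the config is a file on disk and follows sshd's rule that the first occurrence of a keyword wins over later duplicates; the sample config it writes is constructed and deliberately carries a stale PermitRootLogin line.

```shell
#!/bin/sh
# Added example (not from the original deck): audits an sshd_config for
# the slide's six settings. sshd honours the FIRST occurrence of a keyword
# and ignores later duplicates, so the audit reads the first one too.
# Caveat for ChrootDirectory /home/%u: sshd refuses the login unless
# /home/<user> and all parents are root-owned and not group/world writable.

# first_value <file> <keyword>: value of the first active occurrence
# (keywords are case-insensitive), empty if the keyword is absent.
first_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) {
        sub(/^[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, ""); print; exit }' "$1"
}

# audit_sshd_config <file>: one line per problem; returns the problem
# count, so 0 means every slide setting is actually in effect.
audit_sshd_config() {
    f=$1; bad=0
    for want in Protocol=2 PermitRootLogin=no MaxAuthTries=2 \
                PermitEmptyPasswords=no 'AllowUsers=*' 'ChrootDirectory=/home/%u'
    do                                    # "*" means any non-empty value
        key=${want%%=*}; exp=${want#*=}
        got=$(first_value "$f" "$key")
        if [ -z "$got" ]; then
            echo "MISSING  $key (want: $exp)"; bad=$((bad + 1))
        elif [ "$exp" != '*' ] && [ "$got" != "$exp" ]; then
            echo "MISMATCH $key = $got (want: $exp)"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# write_sample_sshd <file>: constructed config with the slide's settings
# and a stale "PermitRootLogin yes" left above them.
write_sample_sshd() {
    cat > "$1" <<'EOF'
# constructed sshd_config sample for this example
PermitRootLogin yes
Protocol 2
PermitRootLogin no
MaxAuthTries 2
PermitEmptyPasswords no
AllowUsers user1 user2 user3
ChrootDirectory /home/%u
EOF
}

tmp=$(mktemp -d); write_sample_sshd "$tmp/sshd_config"
if audit_sshd_config "$tmp/sshd_config"; then echo "matches the slide"
else echo "problems found: $?"; fi
```

The sample reports one MISMATCH because the stale "PermitRootLogin yes" line is the one sshd actually applies.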
9. Securing name servers
   - Primary: do not allow AXFR zone transfers except to the secondary (172.16.4.54).
   - Secondary: do not allow AXFR transfers at all.
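The two transfer policies above as named.conf zone stanzas, plus a small audit over them, as an added example that is not the team's configuration. Only the secondary's address 172.16.4.54 comes from the slide; the zone names and the 192.0.2.1 primary address are constructed placeholders, and the secondary's stanza, which would normally sit in the other server's named.conf, is shown in the same file so one audit can cover both.

```shell
#!/bin/sh
# Added example (not from the original deck): the slide's two transfer
# policies as named.conf stanzas (the secondary's would live in the other
# server's file) plus an audit flagging zones whose allow-transfer is
# absent or "any". Only 172.16.4.54 is from the slide; zone names and the
# 192.0.2.1 primary address are placeholders. A zone without its own
# allow-transfer inherits options{}, which BIND 9 then defaulted to any.

# audit_zone_transfers <named.conf>: one line per zone; exit status is
# the number of zones that still allow transfers to arbitrary hosts.
audit_zone_transfers() {
    awk '
        /^[ \t]*zone[ \t]+"/ { z = $2; gsub(/"/, "", z); at = "" }
        z != "" && /^[ \t]*allow-transfer[ \t]*[{]/ {
            at = $0
            sub(/.*allow-transfer[ \t]*[{][ \t]*/, "", at); sub(/[ \t]*[}].*/, "", at)
        }
        z != "" && /^[ \t]*[}];/ {
            if (at == "")        { print "OPEN " z " (no allow-transfer)"; n++ }
            else if (at ~ /any/) { print "OPEN " z " (allow-transfer any)"; n++ }
            else                 { print "OK   " z " (allow-transfer " at ")" }
            z = ""
        }
        END { exit n + 0 }
    ' "$1"
}

# write_sample_named <file>: constructed named.conf with the primary's
# and the secondary's stanzas from the slide and one zone left open.
write_sample_named() {
    cat > "$1" <<'EOF'
// constructed named.conf sample for this example
zone "example.test" {
    type master;
    file "master/example.test";
    allow-transfer { 172.16.4.54; };     // primary: only the secondary
};
zone "forgotten.test" {
    type master;
    file "master/forgotten.test";        // transfer policy never set: open
};
zone "example.test" {
    type slave;
    masters { 192.0.2.1; };              // placeholder primary address
    allow-transfer { none; };            // secondary: no transfers at all
};
EOF
}
tmp=$(mktemp -d); write_sample_named "$tmp/named.conf"
audit_zone_transfers "$tmp/named.conf" && echo "no open zones" || echo "open zones: $?"
```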
10. Securing Windows 2008 boxes
   - Disabled the local Administrator account.
   - Without the firewall, Windows provides no major technique for protecting the system, so nothing much was done.
   - Generated strong passwords for all domain users.
11. Patches and updates: none of the boxes were patched or updated, except for the Windows 2000 Server, which was patched up to the last available service pack (Service Pack 4).
12. Observed attacks: our first Windows 2000 box broke within a week of deployment.
   - Someone crashed and corrupted the Windows services, including the RPC service.
   - The services won't start even after a reboot, and they are essential for Windows to function.
   - Therefore the box was unusable; it became a bootable brick.
13. Hardening our second Windows 2000 Server, following:
   - Closing Internet Ports - Windows 2000 PRO, by Arthur R. Kopp (6/25/2005): http://www.claymania.com/windows2000-hardening.html
   - Minimizing Windows network services: Examples with Windows 2000 and Windows XP, by Jean-Baptiste Marchand (02/09/2002): http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html
   - How To: Harden the TCP/IP Stack, by J.D. Meier et al. (Jan/2006), Microsoft Corporation: http://msdn.microsoft.com/en-us/library/ff648853.aspx
14. Win 2000 TCP ports open (netstat output):
       TCP 0.0.0.0:25 0.0.0.0:0 LISTENING
       TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
       TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
       TCP 0.0.0.0:443 0.0.0.0:0 LISTENING
       TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
       TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
       TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
       TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING
       TCP 0.0.0.0:3372 0.0.0.0:0 LISTENING
       TCP 0.0.0.0:4983 0.0.0.0:0 LISTENING
       TCP 172.16.4.82:139 0.0.0.0:0 LISTENING
15. Win 2000 UDP ports open (netstat output):
       UDP 0.0.0.0:135 *:*
       UDP 0.0.0.0:445 *:*
       UDP 0.0.0.0:1028 *:*
       UDP 0.0.0.0:1029 *:*
       UDP 0.0.0.0:3456 *:*
       UDP 172.16.4.82:137 *:*
       UDP 172.16.4.82:138 *:*
       UDP 172.16.4.82:500 *:*
16. Closing port 445: blank the following registry value:
       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBt\Parameters\TransportBindName
17. Closing port 135
   - Under HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\, create a new key named Internet.
   - Under Internet, create a new string value named UseInternetPorts.
   - Set the data value of UseInternetPorts to N.
18. These services can safely be disabled:
   - World Wide Web Publishing Service
   - Simple Mail Transport Protocol (SMTP)
   - IPSEC Services
   - Distributed Transaction Coordinator
   - SSDP Discovery Service
   - Windows Time
   - TCP/IP NetBIOS Helper
   - Workstation
   - Server
   - NetBIOS over TCP/IP
19. Securing RPC: without the RPC service Windows will not function; a lot of Windows services depend on RPC.
20. Securing RPC: Windows 2000 Resource Kit tool Rpccfg.exe (RPC Configuration Tool), https://www.microsoft.com/downloads/en/details.aspx?FamilyID=0f9cde2f-8632-4da8-ae70-645e1ddaf369
       rpccfg -q
   Bind the RPC service to only the loopback adaptor.
21. Compromised
   - ProFTPd on 172.16.200.221: "ACIDBITCHZ" backdoor.
   - Vandalized a wiki running MediaWiki.
   - Port scans, vulnerability scans.
22. Observed attacks
   - Did not observe the attack on the first Win 2000 box, because Snort was not set up by then.
   - Saw a lot of port scans all the while.
   - Saw a lot of shellcode in the Snort logs; most of it failed, but it was difficult to distinguish failed from successful attempts.
23. What we lost: our Windows 2008 Server (non R2) 32-bit box, the Terminal Services server.
   - The attacker had a limited user account and logged in using that.
   - He discovered the system had Active Directory tools; using them he had read access to the AD.
   - Escalated privileges to Admin and created a new domain admin account.
   - Then he had complete admin access to all our Windows boxes, everything in the domain.
24. The attacker enabled the following roles and features on the RDP box: File Services, Internet Information Services, Telnetd, FTPd, SMTP, POP.
   - Used the domain admin account to log in to the AD server; didn't do anything there.