These days I spend my time breaking into networks and web servers for a living.
It's not that I'm of a criminal persuasion, but rather that many large organizations have decided that it's sensible to pay someone like me to break into their network before someone with malicious intent does. The impact of such a breach can be significant, yet most networks are woefully vulnerable. In fact, I sometimes despair at the common misconfigurations and ignorance I encounter day after day. Problems which have been well documented for months, or even years, raise their ugly heads at site after site. Simple mistakes are repeated again and again by otherwise perfectly good system administrators.
When we all decided that Windows NT (and subsequently Windows 2000) was to be the corporate standard and that the internet was to be the communications medium of choice, the network security model changed forever. Breaking into corporate networks, and thereby corporate information, has never been easier. Why?
Firstly, NT comes with many easily-exploited security vulnerabilities by default. Secondly, most IT people either do not know about or do not have the incentive to fix these vulnerabilities. Thirdly, information about how to exploit these vulnerabilities is freely available on the internet for everyone to see. Fourthly, access to systems at the desktop is universal. Lastly, most people, including techies, don't appear to know how to select reasonably secure passwords.
Of course, it's not that any given vulnerability grants you instant control of a company's systems, but rather that a combination of two or three such vulnerabilities do. My current favorite exploit has enabled me to gain control of most networks in less than 20 minutes. As usual, this exploit works thanks to a combination of ignorance and sloppiness (or lack of investment). It goes like this.
Plug in a Windows laptop anywhere on the corporate network - this can be in head office, at a branch office or store, anywhere in any trusted third-party premises or perhaps through a dial-up connection. Browse the network using Windows Explorer and you'll get to see all the Windows machines on the network - there's no need to logon or join a domain for this to happen. Select a server (they're usually named in a obvious fashion) and attempt a 'null session' connection - null sessions is a standard feature of NT and Windows 2000 which enable you to list users, groups, group memberships, etc. without any form of authentication whatsoever. And, yes, there's plenty of software on the internet which will help you to establish a null session and then interrogate this information.
Now list the users in the Administrators and Domain Admins groups and look for patterns, or rather exceptions to a pattern. Typically, organizations use obvious naming conventions for user accounts, but these are usually ignored where service accounts are concerned (service accounts are administrator-level accounts used to enable applications to log on to servers and domains - applications such as Backupexec, Arcserve, Tivoli are obvious examples).
Select each of these service accounts in turn and try to guess its password - it's not as hard as you might think. Frequently, network administrators will select something obvious, such as a password the same as the account name! Beware that you don't exceed the account lockout threshold, otherwise even the most harassed admin will guess something is up. If these fail, try those accounts which look like shared administrator accounts or scripted accounts, such as Administrator, Install, AutoInstall or similar. At least fifty percent of the time you'll gain Domain Admin access, allowing you to create your own administrator account, join the domain legitimately and help yourself to any information on any server.
Now this is not rocket science. In fact it's something any teenage student could accomplish with the minimum of research. So why is it still possible to conduct this exploit at the majority of sites I visit? The answer has to be a combination of ignorance and disinterest. When I studied the official Microsoft NT courses, security issues were barely mentioned, so many MCSEs will remain ignorant of things like null sessions. Few organizations have invested in a technical security role with a remit to monitor new exploits and produce security build standards, review existing installations and plug the holes. Then most managers continue to believe that a firewall is a panacea, either ignorant or disbelieving of the fact that the majority of hacks come from within the organization. Senior management still fail to realize that anyone with Domain Admins privilege can read, alter and delete any document anywhere on their network - be it on a server, a workstation or even a laptop, and that there are often dozens of accounts with that privilege.
The apathy towards security is frightening. The push from the top for more results using the same or fewer people and resources makes it unrealistic for security to feature in any meaningful way. We seem to be becoming more aware of security in general terms, but unwilling to make the investment in personnel, training and good solid procedures.
Peter Wood is chief of operations, First Base Technologies (www.firstbase.co.uk).
First Base Technologies are exhibiting at Infosecurity Europe, Europe's largest and most important information security event. Now in its 8th year, the show features Europe's most comprehensive FREE education program, and over 200 exhibitors at the Grand Hall at Olympia from April 29- May 1, 2003. www.infosec.co.uk
