Hacking demo - most spectacular techniques

[Mike Ahern <mc_ahern () yahoo com>]

I think one of the more fun & spectacular techniques
is to show them session hijacking of a telnet session
or an X-Windows session or the like. Tools like
T-Sight and IPWatcher from Engarde are excellent for
this, and there are others like Hunt that you might
want to use for session hijacking. 

It is always effective to show them serious
vulnerabilities on real production systems - in a way
that doesn't make it seem like you are picking on
anyone in attendance (you don't want to alienate
anyone). For example if you can remotely gain access
and root/admin level privs in a matter of seconds or a
few keystrokes they often are impressed. I would
replay or show the results of that kind of thing if
you are unable to do so at the time.

I would definitely show them session sniffing to
illustrate the problem with unencrypted logins.

Every manager and executive needs to see the hackers
disapearing act - such as blowing WTMP/UTMP and hiding
processes (either with utilities, backdoors, or
rootkit). They need to see that standard logging is
not in effect on backdoor access, and that the hacker
can effectively hide himself on a system including
processes, files, directories, network connections,
etc..

Most Executives and IT Managers need to see how fast
most NT/2000 passwords crack (on most networks with
the LAN MAN hash enabled). You can get the majority of
passwords in a couple days, especially if you know
what you are doing (have a dictionary of previously
cracked passwords from prior audits, and analyze last
few password cracks for character frequency - so you
can brute force crack most efficiently). I'd start it
at the beginning of the effort and then produce
results at the end. LC3 can output results without
displaying actual passwords, although maybe a top
executive or two should see how poorly people often
choose the passwords in the first place. They need to
understand how big a problem this is and how trivial
and quick it is to crack.

Senior executives are not all that technical and have
short attention spans. I would think that tying your
testing to important or sensitive business processes,
or illustrating financial or other impact to the
business is as important as a flashy demo. Nothing got
my CEO's and Exec VP's attention like seeing the
primary financial and other business-critical systems
compromised. In the words of one CEO I worked for in
the past, "if someone gets these other systems they
may get the companies money. If someone gets this
particular financial system they get **REAL** money".

These are just a few suggestions, but there are really
lots of things you can do. ARP spoofing in interesting
(dsniff). Web based vulnerabilities. Enumeration of
NT/2000 networks via null user, open network shares.
SNMP often reveals ALOT, and some Cisco tools can be
fun! Getting a router and displaying all known routes.
Illustrating common stupid things like r-services
issues and trusts, NFS mounts of user space, improper
file permissions, displaying what services remotely
advertise about the system (rusers, finger, SMTP
VRFY/EXPN, showmount, rpcinfo, etc., etc.). 

IT Managers will be more technical and some may be
defensive - more oriented at providing services and
features than in doing things securely - and feeling
adversarial about security (like you are there to make
their life more complicated and make them look bad).
It is really important to get these guys on your side
to be effective. Having the ability to generically
discuss vulnerabilities in each IT Managers area of
business is also a positive (and it can disarm them
somewhat - its hard to argue against the facts), but
actual details must be provided discretely with each
individual manager. The "names can be changed to
protect the innocent" if you want to use actual data
for examples in your presentation.

Anyhow, have fun and keep it interesting. Don't bog
down too much in the technical details. Just do a
quick show and tell. Keep it simple. 

Good Luck!!

 - Mike 







__________________________________________________
Do You Yahoo!?
Listen to your Yahoo! Mail messages from any phone.
http://phone.yahoo.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/