Where Would Batman Be Without His Belt?

Transcription

1 Where Would Batman Be Without His Belt? Leveraging Hacker Tools for Better Auditing Erika Del Giudice Michael Salihoglu 2016 Crowe Horwath LLP

2 Yes, we know Batman is from the D.C. Universe 2016 Crowe Horwath LLP 2

3 Agenda Who are we? Auditors vs. InfoSec Tools: NMAP Wireshark Shareenum ad-ldap-enum Other Tools Example Report Card: Avengers, INC Crowe Horwath LLP 3

4 Who are we? The Crowe Horwath LLP cybersecurity team offers a comprehensive suite of solutions to identify and help you manage these risks so you can strengthen the confidentiality, integrity, and availability of organizational assets. Erika Del Giudice is a Senior Manager in the Crowe Horwath LLP s Risk Consulting Practice focusing on IT Audit and Consulting services. Michael Salihoglu is a Security Consultant with Crowe Horwath s Technology Risk practice Crowe Horwath LLP 4

5 Audit vs. InfoSec (and IT) You re on the same team! Hostility only hurts you both Working together can provide stronger results Audit can leverage IS s knowledge and administrative capabilities to gather relevant data about the environment IS can leverage audit to communicate the significance of deficiencies in the environment and to test their changes Crowe Horwath LLP 5

6 Hacking Step 1: Identification Hacking Identification Auditing 2016 Crowe Horwath LLP 6

7 Let s get to some tools! 2016 Crowe Horwath LLP 7

8 Nmap An Oldie but a Goodie Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Used for scan networks to determine what hosts are live on a network, where they are located, what services (applications) and which versions are running First released in 1997; Still used today Crowe Horwath LLP 8

9 Nmap - Example Crowe Horwath LLP 9

10 2016 Crowe Horwath LLP 10

11 2016 Crowe Horwath LLP 11

12 Avengers, INC. Nmap Example Using common ports as identifiers, what services exist in the environment? SQL Servers? Mail hosts? VMWare Hosts? Unix Hosts? Printers? What ports does the network allow out to the internet? Finding: Avengers, INC. allows all traffic outbound out of their network with no restrictions. This could allow attackers more avenues of exfiltration and data compromise 2016 Crowe Horwath LLP 12

13 Wireshark A pcap is worth a thousand words Used to monitor immediate subnet traffic Can leverage filters to discover what kind of protocols exist in the environment Crowe Horwath LLP 13

14 2016 Crowe Horwath LLP 14

15 Avengers INC. Wireshark Example What traffic is present in the network? Are there any red flags? Local Network Discovery Protocols? Unauthenticated or Unencrypted Routing Protocols? Unauthenticated or Unencrypted Router Redundancy Protocols? Unencrypted Management or File Transfer Protocols IPv6? Does the network have any segmentation? VoIP Networks Core Banking Networks Administrative Networks Finding: Avengers, INC. has NetBIOS and LLMNR enabled on their network, allowing a potential attacker the means to capture user credentials 2016 Crowe Horwath LLP 15

16 ad-ldap-enum Tool that was developed to query domain information over LDAP and build group membership ad-ldap-enum will query the following: SAM Account Name Account Flags (Enabled, Disabled, etc.) Account Full Name Account Address Account Home Folder Account Password Expiration Account Last Logon Account User Comments 2016 Crowe Horwath LLP 16

17 2016 Crowe Horwath LLP 17

18 2016 Crowe Horwath LLP 18

19 2016 Crowe Horwath LLP 19

20 2016 Crowe Horwath LLP 20

21 Avengers, INC. - ad-ldap-enum Example Are there excessive disabled accounts in the environment? Are there any accounts with passwords that haven t been reset according to company policy? Are there any stale enabled accounts that haven t been logged into for years? Are users in groups that provide access to locations to which the users shouldn t have access? Finding: 63 enabled user accounts were found to not have been logged into for over a year. Additionally, 15 accounts have passwords that have not been changed in over a month, which is noncompliant with the current company policy Crowe Horwath LLP 21

22 ShareEnum What shares are available on my network and who has access to them? Can scan from authenticated or unauthenticated perspective Crowe Horwath LLP 22

23 2016 Crowe Horwath LLP 23

24 2016 Crowe Horwath LLP 24

25 Avengers, INC. - ShareEnum Example What shares does Avengers INC. allow all users to see? Backups? Administrative tools? Sensitive Information? What kind of access do these users have to these shares? Read Only? Write? Full Ownership? Finding: Avengers INC. allows all users read/write access to the Customer Info and Hulk s Diary shares which are unnecessary for most users on the network Crowe Horwath LLP 25

26 Other Tools! Enum4linux, polnum, many others.. Built-In Windows Tools: Example: auditpol Linux: Lynis Apple OSX: Lynis Open-audIT Finding: The Mac and Linux machines on the network do not comply with the enterprise password policy Crowe Horwath LLP 26

27 Avengers, INC. Report Card Five Findings How typical is this? Can there be pushback? The data often points out discrepancies or holes in policies and procedures that otherwise aren t identified Remediation? 2016 Crowe Horwath LLP 27

28 Questions??? 2016 Crowe Horwath LLP 28

29 Thank you Erika Del Giudice, Senior Manager Phone Michael Salihoglu, Consultant Phone In accordance with applicable professional standards, some firm services may not be available to attest clients. This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction Crowe Horwath LLP Crowe Horwath LLP, an independent member of Crowe Horwath Internationalcrowehorwath.com/disclosure