Windows VM on Mac OSX - Your Doomed Network

frederick

Well not really a doomed network, but here we go. A few months ago, I was told for my advanced network security course to pick something, discuss and prove the vulnerabilities, and then of course show your solution to the problem.

I chose: Remote Activation of Mac OS X Root Account, and the theft of corporate secrets housed on Windows OS through an Encrypted Firewall operating on a Windows Server Domain for a long-term period.

a.k.a. break in, and steal everything for as long as possible without getting caught...

The problem: Data is not all held on the server. As we all know, sometimes the good stuff is actually on the individual workstations as well. Servers are great, but the juicy stuff is also found on those workstations. A lot of companies with Mac OS X computers also run Windows VMs on their workstations, and servers are also Windows-based. Oh yeah, there is a SonicWall TZ 105 in my way.

The setup:

Now I chose Windows VM on Mac OSX for several reasons, but the biggest was because I have a client who has the exact setup. For about a month, I bought various 2 to 3 year old Mac OSX computers (those monitor things... how I hate all-in-ones) and installed Windows 7 (free from my school till the end of the year) on all of them. I purchased roughly 7 Apple systems. I installed a Windows 2008 R2 (again free till Jan 1) as my DC, AD, DB, and for giggles, put up a website for my made up firm "International Cactus Umpires of Phoenix" or "iCUP". Great content... assuming you like a page that says "I Heart [censored]" with picture to match.
Did I take any of this seriously? No. Far from it actually. I thought for sure after a week, I picked the wrong thing, and that I was doomed to fail. My teacher agreed.
Mostly completed data was saved to the server. Incomplete data, and other things of value, such as cache and remnant data, were stored on the Mac OS and Windows OS's. My job was to get everything.

The progression of failure:
I had my friend come in, configure it all for me. And my options for a breach were limited. The SonicWall was well configured, and things were well locked down nice and tight. Even the AV made things difficult, as I couldn't try and infect my way through windows...darn you Kaspersky...
For about a week I attempted to break in to the SonicWall, sometimes successfully, but before I made any progress, my friend caught me and severed the line. What a jerk. Each failure meant he would add configurations to the network security, closing holes, sometimes several at a time. My list of options got really small really quick.

Finally! Progress is made...and stopped:
Finally, I found a way to piggyback on Windows Time Synchronization, got me behind the firewall, all the way to a computer, and set up a base of operations. My friend was unaware, as was the SonicWall. Eventually, I started monitoring all the traffic, looking for things to help me get domain-admin access. Finally, my friend had a problem, and he had to log in to fix the computer I was on because of "unusual activity" that I caused to get his attention. HEHEHEHEHE.... I GOT CREDENTIALS!!! Keylogged and done, the Windows computers are mine. I trickle the information through the network, at a retarded speed of 1kbps up and down. Total bandwidth of slow, but completely not noticeable. Dial-up would have been faster. Please understand, the whole time this is happening, I'm pretending to be Windows Time Synchronization. I worked that service for everything and the internet connection it makes.
However, while I can see Mac Computers on the net, I can't actually do anything with them. They won't even let me in. Then I noticed something on the Domain Controller. The Macs...they are using credentials from a windows server. Not very smart at all.

Game Over
I got tired of slow speeds, so I disabled the SonicWall, and he never knew. Next thing I know, I got the interwebs under my control. I use domain credentials to access the systems, which are the same admin credentials as the OSX admin account, which allowed me to pop the bars on root and let him out under my password. After that, I let things ride for about a week, letting my system continue to download made up crap he put in every day. I was actively stealing, and he was completely unaware. For about two weeks of theft, he'd come in, see me sitting on my couch and ask "how are things going?" and I'd reply with "still haven't figured it out yet." He'd go in, do his updates, check the security logs (by the way, it's too easy to fake a "working" SonicWall... shame on them)... he never knew.
Finally, I got bored, trying to figure out a solution to this problem... and confessed and showed him everything and how I did it. He pooped a little.

The Part You All Should Care About
1) Separate the domains. Even with a setup like this, place your Windows OS computers on say 10.10.10.255, and your Apples on 192.168.1.255. Why? Because that was the final straw on the camel's back. It's a simple thing. You can do it on a MikroTik or any other non-crap router. You can do this on a Single NIC in a computer.
2) Who actually needs the internet connection? The Apple Computers or the Windows VM's? We devised a plan to have the Apple Computers be the ones for the Internet Connection, and treat the Windows VM's like an application in this sense. Place all Windows Systems in a state where they are allowed to talk to each other, and the Server, and get their time from the server as well. But the Windows don't get actual internet connection. The Windows Server gets standard, whatever internet they can...very limited and through the proxy. And use the Windows Server behind a Proxy (we used a cheap ubuntu build and it performed well), and have the Windows Server only push updates to the Windows Computers. The Apple computers are also placed behind the Proxy.
3) The Apple Computers were the hardest to crack, initially, but fell quickly because they used domain admin credentials. Do they need this? No. Local admin accounts, not domain. You already got the Windows VM's on a domain, so having them on there is pointless when all they are is a host and youtube machine. We actually increased the overall security of the windows systems by doing just this. This also means nothing is stored on the Apple Computers that is in any way important or sensitive. If you have to save a document, save it to the windows.
4) Check your firewall passwords. If they are under 8 characters, and use letters and numbers only...you are doing it wrong. And for the love of god...don't use pas, pass, passw, pa33word, or anything that looks like password, start of it, end of it, middle of it, deformed, abformed, noformed, anything. Sideways or vertical...

After we did these fixes, I was unable to actually break in again. Even attempting to piggyback on the Windows Time Service, which is easy to spoof, the proxy ended up dropping me.
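A defender-side check for the rule behind fix 2 above (Windows VMs only ever talk NTP to the DC, and a real W32Time sync is a handful of 48-byte packets per hour, not a kbps stream). This is an added example, not code from the original post; the subnet, DC address, flow-log format and thresholds are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed layout from the post's fix 1: Windows VMs on their own subnet, time served by the DC.
# All addresses below are constructed placeholders.
WINDOWS_NET = ip_network("10.10.10.0/24")
DC_IP = ip_address("10.10.10.5")
NTP_PACKET_BYTES = 48  # NTP v3/v4 request/response without extension fields

# Constructed flow-log format: "<epoch> <src_ip> <dst_ip> <proto> <dst_port> <packets> <payload_bytes>"
SAMPLE_FLOWS = [
    "1700000000 10.10.10.21 10.10.10.5 udp 123 1 48",       # normal hourly sync with the DC
    "1700003600 10.10.10.21 10.10.10.5 udp 123 1 48",
    "1700000000 10.10.10.22 203.0.113.10 udp 123 40 5200",  # "NTP" to the WAN, oversized, chatty
    "1700000060 10.10.10.22 203.0.113.10 udp 123 40 5200",
    "1700000000 192.168.1.15 203.0.113.10 udp 123 1 48",    # Mac subnet: outside this check
    "1700000000 10.10.10.21 10.10.10.5 tcp 445 10 1500",    # SMB, ignored
]


def parse_flow(line):
    ts, src, dst, proto, dport, pkts, nbytes = line.split()
    return {"ts": int(ts), "src": ip_address(src), "dst": ip_address(dst),
            "proto": proto, "dport": int(dport), "packets": int(pkts), "bytes": int(nbytes)}


def audit_ntp_flows(lines, max_packets_per_host=8):
    """Return {host: [reasons]} for Windows-subnet hosts whose UDP/123 traffic
    does not look like W32Time syncing against the DC (assumed thresholds)."""
    per_host = defaultdict(lambda: {"packets": 0, "reasons": set()})
    for line in lines:
        f = parse_flow(line)
        if f["proto"] != "udp" or f["dport"] != 123 or f["src"] not in WINDOWS_NET:
            continue
        h = per_host[str(f["src"])]
        h["packets"] += f["packets"]
        if f["dst"] != DC_IP:  # workstations should never reach past the DC for time
            h["reasons"].add(f"NTP to non-DC host {f['dst']}")
        if f["packets"] and f["bytes"] / f["packets"] != NTP_PACKET_BYTES:
            h["reasons"].add("non-standard NTP packet size")  # padded packets carry data, not time
    for h in per_host.values():
        if h["packets"] > max_packets_per_host:  # far more polls than a sync schedule needs
            h["reasons"].add(f"{h['packets']} NTP packets (expected <= {max_packets_per_host})")
    return {host: sorted(h["reasons"]) for host, h in per_host.items() if h["reasons"]}


if __name__ == "__main__":
    for host, reasons in audit_ntp_flows(SAMPLE_FLOWS).items():
        print(host, "->", "; ".join(reasons))
```

With the proxy in place the same flows simply never leave the subnet, so this check is cheap to run on the DC's or proxy's flow export as a second line of defence.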

Overall, for a 10 system network or less using Windows VM's on a Mac OS X host, a cheap $500 scrap build ubuntu system provided 3 times the actual needed bandwidth.

It originally took me 9 days, at about 4 hours every night to finally break in. A total time of 36 Hours. I spent 17 days, automatically and continuously monitoring and downloading data from the network. I was allowed to only use my computer at work, while the "network" was located in my garage at home.
 
Backtrack Linux - It's alright. Never used it before, but I'm sure with time, it can be mastered.

The biggest thing with this is Apple users fall into this false sense of security.
"Apples can't be hacked"
"Apples can't get viruses"
etc...

Does Apple disable the root account? Yes. But when logged in, it's very easy to gain access to the root account and unlock it to do what you want. I've seen several clients who use a Windows VM on top of a Mac OSX. Their whole thought process is that it is somehow more stable, and that the Windows system will be more stable as well because it's on a Mac.

After I achieved this feat, we went back a few steps, and set it up, where I would have gotten to the DC instead of a windows pc, and then crack the Apple Computers from there doing the same thing. What I was able to do was copy the VM's, rather than breaking in to them, I just stole them. It was way easier.

Obviously, the biggest security hole in this whole setup was the fact that the Windows systems were using things that they should have gotten from a local server, rather than from the WAN. A cheap $500 proxy with 2 gigabit NICs provided so much bandwidth that we were able to stream YouTube and Pandora at the same time to all the computers without issue. And that proxy did what it was supposed to do, and did it well.

If you have a server, let it be a server. Let it service updates, time, and other network rules to the workstations. That's what they are capable of. Remove independence from the workstations.

If you are running Apple computers on a Windows Domain, make sure the Local Admin and the Domain Admin are two separate things, passwords, etc. This goes for Windows computers as well. If you are on the inside as a tech, this shouldn't be a problem. Domain handles domain, local handles local.
 