Marcus Murray´s Blog

Welcome to Marcus Murray´s blog. I´m an IT-security guy with about 13 years of experience from the field. I spend most of my time assessing/designing security for enterprise environments and my customers are localized all over the world. I also present at international events like TechED, ITForum and similar. In this blog you can read about some research done by my team (Truesec Security Team), some notes from the field and my personal thoughts.. Hope you enjoy!

Session notes - SEC 310 Why I can Hack your Network In a Day [TechED US 2007] part 1 (More to come shortly!!)

 

SEC 310 Why I can Hack your Network In a Day NOTES!

These notes are to support my “Network hacking” session on TechED US [June 2007]

Since It´s a live session with tons of demos and hardly any PowerPoint-slides, I decided to put some notes up for you guys who attended the session.

External Attacks

  • Trojan attack
    • Objective: Install a customized Trojan on an internal computer.
    • Tools used:
      • Beast 2.07 (A Trojan made by a guy named Tataye)
    • Countermeasures:
      • Only install trusted applications on computers!
        • User education
        • Enforce a strict Application deployment policy
      • Antivirus/Antimalware-applications (They are not a silver bullet!)
      • Run OS and apps in Low privileges (Will reduce impact)
      • Restrict/monitor suspicious internet access
      • Software Restriction Policy (Crossing my fingers for next version)

 

 

 

  • Wireless Attacks
    • Objective: Gain access to internal network through decrypting WEP/WPA KEYS or making internal clients connect to Rogue AP or extracting WEP/WPA key from unattended laptop.
    • Tools used:

 

    • Countermeasures:
      • PKI based 801.X+EAP/PEAP or similar
      • Segment Wireless networks from internal networks (And in some scenarios use PKI-based VPN over wireless for increased internal access.)
      • Harddrive encryption (For unattended laptops)
      • Disable Automatic (re-)connection to Wireless Networks.
      • Use Local Firewalls on clients, Restrict inbound access

 

Posted: Jun 05 2007, 07:30 PM by Marcus Murray | with 29 comment(s) |
Filed under:

Comments

Matt M said:

Just watched your presentation at MS Tech Ed 2007 online... other than the sound delay, this was a great presentation.  

I especially appreciate the 'live' model for presenting the information rather than the same old powerpoint.  

Also, thanks for the additional notes provided here - I am sure to have fun and nightmares for a week!

# June 6, 2007 4:05 PM

Rob G said:

Great session this morning!!!

# June 6, 2007 4:11 PM

Mick said:

Great session! This is my 2nd time at TechEd and this is one of the best presentations that I have seen in those 2 years. It really opened my eyes and I thought your presentation was very informative, and humorous (see, we Americans really do get your humor!). I'll be filling out my presentation review right now and I must say that I really hope you'll be at future TechEd's in America.

# June 6, 2007 4:33 PM

phiberloop said:

Marcus, that was awesome. You need to come back more often. Great broad demo with enough depth to make admins think.

# June 6, 2007 5:03 PM

culmor said:

Great session (very funny also); will there be an offline download?

# June 6, 2007 5:38 PM

TenBrink Tech said:

This kind of thing is described in books and articles many times in our industry, but it is more impressive

# June 6, 2007 6:46 PM

Mike S said:

Really enjoyed your session Marcus! Very down-to-earth way of explaining and showing and you have a great sense of humor that captures the audience! Hope to see you here again next year!

# June 6, 2007 7:33 PM

Chris Catto said:

Marcus,

This was a very interesting session. I really enjoyed it.

Thanks,

Catto

# June 6, 2007 9:21 PM

hbleemel said:

Marcus,

Fantastic! I too am at my 2nd tech-ed (as another comment above) and this was by far the best 2 (I attended both of your sessions today) sessions I've attended. I have told my friends that are here about them and recommended they go. You presented the information in a way that made it enjoyable and it was VERY informative! Great job and I hope to see you back next year!

# June 7, 2007 5:10 AM

hbleemel said:

Marcus,

Fantastic! I too am at my 2nd tech-ed (as another comment above) and this was by far the best 2 (I attended both of your sessions today) sessions I've attended. I have told my friends that are here about them and recommended they go. You presented the information in a way that made it enjoyable and it was VERY informative! Great job and I hope to see you back next year!

# June 7, 2007 5:18 AM

Dustin said:

This was the best session of teched 2007!  It was funny and very interesting.  Thank you, Marcus and I hope they bring you back next year.  

# June 7, 2007 5:42 AM

SG said:

Absolutely great session at TechEd.  Sent a glowing review so hopefully you're back next year.  This blog is going into my bookmark file.  Thanks for the info!

# June 7, 2007 2:41 PM

Jake said:

Marcus,

Hands down one of the best teched sessions of 2007.  Microsoft would have to be foolish not to have you back in full form next year.

# June 7, 2007 3:38 PM

Marcos Rodrigues said:

Olá pessoal, Acabei de ver uma palestra sobre segurança e o Marcus murray deu um show de como invadir

# June 7, 2007 3:52 PM

Marcus Murray said:

Thanks you guys for all the great feedback! I so happy you all liked my sessions. I hope to see you all again in the future :)

# June 7, 2007 5:00 PM

Andy said:

Great session this morning.  I'm still surprised at the number of people who are surprised by these type of demos.  I'm glad you did this and specifically challenged people to change.

PS.  What was the name of the tool you used to "net use" just using the hash?  You said you wouldn't release it, but could you point me to some resources on that subject?

# June 7, 2007 7:08 PM

2121212121 said:

Hi Marcus, i missed being able to see two things on the small screen - could you repeat the debug util name and what was the stuff called after the buffer padding.. knop slides???

Excellent trap stuff at the end of the TLC lab.

# June 7, 2007 9:14 PM

thegeek said:

Very nice presenation(s) at TechEd.  I need you to come talk to my CIO!

# June 7, 2007 10:43 PM

objDave said:

Awsome presentation!  Point taken about using trusted apps only, so...  Would be nice to have links to 'clean' versions of the tools you used before everyone goes-a-downloading all willy-nilly like.  

# June 8, 2007 9:26 PM

Dave Chlopecki said:

Great session ...it blew away "the anatomy of a hack"!  Thanks for getting your notes up here, when I went to read mine they were rambling and flimsy.  You know your stuff and put a very humorous light on the subject.  Hope to see you back!

# June 8, 2007 10:31 PM

Microsoft Tech Ed 2007 at Schwo.com said:

PingBack from http://schwo.com/2007/06/08/microsoft-tech-ed-2007/

# June 9, 2007 2:20 AM

Chris said:

Marcus,

I saw this session and the "Why You Should Patch Your Servers In A Day" session at TechEd, and they were both very enjoyable.  Thank you so much for them.

Personally, I think you should swear more :)  It might help to emphasize these issues even more.

Cheers and thanks again.

# June 11, 2007 6:40 PM

Marcus Murray said:

q:

Hi Marcus, i missed being able to see two things on the small screen - could you repeat the debug util name and what was the stuff called after the buffer padding.. knop slides???

Excellent trap stuff at the end of the TLC lab.

a:

The Debuggers name: Ollydbg http://www.ollydbg.de/

"Nop Sleds" (No Peration Sleds) is the word youre looking for.

The exploit:Buffer padding+Return address+Nop sleds+payload

# June 11, 2007 11:53 PM

Marcus Murray said:

Q:

PS.  What was the name of the tool you used to "net use" just using the hash?  You said you wouldn't release it, but could you point me to some resources on that subject?

A:

The name of the tool is msvctl.exe and it´s a Truesec internal tool (We have a lot of exiting internal tools ;) )

I have a long blog entry that demnstrates the hash extration and the use of msvctl.exe

http://truesecurity.se/blogs/murray/archive/2007/03/16/why-an-exposed-lm-ntlm-hash-is-comparable-to-a-clear-text-password.aspx

# June 11, 2007 11:57 PM

Steve Pinkston said:

Marcus, I loved the session, the best one of TechEd!!!!

I went and downloaded most of the tools right away but I was concerned about the CaIn tool.  Is it a safe tool if I downloaded from OXid?  Symantec is saying it is trojan!

# June 13, 2007 5:55 AM

Adrian Glanvill said:

Definately the best session of TechEd.  Funny and interesting.

# June 13, 2007 9:53 AM

Derek said:

Excellent TechEd session. Best yet. Have shown it to my students who thought it was fab and intend to use it in the future to wet the appetites of my Network students. When is the book coming out!!!!

# June 19, 2007 8:00 PM

Scary tools said:

Pingback from  Scary tools

# December 12, 2007 5:41 PM

http://truesecurity.se/blogs/murray/archive/2007/06/05/session-notes-sec-310-why-i-can-hack-your-network-in-a-day-teched-us-2007-part-1.aspx said:

Pingback from  truesecurity.se/.../session-notes-sec-310-why-i-can-hack-your-network-in-a-day-teched-us-2007-part-1.aspx

# March 27, 2008 10:22 AM