NT a little bit or something. Okay. What I do is a lot of vulnerability analysis on NT. We've done penetration testing on NT at a variety of government firms. Basically what this is for is the sysadmins or security-type people, and it's also for the newbie hacker who wants to learn a little bit more about your system. So as I'm giving this information out, this is not only for them, and they're probably going to be paying it more attention than you are as a sysadmin.

This is Mr. Nasty, which is me. Don't I look like that? The arms and everything, huh? Okay.

Basically what we're going to do is we're using a free tool. Okay, it's a free tool called DumpAcl. Have you ever used that? Anybody use DumpAcl? You probably have it on your system somewhere. It's in a little bitty folder up there called DumpAcl. Nobody ever really uses it; they just have it out there, right? Okay, we've exploited so many systems using that particular tool, because we can go out and dump your ACL lists and look at everything that's out there on your machine, and these are like seriously poorly configured machines that are out there. We go on. Basically, what this is: this is pretty much the application here that you can see, and this is where to get it, and this is where to email me if you really want to ask me another question about this or anything.

Pretty much what I have is an agenda here, and I will explain something to you. A lot of you sysadmins work in areas where you have people who want to stand above the policy. Can you guys hear me? Okay?
It's people who want to stand above the policy, and I'm going to point out two critical individuals, because there were two here yesterday in the hacker track, and they were attorneys. One of them is attorneys and the other one is doctors. These people want to ride above your policy. Your policies say that you need to have stronger passwords, but doctors feel above the law, and they feel like they don't need to have stronger passwords because they need to have access to all these systems. Well, we've been in the hospitals where we could go in and see a doctor logged on to five different computers, and he's not even there, but he's got all this information open. What does that have to do with this? Well, if you go and look at his password, it's probably a four-digit password, and it's probably his dog's name or something. Okay.

But when we've gone in and we've told security officers, "You need to just shut them down," the security officer will tell us what we've done: we've gone over and we've shut down the machine, that doctor goes over to the chief of surgery and he'll complain, and guess who gets in trouble? The security officer. He gets his butt reamed for doing his job, but the doctor gets away with it. Now, what better way as a hacker?

Okay, this is just some more information on DumpAcl. I don't like to read from slides. Would you guys rather me read from slides? I could read from slides and it would bore you to death. I'm not gonna say any four-letter words. I wanted to, I really did, but no. This works on Windows 2000. It does; it works wonderfully on Windows 2000. If you go over to their website, somarsoft.com, he's got a whole bunch of information over there. You know, he's from a little bitty town in South Texas. I couldn't believe that; I would expect him to be from like Silicon Valley or Boston or something. Okay, I'm kind of nervous, so I'm gonna go on a little bit of a rant, and more information.
Yeah, go ahead. Right, you could run passfilt.dll, but you can override passfilt.dll. I mean, that is not the silver bullet to this problem, because... That's right, you could do that, and you could set that up in your policies, and that's very good to do. But then if you have a doctor that comes in and says, "Hey, I can't remember all of those funky digits, and you better take them off, because if you don't take them off I'm gonna get the chief of surgery to come down," and he's gonna crawl down your rear end, and the chief of surgery is gonna go over and he's gonna throw policy at you and say, "You know what, take that stuff off of the system."

So where did you go? I mean, where did you get from that? What my point is, my point is, to any newbie hacker out there: don't identify yourself. I don't care who you are. To any newbie hacker out there, you know, stop the DDoS attacks and the buffer overflow stuff. I mean, those are good to get in what you need to, okay, into the NT systems, and probably shut down one to get into another, because it's probably blocked by some kind of firewall. That's not an NT box; it's probably some Solaris box or something like that out there. But then once you get in the NT machine, don't go over there and set up on, you know, an IRC channel or something stupid that they can track you. You know, I mean, that's ridiculous. You know, just do something good if you're gonna go to jail, which you probably will, you know. You might as well come out with a little honeypot, right, of your own. Right, a couple of ten thousand dollars or whatever. How do you do that? Well, use your imagination a little bit. Doctors' information is privacy, period. That's all I'll say. Okay, you heard what the limit was with the lawyers. What was it, five thousand dollars? So at four thousand nine hundred ninety-nine dollars and ninety-nine cents... And there's... Right, somebody got the joke.
Okay. All right, what you do is, when you go into DumpAcl, in your permission reports, you want to get a lot of information off of your system so that you can see how it's set up. All right, this is good for you new system admins. This is good for you people who are taking over a new machine. You know, all of a sudden the director, whoever is in charge, goes over there and says, "Okay, now you're in charge of this box," and you have no clue what's going on with it. So this is a good thing to run when you first initially get there. If you put this on your machines, I suggest you limit the permissions to only yourself.

And again, this is a good reason to have a security officer besides the sysadmin. The sysadmin's got too many other jobs to do. For instance, I don't want to go off on a rant here, but you know, the sysadmin's got a lot of work to do. You guys are fixing printer problems, and people can't get their monitor up and they can't get their stuff running. I had a guy one time run into the office. He was just scared to death. He had pulled up a document in Word, and he was like, "I can't get my Word document. I can see it on the screen, but I just can't... I mean, I know it's up there, because I can see the header up here. How come I can't get to my Word document?" I went over to his desk, and sure enough, there was a Word document. He had a white background, and I could move the cursor around as if it was going through a document. There was like 15, 20 pages. I said, "Did you just change your font to white?" He said, "Yeah, uh-huh." I said, "What color's your background?" He said, "White." I said, "You don't get it yet?" So I mean, those are the problems that you guys are dealing with, right? I mean, you're dealing with a lot of brain-dead type of losers out there, right?
Yeah, they have no idea. You know, their job is eight to five. You know, it's not these guys who are sleeping on the floor at night, you know, waiting for the hacker to come in, the uber hackers to come in.

All right. This is a report view. This is all the information that you can get off of it. I only have half a screen. That's a Pentium, too. Okay, so this is the report. Can you guys see that okay over there? Probably not, right? Yeah, believe me, I'll put it on the DEF CON place when I get home, not while I'm here. Anyway, this is a report view. This is the type of information that you can get out of it. Remember, if you run it on a real big system, you know, you guys have five thousand or more users on your system, it's gonna take a little while. You can run it remotely; you don't have to run it on the server, so it doesn't take up so much CPU energy.

Yes? Yeah, oh yeah, by the way, it's free. The question was, is this free? Yes, it is free right now. It is free. So if you go out to that site, you can get it for free. Okay, so I don't work for them; I just use the tool. Pardon me? Same to you. What's the URL? The URL is www.somarsoft.com, s-o-m-a-r-s-o-f-t dot com. It's on each one of my slides. Okay, it'll be on each one of the slides, believe me. Okay, this way, since you can run it remotely.
This is just to prove it. You can run it remotely. All you have to do is just type in the slash slash and the computer name, and it'll just... What is it, UNC? You can type in the UNC name, or you can type in the IP address of the other computer, and you can run it. Now, because it can be run remotely, somebody can probably run it on your machine. I mean, on the big networks that we've run, you just get in on a client side, you go in, establish a null session, boom, you're in, you can start downloading the ACLs from there, and I'll address that in a second.

Pretty much these are the different categories of the DumpAcl reports. But one of the things I want to ask you guys while this is kind of going up there: you want to look at policies, groups. How many people would run a test on a production environment? How many people in here would run tests on a production environment? Yeah, you work for the government, then. I found a Fed. Okay. Can you see why the logic in that just doesn't make any sense? You want to run as many tests as you can. The reason being, and the reason why I say this, is because going out and running something like this on a machine, you know, gets me test accounts. We can find so many test accounts, and they remain dormant.
They're active, but they're just dormant there. So even if you run passfilt.dll, and you did it as, you know, a conscientious sysadmin, so that everybody's gonna have to comply with these stronger passwords, you're still gonna have all these dormant accounts that don't comply, that somebody can just change the password on any time they want to. And usually these test accounts are run by who? Sysadmins. And usually they're, what, they're probably administrative accounts, right? And you know what, each one of these hackers out here, if they didn't know it, they know it now. So guard them, and do what it says to do with NT: change it, hide it, decoy that admin account. Make it something that it really isn't, so that the newbie hacker will go after that admin account. "You know what, I went to DEF CON, the guy told me how to get into the NT machine, now I'm over there," and then he's got this little bitty nothing, but he thinks he's got something. So let him be happy. He's been happy for a while. Keep track of it.

Okay, a lot of times this stuff goes by itself. I just have to hit a button every once in a while, and it'll just start running by itself on the policies. You know, it dumped, what, five different categories. This is one of the categories. Basically it's gonna tell you, when you run this... This makes more sense to you when you get the program. It's like Greek right now. Okay, it was Greek to me when I first saw this. I was like, what does it mean? I don't know, but just believe me, when it's doing this, you'll see it when it comes up with the program. You want to run your policies so that you can check to make sure that your policies comply with how your real policy, your written policies, are set up, your permissions. You don't, you know, you don't want... Okay, I went into one place and the guys were saying, "Hey, we got this really cool way of setting up accounts." Okay, it was a conference I went to last month, and they were teaching sysadmins how to set it up. And guess what, the guy was real proud of the fact that he was an MCSE, and he made sure he stated that. And he says, guess what, what we do is, when we get all these new people come in, because we got a lot of students coming in, in order to save time we set them up in a guest account. So we got 5,000 students that come in every six months, and we set them up in a guest account. How safe is that? That's real safe, isn't it? That scares me.

Okay, this is the policy information. So the point there is: don't make any assumptions on how you're setting this stuff up. Look at this, pull this information down. You can, by the way... this is all Word, you guys are NT people. I mean Word, this is Windows. You guys are all NT people. Save this as a comma-delimited text file. You'll know when you're going to save as, okay: File, Save As. The reason being is because then you can pull this up into something like Excel, and you can run a lot of analysis on it really quick. Okay, you know the sort, what is that, sort fast function or something like that in Excel? And it pulls up information. It's unbelievable. Okay.

All right, we'll go on to the next one. And this particular category here is the group accounts. This one isn't as important. It doesn't have a lot of good information, but it's good to know and to keep track of. You know, you don't know if you're... especially if you got 4,000, 5,000 accounts out there, how do you know you've been hacked? How do you know that there's a new account in there? I mean, in some cases, are you the only sysadmin out there in your particular domain?
Probably not, you know. I mean, in some of these places, especially if you guys are government people, I know that there's probably... you know, I've seen anywhere between 15 and 25 sysadmins all running around. They're running around different divisions, but on the same domain, and they're installing stuff right and left, and all of a sudden half of the domain goes down. They don't know who did it. There's only sysadmins that are doing it. I mean, they're hacking into their own systems and crashing them. So they don't need you newbie hackers running any kiddie scripts against them. They're doing it on their own.

Okay, this is the group accounts. I can't remember what the next one is. Oh, by the way, I hope you guys don't mind. Don't try to steal my camera afterwards. I took pictures of the group here, and the reason why I did is because I'm giving this seminar again in Austin, Texas, to a group of government folks. I just want to show them what they're up against. Because if the room at the next conference has got like a smidgen of people here and there, I just want to show them the odds, the ratio. You know, they're doomed.

Okay, this is the file system permission reports, pretty much.
It's going to give you all this information on your file systems. There's a regedit report, yeah, a regedit report, that kind of works alongside this, and you can make changes to your regedit, or however you need to, so that nobody else can get to it. And on a lot of systems that we've seen, the regedit is really not set up so it's secure, and everybody and their brother has access to it. So you know, go into your system, use this particular tool, and you know, I'm emphasizing that, and I'm sorry if I'm emphasizing it, but the thing is that not too many people go in and really take a conscientious look at what their system is doing. If you guys are the sysadmins, you know, I'm pleading with you: please don't also be the security officer as well. I mean, if you don't know what I'm saying, there's a cross-section of duties there. There's not a segregation of duties. I mean, don't be the only one that has to be accountable, because you know, if legal issues come out at you, you're boxing yourself in, pretty much, is what I'm saying.

Okay, boy, I had a lot of things here. Another thing that we've seen is a lot of security officers that they put out there, they just kind of pick them at random. You know, he's gonna get ready to retire, or he's got a couple more years in the company before he leaves, so they put him in there as a security officer, and the guy has no clue, you know, what is a security officer? He doesn't know if he should wear a gun, if he should wear a badge. You know, he wants to go to some kind of class on TCP/IP that he has no clue about, that probably has no relationship to what he's doing at all. But to me, the way I look at that is, you send somebody out... Has anybody ever gone looking for, oh gosh, what is it?
I had it on the tip of my tongue earlier. Snipe hunting. So you know what I'm talking about. What they're doing is they're just taking these security officers and they're telling them, go snipe hunting. If you've never gone and seen a snipe, you have no clue what to look for. It's the same thing with hacking and looking for somebody hacking into your system. I'm not just talking about your newbies out there; I'm talking about the internal people, because that's what this tool basically is for, is the internal people who are just kind of clicking around going, you know, how far can I get? How far can I get up there? All right, if you don't know what kind of configuration to look for, you're clueless out there, right? I mean, the ISO is clueless; the information security officers are just completely clueless. Oh, by the way, I hope I didn't offend any MCSEs out there.

This is a share permission report. This is a real good report, because this provides you information on your different shares. I mean, what you want to do is you want to look at segregation of duties. If you don't have a good knowledge of segregation of duties, you know, you might want to get with your accounting department and maybe talk to an auditor or something and ask them how to go about a segregation of duties, or maybe run this report and share this with an auditor so that they can help you break this out. Oops, by the way, there's my pointer. The information over here to Save As, that's just a good rule of thumb: just save it as that, you know, dot txt or whatever, before, so that you know what you ran. Just kind of helps you have a little bit there. And as far as these options are concerned for the permissions and reports, you want to select certain settings or certain information here so that it pulls up this stuff. That way, when you go back, you can kind of refer back to something like this, and it'll tell you what's there. This is the share permission report.

It's hot in here. Is it hot in here to you guys? Oh, this is awful. Okay, I'm gonna try to go through this really quick so you guys can walk outside, because I'm about to pass out up here.

Yes? Yeah, you call it what you want to. As far as the question, what is the file extension for the comma-delimited file: you call it what you want to. Basically, you should save it as a .txt file. Okay, then you can export it, or, I'm sorry, import it into Excel. It's really, since it's comma-delimited, I mean, that little wizard comes up, and you just go, yes, yes, yes, yes, and then it does the rest for you. Any other questions? Yes? What does it run on? Oh, it will... Yes, it'll run on... Oh, it won't run on like 9x. Okay, it'll run on NT. It only runs on an NT box, because usually that's where your servers are located. 139, yes. Right, and it'll also run on an Alpha box as well. I ran it on an Alpha box as well as an Intel machine. So yes, any other questions? Yes? Yeah, I'm gonna put them on the DEF CON site. I'm gonna give them to them when I get back, and that'll be Monday, I'm sorry. Yeah, DT's website, it'll be on his, so you guys can get it off there if you really want to. What I'm also gonna put on the site is a couple of documents. It'll be in Word, and you know, I'm sorry for any Unix people out there or whatever, but this is an NT kind of situation, so it'll all be in .doc format, and it's how to set up the Everyone groups. What this is... another problem that I've noticed with people is setting up Everyone groups. A lot of people just copy the Everyone group and just maybe rename it, but it keeps all the permissions of the Everyone group. The problem with that, I mean, you can obviously see: if you're trying to separate the receiving department from, say, the accounting department, then there's really no segregation except in the name of the group itself, right?
All they have to do is just point and click in the Network Neighborhood, and boom, there, or wherever they want to go. And if you're a sysadmin, you know, use this along with the security administrator as well. I know you don't have a lot of time. Boy, your time is really, really short, and if you work for the government... I, you know, I hope you guys... more.

Yes? Okay, how can you prevent somebody from having access to this tool? You go, you right-click on the folder that it's in, or the best... Well, with that, what you have to do is you have to go in and you have to shut down probably 139. But if you do that, then how are people gonna authenticate? Yes, go ahead. Okay. Right, but you got a... okay, the question, or the other comment, basically, is to turn off enumeration inside of your server, so that somebody else sitting on an NT box remotely is not going to use this tool, as they get it for free, and then scam all this information off of your box. Good question. Apparently it's on TechNet, and if you do a search on it, it will come up. Yes, I mean, wait. Do you have to run the tool as administrator equivalent? Yes, you do. Yeah, you can only run this on one PDC at a time; you cannot run this on your entire domain. Right, exactly, and that's why I was kind of concerned about the enumeration. Yes. Yes, a null session attack, that's what I had mentioned earlier. He was just saying about the null session attack that I'd mentioned earlier. Yes, remotely, on an NT box, you can establish a null session with the server that's over there. I mean, you want exploits on NT? You know, Greg Hoglund and I were sitting out there at lunchtime. We were talking about an exploit that we had done at the conference in Reno, Nevada, where all you do is set up a server, an NT server, remotely, and then it's going... Gosh, I can't remember what we said that... anyway, what it does is you set it up as a BDC, and it replicates on your system.
So you actually... and then if you want to, I mean, you can knock the other system down, and people are authenticating on you, so you can get passwords right and left, on an LM hash especially. I mean, well, it doesn't matter; you have the SAM file right there, so you can sit up and run L0phtCrack against it all day long. So I mean, that's something that you need to worry about and you need to look at. But you know, those are some things that your information security officer, as well as you as a sysadmin, needs to do.

Yes? I'm sorry, what? I still didn't get that. SecurID for NT login? Oh, using like a third-party login? No, at this point, no. And part of the reason, like I mentioned before, it's the doctors. You got doctors and lawyers who feel that they cannot be bothered with that. Okay, they just cannot be bothered with that, and until there's a liability placed on the doctors, until there's a liability placed on the doctors that makes them accountable for securing patient information, or for securing client information, then nothing's going to happen to them. Okay, and believe me, if you go to a doctor and tell him, "Hey, I got patient information, write me a check for four thousand nine hundred ninety-nine dollars and ninety-nine cents," do you think he's going to go to the CIA or FBI? Well, if he does, what's going to happen to him? He probably loses his license. So it's probably cheaper, one of those risks of business; he probably just writes you out a check for four thousand nine hundred ninety-nine dollars and ninety-nine cents. Now, am I encouraging you to do that? No, I don't encourage anybody to do that. Okay? I guess I should have put a waiver up here, and a disclaimer.
Yes? Right, my point, though, is that even if you do something like that, the doctors themselves, for release of patient information poorly secured like that, will probably lose their license, or, sadly, their reputation, which is even worse.

Yes? That's the weakest link. That's a great one. The question is, how do you make end users, brain-dead end users, learn to make stronger passwords? Well, one of them, of course, is to put in passfilt.dll. I mean, that's going to sort of force them to do it. It's going to tick them off, but it's going to force them to do it. The other thing is just training, training users on a regular basis. It's called passfilt.dll. It's on, what is it, SP2 on up, and I think SP4 has got a better fix on the old stuff. What website is passfilt.dll on? Well, you can get it off the Microsoft site, but if you're running NT, it's on your SP, what is it, SP2 on up. But I think, like I said, SP4 has got a fix to something that was on SP2. Any other questions? Yes? ACL? Yes, okay, the question is, can you do modeling with this, like engineer your whole topology there, create policy? Right. Yes. Yeah, that would be an excellent idea to do something like that. You know, set it up on a test environment, see how it runs, set up all your groups and all your individual accounts and everything that works fine, and just move it over into the real environment once it works. Yes, excellent idea. Any other questions? Okay, it's hot. Yeah, I'm hot, and I feel sorry for the people over at CDC, because not only are they hot, but they're also going to get a virus. So thank you very much.
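As an added example, not part of the talk and not Somarsoft's code, here is a Python script that does offline what the speaker does by hand in Excel: read a DumpAcl report saved as comma-delimited text and pull out the two things he keeps coming back to, shares where the Everyone group has Full Control and dormant or test accounts that sit in administrative groups. The column names, the sample rows and the audit date are constructed for this example and are not DumpAcl's actual export layout; the set of groups treated as privileged and the 90-day dormancy threshold are assumptions to be adjusted to your own written policy.

```python
"""Added example (not from the talk or from Somarsoft): automate the sort-and-look
that the speaker does in Excel after saving a DumpAcl report as delimited text.

The column names and rows below are CONSTRUCTED for this example; they are not
DumpAcl's real export layout. Point the functions at your own export and adjust
the field names to match its header line."""
import csv
import io
from datetime import date

# Constructed date the audit is run on (assumption, used for dormancy math).
AUDIT_DATE = date(2000, 7, 28)

# Constructed share-permission export: one row per (share, trustee, permission).
SHARE_REPORT = """\
Share,Path,Account,Permission
Public,C:\\Public,Everyone,Full Control
Accounting,D:\\Acct,Accounting,Change
Accounting,D:\\Acct,Everyone,Full Control
Receiving,D:\\Recv,Receiving,Read
"""

# Constructed user export: groups separated by ';', ISO dates or "Never".
USER_REPORT = """\
UserName,Groups,LastLogonTime,AcctDisabled
Administrator,Administrators,2000-07-20,No
test1,Administrators;Users,1999-11-02,No
jsmith,Users,2000-07-27,No
testbackup,Backup Operators,1998-05-14,No
Guest,Guests,Never,Yes
"""

# Groups whose members can reset other accounts' passwords or read the SAM.
# Which groups matter is a policy choice, so treat this list as an assumption.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Backup Operators"}


def parse_report(text):
    """Parse a comma-delimited export with a header line into dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def everyone_full_control(share_rows):
    """Shares on which the Everyone group holds Full Control (sorted, unique)."""
    return sorted({row["Share"] for row in share_rows
                   if row["Account"] == "Everyone"
                   and row["Permission"] == "Full Control"})


def risky_admin_accounts(user_rows, today, dormant_days=90):
    """Enabled accounts in a privileged group that look like test accounts,
    have never logged on, or have been dormant longer than dormant_days.

    Returns (user, sorted privileged groups, reasons) tuples in input order."""
    findings = []
    for row in user_rows:
        if row["AcctDisabled"] == "Yes":
            continue  # disabled accounts cannot be logged on to; skip them
        privileged = PRIVILEGED_GROUPS & set(row["Groups"].split(";"))
        if not privileged:
            continue
        reasons = []
        if row["UserName"].lower().startswith("test"):
            reasons.append("test account")
        last = row["LastLogonTime"]
        if last == "Never":
            reasons.append("never logged on")
        else:
            age = (today - date.fromisoformat(last)).days
            if age > dormant_days:
                reasons.append(f"dormant {age} days")
        if reasons:
            findings.append((row["UserName"], sorted(privileged), reasons))
    return findings


if __name__ == "__main__":
    for share in everyone_full_control(parse_report(SHARE_REPORT)):
        print(f"share {share}: Everyone has Full Control")
    for user, groups, why in risky_admin_accounts(parse_report(USER_REPORT), AUDIT_DATE):
        print(f"account {user} in {', '.join(groups)}: {'; '.join(why)}")
```

Run it as-is to see the findings for the constructed sample; for a real export, replace the embedded strings with the file contents and rename the fields to match the header line the tool writes. Putting this in a script rather than a spreadsheet sort means it can be re-run after every change and diffed against the last run, which is a direct answer to the speaker's "how do you know there's a new account in there" question.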