TechEd 2007: Security MVP Demos Broken Wireless Access Protocols
ORLANDO - During an updated version of one of the more popular sessions at TechEd each year, senior security engineer and Microsoft MVP Marcus Murray did attendees a major service by demonstrating that hacking into a network is not really an art, and in some ways, not even much of a science.
His "Why I Can Hack Your Network in a Day" session title is actually something of a misnomer, since many of the tools he uses (including one written by SysInternals guru-turned-Microsoft fellow Mark Russinovich) can let an intruder work their way to the passwords of domain administrators in closer to 15 minutes.
"We all take our keys with us everywhere we go," Murray told a standing-room-only crowd (once again, we were among those standing). By that, he meant that domain admins use their own passwords to gain access to networks even from remote systems. Thus the integrity of an entire domain may be as rigid as that of the desktop or laptop of what Murray referred to as "the guy in marketing," or "the end loser."
Sniffing packet traffic from the parking lot can reveal enough information for a malicious user to gain access to an end-loser system (with apologies to those of you who aren't losers and who do work in marketing), mainly because the wireless encryption protocol in question, WEP, is so weak.
A single intercepted probe for a wireless access point won't reveal enough about the probing system for the malicious user to do any damage, but given several minutes of captured traffic, a sniffing tool can reconstruct enough information about the user's Security Accounts Manager (SAM) account to log on as that user.
On systems where the "end-loser" has high privileges, the malicious user can then launch a command-line tool that dumps the password hashes of everyone who has logged onto that system, including the domain admin. (How do we know it's the domain admin? Usually the username is something like "Domain_admin.") The hash is the part that tools use to check the validity of a logon and password during authentication. When the "net use" command authenticates, it checks against the hash that's loaded in memory. When you don't know the password, the check fails... normally.
But with a tool that injects the hash into the stream in memory, the command checks whatever you happen to enter as the password (perhaps it's nothing) against the injected hash, and approves it. Once logged onto the domain admin's account, the same hash dumping tool can be used to capture hashes throughout the entire Active Directory table.
If there's a message attendees may take away from this -- besides "Be afraid, be very afraid!" -- it's that the rudimentary protection tools Microsoft shipped with Windows Server 2003 (prior to Service Pack 1) are broken. "You can't rely on WEP," Murray proclaimed. "It is not a secure protocol; it doesn't work."
Stay in touch with BetaNews for more throughout the day and week, from the floor of TechEd.