Hacking Windows 2K, XP

1
Hacking Windows 2K, XP
2
Windows 2K, XP

• Review NetBIOS name resolution. SMB - Shared
  Message Block - uses TCP port 139, and NBT -
  NetBIOS over TCP/IP - uses UDP port 137., if only
  port 139 responds, probably is Win 9x, but if
  port 445 responds, then is Win 2k,XP. See also
  this paper on C IFS Common Internet File System
  and SMB vulnerabilities. Close these ports!
• 2K, XP basic security Net logon, no bypass of
  BIOS (HAL), No remote access to console
  (default), requires admin privileges for
  interactive login (Server), and has object-based
  security model
• a security object can be any resource in the
  system files, devices, processes, users, etc.
• server processes impersonate the client's
  security context (key for file servers)
• Win2k,XP are windows NT updated, with more
  security tools and patches .
• Quest for administrator
• Privilege Escalation
• Consolidation of power, and
• Covering tracks.

3
Quest for Administrator

• Remote password guessing. Net use can help. Nat
  guesses passwords using user and password lists
  (Brutus is similar).
• Countermeasures close ports, in 2k,XP use
  Disable NBT to disable 139 and File and Printer
  Sharing to disable 445. Use Account Policies to
  setup password length, lock, expiration, etc.
  Passfilt implements stronger passwords in NT, in
  2k,XP just activate. Use Passprop to lock the
  Administrator account. Use Audit.
• Read good and bad passwords and see how to reduce
  other password vulnerabilities. Note use
  kaHt2.exe to exploit MSRPC vulnerabilities at
  your own risk (some versions are a disguised
  Trojan).
• Eavesdropping on network password exchange and
  obtaining password hash values Sniff tools and
  NT user authentication. If possible disable
  (Q299656) LanMan authentication (Win 9x
  problems).
• Remote buffer overflows local (interactive login
  users), LASS, and remote using Web, FTP, DB
  servers and many others. Use BOWall to fix or
  detect.
• Basic countermeasure download and run Microsoft
  Baseline Security Advisor.to check for setup and
  patch vulnerabilities.
• Use runas.exe to run administrative jobs from
  regular accounts.

4
Privilege Escalation

• Gathering information logged as user (not
  admin), use find, look in directories ,look for
  SAM, and enumeration tools. Basic countermeasure
  set files/directory permissions properly. BIOS
  password!!
• Add to administrator group getadmin and sechole
  - apply service packs and restrict FTP to server
  script directories. Also rogue DLLs.
• Spoofing LPC port requests using LPC ports API
  to add to admin group. Again apply the
  corresponding patch.
• Obtaining SYSTEM account privileges at 1000
  /INTERACTIVE cmd.exe
• Trojans Basic rule do not use a Server as a
  workstation (no e-mail, no outside browsing),
  backup! See Symantec Trojan, Worm, virus list.
  Or this other just of Trojans by ports.
• Registry very few items accessible by everyone.
  Probably the lowest threat, and you can use the
  Policy Editor to hide/deny access, but admin.
• Kerberos V5 only 2K, XP machines have it,
  downgrades to NT and LAN Manager authentication
  if Win 9x/NT are involved.
• EFS attack deleting the SAM blanks the
  Administrator password. Set BIOS password and C
  drive boot only. This allows to login as
  Administrator (the recovery agent) and decrypt
  the content of the files (just open and save in a
  regular folder). It is possible to backup the
  recovery keys .

5
Consolidation of Power
Assumes that administrator-level access has been
obtained.

• Cracking the SAM from local admin to domain
  admin, other users. See look for SAM, Disable
  LanMan authentication. Apply service packs!
• Cracking 2K, XP Passwords See an
  introduction/FAQ. L0phtcrack is the key tool,
  graphical, good documentation and was acquired by
  Symantec.
• Countermeasures choosing strong passwords -- no
  dictionary words, seven digits (if LanMan not
  disabled), alpha, special characters, facts,
  names from youth,etc. Win 2K, XP use Use SYSKEY
  SAM encryption, but Pwdump2 circumvents SYSKEY
  and dump hashes from SAM and Active Directory.
• Duplicate credentials locally stored domain user
  credentials (same user domain account), local
  Administrator with same password as in the
  Domain.
• LSA Secrets includes plain text service account
  passwords, cached passwords(last 10), FTP and web
  user plain text passwords, etc. A hack lsadump2
  or available info by Design?
• Keystroke loggers record every keystroke to a
  (hidden) file. ActMon and SurfControl are tools
  to capture keystrokes and more.
• Sniffers See Sniff tools and also BUTTsniffer,
  and dsniff (Win32 version).

6
Covering Tracks
Consolidation of Power

• Remote control Remote control applications
  (pcAnywhere, VNC, WinXP, etc.) are useful, but a
  major security risk, even when configured
  properly.
• Rootkits patching the OS kernel with rogue code,
  assuming control of the OS. See the Rootkit page
  and later class meeting.
• Port redirection redirect from one IP number and
  port to another IP number and port at the
  gateway/firewall. See rinetd and fpipe.
• Check security settings in Domain Controller
  ports 389 and 3268 (Active Directory). Filter
  these ports at the network border router
  (firewall). Remove Everyone group from access.

• Disabling Auditing disable Auditing using
  Auditpol.
• Clearing the Event Log use elsave to clear the
  Event Log.
• Hiding files using attrib, NTFS file streaming.
  Use LNS to search for files hidden in streams.