Windows Security Analysis - PowerPoint PPT Presentation

1 / 67

About This Presentation

Title:

Windows Security Analysis

Description:

'Hacker' used primarily by the media to describe malicious ... Erase logs from hard disc. Erasing Eventlog harder. IDS Systems. Network Monitoring at firewall ... – PowerPoint PPT presentation

Number of Views:232

Avg rating:3.0/5.0

Slides: 68

Provided by: mattcookht

Category:

more less

Transcript and Presenter's Notes

Title: Windows Security Analysis

1
Windows Security AnalysisComputer Science
E-Commerce Security Matthew Cookhttp//escarpment
.net/
2
Introduction

Loughborough University
http//www.lboro.ac.uk/computing/
Janet Web Cache Service
http//wwwcache.ja.net/

3
Windows Security Analysis

Introduction
Step-by-step Machine Compromise
Preventing Attack
Further Reading
The Future

4
Introduction

Physical Security
Security Threats
Hacker or Cracker
The Easiest Security Improvement
Can you buy security?

5
Physical Security

Secure Location
BIOS restrictions
Password Protection
Boot Devices
Case Locks
Case Panels

6
Security Threats

Denial of Service
Theft of information
Modification
Fabrication (Spoofing or Masquerading)

7
Security Threats

Why a compromise can occur
Physical Security Holes
Software Security Holes
Incompatible Usage Security Holes
Social Engineering
Complacency

8
Hacker or Cracker

Hacker used primarily by the media to describe
malicious attacks by individuals
However the computing community uses Cracker to
mean the same
A Hacker tinkers with systems for good
purposes. (Not breaking the law)
To avoid confusion many people now sayA machine
has been compromised!Not A machine has been
hacked!

9
The Easiest Security Improvement

Good passwords
Usernames and Passwords are the primary security
defence
Use a password that is easy to type to avoid
Shoulder Surfers
Use the first letters from song titles, song
lyrics or film quotations

10
Can you buy Security?

This system is secure. A product vendor might
say This product makes your network secure.
Or We secure e-commerce. Inevitably, these
claims are naïve and simplistic. They look at the
security of the product, rather than the security
of the system. The first questions to ask are
Secure from whom? and Secure against what?
Bruce Schneier

11
Step-by-step Machine Compromise

Background
Gathering Information
Identifying System Weakness
Exploiting the Security Hole
Gaining Root
Backdoor Access
System Alteration
Audit Trail Removal

12
Background

Reasons for Attack
Personal Issues
Political Statement
Financial Gain (Theft of money, information)
Learning Experience
DoS (Denial of Service)
Support for Illegal Activity
In our scenario we are going to attack the
company laggyband.com

13
Gathering Information

Companies House
Internet SearchURL http//www.google.co.uk
WhoisURL http//www.netsol.com/cgi-bin/whois/who
is
A Whois query can provide
The Registrant
The Domain Names Registered
The Administrative, Technical and Billing Contact
Record updated and created date stamps
DNS Servers for the Domain

14
Gathering Information

Use Nslookup or dig
dig _at_dns.laggyband.com www.laggyband.com
Different query type available
A Network address
Any All or Any Information available
Mx Mail exchange records
Soa Zone of Authority
Hinfo Host information
Axfr Zone Transfer
Txt Additional strings

15
Identifying System Weakness

Many products available
Nmap
Nessus
Pandora
Pwdump
L0pht Crack
Null Authentication

16
Nmap

Port Scanning Tool
Stealth scanning, OS Fingerprinting
Open Source
Runs under Unix based OS
Port development for Win32
URL http//www.insure.org/nmap/

17
Nmap
18
Nessus

Remote security scanner similar to Typhon
Very comprehensive
Frequently updated modules
Testing of DoS attacks
Open Source
Win32 and Java Client
URL http//nessus.org/

19
Pandora

Not strictly Windows Security
Runs on either Unix or Win32
Excellent tool to evaluate Netware security
Open Source
Lots of additional information
URL http//www.nmrc.org/pandora/

20
pwdump

Version 3 (e encrypted)
Developed by Phil Staubs and Erik Hjelmstad
Based on pwdump and pwdump2
URL http//www.ebiz-tech.com/html/pwdump.html
Needs Administrative Privilidges
Extracts hashs even if syskey is installed
Extract from remote machines
Identifies accounts with no password
Self contained utility

21
L0pht Crack

Password Auditing and Recovery
Crack Passwords from many sources
Registration 249
URL http//www.atstake.com/research/lc3/

22
L0pht Crack

Crack Passwords from
Local Machine
Remote Machine
SAM File
SMB Sniffer
PWDump file

23
Nmap Analysis

nmap sP 158.125.0.0/16
Dependant on ICMP (Internet Control Message
Protocol)
nmap sP PT80 158.125.0.0/16
Dependant on TCP SYN/ACK packet

24
Nmap Analysis

TCP Connect Scan
Completes a Three Way Handshake
Very noisy (Detection by IDS)

25
Nmap Analysis

TCP SYN Scan
Half open scanning (Full port TCP connection not
made)
Less noisy than the TCP Connect Scan

26
Nmap Analysis

TCP FIN Scan
FIN Packet sent to target port
RST returned for all closed ports
Mostly works UNIX based TCP/IP Stacks
TCP Xmas Tree Scan
Sends a FIN, URG and PUSH packet
RST returned for all closed ports
TCP Null Scan
Turns off all flags
RST returned for all closed ports
UDP Scan
UDP Packet sent to target port
ICMP Port Unreachable for closed ports

27
Null Authentication

Null Authentication
Net use \\camford\IPC /u
Famous tools like Red Button
Net view \\camford
List of Users, groups and shares
Last logged on date
Last password change
Much more

28
Exploiting the Security Hole

Using IIS Unicode/Directory Traversal
/scripts/../../winnt/system32/cmd.exe /cdir
/scripts/..c0af../winnt/system32/cmd.exe?/cdir
Displays the listing of c in browser
Copy cmd.exe to /scripts/root.exe
Echo upload.asp
GET /scripts/root.exe /cechoblahgtupload.asp
Upload cmdasp.asp using upload.asp
Still vulnerable on 24 of E-Commerce servers

29
Gaining Root

Cmdasp.asp provides a cmd shell in the SYSTEM
context
Increase in privileges is now simple
ISAPI.dll RevertToSelf (Horovitz)
Version 2 coded by Foundstone
http//camford/scripts/idq.dll?
Patch Bulletin MS01-26
NOT included in Windows 2000 SP2

30
Backdoor Access

Create several user accounts
Net user iisservice ltpassgt /ADD
Net localgroup administrators iisservice /ADD
Add root shells on high end ports
Tiri is 3Kb in size
Add backdoors to Run registry keys

31
System Alteration

Web page alteration
Information Theft
Enable services
Add VNC
Creating a Warez Server
Net start msftpsvc
Check access
Upload file 1Mb in size
Advertise as a warez server

32
Audit Trail Removal

Many machines have auditing disabled
Main problems are IIS logs
DoS IIS before logs sync to disc
Erase logs from hard disc
Erasing Eventlog harder
IDS Systems
Network Monitoring at firewall

33
Preventing Attack

NetBIOS/SMB Services
Hfnetchk and Qchain
SNMP Vulnerabilities
Active Directory Vulnerabilities
IPSec
IIS Security
IDS Snort
.NET Server

34
NetBIOS/SMB Services

NetBIOS Browsing Request UDP 137
NetBIOS Browsing Response UDP 138
NetBIOS Communications TCP 135
CIFS TCP 139, 445 UDP 445
Port 445 Windows 2000 only
Block ports at firewall
Netstat -A

35
NetBIOS/SMB Services

To disable NetBIOS
Select Disable NetBIOS in the WINS tab of
advanced TCP/IP properties.
Deselect File and Print sharing in the advanced
settings of the Network and Dial-up connections
window

36
NetBIOS/SMB Services

Disable Null Authentication
Key similar to Windows NT 4.0
HKLM\SYSTEM\CurrentControlSet\Control\LSA\Restrict
Anonymous
REG_DWORD set to 0, 1 or 2!
HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeSe
rvers\RestrictAnonymous
REG_DWORD set to 0 or 1

37
Hfnetchk

Use Hfnetchk to check hot fixes
Checks machines against Microsoft XML
Automate the process using a batch files and a
mail client (Postie)
URL http//www.infradig.com/infradig/postie/
Use QChain to chain hot fixes together without
rebooting in-between.

38
Hfnetchk

Patch details for
Windows NT 4.0, 2000, XP, .NET server
IIS 4, IIS 5 and IIS 6
SQL Server 7.0
SQL Server 2000
Internet Explorer 5.01 (and later)

39
Hfnetchk

Default scan of local host (Pre
downloaded)hfnetchk x mssecure.xml
Default scan of lboro domainhfnetchk d lboro
Verbose scan of local hosthfnetchk v x
mssecure.xml
Verbose scan including installed hot
fixeshfnetchk v a b x mssecure.xml

40
SNMP Vulnerabilities

Simple Network Management Protocol
Snmpwalk camford public .1.3.6.1.4.1.77.1.2.25
SNMP Utilities in Resource Kit
Turn off SNMP services
Set community names
Set accepted hosts

41
SNMP Vulnerabilities
42
SNMP Vulnerabilities

CERT Advisory Tuesday 12th February
Privilege Escalation, DoS, Instability
Block UDP 161 and 162 at firewall
Patch or disable SNMP
Patches available for Windows 2000 and XP
URL http//www.microsoft.com/technet/treeview/def
ault.asp?url/technet/security/bulletin/ms02-006.a
sp

43
AD Vulnerabilities

Listing of AD contents using ldp.exe
Ldp is contained on the Resource Kit
Authenticated connection needed
Filter TCP 389 (LDAP) and 3268 (GC)
DNS Securing Zone Transfers to Slave Name
servers only

44
IPSec

IP security
Linux Connectivity using FreeS/WAN
Mainly for wireless use
WEP encryption cracked
URL http//www.freeswan.org/
URL http//airsnort.sourceforge.net/

45
IIS Security

History
Recent Worms
IIS Lock Down Tool
URL Scan
The Future

46
IIS History

IIS 2.0 Installed by NT 4.0
IIS 3.0 followed by more common IIS 4.0
Quickly gained reputation for (in)security
IIS 5.0 Installed by Windows 2000
IIS 6.0 Installed by .NET Server
Microsoft releases Hfnetchk
Closely followed by IIS Lockdown and URLScan

47
Recent Worms

Sadmind/IISDirectory Traversal (Unicode Exploit)
CodeRedida/idq buffer overflow
CodeGreen ida/idq buffer overflow
NimdaDirectory Traversal (Unicode Exploit)

48
Sadmind/IIS

2001-05-03 223449 203.67.x.x - 158.125.x.x 80
GET /scripts/root.exe /cecholthtmlgtltbodybgcol
or3Dblackgtltbrgtltbrgtltbrgtltbrgtltbrgtltbrgtlt
tablewidth3D100gtlttdgtltpalign3D22center22
gtltfontsize3D7color3DredgtfUSAGovernment
lt/fontgtlttrgtlttdgtltpalign3D22center22gtltf
ontsize3D7color3DredgtfPoizonBOxlttrgtlttd
gtltpalign3D22center22gtltfontsize3D4color
3Dredgtcontactsysadmcn_at_yahoo.com.cnlt/htmlgtgt../w
wwroot/default.htm 200 -

49
IIS Lock Down Tool