Hacking Windows 9X/ME - PowerPoint PPT Presentation

About This Presentation
Title: Hacking Windows 9X/ME

Slides: 7
Provided by: DrAlB
Learn more at: http://home.ubalt.edu

Transcript and Presenter's Notes

1
Hacking Windows 9X/ME
2
Hacking framework
  • Initial access
    • physical access
    • brute force
    • trojans
  • Privilege escalation
    • Administrator, root privileges
  • Consolidation of power
    • other accounts and resources
  • Covering tracks
    • avoid detection

3
95/98/ME
  • Not a network OS: limited remote admin features, no native telnet or
    remote execution, and most applications are graphical rather than
    command-prompt based.
  • Remote exploits need a direct connection to shared resources.
    • File sharing: e.g. use Legion to find shares, then brute force (BF)
      the password; also Network Neighborhood Cracker.
    • Countermeasures: turn off file sharing, or use a password of eight
      characters, alphabetic plus meta (non-alphanumeric) characters. Add $
      to the share name, e.g. share$, to hide it from net view, a Legion
      scan and Network Neighborhood.
  • Win 9x Dial-up Server: users can attach a modem and allow dial-in.
    • Countermeasure: do not use Dial-up Server and do not allow modems in
      user machines (VPN is discussed in another class).
  • The Win 9x registry is not accessible remotely unless the Remote
    Registry Service is installed (don't).
  • Use the Policy Editor to turn off resource sharing globally.

4
Backdoor Servers and Trojans
  • (See a comprehensive list at PacketStorm.)
  • Back Orifice (BO): original in 1998, new version BO2K. There are
    plug-ins. The original listened on UDP port 31337 (but it can be
    configured to run on other ports); BO2K uses TCP port 54320 or UDP port
    54321 by default (can be changed). Symantec description; there is also
    a scanner for BO.
  • NetBus: graphical, more user friendly, listens on TCP ports 12345 or
    20034 by default (configurable). Symantec description. See this page
    for details, screenshots and removal tools.
  • SubSeven (S7S): very popular, comprehensive and easy to use; listens on
    port 27374 (again configurable). Symantec description. See the
    utilities to remove it on this page.
  • Countermeasures
    • A backdoor server is run on the target machine, not remotely. Lock
      your machine! Close the default ports (better: only open what you
      need).
    • Save attachments to a directory and run the virus scanner on the
      saved file. Most virus scanners (set to scan all files) can detect
      (and sometimes remove) backdoor server trojans; see the Symantec
      list.
    • See also the PacketStorm Trojans page for removal tools.

5
Other vulnerabilities
  • Server application vulnerabilities
    • Remote control applications (pcAnywhere, VNC, WinXP, etc.) are
      useful, but a major security risk, even when configured properly.
    • Personal Web Server, if not patched and configured properly (it is
      IIS with access limitations, but has the same security risks,
      including Code Red). See the Microsoft Security patches site for PWS
      and IIS.
    • FTP and Telnet server applications (add-ons). Windows 2000 and XP
      have a Telnet server. Same problems.
    • Countermeasures: limit or do not allow server applications
      (particularly Internet and remote control) on user machines. Close
      these ports in the firewall. If you need to run a Web server on
      Win9x, try Code(red) Hunter as a protection/detection system.
  • Denial of Service: DUN 1.3 patch (Win 95); 98 and ME do not need the
    patch, but malformed requests can be a problem anyway. Use Win9x behind
    a user or site firewall to protect from attacks. Use detection
    software, like ActivePorts (seen previously).
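As an added example (not part of the presentation), a small Python check in the spirit of the ActivePorts advice above: it parses `netstat -an` style output and flags any row whose local port is one of the backdoor defaults quoted on the Backdoor Servers slide. The port table and the sample netstat rows are constructed here; since every one of these servers is reconfigurable, a clean result only shows that the default ports are not in use.

```python
"""Flag rows of ``netstat -an`` output on the default ports of the backdoors
named on the slides (BO, BO2K, NetBus, SubSeven). Added example, not from the presentation."""
import re

# Default ports quoted on the slides. Every one of these servers can be
# reconfigured, so a clean result here is necessary, not sufficient.
BACKDOOR_DEFAULTS = {
    ("udp", 31337): "Back Orifice (original)",
    ("tcp", 54320): "Back Orifice 2000",
    ("udp", 54321): "Back Orifice 2000",
    ("tcp", 12345): "NetBus",
    ("tcp", 20034): "NetBus",
    ("tcp", 27374): "SubSeven",
}

# One netstat -an row: proto, local addr:port, foreign addr:port, optional state.
_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$", re.I)

def parse_netstat(text):
    """Yield (proto, local_port, foreign, state) for each parsable row."""
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m or m.group(3) == "*":
            continue
        proto, _, lport, faddr, fport, state = m.groups()
        yield proto.lower(), int(lport), f"{faddr}:{fport}", (state or "").upper()

def find_backdoor_ports(text):
    """Return (proto, port, backdoor name, state) for rows on a known default port."""
    hits = []
    for proto, lport, _foreign, state in parse_netstat(text):
        name = BACKDOOR_DEFAULTS.get((proto, lport))
        if name:
            hits.append((proto, lport, name, state))
    return hits

# Constructed sample in netstat -an layout; rows 12345 and 31337 should be flagged.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1034       192.168.1.9:80         ESTABLISHED
  UDP    0.0.0.0:31337          *:*
  UDP    192.168.1.5:137        *:*
"""

if __name__ == "__main__":
    for proto, port, name, state in find_backdoor_ports(SAMPLE):
        print(f"{proto}/{port:<5} {state or '-':<11} default port of {name}")
```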

6
Local Exploits
  • Reboot: either set a BIOS password or, if connected to a Domain,
    require domain login, to prevent escaping the login prompt.
  • Screen-saver password: good but limited (a CD-ROM autorun.inf is
    executed even while the screen saver is running). How about BO on a
    CD-ROM? Disable autorun.
  • Revealing passwords: more for recovery than hacking (you need to be
    logged in to the machine).
  • PWL cracking: copy the password files to diskette
    (copy c:\windows\*.pwl a:) and crack them later. Also more recovery
    than hack, since you need to be logged in.
  • Countermeasures: secure physical access to the computer (lock and
    key), in addition to the above.