Hacking Windows - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Hacking Windows
  • Justin Bell

Department of Computer Science, University of Wisconsin-Platteville
belljus_at_uwplatt.edu
2
Topics
  • This presentation will explore some high-profile
    intrusions along with the general methodology
    behind hacking techniques. The presentation will
    also cover some specific examples of attacks and
    vulnerable services.
  • Definitions
  • Famous Hacks
  • Breaking In
  • Malicious Code
  • Terminal Services
  • Denial of Service

3
Definitions
Hacker: someone who attempts to gain unauthorized
access to a computer system.
Hacking: the process of attempting to gain, and
possibly achieving, access to computer systems by
an unauthorized user.
4
Famous Hacks
  • Bank Hack
  • Johan, 20 years old from Estonia
  • Gained access through a limited guest account
  • Was able to access services that allowed him to
    download the SAM file
  • Once this file was decrypted, Johan had login
    access to all the web accounts for the entire
    bank.

5
Famous Hacks
  • Security firm
  • Two 22-year-old hackers from London
  • Through enumeration found open ports
  • This told them it was a Windows server.
  • Asked the server for user names, then ran a
    dictionary attack
  • Hacked into a personal laptop connected to the
    system through the guest account

6
Famous Hacks
  • Hacking Communities
  • Hackers Against Child Pornography
  • Takes down child pornography rings after
    notifying international police.
  • Nashville 2600
  • HAL2001 (Hackers At Large)

7
Breaking In
  • Profiling
  • Casing the Place
  • Finding a system to hack into and figuring out
    what's open and what is being used.
  • Foot-Printing
  • Scanning
  • Enumeration

8
Breaking In
  • Footprinting
  • Finding out everything from the outside, before
    any access is actually gained
  • Documentation is extremely important
  • Finding the Posture
  • Internet Posture
  • Intranet Posture
  • Extranet Posture

9
Breaking In Footprinting
  • whois info
  • Can be done manually
  • Services like www.ARIN.net
  • University of Wisconsin Platteville
  • Clients can do batch whois queries for hackers
    that don't have a specific target

10
Breaking In Footprinting
  • whois info
  • Company Name
  • Administrator's name
  • Administrator's account name
  • Can deduce other account names
  • Site Creation Date
  • Gives info on Legacy systems that may be running

11
Breaking In Footprinting
  • Internet Search Engines
  • Google is the easiest because of its massive size
  • Search for default file paths
  • C:\inetpub
  • TSweb/default.htm
  • Now the hacker knows the weaknesses of the site
    and which port to attack: 3389

12
Breaking In Scanning
  • Finding ports
  • Easiest way to access a system and establish a
    connection
  • Tools will scan all possible ports
  • If default ports are used the hacker can gain
    knowledge of services that are running
  • If a hacker sees port 389 open he can assume the
    target is running an LDAP server

13
Breaking In Enumeration
  • Find valid usernames or file shares
  • Takes advantage of default Windows services
  • Domain Controller lookup
  • Exploited by a free Microsoft tool called nltest

14
Breaking In Enumeration
  • NLTEST Output
  • C:\>nltest /whowill:ESS bob
    [20:58:55] Mail message 0 sent successfully (\MAILSLOT\NET\GETDC939)
    [20:58:55] Response 0: S:\\NET1 D:ESS A:bob (Act found)
    The command completed successfully
  • C:\>nltest /whowill:testd test
    [21:26:13] Response 0: S:\\TEST2 D:TESTD A:test (Act found)
    [21:26:15] Mail message 0 sent successfully (\MAILSLOT\NET\GETDC295)
    The command completed successfully

15
Breaking In Enumeration
  • NLTEST Output
  • C:\>nltest /dclist:testd
    List of DCs in Domain testd
    \\TEST2 (PDC)
    \\TEST1
    The command completed successfully

16
Breaking In Privilege Escalation
  • Goal of all hacks
  • Highest possible Escalation is the Domain or
    Forest Admin as well as the Local Admin
  • All Windows Accounts are stored in the SAM
    (Security Accounts Manager)
  • Stores valid users, groups and passwords in an
    encrypted database.
  • Hashed, then encrypted with a 128-bit key called
    SYSKEY

17
Breaking In Privilege Escalation
18
Breaking In Privilege Escalation
  • More than one user can be running processes at
    any given time
  • Individual SIDs (Security IDs) are given to each
    process so Windows knows the privilege level it
    can operate at.
  • Can be a user, or the SYSTEM, LOCAL SERVICE or
    DEFAULT LOGON accounts

19
Breaking In Privilege Escalation
  • Because every process needs to access the SAM it
    has been the top target for Hackers.
  • There have been numerous bugs in the encryption
    that have allowed the SAM to be cracked.
  • Since this is just a file, it can be copied and
    moved to another system.
  • Then it can either be cracked or subjected to a
    brute-force attack to find passwords.

20
Breaking In Privilege Escalation
  • Once a single account is broken the hacker will
    try to infiltrate many different accounts in case
    the one he knows is changed.
  • This can be done by watching for keys typed or
    cracking network SAM files
  • John the Ripper by Solar Designer
  • Searching for files on the system containing the
    words password, access, logon or
    Administrator
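The slides say the SAM holds hashed passwords and that a copied SAM can be cracked offline. The following added example (not part of the presentation) shows concretely what "hashed" means here: the NT hash is MD4 over the UTF-16LE password with no per-user salt, so two accounts with the same password store the same value and one lookup serves every account at once. The pure-Python MD4 is included only because hashlib's MD4 is disabled in many OpenSSL 3 builds; the sample accounts are constructed, and the salted PBKDF2 contrast is the editor's illustration of what a per-user salt changes, not something the slides describe.

```python
"""Added example: why a copied SAM is an offline problem (unsalted NT hashes)
versus what a salted, slow password store looks like."""
import hashlib
import os
import struct
from typing import Dict, List, Optional, Tuple


def _md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because hashlib.new('md4') is often unavailable."""
    mask = 0xFFFFFFFF

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & mask

    msg = bytearray(data) + b"\x80"                 # padding: 1 bit, then zeros
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)         # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                          # round 1
            a = rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                          # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                          # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash as the SAM stores it: MD4(UTF-16LE(password)), no salt."""
    return _md4(password.encode("utf-16-le")).hex()


def shared_hash_groups(accounts: Dict[str, str]) -> Dict[str, List[str]]:
    """Group account names by NT hash. Every group with more than one member
    is a set of accounts that a single dictionary or lookup-table hit opens
    together, which is the practical consequence of storing no salt."""
    groups: Dict[str, List[str]] = {}
    for name, password in accounts.items():
        groups.setdefault(nt_hash(password), []).append(name)
    return {digest: names for digest, names in groups.items() if len(names) > 1}


def salted_hash(password: str, salt: Optional[bytes] = None,
                rounds: int = 200_000) -> Tuple[bytes, str]:
    """Contrast (editor's illustration, not a Windows mechanism): a per-user
    salt plus a slow KDF (PBKDF2-HMAC-SHA256). Equal passwords no longer share
    a digest, and each guess costs `rounds` iterations instead of one MD4 call."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds).hex()


# Constructed sample accounts for this example; not credentials from any real system.
SAMPLE_ACCOUNTS = {"bob": "password", "alice": "Summer2006", "guest": "password"}

if __name__ == "__main__":
    for name, pw in SAMPLE_ACCOUNTS.items():
        print(f"{name:6s} NT hash {nt_hash(pw)}")
    print("accounts sharing a hash:", shared_hash_groups(SAMPLE_ACCOUNTS))
    _, d1 = salted_hash("password", rounds=1000)
    _, d2 = salted_hash("password", rounds=1000)
    print("same password, two salts, digests differ:", d1 != d2)
```

Running the block lists the NT hash of each constructed account and reports that "bob" and "guest" share one; the salted digests for the same password differ on every run. The point for a defender is that the value of the SAM file comes from the hash being unsalted and cheap, which is why protecting the file (and SYSKEY) matters more than the strength of any single password.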

21
Malicious Code
  • Viruses
  • Worms
  • Trojan Horses

22
Malicious Code - Viruses
  • Segments of code that attach themselves to
    existing programs and perform some predetermined
    actions when the host program is executed.
  • Piggy-back on other files; no way to spread on
    their own, they need a host
  • The host passes the infected file to some new
    host who runs the file on another system.

23
Malicious Code - Viruses
  • Usually try to copy themselves throughout a
    system making them difficult to remove.
  • A single Virus can copy many different viruses to
    many different files.
  • Can do things as harmless as report internet
    activity to an outside source
  • Can do things as harmful as copy passwords,
    format a system, or replace words in e-mails.
  • Chernobyl: deletes flash BIOS memory

24
Malicious Code - Worms
  • Similar to Viruses, but they contain a mechanism
    to spread through a computer network without the
    assistance of other programs or people.
  • Spread extremely quickly
  • Hard to remove because they re-install right away
    from other machines

25
Malicious Code - Worms
  • Internet Worm: installed repeatedly
  • LoveBug
  • Flooded the Internet with e-mails in May 2000
    with the subject "ILOVEYOU"
  • When attachment was opened it sent itself to
    other systems and ruined system files

26
Malicious Code - Trojan Horses
  • Malicious programs packaged within other
    seemingly useful programs
  • Hidden like the Trojans waiting in the giant
    wooden horse
  • Can perform the advertised function, or just the
    malicious code
  • Hard to pin-point exactly what program the Trojan
    is hiding in.

27
Malicious Code - Trojan Horses
  • RAT (Remote Access Tool)
  • Installed through a web site
  • When executed, installs back door for the site
    administrator
  • Administrator just looks through the list of IP
    addresses that accessed the site

28
Terminal Services
  • Provide remote access for the hacker
  • Using the usernames gained through enumeration
    the only thing needed is a password. If the
    hacker cracked the SAM the system is open.
  • Administrator accounts cannot be locked out,
    leaving them open to brute-force attacks.
  • ProbeTS and TSGrinder help find and exploit
    Terminal Services connections

29
Denial of Services (DoS)
  • Over-load the server to render it unable to
    accept any additional connections
  • Effectiveness of attacks is seriously limited by
    the hardware and Internet connection of the
    attacker
  • DoS attacks exploit the fact that the target
    can't tell whether traffic is legitimate or not, so
    it has to respond to everything

30
Distributed Denial of Services (DDoS)
  • Perform the same functions as a DoS, but from
    many computers at the same time
  • Performed through machines infected with Trojan
    Horses or Worms
  • Limited only by the number of machines infected
  • February 2000: first major DDoS
  • Targeted Google and Microsoft
  • Took down both sites for a little more than a day
  • Originated in computer labs at two major
    California universities
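The Terminal Services slide notes that the built-in Administrator account cannot be locked out, so password guessing against it runs unhindered, and the DoS/DDoS slides say the target cannot tell legitimate traffic from a flood. Both problems are the same from a detection standpoint: count events per key in a sliding time window and alert when the count exceeds a threshold. The block below is an added example (not part of the presentation) of one such detector applied to both cases. The failed-logon and connection records are constructed for this example and are not Windows' real event-log format; in practice the logon records would be read from the Security event log and the connection records from a firewall or web-server log.

```python
"""Added example: a sliding-window rate detector applied to (1) repeated
failed logons against one account and (2) connection floods, distinguishing
a single-source DoS from a distributed one."""
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Hashable, List, Sequence, Tuple

# Constructed failed-logon records for Terminal Services: (seconds, account, source_ip).
FAILED_LOGONS: List[Tuple[int, str, str]] = [
    (0, "Administrator", "10.0.0.5"), (2, "Administrator", "10.0.0.5"),
    (4, "Administrator", "10.0.0.5"), (5, "Administrator", "10.0.0.5"),
    (7, "Administrator", "10.0.0.5"), (9, "Administrator", "10.0.0.5"),
    (30, "jsmith", "10.0.0.9"),   # one mistyped password, not an attack
]

# Constructed connection records: (seconds, source_ip).
CONNECTIONS_DOS = [(t, "203.0.113.7") for t in range(60)]                 # 60 hits from one host
CONNECTIONS_DDOS = [(t, f"198.51.100.{t % 40}") for t in range(120)]      # 120 hits spread over 40 hosts


def sliding_window_alerts(events: Sequence[tuple], key: Callable[[tuple], Hashable],
                          window: int, threshold: int) -> Dict[Hashable, int]:
    """Return {key: time_first_exceeded} for every key that produced more than
    `threshold` events inside any span of `window` seconds. Events must be in
    time order with the timestamp in field 0; only the timestamps still inside
    the window are kept per key, so memory is bounded by the window, not the log."""
    recent: Dict[Hashable, Deque[int]] = defaultdict(deque)
    alerts: Dict[Hashable, int] = {}
    for ev in events:
        k = key(ev)
        q = recent[k]
        q.append(ev[0])
        while q and ev[0] - q[0] > window:      # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold and k not in alerts:
            alerts[k] = ev[0]
    return alerts


def brute_force_alerts(logons: Sequence[Tuple[int, str, str]],
                       window: int = 60, threshold: int = 5) -> Dict[Hashable, int]:
    """Accounts with more than `threshold` failed logons in `window` seconds.
    Keying on the account rather than the source catches guessing against
    Administrator even when the lockout policy never triggers."""
    return sliding_window_alerts(logons, key=lambda e: e[1], window=window, threshold=threshold)


def classify_flood(connections: Sequence[Tuple[int, str]],
                   window: int = 10, threshold: int = 10) -> str:
    """'normal' if the aggregate rate stays under threshold; 'dos' if the rate
    is driven by sources that individually exceed it (blocking those sources
    works); 'ddos' if the aggregate is high but no single source stands out."""
    per_source = sliding_window_alerts(connections, key=lambda e: e[1], window=window, threshold=threshold)
    overall = sliding_window_alerts(connections, key=lambda e: "all", window=window, threshold=threshold)
    if not overall:
        return "normal"
    return "dos" if per_source else "ddos"


if __name__ == "__main__":
    print("brute-force alerts:", brute_force_alerts(FAILED_LOGONS))
    print("single-source flood:", classify_flood(CONNECTIONS_DOS))
    print("distributed flood:  ", classify_flood(CONNECTIONS_DDOS))
```

With the constructed input the detector flags Administrator at the sixth failure (second 9) and leaves jsmith alone, classifies the 60-hit single host as "dos", and classifies the 120 hits from 40 hosts as "ddos" because no host individually crosses the per-source threshold while the aggregate does. The last case is why the slides' DDoS is harder to mitigate: per-source blocking, the natural response to a DoS, has nothing to block.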

31
Conclusion
  • Hacking is a lucrative, multinational, criminal
    occupation
  • As Computer Science or Software Engineering
    Professionals we must strive to make sure
    everything we produce is safe against hackers
  • Through understanding the methodology of hackers
    it's easier to protect systems from them

32
Questions???