Hacking Windows 2K, XP - PowerPoint PPT Presentation

Slides: 7
Provided by: Dr23695
Learn more at: http://home.ubalt.edu

Transcript and Presenter's Notes

1
Hacking Windows 2K, XP
2
Windows 2K, XP
  • Review NetBIOS name resolution. SMB (Server
    Message Block) uses TCP port 139, and NBT
    (NetBIOS over TCP/IP) uses UDP port 137. If only
    port 139 responds, the host is probably Win 9x,
    but if port 445 responds, it is Win 2K/XP. See
    also this paper on CIFS (Common Internet File
    System) and SMB vulnerabilities. Close these
    ports!
  • 2K, XP basic security: Net logon, no bypass of
    BIOS (HAL), no remote access to console
    (default), requires admin privileges for
    interactive login (Server), and has an
    object-based security model.
  • A security object can be any resource in the
    system: files, devices, processes, users, etc.
  • Server processes impersonate the client's
    security context (key for file servers).
  • Win 2K, XP are Windows NT updated, with more
    security tools and patches.
  • Quest for administrator
  • Privilege escalation
  • Consolidation of power, and
  • Covering tracks.

3
Quest for Administrator
  • Remote password guessing. Net use can help. NAT
    guesses passwords using user and password lists
    (Brutus is similar).
  • Countermeasures: close ports; in 2K, XP use
    Disable NBT to disable 139 and File and Printer
    Sharing to disable 445. Use Account Policies to
    set up password length, lockout, expiration, etc.
    Passfilt implements stronger passwords in NT; in
    2K, XP just activate it. Use Passprop to lock the
    Administrator account. Use Audit.
  • Read good and bad passwords and see how to reduce
    other password vulnerabilities. Note: use
    kaHt2.exe to exploit MSRPC vulnerabilities at
    your own risk (some versions are a disguised
    Trojan).
  • Eavesdropping on network password exchange and
    obtaining password hash values: see Sniff tools
    and NT user authentication. If possible, disable
    LanMan authentication (Q299656) (Win 9x
    problems).
  • Remote buffer overflows: local (interactive login
    users), LASS, and remote using Web, FTP, DB
    servers and many others. Use BOWall to fix or
    detect.
  • Basic countermeasure: download and run Microsoft
    Baseline Security Advisor to check for setup and
    patch vulnerabilities.
  • Use runas.exe to run administrative jobs from
    regular accounts.

4
Privilege Escalation
  • Gathering information logged in as a user (not
    admin): use find, look in directories, look for
    the SAM, and use enumeration tools. Basic
    countermeasure: set file/directory permissions
    properly. BIOS password!!
  • Add to administrator group: getadmin and sechole.
    Apply service packs and restrict FTP to server
    script directories. Also rogue DLLs.
  • Spoofing LPC port requests using the LPC ports API
    to add to the admin group. Again, apply the
    corresponding patch.
  • Obtaining SYSTEM account privileges: at 1000
    /INTERACTIVE cmd.exe
  • Trojans. Basic rule: do not use a Server as a
    workstation (no e-mail, no outside browsing), and
    back up! See the Symantec Trojan, worm, virus
    list, or this other list of Trojans by ports.
  • Registry: very few items accessible by everyone.
    Probably the lowest threat, and you can use the
    Policy Editor to hide/deny access, but admin.
  • Kerberos V5: only 2K, XP machines have it;
    downgrades to NT and LAN Manager authentication
    if Win 9x/NT are involved.
  • EFS attack: deleting the SAM blanks the
    Administrator password. Set a BIOS password and
    C-drive-only boot. This allows logging in as
    Administrator (the recovery agent) and decrypting
    the content of the files (just open and save in a
    regular folder). It is possible to back up the
    recovery keys.

5
Consolidation of Power
Assumes that administrator-level access has been
obtained.
  • Cracking the SAM: from local admin to domain
    admin, other users. See look for SAM. Disable
    LanMan authentication. Apply service packs!
  • Cracking 2K, XP passwords: see an
    introduction/FAQ. L0phtcrack is the key tool:
    graphical, good documentation, and was acquired
    by Symantec.
  • Countermeasures: choosing strong passwords -- no
    dictionary words, seven digits (if LanMan not
    disabled), alpha, special characters, facts,
    names from youth, etc. Win 2K, XP use SYSKEY
    SAM encryption, but Pwdump2 circumvents SYSKEY
    and dumps hashes from the SAM and Active
    Directory.
  • Duplicate credentials: locally stored domain user
    credentials (same user domain account), local
    Administrator with the same password as in the
    Domain.
  • LSA Secrets include plain-text service account
    passwords, cached passwords (last 10), FTP and
    web user plain-text passwords, etc. A hack
    (lsadump2) or available info by design?
  • Keystroke loggers record every keystroke to a
    (hidden) file. ActMon and SurfControl are tools
    to capture keystrokes and more.
  • Sniffers: see Sniff tools and also BUTTsniffer
    and dsniff (Win32 version).
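A password check following the countermeasures on this slide, written here as an added example (it is not code from the course): it applies the length, dictionary, letter and special-character rules, and reproduces the LanMan 7-byte split that makes short passwords weak while LanMan hashing is left on. The wordlist is a constructed stand-in, and the 8-character minimum is an assumption chosen to exceed one LanMan half.

```python
import string

# Constructed stand-in for a wordlist; a real check would load a full
# dictionary file (an assumption, the slides name no specific list).
DICTIONARY = {"password", "secret", "welcome", "summer", "letmein"}
SPECIALS = set(string.punctuation)


def lm_halves(password: str) -> tuple[bytes, bytes]:
    """Reproduce the LanMan pre-processing step only: uppercase, pad or
    truncate to 14 bytes, then split into two 7-byte halves that the LM
    scheme hashes independently (the DES step itself is left out)."""
    raw = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]


def policy_findings(password: str, lanman_enabled: bool = True) -> list[str]:
    """Return the violations of the slide's password countermeasures for
    one candidate password; an empty list means it passes."""
    findings = []
    lowered = password.lower()
    if len(password) < 8:
        findings.append("shorter than 8 characters")
    if any(word in lowered for word in DICTIONARY):
        findings.append("contains a dictionary word")
    if not any(c.isalpha() for c in password):
        findings.append("no letters")
    if not any(c in SPECIALS for c in password):
        findings.append("no special characters")
    # While LanMan hashing is on, a 14-char-or-shorter password is stored
    # as two separately crackable, case-folded 7-byte halves; a password of
    # 7 or fewer characters leaves the second half all NULs, i.e. constant.
    if lanman_enabled and len(password) <= 14:
        _, second = lm_halves(password)
        if second == b"\x00" * 7:
            findings.append("LanMan second half empty: effectively a 7-character password")
        else:
            findings.append("LanMan hash stored: two 7-byte halves cracked separately, case lost")
    return findings
```

With `lanman_enabled=False` the last two findings never appear, which is the practical effect of the "disable LanMan authentication" advice above.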

6
Covering Tracks
Consolidation of Power
  • Remote control: remote control applications
    (pcAnywhere, VNC, WinXP, etc.) are useful, but a
    major security risk, even when configured
    properly.
  • Rootkits: patching the OS kernel with rogue code,
    assuming control of the OS. See the Rootkit page
    and a later class meeting.
  • Port redirection: redirect from one IP number and
    port to another IP number and port at the
    gateway/firewall. See rinetd and fpipe.
  • Check security settings in the Domain Controller:
    ports 389 and 3268 (Active Directory). Filter
    these ports at the network border router
    (firewall). Remove the Everyone group from access.
  • Disabling auditing: disable auditing using
    Auditpol.
  • Clearing the Event Log: use elsave to clear the
    Event Log.
  • Hiding files: using attrib, NTFS file streaming.
    Use LNS to search for files hidden in streams.
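Added example, not part of the course slides: a defender's scan over a Security log export for the two track-covering moves in the bullets above, auditing switched off with Auditpol and the log cleared with elsave, using the Windows 2000/XP Security log event IDs 612 (audit policy change) and 517 (audit log cleared). The CSV sample, its domain, host and account names are constructed for the example.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta

# Windows 2000/XP Security log event IDs (pre-Vista numbering).
AUDIT_LOG_CLEARED = 517      # "The audit log was cleared"
AUDIT_POLICY_CHANGED = 612   # "Audit policy change", e.g. auditing switched off

# Constructed export in the column layout of a Security log saved as CSV;
# the domain, user names and host are invented for this example.
SAMPLE_EXPORT = """\
Date,Time,Source,Type,Category,EventID,User,Computer
2003-04-01,09:03:05,Security,Success Audit,System Event,517,LAB\\jdoe,WS01
2003-04-01,09:05:41,Security,Success Audit,Policy Change,612,LAB\\jdoe,WS01
2003-04-01,09:40:12,Security,Success Audit,Logon/Logoff,528,LAB\\svc_backup,WS01
2003-04-01,10:15:58,Security,Success Audit,Logon/Logoff,528,LAB\\jdoe,WS01
"""


@dataclass
class Alert:
    when: datetime
    user: str
    computer: str
    reason: str


def scan_security_export(text: str) -> list[Alert]:
    """Flag log clearing and audit policy changes in a CSV Security log export.
    Clearing the log is itself recorded, so a 517 as the very first surviving
    entry tells the analyst that everything before it is gone."""
    alerts = []
    for index, row in enumerate(csv.DictReader(io.StringIO(text))):
        when = datetime.strptime(f'{row["Date"]} {row["Time"]}', "%Y-%m-%d %H:%M:%S")
        event_id = int(row["EventID"])
        if event_id == AUDIT_LOG_CLEARED:
            reason = "audit log cleared"
            if index == 0:
                reason += " (first surviving entry; earlier history is lost)"
            alerts.append(Alert(when, row["User"], row["Computer"], reason))
        elif event_id == AUDIT_POLICY_CHANGED:
            alerts.append(Alert(when, row["User"], row["Computer"], "audit policy changed"))
    return alerts


def tamper_sequence(alerts: list[Alert], window_minutes: int = 15) -> bool:
    """True when a log clear and a policy change by the same account fall
    within the window of each other: the track-covering pattern on this slide."""
    window = timedelta(minutes=window_minutes)
    clears = [a for a in alerts if a.reason.startswith("audit log cleared")]
    changes = [a for a in alerts if a.reason == "audit policy changed"]
    return any(c.user == p.user and abs(c.when - p.when) <= window
               for c in clears for p in changes)
```

Shipping the Security log to another host before it can be cleared is what makes this check useful; on the cleared machine only the 517 and whatever followed it survive.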