Announcements

RSA Security Conference (extra credit)
– April 7 through April 11, San Francisco
– Visit the Forum for details and to get your free ticket

Fixing Telnet – Ctrl+], set localecho (link Ch 3z11)

IPv6

On Feb 4, 2008, the root DNS zone on the Internet was updated with IPv6 addresses for 6 of the 13 root servers

Chapter 4

Hacking Windows

Reasons for Windows Security Problems

Popularity

Default insecure configurations
– Perceived simplicity, so administrators leave settings at defaults

Legacy Support

Proliferation of features

Unauthenticated Attacks

Proprietary Windows networking protocols
– Server Message Block (SMB)
– Microsoft Remote Procedure Call (MSRPC)
– NetBIOS Session Service
– NetBIOS Name Service (NBNS)

Remote Password Guessing

Attack the Windows file and print sharing service
– Uses Server Message Block (SMB)
– SMB uses TCP ports 139 and 445

Attempt to connect to an enumerated share (such as IPC$ or C$)

Try username/password combinations until you find one that works

Getting Usernames

As covered in chapter 3, these techniques give you the usernames
– Null sessions
– DumpACL/DumpSec
– sid2user/user2sid

Password Guessing from the Command Line

Accounts may lock out after too many guesses

Common Passwords

Link Ch 4a

Windows Internet service implementations

HTTP, SMTP, POP3, and NNTP

All within IIS (Internet Information Services)

A Password Guessing Script

Put password – user name pairs in a file named credentials.txt

Other tools: Legion, NetBIOS Auditing Tool (NAT), SMBGrind

Password-Guessing Countermeasures

Use a network firewall to restrict access to SMB services on TCP 139 and 445

Use host-resident features of Windows to restrict access to SMB
– IPSec filters (restricts by source IP – link Ch 4b)
– Windows Firewall

Disable SMB services (on TCP 139 and 445)

Enforce the use of strong passwords using policy

Set an account-lockout threshold and ensure that it applies to the built-in Administrator account

Enable audit account logon failures and regularly review Event Logs
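An added example (not part of the slides) of the last countermeasure in practice: detection logic run over constructed Security log records to spot a remote password-guessing run before the lockout threshold is hit. The sample records, threshold and window are assumptions; 529 is the failed-logon event on Windows 2000/XP/2003 and 4625 on later versions, and logon type 3 is a network logon, which is how SMB authenticates.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Failed-logon event IDs: 529 on Windows 2000/XP/2003, 4625 on later versions.
FAILED_LOGON_IDS = {529, 4625}
NETWORK_LOGON = 3  # logon type used by SMB / file-sharing authentication

# Constructed sample records: (timestamp, event ID, account, logon type, source IP).
# One host hammers several accounts over SMB; a user mistypes once at the console.
SAMPLE_EVENTS = [
    ("2008-02-08 10:00:01", 529, "Administrator", 3, "10.1.1.50"),
    ("2008-02-08 10:00:02", 529, "Administrator", 3, "10.1.1.50"),
    ("2008-02-08 10:00:03", 529, "Administrator", 3, "10.1.1.50"),
    ("2008-02-08 10:00:04", 529, "backup", 3, "10.1.1.50"),
    ("2008-02-08 10:00:05", 529, "backup", 3, "10.1.1.50"),
    ("2008-02-08 10:00:06", 529, "Guest", 3, "10.1.1.50"),
    ("2008-02-08 10:05:00", 529, "jsmith", 2, "10.1.1.7"),
    ("2008-02-08 10:06:00", 528, "jsmith", 2, "10.1.1.7"),
]

def find_guessing_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: set of accounts tried} for every source that produced
    at least `threshold` failed network logons within any `window`-long span.
    Keep `threshold` at or below the account-lockout threshold so the alert
    fires before accounts start locking."""
    per_source = defaultdict(list)
    for ts, event_id, account, logon_type, src in events:
        if event_id in FAILED_LOGON_IDS and logon_type == NETWORK_LOGON:
            per_source[src].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), account))
    flagged = {}
    for src, failures in per_source.items():
        failures.sort()
        start = 0
        for end in range(len(failures)):
            # slide the window forward so it never spans more than `window`
            while failures[end][0] - failures[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = {account for _, account in failures}
                break
    return flagged

if __name__ == "__main__":
    for src, accounts in find_guessing_sources(SAMPLE_EVENTS).items():
        print(f"possible password guessing from {src}: {sorted(accounts)}")
```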

Security Policy

SECPOL.MSC at a Command Prompt

Real-Time Burglar Alarms: Intrusion Detection/Prevention

For more, see links Ch 4c, 4d

Eavesdropping on Network Password Exchange

L0phtcrack was renamed LC5, and was discontinued by Symantec in 2006

You can sniff password challenge-response hashes with ettercap, or Cain
– Follow the Proj X2 procedure
– Captured hash appears in C:\Program Files\Cain, in the NTLMv2.LST file

Use NTLM, not LM

The old LM hashes are easily cracked

The newer NTLM hashes are harder to crack, although they can be broken by dictionary attacks

Elcomsoft has a new tool that cracks NTLM hashes by brute force, clustering many computers together
– See link Ch 4f

Microsoft Remote Procedure Call (MSRPC) vulnerabilities

The MSRPC port mapper is advertised on TCP and UDP 135 by Windows systems
– It cannot be disabled without drastically affecting the core functionality of the operating system

MSRPC interfaces are also available via other ports, including TCP/UDP 139, 445 or 593, and can also be configured to listen over a custom HTTP port via IIS or COM Internet Services

RPC DCOM Buffer Overflow

Very serious, from 2003
– Used by the Blaster worm and more
– In the Metasploit database
– See links Ch 4g, 4h

MSRPC Countermeasures

Filter these ports
– TCP ports 135, 139, 445, and 593
– UDP ports 135, 137, 138, and 445
– All unsolicited inbound traffic on ports greater than 1024
– Any other specifically configured RPC port
– If installed, COM Internet Services (CIS) or RPC over HTTP, which listen on ports 80 and 443

Local Security Authority Service (LSASS) Buffer Overflow

Very serious, used in the Sasser worm
– Microsoft took 188 days to patch it
– In Metasploit database; links Ch 4i, 4j

LSASS Buffer Overflow Countermeasures

Filter access to TCP ports 139 and 445

Apply the MS04-011 patch to your systems

Modern antivirus products like McAfee also protect you
– See project 2 (Metasploit) in CNIT 123

Internet Information Services (IIS) Exploits

IIS was installed by default in Win 2000, but not in Win 2003

IIS exploits use three major attack vectors
– Information disclosure
– Directory traversal
– Buffer overflows

Buffer Overflows

The MS04-011 patch addressed many vulnerabilities (link Ch 4j)

PCT (Private Communications Transport)

PCT was an early method of securing HTTP
– Made obsolete by SSL long ago
– Legacy code still exists in Windows 2000 and 2003 SSL libraries
– To disable it, see link Ch 4k

Lesson – remove legacy code promptly!

IIS Attack Countermeasures

Network Ingress—and Egress!—Filtering
– Web servers should never be initiating connections to external parties
– But some newer XML-based services require servers to initiate connections
– See links Ch 4l, 4m

Keep Up with Patches!
– Even patch the services you aren't using

IIS Attack Countermeasures

Disable Unused ISAPI Extensions and Filters!
– These handle requests for special file types (for example, .printer or .idq files)
– All of the serious IIS buffer overflows to date could be completely avoided if the vulnerable ISAPIs were unmapped

IIS Attack Countermeasures

No Sensitive Data in Source Code
– ASP scripts often contain user names and passwords in the clear
– See links Ch 4n and 4o (a Google Code search for real examples)
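An added example, not from the slides, of checking for this before code reaches a web server: a small scanner run over a constructed ASP page that reports lines embedding credentials (ADO connection-string passwords, password variables assigned string literals, and logins as the SQL Server sa account). The sample page and the regular expressions are assumptions.

```python
import re

# Constructed ASP page (not from any real site) showing the cleartext
# credentials the slide warns about.
SAMPLE_ASP = r"""<%
Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=db1;User ID=sa;Password=Summer2008"
Dim ftpUser, ftpPass
ftpUser = "webupload"
ftpPass = "upl0ad!"
Set rs = conn.Execute("SELECT * FROM orders")
%>"""

# Each pattern names one kind of finding; all are case-insensitive.
PATTERNS = {
    # pwd=... or password=... inside a connection string
    "connection string password": re.compile(r'(?:pwd|password)\s*=\s*\S', re.I),
    # a variable whose name contains pass/pwd assigned a string literal
    "credential assignment": re.compile(r'\b\w*(?:pass|pwd)\w*\s*=\s*"[^"]*"', re.I),
    # web code logging in to SQL Server as the built-in sysadmin account
    "privileged database login": re.compile(r'user\s*id\s*=\s*sa\b', re.I),
}

def find_cleartext_secrets(source):
    """Return (line_number, finding_kind) pairs, in source order, for every
    line of `source` that embeds a credential."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, kind))
    return findings

if __name__ == "__main__":
    for lineno, kind in find_cleartext_secrets(SAMPLE_ASP):
        print(f"line {lineno}: {kind}")
```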

IIS Attack Countermeasures

Deploy Virtual Roots on Separate Volume
– Put public Web page files on a separate volume that doesn't contain private files or system executables
– That way even if an attacker can traverse directories (../ attack), there's less for them to find
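An added example, not from the slides, of why the separate volume helps: a request-to-file mapper built on pathlib's PureWindowsPath (so it runs on any OS without touching the disk) that normalizes ../ components, reports when a request escapes the web root, and shows where the same traversal lands when the root is on the system volume C: versus a data volume D:. The web-root locations and the system root are assumptions, and the URL path is taken as already decoded.

```python
from pathlib import PureWindowsPath

def normalize(path):
    """Collapse '.' and '..' components of a Windows path without touching
    the filesystem (PureWindowsPath keeps '..' literally, so do it by hand)."""
    p = PureWindowsPath(path)
    parts = []
    for part in p.parts[1:]:          # parts[0] is the anchor, e.g. 'D:\\'
        if part == ".":
            continue
        if part == "..":
            if parts:                 # '..' at the volume root stays at the root
                parts.pop()
            continue
        parts.append(part)
    return PureWindowsPath(p.anchor, *parts)

def map_request(webroot, url_path):
    """Map an already URL-decoded request path onto the web root.
    Returns (file_path, escaped); escaped is True when the request climbs out
    of the web root and must be refused.  Decode the URL before calling this:
    checking the encoded path and decoding afterwards defeats the check."""
    relative = url_path.lstrip("/").replace("/", "\\")
    root = normalize(webroot)
    target = normalize(root / relative)
    escaped = target != root and root not in target.parents
    return target, escaped

def on_system_volume(path, system_root=r"C:\WINNT"):
    """True when the mapped file sits on the same volume as the OS install."""
    return PureWindowsPath(path).drive.upper() == PureWindowsPath(system_root).drive.upper()

if __name__ == "__main__":
    traversal = "/scripts/../../../winnt/system32/cmd.exe"
    for webroot in (r"C:\inetpub\wwwroot", r"D:\wwwroot"):
        target, escaped = map_request(webroot, traversal)
        print(f"{webroot} -> {target}  escaped={escaped}  "
              f"system volume={on_system_volume(target)}")
```

With the root on C: the escaped request resolves to the real cmd.exe; with the root on D: it resolves to a path that does not exist, which is the slide's point.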

IIS Attack Countermeasures

Use NTFS
– FAT has no security

Disable Unnecessary Services

Other IIS Security Resources
– Link Ch 4q

Consider IIS Lockdown and URLScan
– Implemented in IIS 6 by default

IIS Attack Countermeasures

Enable Logging

Tighten Web App Security, Too!

Last modified 2-8-08