Uploaded by eric-grant
Hacking Windows 9X/ME
Hacking framework
Initial access: physical access, brute force, trojans
Privilege escalation: Administrator / root privileges
Consolidation of power: other accounts and resources
Covering tracks: avoid detection
95/98/ME: not a network OS
Limited remote administration features: no native telnet or remote execution, and most applications are graphical rather than command-line. This limits the remote attack surface, but also remote administration.
Remote exploits: direct connection to shared resources (file sharing). E.g. use Legion to find shares, then brute force (BF) the share password; Network Neighborhood Cracker does the same.
Countermeasures: turn off file sharing, or use a share password of at least eight characters mixing letters and meta characters. Add $ to the share name (e.g. share$) to hide it from net view, Legion scans and Network Neighborhood. Note that the $ only hides the share: anyone who knows or guesses the name can still connect, so it is no substitute for a password.
Win 9x Dial-up Server: users can attach a modem and allow dial-in.
Countermeasure: do not use Dial-up Server and do not allow modems in user machines (VPN is discussed in another class).
The Win 9x registry is not accessible remotely unless the Remote Registry Service is installed (don't install it).
Use the System Policy Editor to turn off resource sharing globally.
Backdoor Servers and Trojans
Back Orifice (BO): original in 1998, newer version BO2K, with plug-ins. The original listened on UDP port 31337 (configurable to other ports); BO2K defaults to TCP port 54320 or UDP port 54321 (also configurable). See the Symantec description and the linked BO scanner.
NetBus: graphical and more user friendly; listens on TCP port 12345 or 20034 by default (configurable). See the Symantec description and the linked page for details, screenshots and removal tools.
SubSeven (S7S): very popular, comprehensive and easy to use; listens on port 27374 by default (again configurable). See the Symantec description and the linked page for removal utilities.
Countermeasures: a backdoor server has to be run on the target machine; it cannot be installed remotely, so it arrives as a trojan (e-mail attachment, download, CD-ROM) or through physical access. Lock your machine! Close the default ports, or better, open only the ports you need.
Save attachments to a directory and run a virus scanner on the saved file. Most virus scanners (set to scan all files) can detect (and sometimes remove) backdoor server trojans; see the Symantec list.
See also the PacketStorm Trojans page for removal tools (a comprehensive list is at PacketStorm).
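As an added example, not part of the original notes, here is the port check that a tool like ActivePorts or a look at "netstat -an" gives you, written in Python over a constructed netstat listing. The port table is the one from the notes above; the netstat output, the host addresses and the function names are made up for the example.

```python
import re

# Default listening ports of the backdoors discussed above, keyed by
# (protocol, port). These are defaults only: all three tools can be told
# to listen elsewhere, so a clean result here proves nothing.
BACKDOOR_DEFAULT_PORTS = {
    ("udp", 31337): "Back Orifice (original)",
    ("tcp", 54320): "Back Orifice 2000",
    ("udp", 54321): "Back Orifice 2000",
    ("tcp", 12345): "NetBus",
    ("tcp", 20034): "NetBus",
    ("tcp", 27374): "SubSeven",
}

# One socket line of 'netstat -an' output on Windows, e.g.
#   TCP    0.0.0.0:12345    0.0.0.0:0    LISTENING
#   UDP    0.0.0.0:31337    *:*
# UDP lines carry no state column, hence the optional last group.
_SOCKET_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$", re.IGNORECASE
)


def parse_netstat(text):
    """Yield (proto, local_addr, local_port, state) for each socket line.

    Header and blank lines are skipped; proto and state are normalised
    so callers can compare them directly.
    """
    for line in text.splitlines():
        m = _SOCKET_LINE.match(line)
        if not m:
            continue
        proto, addr, port, _remote, state = m.groups()
        yield proto.lower(), addr, int(port), (state or "").upper()


def find_suspect_listeners(text):
    """Return [(proto, port, backdoor_name)] for sockets listening on one
    of the default backdoor ports. Only listening TCP sockets count; a UDP
    socket is always a listener from netstat's point of view."""
    hits = []
    for proto, _addr, port, state in parse_netstat(text):
        if proto == "tcp" and state != "LISTENING":
            continue
        name = BACKDOOR_DEFAULT_PORTS.get((proto, port))
        if name is not None:
            hits.append((proto, port, name))
    return hits


# Constructed sample: what 'netstat -an' might print on a Win9x box that
# has NetBus, SubSeven and the original Back Orifice installed.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1027       192.168.1.1:80         ESTABLISHED
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""

if __name__ == "__main__":
    for proto, port, name in find_suspect_listeners(SAMPLE_NETSTAT):
        print(f"{proto.upper()} port {port} is listening: default port of {name}")
```

A hit here is a reason to look at the process behind the socket, not proof of infection, and the absence of hits means nothing, because every one of these servers can be moved to another port. That is why the notes put the scan-all-files virus scanner first.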
Other vulnerabilities
Server application vulnerabilities
Remote control applications (pcAnywhere, VNC, Windows XP Remote Desktop, etc.) are useful, but a major security risk even when configured properly.
Personal Web Server (PWS), if not patched and configured properly: it is IIS with access limitations, so it carries the same security risks, including Code Red. See the Microsoft security patches site for PWS and IIS.
FTP and Telnet server applications (add-ons); Windows 2000 and XP ship a Telnet server. Same problems.
Countermeasures: limit or do not allow server applications (particularly Internet and remote control servers) on user machines. Close these ports in the firewall. If you must run a web server on Win9x, try Code(red) Hunter as a protection/detection system.
Denial of service: Win 95 needs the DUN 1.3 patch; 98 and ME do not, but malformed requests can still be a problem. Keep Win9x behind a personal or site firewall to protect it from attacks, and use detection software such as ActivePorts (seen previously).
Local exploits
Reboot: either set a BIOS password or, if the machine is connected to a domain, require domain login, to avoid the "escape" login (pressing Esc or Cancel at the Win9x logon prompt gives local access without a password).
Screen-saver password: good but limited, since a CD-ROM's autorun.inf is executed even while the screen saver is running. What if the CD-ROM carries BO? Disable autorun.
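To make the autorun point concrete, here is an added example (not from the original notes) in Python that parses an autorun.inf and reports every command the file could make AutoRun execute, which is the check you would want to run on removable media before it goes into a machine with autorun enabled. Both autorun.inf samples are constructed for the example, and the function names are my own.

```python
# Constructed sample: an autorun.inf that shows an innocent icon and label
# but silently launches an installer the moment the disc is inserted.
SAMPLE_AUTORUN = r"""
; Holiday photos - constructed example, not a real disc
[autorun]
open=setup\install.exe /silent
icon=setup\photos.ico
label=Holiday Photos
"""

# A disc that only customises its icon and does not launch anything.
BENIGN_AUTORUN = r"""
[autorun]
icon=disc.ico
label=Music
"""


def parse_autorun(text):
    """Return {key: value} for the [autorun] section of an autorun.inf.

    Minimal INF parsing: ';' and '#' comment lines are skipped, section
    headers are case-insensitive, keys are lowercased, and a later
    duplicate key overrides an earlier one.
    """
    section = None
    keys = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        keys[key.strip().lower()] = value.strip()
    return keys


def launch_commands(text):
    """Return [(trigger, command)] for everything AutoRun could execute.

    'open' is run directly when the disc is inserted, 'shellexecute'
    opens a file or URL through the shell, and 'shell\\<verb>\\command'
    entries are the verbs offered on the drive's context menu (the one
    named by 'shell=' becomes the default double-click action).
    """
    keys = parse_autorun(text)
    cmds = []
    for trigger in ("open", "shellexecute"):
        if trigger in keys:
            cmds.append((trigger, keys[trigger]))
    for key, value in keys.items():
        if key.startswith("shell\\") and key.endswith("\\command"):
            cmds.append((key, value))
    return cmds


def autorun_is_safe(text):
    """True only when the file can launch nothing (icon/label only)."""
    return not launch_commands(text)


if __name__ == "__main__":
    for name, inf in (("sample", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, "launches:", launch_commands(inf) or "nothing")
```

The label and icon are what the user sees; the open= line is what runs, with the privileges of whoever is logged in, screen saver or not. Disabling autorun removes the trigger; this parser only shows you what the trigger would have fired.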
Revealing passwords: more for recovery than hacking (you need to be logged in to the machine).
PWL cracking: copy the password-list files to diskette (copy c:\windows\*.pwl a:) and crack them later. Also more recovery than hack, since you need to be logged in to copy them.
Countermeasures: secure physical access to the computer (lock and key), in addition to the above.