Hacking Windows Hacking Windows 9X/ME9X/ME

Hacking frameworkHacking framework

Initial access physical access brute force trojans

Privilege escalation Administrator, root privileges

Consolidation of power other accounts and resources

Covering tracks avoid detection

95/98/ME95/98/ME Not a network OS

limited remote admin features, no native telnet, remote execution, and most applications graphical, not command prompt

Remote exploits: direct connection to shared resources file sharing: e.g. use Legion to find, then use brute force

(BF), also Network Neighborhood Cracker. countermeasures: turn off file sharing, or use password

with eight characters, alpha plus meta characters. Add $ to the share name, e,g. share$ -- to hide from net view, Legion scan, Network Neighborhood.

Win 9x Dial-up server: users can attach modem and allow dial in.

countermeasure: do not use Dial-up and do not allow modems in user machines (VPN discussed in another class).

Win 9x registry is not accessible remotely, unless the Remote Registry Service is installed (don’t).

Use Policy Editor to turn off resource share globally.

Backdoor Servers and Backdoor Servers and TrojansTrojans

Back Orifice (BO), original in 1998, new version 2k. There are plug-ins. Originally listened to UDP port 31337 (but it can be configured to run in other ports), but 2K uses TCP port 54320 or UDP port 54321 (default, can be changed). Symantec description. This is a scanner for BO.

NetBus, graphical oriented, more user friendly, listen to TCP ports 12345 or 20034 by default (configurable). Symantec description. See this page for details, screen shoot, removal tools.

SubSeven (S7S), very popular, comprehensive and easy to use, Listen to port 27374 (again configurable). Symantec description. See utilities to remove it in this page.

Countermeasures: backdoor server run in target machine, not remotely. Lock your

machine! Close the default ports (better only open what you need).

Save attachments to a directory, run virus scanner on the file you saved. Most virus scanners (set to scan all files) can detect (and some times remove) backdoor server trojans, see Symantec list.

See also PacketStorm Trojans page, for removal tools

(see a comprehensive list at PacketStorm).

Other vulnerabilitiesOther vulnerabilities Server application vulnerabilities

Remote control applications (pcAnywhere, VNC, WinXP, etc.) are useful, but a major security risk, even when configured properly.

Personal Web Server, if not patched and configured properly (it is ISS with access limitations, but same security risks, including Code Red). See Microsoft Security patches site for PWS and IIS .

FTP and Telnet server applications (add on). Windows 2000, XP have a Telnet server. Same problems.

Countermeasures: limit or do not allow server applications (particularly Internet and remote control) in user machines. Close these ports in the firewall. If you need to run a Web Server in Win9x try Code(red) Hunter, as a protection/detection system.

Denial of Service: DUN 1.3 patch (win 95), 98, ME no need the patch, but malformed requests can be a problem, anyway. Use Win9x behind a user or site firewall to protect from attacks. Use a detection software, like ActivePorts (seen previously).

Local ExploitsLocal Exploits Reboot: either set BIOS password, of if connected to

Domain require domain login, to avoid the “escape” login.

Screen-saver password, good but limited (CD-ROM autorun.inf is executed even when screen saver is running). How about BO in a CD-ROM? Disable autorun.

Revealing passwords: more for recovery that hack (you need to be logged in the machine).

PWL cracking: copy password files to diskette (copy c:\windows\*.pwl a:) and crack them later. Also more recovery than hack -- you need to be logged in.

countermeasures: secure physical access to computer (lock key), in addition to above.