Slide 1: Windows Security Analysis
Computer Science E-Commerce Security
Matthew Cook
http://escarpment.net/

Slide 2: Introduction
Loughborough University, http://www.lboro.ac.uk/computing/
Janet Web Cache Service, http://wwwcache.ja.net/

Slide 3: Windows Security Analysis (overview)
Introduction
Step-by-step Machine Compromise
Preventing Attack
Further Reading
The Future

Slide 4: Introduction
Physical Security
Security Threats
Hacker or Cracker
The Easiest Security Improvement
Can you buy security?

Slide 5: Physical Security
Secure location
BIOS restrictions
  Password protection
  Boot devices
Case locks
Case panels

Slide 6: Security Threats
Denial of Service
Theft of information
Modification
Fabrication (spoofing or masquerading)

Slide 7: Security Threats
Why a compromise can occur:
Physical security holes
Software security holes
Incompatible usage security holes
Social engineering
Complacency

Slide 8: Hacker or Cracker
"Hacker" is used primarily by the media to describe malicious attacks by individuals. However, the computing community uses "Cracker" to mean the same.
A Hacker tinkers with systems for good purposes (not breaking the law).
To avoid confusion many people now say "A machine has been compromised!" rather than "A machine has been hacked!"

Slide 9: The Easiest Security Improvement
Good passwords
Usernames and passwords are the primary security defence
Use a password that is easy to type, to avoid shoulder surfers
Use the first letters from song titles, song lyrics or film quotations

Slide 10: Can you buy Security?
"'This system is secure.' A product vendor might say: 'This product makes your network secure.' Or: 'We secure e-commerce.' Inevitably, these claims are naïve and simplistic. They look at the security of the product, rather than the security of the system. The first questions to ask are: 'Secure from whom?' and 'Secure against what?'"
Bruce Schneier

Slide 11: Step-by-step Machine Compromise
Background
Gathering Information
Identifying System Weakness
Exploiting the Security Hole
Gaining Root
Backdoor Access
System Alteration
Audit Trail Removal

Slide 12: Background
Reasons for attack:
Personal issues
Political statement
Financial gain (theft of money, information)
Learning experience
DoS (Denial of Service)
Support for illegal activity
In our scenario we are going to attack the company laggyband.com

Slide 13: Gathering Information
Companies House
Internet search, URL: http://www.google.co.uk
Whois, URL: http://www.netsol.com/cgi-bin/whois/whois
A Whois query can provide:
  The registrant
  The domain names registered
  The administrative, technical and billing contacts
  Record created and updated date stamps
  DNS servers for the domain

Slide 14: Gathering Information
Use nslookup or dig:
  dig @dns.laggyband.com www.laggyband.com
Different query types available:
  A: network address
  ANY: all or any information available
  MX: mail exchange records
  SOA: zone of authority
  HINFO: host information
  AXFR: zone transfer
  TXT: additional strings

Slide 15: Identifying System Weakness
Many products available:
Nmap
Nessus
Pandora
Pwdump
L0pht Crack
Null Authentication

Slide 16: Nmap
Port scanning tool
Stealth scanning, OS fingerprinting
Open source
Runs under Unix-based OS
A Win32 port is under development
URL: http://www.insure.org/nmap/

Slide 17: Nmap

Slide 18: Nessus
Remote security scanner, similar to Typhon
Very comprehensive
Frequently updated modules
Testing of DoS attacks
Open source
Win32 and Java client
URL: http://nessus.org/

Slide 19: Pandora
Not strictly Windows security
Runs on either Unix or Win32
Excellent tool to evaluate Netware security
Open source
Lots of additional information
URL: http://www.nmrc.org/pandora/

Slide 20: pwdump
Version 3 (e = encrypted)
Developed by Phil Staubs and Erik Hjelmstad
Based on pwdump and pwdump2
URL: http://www.ebiz-tech.com/html/pwdump.html
Needs administrative privileges
Extracts hashes even if SYSKEY is installed
Extracts from remote machines
Identifies accounts with no password
Self-contained utility

Slide 21: L0pht Crack
Password auditing and recovery
Cracks passwords from many sources
Registration $249
URL: http://www.atstake.com/research/lc3/

Slide 22: L0pht Crack
Cracks passwords from:
Local machine
Remote machine
SAM file
SMB sniffer
pwdump file

Slide 23: Nmap Analysis
nmap -sP 220.127.116.11/16
  Dependent on ICMP (Internet Control Message Protocol)
nmap -sP -PT80 18.104.22.168/16
  Dependent on TCP SYN/ACK packet

Slide 24: Nmap Analysis
TCP Connect scan
  Completes a three-way handshake
  Very noisy (detection by IDS)

Slide 25: Nmap Analysis
TCP SYN scan
  Half-open scanning (full TCP connection not made)
  Less noisy than the TCP Connect scan

Slide 26: Nmap Analysis
TCP FIN scan
  FIN packet sent to target port
  RST returned for all closed ports
  Mostly works against Unix-based TCP/IP stacks
TCP Xmas Tree scan
  Sends a packet with FIN, URG and PUSH set
  RST returned for all closed ports
TCP Null scan
  Turns off all flags
  RST returned for all closed ports
UDP scan
  UDP packet sent to target port
  ICMP Port Unreachable for closed ports

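Added example, not from the slides: the flag combinations listed above are exactly what a network monitor can key on, since a lone FIN, FIN+URG+PSH or an empty flag set never occurs in a legitimate session. The Python below labels such probes and reports sources that touch several ports with them; the packet summaries and 10.0.0.x addresses are constructed.

```python
from collections import defaultdict
from typing import Dict, FrozenSet, List, Optional, Tuple

# Flag sets with no legitimate meaning in a live TCP session. A closed port
# answers them with RST; an open port on a Unix-style stack stays silent.
PROBE_SIGNATURES: Dict[FrozenSet[str], str] = {
    frozenset({"FIN"}): "FIN scan",
    frozenset({"FIN", "URG", "PSH"}): "Xmas tree scan",
    frozenset(): "Null scan",
}

def classify_probe(flags) -> Optional[str]:
    """Scan type for an anomalous flag set, or None for a normal combination
    (SYN, SYN/ACK, ACK, PSH/ACK, FIN/ACK, RST...)."""
    return PROBE_SIGNATURES.get(frozenset(flags))

# Constructed packet summaries, not a real capture: (src, dst port, flags).
SAMPLE_PACKETS: List[Tuple[str, int, FrozenSet[str]]] = [
    ("10.0.0.5", 80, frozenset({"SYN"})),             # ordinary connect
    ("10.0.0.5", 80, frozenset({"ACK", "PSH"})),      # data on that session
    ("10.0.0.9", 21, frozenset({"FIN"})),
    ("10.0.0.9", 22, frozenset({"FIN"})),
    ("10.0.0.9", 25, frozenset({"FIN"})),
    ("10.0.0.9", 80, frozenset({"FIN", "ACK"})),      # normal close, ignored
    ("10.0.0.13", 139, frozenset({"FIN", "URG", "PSH"})),
    ("10.0.0.13", 445, frozenset()),
]

def detect_scans(packets, min_ports: int = 2) -> Dict[str, Dict[str, int]]:
    """Count distinct target ports per (source, scan type) and report sources
    whose count reaches min_ports; single stray packets are ignored."""
    seen: Dict[str, Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    for src, port, flags in packets:
        kind = classify_probe(flags)
        if kind:
            seen[src][kind].add(port)
    report: Dict[str, Dict[str, int]] = {}
    for src, kinds in seen.items():
        hits = {k: len(p) for k, p in kinds.items() if len(p) >= min_ports}
        if hits:
            report[src] = hits
    return report

if __name__ == "__main__":
    for src, hits in detect_scans(SAMPLE_PACKETS).items():
        print(src, hits)
```

SYN and Connect scans use flags that legitimate clients also send, so they need rate or port-breadth heuristics rather than this flag match.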
Slide 27: Null Authentication
Null authentication:
  net use \\camford\IPC$ "" /u:""
Famous tools like Red Button
  net view \\camford
Gives a list of users, groups and shares, last logged on date, last password change, and much more

Slide 28: Exploiting the Security Hole
Using IIS Unicode/directory traversal:
  /scripts/../../winnt/system32/cmd.exe /c+dir
  /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
Displays the listing of C: in the browser
Copy cmd.exe to /scripts/root.exe
Echo upload.asp: GET /scripts/root.exe /c+echo+[blah]>upload.asp
Upload cmdasp.asp using upload.asp
Still vulnerable on 24% of e-commerce servers

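Added example, not from the slides, showing why the `..%c0%af..` request slips past a check that catches `../`: the overlong UTF-8 sequence C0 AF is only turned into '/' after the traversal check has already run. The request paths are constructed; `vulnerable_resolve` mimics the flawed order of operations and `hardened_resolve` shows the fix (strict decoding first, then the check).

```python
import re
from typing import Optional
from urllib.parse import unquote_to_bytes

# ".." bounded by a path separator (or the string edge) on both sides.
TRAVERSAL = re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)")

def has_traversal(path: str) -> bool:
    return TRAVERSAL.search(path) is not None

def decode_lenient(raw: bytes) -> str:
    """Mimic the flawed decoder: an overlong two-byte sequence with a C0/C1
    lead byte is accepted and mapped to the ASCII character it encodes, so
    C0 AF becomes '/' (U+002F). Other bytes pass through unchanged."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)

def vulnerable_resolve(request_path: str) -> Optional[str]:
    """Flawed order: traversal check on the raw URI, decoding afterwards.
    Returns the path that would be served, or None if rejected."""
    if has_traversal(request_path):
        return None
    return decode_lenient(unquote_to_bytes(request_path))

def hardened_resolve(request_path: str) -> Optional[str]:
    """Fixed order: strict UTF-8 decode (overlong forms raise), then check."""
    try:
        decoded = unquote_to_bytes(request_path).decode("utf-8")
    except UnicodeDecodeError:
        return None
    return None if has_traversal(decoded) else decoded

if __name__ == "__main__":
    # Constructed request paths in the shape the slide describes.
    for p in ("/scripts/index.asp", "/scripts/../../winnt/system32/cmd.exe",
              "/scripts/..%c0%af../winnt/system32/cmd.exe"):
        print(p, "->", vulnerable_resolve(p), "|", hardened_resolve(p))
```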
Slide 29: Gaining Root
cmdasp.asp provides a cmd shell in the SYSTEM context
Increase in privileges is now simple
ISAPI.dll RevertToSelf (Horovitz)
Version 2 coded by Foundstone
  http://camford/scripts/idq.dll?
Patch bulletin: MS01-26
NOT included in Windows 2000 SP2

Slide 30: Backdoor Access
Create several user accounts:
  net user iisservice /ADD
  net localgroup administrators iisservice /ADD
Add root shells on high-end ports (Tiri is 3 KB in size)
Add backdoors to Run registry keys

Slide 31: System Alteration
Web page alteration
Information theft
Enable services
Add VNC
Creating a warez server:
  net start msftpsvc
  Check access
  Upload file 1 MB in size
  Advertise as a warez server

Slide 32: Audit Trail Removal
Many machines have auditing disabled
Main problems are IIS logs
  DoS IIS before logs sync to disc
  Erase logs from hard disc
Erasing the Eventlog is harder
IDS systems
Network monitoring at firewall

Slide 33: Preventing Attack
NetBIOS/SMB services
Hfnetchk and Qchain
SNMP vulnerabilities
Active Directory vulnerabilities
IPSec
IIS security
IDS: Snort
.NET Server

Slide 34: NetBIOS/SMB Services
NetBIOS browsing request [UDP 137]
NetBIOS browsing response [UDP 138]
NetBIOS communications [TCP 135]
CIFS [TCP 139, 445; UDP 445]
Port 445 is Windows 2000 only
Block these ports at the firewall
Check what is listening with netstat -a

Slide 35: NetBIOS/SMB Services
To disable NetBIOS:
1. Select "Disable NetBIOS" in the WINS tab of Advanced TCP/IP Properties.
2. Deselect File and Print Sharing in the advanced settings of the Network and Dial-up Connections window.

Slide 36: NetBIOS/SMB Services
Disable null authentication
Key similar to Windows NT 4.0:
  HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous
  REG_DWORD set to 0, 1 or 2!
  HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\RestrictAnonymous
  REG_DWORD set to 0 or 1

Slide 37: Hfnetchk
Use Hfnetchk to check hot fixes
Checks machines against Microsoft's XML
Automate the process using batch files and a mail client (Postie)
  URL: http://www.infradig.com/infradig/postie/
Use QChain to chain hot fixes together without rebooting in between

Slide 38: Hfnetchk
Patch details for:
Windows NT 4.0, 2000, XP, .NET Server
IIS 4, IIS 5 and IIS 6
SQL Server 7.0
SQL Server 2000
Internet Explorer 5.01 (and later)

Slide 39: Hfnetchk
Default scan of local host (pre-downloaded XML):
  hfnetchk -x mssecure.xml