Remote Control and Advanced Techniques Lesson 16.


Remote Control Software

- With global corporations, support personnel who can deal with computer problems may not always be on-site.
- They may use remote control software to allow them to provide support and maintenance from a central location.
- The problem is that the same software that can be used for useful purposes can be exploited, especially if misconfigured, by attackers to gain remote access and control of computers and networks.
- Some new trojans are designed to perform the same sort of functions as legitimate remote control SW.

Ports for some Remote Control SW

Software                      TCP                          UDP
Citrix ICA
pcAnywhere                    22, 5631, , 5632
ReachOut                      43188                        None
Remotely Anywhere             2000, 2001                   None
Remotely Possible/ControlIT   799,
Timbuktu
VNC                           5800, 5801…, 5900, 5901…     None
Windows Term Server           3389                         None
Radmin                        4899                         None

Discovering RC Software

- If an attacker finds one of these ports answering, they will try to exploit.
- After default installation, many applications leave themselves open to accept connections from anywhere, possibly even without a username or password.
- The easiest way to test for these is to simply attempt to connect to one of these ports.
- Try enumeration techniques to obtain possible userids from which you can guess passwords

Some sensible countermeasures

- Enable Passwords on your system
  - Too often this is left off, especially for dial up access where folks think “nobody knows about it, they would have to know the phone #.”
- Enforce Strong passwords
  - If you’re going to use them, you might as well make them strong.
- Force Alternate Authentication
  - You don’t have to rely on OS alone, can utilize additional authentication some packages provide
- Encrypt Session Traffic
- Limit Login Attempts
- Log Failed Attempts
- Lock Out Failed Users
- Change Default Listen Port
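As an added example (not part of the original slides), this sketch shows how "Limit Login Attempts", "Log Failed Attempts" and "Lock Out Failed Users" fit together in one policy. The class name, thresholds, keying by (user, source) and the events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class LoginGuard:
    """Limit attempts, log failures and lock out, per (user, source) pair."""

    def __init__(self, max_failures=3, window=300, lock_for=900):
        self.max_failures = max_failures  # failures allowed inside `window`
        self.window = window              # seconds a failure stays counted
        self.lock_for = lock_for          # seconds a lockout lasts
        self.failures = defaultdict(deque)
        self.locked_until = {}
        self.log = []                     # (time, user, source, event)

    def attempt(self, now, user, source, password_ok):
        key = (user, source)
        if self.locked_until.get(key, 0) > now:
            # Refuse even a correct password while locked, and record it.
            self.log.append((now, user, source, "rejected-locked"))
            return "locked"
        recent = self.failures[key]
        while recent and now - recent[0] >= self.window:
            recent.popleft()              # expire failures older than window
        if password_ok:
            recent.clear()                # a success resets the counter
            return "ok"
        recent.append(now)
        self.log.append((now, user, source, "failed"))
        if len(recent) >= self.max_failures:
            self.locked_until[key] = now + self.lock_for
            recent.clear()
            self.log.append((now, user, source, "lockout"))
            return "locked"
        return "failed"

# Constructed events: (seconds, user, source address, password correct?)
EVENTS = [
    (0, "admin", "203.0.113.5", False),
    (10, "admin", "203.0.113.5", False),
    (20, "admin", "203.0.113.5", False),   # third failure triggers lockout
    (30, "admin", "203.0.113.5", True),    # correct password, still refused
    (40, "admin", "192.0.2.8", True),      # a different source is unaffected
    (1000, "admin", "203.0.113.5", True),  # lock has expired by now
]

def replay(events):
    guard = LoginGuard()
    return [guard.attempt(*e) for e in events], guard.log
```

The log keeps the refused attempt at 30 seconds, which is the entry that shows guessing continued after the lockout.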

Virtual Network Computing

- Originally developed at AT&T Labs.
- Can be used with/by Windows, Linux, and Solaris platforms
- Obtainable from
- Has some vulnerabilities (big surprise)
  - Brute forcing VNC passwords
    - Weak passwords a possible problem as always
  - Network eavesdropping
    - By default, VNC does not use any sort of encryption after a user authenticates to the VNC server.
  - Weak WinVNC password obfuscation
    - Stores the server password in an obfuscated fashion that may allow an attacker to recover the cleartext server password.

Microsoft Terminal Server

- Terminal Server lets you deliver Windows-based applications, or the Windows desktop itself, to virtually any computing device—including those that cannot run Windows.
- When users run an application on Terminal Server, the application execution takes place on the server, and only keyboard, mouse and display information is transmitted over the network.
- Users see only their own individual sessions, which are managed transparently by the server operating system, and remain independent of any other client session.
- Windows 2000 Terminal Services remote administration mode is called "Remote Desktop for Administration" in Windows Server 2003, and has the ability to remote the actual console session of the server.

Terminal Server Attacks

- Locating Terminal Server easy, uses port
- Launch your own Terminal Server client then wait to be prompted for login ID/Password, normal attempts at guessing at this point.
- ProbeTS, TSEnum are tools that will cycle through identified subnet attempting to locate Terminal Server
- Some other attacks possible as well
  - RegAPI.DLL buffer overflow
  - Weak encryption that can lead to eavesdropping
  - Some possible user privilege elevation attacks

Session Hijacking

- An attempt to “take over” an established session.
- Some tools that can aid in this endeavor:
  - Hunt: first allows you to snoop, then insert commands into stream
- Best countermeasure: encryption. If a person can’t view the traffic/session, it is hard to insert commands.

Back Doors

- If an intruder gets into your system, count on them attempting to install some backdoors to allow them continued access, even if you find and eliminate their primary method.
- Finding and clearing these can be a laborious task
- Some common back doors:
  - Rogue user accounts
  - Startup files – even if you clean up, these can reinstall ways in
  - Scheduled jobs – similar to startup files, these will execute in future and will reinstall ways in
  - Remote Control program installation

Back Orifice and Netbus

- These both are very similar to some of the RC software packages (and are sometimes advertised in that fashion).
- Original BO ran on Win 9x, BO2K added NT/2000.
- NetBus, similar to BO, consists of two parts: a client-program ("netbus.exe") and a server-program often named "patch.exe" (or "SysEdit.exe" with version 1.5x), which is the actual backdoor.
- Version 1.60 uses the TCP/UDP-Port # "12345" which can't be altered. From version 1.70 and higher the port can be configured.
- BO2K also added some stealth capabilities and ability to customize it thus making it harder to detect.

Remote Control Backdoor Port Numbers

Backdoor           Default TCP   Default UDP   Altern. Ports
Remote.exe                                     No
Netcat             Any           Any           Yes
Back Orifice       NA            31337         Yes
Back Orifice                                   Yes
NetBus             12345         NA            Yes
Masters Paradise                 NA            Yes
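As an added example (not part of the original slides), a defender-side audit can flag local listeners on the default ports from the two port tables on this page and show whether each is bound to loopback or reachable from the network. The `netstat -an` sample lines are constructed, and the VNC range of ten displays is an assumption.

```python
import re

# Default ports from this page's two tables; rows whose numbers were lost are omitted.
TABLE = [
    ("pcAnywhere", "tcp", [5631, 5632]),
    ("pcAnywhere", "udp", [5632]),  # column unclear on the page: check both
    ("ReachOut", "tcp", [43188]),
    ("Remotely Anywhere", "tcp", [2000, 2001]),
    ("Remotely Possible/ControlIT", "tcp", [799]),
    # "5800, 5801..." is open-ended on the page; ten displays is an assumption.
    ("VNC", "tcp", list(range(5800, 5810)) + list(range(5900, 5910))),
    ("Windows Term Server", "tcp", [3389]),
    ("Radmin", "tcp", [4899]),
    ("Back Orifice", "udp", [31337]),
    ("NetBus", "tcp", [12345]),
]
KNOWN = {(proto, p): name for name, proto, ports in TABLE for p in ports}

def audit(netstat_text):
    """Return (product, proto, port, scope) for each matching local listener."""
    findings = []
    for line in netstat_text.splitlines():
        tok = line.split()
        proto = tok[0].lower()[:3] if tok else ""
        if proto not in ("tcp", "udp"):
            continue
        # TCP: only listening sockets count; UDP has no state column.
        if proto == "tcp" and "LISTEN" not in line.upper():
            continue
        # First addr:port token is the local endpoint (Windows and Linux).
        local = next((t for t in tok[1:] if re.search(r":\d+$", t)), None)
        if local is None:
            continue
        addr, port = local.rsplit(":", 1)
        name = KNOWN.get((proto, int(port)))
        if name:
            loop = addr.startswith("127.") or addr.strip("[]") == "::1"
            findings.append((name, proto, int(port),
                             "loopback" if loop else "network"))
    return findings

# Constructed sample of `netstat -an` output (not captured from a real host).
SAMPLE = """\
  TCP    0.0.0.0:3389       0.0.0.0:0          LISTENING
  TCP    127.0.0.1:5900     0.0.0.0:0          LISTENING
  TCP    192.0.2.10:49712   198.51.100.7:4899  ESTABLISHED
  UDP    0.0.0.0:31337      *:*
tcp        0      0 0.0.0.0:12345     0.0.0.0:*     LISTEN
"""
```

A port match is only a lead: the tables list Netcat as "Any" and most backdoors as having alternate ports, so a clean result does not rule them out.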

Trojans

- “A Trojan horse is a program that purports to be a useful software tool, but it actually performs unintended (and often unauthorized) actions, or installs malicious or damaging software behind the scenes when launched.”
- Key to Trojans is that you have to have somebody on the system run the Trojan in order for it to do its nefarious task.
- Two implications for us
  - When doing an assessment, does the organization we are working with have Trojans installed? Is the environment such that it is likely they could be?
  - Can we use a Trojan to further our testing goals?

Whack-A-Mole

- An example of a program that installed NetBus server while allowing you to play a game.
- Figure pg. 581 McClure et al.

Secure Shell (SSH) Attacks

- SSH is a secure protocol used in place of programs such as telnet to conduct protected remote interactive communications.
- Pretty good tool, but is vulnerable to a couple things:
  - Traffic analysis. Program exists that allows you to determine the length of a password or command sent.
  - Man-in-the-middle attack. Requires that you be able to replace public key used by host and that you are able to control DNS.

Rootkits

- Once a system has been subverted, a rootkit is often one of the first things downloaded and installed.
- Generally will include
  - Trojanized versions of common programs
  - Back doors (as discussed previously)
  - Sniffers
  - System Log cleaners
- Imaging the system (creating mirror image of system volumes) also sometimes accomplished when access obtained.
  - Useful in circumventing security tools that utilize system states or details such as checksums.

Social Engineering

- “Clueless User” vs. the Help Desk
- “Help Desk” vs. the Clueless User
- Countermeasures
  - Limit data leakage through web sites, public databases, …
  - Formulate a strict policy for internal and external technical support procedures
  - Be paranoid about remote access
  - Craft outbound firewall and router access controls just as carefully as inbound
  - Use safely
  - Educate employees on the basics of a secure environment (and on social engineering)

Summary

- What is the importance and significance of this material?
  - Remote Control software is more prevalent and is a tremendous security concern.
- How does this topic fit into the subject of “Security Risk Analysis”?
  - We need to know about the different packages that could be installed and that the organization we are testing might not know about.