Hacking Windows Justin Bell Department of Computer Science University of Wisconsin, Platteville


Topics
This presentation will explore some high-profile intrusions along with the general methodology behind hacking techniques. The presentation will also cover some specific examples of attacks and vulnerable services.
– Definitions
– Famous Hacks
– Breaking In
– Malicious Code
– Terminal Services
– Denial of Service

Definitions
– Hacker: someone who attempts to gain unauthorized access to a computer system.
– Hacking: the process of attempting to gain, and possibly achieving, access to computer systems by an unauthorized user.

Famous Hacks
Bank Hack
– Johan, 20 years old, from Estonia
– Gained access through a limited “guest account”
– Was able to access services that allowed him to download the SAM file
– Once this file was decrypted, Johan had login access to all the web accounts for the entire bank.

Famous Hacks
Security firm
– Two 22-year-old hackers from London
– Through enumeration found open ports
– This told them it was a Windows server.
– Asked the server for user names, then did a dictionary attack
– Hacked into a personal laptop connected to the system through the guest account

Famous Hacks
Hacking Communities
– Hackers Against Child Pornography: takes down child pornography rings after notifying international police.
– Nashville 2600
– HAL2001 (Hackers At Large)

Breaking In
Profiling – “Casing the Place”
– Finding a system to hack into and figuring out what’s open and what is being used.
– Footprinting
– Scanning
– Enumeration

Breaking In
Footprinting
– Finding out everything from the outside, before any access is actually gained
– Documentation is extremely important
Finding the Posture
– Internet Posture
– Intranet Posture
– Extranet Posture

Breaking In – Footprinting
whois info
– Can be done manually
– Services like University of Wisconsin – Platteville
– Clients can do batch whois queries for hackers that don’t have a specific target

Breaking In – Footprinting
whois info
– Company Name
– Administrator’s name
– Administrator’s Account Name: can deduce other account names
– Site Creation Date: gives info on legacy systems that may be running

Breaking In – Footprinting
Internet Search Engines
– Google is the easiest because of its massive size
– Search for default file paths: C:\inetpub, TSweb/default.htm
– Now the hacker knows the weaknesses of the site and what port to attack: 3389

Breaking In – Scanning
Finding ports
– Easiest way to access a system and establish a connection
– Tools will scan all possible ports
– If default ports are used the hacker can gain knowledge of services that are running: if a hacker sees port 389 open he can assume the target is running an LDAP server
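The scanning phase described in this slide has a recognisable footprint on the defender's side: one source touching many distinct destination ports on one host within seconds. The detector below is an added example, not material from the presentation; the firewall-style log format (`src=`, `dst=`, `dpt=`) and the sample lines are constructed for the example, and the threshold and window are assumptions that a real deployment would tune.

```python
"""Flag hosts that probe many distinct ports on one target in a short window.

Added example (not from the original presentation).  The log format and the
sample lines below are constructed; the port set includes 389 and 3389 because
the slides single those services out.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one scanner (198.51.100.7) sweeping ports, one normal client.
SAMPLE_LOG = """\
2024-05-01T10:00:00 DENY src=198.51.100.7 dst=192.0.2.10 dpt=21
2024-05-01T10:00:00 DENY src=198.51.100.7 dst=192.0.2.10 dpt=22
2024-05-01T10:00:01 ALLOW src=198.51.100.7 dst=192.0.2.10 dpt=80
2024-05-01T10:00:01 DENY src=198.51.100.7 dst=192.0.2.10 dpt=135
2024-05-01T10:00:01 ALLOW src=198.51.100.7 dst=192.0.2.10 dpt=389
2024-05-01T10:00:02 DENY src=198.51.100.7 dst=192.0.2.10 dpt=445
2024-05-01T10:00:02 ALLOW src=198.51.100.7 dst=192.0.2.10 dpt=3389
2024-05-01T10:00:03 DENY src=198.51.100.7 dst=192.0.2.10 dpt=8080
2024-05-01T10:00:05 ALLOW src=203.0.113.4 dst=192.0.2.10 dpt=443
2024-05-01T10:00:07 ALLOW src=203.0.113.4 dst=192.0.2.10 dpt=443
"""


def parse_line(line):
    """Split one constructed-format line into (timestamp, src, dst, dst_port)."""
    ts, _action, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["src"], kv["dst"], int(kv["dpt"])


def detect_port_scans(log_text, threshold=5, window=timedelta(seconds=10)):
    """Return {(src, dst): sorted ports} for every source that touched at least
    `threshold` distinct ports on one destination within any `window`.

    A sliding window is run over the time-sorted events of each (src, dst)
    pair; the largest distinct-port set seen in any window is reported."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dpt = parse_line(line)
        events[(src, dst)].append((ts, dpt))

    alerts = {}
    for pair, evs in events.items():
        evs.sort()
        start = 0
        best = set()
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= threshold:
            alerts[pair] = sorted(best)
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible scan: {src} -> {dst} ports {ports}")
```

The normal client hits a single port and is never reported; the scanner is reported with the full list of ports it touched, which is exactly the information needed to judge what the scanner learned about the host.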

Breaking In – Enumeration
Find valid usernames or file shares
– Takes advantage of default Windows services
– Domain Controller lookup, exploited by a free Microsoft tool called nltest

Breaking In – Enumeration
NLTEST Output
C:\>nltest /whowill:ESS bob
[20:58:55] Mail message 0 sent successfully (\MAILSLOT\NET\GETDC939)
[20:58:55] Response 0: S:\\NET1 D:ESS A:bob (Act found)
The command completed successfully

C:\>nltest /whowill:testd test
[21:26:13] Response 0: S:\\TEST2 D:TESTD A:test (Act found)
[21:26:15] Mail message 0 sent successfully (\MAILSLOT\NET\GETDC295)
The command completed successfully

Breaking In – Enumeration
NLTEST Output
C:\>nltest /dclist:testd
List of DCs in Domain testd
\\TEST2 (PDC)
\\TEST1
The command completed successfully

Breaking In – Privilege Escalation
Goal of all hacks
– Highest possible escalation is the Domain or Forest Admin as well as the Local Admin
– All Windows accounts are stored in the “SAM” (Security Accounts Manager)
– Stores valid users, groups and passwords in an encrypted database: hashed, then encrypted with a 128-bit key called “SYSKEY”

More than one user can be running processes at any given time
– Individual SIDs (Security IDs) are given to each process so Windows knows the privilege level it can operate at.
– Can be a user or the “SYSTEM”, “LOCAL SERVICE” or “DEFAULT LOGON” accounts
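When reading process or logon events, a defender sees the SID rather than a name, so being able to tell SYSTEM, LOCAL SERVICE, the built-in Administrator and the Domain Admins group apart from an ordinary user matters for judging the privilege level the slide refers to. The classifier below is an added example and not from the presentation; the well-known SIDs and fixed RIDs it names are standard Windows values, while the domain SID used in the demo (`S-1-5-21-1004336348-1177238915-682003330`) is a constructed sample.

```python
"""Classify Windows SIDs into the identities a process can run as.

Added example (not part of the original presentation).  It parses the textual
SID form S-1-<authority>-<sub-authorities> and names the well-known SIDs plus
the fixed RIDs of built-in domain accounts and groups.
"""
import re

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

# Well-known SIDs: identical on every Windows installation.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}

# Relative identifiers that are fixed inside every domain or local SAM (S-1-5-21-...).
FIXED_RIDS = {
    500: "Administrator (built-in account)",
    501: "Guest (built-in account)",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}

HIGH_PRIVILEGE_RIDS = {500, 512, 519}


def parse_sid(sid):
    """Return (authority, [sub-authorities]); raise ValueError for malformed input."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-") if x]
    if len(subs) > 15:  # SubAuthorityCount is limited to 15
        raise ValueError("too many sub-authorities")
    return authority, subs


def classify_sid(sid):
    """Map a SID to (kind, label) where kind is 'well-known', 'domain-fixed',
    'domain-user' or 'other'."""
    authority, subs = parse_sid(sid)
    if sid in WELL_KNOWN:
        return "well-known", WELL_KNOWN[sid]
    # Domain / machine account SIDs look like S-1-5-21-<three words>-<RID>.
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        rid = subs[-1]
        if rid in FIXED_RIDS:
            return "domain-fixed", FIXED_RIDS[rid]
        return "domain-user", f"RID {rid}"
    return "other", sid


def is_high_privilege(sid):
    """True for SYSTEM, BUILTIN\\Administrators, the built-in Administrator
    (RID 500), Domain Admins (512) and Enterprise Admins (519)."""
    if sid in ("S-1-5-18", "S-1-5-32-544"):
        return True
    kind, _label = classify_sid(sid)
    if kind == "domain-fixed":
        return parse_sid(sid)[1][-1] in HIGH_PRIVILEGE_RIDS
    return False


if __name__ == "__main__":
    # Constructed domain SID; the three middle words are arbitrary sample values.
    domain = "S-1-5-21-1004336348-1177238915-682003330"
    for s in ("S-1-5-18", "S-1-5-19", f"{domain}-500", f"{domain}-1106"):
        print(s, classify_sid(s), "high-privilege" if is_high_privilege(s) else "")
```

The RID of the built-in Administrator is always 500, which is why renaming that account does not hide it: anything that can read SIDs still finds it.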

Breaking In – Privilege Escalation
– Because every process needs to access the SAM, it has been the top target for hackers.
– There have been numerous “bugs” in the encryption that have allowed the SAM to be cracked.
– Since this is just a file, it can be copied and moved to another system. Then it can either be cracked or brute-forced to find passwords.

Breaking In – Privilege Escalation
– Once a single account is broken the hacker will try to infiltrate many different accounts in case the one he knows is changed.
– This can be done by watching for keys typed or cracking network SAM files: “John the Ripper” by “Solar Designer”
– Searching for files on the system containing the words “password,” “access,” “logon” or “Administrator”

Malicious Code
– Viruses
– Worms
– Trojan Horses

Malicious Code – Viruses
– “Segments of code that attach themselves to existing programs and perform some predetermined actions when the host program is executed.”
– Piggy-back on other files; no way to spread on their own – needs a “host”
– The “host” passes the infected file to some new “host” who runs the file on another system.

Malicious Code – Viruses
– Usually try to copy themselves throughout a system, making them difficult to remove.
– A single virus can copy many different viruses to many different files.
– Can do things as harmless as report internet activity to an outside source
– Can do things as harmful as copy passwords, format a system, or replace words in e-mails.
– Chernobyl – deletes Flash BIOS memory

Malicious Code – Worms
– Similar to viruses, but they contain a mechanism to spread through a computer network without the assistance of other programs or people.
– Spread extremely quickly
– Hard to remove because they re-install right away from other machines

Malicious Code – Worms
– Internet Worm – installed repeatedly
– LoveBug – flooded the Internet with e-mails in May 2000 with the subject ILOVEYOU. When the attachment was opened it sent itself to other systems and ruined system files.

Malicious Code – Trojan Horses
– Malicious programs packaged within other seemingly useful programs
– Hidden like the Trojans waiting in the giant wooden horse
– Can perform the advertised function, or just the malicious code
– Hard to pinpoint exactly which program the Trojan is hiding in.

Malicious Code – Trojan Horses
RAT – Remote Access Tool
– Installed through a web site
– When executed, installs a back door for the site administrator
– The administrator just looks through the list of IP addresses that accessed the site

Terminal Services
Provide remote access for the hacker
– Using the usernames gained through enumeration, the only thing needed is a password.
– If the hacker cracked the SAM, the system is open.
– Administrator accounts cannot be locked out, leaving them open to brute force attacks.
– ProbTS and TS Grinder help find and exploit Terminal Services connections
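Because the built-in Administrator account is not subject to lockout, the compensating control for the password guessing this slide describes is detection: Windows writes a Security event 4625 for each failed logon, and Terminal Services logons carry Logon Type 10, so a burst of 4625/Type 10 events for one account from one address is the signal to alert on, especially when a 4624 success follows. The detector below is an added example and not from the presentation; the one-line-per-event format and the sample events are a constructed simplification of what a log forwarder would emit, and the threshold and window are assumptions.

```python
"""Detect password guessing against Terminal Services (RDP) accounts.

Added example, not from the original presentation.  Event 4625 is a failed
logon, 4624 a successful one, and Logon Type 10 marks a remote interactive
(Terminal Services) logon.  The flat key=value line format is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a guessing run against the built-in Administrator that
# eventually succeeds, plus a legitimate user who mistypes a password once.
SAMPLE_EVENTS = """\
2024-05-01T22:10:01 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=198.51.100.7
2024-05-01T22:10:02 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=198.51.100.7
2024-05-01T22:10:02 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=198.51.100.7
2024-05-01T22:10:03 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=198.51.100.7
2024-05-01T22:10:04 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=198.51.100.7
2024-05-01T22:10:05 EventID=4624 LogonType=10 TargetUserName=Administrator IpAddress=198.51.100.7
2024-05-01T22:11:30 EventID=4625 LogonType=10 TargetUserName=bob IpAddress=203.0.113.4
2024-05-01T22:11:40 EventID=4624 LogonType=10 TargetUserName=bob IpAddress=203.0.113.4
"""


def parse_event(line):
    """Turn one constructed-format line into a dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per (source, account) that accumulated at least
    `threshold` failed Type-10 logons inside `window`.

    'followed_by_success' is set when a 4624 for the same source and account
    arrives after the failures that triggered the alert: the case that needs
    an immediate response rather than just a ticket."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("LogonType") != "10":
            continue  # only Terminal Services logons are of interest here
        key = (ev["IpAddress"], ev["TargetUserName"])
        if ev["EventID"] == "4625":
            failures[key].append(ev["ts"])
        elif ev["EventID"] == "4624":
            successes[key].append(ev["ts"])

    alerts = []
    for key, times in failures.items():
        times.sort()
        # Slide a window of `threshold` consecutive failures; alert on the first fit.
        for i in range(len(times) - threshold + 1):
            last_fail = times[i + threshold - 1]
            if last_fail - times[i] <= window:
                alerts.append({
                    "source": key[0],
                    "account": key[1],
                    "failures": len(times),
                    "followed_by_success": any(t > last_fail for t in successes.get(key, [])),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

Bob's single failure never reaches the threshold, while the Administrator run is reported with `followed_by_success` set, which is the outcome the slide warns about: once the guessed password works, the Terminal Services session looks like any other logon.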

Denial of Service (DoS)
– Over-load the server to render it unable to accept any additional connections
– Effectiveness of attacks is seriously limited by the hardware and internet connection of the attacker
– DoS attacks exploit the fact that the target can’t tell if it’s legitimate traffic or not, so it has to respond to everything
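The last point on this slide is also the lever for the defence: a server does not need to tell attack traffic from legitimate traffic if it caps how much work any one source can demand per second. The per-source token bucket below is an added example, not from the presentation; the rate and burst values, the addresses and the traffic pattern are constructed for the demonstration, and timestamps are passed in explicitly so the run is deterministic.

```python
"""Bound the work a server spends per source with a token bucket.

Added example, not from the original presentation.  Each source gets a bucket
of `burst` tokens refilled at `rate` tokens per second; a request is served
only if a token is available, so a flood from one address exhausts its own
bucket while other clients are unaffected.
"""
from collections import defaultdict


class TokenBucket:
    def __init__(self, rate, burst):
        self.rate = float(rate)    # tokens added per second
        self.burst = float(burst)  # bucket capacity, also the starting balance
        self.tokens = float(burst)
        self.last = None           # timestamp of the previous request

    def allow(self, now):
        """Refill for the elapsed time, then consume one token if available."""
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PerSourceLimiter:
    """One bucket per client address; a new address starts with a full bucket."""

    def __init__(self, rate=2.0, burst=5):
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))

    def allow(self, src, now):
        return self.buckets[src].allow(now)


def simulate(limiter, requests):
    """requests: iterable of (timestamp_seconds, src), time-ordered per source.
    Returns {src: (served, dropped)}."""
    stats = defaultdict(lambda: [0, 0])
    for now, src in requests:
        stats[src][0 if limiter.allow(src, now) else 1] += 1
    return {src: tuple(counts) for src, counts in stats.items()}


# Constructed traffic: one source sends 100 requests within one second,
# a normal client sends one request per second for five seconds.
FLOOD = [(i / 100.0, "198.51.100.7") for i in range(100)]
NORMAL = [(float(i), "203.0.113.4") for i in range(5)]


def run_demo():
    return simulate(PerSourceLimiter(rate=2.0, burst=5), sorted(FLOOD + NORMAL))


if __name__ == "__main__":
    for src, (served, dropped) in run_demo().items():
        print(f"{src}: served {served}, dropped {dropped}")
```

With a burst of 5 and a refill of 2 tokens per second the flooding source gets its first five requests served and then only what the refill allows, while the normal client, whose bucket refills faster than it spends, is served every time. A limiter like this does not stop a distributed attack on its own, since each participating machine gets its own bucket, but it removes the single-source case and keeps the cost of answering any one address bounded.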

Distributed Denial of Service (DDoS)
– Performs the same functions as a DoS, but from many computers at the same time
– Performed through machines infested with Trojan Horses or Worms
– Limited only by the number of machines infected
February 2000 – first major DDoS
– Targeted Google and Microsoft
– Took down both sites for a little more than a day
– Originated in computer labs at two major California universities

Conclusion
– Hacking is a lucrative, multinational, criminal occupation
– As Computer Science or Software Engineering professionals we must strive to make sure everything we produce is safe against hackers
– Through understanding the methodology of hackers it’s easier to protect systems from them

Questions???