ITTIP SeminarCopyright 2001 R.C.Marchany1 The Top 10/20 Internet Security Vulnerabilities – A Primer Randy Marchany VA Tech Computing Center Blacksburg,

Slides:



Advertisements
Similar presentations
Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
Advertisements

DMZ (De-Militarized Zone)
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
System Security Scanning and Discovery Chapter 14.
System and Network Security Practices COEN 351 E-Commerce Security.
Homework 3.2 Clients Hub What’s wrong with this picture? Clients Using 100TX.
Security Tools CS-480b Dick Steflik. CACLS Windows NT, W2000, XP Displays or modifies access control lists (ACLs) of files.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Computer Security and Penetration Testing
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 6 Enumeration.
TCP/IP - Security Perspective Upper Layers CS-431 Dick Steflik.
Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.
1 Chapter Overview Introduction to Windows XP Professional Printing Setting Up Network Printers Connecting to Network Printers Configuring Network Printers.
TCP/IP Tools Lesson 5. Objectives Skills/ConceptsObjective Domain Description Objective Domain Number Using basic TCP/IP commands Understanding TCP/IP3.6.
Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.
Router Hardening Nancy Grover, CISSP ISC2/ISSA Security Conference November 2004.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
Va-scanCopyright 2002, Marchany Securing Solaris Servers Randy Marchany.
Module 7: Configuring TCP/IP Addressing and Name Resolution.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.
Lesson 9 Common Windows Exploits. UTSA IS 3523 ID and Incident Response Overview Top 20 Exploits Common Vulnerable Ports Detecting Events.
Chapter 7: Using Windows Servers to Share Information.
PRACTICAL STEPS IN SECURING WINDOWS NT Copyright, 1996 © Dale Carnegie & Associates, Inc. TIP For additional advice see Dale Carnegie Training® Presentation.
Overview: Identify the Internet protocols and standards Identify common vulnerabilities and countermeasures Identify specific IIS/WWW/FTP concerns Identify.
Network Protocols. Why Protocols?  Rules and procedures to govern communication Some for transferring data Some for transferring data Some for route.
Karlstad University Introduction to Vulnerability Assessment Labs Ge Zhang Dvg-C03.
Chapter 6: Packet Filtering
Security Issues in Unix OS Saubhagya Joshi Suroop Mohan Chandran.
Microsoft Internet Information Services 5.0 (IIS) By: Edik Magardomyan Fozi Abdurhman Bassem Albaiady Vince Serobyan.
1 The Firewall Menu. 2 Firewall Overview The GD eSeries appliance provides multiple pre-defined firewall components/sections which you can configure uniquely.
CIS 450 – Network Security Chapter 3 – Information Gathering.
1 The Top 10/20 Internet Security Vulnerabilities – A Primer This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis.
Computer Security and Penetration Testing Chapter 16 Windows Vulnerabilities.
1 CHAPTER 3 CLASSES OF ATTACK. 2 Denial of Service (DoS) Takes place when availability to resource is intentionally blocked or degraded Takes place when.
Packet Filtering Chapter 4. Learning Objectives Understand packets and packet filtering Understand approaches to packet filtering Set specific filtering.
Hour 7 The Application Layer 1. What Is the Application Layer? The Application layer is the top layer in TCP/IP's protocol suite Some of the components.
Copyright 2001 Marchanyh1 Auditing Networks, Perimeters and Systems The SANS Top Ten Audit Checklists, Part 1.
© 1999 Ernst & Young LLP e e treme hacking Black Hat 1999 Over the Router, Through the Firewall, to Grandma’s House We Go George Kurtz & Eric Schultze.
Linux Networking and Security
Firewalls and Info Services Prevent unathorized access between nets Most of the protection is based upon examination of the IP packets There is always.
Application Layer Khondaker Abdullah-Al-Mamun Lecturer, CSE Instructor, CNAP AUST.
CHAPTER 3 Classes of Attack. INTRODUCTION Network attacks come from both inside and outside firewall. Kinds of attacks: 1. Denial-of-service 2. Information.
Computer Networking From LANs to WANs: Hardware, Software, and Security Chapter 13 FTP and Telnet.
CIS 450 – Network Security Chapter 14 – Specific Exploits for UNIX.
The Top 10 Bugs in Windows 2000 From Jesper Johanssen’s W2K Security Vulnerabilities Lecture.
Module 14: Securing Windows Server Overview Introduction to Securing Servers Implementing Core Server Security Hardening Servers Microsoft Baseline.
Cracking Techniques Onno W. Purbo
1 Linux Security. 2 Linux is not secure No computer system can ever be "completely secure". –make it increasingly difficult for someone to compromise.
Hacking Windows 9X/ME. Hacking framework Initial access physical access brute force trojans Privilege escalation Administrator, root privileges Consolidation.
Vulnerability Scanning Vulnerability scanners are automated tools that scan hosts and networks for known vulnerabilities and weaknesses Credentialed vs.
Security and Firewalls Ref: Keeping Your Site Comfortably Secure: An Introduction to Firewalls John P. Wack and Lisa J. Carnahan NIST Special Publication.
1 Security. 2 Linux is not secure No computer system can ever be "completely secure". –make it increasingly difficult for someone to compromise your system.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
Retina Network Security Scanner
1 Syllabus at a glance – CMCN 6103 Introduction Introduction to Networking Network Fundamentals Number Systems Ethernet IP Addressing Subnetting ARP DNS.
Hands-On Ethical Hacking and Network Defense Chapter 2 TCP/IP Concepts Review Last modified
Chapter 7: Using Network Clients The Complete Guide To Linux System Administration.
IST 201 Chapter 11 Lecture 2. Ports Used by TCP & UDP Keep track of different types of transmissions crossing the network simultaneously. Combination.
Lecture 19 Page 1 CS 236 Online 6. Application Software Security Why it’s important: –Security flaws in applications are increasingly the attacker’s entry.
Common System Exploits Tom Chothia Computer Security, Lecture 17.
Microsoft OS Vulnerabilities April 1, 2010 MIS 4600 – MBA © Abdou Illia.
Networks Lecture 12.
Working at a Small-to-Medium Business or ISP – Chapter 8
Chapter 6 Application Hardening
Onno W. Purbo Cracking Techniques Onno W. Purbo
A Distributed DoS in Action
6. Application Software Security
Presentation transcript:

ITTIP SeminarCopyright 2001 R.C.Marchany1 The Top 10/20 Internet Security Vulnerabilities – A Primer Randy Marchany VA Tech Computing Center Blacksburg, VA

ITTIP SeminarCopyright 2001 R.C.Marchany2 Introduction This presentation is designed to give you a brief overview of the top 10 most critical Internet Security threats. These aren’t the only threats….just the most common at the moment. Hopefully, we’ll eliminate these threats and create a new list next year. The Top 10 and Top 20 documents are in Appendix A of this presentation.

ITTIP SeminarCopyright 2001 R.C.Marchany3 Introduction We’ll review the original Top 10 list first We’ll review the new items in the Top 20 We’ll also provide a list of common ports to filter or monitor.

ITTIP SeminarCopyright 2001 R.C.Marchany4 Why Are We Vulnerable? Computer systems and programs have become more complex in the past 25 years. Quality control hasn’t been able to keep up due to market pressures, programming skill deficiencies, etc. Most of these programs/systems are based on code that was never intended to be “production” quality.They were “proof of concept” programs that became the basis of production systems.

ITTIP SeminarCopyright 2001 R.C.Marchany5 So Many Systems, Not Enough Time… million hosts are connected to the Net each month. There aren’t 2.3 million sysadmins. Something has to give…. Unfortunately, it’s the sysadmin. Not enough training, too many conflicting demands on their time. The Prime Directive: Keep the system up! Patch the system? When I have time….

ITTIP SeminarCopyright 2001 R.C.Marchany6 Hacking = Rocket Science? Not! Any good hacker can write the attack tool. The real skill is making so easy to use that a CEO could launch the attack. There are lots of hacker WWW sites where you can get these tools. These sites try to outdo each other by designing the best, baddest, user- friendly site.

ITTIP SeminarCopyright 2001 R.C.Marchany7 Why Are the Attacks Successful? We didn’t close all the doors because we’re too busy doing “real” stuff. If the hackers got caught, we didn’t punish them. It would be too embarrassing to admit we got hit. Our Incident Response Plans were inadequate.

ITTIP SeminarCopyright 2001 R.C.Marchany8 Why Are the Attacks Successful? The attack designers studied (cased) the target code carefully. A lot of attacks are based on Buffer Overflows. Example: a program expects 80 input characters max. You give it 5000 characters. How does the code handle it?

ITTIP SeminarCopyright 2001 R.C.Marchany9 Some Pointers About the Lists Each item in the list is divided into 4 parts A description of the vulnerability The systems affected by the vulnerability A CVE number identifying the vulnerability Some suggested corrections

ITTIP SeminarCopyright 2001 R.C.Marchany10 Some Pointers about the Lists What’s a CVE number? CVE = Common Vulnerabilities & Exposures reference number that is used to uniquely identify a vulnerability. It’s like the Dewey Decimal #’s that are used in the library. You can go to any library and find the same book using the same Dewey catalog number CVE’s does the same for vulnerabilities.

ITTIP SeminarCopyright 2001 R.C.Marchany11 Some More Pointers about the Lists Ports to block/monitor at the firewall are provided at the end of the Top 20 list. Remember this only works for EXTERNAL attacks. Internal attacks need additional security measures.

ITTIP SeminarCopyright 2001 R.C.Marchany12 Some More Pointers about the Lists Automated Scanning for the Top 20 SARA – freeware scanning tool designed specifically for this. See Commercial scanners are becoming available. Links to ICAT Vulnerability Index Each entry is linked to the NIST ICAT indexing service. ICAT entries contain a short description of the vulnerability and other info.

ITTIP SeminarCopyright 2001 R.C.Marchany13 Item #1: BIND All Internet systems have a hostname and an IP address. Every home is known by its address and who lives in it. “hey, is that Randy’s house?” “Yeah, it’s at 24 Main St.” “Randy’s house” = hostname “24 Main St.” = IP address BIND (Berkeley Internet Domain) maps hostnames to IP addresses. It’s the set of “phone books” of the Internet.

ITTIP SeminarCopyright 2001 R.C.Marchany14 Item #1: BIND Every network needs a couple of systems that run BIND. They’re called nameservers. Old versions of BIND have security holes.The nameservers aren’t always up-to-date. They were when they were installed but that was years ago. It works so why fix it? Right? Wrong!

ITTIP SeminarCopyright 2001 R.C.Marchany15 Item #1: BIND The Danger: Hackers get full control of the nameserver and can use it for anything they want. A Solution Make sure your version is higher than BIND patch level 5

ITTIP SeminarCopyright 2001 R.C.Marchany16 Item #2: CGI Scripts CGI = Common Gateway Interface It’s the language that programmers use to display and read your input to a WWW based form. Not everyone knows how to use it so WWW server vendors supply examples. The examples have security holes in them. Some CGI programmers haven’t checked their code.

ITTIP SeminarCopyright 2001 R.C.Marchany17 The Second Item – CGI Scripts All Web servers could be affected by this “feature”. The Danger Your WWW pages could be changed a la DOJ, CIA, FBI, Valujet. Your WWW server could be used to attack other sites A Solution Remove unsafe CGI scripts from the WWW server

ITTIP SeminarCopyright 2001 R.C.Marchany18 Item #3: Remote Procedure Calls (RPC) RPC allows a computer to run a program on another computer. It’s used by computers that share files between them. Many client – server systems depend on the use of RPC calls. Unix systems (Solaris, AIX, HP-UX, Linux, Tru64, Irix) were primarily affected but any computer that uses the RPC subsystem is vulnerable

ITTIP SeminarCopyright 2001 R.C.Marchany19 Item #3: Remote Procedure Calls (RPC) The Danger: Older versions of RPC have security weaknesses that allow hackers to gain full control of your computer(s). A Solution Disable the RPC services if you don’t use them Install the latest vendor patches

ITTIP SeminarCopyright 2001 R.C.Marchany20 Item #4: Microsoft Internet Information Server (IIS) Windows NT and Windows 2000 Web servers use IIS to support web services. IIS has a component called Remote Data Services (RDS) that could allow a hacker to run remote commands with administrator privileges. Code Red, NIMDA

ITTIP SeminarCopyright 2001 R.C.Marchany21 Item #4: Microsoft Internet Information Server (IIS) The Danger: A hacker can run commands on another system without having to access it directly. A Solution: Read the Microsoft technical bulletins that describe how to fix the problem

ITTIP SeminarCopyright 2001 R.C.Marchany22 Item #5: Sendmail Weakness Sendmail is one of the original Internet programs. It was a graduate programming project that was never designed to work in a “production” environment. It became the defacto standard. Pre-version 8.10 had security problems Some vendors still ship Sendmail v5.65! Most vendors shipped their systems with these older versions.

ITTIP SeminarCopyright 2001 R.C.Marchany23 Item #5: Sendmail Weakness The 1988 Internet Worm exploited a problem in sendmail.There are a lot of systems that still run that version of sendmail. Why? It works! The Danger: Hackers can run commands on your systems without ever logging into your system. Hackers can take over your machine. A Solution: Update to the latest version of sendmail

ITTIP SeminarCopyright 2001 R.C.Marchany24 Item #6: sadmind and mountd Sadmind is used by Solaris applications to run distributed sysadmin operations. It executes the request on the server from a client program. Sounds like RPC? It is. Mountd controls file sharing across the network using NFS. This is the program that “attaches” a remote disk to your computer.

ITTIP SeminarCopyright 2001 R.C.Marchany25 Item #6: sadmind and mountd The Danger: Hackers can cause these programs to give them access to root. They can take over your machine. This was one of the primary ways hackers used to set up the systems used in the recent DDOS attacks against Yahoo, CNN and other sites. A Solution: Install the latest vendor patches for sadmind and mountd.

ITTIP SeminarCopyright 2001 R.C.Marchany26 Item #7: Global File Sharing You can share files between computers using tools like Network Neighborhood (Windows), AppleShare(Macintosh) or NFS(Unix). By default, the access is read-write.

ITTIP SeminarCopyright 2001 R.C.Marchany27 Item #7: Global File Sharing Anyone on the same network could access your files. In the old days, the network was small but now the network is the Internet so anyone anywhere in the world could access your files if you let them. The problem is that you don’t always know that you’re letting them.

ITTIP SeminarCopyright 2001 R.C.Marchany28 Item #7: Global File Sharing This is a real danger to homes that have direct connect modems. The Danger: People can get access to your personal data, for example, your checking account data (if you use MSMoney), your , etc. A Solution: Make sure you know what you’re sharing. Make sure you know who’s sharing the data with you.

ITTIP SeminarCopyright 2001 R.C.Marchany29 Item #8: User Accounts with No Passwords Some systems come with demo or guest accounts with no passwords or well known passwords. The initial/default password for VMS system manager account, SYSTEM was MANAGER. The initial password for the Field Service account, FIELD, was SERVICE.

ITTIP SeminarCopyright 2001 R.C.Marchany30 Item #8: User Accounts with No Passwords People forgot to change these passwords. The first thing hackers do is check to see if the defaults passwords were changed. Why waste a lot of effort if the door is unlocked?

ITTIP SeminarCopyright 2001 R.C.Marchany31 Item #8: User Accounts with No Passwords The Danger: Someone can get complete control of your system. Someone can get access to your system via a general accounts and then run exploit tools on your systems to get full control of your system. A Solution: Change your root, administrator passwords before the systems goes into production. Run a password checking program to discover who has weak passwords on your system. Do it before the hackers do!

ITTIP SeminarCopyright 2001 R.C.Marchany32 Item #9: IMAP, POP Vulnerabilities IMAP and POP are two common protocols that provide additional features to users. They allow users to access their accounts from anywhere on the Internet.

ITTIP SeminarCopyright 2001 R.C.Marchany33 Item #9: IMAP, POP Vulnerabilities Firewalls usually allow using these services to pass through the firewall. Quality control of the software is inconsistent most of the time.

ITTIP SeminarCopyright 2001 R.C.Marchany34 Item#9: IMAP, POP Vulnerabilities The Danger: Hackers can gain access to your internal network if they can subvert IMAP or POP mail server systems. If successful, they gain complete control of your system. A Solution: Make sure you’ve installed the latest patches. Run the services on your mail servers only.

ITTIP SeminarCopyright 2001 R.C.Marchany35 Item #10: SNMP Vulnerabilities Simple Network Management Protocol (SNMP) is used by network managers to monitor the status, performance and availability of the network. The Net Mgrs can remotely manage their routers, printers, systems using SNMP.

ITTIP SeminarCopyright 2001 R.C.Marchany36 Item #10: SNMP Vulnerabilities SNMP has very weak authentication. Its default “password” is “private”. Everyone knows this.

ITTIP SeminarCopyright 2001 R.C.Marchany37 Item #10: SNMP Vulnerabilities The Danger: Hackers can gain control of network devices such as routers. They could shut them down. They can map your network w/o your knowledge. A Solution: Pick strong community strings (passwords) for your SNMP devices. Make the MIBs read only.

ITTIP SeminarCopyright 2001 R.C.Marchany38 Summary Most of the successful system and network attacks exploit a small set of vulnerabilities. The Top 10 list briefly describes this set of vulnerabilities and gives you references to learning more about them. More importantly, it gives you some suggested fixes for the problem. Our individual security depends on our mutual security.

ITTIP SeminarCopyright 2001 R.C.Marchany39 The SANS/FBI Top 20 List If we had fixed the top 10, there wouldn’t be a top 20.

ITTIP SeminarCopyright 2001 R.C.Marchany40 Top 20 List Organization Vulnerabilities that affect all systems Unix/Linux Windows Mac Mainframes Windows Vulnerabilities Unix Vulnerabilities

ITTIP SeminarCopyright 2001 R.C.Marchany41 Top 20 Summary General – Affects all Systems G1: Default OS Installations G2: Accounts with Weak or No Passwords G3: Non-existent or Incomplete Backups G4: Large Number of Open Ports G5: Incorrect Ingress/Egress Packet Filtering G6: Non-existent or Incomplete Logging G7: Vulnerable CGI Programs

ITTIP SeminarCopyright 2001 R.C.Marchany42 Top 20 Summary Windows W1: Unicode Vulnerability W2: ISAPI Extension Buffer Overflows W3: IIS RDS Exploit W4: Unprotected NETBIOS Shares W5: Null Sessions W6: Weak Hashing in SAM (LM Hash)

ITTIP SeminarCopyright 2001 R.C.Marchany43 Top 20 Summary Unix U1: RPC buffer Overflows U2: Sendmail Vulnerabilities U3: BIND U4: R Commands U5: LPD Buffer Overflow U6: sadmind mountd Buffer Overflow U7: Default SNMP

ITTIP SeminarCopyright 2001 R.C.Marchany44 G1: Default OS Installations OS and application installs are not configured for security Vendor Philosophy Better to enable all functions than require the user to turn them on individually. Convenience vs. Security: Who wins?

ITTIP SeminarCopyright 2001 R.C.Marchany45 G1: Default OS Installations System Impacted All Unix, Linux, Windows, MacOS are vulnerable to some degree. Windows, SGI are more open than normal.

ITTIP SeminarCopyright 2001 R.C.Marchany46 G1: Default OS Installations Are you vulnerable? If you use default vendor installation programs then you are vulnerable. Extra extra service/tool installed that is not needed is another window into your system.

ITTIP SeminarCopyright 2001 R.C.Marchany47 G1: Default OS Installations How to protect? Remove unnecessary software/services asap. Install minimum then add. This can be automated using Minimum Installation guidelines. Use the CIS Security Benchmark tools for your OS.

ITTIP SeminarCopyright 2001 R.C.Marchany48 G3: Non-existent, Incomplete Backups Recovery from an incidents requires up-to- date backup. Have you verified the backups actually work? Offsite? 9/11 proved this. How long does it take to RESTORE the data? What is the data xfer rate of your tape drives? Systems Impacted Any critical system

ITTIP SeminarCopyright 2001 R.C.Marchany49 G3: Non-existent, Incomplete Backups Am I vulnerable? Check backup procedures. Is the backup interval acceptable? Are the systems being backup up according to procedure? Off site storage? Procedures? Restoration tested and verified?

ITTIP SeminarCopyright 2001 R.C.Marchany50 G3: Non-existent, Incomplete Backups How to Protect Daily backups Monthly backups should be verified.

ITTIP SeminarCopyright 2001 R.C.Marchany51 G4: Large Number of Open Ports The more ports open, the more ways to get into the system. Related to Default OS install vulnerability. Systems Impacted Any system that used a vendor default installation program.

ITTIP SeminarCopyright 2001 R.C.Marchany52 G4: Large Number of Open Ports Am I vulnerable? Use netstat command to list open ports. Run a port scanner (nmap, Nessus) against your system. Match open ports to legitimate services provided by the machine. If no match, then it’s an unnecessary service.

ITTIP SeminarCopyright 2001 R.C.Marchany53 G4: Large Number of Open Ports How to protect myself Unix: modify /etc/inetd.conf Windows NT/2000 : use fport from to list the ports. Windows XP: netstat –o command

ITTIP SeminarCopyright 2001 R.C.Marchany54 G5: Incorrect Ingress/Egress Router Filters Description IP spoofing hides the attacker. Numerous attacks (Smurf, mail forgery) use this technique. Systems Impacted Unix, Windows, Mac, Routers

ITTIP SeminarCopyright 2001 R.C.Marchany55 G5: Incorrect Ingress/Egress Router Filters Am I vulnerable? Send a spoofed packet and see if it’s blocked and logged.

ITTIP SeminarCopyright 2001 R.C.Marchany56 G5: Incorrect Ingress/Egress Router Filters How to Protect Incoming packets must not have SRC of your internal network. It must have a DST of your internal network. Outbound packets must have a SRC of your internal network. Outbound packets must not have a DST of your internal net. No packet should have SRC/DST of a private address or address listed in RFC Block any source routed packet with IP options set

ITTIP SeminarCopyright 2001 R.C.Marchany57 G6: Non-existent, Incomplete Logging Description You can’t detect an attack if you don’t know what’s going on your network. Logs are business records! Systems Impacted All system and network devices

ITTIP SeminarCopyright 2001 R.C.Marchany58 G6: Non-existent, Incomplete Logging Am I vulnerable? Are there logs for the critical assets? How to Protect? Set up local and central logging. Save on CD or other Read-Only device.

ITTIP SeminarCopyright 2001 R.C.Marchany59 W1: Unicode – Web Server Traversal Description Unicode provides a unique number for every character regardless of the the platform, program or language. You can send IIS a carefully constructed URL with an invalid Unicode sequence that will let an attacker see any file anywhere on the system. You can run programs as well.

ITTIP SeminarCopyright 2001 R.C.Marchany60 W1: Unicode – Web Server Traversal Systems Impacted Windows NT 4.0 with IIS 4.0 Windows 2000 server with IIS 5.0 with no SP2 CVE

ITTIP SeminarCopyright 2001 R.C.Marchany61 W1: Unicode – Web Server Traversal Am I vulnerable? Unpatched version of IIS? Yes! Did you install MS00-057, MS00-078, MS00-086, MS00-026, MS00-044, SP2? Yes, then ok.

ITTIP SeminarCopyright 2001 R.C.Marchany62 W1: Unicode – Web Server Traversal Enter: tem32/cmd.exe?/c+dir+c:\ tem32/cmd.exe?/c+dir+c:\ If you removed scripts dir, then it’ll fail. Replace scripts with whatever you named your script directory.

ITTIP SeminarCopyright 2001 R.C.Marchany63 W1: Unicode – Web Server Traversal How to Protect Install latest Microsoft patches. See bulletin/MS00-78.asp bulletin/MS00-78.asp Install IIS lockdown tool if you want. Don’t use IIS for critical functions, IMHO.

ITTIP SeminarCopyright 2001 R.C.Marchany64 W2: ISAPI Extension Buffer Overflows Description Several ISAPI extensions are installed by default when you install IIS. This allows developers to extend IIS by using DLLs. Several DLLs, idq.dll, have errors that allow buffer overflow attacks. This lets an attacker take full control of your IIS server.

ITTIP SeminarCopyright 2001 R.C.Marchany65 W2: ISAPI Extension Buffer Overflows Systems Impacted Windows 2000 running Index Server 2.0, Indexing Service Windows 2000 server, Adv. Server, Server Data Center Edition, Professional

ITTIP SeminarCopyright 2001 R.C.Marchany66 W2: ISAPI Extension Buffer Overflows Am I vulnerable? SP2 installed? No, then you are. Installed MS01-023, MS01-033, MS , MS01-033, MS01-044, NT4.0 Security Roll-up Package? Yes, then ok. How to Fix Install latest patches from Microsoft. Unmap unnecessary ISAPI extensions

ITTIP SeminarCopyright 2001 R.C.Marchany67 W5: Null Session Connections Description Null Session (anonymous login) lets you get info over the net about shares, etc. When 1 machine needs something from another, it uses the local SYSTEM (LocalSystem, W2K) account to open a null session to the remote system. Hackers can use Null logins to gain access to SYSTEM. This has no password.

ITTIP SeminarCopyright 2001 R.C.Marchany68 W5: Null Session Connections Systems Impacted Windows NT 4.0, Windows 2000 Am I vulnerable? Go to and click on the ShieldsUP link to see your system’s SMB exposure.

ITTIP SeminarCopyright 2001 R.C.Marchany69 W5: Null Session Connections How to Protect Needed for Domain Controllers Block TCP/UDP 139, 445 on the network Never allow Internet users to access any internal DC.

ITTIP SeminarCopyright 2001 R.C.Marchany70 W6: Weak Hashing in SAM Description LAN Manager passwords have very weak encryption. LM passwords are truncated to 14 characters, padded with spaces to 14 characters, converted to all Upper case, split into 2 seven character pieces. Crackers only have to do 2 upper case seven characters passwords.

ITTIP SeminarCopyright 2001 R.C.Marchany71 W6: Weak Hashing in SAM Systems Impacted Windows NT, Windows 2000 Am I vulnerable? Running default installation of NT or W2K? Yes because LM is created by default.

ITTIP SeminarCopyright 2001 R.C.Marchany72 W6: Weak Hashing in SAM How to Protect? Disable LAN Manager Use NTLMv2 (version 2 LM) Read Technet article “ How to Disable LM Authentication on Windows NT [Q147706]

ITTIP SeminarCopyright 2001 R.C.Marchany73 U4: R Commands Description If a user logins from a trusted system, then no password is needed to gain access to your system. rlogin, rsh, rcp Used by Network Appliance vendors with no concept of security. Systems Impacted Any Unix/Linux system

ITTIP SeminarCopyright 2001 R.C.Marchany74 U4: R Commands Am I vulnerable? Look for.rhosts, /etc/hosts.equiv files. If there, then yes. How to Protect Disable r-command in /etc/inetd.conf. Fire any one who wants to use it for they have no concept of security.

ITTIP SeminarCopyright 2001 R.C.Marchany75 U5: LPD Description The in.lpd program provides local printer services for Unix users. It listens on port 515 for incoming requests but has a buffer overflow vulnerability allowing root access. Systems Impacted Solaris Linux

ITTIP SeminarCopyright 2001 R.C.Marchany76 U5:LPD Am I vulnerable? Are you running unpatched version of lpd? Yes, then you are. How to Protect Install latest Solaris or Linux patches. Disable print service in /etc/inetd.conf Block access to port 515 Install TCP Wrappers, Portsentry

ITTIP SeminarCopyright 2001 R.C.Marchany77 Common Vulnerable Ports Common ports probed/attacked Block or log all access to these ports as necessary. Login services telnet: 23/tcp FTP: 21/tcp NetBIOS: 139/tcp Ssh: 22/tcp r-commands: /tcp RPC/NFS Portmap/rpcbind: 111/tcp/udp NFS: 2049/tcp/udplockd: 4045/tcp/udp

ITTIP SeminarCopyright 2001 R.C.Marchany78 Common Vulnerable Ports NetBIOS: 135/tcp/udp, 137/udp, 138/udp, 139/tcp, 445/tcp/udp X-Windows: /tcp DNS: 53/udp, LDAP: 389/tcp/udp Mail SMTP: 25/tcp POP: 109/tcp, 110/tcp IMAP: 143/tcp WWW HTTP: 80/’tcp SSL:443/tcp

ITTIP SeminarCopyright 2001 R.C.Marchany79 Common Vulnerable Ports Small Services Ports < 20/tcp/udp, Time: 37/tcp/udp Miscellaneous TFTP: 69/udp finger: 79/tcp NNTP: 119/tcp NTP: 123/tcp LPD: 515/tcp syslog: 514/udp SNMP: 161/tcp/udp, 162/tcp/udp BGP: 179/tcp SOCKS: 1080/tcp ICMP: Block incoming echo requests, outgoing echo reply, time exceeded, destination unreachable. This breaks ping.

ITTIP SeminarCopyright 2001 R.C.Marchany80 Summary You won’t eliminate all of your exposure by closing these 20 holes. Constant vigilance and awareness is the best defense. The consequences of failure could drive your company out of business. There’ll be another top 20 items to inspect in the future but at least we got rid of these items.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.