Hacking Windows and Windows Security Lesson 10

Windows 9X/Me/NT
- There are still some folks out there using Windows 95 and 98, ME, 2000, and NT.
- Remote exploitation: 4 categories
  - Direct connection to a shared resource
  - Installation of backdoor server daemons
  - Exploitation of known server application vulnerabilities
  - Denial of service

Connection to Windows Shared Resources
- The most obvious and easiest way to gain unauthorized access to Windows systems is through shared resources.
- Windows 9x provided 3 methods for direct access to the system:
  - File and print sharing
  - An optional dial-up server
  - Remote Registry manipulation
- File and print sharing: Legion, by the Rhino9 group, can scan an IP range for Windows shares and also comes with a brute-force password cracker.
- Countermeasure: simply do not use file sharing on your systems. If you must, make sure you pick good passwords.

Windows 9x Dial-up Servers
- The issue is the ease with which anybody can install a modem and then use the Microsoft Plus! add-on package for Windows 95 (standard with 98), which includes the Dial-Up Server.
- Chances are high that a system using this will also have file sharing turned on, so it is then a matter of guessing a password.
- Countermeasure: do not use this package, or at least select a good password.

Remotely Attacking the Registry
- Windows 9x did not provide a built-in capability for remotely managing the registry, but if the MS Remote Registry Service is installed then the registry can be managed remotely.
- If you are going to install this package, pick a good password. The best idea is probably not to install it at all.

Windows Backdoors
- The most common delivery tool for backdoor client/server programs is the trojan horse.
- The most famous of these tools is Back Orifice.
  - Like other programs of this sort, it was billed as a "remote Windows 9x administration tool".
  - Allows almost complete remote control of Windows 9x systems.
  - So popular that a version was released for Windows NT/2K: BO2K.
- It infects a system by having the user execute the trojan, which installs it. The best way to avoid this is through good malicious-code practices.
- NetBus is another, similar program, but with more features and capabilities.
- SubSeven is possibly the most common backdoor program and includes the ability to communicate via IRC.

Denial of Service Attacks
- In addition to the host of other methods for conducting a denial of service attack, there are some Windows 9X-specific attacks such as POD (ping of death) and WinNuke.
- Countermeasures include loading patches and software fixes and not attaching 9X systems directly to the Internet; some legacy systems use this fix.

Windows Local Exploits
- If others can gain physical access to a Windows box, then you are in trouble.
- A password-protected screen saver can be circumvented with a reboot.
- The password screen shown as the system reboots can simply be bypassed with the "Cancel" button.
- One way to make these systems harder to attack is to use a BIOS password, since the BIOS is the first thing loaded.
- Other tricks of this kind are openly available.

Windows ME
- An updated version of Windows 98. From an attacker's point of view, ME looks very much the same as 98.
- Remote attacks: file and print sharing is disabled by default, as is the Remote Registry Service, so an attacker has to count on luck that the end user turned them on.
- Local attacks: users may try to protect files by using the password feature when compressing. The problem is that the passwords are kept in cleartext in the file c:\windows\dynazip.log and can thus be viewed by anybody.
- Countermeasure: education, so folks don't use this feature and count on it to protect files.

Windows NT OS Family
- A very significant portion of networks run one of the operating systems in the Windows NT family (NT, 2000, 2003, XP).
- Microsoft has done a good job of patching problems as they are found, so it is possible to secure these systems!
- The issue, however, is that default installations and novice administrators don't always result in the most secure of boxes.
- Another issue is legacy support. Microsoft, in its desire to keep users happy, has attempted to ensure newer systems can function with earlier software, but this may result in less secure systems.
- Many large systems still have "key" older MS OSes at the core of legacy systems.

Unauthenticated Attacks
- Two major mechanisms for compromising NT systems:
- Server Message Block (SMB) attacks
  - The Windows file and print sharing service uses the SMB protocol. SMB is accessed through 2 TCP ports.
  - The most effective method to attack SMB, if it is accessible, is password guessing (check the textbook for a discussion of this process).
  - Countermeasure: block access to SMB at the perimeter firewall, and also set an account lockout threshold so the account is locked after too many guesses.
- Internet Information Services (IIS)
  - MS installed IIS by default with W2K (eventually MS stopped this).
  - Three major types of attacks on IIS (check the text for full discussions): information disclosure, directory traversal, buffer overflows.
  - Again, use firewalls to limit inbound (and outbound) access and, probably most importantly, PATCH!!!
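As an added example (not part of the lecture), the share countermeasure from the "Connection to Windows Shared Resources" slide and the SMB countermeasures from the slide above, expressed as PowerShell on a modern NT-family host. It assumes Windows 8 / Server 2012 or later with an elevated prompt; the lockout numbers, the firewall profile and the share name are assumptions to adjust locally.

```powershell
# Added example, not from the lecture. Assumes Windows 8 / Server 2012 or later
# (NetSecurity and SmbShare modules present) and an elevated PowerShell prompt.
# On a domain-joined host the domain lockout policy overrides step 3.

# 1. Inventory what is actually shared. The lecture's first countermeasure is
#    not to share at all; filtering on Special hides the built-in admin shares
#    (C$, ADMIN$, IPC$) so only shares somebody created are listed.
Get-SmbShare | Where-Object { -not $_.Special } |
    Select-Object Name, Path, Description

# Remove a share you do not need (the share name is a placeholder):
# Remove-SmbShare -Name 'OldScans' -Force

# 2. Block inbound SMB at the host as well as at the perimeter. TCP 139 is the
#    NetBIOS session port (NBT) and TCP 445 is direct SMB. Blocking both on the
#    Public profile covers the case where the box sits on an untrusted network.
New-NetFirewallRule -DisplayName 'Block inbound SMB on public networks' `
    -Direction Inbound -Protocol TCP -LocalPort 139,445 `
    -Profile Public -Action Block | Out-Null

# 3. Account lockout so password guessing against SMB stalls: lock after 10 bad
#    attempts, for 30 minutes, with the bad-attempt counter reset after 30
#    minutes. These thresholds are assumptions, not values from the lecture.
net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# 4. Verify that both settings took effect.
Get-NetFirewallRule -DisplayName 'Block inbound SMB on public networks' |
    Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort
net accounts | Select-String 'Lockout'
```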

Authenticated Attacks
- If an attacker succeeds in gaining access to a user account, the next step is to attempt escalation and obtain administrator privilege.
  - The getadmin family of attacks is useful against unpatched NT4 systems.
  - W2K, though it has addressed the specific getadmin tools, is not that much more secure against escalation. A number of potential attacks are discussed in the text.
- Once escalated privileges have been obtained, the next goal is pilfering, in which attackers grab as much as they can.
  - The password hashes will be a common target (discussion in text). Why, given that the attacker has obtained admin already? Because you may eventually notice and kick them off, and they'll want to be able to get back in.
  - Password cracking: LC (L0phtCrack) is probably the best program for this.
- Don't forget to check for remote control programs and back doors!

Signs of Intrusion
- Check your log files.
- Establish baseline metrics; know your system and its users!
- Watch for signs of an intrusion:
  - Auditing has been disabled (and it wasn't by you, the administrator)
  - The event log has been cleared
- Check occasionally for hidden files.
- For NTFS file streams, try using sfind.
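The checks on this slide as a triage script, added here and not part of the lecture. It assumes Windows Vista / Server 2008 or later with PowerShell 3+, run as an administrator so the Security log is readable; the scanned paths and the 7-day window are assumptions, and the NTFS stream check uses Get-Item -Stream in place of sfind.

```powershell
# Added example, not from the lecture. Assumes Windows Vista / Server 2008 or
# later, PowerShell 3+, and an administrator session (needed for the Security log).
$since = (Get-Date).AddDays(-7)   # lookback window, an assumption

# 1. Event log cleared or audit policy changed. Security 1102 = the audit log
#    was cleared, Security 4719 = system audit policy was changed, System 104 =
#    some log was cleared. An intruder clears logs; an administrator rarely does.
$suspicious = @()
$suspicious += Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102, 4719; StartTime = $since } -ErrorAction SilentlyContinue
$suspicious += Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104; StartTime = $since } -ErrorAction SilentlyContinue
$suspicious | Select-Object TimeCreated, LogName, Id, Message | Format-Table -Wrap

# 2. Auditing silently disabled: list every audit subcategory that reports
#    "No Auditing" and compare against your baseline policy.
auditpol /get /category:* | Select-String 'No Auditing'

# 3. Hidden files outside the places where they are normal (AppData is full of
#    legitimate hidden files, so it is excluded). Paths are assumptions.
Get-ChildItem -Path 'C:\Users', $env:SystemRoot -Recurse -Hidden -File -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -notmatch '\\AppData\\' } |
    Select-Object FullName, Length, LastWriteTime

# 4. NTFS alternate data streams (the sfind use case). ':$DATA' is the file's
#    own main stream and Zone.Identifier is the normal browser download marker,
#    so both are excluded; anything else deserves a look.
Get-ChildItem -Path 'C:\Users' -Recurse -File -ErrorAction SilentlyContinue |
    Get-Item -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
    Select-Object FileName, Stream, Length
```

Compare each section's output against the baseline the slide asks you to establish; an empty result for steps 1 and 4 is the expected state on a clean host.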

Security Features
- One of the most valuable things you can do for a client is to help them better secure their systems and networks. Thus, it is important for us to know as much about securing systems as possible.
- For the Windows family of OSes, PATCH!!!
- Become familiar with the large number of security configurations that are available through Group Policy Objects.
- IPSec: implemented in W2K and later members of the NT family (XP, Vista, Win 7.0).
- Internet Connection Firewall (ICF): shipped with XP.
- Encrypting File System (EFS): released with W2K.
- More security tools are finding their way into the OS: Sysinternals.

Summary
- What is the importance and significance of this material? Windows-based systems are found throughout government, academia, and business. They are very common, and the most common OS for home use.
- How does this topic fit into the subject of "Security Risk Analysis"? With the large number of Windows-based systems, we will undoubtedly come across them in performing a security assessment. We therefore need to know how to test for vulnerabilities and how to protect these systems.