Асоциация за информационна сигурност Мрежова сигурност 1 изборен курс във ФМИ на СУ понеделник, зала 325, ФМИ, 19:00 четвъртък, зала 200, ФМИ, 19:00 Лекция 3.11 :-) Windows

Windows  General Windows  User roles  Type of targets  Type of attacks  Example attacks  Attack prevention  Hardening Windows

Windows general  Windows role  Windows and the others  Patch management  Today role of the security

User Roles  Local System  Administrator  User  Special Roles

Type of targets  Services  Applications  Registry  Users  Permissions  Passwords

Type of attacks  Information gathering Error messages enumerations  Programming errors Buffer overflows Format strings Other

Type of attacks  DoS resource consume Others  Misconfiguration  Privileges More privileges Not dropped privileges

Type of attacks  User Lack of security knowledge Misleading Boredom  Local attacks On site  Password dumping Off site

Type of attacks  Hiding Root Kits NTFS Registry

Example attacks  Information gathering Snmpwalk Path disclosure Banner matching  Programming errors Code red – IIS /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u909 0%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090 %u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

Example attacks  SASSER  Local Security Authority Subsystem Service - Lsasrv.dll RPC buffer overflow  allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file  Windows WMF  The vulnerability is caused due to an error in the handling of Windows Metafile files (‘.wmf’) containing specially crafted SETABORTPROC ‘Escape’ records. Such records allow arbitrary user-defined function to be executed when the rendering of a WMF file fails.” According to the Windows 3.1 SDK docs, the SETABORTPROC escape was obsoleted and replaced by the function of the same name in Windows 3.1, long before the WMF vulnerability took advantage of it  Local privileges escalation attacks

Example attacks  Microsoft Word document handling buffer overflow  A memory corruption vulnerability in Microsoft Word could allow a remote attacker to execute arbitrary code with the privileges of the user running Word.

Example attacks  DoS TCP/IP Microsoft Windows 2000 empty TCP packet denial of service  Microsoft Windows 2000 is vulnerable to a denial of service attack. A remote attacker can send a stream of empty TCP packets to the NetBIOS port (TCP port 139) to consume all available system memory Applications IIS DOS  POST /_vti_bin/shtml.dll HTTP/1.0 Host: [32762 '/' characters] Content-length: 22 This will cause the web service to consume 99% of the CPU for about 35 seconds. During this time, no other HTTP requests will be serviced.

Example attacks  Enumerations Shares  Netbios Auditing Tool Accounts LC 5 Other bindview enum  enum is a console-based Win32 information enumeration utility. Using null sessions, enum can retrieve userlists, machine lists, sharelists, namelists, group and member lists, password and LSA policy information. enum is also capable of a rudimentary brute force dictionary attack on individual accounts.

Example attacks  Misconfiguration Registry permissions Files / Directory permissions  Privileges Higher privileges than needed

Example attacks  Hiding Root kits Trojans

Attack prevention  OS side DEP – Data Execution Prevention Randomization Safe libs Registry tweaks  IDS Deep packet inspection Honeypots  Updates

Hardening  Safe coding  Best practices  Lock tools  Education of users  Good security polices Password polices Access polices