Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hacking Windows.

Published byMorgan Owens Modified over 6 years ago

Similar presentations

Presentation on theme: "Hacking Windows."— Presentation transcript:

1 Hacking Windows

2 Windows Windows basic security: Net logon, no bypass of BIOS (HAL), No remote access to console (default), requires admin privileges for interactive login (Server), and has object-based security model: a security object can be any resource in the system: files, devices, processes, users, etc. server processes impersonate the client's security context (key for file servers) Windows is windows NT updated, with more security tools and patches . Quest for administrator Privilege Escalation Consolidation of power, and Covering tracks.

3 Quest for Administrator
Remote password guessing. Net use can help. Nat guesses passwords using user and password lists (Cain and Abel) is similar). Countermeasures: close ports: use Disable NBT to disable 139 and File and Printer Sharing to disable 445. Use Account Policies to setup password length, lock, expiration, etc. Passfilt implements stronger passwords just activate. Read good and bad passwords and see how to reduce other password vulnerabilities. A database of hacked passwords Pwned Passwords (download do not use online). NIST authentication recommendations and this funny take on it. Use Nmap to exploit MSRPC. Eavesdropping on network password exchange and obtaining password hash values: Sniff tools and NT user authentication. Remote buffer overflows: local (interactive login users), LSASS, and remote using Web, FTP, DB servers and many others. Basic countermeasure: download and run Microsoft Baseline Security Advisor to check for patch vulnerabilities. Run administrative jobs from regular accounts.

4 Privilege Escalation Gathering information: logged as user (not admin), use enumeration tools. Basic countermeasure: set files/directory permissions properly. BIOS password!! Add to administrator group: getadmin and sechole - apply service packs and restrict FTP to server script directories. Also rogue DLLs. Spoofing LPC port requests: using LPC ports API to add to admin group. Again apply the corresponding patch. Trojans: Basic rule: do not use a Server as a workstation (no , no outside browsing), backup! See Symantec Trojan, Worm, virus list. Or this other with Trojans by ports. And how Trojans scan ports. Kerberos V5: only 2K and above machines have it, downgrades to LAN Manager authentication if older Windows are involved. EFS attack: deleting the SAM blanks the Administrator password. Set BIOS password and C: drive boot only. This allows to login as Administrator (the recovery agent) and decrypt the content of the files (just open and save in a regular folder). It is possible to backup the recovery keys .

5 Consolidation of Power
Assumes that administrator-level access has been obtained. Cracking Passwords: See an introduction/FAQ. L0phtcrack is the key tool, graphical, good documentation and was acquired by Symantec. Again Abel and Cain , etc. Countermeasures: choosing strong passwords. Use SYSKEY SAM encryption, but Pwdump7 circumvents SYSKEY and dump hashes from SAM and Active Directory. Duplicate credentials: locally stored domain user credentials, local Administrator with same password as in the Domain. LSA Secrets: includes plain text service account passwords, cached passwords(last 10), FTP and web user plain text passwords, etc. DSScan detects LSA vulnerabilities. Keystroke loggers: record every keystroke to a (hidden) file. See a variety of Free Keyloggers at cnet to capture keystrokes and more. Sniffers again: See Sniff tools and also dsniff (Win32 version).

6 Consolidation of Power
Remote control: Remote control applications (pcAnywhere, VNC, Windows RemoteDesktop, etc.) are useful, but a major security risk, even when configured properly. Rootkits: patching the OS kernel with rogue code, assuming control of the OS. See Rootkit in Wikipedia for now, more later. Port redirection: redirect from one IP number and port to another IP number and port at the gateway/firewall. See rinetd and fpipe. Man-in-middle-attacks: originally using SMBRelay and SMB Proxy, Abel and Cain MITM capabilities. Check security settings in Domain Controller ports 389 and 3268 (Active Directory). Remove Everyone group from access. Covering Tracks Disabling Auditing: using Auditpol and an example. Clearing the Event Log: use elsave to clear the Event Log. Hiding files: using attrib, NTFS file streaming. Use LNS to search for files hidden in streams.

Download ppt "Hacking Windows."

Similar presentations

Chapter Five Users, Groups, Profiles, and Policies.

Chapter Five Users, Groups, Profiles, and Policies.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
Week 5-1 Week 5: System Hacking Administrator Password Guessing.

Week 5-1 Week 5: System Hacking Administrator Password Guessing.
Hacking Web Server Defiana Arnaldy, M.Si 0818 0296 4763.

Hacking Web Server Defiana Arnaldy, M.Si
7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.

7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.
Module 8: Implementing Administrative Templates and Audit Policy.

Module 8: Implementing Administrative Templates and Audit Policy.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.

Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.
Hacking Windows 2K, XP. Windows 2K, XP Review: NetBIOS name resolution. SMB - Shared Message Block - uses TCP port 139, and NBT - NetBIOS over TCP/IP.

Hacking Windows 2K, XP. Windows 2K, XP Review: NetBIOS name resolution. SMB - Shared Message Block - uses TCP port 139, and NBT - NetBIOS over TCP/IP.
MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.

MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.
70-270: MCSE Guide to Microsoft Windows XP Professional Chapter 5: Users, Groups, Profiles, and Policies.

70-270: MCSE Guide to Microsoft Windows XP Professional Chapter 5: Users, Groups, Profiles, and Policies.
Module 9 Configuring Server Security Compliance. Module Overview Securing a Windows Infrastructure Overview of EFS Configuring an Audit Policy Overview.

Module 9 Configuring Server Security Compliance. Module Overview Securing a Windows Infrastructure Overview of EFS Configuring an Audit Policy Overview.
Chapter 4 Windows NT/2000 Overview. NT Concepts  Domains –A group of one or more NT machines that share an authentication database (SAM) –Single sign-on.

Chapter 4 Windows NT/2000 Overview. NT Concepts  Domains –A group of one or more NT machines that share an authentication database (SAM) –Single sign-on.
Windows This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen.

Windows This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen.
September 18, 2002 Introduction to Windows 2000 Server Components Ryan Larson David Greer.

September 18, 2002 Introduction to Windows 2000 Server Components Ryan Larson David Greer.
VPN AND SECURITY FLAWS Rajesh Perumal Clemson University.

VPN AND SECURITY FLAWS Rajesh Perumal Clemson University.
The Truth About Protecting Passwords COEN 150: Intro to Information Security Mary Le Carol Reiley.

The Truth About Protecting Passwords COEN 150: Intro to Information Security Mary Le Carol Reiley.

Similar presentations

Ads by Google