
Hacking Windows 2K, XP. Windows 2K, XP Review: NetBIOS name resolution. SMB - Shared Message Block - uses TCP port 139, and NBT - NetBIOS over TCP/IP.


1 Hacking Windows 2K, XP

2 Windows 2K, XP Review

NetBIOS name resolution. SMB (Server Message Block) runs over NBT (NetBIOS over TCP/IP) on TCP port 139; the NetBIOS name service uses UDP port 137. Windows 2000 and XP also carry SMB directly over TCP port 445, which gives a quick fingerprint: if only port 139 answers, the host is probably Win 9x; if port 445 answers, it is Win 2K/XP. See also the paper on CIFS (Common Internet File System) and SMB vulnerabilities. Close these ports at the perimeter!

2K/XP basic security: network logon (Net Logon); no way for applications to bypass the BIOS/HAL and touch hardware directly; no remote access to the console by default; interactive logon on Server requires administrator (or operator) privileges; and an object-based security model, where a security object can be any resource in the system (files, devices, processes, users, etc.) and server processes impersonate the client's security context (key for file servers). Win 2K/XP are Windows NT updated, with more security tools and patches.

The attack stages covered in the following slides: quest for Administrator, privilege escalation, consolidation of power, and covering tracks.

3 Quest for Administrator

- Remote password guessing: net use against a share can be scripted. NAT (the NetBIOS Auditing Tool) guesses passwords from user and password lists; Brutus is similar.
- Countermeasures: close the ports. On 2K/XP, disable NetBIOS over TCP/IP to close 139 and unbind File and Printer Sharing to close 445. Use Account Policies to set password length, lockout, expiration, etc. Passfilt enforces stronger passwords on NT; on 2K/XP just enable the password complexity requirement. Use Passprop (/adminlockout) so that the Administrator account can be locked out from the network. Turn on auditing of logon events. Read the notes on good and bad passwords and on how to reduce other password vulnerabilities.
- Note: KaHt2.exe exploits the MSRPC (DCOM) vulnerability. Use it at your own risk, since some circulating copies are a disguised Trojan.
- Eavesdropping on the network password exchange and obtaining password hashes: see the Sniff tools and NT user authentication. If possible, disable LanMan authentication and LM hash storage (Q299656); Win 9x clients still need LanMan, so this may break them.
- Buffer overflows: local (interactively logged-on users), LSASS, and remote via Web, FTP, database servers and many others. BOWall can detect or block some of them.
- Basic countermeasure: download and run the Microsoft Baseline Security Analyzer (MBSA) to check for configuration and patch vulnerabilities.
- Use runas.exe to run administrative jobs from regular accounts.
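The "use Audit" countermeasure only helps if somebody reads the Security log. The following script is an added example (not from the presentation) of the detection side of remote password guessing: it scans logon-failure events and flags an account/workstation pair that fails too often in a short window, and notes whether a success followed. It assumes the log has already been exported to a simple "timestamp|event_id|user|workstation" text layout, which is constructed for this example and is not the real .evt format; the event IDs are the real NT/2000/XP Security log IDs.

```python
"""Spot remote password guessing in an NT/2000/XP Security log.

Added example; not from the presentation. It assumes the log has already been
exported to text as "timestamp|event_id|user|workstation" (a constructed
layout, not the real .evt format). Event IDs are the real pre-Vista Security
log IDs: 529 = logon failure, unknown user name or bad password;
539 = logon failure, account locked out; 528 = successful logon.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one guessing run against Administrator that finally
# succeeds, plus an ordinary user mistyping a password twice, an hour apart.
SAMPLE_LOG = """\
2003-05-12 10:00:01|529|Administrator|ATTACKER
2003-05-12 10:00:02|529|Administrator|ATTACKER
2003-05-12 10:00:02|529|Administrator|ATTACKER
2003-05-12 10:00:03|529|Administrator|ATTACKER
2003-05-12 10:00:03|529|Administrator|ATTACKER
2003-05-12 10:00:04|529|Administrator|ATTACKER
2003-05-12 10:00:05|528|Administrator|ATTACKER
2003-05-12 10:15:00|529|jsmith|WKS17
2003-05-12 11:40:00|529|jsmith|WKS17
2003-05-12 11:40:30|528|jsmith|WKS17
"""

FAILURE_IDS = {529, 539}
SUCCESS_ID = 528


def parse_events(text):
    """Return a list of (timestamp, event_id, user, workstation) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, host = line.split("|")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       int(eid), user, host))
    return events


def find_guessing(events, threshold=5, window=timedelta(minutes=2)):
    """Flag (user, workstation) pairs with >= threshold failures inside window.

    The result maps each flagged pair to the time of the first failure, the
    largest failure count seen in any window, and the time of the first
    successful logon after the alert (None if the guessing never got in).
    """
    recent = defaultdict(deque)  # (user, host) -> timestamps of recent failures
    alerts = {}
    for ts, eid, user, host in sorted(events):
        key = (user, host)
        if eid in FAILURE_IDS:
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                entry = alerts.setdefault(
                    key, {"first": q[0], "failures": 0, "success": None})
                entry["failures"] = max(entry["failures"], len(q))
        elif eid == SUCCESS_ID and key in alerts and alerts[key]["success"] is None:
            alerts[key]["success"] = ts  # the guessed password worked
    return alerts


if __name__ == "__main__":
    for (user, host), info in find_guessing(parse_events(SAMPLE_LOG)).items():
        print(f"{user} from {host}: {info['failures']} failures since "
              f"{info['first']:%H:%M:%S}, success at {info['success']}")
```

Tune threshold and window to the lockout policy: a guessing tool that stays just under the lockout threshold is exactly what the per-workstation count above still catches, and a success right after a burst of 529s is the event worth paging on.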

4 Privilege Escalation

- Gathering information: logged on as a user (not admin), use find, look through directories, look for copies of the SAM, and run enumeration tools. Basic countermeasure: set file and directory permissions properly, and set a BIOS password!
- Adding yourself to the Administrators group: getadmin and sechole. Apply the service packs and restrict the FTP server to its script directories. Also watch for rogue DLLs planted where a privileged process will load them.
- Spoofing LPC port requests: uses the LPC ports API to add an account to the Administrators group. Again, apply the corresponding patch.
- Obtaining SYSTEM account privileges: at 10:00 /INTERACTIVE cmd.exe (the Schedule service runs the job as SYSTEM and shows the shell on the desktop).
- Trojans. Basic rule: do not use a server as a workstation (no e-mail, no outside browsing), and back up! See the Symantec Trojan, worm and virus list, or the list of Trojans by port.
- Registry: very few keys are writable by Everyone. Probably the lowest threat; the Policy Editor can hide or deny access, but an administrator can always get in.
- Kerberos V5: only 2K/XP machines have it, and authentication downgrades to NTLM and LAN Manager if Win 9x/NT machines are involved.
- EFS attack: deleting the SAM blanks the Administrator password, and on a stand-alone Win 2K machine the local Administrator is the default recovery agent, so the attacker logs in as Administrator and decrypts the files (just open them and save them in a regular folder). Set a BIOS password and allow booting from the C: drive only. It is also possible to back up the recovery keys and remove them from the machine.

5 Consolidation of Power

Assumes that administrator-level access has already been obtained.

- Cracking the SAM: from local admin to domain admin and to other users' accounts. See "look for SAM" and disable LanMan authentication. Apply service packs!
- Cracking 2K/XP passwords: see the introduction/FAQ. L0phtcrack is the key tool: graphical, well documented, and since acquired by Symantec.
- Countermeasures: choose strong passwords: no dictionary words, no facts or names from your youth; mix alphabetic, numeric and special characters. If LanMan hashes cannot be disabled, use seven characters or, better, fourteen: the LM hash is computed over two independent 7-character halves, so a password of 8 to 13 characters leaves a short second half that is cracked almost instantly. Win 2K/XP encrypt the SAM with SYSKEY, but Pwdump2 circumvents SYSKEY and dumps the hashes from the SAM and from Active Directory.
- Duplicate credentials: domain user credentials cached locally (same user, domain account), and a local Administrator with the same password as in the domain.
- LSA Secrets: include plaintext service account passwords, cached domain credentials (the last 10 logons), plaintext FTP and web user passwords, etc. lsadump2 extracts them: a hack, or information available by design?
- Keystroke loggers: record every keystroke to a (hidden) file. ActMon and SurfControl are tools that capture keystrokes and more.
- Sniffers: see Sniff tools, and also BUTTsniffer and dsniff (Win32 version).

6 Covering Tracks

- Disabling auditing: use Auditpol.
- Clearing the Event Log: use elsave.
- Hiding files: attrib, and NTFS alternate data streams (file streaming). Use LNS to search for files hidden in streams.

Consolidation of power, continued:

- Remote control: remote control applications (pcAnywhere, VNC, Win XP Remote Desktop, etc.) are useful, but a major security risk even when configured properly.
- Rootkits: patching the OS kernel with rogue code, assuming control of the OS. See the Rootkit page and a later class meeting.
- Port redirection: redirect from one IP address and port to another IP address and port at the gateway/firewall. See rinetd and fpipe.
- Check the security settings on the Domain Controller ports 389 (LDAP) and 3268 (Global Catalog) used by Active Directory. Filter these ports at the network border router/firewall. Remove the Everyone group from access.
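To make the port redirection item concrete, here is an added example (not from the presentation, and not the code of fpipe or rinetd) of the technique those tools implement: a listener that forwards every accepted TCP connection to another address and copies bytes in both directions. A firewall that permits only the listening port will happily pass traffic for whatever the target really is. The demo() function runs a throwaway echo server on loopback as a stand-in for the real target service, and its payload is constructed.

```python
"""Tiny TCP port redirector in the spirit of fpipe and rinetd.

Added example; not from the presentation and not either tool's code. Each
connection accepted on the listening port is bridged to the target address,
with one copy thread per direction and a half-close (SHUT_WR) when one side
hits EOF so the other side sees a clean end of stream. demo() uses a local
echo server as the stand-in target and a constructed payload.
"""
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(client, target):
    """Bridge one accepted connection to target=(host, port)."""
    try:
        upstream = socket.create_connection(target, timeout=10)
    except OSError:
        client.close()
        return
    pumps = [threading.Thread(target=_pump, args=(client, upstream), daemon=True),
             threading.Thread(target=_pump, args=(upstream, client), daemon=True)]
    for t in pumps:
        t.start()
    for t in pumps:
        t.join()
    client.close()
    upstream.close()


def _serve(srv, on_accept):
    """Accept loop for a background thread; ends when srv is closed."""
    while True:
        try:
            conn, _ = srv.accept()
        except OSError:
            return
        threading.Thread(target=on_accept, args=(conn,), daemon=True).start()


def _listen(host, port):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv


def start_redirector(listen_port, target, listen_host="127.0.0.1"):
    """Listen on listen_host:listen_port (0 = any free port) and forward to target."""
    srv = _listen(listen_host, listen_port)
    threading.Thread(target=_serve, args=(srv, lambda c: _handle(c, target)),
                     daemon=True).start()
    return srv  # srv.getsockname() gives the bound address


def _echo(conn):
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            conn.sendall(data)


def start_echo_server():
    """Stand-in for the real target service (an SMB server in the attack)."""
    srv = _listen("127.0.0.1", 0)
    threading.Thread(target=_serve, args=(srv, _echo), daemon=True).start()
    return srv


def demo(payload=b"constructed payload through the redirector"):
    """Send payload through redirector -> echo server; return what comes back."""
    echo = start_echo_server()
    redir = start_redirector(0, echo.getsockname())
    with socket.create_connection(redir.getsockname(), timeout=10) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)  # done sending; now drain the echoed bytes
        chunks = []
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    echo.close()
    redir.close()
    return b"".join(chunks)


if __name__ == "__main__":
    print(demo())
```

The defensive consequence is the one the slide draws: port-based filtering alone tells you nothing about what is behind a port, so watch for unexpected listeners on compromised or DMZ hosts and for long-lived connections from the gateway to internal ports such as 445, 389 and 3268.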

