310 likes | 429 Views
Lesson 9 Common Windows Exploits. Overview. Top 20 Exploits Common Vulnerable Ports Detecting Events. SANS/FBI Top 20 List. Publish list of the Twenty Most Critical Internet Security Vulnerabilities www.sans.org/top20 Updated in October (or sooner if necessary)
E N D
Overview • Top 20 Exploits • Common Vulnerable Ports • Detecting Events UTSA IS 3523 ID and Incident Response
SANS/FBI Top 20 List • Publish list of the Twenty Most Critical Internet Security Vulnerabilities • www.sans.org/top20 • Updated in October (or sooner if necessary) • Thousands use this list to close up holes in their system • Most incidents traced back to Top 20 list UTSA IS 3523 ID and Incident Response
SANS/FBI Top 20 List • Based on facts, attackers • are opportunistic • take the easiest and most convenient route • exploit the best-known flaws with the most effective and widely available attack tools • count on organizations not fixing the “holes” UTSA IS 3523 ID and Incident Response
SANS/FBI Top 20 List • List broken down into two sections • Two Top Ten lists • Ten most commonly exploited vulnerable services in Windows • Ten most commonly exploited vulnerable services in Unix UTSA IS 3523 ID and Incident Response
W1: Internet Information Services (IIS) • IIS prone to vulnerabilities in three major classes • Failure to handle unanticipated requests • Buffer overflows • Sample applications • Target port: TCP Port 80 (http) UTSA IS 3523 ID and Incident Response
Failure to Handle Unanticipated Requests • IIS has a problem handling improperly formed HTTP requests • Web folder traversal (unicode) • Allows • view of the source code of scripted applications • view of files outside the Web document root • view of files Web server has been instructed not to serve • execution of arbitrary commands on the server • deletion of files, uploading of rootkits, creation of backdoors UTSA IS 3523 ID and Incident Response
Buffer Overflows • Many ISAPI and SSI extensions vulnerable to buffer overflows • .asp / .htr / .idq / printer • A carefully crafted request from a remote attacker may results in • Denial of Service • Execution of arbitrary code and/or commands in the Web server’s user context • through the IUSR_servername account (like anonymous) UTSA IS 3523 ID and Incident Response
W2: Microsoft SQL Server • Microsoft SQL Server contains several serious vulnerabilities that allow remote attackers to • obtain information • alter database content • compromise SQL servers • compromise server hosts • There’s Was an MSSQL worm released in May 2002 UTSA IS 3523 ID and Incident Response
W2: Microsoft SQL Server • Target port: TCP port 1433 • OS’s affected • Microsoft SQL Server 7.0 • Microsoft SQL Server 2000 • Microsoft SQL Server Engine 2000 UTSA IS 3523 ID and Incident Response
W2: Microsoft SQL Server • How to detect a compromise: • First thing you’ll see is the “probing” or “fishing” for information • Probes on port 1433 • Attacker is looking for those boxes that respond “positively” to a probe on port 1433 • tells them box is “listening” (or has the port open) on port 1433 UTSA IS 3523 ID and Incident Response
W3: General Windows Authentication • Accounts with No Passwords or Weak Passwords • Only protection is to have a strong password and good password habits • With advent of Windows XP consider “everyday” accounts at user privilege UTSA IS 3523 ID and Incident Response
W3: LAN Manager Authentication • Most current Windows environments have no need for LAN Manager (weak hashing) • Most use NTLM now • But Windows NT, 2000, and XP do have LM by default • LM has a very weak encryption scheme • Won’t take a hacker long to crack passwords UTSA IS 3523 ID and Incident Response
W3: Unprotected Windows Networking Shares(NetBios) • OS’s affected: • Windows 95, Windows 98, Windows NT, Windows Me, Windows 2000, and Windows XP • Main objective: • gather info about guest host names • try these guest host names with null passwords until one works • attacker will then attempt to download the entire database of userid’s and/or passwords UTSA IS 3523 ID and Incident Response
W4: Internet Explorer • Consequences can include • Disclosure of cookies • Disclosure of local files or data * • Execution of local programs * • Download and execution of arbitrary code * • Complete takeover of vulnerable system * • * Most Critical UTSA IS 3523 ID and Incident Response
W4: Internet Explorer • Default web browser installed on MS Windows platforms • All existing IE’s have critical vulnerabilities • A malicious web administrator can design web pages to exploit these vulnerabilities • Just need someone to browse the web page UTSA IS 3523 ID and Incident Response
W4: Internet Explorer • Vulnerabilities can be categorized into multiple classes • Web page spoofing • ActiveX control vulnerabilities • Active scripting vulnerabilities • MIME-type and content-type misinterpretation • Buffer overflows UTSA IS 3523 ID and Incident Response
W5: Unprotected Windows Networking Shares(NetBios) • MS Windows provides a host machine with the ability to share files or folders across a network • Underlying mechanism of this feature is the • Server Message Block (SMB) protocol, or the • Common Internet Files System (CIFS) protocol • Target Port: TCP Port 139 UTSA IS 3523 ID and Incident Response
W5: Anonymous Logon -- Null Sessions • This vulnerability is very similar to the one described before in Netbios • Attacker is looking for a host name with a null password • Attacker uses IPC$ (called IPC shares) with a double-double quote (“”) in place of a password UTSA IS 3523 ID and Incident Response
W6: Microsoft Data Access Components (MDAC)--Remote Data Services • RDS component in older versions of MDAC has flaws that allow a remote user to run commands locally with administrative privileges • This exploit is readily used to deface Web pages • Check Web Server Logs to make sure UTSA IS 3523 ID and Incident Response
W7: Windows Scripting Host (WSH) • Permits any text file with a “.vbs” extension to be executed as a Visual Basic script • A typical worm propagates by including a VBScript as the contents of another file and executes when that file is viewed or in some cases previewed UTSA IS 3523 ID and Incident Response
The Other 3 W8: Outlook and Outlook Express W9: P2P File Sharing W10: Simple Network Mgt Protocol UTSA IS 3523 ID and Incident Response
Common Vulnerable Ports • Login Services • telnet (port 23/tcp) • SSH (port 22/tcp) • FTP (port 21/tcp) • NetBIOS (port 139/tcp) • rlogin (port 512 - 514/tcp) UTSA IS 3523 ID and Incident Response
Common Vulnerable Ports • RPC and NFS • portmap/rpcbind (port 111/tcp and udp) • NFS (port 2049/tcp and udp) • lockd (port 4045/tcp and udp) • Xwindows • port 6000/tcp through 6255/tcp UTSA IS 3523 ID and Incident Response
Common Vulnerable Ports • Naming services • DNS (port 53/udp) for all machines that are not DNS servers • DNS (port 53/tcp) for zone transfer requests • LDAP (port 389/tcp and udp) UTSA IS 3523 ID and Incident Response
Common Vulnerable Ports • Mail • SMTP (port 25/tcp) for all machines that are not external mail relays • POP (port 109/tcp and port 110/tcp) • IMAP (port 143/tcp) UTSA IS 3523 ID and Incident Response
Common Vulnerable Ports • Web • HTTP (port 80/tcp) • SSL (port 443/tcp) except to external Web servers • HTTP proxies • port 8000/tcp • port 8080/tcp • port 8888/tcp UTSA IS 3523 ID and Incident Response
Common Vulnerable Ports • “Small services” • ports below 20/tcp and udp • time (port 37/tcp and udp) • Miscellaneous • TFTP (port 69/udp) • Finger (port 79/tcp) • NNTP (port 119/tcp) UTSA IS 3523 ID and Incident Response
Common Vulnerable Ports • Miscellaneous (continued) • NTP (port 123/udp) • LPD (port 515/tcp) • syslog (port 514/udp) • SNMP (port 161/tcp and udp, and port 162/tcp and udp) • BGP (port 179/tcp) • SOCKS (port 1080/tcp) UTSA IS 3523 ID and Incident Response
Common Vulnerable Ports • ICMP • block incoming “echo” requests (ping and Windows traceroute) • block outgoing “echo” replies, “time exceeded,” and “destination unreachable” • except “packet too big” messages UTSA IS 3523 ID and Incident Response
How To Detect and Investigate • http://www.sans.org/top20/tools04.pdf • Run an IDS and review logs for common signatures…especially IIS hacks • Aggressively review web server logs • Ensure FTP application logging turned on…then review FTP logs • Know your network…and know what is abnormal UTSA IS 3523 ID and Incident Response