Networking in Linux


Hacking Windows 2000
What to do first?
• Patch: of course the first thing to do is apply SP3 and the critical updates. More will come…
• Null session countermeasure: set RestrictAnonymous using the Local Security Policy applet.
• Disable NetBIOS over TCP/IP:
  - Open Network and Dial-Up Connections, select Local Area Connections, Internet Protocol (TCP/IP) Properties, Advanced, select the WINS tab and disable NetBIOS over TCP/IP. This disables connection to port 139.
  - Again in Network and Dial-Up Connections, select Advanced from the toolbar, Advanced Settings and de-select File and Printer Sharing as shown here. This disables connection to ports 139 and 445.
• Close ports: TCP 389 - LDAP and 3268 - Global Catalog (Active Directory) at the firewall. See table 6.1 for 2k ports. Terminal Server

Zone transfers, SNMP, etc (3)
• Check that NetBIOS enumeration is closed: use nat xxx.xxx.xxx.xxx.
• Change the SNMP community name from public to a private community name to prevent SNMP enumeration.
• Block Win 2000 DNS zone transfers (AD and DNS): in Computer Mgmt, Services and Applications, DNS, allow them only for specified servers, not for all as is the default (WS not vulnerable).
• Check security settings on the Domain Controller ports 389 and 3268 (Active Directory). Filter these ports at the network border router (firewall). Remove the Everyone group from access.
• Lock BIOS setup, boot from HD only, otherwise
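
As an added example (not part of the original slides), this Python script checks `netstat -an` output from a hardened host against the ports named above: 139 and 445 should no longer be listening after the NetBIOS and File and Printer Sharing changes, while 389 and 3268 are expected on a domain controller and need the border filter instead. The sample output, its addresses and the function names are constructed for illustration.

```python
import re

# Checklist ports from the slides and where each one is meant to be stopped.
HOST_CLOSED = {139: "NetBIOS session", 445: "SMB over TCP"}   # closed on the host
BORDER_FILTERED = {389: "LDAP", 3268: "Global Catalog"}       # filtered at the firewall

# Constructed `netstat -an` sample (documentation addresses, not real hosts).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1389        198.51.100.7:80        ESTABLISHED
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""

# Only TCP sockets in LISTENING state count; the port is the text after the last colon.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")

def listening_tcp(netstat_text):
    """Return (address, port) pairs for listening TCP sockets, sorted by port."""
    found = set()
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.add((m.group(1), int(m.group(2))))
    return sorted(found, key=lambda pair: (pair[1], pair[0]))

def audit(netstat_text):
    """Return (port, address, action) for every checklist port still listening."""
    findings = []
    for addr, port in listening_tcp(netstat_text):
        if port in HOST_CLOSED:
            findings.append((port, addr, "still listening: close on host"))
        elif port in BORDER_FILTERED:
            findings.append((port, addr, "expected on a DC: confirm border filter"))
    return findings

if __name__ == "__main__":
    for port, addr, action in audit(SAMPLE_NETSTAT):
        print(f"tcp/{port:<5} {addr:<15} {action}")
```

A listener on 139 or 445 after the changes means a binding was missed on some interface; a clean local result still needs the check from outside the firewall for 389 and 3268.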
What else?
• Set IPSec filters: block ping, host-based port filtering. You can use the command prompt (Ipsecpol.exe, see book for examples) or graphical dialogs from the Local Security Policy applet.
• Passfilt: enable Passfilt to strengthen passwords as shown in this image.
• Kerberos V5: only Win2K machines have it; it downgrades to NT and LAN Manager authentication if Win 9x/NT are involved.
• DoS: only the gateway/firewall can actually prevent it, but Win2k provides registry keys you can tinker with when under attack (to help, not solve the problem).
• AD vs SAM: AD in domain controllers, SAM in WS and ordinary servers, with the same NT vulnerabilities, but uses SYSKEY by default. See this article on how SYSKEY can be bypassed (use NTFSDOS) and hashes added to the SAM.
• EFS attack: deleting the SAM blanks the Administrator password!!! Set BIOS password and C: drive boot only. This allows one to log in as Administrator (the recovery agent) and decrypt the