Networking in Linux
Hacking Windows 2000
What to do first?
Patch: of course the first thing to do is apply SP3 and the critical updates. More will come…
Null session countermeasure: set RestrictAnonymous using the Local Security Policy applet (Security Options, "Additional restrictions for anonymous connections"; the value is stored under HKLM\SYSTEM\CurrentControlSet\Control\Lsa). Level 2, "No access without explicit anonymous permissions", is what actually stops enumeration, but it can break network browsing and down-level trusts, so test it before rolling it out.
Disable NetBIOS over TCP/IP: open Network and Dial-Up Connections, select Local Area Connection, Internet Protocol (TCP/IP) Properties, Advanced, select the WINS tab and disable NetBIOS over TCP/IP. This stops the NetBIOS session service from listening on TCP 139 (on Win2K SMB still listens on TCP 445).
Disable File and Printer Sharing: again in Network and Dial-Up Connections, select Advanced from the menu bar, Advanced Settings, and de-select File and Printer Sharing for Microsoft Networks as shown here. This disables connections to both port 139 and port 445.
Close ports: filter TCP 389 (LDAP) and TCP 3268 (Global Catalog, Active Directory) at the firewall. See table 6.1 for the Win2K ports. Also block Terminal Server (TCP 3389), DNS zone transfers (TCP 53), SNMP (UDP 161), etc.
Check that NetBIOS enumeration is closed: run nat (the NetBIOS Auditing Tool) against the host, nat xxx.xxx.xxx.xxx, and confirm it can no longer open a null session or list shares and users.
Change the SNMP community name from the default public to something hard to guess (not private, which is just as well known), and restrict the hosts the SNMP service accepts packets from, to prevent SNMP enumeration. If SNMP is not needed, do not install the service at all.
Block Win2K DNS zone transfers (AD and DNS server): in Computer Management, Services and Applications, DNS, open the zone's Properties, Zone Transfers tab, and allow transfers only to specified servers instead of to any server, which is the default (workstations are not vulnerable: they do not run the DNS server).
Check the security settings on domain-controller ports 389 and 3268 (Active Directory) and filter these ports at the network border router (firewall). Remove the Everyone group from access (on a Win2K DC, Everyone's membership of the Pre-Windows 2000 Compatible Access group is what lets anonymous LDAP enumeration succeed).
Lock BIOS setup, boot from HD only, otherwise
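The steps above are all applied on the Windows host or at the border, so the practitioner's next question is how to confirm from another machine that they took effect. The script below is an added example (it is not from the original slides or from the book): it probes the ports the slides say to close and sends a real AXFR request to the DNS server to see whether zone transfers are still answered. The port list, the zone name example.com and the loopback stub that plays a refusing or permissive DNS server are assumptions, constructed here so the checks can be exercised offline.

```python
import socket
import struct
import threading

# TCP ports the slides say to close or filter at the border (assumed list).
HARDENING_PORTS = {
    139: "NetBIOS session service",
    445: "SMB over TCP (File and Printer Sharing)",
    389: "LDAP (Active Directory)",
    3268: "Global Catalog (Active Directory)",
    53: "DNS (zone transfers run over TCP)",
}
QTYPE_AXFR, QCLASS_IN = 252, 1


def tcp_port_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds (the port is still reachable)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposed_ports(host, ports=HARDENING_PORTS, timeout=2.0):
    """{port: description} for every port still reachable; empty means hardened."""
    return {p: d for p, d in ports.items() if tcp_port_open(host, p, timeout)}


def encode_name(name):
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """AXFR question for zone, with the 2-byte length prefix DNS over TCP requires."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # QDCOUNT=1, no flags
    question = encode_name(zone) + struct.pack(">HH", QTYPE_AXFR, QCLASS_IN)
    msg = header + question
    return struct.pack(">H", len(msg)) + msg


def parse_reply_header(msg):
    """(rcode, ancount) from a DNS reply with its TCP length prefix removed."""
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    return flags & 0x000F, ancount


def recv_exact(sock, n):
    """Read exactly n bytes or raise; TCP may split the DNS message."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection early")
        buf += chunk
    return buf


def zone_transfer_allowed(host, zone, port=53, timeout=5.0):
    """True if the server answers the AXFR with records (RCODE 0, ANCOUNT > 0).
    A Win2K DNS server restricted to listed servers answers REFUSED (RCODE 5)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_axfr_query(zone))
        (length,) = struct.unpack(">H", recv_exact(s, 2))
        rcode, ancount = parse_reply_header(recv_exact(s, length))
    return rcode == 0 and ancount > 0


# Constructed replies (header only, enough for the checks above) and a loopback
# stub, so the script can be exercised without a Windows 2000 host on the network.
REPLY_REFUSED = struct.pack(">HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0)  # QR=1, RCODE=5
REPLY_ALLOWED = struct.pack(">HHHHHH", 0x1234, 0x8400, 1, 3, 0, 0)  # QR+AA, 3 answers


def loopback_dns_stub(reply):
    """Start a stub DNS-over-TCP server on 127.0.0.1 (daemon thread) that sends
    `reply` to every client; returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    (length,) = struct.unpack(">H", recv_exact(conn, 2))
                    recv_exact(conn, length)  # read and ignore the question
                    conn.sendall(struct.pack(">H", len(reply)) + reply)
                except OSError:  # a bare port probe connects and sends nothing
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_loopback_port():
    """An ephemeral 127.0.0.1 port nothing listens on (bound, then released)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port
```

Against a real target you would call exposed_ports("192.0.2.10") and zone_transfer_allowed("192.0.2.10", "corp.example") from a machine outside the filtered segment; anything the first call returns, or True from the second, means the corresponding step above has not taken effect. The AXFR check only looks at the reply header (RCODE and answer count), which is all that is needed to tell a refusal from a transfer.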
What else?
Set up IPSec: block ping and use IPSec filters for host-based port filtering. You can use the command line (Ipsecpol.exe from the Win2K Resource Kit; see the book for examples) or the graphical dialogs of the Local Security Policy applet. Caveat: Win2K IPSec filters exempt Kerberos, IKE (UDP 500), RSVP and broadcast/multicast traffic by default; set NoDefaultExempt to 1 under HKLM\SYSTEM\CurrentControlSet\Services\IPSEC if that traffic must be filtered as well.
Passfilt: enable Passfilt to enforce strong passwords, as shown in this image (on Win2K the same check is the "Password must meet complexity requirements" setting under Account Policies, Password Policy).
Kerberos V5: only Win2K machines use it; authentication falls back to NTLM and LAN Manager whenever Win 9x/NT machines are involved, so on a mixed network the weaker challenge/response exchanges remain in use.
DoS: only a gateway/firewall can actually prevent it, but Win2K provides TCP/IP registry keys (e.g. SynAttackProtect under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters) you can tune while under attack; they help, they do not solve the problem.
AD vs SAM: the AD database lives on domain controllers, the SAM on workstations and ordinary servers, with the same NT vulnerabilities, but Win2K uses SYSKEY by default to encrypt the stored hashes. See this article on how SYSKEY can be bypassed by someone with physical access (boot NTFSDOS and write to the SAM) and hashes of the attacker's choice added to the SAM.
EFS attack: deleting the SAM blanks the Administrator password!!! (Countermeasure: set a BIOS password and allow booting from the C: drive only.) On a standalone machine this lets whoever has physical access log in as Administrator (the default EFS recovery agent) and decrypt the