
Windows Security Analysis Computer Science E-Commerce Security ‘2004’



  1. Windows Security Analysis Computer Science E-Commerce Security ‘2004’ Matthew Cook http://escarpment.net/

  2. Introduction Senior IT Security Specialist Loughborough University http://www.lboro.ac.uk/computing/

  3. Windows Security Analysis • Introduction • Step-by-step Machine Compromise • Preventing Attack • Incident Response • Further Reading

  4. Introduction Basic Security Overview

  5. Physical Security • Secure Location • BIOS restrictions • Password Protection • Boot Devices • Case Locks • Case Panels

  6. Security Threats • Denial of Service • Theft of information • Modification • Fabrication (Spoofing or Masquerading)

  7. Security Threats… Why a compromise can occur: • Physical Security Holes • Software Security Holes • Incompatible Usage Security Holes • Social Engineering • Complacency

  8. The Easiest Security Improvement • Good passwords • Usernames and Passwords are the primary security defence • Use a password that is easy to type to avoid ‘Shoulder Surfers’ • Use the first letters from song titles, song lyrics or film quotations

  9. Step-by-step Machine Compromise Why, where, how?

  10. Background Reasons for Attack: • Personal Issues • Political Statement • Financial Gain (Theft of money, information) • Learning Experience • DoS (Denial of Service) • Support for Illegal Activity

  11. Gathering Information • Companies House • Internet Search URL: http://www.google.co.uk • Whois URL: http://www.netsol.com/cgi-bin/whois/whois • A Whois query can provide: • The Registrant • The Domain Names Registered • The Administrative, Technical and Billing Contact • Record updated and created date stamps • DNS Servers for the Domain

  12. Gathering Information… • Use Nslookup or dig • dig @<dns server> <machine address> • Different query types available: • A – Network address • Any – All or Any Information available • Mx – Mail exchange records • Soa – Start of Authority (zone) • Hinfo – Host information • Axfr – Zone Transfer • Txt – Additional strings

  13. Identifying System Weakness Many products available: • Nmap • Nessus • Pwdump • L0pht Crack • Null Authentication

  14. Nmap • Port Scanning Tool • Stealth scanning, OS Fingerprinting • Open Source • Runs under Unix based OS • Port under development for Win32 • URL: http://www.insecure.org/nmap/

  15. Nmap

  16. Nessus • Remote security scanner • Very comprehensive • Frequently updated modules • Testing of DoS attacks • Open Source • Win32 and Java Client • URL: http://nessus.org/

  17. pwdump • Version 3 (e = encrypted) • Developed by Phil Staubs and Erik Hjelmstad • Based on pwdump and pwdump2 • URL: http://www.ebiz-tech.com/html/pwdump.html • Needs Administrative Privileges • Extracts hashes even if syskey is installed • Extracts from remote machines • Identifies accounts with no password • Self-contained utility

  18. L0pht Crack • Password Auditing and Recovery • Crack Passwords from many sources • Registration $249 • URL: http://www.atstake.com/research/lc3/

  19. L0pht Crack Crack Passwords from: • Local Machine • Remote Machine • SAM File • SMB Sniffer • PWDump file

  20. Nmap Analysis • nmap -sP 158.125.0.0/16 • Ping scan! • nmap -sS 158.125.0.0/16 • Stealth scan

  21. Nmap Analysis… • TCP Connect Scan • Completes a ‘Three Way Handshake’ • Very noisy (Detection by IDS)

  22. Nmap Analysis… • TCP SYN Scan • Half open scanning (Full port TCP connection not made) • Less noisy than the TCP Connect Scan

  23. Nmap Analysis… • TCP FIN Scan • FIN Packet sent to target port • RST returned for all closed ports • Mostly works on UNIX-based TCP/IP stacks • TCP Xmas Tree Scan • Sends a packet with FIN, URG and PUSH set • RST returned for all closed ports • TCP Null Scan • Turns off all flags • RST returned for all closed ports • UDP Scan • UDP Packet sent to target port • “ICMP Port Unreachable” returned for closed ports

  24. Null Authentication Null Authentication: • Net use \\camford\IPC$ “” /u:“” • Famous tools like ‘Red Button’ • Net view \\camford • List of Users, groups and shares • Last logged on date • Last password change • Much more…

  25. Exploiting the Security Hole • Using IIS Unicode/Directory Traversal • /scripts/../../winnt/system32/cmd.exe /c+dir • /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir • Displays the listing of c: in browser • Copy cmd.exe to /scripts/root.exe • Echo upload.asp • GET /scripts/root.exe /c+echo+[blah]>upload.asp • Upload cmdasp.asp using upload.asp • Still vulnerable on 24% of E-Commerce servers
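Slide 25's Unicode traversal requests and the IIS logs mentioned on slide 29 are the detection angle a defender wants: the overlong UTF-8 sequence (%c0%af for '/') slips past a check done on the raw string, so detection has to decode first and only then test whether the path climbs above the web root. The following is an added example, not part of the presentation; the log lines are constructed in a W3C-style subset (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status) and the IP addresses are made up.

```python
from urllib.parse import unquote_to_bytes

# Overlong UTF-8 encodings the vulnerable IIS decoder turned into separators
# only after its traversal check had run: %c0%af -> '/' and %c1%9c -> '\'.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}

# Constructed sample log (not real traffic); mirrors the requests on slide 25.
SAMPLE_LOG = """\
2004-03-01 10:00:01 10.0.0.5 GET /index.html - 200
2004-03-01 10:00:07 10.0.0.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2004-03-01 10:00:09 10.0.0.9 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404
2004-03-01 10:00:12 10.0.0.7 GET /scripts/root.exe /c+echo+test>upload.asp 200
2004-03-01 10:00:15 10.0.0.5 GET /images/logo.gif - 200
"""


def decode_path(raw: str) -> str:
    """Percent-decode, map overlong sequences to the separators IIS saw, unify slashes."""
    data = unquote_to_bytes(raw)
    for seq, plain in OVERLONG.items():
        data = data.replace(seq, plain)
    return data.decode("latin-1").replace("\\", "/")


def escapes_webroot(raw_path: str) -> bool:
    """True only if '..' segments climb above the virtual root after decoding;
    '/scripts/../index.html' stays inside the root and is not flagged."""
    depth = 0
    for seg in decode_path(raw_path).split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def analyze_log(text: str) -> list:
    """Return (client_ip, uri_stem, reasons) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue
        ip, stem, query = fields[2], fields[4], fields[5]
        reasons = []
        if escapes_webroot(stem):
            reasons.append("directory traversal")
        if any(f"%{s[0]:02x}%{s[1]:02x}" in stem.lower() for s in OVERLONG):
            reasons.append("overlong UTF-8 encoding")
        if query.lower().startswith("/c+"):  # cmd.exe command switch passed as query
            reasons.append("cmd.exe command switch in query")
        if reasons:
            hits.append((ip, stem, reasons))
    return hits
```

Run against the sample, three of the five lines are reported; the 404 on the plain `../../` form shows why matching only the raw string is not enough, since the %c0%af variant that succeeded looks different until decoded.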

  26. Gaining ‘Root’ • Cmdasp.asp provides a cmd shell in the SYSTEM context • Increase in privileges is now simple • ISAPI.dll – RevertToSelf (Horovitz) • Version 2 coded by Foundstone • http://camford/scripts/idq.dll? • Patch Bulletin: MS01-26 • NOT included in Windows 2000 SP2

  27. Backdoor Access • Create several user accounts • Net user iisservice <pass> /ADD • Net localgroup administrators iisservice /ADD • Add root shells on high end ports • Tiri is 3Kb in size • Add backdoors to ‘Run’ registry keys

  28. System Alteration • Web page alteration • Information Theft • Enable services • Add VNC • Creating a Warez Server • Net start msftpsvc • Check access • Upload file 1Mb in size • Advertise as a warez server

  29. Audit Trail Removal • Many machines have auditing disabled • Main problems are IIS logs • DoS IIS before logs sync to disc • Erase logs from hard disc • Erasing Eventlog harder • IDS Systems • Network Monitoring at firewall

  30. Preventing Attack How to stop the attack from happening and how to limit the damage from crackers!

  31. NetBIOS/SMB Services • NetBIOS Browsing Request [UDP 137] • NetBIOS Browsing Response [UDP 138] • NetBIOS Communications [TCP 135] • CIFS [TCP 139, 445 UDP 445] • Port 445 Windows 2000 only • Block ports at firewall • Netstat -A

  32. NetBIOS/SMB Services… To disable NetBIOS • Select ‘Disable NetBIOS’ in the WINS tab of advanced TCP/IP properties. • Deselect ‘File and Print sharing’ in the advanced settings of the ‘Network and Dial-up connections’ window

  33. NetBIOS/SMB Services… Disable Null Authentication • HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous • REG_DWORD set to 0, 1 or 2! • HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\RestrictAnonymous • REG_DWORD set to 0 or 1

  34. Operating System Patching • Operating Systems do contain bugs, and patches are a common method of distributing these fixes. • A patch or hot fix usually contains a fix for one discovered bug. • Service packs contain multiple patches or hotfixes.

  35. Operating System Patching… • Only install patches after you have tested them in a development environment. • Only install patches obtained directly from the vendor. • Install security patches as soon as possible after release. • Install feature patches as and when needed. • Automate patch collection and installation as much as possible (QChain).

  36. Operating System Patching… Use automated patching technology: • SUS – Microsoft Software Update Service • SMS – Microsoft Systems Management Server • Ghost – Symantec imaging software. And other application deployment software: • Lights out Distribution • Deferred installation

  37. IPSec • IP security • Linux Connectivity using FreeS/WAN • Mainly for wireless use • WEP encryption cracked • URL: http://www.freeswan.org/ • URL: http://airsnort.sourceforge.net/

  38. Well Known Worms • Nimda: Directory Traversal (Unicode Exploit) • Slammer: MS SQL Server transaction control • Blaster: MS Port 135 DCOM vulnerabilities • Sasser: MS Port 445 vulnerabilities

  39. Incident Response What to do when something does go wrong!

  40. Incident Response… • Don’t Panic! • Unplug the network • Get a notebook • Back-up the system and keep the Back-ups • Restrict use of email • Look for information • Investigate the cause • Request help and assistance.

  41. Incident Response… • Important to return to service swiftly • Do not jeopardize security • If in doubt, re-build • Perform forensics on a backup • Keep documentation and evidence • Contact local CERT if investigation proves non-worm/script-kiddie activity.

  42. Further Reading • Garfinkel, S. Web Security & Commerce. O’Reilly [ISBN 1-56592-269-7] • Hassler, V. Security Fundamentals for E-Commerce. Artech House [ISBN 1-58053-108-3] • Huth, M R A. Secure Communicating Systems. Cambridge University Press [ISBN 0-52180-731-X] • Schneier, B. Secrets & Lies (Digital Security in a Networked World) [ISBN 0-47125-311-1]

  43. Useful Books, Tools and URLs • Securing Windows NT/2000 Servers for the Internet. (Stefan Norberg.) • Incident Response. (Kenneth R. van Wyk, Richard Forno.) • Hacking Exposed: Network Security Secrets & Solutions. (Stuart McClure et al) • Hacking Exposed Windows 2000: Network Security Secrets and Solutions. (Scambray.)

  44. Useful Books, Tools and URLs • Microsoft Security Website http://www.microsoft.com/security/ • Computer Security Incident Response Team http://www.cert.org/csirts/csirt_faq.html • JANET CERT http://www.ja.net/cert/ • Bugtraq Mailing List http://online.securityfocus.com/

  45. Questions Slides available at: http://escarpment.net/
