Remote Control and Advanced Techniques Lesson 17
Remote Control Software
• With global corporations, the support personnel who can deal with computer problems may not always be on-site. They may use remote control software so that they can provide support and maintenance from a central location.
• The problem is that the same software that serves useful purposes can be exploited by attackers, especially if it is misconfigured, to gain remote access to and control of computers and networks.
• Some newer trojans are designed to perform the same sort of functions as legitimate remote control software.
Ports for some Remote Control Software

Software                        TCP                         UDP
Citrix ICA                      1494                        1494
pcAnywhere                      22, 5631, 65301             22, 5632
ReachOut                        43188                       None
Remotely Anywhere               2000, 2001                  None
Remotely Possible / ControlIT   799, 800                    800
Timbuktu                        407                         407
VNC                             5800, 5801…; 5900, 5901…    None
Windows Terminal Server         3389                        None
Radmin                          4899                        None
Discovering RC Software
• If an attacker finds one of these ports answering, they will try to exploit it.
• After a default installation, many of these applications leave themselves open to accept connections from anywhere, possibly even without a username or password.
• The easiest way to test for these is simply to attempt to connect to one of these ports.
• Enumeration techniques can yield possible user IDs from which passwords can then be guessed.
Some sensible countermeasures
• Enable passwords on your system
  • Too often this is left off, especially for dial-up access, where folks think “nobody knows about it, they would have to know the phone number.”
• Enforce strong passwords
  • If you’re going to use them, you might as well make them strong.
• Force alternate authentication
  • You don’t have to rely on the OS alone; you can use the additional authentication some packages provide.
• Encrypt session traffic
• Limit login attempts
• Log failed attempts
• Lock out failed users
• Change the default listen port
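As an added example (not part of the lecture), the following Python login gate implements three of the countermeasures listed above in one place: it limits consecutive login attempts, logs every failure with its source, and locks the account out for a fixed window once the limit is reached. The account table, the limit of three attempts and the 15-minute lockout are constructed values chosen for illustration, not settings of any particular remote control product.

```python
"""Added example: limit, log and lock out failed logins to a remote-access service.
The policy values below are constructed for illustration."""
import hashlib
import hmac
import logging
import os
import time

logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
log = logging.getLogger("rc-auth")

MAX_FAILURES = 3        # consecutive failures before lockout (constructed policy)
LOCKOUT_SECONDS = 900   # lockout window in seconds (constructed policy)


def _hash(password: str, salt: bytes) -> bytes:
    """Derive a password hash with PBKDF2 so the stored table is not reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGate:
    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS,
                 clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock            # injectable so the lockout window can be tested
        self.users = {}               # name -> (salt, hash)
        self.failures = {}            # name -> consecutive failure count
        self.locked_until = {}        # name -> unix time at which the lock expires

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = (salt, _hash(password, salt))

    def is_locked(self, name: str) -> bool:
        return self.clock() < self.locked_until.get(name, 0)

    def attempt(self, name: str, password: str, source: str = "unknown") -> str:
        """Return 'ok', 'locked' or 'denied'. Every failure is logged with its source."""
        now = self.clock()
        if self.is_locked(name):
            log.warning("LOCKED user=%s src=%s", name, source)
            return "locked"
        rec = self.users.get(name)
        # Hash against a dummy record for unknown users so the response time
        # does not reveal which user IDs exist (enumeration resistance).
        salt, stored = rec if rec else (b"\0" * 16, b"\0" * 32)
        candidate = _hash(password, salt)
        if rec and hmac.compare_digest(candidate, stored):
            self.failures[name] = 0
            log.info("SUCCESS user=%s src=%s", name, source)
            return "ok"
        count = self.failures.get(name, 0) + 1
        self.failures[name] = count
        log.warning("FAILED user=%s src=%s attempt=%d", name, source, count)
        if count >= self.max_failures:
            self.locked_until[name] = now + self.lockout_seconds
            self.failures[name] = 0
            log.warning("LOCKOUT user=%s until=%d", name, int(now + self.lockout_seconds))
        return "denied"


if __name__ == "__main__":
    gate = LoginGate()
    gate.add_user("support", "correct horse battery staple")
    for guess in ("password", "support", "letmein"):
        print(gate.attempt("support", guess, source="10.0.0.9"))
    print(gate.attempt("support", "correct horse battery staple", source="10.0.0.9"))
```

The clock is injected so that the lockout expiry can be exercised without waiting; in production the default `time.time` is used. Note that locking by user name alone lets anyone who knows a valid name lock it out, so a real deployment pairs this with per-source limits.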
Virtual Network Computing
• Originally developed at AT&T Labs.
• Can be used with/by Windows, Linux, and Solaris platforms.
• Obtainable from http://www.realvnc.com
• Has some vulnerabilities (big surprise):
  • Brute forcing VNC passwords
    • Weak passwords are a possible problem, as always.
  • Network eavesdropping
    • By default, VNC does not use any sort of encryption after a user authenticates to the VNC server.
  • Weak WinVNC password obfuscation
    • Stores the server password in an obfuscated fashion that may allow an attacker to recover the cleartext server password.
Microsoft Terminal Server
• Terminal Server lets you deliver Windows-based applications, or the Windows desktop itself, to virtually any computing device—including those that cannot run Windows.
• When users run an application on Terminal Server, the application execution takes place on the server, and only keyboard, mouse and display information is transmitted over the network. Users see only their own individual sessions, which are managed transparently by the server operating system, and remain independent of any other client session.
• Windows 2000 Terminal Services remote administration mode is called "Remote Desktop for Administration" in Windows Server 2003, and has the ability to remote the actual console session of the server.
Terminal Server Attacks
• Locating a Terminal Server is easy: it listens on port 3389.
• Launch your own Terminal Server client, wait to be prompted for a login ID and password, then the normal password-guessing attempts apply at this point.
• ProbeTS and TSEnum are tools that cycle through an identified subnet attempting to locate Terminal Servers.
• Some other attacks are possible as well:
  • RegAPI.DLL buffer overflow
  • Weak encryption that can lead to eavesdropping
  • Some possible user privilege elevation attacks
Session Hijacking
• An attempt to “take over” an established session.
• Some tools that can aid in this endeavor:
  • Hunt: first allows you to snoop, then insert commands into the stream.
• Best countermeasure: encryption. If a person can’t view the traffic/session, it is hard to insert commands.
Back Doors
• If an intruder gets into your system, count on them attempting to install some back doors to allow them continued access, even if you find and eliminate their primary method.
• Finding and clearing these can be a laborious task.
• Some common back doors:
  • Rogue user accounts
  • Startup files – even if you clean up, these can reinstall ways in
  • Scheduled jobs – similar to startup files, these will execute in the future and will reinstall ways in
  • Remote control program installation
Back Orifice and NetBus
• These are both very similar to some of the RC software packages (and are sometimes advertised in that fashion).
• The original BO ran on Win 9x; BO2K added NT/2000.
• NetBus, similar to BO, consists of two parts: a client program ("netbus.exe") and a server program, often named "patch.exe" (or "SysEdit.exe" with version 1.5x), which is the actual backdoor. Version 1.60 uses TCP/UDP port 12345, which can't be altered. From version 1.70 and higher the port can be configured.
• BO2K also added some stealth capabilities and the ability to customize it, thus making it harder to detect.
Remote Control Backdoor Port Numbers

Backdoor             Default TCP           Default UDP   Altern. Ports
Remote.exe           135-139               135-139       No
Netcat               Any                   Any           Yes
Back Orifice         NA                    31337         Yes
Back Orifice 2000    54320                 54321         Yes
NetBus               12345                 NA            Yes
Masters Paradise     40421, 40422, 40426   NA            Yes
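The two port tables (legitimate remote control products and remote control backdoors) are most useful to a defender as an inventory check: which hosts have something listening on one of these default ports that nobody knows about? The following Python script is an added example, not part of the lecture, that matches listening sockets against both tables. The netstat-style lines are constructed sample output in the Windows `netstat -an` layout; in practice the input would be collected from each host. Because several of the tools allow alternate ports, a match on a default port is only a starting point and the absence of a match proves nothing.

```python
"""Added example: flag listening sockets that match the default ports of known
remote control products and remote control backdoors from the lecture's tables."""
import re

# (protocol, port) -> (name, kind), taken from the two tables above
KNOWN_PORTS = {
    ("tcp", 1494): ("Citrix ICA", "remote control"),
    ("udp", 1494): ("Citrix ICA", "remote control"),
    ("tcp", 5631): ("pcAnywhere", "remote control"),
    ("udp", 5632): ("pcAnywhere", "remote control"),
    ("tcp", 65301): ("pcAnywhere", "remote control"),
    ("tcp", 43188): ("ReachOut", "remote control"),
    ("tcp", 2000): ("Remotely Anywhere", "remote control"),
    ("tcp", 2001): ("Remotely Anywhere", "remote control"),
    ("tcp", 799): ("Remotely Possible / ControlIT", "remote control"),
    ("tcp", 800): ("Remotely Possible / ControlIT", "remote control"),
    ("udp", 800): ("Remotely Possible / ControlIT", "remote control"),
    ("tcp", 407): ("Timbuktu", "remote control"),
    ("udp", 407): ("Timbuktu", "remote control"),
    ("tcp", 3389): ("Windows Terminal Server", "remote control"),
    ("tcp", 4899): ("Radmin", "remote control"),
    ("udp", 31337): ("Back Orifice", "backdoor"),
    ("tcp", 54320): ("Back Orifice 2000", "backdoor"),
    ("udp", 54321): ("Back Orifice 2000", "backdoor"),
    ("tcp", 12345): ("NetBus", "backdoor"),
    ("tcp", 40421): ("Masters Paradise", "backdoor"),
    ("tcp", 40422): ("Masters Paradise", "backdoor"),
    ("tcp", 40426): ("Masters Paradise", "backdoor"),
}


def classify(proto: str, port: int):
    """Return (name, kind) for a default port, or None if it is not in the tables."""
    proto = proto.lower()
    hit = KNOWN_PORTS.get((proto, port))
    if hit:
        return hit
    # VNC listens on 5800+display and 5900+display (TCP only), so match the ranges.
    if proto == "tcp" and (5800 <= port < 5900 or 5900 <= port < 6000):
        return ("VNC", "remote control")
    # Remote.exe shares 135-139 with ordinary Windows networking, so flag it as low confidence.
    if 135 <= port <= 139:
        return ("Remote.exe (shares ports with normal Windows services)", "backdoor, low confidence")
    return None


# One socket line of "netstat -an" output: proto, local addr:port, foreign addr, optional state
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s*(\S*)", re.IGNORECASE)


def find_remote_control_ports(netstat_text: str):
    """Return a list of findings for listening TCP sockets and bound UDP sockets."""
    findings = []
    for line in netstat_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        proto, addr, port, state = m.group(1).lower(), m.group(2), int(m.group(3)), m.group(4)
        if proto == "tcp" and state.upper() != "LISTENING":
            continue  # established/outbound connections are not services
        hit = classify(proto, port)
        if hit:
            findings.append({"proto": proto, "addr": addr, "port": port,
                             "name": hit[0], "kind": hit[1],
                             "exposed": addr not in ("127.0.0.1", "::1")})
    return findings


# Constructed sample output; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5800         0.0.0.0:0              LISTENING
  TCP    10.0.0.5:445           10.0.0.9:1033          ESTABLISHED
  TCP    10.0.0.5:3389          10.0.0.9:1040          ESTABLISHED
  UDP    0.0.0.0:31337          *:*
  UDP    0.0.0.0:500            *:*
"""

if __name__ == "__main__":
    for f in find_remote_control_ports(SAMPLE_NETSTAT):
        print(f"{f['proto']}/{f['port']:<5} {f['addr']:<15} {f['name']} [{f['kind']}]"
              + ("" if f["exposed"] else " (loopback only)"))
```

The `exposed` flag separates services bound only to loopback from those reachable from the network; the former still deserve a look, since the lecture's point about default installations is that the service may accept connections without a password once reached.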
Trojans
• “A Trojan horse is a program that purports to be a useful software tool, but it actually performs unintended (and often unauthorized) actions, or installs malicious or damaging software behind the scenes when launched.”
• The key to Trojans is that you have to have somebody on the system run the Trojan in order for it to do its nefarious task.
• Two implications for us:
  • When doing an assessment, does the organization we are working with have Trojans installed? Is the environment such that it is likely they could be?
  • Can we use a Trojan to further our testing goals?
Whack-A-Mole
• An example of a program that installed the NetBus server while letting you play a game.
• Figure pg. 581, McClure et al.
Secure Shell (SSH) Attacks
• SSH is a secure protocol used in place of programs such as telnet to conduct protected remote interactive communications.
• Pretty good tool, but it is vulnerable to a couple of things:
  • Traffic analysis. A program exists that allows you to determine the length of a password or command sent.
  • Man-in-the-middle attack. Requires that you be able to replace the public key used by the host and that you are able to control DNS.
Rootkits
• Once a system has been subverted, a rootkit is often one of the first things downloaded and installed.
• Generally will include:
  • Trojanized versions of common programs
  • Back doors (as discussed previously)
  • Sniffers
  • System log cleaners
• Imaging the system (creating a mirror image of the system volumes) is also sometimes done once access is obtained.
  • Useful in circumventing security tools that rely on system states or details such as checksums.
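The Back Doors slide and the Rootkits slide describe the same defensive problem from two sides: an intruder leaves behind rogue accounts, startup entries, scheduled jobs and trojanized binaries, and the way to find them is to compare the current state against a known-good baseline. The following Python script is an added example, not part of the lecture, that takes a snapshot of those four persistence locations and reports what changed. The account, startup and job lists are passed in as constructed data (on a real host they would be read from the password database, registry Run keys, crontab or the task scheduler); the binary checksums are computed over real files created in a temporary directory. The baseline must be stored off the host and the comparison run from trusted media, since a rootkit can replace the very tools used to compute the checksums.

```python
"""Added example: baseline snapshot and diff of common back-door persistence points
(accounts, startup entries, scheduled jobs) plus SHA-256 checksums of system binaries."""
import hashlib
import os
import shutil
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(accounts, startup_entries, scheduled_jobs, binaries):
    """Build a comparable picture of the four persistence locations the lecture lists."""
    return {
        "accounts": sorted(accounts),              # user names present on the system
        "startup": dict(startup_entries),          # entry name -> command that runs at boot
        "jobs": dict(scheduled_jobs),              # job name -> command and schedule
        "binaries": {p: hash_file(p) for p in binaries},  # path -> checksum
    }


def diff_snapshots(baseline, current):
    """Return (kind, name) findings for anything added or modified since the baseline."""
    findings = []
    for user in sorted(set(current["accounts"]) - set(baseline["accounts"])):
        findings.append(("rogue account", user))
    for section in ("startup", "jobs", "binaries"):
        for name, value in current[section].items():
            if name not in baseline[section]:
                findings.append((f"new {section}", name))
            elif baseline[section][name] != value:
                findings.append((f"modified {section}", name))
    return findings


def demo():
    """Constructed scenario: take a baseline, simulate an intrusion, and diff."""
    workdir = tempfile.mkdtemp(prefix="baseline-demo-")
    try:
        ls_path = os.path.join(workdir, "ls")
        ps_path = os.path.join(workdir, "ps")
        for p in (ls_path, ps_path):
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\n# constructed stand-in for a system binary\n")

        # Known-good state (constructed).
        baseline = snapshot(
            accounts=["root", "alice"],
            startup_entries={"sshd": "/usr/sbin/sshd"},
            scheduled_jobs={"logrotate": "0 3 * * * /usr/sbin/logrotate"},
            binaries=[ls_path, ps_path],
        )

        # Simulated intrusion: a new account, a startup entry, a scheduled job,
        # and a trojanized "ps" (all constructed for the demo).
        with open(ps_path, "ab") as f:
            f.write(b"# trojanized: hide processes named backdoor\n")
        current = snapshot(
            accounts=["root", "alice", "svc_helper"],
            startup_entries={"sshd": "/usr/sbin/sshd", "updater": "/tmp/.x/update"},
            scheduled_jobs={"logrotate": "0 3 * * * /usr/sbin/logrotate",
                            "nightly-sync": "30 2 * * * /tmp/.x/sync"},
            binaries=[ls_path, ps_path],
        )
        return diff_snapshots(baseline, current), ps_path
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for kind, name in demo()[0]:
        print(f"{kind:>20}: {name}")
```

Only additions and modifications are reported; a removed entry (for instance a deleted log-rotation job) is also worth flagging in a real deployment, and the baseline should be refreshed whenever legitimate change control alters one of these locations.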
Social Engineering
• “Clueless User” vs. the Help Desk
• “Help Desk” vs. the Clueless User
• Countermeasures:
  • Limit data leakage through web sites, public databases, …
  • Formulate a strict policy for internal and external technical support procedures
  • Be paranoid about remote access
  • Craft outbound firewall and router access controls just as carefully as inbound
  • Use email safely
  • Educate employees on the basics of a secure environment (and on social engineering)
Summary
• What is the importance and significance of this material?
  • Remote control software is increasingly prevalent and is a tremendous security concern.
• How does this topic fit into the subject of “Security Risk Analysis”?
  • We need to know about the different packages that could be installed and that the organization we are testing might not know about.
Report from Teams
• Another possible assessment.
• So, how’d it go?