1 / 67

Windows Security Analysis Computer Science E-Commerce Security Matthew Cook escarpment/

Windows Security Analysis Computer Science E-Commerce Security Matthew Cook http://escarpment.net/. Introduction. Loughborough University http://www.lboro.ac.uk/computing/ Janet Web Cache Service http://wwwcache.ja.net/. Windows Security Analysis. Introduction

thuy
Download Presentation

Windows Security Analysis Computer Science E-Commerce Security Matthew Cook escarpment/

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Windows Security AnalysisComputer Science E-Commerce Security Matthew Cookhttp://escarpment.net/

  2. Introduction Loughborough University http://www.lboro.ac.uk/computing/ Janet Web Cache Service http://wwwcache.ja.net/

  3. Windows Security Analysis • Introduction • Step-by-step Machine Compromise • Preventing Attack • Further Reading • The Future

  4. Introduction • Physical Security • Security Threats • “Hacker” or “Cracker” • The Easiest Security Improvement • Can you buy security?

  5. Physical Security • Secure Location • BIOS restrictions • Password Protection • Boot Devices • Case Locks • Case Panels

  6. Security Threats • Denial of Service • Theft of information • Modification • Fabrication (Spoofing or Masquerading)

  7. Security Threats… Why a compromise can occur: • Physical Security Holes • Software Security Holes • Incompatible Usage Security Holes • Social Engineering • Complacency

  8. “Hacker” or “Cracker” • “Hacker” used primarily by the media to describe malicious attacks by individuals • However the computing community uses “Cracker” to mean the same • A “Hacker” tinkers with systems for good purposes. (Not breaking the law) • To avoid confusion many people now say“A machine has been compromised!”Not “A machine has been hacked!”

  9. The Easiest Security Improvement • Good passwords • Usernames and Passwords are the primary security defence • Use a password that is easy to type to avoid ‘Shoulder Surfers’ • Use the first letters from song titles, song lyrics or film quotations

  10. Can you buy Security? “This system is secure.” A product vendor might say: “This product makes your network secure.” Or: “We secure e-commerce.” Inevitably, these claims are naïve and simplistic. They look at the security of the product, rather than the security of the system. The first questions to ask are: “Secure from whom?” and “Secure against what?” Bruce Schneier

  11. Step-by-step Machine Compromise • Background • Gathering Information • Identifying System Weakness • Exploiting the Security Hole • Gaining ‘Root’ • Backdoor Access • System Alteration • Audit Trail Removal

  12. Background Reasons for Attack: • Personal Issues • Political Statement • Financial Gain (Theft of money, information) • Learning Experience • DoS (Denial of Service) • Support for Illegal Activity • In our scenario we are going to attack the company laggyband.com

  13. Gathering Information • Companies House • Internet SearchURL: http://www.google.co.uk • WhoisURL: http://www.netsol.com/cgi-bin/whois/whois • A Whois query can provide: • The Registrant • The Domain Names Registered • The Administrative, Technical and Billing Contact • Record updated and created date stamps • DNS Servers for the Domain

  14. Gathering Information… • Use Nslookup or dig • dig @dns.laggyband.com www.laggyband.com • Different query type available: • A – Network address • Any – All or Any Information available • Mx – Mail exchange records • Soa – Zone of Authority • Hinfo – Host information • Axfr – Zone Transfer • Txt – Additional strings

  15. Identifying System Weakness Many products available: • Nmap • Nessus • Pandora • Pwdump • L0pht Crack • Null Authentication

  16. Nmap • Port Scanning Tool • Stealth scanning, OS Fingerprinting • Open Source • Runs under Unix based OS • Port development for Win32 • URL: http://www.insure.org/nmap/

  17. Nmap

  18. Nessus • Remote security scanner similar to Typhon • Very comprehensive • Frequently updated modules • Testing of DoS attacks • Open Source • Win32 and Java Client • URL: http://nessus.org/

  19. Pandora • Not strictly Windows Security • Runs on either Unix or Win32 • Excellent tool to evaluate Netware security • Open Source • Lots of additional information • URL: http://www.nmrc.org/pandora/

  20. pwdump • Version 3 (e = encrypted) • Developed by Phil Staubs and Erik Hjelmstad • Based on pwdump and pwdump2 • URL: http://www.ebiz-tech.com/html/pwdump.html • Needs Administrative Privilidges • Extracts hashs even if syskey is installed • Extract from remote machines • Identifies accounts with no password • Self contained utility

  21. L0pht Crack • Password Auditing and Recovery • Crack Passwords from many sources • Registration $249 • URL: http://www.atstake.com/research/lc3/

  22. L0pht Crack Crack Passwords from: • Local Machine • Remote Machine • SAM File • SMB Sniffer • PWDump file

  23. Nmap Analysis • nmap –sP 158.125.0.0/16 • Dependant on ICMP (Internet Control Message Protocol) • nmap –sP –PT80 158.125.0.0/16 • Dependant on TCP SYN/ACK packet

  24. Nmap Analysis… • TCP Connect Scan • Completes a ‘Three Way Handshake’ • Very noisy (Detection by IDS)

  25. Nmap Analysis… • TCP SYN Scan • Half open scanning (Full port TCP connection not made) • Less noisy than the TCP Connect Scan

  26. Nmap Analysis… • TCP FIN Scan • FIN Packet sent to target port • RST returned for all closed ports • Mostly works UNIX based TCP/IP Stacks • TCP Xmas Tree Scan • Sends a FIN, URG and PUSH packet • RST returned for all closed ports • TCP Null Scan • Turns off all flags • RST returned for all closed ports • UDP Scan • UDP Packet sent to target port • “ICMP Port Unreachable” for closed ports

  27. Null Authentication Null Authentication: • Net use \\camford\IPC$ “” /u:“” • Famous tools like ‘Red Button’ • Net view \\camford • List of Users, groups and shares • Last logged on date • Last password change • Much more…

  28. Exploiting the Security Hole • Using IIS Unicode/Directory Traversal • /scripts/../../winnt/system32/cmd.exe /c+dir • /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir • Displays the listing of c: in browser • Copy cmd.exe to /scripts/root.exe • Echo upload.asp • GET /scripts/root.exe /c+echo+[blah]>upload.asp • Upload cmdasp.asp using upload.asp • Still vulnerable on 24% of E-Commerce servers

  29. Gaining ‘Root’ • Cmdasp.asp provides a cmd shell in the SYSTEM context • Increase in privileges is now simple • ISAPI.dll – RevertToSelf (Horovitz) • Version 2 coded by Foundstone • http://camford/scripts/idq.dll? • Patch Bulletin: MS01-26 • NOT included in Windows 2000 SP2

  30. Backdoor Access • Create several user accounts • Net user iisservice <pass> /ADD • Net localgroup administrators iisservice /ADD • Add root shells on high end ports • Tiri is 3Kb in size • Add backdoors to ‘Run’ registry keys

  31. System Alteration • Web page alteration • Information Theft • Enable services • Add VNC • Creating a Warez Server • Net start msftpsvc • Check access • Upload file 1Mb in size • Advertise as a warez server

  32. Audit Trail Removal • Many machines have auditing disabled • Main problems are IIS logs • DoS IIS before logs sync to disc • Erase logs from hard disc • Erasing Eventlog harder • IDS Systems • Network Monitoring at firewall

  33. Preventing Attack • NetBIOS/SMB Services • Hfnetchk and Qchain • SNMP Vulnerabilities • Active Directory Vulnerabilities • IPSec • IIS Security • IDS – Snort • .NET Server

  34. NetBIOS/SMB Services • NetBIOS Browsing Request [UDP 137] • NetBIOS Browsing Response [UDP 138] • NetBIOS Communications [TCP 135] • CIFS [TCP 139, 445 UDP 445] • Port 445 Windows 2000 only • Block ports at firewall • Netstat -A

  35. NetBIOS/SMB Services… To disable NetBIOS • Select ‘Disable NetBIOS’ in the WINS tab of advanced TCP/IP properties. • Deselect ‘File and Print sharing’ in the advanced settings of the ‘Network and Dial-up connections’ window

  36. NetBIOS/SMB Services… Disable Null Authentication • Key similar to Windows NT 4.0 • HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous • REG_DWORD set to 0, 1 or 2! • HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\RestrictAnonymous • REG_DWORD set to 0 or 1

  37. Hfnetchk • Use Hfnetchk to check hot fixes • Checks machines against Microsoft XML • Automate the process using a batch files and a mail client (Postie) • URL: http://www.infradig.com/infradig/postie/ • Use QChain to chain hot fixes together without rebooting in-between.

  38. Hfnetchk… Patch details for: • Windows NT 4.0, 2000, XP, .NET server • IIS 4, IIS 5 and IIS 6 • SQL Server 7.0 • SQL Server 2000 • Internet Explorer 5.01 (and later)

  39. Hfnetchk… • Default scan of local host (Pre downloaded)hfnetchk –x mssecure.xml • Default scan of lboro domainhfnetchk –d lboro • Verbose scan of local hosthfnetchk –v –x mssecure.xml • Verbose scan including installed hot fixeshfnetchk –v –a b –x mssecure.xml

  40. SNMP Vulnerabilities • Simple Network Management Protocol • Snmpwalk camford public .1.3.6.1.4.1.77.1.2.25 • SNMP Utilities in Resource Kit • Turn off SNMP services • Set community names • Set accepted hosts

  41. SNMP Vulnerabilities…

  42. SNMP Vulnerabilities… • CERT Advisory “Tuesday 12th February” • Privilege Escalation, DoS, Instability • Block UDP 161 and 162 at firewall • Patch or disable SNMP • Patches available for Windows 2000 and XP • URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-006.asp

  43. AD Vulnerabilities • Listing of AD contents using ldp.exe • Ldp is contained on the Resource Kit • Authenticated connection needed • Filter TCP 389 (LDAP) and 3268 (GC) • DNS – Securing Zone Transfers to Slave Name servers only

  44. IPSec • IP security • Linux Connectivity using FreeS/WAN • Mainly for wireless use • WEP encryption cracked • URL: http://www.freeswan.org/ • URL: http://airsnort.sourceforge.net/

  45. IIS Security • History • Recent Worms • IIS Lock Down Tool • URL Scan • The Future

  46. IIS History • IIS 2.0 Installed by NT 4.0 • IIS 3.0 followed by more common IIS 4.0 • Quickly gained reputation for (in)security • IIS 5.0 Installed by Windows 2000 • IIS 6.0 Installed by .NET Server • Microsoft releases Hfnetchk • Closely followed by IIS Lockdown and URLScan

  47. Recent Worms • Sadmind/IISDirectory Traversal (Unicode Exploit) • CodeRedida/idq buffer overflow • CodeGreen ida/idq buffer overflow • NimdaDirectory Traversal (Unicode Exploit)

  48. Sadmind/IIS • 2001-05-03 22:34:49 203.67.x.x - 158.125.x.x 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>f***+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>f***+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../wwwroot/default.htm 200 -

  49. IIS Lock Down Tool • Automatic ‘Lock Down’ [Now 2nd version] • Locks down IIS 4.0 and IIS 5.0 • Express ‘lock down’ for simple web sites • Custom ‘lock down’ for more complex servers • Undo facility to reverse last ‘lock down’ • URL: http://www.microsoft.com/Downloads\Release.asp?ReleaseID=32362

  50. Disable: Active Server Pages Index Server Interface Server Side Includes Internet Data Connector Internet Printing HTR Scripting Remove: Sample Web Files Script Virtual Directory MSADC Directory WebDAV Set Permissions on: Exe files Content Directories IIS Lock Down Tool…

More Related