CH 04
Reasons for Windows Security Problems
- Popularity and complexity
- Backward compatibility
  - Very important at businesses
  - Enabled by default
  - Causes many security problems
- Proliferation of features

Windows is Improving
- Windows XP SP2 was a giant improvement in security
  - Windows Firewall
  - Data Execution Prevention
- Vista is even more secure
  - User Account Control
  - BitLocker Drive Encryption

Unauthenticated Attacks: Four Vectors
- Authentication spoofing
- Network services
- Client vulnerabilities
- Device drivers

Authentication Spoofing Attacks

Services to Attack
- Server Message Block (SMB): TCP ports 445 and 139
- Microsoft Remote Procedure Call (MSRPC): TCP port 135
- Terminal Services: TCP port 3389
- SQL: TCP 1443 and UDP 1434
- SharePoint and other Web services: TCP 80 and 443

Password Guessing from the Command Line
- Accounts may lock out after too many guesses

A Password Guessing Script
- Put password/user name pairs in a file named credentials.txt
- Tools: enum, Brutus, TSGrinder, many more
- Link Ch 4a1
Page 1 of 16
Audit Policy
- Use a log analysis tool to check the logs
- For even better security, use Intrusion Detection/Intrusion Prevention software
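As an added example of the log check the slide calls for (this is not the course's own script), the PowerShell below summarises failed logons from the Security log so that a password-guessing run against SMB or Remote Desktop stands out as one source address failing many times, often across many accounts. It assumes a Vista-or-later system with logon auditing enabled; the 24-hour window and the threshold of 10 failures are assumptions chosen for the example.

```powershell
# Added example (not from the slides): summarise failed logons (Security event
# ID 4625, Vista and later) to spot password guessing against SMB, RDP, etc.
# Assumes logon auditing is enabled; Hours and Threshold are example values.
param([int]$Hours = 24, [int]$Threshold = 10)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue
if (-not $events) { Write-Output "No failed logons since $since"; return }

# Pull the named fields out of each event's XML payload
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = $data['TargetUserName']
        Source    = $data['IpAddress']     # '-' for failures at the local console
        LogonType = $data['LogonType']     # 3 = network (SMB), 10 = Remote Desktop
    }
}

# One source address producing many failures, especially across many accounts,
# is the pattern a guessing script leaves behind
$rows | Group-Object Source | Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending | ForEach-Object {
        $times = $_.Group.Time | Sort-Object
        [pscustomobject]@{
            Source     = $_.Name
            Failures   = $_.Count
            Accounts   = ($_.Group.Account   | Sort-Object -Unique) -join ', '
            LogonTypes = ($_.Group.LogonType | Sort-Object -Unique) -join ', '
            First      = $times[0]
            Last       = $times[-1]
        }
    } | Format-Table -AutoSize
```

Run it from an elevated prompt, since reading the Security log requires administrative rights; a lockout policy will additionally write event ID 4740 when an account is locked, which can be queried the same way.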
Use NTLM, not LM
- The old LM hashes are easily cracked
- The newer NTLM hashes are harder to crack, although they can be broken by dictionary attacks
- Elcomsoft has a new tool that cracks NTLM hashes by brute force, clustering many computers together
- See link Ch 4f

Man-in-the-Middle Attacks
- SMBRelay and SMBProxy pass authentication hashes along to get authenticated access to the server, on Windows versions before XP

MITM Attack on Terminal Server
- Cain can sniff Remote Desktop sessions unencrypted and get administrative credentials
- For Windows XP and Windows Server 2003
- Because Microsoft made a private key public (link Ch 4f1)

Microsoft Remote Procedure Call (MSRPC) Vulnerabilities
- The MSRPC port mapper is advertised on TCP and UDP 135 by Windows systems
- It cannot be disabled without drastically affecting the core functionality of the operating system
- MSRPC interfaces are also available via other ports, including TCP/UDP 139, 445 or 593, and can also be configured to listen over a custom HTTP port via IIS or COM Internet Services

MITM Countermeasures
- Attacker usually has to be on your LAN
- Use authenticated and encrypted protocols
- Enforce them with Group Policy and firewall rules

CNIT 124 Bowne Page 3 of 16
Making a SYSTEM Task in Vista
- Start, Task Scheduler
- Action, Create Task
- Change User or Group, select SYSTEM
- Fill in wizard, notepad.exe
- You can see it in Task Manager, but it's not interactive (see link Ch 4t)

Preventing Privilege Escalation
- Keep machines patched
- Restrict interactive logon to trusted accounts
  - Start, secpol.msc
  - Deny log on locally

Extracting and Cracking Passwords
- Once Administrator-equivalent status has been obtained on one machine
- Attackers often want to penetrate deeper into the network, so they want passwords

Grabbing the Password Hashes
- Stored in the Windows Security Accounts Manager (SAM) under NT4 and earlier, and in the Active Directory on Windows 2000 and greater domain controllers (DCs)
- The SAM contains the usernames and hashed passwords of all users
- The counterpart of the /etc/passwd file from the UNIX world
Obtaining the Hashes
- NT4 and earlier stores password hashes in %systemroot%\system32\config\SAM
  - It's locked as long as the OS is running
  - It's also in the Registry key HKEY_LOCAL_MACHINE\SAM
- On Windows 2000 and greater domain controllers, password hashes are kept in the Active Directory: %windir%\WindowsDS\ntds.dit

How to Get the Hashes
- Easy way: Just use Cain
- Cracker tab, right-click, "Add to List"
How Cain Works
- Injects a DLL into a highly privileged process in a running system
- That's how pwdump, Cain, and Ophcrack do it
- Link Ch 4x

Other Ways to Get the Hashes
- Boot the target system to an alternate OS and copy the files to removable media
- Copy the backup of the SAM file created by the Repair Disk Utility
  - But this file is protected by SYSKEY encryption, which makes it harder to crack (perhaps impossible)
  - Links Ch 4u, 4v, 4w
- Sniff Windows authentication exchanges

pwdump2 Countermeasures
- There is no defense against pwdump2, 3, 4, Cain, Ophcrack, etc.
- But the attacker needs local Administrative rights to use them

Cracking Passwords
- The hash is supposed to be really difficult to reverse
- NTLM hashes are really hard to break
- But Windows XP and earlier still use LM hashes for backwards compatibility
- They are turned off by default in Vista
Brute Force v. Dictionary
- There are two techniques for cracking passwords
- Brute force: tries all possible combinations of characters
- Dictionary: tries all the words in a word list, such as able, baker, cow
  - May try variations such as ABLE, Able, @bl3, etc.

Password-Cracking Countermeasures
- Strong passwords: not dictionary words, long, complex
- Add non-printable ASCII characters like (NUM LOCK) ALT-255 or (NUM LOCK) ALT-129

Ways to Speed Cracks
- Rainbow tables trade time for memory with precomputed hashes
- Elcomsoft Distributed Password Recovery uses many machines together, and their graphics cards, to make cracking 100x faster
- Link Ch 4f
LSA Secrets Countermeasures
- There's not much you can do
- Microsoft offers a patch, but it doesn't help much: Microsoft KB Article ID Q184017 (link Ch 4z02)
- Vista seems far less vulnerable
- Local Admin rights can lead to compromise of other accounts that machine has logged in to

Previous Logon Cache Dump
- If a domain member cannot reach the domain controller, it performs an offline logon with cached credentials
- The last ten domain logons are stored in the cache, in an encrypted and hashed form
Works on Vista

PsExec
- From SysInternals (now part of Microsoft)
- Allows remote code execution (with a username and password)
- Link Ch 4z07
Port Redirection
- Fpipe is a port redirection tool from Foundstone
- Link Ch 4z12
ADS With Binary Files
- You need the cp command (supposedly in the Resource Kit, although I can't find it available free online)
- To detect alternate data streams, use LADS (link Ch 4z16)

Rootkits
- Rootkits are the best way to hide files, accounts, backdoors, network connections, etc. on a machine
- More on rootkits in a later chapter

General Countermeasures to Authenticated Compromise
- Once a system has been compromised with administrator privileges, you should just reinstall it completely
- You can never be sure you really found and removed all the backdoors
- But if you want to clean it, here are techniques:

Suspicious Files
- Known dangerous filenames like nc.exe
- Run antivirus software
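The ADS check the slide hands to LADS can also be done with built-in PowerShell, as an added example (not from the slides or from the LADS tool): it walks a folder and reports every stream other than the normal data stream. It assumes PowerShell 3.0 or later, an NTFS volume, and a starting folder of C:\Users chosen for the example.

```powershell
# Added example (not from the slides): list files that carry alternate data
# streams beyond the normal ':$DATA' stream, the same thing LADS reports.
# Needs PowerShell 3.0 or later (the -Stream parameter) and an NTFS volume.
function Find-AlternateDataStream {
    param([string]$Path = 'C:\Users')   # starting folder, an assumption for the example

    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file
                        Stream = $_.Stream
                        Bytes  = $_.Length
                        # Zone.Identifier is the normal "downloaded from the Internet"
                        # marker; anything else, especially a large stream, deserves a look
                        Benign = ($_.Stream -eq 'Zone.Identifier')
                    }
                }
        }
}

Find-AlternateDataStream -Path 'C:\Users' |
    Where-Object { -not $_.Benign } |
    Sort-Object Bytes -Descending |
    Format-Table -AutoSize
```

A stream large enough to hold an executable, attached to an otherwise ordinary file, is the case the slide's "binary files" title is about.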
Ways to Make a Program Run at Startup in Vista
- Registry keys
  - Run or RunOnce or Policies\Explorer\Run
  - Load value
  - RunServices or RunServicesOnce
  - Winlogon or BootExecute
- Scheduled Tasks
- Win.ini
- Group Policy
- Shell service objects
- Logon scripts

Suspicious Processes
- Process Explorer
- Link Ch 4z14
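As an added example (not from the slides), the PowerShell below dumps the startup locations listed above that live in the Registry and in the task scheduler, so each entry can be reviewed by hand against what is expected on the machine. It assumes Vista or later, a PowerShell prompt with rights to read HKLM, and that schtasks is available (Get-ScheduledTask only arrived in later Windows versions).

```powershell
# Added example (not from the slides): dump the Vista-era autostart locations
# the slide lists (Run/RunOnce/Policies\Explorer\Run keys, Load, Winlogon,
# BootExecute, scheduled tasks) so each entry can be reviewed by hand.
function Get-AutorunEntry {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    )
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-Item -LiteralPath $k
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Location = $k; Name = $name; Command = $item.GetValue($name) }
        }
    }

    # Single values that also launch code at boot or logon
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($v in 'Shell', 'Userinit') {
        [pscustomobject]@{ Location = $wl; Name = $v; Command = (Get-ItemProperty -LiteralPath $wl).$v }
    }
    $win = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    if (Test-Path $win) {
        [pscustomobject]@{ Location = $win; Name = 'Load'; Command = (Get-ItemProperty -LiteralPath $win).Load }
    }
    $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    [pscustomobject]@{ Location = $sm; Name = 'BootExecute'; Command = ((Get-ItemProperty -LiteralPath $sm).BootExecute -join ' ') }

    # Scheduled tasks via schtasks (present on Vista); it repeats its header
    # line per task folder, so rows whose TaskName is literally 'TaskName' are dropped
    schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' } | ForEach-Object {
            [pscustomobject]@{ Location = 'Scheduled Task'; Name = $_.TaskName; Command = $_.'Task To Run' }
        }
}

Get-AutorunEntry | Format-Table -AutoSize -Wrap
```

Win.ini, Group Policy scripts and shell service objects from the slide are not covered by this listing and still need to be checked separately.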
Group Policy
- Allows customized security settings in domains

Encryption: BitLocker and EFS
- EFS encrypts folders
- BitLocker encrypts the whole hard drive
- In Windows 7 Beta, BitLocker can encrypt removable USB devices
- Video: Hacking BitLocker

Least Privilege
- Most Windows users use an Administrative account all the time
- Very poor for security, but convenient
- For XP, 2003, and earlier: log on as a limited user, use runas to elevate privileges as needed
- For Vista and later versions, this process is automated by User Account Control

Last modified 2-5-09