Transcript of: Windows Security Analysis. Computer Science E-Commerce Security ‘2004’. Matthew Cook, http://escarpment.net/ (45 slides)

Slide 1

Windows Security Analysis
Computer Science E-Commerce Security ‘2004’
Matthew Cook
http://escarpment.net/

Slide 2

Introduction
Senior IT Security Specialist
Loughborough University
http://www.lboro.ac.uk/computing/

Slide 3

Windows Security Analysis
- Introduction
- Step-by-step Machine Compromise
- Preventing Attack
- Incident Response
- Further Reading

Slide 4

Introduction
Basic Security Overview

Slide 5

Physical Security
- Secure location
- BIOS restrictions
- Password protection
- Boot devices
- Case locks
- Case panels

Slide 6

Security Threats
- Denial of Service
- Theft of information
- Modification
- Fabrication (Spoofing or Masquerading)

Slide 7

Security Threats…
Why a compromise can occur:
- Physical security holes
- Software security holes
- Incompatible usage security holes
- Social engineering
- Complacency

Slide 8

The Easiest Security Improvement
- Good passwords
- Usernames and passwords are the primary security defence
- Use a password that is easy to type, to avoid ‘shoulder surfers’
- Use the first letters from song titles, song lyrics or film quotations

Slide 9

Step-by-step Machine Compromise
Why, where, how?

Slide 10

Background
Reasons for attack:
- Personal issues
- Political statement
- Financial gain (theft of money, information)
- Learning experience
- DoS (Denial of Service)
- Support for illegal activity

Slide 11

Gathering Information
- Companies House
- Internet search. URL: http://www.google.co.uk
- Whois. URL: http://www.netsol.com/cgi-bin/whois/whois
- A Whois query can provide:
  – The registrant
  – The domain names registered
  – The administrative, technical and billing contact
  – Record updated and created date stamps
  – DNS servers for the domain

Slide 12

Gathering Information…
- Use nslookup or dig:
  dig @<dns server> <machine address>
- Different query types are available:
  – A – Network address
  – ANY – All or any information available
  – MX – Mail exchange records
  – SOA – Zone of Authority
  – HINFO – Host information
  – AXFR – Zone transfer
  – TXT – Additional strings

Slide 13

Identifying System Weakness
Many products available:
- Nmap
- Nessus
- Pwdump
- L0pht Crack
- Null Authentication

Slide 14

Nmap
- Port scanning tool
- Stealth scanning, OS fingerprinting
- Open source
- Runs under Unix-based OS
- Port development for Win32
- URL: http://www.insure.org/nmap/

Slide 15

Nmap

Slide 16

Nessus
- Remote security scanner
- Very comprehensive
- Frequently updated modules
- Testing of DoS attacks
- Open source
- Win32 and Java client
- URL: http://nessus.org/

Slide 17

pwdump
- Version 3 (e = encrypted)
- Developed by Phil Staubs and Erik Hjelmstad
- Based on pwdump and pwdump2
- URL: http://www.ebiz-tech.com/html/pwdump.html
- Needs administrative privileges
- Extracts hashes even if syskey is installed
- Extracts from remote machines
- Identifies accounts with no password
- Self-contained utility

Slide 18

L0pht Crack
- Password auditing and recovery
- Crack passwords from many sources
- Registration $249
- URL: http://www.atstake.com/research/lc3/

Slide 19

L0pht Crack
Crack passwords from:
- Local machine
- Remote machine
- SAM file
- SMB sniffer
- PWDump file

Slide 20

Nmap Analysis
- nmap -sP 158.125.0.0/16 – Ping scan!
- nmap -sS 158.125.0.0/16 – Stealth scan

Slide 21

Nmap Analysis…
TCP Connect Scan
- Completes a ‘three-way handshake’
- Very noisy (detection by IDS)

Slide 22

Nmap Analysis…
TCP SYN Scan
- Half-open scanning (full TCP port connection not made)
- Less noisy than the TCP Connect Scan

Slide 23

Nmap Analysis…
- TCP FIN Scan
  – FIN packet sent to target port
  – RST returned for all closed ports
  – Mostly works on UNIX-based TCP/IP stacks
- TCP Xmas Tree Scan
  – Sends a FIN, URG and PUSH packet
  – RST returned for all closed ports
- TCP Null Scan
  – Turns off all flags
  – RST returned for all closed ports
- UDP Scan
  – UDP packet sent to target port
  – “ICMP Port Unreachable” for closed ports
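Added example, not part of the original slides: detection logic a defender could run over sensor records to recognise the probe types described on slides 21 to 23 from their TCP flags. A SYN only counts while no bare ACK from the same source to the same port follows it (the half-open pattern), so ordinary connections drop out. Packet records, addresses and the port threshold are constructed for the demonstration.

```python
from collections import defaultdict

# Constructed inbound TCP packets as a sensor in front of the server might
# record them: (source IP, destination port, flags in tcpdump letters).
# 10.0.0.5 half-opens six ports and completes none, 10.0.0.9 completes a
# normal handshake to port 80, 10.0.0.7 sends FIN/URG/PUSH, 10.0.0.3 no flags.
SAMPLE_PACKETS = [
    ("10.0.0.5", 21, "S"), ("10.0.0.5", 22, "S"), ("10.0.0.5", 25, "S"),
    ("10.0.0.5", 80, "S"), ("10.0.0.5", 135, "S"), ("10.0.0.5", 445, "S"),
    ("10.0.0.9", 80, "S"), ("10.0.0.9", 80, "A"),
    ("10.0.0.7", 21, "FPU"), ("10.0.0.7", 22, "FPU"), ("10.0.0.7", 80, "FPU"),
    ("10.0.0.7", 139, "FPU"), ("10.0.0.7", 445, "FPU"),
    ("10.0.0.3", 25, ""), ("10.0.0.3", 80, ""),
]

def classify_flags(flags):
    """Name the probe type a flag combination corresponds to."""
    f = set(flags)
    if not f:
        return "null"            # Null scan: all flags off
    if f == {"F"}:
        return "fin"             # FIN scan
    if f == {"F", "P", "U"}:
        return "xmas"            # Xmas tree scan: FIN, URG and PUSH
    if f == {"S"}:
        return "syn"             # SYN: a scan only if never completed
    return "other"

def detect_scans(packets, threshold=5):
    """Return {(src, scan_type): distinct ports} for every source that probed
    at least `threshold` distinct ports with one probe type. A SYN stays
    counted only while no bare ACK from that source to that port follows it,
    i.e. the half-open pattern; a completed handshake is removed."""
    probes = defaultdict(set)
    for src, dport, flags in packets:
        kind = classify_flags(flags)
        if kind in ("syn", "fin", "xmas", "null"):
            probes[(src, kind)].add(dport)
        elif "A" in flags and "S" not in flags:
            probes[(src, "syn")].discard(dport)   # third step of handshake
    return {k: len(v) for k, v in probes.items() if len(v) >= threshold}

if __name__ == "__main__":
    for (src, kind), count in sorted(detect_scans(SAMPLE_PACKETS).items()):
        print(f"{src}: {kind} scan against {count} distinct ports")
```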

Slide 24

Null Authentication
- Null Authentication:
  net use \\camford\IPC$ "" /u:""
- Famous tools like ‘Red Button’
- net view \\camford
- List of users, groups and shares
- Last logged-on date
- Last password change
- Much more…

Slide 25

Exploiting the Security Hole
- Using IIS Unicode/Directory Traversal:
  /scripts/../../winnt/system32/cmd.exe /c+dir
  /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
  Displays the listing of c: in the browser
- Copy cmd.exe to /scripts/root.exe
- Echo upload.asp:
  GET /scripts/root.exe /c+echo+[blah]>upload.asp
- Upload cmdasp.asp using upload.asp
- Still vulnerable on 24% of E-Commerce servers
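Added example, not from the original slides: a log check a defender can run over IIS W3C-format entries. It decodes the `%c0%af` form shown above the way the vulnerable IIS did (accepting overlong UTF-8, so the two bytes become `/`) and then flags requests whose normalised path climbs above the web root or names a command interpreter. The log lines and IP addresses are constructed, and the field layout (date, time, client IP, method, URI stem, query, status) is an assumption about how the server was configured to log.

```python
import re
from urllib.parse import unquote_to_bytes
# Constructed IIS W3C-style log lines (date time c-ip method cs-uri-stem query
# status). Lines 2-3 mirror the slide's requests; 1 and 4 are normal traffic.
SAMPLE_LOG = """\
2004-03-01 10:00:01 10.0.0.9 GET /default.asp - 200
2004-03-01 10:00:07 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2004-03-01 10:00:09 10.0.0.5 GET /scripts/root.exe /c+echo+x>upload.asp 200
2004-03-01 10:00:12 10.0.0.9 GET /images/logo%c3%a9.gif - 200
"""

def lenient_utf8(raw):
    """Decode like the vulnerable IIS did: accept overlong two-byte forms such as
    C0 AF ('/' in two bytes), which slipped past its '..' check. -> (text, overlong)"""
    out, overlong, i = [], False, 0
    while i < len(raw):
        b = raw[i]
        n = raw[i + 1] if i + 1 < len(raw) else 0
        if b < 0x80:
            cp, step = b, 1
        elif 0xC0 <= b <= 0xDF and 0x80 <= n <= 0xBF:
            cp, step = ((b & 0x1F) << 6) | (n & 0x3F), 2
            overlong = overlong or cp < 0x80    # fits in one byte: overlong form
        else:
            cp, step = 0xFFFD, 1                # anything else: replacement char
        out.append(chr(cp))
        i += step
    return "".join(out), overlong

def check_uri_stem(stem):
    """Findings for one cs-uri-stem: overlong encoding, a path climbing above
    the web root, or a request for a command interpreter."""
    path, overlong = lenient_utf8(unquote_to_bytes(stem))
    findings = ["overlong-utf8"] if overlong else []
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
        elif seg and seg != ".":
            depth += 1
        if depth < 0:
            findings.append("escapes-webroot")
            break
    if re.search(r"/(cmd|root)\.exe$", path, re.I):
        findings.append("command-interpreter")
    return findings

def scan_log(text):
    """Return (client IP, raw stem, findings) for every suspicious log line."""
    alerts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and (found := check_uri_stem(parts[4])):
            alerts.append((parts[2], parts[4], found))
    return alerts
```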

Slide 26

Gaining ‘Root’
- Cmdasp.asp provides a cmd shell in the SYSTEM context
- Increase in privileges is now simple
- ISAPI.dll – RevertToSelf (Horovitz)
- Version 2 coded by Foundstone
- http://camford/scripts/idq.dll?
- Patch Bulletin: MS01-26
- NOT included in Windows 2000 SP2

Slide 27

Backdoor Access
- Create several user accounts:
  net user iisservice <pass> /ADD
  net localgroup administrators iisservice /ADD
- Add root shells on high-end ports
- Tiri is 3Kb in size
- Add backdoors to ‘Run’ registry keys

Slide 28

System Alteration
- Web page alteration
- Information theft
- Enable services
- Add VNC
- Creating a warez server:
  – net start msftpsvc
  – Check access
  – Upload a file 1Mb in size
  – Advertise as a warez server

Slide 29

Audit Trail Removal
- Many machines have auditing disabled
- Main problems are IIS logs
- DoS IIS before logs sync to disc
- Erase logs from hard disc
- Erasing the Eventlog is harder
- IDS systems
- Network monitoring at firewall

Slide 30

Preventing Attack
How to stop the attack from happening and how to limit the damage from crackers!

Slide 31

NetBIOS/SMB Services
- NetBIOS Browsing Request [UDP 137]
- NetBIOS Browsing Response [UDP 138]
- NetBIOS Communications [TCP 135]
- CIFS [TCP 139, 445; UDP 445]
- Port 445: Windows 2000 only
- Block ports at firewall
- Netstat -A

Slide 32

NetBIOS/SMB Services…
To disable NetBIOS:
1. Select ‘Disable NetBIOS’ in the WINS tab of advanced TCP/IP properties.
2. Deselect ‘File and Print sharing’ in the advanced settings of the ‘Network and Dial-up connections’ window.

Slide 33

NetBIOS/SMB Services…
Disable Null Authentication:
- HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous
  REG_DWORD set to 0, 1 or 2!
- HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\RestrictAnonymous
  REG_DWORD set to 0 or 1

Slide 34

Operating System Patching
- Operating systems do contain bugs, and patches are a common method of distributing these fixes.
- A patch or hot fix usually contains a fix for one discovered bug.
- Service packs contain multiple patches or hotfixes.

Slide 35

Operating System Patching…
- Only install patches after you have tested them in a development environment.
- Only install patches obtained direct from the vendor.
- Install security patches as soon as possible after release.
- Install feature patches as and when needed.
- Automate patch collection and installation as much as possible (QChain).

Slide 36

Operating System Patching…
Use automated patching technology:
- SUS – Microsoft Software Update Service
- SMS – Microsoft Systems Management Server
- Ghost – Symantec imaging software
And other application deployment software:
- Lights-out distribution
- Deferred installation

Slide 37

IPSec
- IP security
- Linux connectivity using FreeS/WAN
- Mainly for wireless use
- WEP encryption cracked
- URL: http://www.freeswan.org/
- URL: http://airsnort.sourceforge.net/

Slide 38

Well Known Worms
- Nimda – Directory Traversal (Unicode Exploit)
- Slammer – MS SQL Server transaction control
- Blaster – MS port 135 DCOM vulnerabilities
- Sasser – MS port 445 vulnerabilities

Slide 39

Incident Response
What to do when something does go wrong!

Slide 40

Incident Response…
- Don’t panic!
- Unplug the network
- Get a notebook
- Back up the system and keep the back-ups
- Restrict use of email
- Look for information
- Investigate the cause
- Request help and assistance

Slide 41

Incident Response…
- Important to return to service swiftly
  – Do not jeopardize security
  – If in doubt, re-build
  – Perform forensics on a backup
- Keep documentation and evidence
- Contact local CERT if investigation proves non-worm/script-kiddie activity

Slide 42

Further Reading
- Garfinkel, S. Web Security & Commerce. O’Reilly [ISBN 1-56592-269-7]
- Hassler, V. Security Fundamentals for E-Commerce. Artech House [ISBN 1-58053-108-3]
- Huth, M R A. Secure Communicating Systems. Cambridge Uni Press [ISBN 0-52180-731-X]
- Schneier, B. Secrets & Lies (Digital Security in a Networked World) [ISBN 0-47125-311-1]

Slide 43

Useful Books, Tools and URLs
- Securing Windows NT/2000 Servers for the Internet. (Stefan Norberg.)
- Incident Response. (Kenneth R. van Wyk, Richard Forno.)
- Hacking Exposed: Network Security Secrets & Solutions. (Stuart McClure et al.)
- Hacking Exposed Windows 2000: Network Security Secrets and Solutions. (Scambray.)

Slide 44

Useful Books, Tools and URLs
- Microsoft Security Website: http://www.microsoft.com/security/
- Computer Security Incident Response Team: http://www.cert.org/csirts/csirt_faq.html
- JANET CERT: http://www.ja.net/cert/
- Bugtraq Mailing List: http://online.securityfocus.com/

Slide 45

Questions
Slides available at: http://escarpment.net/