Windows Security Analysis
Computer Science E-Commerce Security ‘2004’
Matthew Cook
Slide 1
Windows Security Analysis
Computer Science E-Commerce Security ‘2004’
Matthew Cook
http://escarpment.net/
Slide 2
Introduction
Senior IT Security Specialist
Loughborough University
http://www.lboro.ac.uk/computing/

Slide 3
Windows Security Analysis
Introduction
Step-by-step Machine Compromise
Preventing Attack
Incident Response
Further Reading

Slide 5
Physical Security
Secure Location
BIOS restrictions
Password Protection
Boot Devices
Case Locks
Case Panels

Slide 6
Security Threats
Denial of Service
Theft of information
Modification
Fabrication (Spoofing or Masquerading)

Slide 7
Security Threats…
Why a compromise can occur:
Physical Security Holes
Software Security Holes
Incompatible Usage Security Holes
Social Engineering
Complacency

Slide 8
The Easiest Security Improvement
Good passwords
Usernames and Passwords are the primary security defence
Use a password that is easy to type to avoid ‘Shoulder Surfers’
Use the first letters from song titles, song lyrics or film quotations
Slide 9
Step-by-step Machine Compromise
Why, where, how?

Slide 10
Background
Reasons for Attack:
Personal Issues
Political Statement
Financial Gain (Theft of money, information)
Learning Experience
DoS (Denial of Service)
Support for Illegal Activity

Slide 11
Gathering Information
Companies House
Internet Search
URL: http://www.google.co.uk
Whois
URL: http://www.netsol.com/cgi-bin/whois/whois
A Whois query can provide:
– The Registrant
– The Domain Names Registered
– The Administrative, Technical and Billing Contact
– Record updated and created date stamps
– DNS Servers for the Domain

Slide 12
Gathering Information…
Use Nslookup or dig
dig @<dns server> <machine address>
Different query types available:
– A – Network address
– Any – All or Any Information available
– Mx – Mail exchange records
– Soa – Zone of Authority
– Hinfo – Host information
– Axfr – Zone Transfer
– Txt – Additional strings
Slide 13
Identifying System Weakness
Many products available:
Nmap
Nessus
Pwdump
L0pht Crack
Null Authentication

Slide 14
Nmap
Port Scanning Tool
Stealth scanning, OS Fingerprinting
Open Source
Runs under Unix based OS
Port development for Win32
URL: http://www.insure.org/nmap/

Slide 16
Nessus
Remote security scanner
Very comprehensive
Frequently updated modules
Testing of DoS attacks
Open Source
Win32 and Java Client
URL: http://nessus.org/

Slide 17
pwdump
Version 3 (e = encrypted)
Developed by Phil Staubs and Erik Hjelmstad
Based on pwdump and pwdump2
URL: http://www.ebiz-tech.com/html/pwdump.html
Needs Administrative Privileges
Extracts hashes even if syskey is installed
Extracts from remote machines
Identifies accounts with no password
Self contained utility

Slide 18
L0pht Crack
Password Auditing and Recovery
Crack Passwords from many sources
Registration $249
URL: http://www.atstake.com/research/lc3/

Slide 19
L0pht Crack
Crack Passwords from:
Local Machine
Remote Machine
SAM File
SMB Sniffer
PWDump file
Nmap AnalysisNmap Analysis
nmap –sP 158.125.0.0/16nmap –sP 158.125.0.0/16- Ping scan!Ping scan!
nmap –sS 158.125.0.0/16nmap –sS 158.125.0.0/16- Stealth scan- Stealth scan
Slide 21
21
Nmap Analysis…Nmap Analysis…
TCP Connect ScanTCP Connect Scan Completes a ‘Three Way Handshake’Completes a ‘Three Way Handshake’ Very noisy (Detection by IDS)Very noisy (Detection by IDS)
Slide 22
22
Nmap Analysis…Nmap Analysis…
TCP SYN ScanTCP SYN Scan Half open scanning (Full port TCP Half open scanning (Full port TCP
connection not made)connection not made) Less noisy than the TCP Connect ScanLess noisy than the TCP Connect Scan
Slide 23
23
Nmap Analysis…Nmap Analysis…
TCP FIN ScanTCP FIN Scan– FIN Packet sent to target portFIN Packet sent to target port– RST returned for all closed portsRST returned for all closed ports– Mostly works UNIX based TCP/IP StacksMostly works UNIX based TCP/IP Stacks
TCP Xmas Tree ScanTCP Xmas Tree Scan– Sends a FIN, URG and PUSH packetSends a FIN, URG and PUSH packet– RST returned for all closed portsRST returned for all closed ports
TCP Null ScanTCP Null Scan– Turns off all flagsTurns off all flags– RST returned for all closed portsRST returned for all closed ports
UDP ScanUDP Scan– UDP Packet sent to target portUDP Packet sent to target port– ““ICMP Port Unreachable” for closed portsICMP Port Unreachable” for closed ports
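The scan types on slides 20 to 23 are what an IDS sees from the receiving end: a single FIN, Xmas or Null packet is never the start of a legitimate connection, while SYN and UDP probes only stand out when one source touches many ports. The following Python script is an added example (not part of the slides and not Nmap project code) that applies exactly that rule set to constructed packet records; the addresses, ports and the sweep threshold are assumptions made for the example, and a live deployment would fill the records from a capture.

```python
"""Classify probe packets by TCP flag pattern and report per-source sweeps.

Added example for the scan types on the slides; not part of the original
deck and not Nmap project code. Input is a list of constructed packet records
(source address, destination port, protocol, TCP flag names). Addresses,
ports and the sweep threshold are assumptions made for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str                        # source address
    dport: int                      # destination port
    proto: str                      # "tcp" or "udp"
    flags: frozenset = frozenset()  # TCP flag names; empty for UDP or a Null probe


# FIN + URG + PSH and nothing else: the Xmas tree pattern
XMAS = frozenset({"FIN", "URG", "PSH"})
# flag combinations that never start a legitimate connection
MALFORMED = ("fin", "xmas", "null")


def classify_packet(pkt):
    """Return the probe type of one packet, or None for ordinary traffic.

    "syn" and "udp" are normal on their own and only count when one source
    sweeps many ports; "fin", "xmas" and "null" are suspicious on sight.
    """
    if pkt.proto == "udp":
        return "udp"
    f = pkt.flags
    if not f:
        return "null"
    if f == XMAS:
        return "xmas"
    if f == {"FIN"}:
        return "fin"
    if "SYN" in f and "ACK" not in f:
        return "syn"          # first packet of a handshake, or a half-open probe
    return None               # ACK/PSH data packets, SYN-ACK replies, RSTs


def detect_scans(packets, sweep_threshold=10):
    """Map each offending source address to a sorted list of (probe type, ports hit)."""
    ports_by_src = defaultdict(lambda: defaultdict(set))
    for p in packets:
        kind = classify_packet(p)
        if kind:
            ports_by_src[p.src][kind].add(p.dport)
    findings = {}
    for src, kinds in ports_by_src.items():
        hits = [(kind, len(ports)) for kind, ports in kinds.items()
                if kind in MALFORMED or len(ports) >= sweep_threshold]
        if hits:
            findings[src] = sorted(hits)
    return findings


# Constructed traffic: one ordinary web client plus four scanning sources
SAMPLE_PACKETS = (
    [Packet("10.0.0.5", 80, "tcp", frozenset({"SYN"})),
     Packet("10.0.0.5", 443, "tcp", frozenset({"SYN"})),
     Packet("10.0.0.5", 443, "tcp", frozenset({"ACK"}))]
    + [Packet("10.0.0.9", port, "tcp", frozenset({"SYN"})) for port in range(1, 21)]  # SYN sweep
    + [Packet("10.0.0.11", port, "tcp", XMAS) for port in (21, 22, 23)]               # Xmas probes
    + [Packet("10.0.0.12", 139, "tcp")]                                                # Null probe
    + [Packet("10.0.0.13", port, "udp") for port in range(100, 112)]                   # UDP sweep
)


def run_sample():
    return detect_scans(SAMPLE_PACKETS)


if __name__ == "__main__":
    for src, hits in run_sample().items():
        print(src, ", ".join(f"{kind} scan over {n} port(s)" for kind, n in hits))
```

The ordinary client (two SYNs and an ACK) produces no finding, which is the point of the threshold: SYN counting alone would flag every browser. The `-sS` half-open scan from slide 20 is only distinguishable from `-sT` by the missing third packet, so both show up here as a SYN sweep; the FIN, Xmas and Null probes are reported even for a single port.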
Slide 24
Null Authentication
Null Authentication:
net use \\camford\IPC$ "" /u:""
Famous tools like ‘Red Button’
net view \\camford
List of Users, groups and shares
Last logged on date
Last password change
Much more…
Slide 25
Exploiting the Security Hole
Using IIS Unicode/Directory Traversal
/scripts/../../winnt/system32/cmd.exe /c+dir
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
Displays the listing of c: in browser
Copy cmd.exe to /scripts/root.exe
Echo upload.asp
GET /scripts/root.exe /c+echo+[blah]>upload.asp
Upload cmdasp.asp using upload.asp
Still vulnerable on 24% of E-Commerce servers

Slide 26
Gaining ‘Root’
Cmdasp.asp provides a cmd shell in the SYSTEM context
Increase in privileges is now simple
ISAPI.dll – RevertToSelf (Horovitz)
Version 2 coded by Foundstone
http://camford/scripts/idq.dll?
Patch Bulletin: MS01-26
NOT included in Windows 2000 SP2
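From the defender's side, the requests on slides 25 and 26 leave characteristic entries in the IIS W3C log, which is why slide 29 singles those logs out. The following Python script is an added example (not part of the slides and not Microsoft code) that parses constructed IIS log lines and flags requests that use the overlong UTF-8 separator from the slide, a double-encoded separator, or that reach cmd.exe, root.exe or idq.dll. The field layout, the client addresses and the two-entry list of overlong sequences are assumptions made for the example.

```python
"""Flag IIS W3C log entries that look like the Unicode / double-decode
traversal requests on the slides.

Added example; not part of the original deck and not Microsoft code. The log
lines below are constructed. Field order is taken from the log's own
'#Fields:' directive, so other IIS field layouts parse as well.
"""
import re
from urllib.parse import unquote

# Overlong UTF-8 sequences that old IIS decoded into '/' and '\' after its
# ".." check had already passed (MS00-078). Only the two best known forms are
# listed; a production rule set would carry every variant.
OVERLONG = {"%c0%af": "/", "%c1%9c": "\\"}
OVERLONG_RE = re.compile("|".join(re.escape(k) for k in OVERLONG), re.I)
# Executables the slides show being reached or planted through the hole
SENSITIVE = re.compile(r"/(cmd\.exe|root\.exe|idq\.dll)$", re.I)


def canonicalise(stem):
    """Decode a request path the way a vulnerable IIS ends up interpreting it."""
    path = OVERLONG_RE.sub(lambda m: OVERLONG[m.group(0).lower()], stem)
    # decode twice so that %255c-style double encoding (MS01-026) is exposed
    path = unquote(unquote(path, errors="replace"), errors="replace")
    return path.replace("\\", "/")


def inspect_request(stem):
    """Return the reasons a request path is suspicious (empty list = clean)."""
    reasons = []
    if OVERLONG_RE.search(stem):
        reasons.append("overlong-utf8")
    once = unquote(stem, errors="replace")
    if unquote(once, errors="replace") != once:
        reasons.append("double-encoding")
    path = canonicalise(stem)
    if ".." in path.split("/"):
        reasons.append("traversal")
    if SENSITIVE.search(path):
        reasons.append("sensitive-target")
    return reasons


def scan_log(lines):
    """Parse W3C extended log lines; return (client ip, status, stem, reasons) per hit."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # e.g. date time c-ip cs-method cs-uri-stem ...
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        stem = rec.get("cs-uri-stem", "")
        reasons = inspect_request(stem)
        if reasons:
            hits.append((rec.get("c-ip"), rec.get("sc-status"), stem, reasons))
    return hits


# Constructed IIS 5.0 log excerpt: one client browsing normally, one probing
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-03-01 10:15:20 10.0.0.5 GET /default.asp - 200
2004-03-01 10:15:22 10.0.0.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2004-03-01 10:15:25 10.0.0.9 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2004-03-01 10:15:30 10.0.0.9 GET /scripts/root.exe /c+dir 200
2004-03-01 10:16:01 10.0.0.5 GET /images/logo%20small.gif - 200
2004-03-01 10:16:40 10.0.0.9 GET /scripts/idq.dll - 500
""".splitlines()


def run_sample():
    return scan_log(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, status, stem, reasons in run_sample():
        print(f"{ip} {status} {stem}  <- {', '.join(reasons)}")
```

The status column matters when triaging: a 200 on a cmd.exe request means the traversal worked, while a 404 is a probe that failed. A request for /scripts/root.exe that succeeds is the clearest signal of all, because that file does not exist on a clean install and only appears after the copy step on slide 25.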
Slide 27
Backdoor Access
Create several user accounts
net user iisservice <pass> /ADD
net localgroup administrators iisservice /ADD
Add root shells on high end ports
Tiri is 3Kb in size
Add backdoors to ‘Run’ registry keys

Slide 28
System Alteration
Web page alteration
Information Theft
Enable services
Add VNC
Creating a Warez Server
net start msftpsvc
Check access
Upload file 1Mb in size
Advertise as a warez server

Slide 29
Audit Trail Removal
Many machines have auditing disabled
Main problems are IIS logs
DoS IIS before logs sync to disc
Erase logs from hard disc
Erasing Eventlog harder
IDS Systems
Network Monitoring at firewall

Slide 30
Preventing Attack
How to stop the attack from happening and how to limit the damage from crackers!
Slide 31
NetBIOS/SMB Services
NetBIOS Browsing Request [UDP 137]
NetBIOS Browsing Response [UDP 138]
NetBIOS Communications [TCP 135]
CIFS [TCP 139, 445 UDP 445]
Port 445 Windows 2000 only
Block ports at firewall
netstat -A

Slide 32
NetBIOS/SMB Services…
To disable NetBIOS:
1. Select ‘Disable NetBIOS’ in the WINS tab of advanced TCP/IP properties.
2. Deselect ‘File and Print sharing’ in the advanced settings of the ‘Network and Dial-up connections’ window

Slide 33
NetBIOS/SMB Services…
Disable Null Authentication
HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous
REG_DWORD set to 0, 1 or 2!
HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\RestrictAnonymous
REG_DWORD set to 0 or 1
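Checking these values by hand on every server does not scale, and the same export can be used to review the ‘Run’ keys that slide 27 names as a backdoor location. The following Python script is an added example (not part of the slides and not Microsoft code) that parses the text of a `reg export` (.reg) file, reports the two RestrictAnonymous values from slide 33 and lists Run-key entries that start programs from outside the usual system directories. The sample export is constructed, the trusted-directory list is a heuristic assumed for the example, and the SecurePipeServers\RestrictAnonymous path is used exactly as the slide gives it.

```python
"""Audit a registry export (.reg text) for the null-session settings on
slide 33 and the 'Run' keys mentioned on slide 27.

Added example; not part of the original deck and not Microsoft code. Feed it
the text of a `reg export` file after decoding it from UTF-16 (the sample
below is constructed). The SecurePipeServers\RestrictAnonymous path is used
exactly as the slide gives it; the trusted-directory list is a heuristic
assumed for this example.
"""
import re

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
PIPE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
)
# Directories from which Run entries are normally expected (assumption; tune per build)
TRUSTED_DIRS = (r"c:\winnt", r"c:\windows", r"c:\program files")

VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Parse .reg text into {key path (lower case): {value name: (type, data)}}."""
    keys, current = {}, None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        while line.endswith("\\"):              # hex data wraps with a trailing backslash
            line = line[:-1] + next(lines, "").strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name = "(default)" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = ("REG_SZ", _unescape(data[1:-1]))
        elif data.lower().startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(data[6:], 16))
        else:
            keys[current][name] = ("RAW", data)   # hex:, hex(2): etc. kept verbatim
    return keys


def audit(keys):
    """Return (severity, message) findings for the settings the slides cover."""
    findings = []
    ra = keys.get(LSA_KEY.lower(), {}).get("RestrictAnonymous", ("REG_DWORD", 0))[1]
    if ra == 0:
        findings.append(("HIGH", "LSA RestrictAnonymous is 0: null sessions can list users, groups and shares"))
    elif ra == 1:
        findings.append(("MEDIUM", "LSA RestrictAnonymous is 1: account enumeration blocked, other anonymous access still allowed"))
    pipe = keys.get(PIPE_KEY.lower(), {}).get("RestrictAnonymous", ("REG_DWORD", 0))[1]
    if pipe == 0:
        findings.append(("MEDIUM", "SecurePipeServers RestrictAnonymous is 0 or absent"))
    for key in RUN_KEYS:
        short = key.rsplit("\\", 1)[-1]
        for name, (_, data) in keys.get(key.lower(), {}).items():
            command = str(data).lower().lstrip('"')
            if not command.startswith(TRUSTED_DIRS):
                findings.append(("REVIEW", f"{short} entry '{name}' starts a program outside the system directories: {data}"))
    return findings


def audit_text(text):
    return audit(parse_reg(text))


# Constructed export: null sessions unrestricted, one Run entry from a temp directory
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000
"Bounds"=hex:00,30,00,00,\
  00,20,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers]
"RestrictAnonymous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="c:\\winnt\\system32\\mobsync.exe /logon"
"Updater"="c:\\temp\\updater.exe"
"""

if __name__ == "__main__":
    for severity, message in audit_text(SAMPLE_REG):
        print(f"[{severity}] {message}")
```

Exports written by `reg export` are UTF-16 with a byte order mark, so read the file with that encoding before passing the text in. Key paths are compared case-insensitively because the registry itself is, which is also why the slide's `LSA` and an export's `Lsa` match.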
Slide 34
Operating System Patching
Operating Systems do contain bugs, and patches are a common method of distributing these fixes.
A patch or hot fix usually contains a fix for one discovered bug.
Service packs contain multiple patches or hotfixes.

Slide 35
Operating System Patching…
Only install patches after you have tested them in a development environment.
Only install patches obtained direct from the vendor.
Install security patches as soon as possible after release.
Install feature patches as and when needed.
Automate patch collection and installation as much as possible (QChain).

Slide 36
Operating System Patching…
Use automated patching technology:
SUS – Microsoft Software Update Service
SMS – Microsoft Systems Management Server
Ghost – Symantec imaging software.
And other application deployment software:
Lights out Distribution
Deferred installation

Slide 37
IPSec
IP security
Linux Connectivity using FreeS/WAN
Mainly for wireless use
WEP encryption cracked
URL: http://www.freeswan.org/
URL: http://airsnort.sourceforge.net/

Slide 38
Well Known Worms
Nimda – Directory Traversal (Unicode Exploit)
Slammer – MS SQL Server transaction control
Blaster – MS Port 135 DCom vulnerabilities
Sasser – MS Port 445 vulnerabilities
Slide 39
Incident Response
What to do when something does go wrong!

Slide 40
Incident Response…
Don’t Panic!
Unplug the network
Get a notebook
Back-up the system and keep the Back-ups
Restrict use of email
Look for information
Investigate the cause
Request help and assistance.

Slide 41
Incident Response…
Important to return to service swiftly
– Do not jeopardize security
– If in doubt, re-build
– Perform forensics on a backup
Keep documentation and evidence
Contact local CERT if investigation proves non worm/script kiddie activity.
Slide 42
Further Reading
Garfinkel, S. Web Security & Commerce. O’Reilly [ISBN 1-56592-269-7]
Hassler, V. Security Fundamentals for E-Commerce. Artech House [ISBN 1-58053-108-3]
Huth, M R A. Secure Communicating Systems. Cambridge Uni Press [ISBN 0-52180-731-X]
Schneier, B. Secrets & Lies (Digital Security in a Networked World) [ISBN 0-47125-311-1]

Slide 43
Useful Books, Tools and URLs
Securing Windows NT/2000 Servers for the Internet. (Stefan Norberg.)
Incident Response. (Kenneth R. van Wyk, Richard Forno.)
Hacking Exposed: Network Security Secrets & Solutions. (Stuart McClure et al)
Hacking Exposed Windows 2000: Network Security Secrets and Solutions. (Scambray.)

Slide 44
Useful Books, Tools and URLs
Microsoft Security Website: http://www.microsoft.com/security/
Computer Security Incident Response Team: http://www.cert.org/csirts/csirt_faq.html
JANET CERT: http://www.ja.net/cert/
Bugtraq Mailing List: http://online.securityfocus.com/