Slide 1
Hacking Exposed 7: Network Security Secrets & Solutions
Chapter 4: Hacking Windows
Slide 2
Hacking Windows
  Unauthenticated attacks
  Authenticated attacks
  Windows security features
Slide 3
Prelude
  Vulnerabilities
    Trivially exploited configuration vulnerabilities: NetBIOS null sessions, simple IIS buffer overflows
    More complex ones: heap exploits, end-user attacks through Internet Explorer
  Areas of focus: network services, kernel drivers, applications
  Factors of risk: popularity and complexity
    Popular Windows vulnerabilities: Code Red, Nimda, Slammer, Blaster, Netsky, Gimmiv, etc.
    NT 3.51 to Windows 7: tenfold growth in code size
  New security-related features: reduced default network services, host firewall enabled by default, User Account Control (UAC), etc.
Slide 4
Unauthenticated Attacks: Authentication Spoofing
  Remote password guessing
    Main targets: Server Message Block (SMB) on TCP 445 and 139, Microsoft Remote Procedure Call (MSRPC) on TCP 135, Terminal Services (TS) on TCP 3389, SQL on TCP 1433 and UDP 1434, SharePoint (SP) over HTTP on TCP 80 and HTTPS on TCP 443, etc.
    Automatic guessing on the CLI: FOR and net use with a username/password file (see virus.org/default-password), enum, Brutus, THC Hydra, Venom
    Automatic guessing on the GUI of Terminal Services/Remote Desktop Services: TSGrinder, Rdesktop after a patch adding brute-force capabilities
Slide 5
Unauthenticated Attacks: Password-Guessing Countermeasures
  Network firewall to restrict access to potentially vulnerable services/ports
  Host firewall (“Windows Firewall”)
  Disable unnecessary services
  Enforce a strong password policy
  Set an account-lockout threshold
  Log and analyze account logon failures: Dumpel, DumpEvt, Event Comb, ELM Log Manager
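An added example for the last two countermeasures, not from the slides or the book: a small detector that reads constructed, simplified failed-logon records (event ID 4625 is the Vista/2008-and-later "account failed to log on" audit event, 4624 the successful logon) and flags, per source address, a burst against one account that reaches the lockout threshold, a spray across many accounts, and a success that follows a burst of failures. The record format, the sample data and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample records (not real logs): "timestamp event_id account source_ip".
# 4625 = "An account failed to log on", 4624 = logon succeeded (Vista/2008 and later).
SAMPLE_EVENTS = """\
2024-03-01T09:00:01 4625 alice 10.0.0.5
2024-03-01T09:00:02 4625 bob 10.0.0.5
2024-03-01T09:00:03 4625 carol 10.0.0.5
2024-03-01T09:00:04 4625 dave 10.0.0.5
2024-03-01T09:00:05 4625 erin 10.0.0.5
2024-03-01T09:10:00 4625 admin 10.0.0.9
2024-03-01T09:10:01 4625 admin 10.0.0.9
2024-03-01T09:10:02 4625 admin 10.0.0.9
2024-03-01T09:10:03 4625 admin 10.0.0.9
2024-03-01T09:10:04 4625 admin 10.0.0.9
2024-03-01T09:10:09 4624 admin 10.0.0.9
"""

def parse_events(text):
    """Parse records into sorted (time, event_id, account, source) tuples; skip junk."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1].isdigit():
            ts, eid, user, src = parts
            events.append((datetime.fromisoformat(ts), int(eid), user, src))
    return sorted(events)

def find_guessing(events, window=timedelta(minutes=5), lockout=5, spray=5):
    """Per source IP, flag within a sliding window: 'brute_force' (>= lockout failures on one
    account), 'spray' (>= spray accounts failing), 'success_after_failures' (4624 after a burst)."""
    by_src = defaultdict(list)
    for ts, eid, user, src in events:
        by_src[src].append((ts, eid, user))
    findings = set()  # a set, because overlapping windows re-find the same pattern
    for src, items in by_src.items():
        for i, (t0, _, _) in enumerate(items):
            burst = [(e, u) for t, e, u in items[i:] if t - t0 <= window]
            per_user, seen_fail = defaultdict(int), 0
            for e, u in burst:
                if e == 4625:
                    seen_fail += 1
                    per_user[u] += 1
                    if per_user[u] >= lockout:   # assumed threshold; use the real policy value
                        findings.add(("brute_force", src, u))
                elif e == 4624 and seen_fail >= lockout:
                    findings.add(("success_after_failures", src, u))
            if len(per_user) >= spray:
                findings.add(("spray", src, None))
    return sorted(findings, key=str)
```

Set lockout to the domain's actual account-lockout threshold so the detector fires at the same point the lockout would, and treat success_after_failures as the finding to chase first.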
Slide 6
Unauthenticated Attacks: Eavesdropping on Network Password Exchange
  Three authentication protocols: LM (LAN Manager, hash-based), NTLM (RC4 encryption), Kerberos (private-key encryption, optionally public-key)
  Attack tools: Cain, LCP, L0phtcrack, KerbSniff
  Sniffing, brute-force cracking, dictionary cracking, rainbow cracking (from a valid account)
  To sniff on a switched network: ARP spoofing/poisoning to redirect traffic through the attacker
Slide 7
Unauthenticated Attacks: Windows Authentication Sniffing Countermeasures
  Disable LM authentication
  Pick good passwords (password complexity features); no dictionary passwords
  Use public key encryption
  Use built-in Windows IPsec to authenticate and encrypt traffic
Slide 8
Unauthenticated Attacks: Man-in-the-Middle (MITM) Attacks
  Relay a legitimate client authentication exchange and gain access to the server as the client
  SMBRelay: harvest usernames and password hashes from SMB traffic and import them into cracking tools
  ARP spoofing and DNS redirection: force victims to connect and authenticate to malicious SMB servers
  Tools: Cain, Squirtle, SMBRelay3
    Cain: redirects local traffic to itself with ARP spoofing, then downgrades clients to easier authentication dialects (sniffed, unencrypted, recorded)
  MITM countermeasures
    Authenticate and encrypt connections between clients and servers: IPsec in Windows Firewall
    Disable NetBIOS Name Services
Slide 9
Unauthenticated Attacks: Pass-the-Hash
  Use the LM and/or NTLM hash of a user's password
  No need to crack/brute-force the hash to a cleartext password
  Replay it to gain authorized access
  Limitations: not all functionality of the protocol is implemented
  Dump/modify NTLM credentials stored in memory and replay them: Windows Credentials Editor (WCE)
  Pass the ticket for Kerberos: WCE can dump Windows Kerberos tickets and reuse them
Slide 10
Unauthenticated Attacks: Remote Unauthenticated Exploits
  Flaws or misconfigurations in Windows software itself: TCP/UDP services, driver interfaces, user-mode applications (MS Office, Internet Explorer, Adobe Acrobat Reader)
  Metasploit Framework plus an archive of exploit modules
    Locate/search the exploit module
    Customize exploit parameters (vendor and model of the victim software), payloads (remote command shell, users, injecting prebuilt code), and options (target IP address, IDS evasion, etc.)
  Network service exploit countermeasures: patch, apply available workarounds, log and respond
Slide 11
Unauthenticated Attacks: End-User Application Exploits
  End users: less professional about security; a poorly managed, rich software ecosystem
  Adobe Flash Player in the browser: display of rich media and animated content over the Internet
  Metasploit (search with "adobe flash")
  Countermeasures: personal firewall, network firewall, patching, antivirus, Internet options in Control Panel, least privilege, read email in plaintext, configure very high macro security, don't be gullible, secure devices physically
Slide 12
Unauthenticated Attacks: Device Driver Exploits
  Windows wireless: within physical proximity of a rogue access point beaconing malicious packets
  Plug and play (compatibility): a vast sea of drivers
  Execution in highly privileged kernel mode: total compromise
  Metasploit exploit modules: e.g. oversized wireless beacon frame remote code execution
  Countermeasures: patch, turn wireless off in high concentrations of APs, driver signing (trusted signatures on kernel-mode software), User-Mode Driver Framework (UMDF)
Slide 13
Authenticated Attacks: Privilege Escalation
  Privilege escalation: from a user account to admin/SYSTEM privilege
    Getadmin family of exploits: DLL injection
    Interactively logged-on accounts escalating privileges
    From Administrator to SYSTEM privilege: at (Windows Scheduler service) or psexec (remotely)
  Preventing privilege escalation
    Patch your Windows
    Restrict interactive logon privileges: run the Security Policy applet, Local Policies > User Rights Assignment > Deny log on locally
Slide 14
Authenticated Attacks: Extracting Passwords
  Extracting and cracking passwords
  From administrator, post-exploit activities: gather more usernames and passwords, disable the Windows firewall
  Grabbing password hashes
    Stored in the Windows Security Accounts Manager (SAM) for local users, and in Active Directory on Windows 2000 and domain controllers (DCs) for domain accounts
    pwdump/pwdump2-6, fgdump, and automated remote hash extraction (LSA cache dumping, protected store enumeration) use DLL injection to insert themselves into a privileged running process and extract password hashes
    pwdump countermeasures: no defense once the attacker has admin and DLL injection
Slide 15
Authenticated Attacks: Cracking Passwords
  Hashing: one-way encipherment
  Offline password guessing: run the hashing algorithm over a list of possible values (e.g. a dictionary) and compare with the hashed password from pwdump; a match means cracked
    Account lockout is not an issue
  Weak hash algorithm
    Stronger hashing vs. salting (a random value that prevents precomputed hash tables, rainbow tables, from speeding up cracking)
  Smart guessing: dictionary, brute-force, precomputed hash tables
    Project Rainbow Crack: precomputed LM hash table for $120, 24GB on 6 DVDs
  Tools
    CLI: John The Ripper Jumbo
    GUI: LCP, Cain (dictionary, brute-force, LM/NTLM hashes, sniffed, rainbow tables), Ophcrack, L0phtcrack, Elcomsoft
  Processing time
  Entropy ~ unpredictability
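An added example, not from the slides or the book, of the table-versus-salt point above: a precomputed table is built once and then cracks every unsalted hash by lookup, while a per-user random salt forces a fresh pass over the wordlist for every user. SHA-256 stands in for the hash (LM and NTLM are unsalted, which is why the slide's precomputed LM table is worth buying); the wordlist, users and passwords are constructed.

```python
import hashlib
import os

# SHA-256 stands in for the password hash: the lesson is table reuse versus salt,
# not the algorithm. LM and NTLM hashes are unsalted, so one precomputed table
# like the one on the slide pays for itself across every dump it is used on.
def hash_password(password, salt=b""):
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()

# Constructed wordlist standing in for a dictionary / table keyspace.
WORDLIST = ["password", "letmein", "Summer2024", "qwerty", "admin123", "welcome1"]

def build_table(words):
    """One-time precomputation, hash -> password: the lookup-table form of a rainbow
    table (real ones compress this with hash chains; the economics are the same)."""
    return {hash_password(w): w for w in words}

def crack_unsalted(targets, table):
    """Unsalted hashes fall to pure lookups: no new hash computation per target."""
    return {user: table.get(h) for user, h in targets.items()}

def crack_salted(targets, words):
    """With a per-user salt the table is useless; every (user, salt) pair needs a
    fresh pass over the wordlist. Returns (results, hash computations performed)."""
    results, work = {}, 0
    for user, (salt, h) in targets.items():
        results[user] = None
        for w in words:
            work += 1
            if hash_password(w, salt) == h:
                results[user] = w
                break
    return results, work

def demo():
    """Constructed 'dumped' hashes for three users, first unsalted and then salted."""
    passwords = {"alice": "letmein", "bob": "Summer2024", "carol": "N0t-in-the-list"}
    unsalted = {u: hash_password(p) for u, p in passwords.items()}
    table = build_table(WORDLIST)            # len(WORDLIST) hashes, computed once
    found = crack_unsalted(unsalted, table)  # zero further hashing for any number of users
    salted = {}
    for u, p in passwords.items():
        salt = os.urandom(8)                 # random per-user salt, as the slide describes
        salted[u] = (salt, hash_password(p, salt))
    found_salted, work = crack_salted(salted, WORDLIST)  # work grows with users x wordlist
    return found, found_salted, work
```

The same two passwords fall either way; what the salt changes is that the attacker's precomputation cannot be amortized across users or across dumps.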
Slide 16
Authenticated Attacks: Dumping Cached Passwords
  Local Security Authority (LSA) Secrets cache: service account passwords in plaintext, cached password hashes of the last ten logon users, FTP/Web user plaintext passwords, remote access service (RAS) dial-up accounts and passwords, etc.
  LSADump2 (like pwdump2, with DLL injection): finds the PID of LSASS, injects itself, grabs the LSA Secrets
  Cain (with a built-in LSA Secrets extractor), gsecdump
  CacheDump, MS-Cache Hashes, WCE
  Password cache dumping countermeasures
    LSA hotfix with encryption: but circumvented by lsadump2 via DLL injection
    Avoid getting admin-ed in the first place
    Change the Registry value
Slide 17
Authenticated Attacks: Dumping Hashes Stored in Memory
  Windows Credentials Editor (WCE)
    In memory: usernames, domain names, and password hashes of users logged on interactively, locally or remotely
    Cached credentials
  Dumping hashes stored in memory countermeasures
    No silver bullet
    Keep the security of ALL members: a compromised server means a compromised domain
    Avoid RDP to unknown systems
    Avoid granting admin privileges
Slide 18
Authenticated Attacks: Remote Control and Back Doors
  Back doors: services enabling remote control
  Command-line remote control tools
    netcat/nc (TCP/IP Swiss army knife): configured to listen on a port and launch an executable when connected
    psexec (SMB on TCP 139 or 445) and at
    Metasploit Framework: a large array of backdoor payloads to spawn command-line shells bound to listening ports, etc.
  Graphical remote control tools
    Terminal Services on TCP 3389
    Virtual Network Computing (VNC)
Slide 19
Authenticated Attacks: Port Redirection
  Fpipe: a TCP source port forwarder/redirector
  Scenario: a compromised system running a telnet server behind a firewall that blocks port 23 (telnet) but allows port 53 (DNS)
    Fpipe is started with a listening server port of 53 and redirects to port 23
    The stream is forced by Fpipe to use source port 53 to pass the firewall
Slide 20
Authenticated Attacks: Covering Tracks
  Disabling auditing: auditpol
  Clearing the event log: elsave
  Hiding files: attrib, Alternate Data Streams (ADS)
  Rootkits: post-exploit kits used after gaining root privilege
Slide 21
General Countermeasures to Authenticated Compromise
  Filenames: look for suspicious or hidden file names; use antimalware software
  Registry keys: look for rogue registry keys (most applications look for specific values in specific locations); reg delete to remove them
  Processes: malicious processes with CPU utilization; kill to stop them; check the scheduler queue: at, schtasks, Task Scheduler
  Ports: identify a renamed netcat listener (back door) with netstat -an
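An added example, not from the slides or the book, for the "Ports" item above that also covers the Fpipe scenario on slide 19: it parses constructed netstat -an output, compares the TCP listeners with an assumed per-host baseline (a host that should expose only MSRPC, SMB and Terminal Services), and reports everything else, calling out a TCP 53 listener on a non-DNS host, which is what a port-53 redirector looks like from the inside. The sample output, the baseline and the triage hints are assumptions.

```python
import re

# Constructed sample of "netstat -an" output from a Windows host (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  TCP    10.0.0.2:445           10.0.0.9:51234         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Assumed baseline for this host role: only MSRPC, SMB and Terminal Services listen.
# Build one per role from a known-good system, never from the box under investigation.
BASELINE_TCP_LISTENERS = {135, 445, 3389}

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")

def parse_netstat(text):
    """Return (proto, local_addr, local_port, foreign, state) rows; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, addr, port, foreign, state = m.groups()
            rows.append((proto, addr, int(port), foreign, state))
    return rows

def unexpected_listeners(rows, baseline=BASELINE_TCP_LISTENERS):
    """TCP listeners outside the baseline, each with a triage hint for the reviewer."""
    findings = []
    for proto, addr, port, _, state in rows:
        if proto != "TCP" or state != "LISTENING" or port in baseline:
            continue
        if port == 53:
            hint = "TCP 53 on a non-DNS host: a port redirector riding DNS through the firewall?"
        elif port >= 1024:
            hint = "unregistered high port: find the owning process (netstat -ano) and check for a renamed netcat"
        else:
            hint = "privileged port outside the baseline: identify the service"
        findings.append((addr, port, hint))
    return findings
```

On Windows, netstat -ano adds the owning PID, which is what ties a suspect listener back to the process list checked in the previous item.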
Slide 22
Windows Security Features (1/3)
  Windows Firewall: an “exception” metaphor for permitted applications; all inbound connections are blocked by default
  Automated Updates
  Security Center: for consumers, not IT pros
  Security Policy and Group Policy: for a stand-alone computer and for large numbers of systems
  Microsoft Security Essentials: antimalware with real-time protection, system scanning and cleaning, rootkit protection, network inspection, automatic updates
  The Enhanced Mitigation Experience Toolkit: manages mitigation technologies in Windows such as DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization)
Slide 23
Windows Security Features (2/3)
  BitLocker and the Encrypting File System
    EFS (Encrypting File System): the symmetric key is itself encrypted with the user's public key and stored as an attribute of the file; the symmetric key is decrypted with the private key before the file is decrypted
    BDE (BitLocker Drive Encryption): encrypts entire volumes and stores the key securely
    Cold boot attack: cool the DRAM chips to increase the time before the key is flushed from volatile memory
    Countermeasures: separate the key physically, removable external module
  Windows Resource Protection (WRP): protects files and registry values from modification by ACL
  Integrity levels: Mandatory Integrity Control (MIC): actions - privileges
Slide 24
Windows Security Features (3/3)
  Data Execution Prevention (DEP): marks portions of memory non-executable to prevent buffer overflow attacks
  Windows service hardening: service resource isolation, least-privilege services, service refactoring, restricted network access, session 0 isolation
  Compiler-based enhancements: compile-time, under-the-hood features, not configurable by admins or users: buffer security check (GS), ASLR, SafeSEH
Slide 25
Summary
  Center for Internet Security (CIS): free Microsoft security configuration benchmarks and scoring tools at www.cisecurity.org
  Another book: Hacking Exposed Windows
  New Microsoft security tools and best practices at microsoft.com/security
  Don't forget exposures from other Microsoft products, e.g. SQL vulnerabilities
  Applications are far more vulnerable than the OS: Hacking Exposed Web Applications
  Minimization equals higher security: disable file, print, and other unnecessary services; use Windows Firewall
  Protect Internet-facing servers
  Keep up to date with service packs and security patches
  Limit interactive logon privileges and escalation
  Use Group Policy to create and distribute configurations
  Enforce physical security against offline attacks
  Subscribe to security publications and online resources