Hacking Exposed 7 - PowerPoint Presentation
Uploaded by cheryl-pisano on 2016-08-02
Presentation Transcript

Slide 1

Hacking Exposed 7: Network Security Secrets & Solutions
Chapter 4: Hacking Windows

Slide 2

Hacking Windows
Unauthenticated attacks
Authenticated attacks
Windows security features

Slide 3

Prelude
Vulnerabilities
  Trivially exploited configuration vulnerabilities: NetBIOS null sessions, simple IIS buffer overflows
  More complex ones: heap exploits, end-user attacks through Internet Explorer
Areas of focus: network services, kernel drivers, applications
Factors of risk: popularity and complexity
  Popular Windows vulnerabilities: Code Red, Nimda, Slammer, Blaster, Netsky, Gimmiv, etc.
  NT 3.51 to Windows 7: a tenfold increase in code size
New security-related features: reduced default network services, host firewall enabled by default, User Account Control (UAC), etc.

Slide 4

Unauthenticated Attacks: Authentication Spoofing
Remote password guessing
  Main targets: Server Message Block (SMB) on TCP 445 and 139, Microsoft Remote Procedure Call (MSRPC) on TCP 135, Terminal Services (TS) on TCP 3389, SQL Server on TCP 1433 and UDP 1434, SharePoint (SP) over HTTP on TCP 80 and HTTPS on TCP 443, etc.
  Automated guessing on the CLI: a FOR loop around net use driven by a username/password file (see the default-password list at virus.org); enum, Brutus, THC Hydra, Venom
  Automated guessing against the GUI of Terminal Services/Remote Desktop Services: TSGrinder, and rdesktop patched with brute-force capabilities

Slide 5

Unauthenticated Attacks: Password-Guessing Countermeasures
Network firewall to restrict access to potentially vulnerable services/ports
Host firewall (Windows Firewall)
Disable unnecessary services
Enforce a strong password policy
Set an account-lockout threshold
Log and analyze account logon failures: Dumpel, DumpEvt, Event Comb, ELM Log Manager
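A worked version of the last countermeasure, logging and analyzing logon failures, as an added example that is not code from the slides, the book, or the log tools they name. It assumes the failures arrive as Event ID 4625 (Vista and later) or 529 (NT/2000/XP) and successes as 4624/528, and the event lines, their "timestamp event_id account source_ip" layout, the hosts and the account names are all constructed for the demo. A single user fat-fingering a password twice in two minutes never trips the sliding-window threshold; a guessing script does within seconds, and a success from the same source right after its burst is the sign that a guess worked.

```python
"""Spot password-guessing in Windows logon-failure events.

Added example, not from the slides or from Dumpel/DumpEvt/Event Comb/ELM.
Assumed event IDs: 4625 or 529 = failed logon, 4624 or 528 = successful logon.
The sample events and the one-line-per-event layout are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_IDS = {"4625", "529"}
SUCCESS_IDS = {"4624", "528"}

# Constructed sample log: a script hammering three accounts from 10.0.0.77,
# then logging in as sqlsvc; a real user (10.0.0.5) mistyping twice.
SAMPLE_EVENTS = """\
2016-08-02T09:00:01 4625 administrator 10.0.0.77
2016-08-02T09:00:03 4625 administrator 10.0.0.77
2016-08-02T09:00:04 4625 administrator 10.0.0.77
2016-08-02T09:00:06 4625 backup 10.0.0.77
2016-08-02T09:00:07 4625 backup 10.0.0.77
2016-08-02T09:00:09 4625 sqlsvc 10.0.0.77
2016-08-02T09:00:11 4625 sqlsvc 10.0.0.77
2016-08-02T09:00:12 4624 sqlsvc 10.0.0.77
2016-08-02T09:00:30 4625 jsmith 10.0.0.5
2016-08-02T09:02:15 4625 jsmith 10.0.0.5
2016-08-02T09:02:20 4624 jsmith 10.0.0.5
"""


def parse_events(text):
    """Return a time-sorted list of (timestamp, event_id, account, source_ip)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, src = line.split()
        events.append((datetime.fromisoformat(ts), event_id, account, src))
    return sorted(events)


def find_guessing_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Flag every source with >= threshold failures inside a sliding window.

    Returns {source_ip: {"first": ts, "count": peak failures in one window,
    "accounts": set of targeted accounts, "success_after_burst": [accounts]}}.
    """
    recent = defaultdict(deque)  # source_ip -> failures still inside the window
    alerts = {}
    for ts, event_id, account, src in events:
        if event_id in FAILURE_IDS:
            q = recent[src]
            q.append((ts, account))
            while ts - q[0][0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(src, {"first": q[0][0], "count": 0,
                                            "accounts": set(),
                                            "success_after_burst": []})
                a["count"] = max(a["count"], len(q))
                a["accounts"].update(acct for _, acct in q)
        elif event_id in SUCCESS_IDS and src in alerts:
            # a logon that succeeds from a source already flagged: a guess landed
            alerts[src]["success_after_burst"].append(account)
    return alerts


if __name__ == "__main__":
    for src, alert in find_guessing_bursts(parse_events(SAMPLE_EVENTS)).items():
        print(src, alert)
```

The threshold and window are the knobs to align with the account-lockout policy: an attacker who guesses just under the lockout threshold per account but rotates through many accounts (as the sample does) still shows up because the count is kept per source, not per account.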

Slide 6

Unauthenticated Attacks: Eavesdropping on Network Password Exchange
Three authentication protocols: LM (LAN Manager) challenge/response based on the LM hash, NTLM (RC4-based), Kerberos (symmetric secret-key encryption, with optional public-key use)
Attack tools: Cain, LCP, L0phtcrack, KerbSniff
Sniffing, brute-force cracking, dictionary cracking, rainbow-table cracking (from a valid account)
To sniff on a switched network: ARP spoofing/poisoning to redirect traffic through the attacker

Slide 7

Unauthenticated Attacks: Windows Authentication Sniffing Countermeasures
Disable LM authentication
Pick good passwords (use the password-complexity features)
No dictionary passwords
Use public-key encryption
Use the built-in Windows IPsec to authenticate and encrypt traffic

Slide 8

Unauthenticated Attacks: Man-in-the-Middle (MITM) Attacks
Relay a legitimate client's authentication exchange and gain access to the server as that client
SMBRelay: harvest usernames and password hashes from SMB traffic and import them into cracking tools
ARP spoofing and DNS redirection: force victims to connect and authenticate to malicious SMB servers
Tools: Cain, Squirtle, SMBRelay3
Cain: redirects local traffic to itself with ARP spoofing, then downgrades clients to easier authentication dialects (sniffed, unencrypted, recorded)
MITM countermeasures
  Authenticate and encrypt connections between clients and servers (IPsec in Windows Firewall)
  Disable NetBIOS Name Service

Slide 9

Unauthenticated Attacks: Pass-the-Hash
Use the LM and/or NTLM hash of a user's password directly
No need to crack/brute-force the hash back to the cleartext password
Replay the hash to gain authorized access
Limitations: not all functionality of the protocol is implemented in the attack tools
Dump/modify NTLM credentials stored in memory and replay them: Windows Credentials Editor (WCE)
Pass-the-ticket for Kerberos: WCE dumps Windows Kerberos tickets and reuses them
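The SMB relay of the previous slide and the pass-the-hash replay above, simulated in one added example that is not code from the slides, the book, or the tools they name (SMBRelay, Cain, WCE). It follows the NTLMv2 challenge/response computation from MS-NLMP on the standard library's HMAC-MD5, with a simplified blob (no target-info fields); the server, the victim workstation, the account names and the fixed timestamp are constructed, and the NT hash is the well-known NT hash of the string "password". Because the server stores only the NT hash and the proof is keyed by that hash, anyone holding the hash answers a challenge without ever knowing the password; and because the proof is bound to the server's challenge, a sniffed response cannot simply be replayed, which is why the relay has to forward a live challenge.

```python
"""NTLMv2 challenge/response, SMB relay and pass-the-hash, simulated in one process.

Added example (not from the slides, the book or the tools they name).
NTLMv2 per MS-NLMP with a simplified blob; names, timestamp and the
"server" are constructed. NT hash below is the well-known hash of "password".
"""
import hashlib
import hmac
import os
import struct

NT_HASH_OF_PASSWORD = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
FIXED_TIMESTAMP = 0x01D1EC8000000000  # constructed FILETIME value


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) || domain))."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nt_hash, user, domain, server_challenge, client_challenge, timestamp=FIXED_TIMESTAMP):
    """NTProofStr || blob, with NTProofStr = HMAC-MD5(NTOWFv2, server_challenge || blob)."""
    blob = (b"\x01\x01\x00\x00\x00\x00\x00\x00"   # blob signature + reserved
            + struct.pack("<Q", timestamp)
            + client_challenge                    # 8 random bytes chosen by the client
            + b"\x00\x00\x00\x00")                # reserved (target info omitted here)
    proof = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob


class Server:
    """The target: stores only NT hashes, like the SAM or Active Directory does."""

    def __init__(self, accounts):
        self.accounts = accounts      # (user, domain) -> NT hash
        self.outstanding = set()      # challenges issued but not yet answered

    def challenge(self):
        c = os.urandom(8)
        self.outstanding.add(c)
        return c

    def verify(self, user, domain, server_challenge, response):
        if server_challenge not in self.outstanding:
            return False              # unknown or already-consumed challenge
        self.outstanding.discard(server_challenge)
        nt_hash = self.accounts.get((user, domain))
        if nt_hash is None or len(response) < 16:
            return False
        proof, blob = response[:16], response[16:]
        expected = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()
        return hmac.compare_digest(proof, expected)


class Client:
    """Victim workstation: answers whatever server challenges it, using its NT hash."""

    def __init__(self, user, domain, nt_hash):
        self.user, self.domain, self.nt_hash = user, domain, nt_hash

    def respond(self, server_challenge):
        return ntlmv2_response(self.nt_hash, self.user, self.domain, server_challenge, os.urandom(8))


def legitimate_logon(server, client):
    c = server.challenge()
    return server.verify(client.user, client.domain, c, client.respond(c))


def pass_the_hash(server, user, domain, stolen_nt_hash):
    """The attacker never learned the password; the dumped hash alone answers the challenge."""
    c = server.challenge()
    return server.verify(user, domain, c, ntlmv2_response(stolen_nt_hash, user, domain, c, os.urandom(8)))


def smb_relay(server, victim):
    """SMBRelay-style MITM: the victim, redirected by ARP/DNS spoofing, authenticates to the
    attacker, who hands it the real server's live challenge and relays the answer back."""
    c = server.challenge()            # attacker opens a session to the real server
    answer = victim.respond(c)        # victim answers the attacker's fake server
    return server.verify(victim.user, victim.domain, c, answer)


def replay_sniffed_response(server, victim):
    """A response is bound to its challenge: a sniffed one fails against a fresh challenge."""
    c1 = server.challenge()
    sniffed = victim.respond(c1)
    server.verify(victim.user, victim.domain, c1, sniffed)   # the genuine session succeeds
    c2 = server.challenge()
    return server.verify(victim.user, victim.domain, c2, sniffed)
```

The countermeasures on the two slides map onto this model directly: SMB signing or IPsec binds the session to the parties so a relayed answer is useless, and not letting the hash sit in memory on machines an attacker can reach is the only defence against pass-the-hash, since the protocol itself cannot tell a hash holder from a password holder.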

Slide 10

Unauthenticated Attacks: Remote Unauthenticated Exploits
Flaws or misconfigurations in Windows software itself: TCP/UDP services, the driver interface, user-mode applications (MS Office, Internet Explorer, Adobe Acrobat Reader)
Metasploit Framework plus its archive of exploit modules
  Locate/search the exploit module
  Customize exploit parameters (vendor and model of the victim software), payloads (remote command shell, adding users, injecting prebuilt code), and options (target IP address, IDS evasion, etc.)
Network service exploit countermeasures: patch, apply the available workaround, log and respond

Slide 11

Unauthenticated Attacks: End-User Application Exploits
End users
  Less professional about security
  Poorly managed rich software ecosystem
Adobe Flash Player in the browser: displays rich media and animated content over the Internet
Metasploit (search for adobe flash)
Countermeasures: personal firewall, network firewall, patching, antivirus, Internet Options in Control Panel, least privilege, read email in plaintext, configure very high macro security, don't be gullible, secure devices physically

Slide 12

Unauthenticated Attacks: Device Driver Exploits
Windows wireless: a victim within physical proximity of a rogue access point beaconing malicious packets
Plug and Play (compatibility): a vast sea of drivers
Execution in highly privileged kernel mode: total compromise
Metasploit exploit modules: e.g. an oversized wireless beacon frame leading to remote code execution
Countermeasures: patch, turn wireless off where there is a high concentration of APs, driver signing (trusted signatures on kernel-mode software), User-Mode Driver Framework (UMDF)

Slide 13

Authenticated Attacks: Privilege Escalation
Privilege escalation: from a user account to Administrator/SYSTEM privilege
  Getadmin family of exploits: DLL injection
From Administrator to SYSTEM privilege: at (Windows Scheduler service) or psexec (remotely)
Preventing privilege escalation
  Patch your Windows
  Restrict interactive logon privileges; keep interactively logged-on accounts from escalating privileges
  Run the Security Policy applet: Local Policies > User Rights Assignment > Deny log on locally

Slide 14

Authenticated Attacks: Extracting Passwords
Extracting and cracking passwords: post-exploit activities once Administrator
  Gather more usernames and passwords
  Disable Windows Firewall
Grabbing password hashes
  Stored in the Windows Security Accounts Manager (SAM) for local users, and in Active Directory on Windows 2000 and later domain controllers (DCs) for domain accounts
  pwdump/pwdump2-6, fgdump, and automated remote hash extraction (LSA cache dumping, protected store enumeration)
  These tools use DLL injection to insert themselves into a privileged running process and extract the password hashes
pwdump countermeasures: no defense once the attacker has Administrator and DLL injection

Slide 15

Authenticated Attacks: Cracking Passwords
Hashing: one-way encipherment
Offline password guessing: run the hashing algorithm over a list of candidate values (e.g. a dictionary) and compare each result with the hashed password from pwdump; a match means cracked
  Account lockout is not an issue
Weak hash algorithm
  Stronger hashing vs. salting (a random value that prevents precomputed hash tables, i.e. rainbow tables, from speeding up cracking)
Smart guessing: dictionary, brute-force, precomputed hash tables
  Project Rainbow Crack: precomputed LM hash table for $120, 24 GB on 6 DVDs
Tools
  CLI: John the Ripper Jumbo
  GUI: LCP, Cain (dictionary, brute-force, LM/NTLM hashes, sniffed, rainbow tables), Ophcrack, L0phtcrack, Elcomsoft
Processing time
Entropy ~ unpredictability

Slide 16

Authenticated Attacks: Dumping Cached Passwords
Local Security Authority (LSA) Secrets cache
  Service account passwords in plaintext, cached password hashes of the last ten users to log on, FTP/web user plaintext passwords, Remote Access Service (RAS) dial-up accounts and passwords, etc.
LSADump2 (like pwdump2, with DLL injection): finds the PID of LSASS, injects itself, grabs the LSA Secrets
Cain (with a built-in LSA Secrets extractor), gsecdump
CacheDump, MS-Cache hashes, WCE
Password cache dumping countermeasures
  LSA hotfix with encryption: but circumvented by lsadump2 via DLL injection
  Avoid getting admin'ed in the first place
  Change the Registry value that controls how many logons are cached (CachedLogonsCount under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon)

Slide 17

Authenticated Attacks: Dumping Hashes Stored in Memory
Windows Credentials Editor (WCE)
  In memory: usernames, domain names and password hashes of users logged on interactively, locally or remotely
  Cached credentials
Countermeasures against dumping hashes stored in memory
  No silver bullet
  Keep ALL members of the domain secure: a compromised server means a compromised domain
  Avoid RDP to unknown systems
  Avoid granting admin privileges

Slide 18

Authenticated Attacks: Remote Control and Back Doors
Back doors: services enabling remote control
Command-line remote control tools
  netcat/nc (the TCP/IP Swiss army knife): configured to listen on a port and launch an executable when a connection arrives
  psexec (SMB on TCP 139 or 445) and at
  Metasploit Framework: a large array of backdoor payloads that spawn command-line shells bound to listening ports, etc.
Graphical remote control tools
  Terminal Services on TCP 3389
  Virtual Network Computing (VNC)

Slide 19

Authenticated Attacks: Port Redirection
Fpipe: a TCP source port forwarder/redirector
Scenario: a compromised system running a telnet server behind a firewall that blocks port 23 (telnet) but allows port 53 (DNS)
Fpipe is started with a listening port of 53 and redirects to port 23
The stream is forced by Fpipe to use source port 53 so that it passes the firewall
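The redirection just described, as an added example that is not Fpipe's own code: a listener accepts each connection and pipes it to a target host:port, optionally binding the outbound socket to a fixed source port, which is the trick that gets the stream past a filter that admits "DNS" traffic from port 53. Binding a port below 1024 needs administrative rights, so the self-contained demo uses ephemeral ports and a local echo server standing in for the telnet service; both, and the payload, are constructed here.

```python
"""Fpipe-style TCP port redirector (added example, not Fpipe itself).

start_redirector(listen_port, target, source_port) accepts connections and
pipes them to target, binding outbound sockets to source_port when given
(the effect of Fpipe's forced source port). The echo server stands in for
the telnet service behind the firewall; it is constructed for the demo.
"""
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then pass the EOF on to dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(client, target, source_port):
    """One redirected connection: dial the target, then pump both directions."""
    remote = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if source_port:
        remote.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        remote.bind(("", source_port))     # forced source port, e.g. 53
    remote.connect(target)
    back = threading.Thread(target=_pump, args=(remote, client), daemon=True)
    back.start()
    _pump(client, remote)
    back.join()
    client.close()
    remote.close()


def start_redirector(listen_port, target, source_port=0, bind_addr="127.0.0.1"):
    """Start listening in a background thread; return the port actually bound
    (useful when listen_port is 0 and the OS picks one)."""
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind((bind_addr, listen_port))
    ls.listen(5)

    def serve():
        while True:
            try:
                conn, _ = ls.accept()
            except OSError:
                return
            threading.Thread(target=_handle, args=(conn, target, source_port), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return ls.getsockname()[1]


def start_echo_server():
    """Constructed stand-in for the service behind the firewall; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def echo(conn):
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=echo, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def round_trip(port, payload: bytes) -> bytes:
    """Attacker side: connect to the redirector's listening port and collect the reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    service = start_echo_server()
    listener = start_redirector(0, ("127.0.0.1", service))
    print(round_trip(listener, b"hello through the redirector\r\n"))
```

In the slide's scenario the calls would be start_redirector(53, ("127.0.0.1", 23), source_port=53) on the compromised host; the defender's counter is to filter on state and direction rather than on port numbers alone, since nothing about the forwarded stream is DNS.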

Slide 20

Authenticated Attacks: Covering Tracks
Disabling auditing: auditpol
Clearing the event log: elsave
Hiding files: attrib, Alternate Data Streams (ADS)
Rootkits: post-exploit kits installed after gaining root (SYSTEM) privilege

Slide 21

General Countermeasures to Authenticated Compromise
Filenames: look for suspicious or hidden file names; use antimalware software
Registry keys: look for rogue registry keys (most applications look for specific values in specific locations); reg delete to remove them
Processes: a malicious process shows up by its CPU utilization; kill to stop it; check the scheduler queue (at, schtasks, Task Scheduler)
Ports: identify a renamed netcat listener (back door) with netstat -an

Slide 22

Windows Security Features (1/3)
Windows Firewall: "exception" metaphor for permitted applications; all inbound connections are blocked by default
Automated Updates
Security Center: for consumers, not IT pros
Security Policy and Group Policy: for a stand-alone computer and for large numbers of systems, respectively
Microsoft Security Essentials: antimalware with real-time protection, system scanning and cleaning, rootkit protection, network inspection, automatic updates
The Enhanced Mitigation Experience Toolkit (EMET): manages the mitigation technologies in Windows, DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization)

Slide 23

Windows Security Features (2/3)
BitLocker and the Encrypting File System
  EFS (Encrypting File System): the file is encrypted with a symmetric key; that key is itself encrypted with the user's public key and stored as an attribute of the file; to read the file, the symmetric key is first decrypted with the user's private key, then the file is decrypted
  BDE (BitLocker Drive Encryption): encrypts entire volumes and stores the key securely
    Cold boot attack: cool the DRAM chips to extend the time before the key is flushed from volatile memory
    Countermeasures: separate the key physically, e.g. a removable external module
Windows Resource Protection (WRP): protects files and registry values from modification via ACLs
Integrity levels: Mandatory Integrity Control (MIC) labels processes and objects with an integrity level, and a lower-integrity process cannot modify a higher-integrity object regardless of the privileges its account holds

Slide 24

Windows Security Features (3/3)
Data Execution Prevention (DEP): marks portions of memory non-executable so that a buffer overflow cannot run injected code
Windows service hardening: service resource isolation, least-privilege services, service refactoring, restricted network access, session 0 isolation
Compiler-based enhancements: compile-time, under-the-hood features not configurable by admins or users: buffer security check (/GS), ASLR, SafeSEH

Slide 25

Summary
Center for Internet Security (CIS): free Microsoft security configuration benchmarks and scoring tools at www.cisecurity.org
Another book: Hacking Exposed Windows
New Microsoft security tools and best practices at microsoft.com/security
Don't forget exposures from other Microsoft products, e.g. SQL Server vulnerabilities
Applications are far more vulnerable than the OS: see Hacking Exposed Web Applications
Minimization equals higher security: disable file, print, and other unnecessary services
Use Windows Firewall
Protect Internet-facing servers
Keep up to date with service packs and security patches
Limit interactive logon privileges and escalation
Use Group Policy to create and distribute configurations
Enforce physical security against offline attacks
Subscribe to security publications and online resources