Remote Control and

Remote Control and Advanced Techniques

Lesson

16

Remote Control Software

With global corporations, support personnel who can deal with computer problems may not always be on-site. They may use remote control software to allow them to provide support and maintenance from a central location.

The problem is that the same software that can be used for useful purposes can be exploited, especially if misconfigured, by attackers to gain remote access and control of computers and networks.

Some new trojans designed to perform the same sort of functions as legitimate remote controls SW.

Ports for some Remote Control SW

Software TCP UDP

Citrix ICA 1494 1494

pcAnywhere 22, 5631, 65301 22, 5632

ReachOut 43188 None

Remotely Anywhere 2000,2001 None

Remotely Possible/

ControlIT 799, 800 800

Timbuktu 407 407

VNC 5800, 5801… None

5900, 5901…

Windows Term Server 3389 None

Radmin 4899 None

Discovering RC Software

If an attacker finds one of these ports answering, they will try to exploit.

After default installation, many applications leave themselves open to accept connections from anywhere, possibly even without a username or password.

The easiest way to test for these is to simply attempt to connect to one of these ports.

Try enumeration techniques to obtain possible userids from which you can guess passwords

Some sensible countermeasures

Enable Passwords on your system

Too often this is left off, especially for dial up access where folks think “nobody knows about it, they would have to know the phone #.”

Enforce Strong passwords

If you’re going to use them, you might as well make them strong.

Force Alternate Authentication

You don’t have to rely on OS alone, can utilize additional authentication some packages provide

Encrypt Session Traffic

Limit Login Attempts

Log Failed Attempts

Lock Out Failed Users

Change Default Listen Port

Virtual Network Computing

Originally developed at AT&T Labs.

Can be used with/by Windows, Linux, and Solaris platforms

Obtainable from

http://www.realvnc.com

Has some vulnerabilities (big surprise)

Brute forcing VNC passwords

Weak passwords a possible problem as always

Network eavesdropping

By default, VNC does not use any sort of encryption after a user authenticates to the VNC server.

Weak WinVNC password obfuscation

Stores the server password in an obfuscated fashion that may allow an attacker to recover the cleartext server password.

Microsoft Terminal Server

Terminal Server lets you deliver Windows-based applications, or the Windows desktop itself, to virtually any computing device—including those that cannot run Windows.

When users run an application on Terminal Server, the application execution takes place on the server, and only keyboard, mouse and display information is transmitted over the network. Users see only their own individual sessions, which are managed transparently by the server operating system, and remain independent of any other client session.

Windows 2000 Terminal Services remote administration mode is called "Remote Desktop for Administration" in Windows Server 2003, and has the ability to remote the actual console session of the server.

Terminal Server Attacks

Locating Terminal Server easy, uses port 3389.

Launch your own Terminal Server client then wait to be prompted for login ID/Password, normal attempts at guessing at this point.

ProbeTS, TSEnum are tools that will cycle through identified subnet attempting to locate Terminal Server

Some other attacks possible as well

RegAPI.DLL buffer overflow

Weak encryption that can lead to eavesdropping

Some possible user privilege elevation attacks

Session Hijacking

An attempt to “take over” an established session.

Some tools that can aid in this endeavor:

Hunt: first allows you to snoop, then insert commands into stream

Best countermeasure: encryption. If a person can’t view the traffic/session, it is hard to insert commands.

Back Doors

If an intruder gets into your system, count on them attempting to install some backdoors to allow them continued access, even if you find and eliminate their primary method.

Finding and clearing these can be a laborious task

Some common back doors:

Rogue user accounts

Startup files – even if you clean up, these can reinstall ways in

Scheduled jobs – similar to startup files, these will execute in future and will reinstall ways in

Remote Control program installation

Back Orifice and Netbus

These both are very similar to some of the RC software packages (and are sometimes advertised in that fashion).

Original BO ran on Win 9x, BO2K added NT/2000.

NetBus,

similar to BO, consists of two parts: a client-program ("

netbus.exe

") and a server-program often named: "patch.exe" (or "SysEdit.exe" with version 1.5x), which is the actual backdoor. Version 1.60 uses the TCP/UDP-Port # "12345" which can't be altered. From version 1.70 and higher the port can be configured.

BO2K also added some stealth capabilities and ability to customize it thus making it harder to detect.

Remote Control Backdoor Port Numbers

Default Default Altern.

Backdoor TCP UDP Ports

Remote.exe 135-139 135-139 No

Netcat Any Any Yes

Back Orifice NA 31337 Yes

Back Orifice 2000 54320 54321 Yes

NetBus 12345 NA Yes

Masters Paradise 40421

40422

40426 NA Yes

Trojans

“A Trojan horse is a program that purports to be a useful software tool, but it actually performs unintended (and often unauthorized) actions, or installs malicious or damaging software behind the scenes when launched.”

Key to Trojans is that you have to have somebody on the system run the Trojan in order for it to do its nefarious task.

Two implications for us

When doing an assessment, does the organization we are working with have Trojans installed? Is the environment such that it is likely they could be?

Can we use a Trojan to further our testing goals?

Whack-A-Mole

An example of a program that installed NetBus server while allowing you to play a game.Figure pg. 581 McClure et al.

Secure Shell (SSH) Attacks

SSH is a secure protocol used in place of programs such as telnet to conduct protected remote interactive communications.

Pretty good tool, but is vulnerable to a couple things:

Traffic analysis. Program exists that allows you to determine the length of a password or command sent.

Man-in-the-middle attack. Requires that you be able to replace public key used by host and that you are able to control DNS.

Rootkits

Once a system has been subverted, a rootkit is often one of the first things downloaded and installed.

Generally will include

Trojanized versions of common programs

Back doors (as discussed previously)

Sniffers

System Log cleaners

Imaging the system (creating mirror image of system volumes) also sometimes accomplished when access obtained.

Useful in circumventing security tools that utilize system states or details such as checksums.

Social Engineering

“Clueless User” vs. the Help Desk

“Help Desk” vs. the Clueless User

Countermeasures

Limit data leakage through web sites, public databases, …

Formulate a strict policy for internal and external technical support procedures

Be paranoid about remote access

Craft outbound firewall and router access controls just as carefully as inbound

Use email safely

Educate employees on the basics of a secure environment (and on social engineering)

Summary

What is the importance and significance of this material?

Remote Control software is more prevalent and is a tremendous security concern.

How does this topic fit into the subject of “Security Risk Analysis”?

We need to know about the different packages that could be installed and that the organization we are testing might not know about.