
Copyright (C) 2000, Network Associates Technology Inc. Advanced Windows NT/2000 Security (II) Beyond The User Command Shell… Into The Trusted Computing.


1. Advanced Windows NT/2000 Security (II): Beyond The User Command Shell… Into The Trusted Computing Base!
Nishad Herath, COVERT Labs of PGP Security

2. The Playing Field
Windows NT/2000 systems with security vulnerabilities that could lead to arbitrary code execution at elevated privileges, either directly or indirectly. For example:
- Direct arbitrary code execution: buffer overflow conditions in privileged network services.
- Indirect arbitrary code execution: inadequate permissions on registry keys that belong to privileged applications or privileged operating system components.

3. The Game Rules…
- Understand the nature of security vulnerabilities that could allow arbitrary code execution at elevated privileges.
- Understand the array of technologies that can be utilized in exploiting these vulnerabilities.
- Explore the world of possibilities these technologies offer to potential exploits.
- Understand, acknowledge and appreciate the wide-ranging implications of such exploits on Windows NT/2000 systems.
Goal…
- To take the necessary measures to minimize, detect and respond to the security implications of such exploits.

4. An example: Win32 Buffer Overflows
Buffer overflow vulnerabilities are one of the most direct methods by which arbitrary code can be executed at elevated privileges.
- Aleph1’s article on stack overflows, “Smashing The Stack For Fun And Profit”, published in Phrack 49.
- Solar Designer’s early work on exploiting Win32 buffer overflows.
- Dildog’s cDc text, “The Tao of Windows Buffer Overflow”.
- Barnaby Jack’s comprehensive and inspirational paper, “Win32 Buffer Overflows”, published in Phrack 55.
- Greg Hoglund’s excellent series of talks on Win32 buffer overflows at BlackHat Briefings.
- “Advanced Windows NT/2000 Security” talk at BlackHat Briefings, Singapore 2000.

5. Win32 Payload: Old School
Initially, we saw simple payloads. But progress was rapid…
- Upload a Trojan executable into a directory within an IIS website with executable permissions and execute it via an HTTP request.
- Enable the “Guest” user account, change the password and add it to the “Administrators” group.
- Download a Trojan executable from a remote site via HTTP/FTP and execute it.
- Download NetCat from a remote site via HTTP/FTP and execute it, such that it binds a command shell (“CMD.EXE”) to a specific TCP port and listens for inbound connections.
- Directly bind a command shell (“CMD.EXE”) to a specific TCP port and listen for inbound connections.

6. Win32 Payload: Reverse Command Shell
- Code that connects to a specific TCP port listening on a specific remote machine and binds a command shell (“CMD.EXE”) to it.
- Advantageous in situations where router/firewall based access restrictions are imposed on incoming traffic to hosts.
- In most situations, host based or network based intrusion detection systems are configured to monitor only incoming traffic to hosts.
- Attacks are possible where the origin of the attack is independent of the location(s) from which the subsequent exploitation is conducted.

7. Win32 Payload: Double Payload
- “Double-Payload” code that:
  - Allocates an execution environment within the exploited process address space or a separate process address space;
  - Tweaks the execution environment for the secondary payload code;
  - Connects to a specific TCP port listening on a specific remote machine;
  - Fetches the larger, sophisticated secondary payload code from the remote machine and relocates it in the allocated execution environment;
  - Executes the secondary payload code in the allocated execution environment.

8. Win32 Payload: Double Payload
- The sole purpose of the primary payload code is the successful retrieval and execution of the secondary payload code.
- Advantageous in situations where payload limitations exist, such as payload size and content restrictions.
- Reliance on existing operating system components, such as “CMD.EXE” in the case of most remote shell exploits, can be avoided by a powerful secondary payload that is self-sufficient in functionality.
- Potential for a more flexible and versatile mechanism for exploitation by decoupling the initial exploitation from the secondary payload.

9. Win32 Payload: Recycling Payload
- Payload that re-uses an existing network connection for further exploitation, for example a TCP connection that is already established and was used for the initial exploitation.
- Can be successfully utilized in environments where the tightest router/firewall based access controls are imposed on incoming as well as outgoing traffic.
- Combined with “Double-Payload” code, this can result in very powerful exploits.
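Slides 6 to 9 make a detection point that is easy to miss: a reverse shell leaves only an outbound connection, and a recycling payload leaves no new connection at all, so an IDS that watches inbound traffic sees neither. The host itself still records two things: a shell started by a network service, and an outbound session opened from that service's context. The following is an added example (not code from the talk) that runs both rules over constructed host telemetry; the record layout, the service image names (inetinfo.exe standing for IIS) and every log line are assumptions for the sample.

```python
"""Host-side detection of shell-style payloads on a Windows NT/2000 server.

Added example, not code from the talk.  Two constructed telemetry record
types stand in for what a host agent or personal firewall would log:
  PROC <time> <pid> <ppid> <image> <parent_image>
  NET  <time> <pid> <image> <IN|OUT> <local_addr:port> <remote_addr:port>
Assumptions: privileged network services are recognised by image name
(inetinfo.exe is IIS); every log line below is a constructed sample."""

from dataclasses import dataclass

# Service images that should never start a shell or open outbound sessions.
NETWORK_SERVICES = {"inetinfo.exe", "services.exe", "lsass.exe", "rpcss.exe"}
SHELLS = {"cmd.exe", "command.com"}

# Constructed sample telemetry (not a real capture).
SAMPLE_LOG = """\
PROC 10:00:01 412 8 inetinfo.exe services.exe
NET  10:00:05 412 inetinfo.exe IN 10.0.0.5:80 198.51.100.7:40211
PROC 10:00:06 977 412 cmd.exe inetinfo.exe
NET  10:00:07 977 cmd.exe OUT 10.0.0.5:1071 198.51.100.7:4444
NET  10:00:20 300 iexplore.exe OUT 10.0.0.5:1072 203.0.113.9:80
PROC 10:01:00 1200 412 cmd.exe inetinfo.exe
"""


@dataclass
class Finding:
    time: str
    pid: int
    rule: str
    detail: str


def parse_line(line: str) -> dict:
    """Split one telemetry record into a dict; raises on unknown record types."""
    p = line.split()
    if p[0] == "PROC":
        return {"kind": "PROC", "time": p[1], "pid": int(p[2]), "ppid": int(p[3]),
                "image": p[4].lower(), "parent": p[5].lower()}
    if p[0] == "NET":
        return {"kind": "NET", "time": p[1], "pid": int(p[2]), "image": p[3].lower(),
                "direction": p[4], "local": p[5], "remote": p[6]}
    raise ValueError(f"unknown record: {line!r}")


def analyse(log_text: str) -> list:
    """Apply two rules in one pass over the records.

    Rule 1 (covers bound, reverse and recycled-connection shells alike):
       a shell process whose parent is a network service.
    Rule 2 (reverse shell / secondary payload fetch):
       an outbound session opened by a network service, or by a shell
       that rule 1 already attributed to one."""
    findings = []
    service_shells = {}  # pid of a shell -> image of the service that started it
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["kind"] == "PROC":
            if ev["image"] in SHELLS and ev["parent"] in NETWORK_SERVICES:
                service_shells[ev["pid"]] = ev["parent"]
                findings.append(Finding(ev["time"], ev["pid"], "shell-spawned-by-service",
                                        f"{ev['parent']} started {ev['image']}"))
        elif ev["direction"] == "OUT" and (
                ev["image"] in NETWORK_SERVICES or ev["pid"] in service_shells):
            findings.append(Finding(ev["time"], ev["pid"], "outbound-from-service-context",
                                    f"{ev['image']} connected to {ev['remote']}"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.time} pid={f.pid} {f.rule}: {f.detail}")
```

In the sample, pid 977 trips both rules (a reverse shell), while pid 1200 trips only rule 1: it has no network event of its own, which is exactly the recycled-connection case of slide 9, so the process-ancestry signal is the one a defender cannot do without.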

10. Beyond The Command Shell…
On compromised systems, malicious activities performed through user-mode Win32 application code can be detected with relative ease using modern system integrity and security tools.
- Intrusion detection systems such as CyberCop Monitor (http://www.pgp.com), which has powerful detection features against a range of malicious activity within a system.
- Products such as Tripwire, which can detect changes to the file system or changes and inconsistencies in other system parameters (http://www.tripwire.com).
- J.D. Glaser’s papers, tools (http://www.ntobjectives.com) and his series of talks at BlackHat Briefings on computer forensics.
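The file-system integrity checking the slide attributes to products like Tripwire comes down to a stored baseline of content hashes and a three-way classification of the current state. The block below is an added example (not the talk's code and not Tripwire's) of that mechanism; the paths and file contents are constructed placeholders, and `snapshot_tree()` is the only part that touches a real directory.

```python
"""Tripwire-style file integrity baseline, as an added example.

Not the talk's code and not Tripwire's.  A snapshot maps each path to the
SHA-256 of its contents; comparing a stored baseline with a fresh snapshot
yields the added, removed and modified paths.  snapshot_tree() walks a real
directory; the two dicts below are constructed stand-ins for a filesystem
before and after a compromise so the module runs offline."""

import hashlib
import os


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot_tree(root: str) -> dict:
    """Hash every regular file under root, keyed by path relative to root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                snap[os.path.relpath(full, root)] = digest(fh.read())
    return snap


def snapshot_from_contents(files: dict) -> dict:
    """Same shape as snapshot_tree(), built from an in-memory {path: bytes}."""
    return {path: digest(data) for path, data in files.items()}


def compare(baseline: dict, current: dict) -> dict:
    """Classify every path as added, removed, modified or (silently) unchanged."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


# Constructed contents (placeholder bytes, not real binaries).
BASELINE_FILES = {
    r"winnt\system32\drivers\null.sys": b"placeholder null.sys image",
    r"winnt\system32\cmd.exe": b"placeholder cmd.exe image",
    r"inetpub\scripts\default.asp": b"<% Response.Write(\"ok\") %>",
}
CURRENT_FILES = {
    r"winnt\system32\drivers\null.sys": b"placeholder null.sys image + patched bytes",
    r"winnt\system32\cmd.exe": b"placeholder cmd.exe image",
    r"inetpub\scripts\upload.exe": b"placeholder unexpected binary",
}


def demo() -> dict:
    """Compare the constructed before/after states."""
    return compare(snapshot_from_contents(BASELINE_FILES),
                   snapshot_from_contents(CURRENT_FILES))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

Two points of practice follow from the design: the baseline must be stored and verified off the host it describes (a baseline the attacker can rewrite is worthless), and, as the next slides explain, once the core operating system is modified the checker's own reads of the file system can no longer be trusted, so this kind of check is a user-mode defence.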

11. Into The Trusted Computing Base!
Why violate the TCB (Trusted Computing Base) of a Windows NT/2000 system?
- For advanced stealth capabilities, beyond detection by intrusion detection and protection agents that trust the integrity and rely upon the functionality of the core operating system (TCB).
- To achieve advanced, system-wide spying capabilities, with the ability to intercept virtually all important information.
- To introduce subtle and complex changes to the core operating system functionality, in order to fulfill malicious purposes.
- To implement stealthy and complex covert communication channels over normal network communications.

12. Violating The Trust: Old School
A KMD (Kernel Mode Driver) is used to introduce malicious code into the TCB: code which violates the integrity of the kernel and other trusted components of the core operating system.
- Greg Hoglund’s excellent paper, “A Real NT Rootkit”, published in Phrack 55, which demonstrates patching the SeAccessCheck routine of the kernel SRM (Security Reference Monitor) to bypass access control checks.
- The Rootkit Project (http://www.rootkit.com).
- Advanced variations, such as KMDs that patch already loaded kernel-mode drivers (e.g. NULL.SYS) to host their malicious code, then unload themselves from the system address space.
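Both techniques on this slide leave the same trace: bytes in a trusted code region (a kernel routine, or a resident driver such as NULL.SYS) that no longer match the known-good image, while the driver that wrote them may already be gone. The following is an added example (not the talk's code and not from rootkit.com) of what an analyst does with a known-good copy and a live copy of such a region: it localises every run of changed bytes, and separately lists loaded drivers absent from an approved set. The routine name, the byte strings and the driver names are constructed stand-ins; obtaining the live bytes from a running kernel is outside the example.

```python
"""Locating inline patches in a trusted code region, as an added example.

Not the talk's code and not from rootkit.com.  Given a known-good copy of a
routine's bytes (e.g. taken from the on-disk kernel image at the same
offsets) and the bytes currently present in the running system, report
every run of differing bytes so an analyst can see what was overwritten and
where.  The byte strings below are constructed stand-ins, not real kernel
code; how the live bytes are read is outside this example."""


def diff_runs(reference: bytes, live: bytes) -> list:
    """Return (offset, length, reference_slice, live_slice) for each maximal
    run of bytes that differ.  Lengths must match: a size change is itself
    a finding the caller should raise before comparing."""
    if len(reference) != len(live):
        raise ValueError("images must be compared at equal length")
    runs = []
    start = None
    for i, (a, b) in enumerate(zip(reference, live)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            runs.append((start, i - start, reference[start:i], live[start:i]))
            start = None
    if start is not None:
        runs.append((start, len(live) - start, reference[start:], live[start:]))
    return runs


def check_routine(name: str, reference: bytes, live: bytes) -> dict:
    """Summarise one routine: patched flag plus (offset, length) of each run."""
    runs = diff_runs(reference, live)
    return {"routine": name, "patched": bool(runs),
            "runs": [(off, ln) for off, ln, _, _ in runs]}


def unexpected_drivers(loaded: list, approved: set) -> list:
    """Loaded kernel-mode drivers not on the administrator's approved list."""
    return sorted({d.lower() for d in loaded} - {a.lower() for a in approved})


# Constructed sample: 32 bytes standing in for a routine's prologue.
REFERENCE = bytes(range(0x10, 0x30))
LIVE_CLEAN = bytes(REFERENCE)
LIVE_PATCHED = b"\xff" * 5 + REFERENCE[5:]            # first 5 bytes overwritten
LIVE_TWO_PATCHES = (REFERENCE[:3] + b"\xff" + REFERENCE[4:10]
                    + b"\xff\xff" + REFERENCE[12:])  # runs at offsets 3 and 10

# Constructed driver names; "hypothetical_rk.sys" is a placeholder, not a real file.
APPROVED_DRIVERS = {"ntfs.sys", "tcpip.sys", "null.sys", "afd.sys"}
LOADED_SAMPLE = ["Ntfs.sys", "tcpip.sys", "null.sys", "hypothetical_rk.sys"]

if __name__ == "__main__":
    print(check_routine("SampleRoutine", REFERENCE, LIVE_PATCHED))
    print(unexpected_drivers(LOADED_SAMPLE, APPROVED_DRIVERS))
```

The driver-list check alone misses the "patch and unload" variant the slide describes, which is why the byte comparison is the primary signal. Slide 11 also implies the caveat that governs both checks: a compromised TCB controls the very reads the checker depends on, so the reference copy and the comparison belong in an environment the suspect kernel does not control, such as an offline image of the disk and memory.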
