Hacking Windows 9X/ME
Hacking framework Initial access physical access brute force trojans Privilege escalation Administrator, root privileges Consolidation of power other accounts and resources Covering tracks avoid detection
95/98/ME Not a network OS limited remote admin features, no native telnet, remote execution, and most applications graphical, not command prompt Remote exploits: direct connection to shared resources file sharing: e.g. use Legion to find, then use brute force (BF), also Network Neighborhood Cracker.Network Neighborhood Cracker countermeasures: turn off file sharing, or use password with eight characters, alpha plus meta characters. Add $ to the share name, e,g. share$ -- to hide from net view, Legion scan, Network Neighborhood. Win 9x Dial-up server: users can attach modem and allow dial in. countermeasure: do not use Dial-up and do not allow modems in user machines (VPN discussed in another class). Win 9x registry is not accessible remotely, unless the Remote Registry Service is installed (don’t). Use Policy Editor to turn off resource share globally.Policy Editor
Backdoor Servers and Trojans Back Orifice (BO), original in 1998, new version 2k. There are plug-ins. Originally listened to UDP port (but it can be configured to run in other ports), but 2K uses TCP port or UDP port (default, can be changed). Symantec description. This is a scanner for BO. descriptionscanner for BO NetBus, graphical oriented, more user friendly, listen to TCP ports or by default (configurable). Symantec description. See this page for details, screen shoot, removal tools. descriptionthis page SubSeven (S7S), very popular, comprehensive and easy to use, Listen to port (again configurable). Symantec description. See utilities to remove it in this page. descriptionthis page Countermeasures: backdoor server run in target machine, not remotely. Lock your machine! Close the default ports (better only open what you need). Save attachments to a directory, run virus scanner on the file you saved. Most virus scanners (set to scan all files) can detect (and some times remove) backdoor server trojans, see Symantec list.Symantec list See also PacketStorm Trojans page, for removal toolsTrojans page (see a comprehensive list at PacketStorm). PacketStorm
Other vulnerabilities Server application vulnerabilities Remote control applications (pcAnywhere, VNC, WinXP, etc.) are useful, but a major security risk, even when configured properly.pcAnywhereVNCWinXP Personal Web Server, if not patched and configured properly (it is ISS with access limitations, but same security risks, including Code Red). See Microsoft Security patches site for PWS and IIS.patched PWSIIS FTP and Telnet server applications (add on). Windows 2000, XP have a Telnet server. Same problems. FTPTelnet Countermeasures: limit or do not allow server applications (particularly Internet and remote control) in user machines. Close these ports in the firewall. If you need to run a Web Server in Win9x try Code(red) Hunter, as a protection/detection system.Code(red) Hunter Denial of Service: DUN 1.3 patch (win 95), 98, ME no need the patch, but malformed requests can be a problem, anyway. Use Win9x behind a user or site firewall to protect from attacks. Use a detection software, like ActivePorts (seen previously). DUN 1.3 patchuserActivePorts
Local Exploits Reboot: either set BIOS password, of if connected to Domain require domain login, to avoid the “escape” login. Screen-saver password, good but limited (CD-ROM autorun.inf is executed even when screen saver is running). How about BO in a CD-ROM? Disable autorun.Disable autorun Revealing passwords: more for recovery that hack (you need to be logged in the machine). PWL cracking: copy password files to diskette (copy c:\windows\*.pwl a:) and crack them later. Also more recovery than hack -- you need to be logged in. PWL countermeasures: secure physical access to computer (lock key), in addition to above.