Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lesson 9 Common Windows Exploits. UTSA IS 3523 ID and Incident Response Overview Top 20 Exploits Common Vulnerable Ports Detecting Events.

Published byKathleen Beasley Modified over 8 years ago

Similar presentations

Presentation on theme: "Lesson 9 Common Windows Exploits. UTSA IS 3523 ID and Incident Response Overview Top 20 Exploits Common Vulnerable Ports Detecting Events."— Presentation transcript:

1 Lesson 9 Common Windows Exploits

2 UTSA IS 3523 ID and Incident Response Overview Top 20 Exploits Common Vulnerable Ports Detecting Events

3 UTSA IS 3523 ID and Incident Response SANS/FBI Top 20 List Publish list of the Twenty Most Critical Internet Security Vulnerabilities www.sans.org/top20 Updated in October (or sooner if necessary) Thousands use this list to close up holes in their system Most incidents traced back to Top 20 list

4 UTSA IS 3523 ID and Incident Response SANS/FBI Top 20 List Based on facts, attackers –are opportunistic –take the easiest and most convenient route –exploit the best-known flaws with the most effective and widely available attack tools –count on organizations not fixing the “holes”

5 UTSA IS 3523 ID and Incident Response SANS/FBI Top 20 List List broken down into two sections Two Top Ten lists –Ten most commonly exploited vulnerable services in Windows –Ten most commonly exploited vulnerable services in Unix

6 UTSA IS 3523 ID and Incident Response W1: Internet Information Services (IIS) IIS prone to vulnerabilities in three major classes –Failure to handle unanticipated requests –Buffer overflows –Sample applications Target port: TCP Port 80 (http)

7 UTSA IS 3523 ID and Incident Response Failure to Handle Unanticipated Requests IIS has a problem handling improperly formed HTTP requests –Web folder traversal (unicode) Allows –view of the source code of scripted applications –view of files outside the Web document root –view of files Web server has been instructed not to serve –execution of arbitrary commands on the server deletion of files, uploading of rootkits, creation of backdoors

8 UTSA IS 3523 ID and Incident Response Buffer Overflows Many ISAPI and SSI extensions vulnerable to buffer overflows –.asp /.htr /.idq / printer A carefully crafted request from a remote attacker may results in –Denial of Service –Execution of arbitrary code and/or commands in the Web server’s user context through the IUSR_servername account (like anonymous)

9 UTSA IS 3523 ID and Incident Response W2: Microsoft SQL Server Microsoft SQL Server contains several serious vulnerabilities that allow remote attackers to –obtain information –alter database content –compromise SQL servers –compromise server hosts There’s Was an MSSQL worm released in May 2002

10 UTSA IS 3523 ID and Incident Response W2: Microsoft SQL Server Target port: TCP port 1433 OS’s affected –Microsoft SQL Server 7.0 –Microsoft SQL Server 2000 –Microsoft SQL Server Engine 2000

11 UTSA IS 3523 ID and Incident Response W2: Microsoft SQL Server How to detect a compromise: First thing you’ll see is the “probing” or “fishing” for information –Probes on port 1433 –Attacker is looking for those boxes that respond “positively” to a probe on port 1433 tells them box is “listening” (or has the port open) on port 1433

12 UTSA IS 3523 ID and Incident Response W3: General Windows Authentication Accounts with No Passwords or Weak Passwords Only protection is to have a strong password and good password habits With advent of Windows XP consider “everyday” accounts at user privilege

13 UTSA IS 3523 ID and Incident Response W3: LAN Manager Authentication Most current Windows environments have no need for LAN Manager (weak hashing) –Most use NTLM now But Windows NT, 2000, and XP do have LM by default LM has a very weak encryption scheme Won’t take a hacker long to crack passwords

14 UTSA IS 3523 ID and Incident Response OS’s affected: –Windows 95, Windows 98, Windows NT, Windows Me, Windows 2000, and Windows XP Main objective: –gather info about guest host names –try these guest host names with null passwords until one works –attacker will then attempt to download the entire database of userid’s and/or passwords W3: Unprotected Windows Networking Shares (NetBios)

15 UTSA IS 3523 ID and Incident Response W4: Internet Explorer Consequences can include –Disclosure of cookies –Disclosure of local files or data * –Execution of local programs * –Download and execution of arbitrary code * –Complete takeover of vulnerable system * * Most Critical

16 UTSA IS 3523 ID and Incident Response W4: Internet Explorer Default web browser installed on MS Windows platforms All existing IE’s have critical vulnerabilities A malicious web administrator can design web pages to exploit these vulnerabilities –Just need someone to browse the web page

17 UTSA IS 3523 ID and Incident Response W4: Internet Explorer Vulnerabilities can be categorized into multiple classes –Web page spoofing –ActiveX control vulnerabilities –Active scripting vulnerabilities –MIME-type and content-type misinterpretation –Buffer overflows

18 UTSA IS 3523 ID and Incident Response W5: Unprotected Windows Networking Shares (NetBios) MS Windows provides a host machine with the ability to share files or folders across a network Underlying mechanism of this feature is the –Server Message Block (SMB) protocol, or the –Common Internet Files System (CIFS) protocol Target Port: TCP Port 139

19 UTSA IS 3523 ID and Incident Response W5: Anonymous Logon -- Null Sessions This vulnerability is very similar to the one described before in Netbios Attacker is looking for a host name with a null password Attacker uses IPC$ (called IPC shares) with a double-double quote (“”) in place of a password

20 UTSA IS 3523 ID and Incident Response W6: Microsoft Data Access Components (MDAC)--Remote Data Services RDS component in older versions of MDAC has flaws that allow a remote user to run commands locally with administrative privileges This exploit is readily used to deface Web pages Check Web Server Logs to make sure

21 UTSA IS 3523 ID and Incident Response W7: Windows Scripting Host (WSH) Permits any text file with a “.vbs” extension to be executed as a Visual Basic script A typical worm propagates by including a VBScript as the contents of another file and executes when that file is viewed or in some cases previewed

22 UTSA IS 3523 ID and Incident Response The Other 3 W8: Outlook and Outlook Express W9: P2P File Sharing W10: Simple Network Mgt Protocol

23 UTSA IS 3523 ID and Incident Response Common Vulnerable Ports Login Services –telnet (port 23/tcp) –SSH (port 22/tcp) –FTP (port 21/tcp) –NetBIOS (port 139/tcp) –rlogin (port 512 - 514/tcp)

24 UTSA IS 3523 ID and Incident Response Common Vulnerable Ports RPC and NFS –portmap/rpcbind (port 111/tcp and udp) –NFS (port 2049/tcp and udp) –lockd (port 4045/tcp and udp) Xwindows –port 6000/tcp through 6255/tcp

25 UTSA IS 3523 ID and Incident Response Common Vulnerable Ports Naming services –DNS (port 53/udp) for all machines that are not DNS servers –DNS (port 53/tcp) for zone transfer requests –LDAP (port 389/tcp and udp)

26 UTSA IS 3523 ID and Incident Response Common Vulnerable Ports Mail –SMTP (port 25/tcp) for all machines that are not external mail relays –POP (port 109/tcp and port 110/tcp) –IMAP (port 143/tcp)

27 UTSA IS 3523 ID and Incident Response Common Vulnerable Ports Web –HTTP (port 80/tcp) –SSL (port 443/tcp) except to external Web servers –HTTP proxies port 8000/tcp port 8080/tcp port 8888/tcp

28 UTSA IS 3523 ID and Incident Response Common Vulnerable Ports “Small services” –ports below 20/tcp and udp –time (port 37/tcp and udp) Miscellaneous –TFTP (port 69/udp) –Finger (port 79/tcp) –NNTP (port 119/tcp)

29 UTSA IS 3523 ID and Incident Response Common Vulnerable Ports Miscellaneous (continued) –NTP (port 123/udp) –LPD (port 515/tcp) –syslog (port 514/udp) –SNMP (port 161/tcp and udp, and port 162/tcp and udp) –BGP (port 179/tcp) –SOCKS (port 1080/tcp)

30 UTSA IS 3523 ID and Incident Response Common Vulnerable Ports ICMP –block incoming “echo” requests (ping and Windows traceroute) –block outgoing “echo” replies, “time exceeded,” and “destination unreachable” except “packet too big” messages

31 UTSA IS 3523 ID and Incident Response How To Detect and Investigate http://www.sans.org/top20/tools04.pdf Run an IDS and review logs for common signatures…especially IIS hacks Aggressively review web server logs Ensure FTP application logging turned on…then review FTP logs Know your network…and know what is abnormal

Download ppt "Lesson 9 Common Windows Exploits. UTSA IS 3523 ID and Incident Response Overview Top 20 Exploits Common Vulnerable Ports Detecting Events."

Similar presentations

DMZ (De-Militarized Zone)

DMZ (De-Militarized Zone)
How Clients and Servers Work Together

How Clients and Servers Work Together
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
Exploits Dalia Solomon. Categories Trojan Horse Attacks Trojan Horse Attacks Smurf Attack Smurf Attack Port Scan Port Scan Buffer Overflow Buffer Overflow.

Exploits Dalia Solomon. Categories Trojan Horse Attacks Trojan Horse Attacks Smurf Attack Smurf Attack Port Scan Port Scan Buffer Overflow Buffer Overflow.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
How Clients and Servers Work Together. Objectives Web Server Protocols Examine how e-mail server and client software work Use FTP to transfer files Initiate.

How Clients and Servers Work Together. Objectives Web Server Protocols Examine how server and client software work Use FTP to transfer files Initiate.
Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by.

Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by.
IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.

IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Security Tools CS-480b Dick Steflik. CACLS Windows NT, W2000, XP Displays or modifies access control lists (ACLs) of files.

Security Tools CS-480b Dick Steflik. CACLS Windows NT, W2000, XP Displays or modifies access control lists (ACLs) of files.
Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.

Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
TCP/IP - Security Perspective Upper Layers CS-431 Dick Steflik.

TCP/IP - Security Perspective Upper Layers CS-431 Dick Steflik.
Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.

Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.
Hacking Web Server Defiana Arnaldy, M.Si 0818 0296 4763.

Hacking Web Server Defiana Arnaldy, M.Si
1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.

1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.
2851A_C01. Microsoft Windows XP Service Pack 2 Security Technologies Bruce Cowper IT Pro Advisor Microsoft Canada.

2851A_C01. Microsoft Windows XP Service Pack 2 Security Technologies Bruce Cowper IT Pro Advisor Microsoft Canada.
Microsoft October 2004 Security Bulletins Briefing for Senior IT Managers updated October 20, 2004 Marcus H. Sachs, P.E. The SANS Institute October 12,

Microsoft October 2004 Security Bulletins Briefing for Senior IT Managers updated October 20, 2004 Marcus H. Sachs, P.E. The SANS Institute October 12,
1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.

1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.

Similar presentations

Ads by Google