TCOM 5990 1 Information Assurance Management System Hacking

Upload: nancy-sanders

Post on 20-Jan-2016



Information Assurance Management

System Hacking


Hacking Windows 95/98

• Win 9x was not designed to be secure…like NT was…well

• 4 categories of remote exploitation

– Direct connect to shared resource

– Backdoor server daemons

– Exploit known server application vulnerabilities

– Denial of service


Hacking Windows 95/98

• Note that three of these require some misconfiguration or poor judgement on the part of the sysadmin or user

• Can be easily fixed...


Hacking Windows NT

• The Administrator

• Can’t go anywhere if you’re not…

• Passwords…Manual guessing

– Easiest password possible…no password!

– Something easy

– Popular software default passwords


Hacking Windows NT

• Automated guessing

– Legion... Can scan multiple class C IP ranges for Windows shares and has a manual dictionary attack tool.

– NAT (NetBIOS Auditing Tool) does one at a time


Hacking Windows NT

– Network password exchange

– L0phtcrack - password files

  • SMB Packet Capture bypasses that need - grabs them on the fly by listening to local network segment

• Password Countermeasures?


What to Do?

• Block access to TCP and UDP ports 135-139

• Enable TCP/IP security

• Set Restrict Anonymous key in Registry


What to Do?

• Remove Everyone from the Access This Computer in user rights

• Apply the Service Packs and hotfixes


What to Do?

• Strong Passwords! And enforce it!

• Rename the Administrator account…time, time, time

• Disable Guest


What to Do?

• Admin passwords must be the strongest…and change them regularly

• No Domain Admin credentials on stand-alone machines


What to Do?

• Install passprop from NTRK to enable account lockout for Administrators

• Install SYSKEY enhanced encryption for the SAM…time, time, time


What to Do?

• Enable auditing…then check the logs! Weekly or use automated log analysis tools

• Verify Registry access permissions are secure
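
An added example (not from the original slides) of the automated log analysis the auditing bullet calls for: it scans a Security log export for bursts of failed logons (event 529) against one account from one workstation, the trace left by the password guessing covered earlier. The comma-separated layout, the threshold and window, and every name in the sample are assumptions; the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export of an NT Security log (not real data).
# Assumed layout: timestamp, event ID, target account, source workstation.
SAMPLE_LOG = """\
2000-03-06 02:14:01,529,Administrator,WKSTN7
2000-03-06 02:14:03,529,Administrator,WKSTN7
2000-03-06 02:14:05,529,Administrator,WKSTN7
2000-03-06 02:14:06,529,Administrator,WKSTN7
2000-03-06 02:14:09,529,Administrator,WKSTN7
2000-03-06 02:14:11,528,Administrator,WKSTN7
2000-03-06 08:30:00,529,jsmith,WKSTN2
2000-03-06 08:30:20,528,jsmith,WKSTN2
"""

LOGON_OK, LOGON_FAILED = 528, 529  # NT 4.0 Security log event IDs


def find_guessing(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return one alert per (account, source) with >= threshold failures in window."""
    recent = defaultdict(deque)  # (account, source) -> recent failure times
    alerts = {}
    for line in filter(str.strip, log_text.splitlines()):
        stamp, event_id, account, source = (f.strip() for f in line.split(","))
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        key = (account.lower(), source.upper())
        if int(event_id) == LOGON_FAILED:
            q = recent[key]
            q.append(when)
            while when - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(key, {"account": account, "source": source,
                                                "failures": 0, "then_succeeded": False})
                alert["failures"] = max(alert["failures"], len(q))
        elif int(event_id) == LOGON_OK and key in alerts:
            # A success from the same source after a burst deserves a closer look.
            alerts[key]["then_succeeded"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in find_guessing(SAMPLE_LOG):
        print(alert)
```

A single mistyped password, like the jsmith entry, stays below the threshold and raises no alert.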


What to Do?

• Set the Hidden Registry value on sensitive servers…removes the host from browse lists

• Don’t run unnecessary services and avoid those that run in the security context of a user


What to Do?

• Understand how to configure applications securely or don’t run them!

• Educate your users on sensitivity of passwords


What to Do?

• Migrate to switched architectures…harder to eavesdrop than shared infrastructures

• Keep current with security mailing lists