Hacking Windows NT - PowerPoint PPT Presentation

Provided by: DrAlB
Slides: 7

Transcript and Presenter's Notes

1
Hacking Windows NT
2
Windows NT
  • Review NetBIOS name resolution. SMB (Server Message Block)
    runs over NBT (NetBIOS over TCP/IP): the NetBIOS session
    service uses TCP port 139, the name service UDP port 137 and
    the datagram service UDP port 138. If only TCP 139 responds,
    the host is pre-Win2k (NT 4 or Win 9x); if TCP 445 responds,
    it is Win 2k or later, which also carries SMB directly over
    TCP. See also this paper on NT vulnerabilities. Close these
    ports at the firewall!
  • NT basic security: Net Logon; no bypassing the HAL to reach
    the BIOS/hardware directly; no remote access to the console
    (by default); interactive logon on Server requires
    administrative privileges (by default); and an object-based
    security model.
  • A security object can be any resource in the system: files,
    devices, processes, users, etc.
  • Server processes impersonate the client's security context
    (the key mechanism for file servers).
  • Win2k is Windows NT updated, with more security tools and
    patches (upgrade!).
  • Quest for administrator
  • Privilege Escalation
  • Consolidation of power, and
  • Covering tracks.
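The NetBIOS/SMB fingerprinting on this slide, as an added example that is not part of the original presentation: a pure-Python builder for the NBSTAT (node status) query that nbtstat -A sends to UDP 137, a parser for the reply's name table, and the slide's TCP 139/445 rule of thumb. The reply bytes are constructed for the example (host NTSRV1 in WORKGROUP, a made-up MAC address); NB_SUFFIXES lists the standard NetBIOS name suffix meanings, and nbstat() is a live query that the offline run does not exercise.

```python
import socket
import struct

# Standard NetBIOS name suffixes (the 16th byte of a registered name).
NB_SUFFIXES = {0x00: "workstation service / workgroup name", 0x03: "messenger service",
               0x1B: "domain master browser", 0x1C: "domain controllers",
               0x1D: "master browser", 0x20: "file server (Server service)"}


def encode_nb_name(name: str, suffix: int = 0x00) -> bytes:
    """RFC 1001 first-level encoding: 16 raw bytes -> 32 letters in A..P."""
    if name == "*":                      # the wildcard name is '*' padded with NULs
        raw = b"*" + b"\x00" * 15
    else:
        raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))


def build_nbstat_query(txid: int = 0x1234) -> bytes:
    """NBSTAT (node status) request for '*': what nbtstat -A sends to UDP 137."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # 1 question, no answers
    question = b"\x20" + encode_nb_name("*") + b"\x00"
    return header + question + struct.pack(">HH", 0x0021, 0x0001)  # type NBSTAT, class IN


def parse_nbstat_response(pkt: bytes) -> dict:
    """Decode an NBSTAT reply into the registered name table and MAC address."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000 or an < 1:
        raise ValueError("not an NBSTAT response")
    pos = 12
    if pkt[pos] & 0xC0 == 0xC0:          # compressed pointer back to the question name
        pos += 2
    else:
        while pkt[pos]:                  # length-prefixed labels, NUL terminated
            pos += 1 + pkt[pos]
        pos += 1
    rtype, _rclass, _ttl, _rdlen = struct.unpack(">HHIH", pkt[pos:pos + 10])
    pos += 10
    if rtype != 0x0021:
        raise ValueError("unexpected RR type 0x%04x" % rtype)
    count, pos = pkt[pos], pos + 1
    names = []
    for _ in range(count):               # 18-byte entries: name(15) suffix(1) flags(2)
        entry, pos = pkt[pos:pos + 18], pos + 18
        nb_flags = struct.unpack(">H", entry[16:18])[0]
        names.append({"name": entry[:15].decode("ascii", "replace").rstrip(),
                      "suffix": entry[15],
                      "role": NB_SUFFIXES.get(entry[15], "other"),
                      "scope": "group" if nb_flags & 0x8000 else "unique"})
    mac = pkt[pos:pos + 6]               # the statistics block starts with the MAC (unit id)
    return {"txid": txid, "names": names, "mac": ":".join("%02x" % b for b in mac)}


def nbstat(host: str, timeout: float = 2.0) -> dict:
    """Live query (not exercised offline): send the request to UDP 137 and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_nbstat_query(), (host, 137))
        data, _ = s.recvfrom(4096)
    return parse_nbstat_response(data)


def guess_windows_family(tcp139_open: bool, tcp445_open: bool) -> str:
    """The slide's rule of thumb from which SMB ports answer a TCP connect."""
    if tcp445_open:
        return "Windows 2000 or later (SMB directly over TCP 445)"
    if tcp139_open:
        return "pre-Win2k host (NT 4 or Win 9x): SMB only via NetBIOS session on 139"
    return "no SMB exposed"


def _entry(name: str, suffix: int, group: bool) -> bytes:
    flags = (0x8000 if group else 0x0000) | 0x0400    # 0x0400 = name is active
    return name.ljust(15).encode("ascii") + bytes([suffix]) + struct.pack(">H", flags)


# Constructed reply (not captured traffic): file server NTSRV1 in WORKGROUP, made-up MAC.
_RDATA = (bytes([3]) + _entry("NTSRV1", 0x00, False) + _entry("NTSRV1", 0x20, False)
          + _entry("WORKGROUP", 0x00, True)
          + bytes.fromhex("00a0c9123456") + b"\x00" * 40)   # MAC + zeroed statistics
SAMPLE_REPLY = (struct.pack(">HHHHHH", 0x1234, 0x8400, 0, 1, 0, 0)   # response, authoritative
                + b"\x20" + encode_nb_name("*") + b"\x00"
                + struct.pack(">HHIH", 0x0021, 0x0001, 0, len(_RDATA)) + _RDATA)
```

The name table is the useful part: a <20> entry means the Server service (file sharing) is running, <1B>/<1C> entries reveal domain controllers, and group names give away the workgroup or domain, all without any authentication, which is why the slide says to close UDP 137 at the firewall.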

3
Quest for Administrator
  • Remote password guessing: net use can be scripted to try
    user/password pairs against a share such as IPC$. NAT (the
    NetBIOS Auditing Tool) guesses passwords using user and
    password lists (Brutus is similar).
  • Countermeasures: close the ports; disable the WINS Client
    (TCP/IP) binding on exposed interfaces, which turns off NetBIOS
    over TCP/IP there; use Account Policies to set password
    length, lockout, expiration, etc. Passfilt enforces stronger
    passwords in NT (in 2k just activate the built-in complexity
    policy). Audit logon failures and run intrusion detection
    (Psionic Abacus and others).
  • Eavesdropping on the network password exchange to obtain
    password hash values: see Sniff tools and NT user
    authentication. If possible disable LanMan authentication
    (LMCompatibilityLevel 4 or 5); Win 9x clients that only speak
    LanMan will then fail to authenticate.
  • Buffer overflows: local (by interactively logged-on users)
    and remote, against Web, FTP, DB servers and many others. Use
    BOWall to detect or block them.
  • Denial of Service (DoS): use detection software, like Snort,
    which was recently ported to Windows. Be sure the latest
    service pack (SP6a) is applied or upgrade to Win2k. More when
    we see firewalls in a later class.
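The "audit logon failures and run intrusion detection" countermeasure, as an added example that is not from the presentation: a small detector over NT Security-log failure events that flags a burst of failed logons from one source workstation, which is what remote guessing with net use, NAT or Brutus looks like on the server. The log lines are constructed for the example in a simple CSV layout (time, event id, user, workstation); the event IDs are the NT 4/2000 logon-failure IDs (529 is "unknown user name or bad password"), and the threshold and window are assumed values to tune.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# NT 4 / Windows 2000 Security-log IDs for failed logons; 529 = unknown user
# name or bad password, 539 = account locked out.
FAILED_LOGON = {529, 530, 531, 532, 533, 534, 535, 537, 539}

# Constructed sample (not a real log export): a burst from ATTACKER1 and one
# ordinary typo from a user's own workstation.
SAMPLE_LOG = """\
time,event_id,user,workstation
2001-03-10 09:00:01,529,Administrator,ATTACKER1
2001-03-10 09:00:02,529,Administrator,ATTACKER1
2001-03-10 09:00:02,529,backup,ATTACKER1
2001-03-10 09:00:03,529,Administrator,ATTACKER1
2001-03-10 09:00:04,529,Administrator,ATTACKER1
2001-03-10 09:00:05,528,jsmith,WS-JSMITH
2001-03-10 09:15:00,529,jsmith,WS-JSMITH
2001-03-10 09:30:00,529,Administrator,ATTACKER1
"""


def detect_guessing(log_text: str, threshold: int = 3,
                    window: timedelta = timedelta(seconds=60)) -> list:
    """Alert when >= threshold failed logons come from one workstation within window.

    Counting per source (not per target account) catches a guesser that
    spreads attempts across many users to stay under the lockout threshold.
    """
    recent = defaultdict(deque)          # workstation -> (time, user) still in the window
    alerts = []
    for row in csv.DictReader(StringIO(log_text)):
        if int(row["event_id"]) not in FAILED_LOGON:
            continue
        t = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        q = recent[row["workstation"]]
        q.append((t, row["user"].lower()))
        while t - q[0][0] > window:      # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"workstation": row["workstation"],
                           "count": len(q),
                           "users": sorted({u for _, u in q}),
                           "first": q[0][0], "last": t})
            q.clear()                    # one alert per burst
    return alerts


if __name__ == "__main__":
    for a in detect_guessing(SAMPLE_LOG):
        print("%s: %d failures %s..%s against %s" % (
            a["workstation"], a["count"], a["first"].time(), a["last"].time(),
            ", ".join(a["users"])))
```

On the sample the single alert names ATTACKER1 with three failures in one second against two accounts, while the one mistyped password from WS-JSMITH stays below the threshold; this only works if Audit Policy has "Logon and Logoff: Failure" switched on, which NT does not enable by default.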

4
Privilege Escalation
  • Gathering information while logged on as a user (not admin):
    use find, look in directories, look for the SAM (including the
    backup copy under the repair directory), and run enumeration
    tools. Basic countermeasure: set file/directory permissions
    properly.
  • Adding oneself to the Administrators group: getadmin and
    sechole. Apply service packs and do not let FTP or web users
    write to server script directories. Also rogue DLLs dropped
    where a privileged process will load them.
  • Spoofing LPC port requests through the LPC ports API to add an
    account to the Administrators group. Again, apply the
    corresponding patch.
  • Trojans: the basic rule is not to use a Server as a workstation
    (no e-mail, no outside browsing), and to back up! See the TL
    Security Trojans page for removal tools.
  • Registry: very few keys are accessible by Everyone (see book
    Table 5-5). Probably the lowest threat, because NT strongly
    protects the Registry and you can use the Policy Editor to
    hide/deny access to all users other than admin.

5
Consolidation of Power
Assumes that administrator-level access has been
obtained.
  • Cracking the SAM: go from local admin to domain admin or to
    other users' accounts. See look for SAM; disable LanMan
    authentication (LMCompatibilityLevel 4 or 5). Apply service
    packs!
  • Cracking NT passwords: see the introduction/FAQ. LC3 is the
    key tool: graphical, with good documentation and support!
  • Countermeasures: choose strong passwords, with no dictionary
    words, mixed-case alpha, digits and special characters (built,
    for example, from facts or names from your youth). If LanMan
    is not disabled, remember that the LanMan hash is computed over
    two seven-character halves of the upper-cased password, so a
    short second half is cracked instantly: use exactly 7 or 14
    characters, or better, disable LanMan. Use SYSKEY SAM
    encryption (and apply the hotfix for its known weakness).
  • Duplicate credentials: locally stored domain user credentials
    (a local account using the same password as the domain
    account), or a local Administrator with the same password as
    in the Domain, turn one cracked password into access wherever
    it is reused.
  • LSA Secrets: include plain-text service account passwords,
    cached domain logons (the last 10), FTP and web user plain-text
    passwords, etc. lsadump2 reads them with admin rights. A hack,
    or information available by design?
  • Keystroke loggers: record every keystroke to a (hidden) file.
    IOpus STARR and WinWhatWhere Investigator are tools to capture
    keystrokes and more.
  • Sniffers: see Sniff tools and also BUTTsniffer and dsniff
    (Win32 version).

6
Covering Tracks
(continued from Consolidation of Power)
  • Remote control: remote control applications (pcAnywhere, VNC,
    Windows XP Remote Desktop, etc.) are useful, but a major
    security risk even when configured properly. More in a class
    meeting devoted to them.
  • Backdoors: see the Win 9x/ME material and the class on
    advanced techniques.
  • Port redirection: forward traffic arriving at one IP address
    and port to another IP address and port, at the
    gateway/firewall host, to reach machines the attacker cannot
    connect to directly. See rinetd.
  • Rootkits: patching the OS kernel with rogue code, assuming
    control of the OS. See the Rootkit page.
  • Disabling auditing: auditpol turns auditing off. Auditing
    found switched off, or a gap in the Security log, is itself a
    warning sign.
  • Clearing the Event Log: elsave clears the Event Log, also
    remotely. Clearing the Security log leaves event 517 ("The
    audit log was cleared") as the first new entry, so a near-empty
    log that starts with it deserves attention.
  • Hiding files: attrib (hidden/system attributes) and NTFS file
    streams (alternate data streams attached to an ordinary file,
    which dir does not show). Use sfind to search for files
    hidden in streams.
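The port redirection on this slide, as an added example that is not part of the presentation and not rinetd's own code: a minimal TCP relay in the rinetd/fpipe style that accepts on one address and port and forwards every byte to another, passing each side's half-close through so connections end cleanly. relay_roundtrip() puts the relay in front of a throwaway echo server on 127.0.0.1 (both constructed for the example, on ephemeral ports) so the whole exchange runs offline; in a real intrusion the listener would sit on the compromised gateway and the target would be an internal host.

```python
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy src -> dst until EOF or error, then pass the half-close on to dst."""
    try:
        for chunk in iter(lambda: src.recv(4096), b""):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay_connection(client: socket.socket, target: tuple) -> None:
    """Open the upstream connection and pump both directions until both sides close."""
    try:
        upstream = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()
        return
    upstream.settimeout(None)
    pumps = [threading.Thread(target=_pump, args=pair, daemon=True)
             for pair in ((client, upstream), (upstream, client))]
    for p in pumps:
        p.start()
    for p in pumps:
        p.join()
    client.close()
    upstream.close()


def _listen(host: str, port: int) -> socket.socket:
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    return srv


def _serve(listener: socket.socket, handler) -> None:
    """Accept on listener in a daemon thread until the listener is closed."""
    def loop():
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:              # listener closed
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()


def start_redirector(listen_host: str, listen_port: int,
                     target_host: str, target_port: int) -> socket.socket:
    """rinetd-style relay: every connection to listen_host:listen_port is forwarded
    to target_host:target_port. Port 0 picks an ephemeral port (see getsockname());
    closing the returned socket stops accepting new connections."""
    srv = _listen(listen_host, listen_port)
    _serve(srv, lambda conn: _relay_connection(conn, (target_host, target_port)))
    return srv


def _echo(conn: socket.socket) -> None:
    with conn:
        try:
            for chunk in iter(lambda: conn.recv(4096), b""):
                conn.sendall(chunk)
        except OSError:
            pass


def start_echo_server() -> socket.socket:
    """Stand-in for the service hidden behind the relay (constructed for the example)."""
    srv = _listen("127.0.0.1", 0)
    _serve(srv, _echo)
    return srv


def relay_roundtrip(payload: bytes) -> bytes:
    """Send payload through relay -> echo server on loopback and return the echo."""
    echo = start_echo_server()
    relay = start_redirector("127.0.0.1", 0, "127.0.0.1", echo.getsockname()[1])
    try:
        with socket.create_connection(("127.0.0.1", relay.getsockname()[1]), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)   # EOF travels client -> relay -> echo and back
            return b"".join(iter(lambda: c.recv(4096), b""))
    finally:
        relay.close()
        echo.close()
```

From the defender's side the relay is just another listening TCP port on the gateway with no service behind it, which is why reviewing netstat -an output against the list of ports a host is supposed to offer catches this where a host-based firewall rule would not.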