Post on 14-May-2015
description
transcript
Hands-On Ethical Hands-On Ethical Hacking and Network Hacking and Network
DefenseDefense
Chapter 8Chapter 8Microsoft Operating System VulnerabilitiesMicrosoft Operating System Vulnerabilities
22
ObjectivesObjectives
Tools to assess Microsoft system Tools to assess Microsoft system vulnerabilitiesvulnerabilities
Describe the vulnerabilities of Microsoft Describe the vulnerabilities of Microsoft operating systems and servicesoperating systems and services
Techniques to harden Microsoft systems Techniques to harden Microsoft systems against common vulnerabilitiesagainst common vulnerabilities
Best practices for securing Microsoft Best practices for securing Microsoft systemssystems
33
Tools to Identify Vulnerabilities Tools to Identify Vulnerabilities on Microsoft Systemson Microsoft Systems
Many tools are available for this taskMany tools are available for this task Using more than one tool is advisableUsing more than one tool is advisable
Using several tools help you pinpoint Using several tools help you pinpoint problems more accuratelyproblems more accurately
44
Built-in Microsoft ToolsBuilt-in Microsoft Tools
Microsoft Baseline Security Analyzer Microsoft Baseline Security Analyzer (MBSA)(MBSA)WinfingerprintWinfingerprintHFNetChkHFNetChk
55
Microsoft Baseline Security Microsoft Baseline Security Analyzer (MBSA)Analyzer (MBSA)
Effective tool that checks forEffective tool that checks for PatchesPatches Security updatesSecurity updates Configuration errorsConfiguration errors Blank or weak passwordsBlank or weak passwords OthersOthers
MBSA supports remote scanningMBSA supports remote scanning Associated product must be installed on Associated product must be installed on
scanned computerscanned computer
66
MBSA ResultsMBSA Results
77
88
99
MBSA VersionsMBSA Versions
2.x for Win 2000 or later & Office XP or 2.x for Win 2000 or later & Office XP or laterlater
1.2.1 if you have older products 1.2.1 if you have older products
After installing, MBSA canAfter installing, MBSA can Scan the local machineScan the local machine Scan other computers remotelyScan other computers remotely Be scanned remotely over the Internet Be scanned remotely over the Internet
1010
HFNetChkHFNetChk
HFNetChk is part of MBSAHFNetChk is part of MBSA Available separately from Shavlik Available separately from Shavlik
TechnologiesTechnologies Can be used to control the scanning more Can be used to control the scanning more
precisely, from the command lineprecisely, from the command line
1111
WinfingerprintWinfingerprint
Administrative toolAdministrative tool
It can be used to scan network resourcesIt can be used to scan network resources
Exploits Windows null sessions Exploits Windows null sessions
DetectsDetects NetBIOS sharesNetBIOS shares Disk information and servicesDisk information and services Null sessionsNull sessions
1212
WinfingerprintWinfingerprint
Can findCan find OS detectionOS detection Service packs and hotfixesService packs and hotfixes Running ServicesRunning Services See Proj X6 for DetailsSee Proj X6 for Details
1313
Microsoft OS VulnerabilitiesMicrosoft OS Vulnerabilities
Microsoft integrates many of its products into Microsoft integrates many of its products into a single packagea single package Such as Internet Explorer and Windows OSSuch as Internet Explorer and Windows OS This creates many useful featuresThis creates many useful features It also creates vulnerabilities It also creates vulnerabilities
Security testers should search for Security testers should search for vulnerabilities onvulnerabilities on The OS they are testingThe OS they are testing Any application running on the serverAny application running on the server
1414
CVE (Common Vulnerabilities and CVE (Common Vulnerabilities and Exposures )Exposures )
A list of standardized names for A list of standardized names for vulnerabilitiesvulnerabilities
Makes it easier to share information about Makes it easier to share information about themthem cve.mitre.org (link Ch 8c)cve.mitre.org (link Ch 8c) Demonstration: Search Demonstration: Search
1515
Remote Procedure Call (RPC)Remote Procedure Call (RPC)
RPC is an interprocess communication RPC is an interprocess communication mechanismmechanism Allows a program running on one host to run code Allows a program running on one host to run code
on a remote hoston a remote host
Examples of worms that exploited RPCExamples of worms that exploited RPC MSBlast (LovSAN, Blaster)MSBlast (LovSAN, Blaster) NachiNachi
Use MBSA to detect if a computer is Use MBSA to detect if a computer is vulnerable to an RPC-related issuevulnerable to an RPC-related issue
1616
NetBIOSNetBIOS
Software loaded into memory Software loaded into memory Enables a computer program to interact with a Enables a computer program to interact with a
network resource or other devicenetwork resource or other device
NetBIOS is not a protocolNetBIOS is not a protocol NetBIOS is an interface to a network protocolNetBIOS is an interface to a network protocol It’s sometimes called a session-layer protocol, It’s sometimes called a session-layer protocol,
or a protocol suite (Links Ch 8d, 8e, 8f)or a protocol suite (Links Ch 8d, 8e, 8f)
1717
NetBEUINetBEUI
NetBIOS Extended User InterfaceNetBIOS Extended User Interface Fast, efficient network protocolFast, efficient network protocol Allows NetBIOS packets to be transmitted Allows NetBIOS packets to be transmitted
over TCP/IPover TCP/IP NBT is NetBIOS over TCPNBT is NetBIOS over TCP
1818
NetBIOS (continued)NetBIOS (continued)
Newer Microsoft OSs do not need Newer Microsoft OSs do not need NetBIOS to share resourcesNetBIOS to share resources NetBIOS is used for backward compatibilityNetBIOS is used for backward compatibility You can turn off NetBIOS for Windows 2000 You can turn off NetBIOS for Windows 2000
and later (links Ch 8g & 8h)and later (links Ch 8g & 8h)
1919
Server Message Block (SMB)Server Message Block (SMB)
Used by Windows 95, 98 and NT to share Used by Windows 95, 98 and NT to share filesfiles
Usually runs on top of NetBIOS, NetBEUI Usually runs on top of NetBIOS, NetBEUI or TCP/IPor TCP/IP
Hacking toolsHacking tools L0phtcrack’s SMB Packet Capture utilityL0phtcrack’s SMB Packet Capture utility SMBRelaySMBRelay Ettercap (see Project 23, Links Ch 8r & 8s)Ettercap (see Project 23, Links Ch 8r & 8s)
2020
Demonstration: ettercapDemonstration: ettercap
2121
Common Internet File System Common Internet File System (CIFS)(CIFS)
CIFS replaced SMB for Windows 2000, XP, CIFS replaced SMB for Windows 2000, XP, and Windows 2003 Serverand Windows 2003 Server SMB is still used for backward compatibilitySMB is still used for backward compatibility
CIFS is a remote file system protocol CIFS is a remote file system protocol Enables computers to share network resources Enables computers to share network resources
over the Internetover the Internet
2222
Common Internet File System Common Internet File System (CIFS) (continued)(CIFS) (continued)
Enhancements over SMBEnhancements over SMB Resource locking (if 2 people use the same Resource locking (if 2 people use the same
thing at once)thing at once) Support for fault toleranceSupport for fault tolerance Capability to run more efficiently over dial-upCapability to run more efficiently over dial-up Support for anonymous and authenticated Support for anonymous and authenticated
accessaccess
2323
Common Internet File System Common Internet File System (CIFS) (continued)(CIFS) (continued)
Server security methodsServer security methods Share-level securityShare-level security
A password assigned to a shared resourceA password assigned to a shared resource User-level securityUser-level security
An access control list assigned to a shared resourceAn access control list assigned to a shared resource
Users must be on the list to gain accessUsers must be on the list to gain access Passwords are stored in an encrypted form on the Passwords are stored in an encrypted form on the
serverserver
But CIFS is still vulnerable (see link Ch 8n)But CIFS is still vulnerable (see link Ch 8n) Don’t let NetBIOS traffic past the firewallDon’t let NetBIOS traffic past the firewall
2424
Understanding SambaUnderstanding Samba
Open-source implementation of CIFSOpen-source implementation of CIFS Created in 1992Created in 1992
Samba allows sharing resources over Samba allows sharing resources over multiple OSsmultiple OSs
Samba accessing Microsoft shares can Samba accessing Microsoft shares can make a network susceptible to attackmake a network susceptible to attack
Samba is used to “trick” Microsoft services Samba is used to “trick” Microsoft services into believing the *NIX resources are into believing the *NIX resources are Microsoft resourcesMicrosoft resources
2525
Samba is Built into UbuntuSamba is Built into Ubuntu
Click Places, Connect to ServerClick Places, Connect to Server Windows shares are marked with Windows shares are marked with SMBSMB
2626
Closing SMB PortsClosing SMB Ports
Best way to protect a network from SMB Best way to protect a network from SMB attacksattacks Routers should filter out portsRouters should filter out ports
137 to 139137 to 139
445445
2727
Default InstallationsDefault Installations
Windows 9x, NT, and 2000 all start out Windows 9x, NT, and 2000 all start out with many services running and ports with many services running and ports openopen They are very insecure until you lock them They are very insecure until you lock them
downdown
Win XP, 2003, and Vista are much more Win XP, 2003, and Vista are much more secure by defaultsecure by default Services are blocked until you open themServices are blocked until you open them
2828
Passwords and AuthenticationPasswords and Authentication
A comprehensive password policy is A comprehensive password policy is criticalcritical Change password regularlyChange password regularly Require passwords length of at least six Require passwords length of at least six
characterscharacters Require complex passwordsRequire complex passwords Never write a password down or store it online Never write a password down or store it online
or on the local systemor on the local system Do not reveal a password over the phoneDo not reveal a password over the phone
2929
Passwords and AuthenticationPasswords and Authentication
Configure domain controllersConfigure domain controllers Enforce password age, length and complexityEnforce password age, length and complexity Account lockout thresholdAccount lockout threshold Account lockout durationAccount lockout duration
Start, Run, Start, Run, GPEDIT.MSCGPEDIT.MSC
3030
IIS (Internet Information Services)IIS (Internet Information Services)
IIS 5 and earlier installs with critical security IIS 5 and earlier installs with critical security vulnerabilitiesvulnerabilities Run IIS Lockdown Wizard (link Ch 8p)Run IIS Lockdown Wizard (link Ch 8p)
IIS 6.0 installs with a “secure by default” IIS 6.0 installs with a “secure by default” postureposture Configure only services that are neededConfigure only services that are needed Windows 2000 ships with IIS installed by defaultWindows 2000 ships with IIS installed by default Running MBSA can detect IIS running on your Running MBSA can detect IIS running on your
networknetwork
3131
IIS Buffer OverflowsIIS Buffer Overflows
3232
SQL ServerSQL Server
SQL vulnerabilities exploits areasSQL vulnerabilities exploits areas The SA account with a blank passwordThe SA account with a blank password SQL Server AgentSQL Server Agent Buffer overflowBuffer overflow Extended stored proceduresExtended stored procedures Default SQL port 1433Default SQL port 1433
Vulnerabilities related to SQL Server 7.0 Vulnerabilities related to SQL Server 7.0 and SQL Server 2000and SQL Server 2000
3333
The SA AccountThe SA Account
The SA account is the master account, The SA account is the master account, with full rightswith full rights
SQL Server 6.5 and 7 installations do not SQL Server 6.5 and 7 installations do not require setting a password for this accountrequire setting a password for this account
SQL Server 2000 supports mixed-mode SQL Server 2000 supports mixed-mode authenticationauthentication SA account is created with a blank passwordSA account is created with a blank password SA account cannot be disabledSA account cannot be disabled
3434
SQL Server AgentSQL Server Agent
Service mainly responsible forService mainly responsible for ReplicationReplication Running scheduled jobsRunning scheduled jobs Restarting the SQL serviceRestarting the SQL service
Authorized but unprivileged user can Authorized but unprivileged user can create scheduled jobs to be run by the create scheduled jobs to be run by the agentagent
3535
Buffer OverflowBuffer Overflow
Database Consistency Checker in SQL Database Consistency Checker in SQL Server 2000Server 2000 Contains commands with buffer overflowsContains commands with buffer overflows
SQL Server 7 and 2000 have functions SQL Server 7 and 2000 have functions that generate text messagesthat generate text messages They do not check that messages fit in the They do not check that messages fit in the
buffers supplied to hold thembuffers supplied to hold them
Format string vulnerability in the C runtime Format string vulnerability in the C runtime functionsfunctions
3636
Extended Stored ProceduresExtended Stored Procedures
Several of the extended stored procedures Several of the extended stored procedures fail to perform input validationfail to perform input validation They are susceptible to buffer overrunsThey are susceptible to buffer overruns
3737
Default SQL Port 1443Default SQL Port 1443
SQL Server is a Winsock applicationSQL Server is a Winsock application Communicates over TCP/IP using port 1443Communicates over TCP/IP using port 1443
Spida wormSpida worm Scans for systems listening on TCP port 1443Scans for systems listening on TCP port 1443 Once connected, attempts to use the Once connected, attempts to use the
xp_cmdshellxp_cmdshellEnables and sets a password for the Guest Enables and sets a password for the Guest accountaccount
Changing default port is not an easy taskChanging default port is not an easy task
3838
Best Practices for Hardening Best Practices for Hardening Microsoft SystemsMicrosoft Systems
Penetration testerPenetration tester Finds vulnerabilitiesFinds vulnerabilities
Security testerSecurity tester Finds vulnerabilitiesFinds vulnerabilities Gives recommendations for correcting found Gives recommendations for correcting found
vulnerabilitiesvulnerabilities
3939
Patching SystemsPatching Systems
The number-one way to keep your system The number-one way to keep your system securesecure Attacks take advantage of known vulnerabilitiesAttacks take advantage of known vulnerabilities Options for small networksOptions for small networks
Accessing Windows Update manuallyAccessing Windows Update manually
Automatic UpdatesAutomatic Updates This technique does not really ensure that all This technique does not really ensure that all
machines are patched at the same timemachines are patched at the same time Does not let you skip patches you don’t wantDoes not let you skip patches you don’t want
4040
Patching SystemsPatching Systems
Some patches cause problems, so they Some patches cause problems, so they should be tested firstshould be tested first
Options for patch management for large Options for patch management for large networksnetworks Systems Management Server (SMS)Systems Management Server (SMS) Software Update Service (SUS)Software Update Service (SUS)
Patches are pushed out from the network Patches are pushed out from the network server after they have been testedserver after they have been tested
4141
Antivirus SolutionsAntivirus Solutions
An antivirus solution is essentialAn antivirus solution is essential
For small networksFor small networks Desktop antivirus tool with automatic updatesDesktop antivirus tool with automatic updates
For large networksFor large networks Corporate-level solutionCorporate-level solution
An antivirus tool is almost useless if it is An antivirus tool is almost useless if it is not updated regularlynot updated regularly
4242
Enable Logging and Review Enable Logging and Review Logs RegularlyLogs Regularly
Important step for monitoring critical areasImportant step for monitoring critical areas PerformancePerformance Traffic patternsTraffic patterns Possible security breachesPossible security breaches
Logging can have negative impact on Logging can have negative impact on performanceperformance
Review logs regularly for signs of intrusion Review logs regularly for signs of intrusion or other problemsor other problems Use a log-monitoring toolUse a log-monitoring tool
4343
Disable Unused or Unneeded Disable Unused or Unneeded ServicesServices
Disable unneeded servicesDisable unneeded services
Delete unnecessary applications or scriptsDelete unnecessary applications or scripts
Unused applications or services are an Unused applications or services are an invitation for attacksinvitation for attacks
Requires careful planningRequires careful planning Close unused ports but maintain functionalityClose unused ports but maintain functionality
4444
Other Security Best PracticesOther Security Best Practices Use a firewall on each machine, and also a Use a firewall on each machine, and also a
firewall protecting the whole LAN from the firewall protecting the whole LAN from the InternetInternet
Delete unused scripts and sample Delete unused scripts and sample applicationsapplications
Delete default hidden sharesDelete default hidden shares Use different names and passwords for Use different names and passwords for
public interfacespublic interfaces
4545
Other Security Best PracticesOther Security Best Practices Be careful of default permissionsBe careful of default permissions
For example, new shares are readable by all users For example, new shares are readable by all users in Win XP in Win XP
Use available tools to assess system securityUse available tools to assess system securityLike MBSA, IIS Lockdown Wizard, etc.Like MBSA, IIS Lockdown Wizard, etc.
Disable the Guest accountDisable the Guest account Rename the default Administrator accountRename the default Administrator account Enforce a good password policyEnforce a good password policy Educate users about securityEducate users about security Keep informed about current threatsKeep informed about current threats