1

Hacking Exposed 7Network Security Secrets & Solutions

Chapter 4 Hacking Windows

2

Hacking Windows

• Unauthenticated attacks• Authenticated attacks• Windows security features

3

Prelude• Vulnerabilities

– Trivially exploited configuration vulnerabilities• NetBIOS null sessions, simple IIS buffer overflow

– More complex ones• Heap exploits, end user attack through Internet Explorer

• Areas of focus– Network services, kernel drivers, applications

• Factors of risk: popularity and complexity– Popular Windows vulnerabilities: Code Red, Nimda, Slammer,

Blaster, Netsky, Gimmiv, etc.– NT 3.51 Windows 7: tenfold in code size

• New security-related features– Reduced default network services, host firewall enabled by

default, user account control (UAC), etc.

4

Unauthenticated AttacksAuthenticated Spoofing

• Remote password guessing– Main targets: Server Message Block (SMB) on TCP 445 and

139, Microsoft Remote Procedure Call (MSRPC) on TCP 135, Terminal Services (TS) on TCP 3389, SQL on TCP 1433 and UDP 1434, SharePoint (SP) over HTTP on TCP 80 and HTTPS on TCP 443, etc.

– Automatic guessing on CLI: FOR and net use with username/password file (see virus/org/default-password), enum, Brutus, THC Hydra, Venom

– Automatic guessing on GUI of Terminal Services/Remote Desktop Services: TSGrinder, Rdesktop after patch with brute-force capabilities

5

Unauthenticated AttacksPassword-Guessing Countermeasures

• Network firewall to restrict access to potentially vulnerable services/ports

• Host “Windows Firewall”• Disable unnecessary services• Enforce strong password policy• Set an account-lockout threshold• Log and analyze account logon failures– Dumpel, DumpEvt, Event Comb, ELM Log Manager

6

Unauthenticated AttacksEavesdropping on Network Password Exchange• Three authentication protocols: LM (LAN

Manager) (with hash), NTLM (with RC4 encryption), Kerberos (with private or optional public key encryption)

• Attack tools: Cain, LCP, L0phtcrack, KerbSniff– Sniffing, brute-force cracking, dictionary cracking,

Rainbow cracking (from a valid account)– To sniff on a switched network: ARP

spoofing/poisoning to redirect traffic through attackers

7

Unauthenticated AttacksWindows Authentication Sniffing Countermeasures

• Disable LM authentication• Pick good passwords (password complexity

features)• No dictionary password• Use public key encryption• Use built-in Windows IPsec to authenticate

and encrypt traffic

8

Unauthenticated AttacksMan-in-the-Middle Attacks (MITM)

• Relay legitimate client authentication exchange and gain access to the server as the client

• SMBRelay: Harvest usernames and password hashes from SMB traffic and import into cracking tools

• ARP spoofing and DNS redirection: force victims to connect and authenticate to malicious SMB servers

• Tools: Cain, Squirtle, SMBRelay3– Cain: redirect local traffic to itself with ARP spoofing, then

downgrade clients to easier authentication dialects (sniffed, unencrypted, recorded)

• MITM countermeasures– Authenticate and encrypt connections between clients and servers

• IPsec in Windows Firewall– Disable NetBIOS Name Services

9

Unauthenticated AttacksPass-the-Hash

• Use LM and/or NTLM hash of a user’s password– No need to crack/brute-force the hash to cleartext

password– Replay to gain to gain authorized access– Limitations: Not all functionalities of the protocol

are implemented– Dump/modify NTLM credentials stored in memory

and replay• Windows Credentials Editor (WCE)

• Pass the ticket for Kerberos– WCE: dump Windows Kerberos tickets and reuse

them

10

Unauthenticated AttacksRemote Unauthenticated Exploits

• Flaws or misconfigurations in Windows software itself– TCP/UDP services driver interface, user-mode applications

(MS Office, Internet Explorer, Adobe Acrobat Reader)• Metaexploit– Framework plus archive of exploit modules– Locate/search the exploit module– Customize exploit parameters (vendor and model of victim

software), payloads (remote command shell, users, injecting prebuilt code), and options (target IP address, IDS evasion, etc.)

• Network service exploit countermeasures– Patch, available workaround, log and respond

11

Unauthenticated AttacksEnd-User Application Exploits

• End users– Less professional on security– Poorly managed rich software ecosystem

• Adobe Flash Player in browser– Display of rich media and animated content over

Internet– Metaexploit (search /w adobe flash)

• Countermeasures– Personal firewall, network firewall, patch, antivirus,

Internet options in control panel, least privilege, read email in plaintext, configure to very high macro security, don’t be gullible, secure devices physically

12

Unauthenticated AttacksDevice Driver Exploits

• Windows wireless: within physical proximity to a rogue access point beaconing malicious packets

• Plug and play (compatibility)– Vast sea of drivers

• Execution in highly privileged kernel mode total compromise

• Metaexploit exploit modules: e.g. oversized wireless beacon frame remote code execution

• Countermeasures– Patch, turn-off at high concentration of APs, driver signing

(trusted signatures on kernel-mode software), User-Mode Driver Framework (UMDF)

13

Authenticated AttacksPrivilege escalation

• Privilege escalation– From a user account to admin/system privilege

• Getadmin family of exploits – DLL injection– Interactively logged-on accounts from escalating privileges

– From Administrator to SYSTEM privilege• at (Windows Scheduler service) or psexec (remotely)

• Preventing privilege escalation– Patch your Windows– Restrict interactive logon privileges

• Run Security Policy applet Local Policies User Right Assignment Deny log on locally

14

Authenticated AttacksExtracting Passwords

• Extracting and cracking passwords– From administrator, post-exploit activities:

• Gather more usernames and passwords• Disable Windows firewall

• Grabbing password hashes– Stored in Windows Security Accounts Manager (SAM) for local

users, Active Directory on Windows 2000 and domain controllers (DCs) for domain accounts

– pwdump/pwdump2-6, fgdump, and automated remote hash extraction (LSA cache dumping, protected store enumeration)• use DLL injection to insert themselves into a privileged running

process to extract password hashes– pwdump countermeasures: no defense if /w admin and DLL

injection

15

Authenticated AttacksCracking passwords

• Hashing – one-way encipherment• Offline password guessing

– Hashing algorithm hash for a list of possible values (e.g. dictionary) compare with hashed password from pwdump matched means cracked

– Account lockout is not an issue• Weak hash algorithm

– Stronger hashing vs. salting (random value to prevent precomputed hash tables, rainbow tables, that speedup cracking)

• Smart guessing– Dictionary, brute-force, precomputed hash tables– Project Rainbow Crack: precomputed LM hash table for $120 with 24GB in 6 DVDs

• Tools– CLI: John The Ripper Jumbo– GUI: LCP, Cain (dictionary, brute-force, LM/NTLM hashes, sniffed, rainbow tables),

Ophcrack, L0phtcrack, Elcomsoft• Processing time

– Entropy ~ unpredictability

16

Authenticated AttacksDumping Cached Passwords

• Dumping cached passwords– Local Security Authority (LSA) Secrets cache

• Service account passwords in plaintext, cached password hashes of the last ten logon users, FTP/Web user plaintext passwords, remote access services (RAS) dial-up accounts and passwords, etc.

• LSADump2 (~pwdump2 with DLL injection): finds PID of LSASS, injects itself, grabs LSA Secrets

• Cain (with built-in LSA Secrets extractor), gsecdump• CacheDump, MS-Cache Hashes, WCE

• Password cache dumping countermeasures– LSA hotfix /w encryption: but circumvented by lsadump2 by DLL

injection– Avoid getting admin-ed in the first place– Change the Registry value

17

Authenticated AttacksDumping Hashes Stored in Memory

• Dumping hashes stored in memory– Windows Credentials Editor (WCE)– In memory: usernames, domain names, password hashes

of users logon interactively, locally or remotely• Cached credentials

• Dumping hashes stored in memory countermeasures– No silver bullet– Keep the security of ALL members

• Compromised server compromised domain– Avoid RDP to unknown systems– Avoid granting admin privileges

18

Authenticated AttacksRemote Control and Back Doors

• Back doors: services enabling remote control• Command-line remote control tools

– netcat/nc (TCP/IP Swiss army knife)• Configured to listen on a port and launch an executable when

connected– psexec (SMB on TCP 139 or 445) and at– Metaexploit Framework: a large array of backdoor payloads

to spawn command-line shells bound to listening ports, etc.• Graphical remote control tools

– Terminal Services on TCP 3389– Virtual Network Control (VNC)

19

Authenticated AttacksPort Redirection

• Fpipe– A TCP source port forwarder/redirector– A compromised system running a telnet server

behind a firewall that blocks port 23 (telnet) but allow port 53 (DNS)• Fpipe started with a listening server port 53 and

redirected to port 23• Stream forced by Fpipe to use source port 53 to pass

the firewall

20

Authenticated AttacksCovering Tracks

• Disabling auditing– auditpol

• Clearing event log– elsave

• Hiding files– attrib– Alternate Data Streams (ADS)

• Rootkits

21

Windows Security Features• Windows Firewall• Automated Updates• Security Center• Security Policy and Group Policy• Microsoft Security Essentials• The Enhanced Mitigation Experience Toolkit• Bitlocker and Encrypted Files System• Windows Resource/File Protection• Integrity Levels, UAC, and PMIE• Data Execution Prevention• Windows Service Hardening• Compiler-based Enhancements