Асоциация за информационна

сигурност www.iseca.org

Мрежова сигурност 1

изборен курс във ФМИ на СУпонеделник , зала 325, ФМИ, 19:00четвъртък, зала 200, ФМИ, 19:00

Лекция 3.11 :-)Windows

Windows General Windows User roles Type of targets Type of attacks Example attacks Attack prevention Hardening Windows

Windows general Windows role Windows and the others Patch management Today role of the security

User Roles Local System Administrator User Special Roles

Type of targets Services Applications Registry Users Permissions Passwords

Type of attacks Information gathering

Error messages enumerations

Programming errors Buffer overflows Format strings Other

Type of attacks DoS

resource consume Others

Misconfiguration Privileges

More privileges Not dropped privileges

Type of attacks User

Lack of security knowledge Misleading Boredom

Local attacks On site

Password dumping Off site

Type of attacks Hiding

Root Kits NTFS Registry

Example attacks Information gathering

Snmpwalk Path disclosure Banner matching

Programming errors Code red – IIS /default.ida?

NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

Example attacks SASSER Local Security Authority Subsystem Service - Lsasrv.dll RPC buffer overflow allows remote attackers to execute arbitrary code via a packet that causes the

DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file

Windows WMF The vulnerability is caused due to an error in the handling of Windows Metafile

files (‘.wmf’) containing specially crafted SETABORTPROC ‘Escape’ records. Such records allow arbitrary user-defined function to be executed when the rendering of a WMF file fails.” According to the Windows 3.1 SDK docs, the SETABORTPROC escape was obsoleted and replaced by the function of the same name in Windows 3.1, long before the WMF vulnerability took advantage of it

Local privileges escalation attacks

Example attacks Microsoft Word document handling

buffer overflow A memory corruption vulnerability in Microsoft Word could allow a remote attacker to execute

arbitrary code with the privileges of the user running Word.

Example attacks DoS

TCP/IP Microsoft Windows 2000 empty TCP packet denial of service

Microsoft Windows 2000 is vulnerable to a denial of service attack. A remote attacker can send a stream of empty TCP packets to the NetBIOS port (TCP port 139) to consume all available system memory

Applications IIS DOS

POST /_vti_bin/shtml.dll HTTP/1.0Host: [32762 '/' characters]Content-length: 22This will cause the web service to consume 99% of the CPU for about 35 seconds. During this time, no other HTTP requests will be serviced.

Example attacks Enumerations

Shares Netbios Auditing Tool

Accounts @stake LC 5

Other bindview enum

enum is a console-based Win32 information enumeration utility. Using null sessions, enum can retrieve userlists, machine lists, sharelists, namelists, group and member lists, password and LSA policy information. enum is also capable of a rudimentary brute force dictionary attack on individual accounts.

Example attacks Misconfiguration

Registry permissions Files / Directory permissions

Privileges Higher privileges than needed

Example attacks Hiding

Root kits Trojans

Attack prevention OS side

DEP – Data Execution Prevention Randomization Safe libs Registry tweaks

IDS Deep packet inspection Honeypots

Updates

Hardening Safe coding Best practices Lock tools Education of users Good security polices

Password polices Access polices