August 9th, 2002, 02:27 PM
Network Vulnerabilities and Countermeasures
This was the tech script I was requested to write after attending a Windows 2000 Security Seminar. I do not consider myself to be a professional in this field, but I would like to say I am well educated. This was written last year and is up to be edited again for this year. Any comments, suggestions, or edits would be greatly appreciated.
The hacker methodology is the sequence of steps an attacker takes to gain access to a selected machine. The steps are as follows: Footprint, Scan, Enumerate, Penetrate, Escalate, Pillage, Get Interactive, Expand Influence, and Cleanup. In this tech script, each step will be explained, followed by the appropriate countermeasures.
Footprinting is the process of accumulating data regarding a specific network environment, usually for the purpose of finding ways to intrude into that environment. Footprinting can reveal system vulnerabilities and improve the ease with which they can be exploited. Footprinting begins by determining the location and objective of an intrusion. Once this is known, specific information about the organization is gathered using non-intrusive methods. For example, the organization's own Web page may provide a personnel directory or employee bios, which may prove useful if the hacker needs to use social engineering to reach the objective. Conducting a whois query on the Web provides the domain names and associated networks related to a specific organization. Other information obtained may include the Internet technologies in use; the operating system and hardware in use; IP addresses; e-mail addresses and phone numbers; and policies and procedures.
To counter this procedure, it is highly recommended that the information provided to Internet registrars be sanitized. It should not contain direct contact information for specific company personnel or other inappropriate information. An easy way to view the information published about your company is to search www.arin.net. Enter your company name, and this will show you the information that is available to the general public.
Scanning: Once the network scope has been identified, an attacker will then attempt to determine which addresses are live hosts, and what type of services they are running. One method used to perform this task is called a Ping Sweep.
Ping Sweeping: Typically, the ICMP Echo request, also known as ping, is used to see whether a host is alive or not. Since almost every Internet-connected network blocks ping, no response usually means nothing. A better way to identify live hosts is to see if they are running any services. This is often referred to as Port Scanning.
Port Scanning: The act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies the open doors to a computer. Port scanning has legitimate uses in managing networks, but it can also be malicious in nature if someone is looking for a weak access point to break into your computer. While connecting to services during a port scan, the services present their banners. Collecting these banners is known as Banner Grabbing. A banner can give detailed information on the type of software in use and the operating system running it.
To counter port scanning, set the router and firewall ACLs to block all inbound access that is not specifically required, especially to the Windows-specific ports. Always ensure that TCP/UDP 135-139 and 445 are not reachable from the Internet. Block TCP/UDP 135-139 and 445 at the host level as well, using TCP/IP or IPSec filters. Also block all other ports except those explicitly required.
To counter banner grabbing, alter the service banners. For IIS, this requires either a hex editor to alter the banner text in the associated DLL file or the installation of an ISAPI filter.
Enumerate: In addition to port scanning, native NT/2000 commands can be used to enumerate further information about the selected NT/2000 networks and hosts. The information can come from, or be about, the Windows network as a whole, including such details as the number and names of the domains on the wire, or from an individual host, which will give away information about user accounts and groups. Since Windows 2000 is still heavily dependent on the NetBIOS naming system, one can extract a great deal of information about Windows NT/2000 networks by querying the NetBIOS Name Service, which is found on UDP 137. NT/2000 hosts identify themselves to domains and workgroups via "Browse Lists", also known as Network Neighborhood. These hosts do not require official machine accounts within the domain, and this 'function' can be exploited using native NT/2000 commands. The target system could be one of three types: first, domain controllers are known for holding the 'treasure chest' of accounts; secondly, web servers may contain e-commerce data and scripted passwords to backend databases; finally, standalone hosts may not be well protected, especially "lab or test" systems.
To counter the enumeration of targeted systems, block UDP 137 at sensitive network points such as the Internet and Extranet. If implemented on the Intranet, this may cause name resolution errors between legitimate hosts. Results produced by the NT/2000 commands are presented as NetBIOS machine names. If the hosts are running TCP/IP, the IP address of each host can be obtained with the PING command. Editing the LMHOSTS file can force the mapping, since IP addresses and NetBIOS names are largely interchangeable.
A DNS zone transfer, made possible by a common DNS server misconfiguration, reveals the hostname-to-IP-address mappings for the entire organization. Windows 2000 DNS reveals even more. The built-in nslookup utility makes performing zone transfers a snap.
To counter DNS zone transfers, restrict them to authorized backup servers only.
Host Enumeration is used to obtain sensitive information such as user details, machine details, and domain configuration details. The availability of this information invariably maximizes the efficiency of further attacks. By querying its NetBIOS Name Table, more information can be determined about a specific host. The name table can reveal information such as the name of the user currently logged on, the machine name, the domain or workgroup name, and the special services it runs, from IIS to RAS. Access to this information is gained through a null session: a connection made with a blank user name and a blank password. This function is enabled by default on Windows NT/2000. It is one of the most debilitating vulnerabilities faced by NT/2000 deployments, for the simple reason that the connection is not logged in the event log, nor is it recorded by the majority of host-based IDS products.
To counter host enumeration you must cut off these services. First, block TCP/UDP 135-139 and 445 at sensitive network gateways, such as the Internet and Extranet. Then block TCP/UDP 135-139 and 445 again at the host level using TCP/IP or IPSec filters. A vastly underused feature of Windows 2000 is IPSec filters; they can be configured much like a personal firewall to block specific inbound traffic, and are a simple way to block access to potentially vulnerable W2K services like TCP 139 and 445. To disable TCP 139 and 445 enumeration completely, unbind WINS from the adapters: on Windows NT 4, unbind the WINS client (TCP/IP) from the appropriate interface using the Network control panel's Bindings tab; on Windows 2000, go to the Network and Dial-up Connections applet | Advanced | Advanced Settings for the adapter, and deselect File and Printer Sharing for Microsoft Networks. If you must enable SMB, restrict the type of information available via the RestrictAnonymous registry key. A new advancement in Windows 2000 allows RestrictAnonymous to be set to 2, which leaves the 'Everyone' group out of anonymous access tokens. This setting may cause undesirable connectivity problems for third-party products and older Windows platforms.
The primary route to authenticating to the remote host is often guessing user name and password combinations, obtaining the user's hash, or exploiting a vulnerable service. Guessing user name and password combinations is often aided by information from a DumpSec output. This can reveal sensitive details such as users who haven't changed their passwords recently, users who haven't logged on recently, members of the admin group, whether an account is a shared account, whether the account is a test or lab account, or whether sensitive information was carelessly placed in the user comment fields. Although a system may have an account lockout policy, an attacker may be able to count the number of tries allowed by first guessing against the Guest account. Even if the account is disabled, the lockout threshold will still be reported. This is often an easy way to find out the lockout policy.
To counter this form of penetration, the following suggestions must be implemented. All accounts should have the lockout option enabled and be governed by a strict password policy; this will make a password recovery attempt difficult. With this in place, you can use logon/logoff auditing to investigate failures. The main administrator account should be assigned a complex 16-character password with non-printing ASCII characters, and should not be used. Also create a decoy account named "Administrator" with no group membership. Periodically checking the failed logon attempts against this account will alert you to even the slightest attempts.
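A way to act on the last two suggestions, as an added example that is not part of the original post: review failed-logon records for any attempt against the decoy "Administrator" account and for a run of failures against Guest that looks like someone measuring the lockout threshold. The record layout and the sample records are constructed for this example; map your own audit export onto the same four fields.

```python
"""Flag password guessing against a decoy account and lockout probing.

The four-field record format and SAMPLE_LOG are constructed for this
example; adapt parse_records() to your own audit export.
"""
from collections import Counter

# Constructed sample: date, time, outcome, account, source workstation.
SAMPLE_LOG = """\
2002-08-09 02:01:10 FAILURE Guest WS-LAB7
2002-08-09 02:01:11 FAILURE Guest WS-LAB7
2002-08-09 02:01:12 FAILURE Guest WS-LAB7
2002-08-09 02:01:13 FAILURE Guest WS-LAB7
2002-08-09 02:01:14 FAILURE Guest WS-LAB7
2002-08-09 02:02:30 FAILURE Administrator WS-LAB7
2002-08-09 02:05:00 SUCCESS jsmith WS-ACCT3
2002-08-09 02:05:45 FAILURE jsmith WS-ACCT3
"""

DECOY_ACCOUNTS = {"administrator"}   # the renamed real admin is not listed
PROBE_ACCOUNTS = {"guest"}           # disabled, yet still reports lockout
LOCKOUT_THRESHOLD = 5                # copy this from your lockout policy


def parse_records(text):
    """Yield (timestamp, outcome, account, source) from the export."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                  # skip headers and malformed lines
        date, time, outcome, account, source = parts
        yield (f"{date} {time}", outcome, account.lower(), source)


def find_suspicious_logons(text, threshold=LOCKOUT_THRESHOLD):
    """Return (source, account, reason) alerts, in log order.

    Any failure against a decoy account is an alert on its own, because
    no legitimate user should ever type that name.  `threshold` failures
    against a probe account from one source look like lockout probing.
    """
    alerts = []
    probe_hits = Counter()
    for ts, outcome, account, source in parse_records(text):
        if outcome != "FAILURE":
            continue
        if account in DECOY_ACCOUNTS:
            alerts.append((source, account, f"decoy account tried at {ts}"))
        elif account in PROBE_ACCOUNTS:
            probe_hits[(source, account)] += 1
            if probe_hits[(source, account)] == threshold:
                alerts.append((source, account,
                               f"{threshold} failures: lockout probing"))
    return alerts
```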
Once access to a system has been gained, to do anything useful the attacker must escalate the owned account to Administrator or higher. To date, a few serious W2K privilege escalation vulnerabilities have been publicly released: named pipes predictability, NetDDE, and RevertToSelf. PipeUpAdmin exploits the named pipes predictability issue and adds the interactive user to the local Administrators group. PipeUpAdmin requires that the attacker be logged in interactively at the keyboard or terminal to be effective, and the attacker must log out and back in for the change to take effect.
Escalation with NetDDE: Network Dynamic Data Exchange is a technology that enables applications on different Windows computers to dynamically share data. The Network DDE agent runs in the LocalSystem security context and allows interactive users to request that the NetDDE agent run commands as SYSTEM. Also, if an attacker is able to upload or find an ISAPI DLL that calls the RevertToSelf API on an IIS server and execute it, they may be able to escalate to LocalSystem.
As countermeasures for named pipes and NetDDE, obtain the post-SP1 patches, since SP1 alone does not fix these issues. For RevertToSelf, make sure Application Protection is set to Medium or higher, and that no existing ISAPI filters call it.
Now that the Admin account has been compromised, an attacker will often work to cover his tracks with activities such as clearing the logs and disabling audits, obtain the system password data, and often enough start cracking passwords.
Looking to grab the hashes, an attacker will take one of three approaches to the password data: extract them from the SAM/AD, grab the backup SAM, or sniff them off the wire. There was a time when a simple tool could remotely extract the password hashes from the SAM. Since then two roadblocks have arisen: SYSKEY and Active Directory. Passwords were originally stored in the NT4 SAM using a one-way function (OWF) to scramble them. With NT4 Service Pack 3, Microsoft introduced a function called SYSKEY that applies a second layer of encryption to the hashes. If the attacker obtains a SYSKEY'd hash, he must additionally defeat the 128-bit encryption of the hash, which at times can be practically impossible; SYSKEY is enabled on Windows 2000 by default. The attacker may instead use a technique called "DLL injection" to hijack a privileged process, which has the authority to request the password hashes from memory without SYSKEY encryption. Grabbing the backup SAM: the NT ERDisk utility provided a way to create a backup copy of the SAM, and Windows 2000 retains that capability in the NTBackup tool.
Sniffing password data: NT/2000 uses a challenge/response authentication mechanism, which refrains from sending passwords or their hashes across the wire.
Once a hacker has obtained password hashes, there is nothing stopping them from immediately starting to crack them. NT/2000 keeps two versions of the hash: the LanMan hash and the NT hash. LanMan divides passwords into two 7-character pieces before hashing, so cracking can be attempted against each 7-character piece independently.
To counter the disabling of system auditing, enable auditing according to policy and, at a minimum, audit logon failures to catch password guessing. Don't forget to review the logs on a regular basis.
To ensure the security of your SYSKEY'd hashes, make sure that NT systems have been updated to Service Pack 3 or greater. As for Windows 2000, with SYSKEY enabled by default, it is practically impossible to defeat the 128-bit encryption.
For protection against password sniffing, the registry setting described in Q147706 (see below) will prevent the easily cracked hashes from being used for authentication; you can also install the DSClient from the Windows 2000 CD on non-NT/2000 Win32 clients.
The basis of protecting your systems comes down to making it practically impossible for the attacker to crack the obtained passwords. One way to do this is to enforce a password length of exactly 7 characters. Passwords should meet complexity minimums, such as mixed case, numerals, and punctuation. This policy can be enforced via the local or domain security policy. To further protect the hashes from being easily cracked, either disable storage of the LanMan hash or prevent the weaker LanMan hash from being used during authentication. Be warned that disabling storage of the LanMan hash may break applications. See Q147706 for preventing the weaker LanMan hash from being used during authentication.
Although the attacker may have administrator access to the host, they do not yet have the ability to run commands ON the host. They first need an interactive shell on the remote machine, without relying on telnet or similar services that may or may not be installed. An interactive session puts the attacker on the hacked host, and also lets the attacker go after hosts in the internal network behind a dual-homed host. "Shoveling the shell" can be achieved with a Resource Kit tool called remote.exe. Remote is protocol independent and works over named pipes. The attacker may also use netcat to spawn a remote shell; netcat offers the flexibility of choosing the port over which to communicate.
Command-line shells like remote or netcat are great, but wouldn't the attacker rather take over the system as if they were sitting at the keyboard? Most attackers like to arrange a VNC connection. Virtual Network Computing is a lightweight remote control application that is easily installed remotely. VNC is used to hijack the mouse and keyboard and view the screen of the remote computer. It runs on a customizable port number such as TCP 5800 or 5900 and requires a password to connect.
THIS IS NOT THE END
This is a typical course followed during a penetration engagement. An obscure, carelessly configured web or test server has been compromised, and from there complete and total domination of the internal networks is achieved.
At this point the attacker has knocked down one player, but these are the questions most likely running through their mind: What other systems can be reached? What trusts can be exploited? What additional compromising data can be gathered over time from this perch?
From this scenario you will see the most common actions an attacker may perform on the exploited computer. When an attacker plans to expand their influence, they will make moves to attack the trust and to configure port redirection.
In attacking the trust, they will hide or start such programs as LSA Secrets dumpers, keystroke loggers, Trojan logons, and/or sniffers on the exploited system. The LSA Secrets are where services running under the context of a user account store their passwords, in an insecure fashion, in the registry. Passwords stored this way can be enumerated in clear text. In addition to service accounts, the hashes of the last ten domain users to log on are stored in the registry. RAS passwords are also stored in this section of the registry, even if you choose the "do not save password" option.
Another form of attack on the trust is the use of keystroke loggers. By logging the keystrokes of legitimate users, a lot of passwords can be collected. Often, these passwords grant access to additional systems within the target infrastructure.
Keystroke loggers may involve more work than is needed to gain the access an attacker is looking for. A popular method, chosen for its simplicity, is the Trojan logon. A Trojan logon intercepts the communication between winlogon and the normal GINA and captures all successful logons, including domain, user name, and password, writing them to a text file.
A classic trust attack technique is the installation of a sniffer on the compromised system. It monitors network traffic over time, yielding information on additional systems within the target infrastructure.
If an attacker cannot gain direct access to a port, they often attempt to redirect it. A port redirector listens on a selected port number, and any packets it receives on that port are forwarded to a new port number on a remote host. This is primarily used to bypass router ACLs and firewalls.
At this point the attacker has more or less gained all the access and permissions he or she needs to bring your system to its knees. Even if that is not the intent, the attacker will make sure they can come back to the system again if necessary. They may or may not have already planted a myriad of remote control tools; redundancy is helpful to them, as is surviving a reboot. After an attacker gains admin access to a box, it is easy to plant a back door. A favorite technique is to plant back doors in one of several well-known locations that are automatically executed at boot.
Once the system has been compromised, there are minor countermeasures you can take to regain control of it, but the integrity of the system as a whole will remain affected by the intrusion. The most often spoken advice to someone in this situation is to burn down the system and start from scratch.
There are no real counters to an LSA attack; the valued word is not to get admin'd in the first place, and to refrain from running services in the context of trusted domain user accounts if at all possible, especially if those accounts are highly privileged in the domain.
As for keystroke loggers, if you know what type of logger your system has been introduced to, you can always look for and remove both the drivers and the log. Most up-to-date antivirus will flag such tools as a Trojan logon. Another way to look for this is to inspect the registry value that names the GINA DLL; if it contains anything other than "msgina" or "msgina.dll," you've probably been had.
When it comes to sniffers, it comes down to procedures that should already have been implemented, such as the use of encrypted communications: Secure Shell (SSH), Secure Sockets Layer (SSL), secure e-mail via Pretty Good Privacy (PGP), or IP-layer encryption like that supplied by IPSec. This is the only nearly foolproof way to evade eavesdropping attacks. Adopting switched network topologies and VLANs can greatly reduce the risk, but is no guarantee against new attack techniques. Never assume a firewall will protect you; take the steps needed to lock down hosts and disable unnecessary services.
Last but not least, when it comes to back doors, scrutinize outbound ACLs just as closely as inbound. Look for default ports using netstat -an | findstr "54320 54321", or use a tool to monitor the ports bound to each running process.
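A way to make that netstat check routine, as an added example that is not part of the original post: parse the output of netstat -an and report every listening port that is not on the host's allowed list, calling out the VNC ports and the back door ports named above, and the NetBIOS/SMB ports that should be filtered. The netstat text below is constructed for this example; the allowed set is an assumption you replace with the services the host is actually required to run.

```python
"""Audit `netstat -an` output for listeners that should not be there.

SAMPLE_NETSTAT is constructed in the layout Windows netstat prints; feed
the real output of `netstat -an` to audit_listeners() instead.
"""

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        10.0.0.7:33122         ESTABLISHED
  UDP    0.0.0.0:54321          *:*
  UDP    0.0.0.0:137            *:*
"""

# Ports the post tells you to look for: VNC (TCP 5800/5900) and the
# netstat | findstr "54320 54321" back door check.
WATCHLIST = {5800: "VNC", 5900: "VNC",
             54320: "known back door port", 54321: "known back door port"}
# NetBIOS/SMB ports that must be filtered at the gateway and the host.
NETBIOS_SMB = set(range(135, 140)) | {445}


def parse_listeners(text):
    """Return (proto, port) for every listening TCP or bound UDP socket."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue                  # headers, blank lines, other text
        proto, local = parts[0], parts[1]
        state = parts[3] if len(parts) > 3 else ""
        # TCP sockets must be LISTENING; UDP sockets are shown bound only.
        if proto == "TCP" and state != "LISTENING":
            continue
        port = int(local.rsplit(":", 1)[1])
        listeners.append((proto, port))
    return listeners


def audit_listeners(text, allowed=frozenset({80, 443})):
    """Return (port, reason) findings sorted by port.

    `allowed` is assumed here to be 80 and 443; set it to the ports this
    host is explicitly required to serve.  Everything else is reported,
    with a sharper reason for watchlist and NetBIOS/SMB ports.
    """
    findings = []
    for proto, port in parse_listeners(text):
        if port in allowed:
            continue
        if port in WATCHLIST:
            findings.append((port, f"{proto} {WATCHLIST[port]} listener"))
        elif port in NETBIOS_SMB:
            findings.append((port, f"{proto} NetBIOS/SMB port exposed"))
        else:
            findings.append((port, f"{proto} port not in the allowed set"))
    return sorted(findings)
```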
If your system has been compromised to this point, the logical step now would be to shut down the system, analyze the method or methods the attacker used to violate it, and apply the countermeasures included in this paper to secure your system and protect yourself from a déjà vu.