September 20th, 2002, 09:03 PM
Update (Format Changes)
TABLE OF CONTENTS
1.0 HACKER METHODOLOGY. 1
2.0 FOOTPRINT. 1
2.1 Process. 1
2.2 Countermeasure. 1
3.0 SCAN. 1
3.1 Ping Sweeping. 1
3.2 Port Scanning. 1
3.3 Countermeasures. 1
3.3.1 Port Scanning. 1
3.3.2 Banner Grabbing. 2
4.0 ENUMERATE. 2
4.1.1 Countermeasure. 2
4.2 DNS Zone Transfers. 2
4.2.1 Countermeasure. 2
4.3 Host Enumeration. 2
4.3.1 Countermeasure. 2
5.0 PENETRATION. 3
5.1 Countermeasure. 3
6.0 ESCALATION. 3
6.1 Escalation with NetDDE. 3
6.2 Countermeasures. 3
7.0 PILLAGE. 3
7.1 Sniffing password data. 4
7.2 Countermeasure. 4
8.0 GET INTERACTIVE. 4
9.0 THIS IS NOT THE END. 4
10.0 EXPANDING INFLUENCE. 5
10.1 Trust Attack. 5
10.2 Port Redirection. 5
11.0 CLEANUP. 5
11.1 Countermeasure. 5
12.0 DEFINITIONS 6
1.0 HACKER METHODOLOGY.
The steps in which an attacker takes to gain access to a selected machine. These steps are as follows: Footprint, Scan, Enumerate, Penetrate, Escalate, Pillage, Get Interactive, Expand Influence, and Cleanup. In this tech script, the steps will be explained, followed by the appropriate countermeasures.
The process of accumulating data, regarding a specific network environment. Which is usually for the purpose of finding ways to intrude into the environment. Footprinting can reveal system vulnerabilities and improve the ease with which they can be exploited.
This process begins by determining the location and objective of an intrusion. Once this is known, specific information about the organization is gathered using non-intrusive methods. For example, the organizations own Web page may provide personnel directory or employee bios, which may prove useful if the hacker needs to use social engineering to reach the objective. Conducting a whois query on the Web provides the domain names and associated networks related to a specific organization. Other information obtained may include learning the Internet technologies being used; the operating system and hardware being used; IP addresses; e-mail addresses and phone numbers; and policies and procedures.
To countermeasure this procedure, it is highly recommended that the information provided to Internet registrars be sanitized. It should not contain direct contact information for specific company personnel or other inappropriate information. An easy way to view the information regarding your company is to search www.arin.net. Enter in your company name, and this will supply you with the information that is available to the general public.
Once the network scope has been identified, an attacker will then attempt to determine which addresses are live hosts, and what type of services they are running. The following are two methods of scanning:
3.1 Ping Sweeping.
Typically, the IMCP Echo request, also known as ping is used to see if a host is alive or not. Due to the fact that almost every Internet-connected network blocks ping, no response usually means nothing. A better way to identify live hosts is to see if they are running any services. This is often referred to as Port Scanning.
3.2 Port Scanning.
The act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer. While connected to services during port scanning, the information on banners is presented by the services. Gaining access to these banners is known as Banner Grabbing. The banner can tell you detailed information on the type of software in use, and the operating system running the software.
3.3.1 Port Scanning.
To countermeasure the port scanning procedures, set the router and firewall ACLs to block all inbound access that is not specifically required, Especially to the windows specific ports. Always ensure that TCP/UDP 135-139 and 445 are not available from the Internet. Block TCP/UDP 135-139 and 445 at host level using TCP/IP or IPSec filters. Also block all ports, except those explicitly required.
3.3.2 Banner Grabbing.
To countermeasure the banner grabbing, alter the service banners. For IIS, this requires the use of a hex-editor, to alter the information on the associated DLL file or installing an ISAPI filter.
In addition to Port Scanning, native NT/2000 commands can be used to enumerate further information about the selected NT/2000 networks, and hosts. The information can come from or about The Windows Network including such detail as the numbers and names of the domains on the wire, or from Individual Host, which will let information out about user accounts and groups. Since Windows 2000 is still heavily dependant on NetBIOS naming system, one can extract a great deal of information about Windows NT/2000 networks by querying the NetBIOS Name Service which can be found on UDP 137. NT/2000 hosts identify themselves to domains and workgroups via “Browse Lists” also known as Network Neighborhood. These hosts do not require official machine accounts within the domain, and this ‘function’ can be exploited using native NT/2000 Commands. The target system could be one of three types, first the domain controls are know for holding the ‘treasure chest’ of accounts, secondly web servers may contain e-commerce data, and scripted passwords to backend databases. Finally, standalone hosts may not be well protected, especially “lab or tests” systems.
To countermeasure the enumeration of the targeted systems you should block UDP 137 at sensitive network points such as the Internet and Extranet. If implemented on the Intranet, this may cause resolution errors between legitimate hosts. Results performed by NT/2000 commands are presented as NetBIOS machine names. If hosts are running TCP/IP the IP address of each host can be obtained by using the PING command. Editing the LMHOSTS will use force against the issue, if the IP Address and NetBIOS names are mostly interchangeable.
4.2 DNS Zone Transfers.
DNS Zone Transfers reveal the results from common DNS server mis-configuration, showing hostname to IP address mappings for the entire organization. On the other hand the Windows 2000 DNS reveals much more. Using the built in nslookup utility will make performing zone transfers a snap.
To counter against DNS Zone Transfers restrict zone transfers to authorized back up servers only.
4.3 Host Enumeration.
Host Enumeration is used to obtain sensitive information such as: User Details, Machine Details, and Domain Configuration Details. The availability of this information invariably maximizes the efficiency of further attacks. By querying it’s NetBIOS Name Table, more information can be determined about a specific host. The name table can reveal information such as: Name of User currently logged on, machine name, domain or workgroup name, and the special services it runs from IIS to RAS. With access to such information this will provide access to entry using a null session. This is a connection made with a blank user name and a blank password. This function is enabled by default on Windows NT/2000. This is one of the most debilitating vulnerabilities faced by NT/2000 deployments due to the sure fact that the connection is not logged in the event log, nor is it recorded by a majority of the hosts based IDS products.
To countermeasure the act of host enumeration you must disable these services: first block TCP/UDP 135-139, and 445 at sensitive network gateways. This would include such areas as the Internet and Extranet. Furthermore you would need to block the TCP/UDP 135-139 and 445 again, at the host level using TCP/IP or IPSec filters. A vastly under used feature of Windows 2000 is the IPSec filters. They can be configured much like a personal firewall to block specific inbound traffic. This is a simple way to block access to potentially vulnerable W2K services like TCP 139 and 445. To disable TCP 139 and 445 enumeration completely you can unbind WINS from the adapters by: For Windows NT 4 unbind WINS client (TCP/IP) from the appropriate interface using the network control panel’s binding tab, or for Windows 2000. Go to network and Dial up connections applet | Advanced | Advanced Settings for adapter, deselect File and Printer sharing for Microsoft Networks. If you must enable SMB, you should restrict the type of information available via the RestrictAnonymous Registry key. A new advancement in Windows 2000 allows for the restricted anonymous to be set to 2, which does not include the ‘everyone’ group in anonymous access tokens. This setting may cause undesirable connectivity problems for third party products and older Windows platforms.
The primary guide to authenticating to the remote host can often be done by guessing the user name and password combinations, obtaining the user hash, or exploiting a vulnerable service. In the process of guessing the user name and password combinations is often done by gaining information from a DumpSec output. This information can reveal sensitive information such as: Users that haven’t changed their passwords recently, users who haven’t logged on recently, members who are assigned to the admin group, if an account is a shared account, if the account is a test or lab account, or if there was carelessness in placing sensitive information in the user comment fields. Although a system may have a lock out account, an attacker may be able to count the amount of tries by first guessing against the guest account. Even if the account is disabled you will still be alerted of the lockout threshold. This is often an easy way to find out the lockout policy.
To countermeasure this form of penetration the following suggestions must be implemented. All accounts should have the lockout option enabled and be enforced with strict password policy this will make a password recovery attempt difficult. With this information set, you can use the logon/logoff audit to investigate failures. The main administrator account should be assigned a complex 16-character password with non-printing ASCII characters, and not be used. Also create a decoy account named “Administrator” with no group membership. Periodically checking the failed log on attempts against this account will alert you of the slightest attempts.
Once access to a system has been compromised; to do anything useful the attacker must escalate the owned account to administrator or higher. To date, there are a few serious W2K privilege escalation vulnerabilities released in public: Named pipes predictability, NetDDE, and RevertToSelf. PipeUpAdmin exploits the Named Pipes Predictability issue, and adds the interactive user to local Administrator group. PipeUpAdmin requires that the attacker be logged in at the keyboard or terminal interactively to be effective, and must log out, and back in to take effect.
6.1 Escalation with NetDDE.
Network Dynamic Data Exchange is a technology that enables applications on a different Windows computer to dynamically share data. The network DDE agent runs using the LocalSystem security context, and allows interactive users to request NetDDE agent to run commands as system. Also if an attacker is able to upload or find an ISAPI DLL that calls RevertToSelf API on an IIS server and execute it, they may be able to escalate to local system.
Countermeasures for named pipes and NetDDE obtain post-SP1 patches, so SP1 does not fix these issues. For RevertToSelf, make sure Application Protection is set to medium or higher, and that no existing ISAPI filters call it.
Now that the Admin account has been compromised, an attacker would often work to cover his trails by such activities as clearing the logs, disabling audits, obtain the system password data, and often enough start cracking passwords.
Looking to grab the hash, an attacker will take one of three methods to grab the password data. Extract them from the SAM/AD, grab the backup SAM, or sniff them off the wire. There was a time where you could use a simple tool to remotely extract the password hashes from the SAM. Since then two roadblocks have arisen, the SYSKEY and Active Directory. Passwords ere originally stored in the NT4 SAM using a one-way function (OWF) to scramble them. With NT4 Service Pack 3, Microsoft introduced a function called syskey that could apply a second layer of encryption to the hashes. If the attacker were to obtain a SYSKEY’d hash; he would have to additionally defeat the 128-bit hash encryption. This act at times can be practically impossible, and was implemented on Windows 2000 by default. The attacker may use a technique called “DLL Injection” to hijack a privileged process. This process has the authority to request the password hashes from memory without SYSKEY encryption. Grabbing the backup SAM: The NT ERDiskutility provided a way to create a backup copy of the SAM, and Windows 2000 retains the capability with the NTBackup tool.
7.1 Sniffing password data.
NT/2000 uses a challenge/response authentication mechanism, which retains from sending passwords or their hashes across the wire.
Once a hacker has obtained password hashes, there is nothing stopping them from immediately starting to crack them. NT/2000 keeps two versions of the hash: The LanMan and the hash. LanMan divides passwords into two 7- character pieces before hashing. Thus cracking can be attempted against each 7-character piece independently.
To countermeasure against disabling the system auditing, enable auditing according to policy, and minimally, audit failure of logon events to catch password guessing. Don’t forget to review the logs on a regular basis.
To ensure the security of your SYSKEY’d hashes ensure that NT systems have been updated to Service Pack 3 or greater. As for Windows 2000, with the default already implemented it is practically impossible to defeat the 128-bit encryption.
For protection against password sniffing the registry setting will prevent using easily cracked hashes for authentication, you can also use the DSClient on the Windows 2000 CD for non-NT/2000 Win32 clients.
The basis behind protecting your systems is left to making it practically impossible for the attacker to crack the obtained passwords. One way to do this is to enforce password length of exactly 7 characters. Passwords should meet complexity minimums, such as different case, numerals, and punctuation. This policy can be enforced via the local or domain security policy. To further protect the hashes from easily being crack it is suggested that either the disabling the storage of the LanMan hash or the prevention of a weaker LanMan must be implemented. There has been a warning that disabling the storage of the LanMan hash may break applications. See Q147706 for the prevention of weaker LanMan has during authentication.
8.0 GET INTERACTIVE.
Although the attacker may have administrator access to the host, they don’t yet have the ability to run commands ON the host. They first need an interactive shell on the remote machine, without relying upon telnet or similar services that may or may not be installed. Interactive sessions will put the attacker on the hacked host. This will also allow the attacker to hack hosts in the internal network – behind a dual homed host. “Shoveling the shell “can be achieved via a resource kit tool called remote.exe. Remote is protocol independent, and works over named pipes. The attacker may also use netcat to spawn a remote shell. Netcat offers the flexibility of choosing the port over which to communicate.
Command-line shells like remote or netcat are great, but don’t you think the attacker is going to takeover the system as if they were sitting at the keyboard? Most attackers like to arrange a VNC Connection Virtual Network Computer is a lightweight remote control application that are easily installed remotely. VNC is used to hijack the mouse and keyboard and view the screen of the remote computer. It runs on a customized port number such as TCP 5800 or 5900, and requires a password to connect.
9.0 THIS IS NOT THE END.
This is a typical course followed during a penetration engagement. The obscure web or test server has been compromised, and from this lack of knowledge configuration, complete and total domination of the internal networks is achieved.
An attacker has now knocked down a player at this point, but here are the questions that are most likely running through your mind. What other systems can be reached? What trusts can be exploited? What additional compromising data can be gathered over time from this perch?
10.0 EXPANDING INFLUENCE.
From this scenario you will see the most common performances that an attacker may perform on the exploited computer. When an attacker plans to expand their influence they will make moves to attack the trust and configure port redirection.
10.1 Trust Attack.
In the act of attacking the trust they will hide, or initiate such programs as LSA Secrets, keystroke loggers, Trojan logons, and/or sniffers on the exploited system. The LSA Secrets are services running under the context of a user account and stores their passwords in an insecure fashion in the registry. The passwords stored in this fashion can be enumerated in clear text. In addition to service accounts, the last ten logged on domain user hashes are stored in the registry. RAS passwords are also stored in this section of the registry, even if you choose to use the do not save password function.
Another form of an attack on the trust is in the use of keystroke loggers. By logging the keystrokes of legitimate users, a lot of passwords can be collected. Often, these passwords grant access to additional systems within the target infrastructure.
Keystroke loggers may contain a little more work that needed to gain the access an attacker is looking for. A popular method used for simplicity reasons is Trojan Logons. Trojan logons can intercept the communication between winlogon and the normal GINA, and captures all successful logons including Domain, Username, and Password, while writing them to a text file.
A classic technique of a trust attack is the installation of a sniffer on a compromised system. This will monitor network traffic over time while yielding info on additional systems within the target infrastructure.
10.2 Port Redirection.
If an attacker can’t gain direct access to a port, they often attempt to redirect the port. A port redirector can be used to listen on a selected port number, and any packets it receives on that port are forwarded to a new port number on a remote host. This action is primarily used to bypass router ACLs and firewalls.
At this time the attacker has more or less gained all access, and permissions he or she needs to bring your system to its knees. Although this may not be at all the attention the attacker will ensure they can come back to a system again if necessary. They may or may not have already planted a myriad of remote control tools, it is helpful to have redundancy, and ensure they can survive a reboot. After an attacker gains admin access to a box, it is easy to plant a back door. A favorite technique of attackers is to plant back doors in one of several well-known locations that are automatically executed at boot.
Once the system has been compromised, there are minor countermeasures to can take to regain control of your system, but the integrity of the system as a whole will maintain affected by this intrusion. The most often spoken advice to someone in this situation would be to burn down the system, and start from scratch. There are no such available counters for an LSA attack, the valued word is to not get admin’d in the first place, and to refrain from running services in the context of trusted domain user accounts if at all possible, especially if they are highly privileged in that domain. As for keystroke loggers, if you know what type of logger your system has been introduced to. You can always look for and remove both the drivers, and the log. Most updated anti virus will flag such devices as a Trojan Logon. Another way to look for this type of feature is to inspect the registry value, if it contains something else than “msgina” or “msgina.dll,” you’ve probably been had. When it comes to sniffers it comes down to procedures that should have already been implemented such as the use of encrypted communications. Such forms of this encryption could be Secure Shell (ssh), Secure Sockets Layer (SSL), Secure Email via Pretty Good Privacy (PGP), or IP-Layer encryption like that supplied by IPSec. This is the only nearly foolproof way to invade eavesdropping attacks. Adopting switched network topologies and VLANs can greatly reduce the risk, but is not guaranteed with new attack techniques. Never assume a firewall will protect you, take the steps needed to lock down hosts, and disable unnecessary services. Last, but not least when it comes to back doors scrutinize outbound ACLs just as closely as inbound. Look for default ports using netstat –an | findstr “54320 54321”, or use a tool to monitor the ports bound to each running process. If your system has been compromised to this point. The logical step now would be to shut down the system, analyze the method, or methods the attacker took to violate your system, and use the countermeasures included in this paper to secure your system, and protect yourself from a déjà vu.
API (application program interface) - a set of routines, protocols, and tools for building software applications. A good API makes it easier to develop a program by providing all the building blocks. A programmer puts the blocks together.
Most operating environments, such as MS-Windows, provide an API so programmers can write applications consistent with the operating environment. Although APIs are designed for programmers, they are ultimately good for users because they guarantee that all programs using a common API will have similar interfaces. This makes it easier for users to learn new programs.
ASCII (American Standard Code for Information Interchange) - Pronounced ask-ee. ASCII is a code for representing English characters as numbers, with each letter assigned a number from 0 to 127. For example, the ASCII code for uppercase M is 77. Most computers use ASCII codes to represent text, which makes it possible to transfer data from one computer to another.
Text files stored in ASCII format are sometimes called ASCII files. Text editors and word processors are usually capable of storing data in ASCII format, although ASCII format is not always the default storage format. Most data files, particularly if they contain numeric data, are not stored in ASCII format. Executable programs are never stored in ASCII format.
The standard ASCII character set uses just 7 bits for each character. There are several larger character sets that use 8 bits, which gives them 128 additional characters. The extra characters are used to represent non-English characters, graphics symbols, and mathematical symbols. Several companies and organizations have proposed extensions for these 128 characters. The DOS operating system uses a superset of ASCII called extended ASCII or high ASCII. A more universal standard is the ISO Latin 1 set of characters, which is used by many operating systems, as well as Web browsers.
Another set of codes that is used on large IBM computers is EBCDIC.
DLL (Dynamic Link Library) - A library of executable functions or data that can be used by a Windows application. Typically, a DLL provides one or more particular functions and a program accesses the functions by creating either a static or dynamic link to the DLL. A static link remains constant during program execution while a dynamic link is created by the program as needed. DLLs can also contain just data. DLL files usually end with the extension .dll., exe., drv, or .fon.
A DLL can be used by several applications at the same time. Some DLLs are provided with the Windows operating system and available for any Windows application. Other DLLs are written for a particular application and are loaded with the application.
DNS (Domain Name System [or Service]) - an Internet service that translates domain names into IP addresses. Because domain names are alphabetic, they're easier to remember. The Internet however, is really based on IP addresses. Every time you use a domain name, therefore, a DNS service must translate the name into the corresponding IP address. For example, the domain name www.example.com might translate to 126.96.36.199.
The DNS system is, in fact, its own network. If one DNS server doesn't know how to translate a particular domain name, it asks another one, and so on, until the correct IP address is returned.
IDS - An intrusion detection system (IDS) inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system.
There are several ways to categorize an IDS:
Misuse Detection vs. Anomaly Detection: in misuse detection, the IDS analyzes the information it gathers and compares it to large databases of attack signatures. Essentially, the IDS looks for a specific attack that has already been documented. Like a virus detection system, misuse detection software is only as good as the database of attack signatures that it uses to compare packets against. In anomaly detection, the system administrator defines the baseline, or normal, state of the network’s traffic load, breakdown, protocol, and typical packet size. The anomaly detector monitors network segments to compare their state to the normal baseline and look for anomalies.
Network-based vs. Host-based Systems: in a network-based system, or NIDS, the individual packets flowing through a network are analyzed. The NIDS can detect malicious packets that are designed to be overlooked by a firewall’s simplistic filtering rules. In a host-based system, the IDS examines at the activity on each individual computer or host.
Passive System vs. Reactive System: in a passive system, the IDS detects a potential security breach, logs the information and signals an alert. In a reactive system, the IDS responds to the suspicious activity by logging off a user or by reprogramming the firewall to block network traffic from the suspected malicious source.
Though they both relate to network security, an IDS differs from a firewall in that a firewall looks out for intrusions in order to stop them from happening. The firewall limits the access between networks in order to prevent intrusion and does not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system.
IIS (Internet Information Server) - Microsoft's Web server that runs on Windows NT platforms. In fact, IIS comes bundled with Windows NT 4.0. Because IIS is tightly integrated with the operating system, it is relatively easy to administer. However, currently IIS is available only for the Windows NT platform, whereas Netscape's Web servers run on all major platforms, including Windows NT, OS/2 and UNIX.
IP (Internet Protocol) pronounced as two separate letters - IP specifies the format of packets, also called datagrams, and the addressing scheme. Most networks combine IP with a higher-level protocol called Transport Control Protocol (TCP), which establishes a virtual connection between a destination and a source.
IP by itself is something like the postal system. It allows you to address a package and drop it in the system, but there's no direct link between you and the recipient. TCP/IP, on the other hand, establishes a connection between two hosts so that they can send messages back and forth for a period of time.
The current version of IP is IPv4. A new version, called IPv6 or IPng, is under development.
IPSec (IP Security) - A set of protocols developed by the IETF to support secure exchange of packets at the IP layer. IPsec has been deployed widely to implement Virtual Private Networks (VPNs).
ISAPI (Internet Server API) - an API for Microsoft's IIS (Internet Information Server) Web server. ISAPI enables programmers to develop Web-based applications that run much faster than conventional CGI programs because they're more tightly integrated with the Web server. In addition to IIS, several Web servers from companies other than Microsoft support ISAPI.
LMHOSTS - Specific to Windows, the LMHOSTS file is a plain text file (without a file extension ) that tells your computer where to find another computer on a network. The file resides in the Windows directory, and it lists the computer names (NetBIOS ) and IP addresses of machines you access on a regular basis.
NetBIOS - Short for Network Basic Input Output System, an application programming interface (API) that augments the DOS BIOS by adding special functions for local-area networks (LANs). Almost all LANs for PCs are based on the NetBIOS. Some LAN manufacturers have even extended it, adding additional network capabilities.
NetBIOS relies on a message format called Server Message Block (SMB).
RAS (Remote Access Services) – (1) A feature built into Windows NT that enables users to log into an NT-based LAN using a modem, X.25 connection or WAN link. RAS works with several major network protocols, including TCP/IP, IPX, and Netbeui.
To use RAS from a remote node, you need a RAS client program, which is built into most versions of Windows, or any PPP client software. For example, most remote control programs work with RAS. (2) Remote Access Server.
SMB (Server Message Block) – A message format used by DOS and Windows to share files, directories and devices. NetBIOS is based on the SMB format, and many network products use SMB. These SMB-based networks include Lan Manager, Windows for Workgroups, Windows NT, and Lan Server. There are also a number of products that use SMB to enable file sharing among different operating system platforms. A product called Samba, for example, enables UNIX and Windows machines to share directories and files.
TCP (Transmission Control Protocol) and pronounced as separate letters - TCP is one of the main protocols in TCP/IP networks. Whereas the IP protocol deals only with packets, TCP enables two hosts to establish a connection and exchange streams of data. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent.
UDP (User Datagram Protocol) - a connectionless protocol that, like TCP, runs on top of IP networks. Unlike TCP/IP, UDP/IP provides very few error recovery services, offering instead a direct way to send and receive datagrams over an IP network. It's used primarily for broadcasting messages over a network.