Chapter 4 Hacking Windows Part 2. Authenticated Attacks Privilege Escalation Pilfering –Grabbing the Password Hashes –Cracking Passwords –LSADump –Previous.
Post on 14-Dec-2015
Authenticated Attacks
Privilege Escalation
Pilfering
– Grabbing the Password Hashes
– Cracking Passwords
– LSADump
– Previous Logon Cache Dump
Remote Control and Back Doors
Port Redirection
Countermeasures
Covering Tracks
Privilege Escalation
Once a user can log on to a Windows machine as a Guest or Limited User, the next goal is to escalate privileges to Administrator or SYSTEM
– Getadmin was an early exploit (link Ch 4r)
– There have been many others, including a buffer overrun MS03-013 (link Ch 4s)
SYSTEM status
The SYSTEM account is more powerful than the Administrator account
The Administrator can schedule tasks to be performed as SYSTEM
– It's more complicated in Vista, but still possible
Making a SYSTEM Task in Vista
Start, Task Scheduler
Action, Create Task
Change User or Group, select SYSTEM
Fill in wizard, notepad.exe
You can see it in Task Manager, but it's not interactive (see link Ch 4t)
Preventing Privilege Escalation
Keep machines patched
Restrict interactive logon to trusted accounts
– Start, secpol.msc
– Deny log on locally
Pilfering
Once Administrator-equivalent status has been obtained on one machine
Attackers try to gather important information – pilfering
Common Targets
– Password hashes
– LSA Secrets
– Previous Logon Cache
Grabbing the Password Hashes
Stored in the Windows Security Accounts Manager (SAM) under NT4 and earlier, and
In the Active Directory on Windows 2000 and greater domain controllers (DCs)
The SAM contains the usernames and hashed passwords of all users
– The counterpart of the /etc/passwd file from the UNIX world
Obtaining the Hashes
NT4 and earlier stores password hashes in %systemroot%\system32\config\SAM
– It's locked as long as the OS is running
– It's also in the Registry key HKEY_LOCAL_MACHINE\SAM
On Windows 2000 and greater domain controllers, password hashes are kept in the Active Directory
– %windir%\WindowsDS\ntds.dit
How to Get the Hashes
Boot the target system to an alternate OS and copy the files to removable media
Copy the backup of the SAM file created by the Repair Disk Utility
– But this file is protected by SYSKEY encryption, which makes it harder to crack (perhaps impossible)
– Note: SYSKEY also protects the original SAM
But if you have Administrator access, SYSKEY can be cracked, unless you have moved the key off the computer
– Links Ch 4u, 4v, 4w
How to Get the Hashes
Sniff Windows authentication exchanges
Extract the password hashes from a running system with pwdump2
– Can bypass SYSKEY protection
– Injects a DLL into a highly privileged process in a running system
– Link Ch 4x
We'll use Ophcrack to do it
pwdump2 Countermeasures
There is no defense against pwdump2, 3, 4, …
But the attacker needs local Administrative rights to use them
Cracking Passwords
The hash is supposed to be really difficult to reverse
– NTLM hashes are really hard to break
– But Windows still uses LM Hashes for backwards compatibility
– They are turned off by default in Vista
Brute Force v. Dictionary
There are two techniques for cracking passwords
– Brute Force
Tries all possible combinations of characters
– Dictionary
Tries all the words in a word list, such as able, baker, cow…
May try variations such as ABLE, Able, @bl3, etc.
Password-Cracking Countermeasures
Strong passwords – not dictionary words, long, complex
Add non-printable ASCII characters like (NUM LOCK) ALT-255 or (NUM LOCK) ALT-129
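The variations on the Brute Force v. Dictionary slide (ABLE, Able, @bl3) are exactly what a cracker's mangling rules generate, so a defender enforcing the strong-password countermeasure can generate the same variants from a word list and refuse any candidate that matches. This is an added Python example, not code from the slides or the course; the word list, leet table and suffix list are constructed samples.

```python
"""Added example (not from the slides): reject passwords that a dictionary
attack with simple mangling rules would recover. The word list, leet table
and suffix list are constructed samples; a real check loads a full list."""
from itertools import product

# Constructed word list (the slides' "able, baker, cow..." example)
WORDLIST = ["able", "baker", "cow", "password", "winter"]
# Leet substitutions a typical mangling rule set applies to each letter
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "l": "1"}
# Common suffixes users bolt onto a dictionary word
SUFFIXES = ["", "1", "12", "123", "!", "1!"]

def mangle(word):
    """Return every leet variant of a word: each letter may stay or be swapped
    for one of its LEET forms. Case variants such as ABLE or Able are covered
    by lowercasing the candidate before lookup, so only lowercase is stored."""
    choices = [[c] + list(LEET.get(c, "")) for c in word.lower()]
    return {"".join(combo) for combo in product(*choices)}

def build_index(wordlist):
    """Map every variant + suffix back to the dictionary word it came from."""
    index = {}
    for word in wordlist:
        for variant in mangle(word):
            for suffix in SUFFIXES:
                index.setdefault(variant + suffix, word)
    return index

INDEX = build_index(WORDLIST)

def find_dictionary_base(candidate):
    """Return the dictionary word the candidate is a variant of, or None."""
    return INDEX.get(candidate.lower())

def is_weak(candidate, min_len=12):
    """Return (weak, reason). A dictionary variant is rejected regardless of
    its length; anything else must meet the minimum length."""
    base = find_dictionary_base(candidate)
    if base is not None:
        return True, "variant of dictionary word '%s'" % base
    if len(candidate) < min_len:
        return True, "shorter than %d characters" % min_len
    return False, "ok"

if __name__ == "__main__":
    for pw in ["@bl3", "P@$$w0rd123", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(pw, "->", is_weak(pw))
```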
LSADump
Local Security Authority (LSA) Secrets
– Contains unencrypted logon credentials for external systems
– Available under the Registry subkey of HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets
– Encrypted when the machine is off, but decrypted and retained in memory after login
Contents of LSA Secrets
Service account passwords in plaintext
– Accounts in external domains
Cached password hashes of the last ten users to log on to a machine
FTP and web-user plaintext passwords
Remote Access Services (RAS) dial-up account names and passwords
Computer account passwords for domain access
Scary Demo
Boot Win XP, log in with your usual Admin acct
Change your password
Use Cain to dump the LSA Secrets – your password is just right there in the DefaultPassword
Log in as a different Administrator user
The LSA Secrets show your other account's password!
– Link Ch 4z01
LSA Secrets Countermeasures
There's not much you can do—Microsoft offers a patch but it doesn't help much
– Microsoft KB Article ID Q184017 (link Ch 4z02)
Vista seems far less vulnerable
Local Admin rights can lead to compromise of other accounts that machine has logged in to
Previous Logon Cache Dump
If a domain member cannot reach the domain controller, it performs an offline logon with cached credentials
The last ten domain logons are stored in the cache, in an encrypted and hashed form
The tool CacheDump can reverse the encryption and get the hashed passwords
– Download it at link Ch 4z03
– More info at links Ch 4z04, 4z05
CacheDump Results
John the Ripper can crack these hashes with brute-force and dictionary attacks
– Another cracking tool is cachebf (link Ch z06)
Previous Logon Cache Dump Countermeasures
You need Administrator or SYSTEM privileges to get the hashes
You can also adjust the Registry to eliminate the cached credentials
– But then users won't be able to log in when a domain controller is not accessible
Remote Control and Back Doors
Command-line Remote Control Tools
Netcat for Windows
– Download it at link Ch 3d
– Use this syntax to listen on port 8080, and execute cmd
– Add -d for stealth mode (no interactive console)
– Obviously this is very dangerous—remote control with no logon
Connecting to the nc Listener
On another machine connect with
– TELNET IP 8080
– You get a shell on the other machine
– Works on Vista
PsExec
From SysInternals (now part of Microsoft)
Allows remote code execution (with a username and password)
– Link Ch 4z07
Graphical Remote Control
The Windows Built-in Terminal Services (aka Remote Desktop) listens on port 3389
– It's not on by default
VNC is free and very commonly used for graphic remote control
– Can easily be installed remotely
– Link Ch 4z08
Remote Access Trojans
There are a lot of them, including
– Poison Ivy (link Ch 4z09)
– GoToMyPC (link Ch 4z10)
– LogMeIn Hamachi (link Ch 4z11)
Remote Control Countermeasures
Prevent attackers from gaining administrator rights on your machine
You can find and stop running remote control clients with malware scans, looking for unusual network connections or traffic
– It can be very hard if the connections are hidden by a rootkit
Port Redirection
Fpipe is a port redirection tool from Foundstone
– Link Ch 4z12
General Countermeasures to Authenticated Compromise
Once a system has been compromised with administrator privileges, you should just reinstall it completely
– You can never be sure you really found and removed all the backdoors
But if you want to clean it, here are techniques:
Suspicious Files
Known dangerous filenames like nc.exe
Run antivirus software
Use Tripwire or other tools that identify changes to system files
– Link Ch 4z13
Suspicious Registry Entries
Look for registry keys that start known backdoors like:
– HKEY_USERS\.DEFAULT\Software\ORL\WINVNC3
– HKEY_LOCAL_MACHINE\SOFTWARE\Net Solutions\NetBus Server
A Back-Door Favorite: Autostart Extensibility Points (ASEPs)
Ways to Make a Program Run at Startup in Vista
Registry keys
– Run or RunOnce or Policies\Explorer\Run
– Load value
– RunServices or RunServicesOnce
– Winlogon or BootExecute
Scheduled Tasks
Win.ini
Group Policy
Shell service objects
Logon scripts
Suspicious Ports
Use netstat -aon to view network connections
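Reading netstat -aon by eye does not scale, so here is an added Python example (not code from the slides) that parses the output, joins each row to its owning process by PID, and flags the nc.exe listener on port 8080 from the Netcat slide as well as any listener outside a baseline of expected ports. The netstat text, the PID-to-image map (what tasklist would show) and the port baseline are constructed samples.

```python
"""Added example (not from the slides): parse 'netstat -aon' output and flag
suspicious rows. The netstat text and the PID-to-image map (what 'tasklist'
would show) are constructed samples of the slides' nc.exe-on-8080 scenario."""
SAMPLE_NETSTAT = """
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.20:8080      192.168.1.55:49211     ESTABLISHED     3120
  TCP    192.168.1.20:49312     10.0.0.5:443           ESTABLISHED     1588
  UDP    0.0.0.0:500            *:*                                    1204
"""
# Constructed PID -> image map, as 'tasklist' would show on the same host
IMAGES = {892: "svchost.exe", 4: "System", 3120: "nc.exe",
          1588: "firefox.exe", 1204: "svchost.exe"}
# Constructed baseline of ports this host is expected to listen on
ALLOWED_LISTENERS = {135, 139, 445, 500, 4500}
# Image names the slides call out as known dangerous when found running
KNOWN_BAD_IMAGES = {"nc.exe", "cmd.exe"}

def parse_netstat(text):
    """Return one dict per connection row of 'netstat -aon' output."""
    rows, in_table = [], False
    for line in text.splitlines():
        toks = line.split()
        if not in_table:                 # skip the banner until the header row
            in_table = bool(toks) and toks[0] == "Proto"
            continue
        if len(toks) < 4:
            continue
        if toks[0] == "TCP":
            state, pid = toks[3], int(toks[4])
        else:                            # UDP rows have no State column
            state, pid = ("LISTENING" if toks[2] == "*:*" else ""), int(toks[3])
        rows.append({"proto": toks[0], "local": toks[1], "foreign": toks[2],
                     "lport": int(toks[1].rsplit(":", 1)[1]),
                     "state": state, "pid": pid})
    return rows

def find_suspicious(rows, images, allowed=ALLOWED_LISTENERS):
    """Flag rows owned by a known backdoor image, or listening on a port
    outside the baseline. Returns (reason, row) pairs."""
    findings = []
    for r in rows:
        image = images.get(r["pid"], "<unknown>")
        if image.lower() in KNOWN_BAD_IMAGES:
            findings.append(("owned by known backdoor image %s" % image, r))
        elif r["state"] == "LISTENING" and r["lport"] not in allowed:
            findings.append(("unexpected listener on port %d (%s)" % (r["lport"], image), r))
    return findings

if __name__ == "__main__":
    for reason, row in find_suspicious(parse_netstat(SAMPLE_NETSTAT), IMAGES):
        print("PID %d %s %s: %s" % (row["pid"], row["proto"], row["local"], reason))
```

On a real host, pipe the live output of netstat -aon and tasklist into the two inputs and put the host's own expected ports in the baseline.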
Software Explorer
Part of Windows Defender in Vista
Covering Tracks
Once intruders have Administrator or SYSTEM-equivalent privileges, they will:
– Hide evidence of intrusion
– Install backdoors
– Stash a toolkit to use for regaining control in the future and to use against other systems
Disabling Auditing
The auditpol /disable command will stop auditing
Auditpol /enable will turn it back on again
– Auditpol is included in Vista
– Part of the Resource Kit for earlier versions (XP, NT, 2000 Server)
Clearing the Event Log
ELsave – command-line log clearing tool
– Written for Windows NT
– Link Ch 4z15
Hiding Files
Attrib +h filename
– Sets the Hidden bit, which hides files somewhat
Alternate Data Streams
– Hide a file within a file
– An NT feature designed for compatibility with Macintosh
ADS With Binary Files
You need the cp command (supposedly in the Resource Kit, although I can't find it available free online)
To detect alternate data streams, use LADS (link Ch 4z16)
Rootkits
Rootkits are the best way to hide files, accounts, backdoors, network connections, etc. on a machine
More on rootkits in a later chapter
Windows Security Features
Keep Up with Patches
Group Policy
– Allows customized security settings in domains
IPSec filters can be used to block unwanted network traffic
– Windows Firewall is easier to use
– Windows Firewall With Advanced Security is greatly enhanced in Vista
Least Privilege
Most Windows users use an Administrative account all the time
– Very poor for security, but convenient
– For XP, 2003, and earlier: log on as a limited user, use runas to elevate privileges as needed
– For Vista and Server 2008, this process is automated by User Account Control
Encrypting File System (EFS)
Can encrypt files or folders
This protects critical files from intruders
In Vista, BitLocker Drive Encryption is much stronger
– Only on Enterprise and Ultimate Edition
– BUT: there is a way to crack BitLocker by taking the key out of RAM (link Ch 4z17)