Hacking Windows. Justin Bell. Department of Computer Science, University of Wisconsin, Platteville. [email protected]. PowerPoint PPT Presentation

Jan 01, 2016

Transcript
Page 1: Hacking Windows

Hacking Windows

Justin Bell

Department of Computer ScienceUniversity of Wisconsin, Platteville

[email protected]

Page 2: Hacking Windows

Topics

This presentation will explore some high-profile intrusions along with the general methodology behind hacking techniques. The presentation will also cover some specific examples of attacks and vulnerable services.

• Definitions

• Famous Hacks

• Breaking In

• Malicious Code

• Terminal Services

• Denial of Service

Page 3: Hacking Windows

Definitions:

Hacker: someone who attempts to gain unauthorized access into a computer system.

Hacking: the process of attempting to gain and possibly achieving access to computer systems by an unauthorized user.

Page 4: Hacking Windows

Famous Hacks

• Bank Hack

– Johan, 20 years old, from Estonia

– Gained access through a limited “guest account”

– Was able to access services that allowed him to download the SAM file

– Once this file was decrypted, Johan had login access to all the web accounts for the entire bank.

Page 5: Hacking Windows

Famous Hacks

• Security firm

– Two 22-year-old hackers from London

– Through enumeration found open ports

– This told them it was a Windows server.

– Asked the server for user names, then did a dictionary attack

– Hacked into a personal laptop connected to the system through the guest account

Page 6: Hacking Windows

Famous Hacks

• Hacking Communities

– Hackers Against Child Pornography

• Takes down child pornography rings after notifying international police.

– Nashville 2600

– HAL2001 (Hackers At Large)

Page 7: Hacking Windows

Breaking In

• Profiling

– “Casing the Place”

– Finding a system to hack into and figuring out what’s open and what is being used.

– Foot-Printing

– Scanning

– Enumeration

Page 8: Hacking Windows

Breaking In

• Footprinting

– Finding out everything from the outside, before any access is actually gained

– Documentation is extremely important

• Finding the Posture

– Internet Posture

– Intranet Posture

– Extranet Posture

Page 9: Hacking Windows

Breaking In – Footprinting

• whois info

– Can be done manually

– Services like www.ARIN.net

• University of Wisconsin – Platteville

– Clients can do batch whois queries for hackers that don’t have a specific target

Page 10: Hacking Windows

Breaking In – Footprinting

• whois info

– Company Name

– Administrator’s name

– Administrator’s Account Name

• Can deduce other account names

– Site Creation Date

• Gives info on legacy systems that may be running

Page 11: Hacking Windows

Breaking In – Footprinting

• Internet Search Engines

– Google is the easiest because of its massive size

– Search for default file paths

• C:\inetpub

• TSweb/default.htm

– Now the hacker knows the weaknesses of the site and what port to attack: 3389

Page 12: Hacking Windows

Breaking In – Scanning

• Finding ports

– Easiest way to access a system and establish a connection

– Tools will scan all possible ports

– If default ports are used the hacker can gain knowledge of services that are running

• If a hacker sees port 389 open he can assume the target is running an LDAP server

Page 13: Hacking Windows

Breaking In – Enumeration

• Find valid usernames or file shares

– Takes advantage of default Windows services

• Domain Controller lookup

• Exploited by a free Microsoft tool called nltest

Page 14: Hacking Windows

Breaking In – Enumeration

• NLTEST Output

– C:\>nltest /whowill:ESS bob

[20:58:55] Mail message 0 sent successfully (\MAILSLOT\NET\GETDC939)

[20:58:55] Response 0: S:\\NET1 D:ESS A:bob (Act found)

The command completed successfully

– C:\>nltest /whowill:testd test

[21:26:13] Response 0: S:\\TEST2 D:TESTD A:test (Act found)

[21:26:15] Mail message 0 sent successfully (\MAILSLOT\NET\GETDC295)

The command completed successfully

Page 15: Hacking Windows

Breaking In – Enumeration

• NLTEST Output

– C:\>nltest /dclist:testd

List of DCs in Domain testd

\\TEST2 (PDC)

\\TEST1

The command completed successfully
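The nltest transcripts on these two slides have a regular shape, so the following is an added example (not from the presentation) of a small Python parser that turns /dclist and /whowill output into structured records. The same parser serves a defender: with the output in structured form it is easy to inventory which hosts answer as domain controllers for a domain and to flag any host that answers but is not on the approved DC list. The sample strings are the slides' transcripts re-typed as constructed input; the line patterns are assumed from that output alone and nothing else about nltest's format is claimed.

```python
import re

# Constructed sample input: the nltest transcripts shown on the slides,
# re-typed as Python strings so the parser can be exercised offline.
DCLIST_OUTPUT = """C:\\>nltest /dclist:testd
List of DCs in Domain testd
    \\\\TEST2 (PDC)
    \\\\TEST1
The command completed successfully
"""

WHOWILL_OUTPUT = """C:\\>nltest /whowill:testd test
[21:26:13] Response 0: S:\\\\TEST2 D:TESTD A:test (Act found)
[21:26:15] Mail message 0 sent successfully (\\MAILSLOT\\NET\\GETDC295)
The command completed successfully
"""

COMPLETED = "The command completed successfully"

# Line patterns assumed from the output quoted on the slides.
DOMAIN_LINE = re.compile(r"^List of DCs in Domain (?P<domain>\S+)\s*$")
DC_LINE = re.compile(r"^\s*\\\\(?P<name>\S+)(?:\s+\((?P<role>PDC)\))?\s*$")
QUERY_LINE = re.compile(r"nltest /whowill:(?P<domain>\S+)\s+(?P<account>\S+)")
RESPONSE_LINE = re.compile(
    r"^\[(?P<time>\d\d:\d\d:\d\d)\] Response \d+: "
    r"S:\\\\(?P<server>\S+) D:(?P<domain>\S+) A:(?P<account>\S+) \((?P<status>[^)]*)\)"
)
MAIL_LINE = re.compile(
    r"^\[\d\d:\d\d:\d\d\] Mail message \d+ sent successfully \((?P<slot>[^)]*)\)"
)


def parse_dclist(text):
    """Return the domain name and its DCs, flagging which one answered as PDC."""
    domain, dcs = None, []
    for line in text.splitlines():
        m = DOMAIN_LINE.match(line)
        if m:
            domain = m.group("domain")
            continue
        m = DC_LINE.match(line)
        if m:
            dcs.append({"name": m.group("name"), "pdc": m.group("role") == "PDC"})
    return {"domain": domain, "dcs": dcs, "completed": COMPLETED in text}


def parse_whowill(text):
    """Return the queried domain/account and every DC response that came back."""
    result = {"query": None, "responses": [], "mailslots": [], "completed": COMPLETED in text}
    for line in text.splitlines():
        m = QUERY_LINE.search(line)
        if m:
            result["query"] = {"domain": m.group("domain"), "account": m.group("account")}
            continue
        m = RESPONSE_LINE.match(line)
        if m:
            result["responses"].append(
                {k: m.group(k) for k in ("time", "server", "domain", "account", "status")}
            )
            continue
        m = MAIL_LINE.match(line)
        if m:
            result["mailslots"].append(m.group("slot"))
    return result


def unexpected_dcs(dclist, known_dcs):
    """Defender check: names that answered as DCs but are not on the approved list."""
    approved = {k.upper() for k in known_dcs}
    return sorted(dc["name"] for dc in dclist["dcs"] if dc["name"].upper() not in approved)


if __name__ == "__main__":
    print(parse_dclist(DCLIST_OUTPUT))
    print(parse_whowill(WHOWILL_OUTPUT))
    print(unexpected_dcs(parse_dclist(DCLIST_OUTPUT), ["TEST1"]))
```

Because the mail-message line and the response line can arrive in either order (the slide shows both orders), the parser matches each line independently rather than assuming a fixed sequence.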

Page 16: Hacking Windows

Breaking In – Privilege Escalation

• Goal of all hacks

• Highest possible escalation is the Domain or Forest Admin as well as the Local Admin

• All Windows accounts are stored in the “SAM” (Security Accounts Manager)

• Stores valid users, groups and passwords in an encrypted database.

• Hashed, then encrypted with a 128-bit key called “SYSKEY”

Page 17: Hacking Windows

Breaking In – Privilege Escalation

Page 18: Hacking Windows

Breaking In – Privilege Escalation

• More than one user can be running processes at any given time

– Individual SIDs (Security IDs) are given to each process so Windows knows the privilege level it can operate at.

– Can be a user or “SYSTEM”, “LOCAL SERVICE” or “DEFAULT LOGON” accounts

Page 19: Hacking Windows

Breaking In – Privilege Escalation

• Because every process needs to access the SAM it has been the top target for hackers.

• There have been numerous “bugs” in the encryption that have allowed the SAM to be cracked.

• Since this is just a file, it can be copied and moved to another system.

• Then it can either be cracked or brute-forced to find passwords.

Page 20: Hacking Windows

Breaking In – Privilege Escalation

• Once a single account is broken the hacker will try to infiltrate many different accounts in case the one he knows is changed.

• This can be done by watching for keys typed or cracking network SAM files

• “John the Ripper” by “Solar Designer”

• Searching for files on the system containing the words “password,” “access,” “logon” or “Administrator”

Page 21: Hacking Windows

Malicious Code

• Viruses

• Worms

• Trojan Horses

Page 22: Hacking Windows

Malicious Code - Viruses

• “Segments of code that attach themselves to existing programs and perform some predetermined actions when the host program is executed.”

• Piggy-back other files, no way to spread on their own – needs a “host”

• The “host” passes the infected file to some new “host” who runs the file on another system.

Page 23: Hacking Windows

Malicious Code - Viruses

• Usually try to copy themselves throughout a system making them difficult to remove.

• A single Virus can copy many different viruses to many different files.

• Can do things as harmless as report internet activity to an outside source

• Can do things as harmful as copy passwords, format a system, or replace words in e-mails.

• Chernobyl – Deletes Flash BIOS memory

Page 24: Hacking Windows

Malicious Code - Worms

• Similar to Viruses, but they contain a mechanism to spread through a computer network without the assistance of other programs or people.

• Spread Extremely quickly

• Hard to remove because they re-install right away from other machines

Page 25: Hacking Windows

Malicious Code - Worms

• Internet Worm – Installed repeatedly

• LoveBug

– Flooded the Internet with e-mails in May 2000 with the subject, ILOVEYOU

– When the attachment was opened it sent itself to other systems and ruined system files

Page 26: Hacking Windows

Malicious Code – Trojan Horses

• Malicious programs packaged within other seemingly useful programs

• Hidden like the Trojans waiting in the giant wooden horse

• Can perform the advertised function, or just the malicious code

• Hard to pin-point exactly what program the Trojan is hiding in.

Page 27: Hacking Windows

Malicious Code – Trojan Horses

• RAT – Remote Access Tool

– Installed through a web site

– When executed, installs a back door for the site administrator

– Administrator just looks through the list of IP addresses that accessed the site

Page 28: Hacking Windows

Terminal Services

• Provide Remote Access for Hacker

• Using the usernames gained through enumeration, the only thing needed is a password. If the hacker cracked the SAM the system is open.

• Administrator accounts cannot be locked out, leaving them open to brute force attacks.

• ProbTS and TS Grinder help find and exploit Terminal Services connections
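Because the Administrator account is not locked out, the brute-force risk against Terminal Services described on this slide has to be caught from logs rather than stopped by account lockout. The following is an added example (not part of the presentation) of detection logic in Python run over constructed failed-logon records. The record layout is a simplified CSV of my own (time, event id, logon type, account, source address); 4625 is Windows' failed-logon event, 4624 the successful-logon event, and logon type 10 (RemoteInteractive) is the Terminal Services logon type. The thresholds, the window and the addresses are assumptions. It goes a little beyond the slide's single-account case: it also flags one source trying several accounts, and a success from a source that was already flagged.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not a real event-log export). Fields:
# time, event id, logon type, account, source address.
# 4625 = failed logon, 4624 = successful logon,
# logon type 10 = RemoteInteractive, i.e. a Terminal Services (RDP) logon.
SAMPLE_LOG = """\
2016-01-01T20:58:01,4625,10,Administrator,203.0.113.7
2016-01-01T20:58:03,4625,10,Administrator,203.0.113.7
2016-01-01T20:58:04,4625,10,Administrator,203.0.113.7
2016-01-01T20:58:06,4625,10,Administrator,203.0.113.7
2016-01-01T20:58:08,4625,10,Administrator,203.0.113.7
2016-01-01T20:58:09,4625,10,Administrator,203.0.113.7
2016-01-01T20:58:30,4625,10,bob,198.51.100.2
2016-01-01T20:59:00,4624,10,bob,198.51.100.2
2016-01-01T21:00:00,4625,3,bob,198.51.100.2
2016-01-01T21:10:00,4625,10,test,203.0.113.7
2016-01-01T21:10:01,4625,10,bob,203.0.113.7
2016-01-01T21:10:02,4625,10,alice,203.0.113.7
2016-01-01T21:10:03,4625,10,carol,203.0.113.7
2016-01-01T21:10:05,4624,10,carol,203.0.113.7
"""


def parse_events(text):
    """Parse the constructed CSV shape above into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, source = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "logon_type": int(logon_type), "account": account, "source": source})
    events.sort(key=lambda e: e["time"])
    return events


def detect_rdp_attacks(events, threshold=5, window=timedelta(seconds=60), spray_accounts=3):
    """Flag, per source address: a burst of RDP failures against one account
    (brute force), failures spread over several accounts (password spray),
    and any RDP success from a source that was already flagged."""
    recent = defaultdict(deque)   # source -> (time, account) of recent failed RDP logons
    flagged = set()               # (source, kind, account) already reported once
    alerts = []
    for ev in events:
        if ev["logon_type"] != 10:
            continue              # only Terminal Services logons matter here
        q = recent[ev["source"]]
        if ev["event_id"] == 4625:
            q.append((ev["time"], ev["account"]))
            while q and ev["time"] - q[0][0] > window:
                q.popleft()       # slide the window forward
            same = sum(1 for _, a in q if a == ev["account"])
            if same >= threshold:
                key = (ev["source"], "brute_force", ev["account"])
                if key not in flagged:
                    flagged.add(key)
                    alerts.append({"kind": "brute_force", "source": ev["source"],
                                   "account": ev["account"], "time": ev["time"], "count": same})
            distinct = {a for _, a in q}
            if len(distinct) >= spray_accounts:
                key = (ev["source"], "password_spray", None)
                if key not in flagged:
                    flagged.add(key)
                    alerts.append({"kind": "password_spray", "source": ev["source"],
                                   "account": None, "time": ev["time"], "count": len(distinct)})
        elif ev["event_id"] == 4624:
            # a success from a source we already flagged is the alert worth paging on
            if any(src == ev["source"] for src, _, _ in flagged):
                alerts.append({"kind": "success_after_attack", "source": ev["source"],
                               "account": ev["account"], "time": ev["time"], "count": 1})
    return alerts


def summarize(text):
    """(kind, source, account) for each alert raised over the given records."""
    return [(a["kind"], a["source"], a["account"]) for a in detect_rdp_attacks(parse_events(text))]


if __name__ == "__main__":
    for item in summarize(SAMPLE_LOG):
        print(item)
```

The network logon (type 3) in the sample is deliberately ignored so the rule stays specific to Terminal Services; a real deployment would run a separate rule for other logon types, and the failure threshold should be tuned per environment.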

Page 29: Hacking Windows

Denial of Service (DoS)

• Over-load the server to render it unable to accept any additional connections

• The effectiveness of attacks is seriously limited by the hardware and internet connection of the attacker

• DoS attacks exploit the fact that the target can’t tell if it’s legitimate traffic or not, so it has to respond to everything

Page 30: Hacking Windows

Distributed Denial of Service (DDoS)

• Perform the same functions as a DoS, but from many computers at the same time

• Performed through machines infested with Trojan Horses or Worms

• Limited only by the number of machines infected

• February 2000 – first major DDoS

– Targeted Google and Microsoft

– Took down both sites for a little more than a day

– Originated in computer labs from two major California universities
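The DoS slide's point that the target has to respond to everything, and the DDoS slide's point that the attack is limited only by the number of infected machines, both show up in a per-source rate limiter. This is an added example, not from the presentation: a token-bucket admission gate in Python with a per-source budget and a global budget, run over two constructed traffic scenarios. The rates, bursts and addresses are assumptions chosen to make the arithmetic exact.

```python
from collections import Counter


class TokenBucket:
    """Token bucket kept in integer milli-tokens so refill arithmetic is exact."""

    def __init__(self, rate_per_s, burst, now_ms=0):
        self.rate = rate_per_s          # tokens added per second
        self.cap = burst * 1000         # bucket size in milli-tokens
        self.tokens = self.cap
        self.last = now_ms

    def allow(self, now_ms):
        elapsed = max(0, now_ms - self.last)        # ignore a clock going backwards
        # elapsed ms * tokens/s = milli-tokens refilled since the last call
        self.tokens = min(self.cap, self.tokens + elapsed * self.rate)
        self.last = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


class ConnectionGate:
    """Admit a connection only if both the per-source and the global budget allow it."""

    def __init__(self, per_source=(5, 10), overall=(100, 200)):
        self.per_source = per_source      # (rate/s, burst) applied to each source address
        self.overall = TokenBucket(*overall)
        self.buckets = {}

    def admit(self, source, now_ms):
        bucket = self.buckets.get(source)
        if bucket is None:
            bucket = self.buckets[source] = TokenBucket(*self.per_source, now_ms=now_ms)
        if not bucket.allow(now_ms):
            return "drop:source_limit"    # one noisy source is throttled on its own
        if not self.overall.allow(now_ms):
            return "drop:global_limit"    # backstop once many sources add up
        return "accept"


def run_scenario(gate, requests):
    """requests: (time_ms, source) pairs; returns how many got each decision."""
    decisions = Counter()
    for now_ms, source in sorted(requests):
        decisions[gate.admit(source, now_ms)] += 1
    return decisions


def single_source_flood():
    """Constructed: one address sends 50 requests in a second beside a client at 5 req/s."""
    flood = [(i * 20, "203.0.113.7") for i in range(50)]
    legit = [(i * 200, "198.51.100.2") for i in range(5)]
    return run_scenario(ConnectionGate(), flood + legit)


def distributed_flood():
    """Constructed: 300 distinct addresses each send one request at the same instant."""
    swarm = [(0, f"198.18.{i // 256}.{i % 256}") for i in range(300)]
    return run_scenario(ConnectionGate(), swarm)


if __name__ == "__main__":
    print(dict(single_source_flood()))
    print(dict(distributed_flood()))
```

In the first scenario the per-source bucket throttles the flood to its burst plus refill while the legitimate client is untouched; in the second, every source stays under its own budget and only the global cap holds, which is exactly the situation the DDoS slide describes: the gate cannot tell the 300 sources apart from 300 real clients, so the global cap drops traffic indiscriminately.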

Page 31: Hacking Windows

Conclusion

• Hacking is a lucrative, multinational, criminal occupation

• As Computer Science or Software Engineering Professionals we must strive to make sure everything we produce is safe against hackers

• Through understanding the methodology of hackers it’s easier to protect systems from them

Page 32: Hacking Windows

Questions???