
Hacking Windows

Justin Bell

Department of Computer Science
University of Wisconsin, Platteville

[email protected]

Topics

This presentation will explore some high-profile intrusions along with the general methodology behind hacking techniques. The presentation will also cover some specific examples of attacks and vulnerable services.

• Definitions

• Famous Hacks

• Breaking In

• Malicious Code

• Terminal Services

• Denial of Service

Definitions:

Hacker: someone who attempts to gain unauthorized access into a computer system.

Hacking: the process by which an unauthorized user attempts, and possibly achieves, access to a computer system.

Famous Hacks

• Bank Hack

– Johan, 20 years old from Estonia

– Gained access through a limited “guest account”

– Was able to access services that allowed him to download the SAM file

– Once the password hashes in this file were cracked, Johan had login access to all the web accounts for the entire bank.

Famous Hacks

• Security firm

– Two 22 year old hackers from London

– Through port scanning found the open ports

– The set of open ports identified it as a Windows server.

– Asked the server for user names, then ran a dictionary attack against them

– Hacked into a personal laptop connected to the system through the guest account

Famous Hacks

• Hacking Communities

– Hackers Against Child Pornography

• Takes down child pornography rings after notifying international police.

– Nashville 2600

– HAL2001 (Hackers At Large)

Breaking In

• Profiling

– “Casing the Place”

– Finding a system to hack into and figuring out what’s open and what is being used.

– Foot-Printing

– Scanning

– Enumeration

Breaking In

• Footprinting

– Finding out everything from the outside, before any access is actually gained

– Documentation is extremely important

• Finding the Posture

– Internet Posture

– Intranet Posture

– Extranet Posture

Breaking In – Footprinting

• whois info

– Can be done manually

– Services like www.ARIN.net

• University of Wisconsin – Platteville

– Clients can do batch whois queries for hackers that don’t have a specific target

• whois info

– Company Name

– Administrator’s name

– Administrator’s Account Name

• Can deduce other account names

– Site Creation Date

• Gives info on Legacy systems that may be running

Breaking In – Footprinting

• Internet search engines

– Google is the easiest because of its massive index

– Search for default file paths that reveal the software in use

• C:\inetpub (the default IIS web root)

• TSWeb/default.htm (the Remote Desktop Web Connection page)

– A hit on the TSWeb page tells the hacker the host exposes Terminal Services, so the port to attack is TCP 3389

Breaking In – Scanning

• Finding ports

– Open ports are the entry points through which a connection to the system is established

– Port scanners probe all 65,535 TCP ports, or a chosen subset

– If default ports are in use, the hacker learns which services are running

• If a hacker sees port 389 open he can infer that the target is running an LDAP server; on Windows that usually means Active Directory on a domain controller

Breaking In – Enumeration

• Find valid user names or file shares

– Takes advantage of default Windows services that answer queries without authentication

• Domain controller lookup

• Done with a free Microsoft tool called nltest (shipped in the Resource Kit / Support Tools)

Breaking In – Enumeration

• NLTEST output

    C:\>nltest /whowill:ESS bob
    [20:58:55] Mail message 0 sent successfully (\MAILSLOT\NET\GETDC939)
    [20:58:55] Response 0: S:\\NET1 D:ESS A:bob (Act found)
    The command completed successfully

    C:\>nltest /whowill:testd test
    [21:26:13] Response 0: S:\\TEST2 D:TESTD A:test (Act found)
    [21:26:15] Mail message 0 sent successfully (\MAILSLOT\NET\GETDC295)
    The command completed successfully

– /whowill:<domain> <user> asks which domain controller would authenticate that account; a response of “(Act found)” confirms the user name exists. Because this is a lookup rather than a logon attempt, the hacker can validate guessed names without generating failed-logon events.

Breaking In – Enumeration

• NLTEST output

    C:\>nltest /dclist:testd
    List of DCs in Domain testd
        \\TEST2 (PDC)
        \\TEST1
    The command completed successfully

Breaking In – Privilege Escalation

• The goal of every intrusion

• Highest possible escalation is Domain or Forest Admin, along with Local Admin on each host

• Local Windows accounts are stored in the “SAM” (Security Accounts Manager); domain accounts live in Active Directory on the domain controllers

• Stores valid users, groups and password hashes in an encrypted database.

• Passwords are hashed, then the hashes are encrypted with a 128-bit key called “SYSKEY”

Breaking In – Privilege Escalation

• More than one user can be running processes at any given time

– Each process carries an access token holding the SIDs (Security IDs) of the account it runs as, so Windows knows the privilege level it may operate at.

– That account can be an ordinary user or a built-in account such as “SYSTEM” or “LOCAL SERVICE”

Breaking In – Privilege Escalation

• Because every local logon is validated against the SAM, it has been the top target for hackers.

• Weaknesses in how the hashes are stored (above all the legacy LM hash) have repeatedly allowed SAM contents to be cracked.

• Since the SAM is just a file, a copy of it (from the repair directory, a backup, or the disk booted offline) can be moved to another system.

• There it can be attacked with a dictionary or brute-force search to recover the passwords.

Breaking In – Privilege Escalation

• Once a single account is broken the hacker will try to compromise many other accounts in case the one he knows is changed.

• This can be done by logging keystrokes or by cracking the SAM hashes of other machines on the network

• “John the Ripper” by “Solar Designer” is the standard password cracker for this

• Searching for files on the system containing the words “password,” “access,” “logon” or “Administrator”

Malicious Code

• Viruses

• Worms

• Trojan Horses

Malicious Code - Viruses

• “Segments of code that attach themselves to existing programs and perform some predetermined actions when the host program is executed.”

• Piggy-back on other files; they have no way to spread on their own and need a “host”

• The “host” passes the infected file to some new “host” who runs the file on another system.

Malicious Code - Viruses

• Usually try to copy themselves throughout a system, making them difficult to remove.

• A single Virus can copy many different viruses to many different files.

• Can do things as harmless as report internet activity to an outside source

• Can do things as harmful as copy passwords, format a system, or replace words in e-mails.

• Chernobyl (CIH) – overwrites the flash BIOS, leaving the machine unable to boot

Malicious Code - Worms

• Similar to Viruses, but they contain a mechanism to spread through a computer network without the assistance of other programs or people.

• Spread Extremely quickly

• Hard to remove because they re-install right away from other machines

Malicious Code - Worms

• Internet Worm (1988) – re-infected already compromised machines over and over, overloading them

• LoveBug

– Flooded the Internet with e-mails in May 2000 with the subject ILOVEYOU

– When the attachment was opened it mailed itself to the victim’s contacts and overwrote files on the system

Malicious Code – Trojan Horses

• Malicious programs packaged within other seemingly useful programs

• Hidden like the Trojans waiting in the giant wooden horse

• Can perform the advertised function, or just the malicious code

• Hard to pin-point exactly what program the Trojan is hiding in.

Malicious Code – Trojan Horses

• RAT – Remote Access Tool (Remote Access Trojan)

– Installed through a web site

– When executed, installs a back door for the site administrator

– The administrator just looks through the list of IP addresses that accessed the site

Terminal Services

• Provide remote access for the hacker

• Using the user names gained through enumeration, the only thing still needed is a password. If the hacker has cracked the SAM the system is open.

• The built-in Administrator account is not locked out by the account lockout policy by default, leaving it open to brute-force password guessing.

• ProbTS and TS Grinder help find and exploit Terminal Services connections
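The defender’s side of the brute-force problem described above, as an added example that is not part of the original presentation: a detector that reads failed Terminal Services logons from the Windows Security log and flags account/source pairs that reach the lockout threshold, noting where the policy would not have stopped the guessing. The log lines are a constructed, flattened rendering of Event ID 4625 “An account failed to log on” (Event ID 529 on NT/2000/XP); real logs are EVTX/XML and would be read with a proper parser. The lockout policy values, the IP address and the account names are assumptions made for the example; Logon Type 10 (RemoteInteractive) is the Terminal Services / Remote Desktop logon type.

```python
"""Spot password guessing against Terminal Services in Windows logon-failure events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one record per line, key=value fields separated by '|'.
# Six failures against Administrator and two against bob come from one address;
# the console failure for alice (LogonType=2) and the final success (4624) are noise.
SAMPLE_LOG = """\
2002-03-14T20:58:01|EventID=4625|LogonType=10|TargetUserName=Administrator|IpAddress=203.0.113.7|Status=0xC000006D
2002-03-14T20:58:03|EventID=4625|LogonType=10|TargetUserName=Administrator|IpAddress=203.0.113.7|Status=0xC000006D
2002-03-14T20:58:04|EventID=4625|LogonType=10|TargetUserName=bob|IpAddress=203.0.113.7|Status=0xC000006D
2002-03-14T20:58:05|EventID=4625|LogonType=10|TargetUserName=Administrator|IpAddress=203.0.113.7|Status=0xC000006D
2002-03-14T20:58:06|EventID=4625|LogonType=2|TargetUserName=alice|IpAddress=-|Status=0xC000006D
2002-03-14T20:58:07|EventID=4625|LogonType=10|TargetUserName=administrator|IpAddress=203.0.113.7|Status=0xC000006D
2002-03-14T20:58:09|EventID=4625|LogonType=10|TargetUserName=ADMINISTRATOR|IpAddress=203.0.113.7|Status=0xC000006D
2002-03-14T20:58:10|EventID=4625|LogonType=10|TargetUserName=bob|IpAddress=203.0.113.7|Status=0xC000006D
2002-03-14T20:58:11|EventID=4625|LogonType=10|TargetUserName=Administrator|IpAddress=203.0.113.7|Status=0xC000006D
2002-03-14T20:58:12|EventID=4624|LogonType=10|TargetUserName=Administrator|IpAddress=203.0.113.7|Status=0x0
"""

# Lockout policy assumed for the example: 5 bad passwords within a 30-minute window.
LOCKOUT_THRESHOLD = 5
LOCKOUT_WINDOW = timedelta(minutes=30)
# The built-in Administrator account is not subject to the lockout policy by default,
# so guessing against it is never stopped by lockout; only detection helps.
EXEMPT_FROM_LOCKOUT = {"administrator"}


def parse_event(line):
    """Turn one constructed log line into a dict; returns None for malformed lines."""
    parts = line.strip().split("|")
    if len(parts) < 2:
        return None
    try:
        event = {"time": datetime.fromisoformat(parts[0])}
    except ValueError:
        return None
    for field in parts[1:]:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect_rdp_guessing(log_text, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Return {(account, source_ip): {"attempts": n, "lockout_applies": bool}} for every
    account/source pair whose failed Terminal Services logons reach `threshold` inside
    `window`. Account names are compared case-insensitively, as Windows does."""
    recent = defaultdict(deque)     # (account, ip) -> failure timestamps still inside the window
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get("EventID") != "4625" or ev.get("LogonType") != "10":
            continue                # only failed Terminal Services logons matter here
        key = (ev["TargetUserName"].lower(), ev["IpAddress"])
        q = recent[key]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:     # drop attempts outside the observation window
            q.popleft()
        if len(q) >= threshold:
            alerts[key] = {"attempts": len(q), "lockout_applies": key[0] not in EXEMPT_FROM_LOCKOUT}
    return alerts


if __name__ == "__main__":
    for (account, ip), info in detect_rdp_guessing(SAMPLE_LOG).items():
        note = "policy locks the account" if info["lockout_applies"] else "NO lockout: built-in Administrator"
        print(f"{account}@{ip}: {info['attempts']} failed RDP logons ({note})")
```

On the sample, only the Administrator run trips the threshold, and it is flagged as unprotected by lockout; bob’s two failures stay below it. A production version would also pair the alert with the 4624 success that follows the failures from the same address, which is the moment the guessing paid off.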

Denial of Services (DoS)

• Over-load the server to render it unable to accept any additional connections

• The effectiveness of such attacks is seriously limited by the hardware and Internet connection of the attacker

• DoS attacks exploit the fact that the target can’t tell if it’s legitimate traffic or not, so it has to respond to everything

Distributed Denial of Service (DDoS)

• Performs the same function as a DoS, but from many computers at the same time

• Carried out through machines infested with Trojan horses or worms

• Limited only by the number of machines infected

• February 2000 – first major DDoS

– Targeted major sites including Yahoo!, eBay, Amazon and CNN

– Took each of them offline for hours at a time

– Launched from compromised machines in computer labs at two major California universities

Conclusion

• Hacking is a lucrative, multinational, criminal occupation

• As Computer Science or Software Engineering Professionals we must strive to make sure everything we produce is safe against hackers

• Through understanding the methodology of hackers it’s easier to protect systems from them

Questions???