Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
SlideShare a Scribd company logo

CNIT 123: 8: Desktop and Server OS Vulnerabilites

Sam Bowne
Sam Bowne

Slides for a college course based on "Hands-On Ethical Hacking and Network Defense, Second Edition by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 1133935613 Teacher: Sam Bowne Twitter: @sambowne Website: https://samsclass.info/123/123_F16.shtml

1 of 67
Download to read offline
Hands-On Ethical Hacking and Network Defense
 Second Edition Chapter 8 Desktop and Server OS Vulnerabilities Last updated 3-14-15 Last updated 10-6-16
Objectives • After reading this chapter and completing the exercises, you will be able to: – Describe vulnerabilities of Windows and Linux operating systems – Identify specific vulnerabilities and explain ways to fix them – Explain techniques to harden systems against Windows and Linux vulnerabilities
Windows OS Vulnerabilities
Windows OS Vulnerabilities • Many Windows OSs have serious vulnerabilities – Windows 2000 and earlier • Administrators must disable, reconfigure, or uninstall services and features – Windows XP, Vista; Server 2003, 2008, and 2012; Windows 7, 8, and 10 • Most services and features are disabled by default
CVE List • Link Ch 8zk
Windows File Systems • File system – Stores and manages information • User created • OS files needed to boot – Most vital part of any OS • Can be a vulnerability
File Allocation Table • Original Microsoft file system – Supported by nearly all desktop and server OS's – Standard file system for most removable media • Other than CDs and DVDs – Later versions provide for larger file and disk sizes • Most serious shortcoming – Doesn't support file-level access control lists (ACLs) • Necessary for setting permissions on files • Multiuser environment use results in vulnerability
NTFS • New Technology File System (NTFS) – First released as high-end file system • Added support for larger files, disk volumes, and ACL file security • Subsequent Windows versions – Included upgrades for compression, journaling, file- level encryption, and self-healing • Alternate data streams (ADSs) – Can “stream” (hide) information behind existing files • Without affecting function, size, or other information – Several detection methods
ADS Demo
Remote Procedure Call • Interprocess communication mechanism – Allows a program running on one host to run code on a remote host • Worm that exploited RPC – Conficker worm • Microsoft Baseline Security Analyzer – Determines if system is vulnerable due to an RPC- related issue
Pass The Hash
Credential Re-Use (link Ch 8zh)
Silos (link Ch 8zh)
NetBIOS • Software loaded into memory – Enables computer program to interact with network resource or device • NetBIOS isn’t a protocol – Interface to a network protocol • NetBios Extended User Interface (NetBEUI) – Fast, efficient network protocol – Allows NetBIOS packets to be transmitted over TCP/IP – NBT is NetBIOS over TCP
NetBIOS (cont’d.) • Systems running newer Windows OSs – Vista, Server 2008, Windows 7, and later versions – Share files and resources without using NetBIOS • NetBIOS is still used for backward compatibility – Companies use old machines
Server Message Block • Used to share files – Usually runs on top of: • NetBIOS • NetBEUI, or • TCP/IP • Several hacking tools target SMB – L0phtcrack’s SMB Packet Capture utility and SMBRelay • It took Microsoft seven years to patch these
Server Message Block (cont’d.) • SMB2 – Introduced in Windows Vista – Several new features – Faster and more efficient • Windows 7 – Microsoft avoided reusing code – Still allowed backward capability • Windows XP Mode – Spectacular DoS vulnerabilities • Links Ch 8za-8zc
Laurent Gaffié's Fuzzer • Look how easy it is! • From Link Ch 8zb
Common Internet File System • Standard protocol – Replaced SMB for Windows 2000 Server and later – SMB is still used for backward compatibility – Described as just a renaming of SMB by Wikipedia (link Ch 8z) • Remote file system protocol – Enables sharing of network resources over the Internet • Relies on other protocols to handle service announcements – Notifies users of available resources
Common Internet File System (cont’d.) • Enhancements – Locking features – Caching and read-ahead/write-behind – Support for fault tolerance – Capability to run more efficiently over dial-up – Support for anonymous and authenticated access • Server security methods – Share-level security (folder password) – User-level security (username and password)
Common Internet File System (cont’d.) • Attackers look for servers designated as domain controllers – Severs handle authentication • Windows Server 2003 and 2008 – Domain controller uses a global catalog (GC) server • Locates resources among many objects
Domain Controller Ports • By default, Windows Server 2003 and 2008 domain controllers using CIFS listen on the following ports – DNS (port 53) – HTTP (port 80) – Kerberos (port 88) – RPC (port 135) – NetBIOS Name Service (port 137) – NetBIOS Datagram Service (port 139) – LDAP (port 389) – HTTPS (port 443) – SMB/ CIFS (port 445) – LDAP over SSL (port 636) – Active Directory global catalog (port 3268)
Null Sessions • Anonymous connection established without credentials – Used to display information about users, groups, shares, and password policies – Necessary only if networks need to support older Windows versions • To enumerate NetBIOS vulnerabilities use: – Nbtstat, Net view, Netstat, Ping, Pathping, and Telnet commands
Web Services • IIS installs with critical security vulnerabilities – IIS Lockdown Wizard • Locks down IIS versions 4.0 and 5.0 • IIS 6.0 and later versions – Installs with a “secure by default” mode – Previous versions left crucial security holes • Keeping a system patched is important • Configure only needed services
SQL Server • Many potential vulnerabilities – Null System Administrator (SA) password • SA access through SA account • SA with blank password by default on versions prior to SQL Server 2005 – Gives attackers administrative access • Database and database server
Buffer Overflows • Data is written to a buffer and corrupts data in memory next to allocated buffer – Normally, occurs when copying strings of characters from one buffer to another • Functions don't verify text fits – Attackers run shell code • C and C++ – Lack built-in protection against overwriting data in memory
Passwords and Authentication • Weakest security link in any network – Authorized users • Most difficult to secure • Relies on people – Companies should take steps to address it
Passwords and Authentication (cont’d.) • Comprehensive password policy is critical – Should include: • Change passwords regularly • Require at least six characters (too short!) • Require complex passwords • Passwords can’t be common words, dictionary words, slang, jargon, or dialect • Passwords must not be identified with a user • Never write it down or store it online or in a file • Do not reveal it to anyone • Use caution when logging on and limit reuse
Passwords and Authentication (cont’d.) • Configure domain controllers – Enforce password age, length, and complexity • Password policy aspects that can be enforced: – Account lockout threshold • Set number of failed attempts before account is disabled temporarily – Account lockout duration • Set period of time account is locked out after failed logon attempts • Disable LM Hashes
Tools for Identifying Vulnerabilities in Windows
Tools for Identifying Vulnerabilities in Windows • Many tools are available – Using more than one is advisable • Using several tools – Helps pinpoint problems more accurately
Built-in Windows Tools • Microsoft Baseline Security Analyzer (MBSA) – Capable of checking for: • Patches • Security updates • Configuration errors • Blank or weak passwords
Figure 8-1 Checks available in MBSA
Table 8-2 Checks performed by MBSA in full-scan mode
Table 8-2 Checks performed by MBSA in full-scan mode (cont’d.)
Using MBSA • System must meet minimum requirements – Before installing • After installing, MBSA can: – Scan itself – Scan other computers remotely – Be scanned remotely
Best Practices for Hardening Windows Systems
Best Practices for Hardening Windows Systems • Penetration tester – Finds and reports vulnerabilities • Security tester – Finds vulnerabilities – Gives recommendations for correcting them
Patching Systems • Best way to keep systems secure – Keep up to date • Attackers take advantage of known vulnerabilities • Options for small networks – Accessing Windows Update manually – Configure Automatic Updates • Options for large networks – Systems Management Server (SMS) – Windows Software Update Service (WSUS) • Third-party patch management solutions
Antivirus Solutions • Antivirus solution is essential – Small networks • Desktop antivirus tool with automatic updates – Large networks • Require corporate-level solution • Antivirus tools – Almost useless if not updated regularly
PUPs (Potentially Unwanted Programs) • Programs that come bundled with freeware • Not technically viruses or illegal • Most antivirus won't block them by default
• Link Ch 8zi, 8zj
Enable Logging and Review Logs Regularly • Important step for monitoring critical areas – Performance – Traffic patterns – Possible security breaches • Can have negative impact on performance • Review regularly – Signs of intrusion or problems • Use log-monitoring tool
Disable Unused Services and Filtering Ports • Disable unneeded services • Delete unnecessary applications or scripts – Unused applications are invitations for attacks • Reducing the attack surface – Open only what needs to be open, and close everything else • Filter out unnecessary ports – Make sure perimeter routers filter out ports 137 to 139 and 445
Other Security Best Practices • Other practices include: – Delete unused scripts and sample applications – Delete default hidden shares – Use different naming scheme and passwords for public interfaces – Be careful of default permissions – Use appropriate packet-filtering techniques – Use available tools to assess system security – Disable Guest account
Other Security Best Practices (cont’d.) • Other practices include (cont’d.): – Rename (or disable) default Administrator account – Make sure there are no accounts with blank passwords – Use Windows group policies – Develop a comprehensive security awareness program – Keep up with emerging threats
Microsoft Security Intelligence Report, Volume 20 July through December, 2015
CNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS Vulnerabilites
Linux OS Vulnerabilities
Linux OS Vulnerabilities • Linux can be made more secure – Awareness of vulnerabilities – Keep current on new releases and fixes • Many versions are available – Differences ranging from slight to major • It’s important to understand basics – Run control and service configuration – Directory structure and file system – Basic shell commands and scripting – Package management
Samba • Open-source implementation of CIFS – Created in 1992 • Allows sharing resources over a network – Security professionals should have basic knowledge of SMB and Samba • Many companies have a mixed environment of Windows and *nix systems • Used to “trick” Windows services into believing *nix resources are Windows resources
Tools for Identifying Linux Vulnerabilities • CVE Web site – Source for discovering possible attacker avenues Table 8-4 Linux vulnerabilities found at CVE
Tools for Identifying Linux Vulnerabilities (cont’d.) • OpenVAS can enumerate multiple OSs – Security tester using enumeration tools can: • Identify a computer on the network by using port scanning and zone transfers • Identify the OS by conducting port scanning • Identify via enumeration any logon accounts • Learn names of shared folders by using enumeration • Identify services running
Figure 8-5 Viewing security warning details
Figure 8-6 OpenVAS revealing a security hole resulting from a Firefox vulnerability
Figure 8-7 OpenVAS revealing a security hole resulting from a DHCP client vulnerability
Checking for Trojan Programs • Most Trojan programs perform one or more of the following: – Allow remote administration of attacked system – Create a file server on attacked computer • Files can be loaded and downloaded – Steal passwords from attacked system • E-mail them to attacker – Log keystrokes • E-mail results or store them in a hidden file the attacker can access remotely
Checking for Trojan Programs (cont’d.) • Linux Trojan programs – Sometimes disguised as legitimate programs – Contain program code that can wipe out file systems – More difficult to detect today • Protecting against identified Trojan programs is easier • Rootkits containing Trojan binary programs – More dangerous – Attackers hide tools • Perform further attacks • Have access to backdoor programs
More Countermeasures Against Linux Attacks • Most critical tasks: – User awareness training – Keeping current – Configuring systems to improve security
User Awareness Training • Inform users – No information should be given to outsiders • Knowing OS makes attacks easier – Be suspicious of people asking questions • Verify who they are talking to • Call them back
Keeping Current • As soon as a vulnerability is discovered and posted – OS vendors notify customers • Upgrades • Patches – Installing fixes promptly is essential • Linux distributions – Most have warning methods
Secure Configuration • Many methods to help prevent intrusion – Vulnerability scanners – Built-in Linux tools – Free benchmark tools • Center for Internet Security – Security Blanket • Trusted Computer Solutions

More Related Content

CNIT 123: 8: Desktop and Server OS Vulnerabilites

  • 1. Hands-On Ethical Hacking and Network Defense
 Second Edition Chapter 8 Desktop and Server OS Vulnerabilities Last updated 3-14-15 Last updated 10-6-16
  • 2. Objectives • After reading this chapter and completing the exercises, you will be able to: – Describe vulnerabilities of Windows and Linux operating systems – Identify specific vulnerabilities and explain ways to fix them – Explain techniques to harden systems against Windows and Linux vulnerabilities
  • 4. Windows OS Vulnerabilities • Many Windows OSs have serious vulnerabilities – Windows 2000 and earlier • Administrators must disable, reconfigure, or uninstall services and features – Windows XP, Vista; Server 2003, 2008, and 2012; Windows 7, 8, and 10 • Most services and features are disabled by default
  • 6. Windows File Systems • File system – Stores and manages information • User created • OS files needed to boot – Most vital part of any OS • Can be a vulnerability
  • 7. File Allocation Table • Original Microsoft file system – Supported by nearly all desktop and server OS's – Standard file system for most removable media • Other than CDs and DVDs – Later versions provide for larger file and disk sizes • Most serious shortcoming – Doesn't support file-level access control lists (ACLs) • Necessary for setting permissions on files • Multiuser environment use results in vulnerability
  • 8. NTFS • New Technology File System (NTFS) – First released as high-end file system • Added support for larger files, disk volumes, and ACL file security • Subsequent Windows versions – Included upgrades for compression, journaling, file- level encryption, and self-healing • Alternate data streams (ADSs) – Can “stream” (hide) information behind existing files • Without affecting function, size, or other information – Several detection methods
  • 10. Remote Procedure Call • Interprocess communication mechanism – Allows a program running on one host to run code on a remote host • Worm that exploited RPC – Conficker worm • Microsoft Baseline Security Analyzer – Determines if system is vulnerable due to an RPC- related issue
  • 14. NetBIOS • Software loaded into memory – Enables computer program to interact with network resource or device • NetBIOS isn’t a protocol – Interface to a network protocol • NetBios Extended User Interface (NetBEUI) – Fast, efficient network protocol – Allows NetBIOS packets to be transmitted over TCP/IP – NBT is NetBIOS over TCP
  • 15. NetBIOS (cont’d.) • Systems running newer Windows OSs – Vista, Server 2008, Windows 7, and later versions – Share files and resources without using NetBIOS • NetBIOS is still used for backward compatibility – Companies use old machines
  • 16. Server Message Block • Used to share files – Usually runs on top of: • NetBIOS • NetBEUI, or • TCP/IP • Several hacking tools target SMB – L0phtcrack’s SMB Packet Capture utility and SMBRelay • It took Microsoft seven years to patch these
  • 17. Server Message Block (cont’d.) • SMB2 – Introduced in Windows Vista – Several new features – Faster and more efficient • Windows 7 – Microsoft avoided reusing code – Still allowed backward capability • Windows XP Mode – Spectacular DoS vulnerabilities • Links Ch 8za-8zc
  • 18. Laurent Gaffié's Fuzzer • Look how easy it is! • From Link Ch 8zb
  • 19. Common Internet File System • Standard protocol – Replaced SMB for Windows 2000 Server and later – SMB is still used for backward compatibility – Described as just a renaming of SMB by Wikipedia (link Ch 8z) • Remote file system protocol – Enables sharing of network resources over the Internet • Relies on other protocols to handle service announcements – Notifies users of available resources
  • 20. Common Internet File System (cont’d.) • Enhancements – Locking features – Caching and read-ahead/write-behind – Support for fault tolerance – Capability to run more efficiently over dial-up – Support for anonymous and authenticated access • Server security methods – Share-level security (folder password) – User-level security (username and password)
  • 21. Common Internet File System (cont’d.) • Attackers look for servers designated as domain controllers – Severs handle authentication • Windows Server 2003 and 2008 – Domain controller uses a global catalog (GC) server • Locates resources among many objects
  • 22. Domain Controller Ports • By default, Windows Server 2003 and 2008 domain controllers using CIFS listen on the following ports – DNS (port 53) – HTTP (port 80) – Kerberos (port 88) – RPC (port 135) – NetBIOS Name Service (port 137) – NetBIOS Datagram Service (port 139) – LDAP (port 389) – HTTPS (port 443) – SMB/ CIFS (port 445) – LDAP over SSL (port 636) – Active Directory global catalog (port 3268)
  • 23. Null Sessions • Anonymous connection established without credentials – Used to display information about users, groups, shares, and password policies – Necessary only if networks need to support older Windows versions • To enumerate NetBIOS vulnerabilities use: – Nbtstat, Net view, Netstat, Ping, Pathping, and Telnet commands
  • 24. Web Services • IIS installs with critical security vulnerabilities – IIS Lockdown Wizard • Locks down IIS versions 4.0 and 5.0 • IIS 6.0 and later versions – Installs with a “secure by default” mode – Previous versions left crucial security holes • Keeping a system patched is important • Configure only needed services
  • 25. SQL Server • Many potential vulnerabilities – Null System Administrator (SA) password • SA access through SA account • SA with blank password by default on versions prior to SQL Server 2005 – Gives attackers administrative access • Database and database server
  • 26. Buffer Overflows • Data is written to a buffer and corrupts data in memory next to allocated buffer – Normally, occurs when copying strings of characters from one buffer to another • Functions don't verify text fits – Attackers run shell code • C and C++ – Lack built-in protection against overwriting data in memory
  • 27. Passwords and Authentication • Weakest security link in any network – Authorized users • Most difficult to secure • Relies on people – Companies should take steps to address it
  • 28. Passwords and Authentication (cont’d.) • Comprehensive password policy is critical – Should include: • Change passwords regularly • Require at least six characters (too short!) • Require complex passwords • Passwords can’t be common words, dictionary words, slang, jargon, or dialect • Passwords must not be identified with a user • Never write it down or store it online or in a file • Do not reveal it to anyone • Use caution when logging on and limit reuse
  • 29. Passwords and Authentication (cont’d.) • Configure domain controllers – Enforce password age, length, and complexity • Password policy aspects that can be enforced: – Account lockout threshold • Set number of failed attempts before account is disabled temporarily – Account lockout duration • Set period of time account is locked out after failed logon attempts • Disable LM Hashes
  • 30. Tools for Identifying Vulnerabilities in Windows
  • 31. Tools for Identifying Vulnerabilities in Windows • Many tools are available – Using more than one is advisable • Using several tools – Helps pinpoint problems more accurately
  • 32. Built-in Windows Tools • Microsoft Baseline Security Analyzer (MBSA) – Capable of checking for: • Patches • Security updates • Configuration errors • Blank or weak passwords
  • 33. Figure 8-1 Checks available in MBSA
  • 34. Table 8-2 Checks performed by MBSA in full-scan mode
  • 35. Table 8-2 Checks performed by MBSA in full-scan mode (cont’d.)
  • 36. Using MBSA • System must meet minimum requirements – Before installing • After installing, MBSA can: – Scan itself – Scan other computers remotely – Be scanned remotely
  • 37. Best Practices for Hardening Windows Systems
  • 38. Best Practices for Hardening Windows Systems • Penetration tester – Finds and reports vulnerabilities • Security tester – Finds vulnerabilities – Gives recommendations for correcting them
  • 39. Patching Systems • Best way to keep systems secure – Keep up to date • Attackers take advantage of known vulnerabilities • Options for small networks – Accessing Windows Update manually – Configure Automatic Updates • Options for large networks – Systems Management Server (SMS) – Windows Software Update Service (WSUS) • Third-party patch management solutions
  • 40. Antivirus Solutions • Antivirus solution is essential – Small networks • Desktop antivirus tool with automatic updates – Large networks • Require corporate-level solution • Antivirus tools – Almost useless if not updated regularly
  • 41. PUPs (Potentially Unwanted Programs) • Programs that come bundled with freeware • Not technically viruses or illegal • Most antivirus won't block them by default
  • 42. • Link Ch 8zi, 8zj
  • 43. Enable Logging and Review Logs Regularly • Important step for monitoring critical areas – Performance – Traffic patterns – Possible security breaches • Can have negative impact on performance • Review regularly – Signs of intrusion or problems • Use log-monitoring tool
  • 44. Disable Unused Services and Filtering Ports • Disable unneeded services • Delete unnecessary applications or scripts – Unused applications are invitations for attacks • Reducing the attack surface – Open only what needs to be open, and close everything else • Filter out unnecessary ports – Make sure perimeter routers filter out ports 137 to 139 and 445
  • 45. Other Security Best Practices • Other practices include: – Delete unused scripts and sample applications – Delete default hidden shares – Use different naming scheme and passwords for public interfaces – Be careful of default permissions – Use appropriate packet-filtering techniques – Use available tools to assess system security – Disable Guest account
  • 46. Other Security Best Practices (cont’d.) • Other practices include (cont’d.): – Rename (or disable) default Administrator account – Make sure there are no accounts with blank passwords – Use Windows group policies – Develop a comprehensive security awareness program – Keep up with emerging threats
  • 47. Microsoft Security Intelligence Report, Volume 20 July through December, 2015
  • 55. Linux OS Vulnerabilities • Linux can be made more secure – Awareness of vulnerabilities – Keep current on new releases and fixes • Many versions are available – Differences ranging from slight to major • It’s important to understand basics – Run control and service configuration – Directory structure and file system – Basic shell commands and scripting – Package management
  • 56. Samba • Open-source implementation of CIFS – Created in 1992 • Allows sharing resources over a network – Security professionals should have basic knowledge of SMB and Samba • Many companies have a mixed environment of Windows and *nix systems • Used to “trick” Windows services into believing *nix resources are Windows resources
  • 57. Tools for Identifying Linux Vulnerabilities • CVE Web site – Source for discovering possible attacker avenues Table 8-4 Linux vulnerabilities found at CVE
  • 58. Tools for Identifying Linux Vulnerabilities (cont’d.) • OpenVAS can enumerate multiple OSs – Security tester using enumeration tools can: • Identify a computer on the network by using port scanning and zone transfers • Identify the OS by conducting port scanning • Identify via enumeration any logon accounts • Learn names of shared folders by using enumeration • Identify services running
  • 59. Figure 8-5 Viewing security warning details
  • 60. Figure 8-6 OpenVAS revealing a security hole resulting from a Firefox vulnerability
  • 61. Figure 8-7 OpenVAS revealing a security hole resulting from a DHCP client vulnerability
  • 62. Checking for Trojan Programs • Most Trojan programs perform one or more of the following: – Allow remote administration of attacked system – Create a file server on attacked computer • Files can be loaded and downloaded – Steal passwords from attacked system • E-mail them to attacker – Log keystrokes • E-mail results or store them in a hidden file the attacker can access remotely
  • 63. Checking for Trojan Programs (cont’d.) • Linux Trojan programs – Sometimes disguised as legitimate programs – Contain program code that can wipe out file systems – More difficult to detect today • Protecting against identified Trojan programs is easier • Rootkits containing Trojan binary programs – More dangerous – Attackers hide tools • Perform further attacks • Have access to backdoor programs
  • 64. More Countermeasures Against Linux Attacks • Most critical tasks: – User awareness training – Keeping current – Configuring systems to improve security
  • 65. User Awareness Training • Inform users – No information should be given to outsiders • Knowing OS makes attacks easier – Be suspicious of people asking questions • Verify who they are talking to • Call them back
  • 66. Keeping Current • As soon as a vulnerability is discovered and posted – OS vendors notify customers • Upgrades • Patches – Installing fixes promptly is essential • Linux distributions – Most have warning methods
  • 67. Secure Configuration • Many methods to help prevent intrusion – Vulnerability scanners – Built-in Linux tools – Free benchmark tools • Center for Internet Security – Security Blanket • Trusted Computer Solutions