
Defending Windows Networks – Day 3

Day 3….

Class started out today with Lab 6: Password Auditing.  There were four exercises that revolved around using either LC5 or Cain & Abel to crack passwords.  The exercises were as follows:

  1. Password auditing with LC5
  2. Using LC5 to audit passwords on a Domain Controller
  3. Using Cain & Abel and rainbow tables
  4. Importing and exporting password hash text files

The coolest exercise by far was using rainbow tables to crack the passwords that LC5 had been unable to crack.  Karl has a small collection of rainbow tables that he allowed us to use during this exercise.
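As an added example (it is not part of the course material or of this post), the following PowerShell script audits a pwdump-style hash export, the text format that exercise 4 imports and exports, for the properties that make LC5 and rainbow-table attacks succeed: an LM hash still being stored, an LM second half equal to the constant for a blank block (which means the password is seven characters or fewer), an empty NT hash, and the same NT hash appearing on several accounts. The sample lines are constructed for this example; the hashes on the Administrator and jdoe lines are the published LM/NT test vectors for the password "password", the svc_backup hashes are placeholder hex.

```powershell
# Added example, not from the course or the blog post. Flags the weaknesses in a
# pwdump-style export (user:RID:LM hash:NT hash:::) that password auditing tools
# exploit. Sample lines are constructed; only the "password" hashes are real.

$EmptyLmHalf = 'aad3b435b51404ee'                  # LM half for a blank 7-char block
$EmptyLm     = $EmptyLmHalf + $EmptyLmHalf         # no LM hash stored at all
$EmptyNt     = '31d6cfe0d16ae931b73c59d7e0c089c0'  # NT hash of the empty password

# Constructed sample export. Administrator and jdoe carry the well-known
# LM/NT hashes of "password"; svc_backup's hashes are placeholder hex.
$sample = @'
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1105:1111111111111111aad3b435b51404ee:22222222222222222222222222222222:::
jdoe:1108:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
'@

function Get-PwdumpFindings {
    param([string[]]$Lines)

    # Parse the four fields we care about; -match is case-insensitive, so
    # upper-case hex written by other dump tools parses too.
    $records = foreach ($line in $Lines) {
        if ($line -match '^(?<user>[^:]+):(?<rid>\d+):(?<lm>[0-9a-f]{32}):(?<nt>[0-9a-f]{32}):') {
            [pscustomobject]@{
                User = $Matches.user
                Rid  = [int]$Matches.rid
                LM   = $Matches.lm.ToLower()
                NT   = $Matches.nt.ToLower()
            }
        }
    }

    # Count how many accounts share each NT hash (same hash = same password).
    $ntCount = @{}
    foreach ($r in $records) { $ntCount[$r.NT] = 1 + [int]$ntCount[$r.NT] }

    foreach ($r in $records) {
        $issues = @()
        if ($r.Rid -eq 500) {
            $issues += 'built-in Administrator (RID 500) whatever it is named'
        }
        if ($r.NT -eq $EmptyNt) {
            $issues += 'empty password'
        }
        if ($r.LM -ne $EmptyLm) {
            $issues += 'LM hash stored (case-insensitive, rainbow-table crackable)'
            # The second LM half covers characters 8-14; the blank-block constant
            # there means the password is at most 7 characters long.
            if ($r.LM.Substring(16) -eq $EmptyLmHalf) {
                $issues += 'password is 7 characters or fewer'
            }
        }
        if ($r.NT -ne $EmptyNt -and $ntCount[$r.NT] -gt 1) {
            $issues += "NT hash shared by $($ntCount[$r.NT]) accounts (password reuse)"
        }
        [pscustomobject]@{ User = $r.User; Rid = $r.Rid; Issues = ($issues -join '; ') }
    }
}

Get-PwdumpFindings -Lines ($sample -split "`r?`n") | Format-Table -AutoSize
```

With the sample above, Administrator is flagged for RID 500, a stored LM hash and an NT hash shared with jdoe; Guest for an empty password; svc_backup for a stored LM hash whose second half shows a password of at most seven characters. To run it against a real export, replace `$sample` with `Get-Content` on the dump file; the flagged accounts are the ones a cracker would recover first, which is the same as saying they are the ones to reset first.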

Section 7: “Account Discovery”

End-user compromise can lead to the following information:

  • AD name
  • User\password
  • Local Administrator\password

Gaining the local administrator account and password gives the attacker free rein to access most desktops in the environment and to run something like fgdump on each of them to dump further password hashes.

He illustrated how such a limited compromise can lead to further exploitation with the example of a hacker group that gained admin rights to a bank web site.  They were unable to move further into the bank's systems via the web site, but realized they could convince customers who used the site to download an "update" that was supposed to protect them while banking online.  The download was not an update but a trojan, and once installed it allowed the hackers to upload additional software to all infected machines.  They then sold this ability to other hacker groups, who paid to have their software installed as well.  By the time this was finally detected the client machines had thousands of trojans installed, which led to numerous instances of identity theft, stolen passwords, and the compromise of other networks where these machines resided.

We're now discussing best practices for an account naming strategy.  Although it is best practice to rename the default Administrator account, there are ways to enumerate its true identity using tools such as sid2user or user2sid.  Each account is given a unique security identifier (SID) upon creation.  Below is an example of using the whoami /user command to show the currently logged-on user's SID:


Certain accounts, however, always have the same relative identifier (RID, the last component of the SID) regardless of the domain they reside in; the default Administrator's SID always ends in 500, as can be seen above, so an attacker who can translate SIDs to names finds it no matter what it has been renamed to.  Another weakness is that any authenticated user can view the members of the Administrators, Domain Admins and Enterprise Admins groups using the Windows Search utility.  Two things can be done to prevent these types of enumeration:

  • Use Group Policy to disable anonymous SID/Name translation (sid2user\user2sid no longer work over an anonymous connection)
  • Remove the Authenticated Users group from the security tab of the Administrator account or the Administrators group (Windows Search will no longer show the members)

One caveat on the second item: the Administrators, Domain Admins and Enterprise Admins groups (and their members) are protected by AdminSDHolder, and the SDProp process re-applies the ACL from CN=AdminSDHolder,CN=System in the domain to them about once an hour.  A permission removed directly on the group therefore comes back unless the same change is made on the AdminSDHolder object.

Group Policy setting to disable anonymous SID/Name translation (Network access: Allow anonymous SID/Name translation, set to Disabled):

Another best practice is to use Group Policy to rename the default local Administrator and Guest accounts (Accounts: Rename administrator account and Accounts: Rename guest account):

Remove the Authenticated Users group from the security tab:
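The following PowerShell script is an added example, not part of the course or of this post.  Run in an elevated PowerShell on a Windows host, it first does what sid2user does, translating the domain (or machine) SID with RID 500 appended back to an account name, so you can see that a rename alone does not hide the built-in Administrator, and then reports the current state of the settings discussed above: the two anonymous-enumeration registry values under the Lsa key, and the anonymous SID/Name translation and rename settings, which live in the local security policy rather than in plain registry values and so are read from a secedit export.  The scratch path used for that export is an assumption.

```powershell
# Added example, not from the course or the blog post. Run in an elevated
# PowerShell on a Windows host. Shows (1) that RID 500 still identifies the
# built-in Administrator after a rename, which is what sid2user relies on, and
# (2) the current state of the Group Policy settings Section 7 recommends.
# The scratch path for the secedit export is an assumption.

# (1) Take the current user's domain (or machine) SID, append RID 500 and ask
#     LSA to translate it back to a name: the same LookupAccountSid call that
#     sid2user makes. (AccountDomainSid is null for non-account SIDs such as
#     LocalSystem, so run this as an ordinary user or domain user.)
$me        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$domainSid = $me.User.AccountDomainSid.Value        # S-1-5-21-... without the RID
$adminSid  = New-Object -TypeName System.Security.Principal.SecurityIdentifier `
                        -ArgumentList "$($domainSid)-500"
$adminName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value

# (2a) Anonymous SAM enumeration. 1 means "do not allow" (the hardened value).
#      RestrictAnonymousSAM = "Do not allow anonymous enumeration of SAM accounts"
#      RestrictAnonymous    = "... of SAM accounts and shares"
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# (2b) Export the local security policy; secedit writes a UTF-16 .inf that
#      Get-Content reads via its BOM. Requires elevation.
$inf = Join-Path $env:TEMP 'local-secpol.inf'     # assumed scratch path
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
$policy = Get-Content -Path $inf

function Get-InfValue {
    param([string[]]$Lines, [string]$Key)
    # Lines in the [System Access] section look like:  Key = value  or  Key = "value"
    $pattern = '^\s*' + [regex]::Escape($Key) + '\s*=\s*(.+?)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) { return $Matches[1].Trim('"') }
    }
    return '(not set)'
}

[pscustomobject]@{
    'RID 500 account name'             = $adminName
    'RestrictAnonymousSAM (want 1)'    = $lsa.RestrictAnonymousSAM
    'RestrictAnonymous (want 1)'       = $lsa.RestrictAnonymous
    'LSAAnonymousNameLookup (want 0)'  = Get-InfValue $policy 'LSAAnonymousNameLookup'
    'NewAdministratorName'             = Get-InfValue $policy 'NewAdministratorName'
    'NewGuestName'                     = Get-InfValue $policy 'NewGuestName'
} | Format-List

Remove-Item -Path $inf -ErrorAction SilentlyContinue
```

Note what the first part demonstrates: the RID 500 lookup succeeds for any authenticated user even after LSAAnonymousNameLookup is set to 0, because that setting only closes the anonymous (null session) path that sid2user uses from outside.  Renaming the account therefore raises the bar for unauthenticated attackers only; an attacker who already holds any domain account, which is the scenario Section 7 started from, finds the real Administrator in one call.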

Lab 7: “Account Discovery”

This lab contains the following exercises:

  1. Using LANguard for account discovery
  2. Using Redbutton for account discovery
  3. Using Group Policy to secure Windows systems from anonymous account discovery
  4. Using AD to reveal members of the Admins group
  5. Setting security in AD to prevent admin account discovery

In the past I’ve demonstrated several times how to use the sid2user\user2sid tools.  These tools, however, are rendered useless on Server 2008, as its default build is more secure.

Section 8: “Trojan Horse”

Trojan horse apps are small programs that hackers embed in other files and typically distribute via email and file-sharing networks.  Other means of distribution include browser add-ons, patches and media players.  Certain file types make easy hosts for Trojans:

  • .exe
  • .zip
  • .scr (screen saver, which is an executable)
  • .wma
  • .wmv
  • .mov

The hardest ones to detect are .wma, .wmv and .mov files.  This is because they can carry instructions on where to go to download the codec supposedly required to play the movie, and the download can happen without the user's intervention or permission.  Even when permission is asked for, the user will most likely install it because they don't know any better.  One of the most popular, most frequently updated and best-known trojans is Back Orifice.

Lab 8: “Gaining Control with a Trojan Horse”

  1. Using a simple trojan
  2. Hiding a trojan in a host file

Exercise 2 was very scary.  It took almost no time to use a program like Yet Another Binder to place a trojan inside the Matrix screen saver.  The goal of a hacker would now be to convince someone to download and run it.  There is no install required, and the trojan comes to life the minute the screen saver is activated.  I was then able to use NetBus to connect to and control the box.  I had written a previous article, “Free is something of the past”, in which I explained my reasons for recommending that users install a more advanced and complete solution for protecting themselves while on the Internet, and that free AVs like AVG will no longer provide the protection they need.  Not only is hacking becoming more sophisticated, but the old tools are now available, allowing children to compile these programs.  Any parent with a child is at risk of having their own children spy on them now.  As long as the child has direct physical access to the machine they ultimately own it.  Only under the most extreme measures can you protect yourself from this kind of intrusion.

Categories: Security
Comment, June 30, 2014 at 12:27 am:

    My brother suggested I might like this blog.

    He was entirely right. This post actually made my day. You cannot imagine just how much time I had spent for this info!
