
Defending Windows Networks – Day 4

Day 4…..

Section 9: Defeating and Defending the Firewall

After a brief description of a firewall’s basic functionality, we discussed some of the most commonly used ports that should be blocked outgoing via the firewall:

  • 23 – telnet
  • 88 – kerberos
  • 135 – rpc
  • 139 – netbios
  • 445 – cifs (smb)
  • 3268 – gc
  • 3269 – gc
  • 3389 – rdp

The reasoning for blocking these ports is to prevent a reverse-connecting trojan, once installed, from connecting back to the hacker’s box.  Each restricted port provides another barrier which the hacker must circumvent.  Although this is a minor detail it still falls within the realm of best practices.  So what ports do need to be open in order to provide Internet resource functionality?  Below is a list of ports that would most likely be permitted:

  • 25 –  smtp
  • 53 – dns
  • 80 – http
  • 443 – https

There would most likely be a few more ports depending on the needs of the organization, but these ports would provide Internet and email access, both of which are required in today’s corporate environment.
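To make the egress policy above concrete on the host side, here is an added example (my code, not part of the class notes): it encodes the block and allow lists from the two port lists, parses constructed `netstat -ano`-style rows, and flags connections leaving the network on ports the firewall should not be passing. The internal range 192.168.33.0/24 and the sample rows are assumptions, not data from the class.

```python
"""Egress-filter policy check and reverse-connection triage.

Added example, not code from the original post. Assumptions not in the post:
the internal network is 192.168.33.0/24, and SAMPLE_NETSTAT is constructed to
resemble `netstat -ano` output on the 192.168.33.192 host.
"""
import ipaddress

# Ports the post says should be blocked outbound at the firewall.
BLOCKED_EGRESS_PORTS = {23, 88, 135, 139, 445, 3268, 3269, 3389}
# Ports the post lists as the ones most likely permitted outbound.
ALLOWED_EGRESS_PORTS = {25, 53, 80, 443}

# Assumed internal address range (not from the post).
INTERNAL_NET = ipaddress.ip_network("192.168.33.0/24")

# Constructed sample; only TCP rows with a state column are parsed.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  TCP    192.168.33.192:1042    192.168.33.10:445      ESTABLISHED     4
  TCP    192.168.33.192:1055    203.0.113.7:443        ESTABLISHED     1388
  TCP    192.168.33.192:1061    198.51.100.23:3389     ESTABLISHED     2240
  TCP    192.168.33.192:1064    198.51.100.23:8080     SYN_SENT        2240
"""


def egress_allowed(dst_port):
    """Default-deny: outbound traffic is allowed only to ports on the allow
    list that are not also on the block list."""
    return dst_port in ALLOWED_EGRESS_PORTS and dst_port not in BLOCKED_EGRESS_PORTS


def parse_netstat(text):
    """Turn `netstat -ano`-style TCP rows into dicts. IPv6 addresses such as
    [::1]:135 are handled by splitting on the last colon and dropping brackets."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "TCP":
            continue
        local_ip, local_port = parts[1].rsplit(":", 1)
        remote_ip, remote_port = parts[2].rsplit(":", 1)
        rows.append({
            "local_ip": local_ip.strip("[]"),
            "local_port": int(local_port),
            "remote_ip": remote_ip.strip("[]"),
            "remote_port": int(remote_port),
            "state": parts[3],
            "pid": int(parts[4]),
        })
    return rows


def suspicious_egress(rows, internal_net=INTERNAL_NET):
    """Flag outbound connections that leave the internal network on a port the
    firewall policy would not permit. Returns (row, reason) pairs so the PID
    can be followed up on the host."""
    hits = []
    for row in rows:
        # Only connections being made or already up count as egress.
        if row["state"] not in ("ESTABLISHED", "SYN_SENT"):
            continue
        remote = ipaddress.ip_address(row["remote_ip"])
        if remote.is_loopback or remote in internal_net:
            continue  # traffic that stays inside the perimeter is out of scope here
        if row["remote_port"] in BLOCKED_EGRESS_PORTS:
            hits.append((row, "blocked egress port"))
        elif not egress_allowed(row["remote_port"]):
            hits.append((row, "port not on egress allow list"))
    return hits


if __name__ == "__main__":
    for row, reason in suspicious_egress(parse_netstat(SAMPLE_NETSTAT)):
        print(f"PID {row['pid']}: {row['remote_ip']}:{row['remote_port']} "
              f"({row['state']}) - {reason}")
```

Run against the constructed rows it reports the 3389 connection (on the block list) and the 8080 one (not on the allow list); the 445 session to another internal host and the 443 session are left alone. If the firewall is doing its job the first kind of hit should never be ESTABLISHED, so a SYN_SENT stuck on a blocked port is the more useful sign of something on the host trying to phone home.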

Lab 9: Reverse Connection Trojans

  1. Preparing the Lab System VMs
  2. Using the Reverse Connecting Trojan
  3. Use Yet Another Binder and BO2K Together

This lab was similar to lab 8.

Section 10: Defending Against Other Windows Exploits

One of the best security measures that can be implemented to limit our attack surface is to install all required security patches and service packs as advised by Microsoft or any other vendor whose software we have installed.

Buffer overflows were some of the original attacks used to compromise a system.  This required an in-depth knowledge of programming, which limited the scope of individuals capable of performing such attacks.  There are now tools such as Metasploit (free) which can be used to launch known exploits against a target with limited or no knowledge of programming whatsoever.  I just watched a demonstration where an exploit was used to create a user and add them to the administrators group on the remote system.  Granted the system was a Windows 2000 server, but what’s important is that this hack would have failed if the box was fully patched.

Not only does Metasploit permit a non-programmer to compromise a remote machine with relative ease, but it also provides the code used to perform the hack.  This allows the hacker to learn how it was done by examining the code, so it’s an educational tool as well.

There are several ways to automate the install of approved patches and updates in a windows environment:

  • Windows Server Update Services (WSUS)
  • System Center Essentials (SCE)
  • System Center Configuration Manager (SCCM)

Lab 10: Using Metasploit

  1. Exploring the Metasploit Framework
  2. Using the Metasploit Framework against a Target
  3. Other Target systems

This exercise used Metasploit to add a user to a remote Windows 2000 server using the ms06_040_netapi exploit, as demonstrated earlier by Karl.  An initial search for vulnerabilities found on a Windows 2000 machine displays the MS06 exploit to be used.   Once you have chosen the specific exploit to try, double-clicking it opens up a wizard.   This allows you to decide the OS type upon which the exploit should be tried as well as which specific action to perform, such as add user (chosen below), create a remote shell or use RDP to open a remote session. The only info required now is the destination address and the user\password to be created.   Once this info is chosen, clicking on Forward begins the hack.   I was ultimately able to create the user as well as use additional exploits to connect using RDP and remote shell.  This is truly assembly line…automated hacking.  Very little knowledge is required to use this tool, which means children can have a field day attacking and compromising machines all day long.  The lesson to be learned here is that patching a system is critical.  I would even go so far as to say that it supersedes other security measures in precedence of implementation.

Proof of Concept Exercise

So now the challenge has come, as I assumed it would eventually.  Karl provided us with some helpful information that he was able to retrieve using fgdump.  The following info is from the fgdump log file:
— fgdump session started on 10/15/2008 at 11:26:43 —
— Command line used: fgdump —
— Session ID: 2008-10-15-15-26-43 —
Starting dump on 192.168.33.192

** Beginning local dump **
OS (192.168.33.192): Microsoft Windows XP Professional Service Pack 2 (Build 2600) 
Passwords dumped successfully
Cache dumped successfully

—–Summary—–

Failed servers:
NONE

Successful servers:
192.168.33.192

Total failed: 0
Total successful: 1

The second file contained the results for a pwdump which dumps the password LM & NTLM hashes as seen below:

alan.williams:"":"":54EFE73AD39140061D71060D896B7A46:50F80BC2DD53977DC12E62A47FA89936
bruce.allen:"":"":192952D20C6387390252988B7F3344D2:D791EA573757EE12FA62301C8C731716
donna.miller:"":"":1D78D1BE16E7B685417EAF50CFAC29C3:37C5A55D91F32C7B7E7917A2128E8F5E
gloria.stevens:"":"":3A73C6AEDE34096054E7DD20734381A2:848B7B06FE806E66B6FF73181C647729
harvey.griffen:"":"":F259B08FB884FC036AC880E74F6A4030:4A9F9DAB27AA32FC0E755991D25A3FA5
kara.thompson:"":"":4AAAE0837EFDAECCBA05464FA3D7F5C8:B2FD02C490D462F9145CC1643A2E785F
mike.billings:"":"":1DD7C4F9D60B760E1104594F8C2EF12B:74658CED156CA88541E12B33FAA40FD7
pete.lawton:"":"":684E71A8F720071FFDCFC2AFB2D1BE34:E2EFB65DE9D2EF3BB22B5C337517B3A0
tony.knottsworth:"":"":AB036EB55A7F7FB17820C2EDEF86CC9B:CFEDF9AC49131F4DD53B5E20879AF3E9

This was all the info he provided, and from this we were supposed to compromise the box and gain access to a user’s bank account info.  To keep things simple I’ve documented only the steps used to compromise the box and have left out any issues I encountered during the process.
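Seen from the defending side, a dump in the pwdump format shown above tells you two things before anyone cracks anything: whether the machine is still storing LM hashes at all, and whether any account has a blank password. The following is an added example of mine, not material from the class; the sample lines are constructed, and apart from the two well-known constants (the "no LM hash" value and the NT hash of an empty password) the hash values are placeholders.

```python
"""Audit of pwdump-style hash dumps for weak storage and blank passwords.

Added example, not from the original post. Format as shown in the post:
user:"":"":LMHASH:NTHASH. SAMPLE_PWDUMP is constructed; apart from the two
well-known constants below its hash values are placeholders.
"""
import re

# LM hash field seen when no LM hash is stored (LM hashing disabled, or the
# password is empty or longer than 14 characters).
EMPTY_LM_HASH = "AAD3B435B51404EEAAD3B435B51404EE"
# NT hash of an empty password.
EMPTY_NT_HASH = "31D6CFE0D16AE931B73C59D7E0C089C0"

HEX32 = re.compile(r"\b[0-9A-Fa-f]{32}\b")

# Constructed sample lines (usernames and non-constant hashes are placeholders).
SAMPLE_PWDUMP = """\
alice.example:"":"":AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF
bob.example:"":"":1122334455667788AABBCCDDEEFF0011:FFEEDDCCBBAA99887766554433221100
svc.legacy:"":"":AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
"""


def parse_pwdump(text):
    """Return {user, lm, nt} per line. The two 32-hex fields are located by
    pattern, so the classic user:rid:LM:NT::: layout parses the same way."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user = line.split(":", 1)[0]
        hashes = HEX32.findall(line)
        if len(hashes) < 2:
            raise ValueError(f"no LM/NT hash pair on line for {user!r}")
        records.append({"user": user, "lm": hashes[0].upper(), "nt": hashes[1].upper()})
    return records


def audit_hashes(records):
    """Findings a defender acts on: blank passwords (anyone can log on) and
    stored LM hashes (password is 14 characters or fewer and LM hashing is
    still enabled, so the hash falls to rainbow tables quickly)."""
    findings = []
    for r in records:
        if r["nt"] == EMPTY_NT_HASH:
            findings.append((r["user"], "blank password"))
        if r["lm"] != EMPTY_LM_HASH:
            findings.append((r["user"], "LM hash stored"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_hashes(parse_pwdump(SAMPLE_PWDUMP)):
        print(f"{user}: {finding}")
```

On the constructed input alice.example is clean, bob.example is flagged for a stored LM hash, and svc.legacy is flagged for a blank password. Every account in the dump above has a real LM hash in the fourth field, which is exactly why the rainbow-table step in the write-up below works; a box that no longer stores LM hashes would show the AAD3B435… constant there instead.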

  1. Used both Cain & Abel and LC5 to crack the passwords.  What LC5 couldn’t crack, C&A was able to using rainbow tables
  2. Ran GFI LANguard and Zenmap against the IP address taken from the fgdump log file and looked for open ports
  3. Discovered the following open ports:  139, 445, 3389 (139\445 = file sharing, 3389 = Remote Desktop)
  4. I then tried mapping a network drive from the command prompt as follows: net use * \\192.168.33.192\c$.  I tried all user accounts until I found the one that worked
  5. Browsed that user’s Documents & Settings folder (XP) and discovered from their Favorites that they most likely did personal banking online
  6. Browsed further into their profile and discovered Outlook Express mail had been set up
  7. Copied over the Outlook Express folder to my machine and imported the folders
  8. Examined their Inbox and discovered an email from their bank which contained their account name
  9. Used the account name from the email along with the cracked password and I was able to access their account

There isn’t a class that I’ve taught where I didn’t discuss the default shares that exist on every Windows machine known to man.  The C$ is a hidden share which provides access to the whole C: drive, provided you have a username\password that can authenticate.  Most students are unaware of this as well as being able to use this to connect remotely.  A simple command like Net Share (done from the command prompt) will reveal all shares (hidden or not) that exist on the local machine.  The following are the 3 default shares:

  • C$ (c:\)
  • ADMIN$ (c:\windows)
  • IPC$ (used for Interprocess communication)

If you have any additional drives or volumes then they also will be shared.   Accompany that with an Administrator account and no password and the situation is ripe for exploitation.
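To turn the Net Share check above into something you can run across a lab, here is an added example of mine (not from the class): it parses constructed `net share` output, separates the three default shares from the extra drive shares that appear for every additional volume, and lists anything else so it can be reviewed. The sample output and the Finance share are invented to resemble a Windows XP box.

```python
"""Inventory of shares from `net share` output, with the default administrative
shares separated from anything else.

Added example, not from the original post. SAMPLE_NET_SHARE is constructed to
resemble `net share` output on a Windows XP host; the Finance share is invented.
"""
import re

# The three default shares named in the post.
DEFAULT_ADMIN_SHARES = {"C$", "ADMIN$", "IPC$"}

# Constructed sample output.
SAMPLE_NET_SHARE = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\WINDOWS                      Remote Admin
D$           D:\                             Default share
Finance      D:\Finance
The command completed successfully.
"""


def parse_net_share(text):
    """Parse the table portion of `net share` output. Columns are separated by
    runs of spaces; the resource column is recognised by its drive-letter path,
    which is what lets IPC$ (no resource, only a remark) parse correctly."""
    shares = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("-----"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        if line.startswith("The command completed"):
            break
        cols = re.split(r"\s{2,}", line.strip())
        name, rest = cols[0], cols[1:]
        resource = ""
        if rest and re.match(r"^[A-Za-z]:\\", rest[0]):
            resource = rest.pop(0)
        shares.append({"name": name, "resource": resource, "remark": " ".join(rest)})
    return shares


def classify_shares(shares):
    """Group share names: the expected defaults, extra drive shares (one per
    additional volume), other hidden ($) shares, and visible shares."""
    report = {"default_admin": [], "extra_drive": [], "hidden_other": [], "visible": []}
    for s in shares:
        name = s["name"].upper()
        if name in DEFAULT_ADMIN_SHARES:
            report["default_admin"].append(name)
        elif re.fullmatch(r"[A-Z]\$", name):
            report["extra_drive"].append(name)
        elif name.endswith("$"):
            report["hidden_other"].append(name)
        else:
            report["visible"].append(name)
    return report


if __name__ == "__main__":
    report = classify_shares(parse_net_share(SAMPLE_NET_SHARE))
    for group, names in report.items():
        print(f"{group}: {', '.join(names) or '-'}")
```

On the constructed output the report shows C$, IPC$ and ADMIN$ as the defaults, D$ as the extra drive share the post warns about, and Finance as the one share someone created on purpose. Remember that what the admin shares expose is bounded only by who can authenticate, so the inventory is only half the check; the blank-password audit on the account side is the other half.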
