Lesson 9 Common Windows Exploits - PowerPoint PPT Presentation

1 / 31
About This Presentation
Title:

Lesson 9 Common Windows Exploits

Description:

Incident Response – PowerPoint PPT presentation

Number of Views:139
Avg rating:3.0/5.0
Slides: 32
Provided by: Kau106
Category:

less

Transcript and Presenter's Notes

Title: Lesson 9 Common Windows Exploits


1
Lesson 9Common Windows Exploits
2
Overview
  • Top 20 Exploits
  • Common Vulnerable Ports
  • Detecting Events

3
SANS/FBI Top 20 List
  • Publish list of the Twenty Most Critical Internet
    Security Vulnerabilities
  • www.sans.org/top20
  • Updated in October (or sooner if necessary)
  • Thousands use this list to close up holes in
    their system
  • Most incidents traced back to Top 20 list

4
SANS/FBI Top 20 List
  • Based on facts, attackers
  • are opportunistic
  • take the easiest and most convenient route
  • exploit the best-known flaws with the most
    effective and widely available attack tools
  • count on organizations not fixing the holes

5
SANS/FBI Top 20 List
  • List broken down into two sections
  • Two Top Ten lists
  • Ten most commonly exploited vulnerable services
    in Windows
  • Ten most commonly exploited vulnerable services
    in Unix

6
W1 Internet Information Services (IIS)
  • IIS prone to vulnerabilities in three major
    classes
  • Failure to handle unanticipated requests
  • Buffer overflows
  • Sample applications
  • Target port TCP Port 80 (http)

7
Failure to Handle Unanticipated Requests
  • IIS has a problem handling improperly formed HTTP
    requests
  • Web folder traversal (unicode)
  • Allows
  • view of the source code of scripted applications
  • view of files outside the Web document root
  • view of files Web server has been instructed not
    to serve
  • execution of arbitrary commands on the server
  • deletion of files, uploading of rootkits,
    creation of backdoors

8
Buffer Overflows
  • Many ISAPI and SSI extensions vulnerable to
    buffer overflows
  • .asp / .htr / .idq / printer
  • A carefully crafted request from a remote
    attacker may results in
  • Denial of Service
  • Execution of arbitrary code and/or commands in
    the Web servers user context
  • through the IUSR_servername account (like
    anonymous)

9
W2 Microsoft SQL Server
  • Microsoft SQL Server contains several serious
    vulnerabilities that allow remote attackers to
  • obtain information
  • alter database content
  • compromise SQL servers
  • compromise server hosts
  • Theres Was an MSSQL worm released in May 2002

10
W2 Microsoft SQL Server
  • Target port TCP port 1433
  • OSs affected
  • Microsoft SQL Server 7.0
  • Microsoft SQL Server 2000
  • Microsoft SQL Server Engine 2000

11
W2 Microsoft SQL Server
  • How to detect a compromise
  • First thing youll see is the probing or
    fishing for information
  • Probes on port 1433
  • Attacker is looking for those boxes that respond
    positively to a probe on port 1433
  • tells them box is listening (or has the port
    open) on port 1433

12
W3 General Windows Authentication
  • Accounts with No Passwords or Weak Passwords
  • Only protection is to have a strong password and
    good password habits
  • With advent of Windows XP consider everyday
    accounts at user privilege

13
W3 LAN Manager Authentication
  • Most current Windows environments have no need
    for LAN Manager (weak hashing)
  • Most use NTLM now
  • But Windows NT, 2000, and XP do have LM by
    default
  • LM has a very weak encryption scheme
  • Wont take a hacker long to crack passwords

14
W3 Unprotected Windows Networking
Shares(NetBios)
  • OSs affected
  • Windows 95, Windows 98, Windows NT, Windows Me,
    Windows 2000, and Windows XP
  • Main objective
  • gather info about guest host names
  • try these guest host names with null passwords
    until one works
  • attacker will then attempt to download the entire
    database of userids and/or passwords

15
W4 Internet Explorer
  • Consequences can include
  • Disclosure of cookies
  • Disclosure of local files or data
  • Execution of local programs
  • Download and execution of arbitrary code
  • Complete takeover of vulnerable system
  • Most Critical

16
W4 Internet Explorer
  • Default web browser installed on MS Windows
    platforms
  • All existing IEs have critical vulnerabilities
  • A malicious web administrator can design web
    pages to exploit these vulnerabilities
  • Just need someone to browse the web page

17
W4 Internet Explorer
  • Vulnerabilities can be categorized into multiple
    classes
  • Web page spoofing
  • ActiveX control vulnerabilities
  • Active scripting vulnerabilities
  • MIME-type and content-type misinterpretation
  • Buffer overflows

18
W5 Unprotected Windows Networking
Shares(NetBios)
  • MS Windows provides a host machine with the
    ability to share files or folders across a
    network
  • Underlying mechanism of this feature is the
  • Server Message Block (SMB) protocol, or the
  • Common Internet Files System (CIFS) protocol
  • Target Port TCP Port 139

19
W5 Anonymous Logon -- Null Sessions
  • This vulnerability is very similar to the one
    described before in Netbios
  • Attacker is looking for a host name with a null
    password
  • Attacker uses IPC (called IPC shares) with a
    double-double quote () in place of a password

20
W6 Microsoft Data Access Components
(MDAC)--Remote Data Services
  • RDS component in older versions of MDAC has flaws
    that allow a remote user to run commands locally
    with administrative privileges
  • This exploit is readily used to deface Web pages
  • Check Web Server Logs to make sure

21
W7 Windows Scripting Host (WSH)
  • Permits any text file with a .vbs extension to
    be executed as a Visual Basic script
  • A typical worm propagates by including a VBScript
    as the contents of another file and executes when
    that file is viewed or in some cases previewed

22
The Other 3
  • W8 Outlook and Outlook Express
  • W9 P2P File Sharing
  • W10 Simple Network Mgt Protocol

23
Common Vulnerable Ports
  • Login Services
  • telnet (port 23/tcp)
  • SSH (port 22/tcp)
  • FTP (port 21/tcp)
  • NetBIOS (port 139/tcp)
  • rlogin (port 512 - 514/tcp)

24
Common Vulnerable Ports
  • RPC and NFS
  • portmap/rpcbind (port 111/tcp and udp)
  • NFS (port 2049/tcp and udp)
  • lockd (port 4045/tcp and udp)
  • Xwindows
  • port 6000/tcp through 6255/tcp

25
Common Vulnerable Ports
  • Naming services
  • DNS (port 53/udp) for all machines that are not
    DNS servers
  • DNS (port 53/tcp) for zone transfer requests
  • LDAP (port 389/tcp and udp)

26
Common Vulnerable Ports
  • Mail
  • SMTP (port 25/tcp) for all machines that are not
    external mail relays
  • POP (port 109/tcp and port 110/tcp)
  • IMAP (port 143/tcp)

27
Common Vulnerable Ports
  • Web
  • HTTP (port 80/tcp)
  • SSL (port 443/tcp) except to external Web servers
  • HTTP proxies
  • port 8000/tcp
  • port 8080/tcp
  • port 8888/tcp

28
Common Vulnerable Ports
  • Small services
  • ports below 20/tcp and udp
  • time (port 37/tcp and udp)
  • Miscellaneous
  • TFTP (port 69/udp)
  • Finger (port 79/tcp)
  • NNTP (port 119/tcp)

29
Common Vulnerable Ports
  • Miscellaneous (continued)
  • NTP (port 123/udp)
  • LPD (port 515/tcp)
  • syslog (port 514/udp)
  • SNMP (port 161/tcp and udp, and port 162/tcp and
    udp)
  • BGP (port 179/tcp)
  • SOCKS (port 1080/tcp)

30
Common Vulnerable Ports
  • ICMP
  • block incoming echo requests (ping and Windows
    traceroute)
  • block outgoing echo replies, time exceeded,
    and destination unreachable
  • except packet too big messages

31
How To Detect and Investigate
  • http//www.sans.org/top20/tools04.pdf
  • Run an IDS and review logs for common
    signaturesespecially IIS hacks
  • Aggressively review web server logs
  • Ensure FTP application logging turned onthen
    review FTP logs
  • Know your networkand know what is abnormal
Write a Comment
User Comments (0)
About PowerShow.com