Connectionswindowsnt

windowsnt  时间:2021-03-29  阅读:()
HackingWindowsNT(UsingUNIX)HansVandeLooyPreambleAndDisclaimerFAlotofthevulnerabilitiesdescribedinthispresentationcanbefixed,butarestillpresentintheworldoutside.
Pointingtheseouttoadministratorsistheonlyreasonforincludingtheminthispresentation.
FCrackingmaybeacriminaloffenseandprosecutedbylawinyourcountry.
JContentsFSomeSecurityStatisticsFNoHolyWars;Please!
FWindowsNTSecurityHolesWellKnown(UNIX)ToolsFPitfallAvoidanceInstallingBaselineSecurityFInternetReferencesFConclusionSomeSecurityStatisticsWhydoyouneedNetworkandSystemSecurityRecentSecurityStatisticsFNetworkSecurityisaseriousissueformostorganisations–30%ofrespondentsreportedsystempenetrationbyoutsiders–55%oforganisationssurveyedreportincreasedattacksby"insiders"–32%ofrespondentsreportedseriousincidentstolawenforcement-previouslyonly17%–20%increaseinattacksfromtheoutsidesince1996thankstoe-commerceSource1999CSI/FBIComputerCrimeandSecuritySurveyNoHolyWars;Please!
StrengthsandweaknessesofWindowsNTandUNIXServerConfigurationFWindowsNT(4.
0)–IIS4.
0–ProxyServer2.
0–FTPinISS4.
0–Exchange5.
5–Exchange5.
5/IIS4.
0–DNS(basedon4.
9)–Exchange5.
5–DHCP(build-in)–SMB(build-in)–build-in"IPsecurity"FUNIX(BSD4.
4/Linux)–Apache1.
3.
6–Squid2.
1–(WU-)FTP2.
4.
2–Sendmail8.
9.
3orPostfix–POP/IMAP(ie.
Imap4.
4)–Bind8.
2–INN1.
7.
2orDiablo1.
15–ISCDHCP2.
b1.
6–Samba2.
0.
2orNFS–ipfworipfilterComparingWindowsNTandUNIXFWindowsNT(4.
0)–SingleUser,MultiTaskingOS;usableasserverandworkstation–Microsoftdefinesstandard–ApplicationscreatedbyMicrosoftandmajorcorporations–Nosourcecodeavailable–LotsofsecurityholesFUNIX(BSD4.
4/Linux)–MultiUser,MultiTaskingOS;usableasserverandworkstation–Standardsdefinedbycommunity–Applicationscreatedbycommunityandmajorcorporations–Sourcecodeavailableforreview–LotsofsecurityholesAvailabilityOfSourceCodeFEnablespeerreviewof"Features"FHistoryrevealsalotofsecurityholesfoundFUnavailability(Security-through-Obscurity)doesnotguaranteemoresecurityFWhohasstudiedeverypieceofsourcecodefromamajorOperatingSystemkernel(i.
e.
LinuxorBSD)orApplication(i.
e.
PGP)Let'sTalkAboutMarketingLies,DamnedLiesandMarketingHowToManipulateTheTruthWithMarketingFC2Security–WindowsNT3.
51isC2certifiedasanOperatingSystem,NOTasaTrustedNetworkComponent(orangebook,notredbook)1FMicrosoftisbecomingmoreSecurityAware–Microsofthasneededtorecallseveralsecuritypatchesinthepastduetotheproblemstheycreated1HotNews:AtInfoSecurityNT4.
0receivedUKE3/FC-2certificationHackerNewsReactionRecentMicrosoftAdvisorySoMuchForSupportOnlineAndTheL0phtSoapboxWindowsNTSecurityHolesWhatyoushouldknowaboutyoursystemWindowsNTSecurityHolesFDenialOfServiceFLocalExploitsFGainingAdministratorRightsFPasswordCrackingFNetworkVulnerabilitiesFRemoteExploitsFKnownMicrosoftSoftwareVulnerabilities(IIS,Exchange,PPTP,Macro's…)DenialOfServiceLame(buteffective)AttacksDenialOfService(1)FPingO'Dead(Packet-size>=65510bytes)FSYNFloodingFLAND(SYNwheresource=destination)FFraggle(UDPBroadcast)FSmurf(TCP/IPBroadcast)FICMP-DoS(ICMPEchoReplyFloodinfo)FTeardrop(IPFragmentOverlapBug)PingO'DeadFAliases/Variations:FatPing,SSPing,Jolt,IceNewkFDescription:Sendsseriesof(highlyfragmented)oversized(size>=65510bytes)ICMP_ECHOpacketsovertheconnection.
FResult:Thesystemcannotre-assemblethemfastenoughandlocksupWinNukeFAliases/Variations:OOBNukeFDescription:SendsapacketwithanURGENTflagsetandpointingtoOutofBanddata.
FResult:BlueScreen(virtualdevicedriver)NukeFAliases/Variations:Click,ICMPNuke,WinFreezeFDescription:Thisattacktriestoconvinceyourcomputerthatishaslostitsconnection.
Thecomputerthendisconnectsfromtheportspecified.
FResult:Connectionresetbypeer,ConnectionrefusedorHostunreachableBonkFAliases/Variations:Boink,Newtear,Teardrop2FDescription:ThisattacksendsIPfragmentsresultinginamalformedUDPheaderpacket.
FResult:SystemscrasheswithBlueScreenofDeadTeardropFAliases/Variations:Tear,TCP/IPFragmentoverlap,Nestea(forLinux)FDescription:ThisattacksendsoverlappingIPfragmentsthatthesystemcannotre-assemble.
FResult:SystemwillenterCatatonicStateorCrashandRebootLandFAliases/Variations:LatierraFDescription:SendsaSYNpacketwheresourceaddressequalsdestinationaddresssothevictimwilltrytorespondtoitself.
FResult:ExtremeSlowdown,EnterCatatonicState.
SmurfFAliases/Variations:ICMPFlood,Pingflood,Fraggle,Pong,PapaSmurfFDescription:PerpetratorsendsalargeamountofICMP_ECHOtrafficatbroadcastaddresses,allhavingspoofedsourceaddressesofVictim.
TrafficwillbemultipliedbyhostsonthatIPnetwork.
FResult:Connectionsdropped,EnterCatatonicStateSYNFloodingFAliases/Variations:FDescription:Connectionsareopenedinrapidsuccession,buthandshakeisnotcompleted,thusfillingupqueues.
FResult:ExtremeSlowdown/EnterCatatonicStateDenialOfService(2)FCPUAttack(Telnettoporttobeconfused)–DNS(53-1character+CR)–RPCSS(135-±10characters+disconnect)–INETINFO(1031)FDNSDoS–SenditaDNSresponsewhenitdidnotmakeaqueryandDNSwillcrash.
FISSCrash(GET.
.
/.
.
)–andanotherone(stillworkswithSP4):$telnetlocalhostchargen|ncyour-iis-hosthttpDenialOfService(3)FSystemCallInsecurity–KernellocatedinNTOSKRNL.
EXE–KERNEL32.
DLLjustlike"libc"inUNIX–NTDLL.
DLLusedbyKERNEL32.
DLL(SimplefunctionstoperformactualSyscalls)FInvalidparametersresultinBSOD,thususerscancrashthewholesystemandmaygainadditionalrights!
FSource:SolarDesignermessagetoNTBUGTRAQLocalExploitsWhattodowithconsoleaccessLocalExploitsFNTFSC:\WINNTdefaultpermissionsareFullControlforEveryone,whilemostsubdirectorieshaveChangeControlFAdministratoraccount(alwaysSID500)hasfullcontrolovercompletesystemFSecurityAccountManager(SAM)containsalluseraccountinformationFServicePack3solvedalot(butnotall)ofsecurityrelatedproblems(NeedSP-5now!
)SecurityAccessManagerFContainsboththeLanManager(DES)andtheWindows/NT(MD4)hashvaluesFNormallystoredin:C:\WINNT\system32\config\Sam(Lockedduringnormaloperation)FBackupmadeduringcreationofanEmergencyRepairDiskatlocation:C:\WINNT\repair\sam.
_FAlsoavailableontheERDSAMReplacementFRenameWINNT/system32/LOGON.
SCRFCopyMUSRMGR.
EXEtoLOGON.
SCRFWaitforscreensavertokickin.
.
.
(usermanagerwillallowyoutochangeanypasswords)FReplaceLOGON.
SCRtonormallocationAdministratorRightsFGetAdminwrittenbyKonstantinSobolevattachestotheWinLogonprocesstogiveanaccountAdministratorrights–Crash4.
exewillallowGetAdmintoworkonSP3patchedmachinesbyrearrangingafewthingsonthestacktoallowGetAdmintoworkFSecholemodifiesOpenProcessAPIandsuccessfullyrequestsDebugrightstogiveAdministratorrights(testedunderSP4)PasswordCrackingFSinceMicrosoftdoesnotsaltduringhashgeneration,onceapotentialpasswordhasgeneratedahash,itcanbecheckedagainstALLaccountsFAllcurrentNTcrackerstakeadvantageofthisFSeveralfreewareandsharewareproductsareavailableontheInternetSomePasswordCrackersFL0phtcrack2.
5–GatherandcrackNTpasswordhashesdirectlythroughSAM(databaseorbackup)orbymonitoringSMBnetworkactivity–Beware:8characterpassword=one7characterpasswordsandaoneletterpasswordFJohntheRipper1.
7/Crack5.
x–UNIXpasswordcrackersthatcanalsohandleWindowsNTpasswords(when"dumped"inrightformat)KnownDLLsList(1)FCoreOSDLLsarekeptinvirtualmemoryandsharedbetweentheprogramsrunningonthesystemFOSreferencesadatastructurecalledtheKnownDLLslisttodeterminethelocationoftheDLLinvirtualmemoryFWindowsNTprotectsin-memoryDLLsagainstmodification,butallowsalluserstoreadfromandwritetotheKnownDLLslistKnownDLLsList(2)FLoadintomemoryamaliciousDLLthathasthesamenameasasystemDLL,thenchangetheentryintheKnownDLLslisttopointtothemaliciouscopyFProgramsthatrequestthesystemDLLwillinsteadbedirectedtothemaliciouscopyFWhencalledbyaprogramwithsufficientlyhighprivileges,itcouldtakeanydesiredactionBufferOverflows(1)FBecame"popular"onUNIXafterarticlespublishedbyAleph1andMudgeFDavidLitchfield(a.
k.
a.
mnemonix)published"RASBufferOverrunExploitandTutorial"and"Winhlp32BufferOverrunExploitandAnalysis"http://www.
infowar.
co.
uk/mnemonix/ntbufferoverruns.
htmBufferOverflows(2)FDildog(cDc)wrote"TheTaoofWindowsBufferOverflow"(http://www.
cultdeadcow.
com/cDc_files/cDc-351/)–Acompletepictureofbufferoverflows,howtheywork,andhowtocodeyourownexploitsforMicrosoftoperatingsystemsFAssumption:Thiswillbethe"nextcraze"RemoteExploitsSecureNetworkingisanartC2MyazzFAnothercomputerspoofstheclientintosendingaclear-textpasswordtotheserver,bypassingallpasswordencryption–ThesoftwarelistensforSMBnegotiations,andupondetectingone,sendsasinglepackettotheclientinstructingittodowngradeitsconnectionattempttoacleartextlevel–PasswordisretrievedwhiletheclientissuccessfullyconnectedtotheNTserverHowToUseLanManagerHashFLanManagerhashisapasswordequivalentinachallenge-responseprotocolFAmodified(Samba)clientwithaccesstouncrackedNTpassworddatabasecanusethisinformationtoauthenticatetotheserverManInTheMiddleAttackFNmapprovidesthefollowingcomment:–TCPSequencePrediction:Class=trivialtimedependencyDifficulty=0(Trivialjoke)Remoteoperatingsystemguess:WindowsNT4/Win95/Win98FSMBHijackingshouldbepossible,butnoknownexploits(Yet…)–Complexspoofingjobthesessionhastobehijackedatthetransportlevel(gettingalloftheACK/NACKnumberingcorrect)theTreeID(TID)andUserID(UID)wouldhavetobespoofedaswell(atredirectorandserverlevel)Microsoft'sImplementationofPPTPFPPTPcanbeusedforthecreationofVPNsFBruceSchneierandMudgepublished"CryptanalysisofMicrosoft'sPoint-to-PointTunnelingProtocol"FThepaperdidnotfindflawswithPPTP,onlyMicrosoft'simplementationofitFPhrack53containedanotherpaperbyAleph1entitled"TheCrumblingTunnel"Microsoft'sPPTPFlawsFThesecurityflawsallowsniffingpasswordsacrossthenetworkandbreakingtheencryptionthatprotectsthetunnelingprotocolFRecommendationbySchneier:UseIPSec(or3rdpartyimplementationofPPTP)insteadMicrosoft'sRemainingPPTPIssues(1)FTheentiresessionand/orpacketisnotencryptedFTherearestill"pieces"visibletosniffing,suchasDNSserveraddresses–Thisispartiallyduetothefactthattheentirenegotiationprocessis"onthewire"–ControloftheencryptedsessionishandledviathisseparateconnectionsMicrosoft'sRemainingPPTPIssues(2)FTheconnectionthat"controls"thesessionisnotauthenticated,makingitvulnerabletoDenialofService–Theconcernhereisthatwedonothavecontrolovertheclientconfigurationatalltimes,andthatthesessioncouldbeinterruptedfollowedbysomespoofingto"dummydown"toMS-CHAPv1withitsweakerencryptionalaLanManhashesastheclientattemptstore-connectMicrosoft'sRemainingPPTPIssues(3)FThenatureofthechallenge-responsestillplacesallofthematerialusedduringthegenerationofsessionkeysontothewire(Keyspaceislessthan128bits)–Onlythepasswordisprotectedinthissense,sothekeyisonlyasstrongasthepassword–Thismeansthatofflinecryptoanalysisofasessioncouldrevealtheuserpassword–Tofurtherthetheoryanentireencryptedsessioncouldbe"decrypted"offlineScannersPointandClickToolsfromtheInternetRemoteScannersFOgre(Rhino9Team)–SimplePortandVulnerabilityScannerFNAT(AndrewTridgell)–BruteForceNetBIOSAuditingToolFNTIS(DavidLitchfield)–GreatNTInformationScannerFRedButton(MidwesternCommerce,Inc.
)–NetBIOSAuditingToolFLogsonremotelytoaTargetcomputerwithoutUserName/PasswordFUnauthorizedaccesstosensitiveinformationstoredinfilesystemandregistryavailabletoEveryonegroupcanbeobtainedFDeterminescurrentnameofBuilt-inAdministratoraccountFReadsseveralregistryentriesFListsallshares(includingthehiddenones)RedButtonNetBusPro2.
0FAccordingtotheauthor(Carl-FredrikNeikter)NetBusProisaeasy-to-useremoteadministrationandspytoolFFeaturesforremoteadministrationinclude:–Filemanager,RegistrymanagerandApplicationRedirectFSpyingfeaturesinclude:–Capturescreen,Listenkeyboard,CapturecameraimageandRecordsoundMacro'sandSomeOtherVulnerabilitiesUserFriendlyorCrackerFriendlyMacro'sFVariousapplicationscontainaverypowerfulMACROlanguagecapableofdoingfile-I/OandcallingWin32APIsFPerfectforwritingvirii/worms(AnyoneheardofMelissaorPrettyPark)FWindowsHelpfiles(.
HLP)arecapableofrunningDLLsOtherVulnerabilitiesFRASandRRASVulnerability–UsercredentialsarecachedinRegistryregardlessofwhethercheckboxisselectedordeselected.
(LisaO'Connor,MartinDolphin,andJoeGreene)FInterestingspecialkey-combinationsusableonalocked-downsystem:–Ctrl-Shift-ESCstartsTaskManager(likeCtrl-Alt-Del)–Alt-TABtochooseActiveWindowUsing(UNIX)ToolsTohackWindowsNTsystemsAlternateOperatingSystemFFloppy-disk(orbootableCDROM)canbeusedtobootalternativeOperatingSystem(TrinuxorPicoBSD)FOfflineNTPasswordEditorbyPetterNordahl-Hagen;availableasLinuxbootdiskcontainingascriptthatleadsyouthroughthecompleteprocessNetCatFSwissArmyKnifeofHackerTools(canactbothasclientandaslistener)FNTversioncanbindtoportsinfrontofprocessesalreadylistening(Crackercanfilterinterestingdatabeforepassingiton)FAlsousefulforAdministratorsSambaFAnotherfinetooldevelopedbyAndyTridgellFSambatalksSMB;integratesUNIXandNTinaLanManagerenvironmentFAtoollikeSambaandinformationfrom"CIFS:CommonInsecuritiesFailScrutiny"byHobbit(L0pht)willguideyoutoEnlightenmentPitfallAvoidanceKeepingyoursystem(more)secureBasicSecurity(ConfuseTheWannabe's)FSetBIOSPasswordFBootfromC:notfromA:orCD-ROMFDisableorremovefloppydrivefromsystemFIfpossibleremoveCDROMdrivesFNotREALSecurity!
UseitjusttofiltertheanklebitersfromtheexpertsFileSystemSecurityFUseNTFSwhereverpossible–AllowsuseofAccessControlLists–IsmorerobustduringcrashesFFATprovidesnoprotectionatall(i.
e.
deleteSAMdatabaseandreboot)FTherearetoolsthatallowaccesstoNTFSfromDOS(ntfsdos.
exe)orUNIX(Linuxntfs)WatchThoseFilePermissionsFCopyingletsafileinheritthepermissionsfromthedestinationdirectory(useSCOPYinstead)FMovingafilepreservestheexistingfilepermissionsFThismayresultin"fullcontrol"accessfor"everybody"whenthisisnotwantedSomeNTAdministrationToolsFChroniclev1.
0(Rhino9Team)–ServicePackandHotFixScannerFNTInfoScan(DavidLitchfielda.
k.
a.
.
Mnemonic)–SecurityScanner(SATAN)forNTServersFScanNT(MWC)–SimpleNTPasswordCheckerUserneedsextraprivileges:ActaspartoftheOS,Replaceaprocessleveltoken,IncreasequotasWindowsNTSecurity101FTheseFineDocumentsWillBeOfGreatHelp:–WindowsNTWardocbyRhino9TeamAlsoavailableinhandy3ComPalmDocformat–NSAWindowsNTSecurityGuidelines–SANSInstituteNTSecurityStepByStepInternetReferencesWhereyoucanfindmoreinformationInternetReferences(1)FNTSecurity–mail-to:ntsecurity@iss.
netFNTBugtraq–mail-to:ntbugtraq@listserv.
ntbugtraq.
com–http://ntbugtraq.
ntadvice.
comFPacketStormSecurity–http://www.
genocide2600.
com/~tattoomanFHackerNewsNetwork–http://www.
hackernews.
comInternetReferences(2)FL0htHeavyIndustries–http://www.
l0pht.
comFComputerEmergencyResponseTeam–http://www.
cert.
orgFMicrosoftCorporation–http://www.
microsoft.
com/securityFHackFAQ–http://www.
genocide2600.
com/~tattooman/hacking-textfiles/hack-faq/index.
html(nodirectaccess;-)ConclusionKeepSecurityInMindWindowsNTSecurity.
.
.
FIsdefinitivelynotasgoodasMicrosoftwantsustobelieveFIsatbestasgoodassecurityonaUNIXsystemFVulnerabilitiesfoundeveryweekinspiteofMicrosoft'sSecurityThroughObscurityStrategyThe"Best"IsStillToCome.
.
.
FWindows2000willconsistofmorethan27millionlinesofcode(andlotsofchanges)Thinkaboutit!
JLinux2.
0consistsof1.
5millionlinesofcodeNT3.
5hadabout5millionlinesofcodeTHANKYOU!
AnyQuestions

ProfitServer$34.56/年,西班牙vps、荷兰vps、德国vps/不限制流量/支持自定义ISO

profitserver怎么样?profitserver是一家成立于2003的主机商家,是ITC控股的一个部门,主要经营的产品域名、SSL证书、虚拟主机、VPS和独立服务器,机房有俄罗斯、新加坡、荷兰、美国、保加利亚,VPS采用的是KVM虚拟架构,硬盘采用纯SSD,而且最大的优势是不限制流量,大公司运营,机器比较稳定,数据中心众多。此次ProfitServer正在对德国VPS(法兰克福)、西班牙v...

Bluehost美国虚拟主机2.95美元/月,十八周年庆年付赠送顶级域名和SSL证书

Bluehost怎么样,Bluehost好不好,Bluehost成立十八周年全场虚拟主机优惠促销活动开始,购买12个月赠送主流域名和SSL证书,Bluehost是老牌虚拟主机商家了,有需要虚拟主机的朋友赶紧入手吧,活动时间:美国MST时间7月6日中午12:00到8月13日晚上11:59。Bluehost成立于2003年,主营WordPress托管、虚拟主机、VPS主机、专用服务器业务。Blueho...

HostMem,最新优惠促销,全场75折优惠,大硬盘VPS特价优惠,美国洛杉矶QuadraNet机房,KVM虚拟架构,KVM虚拟架构,2核2G内存240GB SSD,100Mbps带宽,27美元/年

HostMem近日发布了最新的优惠消息,全场云服务器产品一律75折优惠,美国洛杉矶QuadraNet机房,基于KVM虚拟架构,2核心2G内存240G SSD固态硬盘100Mbps带宽4TB流量,27美元/年,线路方面电信CN2 GT,联通CU移动CM,有需要美国大硬盘VPS云服务器的朋友可以关注一下。HostMem怎么样?HostMem服务器好不好?HostMem值不值得购买?HostMem是一家...

windowsnt为你推荐
金评媒朱江雷克萨斯中国朱江简历vc组合有一首歌好像是什么昆虫组合?跟青春有关好像。叫什么了硬盘的工作原理硬盘的工作原理?是怎样存取数据的?冯媛甑冯媛甄详细资料haole018.comhttp://www.haoledy.com/view/32092.html 轩辕剑天之痕11、12集在线观看www.niuav.com在那能找到免费高清电影网站呢 ?www.se333se.com米奇网www.qvod333.com 看电影的效果好不?175qq.comkf.qq.com.地址是什么鹤城勿扰齐齐哈尔,又叫鹤城吗?惠丰吧毕节医药高等专科可以专升本吗
godaddy域名解析 hostigation 荣耀欧洲 vps.net 外贸主机 paypal认证 双12活动 台湾谷歌地址 个人域名 空间论坛 七夕快乐英文 已备案删除域名 台湾谷歌 江苏双线服务器 韩国代理ip 免费蓝钻 云服务是什么意思 tracker服务器 架设代理服务器 web服务器有哪些 更多