Connectionswindowsnt
windowsnt 时间:2021-03-29 阅读:(
)
HackingWindowsNT(UsingUNIX)HansVandeLooyPreambleAndDisclaimerFAlotofthevulnerabilitiesdescribedinthispresentationcanbefixed,butarestillpresentintheworldoutside.
Pointingtheseouttoadministratorsistheonlyreasonforincludingtheminthispresentation.
FCrackingmaybeacriminaloffenseandprosecutedbylawinyourcountry.
JContentsFSomeSecurityStatisticsFNoHolyWars;Please!
FWindowsNTSecurityHolesWellKnown(UNIX)ToolsFPitfallAvoidanceInstallingBaselineSecurityFInternetReferencesFConclusionSomeSecurityStatisticsWhydoyouneedNetworkandSystemSecurityRecentSecurityStatisticsFNetworkSecurityisaseriousissueformostorganisations–30%ofrespondentsreportedsystempenetrationbyoutsiders–55%oforganisationssurveyedreportincreasedattacksby"insiders"–32%ofrespondentsreportedseriousincidentstolawenforcement-previouslyonly17%–20%increaseinattacksfromtheoutsidesince1996thankstoe-commerceSource1999CSI/FBIComputerCrimeandSecuritySurveyNoHolyWars;Please!
StrengthsandweaknessesofWindowsNTandUNIXServerConfigurationFWindowsNT(4.
0)–IIS4.
0–ProxyServer2.
0–FTPinISS4.
0–Exchange5.
5–Exchange5.
5/IIS4.
0–DNS(basedon4.
9)–Exchange5.
5–DHCP(build-in)–SMB(build-in)–build-in"IPsecurity"FUNIX(BSD4.
4/Linux)–Apache1.
3.
6–Squid2.
1–(WU-)FTP2.
4.
2–Sendmail8.
9.
3orPostfix–POP/IMAP(ie.
Imap4.
4)–Bind8.
2–INN1.
7.
2orDiablo1.
15–ISCDHCP2.
b1.
6–Samba2.
0.
2orNFS–ipfworipfilterComparingWindowsNTandUNIXFWindowsNT(4.
0)–SingleUser,MultiTaskingOS;usableasserverandworkstation–Microsoftdefinesstandard–ApplicationscreatedbyMicrosoftandmajorcorporations–Nosourcecodeavailable–LotsofsecurityholesFUNIX(BSD4.
4/Linux)–MultiUser,MultiTaskingOS;usableasserverandworkstation–Standardsdefinedbycommunity–Applicationscreatedbycommunityandmajorcorporations–Sourcecodeavailableforreview–LotsofsecurityholesAvailabilityOfSourceCodeFEnablespeerreviewof"Features"FHistoryrevealsalotofsecurityholesfoundFUnavailability(Security-through-Obscurity)doesnotguaranteemoresecurityFWhohasstudiedeverypieceofsourcecodefromamajorOperatingSystemkernel(i.
e.
LinuxorBSD)orApplication(i.
e.
PGP)Let'sTalkAboutMarketingLies,DamnedLiesandMarketingHowToManipulateTheTruthWithMarketingFC2Security–WindowsNT3.
51isC2certifiedasanOperatingSystem,NOTasaTrustedNetworkComponent(orangebook,notredbook)1FMicrosoftisbecomingmoreSecurityAware–Microsofthasneededtorecallseveralsecuritypatchesinthepastduetotheproblemstheycreated1HotNews:AtInfoSecurityNT4.
0receivedUKE3/FC-2certificationHackerNewsReactionRecentMicrosoftAdvisorySoMuchForSupportOnlineAndTheL0phtSoapboxWindowsNTSecurityHolesWhatyoushouldknowaboutyoursystemWindowsNTSecurityHolesFDenialOfServiceFLocalExploitsFGainingAdministratorRightsFPasswordCrackingFNetworkVulnerabilitiesFRemoteExploitsFKnownMicrosoftSoftwareVulnerabilities(IIS,Exchange,PPTP,Macro's…)DenialOfServiceLame(buteffective)AttacksDenialOfService(1)FPingO'Dead(Packet-size>=65510bytes)FSYNFloodingFLAND(SYNwheresource=destination)FFraggle(UDPBroadcast)FSmurf(TCP/IPBroadcast)FICMP-DoS(ICMPEchoReplyFloodinfo)FTeardrop(IPFragmentOverlapBug)PingO'DeadFAliases/Variations:FatPing,SSPing,Jolt,IceNewkFDescription:Sendsseriesof(highlyfragmented)oversized(size>=65510bytes)ICMP_ECHOpacketsovertheconnection.
FResult:Thesystemcannotre-assemblethemfastenoughandlocksupWinNukeFAliases/Variations:OOBNukeFDescription:SendsapacketwithanURGENTflagsetandpointingtoOutofBanddata.
FResult:BlueScreen(virtualdevicedriver)NukeFAliases/Variations:Click,ICMPNuke,WinFreezeFDescription:Thisattacktriestoconvinceyourcomputerthatishaslostitsconnection.
Thecomputerthendisconnectsfromtheportspecified.
FResult:Connectionresetbypeer,ConnectionrefusedorHostunreachableBonkFAliases/Variations:Boink,Newtear,Teardrop2FDescription:ThisattacksendsIPfragmentsresultinginamalformedUDPheaderpacket.
FResult:SystemscrasheswithBlueScreenofDeadTeardropFAliases/Variations:Tear,TCP/IPFragmentoverlap,Nestea(forLinux)FDescription:ThisattacksendsoverlappingIPfragmentsthatthesystemcannotre-assemble.
FResult:SystemwillenterCatatonicStateorCrashandRebootLandFAliases/Variations:LatierraFDescription:SendsaSYNpacketwheresourceaddressequalsdestinationaddresssothevictimwilltrytorespondtoitself.
FResult:ExtremeSlowdown,EnterCatatonicState.
SmurfFAliases/Variations:ICMPFlood,Pingflood,Fraggle,Pong,PapaSmurfFDescription:PerpetratorsendsalargeamountofICMP_ECHOtrafficatbroadcastaddresses,allhavingspoofedsourceaddressesofVictim.
TrafficwillbemultipliedbyhostsonthatIPnetwork.
FResult:Connectionsdropped,EnterCatatonicStateSYNFloodingFAliases/Variations:FDescription:Connectionsareopenedinrapidsuccession,buthandshakeisnotcompleted,thusfillingupqueues.
FResult:ExtremeSlowdown/EnterCatatonicStateDenialOfService(2)FCPUAttack(Telnettoporttobeconfused)–DNS(53-1character+CR)–RPCSS(135-±10characters+disconnect)–INETINFO(1031)FDNSDoS–SenditaDNSresponsewhenitdidnotmakeaqueryandDNSwillcrash.
FISSCrash(GET.
.
/.
.
)–andanotherone(stillworkswithSP4):$telnetlocalhostchargen|ncyour-iis-hosthttpDenialOfService(3)FSystemCallInsecurity–KernellocatedinNTOSKRNL.
EXE–KERNEL32.
DLLjustlike"libc"inUNIX–NTDLL.
DLLusedbyKERNEL32.
DLL(SimplefunctionstoperformactualSyscalls)FInvalidparametersresultinBSOD,thususerscancrashthewholesystemandmaygainadditionalrights!
FSource:SolarDesignermessagetoNTBUGTRAQLocalExploitsWhattodowithconsoleaccessLocalExploitsFNTFSC:\WINNTdefaultpermissionsareFullControlforEveryone,whilemostsubdirectorieshaveChangeControlFAdministratoraccount(alwaysSID500)hasfullcontrolovercompletesystemFSecurityAccountManager(SAM)containsalluseraccountinformationFServicePack3solvedalot(butnotall)ofsecurityrelatedproblems(NeedSP-5now!
)SecurityAccessManagerFContainsboththeLanManager(DES)andtheWindows/NT(MD4)hashvaluesFNormallystoredin:C:\WINNT\system32\config\Sam(Lockedduringnormaloperation)FBackupmadeduringcreationofanEmergencyRepairDiskatlocation:C:\WINNT\repair\sam.
_FAlsoavailableontheERDSAMReplacementFRenameWINNT/system32/LOGON.
SCRFCopyMUSRMGR.
EXEtoLOGON.
SCRFWaitforscreensavertokickin.
.
.
(usermanagerwillallowyoutochangeanypasswords)FReplaceLOGON.
SCRtonormallocationAdministratorRightsFGetAdminwrittenbyKonstantinSobolevattachestotheWinLogonprocesstogiveanaccountAdministratorrights–Crash4.
exewillallowGetAdmintoworkonSP3patchedmachinesbyrearrangingafewthingsonthestacktoallowGetAdmintoworkFSecholemodifiesOpenProcessAPIandsuccessfullyrequestsDebugrightstogiveAdministratorrights(testedunderSP4)PasswordCrackingFSinceMicrosoftdoesnotsaltduringhashgeneration,onceapotentialpasswordhasgeneratedahash,itcanbecheckedagainstALLaccountsFAllcurrentNTcrackerstakeadvantageofthisFSeveralfreewareandsharewareproductsareavailableontheInternetSomePasswordCrackersFL0phtcrack2.
5–GatherandcrackNTpasswordhashesdirectlythroughSAM(databaseorbackup)orbymonitoringSMBnetworkactivity–Beware:8characterpassword=one7characterpasswordsandaoneletterpasswordFJohntheRipper1.
7/Crack5.
x–UNIXpasswordcrackersthatcanalsohandleWindowsNTpasswords(when"dumped"inrightformat)KnownDLLsList(1)FCoreOSDLLsarekeptinvirtualmemoryandsharedbetweentheprogramsrunningonthesystemFOSreferencesadatastructurecalledtheKnownDLLslisttodeterminethelocationoftheDLLinvirtualmemoryFWindowsNTprotectsin-memoryDLLsagainstmodification,butallowsalluserstoreadfromandwritetotheKnownDLLslistKnownDLLsList(2)FLoadintomemoryamaliciousDLLthathasthesamenameasasystemDLL,thenchangetheentryintheKnownDLLslisttopointtothemaliciouscopyFProgramsthatrequestthesystemDLLwillinsteadbedirectedtothemaliciouscopyFWhencalledbyaprogramwithsufficientlyhighprivileges,itcouldtakeanydesiredactionBufferOverflows(1)FBecame"popular"onUNIXafterarticlespublishedbyAleph1andMudgeFDavidLitchfield(a.
k.
a.
mnemonix)published"RASBufferOverrunExploitandTutorial"and"Winhlp32BufferOverrunExploitandAnalysis"http://www.
infowar.
co.
uk/mnemonix/ntbufferoverruns.
htmBufferOverflows(2)FDildog(cDc)wrote"TheTaoofWindowsBufferOverflow"(http://www.
cultdeadcow.
com/cDc_files/cDc-351/)–Acompletepictureofbufferoverflows,howtheywork,andhowtocodeyourownexploitsforMicrosoftoperatingsystemsFAssumption:Thiswillbethe"nextcraze"RemoteExploitsSecureNetworkingisanartC2MyazzFAnothercomputerspoofstheclientintosendingaclear-textpasswordtotheserver,bypassingallpasswordencryption–ThesoftwarelistensforSMBnegotiations,andupondetectingone,sendsasinglepackettotheclientinstructingittodowngradeitsconnectionattempttoacleartextlevel–PasswordisretrievedwhiletheclientissuccessfullyconnectedtotheNTserverHowToUseLanManagerHashFLanManagerhashisapasswordequivalentinachallenge-responseprotocolFAmodified(Samba)clientwithaccesstouncrackedNTpassworddatabasecanusethisinformationtoauthenticatetotheserverManInTheMiddleAttackFNmapprovidesthefollowingcomment:–TCPSequencePrediction:Class=trivialtimedependencyDifficulty=0(Trivialjoke)Remoteoperatingsystemguess:WindowsNT4/Win95/Win98FSMBHijackingshouldbepossible,butnoknownexploits(Yet…)–Complexspoofingjobthesessionhastobehijackedatthetransportlevel(gettingalloftheACK/NACKnumberingcorrect)theTreeID(TID)andUserID(UID)wouldhavetobespoofedaswell(atredirectorandserverlevel)Microsoft'sImplementationofPPTPFPPTPcanbeusedforthecreationofVPNsFBruceSchneierandMudgepublished"CryptanalysisofMicrosoft'sPoint-to-PointTunnelingProtocol"FThepaperdidnotfindflawswithPPTP,onlyMicrosoft'simplementationofitFPhrack53containedanotherpaperbyAleph1entitled"TheCrumblingTunnel"Microsoft'sPPTPFlawsFThesecurityflawsallowsniffingpasswordsacrossthenetworkandbreakingtheencryptionthatprotectsthetunnelingprotocolFRecommendationbySchneier:UseIPSec(or3rdpartyimplementationofPPTP)insteadMicrosoft'sRemainingPPTPIssues(1)FTheentiresessionand/orpacketisnotencryptedFTherearestill"pieces"visibletosniffing,suchasDNSserveraddresses–Thisispartiallyduetothefactthattheentirenegotiationprocessis"onthewire"–ControloftheencryptedsessionishandledviathisseparateconnectionsMicrosoft'sRemainingPPTPIssues(2)FTheconnectionthat"controls"thesessionisnotauthenticated,makingitvulnerabletoDenialofService–Theconcernhereisthatwedonothavecontrolovertheclientconfigurationatalltimes,andthatthesessioncouldbeinterruptedfollowedbysomespoofingto"dummydown"toMS-CHAPv1withitsweakerencryptionalaLanManhashesastheclientattemptstore-connectMicrosoft'sRemainingPPTPIssues(3)FThenatureofthechallenge-responsestillplacesallofthematerialusedduringthegenerationofsessionkeysontothewire(Keyspaceislessthan128bits)–Onlythepasswordisprotectedinthissense,sothekeyisonlyasstrongasthepassword–Thismeansthatofflinecryptoanalysisofasessioncouldrevealtheuserpassword–Tofurtherthetheoryanentireencryptedsessioncouldbe"decrypted"offlineScannersPointandClickToolsfromtheInternetRemoteScannersFOgre(Rhino9Team)–SimplePortandVulnerabilityScannerFNAT(AndrewTridgell)–BruteForceNetBIOSAuditingToolFNTIS(DavidLitchfield)–GreatNTInformationScannerFRedButton(MidwesternCommerce,Inc.
)–NetBIOSAuditingToolFLogsonremotelytoaTargetcomputerwithoutUserName/PasswordFUnauthorizedaccesstosensitiveinformationstoredinfilesystemandregistryavailabletoEveryonegroupcanbeobtainedFDeterminescurrentnameofBuilt-inAdministratoraccountFReadsseveralregistryentriesFListsallshares(includingthehiddenones)RedButtonNetBusPro2.
0FAccordingtotheauthor(Carl-FredrikNeikter)NetBusProisaeasy-to-useremoteadministrationandspytoolFFeaturesforremoteadministrationinclude:–Filemanager,RegistrymanagerandApplicationRedirectFSpyingfeaturesinclude:–Capturescreen,Listenkeyboard,CapturecameraimageandRecordsoundMacro'sandSomeOtherVulnerabilitiesUserFriendlyorCrackerFriendlyMacro'sFVariousapplicationscontainaverypowerfulMACROlanguagecapableofdoingfile-I/OandcallingWin32APIsFPerfectforwritingvirii/worms(AnyoneheardofMelissaorPrettyPark)FWindowsHelpfiles(.
HLP)arecapableofrunningDLLsOtherVulnerabilitiesFRASandRRASVulnerability–UsercredentialsarecachedinRegistryregardlessofwhethercheckboxisselectedordeselected.
(LisaO'Connor,MartinDolphin,andJoeGreene)FInterestingspecialkey-combinationsusableonalocked-downsystem:–Ctrl-Shift-ESCstartsTaskManager(likeCtrl-Alt-Del)–Alt-TABtochooseActiveWindowUsing(UNIX)ToolsTohackWindowsNTsystemsAlternateOperatingSystemFFloppy-disk(orbootableCDROM)canbeusedtobootalternativeOperatingSystem(TrinuxorPicoBSD)FOfflineNTPasswordEditorbyPetterNordahl-Hagen;availableasLinuxbootdiskcontainingascriptthatleadsyouthroughthecompleteprocessNetCatFSwissArmyKnifeofHackerTools(canactbothasclientandaslistener)FNTversioncanbindtoportsinfrontofprocessesalreadylistening(Crackercanfilterinterestingdatabeforepassingiton)FAlsousefulforAdministratorsSambaFAnotherfinetooldevelopedbyAndyTridgellFSambatalksSMB;integratesUNIXandNTinaLanManagerenvironmentFAtoollikeSambaandinformationfrom"CIFS:CommonInsecuritiesFailScrutiny"byHobbit(L0pht)willguideyoutoEnlightenmentPitfallAvoidanceKeepingyoursystem(more)secureBasicSecurity(ConfuseTheWannabe's)FSetBIOSPasswordFBootfromC:notfromA:orCD-ROMFDisableorremovefloppydrivefromsystemFIfpossibleremoveCDROMdrivesFNotREALSecurity!
UseitjusttofiltertheanklebitersfromtheexpertsFileSystemSecurityFUseNTFSwhereverpossible–AllowsuseofAccessControlLists–IsmorerobustduringcrashesFFATprovidesnoprotectionatall(i.
e.
deleteSAMdatabaseandreboot)FTherearetoolsthatallowaccesstoNTFSfromDOS(ntfsdos.
exe)orUNIX(Linuxntfs)WatchThoseFilePermissionsFCopyingletsafileinheritthepermissionsfromthedestinationdirectory(useSCOPYinstead)FMovingafilepreservestheexistingfilepermissionsFThismayresultin"fullcontrol"accessfor"everybody"whenthisisnotwantedSomeNTAdministrationToolsFChroniclev1.
0(Rhino9Team)–ServicePackandHotFixScannerFNTInfoScan(DavidLitchfielda.
k.
a.
.
Mnemonic)–SecurityScanner(SATAN)forNTServersFScanNT(MWC)–SimpleNTPasswordCheckerUserneedsextraprivileges:ActaspartoftheOS,Replaceaprocessleveltoken,IncreasequotasWindowsNTSecurity101FTheseFineDocumentsWillBeOfGreatHelp:–WindowsNTWardocbyRhino9TeamAlsoavailableinhandy3ComPalmDocformat–NSAWindowsNTSecurityGuidelines–SANSInstituteNTSecurityStepByStepInternetReferencesWhereyoucanfindmoreinformationInternetReferences(1)FNTSecurity–mail-to:ntsecurity@iss.
netFNTBugtraq–mail-to:ntbugtraq@listserv.
ntbugtraq.
com–http://ntbugtraq.
ntadvice.
comFPacketStormSecurity–http://www.
genocide2600.
com/~tattoomanFHackerNewsNetwork–http://www.
hackernews.
comInternetReferences(2)FL0htHeavyIndustries–http://www.
l0pht.
comFComputerEmergencyResponseTeam–http://www.
cert.
orgFMicrosoftCorporation–http://www.
microsoft.
com/securityFHackFAQ–http://www.
genocide2600.
com/~tattooman/hacking-textfiles/hack-faq/index.
html(nodirectaccess;-)ConclusionKeepSecurityInMindWindowsNTSecurity.
.
.
FIsdefinitivelynotasgoodasMicrosoftwantsustobelieveFIsatbestasgoodassecurityonaUNIXsystemFVulnerabilitiesfoundeveryweekinspiteofMicrosoft'sSecurityThroughObscurityStrategyThe"Best"IsStillToCome.
.
.
FWindows2000willconsistofmorethan27millionlinesofcode(andlotsofchanges)Thinkaboutit!
JLinux2.
0consistsof1.
5millionlinesofcodeNT3.
5hadabout5millionlinesofcodeTHANKYOU!
AnyQuestions
racknerd从成立到现在发展是相当迅速,用最低的价格霸占了大部分低端便宜vps市场,虽然VPS价格便宜,但是VPS的质量和服务一点儿都不拉跨,服务器稳定、性能给力,尤其是售后方面时间短技术解决能力强,估计这也是racknerd这个品牌能如此成功的原因吧! 官方网站:https://www.racknerd.com 多种加密数字货币、信用卡、PayPal、支付宝、银联、webmoney,可...
对于如今的云服务商的竞争着实很激烈,我们可以看到国内国外服务商的各种内卷,使得我们很多个人服务商压力还是比较大的。我们看到这几年的服务商变动还是比较大的,很多新服务商坚持不超过三个月,有的是多个品牌同步进行然后分别的跑路赚一波走人。对于我们用户来说,便宜的服务商固然可以试试,但是如果是不确定的,建议月付或者主力业务尽量的还是注意备份。HostYun 最近几个月还是比较活跃的,在前面也有多次介绍到商...
关于HostYun主机商在之前也有几次分享,这个前身是我们可能熟悉的小众的HostShare商家,主要就是提供廉价主机,那时候官方还声称选择这个品牌的机器不要用于正式生产项目,如今这个品牌重新转变成Hostyun。目前提供的VPS主机包括KVM和XEN架构,数据中心可选日本、韩国、香港和美国的多个地区机房,电信双程CN2 GIA线路,香港和日本机房,均为国内直连线路,访问质量不错。今天和大家分享下...
windowsnt为你推荐
网红名字被抢注我想问这个网红 名字叫什么 讲一下谢谢了比肩工场大运比肩主事,运行长生地是什么意思?月神谭给点人妖。变身类得小说。网站检测请问论文检测网站好的有那些?www.e12.com.cn有什么好的高中学习网?partnersonline我家Internet Explorer为什么开不起来www.zhiboba.com网上看nbabaqizi.cc曹操跟甄洛是什么关系hao.rising.cn如何解除瑞星主页锁定(hao.rising.cn). 不想用瑞星安全助手关键词分析怎么样分析关键词?
备案未注册域名 最便宜虚拟主机 x3220 GGC 腾讯云数据库 国外php空间 100m免费空间 vip购优汇 网络空间租赁 服务器合租 免费邮件服务器 国内域名 万网注册 乐视会员免费领取 广东服务器托管 fatcow reboot xendesktop 免费网络电视软件 海贼王789 更多