Connectionswindowsnt
windowsnt 时间:2021-03-29 阅读:(
)
HackingWindowsNT(UsingUNIX)HansVandeLooyPreambleAndDisclaimerFAlotofthevulnerabilitiesdescribedinthispresentationcanbefixed,butarestillpresentintheworldoutside.
Pointingtheseouttoadministratorsistheonlyreasonforincludingtheminthispresentation.
FCrackingmaybeacriminaloffenseandprosecutedbylawinyourcountry.
JContentsFSomeSecurityStatisticsFNoHolyWars;Please!
FWindowsNTSecurityHolesWellKnown(UNIX)ToolsFPitfallAvoidanceInstallingBaselineSecurityFInternetReferencesFConclusionSomeSecurityStatisticsWhydoyouneedNetworkandSystemSecurityRecentSecurityStatisticsFNetworkSecurityisaseriousissueformostorganisations–30%ofrespondentsreportedsystempenetrationbyoutsiders–55%oforganisationssurveyedreportincreasedattacksby"insiders"–32%ofrespondentsreportedseriousincidentstolawenforcement-previouslyonly17%–20%increaseinattacksfromtheoutsidesince1996thankstoe-commerceSource1999CSI/FBIComputerCrimeandSecuritySurveyNoHolyWars;Please!
StrengthsandweaknessesofWindowsNTandUNIXServerConfigurationFWindowsNT(4.
0)–IIS4.
0–ProxyServer2.
0–FTPinISS4.
0–Exchange5.
5–Exchange5.
5/IIS4.
0–DNS(basedon4.
9)–Exchange5.
5–DHCP(build-in)–SMB(build-in)–build-in"IPsecurity"FUNIX(BSD4.
4/Linux)–Apache1.
3.
6–Squid2.
1–(WU-)FTP2.
4.
2–Sendmail8.
9.
3orPostfix–POP/IMAP(ie.
Imap4.
4)–Bind8.
2–INN1.
7.
2orDiablo1.
15–ISCDHCP2.
b1.
6–Samba2.
0.
2orNFS–ipfworipfilterComparingWindowsNTandUNIXFWindowsNT(4.
0)–SingleUser,MultiTaskingOS;usableasserverandworkstation–Microsoftdefinesstandard–ApplicationscreatedbyMicrosoftandmajorcorporations–Nosourcecodeavailable–LotsofsecurityholesFUNIX(BSD4.
4/Linux)–MultiUser,MultiTaskingOS;usableasserverandworkstation–Standardsdefinedbycommunity–Applicationscreatedbycommunityandmajorcorporations–Sourcecodeavailableforreview–LotsofsecurityholesAvailabilityOfSourceCodeFEnablespeerreviewof"Features"FHistoryrevealsalotofsecurityholesfoundFUnavailability(Security-through-Obscurity)doesnotguaranteemoresecurityFWhohasstudiedeverypieceofsourcecodefromamajorOperatingSystemkernel(i.
e.
LinuxorBSD)orApplication(i.
e.
PGP)Let'sTalkAboutMarketingLies,DamnedLiesandMarketingHowToManipulateTheTruthWithMarketingFC2Security–WindowsNT3.
51isC2certifiedasanOperatingSystem,NOTasaTrustedNetworkComponent(orangebook,notredbook)1FMicrosoftisbecomingmoreSecurityAware–Microsofthasneededtorecallseveralsecuritypatchesinthepastduetotheproblemstheycreated1HotNews:AtInfoSecurityNT4.
0receivedUKE3/FC-2certificationHackerNewsReactionRecentMicrosoftAdvisorySoMuchForSupportOnlineAndTheL0phtSoapboxWindowsNTSecurityHolesWhatyoushouldknowaboutyoursystemWindowsNTSecurityHolesFDenialOfServiceFLocalExploitsFGainingAdministratorRightsFPasswordCrackingFNetworkVulnerabilitiesFRemoteExploitsFKnownMicrosoftSoftwareVulnerabilities(IIS,Exchange,PPTP,Macro's…)DenialOfServiceLame(buteffective)AttacksDenialOfService(1)FPingO'Dead(Packet-size>=65510bytes)FSYNFloodingFLAND(SYNwheresource=destination)FFraggle(UDPBroadcast)FSmurf(TCP/IPBroadcast)FICMP-DoS(ICMPEchoReplyFloodinfo)FTeardrop(IPFragmentOverlapBug)PingO'DeadFAliases/Variations:FatPing,SSPing,Jolt,IceNewkFDescription:Sendsseriesof(highlyfragmented)oversized(size>=65510bytes)ICMP_ECHOpacketsovertheconnection.
FResult:Thesystemcannotre-assemblethemfastenoughandlocksupWinNukeFAliases/Variations:OOBNukeFDescription:SendsapacketwithanURGENTflagsetandpointingtoOutofBanddata.
FResult:BlueScreen(virtualdevicedriver)NukeFAliases/Variations:Click,ICMPNuke,WinFreezeFDescription:Thisattacktriestoconvinceyourcomputerthatishaslostitsconnection.
Thecomputerthendisconnectsfromtheportspecified.
FResult:Connectionresetbypeer,ConnectionrefusedorHostunreachableBonkFAliases/Variations:Boink,Newtear,Teardrop2FDescription:ThisattacksendsIPfragmentsresultinginamalformedUDPheaderpacket.
FResult:SystemscrasheswithBlueScreenofDeadTeardropFAliases/Variations:Tear,TCP/IPFragmentoverlap,Nestea(forLinux)FDescription:ThisattacksendsoverlappingIPfragmentsthatthesystemcannotre-assemble.
FResult:SystemwillenterCatatonicStateorCrashandRebootLandFAliases/Variations:LatierraFDescription:SendsaSYNpacketwheresourceaddressequalsdestinationaddresssothevictimwilltrytorespondtoitself.
FResult:ExtremeSlowdown,EnterCatatonicState.
SmurfFAliases/Variations:ICMPFlood,Pingflood,Fraggle,Pong,PapaSmurfFDescription:PerpetratorsendsalargeamountofICMP_ECHOtrafficatbroadcastaddresses,allhavingspoofedsourceaddressesofVictim.
TrafficwillbemultipliedbyhostsonthatIPnetwork.
FResult:Connectionsdropped,EnterCatatonicStateSYNFloodingFAliases/Variations:FDescription:Connectionsareopenedinrapidsuccession,buthandshakeisnotcompleted,thusfillingupqueues.
FResult:ExtremeSlowdown/EnterCatatonicStateDenialOfService(2)FCPUAttack(Telnettoporttobeconfused)–DNS(53-1character+CR)–RPCSS(135-±10characters+disconnect)–INETINFO(1031)FDNSDoS–SenditaDNSresponsewhenitdidnotmakeaqueryandDNSwillcrash.
FISSCrash(GET.
.
/.
.
)–andanotherone(stillworkswithSP4):$telnetlocalhostchargen|ncyour-iis-hosthttpDenialOfService(3)FSystemCallInsecurity–KernellocatedinNTOSKRNL.
EXE–KERNEL32.
DLLjustlike"libc"inUNIX–NTDLL.
DLLusedbyKERNEL32.
DLL(SimplefunctionstoperformactualSyscalls)FInvalidparametersresultinBSOD,thususerscancrashthewholesystemandmaygainadditionalrights!
FSource:SolarDesignermessagetoNTBUGTRAQLocalExploitsWhattodowithconsoleaccessLocalExploitsFNTFSC:\WINNTdefaultpermissionsareFullControlforEveryone,whilemostsubdirectorieshaveChangeControlFAdministratoraccount(alwaysSID500)hasfullcontrolovercompletesystemFSecurityAccountManager(SAM)containsalluseraccountinformationFServicePack3solvedalot(butnotall)ofsecurityrelatedproblems(NeedSP-5now!
)SecurityAccessManagerFContainsboththeLanManager(DES)andtheWindows/NT(MD4)hashvaluesFNormallystoredin:C:\WINNT\system32\config\Sam(Lockedduringnormaloperation)FBackupmadeduringcreationofanEmergencyRepairDiskatlocation:C:\WINNT\repair\sam.
_FAlsoavailableontheERDSAMReplacementFRenameWINNT/system32/LOGON.
SCRFCopyMUSRMGR.
EXEtoLOGON.
SCRFWaitforscreensavertokickin.
.
.
(usermanagerwillallowyoutochangeanypasswords)FReplaceLOGON.
SCRtonormallocationAdministratorRightsFGetAdminwrittenbyKonstantinSobolevattachestotheWinLogonprocesstogiveanaccountAdministratorrights–Crash4.
exewillallowGetAdmintoworkonSP3patchedmachinesbyrearrangingafewthingsonthestacktoallowGetAdmintoworkFSecholemodifiesOpenProcessAPIandsuccessfullyrequestsDebugrightstogiveAdministratorrights(testedunderSP4)PasswordCrackingFSinceMicrosoftdoesnotsaltduringhashgeneration,onceapotentialpasswordhasgeneratedahash,itcanbecheckedagainstALLaccountsFAllcurrentNTcrackerstakeadvantageofthisFSeveralfreewareandsharewareproductsareavailableontheInternetSomePasswordCrackersFL0phtcrack2.
5–GatherandcrackNTpasswordhashesdirectlythroughSAM(databaseorbackup)orbymonitoringSMBnetworkactivity–Beware:8characterpassword=one7characterpasswordsandaoneletterpasswordFJohntheRipper1.
7/Crack5.
x–UNIXpasswordcrackersthatcanalsohandleWindowsNTpasswords(when"dumped"inrightformat)KnownDLLsList(1)FCoreOSDLLsarekeptinvirtualmemoryandsharedbetweentheprogramsrunningonthesystemFOSreferencesadatastructurecalledtheKnownDLLslisttodeterminethelocationoftheDLLinvirtualmemoryFWindowsNTprotectsin-memoryDLLsagainstmodification,butallowsalluserstoreadfromandwritetotheKnownDLLslistKnownDLLsList(2)FLoadintomemoryamaliciousDLLthathasthesamenameasasystemDLL,thenchangetheentryintheKnownDLLslisttopointtothemaliciouscopyFProgramsthatrequestthesystemDLLwillinsteadbedirectedtothemaliciouscopyFWhencalledbyaprogramwithsufficientlyhighprivileges,itcouldtakeanydesiredactionBufferOverflows(1)FBecame"popular"onUNIXafterarticlespublishedbyAleph1andMudgeFDavidLitchfield(a.
k.
a.
mnemonix)published"RASBufferOverrunExploitandTutorial"and"Winhlp32BufferOverrunExploitandAnalysis"http://www.
infowar.
co.
uk/mnemonix/ntbufferoverruns.
htmBufferOverflows(2)FDildog(cDc)wrote"TheTaoofWindowsBufferOverflow"(http://www.
cultdeadcow.
com/cDc_files/cDc-351/)–Acompletepictureofbufferoverflows,howtheywork,andhowtocodeyourownexploitsforMicrosoftoperatingsystemsFAssumption:Thiswillbethe"nextcraze"RemoteExploitsSecureNetworkingisanartC2MyazzFAnothercomputerspoofstheclientintosendingaclear-textpasswordtotheserver,bypassingallpasswordencryption–ThesoftwarelistensforSMBnegotiations,andupondetectingone,sendsasinglepackettotheclientinstructingittodowngradeitsconnectionattempttoacleartextlevel–PasswordisretrievedwhiletheclientissuccessfullyconnectedtotheNTserverHowToUseLanManagerHashFLanManagerhashisapasswordequivalentinachallenge-responseprotocolFAmodified(Samba)clientwithaccesstouncrackedNTpassworddatabasecanusethisinformationtoauthenticatetotheserverManInTheMiddleAttackFNmapprovidesthefollowingcomment:–TCPSequencePrediction:Class=trivialtimedependencyDifficulty=0(Trivialjoke)Remoteoperatingsystemguess:WindowsNT4/Win95/Win98FSMBHijackingshouldbepossible,butnoknownexploits(Yet…)–Complexspoofingjobthesessionhastobehijackedatthetransportlevel(gettingalloftheACK/NACKnumberingcorrect)theTreeID(TID)andUserID(UID)wouldhavetobespoofedaswell(atredirectorandserverlevel)Microsoft'sImplementationofPPTPFPPTPcanbeusedforthecreationofVPNsFBruceSchneierandMudgepublished"CryptanalysisofMicrosoft'sPoint-to-PointTunnelingProtocol"FThepaperdidnotfindflawswithPPTP,onlyMicrosoft'simplementationofitFPhrack53containedanotherpaperbyAleph1entitled"TheCrumblingTunnel"Microsoft'sPPTPFlawsFThesecurityflawsallowsniffingpasswordsacrossthenetworkandbreakingtheencryptionthatprotectsthetunnelingprotocolFRecommendationbySchneier:UseIPSec(or3rdpartyimplementationofPPTP)insteadMicrosoft'sRemainingPPTPIssues(1)FTheentiresessionand/orpacketisnotencryptedFTherearestill"pieces"visibletosniffing,suchasDNSserveraddresses–Thisispartiallyduetothefactthattheentirenegotiationprocessis"onthewire"–ControloftheencryptedsessionishandledviathisseparateconnectionsMicrosoft'sRemainingPPTPIssues(2)FTheconnectionthat"controls"thesessionisnotauthenticated,makingitvulnerabletoDenialofService–Theconcernhereisthatwedonothavecontrolovertheclientconfigurationatalltimes,andthatthesessioncouldbeinterruptedfollowedbysomespoofingto"dummydown"toMS-CHAPv1withitsweakerencryptionalaLanManhashesastheclientattemptstore-connectMicrosoft'sRemainingPPTPIssues(3)FThenatureofthechallenge-responsestillplacesallofthematerialusedduringthegenerationofsessionkeysontothewire(Keyspaceislessthan128bits)–Onlythepasswordisprotectedinthissense,sothekeyisonlyasstrongasthepassword–Thismeansthatofflinecryptoanalysisofasessioncouldrevealtheuserpassword–Tofurtherthetheoryanentireencryptedsessioncouldbe"decrypted"offlineScannersPointandClickToolsfromtheInternetRemoteScannersFOgre(Rhino9Team)–SimplePortandVulnerabilityScannerFNAT(AndrewTridgell)–BruteForceNetBIOSAuditingToolFNTIS(DavidLitchfield)–GreatNTInformationScannerFRedButton(MidwesternCommerce,Inc.
)–NetBIOSAuditingToolFLogsonremotelytoaTargetcomputerwithoutUserName/PasswordFUnauthorizedaccesstosensitiveinformationstoredinfilesystemandregistryavailabletoEveryonegroupcanbeobtainedFDeterminescurrentnameofBuilt-inAdministratoraccountFReadsseveralregistryentriesFListsallshares(includingthehiddenones)RedButtonNetBusPro2.
0FAccordingtotheauthor(Carl-FredrikNeikter)NetBusProisaeasy-to-useremoteadministrationandspytoolFFeaturesforremoteadministrationinclude:–Filemanager,RegistrymanagerandApplicationRedirectFSpyingfeaturesinclude:–Capturescreen,Listenkeyboard,CapturecameraimageandRecordsoundMacro'sandSomeOtherVulnerabilitiesUserFriendlyorCrackerFriendlyMacro'sFVariousapplicationscontainaverypowerfulMACROlanguagecapableofdoingfile-I/OandcallingWin32APIsFPerfectforwritingvirii/worms(AnyoneheardofMelissaorPrettyPark)FWindowsHelpfiles(.
HLP)arecapableofrunningDLLsOtherVulnerabilitiesFRASandRRASVulnerability–UsercredentialsarecachedinRegistryregardlessofwhethercheckboxisselectedordeselected.
(LisaO'Connor,MartinDolphin,andJoeGreene)FInterestingspecialkey-combinationsusableonalocked-downsystem:–Ctrl-Shift-ESCstartsTaskManager(likeCtrl-Alt-Del)–Alt-TABtochooseActiveWindowUsing(UNIX)ToolsTohackWindowsNTsystemsAlternateOperatingSystemFFloppy-disk(orbootableCDROM)canbeusedtobootalternativeOperatingSystem(TrinuxorPicoBSD)FOfflineNTPasswordEditorbyPetterNordahl-Hagen;availableasLinuxbootdiskcontainingascriptthatleadsyouthroughthecompleteprocessNetCatFSwissArmyKnifeofHackerTools(canactbothasclientandaslistener)FNTversioncanbindtoportsinfrontofprocessesalreadylistening(Crackercanfilterinterestingdatabeforepassingiton)FAlsousefulforAdministratorsSambaFAnotherfinetooldevelopedbyAndyTridgellFSambatalksSMB;integratesUNIXandNTinaLanManagerenvironmentFAtoollikeSambaandinformationfrom"CIFS:CommonInsecuritiesFailScrutiny"byHobbit(L0pht)willguideyoutoEnlightenmentPitfallAvoidanceKeepingyoursystem(more)secureBasicSecurity(ConfuseTheWannabe's)FSetBIOSPasswordFBootfromC:notfromA:orCD-ROMFDisableorremovefloppydrivefromsystemFIfpossibleremoveCDROMdrivesFNotREALSecurity!
UseitjusttofiltertheanklebitersfromtheexpertsFileSystemSecurityFUseNTFSwhereverpossible–AllowsuseofAccessControlLists–IsmorerobustduringcrashesFFATprovidesnoprotectionatall(i.
e.
deleteSAMdatabaseandreboot)FTherearetoolsthatallowaccesstoNTFSfromDOS(ntfsdos.
exe)orUNIX(Linuxntfs)WatchThoseFilePermissionsFCopyingletsafileinheritthepermissionsfromthedestinationdirectory(useSCOPYinstead)FMovingafilepreservestheexistingfilepermissionsFThismayresultin"fullcontrol"accessfor"everybody"whenthisisnotwantedSomeNTAdministrationToolsFChroniclev1.
0(Rhino9Team)–ServicePackandHotFixScannerFNTInfoScan(DavidLitchfielda.
k.
a.
.
Mnemonic)–SecurityScanner(SATAN)forNTServersFScanNT(MWC)–SimpleNTPasswordCheckerUserneedsextraprivileges:ActaspartoftheOS,Replaceaprocessleveltoken,IncreasequotasWindowsNTSecurity101FTheseFineDocumentsWillBeOfGreatHelp:–WindowsNTWardocbyRhino9TeamAlsoavailableinhandy3ComPalmDocformat–NSAWindowsNTSecurityGuidelines–SANSInstituteNTSecurityStepByStepInternetReferencesWhereyoucanfindmoreinformationInternetReferences(1)FNTSecurity–mail-to:ntsecurity@iss.
netFNTBugtraq–mail-to:ntbugtraq@listserv.
ntbugtraq.
com–http://ntbugtraq.
ntadvice.
comFPacketStormSecurity–http://www.
genocide2600.
com/~tattoomanFHackerNewsNetwork–http://www.
hackernews.
comInternetReferences(2)FL0htHeavyIndustries–http://www.
l0pht.
comFComputerEmergencyResponseTeam–http://www.
cert.
orgFMicrosoftCorporation–http://www.
microsoft.
com/securityFHackFAQ–http://www.
genocide2600.
com/~tattooman/hacking-textfiles/hack-faq/index.
html(nodirectaccess;-)ConclusionKeepSecurityInMindWindowsNTSecurity.
.
.
FIsdefinitivelynotasgoodasMicrosoftwantsustobelieveFIsatbestasgoodassecurityonaUNIXsystemFVulnerabilitiesfoundeveryweekinspiteofMicrosoft'sSecurityThroughObscurityStrategyThe"Best"IsStillToCome.
.
.
FWindows2000willconsistofmorethan27millionlinesofcode(andlotsofchanges)Thinkaboutit!
JLinux2.
0consistsof1.
5millionlinesofcodeNT3.
5hadabout5millionlinesofcodeTHANKYOU!
AnyQuestions
数脉科技怎么样?数脉科技品牌创办于2019,由一家从2012年开始从事idc行业的商家创办,目前主营产品是香港服务器,线路有阿里云线路和自营CN2线路,均为中国大陆直连带宽,适合建站及运行各种负载较高的项目,同时支持人民币、台币、美元等结算,提供支付宝、微信、PayPal付款方式。本次数脉科技给发来了新的7月促销活动,CN2+BGP线路的香港服务器,带宽10m起,配置E3-16G-30M-3IP,...
前几天还在和做外贸业务的网友聊着有哪些欧洲机房的云服务器、VPS商家值得选择的。其中介绍他选择的还是我们熟悉的Vultr VPS服务商,拥有比较多达到17个数据中心,这不今天在登录VULTR商家的时候看到消息又新增一个新的机房。这算是第18个数据中心,也是欧洲VPS主机,地区是瑞典斯德哥尔摩。如果我们有需要欧洲机房的朋友现在就可以看到开通的机房中有可以选择瑞典机房。目前欧洲已经有五个机房可以选择,...
HostMem近日发布了最新的优惠消息,全场云服务器产品一律75折优惠,美国洛杉矶QuadraNet机房,基于KVM虚拟架构,2核心2G内存240G SSD固态硬盘100Mbps带宽4TB流量,27美元/年,线路方面电信CN2 GT,联通CU移动CM,有需要美国大硬盘VPS云服务器的朋友可以关注一下。HostMem怎么样?HostMem服务器好不好?HostMem值不值得购买?HostMem是一家...
windowsnt为你推荐
sonicchat深圳哪里有卖汽车模型?funnymudpee京东的显卡什么时候能降回正常价格啊,想买个1060firetrap我淘宝店还是卖二单就被删,怎么回事!西部妈妈网我爸妈在云南做非法集资了,钱肯定交了很多,我不恨她们。他们叫我明天去看,让我用心的看,,说是什么...www.haole012.com012.qq.com是真的吗125xx.com115xx.com是什么意思www.zhiboba.com网上看nbabaqizi.cc讲讲曾子杀猪的主要内容!www.toutoulu.comWWW【toutoulu】cOM怎么搜不到了?到哪里能看到toutoulu视频?www4399com4399小游戏 请记住本站网站 4399.url
老左 hawkhost 42u标准机柜尺寸 阿里云代金券 嘉洲服务器 小米数据库 架设服务器 日本bb瘦 国外代理服务器软件 isp服务商 中国电信宽带测速网 web服务器安全 我的世界服务器ip 摩尔庄园注册 酸酸乳 网页加速 阿里云个人邮箱 最新优惠 godaddy中文 建站论坛 更多