Connectionswindowsnt
windowsnt 时间:2021-03-29 阅读:(
)
HackingWindowsNT(UsingUNIX)HansVandeLooyPreambleAndDisclaimerFAlotofthevulnerabilitiesdescribedinthispresentationcanbefixed,butarestillpresentintheworldoutside.
Pointingtheseouttoadministratorsistheonlyreasonforincludingtheminthispresentation.
FCrackingmaybeacriminaloffenseandprosecutedbylawinyourcountry.
JContentsFSomeSecurityStatisticsFNoHolyWars;Please!
FWindowsNTSecurityHolesWellKnown(UNIX)ToolsFPitfallAvoidanceInstallingBaselineSecurityFInternetReferencesFConclusionSomeSecurityStatisticsWhydoyouneedNetworkandSystemSecurityRecentSecurityStatisticsFNetworkSecurityisaseriousissueformostorganisations–30%ofrespondentsreportedsystempenetrationbyoutsiders–55%oforganisationssurveyedreportincreasedattacksby"insiders"–32%ofrespondentsreportedseriousincidentstolawenforcement-previouslyonly17%–20%increaseinattacksfromtheoutsidesince1996thankstoe-commerceSource1999CSI/FBIComputerCrimeandSecuritySurveyNoHolyWars;Please!
StrengthsandweaknessesofWindowsNTandUNIXServerConfigurationFWindowsNT(4.
0)–IIS4.
0–ProxyServer2.
0–FTPinISS4.
0–Exchange5.
5–Exchange5.
5/IIS4.
0–DNS(basedon4.
9)–Exchange5.
5–DHCP(build-in)–SMB(build-in)–build-in"IPsecurity"FUNIX(BSD4.
4/Linux)–Apache1.
3.
6–Squid2.
1–(WU-)FTP2.
4.
2–Sendmail8.
9.
3orPostfix–POP/IMAP(ie.
Imap4.
4)–Bind8.
2–INN1.
7.
2orDiablo1.
15–ISCDHCP2.
b1.
6–Samba2.
0.
2orNFS–ipfworipfilterComparingWindowsNTandUNIXFWindowsNT(4.
0)–SingleUser,MultiTaskingOS;usableasserverandworkstation–Microsoftdefinesstandard–ApplicationscreatedbyMicrosoftandmajorcorporations–Nosourcecodeavailable–LotsofsecurityholesFUNIX(BSD4.
4/Linux)–MultiUser,MultiTaskingOS;usableasserverandworkstation–Standardsdefinedbycommunity–Applicationscreatedbycommunityandmajorcorporations–Sourcecodeavailableforreview–LotsofsecurityholesAvailabilityOfSourceCodeFEnablespeerreviewof"Features"FHistoryrevealsalotofsecurityholesfoundFUnavailability(Security-through-Obscurity)doesnotguaranteemoresecurityFWhohasstudiedeverypieceofsourcecodefromamajorOperatingSystemkernel(i.
e.
LinuxorBSD)orApplication(i.
e.
PGP)Let'sTalkAboutMarketingLies,DamnedLiesandMarketingHowToManipulateTheTruthWithMarketingFC2Security–WindowsNT3.
51isC2certifiedasanOperatingSystem,NOTasaTrustedNetworkComponent(orangebook,notredbook)1FMicrosoftisbecomingmoreSecurityAware–Microsofthasneededtorecallseveralsecuritypatchesinthepastduetotheproblemstheycreated1HotNews:AtInfoSecurityNT4.
0receivedUKE3/FC-2certificationHackerNewsReactionRecentMicrosoftAdvisorySoMuchForSupportOnlineAndTheL0phtSoapboxWindowsNTSecurityHolesWhatyoushouldknowaboutyoursystemWindowsNTSecurityHolesFDenialOfServiceFLocalExploitsFGainingAdministratorRightsFPasswordCrackingFNetworkVulnerabilitiesFRemoteExploitsFKnownMicrosoftSoftwareVulnerabilities(IIS,Exchange,PPTP,Macro's…)DenialOfServiceLame(buteffective)AttacksDenialOfService(1)FPingO'Dead(Packet-size>=65510bytes)FSYNFloodingFLAND(SYNwheresource=destination)FFraggle(UDPBroadcast)FSmurf(TCP/IPBroadcast)FICMP-DoS(ICMPEchoReplyFloodinfo)FTeardrop(IPFragmentOverlapBug)PingO'DeadFAliases/Variations:FatPing,SSPing,Jolt,IceNewkFDescription:Sendsseriesof(highlyfragmented)oversized(size>=65510bytes)ICMP_ECHOpacketsovertheconnection.
FResult:Thesystemcannotre-assemblethemfastenoughandlocksupWinNukeFAliases/Variations:OOBNukeFDescription:SendsapacketwithanURGENTflagsetandpointingtoOutofBanddata.
FResult:BlueScreen(virtualdevicedriver)NukeFAliases/Variations:Click,ICMPNuke,WinFreezeFDescription:Thisattacktriestoconvinceyourcomputerthatishaslostitsconnection.
Thecomputerthendisconnectsfromtheportspecified.
FResult:Connectionresetbypeer,ConnectionrefusedorHostunreachableBonkFAliases/Variations:Boink,Newtear,Teardrop2FDescription:ThisattacksendsIPfragmentsresultinginamalformedUDPheaderpacket.
FResult:SystemscrasheswithBlueScreenofDeadTeardropFAliases/Variations:Tear,TCP/IPFragmentoverlap,Nestea(forLinux)FDescription:ThisattacksendsoverlappingIPfragmentsthatthesystemcannotre-assemble.
FResult:SystemwillenterCatatonicStateorCrashandRebootLandFAliases/Variations:LatierraFDescription:SendsaSYNpacketwheresourceaddressequalsdestinationaddresssothevictimwilltrytorespondtoitself.
FResult:ExtremeSlowdown,EnterCatatonicState.
SmurfFAliases/Variations:ICMPFlood,Pingflood,Fraggle,Pong,PapaSmurfFDescription:PerpetratorsendsalargeamountofICMP_ECHOtrafficatbroadcastaddresses,allhavingspoofedsourceaddressesofVictim.
TrafficwillbemultipliedbyhostsonthatIPnetwork.
FResult:Connectionsdropped,EnterCatatonicStateSYNFloodingFAliases/Variations:FDescription:Connectionsareopenedinrapidsuccession,buthandshakeisnotcompleted,thusfillingupqueues.
FResult:ExtremeSlowdown/EnterCatatonicStateDenialOfService(2)FCPUAttack(Telnettoporttobeconfused)–DNS(53-1character+CR)–RPCSS(135-±10characters+disconnect)–INETINFO(1031)FDNSDoS–SenditaDNSresponsewhenitdidnotmakeaqueryandDNSwillcrash.
FISSCrash(GET.
.
/.
.
)–andanotherone(stillworkswithSP4):$telnetlocalhostchargen|ncyour-iis-hosthttpDenialOfService(3)FSystemCallInsecurity–KernellocatedinNTOSKRNL.
EXE–KERNEL32.
DLLjustlike"libc"inUNIX–NTDLL.
DLLusedbyKERNEL32.
DLL(SimplefunctionstoperformactualSyscalls)FInvalidparametersresultinBSOD,thususerscancrashthewholesystemandmaygainadditionalrights!
FSource:SolarDesignermessagetoNTBUGTRAQLocalExploitsWhattodowithconsoleaccessLocalExploitsFNTFSC:\WINNTdefaultpermissionsareFullControlforEveryone,whilemostsubdirectorieshaveChangeControlFAdministratoraccount(alwaysSID500)hasfullcontrolovercompletesystemFSecurityAccountManager(SAM)containsalluseraccountinformationFServicePack3solvedalot(butnotall)ofsecurityrelatedproblems(NeedSP-5now!
)SecurityAccessManagerFContainsboththeLanManager(DES)andtheWindows/NT(MD4)hashvaluesFNormallystoredin:C:\WINNT\system32\config\Sam(Lockedduringnormaloperation)FBackupmadeduringcreationofanEmergencyRepairDiskatlocation:C:\WINNT\repair\sam.
_FAlsoavailableontheERDSAMReplacementFRenameWINNT/system32/LOGON.
SCRFCopyMUSRMGR.
EXEtoLOGON.
SCRFWaitforscreensavertokickin.
.
.
(usermanagerwillallowyoutochangeanypasswords)FReplaceLOGON.
SCRtonormallocationAdministratorRightsFGetAdminwrittenbyKonstantinSobolevattachestotheWinLogonprocesstogiveanaccountAdministratorrights–Crash4.
exewillallowGetAdmintoworkonSP3patchedmachinesbyrearrangingafewthingsonthestacktoallowGetAdmintoworkFSecholemodifiesOpenProcessAPIandsuccessfullyrequestsDebugrightstogiveAdministratorrights(testedunderSP4)PasswordCrackingFSinceMicrosoftdoesnotsaltduringhashgeneration,onceapotentialpasswordhasgeneratedahash,itcanbecheckedagainstALLaccountsFAllcurrentNTcrackerstakeadvantageofthisFSeveralfreewareandsharewareproductsareavailableontheInternetSomePasswordCrackersFL0phtcrack2.
5–GatherandcrackNTpasswordhashesdirectlythroughSAM(databaseorbackup)orbymonitoringSMBnetworkactivity–Beware:8characterpassword=one7characterpasswordsandaoneletterpasswordFJohntheRipper1.
7/Crack5.
x–UNIXpasswordcrackersthatcanalsohandleWindowsNTpasswords(when"dumped"inrightformat)KnownDLLsList(1)FCoreOSDLLsarekeptinvirtualmemoryandsharedbetweentheprogramsrunningonthesystemFOSreferencesadatastructurecalledtheKnownDLLslisttodeterminethelocationoftheDLLinvirtualmemoryFWindowsNTprotectsin-memoryDLLsagainstmodification,butallowsalluserstoreadfromandwritetotheKnownDLLslistKnownDLLsList(2)FLoadintomemoryamaliciousDLLthathasthesamenameasasystemDLL,thenchangetheentryintheKnownDLLslisttopointtothemaliciouscopyFProgramsthatrequestthesystemDLLwillinsteadbedirectedtothemaliciouscopyFWhencalledbyaprogramwithsufficientlyhighprivileges,itcouldtakeanydesiredactionBufferOverflows(1)FBecame"popular"onUNIXafterarticlespublishedbyAleph1andMudgeFDavidLitchfield(a.
k.
a.
mnemonix)published"RASBufferOverrunExploitandTutorial"and"Winhlp32BufferOverrunExploitandAnalysis"http://www.
infowar.
co.
uk/mnemonix/ntbufferoverruns.
htmBufferOverflows(2)FDildog(cDc)wrote"TheTaoofWindowsBufferOverflow"(http://www.
cultdeadcow.
com/cDc_files/cDc-351/)–Acompletepictureofbufferoverflows,howtheywork,andhowtocodeyourownexploitsforMicrosoftoperatingsystemsFAssumption:Thiswillbethe"nextcraze"RemoteExploitsSecureNetworkingisanartC2MyazzFAnothercomputerspoofstheclientintosendingaclear-textpasswordtotheserver,bypassingallpasswordencryption–ThesoftwarelistensforSMBnegotiations,andupondetectingone,sendsasinglepackettotheclientinstructingittodowngradeitsconnectionattempttoacleartextlevel–PasswordisretrievedwhiletheclientissuccessfullyconnectedtotheNTserverHowToUseLanManagerHashFLanManagerhashisapasswordequivalentinachallenge-responseprotocolFAmodified(Samba)clientwithaccesstouncrackedNTpassworddatabasecanusethisinformationtoauthenticatetotheserverManInTheMiddleAttackFNmapprovidesthefollowingcomment:–TCPSequencePrediction:Class=trivialtimedependencyDifficulty=0(Trivialjoke)Remoteoperatingsystemguess:WindowsNT4/Win95/Win98FSMBHijackingshouldbepossible,butnoknownexploits(Yet…)–Complexspoofingjobthesessionhastobehijackedatthetransportlevel(gettingalloftheACK/NACKnumberingcorrect)theTreeID(TID)andUserID(UID)wouldhavetobespoofedaswell(atredirectorandserverlevel)Microsoft'sImplementationofPPTPFPPTPcanbeusedforthecreationofVPNsFBruceSchneierandMudgepublished"CryptanalysisofMicrosoft'sPoint-to-PointTunnelingProtocol"FThepaperdidnotfindflawswithPPTP,onlyMicrosoft'simplementationofitFPhrack53containedanotherpaperbyAleph1entitled"TheCrumblingTunnel"Microsoft'sPPTPFlawsFThesecurityflawsallowsniffingpasswordsacrossthenetworkandbreakingtheencryptionthatprotectsthetunnelingprotocolFRecommendationbySchneier:UseIPSec(or3rdpartyimplementationofPPTP)insteadMicrosoft'sRemainingPPTPIssues(1)FTheentiresessionand/orpacketisnotencryptedFTherearestill"pieces"visibletosniffing,suchasDNSserveraddresses–Thisispartiallyduetothefactthattheentirenegotiationprocessis"onthewire"–ControloftheencryptedsessionishandledviathisseparateconnectionsMicrosoft'sRemainingPPTPIssues(2)FTheconnectionthat"controls"thesessionisnotauthenticated,makingitvulnerabletoDenialofService–Theconcernhereisthatwedonothavecontrolovertheclientconfigurationatalltimes,andthatthesessioncouldbeinterruptedfollowedbysomespoofingto"dummydown"toMS-CHAPv1withitsweakerencryptionalaLanManhashesastheclientattemptstore-connectMicrosoft'sRemainingPPTPIssues(3)FThenatureofthechallenge-responsestillplacesallofthematerialusedduringthegenerationofsessionkeysontothewire(Keyspaceislessthan128bits)–Onlythepasswordisprotectedinthissense,sothekeyisonlyasstrongasthepassword–Thismeansthatofflinecryptoanalysisofasessioncouldrevealtheuserpassword–Tofurtherthetheoryanentireencryptedsessioncouldbe"decrypted"offlineScannersPointandClickToolsfromtheInternetRemoteScannersFOgre(Rhino9Team)–SimplePortandVulnerabilityScannerFNAT(AndrewTridgell)–BruteForceNetBIOSAuditingToolFNTIS(DavidLitchfield)–GreatNTInformationScannerFRedButton(MidwesternCommerce,Inc.
)–NetBIOSAuditingToolFLogsonremotelytoaTargetcomputerwithoutUserName/PasswordFUnauthorizedaccesstosensitiveinformationstoredinfilesystemandregistryavailabletoEveryonegroupcanbeobtainedFDeterminescurrentnameofBuilt-inAdministratoraccountFReadsseveralregistryentriesFListsallshares(includingthehiddenones)RedButtonNetBusPro2.
0FAccordingtotheauthor(Carl-FredrikNeikter)NetBusProisaeasy-to-useremoteadministrationandspytoolFFeaturesforremoteadministrationinclude:–Filemanager,RegistrymanagerandApplicationRedirectFSpyingfeaturesinclude:–Capturescreen,Listenkeyboard,CapturecameraimageandRecordsoundMacro'sandSomeOtherVulnerabilitiesUserFriendlyorCrackerFriendlyMacro'sFVariousapplicationscontainaverypowerfulMACROlanguagecapableofdoingfile-I/OandcallingWin32APIsFPerfectforwritingvirii/worms(AnyoneheardofMelissaorPrettyPark)FWindowsHelpfiles(.
HLP)arecapableofrunningDLLsOtherVulnerabilitiesFRASandRRASVulnerability–UsercredentialsarecachedinRegistryregardlessofwhethercheckboxisselectedordeselected.
(LisaO'Connor,MartinDolphin,andJoeGreene)FInterestingspecialkey-combinationsusableonalocked-downsystem:–Ctrl-Shift-ESCstartsTaskManager(likeCtrl-Alt-Del)–Alt-TABtochooseActiveWindowUsing(UNIX)ToolsTohackWindowsNTsystemsAlternateOperatingSystemFFloppy-disk(orbootableCDROM)canbeusedtobootalternativeOperatingSystem(TrinuxorPicoBSD)FOfflineNTPasswordEditorbyPetterNordahl-Hagen;availableasLinuxbootdiskcontainingascriptthatleadsyouthroughthecompleteprocessNetCatFSwissArmyKnifeofHackerTools(canactbothasclientandaslistener)FNTversioncanbindtoportsinfrontofprocessesalreadylistening(Crackercanfilterinterestingdatabeforepassingiton)FAlsousefulforAdministratorsSambaFAnotherfinetooldevelopedbyAndyTridgellFSambatalksSMB;integratesUNIXandNTinaLanManagerenvironmentFAtoollikeSambaandinformationfrom"CIFS:CommonInsecuritiesFailScrutiny"byHobbit(L0pht)willguideyoutoEnlightenmentPitfallAvoidanceKeepingyoursystem(more)secureBasicSecurity(ConfuseTheWannabe's)FSetBIOSPasswordFBootfromC:notfromA:orCD-ROMFDisableorremovefloppydrivefromsystemFIfpossibleremoveCDROMdrivesFNotREALSecurity!
UseitjusttofiltertheanklebitersfromtheexpertsFileSystemSecurityFUseNTFSwhereverpossible–AllowsuseofAccessControlLists–IsmorerobustduringcrashesFFATprovidesnoprotectionatall(i.
e.
deleteSAMdatabaseandreboot)FTherearetoolsthatallowaccesstoNTFSfromDOS(ntfsdos.
exe)orUNIX(Linuxntfs)WatchThoseFilePermissionsFCopyingletsafileinheritthepermissionsfromthedestinationdirectory(useSCOPYinstead)FMovingafilepreservestheexistingfilepermissionsFThismayresultin"fullcontrol"accessfor"everybody"whenthisisnotwantedSomeNTAdministrationToolsFChroniclev1.
0(Rhino9Team)–ServicePackandHotFixScannerFNTInfoScan(DavidLitchfielda.
k.
a.
.
Mnemonic)–SecurityScanner(SATAN)forNTServersFScanNT(MWC)–SimpleNTPasswordCheckerUserneedsextraprivileges:ActaspartoftheOS,Replaceaprocessleveltoken,IncreasequotasWindowsNTSecurity101FTheseFineDocumentsWillBeOfGreatHelp:–WindowsNTWardocbyRhino9TeamAlsoavailableinhandy3ComPalmDocformat–NSAWindowsNTSecurityGuidelines–SANSInstituteNTSecurityStepByStepInternetReferencesWhereyoucanfindmoreinformationInternetReferences(1)FNTSecurity–mail-to:ntsecurity@iss.
netFNTBugtraq–mail-to:ntbugtraq@listserv.
ntbugtraq.
com–http://ntbugtraq.
ntadvice.
comFPacketStormSecurity–http://www.
genocide2600.
com/~tattoomanFHackerNewsNetwork–http://www.
hackernews.
comInternetReferences(2)FL0htHeavyIndustries–http://www.
l0pht.
comFComputerEmergencyResponseTeam–http://www.
cert.
orgFMicrosoftCorporation–http://www.
microsoft.
com/securityFHackFAQ–http://www.
genocide2600.
com/~tattooman/hacking-textfiles/hack-faq/index.
html(nodirectaccess;-)ConclusionKeepSecurityInMindWindowsNTSecurity.
.
.
FIsdefinitivelynotasgoodasMicrosoftwantsustobelieveFIsatbestasgoodassecurityonaUNIXsystemFVulnerabilitiesfoundeveryweekinspiteofMicrosoft'sSecurityThroughObscurityStrategyThe"Best"IsStillToCome.
.
.
FWindows2000willconsistofmorethan27millionlinesofcode(andlotsofchanges)Thinkaboutit!
JLinux2.
0consistsof1.
5millionlinesofcodeNT3.
5hadabout5millionlinesofcodeTHANKYOU!
AnyQuestions
LayerStack(成立于2017年),当前正在9折促销旗下的云服务器,LayerStack的云服务器采用第 3 代 AMD EPYC™ (霄龙) 处理器,DDR4内存和企业级 PCIe Gen 4 NVMe SSD。数据中心可选中国香港、日本、新加坡和洛杉矶!其中中国香港、日本和新加坡分为国际线路和CN2线路,如果选择CN2线路,价格每月要+3.2美元,付款支持paypal,支付宝,信用卡等!...
昔日数据怎么样?昔日数据新上了湖北十堰云服务器,湖北十堰市IDC数据中心 母鸡采用e5 2651v2 SSD MLC企业硬盘 rdid5阵列为数据护航 100G高防 超出防御峰值空路由2小时 不限制流量。目前,国内湖北十堰云服务器,首月6折火热销售限量30台价格低至22元/月。(注意:之前有个xrhost.cn也叫昔日数据,已经打不开了,一看网站LOGO和名称为同一家,有一定风险,所以尽量不要选择...
80vps怎么样?80vps最近新上了香港服务器、美国cn2服务器,以及香港/日本/韩国/美国多ip站群服务器。80vps之前推荐的都是VPS主机内容,其实80VPS也有独立服务器业务,分布在中国香港、欧美、韩国、日本、美国等地区,可选CN2或直连优化线路。如80VPS香港独立服务器最低月付420元,美国CN2 GIA独服月付650元起,中国香港、日本、韩国、美国洛杉矶多IP站群服务器750元/月...
windowsnt为你推荐
淘宝门户分析淘宝网、三大门户网站、易趣、阿里巴巴属于哪种电子商务模式外挂购买什么外挂网好点vc组合洛天依的组合都有谁netlife熊猫烧香图片www.hao360.cn搜狗360导航网址是什么关键字关键字和一般标识符的区别seo优化工具SEO优化工具哪个好用点啊?www.niuav.com在那能找到免费高清电影网站呢 ?杨丽晓博客明星的最新博文www.toutoulu.com安装好派克滤芯后要检查其是否漏气
抗投诉vps主机 主机屋 腾讯云盘 免备案cdn 国外私服 Hello图床 国外在线代理 cpanel空间 idc是什么 东莞数据中心 服务器托管什么意思 河南移动网 中国电信测速网 吉林铁通 阿里云官方网站 云服务器比较 谷歌台湾 iki 网站加速 腾讯数据库 更多