Connectionswindowsnt

windowsnt  时间:2021-03-29  阅读:()
HackingWindowsNT(UsingUNIX)HansVandeLooyPreambleAndDisclaimerFAlotofthevulnerabilitiesdescribedinthispresentationcanbefixed,butarestillpresentintheworldoutside.
Pointingtheseouttoadministratorsistheonlyreasonforincludingtheminthispresentation.
FCrackingmaybeacriminaloffenseandprosecutedbylawinyourcountry.
JContentsFSomeSecurityStatisticsFNoHolyWars;Please!
FWindowsNTSecurityHolesWellKnown(UNIX)ToolsFPitfallAvoidanceInstallingBaselineSecurityFInternetReferencesFConclusionSomeSecurityStatisticsWhydoyouneedNetworkandSystemSecurityRecentSecurityStatisticsFNetworkSecurityisaseriousissueformostorganisations–30%ofrespondentsreportedsystempenetrationbyoutsiders–55%oforganisationssurveyedreportincreasedattacksby"insiders"–32%ofrespondentsreportedseriousincidentstolawenforcement-previouslyonly17%–20%increaseinattacksfromtheoutsidesince1996thankstoe-commerceSource1999CSI/FBIComputerCrimeandSecuritySurveyNoHolyWars;Please!
StrengthsandweaknessesofWindowsNTandUNIXServerConfigurationFWindowsNT(4.
0)–IIS4.
0–ProxyServer2.
0–FTPinISS4.
0–Exchange5.
5–Exchange5.
5/IIS4.
0–DNS(basedon4.
9)–Exchange5.
5–DHCP(build-in)–SMB(build-in)–build-in"IPsecurity"FUNIX(BSD4.
4/Linux)–Apache1.
3.
6–Squid2.
1–(WU-)FTP2.
4.
2–Sendmail8.
9.
3orPostfix–POP/IMAP(ie.
Imap4.
4)–Bind8.
2–INN1.
7.
2orDiablo1.
15–ISCDHCP2.
b1.
6–Samba2.
0.
2orNFS–ipfworipfilterComparingWindowsNTandUNIXFWindowsNT(4.
0)–SingleUser,MultiTaskingOS;usableasserverandworkstation–Microsoftdefinesstandard–ApplicationscreatedbyMicrosoftandmajorcorporations–Nosourcecodeavailable–LotsofsecurityholesFUNIX(BSD4.
4/Linux)–MultiUser,MultiTaskingOS;usableasserverandworkstation–Standardsdefinedbycommunity–Applicationscreatedbycommunityandmajorcorporations–Sourcecodeavailableforreview–LotsofsecurityholesAvailabilityOfSourceCodeFEnablespeerreviewof"Features"FHistoryrevealsalotofsecurityholesfoundFUnavailability(Security-through-Obscurity)doesnotguaranteemoresecurityFWhohasstudiedeverypieceofsourcecodefromamajorOperatingSystemkernel(i.
e.
LinuxorBSD)orApplication(i.
e.
PGP)Let'sTalkAboutMarketingLies,DamnedLiesandMarketingHowToManipulateTheTruthWithMarketingFC2Security–WindowsNT3.
51isC2certifiedasanOperatingSystem,NOTasaTrustedNetworkComponent(orangebook,notredbook)1FMicrosoftisbecomingmoreSecurityAware–Microsofthasneededtorecallseveralsecuritypatchesinthepastduetotheproblemstheycreated1HotNews:AtInfoSecurityNT4.
0receivedUKE3/FC-2certificationHackerNewsReactionRecentMicrosoftAdvisorySoMuchForSupportOnlineAndTheL0phtSoapboxWindowsNTSecurityHolesWhatyoushouldknowaboutyoursystemWindowsNTSecurityHolesFDenialOfServiceFLocalExploitsFGainingAdministratorRightsFPasswordCrackingFNetworkVulnerabilitiesFRemoteExploitsFKnownMicrosoftSoftwareVulnerabilities(IIS,Exchange,PPTP,Macro's…)DenialOfServiceLame(buteffective)AttacksDenialOfService(1)FPingO'Dead(Packet-size>=65510bytes)FSYNFloodingFLAND(SYNwheresource=destination)FFraggle(UDPBroadcast)FSmurf(TCP/IPBroadcast)FICMP-DoS(ICMPEchoReplyFloodinfo)FTeardrop(IPFragmentOverlapBug)PingO'DeadFAliases/Variations:FatPing,SSPing,Jolt,IceNewkFDescription:Sendsseriesof(highlyfragmented)oversized(size>=65510bytes)ICMP_ECHOpacketsovertheconnection.
FResult:Thesystemcannotre-assemblethemfastenoughandlocksupWinNukeFAliases/Variations:OOBNukeFDescription:SendsapacketwithanURGENTflagsetandpointingtoOutofBanddata.
FResult:BlueScreen(virtualdevicedriver)NukeFAliases/Variations:Click,ICMPNuke,WinFreezeFDescription:Thisattacktriestoconvinceyourcomputerthatishaslostitsconnection.
Thecomputerthendisconnectsfromtheportspecified.
FResult:Connectionresetbypeer,ConnectionrefusedorHostunreachableBonkFAliases/Variations:Boink,Newtear,Teardrop2FDescription:ThisattacksendsIPfragmentsresultinginamalformedUDPheaderpacket.
FResult:SystemscrasheswithBlueScreenofDeadTeardropFAliases/Variations:Tear,TCP/IPFragmentoverlap,Nestea(forLinux)FDescription:ThisattacksendsoverlappingIPfragmentsthatthesystemcannotre-assemble.
FResult:SystemwillenterCatatonicStateorCrashandRebootLandFAliases/Variations:LatierraFDescription:SendsaSYNpacketwheresourceaddressequalsdestinationaddresssothevictimwilltrytorespondtoitself.
FResult:ExtremeSlowdown,EnterCatatonicState.
SmurfFAliases/Variations:ICMPFlood,Pingflood,Fraggle,Pong,PapaSmurfFDescription:PerpetratorsendsalargeamountofICMP_ECHOtrafficatbroadcastaddresses,allhavingspoofedsourceaddressesofVictim.
TrafficwillbemultipliedbyhostsonthatIPnetwork.
FResult:Connectionsdropped,EnterCatatonicStateSYNFloodingFAliases/Variations:FDescription:Connectionsareopenedinrapidsuccession,buthandshakeisnotcompleted,thusfillingupqueues.
FResult:ExtremeSlowdown/EnterCatatonicStateDenialOfService(2)FCPUAttack(Telnettoporttobeconfused)–DNS(53-1character+CR)–RPCSS(135-±10characters+disconnect)–INETINFO(1031)FDNSDoS–SenditaDNSresponsewhenitdidnotmakeaqueryandDNSwillcrash.
FISSCrash(GET.
.
/.
.
)–andanotherone(stillworkswithSP4):$telnetlocalhostchargen|ncyour-iis-hosthttpDenialOfService(3)FSystemCallInsecurity–KernellocatedinNTOSKRNL.
EXE–KERNEL32.
DLLjustlike"libc"inUNIX–NTDLL.
DLLusedbyKERNEL32.
DLL(SimplefunctionstoperformactualSyscalls)FInvalidparametersresultinBSOD,thususerscancrashthewholesystemandmaygainadditionalrights!
FSource:SolarDesignermessagetoNTBUGTRAQLocalExploitsWhattodowithconsoleaccessLocalExploitsFNTFSC:\WINNTdefaultpermissionsareFullControlforEveryone,whilemostsubdirectorieshaveChangeControlFAdministratoraccount(alwaysSID500)hasfullcontrolovercompletesystemFSecurityAccountManager(SAM)containsalluseraccountinformationFServicePack3solvedalot(butnotall)ofsecurityrelatedproblems(NeedSP-5now!
)SecurityAccessManagerFContainsboththeLanManager(DES)andtheWindows/NT(MD4)hashvaluesFNormallystoredin:C:\WINNT\system32\config\Sam(Lockedduringnormaloperation)FBackupmadeduringcreationofanEmergencyRepairDiskatlocation:C:\WINNT\repair\sam.
_FAlsoavailableontheERDSAMReplacementFRenameWINNT/system32/LOGON.
SCRFCopyMUSRMGR.
EXEtoLOGON.
SCRFWaitforscreensavertokickin.
.
.
(usermanagerwillallowyoutochangeanypasswords)FReplaceLOGON.
SCRtonormallocationAdministratorRightsFGetAdminwrittenbyKonstantinSobolevattachestotheWinLogonprocesstogiveanaccountAdministratorrights–Crash4.
exewillallowGetAdmintoworkonSP3patchedmachinesbyrearrangingafewthingsonthestacktoallowGetAdmintoworkFSecholemodifiesOpenProcessAPIandsuccessfullyrequestsDebugrightstogiveAdministratorrights(testedunderSP4)PasswordCrackingFSinceMicrosoftdoesnotsaltduringhashgeneration,onceapotentialpasswordhasgeneratedahash,itcanbecheckedagainstALLaccountsFAllcurrentNTcrackerstakeadvantageofthisFSeveralfreewareandsharewareproductsareavailableontheInternetSomePasswordCrackersFL0phtcrack2.
5–GatherandcrackNTpasswordhashesdirectlythroughSAM(databaseorbackup)orbymonitoringSMBnetworkactivity–Beware:8characterpassword=one7characterpasswordsandaoneletterpasswordFJohntheRipper1.
7/Crack5.
x–UNIXpasswordcrackersthatcanalsohandleWindowsNTpasswords(when"dumped"inrightformat)KnownDLLsList(1)FCoreOSDLLsarekeptinvirtualmemoryandsharedbetweentheprogramsrunningonthesystemFOSreferencesadatastructurecalledtheKnownDLLslisttodeterminethelocationoftheDLLinvirtualmemoryFWindowsNTprotectsin-memoryDLLsagainstmodification,butallowsalluserstoreadfromandwritetotheKnownDLLslistKnownDLLsList(2)FLoadintomemoryamaliciousDLLthathasthesamenameasasystemDLL,thenchangetheentryintheKnownDLLslisttopointtothemaliciouscopyFProgramsthatrequestthesystemDLLwillinsteadbedirectedtothemaliciouscopyFWhencalledbyaprogramwithsufficientlyhighprivileges,itcouldtakeanydesiredactionBufferOverflows(1)FBecame"popular"onUNIXafterarticlespublishedbyAleph1andMudgeFDavidLitchfield(a.
k.
a.
mnemonix)published"RASBufferOverrunExploitandTutorial"and"Winhlp32BufferOverrunExploitandAnalysis"http://www.
infowar.
co.
uk/mnemonix/ntbufferoverruns.
htmBufferOverflows(2)FDildog(cDc)wrote"TheTaoofWindowsBufferOverflow"(http://www.
cultdeadcow.
com/cDc_files/cDc-351/)–Acompletepictureofbufferoverflows,howtheywork,andhowtocodeyourownexploitsforMicrosoftoperatingsystemsFAssumption:Thiswillbethe"nextcraze"RemoteExploitsSecureNetworkingisanartC2MyazzFAnothercomputerspoofstheclientintosendingaclear-textpasswordtotheserver,bypassingallpasswordencryption–ThesoftwarelistensforSMBnegotiations,andupondetectingone,sendsasinglepackettotheclientinstructingittodowngradeitsconnectionattempttoacleartextlevel–PasswordisretrievedwhiletheclientissuccessfullyconnectedtotheNTserverHowToUseLanManagerHashFLanManagerhashisapasswordequivalentinachallenge-responseprotocolFAmodified(Samba)clientwithaccesstouncrackedNTpassworddatabasecanusethisinformationtoauthenticatetotheserverManInTheMiddleAttackFNmapprovidesthefollowingcomment:–TCPSequencePrediction:Class=trivialtimedependencyDifficulty=0(Trivialjoke)Remoteoperatingsystemguess:WindowsNT4/Win95/Win98FSMBHijackingshouldbepossible,butnoknownexploits(Yet…)–Complexspoofingjobthesessionhastobehijackedatthetransportlevel(gettingalloftheACK/NACKnumberingcorrect)theTreeID(TID)andUserID(UID)wouldhavetobespoofedaswell(atredirectorandserverlevel)Microsoft'sImplementationofPPTPFPPTPcanbeusedforthecreationofVPNsFBruceSchneierandMudgepublished"CryptanalysisofMicrosoft'sPoint-to-PointTunnelingProtocol"FThepaperdidnotfindflawswithPPTP,onlyMicrosoft'simplementationofitFPhrack53containedanotherpaperbyAleph1entitled"TheCrumblingTunnel"Microsoft'sPPTPFlawsFThesecurityflawsallowsniffingpasswordsacrossthenetworkandbreakingtheencryptionthatprotectsthetunnelingprotocolFRecommendationbySchneier:UseIPSec(or3rdpartyimplementationofPPTP)insteadMicrosoft'sRemainingPPTPIssues(1)FTheentiresessionand/orpacketisnotencryptedFTherearestill"pieces"visibletosniffing,suchasDNSserveraddresses–Thisispartiallyduetothefactthattheentirenegotiationprocessis"onthewire"–ControloftheencryptedsessionishandledviathisseparateconnectionsMicrosoft'sRemainingPPTPIssues(2)FTheconnectionthat"controls"thesessionisnotauthenticated,makingitvulnerabletoDenialofService–Theconcernhereisthatwedonothavecontrolovertheclientconfigurationatalltimes,andthatthesessioncouldbeinterruptedfollowedbysomespoofingto"dummydown"toMS-CHAPv1withitsweakerencryptionalaLanManhashesastheclientattemptstore-connectMicrosoft'sRemainingPPTPIssues(3)FThenatureofthechallenge-responsestillplacesallofthematerialusedduringthegenerationofsessionkeysontothewire(Keyspaceislessthan128bits)–Onlythepasswordisprotectedinthissense,sothekeyisonlyasstrongasthepassword–Thismeansthatofflinecryptoanalysisofasessioncouldrevealtheuserpassword–Tofurtherthetheoryanentireencryptedsessioncouldbe"decrypted"offlineScannersPointandClickToolsfromtheInternetRemoteScannersFOgre(Rhino9Team)–SimplePortandVulnerabilityScannerFNAT(AndrewTridgell)–BruteForceNetBIOSAuditingToolFNTIS(DavidLitchfield)–GreatNTInformationScannerFRedButton(MidwesternCommerce,Inc.
)–NetBIOSAuditingToolFLogsonremotelytoaTargetcomputerwithoutUserName/PasswordFUnauthorizedaccesstosensitiveinformationstoredinfilesystemandregistryavailabletoEveryonegroupcanbeobtainedFDeterminescurrentnameofBuilt-inAdministratoraccountFReadsseveralregistryentriesFListsallshares(includingthehiddenones)RedButtonNetBusPro2.
0FAccordingtotheauthor(Carl-FredrikNeikter)NetBusProisaeasy-to-useremoteadministrationandspytoolFFeaturesforremoteadministrationinclude:–Filemanager,RegistrymanagerandApplicationRedirectFSpyingfeaturesinclude:–Capturescreen,Listenkeyboard,CapturecameraimageandRecordsoundMacro'sandSomeOtherVulnerabilitiesUserFriendlyorCrackerFriendlyMacro'sFVariousapplicationscontainaverypowerfulMACROlanguagecapableofdoingfile-I/OandcallingWin32APIsFPerfectforwritingvirii/worms(AnyoneheardofMelissaorPrettyPark)FWindowsHelpfiles(.
HLP)arecapableofrunningDLLsOtherVulnerabilitiesFRASandRRASVulnerability–UsercredentialsarecachedinRegistryregardlessofwhethercheckboxisselectedordeselected.
(LisaO'Connor,MartinDolphin,andJoeGreene)FInterestingspecialkey-combinationsusableonalocked-downsystem:–Ctrl-Shift-ESCstartsTaskManager(likeCtrl-Alt-Del)–Alt-TABtochooseActiveWindowUsing(UNIX)ToolsTohackWindowsNTsystemsAlternateOperatingSystemFFloppy-disk(orbootableCDROM)canbeusedtobootalternativeOperatingSystem(TrinuxorPicoBSD)FOfflineNTPasswordEditorbyPetterNordahl-Hagen;availableasLinuxbootdiskcontainingascriptthatleadsyouthroughthecompleteprocessNetCatFSwissArmyKnifeofHackerTools(canactbothasclientandaslistener)FNTversioncanbindtoportsinfrontofprocessesalreadylistening(Crackercanfilterinterestingdatabeforepassingiton)FAlsousefulforAdministratorsSambaFAnotherfinetooldevelopedbyAndyTridgellFSambatalksSMB;integratesUNIXandNTinaLanManagerenvironmentFAtoollikeSambaandinformationfrom"CIFS:CommonInsecuritiesFailScrutiny"byHobbit(L0pht)willguideyoutoEnlightenmentPitfallAvoidanceKeepingyoursystem(more)secureBasicSecurity(ConfuseTheWannabe's)FSetBIOSPasswordFBootfromC:notfromA:orCD-ROMFDisableorremovefloppydrivefromsystemFIfpossibleremoveCDROMdrivesFNotREALSecurity!
UseitjusttofiltertheanklebitersfromtheexpertsFileSystemSecurityFUseNTFSwhereverpossible–AllowsuseofAccessControlLists–IsmorerobustduringcrashesFFATprovidesnoprotectionatall(i.
e.
deleteSAMdatabaseandreboot)FTherearetoolsthatallowaccesstoNTFSfromDOS(ntfsdos.
exe)orUNIX(Linuxntfs)WatchThoseFilePermissionsFCopyingletsafileinheritthepermissionsfromthedestinationdirectory(useSCOPYinstead)FMovingafilepreservestheexistingfilepermissionsFThismayresultin"fullcontrol"accessfor"everybody"whenthisisnotwantedSomeNTAdministrationToolsFChroniclev1.
0(Rhino9Team)–ServicePackandHotFixScannerFNTInfoScan(DavidLitchfielda.
k.
a.
.
Mnemonic)–SecurityScanner(SATAN)forNTServersFScanNT(MWC)–SimpleNTPasswordCheckerUserneedsextraprivileges:ActaspartoftheOS,Replaceaprocessleveltoken,IncreasequotasWindowsNTSecurity101FTheseFineDocumentsWillBeOfGreatHelp:–WindowsNTWardocbyRhino9TeamAlsoavailableinhandy3ComPalmDocformat–NSAWindowsNTSecurityGuidelines–SANSInstituteNTSecurityStepByStepInternetReferencesWhereyoucanfindmoreinformationInternetReferences(1)FNTSecurity–mail-to:ntsecurity@iss.
netFNTBugtraq–mail-to:ntbugtraq@listserv.
ntbugtraq.
com–http://ntbugtraq.
ntadvice.
comFPacketStormSecurity–http://www.
genocide2600.
com/~tattoomanFHackerNewsNetwork–http://www.
hackernews.
comInternetReferences(2)FL0htHeavyIndustries–http://www.
l0pht.
comFComputerEmergencyResponseTeam–http://www.
cert.
orgFMicrosoftCorporation–http://www.
microsoft.
com/securityFHackFAQ–http://www.
genocide2600.
com/~tattooman/hacking-textfiles/hack-faq/index.
html(nodirectaccess;-)ConclusionKeepSecurityInMindWindowsNTSecurity.
.
.
FIsdefinitivelynotasgoodasMicrosoftwantsustobelieveFIsatbestasgoodassecurityonaUNIXsystemFVulnerabilitiesfoundeveryweekinspiteofMicrosoft'sSecurityThroughObscurityStrategyThe"Best"IsStillToCome.
.
.
FWindows2000willconsistofmorethan27millionlinesofcode(andlotsofchanges)Thinkaboutit!
JLinux2.
0consistsof1.
5millionlinesofcodeNT3.
5hadabout5millionlinesofcodeTHANKYOU!
AnyQuestions

云基Yunbase无视CC攻击(最高500G DDoS防御),美国洛杉矶CN2-GIA高防独立服务器,

云基yunbase怎么样?云基成立于2020年,目前主要提供高防海内外独立服务器,欢迎各类追求稳定和高防优质线路的用户。业务可选:洛杉矶CN2-GIA+高防(默认500G高防)、洛杉矶CN2-GIA(默认带50Gbps防御)、香港CN2-GIA高防(双向CN2GIA专线,突发带宽支持,15G-20G DDoS防御,无视CC)。目前,美国洛杉矶CN2-GIA高防独立服务器,8核16G,最高500G ...

Linode十八周年及未来展望

这两天Linode发布了十八周年的博文和邮件,回顾了过去取得的成绩和对未来的展望。作为一家运营18年的VPS主机商,Linode无疑是有一些可取之处的,商家提供基于KVM架构的VPS主机,支持随时删除(按小时计费),可选包括美国、英国、新加坡、日本、印度、加拿大、德国等全球十多个数据中心,所有机器提供高出入网带宽,最低仅$5/月($0.0075/小时)。This month marks Linod...

提速啦(24元/月)河南BGP云服务器活动 买一年送一年4核 4G 5M

提速啦的来历提速啦是 网站 本着“良心 便宜 稳定”的初衷 为小白用户避免被坑 由赣州王成璟网络科技有限公司旗下赣州提速啦网络科技有限公司运营 投资1000万人民币 在美国Cera 香港CTG 香港Cera 国内 杭州 宿迁 浙江 赣州 南昌 大连 辽宁 扬州 等地区建立数据中心 正规持有IDC ISP CDN 云牌照 公司。公司购买产品支持3天内退款 超过3天步退款政策。提速啦的市场定位提速啦主...

windowsnt为你推荐
百花百游百花百游的五滴自游进程同一服务器网站服务器建设:一个服务器有多个网站该如何设置?www.gegeshe.com有什么好听的流行歌曲ww.66bobo.com谁知道11qqq com被换成哪个网站33tutu.comDnf绝望100鬼泣怎么过www.884tt.com刚才找了个下电影的网站www.ttgame8.com,不过好多电影怎么都不能用QQ旋风或者是迅雷下在呢?莱姿蔓圣诗蔓有祛痘功效吗云鹏清1840年-1901年西方强逼中国签订了哪些不平等合约悠达网有什么好的校园网购,推荐一下。东力奥互联网的创始人是谁?
老域名 com域名价格 vps服务器 北京vps 域名备案批量查询 七牛优惠码 冰山互联 免费mysql 卡巴斯基官方免费版 hinet 美国堪萨斯 流媒体加速 香港亚马逊 google搜索打不开 香港博客 ping值 winserver2008下载 建站行业 傲盾代理 卡巴斯基免费版下载 更多