Hands-On Ethical Hacking and Network Defense

This document discusses tools and techniques for assessing vulnerabilities on Microsoft systems. It describes tools like MBSA, HFNetChk, and Winfingerprint that can identify vulnerabilities related to patches, passwords, services and more. The document also outlines various Microsoft OS vulnerabilities involving RPC, NetBIOS, SMB, CIFS, IIS, SQL Server and more. It provides best practices for hardening systems like comprehensive password policies, locking down ports, and keeping systems patched.

Hands-On Ethical Hacking and Network Defense
Chapter 8: Microsoft Operating System Vulnerabilities

Objectives
- Tools to assess Microsoft system vulnerabilities
- Describe the vulnerabilities of Microsoft operating systems and services
- Techniques to harden Microsoft systems against common vulnerabilities
- Best practices for securing Microsoft systems
Tools to Identify Vulnerabilities on Microsoft Systems
- Many tools are available for this task
  - Using more than one tool is advisable
- Using several tools helps you pinpoint problems more accurately

Built-in Microsoft Tools
- Microsoft Baseline Security Analyzer (MBSA)
- Winfingerprint
- HFNetChk

Microsoft Baseline Security Analyzer (MBSA)
- Effective tool that checks for
  - Patches
  - Security updates
  - Configuration errors
  - Blank or weak passwords
  - Others
- MBSA supports remote scanning
  - The associated product must be installed on the scanned computer

MBSA Results
(Screenshots of MBSA scan results; images not reproduced.)

MBSA Versions
- 2.x for Windows 2000 or later and Office XP or later
- 1.2.1 if you have older products
- After installing, MBSA can
  - Scan the local machine
  - Scan other computers remotely
  - Be scanned remotely over the Internet
HFNetChk
- HFNetChk is part of MBSA
  - Available separately from Shavlik Technologies
  - Can be used to control the scanning more precisely, from the command line

Winfingerprint
- Administrative tool
- It can be used to scan network resources
- Exploits Windows null sessions
- Detects
  - NetBIOS shares
  - Disk information and services
  - Null sessions

Winfingerprint (continued)
- Can find
  - OS detection
  - Service packs and hotfixes
  - Running services
  - See Project X6 for details
Microsoft OS Vulnerabilities
- Microsoft integrates many of its products into a single package
  - Such as Internet Explorer and the Windows OS
  - This creates many useful features
  - It also creates vulnerabilities
- Security testers should search for vulnerabilities on
  - The OS they are testing
  - Any application running on the server

CVE (Common Vulnerabilities and Exposures)
- A list of standardized names for vulnerabilities
- Makes it easier to share information about them
  - cve.mitre.org (link Ch 8c)
  - Demonstration: Search

Remote Procedure Call (RPC)
- RPC is an interprocess communication mechanism
  - Allows a program running on one host to run code on a remote host
- Examples of worms that exploited RPC
  - MSBlast (LovSAN, Blaster)
  - Nachi
- Use MBSA to detect whether a computer is vulnerable to an RPC-related issue

NetBIOS
- Software loaded into memory
  - Enables a computer program to interact with a network resource or other device
- NetBIOS is not a protocol
  - NetBIOS is an interface to a network protocol
  - It's sometimes called a session-layer protocol, or a protocol suite (Links Ch 8d, 8e, 8f)
NetBEUI
- NetBIOS Extended User Interface
  - Fast, efficient network protocol
  - Allows NetBIOS packets to be transmitted over TCP/IP
  - NBT is NetBIOS over TCP

NetBIOS (continued)
- Newer Microsoft OSs do not need NetBIOS to share resources
  - NetBIOS is used for backward compatibility
  - You can turn off NetBIOS for Windows 2000 and later (links Ch 8g & 8h)

Server Message Block (SMB)
- Used by Windows 95, 98 and NT to share files
- Usually runs on top of NetBIOS, NetBEUI or TCP/IP
- Hacking tools
  - L0phtcrack's SMB Packet Capture utility
  - SMBRelay
  - Ettercap (see Project 23, Links Ch 8r & 8s)

Demonstration: ettercap

Common Internet File System (CIFS)
- CIFS replaced SMB for Windows 2000, XP, and Windows 2003 Server
  - SMB is still used for backward compatibility
- CIFS is a remote file system protocol
  - Enables computers to share network resources over the Internet
Common Internet File System (CIFS) (continued)
- Enhancements over SMB
  - Resource locking (if two people use the same thing at once)
  - Support for fault tolerance
  - Capability to run more efficiently over dial-up
  - Support for anonymous and authenticated access

Common Internet File System (CIFS) (continued)
- Server security methods
  - Share-level security
    - A password assigned to a shared resource
  - User-level security
    - An access control list assigned to a shared resource
    - Users must be on the list to gain access
  - Passwords are stored in an encrypted form on the server
- But CIFS is still vulnerable (see link Ch 8n)
  - Don't let NetBIOS traffic past the firewall

Understanding Samba
- Open-source implementation of CIFS
  - Created in 1992
- Samba allows sharing resources over multiple OSs
- Samba accessing Microsoft shares can make a network susceptible to attack
- Samba is used to "trick" Microsoft services into believing the *NIX resources are Microsoft resources

Samba is Built into Ubuntu
- Click Places, Connect to Server
  - Windows shares are marked with SMB
Closing SMB Ports
- Best way to protect a network from SMB attacks
  - Routers should filter out ports
    - 137 to 139
    - 445

Default Installations
- Windows 9x, NT, and 2000 all start out with many services running and ports open
  - They are very insecure until you lock them down
- Windows XP, 2003, and Vista are much more secure by default
  - Services are blocked until you open them

Passwords and Authentication
- A comprehensive password policy is critical
  - Change passwords regularly
  - Require a password length of at least six characters
  - Require complex passwords
  - Never write a password down or store it online or on the local system
  - Do not reveal a password over the phone

Passwords and Authentication (continued)
- Configure domain controllers
  - Enforce password age, length and complexity
  - Account lockout threshold
  - Account lockout duration
- Start, Run, GPEDIT.MSC
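A check that applies the password rules from these two slides, added here as an example and not taken from the slides or from Microsoft: the six-character minimum is the slide's figure, while the "three of four character classes" and "must not contain the account name" rules are assumed from the definition Windows uses for its "Password must meet complexity requirements" setting.

```python
import re

# Policy values: the minimum length of six comes from the slide. The
# "3 of 4 character classes" and "no account name" rules are assumed to
# match the Windows complexity-requirements definition (not on the slide).
MIN_LENGTH = 6
CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def check_password(password: str, account_name: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Which character classes the password actually uses, in CLASSES order.
    present = [name for name, rx in CLASSES.items() if rx.search(password)]
    if len(present) < 3:
        problems.append("uses fewer than 3 of 4 character classes: "
                        + ", ".join(present or ["none"]))
    # Account names of three or more characters must not appear in the
    # password, compared case-insensitively.
    if len(account_name) >= 3 and account_name.lower() in password.lower():
        problems.append("contains the account name")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords for the account "jsmith".
    for pw in ("secret", "Secret1", "jsmith#2024", "ab1", "Tr0ub4dor&3"):
        print(f"{pw!r}: {check_password(pw, 'jsmith') or 'OK'}")
```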
IIS (Internet Information Services)
- IIS 5 and earlier install with critical security vulnerabilities
  - Run the IIS Lockdown Wizard (link Ch 8p)
- IIS 6.0 installs with a "secure by default" posture
  - Configure only the services that are needed
  - Windows 2000 ships with IIS installed by default
  - Running MBSA can detect IIS running on your network

IIS Buffer Overflows
(Slide of IIS buffer-overflow examples; image not reproduced.)

SQL Server
- SQL Server vulnerabilities are exploited in these areas
  - The SA account with a blank password
  - SQL Server Agent
  - Buffer overflow
  - Extended stored procedures
  - Default SQL port 1433
- Vulnerabilities related to SQL Server 7.0 and SQL Server 2000

The SA Account
- The SA account is the master account, with full rights
- SQL Server 6.5 and 7 installations do not require setting a password for this account
- SQL Server 2000 supports mixed-mode authentication
  - The SA account is created with a blank password
  - The SA account cannot be disabled

SQL Server Agent
- Service mainly responsible for
  - Replication
  - Running scheduled jobs
  - Restarting the SQL service
- An authorized but unprivileged user can create scheduled jobs to be run by the agent

Buffer Overflow
- Database Consistency Checker in SQL Server 2000
  - Contains commands with buffer overflows
- SQL Server 7 and 2000 have functions that generate text messages
  - They do not check that messages fit in the buffers supplied to hold them
- Format string vulnerability in the C runtime functions

Extended Stored Procedures
- Several of the extended stored procedures fail to perform input validation
  - They are susceptible to buffer overruns

Default SQL Port 1433
- SQL Server is a Winsock application
  - Communicates over TCP/IP using port 1433
- Spida worm
  - Scans for systems listening on TCP port 1433
  - Once connected, attempts to use xp_cmdshell
    - Enables and sets a password for the Guest account
- Changing the default port is not an easy task
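An added example, not part of the original slides, serving both the Closing SMB Ports slide and the Default SQL Port slide: it audits Windows `netstat -an` output for sockets on the NetBIOS/SMB ports the chapter says to filter (137 to 139, 445) and on the SQL Server default 1433, reporting only those bound to a non-loopback address. The netstat sample is constructed, and the column layout is assumed to match the standard Windows `netstat -an` format.

```python
# Constructed sample of Windows "netstat -an" output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1434         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.50:51022     ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Ports the chapter says to lock down, with the reason each one matters.
WATCH = {
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
    445: "SMB over TCP (CIFS)",
    1433: "SQL Server default port (Spida worm target)",
}


def parse_listeners(netstat_text):
    """Yield (proto, address, port) for TCP sockets in LISTENING state and all UDP sockets."""
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or unknown protocol
        proto, local = parts[0], parts[1]
        state = parts[3] if len(parts) > 3 else ""   # UDP lines carry no state column
        if proto == "TCP" and state != "LISTENING":
            continue  # established/time-wait sockets are not exposed services
        addr, _, port = local.rpartition(":")         # rpartition also handles [::]:445
        yield proto, addr, int(port)


def find_exposed(netstat_text):
    """Return (proto, address, port, reason) for watched ports reachable from the network,
    i.e. bound to anything other than a loopback address."""
    findings = []
    for proto, addr, port in parse_listeners(netstat_text):
        if port in WATCH and not addr.startswith("127.") and addr != "[::1]":
            findings.append((proto, addr, port, WATCH[port]))
    return findings


if __name__ == "__main__":
    for proto, addr, port, reason in find_exposed(SAMPLE_NETSTAT):
        print(f"{proto} {addr}:{port} exposed: {reason}")
```

On a real host, pipe `netstat -an` into the script instead of using the constructed sample; a finding means either the service should be disabled or the port filtered at the router as the slide recommends.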
Best Practices for Hardening Microsoft Systems
- Penetration tester
  - Finds vulnerabilities
- Security tester
  - Finds vulnerabilities
  - Gives recommendations for correcting found vulnerabilities

Patching Systems
- The number-one way to keep your system secure
  - Attacks take advantage of known vulnerabilities
  - Options for small networks
    - Accessing Windows Update manually
    - Automatic Updates
  - This technique does not really ensure that all machines are patched at the same time
  - Does not let you skip patches you don't want

Patching Systems (continued)
- Some patches cause problems, so they should be tested first
- Options for patch management for large networks
  - Systems Management Server (SMS)
  - Software Update Service (SUS)
- Patches are pushed out from the network server after they have been tested

Antivirus Solutions
- An antivirus solution is essential
- For small networks
  - Desktop antivirus tool with automatic updates
- For large networks
  - Corporate-level solution
- An antivirus tool is almost useless if it is not updated regularly
Enable Logging and Review Logs Regularly
- Important step for monitoring critical areas
  - Performance
  - Traffic patterns
  - Possible security breaches
- Logging can have a negative impact on performance
- Review logs regularly for signs of intrusion or other problems
  - Use a log-monitoring tool
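An added example of the log review step, not from the slides: it reads a constructed export of Windows Security events and flags any source that produces repeated failed logons inside a short window, along with every account lockout. The CSV layout and the event IDs (4625 failed logon, 4624 successful logon, 4740 account locked out) are assumptions from the Windows Security log, not values given in the chapter.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: timestamp, event ID, account, source address.
# Event IDs are the standard Security log values (assumed, not from the slides):
# 4624 = successful logon, 4625 = failed logon, 4740 = account locked out.
SAMPLE_LOG = """\
2024-05-01 09:58:00,4624,alice,192.168.1.21
2024-05-01 10:00:01,4625,jsmith,192.168.1.50
2024-05-01 10:00:03,4625,jsmith,192.168.1.50
2024-05-01 10:00:04,4625,administrator,192.168.1.50
2024-05-01 10:00:06,4625,guest,192.168.1.50
2024-05-01 10:00:09,4625,jsmith,192.168.1.50
2024-05-01 10:00:10,4740,jsmith,192.168.1.50
2024-05-01 10:20:00,4625,bob,192.168.1.77
2024-05-01 11:30:00,4625,bob,192.168.1.77
"""

FAILED_LOGON, LOCKOUT = 4625, 4740


def parse(log_text):
    """Yield (timestamp, event_id, account, source) per line of the export."""
    for line in log_text.splitlines():
        ts, event_id, account, source = line.split(",")
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(event_id), account, source


def review(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return findings. A source producing `threshold` failed logons within `window`
    is reported once as a possible password-guessing attempt; every lockout is reported."""
    findings = []
    recent = defaultdict(deque)   # source -> timestamps of failures still inside the window
    flagged = set()
    for ts, event_id, account, source in parse(log_text):
        if event_id == LOCKOUT:
            findings.append(f"lockout: {account} from {source} at {ts}")
        elif event_id == FAILED_LOGON:
            q = recent[source]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and source not in flagged:
                flagged.add(source)
                findings.append(f"{threshold} failed logons within {window} from {source}")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```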
Disable Unused or Unneeded Services
- Disable unneeded services
- Delete unnecessary applications or scripts
- Unused applications or services are an invitation for attacks
- Requires careful planning
  - Close unused ports but maintain functionality

Other Security Best Practices
- Use a firewall on each machine, and also a firewall protecting the whole LAN from the Internet
- Delete unused scripts and sample applications
- Delete default hidden shares
- Use different names and passwords for public interfaces

Other Security Best Practices (continued)
- Be careful of default permissions
  - For example, new shares are readable by all users in Windows XP
- Use available tools to assess system security
  - Like MBSA, IIS Lockdown Wizard, etc.
- Disable the Guest account
- Rename the default Administrator account
- Enforce a good password policy
- Educate users about security
- Keep informed about current threats
