Reading notes-"Hacker Exposure" (3/8)

Source: Internet
Author: User
Tags: strong password

Part 2: Endpoint and Server Attacks
Chapter 4: Attacking Windows
4.1 Overview

The chapter is divided into three parts:

(1) Attack techniques used before obtaining authenticated access
(2) Attack techniques used after obtaining authenticated access
(3) Windows security features

4.2 Attack Techniques Before Obtaining Authenticated Access

Ways to remotely compromise a Windows system include:

Authentication spoofing
Network service vulnerabilities
Client-side vulnerabilities
Device driver vulnerabilities

4.2.1 Authentication Spoofing Attack

1. Guessing or subverting credentials remains one of the easiest ways to gain unauthorized access to a Windows system.

2. The traditional way to attack Windows remotely is to attack the Windows File and Print Sharing service, which runs over the SMB protocol. If the system exposes SMB, the most effective way in is the old but still effective remote share-mounting attack.

3. If logging in with only the account name fails, try the "domain\account" syntax.

4. A blank password is represented by two consecutive quotation marks ("").

5. Automated password-guessing tools:

Enum, Brutus, THC Hydra, Medusa, and Venom (Venom guesses passwords through WMI, Windows Management Instrumentation).

6. Password-guessing tool TSGrinder
By default TSGrinder guesses the Administrator password; the -u switch specifies another user name to guess.

7. Brute-forcing Terminal Services/Remote Desktop Services passwords: rdesktop
Runs on most Unix platforms.

8. Countermeasures against password guessing:

(1) Use a network firewall to restrict access to potentially vulnerable services
(2) Use the Windows host-level firewall to restrict access to these services
(3) Disable unnecessary services
(4) Develop and implement strong password policies
(5) Set an account lockout threshold and ensure that it is applied to the built-in Administrator account
(6) Log account logon failure events and review the event logs periodically

9. Use a network firewall to restrict access to vulnerable services
Block access to unneeded TCP and UDP ports at the network-boundary firewall or router.

10. Use Windows Firewall to restrict access to vulnerable services
Firewall rules define the level of protection; implementing them requires a full understanding of which applications should be allowed and which restricted.

11. Disable unnecessary services
On Windows Vista, Windows 7 and Windows Server 2008, network protocols can be disabled or removed from the Network Connections folder.

12. Develop and implement strong password policies
Account policies are found under Control Panel | Administrative Tools. The account policy settings also let the system administrator forcibly disconnect users from the server.

13. Implement a custom TS logon banner
To deter simple Terminal Services password-cracking attacks, set a custom legal notice for Windows logons.
TSGrinder can still retrieve the logon banner before it starts guessing, using its -B option, so the banner does not stop password guessing. It is still a good habit, because it provides a potential basis for legal action.

14. Change the default TS port
Another way to mitigate TS password guessing is to move Terminal Server off its default listening port.

15. Audit logs
Enable auditing and check the logs regularly for evidence left by intruders.
Relevant tools:

DumpEL
Parses logs on a remote server and can filter on up to 10 event IDs
DUMPEVT
Exports the entire security log in a format suitable for an Access or SQL database, but cannot filter for specific events.
EventComb: a multithreaded tool
ELM
Provides centralized, real-time event log monitoring and notification for all versions of Windows, and for non-Windows systems via syslog and SNMP.
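As an added example (not from the book or these notes), the following Python puts countermeasures (5) and (6) from item 8 and the log review from item 15 into practice: it scans constructed Security-log style lines for bursts of failed logons (event ID 4625) from one source against one account, and lists accounts whose lockout threshold actually fired (event ID 4740). The simplified line format, the threshold and the time window are assumptions.

```python
"""Added example: spot password guessing in Windows Security log events.

Constructed input in a simplified "timestamp|event_id|account|source" form,
not real Event Viewer output. Event IDs: 4625 failed logon, 4624 successful
logon, 4740 account locked out. Thresholds and window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
ACCOUNT_LOCKOUT = 4740

SAMPLE_LOG = """\
2024-03-01T08:00:01|4625|Administrator|10.0.0.50
2024-03-01T08:00:02|4625|Administrator|10.0.0.50
2024-03-01T08:00:03|4625|Administrator|10.0.0.50
2024-03-01T08:00:04|4625|Administrator|10.0.0.50
2024-03-01T08:00:05|4625|Administrator|10.0.0.50
2024-03-01T08:00:06|4625|Administrator|10.0.0.50
2024-03-01T08:30:00|4625|alice|10.0.0.21
2024-03-01T09:00:00|4624|alice|10.0.0.21
2024-03-01T09:10:00|4625|bob|10.0.0.22
2024-03-01T09:10:01|4740|bob|10.0.0.22
"""


def parse(log_text):
    """Yield (time, event_id, account, source) from the constructed format."""
    for line in log_text.splitlines():
        if line.strip():
            ts, eid, account, source = line.split("|")
            yield datetime.fromisoformat(ts), int(eid), account, source


def find_guessing(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {(account, source): max failures seen inside one sliding window}
    for every source that reached `threshold` failed logons against an account.
    A user's occasional typo never reaches the threshold; a guessing tool does."""
    failures = defaultdict(list)
    for ts, eid, account, source in parse(log_text):
        if eid == FAILED_LOGON:
            failures[(account, source)].append(ts)
    alerts = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[key] = max(alerts.get(key, 0), count)
    return alerts


def lockouts(log_text):
    """Accounts whose lockout threshold actually fired (event 4740)."""
    return sorted({acct for _, eid, acct, _ in parse(log_text) if eid == ACCOUNT_LOCKOUT})


if __name__ == "__main__":
    for (account, source), n in find_guessing(SAMPLE_LOG).items():
        print(f"possible password guessing: {n} failures for {account} from {source}")
    print("locked out:", lockouts(SAMPLE_LOG))
```

In the constructed sample the built-in Administrator absorbs six failures without a 4740 event, which is exactly the gap countermeasure (5) addresses.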

16. Eavesdropping on network password exchanges
The Windows authentication protocols that can be eavesdropped on are:

LM, NTLM, and Kerberos
The tools used to attack the LM authentication protocol are:
Cain, LCP, John the Ripper jumbo, and L0phtCrack with SMB packet-capture capability.

17. Countermeasures against eavesdropping on Windows authentication
(1) The key is to disable LM authentication.
(2) To reduce Kerberos eavesdropping attacks, choose stronger passwords.

18. Man-in-the-middle attacks
SMBRelay can capture network password hashes and feed them into a cracking tool. An attacker can also relay the connection, either back to the client that originated it or to any other server that accepts the credentials the client presented.

Common attack pattern:

The attacker induces the victim to connect and authenticate to the attacker's own malicious SMB server, for example through an HTML link or an e-mail that points the victim at a malicious web server, which then uses the SMB protocol to obtain the victim's credentials.

Common tools:

Squirtle and SmbRelay3. Cain's tools cannot carry out a full MITM attack.

In environments that rely on NetBIOS name resolution, name spoofing can open the door to MITM attacks.

19. Countermeasures against MITM attacks
(1) If both parties to the communication are members of the same Active Directory domain and the connection between the endpoints is secured through an IPsec policy, Windows Firewall rules can provide authenticated and encrypted communication.
(2) To counter SMB credential reflection attacks, ensure that all systems have applied the patch in Microsoft Security Bulletin MS08-068.
(3) Disable the NetBIOS Name Service (NBNS) outright.
(4) If NBNS must be used, deploy a primary and a secondary Windows Internet Name Service (WINS) server in the network.

20. Pass the hash
Pass-the-hash is a technique in which an attacker authenticates to a remote server using the LM and/or NTLM hash of a user's password instead of the password itself.

Countermeasures against pass-the-hash: defense in depth is the best weapon.

21. Pass the Kerberos ticket
Passing Kerberos tickets is a capability provided by Windows Credential Editor (WCE).

4.2.2 Remote Unauthenticated Exploits

1. Remote unauthenticated exploits target design and configuration vulnerabilities in the Windows software itself.

2. Network service exploits
Common tool: Metasploit

Metasploit is one of the most popular exploitation frameworks and a powerful Windows security testing tool.

Countermeasures against network service exploitation
(1) Test and promptly install patches
(2) Block or shut down the vulnerable remote service
(3) Enable logging and monitoring
(4) Denying access to vulnerable TCP/IP ports removes a number of exposures
(5) It is very important to monitor vulnerable systems in advance and to draw up an incident response plan for use after a compromise.

Common patch management tool: SMS (Systems Management Server)

3. End-user application exploits
Any of the exploit modules can be paired with a payload of the attacker's choice and implanted on the victim's system at the click of a button.

Countermeasures against end-user application attacks
(1) Install a personal firewall, preferably one that also controls outbound connections.
(2) Apply security patches for all relevant software promptly
(3) Run anti-virus software that scans the system automatically, and update it regularly.
(4) Configure Windows Internet Options appropriately in the Control Panel.
(5) Run with minimum privileges
(6) Deploy a network firewall
(7) Read e-mail in plain-text format
(8) Configure Office software as securely as possible
(9) Stay vigilant when using the Internet
(10) Maintain the physical security of computing equipment.

4. Device driver exploits
So that the driver interface can access the underlying hardware efficiently, device drivers run in kernel mode, the operating system's highest privilege level. This attack succeeds only while the (wireless) NIC is in an unassociated state.

Countermeasures against driver exploits
(1) Promptly install vendor-issued patches
(2) Disable vulnerable features in high-risk environments
(3) Use the User-Mode Driver Framework (UMDF), which lets drivers access the kernel through a dedicated API while running in low-privileged user mode.

4.3 Attack Techniques After Obtaining Authenticated Access
4.3.1 Privilege Elevation

1. Common tool: GetAdmin is a well-known privilege elevation tool for Windows NT4. GetAdmin must be run interactively on the target system's console.

2. The basic technique used in this attack is "DLL injection".

3. The most important privilege elevation attack routes are web browsing and e-mail processing.

4. The SYSTEM account has higher privileges than the Administrator account. With Administrator rights, SYSTEM privileges can be obtained by opening a command shell through the Windows Scheduler service.
The free PsExec tool even allows SYSTEM privileges to be obtained remotely.

5. Countermeasures against privilege elevation:
(1) Patch at the code level
(2) Review interactive logon rights

4.3.2 Obtaining and Cracking Passwords

1. Obtaining password hashes
On Windows, password hashes are stored in the Security Account Manager (SAM). The SAM is central to Windows security and is the counterpart of the /etc/passwd file on Unix. Cracking the SAM is one of the most important steps in privilege elevation and trust-relationship attacks.

2. Extracting password hashes with the pwdump tools
Common tools: pwdump, pwdump3e, pwdump6
The pwdump series uses "DLL injection" to load its own code into another, highly privileged process and extract the password hashes from there.

3. Cracking passwords
Password cracking comes down to weak hashing algorithms, clever guessing, and tools.
All Windows password hashes share another flaw: they are not salted.
There are two ways to supply candidate passwords to a cracker: dictionaries and brute force.

Dictionary cracking is the simplest mode. The attacker supplies a list of passwords, which are hashed in turn and compared against the list of captured hashes.
Brute force guesses random strings generated from a given character set.

The principle of the time-memory trade-off: all of the computation needed for cracking is done in advance and stored in so-called rainbow tables, combining the dictionary and brute-force approaches.

Password-cracking tools commonly used on Windows:

LCP, Cain, and ophcrack (rainbow-table based)
The Cachedump tool automatically extracts cached logon credentials from a machine; Cain also has a built-in cached-credential extraction tool.

4. Countermeasures against password cracking:
(1) Set the minimum password length to 8 characters in the security policy
(2) Also enforce policies that restrict password reuse and expire old passwords.
(3) Disable storage of the LM hash.

5. Obtaining cached passwords
The LSA secrets cache is located under the HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets registry key and contains:

(1) Cleartext passwords of service accounts
(2) Password hashes of the last 10 users who logged on
(3) Plaintext passwords of FTP and web users
(4) Names and passwords of Remote Access Service dial-up accounts
(5) The computer account password used to access the domain

6. Countermeasures against obtaining cached passwords
(1) Never let an attacker obtain Administrator-level privileges
(2) Avoid using high-privileged domain accounts to start and run services on local machines
(3) Set the cached-logon value under the Winlogon registry key to 0; roaming users who cannot reach a domain controller will then be unable to log on.

7. Extracting hashes from memory
WCE (Windows Credential Editor) can extract the authentication credentials that the Windows authentication subsystem keeps in memory.

Countermeasures against extracting hashes from memory:
Domain administrators should avoid using RDP to connect to unknown or untrusted systems, so that their password hashes are not left exposed there.

4.3.3 Remote Control and Backdoors

1. Backdoors: once an intruder has obtained Administrator rights and passwords, they will typically use various remote control services to consolidate control of the system.

2. Command-line remote control tools
Netcat is one of the simplest remote control backdoors; it can be configured to listen on a particular port and launch an executable when a remote system connects to that port. The syntax for starting netcat in stealth mode is:

nc -l -d -e cmd.exe -p 8080

Where SMB is accessible, PsExec is the best tool.
For browser-based attacks, Metasploit also offers ActiveX exploits that run through a hidden IEXPLORE.exe process over an HTTP connection.

3. Graphical remote control tools
Common tool: VNC (Virtual Network Computing)

4.3.4 Port Redirection

1. Shell-based remote control programs require a direct connection to the controlled host. Port redirection works by listening on a specified port and forwarding packets sent to that port to a second, specified target.

2. FPipe
FPipe is a TCP source-port forwarding/redirection tool. It creates a TCP stream and lets you specify the source port.
Its basic function is port redirection; its most useful feature is the ability to choose the source port of the connection channel.

4.3.5 Covering Tracks

1. Disabling auditing
Common tool: the Resource Kit tool auditpol lets intruders easily turn auditing off.

2. Clearing the event log
Common tool: the elsave program clears the event log.

3. Hiding files
(1) The attrib command
The simplest way to hide a file is to copy it into a subdirectory and hide it with the old DOS command attrib:

attrib +h [directory]

However, hidden files are still visible once the Show All Files option is selected in Explorer.

(2) Alternate data streams
If the target uses the NTFS file system, a toolkit can be hidden inside a file's alternate data stream.

4. Countermeasures against alternate data streams
Common tool: the sfind program can discover NTFS file streams, including those used by rootkits.

4.3.6 General Defense: What to Do When an Attacker Can "Legitimately" Log On to Your System

1. Once the highest-privileged account on the system has been compromised, the best strategy is to reinstall the system software from a trustworthy backup.

2. File names
Carefully check for root.exe, sensepost.exe, and any files whose size is close to that of cmd.exe.
A classic mechanism for detecting and preventing malicious files from residing on the system is anti-malware software.

3. Registry keys
The command-line program REG.EXE can easily delete these keys on both local and remote systems.

4. Processes
The Scheduler service is used to start malicious processes; it can also be used to gain remote control of a system and to start processes under the all-powerful SYSTEM account.

5. Ports
Regularly running the netstat command to check for unknown connections is the best way to find backdoors.
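An added example (not the book's) of the netstat check above: it parses constructed netstat -ano style output together with a constructed PID-to-image map (what tasklist would provide) and flags listeners outside a baseline allowlist, as well as established connections owned by shell-like processes such as the nc.exe backdoor from 4.3.3. The sample output, the PID map and the baseline are assumptions.

```python
"""Added example: flag unexpected listeners in `netstat -ano` style output.

NETSTAT_SAMPLE and PID_IMAGE (what `tasklist` would show) are constructed
samples; EXPECTED_LISTENERS is an assumed baseline for a file server.
"""
import re

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       3320
  TCP    10.0.0.5:445           10.0.0.21:49712        ESTABLISHED     4
  TCP    10.0.0.5:8080          10.0.0.50:51040        ESTABLISHED     3320
  UDP    0.0.0.0:137            *:*                                    4
"""
PID_IMAGE = {912: "svchost.exe", 4: "System", 3320: "nc.exe"}
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 445), ("UDP", 137)}
SUSPECT_IMAGES = {"nc.exe", "cmd.exe", "powershell.exe"}  # shells should not own sockets

# proto, local addr:port, foreign addr, optional state (absent for UDP), pid
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Yield one dict per connection line; the header lines do not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, laddr, lport, faddr, state, pid = m.groups()
            yield {"proto": proto, "laddr": laddr, "lport": int(lport),
                   "faddr": faddr, "state": state or "", "pid": int(pid)}


def find_suspicious(text, pid_image, expected=EXPECTED_LISTENERS):
    """Return (proto, port, pid, image, reason) tuples for listeners outside
    the baseline and for established connections owned by shell-like images."""
    findings = []
    for c in parse_netstat(text):
        image = pid_image.get(c["pid"], "?")
        if c["state"] == "LISTENING" and (c["proto"], c["lport"]) not in expected:
            findings.append((c["proto"], c["lport"], c["pid"], image, "unexpected listener"))
        elif c["state"] == "ESTABLISHED" and image.lower() in SUSPECT_IMAGES:
            findings.append((c["proto"], c["lport"], c["pid"], image, "shell with network connection"))
    return findings


if __name__ == "__main__":
    for proto, port, pid, image, reason in find_suspicious(NETSTAT_SAMPLE, PID_IMAGE):
        print(f"{reason}: {proto}/{port} pid {pid} ({image})")
```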

4.4 Windows Security Features
4.4.1 Windows Firewall

The "Exceptions" settings are retained, and a new "Advanced" tab allows the firewall to be configured through Group Policy.

4.4.2 Automatic Updates

The most important defense against external attacks is the timely installation of Microsoft's patches and service packs.

4.4.3 Security Center

Security Center lets you centrally view and configure the critical system security features: firewall, Automatic Updates, anti-virus, and Internet options.

4.4.4 Security Policy and Group Policy

Security policy settings apply primarily to stand-alone computers.
GPOs are the ultimate means of securing the configuration of large networks running Windows 2000 and later; the secedit tool refreshes policy immediately.

4.4.5 Microsoft Security Essentials (MSE)

Microsoft Security Essentials includes real-time protection, system scanning and cleanup, Trojan protection, a network inspection system, and automatic updates.

4.4.6 Enhanced Mitigation Experience Toolkit (EMET)

The Enhanced Mitigation Experience Toolkit allows these mitigation technologies to be enabled or disabled on a per-process basis.

4.4.7 BitLocker and EFS

1. The Encrypting File System (EFS) is a public-key-based encryption mechanism that encrypts file-level data on disk in real time and transparently; a data recovery agent must be in place. The default data recovery agent is the local Administrator account.
EFS is intended to protect files on NTFS volumes from someone who has physical access and could otherwise bypass access checks.

2. BitLocker Drive Encryption can block offline attacks, such as password-reset attacks, against EFS.

4.4.8 Windows Resource Protection (WRP)

1. Relies on access control lists (ACLs) to provide real-time protection for system files.

2. In the default configuration, only specific actions are permitted on WRP-protected files.

3. An obvious weakness of WRP is that the Administrator account can change the ACLs protecting the resources; its main purpose is to prevent third-party software installers from modifying files that are important to system stability.

4.4.9 Integrity Levels, UAC, and PMIE

Performing operations that require administrator privileges triggers an additional consent prompt (UAC), which yields an access token with higher privileges than a standard user's.

4.4.10 Data Execution Prevention (DEP)

DEP combines hardware and software: hardware DEP runs automatically on processors that support it and marks specific memory regions as non-executable. Software-based DEP blocks attack techniques that exploit weaknesses in the Windows exception-handling mechanism.

4.4.11 Windows Service Hardening

Windows service hardening covers five areas:

(1) Service resource isolation
(2) Least-privilege services
(3) Service refactoring
(4) Restricted network access
(5) Session 0 isolation

4.4.12 Compiler-Based Enhancements

1. GS is a compile-time technique that prevents stack buffer overflow vulnerabilities on the Windows platform; it does so by placing a random value (a cookie) between the local variables and the return address on the stack.

2. SafeSEH: mainly ensures that exception handling cannot be exploited by attackers.

3. Address Space Layout Randomization (ASLR) is designed to reduce an attacker's ability to predict memory addresses and thus to find useful instructions and control data.

On Practising with Netcat

The Netcat tool is available for both Windows and Linux and will be summarized together with the next chapter's content.

