Computer Network Defense Course, 02/04/2020

Analysis: Analyzing the Windows Operating System

Non-volatile Information
Data is preserved even though the system may be restarted, powered off, or the user logs off.
Examples and sources:
- Internal or external hard drive
- USB flash drive
- Floppy disk
- CD-ROM
- Tape drive

Volatile Information
Data may be lost if the system is restarted, powered off, or the user logs off.
Examples and sources:
- RAM (system memory)
- Active user processes and NT services
- DLL usage
- Caches (ARP/DNS/NetBIOS)
- Network connections (IP addresses/port usage)
- Network statistics (type and counts)
- Active device drivers
- System date and time?

CNDC Analysis Toolkit
- Contains O.S. and service pack specific tools
  - Must be tailored to match your environment
- Contains other vendors' tools (e.g. Sysinternals)
- Contains a few select third-party tools
- Allows analysis in a trusted environment
  - Tools from the system's hard drive may be compromised
  - Tools available when needed

CNDC Analysis Toolkit Design
Recommendations:
- Information can be collected in various ways
  - Using multiple techniques can be beneficial
- Use what's familiar/comfortable for you
- Use only approved tools for your environment!!!
- Use this class as a reference, but build your own.
- ACERT maintains their Log Collector for analysis:

Exploit: Exploitation of the Windows Operating System

Summary of Attack
- Footprint - Review
- Scan - Review
- Enumerate - Review
- Exploitation

Internet Footprinting - Summary
- Web site searches: home page, Google, etc.
- WHOIS enumeration, etc.
- DNS enumeration: nslookup, dig, AXFR, etc.
  - Example: nslookup (ls -d ...)
- Path determination: traceroute, Visual Route, etc.

Scanning - Summary
- IP/port scanning*
  - Example: Nmap
- IP addresses: ping sweeps, etc.
- Ports (TCP/UDP) and services: version scanning, etc.
- OS/device type and version: ports, ICMP data, TCP/IP flags/settings, etc.
* Note: this doesn't imply vulnerability scanning

Enumeration - Summary
- Detailed information*: extracting as much detailed information as possible from a device or service.
- Requires an active connection
- Examples:
  - NetBIOS (null sessions using the IPC$ share)
  - LDAP (query Active Directory)
  - SNMP (routers and managed switches)
* Note: this is often where the legal barrier is crossed

What this Class is About
- Exploitation: learning how various exploits work
- Analysis: software tools and methods for obtaining information
- Countermeasures: how to protect yourself from attacks

Summary of Exploitation
- Obtain access: seek out the Administrator or System level accounts for local privileged access.
- Consolidation of power: install additional tools to help obtain further influence.
- Data hiding techniques/eliminate evidence: help hide the attacker's activities.
- Denial of service: mount an attack, or done just in plain frustration.

The Quest for Control
Obstacles for the attacker:
- The attacker is limited if not Administrator
- Remote command execution is difficult
- Magic bullets can be difficult to come by
  - Be aware of vendors' security bulletins

Local -vs- Domain Accounts
- Attackers may find it easier to target local accounts.
  - Less administration and auditing
  - When was the last time the local Admin password was changed?
  - Using an identical user name/password for the local Admin account on workstations.
    - Example: cloning systems with Ghost.

Authentication Types
- LM (any): seven characters (x2) (upper case, #s, special)
- NTLM (NT only): 14 characters (upper/lower case, #s, special)
- NTLMv2 (NT4 sp4+, AD client): message confidentiality (encryption) & integrity, 128-bit encryption, and NTLMv2 session security
  - Default now for XP sp3, Vista, and Windows 7 clients
- Kerberos (W2k+, AD client): authentication using a shared secret or smartcard

Authentication Exploits
- Online password attacks
  - Must have physical/network access
  - Microsoft: TCP 139/445 (LM/NTLM), UDP 88 (Kerberos)
  - Example: net use \\x.x.x.x\ipc$ /user:[name] [password]
- Offline password attacks
  - Must obtain a hash (i.e. Cain & Abel)
  - Dictionary or brute force attack
  - Pre-computed hash tables (i.e. Rainbow Crack)
- Session hijacking/replay attacks
  - Examples: SMB Relay, hijacking a Kerberos session ticket

Countermeasure: Authentication Exploits
- Auditing the NT Security Event Log: failed (and successful) logon attempts
- Good password policies: long/complex passwords that change frequently
- Alternate forms of authentication: biometrics, smartcards, certificates, etc.
- Enable SMB signing: prevents session hijacking (LM/NTLM/Kerberos)
  - Ref: Q230545 (Win98) & Q161372 (NT) K.B. articles

Countermeasure: Authentication Exploits (cont)
- Disable weak authentication types: HKLM\System\CurrentControlSet\Control\LSA
  - Value: LMCompatibilityLevel (DWORD) = ?
  - Domain Controller = 5, Client = 3
- Disable LM hash storage in the SAM (W2k SP2+): Sub-key: NoLMHash
- Disable LM hash storage in A.D. (XP/W2k3): Value: NoLMHash (DWORD) = 1
  - Ref: Q299656 K.B. article

Privilege Escalation
- Attacker currently has no/limited access.
  - Can't run all tools from a typical user account.
- Attacker will want to escalate privileges:
  - Exploit a higher privileged process/service
  - Exploit a higher privileged user
- Possible if the vendor/administrator doesn't properly configure/secure an application or system.
- Equally possible using social engineering.

Privilege Escalation (example)
- DLL / code injection: inserting new functions into another process.
  - Example: Getadmin/Crash4 utilities
    - Used DLL injection to hijack the Winlogon process
    - Added a user to the local Administrators group
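To make the auditing countermeasure above concrete (failed and successful logon attempts in the NT Security Event Log, which is where an online password attack over TCP 139/445 shows up), here is an added example, not the course's own tool, that runs simple detection logic over constructed log records. It assumes the Vista/Server 2008-style event IDs 4624 (success) and 4625 (failure) and a simplified one-line-per-event format.

```python
"""Detect online password guessing from Windows Security log records.

Added example for the auditing countermeasure; not a tool from the course.
Records are constructed and simplified to one line per event. Event IDs
4624 (success) and 4625 (failure) are the Vista/Server 2008 and later IDs,
an assumption for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) EventID=(?P<eid>\d+) "
    r"Account=(?P<acct>\S+) Source=(?P<src>\S+) LogonType=(?P<ltype>\d+)$"
)
SUCCESS, FAILURE = "4624", "4625"

# Constructed sample: five failures then a success over the network (logon type 3)
# from one source, and one innocent interactive typo (logon type 2) from another.
SAMPLE_LOG = """\
2020-02-04 09:00:00 EventID=4625 Account=administrator Source=10.0.0.7 LogonType=3
2020-02-04 09:00:03 EventID=4625 Account=administrator Source=10.0.0.7 LogonType=3
2020-02-04 09:00:05 EventID=4625 Account=administrator Source=10.0.0.7 LogonType=3
2020-02-04 09:00:08 EventID=4625 Account=administrator Source=10.0.0.7 LogonType=3
2020-02-04 09:00:10 EventID=4625 Account=administrator Source=10.0.0.7 LogonType=3
2020-02-04 09:00:12 EventID=4624 Account=administrator Source=10.0.0.7 LogonType=3
2020-02-04 09:05:00 EventID=4625 Account=jsmith Source=10.0.0.21 LogonType=2
2020-02-04 09:05:30 EventID=4624 Account=jsmith Source=10.0.0.21 LogonType=2
"""

def parse(line):
    """Return a dict for one record, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev

def detect(lines, threshold=5, window=timedelta(minutes=2)):
    """Return alerts as tuples.

    ("burst", source, failure_count, ts): `threshold` failures from one source
        inside `window`, the shape of an online guessing attack.
    ("success-after-burst", source, account, ts): a network logon succeeded
        from a source that was just bursting, i.e. a guess probably worked.
    """
    alerts = []
    failures = defaultdict(deque)   # source -> timestamps of recent failures
    reported = set()                # sources already reported as bursting
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        recent = failures[src]
        if ev["eid"] == FAILURE:
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and src not in reported:
                alerts.append(("burst", src, len(recent), ts))
                reported.add(src)
        elif ev["eid"] == SUCCESS and ev["ltype"] == "3":
            if len(recent) >= threshold:
                alerts.append(("success-after-burst", src, ev["acct"], ts))
                recent.clear()
                reported.discard(src)
    return alerts

def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```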

Privilege Escalation (example)
- Windows debugging interface: monitor and change the behavior of a process.
  - Example: DebPloit
    - Attached to a process as a debugger and executed the attacker's command with the process's rights.
- System configuration flaw or quirk:
  - Example: interpretation of long file names in Windows
    - Using spaces (without quotes) can be problematic
    - C:\program files\{some path}\... -or- c:\program.???
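The long-file-name quirk above can be audited for rather than merely remembered. This added script (not from the course) models how the loader walks the space-delimited prefixes of an unquoted service ImagePath, appending .exe to a prefix that has no extension, and flags services whose path should be quoted; the service names and paths are constructed.

```python
"""Find service command lines exposed to the unquoted long-file-name quirk.

Added example, not a course tool. Given an ImagePath such as
C:\\Program Files\\Vendor\\agent.exe, Windows tries each space-delimited prefix
in turn (C:\\Program.exe, then the full path), appending .exe when the prefix
has no extension. The service entries below are constructed.
"""
EXE_EXT = (".exe", ".com", ".bat", ".cmd")

def candidate_paths(cmdline):
    """Paths the loader would try, in order, for a service command line.

    A quoted path yields exactly one candidate. An unquoted path with spaces
    yields one candidate per prefix up to the first token carrying an
    executable extension; tokens after that are arguments.
    """
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return [s[1:end] if end != -1 else s[1:]]
    tokens = s.split(" ")
    cands = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        last_component = prefix.rsplit("\\", 1)[-1]
        cands.append(prefix if "." in last_component else prefix + ".exe")
        if prefix.lower().endswith(EXE_EXT):
            break   # intended executable reached; later tokens are arguments
    return cands

def audit(services):
    """services: iterable of (name, ImagePath).

    Returns {name: [paths probed before the intended executable]} for every
    service whose ImagePath needs quoting. Each probed path is a location an
    unprivileged user must not be able to write to."""
    findings = {}
    for name, image_path in services:
        cands = candidate_paths(image_path)
        if len(cands) > 1:
            findings[name] = cands[:-1]
    return findings

# Constructed entries (HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath)
SAMPLE_SERVICES = [
    ("GoodSvc", r'"C:\Program Files\Good Vendor\svc.exe" -k run'),
    ("BadSvc", r"C:\Program Files\Bad Vendor\Agent\agent.exe -service"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
]

if __name__ == "__main__":
    for name, probes in audit(SAMPLE_SERVICES).items():
        print(f"{name}: quote the ImagePath; the loader would first try {probes}")
```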

Privilege Escalation (example)
- Buffer overflows: occur when programs do not check input for appropriate length and type.
  - Unexpected input overflows into other memory space.
  - Stack-based overflow: padding/machine code placed on the stack by the attacker, and the return address set to point to the code.
  - Other overflow types: heap corruption, format string attacks, etc.

Stack Buffer Overflows
[Diagram: stack layout showing Variable 1 (16 bytes) and Variable 2 (128 bytes) holding legal-size data or padding, the 4-byte return address hijacked to point at a JMP ESP instruction in Kernel32.DLL, and the payload (??? bytes) pushed onto the stack. Main program flow: 1. instruction ... 5. vulnerable function read/copy command ... 6. next instruction?]

Buffer Overflows (cont)
Typical usages:
- Local buffer overflow:
  - Requires console access.
  - Available to interactively logged-on users.
- Remote buffer overflow:
  - Much more dangerous than a local attack.
  - Requires no or little privilege.
  - Can potentially be exploited from anywhere.

Countermeasure: Buffer Overflows
- Publishers have a critical role:
  - Good coding practices by programmers.
  - Using safe libraries.
  - C/C++ are more vulnerable than other languages.
- Microsoft's defenses:
  - Data Execution Prevention (DEP): added to Windows XP (sp2) & 2003 (sp1).
    - Without proper hardware support it can be bypassed.
  - Address Space Layout Randomization (ASLR)
  - Compiler options: /GS and /SafeSEH

Countermeasure: Privilege Escalation
- Keep your systems fully patched.
- Securely configured systems.
- Use updated antivirus software.
- Use host based IDS and firewalls.
- Create a baseline for your systems.

Countermeasure: Privilege Escalation (cont)
- Configure services to run with the least amount of privilege necessary.
- Use the runas command: temporarily increase or decrease (i.e. sandbox) your privileges to execute a specified program.
- User Account Control (UAC): the system asks for confirmation when a program is executed that requires administrative permissions or privileges.
  - Vista, Windows 7 and Server 2008

Physical Access
Bypassing O.S. security and protections
- DOS/Windows based solutions:
  - NTFSDOS: DOS driver that allows read-only access to NTFS
  - Bart's PE Builder: creates a bootable Windows XP/2K3 CD-ROM; add in custom plugins for additional capabilities

Physical Access (cont)
- Linux based solutions:
  - Captive NTFS drivers: wrapper for NT drivers that allows full access to NTFS
  - Linux-NTFS drivers: limited read-write (overwrite) access to NTFS
    - Fuse and NTFS-3G add full read/write access
  - chntpw: offline password and registry editor

Countermeasure: Physical Access
- BIOS boot options:
  - Hard drive only
  - Disable the temporary boot menu
  - Password protect the BIOS
- Encryption:
  - Encrypting File System (EFS)
    - Will resetting the password allow access?
  - Full partition / hard drive encryption

Consolidation of Power
If attackers reach this step:
- Attackers have Administrator or System level access on the victim's system.
- Attackers might wish to install additional tools.
- The Administrator must try to identify what has been compromised on the system.
- Stopping intruders now is critical.
Sorry, it's too late.

Information Gathering
- Identify access to critical data:
  - Determine file and folder permissions. Example: icacls.exe
  - File data searches. Example: find.exe or findstr.exe
  - Registry data searches. Example: reg.exe

LSA Secrets
Stores various forms of logon credentials: HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets
- Service account passwords in plain text (example: backup software)
- Cached password hashes (default: last 10 users)
- FTP and web user passwords in plain text
- RAS dial-up account names and passwords
- Computer account passwords for domain access

Cached Logons
- Cached domain logon credentials can be extracted and cracked in much the same way that programs like L0phtCrack work.
- CacheDump: extracts hashes from the registry: HKLM\SECURITY\CACHE
- cachebf: cracks hashes by brute force/dictionary attack.

Malicious Spyware
- Used to monitor an unsuspecting victim's activities.
- Easily designed using various hooks in the Windows OS.
  - Key/mouse loggers
  - Screen capture utilities
  - IE usage and browsing habits

Spyware (Key Loggers)
[Diagram: three hook points for a key logger. #1 at the hardware/driver-filter level, #2 in the kernel, #3 a hook DLL in the Win32 subsystem feeding Keylog.exe; the applications shown are Background App 1, Focused App 2 and Background App 3.]

Sniffing/ARP Spoofing
Allows an attacker to gain access to packets being sent over a switched network.
- ARP cache poisoning: sending false ARP replies to victims in order to update their caches so traffic is forwarded to the attacker over a switched network.
- Switch port stealing: sending layer 2 packets to the switch with the goal of modifying the CAM table contents.

ARP Cache Poisoning
[Diagram: Client aa-aa-aa-00-00-01, Server aa-aa-aa-00-00-02 and Attacker bb-aa-dd-00-00-03 on one switch. The client's ARP cache entry for the server changes from aa-aa-aa-00-00-02 to bb-aa-dd-00-00-03.]
- #1 ARP request: client broadcast "Who has ???"
- #2 ARP reply: server to client = aa-aa-aa-00-00-02
- #3 Gratuitous ARP reply: attacker to client = bb-aa-dd-00-00-03
- #4 Login request: client to "server" (the attacker). Oops, the attacker gets to see the victim's data.

Countermeasure: Sniffing/ARP Spoofing
- ARP cache poisoning:
  - Monitor the network for excessive ARP traffic. Note: tools like Arpwatch monitor MAC usage.
  - Use static entries in the ARP cache.
- Switch port stealing:
  - Monitor MAC addresses in the CAM table.
  - Use port security settings (Cisco).
  - Static MAC entries in the CAM table.
  - 802.1x (port based access control)

Countermeasure: Network Sniffing
Encryption and authentication
- SSL/TLS (Secure Sockets Layer)
  - Note: in certain cases SSL is vulnerable to hijacking using ARP spoofing if the victim isn't aware.
- IPSec (IP Security)
- SSH (Secure Shell)
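As an added example (not the course's tool), the following Arpwatch-style monitor replays steps #1 to #3 of the poisoning diagram and shows how the two countermeasures above, watching for abnormal ARP traffic and using static entries, surface the attack. The MAC addresses come from the diagram; the IP addresses, the frame format and the flood threshold are constructed assumptions.

```python
"""Arpwatch-style monitor for the ARP cache poisoning exchange in the diagram.

Added example, not a course tool. It keeps an IP-to-MAC table (optionally
seeded with static entries, as the countermeasure slide recommends), tracks
outstanding requests, and alerts on unsolicited replies, IP-to-MAC flips and
excessive ARP traffic from one MAC. Frames and IPs are constructed.
"""
from collections import defaultdict, deque

CLIENT, SERVER, ATTACKER = "aa-aa-aa-00-00-01", "aa-aa-aa-00-00-02", "bb-aa-dd-00-00-03"
CLIENT_IP, SERVER_IP = "10.0.0.1", "10.0.0.2"   # constructed; the diagram shows none

class ArpMonitor:
    def __init__(self, static=None, flood_threshold=10, flood_window=5.0):
        self.static = dict(static or {})    # ip -> mac that must never change
        self.table = dict(self.static)      # learned ip -> mac bindings
        self.pending = set()                # (requester_ip, wanted_ip) awaiting a reply
        self.recent = defaultdict(deque)    # sender mac -> timestamps of its frames
        self.flood_threshold = flood_threshold
        self.flood_window = flood_window
        self.alerts = []

    def observe(self, ts, op, sender_ip, sender_mac, target_ip):
        """Feed one ARP frame; op is "request" or "reply". Alerts accumulate."""
        frames = self.recent[sender_mac]
        frames.append(ts)
        while frames and ts - frames[0] > self.flood_window:
            frames.popleft()
        if len(frames) == self.flood_threshold:      # fire once per burst
            self.alerts.append(("flood", sender_mac, ts))

        if op == "request":
            self.pending.add((sender_ip, target_ip))
            return
        # A reply nobody asked for (gratuitous/unsolicited) is how poisoning starts.
        if (target_ip, sender_ip) in self.pending:
            self.pending.discard((target_ip, sender_ip))
        else:
            self.alerts.append(("unsolicited", sender_ip, sender_mac, ts))
        known = self.table.get(sender_ip)
        if known is None:
            self.table[sender_ip] = sender_mac
        elif known != sender_mac:
            if sender_ip in self.static:             # static entry wins; report the conflict
                self.alerts.append(("static-conflict", sender_ip, known, sender_mac, ts))
            else:                                    # learned binding changed: a flip
                self.alerts.append(("flip", sender_ip, known, sender_mac, ts))
                self.table[sender_ip] = sender_mac

def run_scenario(static=None):
    """Replay steps #1-#3 of the diagram; return (alerts, MAC now mapped to the server IP)."""
    mon = ArpMonitor(static=static)
    mon.observe(0.0, "request", CLIENT_IP, CLIENT, SERVER_IP)   # #1 who has the server?
    mon.observe(0.1, "reply", SERVER_IP, SERVER, CLIENT_IP)     # #2 genuine reply
    mon.observe(0.5, "reply", SERVER_IP, ATTACKER, CLIENT_IP)   # #3 attacker claims the server's IP
    return mon.alerts, mon.table[SERVER_IP]

if __name__ == "__main__":
    print(run_scenario())
    print(run_scenario(static={SERVER_IP: SERVER}))
```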

Data Hiding Techniques
- Alternate data streams: attachable to files/directories/root drives.
- Locating alternate data streams:
  - Vista/Windows 7/Server 2008: DIR /R
  - Third-party tools (e.g. streams.exe from Sysinternals)
- Removing alternate data streams:
  - Streams are removed when the main file/directory is deleted
  - Move the main file to a non-NTFS partition (e.g. FAT/FAT32)
  - Third-party tools (e.g. streams.exe from Sysinternals)

Data Hiding Techniques (cont)
- Locked directories: using reserved names for directories. Example: COM1, PRN, CON, etc.
- Steganography: hiding/embedding information in various types of data.
- Windows shell folders (virtual directories): Explorer/Search displays contents based on a database, so the true contents may be hidden.
  - Recycle Bin
  - Internet Explorer cache

Eliminating Evidence
- Windows NT Event Log: primary form of host based auditing.
- Eventlog service: eventlog.dll hosted by services.exe
  - Difficult to disable once started.
  - Easier to disable in the registry, reboot the system, and then edit the .evt binary files offline.
- Modifying event logs on a live system:
  - Event logs can be cleared by a user with proper privileges
  - WinZapper used a form of DLL injection to remove selected entries on Win2k systems.

Countermeasure: Eliminating Evidence
- Monitor event logs: use software that monitors the Eventlog service and copies the events in real time to a collection system.
  - Example: NTsyslog
  - Example: ELM
- Forward event logs:
  - Event collectors: Server 2003 R2, Vista sp1, Server 2008
  - Event sources: XP sp2, Server 2003 sp1, Vista, Server 2008

Denial of Service
- DoS attacks: CPU utilization, memory or hard-drive space exhaustion, network flooding.
- DDoS attacks: often use a group of compromised systems (zombies) to coordinate a DoS attack.
  - Example: TFN (variants), Trinoo, etc.

Malware: Analyzing Malicious Code
"A lot of nice rootkit tech released to the public this year, bootroot and the TLB desync trick both - spyware is really gonna suck next year..." Quote: Greg Hoglund after Blackhat 2005

Malicious Code Types
- Virus
- Worm
- Back door
- Trojan horse
- User-mode rootkit
- Kernel-mode rootkit

Viruses
- A self-replicating piece of code that attaches itself to other programs and usually requires human interaction to propagate.
- DOS or CP/M executable: .com
- Portable Executable (PE) format: .exe, .sys, .dll, .ocx, .cpl, .scr

Virus Infection Techniques
- Boot sector viruses
  - Master boot record (MBR)
  - Partition boot record (PBR)
  - Floppy boot record
- Companion infection
  - Same name/different extension
  - Rename original
  - Move program to an NTFS file stream

Infection Techniques (cont)
- Overwriting infection techniques
  - Overwrite complete/portion of file
  - Destructive/un-repairable
[Diagram: header, virus, host file]

Infection Techniques (cont)
- Prepending infection techniques
  - Inserts code at the beginning of the program
  - Generally nondestructive
  - Control passed to the host after the virus executes
[Diagram: header, virus, host file]

Infection Techniques (cont)
- Appending infection techniques
  - Inserts code at the end of the program
  - Generally nondestructive
  - Modified PE header executes the virus code
[Diagram: header, host file, virus]

Infection Techniques (cont)
- Infecting document files: the dangers of mixing code and data
  - Object oriented programming
  - Scriptable or macro supported documents: Microsoft Office, WordPerfect, StarOffice, AutoCAD

Virus Self-Preservation
- Stealth techniques: attrib +h, NTFS streams, intercept the AV scan
- Polymorphism and metamorphism: changing code to evade detection
- Antivirus deactivation: load before AV or kill AV processes

Defending Against Viruses
- Antivirus software: servers/workstations/perimeter/mobile
  - Based on virus signatures
- Heuristics: detecting virus characteristics
  - Only somewhat successful thus far
  - False positives and false negatives
- Integrity verification: using digital signatures to detect changes

Defending Against Viruses (cont)
- Configuration hardening: create a hostile environment for viruses
  - Restricting privileges/tightening DACLs
  - Disabling system components
  - Removing unnecessary services
  - Disabling macros and scripting
- User education

Worms
- Spread across networks
- Like viruses, self replicate
- Require little/no human intervention
- Exploit application flaws
- Sometimes sent via email

Worms (cont)
- Warhead (penetration)
  - Buffer overflow exploit
  - File-sharing attack: SMB, NFS, peer-to-peer programs
  - E-mail
  - System misconfiguration / unneeded services
- Propagation engine: file transfer methods for moving the worm's code
  - FTP, TFTP, HTTP, SMB, etc.
- Target selection algorithm: address books, host lists, DNS, random IP

Worms (cont)
- Scanning engine. Example: testing port 80 for a web server
- Payload (purpose)
  - Backdoor
  - DDoS agent / zombie
  - Remote processing. Example: password cracking
  - Steal information for the attacker
  - Ethical worm: patch management/deployment

Worms (cont)
- Super worms (improved techniques)
  - Multiplatform
  - Multiple delivery methods
  - Infection before patch availability
  - More efficient at spreading
  - Polymorphic (change the worm's appearance)
  - Metamorphic (change the worm's payload)

Defending Against Worms
- Antivirus software: a partial solution at best
- Firewall and IDS: at the network as well as the host level
- Good patch management scheme

Backdoors
A program that allows attackers to bypass normal security controls on a system, thus gaining access on the attacker's own terms.
- General categories of backdoors:
  - Local privilege escalation
  - Remote command execution (Bo2k, SubSeven, NetBus)
  - Remote shell access (Netcat)
  - Remote GUI access (VNC)

Defending Against Backdoors
- Keeping systems patched
- Minimizing port usage on your networks
- Network based firewalls and IDS packages
- Host based firewalls and IDS packages
- Digital signatures for programs accessing the network
- Anomaly detection for unusual network traffic
  - Beware of ICMP!!!
- Port scanning your own networks
  - Back doors with no listening port number???

Trojan Horses
A program that appears to have some useful or benign purpose, but really masks some hidden malicious functionality.
- Tries to blend in with normal programs
- Tricks a person or computer into running the attacker's code
  - Creative programming
  - Social engineering

Trojan Horses (cont)
Trojan methods:
- Mimic names of legitimate programs
- Executable wrappers: pack/compress/encrypt a Trojan with a decoy
- Poison the source code
- Innocent Trojans: Easter eggs
  - International development: good or bad?
- Co-opting (impersonating) legitimate software: DLL injection, OLE, etc.

Defending Against Trojan Apps
- Keeping track of what's running: processes, port usage, etc.
- File integrity using checksums
- Test and verify: distributors get hacked too!
- Source code is good, but know what it is you are compiling
- Antivirus, host based FW/IDS can help

User-mode Rootkit
- Replaces or modifies programs run by users/administrators
- Why the lack of NT user-mode rootkits?
  - Initial research was into kernel-mode rootkits
  - Windows File Protection
  - Microsoft operating systems are closed source
  - Difficulties in replicating GUI applications
  - Windows API not as well documented
    - MSDN does provide reference materials

User-mode Rootkit (cont)
Possible NT implementation techniques:
- Take advantage of the modular aspects of the NT platform as designed by Microsoft
  - Example: FakeGina.DLL (NT4/W2k)
- Code injection (e.g. Bo2k injection into Explorer)
  - DLL injection and API hooking
  - Requires debugging privileges
- Replace existing executables (e.g. MSV1_0.DLL)
  - Replaces/alters existing functionality
  - Need to overcome Windows File Protection

User-mode Rootkit Techniques
[Figure 1: Intercept call to module (program -> attacker's code -> Windows module). Figure 2: Code injection/API hooking (attacker's code placed inside the Windows process).]

User-mode Rootkit (cont)
Attacking Windows File Protection (WFP): HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
- SFCDllCacheDir: default cache = %windir%\system32\Dllcache
- SFCDisable = 0xFFFFFF9D (undocumented feature to disable WFP)
  - HexEdit sfc.dll on W2k sp2+/XP/W2k3
- Offline deletion (while the OS is not up and running)
  - Works until an actual SFC scan takes place
- Substitution method
  - Replace the file in the DLL cache
  - Delete the file to be rootkit'd; WFP restores it from the cache
  - Works until an actual SFC scan takes place

Kernel-mode Rootkit
Usually either modifies the function/request itself or modifies the information returned.
Examples:
[Diagram: Process #1, #2, #3 and the Win32 subsystem in user mode (ring 3); the rootkit sitting between them and the NT kernel in kernel mode (ring 0).]

Countermeasure: Rootkit
- Hardening your system
- Antivirus and host based firewalls/IDS
- Controlling device drivers:
  - Integrity Protection Driver
  - Driver signing (required in 64-bit Windows)
- Some research into rootkit detection

Combination Malware
- Combines various traits and techniques for increased effectiveness
  - Example: Bugbear.B, a combination worm, virus and backdoor
- Better at evading detection
- Increased resilience and durability

Summary
- Using a combination of anti-virus, firewalls, intrusion detection systems and anti-spyware will help defend against much of the malware out there.
- Perimeter defenses help against the outside attacker. Host based provides a second line of defense.
- Know your systems' configurations:
  - Keep a baseline for comparison.
  - Worst case, use a comparable system for reference.
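The baseline advice here, the checksum-based file integrity under the Trojan defenses, the integrity-verification bullet under the virus defenses and the "create a baseline" item under privilege escalation all come down to one tool. This added example (not the course's own) builds it: SHA-256 per file, with the stored baseline sealed by an HMAC under a placeholder key so that an intruder with Administrator rights cannot silently edit the baseline too.

```python
"""File-integrity baseline: SHA-256 per file plus an HMAC-sealed baseline file.

Added example, not a course tool. The key below is a constructed placeholder;
the real key and the baseline belong off the monitored host, for the same
reason the toolkit slide distrusts tools kept on the system's own disk.
"""
import hashlib, hmac, json, os, tempfile

def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root).replace(os.sep, "/")] = file_sha256(full)
    return snap

def save_baseline(snap, path, key):
    body = json.dumps(snap, sort_keys=True).encode()
    doc = {"files": snap, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}
    with open(path, "w") as f:
        json.dump(doc, f, sort_keys=True)

def load_baseline(path, key):
    """Return the file map, refusing a baseline whose HMAC does not verify."""
    with open(path) as f:
        doc = json.load(f)
    body = json.dumps(doc["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline HMAC mismatch: the baseline file was altered")
    return doc["files"]

def compare(baseline, current):
    """Report paths added, removed or modified since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario: baseline a tree, alter it the way an intruder might
    (replaced DLL, dropped tool, deleted file), recheck, then tamper with the baseline."""
    key = b"constructed-demo-key"
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "system32/svc.dll", b"original dll")
        _write(root, "readme.txt", b"hello")
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(snapshot(root), baseline_path, key)
        _write(root, "system32/svc.dll", b"trojaned dll")      # modified
        _write(root, "system32/evil.dll", b"dropped tool")     # added
        os.remove(os.path.join(root, "readme.txt"))            # removed
        diff = compare(load_baseline(baseline_path, key), snapshot(root))
        # The intruder "fixes" the baseline to match the trojaned DLL but has no key.
        with open(baseline_path) as f:
            doc = json.load(f)
        doc["files"]["system32/svc.dll"] = file_sha256(os.path.join(root, "system32/svc.dll"))
        with open(baseline_path, "w") as f:
            json.dump(doc, f)
        try:
            load_baseline(baseline_path, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return diff, tamper_detected
```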

Summary (cont)
- Impossible to know about every exploit out there:
  - Recognize patterns, know which tools to use.
  - Even antivirus/FW/IDS can't detect them all!
- Create a hostile environment for malware:
  - Support the principle of least privilege.
  - Disable or remove that which is unnecessary.
  - Block ports by rule, then allow by exception.
