Incident Response

Lesson 9
Common Windows Exploits
Overview
• Top 20 Exploits
• Common Vulnerable Ports
• Detecting Events
UTSA IS 3523 ID and Incident Response
SANS Top 20 Critical Security Controls
• Publish list of the Twenty Most Critical
Internet Security Vulnerabilities
• www.sans.org/top20
• Updated in October (or sooner if necessary)
• Thousands use this list to close up holes in
their system
• Most incidents traced back to Top 20 list
SANS/FBI Top 20 List
• Based on facts, attackers
– are opportunistic
– take the easiest and most convenient route
– exploit the best-known flaws with the most
effective and widely available attack tools
– count on organizations not fixing the “holes”
SANS/FBI Top 20 List
• List broken down into two sections
• Two Top Ten lists
– Ten most commonly exploited vulnerable
services in Windows
– Ten most commonly exploited vulnerable
services in Unix
W1: Internet Information Services (IIS)
• IIS prone to vulnerabilities in three
major classes
– Failure to handle unanticipated requests
– Buffer overflows
– Sample applications
• Target port: TCP Port 80 (http)
Failure to Handle Unanticipated Requests
• IIS has a problem handling improperly formed
HTTP requests
– Web folder traversal (unicode)
• Allows
– view of the source code of scripted applications
– view of files outside the Web document root
– view of files Web server has been instructed not to
serve
– execution of arbitrary commands on the server
• deletion of files, uploading of rootkits, creation of
backdoors
Buffer Overflows
• Many ISAPI and SSI extensions vulnerable to
buffer overflows
– .asp / .htr / .idq / printer
• A carefully crafted request from a remote attacker may result in
– Denial of Service
– Execution of arbitrary code and/or commands in the Web server’s user context
• through the IUSR_servername account (like anonymous)
W2: Microsoft SQL Server
• Microsoft SQL Server contains several serious vulnerabilities that allow remote attackers to
– obtain information
– alter database content
– compromise SQL servers
– compromise server hosts
• There was an MSSQL worm released in May 2002
W2: Microsoft SQL Server
• Target port: TCP port 1433
• Versions affected
– Microsoft SQL Server 7.0
– Microsoft SQL Server 2000
– Microsoft SQL Server Engine 2000
W2: Microsoft SQL Server
• How to detect a compromise:
• First thing you’ll see is the “probing” or
“fishing” for information
– Probes on port 1433
– Attacker is looking for those boxes that
respond “positively” to a probe on port 1433
• tells them box is “listening” (or has the port
open) on port 1433
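As an added illustration of the detection idea on this slide (this code is not part of the lecture material), the following Python script scans firewall deny-log lines for sources that touch many internal hosts on TCP port 1433, which is what a sweep for listening SQL servers looks like from the defender's side. The log line format, the addresses and the sweep threshold are assumptions made for the example.

```python
"""Flag hosts that are probing for Microsoft SQL Server on TCP port 1433.

Added example, not from the lecture slides. It parses constructed firewall
deny-log lines in an assumed
"<timestamp> DENY <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>" format,
counts how many distinct internal hosts each source touched on 1433, and
reports sources whose distinct-destination count reaches a threshold.
"""
import re
from collections import defaultdict

MSSQL_PORT = 1433

# Constructed sample log lines (not real traffic; documentation-range addresses).
SAMPLE_LOG = """\
2002-05-21T03:14:01 DENY TCP 203.0.113.7:4122 -> 192.0.2.10:1433
2002-05-21T03:14:01 DENY TCP 203.0.113.7:4123 -> 192.0.2.11:1433
2002-05-21T03:14:02 DENY TCP 203.0.113.7:4124 -> 192.0.2.12:1433
2002-05-21T03:14:02 DENY TCP 203.0.113.7:4125 -> 192.0.2.13:1433
2002-05-21T03:14:05 DENY TCP 198.51.100.9:3300 -> 192.0.2.10:1433
2002-05-21T03:14:09 DENY TCP 198.51.100.9:3301 -> 192.0.2.10:80
"""

# Assumed log format; adjust the pattern to the firewall actually in use.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def mssql_probe_sources(log_text, min_targets=3):
    """Map each source IP to the sorted list of hosts it probed on TCP/1433,
    keeping only sources that touched at least `min_targets` distinct hosts.
    A single denied connection is noise; a fan-out across many hosts is a sweep."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != MSSQL_PORT:
            continue
        targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in mssql_probe_sources(SAMPLE_LOG).items():
        print(f"{src} swept {len(dsts)} hosts on TCP/{MSSQL_PORT}: {', '.join(dsts)}")
```

The threshold is deliberately on distinct destinations rather than raw hit count, so a single host retrying a legitimate connection is not reported while a scanner walking a subnet is.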
W3: General Windows Authentication
• Accounts with No Passwords or Weak
Passwords
• Only protection is to have a strong password
and good password habits
• With advent of Windows XP consider
“everyday” accounts at user privilege
W3: LAN Manager Authentication
• Most current Windows environments have
no need for LAN Manager (weak hashing)
– Most use NTLM now
• But Windows NT, 2000, and XP do have LM
by default
• LM has a very weak encryption scheme
• Won’t take a hacker long to crack passwords
W3: Unprotected Windows Networking Shares
(NetBios)
• OSs affected:
– Windows 95, Windows 98, Windows NT, Windows Me, Windows 2000, and Windows XP
• Main objective:
– gather info about guest host names
– try these guest host names with null passwords until one works
– attacker will then attempt to download the entire database of user IDs and/or passwords
W4: Internet Explorer
• Consequences can include
– Disclosure of cookies
– Disclosure of local files or data *
– Execution of local programs *
– Download and execution of arbitrary code *
– Complete takeover of vulnerable system *
* Most Critical
W4: Internet Explorer
• Default web browser installed on MS
Windows platforms
• All existing IE’s have critical vulnerabilities
• A malicious web administrator can design
web pages to exploit these vulnerabilities
– Just need someone to browse the web page
W4: Internet Explorer
• Vulnerabilities can be categorized into multiple classes
– Web page spoofing
– ActiveX control vulnerabilities
– Active scripting vulnerabilities
– MIME-type and content-type misinterpretation
– Buffer overflows
W5: Unprotected Windows Networking Shares
(NetBios)
• MS Windows provides a host machine
with the ability to share files or folders
across a network
• Underlying mechanism of this feature is
the
– Server Message Block (SMB) protocol, or the
– Common Internet File System (CIFS) protocol
• Target Port: TCP Port 139
W5: Anonymous Logon -- Null Sessions
• This vulnerability is very similar to the
one described before in Netbios
• Attacker is looking for a host name with
a null password
• Attacker uses IPC$ (called IPC shares)
with a double-double quote (“”) in place
of a password
W6: Microsoft Data Access Components
(MDAC)--Remote Data Services
• RDS component in older versions of MDAC
has flaws that allow a remote user to run
commands locally with administrative
privileges
• This exploit is readily used to deface Web
pages
• Check Web Server Logs to make sure
W7: Windows Scripting Host (WSH)
• Permits any text file with a “.vbs” extension
to be executed as a Visual Basic script
• A typical worm propagates by including a
VBScript as the contents of another file and
executes when that file is viewed or in some
cases previewed
The Other 3
W8: Outlook and Outlook Express
W9: P2P File Sharing
W10: Simple Network Management Protocol (SNMP)
Common Vulnerable Ports
• Login Services
– telnet (port 23/tcp)
– SSH (port 22/tcp)
– FTP (port 21/tcp)
– NetBIOS (port 139/tcp)
– rlogin (port 512 - 514/tcp)
Common Vulnerable Ports
• RPC and NFS
– portmap/rpcbind (port 111/tcp and udp)
– NFS (port 2049/tcp and udp)
– lockd (port 4045/tcp and udp)
• Xwindows
– port 6000/tcp through 6255/tcp
Common Vulnerable Ports
• Naming services
– DNS (port 53/udp) for all machines that are
not DNS servers
– DNS (port 53/tcp) for zone transfer requests
– LDAP (port 389/tcp and udp)
Common Vulnerable Ports
• Mail
– SMTP (port 25/tcp) for all machines that are
not external mail relays
– POP (port 109/tcp and port 110/tcp)
– IMAP (port 143/tcp)
Common Vulnerable Ports
• Web
– HTTP (port 80/tcp)
– SSL (port 443/tcp) except to external Web
servers
– HTTP proxies
• port 8000/tcp
• port 8080/tcp
• port 8888/tcp
Common Vulnerable Ports
• “Small services”
– ports below 20/tcp and udp
– time (port 37/tcp and udp)
• Miscellaneous
– TFTP (port 69/udp)
– Finger (port 79/tcp)
– NNTP (port 119/tcp)
Common Vulnerable Ports
• Miscellaneous (continued)
– NTP (port 123/udp)
– LPD (port 515/tcp)
– syslog (port 514/udp)
– SNMP (port 161/tcp and udp, and port 162/tcp and udp)
– BGP (port 179/tcp)
– SOCKS (port 1080/tcp)
Common Vulnerable Ports
• ICMP
– block incoming “echo” requests (ping and
Windows traceroute)
– block outgoing “echo” replies, “time
exceeded,” and “destination unreachable”
• except “packet too big” messages
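The port lists on the "Common Vulnerable Ports" slides read as a perimeter filtering policy. As an added example (not code from the lecture), the Python below encodes that list, including the slides' exceptions for external web servers, external mail relays and DNS servers, and audits constructed `netstat -an`-style output from a Windows host against it, so that a listener the slides say to filter stands out before an attacker's probe finds it. The role names, the sample output and the inclusion of TCP/1433 from the W2 slide are assumptions made for this example.

```python
"""Audit listening sockets against the lesson's "common vulnerable ports" list.

Added example, not part of the lecture slides. Parses constructed output in
the shape of Windows `netstat -an` and reports listeners on ports the slides
say to block at the perimeter, honouring the slides' role exceptions. The
sample output and the role names are assumptions for illustration.
"""
import re

# (service, protocols, low port, high port, role allowed to expose it or None).
# Ports and names follow the slides; the role names are invented for this example.
WATCHED = [
    ("small services", ("tcp", "udp"), 1, 19, None),
    ("FTP", ("tcp",), 21, 21, None),
    ("SSH", ("tcp",), 22, 22, None),
    ("telnet", ("tcp",), 23, 23, None),
    ("SMTP", ("tcp",), 25, 25, "mail-relay"),
    ("time", ("tcp", "udp"), 37, 37, None),
    ("DNS", ("udp",), 53, 53, "dns-server"),
    ("DNS zone transfer", ("tcp",), 53, 53, None),
    ("TFTP", ("udp",), 69, 69, None),
    ("Finger", ("tcp",), 79, 79, None),
    ("HTTP", ("tcp",), 80, 80, "web-server"),
    ("POP", ("tcp",), 109, 110, None),
    ("portmap/rpcbind", ("tcp", "udp"), 111, 111, None),
    ("NNTP", ("tcp",), 119, 119, None),
    ("NTP", ("udp",), 123, 123, None),
    ("NetBIOS", ("tcp",), 139, 139, None),
    ("IMAP", ("tcp",), 143, 143, None),
    ("SNMP", ("tcp", "udp"), 161, 162, None),
    ("BGP", ("tcp",), 179, 179, None),
    ("LDAP", ("tcp", "udp"), 389, 389, None),
    ("SSL", ("tcp",), 443, 443, "web-server"),
    ("rlogin et al", ("tcp",), 512, 514, None),
    ("syslog", ("udp",), 514, 514, None),
    ("LPD", ("tcp",), 515, 515, None),
    ("SOCKS", ("tcp",), 1080, 1080, None),
    ("MS SQL Server", ("tcp",), 1433, 1433, None),  # W2 target port
    ("NFS", ("tcp", "udp"), 2049, 2049, None),
    ("lockd", ("tcp", "udp"), 4045, 4045, None),
    ("X Windows", ("tcp",), 6000, 6255, None),
    ("HTTP proxy", ("tcp",), 8000, 8000, None),
    ("HTTP proxy", ("tcp",), 8080, 8080, None),
    ("HTTP proxy", ("tcp",), 8888, 8888, None),
]

# Constructed `netstat -an` style output (not taken from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          203.0.113.5:51234      ESTABLISHED
  UDP    0.0.0.0:161            *:*
  UDP    0.0.0.0:53             *:*
"""

NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def listening_sockets(netstat_text):
    """Yield (proto, port) for TCP sockets in LISTENING state and every bound UDP socket."""
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, _addr, port, state = m.groups()
        proto = proto.lower()
        if proto == "tcp" and state != "LISTENING":
            continue
        yield proto, int(port)


def exposed_ports(netstat_text, roles=()):
    """Return sorted (proto, port, service) tuples for listeners that the policy
    flags, skipping entries excused by one of the host's declared roles."""
    roles = set(roles)
    findings = set()
    for proto, port in listening_sockets(netstat_text):
        for service, protos, low, high, excused_role in WATCHED:
            if proto in protos and low <= port <= high and excused_role not in roles:
                findings.add((proto, port, service))
    return sorted(findings)


if __name__ == "__main__":
    for proto, port, service in exposed_ports(SAMPLE_NETSTAT, roles=("web-server",)):
        print(f"{port}/{proto} open: {service} should be filtered at the perimeter")
```

Declaring a host's roles is what turns the slides' "except to external Web servers" and "for all machines that are not DNS servers" wording into a check that can run unattended: the same listener is a finding on a workstation and expected on the server that is supposed to offer it.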
How To Detect and Investigate
• http://www.sans.org/top20/tools04.pdf
• Run an IDS and review logs for common
signatures…especially IIS hacks
• Aggressively review web server logs
• Ensure FTP application logging turned
on…then review FTP logs
• Know your network…and know what is
abnormal
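The IIS slide earlier in the lesson names unicode web-folder traversal, and this slide says to review web server logs aggressively. As an added example (not code from the lecture), the Python below reads constructed IIS W3C extended-format log lines, percent-decodes each URI stem twice to catch double encoding, collapses overlong two-byte UTF-8 forms to the byte they stand for, and reports requests whose decoded path contains a `..` segment, counted per client. The log lines, addresses and paths are constructed for the example.

```python
"""Flag directory-traversal attempts in IIS W3C extended-format log lines.

Added example, not part of the lecture slides. The log excerpt below is
constructed for illustration; the client addresses and paths are not real.
"""
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed IIS log excerpt (W3C extended format with a #Fields header).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-05-21 03:20:11 203.0.113.7 GET /default.asp - 200
2002-05-21 03:20:12 203.0.113.7 GET /scripts/..%c0%af../private/config.txt - 200
2002-05-21 03:20:13 203.0.113.7 GET /msadc/..%255c..%255c/private/config.txt - 404
2002-05-21 03:20:14 198.51.100.9 GET /images/logo.gif - 200
2002-05-21 03:20:15 198.51.100.9 GET /products.asp id=7 200
"""


def decode_uri(raw):
    """Percent-decode a URI stem twice (to catch double encoding) and collapse
    overlong two-byte UTF-8 sequences, i.e. a C0/C1 lead byte followed by a
    continuation byte, to the single ASCII byte they encode. A plain UTF-8
    decoder rejects these, which is why a naive log grep for '..' misses them."""
    data = raw
    for _ in range(2):
        data = unquote_to_bytes(data)
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(data[i + 1] & 0x3F)
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode("latin-1")


def traversal_attempts(log_text):
    """Return (client_ip, raw_stem, decoded_path, status) for every request whose
    decoded path contains a '..' segment, i.e. tries to leave the web root.
    Backslashes are treated as separators because IIS accepts both."""
    fields = None
    hits = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        stem = rec.get("cs-uri-stem", "")
        decoded = decode_uri(stem).replace("\\", "/")
        if ".." in decoded.split("/"):
            hits.append((rec["c-ip"], stem, decoded, rec.get("sc-status", "-")))
    return hits


def attempts_per_client(log_text):
    """Count traversal attempts by client address, the first cut when reviewing logs."""
    return Counter(hit[0] for hit in traversal_attempts(log_text))


if __name__ == "__main__":
    for ip, stem, decoded, status in traversal_attempts(SAMPLE_IIS_LOG):
        print(f"{ip} {status} {stem} -> {decoded}")
    print(dict(attempts_per_client(SAMPLE_IIS_LOG)))
```

Note that the status code is reported but not used to filter: a 404 on a traversal request is still worth investigating, because it shows someone testing the server, and the 200 beside it shows which variant the server accepted.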