See the Happy Hacker web site at http://www.happyhacker.org
Your local firewall blocks you? Try http://happyhacker.org
About your editor
Quick Correction to December's HHWD
Internet Information Server Security
Opening Comments / About your editor
It was evident from reader response to the last Happy Hacker Windows
Digest (HHWD) that I did not do a good enough job of introducing
myself. As many of you are aware, your former editor KeyDet89 left
Windows Digest over his objections regarding AntiOnline's complaint
against PacketStorm Security and Harvard University. I have
volunteered some of my time to pick up the slack and get WD moving
again. Who am I? I go by the name Greggory Peck and am an IT
professional employed by a Fortune 500 company. My primary
responsibilities are the creation of security policies and
procedures, securing all automated data processing equipment,
peripherals and network hardware/software, and training my
company's user community. I've been in or around the IT industry
for nearly 8 years. I decided college was not my gig and elected
the certification route; I currently hold the MCP, MCP+I and MCSE
and am pursuing the CCNA and CISSP. I have little to no experience
writing for an audience, so please send in any constructive
criticism you might have. I will strive to align topics with the
requests of the readers, so if you have a suggestion for a future
topic make sure to send it in. As anyone who follows the content of
http://www.happyhacker.org can deduce, as editor of Windows Digest
I'm automatically targeted by many of the nasty evil crackers out
there, but primarily by the crackers who hide under the premise of
being white hat hackers. As such, I often receive some rather
entertaining flaming e-mail, some of which I will post for your
reading pleasure in future editions. I will be revisiting some of
the topics that have been covered in past issues in an attempt to
reinforce their importance, so if you see more material on a topic
that has already been written about, it's because I feel it is very
important that the topic be understood. So this opens the second in
what I hope is a long run of Windows Digests.
L0pht to Merge with @Stake???
"The opportunity to join the first and only independent
'pure play' in the field of Internet security consulting is perfect
for the L0pht," according to Mudge, now @Stake's VP of R&D.
"@Stake's vendor neutrality, combined with open lines of
communication to the full spectrum of people dealing with online
security, allows us to remain true to our roots - security research
and execution which shatters industry myths and builds a totally
Hoping for a large performance increase with the implementation
of Win2K? If so you might be disappointed.
Plagued by TCP SYN-flooding attacks??? Run a Cisco router???
You might want to consider implementing the TCP Intercept feature.
Ever wondered how exactly to interpret a NTBugTraq or similar
advisory? What does it all mean? Why do I need to patch my systems?
Is your privacy on the Internet important to you? Want something
better than "Watch Dog" (Worthless IMHO). You might
want to look at Freedom.
Quick Correction to December's HHWD
I would like to thank KeyDet89 for challenging me on a particular
issue. I said last month that after establishing a null session
with a target you could just issue the "local" and "global"
commands to enumerate account info on NT. KeyDet89 brought to my
attention that it doesn't work without passing further arguments
such as the target destination, which can be specified by machine
name or IP address. I was adamant and he further pushed the issue.
This made me review my material, which I did, and I found
conflicting information. In some material it was not necessary to
pass the arguments; however, in RL (which is what counts) it is
necessary. So... if it didn't work for you last month try passing:

    local Administrators \\<target ip or machine name>

Well, we can't always be right. I encourage constructive criticism
and thought I'd take a moment to correct myself. Thanks again for
pointing this out to me, KeyDet89.
(First and foremost, to always give credit where credit is due, it
should be noted that much of the following information was taken
from the book "Hacking Exposed - Network Security Secrets &
Solutions" written by McClure, Scambray and Kurtz, with
contributions from Eric Schultz. Information was summarized and
altered where possible to protect their copyright. The book is
definitely worth the meager $39.99 investment IMHO. A good portion
of the information also came from Eric Schultz and George Kurtz's
presentation entitled "Over the router, through the firewall, to
grandmother's house we go", and some from personal experience as
well.)
A number of hackers will concede that a successful hack is largely
comprised of five steps:
1. Target acquisition and information gathering
2. Getting your foot in the door (accessing system)
3. Privilege escalation
4. Covering your tracks
5. Planting back doors for future access
Typical Definition of Enumeration:
A mathematical set with a total ordering and no infinite descending
chains. A total ordering "<=" satisfies x <=
x; x <= y <= z => x <= z; x <= y <= x =>
x=y; and for all x, y, x <= y or y <= x. In addition, if
a set W is well-ordered then all non-empty subsets A of W have
a least element, i.e. there exists x in A such that for all y
in A, x <= y.
Thankfully, I have no intention of using the word enumeration to
refer to mathematics. For the purpose of this writing I will use
enumeration as defined by Eric Schultz in a discussion we had at
the 1999 BlackHat conference: "extracting valid accounts or
exported resource names from systems". Enumeration in this sense
falls under step 1, target acquisition and information gathering.
Enumeration entails making active connections to systems or
network resources and making directed queries. Because of how
enumeration is performed, if your network is equipped with some
basic auditing it can be detected and logged: with logon/logoff
auditing turned on, every null session shows up in the NT security
log as a network logon by the built-in ANONYMOUS LOGON account.
Auditing is wonderful, but in most cases it is still dependent on
someone interpreting the logged or audited information (I'm sure
systems administrators have nothing better to do than review lines
and lines of audit logs). Fortunately for those IT shops that place
an emphasis on security, many modern Intrusion Detection Systems
will alert on many of the enumeration techniques in use today.
Windows NT in its default configuration will hand over just about
any piece of information a cracker would desire. This, along with
NT's growing popularity among companies as both their primary
network OS and their web serving platform, makes an NT box a good
target for a cracker. Some argue that NT's inherent willingness to
give up its secrets is another classic example of poor coding;
others believe it is there to simplify interoperability and ease of
use. Regardless of which mindset you are partial to, the "features"
exist, and if you neglect to take steps to remedy them a cracker
can easily collect enough information about your network to make
an attack successful. Generally speaking, a cracker will be looking
to obtain the following types of information via enumeration:
network resources, shares, users, groups, banners and applications.
It's important to note that most of the enumeration methods I will
mention take advantage of the ability to make anonymous connections
to the IPC$ share. It was suggested that I provide more detail as
to what makes up an anonymous or null-session connection. Simply,
IPC$ is the named-pipe share every NT machine exports for
interprocess communication, and by default NT accepts a connection
to it with an empty user name and an empty password. Being able to
connect to IPC$ without supplying credentials can be the single
most devastating security failure in NT, providing a cracker with a
wealth of information, because the account and share queries made
by the tools described below ride over that same anonymous
connection. Establishing anonymous or null-session connections with
IPC$ is also known as the "Red Button" vulnerability, after the
tool that first demonstrated it. If you refer back to the last
issue of HHWD you will see that the syntax for establishing an
anonymous connection is:

    net use \\<target>\ipc$ "" /user:""
Once a cracker successfully establishes a null session they can use
any number of different tools to obtain information. On your hacker
LAN, connect to one of your other machines with a null session and
then issue the following commands:

    C:\>net view
    Servers available in workgroup GP.

    Server name            Remark
    -------------------------------------------------------------------------------
    \\BEAST
    The command was completed successfully.

    C:\>net view \\beast
    Shared resources at \\BEAST

    Sharename        Type         Comment
    -------------------------------------------------------------------------------
    NEW FOLDER       Disk
    The command was completed successfully.

As you can see, net view provides a cracker with the machine name
of the target so he can then issue the second command, which lists
the shares the target advertises. Note that net view only shows
ordinary shares: hidden shares (those whose names end in $, such as
C$ and ADMIN$) are not displayed, but they can be enumerated over
the same null session with a tool such as DumpACL.
If a cracker is to further his penetration into your network he
will need a user name soon. The next command doesn't even need the
null session, since it queries the target's NetBIOS name service
directly over UDP port 137:

    nbtstat -A <target ip>

(use a lowercase -a to query by machine name instead). This returns
the target's NetBIOS name table: the machine name, the domain or
workgroup it belongs to, whether it is running the server service
(file sharing) and, through the <03> messenger service entries, the
name of the user currently logged on. A full list of user accounts
comes from the local and global commands or from DumpACL over the
null session. By far one of the best tools in a cracker's toolkit
is DumpACL. DumpACL can provide such information as remote shares
(hidden ones included), user names and their group memberships,
file and registry permissions, and which services are running on a
given machine. Many crackers will also use one of many different
kinds of NetBIOS scanners such as "Legion". The latest version of
Legion will attempt to connect to the shares it finds and supports
brute-force password guessing against them. I prefer to use DumpACL
myself for the majority of information I need in my day-to-day
administrative duties. For information on how to use DumpACL from
the command prompt just read the accompanying help files that are
included with it.
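What nbtstat -A actually hands back, and how the <00>, <03>, <20> and <1C> suffixes are read, is easiest to see by parsing a name table. The following Python script is an added example for this digest, not code from the original article or from Microsoft; the nbtstat output it parses is constructed to resemble NT4's, and the host, workgroup and user names in it (BEAST, GP, GREGG) and the MAC address are made up. It goes one step beyond the text by telling a real domain apart from a workgroup: only domain controllers register a <1C> group name.

```python
"""Read the NetBIOS name table that `nbtstat -A <ip>` returns and pull out
what an attacker is after: machine name, domain/workgroup, whether file
sharing is up, and who is logged on.

Added example for this digest (not code from the original article or from
Microsoft).  SAMPLE_NBTSTAT is constructed to look like NT4 output; the
names BEAST, GP and GREGG and the MAC address are made up."""
import re

# Meaning of the 16th byte ("suffix") of a NetBIOS name, for the entries
# that matter when enumerating a host.
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "workstation service (computer name)",
    ("00", "GROUP"):  "domain or workgroup name",
    ("03", "UNIQUE"): "messenger service (computer name or logged-on user)",
    ("20", "UNIQUE"): "server service (file and print sharing enabled)",
    ("1B", "UNIQUE"): "domain master browser (the PDC)",
    ("1C", "GROUP"):  "domain controllers",
    ("1D", "UNIQUE"): "master browser",
    ("1E", "GROUP"):  "browser service elections",
}

# Constructed sample: `nbtstat -A 10.0.0.5` against host BEAST in
# workgroup GP with user GREGG logged on.
SAMPLE_NBTSTAT = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
BEAST          <00>  UNIQUE      Registered
GP             <00>  GROUP       Registered
BEAST          <20>  UNIQUE      Registered
BEAST          <03>  UNIQUE      Registered
GP             <1E>  GROUP       Registered
GREGG          <03>  UNIQUE      Registered

MAC Address = 00-A0-C9-12-34-56
"""

# One table row: name, <suffix>, UNIQUE|GROUP, status.
ROW = re.compile(r"^(\S.*?)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")


def parse_name_table(text):
    """Return the table as a list of (name, suffix, type) tuples."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            name, suffix, kind, _status = m.groups()
            rows.append((name.strip(), suffix.upper(), kind))
    return rows


def summarize(rows):
    """Interpret the rows the way an attacker (or a defender checking what
    the host leaks) would."""
    hosts = {n for n, s, k in rows if (s, k) == ("00", "UNIQUE")}
    domains = {n for n, s, k in rows if (s, k) == ("00", "GROUP")}
    # The messenger service registers <03> for the computer and for every
    # logged-on user, so a <03> name that is not a computer name is a user.
    users = {n for n, s, k in rows if (s, k) == ("03", "UNIQUE") and n not in hosts}
    file_sharing = {n for n, s, k in rows if (s, k) == ("20", "UNIQUE")}
    # Only domain controllers register <1C>, so its presence separates a real
    # domain (with a DC holding the SAM) from a plain workgroup.
    dc_domains = {n for n, s, k in rows if (s, k) == ("1C", "GROUP")}
    return {"hosts": hosts, "domains": domains, "users": users,
            "file_sharing": file_sharing, "dc_domains": dc_domains}


def describe(rows):
    """Annotate each row with the meaning of its suffix/type pair."""
    return [(n, s, k, SUFFIX_MEANING.get((s, k), "other")) for n, s, k in rows]


if __name__ == "__main__":
    rows = parse_name_table(SAMPLE_NBTSTAT)
    for name, suffix, kind, meaning in describe(rows):
        print(f"{name:15s} <{suffix}> {kind:7s} {meaning}")
    for key, value in summarize(rows).items():
        print(f"{key:13s} {sorted(value)}")
```

To use it against a live host, paste the output of nbtstat -A into SAMPLE_NBTSTAT or feed it in via a pipe; the parser only needs the table rows, so the header and MAC address lines are ignored.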
So as you can see, after establishing a null session with IPC$
it's simple to get a machine name, domain name, hidden and visible
shares, and user IDs. Based on the types of shares that are present
a cracker can begin to guess at the particular functions the target
machine performs. The cracker will also be armed with a list of
user IDs from nbtstat, the local and global commands (see the last
edition of Windows Digest for more information) or DumpACL. Other
enumeration tools worth mentioning are epdump (lists the RPC
services registered with the endpoint mapper on port 135), getmac
(MAC addresses and transport bindings), netdom (domain membership
and trust information) and netviewx (lists the servers in a domain
by the services they advertise). There is a wealth of information
on the Internet regarding the functions and abilities of each of
these tools.
Well great, now that a cracker can obtain lists of shared
resources, user names, NetBIOS names, domain names, etc. via a
null session, what can I do to prevent it? Luckily the solution is
not overly complicated or difficult. Filter TCP and UDP ports 135
through 139 on all network border devices; this keeps the Internet
at large out, but not someone already on your LAN, so harden the
hosts as well. If you're running a stand-alone NT system connected
to a public network (the Internet), remove the NetBIOS binding from
TCP/IP on the public interface under the Network icon in the
Control Panel (Bindings tab). You could also go into Advanced
TCP/IP properties and enable TCP/IP security filtering to block
those ports, again under the Network icon in the Control Panel.
Finally, NT 4.0 with Service Pack 3 or later can refuse to list
accounts and shares to anonymous connections: set the REG_DWORD
value RestrictAnonymous to 1 under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and reboot.
A null session can still be established, but the user and share
enumeration queries that ride over it are refused. This is a
mitigation, not a cure: SID-to-name lookups still work with
RestrictAnonymous set to 1. To check your fix, repeat the net use,
net view and DumpACL sequence above from another machine without
credentials and confirm that it now comes back empty-handed.
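The auditing paragraph earlier says a null session can be detected if logon/logoff auditing is turned on; here is what that detection looks like in practice, run over the kind of records the null-session and Legion activity described above leave behind. This Python script is an added example, not part of the original digest or of any Microsoft tool. The security-log export it reads is constructed to mimic the description fields NT 4.0 writes for event 528 (successful logon) and 529 (failed logon); the machine names HACKBOX and BEAST, the user names and the timestamps are invented. A null session is the 528 record whose user is ANONYMOUS LOGON in the NT AUTHORITY domain with logon type 3 (network), and a run of 529 type-3 failures from the same workstation is the fingerprint of a share brute-forcer.

```python
"""Find null-session logons (and the share brute-forcing that often follows
them) in an NT 4.0 security log export.

Added example for this digest, not code from the original article or from
any Microsoft tool.  SAMPLE_LOG is constructed to mimic the description
fields NT writes for event 528 (successful logon) and 529 (failed logon);
the hosts HACKBOX and BEAST, the user names and the times are invented."""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Event ID: 528   Time: 1/16/2000 22:41:03   Computer: BEAST
Successful Logon:
    User Name:      ANONYMOUS LOGON
    Domain:         NT AUTHORITY
    Logon ID:       (0x0,0x2A6F1)
    Logon Type:     3
    Logon Process:  KSecDD
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name: HACKBOX

Event ID: 528   Time: 1/16/2000 22:41:20   Computer: BEAST
Successful Logon:
    User Name:      gregg
    Domain:         GP
    Logon ID:       (0x0,0x2A800)
    Logon Type:     2
    Logon Process:  User32
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name: BEAST

Event ID: 529   Time: 1/16/2000 22:42:05   Computer: BEAST
Logon Failure:
    Reason:         Unknown user name or bad password
    User Name:      administrator
    Domain:         BEAST
    Logon Type:     3
    Logon Process:  KSecDD
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name: HACKBOX
"""

HEADER = re.compile(r"Event ID:\s*(\d+)\s+Time:\s*(\S+ \S+)\s+Computer:\s*(\S+)")
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$")


def parse_events(text):
    """One dict per event: id, time, computer plus the labelled fields."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER.match(lines[0])
        if not m:
            continue
        ev = {"id": int(m.group(1)),
              "time": datetime.strptime(m.group(2), "%m/%d/%Y %H:%M:%S"),
              "computer": m.group(3)}
        for line in lines[1:]:
            f = FIELD.match(line)
            if f:
                ev[f.group(1).strip()] = f.group(2).strip()
        events.append(ev)
    return events


def is_null_session(ev):
    """A null session is a successful network logon (528, type 3) by the
    built-in ANONYMOUS LOGON account of the NT AUTHORITY pseudo-domain."""
    return (ev["id"] == 528
            and ev.get("User Name", "").upper() == "ANONYMOUS LOGON"
            and ev.get("Domain", "").upper() == "NT AUTHORITY"
            and ev.get("Logon Type") == "3")


def is_failed_network_logon(ev):
    """529 with logon type 3: a bad password over the network, which is what a
    share brute-forcer such as Legion produces in volume."""
    return ev["id"] == 529 and ev.get("Logon Type") == "3"


def report(events):
    """Tally null sessions and failed network logons per originating
    workstation, with the time span they cover."""
    per_host = defaultdict(lambda: {"null_sessions": 0, "failed_logons": 0,
                                    "first": None, "last": None})
    for ev in events:
        if is_null_session(ev):
            key = "null_sessions"
        elif is_failed_network_logon(ev):
            key = "failed_logons"
        else:
            continue
        entry = per_host[ev.get("Workstation Name", "?")]
        entry[key] += 1
        t = ev["time"]
        entry["first"] = t if entry["first"] is None else min(entry["first"], t)
        entry["last"] = t if entry["last"] is None else max(entry["last"], t)
    return dict(per_host)


if __name__ == "__main__":
    for host, stats in report(parse_events(SAMPLE_LOG)).items():
        span = (stats["last"] - stats["first"]).total_seconds()
        print(f"{host}: {stats['null_sessions']} null session(s), "
              f"{stats['failed_logons']} failed network logon(s) in {span:.0f}s")
```

The interactive logon by gregg (type 2) is deliberately ignored; what matters for enumeration is the pairing of an anonymous network logon with failed network logons from the same workstation inside a short window. A real export in a different layout (dumpel, CSV) only needs its own HEADER pattern; the classification rules stay the same.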
I will discuss SNMP (Simple Network Management Protocol) community
strings and the information that can be taken by a cracker due
to an insecure implementation of SNMP in another article at a
Unfortunately, other than the occasional question, there were no
real reader submissions. I encourage you, if you have something you
would like to discuss and feel comfortable having it published, to
please send it in!
More on Trojans
In case you haven't read the earlier digests, a Trojan is a
program that claims to perform a particular function and, whether
or not it actually provides that function, performs another
function behind the scenes. I intend to go into more detail in a
future issue of HHWD, but I'm taking this time to request that if
you have some information on different types of Trojans and how
best to remove them, please send it in. We would like to compile a
master database of Trojans along with their respective fixes. It
is not certain at this time whether or not the Trojans themselves
will be made available, but there will certainly be information on
detection, effects, cleaning, etc. So consider this a request for
information on Trojans; we already have several to write about but
I'm sure there are thousands we have not yet seen.
IIS Security Issues and recommended configuration practices
The rapid growth of the Internet over the past few years has left
many companies and people struggling to get on the web. So you run
out and hire a host of graphic artists and web developers to put
together your company's crown jewel for this millennium. Remember,
YOU are joining the millions of other people and companies
ON-LINE!!! Regardless of whether your company's entire business
relies on a database-driven web application on your company
website, or you are on the web to fit in, as a hobby, or to express
a passion of yours, nobody can debate the importance of the
information on that site not being unexpectedly altered. There has
been a rash of hacked web sites out on the net, from mom and pop
grocery stores to the FBI and the White House. It's amazing just
how many e-mails I receive that, paraphrased, say simply "help me
hack this web site or that web site"; it would certainly appear
that it's the craze with script kiddies and wannabe hackers. Yes,
I say wannabe, because true hackers don't run around the WWW
defacing web pages; as a matter of fact many true hackers find
this behavior very childish and nothing more than bolstering the
media's portrayal of the evil hacker. The truth is that hacking the
"majority" of websites is usually done with little effort or
technical ability. Though it is sometimes entertaining to see what
these folks deface, it should be noted that such obvious examples
of childish behavior only further the media's "hacker feeding
frenzy" and are generally frowned upon by many white-hat hackers.
Many of the offenders just make complete and total fools of
themselves (LoU, HFG, ULG); however, as mentioned, it can often be
rather entertaining, so want to decide for yourself? You can check
out http://www.antionline.com for a list of hacked websites. If you
are an aspiring hacker you may want to look at groups such as
Legions of the Underground, Hacking for Girlies and United Loan
Gunmen as examples of what NOT to do. Sure, they make occasional
news in some small section of the NY Times written by a journalist
who just needs his next story, but the fact remains that many of
these groups have several people in jail. So before you go
thinking, wow, LoU, HFG, ULG, man they are elite, think about
this: they must not have been too good because they got caught.
Groups such as these do nothing but allow the media to start up
its "hacker feeding frenzy". Keep in mind that though there may be
some talent among some members of such groups, that doesn't mean
they are "elite" or uberhackers. Ok, so I'm done ranting on the
many so-called "hacker groups" out there; keep in mind these are
just groups of criminals and are not true hackers. So D00dz d0nt U
ph3@r d3m N0w? I mean come on, give me a break!
So what can I do to prevent my web page from being hacked? Well,
the answer is multifaceted. Wait a second, you just said hacking
websites is childish and often requires little knowledge. Well,
the key here is that there are exceptions to every rule. Some of
the common misconceptions I've heard are "I have a firewall, I'm
secure", "I have an Intrusion Detection System, I'm secure" and "I
have a dedicated security team, I'm secure". None of the above
statements are true. Short of unplugging your server, removing the
hard drive, locking it in a huge vault, throwing away the key and
dropping it into the ocean, your server will never be 100% secure.
"There is ALWAYS a root level compromise somewhere in your
network" - Simple Nomad. You can, however, take a few things into
consideration when installing your IIS server and in the design of
your network infrastructure and perimeter to help reduce the
likelihood of your web page being hacked by some of the more
common attacks already out there being used by script kiddies and
crackers.
Read & Research
Read your corporate security policy.
Read the IIS4 Resource Kit security chapter.
Read and subscribe to the Microsoft Security Notification Service.
Configure Windows NT settings to be more secure
(Taken from a MS article with my comments)
Ensure you use the latest stable service pack and hotfixes
(evaluate them first). Currently SP5 seems to work well.
Use NTFS (the NT File System). NTFS supports ACLs (Access Control
Lists), allowing you to apply aspects of your corporate security
policy to an entire drive, a directory, or down to the individual
file.
Set NTFS ACLs. For a good list of how to configure ACLs for a more
secure server read "Windows NT Security Guidelines - a study for
NSA Research" by Trusted Systems Services.
Do not run any unnecessary 16-bit applications; a secure server
should stick to 32-bit applications. Once no 16-bit applications
need them, you can also disable NTFS 8.3 name generation for a
small performance increase. Disabling it has a security benefit
too: with 8.3 names enabled every long-named file has a second,
short name (NEWFOL~1 for "NEW FOLDER", for example), which gives an
attacker a way to refer to a file that a check written against the
long name does not anticipate.
Set the system boot time to zero seconds. This prevents people
from attempting to load other hardware profiles or invoking the
special boot options in boot.ini that NTLDR honors.
Run IIS 4.0 on a stand-alone server, not a PDC or BDC. By keeping
IIS 4.0 on a stand-alone server you put an additional step of
security between the cracker and your domain SAM: the domain
account database is not replicated to or stored on a stand-alone
server, so a compromise of the web server only yields its local
accounts.
[Editor's Note: Rather than pretty much retyping this entire
document interjecting my own comments etc, I decided to just
include the major key points for your review.
Step 1: General Information
Set up by
Step 2: Background Work
Read your corporate security policy
Configure hardware to meet security policy
Read the IIS4 Resource Kit Security Chapter
Subscribe to Microsoft Security Notification Service
Step 3: Windows NT 4.0 Settings
Latest Service Pack and Hot-fixes applied
Hard disk(s) formatted to NTFS
Set NTFS ACLs
Turn off NTFS 8.3 Name Generation
System boot time set to zero seconds
Set Domain controller type
OS/2 Subsystem removed
POSIX Subsystem removed
Remove All Net Shares
Audit for Success/Failed Logon/Logoff
Set Overwrite interval for Audit Log
Hide last logon user name
Display a legal notice before log on
Remove Shutdown button from logon dialog
Set Password length
Disable Guest account
Rename Administrator account
Allow network-only lockout for Administrator account
Check user accounts, group membership and privileges
Set a very strong password for Admin account
Restrict Anonymous Network Access
Prevent unauthenticated access to the registry
ACL and Monitor Critical Registry Keys
Change "Access this computer from the network" from
Everyone to Authenticated Users
Run SYSKEY Utility
Unbind NetBIOS from TCP/IP
Configure TCP/IP Filtering
Disable IP Routing
Move and ACL critical files
Remove Unused ODBC/OLE-DB Data Sources and Drivers
Step 4: Internet Information Server 4.0 Settings
Install minimal Internet services required
Set appropriate authentication methods
Set appropriate virtual directory permissions and partition Web
Executable content validated for trustworthiness
Set IP Address/DNS Address restrictions
Set up Secure Sockets Layer
Migrate new Root Certificates to IIS
Remove Non-trusted Root Certificates
Set Appropriate IIS Log file ACLs
Index Server only indexing documentation
Lock down Microsoft Certificate Server ASP Enrollment pages
Remove the iisadmpwd vdir
Remove Unused Script Mappings
Disable RDS support
Disable or remove all sample applications
Disable or remove unneeded COM Components
Check <FORM> input
Disable calling the command shell with #exec
Disable 'Parent Paths'
Disable IP Address in Content-Location
Step 5: Install Scanner/Intrusion Software
Regularly run a security scanner on your Web server, such as
software from one of the companies listed.
Step 6: Update the Emergency Repair Disk
You should regularly update the ERD by running the RDISK tool.
[Editor's Note: My thanks to the reader who submitted to me the
checklist from which this info was gleaned.]
The sad truth is that the vast majority of web page/site hacks
that take place are due to inappropriately configured IIS4 or NT
installations, not some super whiz-bang ultra cracker who is
finding all new vulnerabilities and literally hacking away at your
servers for hours on end. No, not at all; typically they are simply
enumerating your server, then going through their little list of
exploits and matching up the appropriate exploit with the target
server. Each of the above recommended steps in securing an IIS 4.0
installation can be read about in more detail by doing a keyword
search on the topic in question at http://support.microsoft.com.
Armed with these new tips you may want to revisit your existing
IIS installation to address some of the recommendations listed
above.
This is a list devoted to *legal* hacking! If anyone plans to use
any information in this Digest or at our Web site to commit crime,
go away! We like to put computer criminals behind bars where they
belong!