Windows Edition
Feb. 1999
_______________________________________________________________________
See the Happy Hacker web site at http://www.happyhacker.org
Your local firewall blocks you? Try http://happyhacker.org
_______________________________________________________________________
Opening Comments
About your editor
URLs
Quick Correction to December's HHWD
Enumeration? What???
Reader Submissions
Trojans
Internet Information Server Security
Editor's Comments
Opening Comments / About your editor


It was evident from reader response to the last Happy Hacker Windows Digest (HHWD) that I did not do a good enough job of introducing myself. As many of you are aware, your former editor KeyDet89 left Windows Digest over his objections regarding AntiOnline's complaint against PacketStorm Security and Harvard University. I have volunteered some of my time to pick up the slack and get WD moving again. Who am I? I go by the name Greggory Peck and am an IT professional employed by a Fortune 500 company. My primary responsibilities are the creation of policies and procedures as they relate to security, securing all automated data processing equipment, peripherals and network hardware/software, and training my company's user community. I've been in or around the IT industry for nearly 8 years. I decided college was not my gig and elected the certification route; I currently hold the MCP, MCP+I and MCSE and am pursuing my CCNA and CISSP. I have little to no experience writing for an audience, so please send in any constructive criticism you might have. I will strive to cover topics that match the requests of the readers, so if you have a suggestion for a future topic make sure to send it in. As anyone who follows the content of http://www.happyhacker.org and http://www.antionline.com can deduce, as editor of Windows Digest I'm automatically targeted by many of the nasty evil crackers out there, primarily by the crackers who hide under the premise of being white hat hackers. As such, I often receive some rather entertaining flaming e-mail, some of which I will post for your reading pleasure in future editions. I will also be revisiting some of the topics covered in past issues in an attempt to reinforce their importance. So if you see more material covering a topic that has already been written about, it's because I feel it's very important that the topic be understood.
So this opens the second in what is hopefully a long run of Windows Digests.

URLs

L0pht to Merge with @Stake???
"The opportunity to join the first and only independent 'pure play' in the field of Internet security consulting is perfect for the L0pht," according to Mudge, now @Stake's VP of R&D. "@Stake's vendor neutrality, combined with open lines of communication to the full spectrum of people dealing with online security, allows us to remain true to our roots - security research and execution which shatters industry myths and builds a totally new standard."
http://www.msnbc.com/news/353999.asp
http://www.l0pht.com
http://www.atstake.com

Hoping for a large performance increase with the implementation of Win2K? If so you might be disappointed.
http://www.microsoft.com/windows2000/guide/platform/performance/zdlabs.asp

Plagued by TCP SYN-flooding attacks??? Run a Cisco router??? You might want to consider implementing the TCP Intercept feature.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_c/scprt3/scdenial.htm

Ever wondered how exactly to interpret a NTBugTraq or similar advisory? What does it all mean? Why do I need to patch my systems?
http://www.ntobjectives.com/RemoteAttack5.ppt

Is your privacy on the Internet important to you? Want something better than "Watch Dog" (Worthless IMHO). You might want to look at Freedom.
http://www.zdnet.com/pcmag/stories/firstlooks/0,6763,2413285,00.html

Quick Correction to December's HHWD
I would like to thank KeyDet89 for challenging me on a particular issue. I said last month that after establishing a null session with a target you could just issue the
"local" and "global" commands to enumerate account info on NT. KeyDet89 brought to my attention that it doesn't work without passing further arguments, such as the target, which can be specified by machine name or IP address. I was adamant and he pushed the issue further. This made me review my material, and I found conflicting information: some material says the arguments are not needed, but in RL (which is what counts) they are necessary. So, if it didn't work for you last month, try passing:

LOCAL Administrators \\<target ip or machine name>

Well we can't always be right, I encourage constructive criticism and thought I'd take a moment to correct myself. Thanks again for pointing this out to me KeyDet89.

Enumerating NT
(First and foremost, to always give credit where credit is due, it should be noted that much of the following information was taken from the book "Hacking Exposed - Network Security Secrets & Solutions" written by McClure, Scambray and Kurtz with contributions from Eric Schultz. Information was summarized and altered where possible to protect their copyright. The book is definitely worth the meager $39.99 investment IMHO. A good portion of the information also came from Eric Schultz and George Kurtz's presentation entitled "Over the router, through the firewall, to grandmother's house we go", and some from personal experience as well.)

A number of hackers will concede that a successful hack is largely made up of five steps.

1. Target acquisition and information gathering
2. Getting your foot in the door (accessing system)
3. Privilege escalation
4. Covering your tracks
5. Planting back doors for future access

Typical Definition of Enumeration:
A mathematical set with a total ordering and no infinite descending chains. A total ordering "<=" satisfies x <= x; x <= y <= z => x <= z; x <= y <= x => x=y; and for all x, y, x <= y or y <= x. In addition, if a set W is well-ordered then all non-empty subsets A of W have a least element, i.e. there exists x in A such that for all y in A, x <= y.

Thankfully, I have no intention of using the word enumeration to refer to mathematics. For the purpose of this writing I will use enumeration as defined by Eric Schultz in a discussion we had at the 1999 BlackHat conference: "extracting valid accounts or exported resource names from systems". Enumeration in this sense falls under step 1 above, target acquisition and information gathering. Enumeration entails making active connections to systems or network resources and making directed queries. Because of the way enumeration is performed, it can be detected and logged if your network is equipped with some basic auditing tools. Auditing is wonderful, but in most cases it still depends on someone interpreting the logged or audited information (I'm sure systems administrators have nothing better to do than review lines and lines of audit logs). Fortunately for those IT shops that place an emphasis on security, many modern intrusion detection systems will alert on many of the enumeration techniques in use today.

Windows NT in a default configuration will provide just about any piece of information a cracker could desire. This, along with NT's growing popularity among companies as both their primary network OS and their web serving platform, makes an NT box a good target for a cracker. Some argue that NT's willingness to give up its secrets is another classic example of poor coding; others believe it is there to simplify interoperability and ease of use. Whichever view you favor, the "features" exist, and if you neglect to take steps to remedy them a cracker can easily collect enough information about your network to make an attack successful. Generally speaking, a cracker will be looking to obtain the following types of information via enumeration: network resources, shares, users, groups, banners and applications.

It's important to note that most of the enumeration methods I will mention take advantage of the ability to make anonymous connections to IPC$. It was suggested that I provide more detail as to what makes up an anonymous or null-session connection. Simply put, IPC$ is the named-pipe share that every NT machine exports, and being able to connect to it without supplying any credentials is arguably the single most devastating security failure in NT, providing a cracker with a wealth of information. Establishing an anonymous or null-session connection to IPC$ is also known as the "Red Button" vulnerability, after the tool that first demonstrated it. If you refer back to the last issue of HHWD you will see that the syntax for establishing an anonymous connection is

Net use \\<target>\ipc$ "" /user:""

Once a cracker successfully establishes a null session he can use any number of different tools to obtain information. On your hacker LAN, connect to one of your other machines with a null session and then issue the following commands:

C:\>net view
Servers available in workgroup GP.
Server name Remark
--------------------------------------------
\\BEAST GP
The command was completed successfully.

C:\>net view \\beast
Shared resources at \\BEAST

Sharename Type Comment
--------------------------------------------
NEW FOLDER Disk
The command was completed successfully.

As you can see, net view provides a cracker with the machine name of the target, so he can then issue the second command, which lists the shares the target advertises. Note that net view only shows visible shares; hidden shares (names ending in $, such as the default C$ and ADMIN$ administrative shares) are not listed, and you need a tool that enumerates shares over the null session, such as DumpACL, to see them.
If a cracker is to further his penetration into your network he will soon need a user name. He can enter the command

Nbtstat -A <target IP address>

(Use a lowercase -a if you want to give the NetBIOS name instead of the IP address.) This command dumps the target's NetBIOS name table, which reveals the machine name, the domain or workgroup, the services it is running and the name of the user currently logged on. Strictly speaking, nbtstat talks to the NetBIOS name service on UDP port 137 and does not need the null session at all, but it fits neatly into the same sweep. By far one of the best tools in a cracker's toolkit is DumpACL. Over a null session DumpACL can dump remote shares, user and group lists, rights, policies and the services running on a given machine (it does not dump password hashes; those require administrative access). Many crackers will also use one of many NetBIOS scanners such as "Legion". The latest version of Legion will attempt to connect to different shares and supports brute force password guessing. I prefer to use DumpACL myself for the majority of information I need in my day-to-day administrative duties. For information on how to use DumpACL from the command prompt, just read the help files that are included with it.

So as you can see, after establishing a null session with IPC$ it is simple to get a machine name, domain name, hidden and visible shares, and user IDs. Based on the types of shares that are present a cracker can begin to guess at the particular functions that the target machine performs. The cracker will also be armed with a list of user IDs from nbtstat, the local and global commands (see the last edition of Windows Digest for more information) or DumpACL. Other good enumeration tools worth mentioning are epdump, getmac, netdom and netviewx. There is a wealth of information on the Internet regarding the functions and abilities of each of these tools.
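
The following parser is added here as an example; it is not code from the original article, from Microsoft or from any of the tools named above. It reads the NetBIOS Remote Machine Name Table that nbtstat -A prints (piped in on stdin) and sorts the entries by NetBIOS suffix, which is what tells a machine name apart from a domain name, a logged-on user or a running service. The sample table is constructed to match the BEAST machine in workgroup GP from the net view output above; the user name GPECK and the zeroed MAC address are made up for the example.

```python
"""Pull enumeration targets out of an `nbtstat -A <ip>` name table.

Added example for this digest; not code from the original article or
from Microsoft.  nbtstat itself is not reimplemented: the script reads
the table nbtstat prints and classifies each row by its NetBIOS suffix.
"""
import re
import sys

# NetBIOS (suffix, type) pairs worth knowing when enumerating NT.  The
# Messenger service registers a <03> UNIQUE name for the machine AND one
# for every logged-on user; that second entry is how nbtstat leaks users.
SUFFIXES = {
    ("00", "UNIQUE"): "workstation service (machine name)",
    ("00", "GROUP"):  "domain or workgroup name",
    ("03", "UNIQUE"): "messenger service (machine name or logged-on user)",
    ("20", "UNIQUE"): "server service (file sharing enabled)",
    ("1B", "UNIQUE"): "domain master browser (this box is the PDC)",
    ("1C", "GROUP"):  "domain controllers group",
    ("1D", "UNIQUE"): "master browser for this subnet",
    ("1E", "GROUP"):  "browser service elections",
}

# One table row, e.g. "BEAST          <03>  UNIQUE      Registered"
ENTRY_RE = re.compile(r"^\s*(\S+?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)")

# Constructed sample shaped like nbtstat -A output for the BEAST machine in
# workgroup GP.  The user GPECK and the zeroed MAC address are invented.
SAMPLE_NBTSTAT = """
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
BEAST          <00>  UNIQUE      Registered
GP             <00>  GROUP       Registered
BEAST          <03>  UNIQUE      Registered
BEAST          <20>  UNIQUE      Registered
GP             <1E>  GROUP       Registered
GPECK          <03>  UNIQUE      Registered
GP             <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered

MAC Address = 00-00-00-00-00-00
"""


def parse_name_table(text):
    """Return (name, suffix, type, status) tuples for every table row."""
    rows = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            name, suffix, kind, status = m.groups()
            rows.append((name, suffix.upper(), kind, status))
    return rows


def summarize(rows):
    """Reduce the raw rows to what an enumerator actually writes down."""
    machine = next((n for n, s, k, _ in rows if (s, k) == ("00", "UNIQUE")), None)
    domains = sorted({n for n, s, k, _ in rows if (s, k) == ("00", "GROUP")})
    # Any <03> UNIQUE name that is not the machine itself is a logged-on user.
    users = sorted({n for n, s, k, _ in rows
                    if (s, k) == ("03", "UNIQUE") and n != machine})
    return {
        "machine": machine,
        "domains": domains,
        "users": users,
        "file_sharing": any((s, k) == ("20", "UNIQUE") for _, s, k, _ in rows),
        "domain_controller": any((s, k) in (("1B", "UNIQUE"), ("1C", "GROUP"))
                                 for _, s, k, _ in rows),
        "services": sorted({SUFFIXES[(s, k)] for _, s, k, _ in rows
                            if (s, k) in SUFFIXES}),
    }


if __name__ == "__main__":
    # Pipe real output in:  nbtstat -A 10.0.0.5 | python nbtparse.py
    text = SAMPLE_NBTSTAT if sys.stdin.isatty() else sys.stdin.read()
    for key, value in summarize(parse_name_table(text)).items():
        print("%-18s %s" % (key, value))
```

Saved as, say, nbtparse.py (a name chosen for the example), it takes piped nbtstat output on the hacker LAN and falls back to the built-in sample when nothing is piped in. The point to take away is the <03> rule: a machine always registers its own name with that suffix, so any other <03> UNIQUE name in the table is a user you can start guessing passwords for.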

Well great, now that a cracker can obtain lists of shared resources, user names, NetBIOS names, domain names etc. via a null session, what can I do to prevent it? Luckily the solution is not overly complicated or difficult. Filter TCP and UDP ports 135 through 139 on all network border devices (Windows 2000 also carries SMB directly over TCP port 445, so filter that as well). On the hosts themselves, set the RestrictAnonymous value to 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (available since NT 4.0 Service Pack 3) so that a null session can no longer list accounts and shares; this is the "Restrict Anonymous Network Access" item in the IIS checklist later in this issue. If you're running a stand-alone NT system connected to a public network (the Internet), remove the NetBIOS binding from the public interface under the Network icon in the Control Panel. You can also go into Advanced TCP/IP properties, under the same Network icon, and enable TCP/IP filtering to block traffic to those ports. Whatever you do, test it: from a machine on the far side of the filter, try the net use command above; it should fail rather than complete successfully.

I will discuss SNMP (Simple Network Management Protocol) community strings and the information a cracker can take from an insecure implementation of SNMP in another article at a later date.

Reader Submissions
Pffft… Unfortunately, other than the occasional question, there were no real reader submissions. If you have something you would like to discuss and feel comfortable having it published, please send it in!

More on Trojans
In case you haven't read the earlier digests, a Trojan is a program that claims to perform a particular function and, whether or not it actually provides that function, performs another function behind the scenes. I intend to go into more detail in a future issue of HHWD, but I'm taking this time to request that if you have some information on different types of Trojans and how best to remove them, please send it in. We would like to compile a master database of Trojans along with their respective fixes. It is not certain at this time whether or not the Trojans themselves will be made available, but there will certainly be information on detection, effects, cleaning, etc. So consider this a request for information on Trojans; we already have several to write about, but I'm sure there are thousands we have not yet seen.

IIS Security Issues and recommended configuration practices
The rapid growth of the Internet over the past few years has left many companies and people struggling to get on the web. So you run out and hire a host of graphic artists and web developers to put together your company's crown jewel for this millennium. Remember, YOU are joining the millions of other people and companies ON-LINE! Regardless of whether your company's entire business relies on a database-driven web application on its website, or the site is a hobby or an expression of a passion of yours, nobody can debate the importance of the information on that site not being unexpectedly altered. There has been a rash of hacked web sites out on the net, from mom and pop grocery stores to the FBI and the White House. It's amazing just how many e-mails I receive that, paraphrased, say simply "help me hack this web site or that web site"; it would certainly appear to be the craze with script kiddies and wannabe hackers. Yes, I say wannabe, because true hackers don't run around the WWW defacing web pages; as a matter of fact many true hackers find this behavior very childish and nothing more than bolstering the media's portrayal of the evil hacker. The truth is that hacking the majority of websites is usually done with little effort or technical ability. Though it is sometimes entertaining to see what these folks deface, such obvious examples of childish behavior only further the media's "hacker feeding frenzy" and are generally frowned upon by many white-hat hackers. Many of the offenders just make complete and total fools of themselves (LoU, HFG, ULG); however, as mentioned, it can often be rather entertaining, so want to decide for yourself? You can check out http://www.antionline.com or http://www.attrition.org/mirror/attrition/index.html for a list of hacked websites. If you are an aspiring hacker you may want to look at groups such as Legions of the Underground, Hacking for Girlies and United Loan Gunmen as examples of what NOT to do. Sure, they make occasional news in some small section of the NY Times written by a journalist who just needs his next story, but the fact remains that many of these groups have several people in jail. So before you go thinking "wow, LoU, HFG, ULG, man they are elite", think about this: they must not have been too good, because they got caught. Groups such as these do nothing but allow the media to start up its "hacker feeding frenzy". Keep in mind that though there may be some talent among the members of such groups, that doesn't make them "elite" or uberhackers. OK, so I'm done ranting on the many so-called "hacker groups" out there; keep in mind these are just groups of criminals and are not true hackers. So D00dz d0nt U ph3@r d3m N0w? I mean come on, give me a break!

So what can I do to prevent my web page from being hacked? Well, the answer is multi-faceted. Wait a second, you just said hacking websites is childish and often requires little knowledge. Well, the key here is that there are exceptions to every rule. Some of the common misconceptions I've heard are "I have a firewall, I'm secure", "I have an intrusion detection system, I'm secure" and "I have a dedicated security team, I'm secure". None of these statements is true. Short of unplugging your server, removing the hard drive, locking it in a huge vault, throwing away the key and dropping it into the ocean, your server will never be 100% secure. "There is ALWAYS a root level compromise somewhere in your network" - Simple Nomad. You can, however, take a few things into consideration when installing your IIS server and in the design of your network infrastructure and perimeter to reduce the likelihood of your web page being hacked by some of the more common attacks already out there being used by script kiddies and crackers.

Read & Research

Read your corporate security policy.
Read the IIS4 Resource Kit Security Chapter
Read and subscribe to the MS Security Notification Service

Configure Windows NT Settings to be more secure
(Taken from a MS Article w/ my comments)

Use the latest stable service pack and hotfixes (evaluate them first).
Currently SP5 seems to work well.

Use NTFS (the NT File System). NTFS supports ACLs (Access Control Lists), allowing you to apply aspects of your corporate security policy to an entire drive, a directory, or down to the file level.

Set NTFS ACLs. For a good list of how to configure ACLs for a more secure server, read "Windows NT Security Guidelines - a study for NSA Research" by Trusted Systems Services Inc.

Do not run any unnecessary 16-bit applications; a secure server should stick to 32-bit applications. If you run no 16-bit applications you can also gain a small performance increase by disabling NTFS 8.3 name generation.

Set the boot menu timeout to zero seconds. This prevents someone at the console from selecting another boot entry (or hardware profile) from the NTLDR boot menu.

Run IIS 4.0 on a stand-alone server, not a PDC or BDC. A stand-alone server holds only its own local SAM; the domain SAM is neither stored on nor replicated to it, so a compromise of the web server still leaves an additional step between the cracker and your domain accounts.

[Editor's Note: Rather than pretty much retyping this entire document, interjecting my own comments etc., I decided to just include the major key points for your review.]

Step 1: General Information
Server Name
Asset #
Setup Date
Manufacturer
Location
Set up by

Step 2: Background Work
Read your corporate security policy
Configure hardware to meet security policy
Read the IIS4 Resource Kit Security Chapter
Subscribe to Microsoft Security Notification Service

Step 3: Windows NT 4.0 Settings
Latest Service Pack and Hot-fixes applied
Hard disk(s) formatted to NTFS
Set NTFS ACLs
Turn off NTFS 8.3 Name Generation
System boot time set to zero seconds
Set Domain controller type
OS/2 Subsystem removed
POSIX Subsystem removed
Remove All Net Shares
Audit for Success/Failed Logon/Logoff
Set Overwrite interval for Audit Log
Hide last logon user name
Display a legal notice before log on
Remove Shutdown button from logon dialog
Set Password length
Disable Guest account
Rename Administrator account
Allow network-only lockout for Administrator account
Check user accounts, group membership and privileges
Set a very strong password for Admin account
Restrict Anonymous Network Access
Prevent unauthenticated access to the registry
ACL and Monitor Critical Registry Keys
Change "Access this computer from the network" from Everyone to Authenticated Users
Run SYSKEY Utility
Unbind NetBIOS from TCP/IP
Configure TCP/IP Filtering
Disable IP Routing
Move and ACL critical files
Synchronize Times
Remove Unused ODBC/OLE-DB Data Sources and Drivers

Step 4: Internet Information Server 4.0 Settings
Install minimal Internet services required
Set appropriate authentication methods
Set appropriate virtual directory permissions and partition Web application space
Executable content validated for trustworthiness
Set IP Address/DNS Address restrictions
Set up Secure Sockets Layer
Migrate new Root Certificates to IIS
Remove Non-trusted Root Certificates
Set Appropriate IIS Log file ACLs
Logging enabled
Index Server only indexing documentation
Lock down Microsoft Certificate Server ASP Enrollment pages
Remove the iisadmpwd vdir
Remove Unused Script Mappings
Disable RDS support
Disable or remove all sample applications
Disable or remove unneeded COM Components
Check <FORM> input
Disable calling the command shell with #exec
Disable 'Parent Paths'
Disable IP Address in Content-Location

Step 5: Install Scanner/Intrusion Software
Regularly run a security scanner on your Web server, such as software from one of the companies listed.

Step 6: Update the Emergency Repair Disk
You should regularly update the ERD by running the RDISK tool.

[Editor's Note: My thanks to the reader who submitted the checklist from which this info was gleaned.]
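
Several of the Step 3 items above (restrict anonymous access, hide the last logon name, legal notice, shutdown button, null-session shares, remote registry lockdown) are registry values, so here is one way to audit them. This is added as an example for this digest; it is not Microsoft's checklist tool or any part of NT. check_snapshot() holds the policy and is plain Python, so it can be exercised against the two constructed snapshots in the block (WEAK, roughly an out-of-the-box NT 4.0 Workstation, and HARDENED, the same box after the checklist; neither was captured from a real machine, and the banner text is made up). read_live_snapshot() reads the same values plus the SecurePipeServers\winreg key from the local machine through Python's standard winreg module when run on Windows. The registry paths and value names are the documented ones for RestrictAnonymous, the Winlogon settings and NullSessionShares.

```python
"""Audit the registry-backed items from Step 3 of the IIS 4 checklist.

Added example for this digest; not Microsoft's checklist tool.  The policy
lives in check_snapshot(), which is pure Python so it runs anywhere; on a
Windows box read_live_snapshot() feeds it the real values.
"""
import sys

LSA = r"SYSTEM\CurrentControlSet\Control\Lsa"
WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
LANMAN = r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
WINREG = r"SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg"

# (subkey, value name) pairs the audit reads; None in a snapshot means absent.
VALUES = [
    (LSA, "RestrictAnonymous"),
    (WINLOGON, "DontDisplayLastUserName"),
    (WINLOGON, "LegalNoticeCaption"),
    (WINLOGON, "LegalNoticeText"),
    (WINLOGON, "ShutdownWithoutLogon"),
    (LANMAN, "NullSessionShares"),
]

# Constructed snapshots (not captured from a real machine): WEAK is roughly
# an out-of-the-box NT 4.0 Workstation, HARDENED the same box after Step 3.
WEAK = {
    (LSA, "RestrictAnonymous"): None,
    (WINLOGON, "DontDisplayLastUserName"): "0",
    (WINLOGON, "LegalNoticeCaption"): "",
    (WINLOGON, "LegalNoticeText"): "",
    (WINLOGON, "ShutdownWithoutLogon"): "1",
    (LANMAN, "NullSessionShares"): ["COMCFG", "DFS$"],
}
HARDENED = {
    (LSA, "RestrictAnonymous"): 1,
    (WINLOGON, "DontDisplayLastUserName"): "1",
    (WINLOGON, "LegalNoticeCaption"): "Authorized use only",
    (WINLOGON, "LegalNoticeText"): "This system is monitored. Disconnect now if you are not authorized.",
    (WINLOGON, "ShutdownWithoutLogon"): "0",
    (LANMAN, "NullSessionShares"): [],
}


def check_snapshot(values, winreg_key_exists):
    """Return a list of findings; an empty list means every item passes.

    values: {(subkey, name): data or None}.  winreg_key_exists: whether the
    SecurePipeServers\\winreg key is present (its ACL gates remote registry
    access).  Winlogon values are REG_SZ on NT 4.0, so they are compared as
    strings; RestrictAnonymous is a REG_DWORD.
    """
    findings = []
    ra = values.get((LSA, "RestrictAnonymous"))
    if not isinstance(ra, int) or ra < 1:
        findings.append("RestrictAnonymous is not 1: null sessions can list users and shares")
    if str(values.get((WINLOGON, "DontDisplayLastUserName")) or "") != "1":
        findings.append("DontDisplayLastUserName is not 1: logon dialog leaks the last user name")
    if not (values.get((WINLOGON, "LegalNoticeCaption")) and values.get((WINLOGON, "LegalNoticeText"))):
        findings.append("LegalNoticeCaption/LegalNoticeText empty: no warning banner before logon")
    if str(values.get((WINLOGON, "ShutdownWithoutLogon")) or "") != "0":
        findings.append("ShutdownWithoutLogon is not 0: shutdown button available at logon")
    shares = values.get((LANMAN, "NullSessionShares")) or []
    if shares:
        findings.append("NullSessionShares lists %s: reachable without credentials" % ", ".join(shares))
    if not winreg_key_exists:
        findings.append("SecurePipeServers\\winreg key missing: remote registry access not restricted")
    return findings


def read_live_snapshot():
    """Read the same values from the local machine (Windows only)."""
    import winreg  # standard library, present only on Windows
    values = {}
    for subkey, name in VALUES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                values[(subkey, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            values[(subkey, name)] = None
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINREG))
        exists = True
    except OSError:
        exists = False
    return values, exists


if __name__ == "__main__":
    if sys.platform == "win32":
        values, exists = read_live_snapshot()
    else:
        values, exists = WEAK, False  # demo run on a non-Windows box
    findings = check_snapshot(values, exists)
    print("\n".join(findings) or "all checked items pass")
```

Run it as Administrator on the web server; a non-administrative account may be refused access to the winreg key, which the script would then report as missing. The ShutdownWithoutLogon default differs between NT Workstation ("1") and NT Server ("0"), so a fresh Server install passes that one check while still failing the others, which is exactly the kind of difference the checklist's "Set Domain controller type" and "Check user accounts" items expect you to know about your own box.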

The sad truth is that the vast majority of web page/site hacks that take place are due to inappropriately configured IIS 4 or NT installations, not some super whizz-bang ultra cracker finding all-new vulnerabilities and literally hacking away at your servers for hours on end. No, not at all; typically they are simply enumerating your server and then going through their little list of exploits, matching up the appropriate exploit with the target server. Each of the above-recommended steps in securing an IIS 4.0 installation can be read about in more detail by doing a keyword search on the topic in question at http://support.microsoft.com . Armed with these new tips you may want to revisit your existing IIS installation to address some of the recommendations listed above.

This is a list devoted to *legal* hacking! If anyone plans to use any
information in this Digest or at our Web site to commit crime, go away! We
like to put computer criminals behind bars where they belong!

______________________________________________________________

 © 2013 Happy Hacker All rights reserved.