Analysis of Windows 2000 Server - Case Study Example

Traditional human roles are migrating to the cyber domains in lieu of the simpli and the ease offered in dealing with bulk affairs through automation. However, this mass migration is presenting its own unique challenges for all kinds of systems and system administrators. While laws and conventions are well documented in the real world, there are still exploits that are available. In contrast the cyber domain is still recent and the exploits are widely available. However, the need to retain and protect private data is just as strong. In order to protect sensitive information, it is essential for any system administrator to be fully apprised of various threats and exploits that might undermine a system’s security and efficacy. (Moore, 2006) This text is designed to look into a particular exploit available on port 138 of a Windows 2000 server machine acting as a domain controller. Table of Contents Introduction The successful Windows NT (New Technology) platform was used by Microsoft to fabricate a new wave of operating systems most of which were centred on business needs. Windows 2000 emerged as the only successor to Window NT 4.0 and is the last OS to be branded with NT designations. (Microsoft, 1998) Four different editions of Windows 2000 were released which were Professional, Server, Advanced Server and Datacentre Server. Moreover, Windows 2000 was also sold as Advanced Server Limited Edition and Datacentre Server Limited Edition. (Microsoft, 2000) Each version of Windows 2000 was manufactured to target particular applications in the industry but all OS shared common features. These included new innovations such as the Microsoft Management Console as well as system administration applications that come with the OS by default. (Miles, 2000) Though security features were upgraded to protect Windows 2000 but certain vulnerabilities still remained. Vulnerabilities in Networks Some IT analysts have compared the security offered by Windows 2000 to an egg. The outside of the egg presents a fortified concept whereby the egg cannot be breached. However, the inside of the egg is fluid and susceptible to break down and separation as soon as the outer layer breaks down. In this sense, Windows 2000 is a little tough to beat on the outside but it is extremely fluid to exploit once the network’s DMZ or other security is breached. (Ethical Hacker Network, 2011) The most common way to intrude network machines is to scan ports and to exploit vulnerabilities in ports. Often the entire network spectrum is scanned for open as well as closed ports. Open ports are easiest to access. Nearly all contemporary OS possess the same distribution of ports although their exact designations may differ. Windows follows a common architecture for ports throughout its various OS schemes. Myriad ports are vulnerable but the NetBIOS ports are particularly vulnerable. These ports are listed below and are discussed further down the line to delineate their weakness. (Ethical Hacker Network, 2011) NetBIOS Port Applications 135 NetBIOS 137 NetBIOS – Name Service (NS) 138 NetBIOS – Datagram distribution service (DGM) 139 NetBIOS – Session Service (SSN) Typically two major services are vulnerable as first point impacts for attacks. These are the SMB (Server Message Block) protocol and NetBIOS over TCP / IP. Both services have the power to reveal large amounts of information related to the machine and the network in question. There is a dire need to shield these ports during use especially in server machines with un-patched OS installations. NetBIOS in particular is highly relevant for network mapping. (Boyce, 2006) This investigation is concerned with port 138 used for datagram services and so it will be looked into in more detail. Delineating NetBIOS, Datagram and Port 138 NetBIOS is the abbreviation for Network Basic Input and Output System and is an API (Application Program Interface) that aids the DOS (Disk Operating System) BIOS. Special functions for LANs (Local Area Networks) are included. NetBIOS was created by IBM in order to enable communication over LAN (Local Area Network). Windows has adopted a similar structure for network communication between different computers. To enable NetBIOS to communicate over a WAN (Wide Area Network) various protocols are utilised as outlined in the table above. The particular protocol in discussion in this text is TCP / IP (Transmission Control Protocol / Internet Protocol). (Kurose & Ross, 2008) The Datagram Service of NetBIOS is one of two different ways to conduct communication between applications. The other possible method is to utilise the NetBIOS Session Service. The advantage of using the Datagram Service is that is offers connection less communication that is broadcast oriented. It generally uses the UDP transport layer protocol through port 138. Using UDP ensures that the communication is fast thus more efficient although packet delivery is not guaranteed. (Management Link, 2011) Case Study Assumptions For the current case study it is assumed that the concerned machine is running Windows 2000 and is being used as a domain controller. The particular version of Windows 2000 being used is Advanced Server. The IP address of the machine is 192.168.204.13 and the only port visible to the intruder is TCP port 138. Moreover, the concerned server is not utilising IP-Sec or Kerberos at all and no service packs have been installed on the server in question. Way Forward The first step would be to create a complete picture of the network in question. This can be accomplished by utilising various tools that are commercially available. Based on the network discovery the attacker can decide on other tools to intrude in on the network. These tools could be specialised developments of part of the original OS such as nbstat. Using these tools the attacker can discover vulnerabilities and exploit them accordingly. These exploits can be used to gain access to the system and to manipulate it accordingly. The steps required to intrude a system are outlined below with specific details using the assumptions listed above. Analysis of Assumptions The first assumption is that the target machine is exposed at port 138 only. Although this is impracticable for a domain controller but to limit the scope of this study this assumption is considered valid. The other assumption is that the target system is utilising some form of firewall that tends to act as a gatekeeper. Another assumption being made is that the system has some kind of IDS (Intrusion Detection System) installed. This implies that the attacker would have to be careful in order to protect his identity for fear of backlash by network security devices. One method to avoid detection is to limit network traffic. In case of port 138 the network communication is broadcasting based so network traffic would be limited. Moreover, the machine to be attacked is not utilising IP-Sec or Kerberos. This ensures that the attacker would receive unencrypted information. Gathering Intel for Attack Network topology is essential to commencing an attack of any form at all. A host of different tools and resources could be utilised to gather pertinent network information. The use of such techniques is better known as “network foot printing” and the following information can be discerned reliably. network and address ranges; host names; exposed hosts; applications exposed on hosts; OS and application version information; patched states of both host and applications; structure of applications and structures of back end servers. Given that the machine to be attacked is a Windows based server it is pertinent to check for ICMP (Internet Control Message Protocol). If such services are deemed blocked then an estimate of the OS could be easily made given that ICMP was blocked by default after Windows 2003 Server. (Network Sorcery, 2011) If ICMP is responding then the network security is minimal at best and the attacker can easily gain a foothold. To check for ICMP the following command line could be utilised along with the relevant tools. c:\DiscoverHosts 192.168.204 192.168.204.13 In case that ICMP is blocked out multiple other tools could be utilised to gather network information. Perhaps the best tool in this regard is nmap which is available in GUI versions too. Nmap is capable of deep ended network surveillance including port activity along with OS discovery. Moreover, the state of the ports and possible security can easily be discovered. Typical command line and accompanying output is displayed below (in truncated format to display relevant sections only). C:\nmap –T4 –A –v –PE –PS22,25,80 -PA21,23,80,3389 192.168.204.1-255 Starting Nmap 5.59BETA1 ( http://nmap.org ) NSE: Loaded 63 scripts for scanning. NSE: Script Pre-scanning. Initiating Ping Scan Scanning 255 hosts [8 ports/host] Ping Scan Timing: About 14.98% done; Ping Scan Timing: About 29.46% done; Ping Scan Timing: About 44.17% done; Ping Scan Timing: About 58.65% done; Ping Scan Timing: About 73.09% done; Completed Ping Scan 206.69s elapsed (255 total hosts) Initiating SYN Stealth Scan Scanning 192.168.204.13 [1000 ports] Discovered open port 138/tcp on 192.168.204.13 Completed SYN Stealth Scan 27.99s elapsed (1000 total ports) Initiating OS detection (try #1) against 192.168.204.13 NSE: Script scanning 192.168.204.13 Initiating NSE Completed NSE, 10.08s elapsed Nmap scan report for 192.168.204.13 Host is up (0.024s latency) MAC Address: 00:14:A5:7C:30:E0 Warning: OSScan result may be unreliable because we could not find at least 1 open and 1 closed port Device Type: domain controller Running: Microsoft Windows 2000 OS details: Microsoft Windows Server 2000, Microsoft Windows Professional 2000, Microsoft Windows Advanced 2000 Uptime guess: 0.212 days Network Distance: 1 hop TCP Sequence Prediction: Difficulty=262 (Good luck!) IP ID Sequence Generation: Incremental Service Info: OS: Windows The command line above shows that an intrusive scan is being performed for network discovery where OS detection has been enabled. An intrusive scan is being performed because our desired port 138 will not gather a lot of network traffic given its broadcast communication nature and all other ports are deemed closed. The use of “1-255” ensures that the entire domain would be searched for alive hosts and then the relevant hosts will be displayed. (Nmap, 2011) It can be clearly seen that the scan easily tracks out the class of the OS and the open port. In case any services were running on this port, the scanner could have well easily defined those too. The machine’s MAC address has been compromised too which could be used for impersonation later. Given the position of the machine as a DC (Domain Controller), impersonation by the attacker would ensure that the network could be redirected to any aims with relative ease. Accessing the Server In the case of this network the established topology is absolutely simple. Only one machine is attached to the system which is the DC. This machine will be attacked directly. Another possible step could be to use the RPC (Remote Procedural Call) DCOM (Distributed Component Object Model) scanner to find out how well patched the entire system is. This file “msrpcss.exe” can be executed directly from a machine given of course that it has been installed. However, this is being skipped under the assumption that the machine is in an un-patched state. The next step is to find and utilise a fitting exploit that could aid the attacker in getting into the system. The compulsion at hand is to utilise the port 138 structure only using TCP only. This communication now will be directed to IDS if there are any installed on the targeted machine. A useful tool in this regard is the “Retina DCOM Scanner” from eEye Digital Security. (eEye Security, 2004) This tool enables the concerned attacker to find out which exploits could successfully work on a machine given its patched state. However, this tool is relatively scarce to find and use now and will only respond to OS released before 2004. Using this tool on Windows 2000 in the current situation can be considered appropriate given its un-patched state but a well patched machine will yield no helpful results. Perhaps the simplest method to perform an exploit attack is to utilise the buffer overflow exploit. A buffer is a specified location where an application is allowed to store data. The size of the allocated buffer is limited. If the buffer is supplied with more data than it can possibly hold then there are chances that the buffer would overflow. This occurs in applications where the length of the data is not checked before assigning it to the buffer. As the excessive data streams into a buffer, it is removed and moved over to the system’s own stack for execution. This handshake between the application interface and the system interface has serious implications. The data that is consumed by the systems stack now gains system privileges to facilitate its execution. In any Windows architecture machine, the system has far greater privileges than the highest available administrator. Therefore, the system reigns supreme in a Windows based environment. This enables the swift execution of overflowed buffer data from the system stack without any checks or intrusions. General system intrusion exploits use this capability of buffer overflows to move malicious code and tools to the target system. The target system often executes the attacker’s intended data seamlessly. In most cases the intended attacker data is generally the command shell or tools for two way connectivity such as netcat. (Netcat, 2011) The exploit chosen for this case is a simple NetBIOS RPC based exploit which was developed by K Otik and tested largely by “derslacker”. This exploit works on Windows 2000 (all editions, un-patched), Windows Server 2003 and Windows XP SP0. (Exploit Database, 2011) The sample output of this exploit is shown below: root@derslacker:/home/exploits# ./win2K --help ############################### return into libc rpc exploit ins1der 2003 downloaded on www.k-otik.com *************************************** usage: ./win2K *************************************** targets: --------------------------------------- 0 Windows 2000 SP0 (english) --------------------------------------- root@derslacker:/home/exploits# ./win2K 192.168.204.13 Exploiting 192.168.204.13... Entering shell Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. C:\Windows\system32> Securing a Foothold The output presented above clearly indicates that the attacker has managed to utilise the buffer overflow exploit to own the system. The level of privileges conferred must be verified before the attacker can proceed any further which can be established through the use of the “whoami” identification command. The sample output is shown below: C:\winnt\system32>whoami NT AUTHORITY\SYSTEM This indicates that the attacker has gained full system privileges. The output clearly reflects this by delineating that the attacker now has “system” privileges. As explained above, this stems from the fact that the current object model (command shell) has been executed through system privileges. Being the master of this system means that the attacker can now move forward and use the system as desired. For the moment, the attacker has a lone connection to the target computer. If this session terminates for any given reason then the attacker would have to retrace the steps outlined above. However, the attacker can use this connection to the system to gain a complete foothold by placing Trojans, worms, key loggers and other malicious software and code to establish communication with the targeted machine as desired. It is of course far more advisable to remove traces of the attack in order to cover up the attacker’s foot prints. This ensures that the attacker moves into and out of the system unhindered and undetected as desired. Typically traces are removed by removing any logs created during the attack and then by dissuading any further log creation. This can be achieved by using the eslave tool so that any event logs generated are effectively wiped out. (IBT, 1999) Moreover, the attacker can use the auditpol tool to stop further system audits that would give away his presence. (Microsoft, 2010) Most attacker choose to place tools like netcat so that they can reconnect to the system. Netcat is often seen as the Swiss army knife of network administrators and attacker alike. (MUTS, 2010) Conclusion Domain Controllers are an important part of any network given that they contain highly sensitive and private information that could be exploited in more ways than one. The demonstration of intrusion above indicates that an attacker could well easily enter an unprotected system with relative ease. The entire process would take no more than half an hour if the right kind of dedicated attacker were attempting intrusion. The need to boost network security is highly apparent given these findings. Moreover, it is pertinent to note that machines should be patched with all possible updates and all new exploits should be investigated thoroughly in order to avoid unwanted intrusions in any network. The presence of firewalls and DMZ controllers is not enough to avoid a well planned and executed attack. Bibliography Boyce, J., 2006. NetBIOS over TCP/IP in Windows 2000 Server. [Online] Available at: HYPERLINK "http://www.techrepublic.com/article/netbios-over-tcpip-in-windows-2000-server/6132055" http://www.techrepublic.com/article/netbios-over-tcpip-in-windows-2000-server/6132055 [Accessed 4 August 2011]. Cox, P. & Sheldon, T., 2001. Windows 2000 Security Handbook. Osborne. eEye Security, 2004. Retina DCOM Scanner Ver. 1.1.1. [Online] Available at: HYPERLINK "http://www.eeye.com/html/Research/Tools/RPCDCOM.html" http://www.eeye.com/html/Research/Tools/RPCDCOM.html [Accessed 3 August 2011]. Ethical Hacker Network, 2011. Anatomy of a Hack. [Online] Available at: HYPERLINK "http://www.ethicalhacker.net/content/view/8/2/" http://www.ethicalhacker.net/content/view/8/2/ [Accessed 29 July 2011]. Exploit Database, 2011. Exploits by k-otik. [Online] Available at: HYPERLINK "http://www.exploit-db.com/author/?a=292" http://www.exploit-db.com/author/?a=292 [Accessed 4 August 2011]. Fly Lib, 2011. Manual: Hacking Exposed (Unauthenticated Attacks). [Online] Available at: HYPERLINK "http://flylib.com/books/en/2.818.1.30/1/" http://flylib.com/books/en/2.818.1.30/1/ [Accessed 30 July 2011]. IBT, 1999. ELSave. [Online] Available at: HYPERLINK "http://www.ibt.ku.dk/jesper/ELSave/" http://www.ibt.ku.dk/jesper/ELSave/ [Accessed 31 July 2011]. ISS, 2008. Threat List. [Online] Available at: HYPERLINK "http://xforce.iss.net/xforce/alerts/id/168" http://xforce.iss.net/xforce/alerts/id/168 [Accessed 31 July 2011]. Kurose, J.F. & Ross, K.W., 2008. Computer Networking: A Top-Down Approach. 4th ed. Addison Wesley. Management Link, 2011. NetBIOS Datagram Service. [Online] Available at: HYPERLINK "http://www.managementlink.com/index.php/business-glossaries/Protocols-Glossary-8/N/NetBIOS-Datagram-Service-6419/" http://www.managementlink.com/index.php/business-glossaries/Protocols-Glossary-8/N/NetBIOS-Datagram-Service-6419/ [Accessed 4 August 2011]. Microsoft, 1998. Windows 2000 is a name that reflects NT's continued move to the technology mainstream.Windows 2000 is a name that reflects NT's continued move to the technology mainstream. [Online] Available at: HYPERLINK "http://www.microsoft.com/presspass/features/1998/10-27winma.mspx" http://www.microsoft.com/presspass/features/1998/10-27winma.mspx [Accessed 5 August 2011]. Microsoft, 2000. Gates Ushers in Next Generation of PC Computing With Launch of Windows 2000. [Online] Available at: HYPERLINK "http://www.microsoft.com/presspass/press/2000/Feb00/W2Kgatespr.mspx" http://www.microsoft.com/presspass/press/2000/Feb00/W2Kgatespr.mspx [Accessed 4 August 2011]. Microsoft, 2010. Auditpol. [Online] Available at: HYPERLINK "http://technet.microsoft.com/en-us/library/cc731451%28WS.10%29.aspx" http://technet.microsoft.com/en-us/library/cc731451%28WS.10%29.aspx [Accessed 31 July 2011]. Miles, S., 2000. Windows 2000 service pack nearing release. [Online] Available at: HYPERLINK "http://www.zdnetasia.com/windows-2000-service-pack-nearing-release-13024785.htm" http://www.zdnetasia.com/windows-2000-service-pack-nearing-release-13024785.htm [Accessed 4 August 2011]. Moore, R., 2006. Cybercrime: Investigating high technology computer crime. 1st ed. Cincinnati: Anderson Publishing. MUTS, 2010. Netcat 101. [Online] Available at: HYPERLINK "http://www.leetupload.com/database/Misc/Papers/NetCat_new.pdf" http://www.leetupload.com/database/Misc/Papers/NetCat_new.pdf [Accessed 31 July 2011]. Netcat, 2011. Netcat 1.10. [Online] Available at: HYPERLINK "http://nc110.sourceforge.net" http://nc110.sourceforge.net [Accessed 4 August 2011]. Netcat, 2011. Netcat 1.10. [Online] Available at: HYPERLINK "http://nc110.sourceforge.net/" http://nc110.sourceforge.net/ [Accessed 31 July 2011]. Network Sorcery, 2011. ICMP, Internet Control Message Protocol. [Online] Available at: HYPERLINK "http://www.networksorcery.com/enp/protocol/icmp.htm" http://www.networksorcery.com/enp/protocol/icmp.htm [Accessed 31 July 2011]. Nmap, 2011. Nmap: The Art of Port Scanning. [Online] Available at: HYPERLINK "http://nmap.org/nmap_doc.html" http://nmap.org/nmap_doc.html [Accessed 3 August 2011]. Read More