Microsoft Security Models and Exploits


Microsoft has used two models in its security:

  • Domain model

  • Active Directory domain model

The domain model is found in NT 4.0 or earlier. It has a primary domain controller (PDC) and one or more backup domain controllers (BDCs) that you can promote if the PDC fails. The PDC maintains all the accounts for the domain in a Security Accounts Manager (SAM) database that is synchronized with the BDC servers. An enterprise might have more than one domain, with trusts set up between them.

The Active Directory (AD) model is found in Windows 2000 and Windows 2003. This model is hierarchical, and network resources are stored as objects in a Jet database for ease of administration. In the AD model, you can have multiple domain controllers (DCs), and all user accounts are replicated across the DC servers. The hierarchy is built from forests, trees, and organizational units. Within organizational units are objects such as printers and user accounts.

Regardless of the model used, the underlying kernel is similar among all Windows server platforms. However, with each new release of Windows, Microsoft hardens its server, making it more difficult for malicious hackers to attack its systems.

Elevation Techniques

As with Linux, many of the attacks against Microsoft Windows do not work unless you first have administrator access. To gain it, you need an elevation technique that promotes your access from that of a normal user to that of a user with administrator privileges. Two tools for doing this are as follows:

  • PipeUpAdmin

  • HK

PipeUpAdmin

PipeUpAdmin exploits a Windows 2000 Named Pipes bug to execute commands with SYSTEM privileges. PipeUpAdmin takes the account you are using, regardless of its current privilege level, and adds it to the local Administrator group. For example, if you are a normal user named pentest who does not have Administrator privileges, you can execute PipeUpAdmin and add yourself to the local Administrator group, as demonstrated in Example 13-3.

Example 13-3. Using PipeUpAdmin to Gain Administrator Privileges

c:\>pipeupadmin

PipeUpAdmin
Maceo <maceo @ dogmile.com>
Copyright 2000-2001 dogmile.com

The ClipBook service is not started.
More help is available by typing NET HELPMSG 3521.

Impersonating: SYSTEM
The account: CP\pentest has been added to the Administrators group.

c:\>

HK

HK is a demonstration exploit for the NT Local Procedure Call (LPC) bug addressed by Microsoft in http://www.microsoft.com/technet/security/bulletin/ms00-003.asp. It allows any local user to execute a command with SYSTEM privileges, regardless of that user's privilege level. Its syntax is simple:

hk command

For example, if you are able to gain access to a system as the user named pentest but do not have Administrator rights, you can add yourself to the Administrator group with the following command:

c:\>hk cmd /c net localgroup Administrators /add pentest
lsass pid & tid are: 47 -48
NtImpersonateClientofPort succeeded

HK works only on NT and unpatched Windows 2000 systems.
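Both PipeUpAdmin and HK end the same way: the attacker's account is added to the local Administrators group. That makes the group's membership a useful thing to check on a schedule, independently of whether the exploit itself was noticed. The following Python script is an added example (not from the book or from either tool) that parses the text format printed by `net localgroup Administrators` and compares it against a recorded baseline. The sample output and the baseline set are constructed for this example; `check_live_system` is the only part that needs a Windows host.

```python
"""Baseline check for the local Administrators group (added example).

Parses the output of `net localgroup Administrators` and reports members
that are not in a previously recorded baseline. The sample output below is
constructed to show the state after an account named pentest was added.
"""
import subprocess

# Constructed sample of `net localgroup Administrators` output.
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Domain Admins
pentest
The command completed successfully.
"""

# Membership recorded on a known-good build of the same host (constructed).
BASELINE = {"Administrator", "Domain Admins"}


def parse_localgroup(text: str) -> set[str]:
    """Return the member names listed in `net localgroup <group>` output.

    Member names start after the dashed separator line and end at the
    'The command completed successfully.' trailer.
    """
    members = set()
    in_members = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("-----"):
            in_members = True
            continue
        if line.startswith("The command completed"):
            break
        if in_members:
            members.add(line)
    return members


def unexpected_admins(text: str, baseline: set[str]) -> set[str]:
    """Members present in the current listing but absent from the baseline."""
    return parse_localgroup(text) - baseline


def check_live_system(baseline: set[str]) -> set[str]:
    """Run the real command on a Windows host and diff it against baseline."""
    out = subprocess.run(
        ["net", "localgroup", "Administrators"],
        capture_output=True, text=True, check=True,
    ).stdout
    return unexpected_admins(out, baseline)


if __name__ == "__main__":
    added = unexpected_admins(SAMPLE_OUTPUT, BASELINE)
    print("Unexpected Administrators members:", sorted(added))
```

Run against the constructed sample this reports `pentest`; on a real host, call `check_live_system(BASELINE)` with a baseline captured when the machine was built, and treat any non-empty result as something to investigate rather than silently re-baseline.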

Rootkits

Probably the most popular rootkit for Windows platforms is the NT Rootkit. Unlike the Linux rootkits mentioned earlier, the NT Rootkit does not contain many tools or replace system files. Instead, the NT Rootkit lets you choose which files you want to hide. These can be Trojans or backdoor utilities such as SubSeven or NetCat. See Chapter 12, "Using Trojans and Backdoor Applications," for more information on Trojans.

The NT Rootkit comes with two files:

  • deploy.exe

  • _root_.sys

You need to copy both of these files to your target system and run the deploy executable. This installs a new service called _root_. You can start the service with the following command:

c:\>net start _root_

To stop the service, type the following:

c:\>net stop _root_

At this point, you can hide any file whose name begins with _root_. For example, to hide the popular backdoor utility NetCat, rename it to _root_nc.exe. While the service is running, the renamed file does not show up in a directory listing. This is an excellent way to hide the fact that you have compromised a server.
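Because the NT Rootkit hides by filtering what the running system's directory-listing API returns, a listing taken on the live machine cannot be trusted to find the hidden files. The standard defensive approach is a cross-view diff: compare the live listing with one obtained without going through the subverted API (an offline mount of the disk, a raw file-system walk, or an inventory recorded before the service was installed) and flag anything present in only one view. The Python below is an added example of that comparison (not from the book or from the rootkit); the two listings and the WINNT paths are constructed, and `_root_` is the prefix named above.

```python
"""Cross-view detection of files hidden by a name-prefix rootkit (added example).

Compares an inventory reported by the live (possibly subverted) system with a
trusted inventory of the same volume and reports entries that only the
trusted view contains, plus any name carrying the rootkit's hiding prefix.
"""
import os
from dataclasses import dataclass, field

SUSPECT_PREFIX = "_root_"   # hiding prefix used by the NT Rootkit


@dataclass
class Finding:
    hidden: list[str] = field(default_factory=list)       # in trusted view only
    prefix_hits: list[str] = field(default_factory=list)  # names using the prefix


def basename(path: str) -> str:
    """Last path component, accepting Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def cross_view(api_view, offline_view, prefix=SUSPECT_PREFIX) -> Finding:
    """Diff two inventories of the same volume.

    api_view:     paths as reported by the running system (may be filtered)
    offline_view: paths from a source the rootkit cannot filter
    """
    api, offline = set(api_view), set(offline_view)
    return Finding(
        hidden=sorted(offline - api),
        prefix_hits=sorted(p for p in api | offline
                           if basename(p).startswith(prefix)),
    )


def api_listing(root: str) -> set[str]:
    """Collect the live view with os.walk; run this on the suspect host."""
    return {os.path.join(dp, f) for dp, _, files in os.walk(root) for f in files}


# Constructed sample: what the subverted system shows ...
API_VIEW = {
    r"C:\WINNT\system32\cmd.exe",
    r"C:\WINNT\system32\drivers\ntfs.sys",
    r"C:\Temp\report.txt",
}
# ... and what a trusted offline view of the same volume contains.
OFFLINE_VIEW = API_VIEW | {
    r"C:\WINNT\system32\drivers\_root_.sys",
    r"C:\Temp\_root_nc.exe",
}

if __name__ == "__main__":
    result = cross_view(API_VIEW, OFFLINE_VIEW)
    for path in result.hidden:
        print("hidden from live view:", path)
    for path in result.prefix_hits:
        print("suspicious prefix    :", path)
```

The `hidden` list is the stronger signal: it does not depend on the attacker keeping the default prefix, only on the trusted view being collected without the rootkit's driver loaded. The prefix match is a cheap secondary check for the specific tool described here.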


Penetration Testing and Network Defense
ISBN: 1587052083
Year: 2005
Pages: 209