How to Hack Windows
Kurt Seifried
Security in a Microsoft environment is hard. Even if you do everything
right, there is still a window of opportunity for attackers while
Microsoft is working on security fixes. You can, however, harden
your network quite a bit and keep most attackers out (and keep internal
threats to a minimum). Something that comes as a surprise to many
administrators is the number of "hacking" tools available
for breaking into Windows networks, tools that also help an attacker
leverage more access once in and clean up the evidence afterwards.
If you are concerned about security, you should get rid of any
Windows 9x and ME machines as soon as possible. This is something
most enterprises have done, using NT and now Windows 2000. However,
as networks expand and people connect via VPNs from home or while
on the road, Windows 9x and ME may creep back "into" your
network (if they are attached via VPN, then logically they are part
of the LAN).
Boot Time
If an attacker can reboot the machine and boot from removable
media, the game is already over: the attacker can then read and
modify the contents of the system as desired. There are programs
that allow modification of the administrator password, and there
is a DOS driver for NTFS (NTFSDOS) that makes manipulating and copying
files trivial (you could also do this with a Linux boot disk). Other
available tools are "Remote Recover" and "NT Recover";
you can use them to boot "dead" NT machines, or one you
want to break into. An attacker could boot the machine and back
up the password database (or simply grab C:\Winnt\repair\sam._,
the compressed copy of the SAM that rdisk /s writes to the repair
directory, and run L0phtCrack against it; this copy is only as current
as the last time rdisk was run, but that is usually current enough).
Then, the attacker could use Locksmith to replace the administrator
password, boot the system, create another "superuser account",
reset the administrative password to what it was, and clean up his
tracks (using something like WinZapper, discussed later). Locking
down the BIOS and restricting what the machine can boot from requires
a lot of effort (each machine must be visited) but can prevent many
problems.
Removable Media and Communication Ports
Unfortunately, restricting access to removable media and communications
ports through the BIOS is not a solution for most environments:
you would need to send a technician out to reboot the machine, enter
the password, and make suitable modifications. An attacker (or careless
user) can attach a modem to a system and configure it for dial-in
access. This is great for working from home, but can also provide
a nice back door for an attacker. Parallel ports can be used to attach
external CD burners, making theft of sensitive material that much
easier. Most offices would not look twice at someone carrying a CD
home, but many would notice if you started sending out gigabytes
of files via email or ftp (or so one would hope).
Since there is no built-in facility for this type of access control
in Windows, you must purchase third-party commercial software. One
such package is SecureNT, which allows you to restrict access to
specific removable media and communications ports by user or group,
and can be centrally controlled over the network. Even the venerable
floppy disk can be used to move data out; SecureNT has an option
to log what is copied to floppy disk and keep a copy in a protected
directory (you can later check these directories for sensitive information).
Executable Content
Hacking into Windows 9x and ME is relatively easy because once
you get past any perimeter security and execute a piece of code
on the target machine, you can do pretty much anything. There is
no concept of users or file security in Windows 9x or ME; practically
speaking, everyone has administrator privileges. Windows NT is just
as bad by default. The default file permission on the NT installation
directory (usually C:\Winnt\) is Everyone:Full Control, and
critical directories such as System32 have Everyone:Change permissions.
Unless you tighten these permissions, the same situation occurs:
any code that is executed can easily modify system components, giving
an attacker full access. Unfortunately, many programs, such as Microsoft
Office and the Corel Office suite, want to write files to directories
such as System32, so restricting access to them can cause problems.
So, how does the remote attacker get code to run on your machine?
A favorite method is to send the code via email, and we all know
how successful several email-borne viruses have been. There are
a number of flaws in popular email programs, such as Outlook, Eudora,
and Netscape; older versions can be made to execute content without
prompting the user, so keeping these up to date is important. The
next step would be to use an anti-virus scanner. However, if the
attacker is using a new or sufficiently modified virus, he can usually
slip it past anti-virus software. A common problem with anti-virus
software is that although it can usually uncompress and scan most
file formats, there are many formats that are not supported.
One that got some attention recently was NeoLite; NeoLite allows
a developer to compress binaries and ship them to end users, which
worked surprisingly well for viruses also (a scanner that cannot
unpack the format never sees the virus signature). A defender can
then use software such as Finjan's SurfinShield, which actively monitors
what downloaded content is trying to do and helps prevent code
from, say, formatting your hard drive. This also applies to Web pages;
users can easily be enticed to visit Web pages where executable
content can be placed. Older versions of both Netscape and MSIE
contain numerous flaws in their Java and JavaScript implementations
that attackers can exploit.
Ironically, some "security" programs can be used to
gain administrative privileges. McAfee VirusScan 4.5 under NT starts
up a service that scans data for viruses; however, they forgot to
quote the path to the executable. When a service path containing
spaces is not quoted, Windows tries each space-delimited prefix of
the path (with .exe appended) until it finds a file, so if you place
a binary called "common.exe" in the C:\Program Files\ directory,
that program will be run at start time instead of the real scanner.
Since the service runs with "Local System" privileges, the planted
program can do just about anything. Fortunately, the default
permissions in Windows 2000 make this harder, since ordinary users
cannot create files in the root of Program Files there. One defense
newly available to prevent users from running malicious programs
is SecureExe. SecureExe is relatively simple in concept. First, a
database is created containing the program name (and full path) and
a cryptographically secure hash (using SHA1). Then, when a user tries
to run a program, it must match the name and, more importantly, it
must match the hash recorded for that program. This prevents attackers
and users from replacing a binary on their system (such as notepad.exe)
and then asking an administrator to troubleshoot a problem that results
in the administrator running the trojaned program in question.
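The two mechanisms in the paragraph above, an unquoted service path and a SecureExe-style name-plus-hash allowlist, as an added example in Python. This is not code from the article, from McAfee, or from SecureWave; the service path, the list of user-writable directories and the file contents are constructed for the example. The candidate-path rule is the one Windows applies when it resolves an unquoted command line: each prefix ending at a space is tried, with .exe appended, before the next.

```python
"""Added example: where an unquoted service path can be hijacked, and how a
name-plus-SHA-1 allowlist (the SecureExe idea) stops the planted binary.

All paths, directories and file contents below are constructed for the
example; no real product's install path is implied.
"""
import hashlib
import hmac
import ntpath


def unquoted_path_candidates(image_path: str) -> list[str]:
    """Return the files Windows tries, in order, for a service ImagePath.

    CreateProcess splits an unquoted command line at each space and tries
    the prefix (with ".exe" appended when it has no .exe extension) before
    moving on to the next space.  A properly quoted path yields one candidate.
    """
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return [s[1:end] if end > 0 else s[1:]]
    prefixes = [s[:i] for i, ch in enumerate(s) if ch == " " and s[i - 1] != " "]
    prefixes.append(s)
    return [p if p.lower().endswith(".exe") else p + ".exe" for p in prefixes]


def _norm_dir(d: str) -> str:
    # lower-case, backslashes, trailing '\' so "C:\" and "C:\Program Files" compare cleanly
    return ntpath.normcase(ntpath.join(d, ""))


def hijack_points(candidates: list[str], user_writable_dirs: list[str]) -> list[str]:
    """Candidates whose directory an ordinary user can write to.

    Each of these is tried before the real executable, so creating a file
    with that name runs the attacker's code under the service's account.
    """
    writable = {_norm_dir(d) for d in user_writable_dirs}
    return [c for c in candidates if _norm_dir(ntpath.dirname(c)) in writable]


def build_allowlist(files: dict[str, bytes]) -> dict[str, str]:
    """Full path -> SHA-1 of the approved binary (the SecureExe database)."""
    return {ntpath.normcase(path): hashlib.sha1(data).hexdigest()
            for path, data in files.items()}


def may_run(allowlist: dict[str, str], path: str, contents: bytes) -> bool:
    """Allow execution only if BOTH the path and the hash are on the list."""
    expected = allowlist.get(ntpath.normcase(path))
    if expected is None:
        return False
    actual = hashlib.sha1(contents).hexdigest()
    return hmac.compare_digest(actual, expected)


# --- constructed demonstration data -------------------------------------
SERVICE_PATH = r"C:\Program Files\Common Files\Example Vendor\scan.exe"
# NT 4.0 default ACLs let Everyone create files in these directories
# (Windows 2000 tightens Program Files, which is why it is harder there).
USER_WRITABLE = ["C:\\", r"C:\Program Files"]

GOOD_NOTEPAD = b"MZ...original notepad image..."      # constructed bytes
TROJAN = b"MZ...attacker's replacement..."            # constructed bytes
ALLOWLIST = build_allowlist({r"C:\WINNT\notepad.exe": GOOD_NOTEPAD})

if __name__ == "__main__":
    cands = unquoted_path_candidates(SERVICE_PATH)
    for c in cands:
        print("tries:", c)
    print("hijackable:", hijack_points(cands, USER_WRITABLE))
    print("original notepad allowed:", may_run(ALLOWLIST, r"C:\WINNT\notepad.exe", GOOD_NOTEPAD))
    print("trojaned notepad allowed:", may_run(ALLOWLIST, r"C:\WINNT\notepad.exe", TROJAN))
    print("same bytes, other name  :", may_run(ALLOWLIST, r"C:\WINNT\system32\calc.exe", GOOD_NOTEPAD))
```

For the constructed path the first two candidates, C:\Program.exe and C:\Program Files\Common.exe, land in directories Everyone can write to on a default NT 4.0 install, which is exactly the situation the VirusScan advisory describes. The allowlist check refuses both a replaced notepad.exe and the original bytes under a name that is not in the database, because the path and the hash must match together.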
File and Registry Permissions
The default settings in NT's file permissions and registry
ACLs make it exceedingly easy for an attacker to gain access, elevate
privileges, modify the system, and place trojans. Generally speaking,
you can change the permissions from "Everyone" to "Authenticated
Users"; however, this will still allow any logged-in user to
modify most files. The next step would be to change the "Authenticated
Users" permissions from Change to Read; however, there are
numerous files and directories in C:\WINNT and C:\Program
Files to which users must be able to write for applications
to work properly. The "Cookies" directory and "Temporary
Internet Files" must be writeable if you want the user to be
able to browse the Web, for example. This will only keep out honest
users; an attacker may attempt to boot the machine from a floppy
disk, or use some local or remote exploit to gain more access. The
same goes for permissions on the registry: the default permissions
are reasonable, but they could be tightened up considerably.
Using the built-in tool, regedt32, is a bad idea if you want to
change many registry permissions, because you must click on each
key and change the permissions by hand. A much better solution is
to download the free version of RegDACL (or buy the full version)
and script any changes (chances are you will want to make the same
changes on all your machines). In most cases, you can change "Everyone"
to "Authenticated Users"; however, you should back up
your registry first. One critical component of NT is the SAM (Security
Accounts Manager). This is rather unprotected by default, with a
copy of the SAM database sitting in C:\WINNT\repair\sam._.
To protect this, you can change the permissions on the repair directory,
but you should also enable strong encryption of the password hashes
in the SAM with syskey (available from NT 4.0 Service Pack 3 onward
and enabled by default on Windows 2000; once you have done this
you cannot go back). Simply run the "syskey" program and
choose "Encryption Enabled". Note that with the default
option the syskey key is itself stored on the local disk, so this
raises the bar for an attacker who has the sam._ file or physical
access to the machine, but does not remove the risk.
The Network
There are several extremely popular network services for NT:
file and print services (in which I also include authentication
services, etc.), IIS (WWW primarily), Exchange, and MS-SQL. I'll
start with the file and print sharing and authentication services
since everything else ties into those. If a remote user can connect
to the server's NetBIOS ports (137 to 139: UDP 137 and 138, TCP 139;
on Windows 2000 also TCP 445, which carries SMB directly over TCP),
then he or she can find out almost everything about your server
and the domain it is in. Using a tool such as CIS, it is possible
to get a list of every user, group, and group membership, when the
password on an account was last changed, and how many times the
account has logged on. This is invaluable information for attackers.
They can attempt to brute force passwords on accounts, and unless
you have enabled auditing for failed logons, you won't ever notice.
Also, the default password policy is very lax, and even if you do
tighten it in User Manager, you can only specify length and age.
You cannot specify requirements such as "must contain upper and
lower case characters as well as numbers" unless you install the
Passfilt.dll password filter that ships with NT 4.0 Service Pack 2
and later (it enforces at least six characters drawn from three of
the four character classes). Attackers will also be able to glean
information such as shares, the number and layout of disks, which
service pack is installed, and more.
Here is part of a scan of an NT Web server that I chose at random
(names have been changed to protect the not-so-innocent):
Group Information
Group Name : Domain Admins
Users
Administrator
michael
poor
william2
Group Name : Domain Guests
Users
Guest
Group Name : Domain Users
Users
Administrator
LITTLEMAN$
IUSR_LITTLEMAN
IWAM_LITTLEMAN
michael
poor
scotty
william
michelle
john
SQLAgentCmdExec
william2
tempadmin
tempadmin2
tempadmin3
happyfry
Additionally, we have:
WARNING - Null session can be established to \\10.3.0.10\IPC$
Share Name :C$
Share Type :Default Disk Share
Comment :Default share
Share Name :E$
Share Type :Default Disk Share
Comment :Default share
Share Name :F$
Share Type :Default Disk Share
Comment :Default share
Share Name :G$
Share Type :Default Disk Share
Comment :Default share
Share Name :H$
Share Type :Default Disk Share
Comment :Default share
Share Name :I$
Share Type :Default Disk Share
Comment :Default share
Share Name :littleman_net
Share Type :Disk
Comment :
I'd be willing to bet they also have a CD-ROM drive that is D:.
Fortunately they did not have any file shares open; but if they had,
it might look something like:
Share Name :wwwroot
Share Type :Disk
Comment :
Share Name :data
Share Type :Disk
Comment :
Share Name :PWRCHUTE
Share Type :Disk
Comment :
Share Name :print$
Share Type :Disk
Comment :Printer Drivers
From this, we learn that the server has a printer and is on a UPS
(an APC, using PowerChute software). This means that the second an
attacker gains access to your network (trojan sent via email, dial-up
modem that isn't secure, improperly configured firewall, etc.), the
attacker can very quickly make a comprehensive listing of what is
on your network: your users, disk shares, and so forth. Firewalling
ports 135 to 139 (135 is Microsoft's RPC endpoint mapper), plus TCP
445 for Windows 2000, at your firewall (both inbound and outbound)
is absolutely critical. If inbound access is allowed, attackers can
very quickly map your network. If outbound access is allowed, a variety
of techniques (an image in an email or Web page that points at a
\\attacker\share UNC path, for example) can be used to make an internal
workstation try to authenticate to an attacker's server, revealing
the username and the LM/NTLM challenge-response, which L0phtCrack
can then crack offline to recover the password.
You should also disable anonymous connections. Fortunately, this
isn't too difficult. Simply go to the "HKEY_LOCAL_MACHINE"
hive and in \System\CurrentControlSet\Control\Lsa create
a REG_DWORD called "RestrictAnonymous" with the value
of "1" (Windows 2000 also accepts "2", which refuses all
anonymous access without explicit permissions but breaks browsing
and some trust relationships, so test it first). Unfortunately, with
"1" attackers can still use the IPC$ share to find out some things
about the server's configuration. Although the IPC$ share can easily
be disabled, doing so will break many things (such as logging in
to the network). You should probably only delete the IPC$ share on
Web servers and other machines that you will not be logging into.
On the machine in question, simply run net share IPC$ /delete. Because
the Server service recreates the share every time it starts, you
should put this in a .bat file and have it run at startup. To disable
the automatic administrative shares (such as C$, D$), go to the
"HKEY_LOCAL_MACHINE" hive and in
\System\CurrentControlSet\Services\LanmanServer\Parameters
create a REG_DWORD called "AutoShareServer" (for NT Server)
or "AutoShareWks" (for NT Workstation) with the value
"0"; this takes effect the next time the Server service starts.
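An added example, in Python, of checking a machine for the two registry values above and producing the .reg fragment that sets them; it is not code from the article or from Microsoft. It works on the text that regedit /e writes, so it can be run on an exported key from any machine without touching the live registry. The sample export embedded in it is constructed to look like an untouched NT 4.0 Server install, and the assumption that a missing RestrictAnonymous behaves as 0 and a missing AutoShareServer/AutoShareWks behaves as 1 is the documented default.

```python
"""Added example: audit an exported registry fragment for the null-session
hardening values, and emit the .reg fragment that fixes them.

On a real NT 4.0 / Windows 2000 machine the input would come from:
    regedit /e lsa.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
    regedit /e srv.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
and the output of hardening_reg() would be applied with "regedit /s fix.reg".
SAMPLE_EXPORT below is constructed for the example.
"""
import re

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
LANMAN_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')


def parse_reg(text: str) -> dict[str, dict[str, object]]:
    """Minimal parser for REGEDIT4 / 'Windows Registry Editor' exports.

    Returns {key (lower-cased): {value name (lower-cased): value}}.
    dword values become ints, quoted strings become str; anything else
    (hex(7) multi-strings, binary) is kept as the raw text.
    """
    keys: dict[str, dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith("REGEDIT") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, val = m.group("name").lower(), m.group("val")
        if val.lower().startswith("dword:"):
            keys[current][name] = int(val[6:], 16)
        elif len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            keys[current][name] = val[1:-1]
        else:
            keys[current][name] = val
    return keys


def audit_null_session_settings(reg_text: str, is_server: bool = True) -> list[tuple[str, object, str]]:
    """Return (value name, value found, why it matters) for each weak setting.

    A missing value is reported with the default NT applies in its absence
    (RestrictAnonymous 0, AutoShareServer/AutoShareWks 1).
    """
    keys = parse_reg(reg_text)
    findings = []
    restrict = keys.get(LSA_KEY.lower(), {}).get("restrictanonymous", 0)
    if not isinstance(restrict, int) or restrict == 0:
        findings.append(("RestrictAnonymous", restrict,
                         "null sessions can list users, groups and shares"))
    share_value = "AutoShareServer" if is_server else "AutoShareWks"
    auto = keys.get(LANMAN_KEY.lower(), {}).get(share_value.lower(), 1)
    if not isinstance(auto, int) or auto != 0:
        findings.append((share_value, auto,
                         "administrative shares (C$, D$, ...) are recreated whenever the Server service starts"))
    return findings


def hardening_reg(is_server: bool = True, restrict_anonymous: int = 1) -> str:
    """Build the .reg text that sets both values; restrict_anonymous=2 is Windows 2000 only."""
    share_value = "AutoShareServer" if is_server else "AutoShareWks"
    return "\n".join([
        "REGEDIT4",
        "",
        f"[{LSA_KEY}]",
        f'"RestrictAnonymous"=dword:{restrict_anonymous:08x}',
        "",
        f"[{LANMAN_KEY}]",
        f'"{share_value}"=dword:00000000',
        "",
    ])


# Constructed export resembling an untouched NT 4.0 Server: neither hardening
# value is present, so the defaults (0 and 1) apply.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"Bounds"=hex:00,30,00,00,00,20,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"NullSessionPipes"=hex(7):43,4f,4d,4e,41,50,00,00
"Size"=dword:00000003
"""

if __name__ == "__main__":
    for name, value, why in audit_null_session_settings(SAMPLE_EXPORT, is_server=True):
        print(f"WEAK  {name}={value}: {why}")
    print("\n--- fix.reg ---\n" + hardening_reg(is_server=True))
```

Running the audit over the output of hardening_reg() returns no findings, which is the round trip you want before pushing the fragment to every machine; passing is_server=False to the audit of a server-style fragment shows why the workstation and server value names must not be mixed up.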
IIS
IIS has a terrible history of security problems. The most recent
(as of late October) is the Unicode vulnerability, which allows
an attacker to traverse out of the Web root and run commands such
as cmd.exe in the context of the anonymous Web user (IUSR_machinename);
combined with one of the local tricks below, this makes it trivial
in most environments to take over the machine. If an attacker has
local access (or worse yet a valid user account), there are numerous
tricks that can be used to gain administrative privileges. Even
Microsoft's own Web servers have been hit a few times with vulnerabilities,
some of which they fixed months ago. The best security measure you
can take with IIS is to religiously keep the software up to date.
The next step would be to check out Microsoft's security page
for products, get IISLock.exe, and use it. You should also get the
security checklists for IIS 4 and 5. Also disable the server-side
include #exec directive so that malicious Web authors can't call
system commands (the checklists cover this: the SSIEnableCmdDirective
REG_DWORD under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC\Parameters,
set to "0", disables #exec cmd). A bug found in IIS 4.0 allows anyone
who can place an asp file on the server to run any command as SYSTEM.
At Web hosting sites with tens of thousands of sites, where every
customer can upload asp files, this can be very destructive. The
trigger is simply:
<SCRIPT LANGUAGE="[large_buffer_of_2220_characters_or_more]" \
RUNAT="Server"></SCRIPT>
This is also available in a conveniently packaged zip file; see the
resource links at the end of this article.
MS-SQL
MS-SQL's biggest problem is that by default the "sa"
account has no password. The sa account has a lot of power; it can
create, drop, and modify tables. More importantly (to an attacker),
it can run system commands on the server through the xp_cmdshell
extended stored procedure, which executes them with the privileges
of the SQL Server service account (often LocalSystem), making it
trivial for an attacker to get administrator privileges. Most of
the servers running MS-SQL that are connected directly to the Internet
(e.g., at co-hosting facilities) seem to have no sa password (I was
unable to find one that was protected in my quick searching). This
makes it trivial for an attacker to take over your server. Set an sa
password and keep the SQL Server port (TCP 1433 by default) behind
the firewall; see the resource links below for information on how
to password the account.
Exchange Server
Exchange Server also has numerous problems (or "features",
according to MS). For example, Exchange accepts incoming email based
only on the domain (e.g., example.org), not the full email address
(user@example.org), so there is no way to accept incoming email
for valid users only. Because the default is to attempt delivery
for 48 hours, any single piece of email sent to a non-existent
user will sit in the queue for two days. Thus, it is trivial to
send several hundred thousand emails to non-existent users on the
system and cause severe problems. To remove the emails, you must
stop the server, check the log files, and manually remove all the
messages, which is basically an impossible task. Another option
is to shorten the delivery-attempt time; however, this won't
prevent the emails from coming in and taking up space on the system.
One permanent solution is to place a mail gateway in front of the
Exchange server, which can validate incoming email by user as well
as domain name and reject email bound for a non-existent user at
the SMTP RCPT TO stage, before the message body is ever accepted.
This will also reduce exposure of the Exchange server and make it
much harder for an attacker to exploit its security flaws.
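The gateway behaviour described above, as an added example in Python (not Exchange's code or any product's). It runs the same batch of RCPT TO arguments through two policies: the domain-only acceptance the article attributes to Exchange, and a directory lookup that rejects unknown users with a 550 before DATA. The local domain, mailbox list and recipient batch are constructed for the example.

```python
"""Added example: recipient validation at a mail gateway in front of Exchange.

domain_only_policy  - accept any user at a local domain (the behaviour the
                      article describes), leaving bogus mail to sit in the
                      queue for the retry period.
directory_policy    - accept only mailboxes that exist; everything else is
                      refused at RCPT time, so no message is ever queued.
The domain, directory and recipient batch below are constructed.
"""
import re
from collections import Counter

LOCAL_DOMAINS = {"example.org"}
DIRECTORY = {"michael", "william", "scotty", "michelle"}   # constructed mailbox list

# RCPT argument forms: "TO:<user@host>", "<user@host.>", "user@host"
_ADDR_RE = re.compile(r"^(?:TO:)?\s*<?\s*([^<>@\s]+)@([^<>@\s]+?)\.?\s*>?$", re.IGNORECASE)


def parse_rcpt(arg: str):
    """Split the argument of an SMTP RCPT command into (user, domain), or None."""
    m = _ADDR_RE.match(arg.strip())
    if not m:
        return None
    return m.group(1).lower(), m.group(2).lower()


def domain_only_policy(arg: str) -> tuple[int, str]:
    """Accept anything at a local domain; unknown users are discovered later."""
    parsed = parse_rcpt(arg)
    if parsed is None:
        return 501, "Syntax error in parameters"
    _user, domain = parsed
    if domain not in LOCAL_DOMAINS:
        return 550, "Relaying denied"
    return 250, "OK"


def directory_policy(arg: str) -> tuple[int, str]:
    """Accept only recipients that exist in the directory; reject the rest before DATA."""
    parsed = parse_rcpt(arg)
    if parsed is None:
        return 501, "Syntax error in parameters"
    user, domain = parsed
    if domain not in LOCAL_DOMAINS:
        return 550, "Relaying denied"
    if user not in DIRECTORY:
        return 550, "User unknown"
    return 250, "OK"


def queued_messages(policy, rcpt_args) -> int:
    """How many messages a server using `policy` would accept and have to queue."""
    return sum(1 for a in rcpt_args if policy(a)[0] == 250)


def run_batch(policy, rcpt_args) -> Counter:
    """Reply-code histogram for a batch of RCPT arguments."""
    return Counter(policy(a)[0] for a in rcpt_args)


# Constructed attack batch: two real users, dictionary-style guesses, a relay
# attempt and one malformed argument.
BATCH = ["<michael@example.org>", "<scotty@example.org>",
         "<aaron@example.org>", "<aaron1@example.org>", "<abe@example.org>",
         "<admin@example.org>", "<bob@example.org>", "<carol@example.org>",
         "<victim@other.example.net>", "not an address"]

if __name__ == "__main__":
    for name, policy in (("domain-only (Exchange)", domain_only_policy),
                         ("directory lookup (gateway)", directory_policy)):
        print(f"{name:28s} queued={queued_messages(policy, BATCH)} "
              f"codes={dict(run_batch(policy, BATCH))}")
```

With the domain-only policy eight of the ten messages are accepted and would occupy the queue for the retry period; with the directory lookup only the two real mailboxes get through. One caveat a practitioner should weigh: rejecting at RCPT time lets a remote sender tell valid addresses from invalid ones, though the non-delivery reports Exchange sends back reveal the same thing, so the gateway does not make enumeration worse.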
Trojans and Cleanup
Once an attacker has broken in, they may choose to simply deface
your Web site or commit some other act of vandalism; we hope they
will do something extremely obvious that results in someone noticing
the intrusion. A savvy attacker will put backdoors into the system;
these may range from Back Orifice 2000, which offers extensive control,
to tini, a 3k backdoor coded in assembler. There are also "legitimate"
backdoors that could be placed: they could simply install a service
such as IIS with known remote holes. To make matters worse, there
is now a publicly accessible tool called WinZapper, which allows
attackers to selectively delete entries from the Security event log
once they have gained administrator access. The good news is that
the public version of the tool is limited: once the event log has
been modified, the Event Viewer will not work until the machine is
rebooted, and a file called "dummy.dat" is left over, which contains
an original copy of the event log. However, modified versions of
WinZapper without these limitations will be available to some attackers.
So, you cannot rely on log files once an attacker has gained administrator
access (this is also true by default on most UNIX systems). The
practical defense is to get the logs off the machine before they can
be edited, for example by scheduling DumpEvt (see the resources) to
export the event logs to a central server that the compromised machine
cannot overwrite, so that a locally edited log can be compared against
the copy. Finally, many attackers will install a network sniffer,
allowing them to snoop passwords (see Sys Admin's May 2000 edition
for Crypto 101). The other way to help prevent sniffing is to use
switches instead of hubs, but this is by no means completely secure.
Summary
Microsoft products are generally designed for ease of use and
features instead of security. This approach sells software, but
it has also created a legacy of insecure computer systems that are
extremely difficult to secure. With the proliferation of Web sites,
it is now possible for someone with almost no computer experience
(beyond double-clicking and using a Web browser) to break into many
machines. It is also becoming increasingly common for people to
post security advisories without contacting the vendor. This increases
the window of exposure between the problem being announced and a
fix being available. Currently, most installations do not have very
deep defenses. It is becoming increasingly critical to address security
issues as more avenues of attack are opened up to attackers by new
technologies.
Resources
http://ntsecurity.nu/toolbox/ -- WinZapper, winfo,
DelGuest, FakeGINA, and more
http://www.cerberus-infosec.co.uk/cis.shtml -- CIS
(formerly NTInfoScan), excellent NT scanner
http://www.bo2k.com/ -- Back Orifice 2000
http://www.conclave.com/ntsafe/ -- NTSafe, Windows
NT Configuration Auditor
http://www.securewave.com/html/products.html -- SecureNT
and SecureEXE
http://www.somarsoft.com/ -- DumpSec, DumpEvt, and
DumpReg
http://www.winternals.com/products/index.shtml -- NTFSDOS,
Locksmith, and more
http://www.l0pht.com/l0phtcrack/ -- L0pht Crack, password
cracker
http://www.heysoft.de/index.htm -- RegDACL
http://www.securityportal.com/research/exploits/microsoft/
-- Exploits for various Microsoft products
http://www.microsoft.com/technet/security/prodtech.asp
-- Microsoft Security - Products and Technologies
http://msdn.microsoft.com/library/psdk/sql/1_server_4.htm
-- Changing the sa password in MS-SQL
http://securityportal.com/topnews/weekly/microsoft.html
-- Weekly Microsoft security digest
http://corporate.windowsupdate.microsoft.com/en/default.asp
-- For corporations (you can download and save updates from
this URL)
Kurt Seifried is senior analyst for SecurityPortal and somewhat
confused as to what that actually means. His primary interests are
security, crypto, privacy, and sushi. He may be reached at: seifried@securityportal.com.