HackNotes Windows Security Portable Reference, part 2 (docx)


Document information
Pages: 27
Size: 346.3 KB

Contents


Port Number Protocol Description


Common NetBIOS Name Table Definitions

Name  Suffix  Type  Description
[nbname] <00> UNIQUE  Workstation Service on host [nbname]
[domain] <00> GROUP  System is member of [domain]
<\\__MSBROWSE__> <01> GROUP  Master Browser
[nbname] <01> UNIQUE
[nbname] <03> UNIQUE  Messenger Service
[username] <03> UNIQUE  Messenger Service for user [username]
[nbname] <06> UNIQUE  Remote Access Services
[nbname] <1F> UNIQUE  Network DDE Service
[nbname] <20> UNIQUE  (File) Server Service
[nbname] <21> UNIQUE  Remote Access Services Client service
[nbname] <30> UNIQUE  Modem Sharing Server
[nbname] <31> UNIQUE  Modem Sharing Client
[nbname] <43> UNIQUE  SMS Client Remote Control
[nbname] <44> UNIQUE  SMS Administrator Remote Control Tool
[nbname] <45> UNIQUE  SMS Client Remote Chat program
[nbname] <46> UNIQUE  SMS Client Remote Transfer service
[nbname] <6A> UNIQUE  Microsoft Exchange Internet Mail Connector service
[nbname] <87> UNIQUE  Microsoft Exchange Mail Transfer Agent
[nbname] <BE> UNIQUE  Network Monitor Agent
[nbname] <BF> UNIQUE  Network Monitor Application
[domain] <1B> UNIQUE  Domain Master Browser
[domain] <1C> GROUP  Domain Controller
[domain] <1D> UNIQUE  Master Browser
[domain] <1E> GROUP  Browser Service Elections
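As an added example (not part of the HackNotes card), the Python below reads an nbtstat-style name table and labels each entry using the suffix table above, then lists the entries an asset review would normally call out (file service offered, domain controller, remote control or capture agents). The sample listing and host names are constructed, and the NOTEWORTHY selection is my own, not the card's.

```python
import re

# Suffix/type -> service, transcribed from the NetBIOS name table above.
NETBIOS_SUFFIXES = {
    ("00", "UNIQUE"): "Workstation Service",
    ("00", "GROUP"): "member of domain/workgroup",
    ("01", "GROUP"): "Master Browser (__MSBROWSE__)",
    ("03", "UNIQUE"): "Messenger Service",
    ("06", "UNIQUE"): "Remote Access Services",
    ("1B", "UNIQUE"): "Domain Master Browser",
    ("1C", "GROUP"): "Domain Controller",
    ("1D", "UNIQUE"): "Master Browser",
    ("1E", "GROUP"): "Browser Service Elections",
    ("1F", "UNIQUE"): "Network DDE Service",
    ("20", "UNIQUE"): "(File) Server Service",
    ("21", "UNIQUE"): "Remote Access Services Client",
    ("43", "UNIQUE"): "SMS Client Remote Control",
    ("44", "UNIQUE"): "SMS Administrator Remote Control Tool",
    ("6A", "UNIQUE"): "Microsoft Exchange Internet Mail Connector",
    ("87", "UNIQUE"): "Microsoft Exchange Mail Transfer Agent",
    ("BE", "UNIQUE"): "Network Monitor Agent",
    ("BF", "UNIQUE"): "Network Monitor Application",
}

# Suffixes an asset review should call out (my own selection, not the card's).
NOTEWORTHY = {
    "20": "file sharing offered",
    "1C": "host is a domain controller",
    "1B": "host is the domain master browser",
    "43": "remote control agent installed",
    "BE": "packet capture agent installed",
}

# Name, <suffix> and Type columns of one nbtstat-style name table line.
ENTRY_RE = re.compile(r"^\s*(\S.*?)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\b")


def parse_name_table(text):
    """Return (name, suffix, type, description) for every entry in text."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, separators, blank lines
        name, suffix, kind = m.group(1), m.group(2).upper(), m.group(3)
        desc = NETBIOS_SUFFIXES.get((suffix, kind), "unknown suffix")
        entries.append((name, suffix, kind, desc))
    return entries


def review_name_table(text):
    """List the entries a defender would flag for one host's name table."""
    return [
        f"{name} <{suffix}> {kind}: {desc} ({NOTEWORTHY[suffix]})"
        for name, suffix, kind, desc in parse_name_table(text)
        if suffix in NOTEWORTHY
    ]


# Constructed sample in the layout nbtstat -A prints; the names are made up.
SAMPLE = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
FILESRV01      <00>  UNIQUE      Registered
CORP           <00>  GROUP       Registered
FILESRV01      <20>  UNIQUE      Registered
CORP           <1C>  GROUP       Registered
CORP           <1E>  GROUP       Registered
FILESRV01      <BE>  UNIQUE      Registered
"""

if __name__ == "__main__":
    for entry in parse_name_table(SAMPLE):
        print(entry)
    for finding in review_name_table(SAMPLE):
        print("FLAG:", finding)
```

Feed it the saved output of nbtstat for each host in an inventory and the flagged lines give a quick picture of which machines offer file service, act as domain controllers, or carry management agents that should be accounted for.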


Windows Security Fundamentals: Concepts

Security Identifier (SID): Alphanumerical representation of a Windows system or domain and the associated user or group identifier, known as an RID.

Built-in accounts / Default accounts: Each Windows operating system ships with a number of user contexts installed by default. A list of these accounts is presented after this table.

… Database responsible for storing group and user account details.

Password hashing: Process of generating a cryptographic representation of a password. Most password hashes are not reversible (one-way hash), so the only way to recover a password is by using a brute-force or dictionary attack and applying the hash.

Local Security Authority: … Subsystem (LSASS) and the Security Reference Monitor (SRM), the Local Security Authority is the system responsible for enforcing Windows system security.

Windows Security Fundamentals: Concepts RC13


Windows Default User Accounts

SYSTEM, Local System: The core operating system user context; unlimited local system access.
LOCAL SERVICE: Service user context with more restricted local permissions; can authenticate to remote systems as an anonymous user.
NETWORK SERVICE: Service user context with more restricted local permissions; can authenticate to remote systems with the system's computer account.
Administrator: Default super-user; can be renamed but retains its default SID.
IUSR_systemname: Service account created for Internet Information Services.
IWAM_systemname: Service account created for processes spawned by Internet Information Services.
TsInternetUser: Terminal Services user context.
SUPPORT_xxxxxxxx: User context for Help and Support Services in Windows XP and 2003.
Guest: Limited privilege account; disabled by default.


Windows Authentication Methods

LM (LAN Manager): Though a challenge/response system, the simplicity of the LM hash meant that the original password hash could be quickly recovered from the wire, where it could be brute forced (or dictionaried) in short order.
NTLM: Improvements in the base password hash translated to a better challenge/response format. The original password hash can still be brute forced, but nowhere near as quickly.
NTLMv2: The NTLMv1 challenge/response is further encrypted with a 128-bit key. Very difficult to brute force.
Kerberos: Widely accepted as a secure authentication protocol; exact methods vary by implementation. Can be captured and brute forced, but the process is very slow.


Common Security Identifiers (SIDs)

S-1-5-[domain SID]-500: Administrator built-in account
S-1-5-[domain SID]-501: Guest built-in account
S-1-5-[domain SID]-1000: Default SID of the first account on a local system or Windows NT domain. Active Directory assigns SID groupings for each domain in the forest, so user RIDs are not predictable.

Note: A complete list of common SIDs is available in Microsoft KB article 243330 at http://support.microsoft.com/?kbid=243330.
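The point of the SID table, together with the note above that Administrator "can be renamed but retains its default SID", is that the RID, not the account name, identifies a built-in account. The Python below is an added example (not from the card) that splits a SID into its domain part and RID, classifies it by the RIDs listed above, and checks an account listing for built-in accounts whose name has been changed. The account names and the domain SID in SAMPLE_ACCOUNTS are constructed.

```python
import re

# S-1-<authority>-<sub-authority>-...-<RID>
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

# Well-known RIDs from the table above.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}
DEFAULT_NAMES = {500: "Administrator", 501: "Guest"}


def parse_sid(sid):
    """Split a textual SID into (identifier authority, list of sub-authorities)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-") if x]
    return authority, subs


def classify_account_sid(sid):
    """Describe an NT-authority account SID by its RID (the last sub-authority)."""
    authority, subs = parse_sid(sid)
    if authority != 5:
        return {"sid": sid, "domain": None, "rid": None, "role": "not an NT authority SID"}
    if len(subs) < 2:
        return {"sid": sid, "domain": None, "rid": None,
                "role": "well-known SID without a domain part"}
    domain = "S-1-5-" + "-".join(str(s) for s in subs[:-1])
    rid = subs[-1]
    if rid in WELL_KNOWN_RIDS:
        role = WELL_KNOWN_RIDS[rid]
    elif rid >= 1000:
        role = "ordinary user or group account"
    else:
        role = "other well-known RID"
    return {"sid": sid, "domain": domain, "rid": rid, "role": role}


def find_renamed_builtins(accounts):
    """accounts: iterable of (name, sid). Return (name, sid, default name) for
    built-in accounts that no longer carry their default name."""
    renamed = []
    for name, sid in accounts:
        rid = classify_account_sid(sid)["rid"]
        if rid in DEFAULT_NAMES and name != DEFAULT_NAMES[rid]:
            renamed.append((name, sid, DEFAULT_NAMES[rid]))
    return renamed


# Constructed account listing; the domain SID and names are made up.
SAMPLE_ACCOUNTS = [
    ("svc_backup", "S-1-5-21-1111111111-2222222222-3333333333-500"),
    ("Guest", "S-1-5-21-1111111111-2222222222-3333333333-501"),
    ("alice", "S-1-5-21-1111111111-2222222222-3333333333-1000"),
]

if __name__ == "__main__":
    for name, sid in SAMPLE_ACCOUNTS:
        print(name, classify_account_sid(sid))
    print("renamed built-ins:", find_renamed_builtins(SAMPLE_ACCOUNTS))
```

Run against an exported user list, this is how a reviewer confirms that an account called something innocuous is in fact the built-in Administrator (RID 500), which renaming does nothing to hide.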


Windows NT File System Permissions

Full Control: Allows one-click enabling of all permissions; not present in Windows 2000.
Traverse Folder / Execute File: Permits access (change directory) to a subdirectory or execution of a given file.
List Folder / Read Data: Permits the user to obtain a directory listing when applied to a directory, or read access when applied to a file.
Read Attributes: Allows viewing the file attributes Read Only and Hidden.
Read Extended Attributes: Allows viewing the file attributes Archive, Indexing, Compression, and Encryption.
Create Files / Write Data: Permits the user to create new files or to write data (when applied to a directory or a file, accordingly).
Create Folders / Append Data: Permits the user to create subdirectories or add data to an existing file (when applied to a directory or a file, accordingly).
Write Attributes: Allows the user to change the Read-Only or Hidden attributes.
Write Extended Attributes: Allows the user to change the Archive, Indexing, Compression, and Encryption attributes.
Delete Subfolders and Files: Permits the user to delete files or directories below this object.
Read Permissions: Permits the user to view the SIDs associated with an object to determine permissions for other users and groups (DACLs).
Change Permissions: Permits a user to add or remove permissions for an object.
Take Ownership: Allows a user to assume ownership of the object, effectively allowing full control. Take Ownership must be exercised by the user; simply assigning a user permission to take ownership does not transfer ownership.
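The permissions above are the individual bits of an NTFS access mask, which is how they appear in ACL dumps and in file-access audit events. As an added example (not from the card), the Python below decodes a mask into the names from the table and flags grants that let a non-administrative principal change permissions or take ownership, the two rights the table explains amount to full control. The bit values are the standard winnt.h constants (the plain Delete right, which the table omits, is included); the DACL in SAMPLE_DACL is constructed.

```python
# Access-mask bits from winnt.h, mapped to the permission names in the table above.
FILE_PERMISSION_BITS = [
    (0x00000001, "List Folder / Read Data"),
    (0x00000002, "Create Files / Write Data"),
    (0x00000004, "Create Folders / Append Data"),
    (0x00000008, "Read Extended Attributes"),
    (0x00000010, "Write Extended Attributes"),
    (0x00000020, "Traverse Folder / Execute File"),
    (0x00000040, "Delete Subfolders and Files"),
    (0x00000080, "Read Attributes"),
    (0x00000100, "Write Attributes"),
    (0x00010000, "Delete"),                 # not listed in the table above
    (0x00020000, "Read Permissions"),
    (0x00040000, "Change Permissions"),
    (0x00080000, "Take Ownership"),
]
FILE_ALL_ACCESS = 0x001F01FF  # the bit pattern behind "Full Control"
SYNCHRONIZE = 0x00100000      # not in the table; carried by almost every grant

# Rights that let the grantee rewrite the object's security.
SECURITY_ALTERING = {"Change Permissions", "Take Ownership", "Full Control"}


def decode_access_mask(mask):
    """Return the table's permission names that are set in an NTFS access mask."""
    if mask & FILE_ALL_ACCESS == FILE_ALL_ACCESS:
        return ["Full Control"]
    names = [name for bit, name in FILE_PERMISSION_BITS if mask & bit]
    leftover = mask & ~FILE_ALL_ACCESS & ~SYNCHRONIZE
    if leftover:  # generic or system rights this decoder does not name
        names.append(f"unmapped bits 0x{leftover:08X}")
    return names


def review_ace(principal, mask, trusted=("SYSTEM", "Administrators", "CREATOR OWNER")):
    """Flag a grant that lets a non-administrative principal alter the object's security."""
    if principal in trusted:
        return None
    risky = set(decode_access_mask(mask)) & SECURITY_ALTERING
    if not risky:
        return None
    return f"{principal}: {', '.join(sorted(risky))}"


def review_dacl(aces):
    """aces: iterable of (principal, access mask). Return the findings for the DACL."""
    return [f for f in (review_ace(p, m) for p, m in aces) if f]


# Constructed DACL for a hypothetical application directory.
SAMPLE_DACL = [
    ("SYSTEM", 0x1F01FF),
    ("Administrators", 0x1F01FF),
    ("Users", 0x1200A9),                # read and execute
    ("Everyone", 0x1200A9 | 0x40000),   # read and execute plus Change Permissions
]

if __name__ == "__main__":
    for principal, mask in SAMPLE_DACL:
        print(f"{principal:15} 0x{mask:08X} {decode_access_mask(mask)}")
    print("findings:", review_dacl(SAMPLE_DACL))
```

The 0x1200A9 mask is the usual read-and-execute grant; adding 0x40000 to it for Everyone is the kind of quiet mistake this check exists to catch, since that one bit lets any user rewrite the DACL.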

Useful Character Encodings

Hexadecimal / ASCII Characters (the hex-to-ASCII table body is not present in this extract)

Common Special Character Encodings

Double-encoding works by making the first pass of decoding expose % characters. Any hexadecimal-encoded character can be double-encoded by preceding it with %25, the encoded representation of %.
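The defensive consequence of the paragraph above is that a filter which decodes once and then inspects the result misses anything hidden behind %25. As an added example (not from the card), the Python below decodes a value repeatedly until it stops changing, counts the passes that changed it, and treats two or more passes as the double-encoding signature; it then runs that check over a constructed request log. The log format and paths are made up.

```python
from urllib.parse import unquote

MAX_ROUNDS = 4  # caps the decode loop; deeper nesting than this is not worth chasing


def normalize_url_encoding(value, max_rounds=MAX_ROUNDS):
    """Decode %xx sequences repeatedly until the value stops changing.

    Returns (decoded, rounds): rounds is how many passes changed the input.
    rounds >= 2 means the first pass exposed new %xx sequences, i.e. the
    value was double-encoded (for example %25 decoding to %).
    """
    current, rounds = value, 0
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current, rounds


def classify_path(path):
    """Label a request path as plain, encoded or double-encoded."""
    decoded, rounds = normalize_url_encoding(path)
    if rounds >= 2:
        label = "double-encoded"
    elif rounds == 1:
        label = "encoded"
    else:
        label = "plain"
    return label, decoded


def scan_request_log(lines):
    """Return (raw path, fully decoded path) for every double-encoded request."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue  # constructed format: METHOD PATH STATUS
        label, decoded = classify_path(parts[1])
        if label == "double-encoded":
            hits.append((parts[1], decoded))
    return hits


# Constructed request log; not captured from a real server.
SAMPLE_LOG = [
    "GET /index.html 200",
    "GET /docs/report%202023.pdf 200",
    "GET /shop/item%2520list.html 404",
    "GET /search?q=100%25 200",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(line, "->", classify_path(line.split()[1]))
    print("double-encoded:", scan_request_log(SAMPLE_LOG))
```

Note the last sample line: a single %25 that decodes to a literal percent sign is counted as one pass, not two, so ordinary percent signs in data are not flagged. The safer server-side rule is still to decode exactly as many times as the application itself will, and reject input that still contains %xx sequences afterwards, rather than to guess how deep the encoding goes.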


Testing for Internet Information Services ISAPI Applications

Default ISAPI Mapping / Mapping Test (use with netcat)

Web-Based Password Reset (.htr)
  Probe: GET /anything.htr HTTP/1.0 [cr] [cr]
  Response: <html>Error: The requested file could not be found </html>

Index Server (.idq, .ida)
  Probe: GET /anything.idq HTTP/1.0 [cr] [cr]
  Response: <HTML>The IDQ file anything.idq could not be found…

Internet Data Connection (.idc)
  Probe: GET /anything.idc HTTP/1.0 [cr] [cr]
  Response: <body><h1>Error Performing Query</h1> The query file <b>/null.idc</b> could not be opened…

Webhits (.htw)
  Probe: GET /anything.htw HTTP/1.0 [cr] [cr]

(.printer)
  Probe: GET /anything.printer HTTP/1.0 [cr] [cr]
  Response: <b>Error in web printer install.</b>

Server-Side Includes (.stm, .shtm, .shtml)
  Probe: GET /anything.stm HTTP/1.0 [cr] [cr]
  Response: <body><h1>404 Object Not

FrontPage Extensions (shtml.dll)
  Probe: GET /_vti_bin/shtml.dll HTTP/1.0 [cr] [cr]
  Response: <HTML><BODY>Cannot run the FrontPage Server Extensions' Smart HTML interpreter on this non-HTML page: &quot;&quot;</BODY></HTML>

FrontPage Extensions (fpcount.exe)
  Probe: GET /_vti_bin/fpcount.exe HTTP/1.0 [cr] [cr]
  Response: <head><title>Error in CGI

FrontPage Extensions (_vti_inf.html)
  Probe: GET /_vti_inf.html HTTP/1.0 [cr] [cr]
  Response: …<p>In the HTML comments, this page contains configuration information that the FrontPage Explorer and FrontPage Editor need to…


Security-Related Group Policy Settings*

* Note that some options may not be available in all Windows operating systems.

Password Management
Configuration\Windows Settings\Security Settings\Account Policies\Password Policy

Enforce Password History: How many hashes are remembered to prevent password re-use. Recommended setting: 5+
Maximum Password Age: Maximum length of time a user can wait before being forced to change passwords. Recommended setting: 30–90 days depending on system sensitivity
Minimum Password Age: Minimum period of time before a user can change their password. Set to 15+ days to prevent users from cycling through remembered passwords to get back to their favorite.
Minimum Password Length: Fewest number of characters allowed in a password. Recommend a minimum of eight characters, more if complexity is not enforced.
Password Must Meet Complexity Requirements: When enabled, Windows verifies the complexity of new passwords using the password filter library passfilt.dll (which can be replaced). The default password filter requires a minimum of six characters, with a character from three of the character classes: [a–z], [A–Z], [0–9], and special characters.

Login Failure Management
Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policies

Account Lockout Duration: Controls the amount of time between when an account is locked in response to invalid login attempts and when the account is automatically unlocked by the operating system. Any setting higher than a few minutes will result in helpdesk calls when a legitimate user accidentally locks out their account, but low values can allow a patient attacker to mount a long-term password guessing attack. Recommended setting: 30–60 minutes


Account Lockout Threshold: Number of failed logins before the account is locked out. The setting should vary depending on password complexity settings. Systems using two-factor authentication can set this fairly high, whereas systems with no complexity limit should keep the number low.
Reset Account Lockout Counter After: Determines how long the system remembers failed login attempts. Should be set high enough to make password guessing unusable. Recommended setting: 30 minutes
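The three lockout settings interact: the threshold and the reset window together bound how many guesses per account per day a policy leaves open to the "patient attacker" the Lockout Duration entry warns about. As an added example (not from the card), the Python below computes that bound and checks a policy against the recommended values in the Password Management and Login Failure Management tables above. The policy dictionaries are constructed; the key names are my own, not Windows setting names.

```python
MINUTES_PER_DAY = 24 * 60


def daily_guess_budget(threshold, reset_minutes):
    """Most failed guesses per account per day that never trigger a lockout.

    With threshold T and reset window R, T-1 failures can be made, then the
    counter clears R minutes later and the cycle repeats. Returns None when
    threshold is 0 (no lockout), which means the budget is unlimited.
    """
    if threshold <= 0:
        return None
    if reset_minutes <= 0:
        raise ValueError("reset window must be positive")
    return int((threshold - 1) * (MINUTES_PER_DAY / reset_minutes))


def evaluate_policy(p):
    """Compare a policy dict with the card's recommendations.

    Returns (findings, budget): findings is a list of deviations, budget the
    daily guess bound from daily_guess_budget (None when there is no lockout).
    """
    findings = []
    if p["enforce_password_history"] < 5:
        findings.append("Enforce Password History below 5")
    if not 30 <= p["maximum_password_age_days"] <= 90:
        findings.append("Maximum Password Age outside 30-90 days")
    if p["minimum_password_age_days"] < 15:
        findings.append("Minimum Password Age below 15 days (history can be cycled)")
    if p["minimum_password_length"] < 8:
        findings.append("Minimum Password Length below 8")
    if p["lockout_threshold"] <= 0:
        findings.append("Account Lockout Threshold disabled; guessing is unlimited")
    if not 30 <= p["lockout_duration_minutes"] <= 60:
        findings.append("Account Lockout Duration outside 30-60 minutes")
    if p["reset_counter_minutes"] < 30:
        findings.append("Reset Account Lockout Counter After below 30 minutes")
    budget = None
    if p["lockout_threshold"] > 0 and p["reset_counter_minutes"] > 0:
        budget = daily_guess_budget(p["lockout_threshold"], p["reset_counter_minutes"])
    return findings, budget


# Constructed policies: one following the card's recommendations, one not.
RECOMMENDED_POLICY = {
    "enforce_password_history": 5,
    "maximum_password_age_days": 60,
    "minimum_password_age_days": 15,
    "minimum_password_length": 8,
    "lockout_threshold": 5,
    "lockout_duration_minutes": 30,
    "reset_counter_minutes": 30,
}
WEAK_POLICY = {
    "enforce_password_history": 3,
    "maximum_password_age_days": 180,
    "minimum_password_age_days": 0,
    "minimum_password_length": 6,
    "lockout_threshold": 5,
    "lockout_duration_minutes": 5,
    "reset_counter_minutes": 5,
}

if __name__ == "__main__":
    for name, policy in (("recommended", RECOMMENDED_POLICY), ("weak", WEAK_POLICY)):
        findings, budget = evaluate_policy(policy)
        print(name, "guesses/account/day:", budget)
        for f in findings:
            print("  -", f)
```

Even the recommended policy leaves 192 untriggered guesses per account per day, which is why the card pairs lockout with history, age and length requirements rather than relying on it alone; the weak policy's five-minute reset window raises that to 1152 without any lockout ever firing.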

System Audit Policies
Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

Audit Account Logon Events: Allows logging of any time that the local system is used to authenticate an account, even if the logon is attempted on another computer. Recommended minimum: Failure
Audit Account Management: Logs any change to a user account (creation, modification, or deletion). Recommended minimum: Success, Failure
Audit Logon Events: Logs any local system logon events. Recommended minimum: Failure
Audit Policy Change: Controls whether or not to audit all changes to local system policies, whether introduced due to user activity or otherwise. Recommended minimum: Failure
Audit Privilege Use: Determines whether or not to audit events where a user or process takes advantage of a local system right. Privilege use occurs frequently, so auditing this category can introduce a lot of log noise. Recommended setting: No auditing
Audit System Events: Determines whether to record items such as system startup/shutdown or other major events. Recommended setting: Success, Failure


Miscellaneous Options
Configuration\Windows Settings\Security Settings\Local Policies\Security Options

… 2000 and XP/2003, and some options are unavailable.

Interactive Logon: Do Not Display Last User Name: When enabled, prevents information leakage from local attackers pressing CTRL-ALT-DEL to find legitimate usernames. Recommended setting: Enabled
Network Access: Allow Anonymous SID/Name Translation: This option enables remote systems to conduct SID lookups and is used by programs like sid2user to enumerate users when anonymous SAM enumeration is disabled. Recommended setting: Disabled
Network Access: Let Everyone Permissions Apply to Anonymous Users: This setting prevents privileges for the Everyone built-in group from being applied to anonymous users. Recommended setting: Disabled
Network Access: Do Not Allow Anonymous Enumeration of SAM Accounts (and Shares): Specifies whether or not to allow anonymous users to list user accounts and/or SMB shares being offered on the system. Recommended setting: Enabled
Network Security: Do Not Store LAN Manager Hash Value on Next Password Change: Specifies whether or not Windows should continue supporting LM authentication. If enabled, the system will no longer store the LM hash, so Windows 9x clients will be unable to authenticate without the Directory Services client. Recommended setting: Enabled


Network Security: LAN Manager Authentication Level: Determines how the system responds to network authentication requests. Defaults to allowing LM authentication on Windows 2000 and XP. Recommended setting: Send NTLM Response Only (or higher)
Shutdown: Clear Virtual Memory Pagefile: If enabled, Windows flushes the swapfile on shutdown. Although sensitive applications should use non-paged memory for security operations, it is possible for sensitive information to be included in the pagefile.
System Cryptography: Use FIPS Compliant Algorithms for Encryption, Hashing, and Signing: Forces all cryptographic functions to use algorithms in line with Federal Information Processing Standards. Most notably, this enables 3DES encryption for EFS.


Saeven Whois: http://www.saeven.net/sware

Port Scanning Utilities
nmap-win32 Port Scanner (CLI): http://www.insecure.org/nmap/nmap_download.html
ScanLine Port Scanner (CLI): http://www.foundstone.com/resources/freetools.htm
MingSweeper Port Scanner (GUI): http://www.hoobie.net/tools
WPSweep Ping Sweep tool (CLI): http://www.ntsecurity.nu/toolbox

Service Enumeration Utilities
Basic Clients (ftp, telnet, net,
UCD-SNMP Win32: http://sourceforge.net/projects/net-snmp
SolarWinds Tools: http://www.solarwinds.net/Download-Tools.htm
Microsoft Windows Resource Kits: http://www.microsoft.com/windows2000/techinfo/reskit/default.asp and http://www.microsoft.com/windowsserver2003/techinfo/reskit/resourcekit.mspx

User Enumeration Tools
sid2user / user2sid: http://www.chem.msu.su/~rudnyi/NT/
http://www.ntbugtraq.com
DumpUsers: http://www.ntsecurity.nu/toolbox


Password Cracking Tools
LC4 (commercial): http://www.atstake.com
Cain & Abel: http://www.oxid.it/cain.html
KerbCrack, KerbSniff: http://ntsecurity.nu/toolbox

SQL Enumeration and Password Testing Tools
SQLPing v2.2: http://www.sqlsecurity.com
ForceSQL v2.0: http://www.nii.co.in/tools.html

Terminal Services Tools
ProbeTS, TSEnum: http://www.hammerofgod.com/download.htm

WinDump (Win32 tcpdump tool): http://windump.polito.it
WinPcap (packet capture library): http://winpcap.polito.it

IIS Security Tools
IIS Lockdown Tool / URLScan v2.0: http://www.microsoft.com/technet/security/tools/tools/locktool.asp
URLScan v2.5: http://www.microsoft.com/technet/security/tools/tools/urlscan.asp
MetaEdit v2.2: http://support.microsoft.com/default.aspx?scid=


Quick Command Lines

Packet Capture
… of packet contents

snort -v ip proto 50 || ip proto 51
  Capture all IPSec traffic

snort -v host 10.0.0.1 && tcp && port 80
  Capture all HTTP traffic to and from 10.0.0.1

snort -v -X tcp && src port 445
  Capture and dump contents of all direct SMB responses (source port of TCP/445)

snort -v -X tcp && ((src port 80 || src port 443) || (dst port 23 || dst port 25))
  Capture and dump contents of all HTTP or HTTPS responses, or telnet or SMTP requests

When typing these at a shell prompt, quote the filter expression (for example snort -v -X "tcp && src port 445") so that &&, || and the parentheses reach snort instead of being interpreted by the shell.

Posted: 07/08/2014, 17:20
