Windows Client/Server Local Area Network (LAN) System Security Lab 2 Time allocation 3 hours

Transcription

1 Windows Client/Server Local Area Network (LAN) System Security Lab 2 Time allocation 3 hours Introduction The following lab allows the trainee to obtain a more in depth knowledge of network security and related network security vulnerabilities. This Lab progresses on from Lab1, therefore it is essential that all tasks have been successfully completed in Lab1 before attempting Lab2. This Lab will demonstrate some of the main security issues in relation to protecting the privacy of data (in particular multimedia documents) on a local area network. These will include: Trojan Horse - Downloading a multimedia application from a server, which contains a Trojan horse program. This will create a back-door allowing the hacker complete control of the victim system from a remote location. Password Hacking - Using a Linux boot disk to grab a Security Accounts Manager (SAM) file from a Windows NT System. Password Cracking - Using a password Dictionary Attack to decrypt Windows NT security hashes contained within an encrypted SAM file. This Lab will also demonstrate how the security, of a local area network host can be improved by installing, configuring and testing a production release of the latest Tiny Personal Firewall distribution. Aims This Lab is split into three main sections. The aims of each section are as follows: Section 1 - Remote Trojan Horse Attack To exploit security vulnerabilities of a network Client host using a remote Trojan Horse program called Netbus. Section 2 - Off-Line Attack (Physical Security) To exploit physical vulnerabilities of the network server using password hacking/cracking tools. Password Grabber - Grabs Windows NT user accounts (SAM file) wcrack32 - Windows NT Hash Password Cracker Section 3 - Personal Firewall Prevention To install and configure a production release of the TINY firewall distribution. 85

2 Prerequisites In order to complete this lab within the time of three hours it is necessary to have a basic understanding of the following: Windows 95/98 and NT Server (NTFS) operating system platforms Network architecture models, in particular the local area network (LAN) client/server model TCP/IP protocols System BIOS configuration It is also necessary to have successfully completed all tasks in Lab 1. Software Required Netbus.exe - Trojan Horse client application game.exe - Trojan Horse server application Password Grabber boot disk - Grabs NT system SAM accounts expand.exe - encrypted code expander SAMdump.exe - SAM hash extractor wcrack32.exe - Hash Password Cracker pf2.exe - Tiny Personal Firewall distribution Hardware Required 3 10/100Mbps Ethernet network Adapters 3 cat 5 network cables 1 4-way non-switched hub 3 IBM compatible PCs each with a minimum of: 32Mb RAM 120MHz Intel or 150MHz Cyrix equivalent CPU The network will comprise two client hosts running Windows 95/98, and one server host running Windows NT Server 4.0. All network hosts will be connected to a non-switched hub using cat 5 network cables operating at a bit rate of 10/100Mps. 86

3 SECTION 1 REMOTE NETBUS TROJAN HORSE ATTACK Network Trojan Horse programs (commonly referred to as Trojans) are one of the greatest security threats to individuals and institutional networks. By installing a Trojan horse on a system, computer hackers can potentially go anywhere, see anything and do anything they want with your system. Your multimedia documents and your most intimate and personal documents are no longer safe. The Netbus Trojan is intelligently designed to elude most firewalls by using ports which are not usually blocked by network firewall security software or proxy servers. Security experts have stated that Netbus can outsmart most anti-virus and Trojan Horse detection programs also. Trojan Horse (Netbus v1.7) Netbus consists of two main parts, a client application and a server application. The client application, running on one system (the hacker), can be used to monitor and control a second system (the victim) running the server application. There are numerous operations that the client application can perform on the target system. These include the following: Open/Close CD-ROM Show optional BMP/JPG image Start optional application Key Press Sniffing Control the mouse Shut down Windows Download/Upload/Delete files The Netbus Trojan has a built in port scanner which can be used to scan for possible backdoors on systems. It can also scan Class C addresses by adding +Number of ports to the end of the target address for example will scan through 255. Netbus Trojan Installation In order for Netbus to work, the server application must be installed on the target system. This involves executing the server application on the target system. The server application is a single executable file called game.exe, which is approximately 350kb in size. Copy the game.exe multimedia application to the winnt\inetpub\ftproot directory on the IIS FTP server. On Client A access the IIS FTP server. Download the game.exe file selecting the Open this file from its current location option. The game.exe program is a Trojan Horse that installs the Netbus server when executed without the user knowing. It does this in the background while also loading a simple little multimedia application called whack_a_mole where you beat moles over the head as shown in Figure 1. The whack_a_mole application creates a copy of itself in the Windows system directory and adds a value containing its filename to the Windows registry. By doing so, the server application always starts whenever Windows starts, and thus is always active. The server application does not appear in the Windows list of running processes. 87

4 Figure 1 whack_a_mole game Using the Netbus Trojan The target system on which the Netbus server is installed must be running either Windows 95 or Windows 98. The server application will not run on Windows NT. From the Client B system, run the Netbus.exe client application and connect to the Client A system using the IP address Make sure the port number is as shown in Figure 2. To connect press the Connect button. Figure 2 Netbus Client Application This will issue a password prompt - type ecoli. The No connection notice will then change to Connected to (ver 1.70) as shown in Figure 3. You are now connected to Client A and in complete control. Try opening the CD-ROM tray of Client A by pressing the Open CD-ROM button. Take some time to become familiar with the general functions of this Trojan. 88

5 Figure 3 Netbus Client Application Connected to Client A Obstacles limiting the threat of the Netbus Trojan attack The server application game.exe must be installed on the target system. This requires the user of the system to either deliberately install this application or be tricked into doing so. The attacker must know the IP address of the victim system. Although the attacker can use the client application to perform a search through a range of IP addresses, this is infeasible due to the fact that there are four billion possible IP addresses (IPv4). A firewall between the target system and the attacker virtually makes it impossible for the attacker to communicate with the target system. Most companies have firewalls in place. By following safe networking practices, for example, not downloading multimedia documents or running executable applications from unknown sources, users can protect themselves from the potential threat. SECTION 2 - OFF-LINE ATTACKS (PHYSICAL SECURITY) If you have a resource, which needs to be protected, the single most important type of protection is physical security. Without physical security there can be no security. There are various off-line physical attacks to which a system is susceptible. One of the most dangerous attacks is committed by the Password Grabber. Password Grabber The Password Grabber is a Linux boot disk, which has Windows NT file system drivers and software that will read and store the system registry and if desired rewrite the password hashes for any account including the Administrators. To make this tool even more alarming it has the ability to restore the initial root password after the attack has been committed. Due to the fact that the hacker would have root privileges they could delete all log entries relating to the server being shutdown (if it was operational at the time) or steal, modify files etc. Loading Password Grabber Environment Boot the Windows NT system from the floppy disk labelled Password Grabber. The Boot From Floppy option will have to be enabled in the system BIOS. Various text messages will appear informing you of the use of the software etc. A General Setup Complete message - press enter. 89

6 General information relating to the utility - Press enter. When prompted for SCSI drivers - press n then enter. You will now have to specify the directory in which your Windows NT installation resides. To specify the first partition on the first hard disk type /dev/hda1. Remove the floppy disk when prompted and press enter. Grabbing The NT SAM File Insert a formatted disk into the floppy drive - press enter. To initiate a copy of the current system password file - press enter. When prompted to specify the backup directory select default (winnt/system32/config) - press enter. A list of files displaying the contents of the Windows NT config directory will be shown. The file named SAM contains the PASSWORD information. When prompted to Backup or Restore - press b then enter To save the SAM file - type SAM then enter. You have now saved a copy of the current system password file. This will be cracked later. Remove the floppy disk when prompted and press enter. When prompted to specify the full path to the SAM file select default (winnt/system32/config) - press enter. A list of all user accounts on the system will be shown. When prompted for a username to change - type! to quit the program. Press CTRL-ALT-DEL to reboot the system when prompted (ensure all floppy disks are removed). SAM File Conversion At present the SAM file contains encoded information. This information will have to be converted into a format which is compatible with a password cracker program. This is a twostage process achieved by using two software programs called expand.exe and SAMdump.exe. The expand.exe program is used to first expand the code in the SAM file to a format which is compatible with the SAMdump.exe program. The output of the expand.exe program is redirected to a specified file. The SAMdump program is then used to extract the hashes from the specified file and redirect them to a text file. Copy the SAM password file from the floppy disk to the passcrack directory. Copy expand.exe and SAMdump.exe to the passcrack directory. Now start MSDOS-prompt and type: C:\>cd winsecurity\passcrack C:\winsecurity\passcrack>expand SAM passgrab This redirects the output of the expand.exe program to a file called passgrab. To extract and redirect the password hashes from the passgrab file Type: C:\winsecurity\passcrack>SAMdump passgrab > samhashes.txt This redirects the output of the SAMdump.exe program to a file called samhashes.txt. Open the samhashes.txt file in a text editor to see the usernames and the hashes. The file samhashes.txt is the file the password cracker program called wcrack32 cracks. 90

7 Limiting the threat of the Password Grabber Attack This method of attack requires the hacker to have physical access to the server system console and an accessible floppy drive. This is however, commonly quite possible in the case of small and middle-sized companies. One method of limiting this type of attack is to ensure the option Boot from Floppy is disabled in the system BIOS settings. It is also good practice to ensure the system BIOS is password protected. Although the combination of these methods, is by no means full proof (due to the fact that there are plenty of BIOS password crackers available) to prevent this type of attack it does considerably limit the threat. The best solution is to lock the server system in a secure location with extremely tight guidelines on which individual(s) are permitted to access the location. Cracking Windows NT Hashes (wcrack32) The wcrack32 program is a Windows NT system hash password cracker. It boasts an extremely fast cracking speed and six cracking methods. Installation of wcrack32 Copy the files wcrack32.exe and bigwordlist.txt to the passcrack directory. Double click on the wcrack32 executable icon to initiate the installation process. Choose installation defaults. To start wcrack32 click on Start Programs MobiusWare wcrack32 wcrack32. This will launch the wcrack32 interface as shown in Figure 4. Configuration of wcrack32 Click Browse Password File and point this to the samhashes.txt file in the passcrack directory. Click Browse Dictionary File and point this to the bigwordlist.txt file in the passcrack directory. Select Start from the File drop down menu. Figure 4 - wcrack32 Interface By default wcrack32 will perform a dictionary crack if no alternative cracking method is selected. The bigwordlists.txt file supplies wcrack32 with a massive list of words. It will crack easy passwords i.e. words which are in a standard dictionary in approximately 60 seconds depending upon the speed of the system. An example of a successful password crack is shown in Figure 5. 91

8 Limiting the threat of wcrack32 Figure 5 - wcrack32 Cracked Passwords There are many ways to limit the chance of wcrack32 cracking your system passwords. Choose a password that is at least eight characters long. This should be long enough to discourage a brute-force attack. In general, a good password will have a mix of lower- and upper-case characters, numbers, and punctuation marks. Unfortunately, passwords like this are often hard to remember and result in people writing them down. Never write your passwords down. You have now demonstrated how easy it is to grab the SAM password file from an NT system when the hacker has physical access to the console. You have also learned how to convert a SAM password file (using expand.exe) into a format, which is compatible with the SAMdump password hash extractor program. You redirected the output of the SAMdump program to a text file, which was used by wcrack32 to crack the users passwords of the Windows NT system. 92

9 SECTION 3 - PERSONAL FIREWALL PREVENTION The Tiny Personal Firewall represents smart, easy to use personal security technology that can greatly improve the security of personal computers against hackers. It is built on the proven WinRoute Pro, ICSA certified security technology and is used by the US Air Force to protect 500,000 personal systems. Tiny Personal Firewall If the Tiny Personal Firewall is configured correctly it will prevent the Netbus server application on Client A being accessible by the Netbus client application on Client B. This prevention method is achieved by analysing the header of all packets as they pass through the network adapter, and deciding the fate of each packet based on certain parameters. The firewall filter may decide to deny the packet (i.e. discard the packet as if it had never received it) or accept the packet (i.e. let the packet go through). The fate of a packet is based on a set of configurable filter rules. These rules use parameters such as source and destination IP addresses, port numbers and protocols. Installing the Tiny Personal Firewall Create a new directory called firewall on the C:\> drive of the Client A system. Copy the file pf2.exe to the firewall directory. Double Click the pf2.exe icon to initiate the Tiny Firewall installation process. Select the default option for all installation prompts. Restart the system when prompted. Configuring the Tiny Personal Firewall To start the Tiny firewall click Start Programs Tiny Personal Firewall Personal Firewall Administration. This will launch the Tiny Personal Firewall Administration window as shown in Figure 6. Figure 6 Tiny Personal Firewall Administration Click on the Advanced button. This will launch the Firewall Configuration window as shown in Figure 7. 93

10 Delete all the pre-configured rules by selecting the rule and pressing the Delete button. These rules are not required and if not removed will complicate the firewall configuration process. Ensure the Firewall Configuration window corresponds to Figure 8. Figure 7 - Firewall Initial Configuration Figure 8 - Firewall with no rules defined The most effective method of securing a system when configuring a personal firewall is to permit only desired traffic and then deny all other traffic. This is achieved using filter rules. Click on the Add button to add a new rule. This should launch the filter rule window as shown in Figure 8. Configure the filter rule window to correspond to Figure 8. This will permit Client A full Outgoing access to the network. 94

11 Figure 8 Full Outgoing Network Access We are now going to permit access to Client A from the Server system only. This will prevent Client B from connecting to the Netbus Server application on Client A. This will also prevent Client B from pinging Client A. Configure a new filter rule to correspond to Figure 9. Try pinging Client A from the server system. This should work. Try pinging Client A from Client B. This should not work. Using Client B, attempt to connect to the Netbus Server application on Client A. This should not work. Figure 8 Server Incoming Network Access Only As an extra security measure it is good practice to insert a rule which explicitly denies all incoming traffic to Client A which does not match the above rules. 95

12 Configure a new filter rule to correspond to Figure 9. Using Client A make sure you can still access either the FTP or HTTP documents from the Server system. Figure 9 Deny all other incoming traffic The configured filter rules should be as shown in Figure 10. The order of the filter rules is extremely important because the fate of a packet is determined when it matches the first rule. Thus, if the DENY rule was placed first, all packets from all addresses including the server would be denied. Figure 10 Final Firewall Rules 96

13 Conclusion This lab should have made you aware of security vulnerabilities, which a local area network is susceptible to and security measures, which can be taken to limit the threat of these attacks. Overall, this lab has demonstrated the following: The methods, which hackers use to compromise the security of a local area network by using hacking/cracking software tools. The network security measures, which can be implemented to reduce the risk of network attacks. Securing a network client host using the Tiny Personal Firewall. LAB 2 QUESTIONS 1. List three obstacles, which limit the threat of the Netbus Trojan. 2. What is the function of the expand.exe and SAMdump.exe programs? 3. What parameters are typically used by a filtering firewall to decide the fate of a packet? 4. Explain how a Personal Firewall can improve the security of a network client host. 5. In relation to the hacking/cracking tools used in this lab. What legitimate uses could they serve? 97