Class Presentation


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Class Presentation

  1. 1. IDSC 4490 – Advanced Networking Lecture 5 – Windows NT and 2000 from Security Perspective Alok Gupta Dept. of IDSC
  2. 2. A word on Windows 9x <ul><li>Windows 3x and Windows 9x were more single user oriented and hence the security was of minimal concern. </li></ul><ul><li>Windows 3x and 9x passwords were stored in a ???.PWL file and could easily be cracked with many password cracking utilities including Cain , L0phtCrack . </li></ul>
  3. 3. Windows 2000 Architecture
  4. 4. Windows 2000 User Mode <ul><li>Provides subsystems for user interaction </li></ul><ul><ul><li>We’ll focus on security subsystem </li></ul></ul><ul><ul><li>The Security subsystem coordinates with Win32 subsystem and Active Directory that acts as a central nervous system </li></ul></ul><ul><ul><li>Windows 2000 has a Security Support Provider Interface (SSPI) that supports a variety of different authentication mechanisms </li></ul></ul>
  5. 5. Security Support Provider Interface (SSPI)
  6. 6. Security Protocols <ul><li>NTLM – Windows NT LAN Manager security protocol </li></ul><ul><ul><li>For backward compatibility with older Microsoft products </li></ul></ul><ul><li>Kerberos – A third party encryption scheme </li></ul><ul><ul><li>More on it when we do encryption </li></ul></ul><ul><li>SSL – Secure Sockets Layer </li></ul><ul><ul><li>Application level security </li></ul></ul><ul><li>Multiple (third party) authentication using certificates </li></ul>
  7. 7. Kernel Mode <ul><li>Kernel mode is reserved for fundamental operating system functionality such as access to memory and hardware </li></ul><ul><li>Security Reference Monitor is most important from our perspective </li></ul><ul><ul><li>Makes sure appropriate users and program are the only ones to be able to access particular files and directories by checking permissions </li></ul></ul><ul><ul><li>It also captures events by writing to event logs </li></ul></ul>
  8. 8. Fundamental NT/2000 Concepts <ul><li>Domains </li></ul><ul><ul><li>A group of one or more Windows machine(s) that share an authentication database </li></ul></ul><ul><ul><li>Domain users can be provided access to domain resources on many machines </li></ul></ul><ul><ul><li>Domain controllers authenticate users using Security Accounts Manager (SAM) </li></ul></ul><ul><ul><li>The password information is scrambled using one-way function (hash) </li></ul></ul>
  9. 9. NT/2000 Passwords <ul><li>NT stored passwords directly in SAM database (until service pack 3) </li></ul><ul><ul><li>Relatively easier to crack </li></ul></ul><ul><li>Windows 2000 uses another layer of encryption using SYSKEY </li></ul><ul><ul><li>Uses 128 bit key to encrypt the hashes </li></ul></ul><ul><ul><li>More difficult to crack </li></ul></ul>
  10. 10. Windows 2000 Network Structure <ul><ul><li>Beyond domain Windows 2000 uses concepts called: </li></ul></ul><ul><ul><ul><li>Trees – Naming convention, e.g., as a tree can have many domains such as, </li></ul></ul></ul><ul><ul><ul><li>Forests – collection of trusted and untrusted trees that are linked together such as and </li></ul></ul></ul>
  11. 11. Domain, Trees and Forests Domain Tree Forest
  12. 12. Sharing <ul><li>Sharing is a major advantage of Windows NT/2000 </li></ul><ul><li>Shares can be established using Network Neighborhood, My Network Places, etc. in Windows mode or by using following command </li></ul><ul><li>C: et use * IP address or hostname][share name] [password | *] [/USER:[domainname]username] </li></ul><ul><li>Note: ipc$ is the root default share for administrative account </li></ul>
  13. 13. NT/2000 Groups
  14. 14. Defining Users (1)
  15. 15. Defining Users (2)
  16. 16. Defining Security Policies
  17. 17. Default Accounts <ul><li>Administrator </li></ul><ul><ul><li>Also is a security vulnerability since the account name is known </li></ul></ul><ul><ul><li>The account name is usually changed </li></ul></ul><ul><li>Guest </li></ul><ul><ul><li>Disabled by default </li></ul></ul>
  18. 18. NT/2000 Vulnerabilities <ul><li>Finding out what’s on a network </li></ul><ul><li>C: et view /domain:[domain_name] </li></ul><ul><li>Find out more by </li></ul><ul><li>C: btstat –A [IP Number] </li></ul><ul><li>Use Third-party tools such as </li></ul><ul><li>nbtscan (usage  C: btscan [IP range using / or -] </li></ul>
  19. 19. NT/2000 Vulnerabilities <ul><li>Can use </li></ul><ul><li>net use computername]ipc$ &quot;&quot; /u:&quot;&quot; </li></ul><ul><li>to create a null session </li></ul><ul><li>If null session can be created a host of information can be downloaded </li></ul><ul><li>Automated tools such as Winfo exist </li></ul><ul><ul><li>User Accounts </li></ul></ul><ul><ul><li>Shares </li></ul></ul><ul><ul><li>Workstation and trusted accounts </li></ul></ul>
  20. 20. Enumerating a Host <ul><li>Use </li></ul><ul><ul><li>DumpSec </li></ul></ul><ul><ul><li>WalkSam </li></ul></ul><ul><ul><li>UserInfo </li></ul></ul><ul><ul><li>UserDump </li></ul></ul><ul><ul><li>GetAcct </li></ul></ul><ul><li>Many of these tools can automatically figure out administrative account using RID of 500 </li></ul>
  21. 21. A Comprehensive Security Tool <ul><li>Languard Network Scanner </li></ul><ul><ul><li>Scans large networks by sending UDP query status to every IP. </li></ul></ul><ul><ul><li>Lists NETBIOS name table for each responding computer. </li></ul></ul><ul><ul><li>Provides NETBIOS hostname, currently logged username & MAC address. </li></ul></ul><ul><ul><li>Enumerates all shares on the remote computer (including printers, administrative shares C$,D$,ADMIN$). </li></ul></ul><ul><ul><li>Identifies crackable passwords (share level security) on Windows 9x. Tests password strength on Windows 9x/NT/2k systems using a dictionary of commonly used passwords. </li></ul></ul><ul><ul><li>Identifies well known services (such as www/ftp/telnet/smtp...). </li></ul></ul>