Analysis and Exploiting Windows and Linux Security
Shubham Dubey (14ucs114)
Harshit Agrawal (14ucs046)
Shubham Kasaudhan (14ucs118)
Department of Computer Science and Engineering
The LNM Institute of Information Technology, Jaipur
December 2017
http://tinyurl.com/security1o1 December 2017 1 / 17 Analysis windows and Linux
Outline
1 Introduction
  Current State of the Art
2 Literature Survey
  Existing recent solutions
3 Proposed Work
  Proposed solution to the problem
4 Discussions and Future Work
  Discussions on the results
  Future Work
What is the problem
More than 70% of desktop users run Windows, but GNU/Linux based distributions are widely used on servers.
Constant malware attacks on Windows systems make users look for a better alternative.
Linux users feel secure, but are they really safe from malware and exploits?
It is worth knowing how the most common features are implemented in both systems and how secure they actually are.
Existing recent solutions
Research has been done previously on different standalone features, but not from a comparison point of view.
Stacey Quandt has a great article on the same topic at linux.com, but it lacks an in-depth comparison.
Topics covered include patch management, logging, authentication, protocols used, ACLs, etc.
A research paper, "WINDOWS AND LINUX OPERATING SYSTEMS FROM A SECURITY PERSPECTIVE" [link] by Youssef Bassil, is also a great read.
Existing recent solutions
The topics covered don't include the whole architecture of the system.
The audience can't judge how the systems differ in security overall.
Practicality is missing.
Our work covers how the different parts of these operating systems differ and how they can be exploited because of a lack of security or because of the way these features are implemented.
Disclaimer: we are not providing a head-to-head comparison result.
Proposed solution to the problem
Topics we will cover
Login Security
Program Execution
Kernel Security
Vulnerabilities used by malware
A few miscellaneous topics
Our approach is to break each topic into two parts:
Working
Issues and Exploits/Attacks
Architecture difference
GNU/Linux is open source, whereas Windows is proprietary and closed.
The Linux kernel is monolithic; the Windows NT kernel is a hybrid kernel.
Everything in Linux is a file; Windows defines most things (processes, threads, etc.) as objects.
Windows uses the registry to save application configuration; Linux uses text files (/etc/) to save configuration.
Both have a standard account (ring 3) and an admin account (ring 0), but the way these permissions are applied differs.
Windows Login
Windows stores passwords in the SAM file (C:\Windows\System32\config\SAM) and in the registry at HKLM\SAM.
The SAM file is encrypted; decryption happens using the syskey.
Passwords are stored in two forms: an LM hash and an NT hash.
NTLM (the NT hash) uses the Message Digest 4 (MD4) algorithm.
The LM hash uses DES.
Exploiting Windows Login
Weakness in LM Hash
DES was broken in 1997.
The password is not case sensitive.
The word length is fixed (14 characters).
Weakness in NT Hash
As of 2007, an attack can generate collisions in less than 2 MD4 hash operations.
No salting is used.
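The two weaknesses above can be made concrete in code. The block below is an added example, not code from the slides or from the authors: it computes an NT hash (MD4 over the UTF-16LE encoding of the password, which is the documented NT hash construction and not stated on the slides) with a minimal pure-Python MD4, shows the LM pre-processing that makes LM case-insensitive and caps it at 14 characters (the DES step is omitted), and contrasts the unsalted NT hash with a salted, iterated hash. The `shared_passwords` helper is the defender's use of the missing salt: with no salt, two accounts with the same password have byte-identical hashes, so password reuse is visible in an audit without cracking anything. The sample accounts are constructed.

```python
"""Added example (not from the slides): NT hash = unsalted MD4 over the
UTF-16LE password; LM normalisation; a salted hash for contrast."""
import hashlib
import os
import struct
from typing import Dict, List, Optional, Tuple

# MD4 (RFC 1320) constants: per-round shifts and message-word orderings.
_S1, _S2, _S3 = (3, 7, 11, 19), (3, 5, 9, 13), (3, 9, 11, 15)
_K2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
_K3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
_M = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _M


def md4(data: bytes) -> bytes:
    """MD4 digest, written out so the NT hash is reproducible without OpenSSL's
    legacy provider (hashlib's 'md4' is often unavailable)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as little-endian u64.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                      # round 1: F(b,c,d) = (b&c)|(~b&d)
            f = (b & c) | (~b & d)
            a, b, c, d = d, _rotl((a + f + x[i]) & _M, _S1[i % 4]), b, c
        for i in range(16):                      # round 2: G = majority(b,c,d)
            g = (b & c) | (b & d) | (c & d)
            a, b, c, d = d, _rotl((a + g + x[_K2[i]] + 0x5A827999) & _M, _S2[i % 4]), b, c
        for i in range(16):                      # round 3: H = b ^ c ^ d
            h = b ^ c ^ d
            a, b, c, d = d, _rotl((a + h + x[_K3[i]] + 0x6ED9EBA1) & _M, _S3[i % 4]), b, c
        a, b, c, d = (a + aa) & _M, (b + bb) & _M, (c + cc) & _M, (d + dd) & _M
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash: unsalted MD4 of the UTF-16LE password, as a hex string."""
    return md4(password.encode("utf-16-le")).hex()


def lm_halves(password: str) -> Tuple[bytes, bytes]:
    """LM pre-processing: uppercase, cut/pad to 14 bytes, split into two 7-byte
    halves that are hashed independently.  This is why LM is case-insensitive
    and why each half is only a 7-character search space."""
    norm = password.upper().encode("latin-1", "replace")[:14].ljust(14, b"\x00")
    return norm[:7], norm[7:]


def salted_hash(password: str, salt: Optional[bytes] = None, rounds: int = 100_000) -> Tuple[bytes, bytes]:
    """Contrast case: a per-account random salt plus iteration (PBKDF2-HMAC-SHA512)
    makes equal passwords produce different stored values."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)


def shared_passwords(nt_hashes: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit helper: identical unsalted digests expose password reuse across accounts."""
    by_hash: Dict[str, List[str]] = {}
    for user, h in nt_hashes.items():
        by_hash.setdefault(h.lower(), []).append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


if __name__ == "__main__":
    # Constructed sample accounts, not real data.
    sample = {"alice": nt_hash("Password1"), "bob": nt_hash("Password1"), "carol": nt_hash("other-pass")}
    print("NT hash of 'password':", nt_hash("password"))
    print("LM halves of 'Password1234567890':", lm_halves("Password1234567890"))
    print("Accounts sharing a password:", shared_passwords(sample))
    print("Salted hashes of the same password differ:", salted_hash("Password1") != salted_hash("Password1"))
```

Run it as a script to see the three effects side by side; the known vector `nt_hash("password") == "8846f7eaee8fb117ad06bdd830b7586c"` confirms the MD4 implementation.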
Exploiting Windows Login
Possible attacks
Lookup of cached credentials
Windows caches the credentials of the last 10 to 50 users.
Tools are available to extract that cached data.
This can be turned on/off at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.
Pass the Hash
Password hashes are loaded in lsass (responsible for enforcing the security policy).
Cracking a logon is much easier if only the hash is needed to authenticate.
If none of these work, brute-force, dictionary and rainbow-table attacks are always there, or the SAM can be copied from a powered-off system.
Linux Login
Linux saves password hashes in a plain text file at /etc/shadow.
Most current systems use the SHA-512 hash algorithm.
Linux uses salting to increase the strength of the password hash.
PAM is used for authentication and related tasks for different services.
Exploiting Linux Login
The /etc/passwd file is used to store user details and is world readable.
Desktop Linux Password Stealer
The password is transferred from the keyboard to PAM for verification through PolicyKit.
So PolicyKit, or any other desktop service working in the background, can be man-in-the-middled to get the password.
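The split between the world-readable /etc/passwd and the root-only /etc/shadow, and the `$id$` prefix that records which crypt algorithm (SHA-512 is `$6$`) produced each hash, can be checked mechanically. The block below is an added example, not code from the slides or from the authors: it parses passwd/shadow content and reports a hash that was left in the world-readable passwd file, legacy or weak crypt algorithms, and empty password fields. The two sample files are constructed, not taken from any real host; `audit_system` runs the same check against the live files (reading /etc/shadow needs root).

```python
"""Added example (not from the slides): audit passwd/shadow for weak storage."""
from typing import List, Optional, Tuple

# crypt(3) "$id$" prefixes; an id in neither set is reported as unknown.
WEAK_IDS = {"1": "MD5-crypt (fast, deprecated)"}
STRONG_IDS = {"5": "SHA-256-crypt", "6": "SHA-512-crypt", "y": "yescrypt", "7": "scrypt", "2b": "bcrypt"}

# Constructed sample files (no real accounts or hashes).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
legacy:$1$saltsalt$AbCdEfGhIjKlMnOpQrStUv:1001:1001::/home/legacy:/bin/sh
alice:x:1002:1002::/home/alice:/bin/bash
bob:x:1003:1003::/home/bob:/bin/bash
carol:x:1004:1004::/home/carol:/bin/bash
olduser:x:1005:1005::/home/olduser:/bin/bash
svc:x:1006:1006::/var/lib/svc:/usr/sbin/nologin
"""
SHADOW_SAMPLE = """\
root:$6$saltsalt$AbCdEfGhIjKlMnOpQrStUvWxYz0123456789AbCdEfGhIjKlMnOpQrStUvWxYz0123456789AbCdEfGhIjKl:19000:0:99999:7:::
alice:$6$saltsalt$AbCdEfGhIjKlMnOpQrStUvWxYz0123456789AbCdEfGhIjKlMnOpQrStUvWxYz0123456789AbCdEfGhIjKl:19000:0:99999:7:::
bob::19000:0:99999:7:::
carol:$1$saltsalt$AbCdEfGhIjKlMnOpQrStUv:19000:0:99999:7:::
olduser:AbCdEfGhIjKlM:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
"""

Finding = Tuple[str, str, str]   # (user, code, detail)


def classify_hash(field: str) -> Optional[Tuple[str, str]]:
    """Return (code, detail) when a password field is weak, else None."""
    if field == "":
        return ("EMPTY_PASSWORD", "empty field: login succeeds with no password")
    if field[0] in "!*":
        return None                              # locked / password login disabled
    if field.startswith("$"):
        algo = field.split("$")[1]
        if algo in WEAK_IDS:
            return ("WEAK_ALGO", WEAK_IDS[algo])
        if algo not in STRONG_IDS:
            return ("UNKNOWN_ALGO", f"unrecognised crypt id ${algo}$")
        return None
    # No "$" prefix: traditional DES crypt (13 chars, 12-bit salt, 8-char limit).
    return ("WEAK_ALGO", "legacy DES crypt: 12-bit salt, 8-character password limit")


def audit_accounts(passwd_text: str, shadow_text: str) -> List[Finding]:
    """Scan both files; passwd is world readable, so any hash in it is a finding."""
    findings: List[Finding] = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, field = line.split(":", 2)[:2]
        if field != "x":                          # "x" means the hash lives in shadow
            findings.append((user, "HASH_IN_PASSWD", "hash readable by every local user"))
            weak = classify_hash(field)
            if weak:
                findings.append((user, *weak))
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, field = line.split(":", 2)[:2]
        weak = classify_hash(field)
        if weak:
            findings.append((user, *weak))
    return findings


def audit_system() -> List[Finding]:
    """Run against the live files (reading /etc/shadow requires root)."""
    with open("/etc/passwd") as p, open("/etc/shadow") as s:
        return audit_accounts(p.read(), s.read())


if __name__ == "__main__":
    for user, code, detail in audit_accounts(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(f"{user:10} {code:16} {detail}")
```

On the sample, `legacy` is reported twice (hash in passwd, and that hash is MD5-crypt), `bob` for the empty field, `carol` for MD5-crypt and `olduser` for DES crypt; `root`, `alice` (SHA-512) and the locked `svc` produce nothing.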
Proposed solution to the problem
http://tinyurl.com/security1o1 December 2017 15 /Analysis windows and Linux
PROGRAM EXECUTION
Windows Program loading
The CreateProcess family of functions is used for process creation.
Windows creates an object for every process which has all the details of that process.
The Win32 subsystem is called by Kernel32.dll, which does the initialization of the process and thread.
KiInitializeContextThread is called to build the initial context of the thread and the thread's kernel stack.
Exploiting Windows Program loading
Search Path Injection
ApplicationName is the process name, which can be NULL.
CommandLine holds the command line arguments.
Exploiting Windows Program loading
Search Path Injection
If ApplicationName is NULL, CreateProcess treats the first argument of CommandLine as the application name.
If you want to run "c:\program files\sub dir\program name", your system will look for an exe at these places and run it.
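The places CreateProcess probes for an unquoted command line follow a fixed rule that can be reproduced offline, which is how an auditor checks service or scheduled-task command lines for this weakness before anyone abuses it. The block below is an added example, not code from the slides or from the authors: `createprocess_candidates` lists, in probe order, the executables CreateProcess tries for a NULL ApplicationName (each space-delimited prefix of CommandLine, with `.exe` appended when the name has no extension), and `audit_service_paths` flags services whose candidates pass through a directory that non-administrators can write to. The service list and writable directories are constructed sample data; a real audit would feed it the ImagePath values and directory ACLs from the host.

```python
"""Added example (not from the slides): CreateProcess probe order and an
unquoted-path audit built on it.  ntpath handles Windows paths on any OS."""
import ntpath
from typing import Dict, Iterable, List


def _with_exe(path: str) -> str:
    # CreateProcess appends .exe only when the file name has no extension.
    return path if "." in ntpath.basename(path) else path + ".exe"


def createprocess_candidates(cmdline: str) -> List[str]:
    """Paths CreateProcess tries, in order, until one exists.  A quoted name is
    taken as-is, so it yields exactly one candidate."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return [_with_exe(cmdline[1:].split('"', 1)[0])]
    tokens = cmdline.split(" ")
    return [_with_exe(" ".join(tokens[:i])) for i in range(1, len(tokens) + 1)]


def hijack_candidates(cmdline: str, writable_dirs: Iterable[str]) -> List[str]:
    """Candidates probed before the intended binary whose directory is in
    writable_dirs: a file planted there would be started instead."""
    writable = {ntpath.normcase(d.rstrip("\\")) for d in writable_dirs}
    cands = createprocess_candidates(cmdline)
    return [c for c in cands[:-1]
            if ntpath.normcase(ntpath.dirname(c).rstrip("\\")) in writable]


# Constructed sample data (not from any real machine).
SERVICES_SAMPLE: Dict[str, str] = {
    "GoodSvc": r'"C:\Program Files\Good Vendor\Sub Dir\svc.exe" -run',
    "BadSvc": r"C:\Program Files\Bad Vendor\Sub Dir\svc.exe",
    "SysSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
}
WRITABLE_SAMPLE = {r"C:\Program Files\Bad Vendor", r"C:\Users\Public"}


def audit_service_paths(services: Dict[str, str], writable_dirs: Iterable[str]) -> Dict[str, List[str]]:
    """Map each service with a hijackable ImagePath to the risky candidate paths."""
    risky = {name: hijack_candidates(path, writable_dirs) for name, path in services.items()}
    return {name: paths for name, paths in risky.items() if paths}


if __name__ == "__main__":
    for cand in createprocess_candidates(r"c:\program files\sub dir\program name"):
        print("probe:", cand)
    print(audit_service_paths(SERVICES_SAMPLE, WRITABLE_SAMPLE))
```

The fix the audit points at is the one the quoted `GoodSvc` entry already shows: quote the executable path, and keep every directory on it writable only by administrators.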
Exploiting Windows Program loading
Token Stealing using EPROCESS
Windows represents each process in memory by an EPROCESS block (see figure).
Exploiting Windows Program loading
Token Stealing using EPROCESS
In older systems the EPROCESS block is at 0xffdff000, but due to ASLR the address can be random.
NtQuerySystemInformation can be used on the latest systems to get the EPROCESS address.
Traverse this doubly linked list to reach PID 4 and get the address of its token.
Copy the token to escalate privileges for that process.
Exploiting Windows Program loading
DLL injection using LdrpInitializeProcess
Microsoft Application Verifier is loaded with the program and used as a runtime verification tool.
Application Verifier can be replaced by a custom verifier by creating a set of registry keys.
ntdll!LdrInitializeThunk, while initializing the process, also loads the verifier into the application's memory.
Our custom verifier loads before any other DLL loads, and it is persistent.
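Because the custom verifier is configured purely through registry keys and survives reboots, the registry is also where a defender detects it. The block below is an added example, not code from the slides or from the authors. It assumes the documented Application Verifier mechanism, which the slides do not spell out: a per-image subkey under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, whose `GlobalFlag` value with bit 0x100 (FLG_APPLICATION_VERIFIER) arms verifier loading and whose `VerifierDlls` value names the provider DLLs the loader maps before anything else. `KNOWN_PROVIDERS` is an illustrative allowlist to extend for your own Application Verifier installation, the `IFEO_SAMPLE` entries are constructed, and `load_ifeo_from_registry` collects the same shape from a live Windows host via `winreg`.

```python
"""Added example (not from the slides): flag Image File Execution Options
entries that load a verifier DLL which is not a known provider."""
import ntpath
from typing import Dict, Optional

IFEO_PATH = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
FLG_APPLICATION_VERIFIER = 0x100
# Illustrative allowlist of genuine provider names (bare file names in System32).
KNOWN_PROVIDERS = {"vrfcore.dll", "vfbasics.dll"}

# Constructed sample, not read from any real machine.
IFEO_SAMPLE: Dict[str, Dict[str, object]] = {
    "app.exe": {"GlobalFlag": 0x100, "VerifierDlls": "vrfcore.dll vfbasics.dll"},
    "notepad.exe": {"GlobalFlag": 0x100, "VerifierDlls": "evil.dll"},
    "svchost.exe": {"GlobalFlag": "0x0", "VerifierDlls": r"C:\Users\Public\hook.dll"},
    "calc.exe": {"DisableExceptionChainValidation": 0},
}


def _to_int(value: object) -> int:
    """GlobalFlag is normally REG_DWORD, but tolerate "0x100" / "256" strings."""
    if isinstance(value, int):
        return value
    try:
        return int(str(value), 0)
    except ValueError:
        return 0


def audit_ifeo(entries: Dict[str, Dict[str, object]], known=KNOWN_PROVIDERS) -> Dict[str, Dict[str, object]]:
    """Report images whose VerifierDlls lists anything other than a bare, known
    provider name; 'armed' says whether GlobalFlag would actually load it."""
    findings: Dict[str, Dict[str, object]] = {}
    for image, values in entries.items():
        dlls = str(values.get("VerifierDlls", "")).split()
        # A path component (DLL outside System32) or an unknown name is suspicious.
        suspicious = [d.lower() for d in dlls
                      if ntpath.dirname(d) or ntpath.basename(d).lower() not in known]
        if suspicious:
            armed = bool(_to_int(values.get("GlobalFlag", 0)) & FLG_APPLICATION_VERIFIER)
            findings[image.lower()] = {"dlls": suspicious, "armed": armed}
    return findings


def load_ifeo_from_registry() -> Optional[Dict[str, Dict[str, object]]]:
    """Collect {image: {value: data}} from the live registry (Windows only)."""
    try:
        import winreg
    except ImportError:
        return None
    result: Dict[str, Dict[str, object]] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFEO_PATH) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            image = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, image) as key:
                vals = {}
                for j in range(winreg.QueryInfoKey(key)[1]):
                    name, data, _ = winreg.EnumValue(key, j)
                    vals[name] = data
            result[image] = vals
    return result


if __name__ == "__main__":
    live = load_ifeo_from_registry()
    for image, info in audit_ifeo(live if live is not None else IFEO_SAMPLE).items():
        print(image, info)
```

An entry that is not armed (`GlobalFlag` lacks 0x100) is still worth a look: a second registry write is all that separates it from an active injection, and monitoring writes under the IFEO key catches both steps.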
Linux Program loading
To run a program, a process calls a function from the exec family.
execve directly transfers control to the kernel, where the loader is present.
The linux_binprm kernel structure does the initialization and allocation part.
Control is transferred from the kernel to _start.
Linux Program loading (figure)
Exploiting Linux Program loading
Buffer overflow using environment variable
Shellcode can be loaded into program memory by passing it as an environment variable.
The address of the EGG can be found with a simple program.
Exploiting Linux Program loading
Buffer overflow using environment variable
The program can be exploited by overflowing buffer[10] and replacing the return address with the shellcode address.
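Since execve copies the caller's environment into the new process unchanged, a payload placed in a variable this way is visible in the process's environment block, and on Linux in /proc/<pid>/environ. The block below is an added example, not code from the slides or from the authors: it scans an environment for values that look like a planted binary payload rather than text, using two heuristics (a long run of 0x90 NOP bytes, the classic padding in front of such a payload, and a large fraction of non-printable bytes in a long value). `SAMPLE_ENV` is constructed; the `EGG` value is NOP bytes followed by arbitrary non-text bytes, not shellcode, and `scan_process` applies the same check to a live PID.

```python
"""Added example (not from the slides): detect payload-like environment values."""
import string
from typing import Dict, List, Tuple

PRINTABLE = set(string.printable.encode("ascii"))
NOP = 0x90

# Constructed sample environment; EGG stands in for a planted payload.
SAMPLE_ENV: Dict[bytes, bytes] = {
    b"PATH": b"/usr/local/bin:/usr/bin:/bin",
    b"LANG": b"en_US.UTF-8",
    b"LS_COLORS": b"rs=0:di=01;34:ln=01;36:" * 20,          # long but ordinary text
    b"EGG": bytes([NOP]) * 64 + bytes(range(1, 40)),         # NOP sled + non-text bytes
}


def longest_run(data: bytes, byte: int) -> int:
    """Length of the longest consecutive run of `byte` in `data`."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == byte else 0
        best = max(best, cur)
    return best


def suspicious_env_entries(env: Dict[bytes, bytes], min_len: int = 64, nop_run: int = 16,
                           nonprint_ratio: float = 0.2) -> List[Tuple[str, List[str]]]:
    """Return (variable name, reasons) for values that fail the text heuristics."""
    findings: List[Tuple[str, List[str]]] = []
    for name, value in env.items():
        reasons: List[str] = []
        run = longest_run(value, NOP)
        if run >= nop_run:
            reasons.append(f"run of {run} NOP (0x90) bytes")
        if len(value) >= min_len:
            ratio = sum(b not in PRINTABLE for b in value) / len(value)
            if ratio >= nonprint_ratio:
                reasons.append(f"{ratio:.0%} non-printable bytes over {len(value)} bytes")
        if reasons:
            findings.append((name.decode("ascii", "replace"), reasons))
    return findings


def scan_process(pid: int) -> List[Tuple[str, List[str]]]:
    """Read /proc/<pid>/environ (Linux; NUL-separated NAME=value) and scan it."""
    with open(f"/proc/{pid}/environ", "rb") as fh:
        raw = fh.read()
    env: Dict[bytes, bytes] = {}
    for item in raw.split(b"\x00"):
        if b"=" in item:
            name, _, value = item.partition(b"=")
            env[name] = value
    return suspicious_env_entries(env)


if __name__ == "__main__":
    for name, reasons in suspicious_env_entries(SAMPLE_ENV):
        print(name, "->", "; ".join(reasons))
```

The heuristic is deliberately coarse (locale data and terminal escape sequences can contain a few non-printable bytes, hence the length and ratio thresholds); the durable mitigation for the overflow itself is a non-executable stack plus bounds-checked copies into `buffer`, so that a payload in the environment has nowhere to run.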
Discussions on the results
Completed Windows login and Linux login, program execution in the different systems, and exploitation.
There were some challenges we faced during the project, like exploiting program loading in Windows, resource collection, and different system environment requirements.
Future work and time-line
Memory management security (in Program Execution)
Kernel security
Vulnerabilities used by malware