The ransomware attack of May 2017 left many IT professionals doubting whether it is still secure to run the Windows operating system in a production environment, or whether they should start looking at Linux-based operating systems as a replacement. The Linux community is happy that it was not affected by the large-scale WannaCry ransomware attack, but a discussion continues inside the community: could this type of attack also happen on a Linux-based OS?
Analysis and Exploiting Windows and Linux Security
1. Analysis and Exploiting Windows and Linux Security
Shubham Dubey (14ucs114)
Harshit Agrawal (14ucs046)
Shubham Kasaudhan (14ucs118)
Department of Computer Science and Engineering
The LNM Institute of Information Technology, Jaipur
December 2017
http://tinyurl.com/security1o1 December 2017 1 / 17 Analysis windows and Linux
2. Outline
1 Introduction
Current State of the Art
2 Literature Survey
Existing recent solutions
3 Proposed Work
Proposed solution to the problem
4 Discussions and Future Work
Discussions on the results
Future Work
3. What is the problem
More than 70% of desktop users run Windows, but GNU/Linux based distributions are widely used on servers.
Constant malware attacks on Windows systems make users look for a better alternative.
Linux users feel secure, but are they really safe from malware and exploits?
It is worth knowing how the most common features are implemented in both systems and how secure they actually are.
5. Existing recent solutions
Research has been done previously on different standalone features, but not from a comparison point of view.
Stacey Quandt has a great article on the same subject at linux.com, but it lacks an in-depth comparison.
Topics covered include patch management, logging, authentication, protocols used, ACLs, etc.
A research paper, "WINDOWS AND LINUX OPERATING SYSTEMS FROM A SECURITY PERSPECTIVE" [link] by Youssef Bassil, is also a great read.
6. Existing recent solutions
The topics covered don't include the whole architecture of the system.
The audience can't judge how the systems differ in security overall.
Practicality is missing.
Our solution covers how the different parts of these operating systems differ and how they can be exploited because of lacking security or because of the way these features are implemented.
Disclaimer: we are not providing a head-to-head comparison result.
8. Proposed solution to the problem
Topics we will cover:
Login Security
Program Execution
Kernel Security
Vulnerabilities used by malware
A few miscellaneous topics
Our approach is to break each topic into two parts:
Working
Issues and Exploits/Attacks
9. Proposed solution to the problem
Architecture differences
GNU/Linux is open source, whereas Windows is proprietary and closed.
The Linux kernel is monolithic. The Windows (NT) kernel is a hybrid kernel.
Everything in Linux is a file. Windows defines most things as objects (processes, threads, etc.).
Windows uses the registry for saving application configuration. Linux uses text files (/etc/) to save configurations.
Both have standard accounts (ring 3) and admin accounts (ring 0), but these permissions are applied in different ways.
10. Proposed solution to the problem
Windows Login
Windows stores passwords in the SAM file (C:\Windows\System32\config\SAM) and in the registry at HKLM\SAM.
The SAM file is encrypted. Decryption happens using the syskey.
Passwords are stored in two forms: an LM hash and an NT hash.
NTLM (NT hash) uses the Message Digest 4 (MD4) algorithm.
LM hash uses DES.
11. Proposed solution to the problem
Exploiting Windows Login
Weaknesses in the LM hash
DES was broken in 1997.
The password is not case sensitive.
The word length is fixed (14 characters).
Weaknesses in the NT hash
As of 2007, an attack can generate collisions in less than 2 MD4 hash operations.
No salting is used.
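As an added example (not code from the slides), the following Python computes the NT hash the way the two slides above describe it, MD4 over the UTF-16LE password with no salt, and performs only the LM pre-processing step (no DES) to show where the case-insensitivity and the fixed 14-character length come from. The MD4 implementation, the `nt_hash`, `lm_halves` and `duplicate_nt_hashes` helpers and the sample accounts are all constructed for this example; the LM step assumes a Latin-1 password, a simplification of the real OEM code page conversion.

```python
import struct

# Added example, not from the slides: NT hash = MD4(UTF-16LE(password)), unsalted.


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). hashlib's 'md4' is often unavailable under OpenSSL 3."""
    mask = 0xFFFFFFFF

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as a little-endian u64.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE password, no salt, no iteration."""
    return md4(password.encode("utf-16le")).hex()


def lm_halves(password: str) -> tuple:
    """LM pre-processing only (the DES step is omitted): upper-case, cut or
    NUL-pad to 14 bytes, split into two independent 7-byte DES keys. This is
    why LM ignores case and why a 14-char password is two 7-char searches.
    Assumes a Latin-1 password (simplification of the OEM code page)."""
    raw = password.upper().encode("latin-1", "replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]


def duplicate_nt_hashes(accounts: dict) -> dict:
    """Because there is no salt, identical passwords give identical NT hashes,
    so shared passwords can be spotted by grouping on the hash alone."""
    groups = {}
    for user, password in accounts.items():
        groups.setdefault(nt_hash(password), []).append(user)
    return {digest: users for digest, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    sample = {"alice": "Winter2017", "bob": "Winter2017", "carol": "Spring2017"}  # constructed
    print(nt_hash("password"))  # 8846f7eaee8fb117ad06bdd830b7586c
    print(lm_halves("Password") == lm_halves("PASSWORD"))  # True
    print(duplicate_nt_hashes(sample))
```

The `duplicate_nt_hashes` check is the defender's view of the "no salting" bullet: on a salted scheme two users with the same password would have different hashes, so this grouping would find nothing; with the NT hash it finds them immediately, which is exactly what makes precomputed-table attacks worthwhile.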
12. Proposed solution to the problem
Exploiting Windows Login
Possible attacks
Lookup of cached credentials
Windows caches the credentials of the last 10 to 50 users.
Tools are available to extract that cached data.
This can be turned on/off at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.
Pass the Hash
Password hashes are loaded in lsass (responsible for enforcing the security policy).
Your job of cracking a logon becomes much easier if only the hash is needed to authenticate.
If none of these work, then brute force, dictionary and rainbow table attacks are always there. Or copy the SAM from a turned-off system.
13. Proposed solution to the problem
Linux Login
Linux saves credentials in a plain text file at /etc/shadow.
Most current systems use the SHA-512 hash algorithm.
Linux uses salting to increase the strength of the password hash.
PAM is used for authentication and related tasks for different services.
14. Proposed solution to the problem
Exploiting Linux Login
The /etc/passwd file is used to store user details and is globally readable.
Desktop Linux password stealer
The password is transferred from the keyboard to PAM for verification through PolicyKit.
So PolicyKit, or any other desktop service working in the background, can be MITM'd to get the password.
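The following Python is an added example (not from the slides) that audits constructed /etc/passwd and /etc/shadow content for the points made on the two Linux login slides: a hash left in the world-readable /etc/passwd instead of /etc/shadow, an empty shadow password field, and a weak crypt(3) hash id instead of the salted SHA-512 ($6$) form. The sample lines, the hash bodies (placeholders, not real digests), the function names and the hash-id tables are constructed for this example.

```python
# Added example, not from the slides: audit constructed passwd/shadow content.

# Constructed sample files; the hash bodies are placeholders, not real digests.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
legacy:$1$abcdefgh$PLACEHOLDERHASH:1001:1001::/home/legacy:/bin/bash
svc:x:1002:1002::/var/svc:/usr/sbin/nologin
weak:x:1003:1003::/home/weak:/bin/bash
"""

SHADOW_SAMPLE = """\
root:$6$saltsalt$PLACEHOLDERHASH:17500:0:99999:7:::
legacy:!:17500:0:99999:7:::
svc::17500:0:99999:7:::
weak:$1$abcdefgh$PLACEHOLDERHASH:17500:0:99999:7:::
"""

# crypt(3) hash ids as found in the $id$salt$hash field.
WEAK_IDS = {"1": "md5crypt"}
STRONG_IDS = {"5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}


def classify_hash(field: str) -> str:
    """Classify one shadow password field: empty, locked, ok:<alg>, weak:<alg>, unknown:<id>."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"
    if field.startswith("$"):
        alg = field.split("$")[1]
        if alg in WEAK_IDS:
            return "weak:" + WEAK_IDS[alg]
        if alg in STRONG_IDS:
            return "ok:" + STRONG_IDS[alg]
        return "unknown:" + alg
    # No $id$ prefix: the old 13-character DES crypt form (2-char salt, 8-char limit).
    return "weak:legacy-des"


def salt_of(field: str) -> str:
    """Per-user salt of a $id$salt$hash field ('' if the field is not that form)."""
    parts = field.split("$")
    return parts[2] if len(parts) >= 4 else ""


def audit(passwd_text: str, shadow_text: str) -> list:
    """Return (user, finding) pairs for the weaknesses discussed on the slides."""
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, pw = line.split(":")[:2]
        # Anything other than the 'x'/'*'/'!' marker is a hash readable by every local user.
        if pw not in ("x", "*", "!"):
            findings.append((user, "password hash in world-readable /etc/passwd"))
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, field = line.split(":")[:2]
        kind = classify_hash(field)
        if kind == "empty":
            findings.append((user, "empty password field"))
        elif kind.startswith("weak:"):
            findings.append((user, "weak hash: " + kind[5:]))
    return findings


if __name__ == "__main__":
    for user, finding in audit(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(f"{user}: {finding}")
```

`salt_of` exposes the part of the field that makes the salting bullet concrete: two users with the same password still get different `$6$` hashes because each field carries its own salt, so a single precomputed table cannot cover both.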
15. Proposed solution to the problem
PROGRAM EXECUTION
16. Proposed solution to the problem
Windows Program loading
The CreateProcess family of functions is used for process creation.
Windows creates an object for every process which has all the details of that process.
The Win32 subsystem is called by Kernel32.dll, which does the initialization of the process and thread.
KiInitializeContextThread is called to build the initial context of the thread and the thread's kernel stack.
17. Proposed solution to the problem
Exploiting Windows Program loading
Search Path Injection
ApplicationName is the process name, which can be NULL.
CommandLine holds the command line arguments.
18. Proposed solution to the problem
Exploiting Windows Program loading
Search Path Injection
If ApplicationName is NULL then CreateProcess will treat the first argument of CommandLine as the app name.
If you want to run "c:\program files\sub dir\program name", your system will look for an exe at these places and run them.
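As an added example (not the slides' code), the following Python reproduces the probing order that the CreateProcess documentation gives for an unquoted command line with a NULL ApplicationName, so a defender can see which directories would have to be writable for the wrong executable to be picked up, and can verify that a command line is quoted. The function names and the `is_writable` predicate are constructed for this example; on a real host the predicate would check the directory's ACL.

```python
import ntpath

# Added example, not from the slides: model the CreateProcess search order for
# an unquoted command line (documented behaviour when lpApplicationName is NULL).


def createprocess_candidates(command_line: str) -> list:
    """Executables CreateProcess tries, in order, for the given command line.
    Quoted: only the quoted path. Unquoted: every whitespace-delimited prefix
    with '.exe' appended; the first one that exists is what gets run."""
    if command_line.startswith('"'):
        end = command_line.find('"', 1)
        exe = command_line[1:end] if end > 0 else command_line[1:]
        return [exe]
    tokens = command_line.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        candidates.append(prefix if prefix.lower().endswith(".exe") else prefix + ".exe")
    return candidates


def hijack_points(command_line: str, intended_exe: str, is_writable) -> list:
    """Candidates probed before the intended binary whose directory the
    is_writable predicate reports as writable by low-privileged users.
    These are the paths that need either quoting or a tightened ACL."""
    target = intended_exe.lower()
    earlier = []
    for cand in createprocess_candidates(command_line):
        if cand.lower() == target:
            break
        earlier.append(cand)
    return [cand for cand in earlier if is_writable(ntpath.dirname(cand))]


def quote_command_line(path: str, args: str = "") -> str:
    """The fix: quote the executable path so only that path is probed."""
    return f'"{path}"' + (" " + args if args else "")


if __name__ == "__main__":
    unquoted = r"c:\program files\sub dir\program name"  # the slide's example path
    for cand in createprocess_candidates(unquoted):
        print(cand)
    # Constructed ACL model: pretend only the drive root is world-writable.
    risky = hijack_points(unquoted, unquoted + ".exe", lambda d: d.lower() == "c:\\")
    print("hijackable:", risky)
    print("fixed:", quote_command_line(unquoted + ".exe"))
```

The usual audit is to run `hijack_points` over every service or scheduled-task command line; any non-empty result means a file dropped in a writable directory earlier in the probe order would be started instead of the intended program, and `quote_command_line` shows the one-line remediation.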
19. Proposed solution to the problem
Exploiting Windows Program loading
Token Stealing using EPROCESS
Windows represents each process in memory by an EPROCESS block.
[figure: EPROCESS block]
20. Proposed solution to the problem
Exploiting Windows Program loading
Token Stealing using EPROCESS
In older systems the EPROCESS block is at 0xffdff000, but due to ASLR the address can be random.
NtQuerySystemInformation can be used in the latest systems to get the EPROCESS address.
Traverse this doubly linked list to reach PID 4 and get the address of its token.
Copy the token to escalate privileges for that process.
21. Proposed solution to the problem
Exploiting Windows Program loading
DLL injection using LdrpInitializeProcess
Microsoft Application Verifier is loaded with a program and used as a runtime verification tool.
Application Verifier can be replaced by a custom verifier by creating a set of registry keys.
ntdll!LdrInitializeThunk, while initializing the process, also loads the verifier into the application memory.
Our custom verifier loads before any other DLL loads, and it is also persistent.
22. Proposed solution to the problem
Linux Program loading
To run a program, a process calls a function from the exec family.
execve directly transfers control to the kernel, where the loader is present.
The linux_binprm kernel structure does the initialization and allocation part.
Control transfers from the kernel to _start.
23. Proposed solution to the problem
Linux Program loading
Exploiting Linux Program loading
Buffer overflow using environment variable
Shellcode can be loaded to program memory by passing
it as environment variable.
Address of EGG can be found by simple program.
25. Proposed solution to the problem
http://tinyurl.com/security1o1 December 2017 25 /Analysis windows and Linux
Exploiting Linux Program loading
Buffer overflow using environment variable
Program can be exploited by overflowing buffer[10]
and replacing return address with shellcode address.
27. Discussions on the results
Completed: Windows login and Linux login, program execution in the different systems, and exploitation.
There were some challenges that we faced during the project, like exploiting the program loading in Windows, resource collection, and different system environment requirements.
28. Future work and time-line
Memory management security (in Program Execution)
Kernel security
Vulnerabilities used by malware