Analysis and Exploiting Windows and Linux Security
Shubham Dubey (14ucs114)
Harshit Agrawal (14ucs046)
Shubham Kasaudhan (14ucs118)
Department of Computer Science and Engineering
The LNM Institute of Information Technology, Jaipur
December 2017
Slides: http://tinyurl.com/security1o1 (December 2017)
Outline
1 Introduction
Current State of the Art
2 Literature Survey
Existing recent solutions
3 Proposed Work
Proposed solution to the problem
4 Discussions and Future Work
Discussions on the results
Future Work
What is the problem
More than 70% of desktop users run Windows, while GNU/Linux distributions dominate on servers.
Constant malware attacks on Windows systems push users to look for a better alternative.
Linux users feel secure, but are they really safe from malware and exploits?
It is worth knowing how the most common features are implemented in both systems, and how secure they actually are.
Existing recent solutions
Research has been done previously on individual features, but not from a comparison point of view.
Stacey Quandt has a good article on the subject at linux.com, but it lacks an in-depth comparison.
Topics covered there include patch management, logging, authentication, protocols used, ACLs, etc.
The research paper "Windows and Linux Operating Systems from a Security Perspective" [link] by Youssef Bassil is also a good read.
The topics covered in that work do not include the whole architecture of the system, so the audience cannot judge how the systems differ in security overall, and practicality is missing.
Our work covers how the different parts of these operating systems differ, and how they can be exploited either because a security control is missing or because of the way a feature is implemented.
Disclaimer: we are not providing a head-to-head comparison result.
Proposed solution to the problem
Topics we will cover
- Login security
- Program execution
- Kernel security
- Vulnerabilities used by malware
- A few miscellaneous topics
Our approach is to break each topic into two parts: how it works, and its issues and exploits/attacks.
Architecture differences
GNU/Linux is open source, whereas Windows is proprietary and closed.
The Linux kernel is monolithic; the Windows NT kernel is a hybrid kernel.
In Linux almost everything is a file. Windows models most things (processes, threads, files, registry keys, ...) as kernel objects managed by the Object Manager, each carrying its own access control list.
Windows uses the registry to store application and system configuration; Linux uses text files, mostly under /etc/.
Both distinguish standard user accounts from administrator accounts, but the distinction is enforced by different mechanisms: access tokens, integrity levels and UAC on Windows versus UIDs, permission bits and capabilities on Linux. Note that user and administrator processes alike run in user mode (ring 3); only the kernel runs in ring 0.
Windows Login
Windows stores local account password hashes in the SAM hive (C:\Windows\System32\config\SAM), which is mounted in the registry as HKLM\SAM.
The hashes inside the SAM are encrypted with the boot key (syskey), which is derived from the SYSTEM hive, so both hives are needed to decrypt them.
Each password is stored in up to two forms: an LM hash and an NT hash.
The NT hash (used by NTLM) is MD4 of the UTF-16LE encoding of the password.
The LM hash uses DES: the password is upper-cased, truncated or null-padded to 14 characters and split into two 7-byte halves, each of which keys a DES encryption of a fixed constant.
Exploiting Windows Login
Weaknesses in the LM hash
DES was publicly broken by brute force in 1997, and the two 7-character halves are hashed independently, so each half can be attacked on its own.
The password is upper-cased before hashing, so it is not case sensitive.
The length is fixed at 14 characters (shorter passwords are null-padded; longer ones get no LM hash at all).
LM hash storage has been disabled by default since Windows Vista / Server 2008, but it is still found on legacy systems and in old domain policies.
Weaknesses in the NT hash
MD4 is cryptographically broken: as of 2007, collisions can be generated in less than 2 MD4 hash operations. Collisions do not directly help password recovery, but MD4 is also extremely fast, which makes GPU brute force cheap.
No salting is used, so identical passwords give identical hashes, precomputed (rainbow) tables work across all accounts, and the hash itself is a password equivalent for NTLM authentication.
Exploiting Windows Login: possible attacks
Lookup of cached credentials
Windows caches domain logon verifiers for the last 10 users by default (configurable up to 50) so that they can still log on when no domain controller is reachable. Tools are available to extract these cached entries for offline cracking.
The count is controlled by the CachedLogonsCount value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; setting it to 0 turns caching off.
Pass the Hash
Password hashes are held in memory by lsass.exe (the Local Security Authority Subsystem, responsible for enforcing the security policy).
Since NTLM authentication proves knowledge of the NT hash rather than of the password, an attacker who dumps the hash can authenticate as that user without cracking anything.
If none of these works, brute-force, dictionary and rainbow-table attacks remain. Alternatively, copy the SAM hive (together with the SYSTEM hive, which holds the boot key) from the powered-off system.
Linux Login
Linux stores password hashes in /etc/shadow, a text file readable only by root and the shadow group; the world-readable /etc/passwd keeps the account details and an "x" placeholder in its password field.
Most current systems use the SHA-512 crypt scheme ($6$, 5000 rounds by default, more when rounds= is set); recent distributions are moving to yescrypt ($y$).
Every hash carries a per-user random salt, so identical passwords yield different hashes and precomputed tables are useless; each hash has to be attacked separately.
PAM (Pluggable Authentication Modules) performs authentication and the related account, session and password-management tasks on behalf of the different services.
Exploiting Linux Login
/etc/passwd, which stores the user details (name, UID, home directory, shell), is world-readable. It no longer holds hashes, but it lets any local user enumerate accounts, and any legacy entry that still carries a hash in its password field is exposed to everyone.
/etc/shadow is readable only by root and the shadow group, so reading the hashes requires privilege escalation or an offline copy of the disk, and the salts then force one cracking run per account.
Desktop Linux password stealer
On a desktop, the password typed into a graphical prompt (for example a PolicyKit authentication agent) is handed to PAM for verification by a process running in the user's own session.
PolicyKit, any other background desktop service in that path, or a process that impersonates the agent can therefore act as a man in the middle and capture the password; since it runs as the same user, no root privileges are needed.
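As an added example (not part of the original slides), the following Python parses the /etc/passwd and /etc/shadow formats described in the two slides above and reports what a local user, or an auditor, can learn from them: hashes left in the world-readable passwd file, accounts with an empty password, and accounts still using a weak or unsalted crypt scheme. The two files are constructed samples, and the hash strings in them are placeholders rather than real sha512crypt output.

```python
# crypt(3) identifiers found in the $id$ prefix of a shadow hash
_ALGOS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
_WEAK = {"descrypt", "md5crypt"}
_DEFAULT_ROUNDS = {"sha256crypt": 5000, "sha512crypt": 5000}


def classify_hash(field: str) -> dict:
    """Describe one /etc/shadow password field: state, scheme, salt, cost."""
    info = {"state": "active", "algorithm": None, "salt": None, "rounds": None, "params": None}
    if field == "":
        info["state"] = "empty"                 # login without any password
        return info
    if field.startswith(("*", "!!")) or field == "!":
        info["state"] = "disabled"              # no password login possible
        return info
    if field.startswith("!"):                   # passwd -l prefixes the hash with '!'
        info["state"] = "locked"
        field = field[1:]
    if field.startswith("$"):
        parts = field.split("$")[1:]            # [id, (params|rounds|salt), ..., hash]
        ident, rest = parts[0], parts[1:]
        info["algorithm"] = _ALGOS.get(ident, "unknown-id-" + ident)
        if ident == "y":                        # $y$<params>$<salt>$<hash>
            info["params"], info["salt"] = rest[0], rest[1]
        else:                                   # $id$[rounds=N$]<salt>$<hash>
            if rest[0].startswith("rounds="):
                info["rounds"] = int(rest[0][len("rounds="):])
                rest = rest[1:]
            else:
                info["rounds"] = _DEFAULT_ROUNDS.get(info["algorithm"])
            info["salt"] = rest[0]
    elif len(field) == 13:                      # legacy DES crypt: 2-char salt + 11
        info["algorithm"], info["salt"] = "descrypt", field[:2]
    else:
        info["algorithm"] = "unrecognised"
    return info


def audit(passwd_text: str, shadow_text: str) -> list:
    """Findings a local user or an auditor can pull from the two files."""
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        name, pw = line.split(":")[:2]
        if pw not in ("x", "*", "!"):           # anything but a placeholder
            what = "no password" if pw == "" else "password hash"
            findings.append(f"{name}: {what} in world-readable /etc/passwd")
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        name, field = line.split(":")[:2]
        info = classify_hash(field)
        if info["state"] == "empty":
            findings.append(f"{name}: empty password in /etc/shadow")
        elif info["state"] == "active":
            if info["algorithm"] in _WEAK:
                findings.append(f"{name}: weak hash scheme {info['algorithm']}")
            if not info["salt"]:
                findings.append(f"{name}: unsalted or unparseable hash")
    return findings


# constructed sample files; hash strings are placeholders, not real digests
PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
legacy:$1$ab$Y0f8d2lR4k9Q2mN1pT7wE.:1001:1001::/home/legacy:/bin/sh
"""
SHADOW = """root:$6$rounds=10000$Xk4Zq1Lw$N0tAr3alH4sh:17500:0:99999:7:::
alice:$6$s4ltA$N0tAr3alH4shA:17500:0:99999:7:::
bob:$6$s4ltB$N0tAr3alH4shB:17500:0:99999:7:::
carol:!$6$s4ltC$N0tAr3alH4shC:17500:0:99999:7:::
oldsvc:$1$l3gacy$N0tAr3alH4sh:17500:0:99999:7:::
guest::17500:0:99999:7:::
daemon:*:17500:0:99999:7:::
"""

if __name__ == "__main__":
    for finding in audit(PASSWD, SHADOW):
        print(finding)
    a, b = classify_hash("$6$s4ltA$N0tAr3alH4shA"), classify_hash("$6$s4ltB$N0tAr3alH4shB")
    print("same scheme, per-user salts:", a["algorithm"], a["salt"], b["salt"])
```

alice and bob in the sample share a scheme but not a salt, which is the property that makes the Linux hashes resistant to the shared-table attack that works against unsalted NT hashes; a line such as the legacy entry, with a hash sitting in /etc/passwd, hands that hash to every local user.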
Program Execution
Windows Program loading
The CreateProcess family of functions is used for process creation.
The kernel creates an executive process object (EPROCESS) for every process; it holds all the details of that process.
Kernel32.dll performs the user-mode part of process and thread initialization and notifies the Win32 subsystem (csrss) of the new process.
KiInitializeContextThread builds the initial context of the thread and the thread's kernel stack.
Exploiting Windows Program loading
Search Path Injection
lpApplicationName is the module to execute and may be NULL; lpCommandLine holds the command line.
If lpApplicationName is NULL, CreateProcess treats the first white-space-delimited token of lpCommandLine as the module name and, if no such file exists, appends the next token and tries again.
So to run c:\program files\sub dir\program name unquoted, the system looks for an executable at each of the following places in turn and runs the first one it finds: c:\program.exe, c:\program files\sub.exe, c:\program files\sub dir\program.exe, c:\program files\sub dir\program name.exe.
Anyone who can write to one of the earlier locations gets their binary executed with the caller's privileges (the classic unquoted service path problem). The fix is to quote the path in lpCommandLine or to pass it in lpApplicationName.
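The probing order described above, as an added example that is not part of the original slides: a Python model of CreateProcess's documented token-by-token search for an unquoted program path, a check of which candidates an attacker could satisfy given a constructed set of user-writable directories (an assumed ACL model, not a query of real NTFS permissions), and the hardened, quoted command line.

```python
def _with_exe(name: str) -> str:
    """CreateProcess appends .exe when the module name carries no extension."""
    return name if "." in name.rsplit("\\", 1)[-1] else name + ".exe"


def createprocess_candidates(command_line: str) -> list:
    """Module paths CreateProcess tries, in order, when lpApplicationName is NULL.

    A quoted program path is taken verbatim. An unquoted one is split at
    spaces and the tokens are re-joined one at a time; the first token
    sequence naming an existing file is what gets executed. If arguments
    follow the path they become further (unlikely) trailing candidates.
    """
    if command_line.startswith('"'):
        end = command_line.find('"', 1)
        return [_with_exe(command_line[1:end if end != -1 else None])]
    tokens = command_line.split(" ")
    return [_with_exe(" ".join(tokens[:i + 1])) for i in range(len(tokens))]


def plantable(candidates, writable_dirs) -> list:
    """Candidates an attacker can satisfy by dropping a file into a directory
    they can write to. writable_dirs is a constructed ACL model (assumption),
    not the result of inspecting real permissions."""
    writable = {d.lower().rstrip("\\") + "\\" for d in writable_dirs}
    hits = []
    for cand in candidates:
        parent = cand.rsplit("\\", 1)[0] + "\\"
        if parent.lower() in writable:
            hits.append(cand)
    return hits


def safe_command_line(app_path: str, args: str = "") -> str:
    """Hardened form: quote the program path so the first token is unambiguous
    (or pass app_path as lpApplicationName instead of relying on the parse)."""
    return f'"{app_path}"' + (f" {args}" if args else "")


if __name__ == "__main__":
    unquoted = r"c:\program files\sub dir\program name"
    cands = createprocess_candidates(unquoted)
    for c in cands:
        print("tries:", c)
    # assumed: the drive root and the program's own directory are user-writable
    print("plantable:", plantable(cands, ["C:\\", r"C:\Program Files\Sub Dir"]))
    print("hardened :", safe_command_line(unquoted + ".exe", "-v"))
```

Running createprocess_candidates over the ImagePath values of installed services is the usual way to find unquoted service paths; the plantable step then tells you which of them matter on a given host.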
Exploiting Windows Program loading
Token Stealing using EPROCESS
Windows represents each process in kernel memory by an EPROCESS block. The blocks are chained in a doubly linked list (ActiveProcessLinks), and each one holds a pointer to the process's access token.
On older 32-bit systems the processor control region (KPCR) sits at the fixed address 0xffdff000, and the current thread's EPROCESS is reached from it; with kernel ASLR these addresses are randomized.
On newer systems NtQuerySystemInformation (for example the SystemModuleInformation or SystemHandleInformation classes) can leak kernel addresses to a medium-integrity process; since Windows 8.1 these leaks are blocked for low-integrity processes.
A kernel-mode payload walks the list to PID 4 (the System process) and reads the address of its token.
Copying that token pointer over the token of the attacker's own process escalates it to SYSTEM. This presupposes a kernel read/write primitive, typically obtained from a vulnerable driver, and is the final step of most Windows local privilege escalation exploits.
Exploiting Windows Program loading
DLL injection using LdrpInitializeProcess
Microsoft Application Verifier is a runtime verification tool whose provider DLLs are loaded into a program at startup.
A custom "verifier" DLL can be installed in its place by creating a set of registry values under the Image File Execution Options key for the target executable (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<exe>: GlobalFlag = 0x100, i.e. FLG_APPLICATION_VERIFIER, and VerifierDlls = <dll name>, loaded from System32).
While ntdll!LdrInitializeThunk (via LdrpInitializeProcess) initializes the process, it loads the verifier DLL into the application's memory.
Our custom verifier therefore loads before any other DLL, including the application's own imports, and the change persists across reboots.
Writing these values requires administrative rights, so this is a persistence and injection technique rather than a privilege escalation; monitoring writes under Image File Execution Options detects it.
Linux Program loading
To run a program, a process calls one of the exec family of functions, all of which are wrappers around the execve system call.
execve transfers control directly to the kernel, where the binary-format handlers (load_elf_binary for ELF) perform the loading.
The kernel fills a linux_binprm structure with the file, arguments and environment, and uses it to set up the new address space and the initial stack.
Control then returns to user space at the entry point: for a dynamically linked binary this is _start of the dynamic loader (ld.so), which maps the shared libraries before jumping to the program's own _start.
Exploiting Linux Program loading
Buffer overflow using an environment variable
Shellcode can be placed in the target's memory by passing it in an environment variable (the EGG): the kernel copies the environment onto the new process's stack at a location that is predictable once ASLR is out of the way.
The address of EGG can be found with a small helper program that calls getenv and corrects for the difference in program-name length between the helper and the target.
The program is then exploited by overflowing buffer[10] and overwriting the saved return address with the address of the shellcode.
This classic technique assumes an executable stack (no NX), no stack canary and no ASLR; on a current distribution each of these must be switched off for the demonstration to work (for example by compiling with -z execstack -fno-stack-protector and setting kernel.randomize_va_space to 0).
Discussions on the results
Completed so far: Windows and Linux login, program execution on both systems, and their exploitation.
Challenges faced during the project: exploiting program loading on Windows, collecting resources, and the differing system environment requirements.
Future work and timeline
Memory management security (within Program Execution)
Kernel security
Vulnerabilities used by malware

More Related Content

What's hot

DEFCON 27 - ALEXANDRE BORGES - dot net malware threats
DEFCON 27 - ALEXANDRE BORGES - dot net malware threatsDEFCON 27 - ALEXANDRE BORGES - dot net malware threats
DEFCON 27 - ALEXANDRE BORGES - dot net malware threatsFelipe Prado
 
Black Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysisBlack Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysisRoberto Suggi Liverani
 
Intrusion Discovery on Windows
Intrusion Discovery on WindowsIntrusion Discovery on Windows
Intrusion Discovery on Windowsdkaya
 
An introduction to the linux kernel and device drivers (NTU CSIE 2016.03)
An introduction to the linux kernel and device drivers (NTU CSIE 2016.03)An introduction to the linux kernel and device drivers (NTU CSIE 2016.03)
An introduction to the linux kernel and device drivers (NTU CSIE 2016.03)William Liang
 

What's hot (8)

CMIT 321 QUIZ 3
CMIT 321 QUIZ 3CMIT 321 QUIZ 3
CMIT 321 QUIZ 3
 
DEFCON 27 - ALEXANDRE BORGES - dot net malware threats
DEFCON 27 - ALEXANDRE BORGES - dot net malware threatsDEFCON 27 - ALEXANDRE BORGES - dot net malware threats
DEFCON 27 - ALEXANDRE BORGES - dot net malware threats
 
Black Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysisBlack Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysis
 
Dll injection
Dll injectionDll injection
Dll injection
 
Intrusion Discovery on Windows
Intrusion Discovery on WindowsIntrusion Discovery on Windows
Intrusion Discovery on Windows
 
.NET for hackers
.NET for hackers.NET for hackers
.NET for hackers
 
An introduction to the linux kernel and device drivers (NTU CSIE 2016.03)
An introduction to the linux kernel and device drivers (NTU CSIE 2016.03)An introduction to the linux kernel and device drivers (NTU CSIE 2016.03)
An introduction to the linux kernel and device drivers (NTU CSIE 2016.03)
 
Software security
Software securitySoftware security
Software security
 

Similar to Analysis and Exploiting Windows and Linux Security

Comparison of Windows and Linux Operating Systems in Advanced Features
Comparison of Windows and Linux Operating Systems in Advanced FeaturesComparison of Windows and Linux Operating Systems in Advanced Features
Comparison of Windows and Linux Operating Systems in Advanced FeaturesIJERA Editor
 
Faster Computing was impressed with your presentation. The company.pdf
Faster Computing was impressed with your presentation. The company.pdfFaster Computing was impressed with your presentation. The company.pdf
Faster Computing was impressed with your presentation. The company.pdframizmemonahmedabado1
 
Module 18 (linux hacking)
Module 18 (linux hacking)Module 18 (linux hacking)
Module 18 (linux hacking)Wail Hassan
 
How to protect my cloud workload from Ransomware?
How to protect my cloud workload from Ransomware?How to protect my cloud workload from Ransomware?
How to protect my cloud workload from Ransomware?Raphael Bottino
 
Essay About ISS 418 Lab 7 And 8
Essay About ISS 418 Lab 7 And 8Essay About ISS 418 Lab 7 And 8
Essay About ISS 418 Lab 7 And 8Paula Smith
 
Big Data Management Analytics And Management Essay
Big Data Management Analytics And Management EssayBig Data Management Analytics And Management Essay
Big Data Management Analytics And Management EssayAmy Alexander
 
Crisis. advanced malware
Crisis. advanced malwareCrisis. advanced malware
Crisis. advanced malwareYury Chemerkin
 
Windows Kernel & Driver Development
Windows Kernel & Driver DevelopmentWindows Kernel & Driver Development
Windows Kernel & Driver DevelopmentMarcus Botacin
 
Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaCTIN
 
Comparisons And Contrasts Of Windows Ce, Windows Xp, And...
Comparisons And Contrasts Of Windows Ce, Windows Xp, And...Comparisons And Contrasts Of Windows Ce, Windows Xp, And...
Comparisons And Contrasts Of Windows Ce, Windows Xp, And...Cecilia Lucero
 
Bruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities
Bruh! Do you even diff?—Diffing Microsoft Patches to Find VulnerabilitiesBruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities
Bruh! Do you even diff?—Diffing Microsoft Patches to Find VulnerabilitiesPriyanka Aash
 
Information Technology ITM1
Information Technology ITM1Information Technology ITM1
Information Technology ITM1Aram Mohammed
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...CODE BLUE
 
Modern IoT and Embedded Linux Deployment - Berlin
Modern IoT and Embedded Linux Deployment - BerlinModern IoT and Embedded Linux Deployment - Berlin
Modern IoT and Embedded Linux Deployment - BerlinDjalal Harouni
 
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS)        In t.docxLab-10 Malware Creation and Denial of Service (DoS)        In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docxpauline234567
 
File inflection techniques
File inflection techniquesFile inflection techniques
File inflection techniquesSandun Perera
 

Similar to Analysis and Exploiting Windows and Linux Security (20)

Comparison of Windows and Linux Operating Systems in Advanced Features
Comparison of Windows and Linux Operating Systems in Advanced FeaturesComparison of Windows and Linux Operating Systems in Advanced Features
Comparison of Windows and Linux Operating Systems in Advanced Features
 
Faster Computing was impressed with your presentation. The company.pdf
Faster Computing was impressed with your presentation. The company.pdfFaster Computing was impressed with your presentation. The company.pdf
Faster Computing was impressed with your presentation. The company.pdf
 
Module 18 (linux hacking)
Module 18 (linux hacking)Module 18 (linux hacking)
Module 18 (linux hacking)
 
How to protect my cloud workload from Ransomware?
How to protect my cloud workload from Ransomware?How to protect my cloud workload from Ransomware?
How to protect my cloud workload from Ransomware?
 
Essay About ISS 418 Lab 7 And 8
Essay About ISS 418 Lab 7 And 8Essay About ISS 418 Lab 7 And 8
Essay About ISS 418 Lab 7 And 8
 
Big Data Management Analytics And Management Essay
Big Data Management Analytics And Management EssayBig Data Management Analytics And Management Essay
Big Data Management Analytics And Management Essay
 
Crisis. advanced malware
Crisis. advanced malwareCrisis. advanced malware
Crisis. advanced malware
 
Windows Kernel & Driver Development
Windows Kernel & Driver DevelopmentWindows Kernel & Driver Development
Windows Kernel & Driver Development
 
App locker
App lockerApp locker
App locker
 
Linux v/s Windows
Linux v/s WindowsLinux v/s Windows
Linux v/s Windows
 
Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troyla
 
Comparisons And Contrasts Of Windows Ce, Windows Xp, And...
Comparisons And Contrasts Of Windows Ce, Windows Xp, And...Comparisons And Contrasts Of Windows Ce, Windows Xp, And...
Comparisons And Contrasts Of Windows Ce, Windows Xp, And...
 
Bruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities
Bruh! Do you even diff?—Diffing Microsoft Patches to Find VulnerabilitiesBruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities
Bruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities
 
BPotter-L1-05
BPotter-L1-05BPotter-L1-05
BPotter-L1-05
 
Information Technology ITM1
Information Technology ITM1Information Technology ITM1
Information Technology ITM1
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
 
Neww
NewwNeww
Neww
 
Modern IoT and Embedded Linux Deployment - Berlin
Modern IoT and Embedded Linux Deployment - BerlinModern IoT and Embedded Linux Deployment - Berlin
Modern IoT and Embedded Linux Deployment - Berlin
 
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS)        In t.docxLab-10 Malware Creation and Denial of Service (DoS)        In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
 
File inflection techniques
File inflection techniquesFile inflection techniques
File inflection techniques
 

Recently uploaded

WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 

Recently uploaded (20)

WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 

Analysis and Exploiting Windows and Linux Security

  • 1. Analysis and Exploiting Windows and Linux security Shubham Dubey (14ucs114) Harshit Agrawal (14ucs046) Shubham Kasaudhan (14ucs118) Department of Computer Science and Engineering The LNM Institute of Information Technology, Jaipur December 2017 http://tinyurl.com/security1o1 December 2017 1 / 17Analysis windows and Linux
  • 2. Outline 1 Introduction Current State of Art 2 Literature Survey Existing recent solutions 3 Proposed Work Proposed solution to the problem Discussions and Future Work Discussions on the results Future Work http://tinyurl.com/security1o1 December 2017 2 / 17Analysis windows and Linux
  • 3. What is the problem http://tinyurl.com/security1o1 Analysis windows and Linux December 2017 3 / 17 More than 70% of Desktop users running Windows but GNU/Linux based distributions is widely used in Servers Constant Malware attacks in Windows system make users to look for better alternative. Linux Users feel secure but Are they really safe from malware and exploits? It is worth to know how most common features are implemented in both systems and how secure actually they are.
  • 4. Outline 1 Introduction Current State of the Art 2 Literature Survey Existing recent solutions 3 Proposed Work Proposed solution to the problem 5 Discussions and Future Work Discussions on the results Future Work http://tinyurl.com/security1o1 December 2017 4 / 17Analysis windows and Linux
  • 5. Existing recent solutions Research has been done previously on different standalone features but not as a comparison point of view. Stacey Quandt has a great article on the same at linux.com but lacks a depth comparison. Topic covered include patch management, logging, authentication, protocols used, acl etc. A research paper “WINDOWS AND LINUX OPERATING SYSTEMS FROM A SECURITY PERSPECTIVE” [link] by Youssef Bassil is also a great read. http://tinyurl.com/security1o1 December 2017 5 / 17Analysis windows and Linux
  • 6. Existing recent solutions Topic covered doesn't include the whole architecture of system. Audience can’t judge how the system overall differs in security. Practicality is missing. Our solution include how different parts of these os are differ and how they can be exploited because of lacks of security or the way these feature are implemented. Disclaimer is we are not providing head to head comparison result. http://tinyurl.com/security1o1 December 2017 6 / 17Analysis windows and Linux
  • 7. Outline 1 Introduction Current State of the Art 2 Literature Survey Existing recent solutions 3 Proposed Work Proposed solution to the problem 5 Discussions and Future Work Discussions on the results Future Work http://tinyurl.com/security1o1 December 2017 7 / 17Analysis windows and Linux
  • 8. Proposed solution to the problem Topics we will cover http://tinyurl.com/security1o1 December 2017 8 / 17Analysis windows and Linux  Login Security  Program Execution  Kernel Security  Vulnerability used by malware  Few miscellaneous Our Approach is to break these topic into two part Working Issues and Exploits/Attacks
  • 9. Proposed solution to the problem http://tinyurl.com/security1o1 December 2017 9 / 17Analysis windows and Linux Architecture difference GNU/Linux is open source whereas windows is proprietary and closed. Linux kernel is monolithic. Windows (NT) kernel contains hybrid kernel. Everything in Linux is file. Windows define most things as objects(//remove it// process,threads etc). Windows uses registry for saving application configure. Linux uses text files(/etc/) to save configurations. Both have standard account(ring 3) and admin account (ring 0) but there is different way these permission applied.
• 10. Proposed solution to the problem: Windows Login. Windows stores passwords in the SAM file (C:\Windows\System32\config\SAM) and in the registry at HKLM\SAM. The SAM file is encrypted; decryption happens using the syskey. Passwords are stored in two forms, an LM hash and an NT hash. NTLM (the NT hash) uses the Message Digest 4 (MD4) algorithm. The LM hash uses DES.
• 11. Proposed solution to the problem: Exploiting Windows Login. Weaknesses in the LM hash: DES was broken in 1997; the password is not case sensitive; the word length is fixed (14 characters). Weaknesses in the NT hash: as of 2007, an attack can generate collisions in less than 2 MD4 hash operations; no salting is used.
• 12. Proposed solution to the problem: Exploiting Windows Login, possible attacks. Lookup of cached credentials: Windows caches the credentials of the last 10 to 50 users, and tools are available to extract that cached data. This can be turned on/off at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. Pass the Hash: password hashes are loaded in lsass (responsible for enforcing the security policy); your job of cracking a logon will be much easier if you only need the hash to authenticate. If none of these works, then brute-force, dictionary and rainbow-table attacks are always there, or copy the SAM from a turned-off system.
• 13. Proposed solution to the problem: Linux Login. Linux saves credentials in a plain text file at /etc/shadow. Most current systems use the SHA-512 hash algorithm. Linux uses salting to increase the strength of the password hash. PAM is used for authentication and related tasks for different services.
• 14. Proposed solution to the problem: Exploiting Linux Login. The /etc/passwd file is used to store user details and is world readable. Desktop Linux Password Stealer: the password is transferred from the keyboard to PAM for verification through PolicyKit, so PolicyKit or any other desktop service working in the background can be MITMed to get the password.
• 15. Proposed solution to the problem: PROGRAM EXECUTION
• 16. Proposed solution to the problem: Windows Program loading. The CreateProcess family of functions is used for process creation. Windows creates an object for every process which holds all the details of that process. The Win32 subsystem is called by Kernel32.dll, which does the initialization of the process and thread. KiInitializeContextThread is called to build the initial context of the thread and the thread's kernel stack.
• 17. Proposed solution to the problem: Exploiting Windows Program loading, Search Path Injection. ApplicationName is the process name, which can be NULL. CommandLine holds the command line arguments.
• 18. Proposed solution to the problem: Exploiting Windows Program loading, Search Path Injection. If ApplicationName is NULL then CreateProcess will treat the first argument of CommandLine as the application name. If you want to run "c:\program files\sub dir\program name", your system will look for an exe at these places and run them.
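The probe order described on these two slides, as an added example (not the presenters' code): createprocess_candidates is a hypothetical helper that lists the module paths CreateProcess tries for an unquoted command line, and needs_quoting applies the usual unquoted-path audit heuristic to a constructed list of service ImagePath values so an administrator can see which entries to quote.

```python
import ntpath


def createprocess_candidates(command_line: str) -> list:
    """Paths CreateProcess probes, in order, when lpApplicationName is NULL.

    Each space-delimited prefix of lpCommandLine is tried as the module name,
    with ".exe" appended when the prefix carries no extension; a quoted first
    token is used as-is (hypothetical helper, behaviour as the slide states).
    """
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        name = cmd[1:end] if end > 0 else cmd[1:]
        return [name if ntpath.splitext(name)[1] else name + ".exe"]
    words = cmd.split(" ")
    candidates = []
    for i in range(1, len(words) + 1):
        prefix = " ".join(words[:i])
        candidates.append(prefix if ntpath.splitext(prefix)[1] else prefix + ".exe")
    return candidates


# Constructed sample of service ImagePath values, as an auditor would collect them.
SAMPLE_IMAGE_PATHS = [
    r'"C:\Program Files\Vendor A\svc.exe" -run',
    r"C:\Program Files\Vendor B\agent service\agent.exe",
    r"C:\Windows\system32\svchost.exe -k netsvcs",
]


def needs_quoting(image_paths) -> list:
    """Entries whose executable sits under an unquoted path containing a space.

    Heuristic: unquoted, and a space occurs before ".exe", so CreateProcess
    would probe shorter prefixes (see createprocess_candidates) before reaching
    the real binary. Quoting the path removes the ambiguity.
    """
    flagged = []
    for path in image_paths:
        exe = path.lower().find(".exe")
        if not path.startswith('"') and exe > 0 and " " in path[:exe]:
            flagged.append(path)
    return flagged
```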
• 19. Proposed solution to the problem: Exploiting Windows Program loading, Token Stealing using EPROCESS. Windows represents each process in memory by an EPROCESS block.
• 20. Proposed solution to the problem: Exploiting Windows Program loading, Token Stealing using EPROCESS. In older systems the EPROCESS block is at 0xffdff000, but due to ASLR the address can be random. NtQuerySystemInformation can be used on current systems to get the EPROCESS address. Traverse this doubly linked list to reach PID 4 and get the address of its token. Copy the token to escalate the privilege of that process.
• 21. Proposed solution to the problem: Exploiting Windows Program loading, DLL injection using LdrpInitializeProcess. Microsoft Application Verifier is loaded with a program and used as a runtime verification tool. Application Verifier can be replaced by a custom verifier by creating a set of registry keys. ntdll!LdrInitializeThunk, while initializing the process, also loads the verifier into the application's memory. Our custom verifier loads before any other DLL loads, and it is persistent.
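Because the verifier replacement is keyed off the registry, it is also easy to audit; the following added example (not the presenters' code) scans a constructed .reg export for Image File Execution Options entries that enable the Application Verifier flag and name verifier DLLs. The key path, the GlobalFlag bit 0x100 and the VerifierDlls value come from Microsoft's documented IFEO mechanism, not from the slide; the allowlist of expected verifier DLLs is the operator's to maintain.

```python
IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Image File Execution Options") + "\\"
FLG_APPLICATION_VERIFIER = 0x100  # GlobalFlag bit that makes the loader pull VerifierDlls

# Constructed .reg export for the demonstration; "payload.dll" and "allowed.dll" are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="payload.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\app.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="allowed.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\other.exe]
"Debugger"="cdb.exe"
"""


def parse_reg(text: str) -> dict:
    """Minimal .reg parser: {key_path: {value_name: int | str}} (dword and string only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, raw = line[1:].partition('"=')
            keys[current][name] = int(raw[6:], 16) if raw.startswith("dword:") else raw.strip('"')
    return keys


def find_verifier_hooks(reg_text: str, allowlist=frozenset()) -> list:
    """[(image, [unexpected verifier dlls])] for IFEO entries with the verifier flag set."""
    findings = []
    for path, values in parse_reg(reg_text).items():
        if not path.lower().startswith(IFEO_PREFIX.lower()):
            continue
        image = path[len(IFEO_PREFIX):]
        dlls = values.get("VerifierDlls", "")
        if values.get("GlobalFlag", 0) & FLG_APPLICATION_VERIFIER and dlls:
            unexpected = [d for d in dlls.split() if d.lower() not in allowlist]
            if unexpected:
                findings.append((image, unexpected))
    return findings
```

The same check can be pointed at a live export (reg export of the IFEO key) on a host; the slide's persistence claim is exactly why these keys deserve a place in baseline monitoring.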
• 22. Proposed solution to the problem: Linux Program loading. To run a program, a process calls a function from the exec family. execve directly transfers control to the kernel, where the loader is present. The linux_binprm kernel structure does the initialization and allocation part. Control is transferred from the kernel to _start.
• 23. Proposed solution to the problem: Linux Program loading
• 24. Proposed solution to the problem: Exploiting Linux Program loading, Buffer overflow using an environment variable. Shellcode can be loaded into program memory by passing it as an environment variable. The address of the egg can be found by a simple program.
• 25. Proposed solution to the problem: Exploiting Linux Program loading, Buffer overflow using an environment variable. The program can be exploited by overflowing buffer[10] and replacing the return address with the shellcode address.
• 26. Outline: 1 Introduction (Current State of the Art); 2 Literature Survey (Existing recent solutions); 3 Proposed Work (Proposed solution to the problem); 4 Discussion and Future Work (Discussion on the results; Future Work)
• 27. Discussions on the results: Completed Windows login and Linux login, program execution in the different systems, and their exploitation. There were some challenges that we faced during the project, such as exploiting program loading in Windows, resource collection, and the different system environment requirements.
• 28. Future work and time-line: Memory management security (in Program Execution); Kernel security; Vulnerabilities used by malware.