Anatomy of an Operating System Attack
Drew Williams
Product Manager, Intruder Alert HIDS / Co-founder, Information Security SWAT Team
AXENT Technologies
April 9, 1998
More organizations move to the Internet as
their primary means of business communications
every day. As technology expands the way we do
business, that same technology is being turned to
misuse. A clear leader in advanced technology is Microsoft’s NT operating system. Consequently, as more businesses turn to Windows NT, it has become a favorite target for computer hackers to exploit.
The two primary reasons for attacking a
system are ultimately to gain access to the system
with administrator privileges and to disrupt computer
operations and services.
With administrator privileges, an attacker has free rein over the system being compromised. Hackers can copy, change or delete information, reconfigure system operations, and even execute other programs to gain access to the rest of the systems on the network.
The getadmin hack allowed an unprivileged user to gain administrator privileges. Last year, while Americans were celebrating Independence Day, a fellow named “Konstantin Sobolev” reported that Microsoft’s NT system service NtAddAtom does not check the memory address of its output if the NtGlobalFlag is set to “DEBUG.” The result is the possibility of writing to any location in kernel memory.
GetAdmin takes advantage of this first by setting the NtGlobalFlag, then by injecting a .dll into the winlogon process (which possesses SYSTEM privileges). With these privileges the winlogon process adds the user to the Administrators group. This "hole" can allow almost any type of program to be run, resulting in the attacker having complete access to an organization’s network.
Four days after this flaw was first reported, Microsoft released the getadmin “hotfix.” However, within a few hours a new version of the getadmin attack was released, which worked around Microsoft's hotfix. (The hotfix patched the kernel so that the NtGlobalFlag could not be changed unless the user already had Administrator privileges.) The new getadmin used another area of memory, which allowed instructions to be executed at ring 0 privilege and changed the NtGlobalFlag to DEBUG. The result: Administrator privileges, again!
Another method of gaining access to a system is to obtain a user’s ID and password. User information, including passwords, is stored in the system’s registry. A cadre of engineers with a knack for hacking, called “L0pht Heavy Industries,” revealed a method to dump the registry and crack Microsoft's LanMan password encryption. With the latest version of L0phtcrack (available at L0pht’s home page), an attacker can also "sniff" the network to gather user IDs and passwords.
Microsoft uses a very weak hash algorithm as part of NT LanMan. L0phtcrack 2.0 can recover passwords with only A-Z characters in less than 5 hours and passwords with A-Z,0-9 in under 62 hours. Although Microsoft released the LM-Hash fix, it is rendered useless when running Windows 95 or Windows 3.11 (both still utilize the original hash).
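To see why the LanMan hash falls so quickly, the following Python, added here as an illustration and not part of the original article or of L0phtcrack, reproduces the pre-processing LM applies to a password (upper-casing and splitting into two independent 7-byte halves; the DES step that follows is omitted) and counts the guesses an attacker needs per half. The sample password is constructed for the demonstration.

```python
from typing import Tuple

# Worked illustration of the LanMan (LM) hash weakness; constructed for this
# article, not code from L0phtcrack or from Microsoft.

def lm_halves(password: str) -> Tuple[bytes, bytes]:
    """Apply LM's pre-processing: upper-case, cut or null-pad to 14 bytes, then
    split into two 7-byte halves.  Each half is later used as a DES key on its
    own, so the halves can be attacked independently (DES step omitted here)."""
    padded = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return padded[:7], padded[7:]

def half_keyspace(charset_size: int) -> int:
    """Candidates for one half: every length from 0 to 7 is possible, because a
    shorter half is simply null-padded."""
    return sum(charset_size ** n for n in range(8))

def lm_guesses(password: str, charset_size: int) -> int:
    """Worst-case guesses to recover `password` from its LM hash.  A non-empty
    half costs one full 7-character search; an all-null half costs nothing,
    since its hash is the well-known constant AAD3B435B51404EE."""
    return sum(half_keyspace(charset_size)
               for half in lm_halves(password) if half.strip(b"\x00"))

def naive_guesses(password: str, charset_size: int) -> int:
    """Cost of the same search if the whole, case-preserved password were
    hashed as one string, which is what a sound password hash forces."""
    return sum(charset_size ** n for n in range(len(password) + 1))

if __name__ == "__main__":
    # Constructed sample: 9 characters, mixed case plus a digit.  Upper-casing
    # folds the 62-symbol set (a-z, A-Z, 0-9) down to 36 symbols.
    pw = "Passw0rd1"
    print("LM halves       :", lm_halves(pw))
    print("A-Z per half    :", half_keyspace(26))
    print("A-Z,0-9 per half:", half_keyspace(36))
    print("LM worst case   :", lm_guesses(pw, 36))
    print("naive, 62 chars :", naive_guesses(pw, 62))
```

The A-Z to A-Z,0-9 ratio comes out at roughly 9.6x, the same order of magnitude as the 5-hour versus 62-hour figures above, and the 9-character sample costs only two 7-character searches over 36 symbols instead of one 9-character search over 62.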
Another favorite hacker target is the NT Registry. For example, when sharing any system resources with Windows 95, the hacker program called “CracksSharePW” takes advantage of the share password entries stored in the registry at SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan. These are also encrypted with an extremely weak cipher, and the password hash is a simple XOR.
In the previously mentioned situations, attacks could have been thwarted by enforcing strict password policies, utilizing security software that monitors system file changes, and protecting direct access to an organization’s systems with a properly secured firewall and a methodology for continual intrusion detection.
In another set of common hacker scenarios, an attacker disrupts computer operations with a DoS (Denial-of-Service) attack. This is usually a deliberate attack, and it can include allowing another system on the network to impersonate the downed system. Following are a couple of real-life examples. . .
In early November 1997, a group of hackers found a serious bug in the fragmented packet assembly routines in the TCP/IP code. When a fragmented packet is sent that overlaps the previous packet, the attacked system will slow down dramatically or completely crash. The program code for this was immediately made public, and called the “Teardrop attack.” Microsoft’s original fix was again quickly circumvented with the release of a new teardrop version, which worked by including false size information. This has since been fixed by Microsoft’s “newest” teardrop fix.
In another example of a DoS technique, the “Land Attack” exploits another bug in the Microsoft TCP/IP software. IP packets travel to a system where the source address and port are the same as the destination. This confuses the system into re-sending packets back to itself in an endless loop, which ultimately renders a network completely useless.
The only real “prevention” from these types of attacks is to verify that the latest fixes are installed throughout the system by continuously auditing it.
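Both DoS bugs above, the overlapping fragments of Teardrop and the source-equals-destination packet of Land, are visible in the IP header alone, which is what a network monitor can check for. The following Python, added here as an illustration and not code from the article or from AXENT's products, parses raw IPv4 packets and flags both patterns; the packet builder, the sample packets and their 10.0.0.x addresses are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Detection of the two header-level DoS patterns discussed in the article;
# constructed example, not the code of any product named on the page.

@dataclass
class Packet:
    src: str
    dst: str
    ident: int
    proto: int
    more_fragments: bool
    frag_offset: int          # byte offset of this fragment within the datagram
    payload_len: int
    sport: Optional[int]      # only known for the first (offset 0) TCP/UDP fragment
    dport: Optional[int]

def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def parse_ipv4(raw: bytes) -> Packet:
    """Decode the fixed 20-byte IPv4 header and, when present, the L4 port pair."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _cksum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    more = bool(flags_frag & 0x2000)
    offset = (flags_frag & 0x1FFF) * 8        # fragment offset is in 8-byte units
    payload = raw[ihl:total_len]
    sport = dport = None
    if proto in (6, 17) and offset == 0 and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
    return Packet(_ip_str(src), _ip_str(dst), ident, proto, more, offset,
                  len(payload), sport, dport)

def is_land(p: Packet) -> bool:
    """Land: the packet claims to come from the very socket it is addressed to."""
    return p.src == p.dst and p.sport is not None and p.sport == p.dport

class FragmentTracker:
    """Remembers the byte ranges already seen for each datagram and flags a
    fragment that overlaps one of them (the Teardrop pattern)."""
    def __init__(self) -> None:
        self.ranges: Dict[Tuple[str, str, int, int], List[Tuple[int, int]]] = {}

    def overlaps(self, p: Packet) -> bool:
        if not p.more_fragments and p.frag_offset == 0:
            return False                      # not a fragment at all
        key = (p.src, p.dst, p.ident, p.proto)
        start, end = p.frag_offset, p.frag_offset + p.payload_len
        seen = self.ranges.setdefault(key, [])
        hit = any(start < e and s < end for s, e in seen)
        seen.append((start, end))
        return hit

def analyze(packets: List[bytes]) -> List[str]:
    """Run both checks over a packet list and return one alert string per hit."""
    tracker = FragmentTracker()
    alerts: List[str] = []
    for raw in packets:
        p = parse_ipv4(raw)
        if is_land(p):
            alerts.append(f"LAND: {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        if tracker.overlaps(p):
            alerts.append(f"TEARDROP: overlapping fragment id={p.ident} "
                          f"offset={p.frag_offset} from {p.src}")
    return alerts

def build_ipv4(src: str, dst: str, ident: int, proto: int, more: bool,
               offset_bytes: int, payload: bytes) -> bytes:
    """Constructed test packet: IPv4 header (checksum left at 0) plus payload."""
    flags_frag = (0x2000 if more else 0) | (offset_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + payload

# Constructed samples (placeholder 10.0.0.x addresses).
TCP_139 = struct.pack("!HH", 139, 139) + b"\x00" * 16   # TCP header stub, both ports 139
SAMPLE_PACKETS = [
    build_ipv4("10.0.0.5", "10.0.0.5", 1, 6, False, 0, TCP_139),        # Land
    build_ipv4("10.0.0.9", "10.0.0.5", 2, 17, True, 0, b"A" * 24),      # benign first fragment
    build_ipv4("10.0.0.9", "10.0.0.5", 2, 17, False, 24, b"B" * 24),    # benign second fragment
    build_ipv4("10.0.0.9", "10.0.0.5", 3, 17, True, 0, b"A" * 24),
    build_ipv4("10.0.0.9", "10.0.0.5", 3, 17, False, 8, b"B" * 24),     # Teardrop: overlaps bytes 8..24
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_PACKETS):
        print(alert)
```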
Currently, more than 100 Windows NT exploits are available via the Internet. To best protect a system, security administrators should implement security software that keeps track of the latest security information, monitors the entire network (not just selected segments) and, when necessary, encrypts all critical data.
To protect from external attack, administrators should ensure their networks are protected with a properly configured firewall and install intrusion detection software to maintain a flexible level of awareness (one that takes into consideration new attacks without requiring newly coded versions).
Many resources are available to keep abreast of current threats. A few web sites are:
http://www.axent.com/
http://www.icsa.org/
http://www.l0pht.com/
http://www.rootshell.com/
http://www.ntshop.org
. . . Security problems will continue as long as Organization “A” wants to keep information
or resources hidden from Organization “B”—or as long as curiosity or self interest continue to
provide the adequate motivation to lead people where they’re not supposed to go. The tools that
hackers use are easily accessible, and the targets flourish. So the situation begs the question for
security administrators to ask themselves, “How secure are we?”
Measuring acceptable risk against cost to productivity is not a single-point decision-making process. Administrators need to be constantly made aware of new threats and system
vulnerabilities. Today’s attack strategies—like today’s news events—do not necessarily reflect
tomorrow’s technological advances or new hacks. So what’s the best way to protect the
organization? Here are a few suggestions:
1. Establish a solid security policy, organization-wide, which effectively addresses all security “points of interest” throughout the enterprise.
2. Maintain a constant effort of making sure the organization stays within compliance of its respective policy. There are a handful of vendors who provide top-notch, multi-platform security management tools (like AXENT’s Enterprise Security Manager).
3. Ensure that some mechanism for monitoring the entire network in real time, and a means to send immediate notification upon detecting an intrusion, is in place and working 24x7. The ideal intrusion detection model would provide a single point for monitoring and management purposes, while directly involving all devices, nodes and segments of the network in the intrusion detection process.
4. Keep the security structure flexible enough to move with the security “trends,” and don’t rely on hard-coded solutions that are outdated almost as soon as they’re released.
Conclusion: Don’t wait until you lose
Like having auto insurance, nobody really “benefits” from security precautions until an
“accident” occurs. However, with the price-conscious solutions readily available from the world’s
leading vendors in network security, coupled with scores of security advisory groups,
administrators and executives can take the upper hand in protecting their organizations from
unnecessary security risks. So the question isn’t just, “How secure are you?” It’s more, “How responsible for security are you willing to be?”
Drew Williams manages AXENT Technologies’ Information Security SWAT team, which researches
and publishes information on how to protect networks from security attacks. SWAT’s research can
be accessed freely at www.axent.com.
# # # # #