Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Class Presentation


Published on

  • Be the first to comment

  • Be the first to like this

Class Presentation

  1. 1. IDSC 4490 – Advanced Networking Lecture 5 – Windows NT and 2000 from Security Perspective Alok Gupta Dept. of IDSC
  2. 2. A word on Windows 9x <ul><li>Windows 3x and Windows 9x were more single user oriented and hence the security was of minimal concern. </li></ul><ul><li>Windows 3x and 9x passwords were stored in a ???.PWL file and could easily be cracked with many password cracking utilities including Cain , L0phtCrack . </li></ul>
  3. 3. Windows 2000 Architecture
  4. 4. Windows 2000 User Mode <ul><li>Provides subsystems for user interaction </li></ul><ul><ul><li>We’ll focus on security subsystem </li></ul></ul><ul><ul><li>The Security subsystem coordinates with Win32 subsystem and Active Directory that acts as a central nervous system </li></ul></ul><ul><ul><li>Windows 2000 has a Security Support Provider Interface (SSPI) that supports a variety of different authentication mechanisms </li></ul></ul>
  5. 5. Security Support Provider Interface (SSPI)
  6. 6. Security Protocols <ul><li>NTLM – Windows NT LAN Manager security protocol </li></ul><ul><ul><li>For backward compatibility with older Microsoft products </li></ul></ul><ul><li>Kerberos – A third party encryption scheme </li></ul><ul><ul><li>More on it when we do encryption </li></ul></ul><ul><li>SSL – Secure Sockets Layer </li></ul><ul><ul><li>Application level security </li></ul></ul><ul><li>Multiple (third party) authentication using certificates </li></ul>
  7. 7. Kernel Mode <ul><li>Kernel mode is reserved for fundamental operating system functionality such as access to memory and hardware </li></ul><ul><li>Security Reference Monitor is most important from our perspective </li></ul><ul><ul><li>Makes sure appropriate users and program are the only ones to be able to access particular files and directories by checking permissions </li></ul></ul><ul><ul><li>It also captures events by writing to event logs </li></ul></ul>
  8. 8. Fundamental NT/2000 Concepts <ul><li>Domains </li></ul><ul><ul><li>A group of one or more Windows machine(s) that share an authentication database </li></ul></ul><ul><ul><li>Domain users can be provided access to domain resources on many machines </li></ul></ul><ul><ul><li>Domain controllers authenticate users using Security Accounts Manager (SAM) </li></ul></ul><ul><ul><li>The password information is scrambled using one-way function (hash) </li></ul></ul>
  9. 9. NT/2000 Passwords <ul><li>NT stored passwords directly in SAM database (until service pack 3) </li></ul><ul><ul><li>Relatively easier to crack </li></ul></ul><ul><li>Windows 2000 uses another layer of encryption using SYSKEY </li></ul><ul><ul><li>Uses 128 bit key to encrypt the hashes </li></ul></ul><ul><ul><li>More difficult to crack </li></ul></ul>
  10. 10. Windows 2000 Network Structure <ul><ul><li>Beyond domain Windows 2000 uses concepts called: </li></ul></ul><ul><ul><ul><li>Trees – Naming convention, e.g., as a tree can have many domains such as, </li></ul></ul></ul><ul><ul><ul><li>Forests – collection of trusted and untrusted trees that are linked together such as and </li></ul></ul></ul>
  11. 11. Domain, Trees and Forests Domain Tree Forest
  12. 12. Sharing <ul><li>Sharing is a major advantage of Windows NT/2000 </li></ul><ul><li>Shares can be established using Network Neighborhood, My Network Places, etc. in Windows mode or by using following command </li></ul><ul><li>C: et use * IP address or hostname][share name] [password | *] [/USER:[domainname]username] </li></ul><ul><li>Note: ipc$ is the root default share for administrative account </li></ul>
  13. 13. NT/2000 Groups
  14. 14. Defining Users (1)
  15. 15. Defining Users (2)
  16. 16. Defining Security Policies
  17. 17. Default Accounts <ul><li>Administrator </li></ul><ul><ul><li>Also is a security vulnerability since the account name is known </li></ul></ul><ul><ul><li>The account name is usually changed </li></ul></ul><ul><li>Guest </li></ul><ul><ul><li>Disabled by default </li></ul></ul>
  18. 18. NT/2000 Vulnerabilities <ul><li>Finding out what’s on a network </li></ul><ul><li>C: et view /domain:[domain_name] </li></ul><ul><li>Find out more by </li></ul><ul><li>C: btstat –A [IP Number] </li></ul><ul><li>Use Third-party tools such as </li></ul><ul><li>nbtscan (usage  C: btscan [IP range using / or -] </li></ul>
  19. 19. NT/2000 Vulnerabilities <ul><li>Can use </li></ul><ul><li>net use computername]ipc$ &quot;&quot; /u:&quot;&quot; </li></ul><ul><li>to create a null session </li></ul><ul><li>If null session can be created a host of information can be downloaded </li></ul><ul><li>Automated tools such as Winfo exist </li></ul><ul><ul><li>User Accounts </li></ul></ul><ul><ul><li>Shares </li></ul></ul><ul><ul><li>Workstation and trusted accounts </li></ul></ul>
  20. 20. Enumerating a Host <ul><li>Use </li></ul><ul><ul><li>DumpSec </li></ul></ul><ul><ul><li>WalkSam </li></ul></ul><ul><ul><li>UserInfo </li></ul></ul><ul><ul><li>UserDump </li></ul></ul><ul><ul><li>GetAcct </li></ul></ul><ul><li>Many of these tools can automatically figure out administrative account using RID of 500 </li></ul>
  21. 21. A Comprehensive Security Tool <ul><li>Languard Network Scanner </li></ul><ul><ul><li>Scans large networks by sending UDP query status to every IP. </li></ul></ul><ul><ul><li>Lists NETBIOS name table for each responding computer. </li></ul></ul><ul><ul><li>Provides NETBIOS hostname, currently logged username & MAC address. </li></ul></ul><ul><ul><li>Enumerates all shares on the remote computer (including printers, administrative shares C$,D$,ADMIN$). </li></ul></ul><ul><ul><li>Identifies crackable passwords (share level security) on Windows 9x. Tests password strength on Windows 9x/NT/2k systems using a dictionary of commonly used passwords. </li></ul></ul><ul><ul><li>Identifies well known services (such as www/ftp/telnet/smtp...). </li></ul></ul>