Chapter 4: Hacking Windows 95/98
The most important thing for a network administrator or end user to realize about Windows 95/98 (hereafter Win 9x) is that it was not designed to be a secure operating system like its cousin Windows NT. In fact, it seems that Microsoft went out of its way in many instances to sacrifice security for ease of use when planning the architecture of Windows 9x.
This becomes double jeopardy for administrators and security-unaware end users. Not only is Win 9x easy to configure, but the people most likely to be configuring it are unlikely to take proper precautions (like good password selection).
Furthermore, that unwary end user could be providing a back door into your corporate LAN, or could be storing sensitive information on a home PC connected to the Internet. With the increasing adoption of cable and DSL high-speed, always-on Internet connectivity, this problem is only going to get worse. Whether you are an administrator or you use Win 9x to surf the Net and access your company's network from home, you need to understand the tools and techniques that will likely be deployed against you.
Fortunately, Win 9x's simplicity also works to its advantage security-wise. Because it was not designed to be a true multiuser operating system, it has extremely limited remote administration features. It is impossible to execute commands remotely on Win 9x systems using built-in tools, and remote access to the Win9x Registry is only possible if access requests are first passed through a security provider such as a Windows NT or Novell NetWare server. This is called user-level security, versus the locally stored, username/password-based share-level security that is the default behavior of Win 9x. (Win 9x cannot act as a user-level authentication server.)
Thus, there are only two ways for attackers to "own" a Win 9x system (that is, gain complete control over it): trick the system's operator into executing code of their choice, or gain physical access to the system's console. We have divided this chapter according to these two approaches, remote and local.
In the first section, we will see that Win 9x's architecture makes it nearly impossible to attack from a remote location unless the system owner makes key errors. The second part of the chapter, on local Win 9x exploits, will demonstrate that if someone gains physical access to your Win 9x system, many other wonderful options become available to attackers.
Win 9x Remote Exploits
Remote exploitation techniques for Win 9x fall into four basic categories: direct connection to a shared resource (including dial-up resources), installation of backdoor server daemons, exploitation of known server application vulnerabilities, and denial of service. Note that three of these situations require some misconfiguration or poor judgment on the part of the Win 9x system user or administrator, and are thus easily remedied.
System Hacking Case Study: The Art of Gaining Access
The first leg of our journey through the catacombs of hackerdom is complete: we've seen how targets are selected, probed for vulnerabilities, and gradually exposed for takeover. Once the crust has been pierced, there's nothing left but the cream filling, right? Wrong. Contrary to popular accounts, information systems can be difficult to break into if configured properly. After all, they are only cold-hearted machines that do not easily yield to cajolery, trickery, bribery, brute force, or the threat thereof. In the following pages, however, we will see that human thoughtlessness, laziness, or just plain ignorance lead to most system compromises. Only occasionally do inherent architectural flaws give easy access to a system, and usually they are quickly patched (although we'll talk about some that aren't, since they are invariably present on most networks).
Perhaps the most common security flaw encountered is poor username/password management. Usernames and passwords are the most widely deployed keys to the information kingdom, and most approaches to system hacking involve trying to get at them in any way possible.
One of the most renowned hackers of our time, Kevin Mitnick, understood this paradigm well. Often regarded as a technical genius, Mitnick was probably just as skilled at nontechnical means of obtaining user credentials on systems he targeted. He is alleged to have broken into computers at Digital Equipment Corp., Sun Microsystems Inc., Motorola Inc., Netcom On-Line Communication Services, Inc., an eclectic ISP known as The Well in Northern California, and perhaps many more. As with most hacks, many of the techniques he employed are not public knowledge, but what does seem clear is that he collected and leveraged lists of usernames and passwords from all the systems he penetrated. The 1996 federal indictment against him was primarily based on his unauthorized possession of passwords for computers at Sun, the University of Southern California, Novell Inc., Motorola, Fujitsu Ltd., and NEC Ltd. See http://www.kevinmitnick.com/ for more information about Kevin Mitnick, or pick up the excellent book The Fugitive Game, by Jonathan Littman.
Once infested, a network is extremely difficult to rid of such an unauthorized presence. Mitnick's infiltration of The Well was rumored to be so extensive that he caused system slowdowns with the resources he consumed. He reportedly attained root, or superuser, status on critical systems.
This should be warning enough to motivate system administrators to tighten password policies and regularly audit user compliance. If you still aren't convinced, read on to see how easy it can be to crack entire networks once a single user account has been compromised.
Direct Connection to Win 9x Shared Resources
This is the most obvious and easily breached doorway into a remote Win 9x system. There are three mechanisms Win 9x provides for direct access to the system: file and print sharing, the optional dial-up server, and remote Registry manipulation. Of these, remote Registry access requires fairly advanced customization and user-level security, and is rarely encountered on systems outside of a corporate LAN.
One skew on the first mechanism of attack is to observe the credentials passed by a remote user connecting to a shared resource on a Win 9x system. Since users frequently reuse such passwords, this often yields valid credentials on the remote box as well. Even worse, it exposes other systems on the network to attack.
Hacking Win 9x File and Print Sharing
Risk Rating: 8
We aren't aware of any techniques to take advantage of Win 9x print sharing (not considering joyriding on the target system's shared printer), so this section will deal exclusively with Win 9x file sharing.
We've already covered some tools and techniques that intruders might use for scanning networks for Windows disk shares (see Chapter 3), and noted that some of these also have the capability to attempt password-guessing attacks on these potential entry points. One of those is Legion from the Rhino9 group. Besides the ability to scan an IP address range for Windows shares, Legion also comes with a "BF tool" that will guess passwords provided in a text file and automatically map those that it correctly guesses. BF stands for "brute force," but this is more correctly called a dictionary attack since it is based on a password list. One tip: the Save Text button in the main Legion scanning interface dumps found shares to a text file list, facilitating cut and paste into the BF tool's Path parameter text box, as Figure 4-1 shows.
The damage that intruders can do depends on the directory that is now mounted. Critical files may exist in that directory, or some users may have shared out their entire root partition, making the life of the hackers easy indeed. They can simply plant devious executables into the %systemroot%\Start Menu\Programs\Startup. At the next reboot, this code will be launched (see upcoming sections in this chapter on Back Orifice for an example of what malicious hackers might put in this directory). Or, the PWL file(s) can be obtained for cracking (see later in this chapter).
FILE SHARE HACKING COUNTERMEASURES Fixing this problem is easy: turn off file sharing on Win 9x machines! For the system administrator who's worried about keeping tabs on a large number of systems, we suggest using the System Policy Editor (POLEDIT.EXE) utility to disable file and print sharing across all systems. POLEDIT.EXE, shown in Figure 4-2, is available with the Windows 9x Resource Kit, or Win 9x RK, but can also be found in the \tools\reskit\netadmin\ directory on most Win 9x CD-ROMs, or at http://support.microsoft.com/support/kb/articles/Q135/3/15.asp.
If you must enable file sharing, use a complex password of eight alphanumeric characters (this is the maximum allowed by Win 9x) and include metacharacters (such as [ ! @ # $ % &) or non-printable ASCII characters. It's also wise to append a $ symbol, as Figure 4-3 shows, to the name of the share to prevent it from appearing in the Network Neighborhood, in the output of net view commands, and even in the results of a Legion scan.
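The countermeasures above amount to a checklist an administrator can apply to every share on a Win 9x box: a password must be present, can be at most eight characters (so use all eight), should mix letters, digits and metacharacters, and the share name should end in $ so it does not show up in browse lists. The following script is an added example, not code from the book, that encodes that checklist as an audit over a constructed list of (share name, password) pairs; the share names and passwords in SAMPLE_SHARES are made up for illustration.

```python
import string

# From the text: Win 9x share-level passwords are at most 8 characters long.
MAX_SHARE_PASSWORD_LEN = 8
# Metacharacters the text recommends (! @ # $ % &) plus the rest of ASCII punctuation.
METACHARS = set(string.punctuation)


def password_findings(password):
    """Return a list of policy findings for one share-level password (empty list = OK)."""
    if not password:
        return ["no password set: share is open to anyone who can reach it"]
    findings = []
    if len(password) > MAX_SHARE_PASSWORD_LEN:
        findings.append(f"longer than {MAX_SHARE_PASSWORD_LEN} chars: Win 9x cannot store it; check how it was truncated")
    elif len(password) < MAX_SHARE_PASSWORD_LEN:
        findings.append(f"shorter than the {MAX_SHARE_PASSWORD_LEN}-character maximum: use the full length")
    if not any(c.isalpha() for c in password):
        findings.append("no letters")
    if not any(c.isdigit() for c in password):
        findings.append("no digits")
    if not any(c in METACHARS for c in password):
        findings.append("no metacharacter such as ! @ # $ % &")
    return findings


def share_findings(share_name, password):
    """Findings for one share: password policy plus the hidden-share naming rule."""
    findings = [f"password: {f}" for f in password_findings(password)]
    if not share_name.endswith("$"):
        findings.append(f"share name {share_name!r} is browsable; append $ to hide it from Network Neighborhood and net view")
    return findings


def audit_shares(shares):
    """shares: iterable of (share_name, password). Returns {share_name: [findings]}."""
    return {name: share_findings(name, pw) for name, pw in shares}


# Constructed sample configuration; these are not real shares or passwords.
SAMPLE_SHARES = [
    ("CDRIVE", ""),            # whole drive shared with no password at all
    ("DOCS", "summer99"),      # full length but only letters and digits
    ("PAYROLL$", "p@Y7!x9#"),  # hidden, eight characters, all three classes
]

if __name__ == "__main__":
    for name, findings in audit_shares(SAMPLE_SHARES).items():
        print(f"{name:10} {'OK' if not findings else 'WEAK'}")
        for finding in findings:
            print(f"    - {finding}")
```

Run against a real inventory, the share list would come from whatever export your policy tooling produces; the checker itself only needs the name/password pairs.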
Replaying the Win 9x Authentication Hash
Risk Rating: 7
On January 5, 1999, the group known as the L0pht released a security advisory that pointed out a flaw in the Windows 9x network file sharing authentication routines (see http://www.l0pht.com/advisories/95replay.txt). While testing the new release of their notorious L0phtcrack password eavesdropping and cracking tool (see Chapter 5), they noted that Win 9x with file sharing enabled reissues the same "challenge" to remote connection requests during a given 15-minute period. Since Windows uses a combination of the username and this challenge to hash (cryptographically scramble) the password of the remote user, and the username is sent in cleartext, attackers could simply resend an identical hashed authentication request within the 15-minute interval and successfully mount the share on the Win 9x system. In that time period, the hashed password value will be identical.
Although this is a classic cryptographic mistake that Microsoft should have avoided, it is difficult to exploit. The L0pht advisory alludes to the possibility of modifying the popular Samba Windows networking client for UNIX (http://www.samba.org/) to manually reconstruct the necessary network authentication traffic. The programming skills inherent in this endeavor, plus the requirement for access to the local network segment to eavesdrop on the specific connection, probably set too high a barrier for widespread exploitation of this problem. Perhaps this is why Microsoft has not issued a fix, but that shouldn't ever be an excuse. So, try not to lose too much sleep over all those defenseless Win 9x shares out there, OK?
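The cryptographic mistake the L0pht advisory describes is easiest to see in a toy model of challenge-response authentication. The simulation below is an added example written for this excerpt, not code from the book or from any Windows component: one server class reuses its challenge for a 15-minute window, as the text says Win 9x did, and a second class hands out a fresh, single-use challenge per connection request. The response function is a hypothetical HMAC-SHA256 stand-in that follows the text's description (username, challenge and password go in) rather than the real LM/NTLM computation; the share name, password and username are constructed. A fake clock lets the demo move time forward without waiting.

```python
import hashlib
import hmac
import secrets
import time


def response_for(username, challenge, password):
    """HYPOTHETICAL stand-in for the Windows share-authentication hash.
    It mixes username, challenge and password as the text describes; the real
    LM/NTLM algorithm is different and is not reproduced here."""
    return hmac.new(password.encode(), username.encode() + challenge, hashlib.sha256).digest()


class Win9xStyleServer:
    """Models the flaw: one challenge is reused for every request in a 15-minute window."""

    def __init__(self, shares, window_seconds=15 * 60, clock=time.monotonic):
        self.shares = shares            # share name -> share-level password
        self.window = window_seconds
        self.clock = clock
        self._challenge = None
        self._issued_at = None

    def challenge(self):
        now = self.clock()
        if self._challenge is None or now - self._issued_at >= self.window:
            self._challenge = secrets.token_bytes(8)   # only rotates when the window expires
            self._issued_at = now
        return self._challenge

    def connect(self, share, username, response):
        password = self.shares.get(share)
        if password is None:
            return False
        expected = response_for(username, self.challenge(), password)
        return hmac.compare_digest(expected, response)


class FreshChallengeServer:
    """Corrected design: every connection request gets its own single-use challenge."""

    def __init__(self, shares):
        self.shares = shares
        self._pending = {}              # session id -> outstanding challenge

    def challenge(self):
        session = secrets.token_hex(4)
        self._pending[session] = secrets.token_bytes(8)
        return session, self._pending[session]

    def connect(self, session, share, username, response):
        challenge = self._pending.pop(session, None)   # consumed on first use
        password = self.shares.get(share)
        if challenge is None or password is None:
            return False
        return hmac.compare_digest(response_for(username, challenge, password), response)


class FakeClock:
    """Controllable clock so the demo can jump ahead instead of sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def replay_against_win9x(elapsed_seconds):
    """A passive observer records one legitimate (username, response) pair from the wire
    and resends it elapsed_seconds later. Returns True if the server accepts the replay."""
    clock = FakeClock()
    server = Win9xStyleServer({"DOCS": "p@Y7!x9#"}, clock=clock)
    captured = ("alice", response_for("alice", server.challenge(), "p@Y7!x9#"))
    assert server.connect("DOCS", *captured)          # the real user gets in
    clock.t += elapsed_seconds
    return server.connect("DOCS", *captured)          # observer never learned the password


def replay_against_fixed():
    """Same recording against the corrected server. Returns True if the replay is accepted."""
    server = FreshChallengeServer({"DOCS": "p@Y7!x9#"})
    session, chal = server.challenge()
    captured = (session, "DOCS", "alice", response_for("alice", chal, "p@Y7!x9#"))
    assert server.connect(*captured)                  # legitimate use consumes the challenge
    return server.connect(*captured)                  # replay: challenge already spent


if __name__ == "__main__":
    print("replay 1 minute later, Win 9x-style server :", replay_against_win9x(60))
    print("replay 16 minutes later, Win 9x-style server:", replay_against_win9x(16 * 60))
    print("replay against fresh-challenge server        :", replay_against_fixed())
```

The point the simulation makes is the one the text makes: nothing about the hash function is broken, and the observer never recovers the password; the weakness is entirely that the server's challenge is predictable (identical) for 15 minutes, so a recorded response stays valid. Fresh, single-use challenges are the standard fix.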
Hacking Win 9x Dial-Up Servers
Risk Rating: 8
The Windows Dial-Up Server applet included with Win 9x, shown in Figure 4-4, is another one of those mixed blessings for sys admins. Any user can become a back door into the corporate LAN by attaching a modem and installing the inexpensive Microsoft Plus! for Windows 95 add-on package that includes the Dial-Up Server components (it now comes with the standard Win 98 distribution).
A system so configured is almost certain to have file sharing enabled, since this is the most common way to perform useful work on the system. It is possible to enumerate and guess passwords (if any) for the shares on the other end of the modem, just as we demonstrated over the network in the previous section on file share hacking, assuming that no dial-up password has been set.
WIN 9x DIAL-UP HACKING COUNTERMEASURES Not surprisingly, the same defenses hold true: don't use the Win 9x Dial-Up Server, and enforce this across multiple systems with the System Policy Editor. If dial-up capability is absolutely necessary, set a password for dial-in access, require that it be encrypted using the Server Type dialog box in the Dial-Up Server Properties, or authenticate using user-level security (that is, pass through authentication to a security provider such as a Windows NT domain controller or NetWare server). Set further passwords on any shares (using good password complexity rules), and hide them by appending the $ symbol to the share name.
Intruders who successfully crack a Dial-Up Server and associated share passwords are free to pillage whatever they find. However, they will be unable to progress further into the network because Win 9x cannot route network traffic. It's also important to remember that Dial-Up Networking (DUN) isn't just for modems anymore; Microsoft bundles Virtual Private Networking (VPN) capabilities (see Chapter 8) in with DUN, so we thought we'd touch on one of the key security upgrades available for Win 9x's built-in VPN capabilities. It's called Dial-Up Networking Update 1.3 (DUN 1.3), and it allows Win 9x to connect more securely with Windows NT VPN servers. This is a no-brainer: if you use Microsoft's VPN technology, get DUN 1.3. If you are a North American user, we recommend getting the 128-bit version from http://mssecure.www.conxion.com/cgi-bin/ntitar.pl. Win 95 users must first download the 40-bit DUN 1.3 from http://www.microsoft.com/windows95/downloads/, and then obtain the 128-bit upgrade utility from the previous site. DUN 1.3 is also critical for protecting against denial of service (DoS) attacks, as we shall see shortly. We'll discuss other dial-up and VPN vulnerabilities in Chapter 8.
Remotely Hacking the Win 9x Registry
Risk Rating: 4
Unlike Windows NT, Win 9x does not provide the built-in capability for remote access to the Registry. However, it is possible if the Microsoft Remote Registry Service is installed (found in the \admin\nettools\remotreg directory on the Windows 9x distribution CD-ROM). The Remote Registry Service also requires user-level security to be enabled, and thus will at least require a valid username for access. If attackers were lucky enough to stumble upon a system with the Remote Registry installed, access to a writeable shared directory, and were furthermore able to guess the proper credentials to access the Registry, they'd basically be able to do anything they wanted to the target system. Does this hole sound easy to seal? Heck, it sounds hard to create to us. If you're going to install the Remote Registry Service, pick a good password. Otherwise, don't install the service, and sleep tight knowing that remote Win 9x Registry exploits just aren't going to happen in your shop.
Win 9x and Network Management Tools
Risk Rating: 4
Last but not least of the potential remote exploits uses the Simple Network Management Protocol (SNMP). In Chapter 3, we touched on how SNMP can be used to enumerate information on Windows NT systems running SNMP agents configured with default community strings like public. Win 9x will spill similar information if the SNMP agent is installed (from the \tools\reskit\netadmin\snmp directory on Win 9x media). Unlike NT, however, Win 9x does not include Windows-specific information such as user accounts and shares in its SNMP version 1 MIB. Opportunities for exploitation are limited via this avenue.