So, the question I'm asking you is: are you hackable? If you read the following, you should get a good idea of whether your computer is secure or not. People say that any person is hackable, which I do not agree with. There are certain conditions a machine must meet before it can be broken into. I am not talking about remote crashes and the like; I am talking about getting rooted. That is far worse than a simple error saying you must restart, which can just be patched. Keep in mind that this does not cover web-server-side hacking.
Windows 95/98/ME
Well, as we all know, these are by far the worst versions of Windows ever made. The problem with Windows 9x is the way the kernel handles a misbehaving process. Instead of terminating the task cleanly and freeing its memory so it can no longer lock anything up, it often leaves the dead process's resources in place, so memory leaks away until the whole PC either throws a blue error screen ("Your computer is busy, press any button to continue.") or just straight up locks up. Another bad thing about Win9x is the authentication it uses to stop anyone from logging on: there really is no protection at all. Simply press Cancel at the login box, or delete the user's .pwl file and re-create it if you really must. The .pwl file only caches network passwords; it never gatekeeps the local machine. Another problem is that it runs on FAT16/FAT32, which has no file permissions at all, so any program or user on the machine can read or write any file. I will cover this in a new article some time.
Where 9x lacks stability, it gains in security. Why do I say this? Because Win9x does not come with any remote services installed by default. Services give an attacker a way inside the PC, and every listening service is an open port. If you do not have File and Printer Sharing enabled over NetBIOS, then you should not worry about being rooted by a direct attack. You can still be tricked into accepting a Trojan, which a program like The Cleaner can scan for ( http://www.moosoft.com ). I am not saying that you are 100% protected with just an installation of Win9x. I still recommend a firewall or router to protect yourself from the internet in general, not just from targeted attackers. With all the viruses and worms going around, it would be wise to have something to stop their attempts to spread through open shares.
If your PC is running slow or sluggish, this is a sign of a possible Trojan, virus, or just a lot of unneeded programs running in the background. You may check your processes by pressing Ctrl+Alt+Del once. If you are running well over 10 processes, I believe this is too many. With Windows 9x you should only have Explorer and Systray loaded, unless you have a program that loads for your video card or sound card. You should be very cautious about what these processes do. You may get a program called Ace Utilities ( http://www.acelogix.com ). It has a built-in Startup Manager which lets you see what starts up and can also attempt to identify unwanted processes. Simply uncheck the ones you are not sure about, or do a Google search on each process name. You will find all of the information you need. Keep in mind that the Ctrl+Alt+Del list on 9x only shows processes that chose to be listed; a Trojan can register itself as a service process and hide from it, so a clean task list is not proof of a clean machine.
If you are curious as to which ports are open, run my port scanner against your own PC and use the port descriptions so it can tell you what each open port probably is. Get it at http://www.moorer-software.com/PortScanner.exe. If you have TCP port 139 open, then you should turn this off. In order to do this, do the following:
1) Right-click My Network Places (Network Neighborhood on 95/98) and choose Properties
2) Click File and Print Sharing
3) Uncheck anything selected, to make sure sharing is not enabled.
4) Remove the File and printer sharing for Microsoft Networks component from the list.
I cannot stress enough that if you have NetBIOS enabled and have shared files out, a user may simply enter \\YOURIP and see the shared files, and if prompted for a password there are many tools out there to brute force SMB logins. A lot of Win9x users do not set strong passwords, so always use a good password if you have NetBIOS enabled. With Windows 9x you ONLY supply a password; there is no username at all (share-level security). This is another reason the authentication is horrible. There have been known exploits, such as the share-level password vulnerability, where the server only compared as many characters of the password as the client sent, so an attacker could guess it one character at a time and needed only the first few characters to get in.
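The share-level password bug is easiest to understand by modelling the comparison. The following is an added example, not code from the original article or from Microsoft: it models the flawed check (the server trusts the client-supplied password length) beside a correct one, and shows how the flaw turns an exponential brute force into a linear one. The password, alphabet and function names are constructed for the demo.

```powershell
# Added example (not from the original article): models the Windows 9x
# share-level password bug. The "vulnerable" check trusts the client-
# supplied password length and compares only that many characters, so
# each character of the password can be brute forced independently.
# The password and alphabet below are constructed for the demo.

function Test-SharePasswordVulnerable {
    param([string]$Stored, [string]$Guess)
    # Bug: compare only as many characters as the client sent.
    if ($Guess.Length -eq 0 -or $Guess.Length -gt $Stored.Length) { return $false }
    return ($Stored.Substring(0, $Guess.Length) -ceq $Guess)
}

function Test-SharePasswordFixed {
    param([string]$Stored, [string]$Guess)
    # Fix: the whole password must match, length included.
    return (($Stored.Length -eq $Guess.Length) -and ($Stored -ceq $Guess))
}

function Invoke-CharacterAtATime {
    # Attack against the vulnerable check: extend a known-good prefix one
    # character at a time; each position costs at most |alphabet| guesses.
    param([string]$Stored, [char[]]$Alphabet, [int]$MaxLength = 16)
    $found = ''
    $attempts = 0
    for ($pos = 0; $pos -lt $MaxLength; $pos++) {
        $hit = $false
        foreach ($c in $Alphabet) {
            $attempts++
            if (Test-SharePasswordVulnerable -Stored $Stored -Guess ($found + $c)) {
                $found += $c
                $hit = $true
                break
            }
        }
        # No character extends the prefix: the prefix is the full password.
        if (-not $hit) { break }
    }
    New-Object PSObject -Property @{ Password = $found; Attempts = $attempts }
}

$alphabet = [char[]]'abcdefghijklmnopqrstuvwxyz0123456789'
$secret   = 'w1nn1ng8'     # constructed for the demo

$result = Invoke-CharacterAtATime -Stored $secret -Alphabet $alphabet
$worst  = [long][math]::Pow($alphabet.Count, $secret.Length)
"Recovered '{0}' in {1} guesses; a full-length check would need up to {2:N0}." -f `
    $result.Password, $result.Attempts, $worst

# The same one-character probe tells the fixed check nothing.
"Fixed check, guess 'w': {0}" -f (Test-SharePasswordFixed -Stored $secret -Guess 'w')
```

With a 36-character alphabet and an 8-character password the vulnerable server gives the password up in a few hundred guesses, against roughly 2.8 trillion for a server that insists on a full-length match. That is why a long password did not help on an unpatched 9x share: the fix had to be on the server.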
Windows 2000/XP
The most stable and reliable Windows OS would have to be anything based on the NT kernel, meaning Windows 2000/XP/2003; at startup you will notice "Built on NT Technology", which is a good thing. Where 9x fails to remove a killed process from memory, making it unstable, Win2k/XP let a process be killed outright, and once killed it is taken out of memory and the RAM is freed. Also, CPU time is not randomly thrown around between processes as in Win9x: you may actually set the priority that decides how much CPU time an application gets.
Now, out of the box this is the most vulnerable Windows OS. You must do a lot of modifying before you achieve decent security. Why is this so? Because of all the remote services running on the machine for administration and networking. Since this OS is designed for the work environment, a lot of features like this are enabled. If you want a full list of services and descriptions, go to http://www.blackviper.com/WinXP/service411.htm. This guy did an awesome job of describing whether or not each service may be shut down. The ones that I recommend setting to Manual, for security reasons, are the following:
Help and Support
Indexing Service
Messenger
NetMeeting Remote Desktop Sharing
Remote Access Connection Manager
Remote Access Auto Connection Manager
Remote Registry
Telnet
Terminal Services
Universal Plug and Play Device Host
Each one of these can give an attacker access, if not full administrative access, to your PC. Most of these services are enabled by default. To disable them, do the following:
1) Start—> Run—> compmgmt.msc /s
2) Services and Applications
3) Services
4) Right-click each service
5) Go to Properties
6) Set the Startup type to Manual for each service you wish to keep stopped after a reboot (use Disabled if you never want anything to be able to start it on demand)
7) Hit Apply, then Stop.
Once these have been set to Manual and stopped, your PC should be a lot more secure on the internet. Now, if you want to stop even more services that are not needed, read the link I provided above.
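The same change can be scripted instead of clicked through ten times. The following is an added example, not the article author's tool: it assumes PowerShell is installed (it was an optional download on XP/2000; it ships with later Windows) and is run from an Administrator prompt. It looks each service up by the display name used in the list above, sets its startup type to Manual, and stops it; pass -StartupType Disabled if you want nothing to be able to start them on demand.

```powershell
# Added example (not from the original article): the click-through above,
# done from PowerShell. Services that do not exist on this build are
# skipped; services that refuse to stop (Terminal Services on XP) are
# reported rather than killed. Run from an Administrator prompt.

$targets = @(
    'Help and Support',
    'Indexing Service',
    'Messenger',
    'NetMeeting Remote Desktop Sharing',
    'Remote Access Connection Manager',
    'Remote Access Auto Connection Manager',
    'Remote Registry',
    'Telnet',
    'Terminal Services',
    'Universal Plug and Play Device Host'
)

function Disable-ListedService {
    param([string[]]$DisplayNames, [string]$StartupType = 'Manual')
    foreach ($name in $DisplayNames) {
        $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            Write-Output ("{0,-40} not present, skipped" -f $name)
            continue
        }
        # Startup type first, so a reboot does not bring the service back.
        Set-Service -Name $svc.Name -StartupType $StartupType
        try {
            if ($svc.Status -ne 'Stopped') {
                Stop-Service -Name $svc.Name -Force -ErrorAction Stop
            }
            $state = (Get-Service -Name $svc.Name).Status
        } catch {
            $state = "could not stop ({0})" -f $_.Exception.Message
        }
        Write-Output ("{0,-40} {1,-16} startup={2}, now {3}" -f $name, $svc.Name, $StartupType, $state)
    }
}

Disable-ListedService -DisplayNames $targets

# Audit afterwards: anything from the list still running was either
# restarted on demand (Manual) or has something depending on it.
Get-Service |
    Where-Object { $targets -contains $_.DisplayName -and $_.Status -eq 'Running' } |
    Format-Table DisplayName, Name, Status -AutoSize
```

Re-run the audit part after a reboot; a service that comes back on its own is being started by something else, and that something is the next thing to find.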
There are many vulnerabilities in NetBIOS-enabled 2k/XP machines, such as the null session (null IPC$) attack, in which the remote machine accepts a session with an empty username and password and still answers queries as if the caller were authenticated. Once the user establishes a connection to the IPC$ share, they can retrieve things like usernames, groups, shares, services, registry information and so forth. Some people ask why this is such a problem, so let me tell you exactly what the person could do. Retrieving the users, groups, shares and so forth is only the first stage of what they are about to do; it is simple reconnaissance before an actual attack. Look at the screenshot below of what it can look like for a vulnerable user:
http://www.moorer-software.com/screenshots/nipc.jpg
With this information, an attacker can gather more information to help them get into your PC. You can see all the information that is given about the users. Sometimes a user places their password inside the Full Name field, whether backwards, in plain text, or as a phrase. It is possible, and I have seen them do such things before. So, how do I stop people from establishing a null session to me?
We will need to restrict who can access the IPC$ share anonymously. I created a simple registry file, so if you have no knowledge in this area, just execute it. If you would rather set it by hand, the value is RestrictAnonymous under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa (and, on XP, RestrictAnonymousSAM as well); set them to 1.
Windows 2000:
http://www.moorer-software.com/regs/null%20win2k.reg
Windows XP:
http://www.moorer-software.com/regs/null%20xp.reg
Another really nasty exploit that was released recently is the RPC exploit: a remote buffer overflow in the RPC/DCOM interface that lets an attacker completely root your PC, with a shell running with full administrative (SYSTEM) privileges. The way to shut the door without waiting for patches is to disable DCOM entirely, since that is the interface the exploit reaches the PC through. Understand that this is a workaround, not a fix: you still need the Microsoft patch, and disabling DCOM will break software that depends on it.
http://www.moorer-software.com/regs/dcom.reg
Disabling NetBIOS is a must, too, if you have no need for it. The method is a little different this time.
1) Start—> Control Panel—> Network Connections—> Local Area Connection ( depending on how many NICs you have and which one uses the net )
2) Right-click on it and go to Properties
3) Double-click Internet Protocol (TCP/IP)
4) Click Advanced
5) Click the WINS tab
6) Select Disable NetBIOS over TCP/IP, then click OK as needed.
Note that this only closes the NetBIOS ports (TCP/UDP 137-139). On 2000/XP, SMB is also carried directly over TCP port 445, which stays open as long as File and Printer Sharing for Microsoft Networks is bound to the connection; uncheck that component in the same Properties dialog, or firewall 445, as well.
If you decide to leave NetBIOS enabled, make sure to turn off the automatic creation of the administrative shares ( C$, D$, ADMIN$ etc. ). These are the first shares an attacker checks on a remote PC, since access to them means full access to your files. Also, rename your Administrator account to something other than "Administrator" or "Admin". An attacker who runs brute-force attacks over NetBIOS will target Administrator, since that is the most powerful account. (Renaming only slows them down: the account keeps its well-known RID of 500 and can still be found by enumeration, which is one more reason to block null sessions.) Keep a strong password; do not use simple letters or words. Without a firewall or anything else monitoring you, when a NetBIOS attack is launched the Event Viewer will show the failed logons (if failed-logon auditing is on), but only the username attempted and the client's self-reported workstation name, not the source IP address. This makes it very hard to track the person. So, use a firewall to watch TCP/UDP ports 137-139 (and 445). Something else to look into is IPSec filtering, which can block or limit access to ports; it is very good for protecting open ports that you cannot close.
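The three registry-based protections above (the null session restriction, disabling DCOM, and the administrative shares) and the NetBIOS setting can all be applied from one script and then read back to confirm. The following is an added example and not the author's .reg files, whose contents I have not seen: the registry value names are the standard Windows ones, the function names are mine, and it assumes PowerShell on an Administrator prompt. The Lsa and LanmanServer changes take effect after a reboot (or, for the shares, a restart of the Server service).

```powershell
# Added example (not from the original article): sets the registry values
# behind null-session restriction, DCOM, and administrative shares, and
# disables NetBIOS over TCP/IP on every adapter that has an IP address,
# then reads everything back. Function names are mine; value names are
# the standard Windows ones. Run from an Administrator prompt.

function Set-RegistryValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Protect-NullSessions {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # 1 = anonymous callers may not enumerate accounts and shares.
    # (2 on Windows 2000 blocks anonymous access to everything, but breaks
    # some domain and browser functions; test before using it.)
    Set-RegistryValue -Path $lsa -Name 'RestrictAnonymous'    -Value 1 -Type DWord
    # XP splits SAM enumeration out into its own value; ignored on 2000.
    Set-RegistryValue -Path $lsa -Name 'RestrictAnonymousSAM' -Value 1 -Type DWord
}

function Disable-Dcom {
    # Same effect as unchecking "Enable Distributed COM" in dcomcnfg.
    # Workaround only: the RPC patch is still required.
    Set-RegistryValue -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name 'EnableDCOM' -Value 'N' -Type String
}

function Disable-AdminShares {
    $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    # Workstation builds (2000 Pro / XP) read AutoShareWks; servers read AutoShareServer.
    Set-RegistryValue -Path $srv -Name 'AutoShareWks'    -Value 0 -Type DWord
    Set-RegistryValue -Path $srv -Name 'AutoShareServer' -Value 0 -Type DWord
}

function Disable-NetbiosOverTcpip {
    # WMI equivalent of the WINS tab: 2 = "Disable NetBIOS over TCP/IP".
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $rc = $_.SetTcpipNetbios(2).ReturnValue   # 0 = done, 1 = reboot required
            "{0}: SetTcpipNetbios -> {1}" -f $_.Description, $rc
        }
}

Protect-NullSessions
Disable-Dcom
Disable-AdminShares
Disable-NetbiosOverTcpip

# Read back. Closing NetBT only removes 137-139; SMB is still reachable on
# TCP 445 while the Server service runs, so firewall 445 or unbind
# "File and Printer Sharing for Microsoft Networks" as well.
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' RestrictAnonymous, RestrictAnonymousSAM
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole' EnableDCOM
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' AutoShareWks, AutoShareServer
```

After the reboot, the check that matters is from the outside: from another machine, a net use \\YOURIP\ipc$ "" /user:"" should be refused or, at minimum, net view \\YOURIP should list nothing, and \\YOURIP\C$ should no longer exist.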
These are just basic attacks that people could run against you, definitely, MOST definitely not the full list. I do not want to cover it all. I think you have the basic idea of why you should protect yourself.
Firewalls and Tools
To check what ports are open, you can either get my MooreR NetStat, which will show you which process is bound to each port, or, if you do not like that one, get the Foundstone tool called FPort. It is very good. (On XP, netstat -ano from the command line gives you the same port-to-PID mapping for free.) If you want a good firewall, get Sygate. It has built-in options to see the listening ports and processes. It is a very good and stable firewall; no public exploit is known to get around it. Linux is known to make an excellent firewall if you install it on a machine that you do not otherwise use. I've heard that it is so powerful it can do things such as disable host resolving. If you're not able to do this, and you do NOT have dial-up, get a router with a good built-in firewall. It is by far the best option for a firewall.
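An FPort-style listing of listening ports with the owning process can be built from netstat itself. The following is an added example, not MooreR NetStat or FPort: it parses the output of netstat -ano (the -o switch exists on XP and later, not on Windows 2000) and joins each PID to its process name. The parser takes text lines as input so it can be exercised against the constructed sample included below as well as live output; the sample lines are made up for the demo.

```powershell
# Added example (not from the original article): list listening ports
# with the owning process from "netstat -ano". The parser takes lines
# as input so it can run over the constructed sample below or live output.

function ConvertFrom-NetstatLine {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # TCP rows: Proto Local Foreign State PID   UDP rows: Proto Local Foreign PID
        $f = ($line.Trim() -split '\s+')
        if ($f.Count -lt 4 -or (@('TCP', 'UDP') -notcontains $f[0])) { continue }
        $local = $f[1]
        $sep   = $local.LastIndexOf(':')          # works for 0.0.0.0:135 and [::]:135
        $port  = [int]$local.Substring($sep + 1)
        if ($f[0] -eq 'TCP') {
            if ($f[3] -ne 'LISTENING') { continue }   # only sockets accepting connections
            $procId = [int]$f[4]
        } else {
            $procId = [int]$f[3]
        }
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        if ($proc) { $procName = $proc.ProcessName } else { $procName = '<not running>' }
        New-Object PSObject -Property @{
            Proto   = $f[0]
            Port    = $port
            Address = $local.Substring(0, $sep)
            PID     = $procId
            Process = $procName
        }
    }
}

# Constructed sample of what "netstat -ano" prints on an unhardened XP box.
$sample = @(
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892',
    '  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4',
    '  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4',
    '  TCP    192.168.1.5:1042       66.35.250.55:80        ESTABLISHED     1568',
    '  UDP    0.0.0.0:137            *:*                                    4',
    '  UDP    0.0.0.0:1900           *:*                                    1136'
)

'--- constructed sample ---'
ConvertFrom-NetstatLine -Lines $sample |
    Select-Object Proto, Port, Address, PID, Process | Format-Table -AutoSize

'--- this machine ---'
ConvertFrom-NetstatLine -Lines (netstat -ano) |
    Sort-Object Proto, Port | Select-Object Proto, Port, Address, PID, Process | Format-Table -AutoSize
```

In the sample, 135 (RPC endpoint mapper), 139/445 (SMB, PID 4 is the kernel-mode Server service) and 137/1900 (NetBIOS name service and UPnP SSDP) are exactly the ports the earlier sections told you to close; anything you cannot name in this listing deserves the same Google search as an unknown startup entry.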
You might ask yourself why a router is better than a software firewall. With a software firewall, everything still arrives on your connection and has to be processed and logged on your own machine, whether you see it or not. So if someone floods the software firewall faster than it can keep up, it could lock up or freeze and, since it runs as a kernel driver, possibly crash the kernel. With a router, this is not the situation: you hook your broadband connection into the router and it filters out and drops the unwanted traffic before it ever reaches your computer. Because the router is a separate device, crashing it with packets would more than likely take a DDoS, and even then your PC itself stays up, which is not true when a software firewall goes down.
There are many more problems out there that I may not have addressed. This should give you a basic understanding.
I may add onto this later.