
Lock IT Down: Expose holes in your network by using the tools of the hacker trade

Develop a knowledge of some of the most used hacker tools and develop a strong defense against them.


Whether it’s because they can’t afford an upgrade or because this OS has proven to be especially reliable and stable, the fact remains that a lot of companies are still using Windows NT 4.0. Unfortunately, hackers are still focusing on Windows NT as well. Because Windows NT has been around for so long, hackers have had a lot of time to develop numerous utilities to attack it. In this Daily Drill Down, I’d like to provide an overview of some of these tools and how you can develop a strong defense against them.

Why is NT such a big target?
Windows NT faces two major hurdles in terms of security: loads of code and too much time in the wrong hands. Its amount of code presents the first problem. Windows NT is a feature-rich operating system, and all of its features are based on large chunks of code. Statistically, the more lines of code that a program has, the greater the chance that bugs and security holes exist in the code. To make matters worse, Windows NT 4.0 has been around for five years. This means that hackers have had five long years to scrutinize virtually every aspect of the operating system. Furthermore, a five-year-old operating system contains a lot of obsolete technology. Features that were considered to be absolutely secure five years ago are very insecure by today’s standards.

As hackers find security holes, they often post their knowledge of the holes on popular hacker Web sites. Posting the information publicly makes the information available to other hackers to use and build upon. Because Windows NT is GUI-based, when a new hack technique is discovered, hackers often write a simple GUI-based application that is designed to allow others to use the technique with minimal difficulty. These GUI-based hacks tend to be popular because they require less skill than hack techniques that require the download, modification, and compilation of source code.

As you can see, Windows NT has a lot of things working against it in the way of security. However, there is some good news. Microsoft constantly keeps an eye on Windows NT security threats. Any time that a new security hole is discovered and verified, Microsoft creates a hot fix that’s designed to patch the security hole. Each new service pack rolls up all of the hot fixes that were released before it. Therefore, if you apply the latest service pack and any hot fixes that have come out since that service pack was released, you can feel reasonably confident in the code behind the operating system.

Do it yourself
In the end, though, I’ve found that the only way to really secure Windows NT is to become a hacker myself. I make it a point to download a variety of hacker tools and use them against my own network. There are several reasons for doing this. First, using hacker tools is perhaps the most effective way to test hot fixes. If Microsoft tells you that applying a particular hot fix will fix a security vulnerability, would you rather take them at their word, or would you prefer to check things out for yourself?

Another reason for hacking your own network is that it is often just as effective as, if not more effective than, a traditional security audit. Think about it: A security audit concentrates on areas of weak security that are potentially vulnerable. However, if you use the same tools as the hackers use, you can see exactly what a hacker would see. The hacker tools aren’t simply informing you of some abstract setting that could be a potential vulnerability. Instead, you’re seeing true vulnerabilities that you have already managed to exploit.

Since using hacker tools is one of the best methods for testing security, the question remains, which hacker tools should you use and where do you get them? For better or worse, because of the massive growth of the Internet, hacker tools are easier to come by today than ever before.

ERD Commander Professional
The first tool that I’d like to talk about isn’t marketed as a hacker tool, but rather as an administrative utility. ERD Commander Professional from Winternals Software has the ability to completely bypass Windows NT’s security and access just about any server resource without resistance. You can even use this utility to modify permissions or reset passwords.

The biggest drawback to ERD Commander Professional is that it works by booting the system to a command prompt, therefore bypassing the Windows NT or Windows 2000 operating system. This means that in order for someone to be able to hack your server with this utility, he or she must have physical access to the server. Once someone has physical access to the server, there’s absolutely nothing standing between him or her and total access.

So why did I just tell you about this utility if it requires the hacker to have physical access to the server? Because security patches are only a small part of the battle for security, and other issues, such as physical security, must also be addressed in order to fully secure your system. ERD Commander Professional is a perfect example of this point, because there are no security patches that will stop it. Because ERD Commander Professional works from outside of the Windows operating system, any security patches that are applied to Windows are bypassed by the utility.

Your only defense against this type of utility is good physical security. There’s a lot to physical security, but at the very least, your server needs to be behind a locked door.

Red Button
Another hacker tool that you need to be concerned about is Red Button. Red Button doesn’t grant anyone access to anything. Instead, the utility is designed to help the hacker gather information about your server. All that a hacker needs to get started is a copy of Red Button and the server’s host name or IP address.

To use Red Button, begin by downloading a copy of the program. Then unzip it and run the Setup program. Setup will add a shortcut to your Start menu. Now, use the shortcut to run the program.

As you can see in Figure A, Red Button is very simple to use. Just click the Select Server button and enter a computer name or an IP address. Now the only thing left to do is to click the big red Go button. Upon clicking Go, Red Button will use an anonymous connection to the host PC to derive information from it. In Figure B, you can see that Red Button was able to derive the name of every share point on my server. You’ll also notice at the top of Figure B, there’s a section labeled Built-in Administrator Account. Red Button isn’t displaying any information in this field because I’m running Windows 2000 in Native Mode. However, had I been querying a Windows NT machine, Red Button would display the name of the Administrator’s account, even if it had been renamed.

Figure A
For both hackers and administrators, Red Button is extremely easy to use.


Figure B
Red Button reveals all of the share points on a server and may also reveal the name of the Administrator's account.


Although Red Button doesn’t directly provide hackers with access to your system, it does give them a lot of valuable information. So how do you protect yourself from a Red Button query? First, as always, make sure that you’ve installed the latest hot fixes. Next, disable TCP port 139 and UDP ports 137 and 138 at your firewall. This will prevent someone from the outside world from being able to use Red Button against you. Finally, if you’ve got machines that aren’t providing file or print services, you could try disabling the Server service.

Cerberus Internet Scanner
Another information-gathering hacker utility is Cerberus Internet Scanner, sometimes referred to as CIS. CIS is similar to Red Button but is much more powerful. After you download CIS, you don’t have to run an installation program to use it. You can run CIS directly from the directory to which you unzipped it. However, in order for CIS to run, the folder containing the program must contain a subfolder called Reports. The ZIP file contains an empty Reports folder, but some decompression utilities don’t reproduce empty folders.

When you run CIS, you’ll see a big, empty, white screen with a few icons at the top. You must use the icons to select the host computer that you want to monitor. Next, select the various types of scans that you want to run against the host. Finally, click the Scan button. CIS will attach to the host and compile a series of reports based on the system that you’ve chosen to scan. In Figure C, you can see a list of the reports that were compiled after a scan of one of my test machines.

Figure C
CIS compiles many different reports about the host system.


As you look at the various reports, there are two things that you might find a bit frightening. First, the sheer amount of information that has been ascertained is overwhelming. Second, the fact that all of this information was compiled without the use of any login credentials is especially fearsome.

With this in mind, let’s look at a few of the reports that CIS generated. I recommend first looking at the NetBIOS report. Like Red Button, CIS tells you the names of all of the shares on the server. However, CIS also tells you the share type and the share’s purpose. Next, CIS tells you all of the groups contained on the machine and which users belong to the various groups. Finally, the utility provides you with some very disturbing information on the individual user accounts. As you look at the account information shown in Figure D, keep in mind that the information came off of a Windows 2000 Server that was completely up-to-date on security patches.

Figure D
CIS's NetBIOS report gives you information on share points, group memberships, and on individual user accounts.


Another report that you’ll likely find disturbing is the NT Registry report. CIS scans the registry of the host machine and reports on vulnerabilities that it finds. As you can see in Figure E, the report tells what the key does, what the key is set to, and who has permissions to make changes to a key.

Figure E
The NT Registry report contains some very sensitive information.


So how do you protect your system against this type of scanning? First, begin by taking all of the same precautions that I recommended for protecting yourself against a Red Button scan. This will make CIS much less effective. Next, go through the reports with a fine-tooth comb. For most of the security holes that CIS finds, it also offers recommendations for patching those holes.
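The Red Button and CIS sections above both end with the same countermeasure: block TCP 139 and UDP 137/138 at the firewall and, where possible, stop the Server service. The following Python script is an added example, not part of the article or of either tool, that you run from outside the firewall against a server of your own to confirm that those ports really are closed; the NetBIOS packet layout follows RFC 1001/1002, while the host name, the 2-second timeout and the transaction ID are assumptions you supply or that are constructed here.

```python
import socket
import struct

def encode_netbios_name(name: str) -> bytes:
    """RFC 1001 first-level encoding: pad to 16 bytes, map each nibble to 'A'..'P'."""
    raw = name.encode("ascii").ljust(16, b"\x00")
    return b"".join(bytes((0x41 + (b >> 4), 0x41 + (b & 0x0F))) for b in raw)

def build_node_status_query(trn_id: int) -> bytes:
    """NBSTAT request for the wildcard name '*' (the same request nbtstat -A sends)."""
    # header: id, flags (plain query), qdcount=1, ancount, nscount, arcount
    header = struct.pack(">HHHHHH", trn_id, 0x0000, 1, 0, 0, 0)
    question = b"\x20" + encode_netbios_name("*") + b"\x00"  # label length, name, root
    return header + question + struct.pack(">HH", 0x0021, 0x0001)  # type NBSTAT, class IN

def is_node_status_reply(packet: bytes, trn_id: int) -> bool:
    """True only for a response (QR bit set) that echoes our transaction id."""
    if len(packet) < 12:  # shorter than a name-service header: not a valid reply
        return False
    rid, flags = struct.unpack(">HH", packet[:4])
    return rid == trn_id and bool(flags & 0x8000)

def probe_host(host: str, timeout: float = 2.0) -> dict:
    """Report which NetBIOS ports the host still answers from this vantage point."""
    exposure = {"tcp139": False, "udp137": False}
    try:  # TCP 139 is the session service behind Red Button's anonymous connection
        with socket.create_connection((host, 139), timeout=timeout):
            exposure["tcp139"] = True
    except OSError:
        pass  # refused or filtered: the firewall rule is doing its job
    trn_id = 0x1234  # constructed id; any value works, a real reply must echo it
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:  # UDP 137 is the name service that nbtstat-style enumeration queries
            sock.sendto(build_node_status_query(trn_id), (host, 137))
            data, _ = sock.recvfrom(1024)
            exposure["udp137"] = is_node_status_reply(data, trn_id)
        except OSError:
            pass  # timeout or ICMP unreachable: no name-service exposure seen
    return exposure

def recommendations(exposure: dict) -> list:
    """Map each finding to the countermeasure the article recommends."""
    advice = []
    if exposure["tcp139"]:
        advice.append("block TCP 139 at the firewall; disable the Server service if the host serves no files or printers")
    if exposure["udp137"]:
        advice.append("block UDP 137 and 138 at the firewall")
    return advice
```

Run `recommendations(probe_host("your-server"))` from a machine on the far side of the firewall; an empty list means neither port answered, which is the state the article asks you to reach.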

Conclusion
Sometimes the best way to protect your servers against Windows NT security vulnerabilities is to become a hacker yourself. Use hackers’ various tools to see what your system looks like from their perspective. Once you can see what the hackers see, you can develop a specialized defense against their attacks. These utilities can help you test and retest your network until you’ve closed all of the most damaging holes.
