It can happen to you
Remember that the art of hacking doesn't have to focus solely on fancy code injection, address spoofing and virtual server hopping. In fact, many -- if not most -- of the breaches carried out against Windows-based systems are simplistic issues. It usually boils down to power users tweaking their systems, and that introduces vulnerabilities and administrators not having the resources or technology to apply patches in a timely manner. This is exactly the stuff you want to focus on during your Windows security testing. They are your highest payoff tasks. When and if you get the time, then you can dig in looking at minute nuances that someone may exploit in your environment a hundred years from now.
Like its predecessors, Windows Vista can be exploited in numerous ways by an external hacker or rogue insider. Here are some approaches that hackers use:
- Scan for open ports looking for running services that can be probed further.
- Establish null sessions and enumerate the OS to detect various system configuration settings.
- Gain access to the network via ARP poisoning using Cain & Abel in order to glean Windows passwords and other passwords off the wire.
- Gain physical access to a Vista desktop or laptop system and obtain the password hashes out of the SAM (Security Accounts Manager) database files using a tool such as BartPE and then loading the hashes into a password cracking tool such as Elcomsoft's Proactive Password Auditor. Or, as an alternate, you can use Elcomsoft's new all-in-one bootable solution based on WindowsPE called Elcomsoft System Recovery. This will allow you (or an attacker) to reset the list of local user accounts, view account privileges, grant administrator privileges to any account, reset accounts, reset passwords and more.
- Connect to Windows shares with previously cracked or easy-to-guess passwords and copy and/or delete sensitive files.
- Exploit a missing patch and obtain a remote command prompt using Metasploit or CORE IMPACT.
Remember, all it takes is your users installing software or making very minor configuration changes to their Vista systems to create big problems. Even if you have an enterprise domain, air-tight GPOs and a formal acceptable use policy banning anything and everything you can imagine, you're still going to have issues with Vista on your network.
Likewise, once Vista-based systems are outside of your control (for example, at a user's home, hotels or coffee shops), it only takes one disabled firewall, one shared directory or one missing patch for Vista to be abused and network security to be compromised.
About the author: Kevin Beaver is an independent information security
consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has more than 19 years of experience in IT and
specializes in performing information security assessments revolving
around compliance and IT governance. Kevin has authored/co-authored six
books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well asThe Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels audiobook series. You can reach Kevin at
email@example.com>. This was first published in January 2007
This was first published in January 2007