Tip

Hack into Windows Vista to test security features

In addition to its pretty interface and fast load times, Windows Vista has several new security features to keep the bad guys and the bad code at bay. Many security features such as the Windows Firewall, Windows Update and Windows Defender are enabled by default. Pings, port scans and even in-depth vulnerability scanning turn up very little on a default Vista installation.

The security of Vista
  • Does Vista mean the end of malware?

  • End-to-end encryption for Windows Vista systems: BitLocker
  • That's fine and dandy, but it's not the real world. Testing for vulnerabilities on a default install of the operating system (OS) is one thing, but once you get users on board and software is installed, drives are shared and other complexities are thrown into the mix, then there's plenty of room for attacks…secure OS or not.

    It can happen to you

    Remember that the art of hacking doesn't have to focus solely on fancy code injection, address spoofing and virtual server hopping. In fact, many -- if not most -- of the breaches carried out against Windows-based systems are simplistic issues. It usually boils down to power users tweaking their systems, and that introduces vulnerabilities and administrators not having the resources or technology to apply patches in a timely manner. This is exactly the stuff you want to focus on during your Windows security testing. They are your highest payoff tasks. When and if you get the time, then you can dig in looking at minute nuances that someone may exploit in your environment a hundred years from now.

    Like its predecessors, Windows Vista can be exploited in numerous ways by an external hacker or rogue insider. Here are some approaches that hackers use:

    • Scan for open ports looking for running services that can be probed further.

    • Establish null sessions and enumerate the OS to detect various system configuration settings.

    • Gain access to the network via ARP poisoning using Cain & Abel in order to glean Windows passwords and other passwords off the wire.

    • Gain physical access to a Vista desktop or laptop system and obtain the password hashes out of the SAM (Security Accounts Manager) database files using a tool such as BartPE and then loading the hashes into a password cracking tool such as Elcomsoft's Proactive Password Auditor. Or, as an alternate, you can use Elcomsoft's new all-in-one bootable solution based on WindowsPE called Elcomsoft System Recovery. This will allow you (or an attacker) to reset the list of local user accounts, view account privileges, grant administrator privileges to any account, reset accounts, reset passwords and more.

    • Connect to Windows shares with previously cracked or easy-to-guess passwords and copy and/or delete sensitive files.

    • Exploit a missing patch and obtain a remote command prompt using Metasploit or CORE IMPACT.

    Remember, all it takes is your users installing software or making very minor configuration changes to their Vista systems to create big problems. Even if you have an enterprise domain, air-tight GPOs and a formal acceptable use policy banning anything and everything you can imagine, you're still going to have issues with Vista on your network.

    Likewise, once Vista-based systems are outside of your control (for example, at a user's home, hotels or coffee shops), it only takes one disabled firewall, one shared directory or one missing patch for Vista to be abused and network security to be compromised.

    About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has more than 19 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well asThe Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels audiobook series. You can reach Kevin at kbeaver@principlelogic.com>.

    This was first published in January 2007

    There are Comments. Add yours.

     
    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.