In addition to its pretty interface and fast load times, Windows Vista has several new security features to keep the bad guys and the bad code at bay. Many security features such as the Windows Firewall, Windows Update and Windows Defender are enabled by default. Pings, port scans and even in-depth vulnerability scanning turn up very little on a default Vista installation.
That's fine and dandy, but it's not the real world. Testing for vulnerabilities on a default install of the operating system (OS) is one thing, but once you get users on board and software is installed, drives are shared and other complexities are thrown into the mix, then there's plenty of room for attacks…secure OS or not.
It can happen to you
Remember that the art of hacking doesn't have to focus solely on fancy code injection, address spoofing and virtual server hopping. In fact, many -- if not most -- of the breaches carried out against Windows-based systems are simplistic issues. It usually boils down to power users tweaking their systems, and that introduces vulnerabilities and administrators not having the resources or technology to apply patches in a timely manner. This is exactly the stuff you want to focus on during your Windows security testing. They are your highest payoff tasks. When and if you get the time, then you can dig in looking at minute nuances that someone may exploit in your environment a hundred years from now.
Like its predecessors, Windows Vista can be exploited in numerous ways by an external hacker or rogue insider. Here are some approaches that hackers use:
- Scan for open ports looking for running services that can be probed further.
- Establish null sessions and enumerate the OS to detect various system configuration settings.
- Gain access to the network via ARP poisoning using Cain & Abel in order to glean Windows passwords and other passwords off the wire.
- Gain physical access to a Vista desktop or laptop system and obtain the password hashes out of the SAM (Security Accounts Manager) database files using a tool such as BartPE and then loading the hashes into a password cracking tool such as Elcomsoft's Proactive Password Auditor. Or, as an alternate, you can use Elcomsoft's new all-in-one bootable solution based on WindowsPE called Elcomsoft System Recovery. This will allow you (or an attacker) to reset the list of local user accounts, view account privileges, grant administrator privileges to any account, reset accounts, reset passwords and more.
- Connect to Windows shares with previously cracked or easy-to-guess passwords and copy and/or delete sensitive files.
- Exploit a missing patch and obtain a remote command prompt using Metasploit or CORE IMPACT.
Remember, all it takes is your users installing software or making very minor configuration changes to their Vista systems to create big problems. Even if you have an enterprise domain, air-tight GPOs and a formal acceptable use policy banning anything and everything you can imagine, you're still going to have issues with Vista on your network.
Likewise, once Vista-based systems are outside of your control (for example, at a user's home, hotels or coffee shops), it only takes one disabled firewall, one shared directory or one missing patch for Vista to be abused and network security to be compromised.
About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has more than 19 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well asThe Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheelsaudiobook series. You can reach Kevin at firstname.lastname@example.org>.