![Sharing Sharing is a major advantage of Windows NT/2000 Shares can be established using Network Neighborhood, My Network Places, etc. in Windows mode or by using following command C:\net use * \\[IP address or hostname]\[share name] [password | *] [/USER:[domainname\]username] Note: ipc$ is the root default share for administrative account](https://image.slidesharecdn.com/class-presentation3435/85/Class-Presentation-12-320.jpg)
![NT/2000 Vulnerabilities Finding out what’s on a network C:\net view /domain:[domain_name] Find out more by C:\nbtstat –A [IP Number] Use Third-party tools such as nbtscan (usage C:\nbtscan [IP range using / or -]](https://image.slidesharecdn.com/class-presentation3435/85/Class-Presentation-18-320.jpg)
![NT/2000 Vulnerabilities Can use net use \\[computername]\ipc$ "" /u:"" to create a null session If null session can be created a host of information can be downloaded Automated tools such as Winfo exist User Accounts Shares Workstation and trusted accounts](https://image.slidesharecdn.com/class-presentation3435/85/Class-Presentation-19-320.jpg)
Class Presentation
- 1. IDSC 4490 – Advanced Networking Lecture 5 – Windows NT and 2000 from Security Perspective Alok Gupta Dept. of IDSC
- 2. A word on Windows 9x Windows 3x and Windows 9x were more single user oriented and hence the security was of minimal concern. Windows 3x and 9x passwords were stored in a ???.PWL file and could easily be cracked with many password cracking utilities including Cain , L0phtCrack .
- 4. Windows 2000 User Mode Provides subsystems for user interaction We’ll focus on security subsystem The Security subsystem coordinates with Win32 subsystem and Active Directory that acts as a central nervous system Windows 2000 has a Security Support Provider Interface (SSPI) that supports a variety of different authentication mechanisms
- 5. Security Support Provider Interface (SSPI)
- 6. Security Protocols NTLM – Windows NT LAN Manager security protocol For backward compatibility with older Microsoft products Kerberos – A third party encryption scheme More on it when we do encryption SSL – Secure Sockets Layer Application level security Multiple (third party) authentication using certificates
- 7. Kernel Mode Kernel mode is reserved for fundamental operating system functionality such as access to memory and hardware Security Reference Monitor is most important from our perspective Makes sure appropriate users and program are the only ones to be able to access particular files and directories by checking permissions It also captures events by writing to event logs
- 8. Fundamental NT/2000 Concepts Domains A group of one or more Windows machine(s) that share an authentication database Domain users can be provided access to domain resources on many machines Domain controllers authenticate users using Security Accounts Manager (SAM) The password information is scrambled using one-way function (hash)
- 9. NT/2000 Passwords NT stored passwords directly in SAM database (until service pack 3) Relatively easier to crack Windows 2000 uses another layer of encryption using SYSKEY Uses 128 bit key to encrypt the hashes More difficult to crack
- 10. Windows 2000 Network Structure Beyond domain Windows 2000 uses concepts called: Trees – Naming convention, e.g., xyz.com as a tree can have many domains such as sales.xyz.com, support.xyz.com Forests – collection of trusted and untrusted trees that are linked together such as abc.com and xyz.com
- 11. Domain, Trees and Forests Domain Tree Forest
- 12. Sharing Sharing is a major advantage of Windows NT/2000 Shares can be established using Network Neighborhood, My Network Places, etc. in Windows mode or by using following command C:\net use * \\[IP address or hostname]\[share name] [password | *] [/USER:[domainname\]username] Note: ipc$ is the root default share for administrative account
- 13. NT/2000 Groups
- 17. Default Accounts Administrator Also is a security vulnerability since the account name is known The account name is usually changed Guest Disabled by default
- 18. NT/2000 Vulnerabilities Finding out what’s on a network C:\net view /domain:[domain_name] Find out more by C:\nbtstat –A [IP Number] Use Third-party tools such as nbtscan (usage C:\nbtscan [IP range using / or -]
- 19. NT/2000 Vulnerabilities Can use net use \\[computername]\ipc$ "" /u:"" to create a null session If null session can be created a host of information can be downloaded Automated tools such as Winfo exist User Accounts Shares Workstation and trusted accounts
- 20. Enumerating a Host Use DumpSec WalkSam UserInfo UserDump GetAcct Many of these tools can automatically figure out administrative account using RID of 500
- 21. A Comprehensive Security Tool Languard Network Scanner Scans large networks by sending UDP query status to every IP. Lists NETBIOS name table for each responding computer. Provides NETBIOS hostname, currently logged username & MAC address. Enumerates all shares on the remote computer (including printers, administrative shares C$,D$,ADMIN$). Identifies crackable passwords (share level security) on Windows 9x. Tests password strength on Windows 9x/NT/2k systems using a dictionary of commonly used passwords. Identifies well known services (such as www/ftp/telnet/smtp...).