Posts Tagged ‘Windows security’

Spawning A CMD Prompt From MS Word or Excel

October 15th, 2009

This is an old trick, but I still see a number of Administrators that think they have locked users out of the command prompt by simply removing the icon from the menu and disabling the Start–> Run option. In this post I’ll discuss how to create a command prompt with Visual Basic for Applications (VBA), as well as how to mitigate (although never completely eliminate) the risk of someone achieving access to the prompt.

Creating a command prompt with VBA

This technique will work with any application that supports VBA, but I’m specifically going to use Microsoft Word in my example. Here’s what you need to do:

  1. Launch Microsoft Word
  2. Press “ALT-F11” to launch the VBA editor
  3. Double click “ThisDocument” in the left pane
  4. When the editor window appears, type in the text shown in Figure #1
  5. Press the “F5” key
Figure 1: Our simple VB script

Figure 1: Our simple VB script

You should see a command prompt window appear in your task bar. Here’s a copy of the code you need in step 4 so you can copy/paste:

Sub GetCMD()

Shell “cmd.exe cmd.exe”

End Sub

How to prevent VBA from spawning a command prompt

Execution of the command prompt can be disabled with the Group Policy Editor tool. Here are the steps:

  1. Click Start –> Run
  2. Type in “gpedit.msc” (without the quotes)
  3. Click User Configuration –> Administrative Templates –> System
  4. Search down the list for “Prevent access to the command prompt” and double click it

You have two options available to you:

  • Enable/Disable access to the command prompt
  • Yes/No Disable command prompt scripting process

If you only disable the first option, direct access to cmd.exe is prevented but a smart user can still get to it via a batch file. To prevent script access, need to disable the second option as well. This prevents ALL scripting however and can play havoc in many environments. Also, both of these settings will apply to the Administrator account as well. This can make admin and troubleshooting far more difficult.

Even with both options disabled, a user can still get around these settings by using command.com instead of cmd.exe. To fix this, you need to restrict access to command.com via user permissions. If you are still running some old 16-bit apps, this fix will break them.

All of these steps do not completely solve the problem however. A user who knows what they are doing with debug can simply copy cmd.exe to another location and modify it so a prompt is achieved when using it to run a bogus command. So we also have to delete “debug.exe”.

Even then, a savvy programmer can create an executable to get around all of the above security checks. So we need to remove all ability to copy or write to the drive as well. Needless to say we have a pretty useless computer at that point.

Exec Summary

If someone smart has access to your system, it is doubtful you will be able to prevent him or her from getting to the command line. The Group Policy Editor can most certainly make it more difficult, but the tool simply reduces the risk of attack. You cannot completely eliminate the risk without severely hampering the system’s operation and usefulness.

No comments »

Posted in 4-notice, Windows Security

Tags:

Hiding A Backdoor Behind An Active Windows Listening Port

September 3rd, 2009

Its a common technique. You suspect one of your systems has been compromised, so you run a port scanner against the system. The hope is that if the system is backdoored you will identify an undocumented listening port. But what if a clever attacker hides the backdoor in plain site? What if they hide the backdoor behind an existing port you actually expect to see listening on the system? Unfortunately this is far too easy to accomplish if the host is running Windows.

The UNIX way

On a UNIX or Linux system, listening ports are always opened exclusively. In other words, if a mail process opens up TCP/25 to accept inbound mail connections, any other application that attempts to listen on TCP/25 will receive a bind error and be denied access. The only way the second application can bind to TCP/25, is to first kill off the mail process using the port. So only one application at a time is ever permitted access to a listening socket.

The Windows way

In Windows, exclusive access to a listening port is optional. Its perfectly legal to have multiple applications listening on the same TCP or UDP port. This of course can simplify the process of setting up a backdoor behind an existing application.

With Windows, exclusivity of socket access is actually a process that has been evolving over the years. Windows 95, 98 and ME actually had no way to open a port exclusively. There was nothing one application could do to prevent another from attaching to the same listening port. For versions of Windows between NT and XP, it is possible to request exclusive port access via the SO_EXCLUSIVEADDRUSE option. If exclusive access is not specifically requested however, the default is to fall back to providing shared access.

With Windows 2003 and later, the default is exclusive port access unless both applications specifically request shared access via the SO_REUSEADDR option. The exception is that if the same account is used to launch both applications, shared access is still possible unless exclusive access is specifically requested. This means that if a savvy attacker can launch their backdoor via the system account, this enhanced security will usually be defeated.

Try it yourself

To test how this works, you’ll need a copy of the Windows version of Netcat. Copy nc.exe into one of the directories in your path statement. Once you do, open a command prompt and try the following command:

C:\>nc -l -p 135

Can’t grab 0.0.0.0:135 with bind

We just told Netcat to listen (-l) on TCP port (-p) 135. When Windows first boots up, Microsoft RPC opens TCP/135 with the SO_EXCLUSIVEADDRUSE option set. Thus if any application (like Netcat) tries to listen on TCP/135, it receives the bind error shown above. This is the type of behavior we would like to see all of the time.

Now try opening a port that is not already in use:

C:\>nc -l -p 1234

It should appear as if the command is hanging (command prompt does not return). This tells you that Netcat is now listening on port TCP/1234. To verify this, open a second command prompt and type the command:

C:\>netstat -an | find “1234″

TCP 0.0.0.0:1234 0.0.0.0:0 LISTENING

This shows us that Netcat is now listening on TCP/1234 on all network interfaces.

When Netcat opens a listening port it does not request exclusive access to the port. This means it is possible to bind Netcat to an existing listening port that has not already been opened exclusively. To test this, open a third and fourth command prompt. Enter the same Netcat command into each that you run within the first command prompt. Each command should execute without error.

Does this mean Netcat is listening multiple times? Go back to the second command prompt window and try the following command:

C:\>netstat -aon | find “1234″

TCP 0.0.0.0:1234 0.0.0.0:0 LISTENING 448

TCP 0.0.0.0:1234 0.0.0.0:0 LISTENING 3044

TCP 0.0.0.0:1234 0.0.0.0:0 LISTENING 3016

We’ve added in the “o” switch which prints out the process ID for the application holding open the listening port. Note that a different instance of Netcat is responsible for each of the open listening ports. Because Netcat does not require exclusive access to the port, we can listen on the port multiple times.

So what happens when someone tries to connect to the port? Try it and find out using the following command:

C:\>nc 127.0.0.1 1234

This is a test

You should see the text “This is a test” appear in only one instance of the Netcat listeners. If you leave this session active and open (yet another) command prompt and type:

C:\>nc 127.0.0.1 1234

This is test 2

You should see this text appear in a different instance of the Netcat listener.

What have we learned

Since Windows does not require applications to have exclusive access to a listening port, its possible to have a malicious backdoor sitting behind a legitimate application, on the same listening port. This makes the backdoor undetectable when performing a port scan. In order to connect to the backdoor you must first busy out the legitimate application with an active session, but this is easy to achieve.

No comments »

Posted in 2-alert, Windows Security

Tags:

Leveraging the Windows “runas” command

July 28th, 2009

Sometimes we can be our own worst enemy. I’ve written a bit about Malware and how infection rates are through the roof. If you look at the one thing you can do to make a Malware author’s life easier, its logon to your Windows system as an Administrator equivalent.

This problem was solved long ago on UNIX and Linux systems via tools like su and sudo. You used to have an excuse for running Admin equivalent on Windows. Microsoft made it extremely difficult to perform IT functions unless you were a high level account. This problem was resolved years ago with the runas command however, so its time we took control of this potential security hole.

Why is it important to use runas

When you are logged on as an Administrator equivalent, you have full god/goddess rights to the local system, and possibly the whole network. This means that your credentials are capable of doing anything. If a Malware author drops something nasty on your system, they have the same level of access that you do. Administrators used to mitigate this threat by being careful about what they clicked on. Today however Malware can come at you through trusted sites. By running with a lower level of permissions, you can help reduce the magnitude of a Malware attack.

What does runas do for me?

When you execute the runas command, only applications running beneath it have high level permissions. So for example let’s say we leverage runas to launch the User Manager. The User Manager application will have Administrator level privileges but the rest of our system environment will not. If User Manager is open when an attacker delivers nasty Malware via your browser, the Malware will be constrained to the level of access granted by your regular user account because the browser is still running with lower level permissions.

Using runas via the GUI

One of the simplest ways to leverage the runas command is via shortcuts. In my last post I gave a list of common Windows administrator tools. Simply create a shortcut on your desktop for each tool you need to use. When you need to run the tool, right click the icon and select “Run as…” from the pop up menu (it should be the second option). This will produce the window shown in Figure #1. Simply supply the credential for your high level account and the tool will launch as it normally does.

runas

Note that in Figure #1 I’m logging on as Administrator. In an ideal world, each admin will have a dedicated administrator account (like cbrenton-admin or similar). This will make it much easier to create a proper audit trail of changes.

Using runas from the command line

Along with the GUI interface, you can leverage runas from the command line as well. The simplest solution is to place a command prompt shortcut on your desktop and launch it as specified above. If you already have a command prompt session going, you can leverage the runas command directly. The syntax is:

runas /user:<high level account name> <command we wish to run>

If we wish to generate a new command prompt with high permissions, we can do that too. The syntax is:

runas /user:<high level account name> c:\windows\system32\cmd.exe

This will produce output similar to Figure #2. Note that we have simply leveraged runas to spawn a new command prompt session. Now anything run within this new command prompt will be executed with higher permissions.

runas-command-line

Exec Summary

Today there is no excuse for logging into Windows as an administrator equivalent. By leveraging the runas command along with some shortcuts, IT folks can still get the job done while refraining from being their own worst enemy.

No comments »

Posted in 3-err, Windows Security

Tags:

Quick Access To Windows Admin Tools

July 28th, 2009

In my last post I talked about how using the Windows GUI can at times be cumbersome. If you administer a Windows network, you are frequently leveraging the Windows admin tools. Here are some tips to make that task a bit easier.

List of Tools

Here’s a list of the most commonly used Window’s admin tools as well as the command needed to launch them:

  • Add/Remove Programs = appwiz.cpl
  • Certificate Manager = certmgr.msc
  • Computer Manager = compmgmt.msc
  • Control Panel = control.exe
  • Copy screen to clipboard = <ctrl><Print Scrn>
  • Copy active window to clipboard = <ctrl><alt><Print Scrn>
  • Device Manager = devmgmt.msc
  • Event Viewer = eventvwr.msc
  • File Explorer = explorer.exe
  • File Signature Verification = sigverif.exe
  • Group Policy Editor = gpedit.msc
  • MS Management Console = mmc
  • Network Properties = control netconnections
  • Performance Monitor = perfmon.msc
  • Registry Editor = regedt32.exe
  • Security Center = wscui.cpl
  • User Manager = lusrmgr.msc
  • Security Policy Editor = secpol.msc
  • Services Screen = services.msc
  • Solitaire = sol.exe
  • System Config Utility = msconfig.exe
  • Task Manager = taskmgr.exe
  • Task Manager = <ctrl><shift><esc>
  • Task Scheduler = control schedtasks
  • User Manager = lusrmgr.msc

Quick Launch Options

Here are some tips for making each of the above easily accessible:

  1. Click Start –> Run then type in the command listed above
  2. Press <Windows key><r> then type in the command listed above
  3. Create a desktop shortcut
  4. Create a taskbar shortcut
  5. Create a single program group so everything is in one place

No comments »

Posted in 4-notice, Windows Security

Tags:

Dealing With Malware On Windows (Part 2) – Long Live Application Control

July 13th, 2009

Application control, sometimes called application white listing, gives you granular control of which applications are permitted to run on each of your systems. Not only can this replace your A/V solution, it can keep rogue users and license issues in check as well.

How does application control work?

The concept is relatively straightforward. You identify which application you want each of your users to be able to run and the software takes care of enforcing that policy. One of the nice things about application control software is that you usually get far more customization capability than A/V. For example with many A/V solutions I may be forced to completely disable A/V in order to run an application listed as malicious in the signature database (say I’m an Auditor that needs to do port scanning or password cracking). With application control, I can usually get as granular as writing policies on a per user, per system, per location level (for example the Auditor can only run the port scanner from a specific system when its attached to one specific network segment). This is cool because unlike A/V I don’t have to disable the software, thus exposing myself to risk, just to simply do my job.

What to look for in application control software

There’s a couple of things you need to look at when evaluating an application control product. First, you need to look at how files are identified. Are they simply looking at file names stored in a specific location, or are they running multiple hash algorithms to authenticate the file is in fact properly identified? You also want to look at what’s involved with approving files for use and how the system deals with patches.

For example, one of my favorite products is Parity from Bit9 Software. They start by referencing a file database with over 6 billion entries and counting. While that might seem like overkill, think of how many file are involved if you just want to approve Microsoft Office for use and include all versions and all patch levels. All of a sudden 6 billion entries does not seem that far-fetched.

Unfortunately a file database is not going to be enough. You need some way to approve custom scripts and executables, as well as deal with real time patch files. For example Adobe checks for patches whenever a user launches the application. If they happen to do this right at the exact minute a patch is released, the patch file info will not yet be propagated into the file database. What Parity does is permit you to approve software based on it being digitally signed. For example we can create an exception that says, “If the file is not in the database but has been digitally signed by us or Adobe, it’s OK for use”.

Protecting Supervisory Control And Data Acquisition (SCADA) Networks

This is a very cool solution for control networks. For example those networks running the grid, municipal services, military stuff, etc., which are not suppose to be connected to the Internet. The lack of connectivity creates a catch-22. You’ve disconnected from the Internet to help protect the network but how do you update your A/V signatures with no Internet access? With Parity this is a non-issue. You simply digitally sign all software required on the control network, write a rules saying only digitally signed software can be executed, and you are done. No signatures or updates to worry about, just re-sign new software as you wish to deploy it on the network.

Parity has some other cool features as well like the ability to track file execution or the ability to control which removable drives can be used (by model, by user and by level of access). I’m starting to feel like a sales person however, so I’ll leave it to the reader if they want to learn more. ;)

The dirty little secret

So why is it we are not seeing A/V vendors dump their signatures and jump on the application control bandwagon? I do not work for an A/V vendor so I can only speculate. I do however own stock in a few of them and will say that as soon as I see this trend occur I’m selling my stock. Think of it this way, where is the true cost in your A/V solution? Is it in the initial purchase price of the client, or is it in the monthly/annual subscription fee you pay for signatures?  Companies loooove reoccurring revenue streams because they mean predictable income with zero sales effort. Stockholders (like myself) love reoccurring revenue streams because “higher income + less up front costs = higher profit”. Note in the last example I discussed protecting a network without the need for signature updates. If users went this route it would have a serious financial impact on each A/V vendor’s bottom line.

The bad stuff

Now some caveats. You would probably want to use the file database if available, even if this means paying for a different subscription service. Digitally signing everything is fine on a network where the applications are infrequently changed (like SCADA) but in a typical corporate environment your job title would turn into “the Admin who’s always signing software”.

Also, application control simply regulates which applications are run on the system. Its not very helpful if an approved application gets whacked via a buffer overflow or the like. So patching is still a must and you will probably want to run a Host-based Intrusion Protection System (HIPS) to be completely locked down. Still, with application control you end up with a far more secure posture than sticking with that old carburetor A/V software.

No comments »

Posted in 3-err, Malware, Windows Security

Tags:

Uber Geek Your Windows Laptop

July 12th, 2009

Thought some folks might find this useful. I’ve noticed that over the last few years working with the Windows command line has become a bit of a lost art. This is too bad as you can do some really cool stuff. This instructional is geared towards those folks that do not know the power of working from “the dark place”. There are general tips for setup, how to perform common task, common error codes and how to resolve them, as well as batch file basics.

This is relatively low level material, but IMHO its a great primer for those who have not spent a lot of time working at the command line.

Enjoy!

C

Uber Geek Your Windows Laptop

No comments »

Posted in 4-notice, Windows Security

Tags:

Dealing With Malware On Windows (Part 1) – Why Anti-Virus Is A Dying Technology

July 11th, 2009

Sometimes a technology outlives its usefulness. A good example is the automobile carburetor. While we have known the performance gains and fuel savings of multi-port direct fuel injection for decades, some (NASCAR!) still cling to the use of the outdated, yet familiar carburetor. Much the same has occurred with the technology to fight Malware. Anti-virus has become the “carburetor” of keeping malicious code off of our systems.

What is A/V software?

Anti-virus is still primarily a signature based system. In other words, we define a code pattern that we want to detect and then search memory or the hard disk for that pattern. This is referred to as “application black listing”, because we are defining the bad applications we want to keep off of the system.

Where do A/V signatures come from?

Typically an A/V customer will become infected and report the problem to their vendor. The A/V vendor can then generate a pattern, which permits their other clients to be protected from this same strain. Its also possible for the signature to get generated if the code is found in the wild prior to release, or if another vendor generates a signature.

What about heuristics?

Heuristics looks at suspect behavior and then white lists known to be good applications. For example we may check all attempts to create a user account on the system and then check to see if the application is a known administrator tool. This technology has some really cool potential, but it also has a number of flaws. The primary problem, and the reason heuristics sees little to no use, is the fact that its prone to false positives. Try to use a 3rd party tool to manage your user accounts and the A/V heuristic engine is probably going to block it.

The business model of Malware

When anti-virus was first developed, Malware had two specific traits:

  1. Malware distribution was slower than signature distribution.
  2. Malware writers were mostly script kiddies attempting mass propagation.

Neither one of these items are applicable in today’s environments. Symantec states that in 2009 they are averaging a new Malware signature every eight seconds.   For F-Secure, this frequency is closer to a new signature every four seconds. Do you update youy A/V every 4-8 seconds? Does your A/V vendor even release a new signature file every 4-8 seconds? You see the problem. Even if you diligently update A/V every night, 11,000-20,000 new signatures and pieces of Malware have ticked by.

But let’s talk a bit more about item #2; script kiddies and mass propagation. Around 2001 or so I noticed a change in the Malware world. The folks who really knew what they were doing stopped doing mass release. Think about it, most Malware writers usually start when they are very young. When you are still in school and living at home, its trivial to release your code for free. At some point however you need to get a job and start earning some income. When you personally reached that place in life, what did you do? For most of us, it involves looking at what we are good at and trying to match that up to a high paying job.

So if you are good at writing Malware, where are the high paying jobs? Some possibilities:

  • Extortion – Steal info and sell it back.
  • Espionage – Steal info for a competing company, government, etc.
  • Steal data with value in the wild – bank logon, credit card info, etc.
  • Resell botnet and Malware services – Become a gun for hire. Typically spam distribution of DDoS.

While we still have some number of script kiddies doing mass propagation (think of them as Malware writers in training), the smart attackers have turned it into a profitable business model. When it’s a business model, the code of course has monetary value. This means an attacker will not risk mass propagation of high end Malware code. They are going to sit on it and only use it when there is the potential for a high rate of financial return. So we can’t count on the truly nasty stuff being mass propagated anymore. The stuff you need to worry about most is used in a targeted fashion.

Why does my A/V fail so often?

A couple of problems should be immediately apparent with the above model. To start, because we are black listing bad applications, the assumption is everything else is OK. If we do not have a signature identifying the application as malicious, we assume it is safe to run. This means that all Malware without a signature is free to infect the system. This model also assumes some level of acceptable losses. Typically there is a lag time between when systems get infected and when we get a signature to protect ourselves. This could be hours, days or in some cases even months.

Problems under the hood

One of the biggest issues with A/V software is the signatures. Most of us would not even consider purchasing a NIDS or NIPS which does not provide access to the signatures, but that’s exactly what you get with an A/V system. This leads to little to no sanity checking of signatures within the industry, as well as limited customization capability. For example I have yet to see an A/V vendor give me the ability to let my network administrator group run a password cracking tool from known to be secure machines. If I have any customization capability at all it is a tedious process to get specific applications approved for use, and even then enforcement is limited.

So where do we go from here?

With all these problems, its no wonder that application control (sometimes called application white listing) is starting to replace A/V software as the tool of choice for controlling Malware. I’ll get into application control in part 2 of this post.

5 comments »

Posted in 3-err, Malware, Windows Security

Tags: