Tools for carrying out attacks on Microsoft OS.
This work is an attempt to analyze the vulnerabilities of Microsoft's network operating systems Windows 95/98 and Windows NT. The article discusses the main methods and some common tools of attack that pose a real threat to information exchange in open telecommunication networks. The material was prepared on the basis of a report for the Scientific and Technical Center of the Association of Russian Banks.
Attacks on the availability of information are most real
The use of communication channels of open telecommunications networks (including the Internet) as an information exchange medium in distributed information support, control and management systems poses a real threat to the data stored and processed in such systems.
In cases where the standard tools of various general-purpose network operating systems are used for remote user connection, interception of authentication information can be used by intruders to gain unauthorized access to local area network resources. The availability on the information security market of specialized software and hardware that meets the requirements of national cryptographic standards allows the security properties of common network operating systems to be significantly improved. At the same time, the use of strong cryptographic algorithms to protect data in the communication channel, together with special access control models for information resources during their storage and processing, allows violations of the confidentiality and integrity of data to be prevented.
Attacks on information availability are currently an increasingly real threat. As a rule, such attacks do not result in data being compromised or destroyed. However, timely service to legitimate users, the operation of application systems, and the management of distributed processes become impossible, at least for the duration of the attack.
The TCP/IP protocol family, which is currently widely used to build distributed systems and intranets, was developed as a basis for information interaction more than a quarter of a century ago. The basic mechanisms of TCP/IP were generally formed by the early 1980s and were intended to ensure the delivery of data packets between different operating systems over heterogeneous, unreliable communication channels. Despite support from the Advanced Research Projects Agency (ARPA) of the US Department of Defense for a certain period, the Internet actually originated in the research community and absorbed the academic world's tradition of openness. As a result, the basic concepts of the TCP/IP protocols in a number of respects contradict modern ideas about computer security. This is reflected in the increasingly widespread attacks on the availability of information that exploit the weaknesses of the basic Internet protocols. In addition, there are typical weaknesses in implementations of the TCP/IP protocols that modern network operating systems have inherited. In 1997 alone, Microsoft released seven official patches for the TCP/IP stack of the Windows NT operating system aimed at eliminating attacks that exploit weaknesses of the basic information exchange protocols.
The dual policy of leading software manufacturers
The strict policy of protecting «know-how» and the double standards pursued by a number of leading manufacturers of «system-forming» software, in order to achieve an unconditional victory in the competitive struggle, lead to important information about the architecture of complex systems, the strength of cryptographic algorithms, etc. being concealed under the heading of corporate secrets. As a result of this approach, attackers are armed with dangerous means of influencing large arrays of data until the corresponding vulnerabilities are discovered and published by independent researchers. Examples of weaknesses identified in closed algorithms include the cloning of a GSM cellular phone by researchers at the University of California, Berkeley, in April 1998; the detailed cryptanalysis by Counterpane Systems in June of the same year, which showed multiple attacks on Microsoft's implementation of the Point-to-Point Tunneling Protocol (PPTP) for creating virtual private networks; and a number of other facts that became possible because manufacturers tried to keep their developments secret. In addition, in a number of areas non-commercial open-source projects are coming to the forefront, providing free access to the details of how their competitive systems are built. For example, the Linux operating system, distributed together with its source code, in some cases provides a significant advantage in performance and reliability at a lower price compared to the computer «monsters». The expanding influence of such projects on the software industry is causing concern among some commercial software manufacturers. In particular, an internal Microsoft memorandum is known that sets out a strategy for combating projects that use the principles of open-source software development, including the Linux OS (the so-called «Halloween Documents», dated October 1998).
National Standards and Certification Systems
The traditional method of establishing the properties of software security functions, inherited from the time of the state monopoly on information security, is the certification of information security tools for compliance with security requirements regulated by normative documents. Such documents may be national standards or may operate on the territory of several states. In the latter case, multilateral agreements are concluded on mutual recognition by the member states of the results of certification tests conducted by national certification centers. Examples of national standards are the RD (guidance documents) of the State Technical Commission of Russia and the TCSEC of the USA. Since the early 1990s, the ITSEC standard has been in effect, jointly developed and adopted by Great Britain, France, Germany and the Netherlands. In June 1999, the International Organization for Standardization (ISO) adopted a new international standard, ISO 15408 «Criteria for assessing the security of information technology».
In each of these standards, authorized organizations conduct an independent assessment of the properties of various information technology products. Thus, on October 7, 1997, the Novell IntranetWare network operating system (NetWare 4.11 Server) as part of IntranetWare Support Pack 3A, together with Directory Service Update DS.NLM b5.90, DSREPAIR.NLM V4.48 and ROLLCALL.NLM V4.10, received a certificate of compliance with security class C2 (in the network interpretation) of the American TCSEC standard. Microsoft had earlier certified Windows NT for compliance with the C2 class requirements of the same standard. In March 1999, the three-year process of certifying Windows NT for compliance with the requirements of Class 3 of the RD of the STC «Nuclear Materials Management and Control Systems» was completed (certificate No. 206 dated December 3, 1998). In addition, on April 28, 1999, the Logica certification center (Great Britain) issued a certificate of conformity for the Windows NT Server and Workstation 4.0 operating systems, including Service Pack 3.0 and the gina-fix update, with the requirements of class E3/F-C2 of the ITSEC standard.
The compliance of Windows NT with high security requirements, confirmed by certification tests, was the basis for the adoption of this system by the NATO bloc. To organize a secure network for transmitting tactical military data during the operation in Bosnia, the Supreme Allied Command Europe decided to deploy the Cronos distributed information system (Microsoft Windows NT Server Supports Secure Communications for NATO Operations, microsoft/security/resources/NATOCaseStudy.asp) based on Windows NT. Cronos currently comprises local networks, each consisting of several servers running Windows NT Server 4.0 and Exchange 5.5 together with 29 to 300 Windows NT Workstations with the Office 95/97 package. The local networks are connected by cryptographic means into a single distributed information system based on the NCP/IP protocol. In total, 5,000 users, 150 servers and 3,000 workstations located at 47 NATO command posts, including the national commands of Great Britain, Germany, Italy and the United States, as well as in Bosnia and Herzegovina, exchange classified tactical military data via the Cronos system.
It should be noted that the protective properties of information systems are assessed not only by their existing functional capabilities that meet the required security indicators, but also on the basis of provisions arising from the model of the «environment» of this class of systems. Describing the environment is a mandatory requirement of modern information security standards; it serves to determine threats to information resources, taking into account the information processing technology of the system, the requirements for the composition and configuration of hardware and software, organizational and technical support, and other conditions of the system's operation. The higher the level of security, the stricter the requirements for the conditions and procedure for operating the system. Consequently, the guarantee of security of the information resources of a certified system is strict compliance of the conditions and procedure of its operation with the environment provided for by the certificate.
Information exchange protocol in Windows NT networks
The SMB (Server Message Block) protocol is a packet format for information exchange between the operating systems (OS) Windows NT Server, OS/2 LAN Server and Microsoft LAN Manager and their clients. As Microsoft released successive versions of Windows NT, the SMB protocol was also improved: new versions (dialects) were developed, each a consistent extension of the base protocol.
The LANMAN-2 dialect protocols are used for information exchange between workstations running Windows for Workgroups 3.11, Windows 95/98 and Windows NT. The sequence of network exchanges during the user's network authentication is shown in Fig. 1.
Research into the SMB protocol and detailed study of the user network authentication process implemented on its basis made it possible to identify some peculiarities of access to network resources.
Methods of unauthorized access to network resources
Imposition of information exchange parameters
Network authentication in the LANMAN-2 dialect transmits transformed passwords using a «challenge-response» scheme. The server sends the client a challenge with which the client transforms the user's password before sending it over the communication channel. Since the server's challenge is transmitted over the network in the clear and the algorithm used to transform the user's password is known, an attack involving guessing the user's password becomes possible.
Description: because the Windows NT OS uses the DES encryption algorithm, password guessing involves significant computational and time costs.
It is much more effective to impose a server challenge on the client and use values of the password transformation algorithm precomputed over a certain dictionary for that known server challenge.
When the attacker «Bob» sees the user «Alice»'s request to access the server, he forges the original server address and sends «Alice» the imposed challenge. «Alice» transforms her password and sends it to the server address. In doing so, «Bob» gains access to the transformed password and compares its value with the previously calculated candidates. If the original dictionary contained «Alice»'s password and that password is the only match, «Bob» obtains «Alice»'s password (Fig. 2).
Consequences: An attacker who is able to monitor a user's traffic and respond faster than the server can obtain information about the user's password. If equivalent passwords exist, the exhaustive search method can be used. Protective measures: Since the described attack uses widely available means, adequate protective measures are extremely difficult, unless one considers a ban on the wide dissemination of information via communication channels.
Imposition of an information exchange protocol
As noted above, network authentication in the LANMAN-2 dialect transmits transformed passwords using a challenge-response scheme. However, for compatibility with earlier dialects, SMB retains the ability to authenticate network users with cleartext passwords.
Description: user «Alice» wants to access the server. The attacker «Bob», who is able to monitor «Alice»'s traffic and respond faster than the server, can obtain her password. The attack proceeds as follows (Fig. 3):
1. «Alice» sends a request to connect to the server.
2. «Bob» replaces the dialect index in the server's SMBnegprot response with a dialect that does not use password transformation and sends the packet to «Alice».
3. «Alice»'s software sends the cleartext password to the server.
4. «Bob» receives «Alice»'s password and connects to the server.
5. «Alice» receives no response from the server and tries to reconnect.
The consequences and protective measures are the same as in the previous section.
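Detection logic for the two negotiate-stage attacks above (the imposed challenge of Fig. 2 and the dialect downgrade of Fig. 3), as an added example that is not part of the original article: it runs over constructed records of SMB negotiate responses as a network sensor might decode them, and assumes a hypothetical inventory of the server's Ethernet address.

```python
from collections import Counter, defaultdict

# SMB dialects whose negotiate response carries an 8-byte challenge; any older
# dialect makes the client send its password in the clear.
CHALLENGE_DIALECTS = {"LANMAN1.0", "LM1.2X002", "LANMAN2.1", "NT LM 0.12"}

# Hypothetical inventory (assumption): the real server's Ethernet address.
KNOWN_SERVER_MAC = {"10.0.0.1": "00:aa:bb:cc:dd:01"}

def rec(session, src_ip, src_mac, dialect, challenge):
    """One captured SMB_COM_NEGOTIATE response, already decoded by a sensor."""
    return {"session": session, "src_ip": src_ip, "src_mac": src_mac,
            "dialect": dialect, "challenge": challenge}

# Constructed sample traffic: sessions 1-2 are clean; in 3 and 4 «Bob» races the
# server with a spoofed reply carrying one fixed challenge (Fig. 2); in 5 he
# answers with a dialect that has no challenge at all (Fig. 3).
SAMPLE = [
    rec(1, "10.0.0.1", "00:aa:bb:cc:dd:01", "NT LM 0.12", "a1b2c3d4e5f60718"),
    rec(2, "10.0.0.1", "00:aa:bb:cc:dd:01", "NT LM 0.12", "0f1e2d3c4b5a6978"),
    rec(3, "10.0.0.1", "00:de:ad:be:ef:99", "NT LM 0.12", "1122334455667788"),
    rec(3, "10.0.0.1", "00:aa:bb:cc:dd:01", "NT LM 0.12", "9a8b7c6d5e4f3a2b"),
    rec(4, "10.0.0.1", "00:de:ad:be:ef:99", "NT LM 0.12", "1122334455667788"),
    rec(4, "10.0.0.1", "00:aa:bb:cc:dd:01", "NT LM 0.12", "c0ffee0123456789"),
    rec(5, "10.0.0.1", "00:de:ad:be:ef:99", "PC NETWORK PROGRAM 1.0", ""),
    rec(5, "10.0.0.1", "00:aa:bb:cc:dd:01", "NT LM 0.12", "5e5e5e5e5e5e5e5e"),
]

def analyze(records):
    """Return sorted (session, rule, detail) findings for suspicious responses."""
    findings = set()
    per_session = Counter(r["session"] for r in records)
    sessions_by_challenge = defaultdict(set)
    for r in records:
        if r["challenge"]:
            sessions_by_challenge[r["challenge"]].add(r["session"])
    for r in records:
        s = r["session"]
        # Downgrade: chosen dialect cannot carry a challenge -> cleartext password.
        if r["dialect"] not in CHALLENGE_DIALECTS:
            findings.add((s, "DIALECT_DOWNGRADE", r["dialect"]))
        # Imposed challenge: one value reused across sessions lets the attacker
        # match responses against a dictionary precomputed for that challenge.
        if r["challenge"] and len(sessions_by_challenge[r["challenge"]]) > 1:
            findings.add((s, "REPEATED_CHALLENGE", r["challenge"]))
        # Spoofed server: frame claims the server's IP but comes from another MAC.
        expected = KNOWN_SERVER_MAC.get(r["src_ip"])
        if expected and r["src_mac"].lower() != expected:
            findings.add((s, "SPOOFED_SERVER_FRAME", r["src_mac"]))
        # Two negotiate responses in one session: an injected reply beat the server.
        if per_session[s] > 1:
            findings.add((s, "DUPLICATE_RESPONSE", str(per_session[s])))
    return sorted(findings)
```

On a real segment the MAC check only helps when the sensor sees the frames directly; the repeated-challenge and duplicate-response rules work from any capture point.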
Bypassing the access control subsystem
One of the most vulnerable areas of the Windows NT OS at present is the mechanism for storing user-authenticating information and transmitting it over communication channels. Since the cryptographic algorithms used in Windows NT networks are well described and studied, fairly effective tools for gaining unauthorized access can be used.
Description: Windows NT user authentication relies on registration information stored in the system as cryptographic transformations of user passwords. The transformed user password (called the password hash) is the only information on the basis of which Windows NT decides whether a real user corresponds to a subject of the access control system. Password images are stored in the database of the Security Account Manager (SAM). Access to password images can be obtained in various ways, for example:
• read access for the administrator to the password images of all users stored in the system registry (the HKEY_LOCAL_MACHINE\SECURITY\SAM key);
• read access for all users to the latest backup copy of the SAM database, which contains the password images of some users, including the administrator (file C:\Winnt\Repair\SAM);
• unrestricted access to the password images of all users on a disk with the FAT file system when booting an OS other than Windows NT (file C:\Winnt\System32\Config\SAM);
• unrestricted access to the password images of all users on a disk with the NTFS file system when booting the Linux OS (file C:\Winnt\System32\Config\SAM);
• read access to users' password images while their authentication information is transmitted over the network.
After obtaining access to password images in the manner described or in some other way, password guessing can be applied: determining the value which, after transformation by the known algorithm, coincides with the given image. Guessing can use dictionaries of probable passwords, exhaustive search, and also a hybrid method (a combination of dictionary words with partial search).
The tools currently distributed on the Internet (for a fee and free of charge) allow fairly effective password guessing on conventional computing equipment. Thus, the L0phtCrack program from L0pht Heavy Industries, Inc. on a Pentium II 450 MHz computer reveals any alphanumeric password within 24 hours.
The most dangerous possibility is using this tool to capture and decode network information exchange. If an intruder has access to a certain segment of the network cabling, he can obtain the password images of all users whose workstations send or receive information on that segment. Since such «eavesdropping» on the transmission medium, as a rule, cannot be detected, the use of weak network authentication algorithms significantly increases the risk of unauthorized access.
Consequences: An attacker who has obtained a user's password image can recover the user's password. Protective measures: These can be divided into categories corresponding to the possible channels through which attackers gain access to Windows NT user password images. However, attackers keep acquiring new tools and methods for accessing password images both during storage and during transmission over communication channels. For example, in Service Pack 3 for Windows NT 4.0 Microsoft offered a new means of securing password images stored in the SAM by additionally encrypting them with a 128-bit key. However, several independent researchers discovered the weakness of this technology and implemented corresponding attacks in their software.
In the lm-fix addition to Service Pack 3, Microsoft proposed a way to increase the security of password images transmitted over cable systems by abandoning the LANMAN-2 dialect of the SMB protocol in favour of the more advanced NTLM dialect. Against NTLM, currently available password cracking tools cannot complete their calculations in an acceptable time. However, abandoning the LANMAN-2 dialect means that Windows for Workgroups 3.11 and Windows 95 can no longer be used as workstation operating systems. In Service Pack 4, Microsoft proposed the NTLMv2 dialect of SMB, which uses HMAC-MD5 with a 128-bit key to protect the information transmitted during authentication. Thus, using Windows NT 4.0 Workstation with Service Pack 4 installed as workstation software provides the most robust protection of authentication information.