Blackhat Day 1 - Windows Lose or Draw

Today was day one of Blackhat here in Las Vegas. Let me just start by saying I'd forgotten how much I dislike the Vegas strip. In concept, I guess it seems cool: flashing lights, dazzling fountains, and fabulous buffets, but when you actually get here it really just turns out to be flashing prostitutes, dizzying second hand smoke, and a flabulous mass of sweaty, scantily clad tourists. Not such a pretty thing. Oh and not being a gambler, it bugs me that everything is geared towards trying to force you into the casino. All recreational activities end at 8pm (unless its a weekend, then its 6pm) to try and shuffle you onto the gaming floor for more smoke filled bliss then you can shake a stack of hooker pamphlets at (and yea, although there are less than last time I was here, the hand slappers are still alive and well - just wait 'til dark).

Oh well, I am made to suffer these things for a very noble cause. Hacking. Or rather, hacking deterence. The first of my two Blackhat courses was an "Ultimate Hacking" course taught by Foundstone, a security consulting and development company currently owned by McAffee. To say it was eye opening would be an understatement. Today's class (the first of 2 days) covered Windows exploits and how to hack a Windows host. Having never really become intimately involved with current Windows hacking practices I finally became completely and utterly convinced of the adament arguments posted by all those "Unix groupies" (into which I am slowly converting) about how insecure Windows is. Well, tomorrow we cover Unix exploits, so we will be able to compare the two after that, but for now, I am somewhat awestruck at how profound the techniques are for compromising Windows.

It seems to me that in its attempts to make everything so easily accessed and manipulated, there were some major security oversights in Windows. In fact, most of the tools needed to enumerate and fingerprint hosts and users are actually built in Windows utilities that are left open by default. Really, most attacks (minus any password cracking) can be done successfully using only internal Windows tools.

I will give you one example of said tool. This is the 'net' command. I am most familiar with it for its use as a method for spamming all the machines on a network with a message using the 'net send' option. However, it becomes even more useful when you use it to exploit a Windows "feature" (Microsoft claims it is such) that allows a host to create a null connection to another host to exchange information. The problem with this is that the information shared is very plentiful and can quickly allow an attacker to profile the host, domain, and users stored on it. This command consists of the following run from the command line:

net use \\hostnameorip\$ipc "" \u:/""

The connection, once established can then be viewed using:

net use

Once created a plethera of other commands and tools can be used to profile the host. That's really all I can give you at the moment (gotta respect that Foundstone non-disclosure agreement), but it is a pretty powerful bit of info. You should check out Foundstone's website for some more cool tools and tips. I'm really looking forward to checking out the Unix hacks in tomorrow's class. Stay tuned for a recap on those soon.