Jesse Schultz on Mon, 1 Apr 2002 18:10:14 +0200

1. You have netbios open. A tremendous amount of enumeration can be done via netbios, including what services you have running on your win2k box. This is done by connecting to IPC$ which can be done with a null user. Once this is done, win2k becomes a veritable fountain of information. There are also several ways to break in and create a netbios back door.

2. A default install of win2k, even professional, will install IIS. IIS needs umpteen patches to make it safe. A default install of this will allow anyone to come in through http port 80 and do a complete takeover of your machine.

Once a compromise is made via either of these routes, getting the administrator password is a snap through many freely available tools. There are tools that, unless you have the very latest service packs and patches, can grab the SAM (Microsoft equivalent of the shadow file in unix). Problem with this is, for backwards compatibility, the password hashes are stored in two 7 character hashes instead of one 14 character hash. Maximum time to brute force a really good password from a SAM file is about 24hr.

Solutions.
1. Patch win2k to the hilt.
2. Close off netbios if possible. There are tools that can dump the SAM right over the network.
3. Close off HTTP 80 or disable IIS or make damn sure your patches are up to date.

Also on the Linux side. Unless you have a very new installation of linux or have kept up with security patches, you may be running versions of FTP, SSH, Telnet, and the Printer daemon that are vulnerable to root compromise. These vulnerabilities would also affect other types of Unix boxes behind your firewall. The fact is, for every port you have open on your firewall, there is a root level vulnerability on either Microsoft or Linux unless you are up to date on your patching.

Bottom line, it is not the fault of the firewall if you have ports open through which a compromise is easy. Try here for some research.
http://www.securityfocus.com

----- Original Message -----
From: "Samantha Samuel" <ssamuel@taz.cs.wcupa.edu>
To: "Philadelphia Linux User's Group" <plug@lists.phillylinux.org>
Sent: Monday, April 01, 2002 9:54 AM
Subject: [PLUG] weak linux firewall?

> For reasons that are not important I have win2k on a partition. My
> firewall is a linux box that has only the following ports open.
>
> Port State Service
> 21/tcp open ftp
> 22/tcp open ssh
> 80/tcp open http
> 139/tcp open netbios-ssn
> 515/tcp open printer
> 6000/tcp open X11
> 6004/tcp open X11:4
>
> When surfing the internet last night, I saw an ad that claimed my pc was
> insecure and had a snapshot of my hd, that had a pic of my folders and the
> size of my partition. Now this worries me. I know it was a pic of my comp,
> and not some generic pc because of this one folder I had.
>
> Does anyone have any thoughts on how someone could have gotten past the
> firewall and peeked into my machine?
>
> Thanks.
> --
> Samantha
> -------
> Real programmers do not comment their code. If it was hard to write, it
> should be hard to understand.
>
> http://taz.cs.wcupa.edu/~ssamuel
>
> ______________________________________________________________________
> Philadelphia Linux Users Group - http://www.phillylinux.org
> Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
> General Discussion - http://lists.phillylinux.org/mail/listinfo/plug
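Added example (not part of either message in the thread): a small audit script that parses the port listing Samantha quoted and maps each open port to the action Jesse's reply implies. The policy table is an assumption written from that advice, not a published standard.

```python
"""Audit an nmap-style open-port listing against an internet-facing firewall policy."""
import re

# Constructed input: the port table quoted in the thread.
SCAN_OUTPUT = """\
Port State Service
21/tcp open ftp
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
515/tcp open printer
6000/tcp open X11
6004/tcp open X11:4
"""

# Assumed policy derived from the reply: netbios and the printer daemon have no
# business facing the internet; http, ftp and ssh are acceptable only when the
# listener is patched or disabled; X11 should never be reachable from outside.
POLICY = {
    "netbios-ssn": ("close", "IPC$ null sessions allow enumeration; SAM can be dumped over the network"),
    "printer": ("close", "old printer daemons have had root compromises"),
    "http": ("review", "patch IIS to the hilt or disable it"),
    "ftp": ("review", "old ftpd versions are vulnerable to root compromise"),
    "ssh": ("review", "old sshd versions are vulnerable to root compromise"),
}

LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)$")


def parse_ports(text):
    """Return (port, proto, state, service) tuples; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows


def classify(service):
    """Map a service name to (action, reason); X11 variants such as X11:4 are all closed."""
    if service.startswith("X11"):
        return "close", "X11 exposed to the network gives remote access to the display"
    return POLICY.get(service, ("review", "confirm this service must be reachable from the internet"))


def audit(text):
    """Return (port, service, action, reason) for every open port in the listing."""
    return [(port, service, *classify(service))
            for port, _proto, state, service in parse_ports(text) if state == "open"]


if __name__ == "__main__":
    for port, service, action, reason in audit(SCAN_OUTPUT):
        print(f"{port:>5}/{service:<12} {action:<6} {reason}")
```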