How hackers manage to discover Windows 95/98/ME share passwords


Lesson 13 - How hackers manage to discover Windows 95/98/ME share passwords

INTRODUCTION

This lesson demonstrates how hackers remotely discover Windows 9x/ME share passwords through an attack launched from Windows 2000. The first step is to find out which shares are available on the target machine. To do this, use the auditing tool “LANguard Network Scanner”:

ftp://ftp.languard.com/lannetscan2.exe

After downloading, install the utility:

Then run it and, in the “to:” field, type the IP address of the machine whose shared resources you want to discover. Assuming the target machine is a Windows 98 workstation with IP 192.168.0.4, type:

192.168.0.4

Then click the “SCAN” button:

After the scan runs, the first line of LANguard reports that the name of the target machine (NETBIOS NAME) is “ESTACAO4” and that it is running Windows98/SE:

Now, on to what matters: discovering the shares available on the workstation as well as their access passwords. To do this, start by expanding the Shares item:

According to the example in the figure above, there is a share called MEUSDOCS. To discover its password, right-click it and choose Crack Password. According to LANguard's response, the share's password is POWER:

With the password in hand, the resource can be accessed normally...

without any restriction:

PROTECTING WINDOWS 95/98/ME AGAINST THE ATTACK THAT DISCOVERS SHARE PASSWORDS

Microsoft has released a patch that eliminates a security vulnerability that allows a malicious user to access files shared by Windows 95, 98, 98 Second Edition and Windows ME without knowing the password associated with the share.

What’s this bulletin about?

Microsoft Security Bulletin MS00-072 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows 95, 98, 98 Second Edition, and Windows Me. Through a special utility, the vulnerability could allow a malicious user to connect to a password protected file share on any of the products listed above without knowing the entire password. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

What’s the scope of the vulnerability?

This is a privacy compromise vulnerability. The vulnerability could potentially allow unauthorized access to a user's password protected file share through the use of a malicious client utility without requiring a user to know the complete password for the share.

For customers using File and Print Sharing within a corporate environment, care should be taken when enabling this service. Microsoft recommends that user-level access permissions be granted to shares rather than share level permissions based on passwords. A still more robust solution is to use a Windows NT or Windows 2000 system as a file server.

What causes the vulnerability?

There is a flaw in the way the File and Print Sharing service implements password protection for a directory when that directory is shared over a network using share level access. The flaw could allow a malicious program to gain access to that share without knowing the complete password.

What is the File and Print Sharing Service?

The Microsoft Windows 9x and Windows Me family of products incorporate peer to peer networking capabilities that enable share level security on a file share. In other words a client can act like a server and vice versa in any Windows networking environment. Windows 9x and Windows Me offer share level access control to file shares and user-level access control when the Windows 9x or Windows Me system is part of a Windows NT domain.

Only share level security suffers from this vulnerability since only share level security uses passwords as the security mechanism for protecting the share.

I understand about sharing files, but what’s the difference between share level and user-level access?

Share level security provides a password controlled gate to protected resources. The advantage of this security paradigm is that it allows granting access to a large number of people with very little effort. However, it is not very secure, since the password is widely distributed and there is no notion of personal accountability. Windows NT's security paradigm is based on granting access to individuals each of whom has an account. This paradigm allows fine-grained control over per-user access and allows individual accountability. The disadvantage is that you must create a user account for each user you want to grant access to and you must grant that user the access (either directly or by adding the user to an appropriate group).

Note: User-level access permissions are only available on Windows 9x and Windows Me machines when they are part of a Windows NT domain.

What would this vulnerability allow a malicious user to do?

If a malicious user could exploit this vulnerability, they would be able to retrieve, modify, or delete any file within that share.

What protection does a password provide?

A password is like a lock on your door. It provides protection against unauthorized entry while still allowing you access. However the vulnerability that affects the password protection on a Windows 9x or Windows Me file share would allow unauthorized access, by a user who exploits a malicious client utility, without requiring that the user know the password for that share.

Who should use the patch?

Microsoft recommends that anyone with File and Print sharing enabled and using share level access on a Windows 9x or Windows Me system consider installing the patch.

What does the patch do?

The patch eliminates the vulnerability by eliminating the flaw in the password mechanism.

Where can I get the patch?

The download location for the patch is provided in the "Patch Availability" section of the security bulletin.

How do I use the patch?

The Knowledge Base article contains detailed instructions for applying the patch to your site.

How can I tell if I installed the patch correctly?

The Knowledge Base article provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.

What is Microsoft doing about this issue?

  • Microsoft has delivered a patch that eliminates the vulnerability.

  • Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.

  • Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.

  • Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.

Where can I learn more about best practices for security?

The Microsoft TechNet Security web site is the best place to get information about Microsoft security.

How do I get technical support on this issue?

Microsoft Product Support Services can provide assistance with this or any other product support issue.
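
An added example, not part of the original lesson or of Microsoft's bulletin: a C sketch of how a share-password check can accept less than the complete password, shown beside a corrected check. It assumes the server compares only as many bytes as the client says it sent (the FAQ above does not give this detail); the function names are hypothetical and the stored password is the POWER value from the lesson's example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the share password from the lesson's example. */
static const char SHARE_PASSWORD[] = "POWER";

/* Flawed pattern (assumed for illustration): the comparison length comes
 * from the client, so the client decides how much of the stored password
 * is actually verified. */
int check_flawed(const char *supplied, size_t supplied_len)
{
    size_t stored_len = strlen(SHARE_PASSWORD);

    if (supplied_len == 0 || supplied_len > stored_len)
        return 0;
    return memcmp(supplied, SHARE_PASSWORD, supplied_len) == 0;
}

/* Corrected pattern: the lengths must match, and every byte is compared
 * without an early exit. */
int check_fixed(const char *supplied, size_t supplied_len)
{
    size_t stored_len = strlen(SHARE_PASSWORD);
    unsigned char diff = 0;
    size_t i;

    if (supplied_len != stored_len)
        return 0;
    for (i = 0; i < stored_len; i++)
        diff |= (unsigned char)(supplied[i] ^ SHARE_PASSWORD[i]);
    return diff == 0;
}

int main(void)
{
    /* A one-byte prefix passes the flawed check and fails the fixed one. */
    printf("flawed(\"P\")     = %d\n", check_flawed("P", 1));
    printf("fixed(\"P\")      = %d\n", check_fixed("P", 1));
    printf("fixed(\"POWER\")  = %d\n", check_fixed("POWER", 5));
    return 0;
}
```

The same reasoning is behind the FAQ's advice to prefer user-level access: a per-share password check is the only gate, so any weakness in that comparison exposes the whole share.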

To protect your Windows 95/98/ME system against this vulnerability, you must install one of the patches provided by Microsoft:

Choose the patch that matches your system version and install it:

When the patch installation is complete, restart Windows so that the update takes effect:

Then attempt a new attack against the protected machine:

Note in the figure above that the attack was now unsuccessful. This concludes the demonstration of the effectiveness of the patches 273991USA5.EXE, 273991USA8.EXE and 273991USAM.EXE, which fix the vulnerability that allows Windows 95/98/ME share passwords to be discovered.
