Step 2: Use good information and good tools to get rolling

Step 2: Use good information and good tools to get rolling

When it comes to finding and exploiting security vulnerabilities in Windows, you need two things. The first is knowledge of new security vulnerabilities issued via vendors' and researchers' bulletins. You can subscribe to numerous vulnerability lists including Microsoft's own Security Update Alerts

    Requires Free Membership to View

    Login

    When you register, my team of editors will also send you the latest expert resources covering pertinent IT topics such as Windows server backup and recovery, server administration, storage management, infrastructure security, virtualization, Hyper-V, Active Directory and Group Policy.

    Cathleen A. Gagne, Senior Editorial Director

    By submitting your registration information to SearchWindowsServer.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchWindowsServer.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

as well as the VulnWatch Vulnerability Disclosure List. By knowing that certain Windows server-centric vulnerabilities exist, you'll know what to be on the lookout for.

Second, you need the right security tools to complement the knowledge factor. You cannot depend on them completely, but they do serve an important purpose in testing for vulnerabilities. Speaking of that, one interesting thing I'm finding of late is that many of the highly visible exploits integrated into tools such as Metasploit and CORE IMPACT often are not tested for by various freeware and commercial vulnerability scanners -- at least after the first several days of release. An example of this is the recent Windows Routing and Remote Access remote code execution vulnerability (MS06-025). Currently, it does not show up using several well-known vulnerability scanners but yet can be easily compromised using Metasploit as I'll demonstrate below.

This underscores the fact that up-to-date information is highly-beneficial and not all security tools are going to test for the latest and greatest exploits.

To start testing, you could look for a vulnerability as basic as a Windows null session. Figure 2 shows the results of a basic SuperScan null session scan of a Windows 2000 Server.


Figure 2

Notice that the enumeration was successful -- something that comes as a default "feature" in Windows 2000. Figure 3 shows how Qualys Inc.'s QualysGuard vulnerability scanner can root out missing patches and other issues from a server it knows nothing about otherwise.


Figure 3

Note the various issues with Windows server processes and services such as RPC and the TCP/IP stack -- a couple of which I find very often on even the most "currently patched" servers.


Hacking server processes and services

 Home: Introduction
 Step 1:  Home in on your target
 Step 2: Use good information and good tools to get rolling
 Step 3:  Drive your point home

ABOUT THE AUTHOR
Kevin Beaver (CISSP), is an information security consultant, expert witness, as well as a seminar leader and keynote speaker with Atlanta-based Principle Logic, LLC. Kevin can be reached at www.principlelogic.com.

This was first published in July 2006