ch16.htm

Maximum Security (First Edition) 网络安全 英文版

<H4><FONT COLOR="#000077"><B>Resources at </B><TT>Shareware.org</TT></FONT></H4>
<P>This page is the home of Integrity Master, an NCSA-certified security tool. It
can be found here:

<UL>
	<LI><A HREF="http://www.shareware.org/seds.htm"><TT>http://www.shareware.org/seds.htm</TT></A>
</UL>

<H2><FONT COLOR="#000077"><B>Windows and Windows for Workgroups</B></FONT></H2>
<P>Basic security within Windows and Windows for Workgroups is (and always has been)
seriously lacking. Password protection relies on the PWL files that are generated
when a user creates his password. These files need not be decrypted or even attacked.
They can simply be deleted. That alone makes the PWL scheme ineffective.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>In certain instances (when, for
	example, the cracker is seeking to gain access to a server), deletion will not do
	the trick. However, deleting one password allows the cracker to at least reach the
	local workstation, at which point he can crack other passwords. 
<HR>


</BLOCKQUOTE>

<P>Briefly, I want to address the encryption routine and general environment behind
the PWL file. First, the process uses two different functions: one to encrypt and
store the password, another to retrieve it. Those are, respectively:

<UL>
	<LI><TT>WNetCachePassword()</TT>
	<LI><TT>WNetGetCachedPassword()</TT>
</UL>

<P>The password remains cached. A programmer on your network can write a program
that will get the password of another user by using functions identical to <TT>WNetCachePassword()</TT>
and <TT>WNetGetCachedPassword()</TT>. The only restriction is that the targeted user
must be logged in at the time the program is executed (so the password can be trapped).
The password can then be cached out to another area of memory. Having accomplished
this, your programmer can bypass the password security scheme by using that cached
version of the password.</P>
<P>Likewise, you may be able to force the cached password into the swap file. Reportedly,
this technique reveals the password. (Nonetheless, this is a cumbersome and wasteful
method; there are other, easier ways to do it.)


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>TIP:</B></FONT><B> </B>One method is where multiple passwords
	are added to the password database at high speed. You could technically use a utility
	similar to Claymore to do this. Using this technique, you fill the available space
	for passwords (255 of them, actually). This causes an overflow, and the routine then
	discards older passwords. 
<HR>


</BLOCKQUOTE>

<P>But again, unless the cracker is seeking access to a Windows NT server via a Windows
for Workgroups box, this is academic. In most cases, the password files can simply
be deleted. Because there is no default file access control (or restrictions) in
Window for Workgroups, the PWL files do not stand a chance.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>This is vastly different from UNIX
	or even Windows NT in real NTFS mode, where certain files are protected from read,
	write, or execute calls from unauthorized users. For example, in UNIX, the file <TT>/etc/passwd</TT>
	may indeed be readable (though, the system administrator ought to be using shadowing).
	However, no one without root privileges can access or write to that file. 
<HR>


</BLOCKQUOTE>

<P>Windows for Workgroups, in its out-of-the-box state, provides no protection for
those PWL files. Using a utility such as PAC.exe (or Ledbetter's find.exe), you can
go to a prompt on a Windows for Workgroups workstation and disable all passwords
on the network with a single command line. The process would take no more than two
to three seconds. The command would be</P>
<PRE><FONT COLOR="#0066FF">pac /I /s *.pwl /k
</FONT></PRE>
<P>or</P>
<PRE><FONT COLOR="#0066FF">find *.pwl -v
</FONT></PRE>
<P>Having executed these commands, the network is yours for the asking. This problem
has been carried into the Windows 95 distribution. As explained on the Tip of the
Month page at Ronster's Compendium:

<DL>
	<DD>Did You Forget Your Password? If you forget your Windows 95 password, just press
	Escape at the Password Dialog Box, bring up the MS-DOS prompt and enter <TT>DIR *.PWL</TT>
	from your windows folder (<TT>C:\WINDOWS&gt;</TT> prompt) to find your <TT>.PWL</TT>
	files. Delete the one with your logon ID in front of it. Restart your system and
	enter a new password when prompted.
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Check out Ronster's Compendium's<I>
	</I>Tip of the Month page at <A HREF="http://199.44.114.223/rharri/tips.htm"><TT>http://199.44.114.223/rharri/tips.htm</TT></A>.
	
<HR>
</P>

</BLOCKQUOTE>

<P>This problem was not heavily publicized because Windows security was not an issue
relevant to the Internet. However, almost immediately after Windows 95 (with rich,
new Internet functionality) was released, the issue appeared in national magazines.
In fact, many news stories concentrated not only on Microsoft's failure to protect
such files, but also on the weak password scheme employed. As Eamonn Sullivan noted
in his article &quot;Win 95 Password Caching Flawed&quot; (published in <I>PC Week</I>,
December 8, 1995):

<DL>
	<DD>The password-caching scheme used in Windows 95 has a serious flaw that can make
	it easy for hackers to discover network and E-mail passwords...Source code illustrating
	the problem was distributed on the Internet last week. PC Week Labs compiled the
	source code on a Sun Microsystems Computer Co. SPARCStation and was able to decrypt
	several Windows 95 password files. Decrypting the files and discovering the passwords
	took less than a second, although the source code inexplicably did not work on some
	password files.
</DL>

<P>However, I need not cover this subject further, for there are utilities currently
available that will crack PWL files. Here is one:
<H4><FONT COLOR="#000077"><B>Glide</B></FONT></H4>
<P>Glide cracks PWL files. It comes with the CPP file for those interested in examining
it. The cracking party enters the filename (PWL) and the username associated with
it. This utility is quite effective (it works at a command prompt in a shell window
or at a DOS prompt). It can be found online here:

<UL>
	<LI><A HREF="http://www.iaehv.nl/users/rvdpeet/unrelate/glide.zip"><TT>http://www.iaehv.nl/users/rvdpeet/unrelate/glide.zip</TT></A>
</UL>

<P>With respect to Internet security, Microsoft Windows and Windows 3.11 are not
so relevant. This is because the majority of implementations of the TCP/IP stack
on these two systems do not include server software. Thus, someone connecting to
the Net via TCPMAN, for example, is really nothing but a dead IP address from a cracker's
point of view. There are no outbound services running and therefore there is nothing
to connect to. That situation changes, however, if server software is loaded. Following
is one utility that can assist in strengthening that rather weak state of security.
<H4><FONT COLOR="#000077"><B>KDeskTop (Keep Out)</B></FONT></H4>
<P>KDeskTop protects your desktop in Windows. One interesting feature is that it
disables your ability to execute a warm reboot from the Windows environment. It provides
password protection for your Windows desktop (on boot into the Windows environment,
this program issues a login prompt). It can be found here:

<UL>
	<LI><A HREF="http://www.anaplastic.com/kdesk.zip"><TT>http://www.anaplastic.com/kdesk.zip</TT></A>
</UL>

<H2><FONT COLOR="#000077"><B>Windows 95</B></FONT></H2>
<P>Windows 95 harbors many of the same security flaws that Windows and Windows for
Workgroups do. For example, even though Microsoft has provided a new system of managing
the password process, the password problem is still an issue. Although Microsoft
hints that its new system will improve security, it does not. The password protection
scheme is no more robust than the one in Windows for Workgroups.</P>
<P>Reportedly, the way to password-protect a Windows 95 workstation is to set the
properties so that password caching is disabled and to enable user customization
of desktop preferences. The process takes no time at all:

<DL>
	<DD><B>1. </B>Open the Control Panel and choose the Network option.<BR>
	<BR>
	<B>2. </B>If the Primary Network Logon option is not already set to Windows Logon,
	you should set it to this option (see Figure 16.3).
</DL>

<P><A NAME="03"></A><A HREF="03.htm"><B>FIGURE 16.3.</B></A> <I><BR>
Set Primary Network Logon to Windows Logon.</I>

<DL>
	<DD><B>3. </B>Change the password and desktop settings. This is accomplished by opening
	the Control Panel and going to the Passwords Properties window (see Figure 16.4).
</DL>

<P><A NAME="04"></A><A HREF="04.htm"><B>FIGURE 16.4.</B> </A><I><BR>
By default, Windows 95 sets the user profiles so that all users utilize the same
preferences and desktop settings. This must be changed.</I>

<DL>
	<DD><B>4. </B>At the Password tab window, change the settings so that you can specify
	your own desktop preferences (see Figure 16.5).
</DL>

<P><A NAME="05"></A><A HREF="05.htm"><B>FIGURE 16.5.</B> </A><I><BR>
Select the option that allows users to specify their own preferences and desktop
settings.</I>

<DL>
	<DD><B>5. </B>Reboot the machine. You have just completed a process that many specialists
	suggest will effectively password-protect your machine. But will it? Hardly.
</DL>

<P>If a cracker were to breeze through your department and see such a machine so
configured, it would take him less than two minutes to undermine this scheme. His
steps would be as follows:

<DL>
	<DD><B>1. </B>Turn the machine off.<BR>
	<BR>
	<B>2. </B>Turn it back on and allow it to go through the initial boot phase (that
	is, let the machine continue until it recognizes the drives and until the Windows
	95 screen comes up).<BR>
	<BR>
	<B>3. </B>While the Windows 95 screen is still visible, the cracker executes a warm
	reboot procedure (this must occur while Windows 95 is attempting to load the initial
	system and drivers).<BR>
	<BR>
	<B>4. </B>When the machine reboots, it will not load Windows 95. Instead, it will
	display a screen that offers to start the machine in several different modes, including
	safe mode and command-line mode.<BR>
	<BR>
	<B>5. </B>The cracker chooses safe mode and proceeds to the Registry editor (by executing
	<TT>regedit</TT>). Once in the Registry editor, the cracker can do anything he likes
	(including disabling the options you set in the procedure outlined previously).
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>TIP:</B></FONT><B> </B>One excellent way to bypass the password
	security on networked boxes, particularly security schemes set with the Policy editor,
	is to simply pull the plug (remove the Ethernet card temporarily or unplug it from
	the machine). When Windows reboots, you will encounter errors, and you may be forced
	to go into safe mode (much depends on whether you are using third-party drivers on
	the box). In any event, in safe mode or normal mode, you can proceed to kill all
	the password protection. 
<HR>


</BLOCKQUOTE>

<P>Many Microsoft security models are fragile. Consider Microsoft Access, the standard
package for building business databases. Access uses a language called Access Basic.
It is an extremely powerful package, often used to create multiuser databases. The
newer versions of Access are incredibly fluid in the manipulation of data.</P>
<P>Access performs authentication based on an internal security identifier (SID).
This SID is derived from running the username and the personal identifier (PID) through