Introduction to Microsoft Windows based Security, 101:
I’d like to assume you know about your computer, how it functions, and that you can do a little more than type a document; that you know about file folders, drive letters, maybe even what a hard drive, an Ethernet card or a wireless connection is. I’d also like you to understand Task Manager, what a process is, and the basics of network connections – such as what an IP address is and what a port is, what a DNS record is, and what a route is. Also, it would be nice if you understood how to open a Command shell, how to look up things in the registry, and
Now if you don’t know the above things, then take about 4 hours one night, do a search on your internet and just get comfortable with these concepts – make sure you know how to do the basics, such as moving and copying files, at the very least. Go there. Now. Don’t continue reading until you understand this. OK, good. You’re back. Now moving forward.
What I would like you to do is rethink what the computer actually is. Don’t think of your computer as being a static unthinking thing. Think of it as an extension or mirror of you. Your computer has a CPU – a Central Processing Unit. Don’t you as well? It’s called your brain! Your computer has a hard drive, and you do too – it’s called your body. Your computer has peripheral devices also known as the mouse, the keyboard, the touchpad, the monitor, the camera, the sound – and you do too – your hands, your feet, your eyes, your ears and so on. Now this is not to say you are a computer, there are some out there who would like you to believe that you are, but rest assured you are far more than that – a living, breathing thing, and the computer is the ‘tool’ we use to access other things.
With this said, the key to computer hacking is understanding how the system works in its entirety. Many hackers hack for money, glory, maybe even the notoriety. These are known as black hat hackers. I spent much of my time converting these hackers over. Then there’s a group called the White Hat Hackers. Now I won’t go telling you they are all Anonymous, but most in Anonymous are what you would classify as White Hat Hackers – we are here to learn, to become our potential as individuals and as a society, and while we are human as well and clearly don’t mind having our ego stroked, we are primarily motivated by shaping a healthier, wealthier, and more fun existence: first and foremost for ourselves as individuals (we are entitled to our individualistic experience), and secondly for existence as we know it. With that said, we have sacrificed short term gains and watched and listened to the rhetoric and propaganda and learned who’s who, to change the game. To ‘own’ the game, you could say.
Every hacker has a toolkit. I’ll show you my toolkit in a bit. But for every hacker, the toolkit starts with understanding a few basic commands available on every windows based machine. I’ll only go through my two favorites.
Netstat – the command line TCP connections utility
Netstat is a very useful tool for determining who’s connected to your computer using something called UDP and/or TCP connections. UDP connections are things like ‘Pings’, and TCP connections carry ‘Conversations’ via ports such as HTTP (port 80) (for your web pages), POP and SMTP (for your email connections if you don’t use something like Google), and FTP (21 or 23 or both I think) (for large file transfers). These ‘Conversations’ are also known as ‘Protocols’. Pings are perfectly useless commands nowadays if you’re hacking from outside of a network, which you usually are – so I won’t get into their lack of utility nowadays.
Right about now I’d suggest putting this down again, and reading up on Protocols, what they do, why they do it – and while it’s not necessary to understand the ‘construct’ of protocols, it’s nice to have for when we get into sniffing.
What happens when we run the command line utility is we get a list of almost all UDP/TCP connections to and from our machine. Here’s an example ‘run’:
As you can see, there’s the initial command executed, “Netstat -aon”. What these parameters (aon) tell netstat is that you want -a addresses only, -o the associated process id of the connection, and -n addresses in numeric format (the creator of this screenshot wanted to hide the names of the porn sites he was surfing). From left to right you have the protocol being used for the connection; the local IP address assigned to the connection to ‘listen’ on and the associated port; the remote or destination IP for this connection and its associated port; the ‘state’ of the connection – is it active, disconnected, or waiting for a connection; and finally, the process id for who/what is using this connection.
Now let’s say you have a mysterious connection when everything is shut down on your system. If you know how to use task manager, you can pull that up, and reference the PID listed and hunt down the task to find out what’s going on.
In Windows Task Manager, under the ‘View’ menu, select ‘Select Columns’. This pops up the dialog box where you can select “PID (Process Identifier)”, which will then show up as an available column under the “Processes” tab. From there, be sure you have ‘Show Processes from All Users’ selected (it’s the button at the bottom of the task manager) – and then look for the mysterious process’s PID and the process image name associated with it. Use your internet to find out more information on processes and what they do.
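To do the same PID hunt from the command line instead of Task Manager, here is an added Python example (not from the original post) that parses captured `netstat -ano` and `tasklist /FO CSV /NH` output, joins each established connection to its owning image name, and lists the ones talking to hosts outside the machine and its private networks; both samples are constructed. For reference, netstat’s own help defines -a as all connections and listening ports, -n as numeric addresses with no name lookup, and -o as the owning PID.

```python
import csv
import ipaddress

# Constructed sample of "netstat -ano" output (not a real capture).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:49670        127.0.0.1:49671        ESTABLISHED     4420
  TCP    192.168.1.20:50123     203.0.113.45:443       ESTABLISHED     4420
  TCP    192.168.1.20:50130     198.51.100.7:8080      ESTABLISHED     7731
  UDP    0.0.0.0:5353           *:*                                    2208
"""
# Constructed sample of "tasklist /FO CSV /NH" output; PID 7731 is deliberately absent.
TASKLIST_SAMPLE = '''"svchost.exe","912","Services","0","12,345 K"
"chrome.exe","4420","Console","1","210,004 K"
"mdnsresponder.exe","2208","Console","1","5,120 K"
'''
# Peers in these ranges are this machine or its private network, not an outside host.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8",
              "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "::1/128", "fe80::/10")]

def parse_netstat(text):
    """One dict per connection row; UDP rows have no State column, so PID is the last field."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # skips the header and blank lines
        state = parts[3] if parts[0] == "TCP" else ""
        rows.append({"proto": parts[0], "local": parts[1], "foreign": parts[2],
                     "state": state, "pid": int(parts[-1])})
    return rows

def parse_tasklist(text):
    """Map PID -> image name from tasklist CSV rows (image name first, PID second)."""
    return {int(r[1]): r[0] for r in csv.reader(text.splitlines()) if len(r) >= 2}

def is_external(endpoint):
    """True if 'host:port' (or '[v6]:port') names a host outside this machine and its LAN."""
    host = endpoint.rsplit(":", 1)[0].strip("[]")
    if host == "*":  # UDP rows show '*:*' because there is no peer
        return False
    return not any(ipaddress.ip_address(host) in net for net in LOCAL_NETS)

def triage(netstat_text, tasklist_text):
    """Established connections to outside hosts, joined to the owning image; unknown PIDs stand out."""
    procs = parse_tasklist(tasklist_text)
    return [(c["pid"], procs.get(c["pid"], "<no matching process>"), c["foreign"])
            for c in parse_netstat(netstat_text)
            if c["state"] == "ESTABLISHED" and is_external(c["foreign"])]
```

A PID that netstat reports but tasklist cannot name (as with 7731 in the sample) is exactly the mysterious connection the paragraph above tells you to chase down.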
NSLookup – The Name Space Lookup utility
Whenever you visit a web site, let’s say Google, behind the scenes there’s a translation occurring that takes that name and translates it to a number so your computer knows where to send the information. This is no different from having programmed a person’s name into your phone, so you don’t have to remember the number.
With netstat above, we used the ‘-a’ option, which tells netstat NOT to do a name lookup, because sometimes these lookups can be quite slow. That’s ALL nslookup does: it translates a name to a number. That’s it. But it’s rather useful when you’re trying to use other tools we’ll get to later.
Here’s an example of an nslookup run:
When you do an nslookup, you get two distinct IPs – one is the name server responsible for maintaining the translation of the name to the IP; that’s the first part of the response received. The second part is the destination address itself for the site you looked up. Your ‘default server’ is a reference to you and your resolving host, so ignore that.
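As an added illustration (not from the original post), this Python parser separates the two parts of an nslookup response described above: the resolver’s Server:/Address: lines from the Name:/Address(es): lines of the answer, including the multi-address and ‘can’t find’ cases. The sample output is constructed, with documentation-range names and addresses.

```python
import re

# Constructed sample of Windows "nslookup www.example.com" output (not a real capture).
NSLOOKUP_SAMPLE = """Server:  resolver.example.net
Address:  192.168.1.1

Non-authoritative answer:
Name:    www.example.com
Addresses:  2001:db8::10
          203.0.113.10
Aliases:  www.example.com
"""
# Constructed failure case in the shape of nslookup's 'Non-existent domain' message.
NSLOOKUP_NXDOMAIN = """Server:  resolver.example.net
Address:  192.168.1.1

*** resolver.example.net can't find nosuch.example.com: Non-existent domain
"""

def parse_nslookup(text):
    """Separate the resolver that answered (your 'default server') from the answer itself."""
    result = {"resolver": {}, "name": None, "addresses": [], "aliases": [],
              "authoritative": True, "error": None}
    section = "resolver"  # the first Server:/Address: pair describes the name server asked
    for line in text.splitlines():
        m = re.match(r"\*\*\* .*?can't find (\S+): (.*)", line)
        if m:
            result["error"] = {"query": m.group(1), "reason": m.group(2)}
        elif line.startswith("Non-authoritative answer"):
            result["authoritative"] = False  # served from the resolver's cache
        elif line.startswith("Name:"):
            section = "answer"
            result["name"] = line.split(":", 1)[1].strip()
        elif line.startswith("Server:"):
            result["resolver"]["name"] = line.split(":", 1)[1].strip()
        elif line.startswith("Address"):  # "Address:" or "Addresses:"; split once so IPv6 keeps its colons
            value = line.split(":", 1)[1].strip()
            if section == "resolver":
                result["resolver"]["address"] = value
            else:
                result["addresses"].append(value)
        elif line.startswith("Aliases:"):
            section = "aliases"
            result["aliases"].append(line.split(":", 1)[1].strip())
        elif line[:1].isspace() and line.strip() and section != "resolver":
            # indented continuation lines belong to the preceding Addresses:/Aliases: list
            result["addresses" if section == "answer" else "aliases"].append(line.strip())
    return result
```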
Just keep this command in mind. Play with it a bit (that’s what she said). You’ll need this later.
Here are a few other important commands to remember. These aren’t as important for working with other computers, but they certainly help you understand your computer more:
IPConfig – This command provides you all your local (on your computer) TCP Network connectivity information and your local interfaces.
Nbtstat and Route – These commands are both marginally useful to obtain routing information for the computer and for remote computers. More often than not, both fail to provide useful information and nbtstat rarely works reliably for remote hosts.
Tasklist and Taskkill – GREAT commands used for looking up the tasks that are displayed in the task manager from the command line, and taskkill is a VERY useful command to eliminate a process and its process tree (all underlying processes) quickly and painlessly.
ping and pathping – Look, let’s face it. These commands used to work great. But with personal and corporate firewalls filtering out most UDP for fear of a SYN Flood – otherwise known by the telltale ‘giveaway’ of a hacker wanna-be Barrett Brown, who probably knows nothing of hacking – the DDOS attack (Direct Denial of Service – this was coined by the media)... these commands are utterly useless.
WMIC and powershell – Boy, the things you can do with these once you’ve obtained administrative access to a machine. With these bad boys, you can control any computer beyond what was previously imaginable. Beautiful, beautiful commands. Nuff said. Research it yoself.
“Re-Connect with your computer”
Microsoft has a great set of tools called Sysinternals. These tools can be directly downloaded here. Now once you’ve downloaded the file, unzip it in a directory you’re familiar with (you BETTER remember directories by now!).
First and foremost, run every command from this suite ‘As Administrator’. Use your internet to find out how. If you have any issues with these commands and you haven’t done this, then first I’ll virtually slap you, then I’ll tell you to re-read this paragraph.
With that said, I am referring you to these tools as a way to ‘get to know’ your computer. I’ll describe the ones I find important, but I want to leave it up to you to find and learn about what’s important to you.
Overview of important programs in this zip file:
TCPView – Hands down, the best program in the suite, this utility does what netstat at the command line does, only better. It tells you ALL KNOWN (and non filtered) connections coming into and out of your machine, for all protocols, and a real time log of volume of information coming to and from you and your destination host. A kick ass command to keep up and running just to see who and what is hitting your machine.
Procexp – This command is a close second for me in determining everything you ever wanted to know about what a process is doing – how much memory it’s consuming, what files it has opened, what sub-processes it may own, the company name and detail information about the process, who has security rights, TCP connections, build information, even all the data within the process itself. It’s quite... shall we say... nifty for the start of reverse engineering malware and then hacking the sloppy hackers (which constitute about 95% of the hackers out there).
Autoruns – Now this one is a favorite of mine for one reason: it helps you understand what processes and DLLs are running ‘behind the scenes’ when you right-click on a file in Windows Explorer or when Windows first starts up. Dive into this one a bit, but be careful, you can screw things up pretty quick if you start going through and wantonly deleting or disabling things. Yep. I’ve completely disabled my Windows with this baby.
The rest of the programs in the Sysinternals Suite are mostly useful, with the exception of a few such as rootkitrevealer – it doesn’t detect any newer generation rootkits at all. My suggestion is you take the time between now and my next blog entry, and you just get accustomed to these tools and how they work. What they do. How your system functions. How it communicates. Where it communicates. And really – just learn about how your system works inside and out.
On my next entry, I’ll dive into specific details about the hacking tools, but before I leave you, here’s this little hint of what’s coming next:
Have you ever heard of wardriving? It’s when you drive down the road, slowly with your laptop on your passenger’s seat, and you are looking for wireless networks, preferably the unsecured kind. Why? Because once you have a hold of an external network device, you have access to all the machines which are behind it. And when the ‘gatekeeper’ is unsecured, well then, we have a LOT easier time figuring out the ‘lay of the land’ behind that machine, and can do system scans using a tool called nMap fishing for areas you can use an exploit to access the machine, and once you have a hold of that machine, you’ve got yourself another computer on your botnet. I’ll get into more detail on that tool in my next BLOG entry.
One of my favorite sites is Nirsoft, which provides tools for hacking that I’ll get more into next time. Microsoft does not offer the ‘out of the box’ capability to look at what’s going on with your wireless devices. And for our wardriving efforts, Nirsoft has just the utility we need – the WirelessNetView utility does just that. Download it here.
Here’s a sample screenshot:
Now what this does is show all wireless devices within range of your machine. That’s the first column. The second column shows the signal strength last received, and the third is an average since the time the device came online. The other pertinent columns are Security Enabled (no is preferable, but there are ways around that), and Cipher (if security is enabled, it tells us what we need to hack through). The other columns are ‘good to know’, but what’s important is understanding the signal strength: if you are wardriving, you can figure out how to get yourself closest to the device without being seen, and the ‘tools’ you will need to crack open the connection if it’s secured. If it ain’t, well, you’re almost golden.
I’ll get into more on that later.