Text - Tech - OS - NT - security guide 06.txt | Text File | 2003-09-27 | 7KB | 125 lines
NT security guide, Section 06
File and Directory Access
06-1. How is file and directory security enforced?
06-2. What is NTFS?
06-3. Are there any vulnerabilities in NTFS and access controls?
06-4. What is Samba and why is it important?
06-5. I hack remotely. Once in, how can I do all that GUI stuff?
06-1. How is file and directory security enforced?
Since files and directories are considered objects (same as services), the
security is managed at an "object" level.
An access-control list (ACL) contains information that controls access to an
object or controls auditing of attempts to access an object. It begins with a
header that contains information pertaining to the entire ACL, including the
revision level, the size of the ACL, and the number of access-control entries
(ACEs) in the list.
After the header is a list of ACEs. Each ACE specifies a trustee, a set of
access rights, and flags that dictate whether the access rights are allowed,
denied, or audited for the trustee. A trustee can be a user account, group
account, or a logon account for a service program.
A security descriptor can contain two types of ACLs: a discretionary ACL (DACL)
and a system ACL (SACL).
In a DACL, each ACE specifies the types of access that are allowed or denied for
a specified trustee. An object's owner controls the information in the object's
DACL. For example, the owner of a file can use a DACL to control which users can
have access to the file, and which users are denied access.
If the security descriptor for an object does not have a DACL, the object is not
protected and the system allows all attempts to access the object. However, if
an object has a DACL that contains no ACEs, the DACL does not grant any access
rights. In this case, the system denies all attempts to access the object.
In a SACL, each ACE specifies the types of access attempts by a specified
trustee that cause the system to generate audit records in the system event log.
A system administrator controls the information in the object's SACL. An ACE in
a SACL can generate audit records when an access attempt fails, when it
succeeds, or both.
To keep track of the individual object, a Security Identifier (SID) uniquely
identifies a user or a group.
A SID contains:
User and group security descriptors
48-bit ID authority
Revision level
Variable subauthority values
A privilege is used to control access to a service or object more strictly than
is normal with discretionary access control. Privileges provide access to
services rarely needed by most users. For example, one type of privilege might
give access for backups and restorals, another might allow the system time to be
changed.
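The DACL and SACL rules above can be modelled in a few lines. This is an added illustration, not code from the guide or from Windows: the ACE fields, the access-right bit values and the SIDs are constructed for the example, and the ordered walk in which a matching deny ACE wins is the standard NT evaluation rule.

```python
from dataclasses import dataclass
from typing import List, Optional
READ, WRITE, DELETE = 0x1, 0x2, 0x4  # constructed access-right bits for the model

@dataclass
class Ace:
    kind: str                 # "allow" or "deny" (DACL), "audit" (SACL)
    trustee: str              # SID string of the user or group
    mask: int                 # access rights this ACE covers
    on_success: bool = False  # audit ACEs: record successful attempts
    on_failure: bool = False  # audit ACEs: record failed attempts

def access_check(dacl: Optional[List[Ace]], token_sids: set, requested: int) -> bool:
    """None: no DACL, object unprotected, all access allowed. []: DACL with no
    ACEs, nothing granted, all access denied. Otherwise walk the ACEs in order."""
    if dacl is None:
        return True
    remaining = requested
    for ace in dacl:
        if ace.trustee not in token_sids or ace.kind == "audit":
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False            # a matching deny on a still-needed right wins
        if ace.kind == "allow":
            remaining &= ~ace.mask  # these rights are now satisfied
            if remaining == 0:
                return True
    return False                    # some requested right was never granted

def should_audit(sacl: Optional[List[Ace]], token_sids: set, requested: int, granted: bool) -> bool:
    # An audit ACE fires when the trustee and rights match and its success/failure flag is set
    for ace in sacl or []:
        if ace.trustee in token_sids and ace.mask & requested:
            if (granted and ace.on_success) or (not granted and ace.on_failure):
                return True
    return False

def demo() -> dict:
    # Constructed trustees: a user SID and the well-known Everyone SID (S-1-1-0)
    alice, everyone = "S-1-5-21-0-0-0-1001", "S-1-1-0"
    token = {alice, everyone}
    dacl = [Ace("deny", alice, DELETE), Ace("allow", everyone, READ | WRITE | DELETE)]
    sacl = [Ace("audit", everyone, DELETE, on_success=True, on_failure=True)]
    return {
        "read": access_check(dacl, token, READ),           # True
        "delete": access_check(dacl, token, DELETE),       # False, deny ACE matched first
        "no_dacl": access_check(None, token, DELETE),      # True, unprotected object
        "empty_dacl": access_check([], token, READ),       # False, no rights granted
        "audit_delete": should_audit(sacl, token, DELETE, False),  # True
    }
```

The "no_dacl" and "empty_dacl" results show the difference the text draws: a missing DACL opens the object to everyone, while an empty one closes it.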
06-2. What is NTFS?
NTFS is the Windows NT special file system. This file system is tightly
integrated into Windows security -- it is what allows access levels to be set
from the directory down to individual files within a directory.
06-3. Are there any vulnerabilities in NTFS and access controls?
Not so much vulnerabilities as there are quirks -- quirks that can be exploited
to a certain degree.
For example, let's say the system admin has built a home directory for you on
the server, but has disallowed the construction of directories or files that you
wish to make available to the group Everyone. You want to make this special
directory so that you can easily retrieve some hack tools, but you are cut off.
However, if the sys admin left you as the owner of the home directory, you can
go in and alter its permissions. This is because as long as you are the owner or
Administrator you still control the file. Oh sure, you may get a few complaints
from the system when you are doing it, but it can be done.
Since NTFS has security integrated into it, there are not too many ways around
it. The main one requires access to the physical system. Boot up the system on a
DOS diskette, and use NTFSDOS.EXE. It will allow you to access an NTFS volume
bypassing security.
The last quirk is that if you have a directory with Full Control instead of
RWXDPO permissions, then you get a hidden permission called File Delete Child.
FDC cannot be removed. This means that all members of the group Everyone can
delete any read-only file in the directory. Depending on what the directory
contains, a hacker can replace a file with a trojan.
06-4. What is Samba and why is it important?
Samba is a freeware app developed by Andy Tridgell. It is a great tool for
helping integrate Unix into Microsoft Windows and Lan Manager environments. The
main idea is that, with Samba, you can allow a Unix machine to access files and
directories. The other handy thing about Samba is that, like most Unix freeware,
you get the source code.
Most hackers seem to have Linux up and running, so loading up Samba allows you
several tactical advantages. A number of the exploits described here require
access to a privileged port (<1024). If you are root on your own Linux box, you
can start exploits from those needed ports. A lot of the tests in the NMRC lab
were conducted using Samba. In fact, when World Star Holdings Ltd in Canada had
their lame Cybertest '96 contest on June 12th, yours truly used Samba to break
in (but I wasn't first).
Samba talks SMB and can directly access Windows NT hardware, and Hobbit
(hobbit@avian.org) has put together a very interesting paper entitled "CIFS:
Common Insecurities Fail Scrutiny". It is highly recommended reading for admins
and hackers alike. Included in the paper are details and source patches to allow
easier attacking on NT.
Studying the source code of Samba taught me a lot, but Hobbit's paper puts
everything in a whole new light. It provides some well documented basics on how
a lot of the communications work, detailing exactly WHY certain protocols and
behaviours are vulnerable to abuse.
Get Samba and read its documentation. Read Hobbit's paper and apply the patches.
Period.
06-5. I hack remotely. Once in, how can I do all that GUI stuff?
The main problem is adjusting NT file security attributes. Some utilities are
available with NT that can be used, but I'd recommend using the NT Command Line
Security Utilities. They include:
saveacl.exe - saves file, directory and ownership permissions to a file
restacl.exe - restores file permissions and ownership from a saveacl file
listacl.exe - lists file permissions in human readable format
swapacl.exe - swaps permissions from one user or group to another
grant.exe - grants permissions to users/groups on files
revoke.exe - revokes permissions to users/groups on files
igrant.exe - grants permissions to users/groups on directories
irevoke.exe - revokes permissions to users/groups on directories
setowner.exe - sets the ownership of files and directories
nu.exe - 'net use' replacement, shows the drives you're connected to
The latest version can be found at ftp://ftp.netcom.com/pub/wo/woodardk/.