HackNote / Windows Security Portable Reference / O'Dea / 222785-0 / Reference Center (print proof dated Friday, June 13, 2003)

Common Ports and Services (continued)

Port         Protocol   Description
5800+        TCP        VNC
5900+        TCP        VNC
6272         TCP        TROJAN secretservice
6667         TCP        IRC (Internet Relay Chat); TROJAN various
6969         TCP        TROJAN net controller
8000-8001    TCP        HTTP Alternate
8080         TCP        HTTP Alternate
8961         TCP        TROJAN aok-backdoor
12345        TCP        TROJAN netbus; Trend Micro virus management
17300        TCP        TROJAN kuang-2
18181-18187  TCP, UDP   Checkpoint OPSEC
20034        TCP        TROJAN netbus2
31337        UDP        TROJAN backorifice
32771        TCP        Solaris RPC portmapper (high port)
33567-33568  TCP        TROJAN lionworm
33911        TCP        TROJAN spirit
34324        TCP        TROJAN big-gluck
36794        TCP        TROJAN bugbear
37237        TCP        TROJAN mantis
40421        TCP        TROJAN agent-40421
43188        TCP        ReachOut (remote control)
60008        TCP        TROJAN lionworm
61348        TCP        TROJAN bunker hill
61603        TCP        TROJAN bunker hill
63485        TCP        TROJAN bunker hill
65421        TCP        TROJAN jade

Common NetBIOS Name Table Definitions

NetBIOS Name            Type    Description
[nbname] <00>           UNIQUE  Workstation Service on host [nbname]
[domain] <00>           GROUP   System is a member of [domain]
<\\__MSBROWSE__> <01>   GROUP   Master Browser
[nbname] <01>           UNIQUE  Messenger Service
[nbname] <03>           UNIQUE  Messenger Service
[username] <03>         UNIQUE  Messenger Service for user [username]
[nbname] <06>           UNIQUE  Remote Access Services
[nbname] <1F>           UNIQUE  Network DDE Service
[nbname] <20>           UNIQUE  (File) Server Service
[nbname] <21>           UNIQUE  Remote Access Services Client service
[nbname] <22>           UNIQUE  Microsoft Exchange Interchange
[nbname] <23>           UNIQUE  Microsoft Exchange Store
[nbname] <24>           UNIQUE  Microsoft Exchange Directory
[nbname] <30>           UNIQUE  Modem Sharing Server
[nbname] <31>           UNIQUE  Modem Sharing Client
[nbname] <43>           UNIQUE  SMS Client Remote Control
[nbname] <44>           UNIQUE  SMS Administrator Remote Control Tool
[nbname] <45>           UNIQUE  SMS Client Remote Chat program
[nbname] <46>           UNIQUE  SMS Client Remote Transfer service
[nbname] <6A>           UNIQUE  Microsoft Exchange Internet Mail Connector service
[nbname] <87>           UNIQUE  Microsoft Exchange Mail Transfer Agent
[nbname] <BE>           UNIQUE  Network Monitor Agent
[nbname] <BF>           UNIQUE  Network Monitor Application
[domain] <1B>           UNIQUE  Domain Master Browser
[domain] <1C>           GROUP   Domain Controller
[domain] <1D>           UNIQUE  Master Browser
[domain] <1E>           GROUP   Browser Service Elections
<INet~Services> <1C>    GROUP   Internet Information Services
<IS~[nbname]> <00>      UNIQUE  Internet Information Services

Windows Security Fundamentals: Concepts

Concept               Summary
Security Identifier   Alphanumerical representation of a Windows system or domain (the SID), followed by the identifier of a user or group within it, known as the RID (relative identifier).
Built-in accounts /   Each Windows operating system ships with a number of user contexts installed by default. A list of these accounts is presented after this table.
Default accounts
SAM                   The Windows Security Accounts Manager database, responsible for storing group and user account details.
Password hashing      Process of generating a cryptographic representation of a password. Password hashes are one-way (non-reversible), so the only way to recover a password is a brute-force or dictionary attack: hash each candidate and compare it with the stored value.
LSA                   Comprised of the Local Security Authority Subsystem (LSASS) and the Security Reference Monitor (SRM), the Local Security Authority is the system responsible for enforcing Windows system security.
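The NetBIOS name table above is what a node-status (NBSTAT) query returns for a host. The following is an added example, not code from the HackNotes Reference Center: it parses the raw 18-byte NODE_NAME records of an RFC 1002 node-status response (15-byte space-padded name, 1-byte suffix, 2-byte NAME_FLAGS with the GROUP bit at the top), labels each entry with the suffix meanings tabulated above, and summarises what the table reveals about the host. The sample response bytes are constructed inline, not captured from a real system.

```python
"""Decode the name table of a NetBIOS node-status (NBSTAT) response.

Added example, not code from the HackNotes Reference Center. Record
layout follows the RFC 1002 NODE_NAME entry; suffix meanings are taken
from the NetBIOS name table above. The sample bytes are constructed.
"""
import struct

UNIQUE_SUFFIXES = {
    0x00: "Workstation Service",
    0x01: "Messenger Service",
    0x03: "Messenger Service",
    0x06: "Remote Access Services",
    0x1B: "Domain Master Browser",
    0x1D: "Master Browser",
    0x1F: "Network DDE Service",
    0x20: "(File) Server Service",
    0x21: "Remote Access Services Client",
    0x6A: "Microsoft Exchange Internet Mail Connector",
    0x87: "Microsoft Exchange Mail Transfer Agent",
}
GROUP_SUFFIXES = {
    0x00: "Domain/workgroup membership",
    0x01: "Master Browser (__MSBROWSE__)",
    0x1C: "Domain Controller (or IIS, for INet~Services)",
    0x1E: "Browser Service Elections",
}

RECORD = struct.Struct(">15sBH")   # name, suffix, NAME_FLAGS (big-endian)
GROUP_BIT = 0x8000                  # G bit of NAME_FLAGS: 1 = GROUP, 0 = UNIQUE
ACTIVE_BIT = 0x0400                 # ACT bit of NAME_FLAGS
MSBROWSE = b"\x01\x02__MSBROWSE__\x02"   # the browser election name, 15 bytes


def parse_node_names(table: bytes) -> list:
    """Parse consecutive NODE_NAME records into dicts with the printable name,
    suffix byte, UNIQUE/GROUP type, active flag and tabulated description."""
    if len(table) % RECORD.size:
        raise ValueError("name table is not a multiple of %d bytes" % RECORD.size)
    names = []
    for raw_name, suffix, flags in RECORD.iter_unpack(table):
        is_group = bool(flags & GROUP_BIT)
        if raw_name == MSBROWSE:
            printable = "__MSBROWSE__"   # control bytes are not printable
        else:
            printable = raw_name.rstrip(b" ").decode("ascii", errors="replace")
        lookup = GROUP_SUFFIXES if is_group else UNIQUE_SUFFIXES
        names.append({
            "name": printable,
            "suffix": suffix,
            "type": "GROUP" if is_group else "UNIQUE",
            "active": bool(flags & ACTIVE_BIT),
            "description": lookup.get(suffix, "unknown suffix"),
        })
    return names


def host_roles(names: list) -> dict:
    """What the name table says about the host: its name, its domain, and whether
    it advertises the file server (<20>) and domain controller (<1C>) roles."""
    hostname = next((n["name"] for n in names if n["type"] == "UNIQUE" and n["suffix"] == 0x00), None)
    domain = next((n["name"] for n in names if n["type"] == "GROUP" and n["suffix"] == 0x00), None)
    return {
        "hostname": hostname,
        "domain": domain,
        "file_server": any(n["type"] == "UNIQUE" and n["suffix"] == 0x20 for n in names),
        "domain_controller": any(n["type"] == "GROUP" and n["suffix"] == 0x1C and n["name"] == domain
                                 for n in names),
    }


def _record(name: bytes, suffix: int, group: bool) -> bytes:
    """Build one NODE_NAME record (used only to construct the sample below)."""
    flags = ACTIVE_BIT | (GROUP_BIT if group else 0)
    return RECORD.pack(name.ljust(15, b" "), suffix, flags)


# Constructed sample: a file server that is also a domain controller for CORPDOM.
SAMPLE_NAME_TABLE = b"".join([
    _record(b"DC01", 0x00, False),
    _record(b"DC01", 0x20, False),
    _record(b"CORPDOM", 0x00, True),
    _record(b"CORPDOM", 0x1C, True),
    _record(b"CORPDOM", 0x1E, True),
    _record(MSBROWSE, 0x01, True),
])

if __name__ == "__main__":
    for entry in parse_node_names(SAMPLE_NAME_TABLE):
        print("%-15s <%02X> %-6s %s" % (entry["name"], entry["suffix"], entry["type"], entry["description"]))
    print(host_roles(parse_node_names(SAMPLE_NAME_TABLE)))
```

The UNIQUE/GROUP distinction comes from the flags, not from the suffix: <00> is a workstation name when UNIQUE and a domain membership when GROUP, which is why the parser keeps two lookup tables.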
Windows Default User Accounts

Default account          Description
SYSTEM (Local System)    The core operating system user context; unlimited local system access.
LOCAL SERVICE            Service user context with more restricted local permissions; authenticates to remote systems as an anonymous user.
NETWORK SERVICE          Service user context with more restricted local permissions; authenticates to remote systems with the system's computer account.
Administrator            Default super-user; can be renamed but retains its default SID (RID 500).
IUSR_systemname          Anonymous web user account created for Internet Information Services.
IWAM_systemname          Service account created for processes spawned by Internet Information Services.
TsInternetUser           Terminal Services user context.
SUPPORT_xxxxxxxx         User context for Help and Support Services in Windows XP and 2003.
Guest                    Limited-privilege account; disabled by default.

Windows Authentication Methods

Protocol          Description
LM (LAN Manager)  A challenge/response system, but the LM hash is so weak (password upper-cased, padded to 14 characters and split into two independent 7-character halves, with no salt) that the hash behind a captured challenge/response can be brute forced or dictionaried in short order.
NTLM (NTLMv1)     Improvements in the base password hash (the NT hash is case-preserving and not split) translate to a stronger challenge/response. The hash can still be brute forced from a captured exchange, but nowhere near as quickly.
NTLMv2            Replaces the DES-based NTLMv1 response with an HMAC-MD5 over the server challenge and a client challenge (which carries a timestamp), keyed by a value derived from the NT hash, user name and domain. Every captured exchange has to be attacked on its own, so it is very difficult to brute force.
Kerberos          Widely accepted as a secure authentication protocol; exact methods vary by implementation. Captured exchanges can be brute forced offline, but the process is very slow.

Common Security Identifiers (SIDs)

SID                          Description
S-1-1-0                      Everyone (automatic group)
S-1-5-1                      Dialup users (automatic group)
S-1-5-2                      Network users (automatic group)
S-1-5-3                      Batch users (automatic group)
S-1-5-4                      Interactive users (automatic group)
S-1-5-6                      Service users (automatic group)
S-1-5-11                     Authenticated users (automatic group)
S-1-5-[domain SID]-500       Administrator built-in account (the RID stays 500 even when the account is renamed)
S-1-5-[domain SID]-501       Guest built-in account
S-1-5-[domain SID]-1000      Default SID of the first account created on a local system or Windows NT domain. Active Directory assigns SID groupings for each domain in the forest, so user RIDs are not predictable.

Note: A complete list of common SIDs is available in Microsoft KB article 243330 at http://support.microsoft.com/?kbid=243330.

Windows NT File System Permissions

Permission                       Description
Full Control                     Allows one-click enabling of all permissions; not present in Windows 2000.
Traverse Folder / Execute File   Permits access (change directory) to a subdirectory, or execution of a given file.
List Folder / Read Data          Permits a directory listing when applied to a directory, or read access when applied to a file.
Read Attributes                  Allows viewing the Read Only and Hidden file attributes.
Read Extended Attributes         Allows viewing the Archive, Indexing, Compression and Encryption attributes.
Create Files / Write Data        Permits creating new files (when applied to a directory) or writing data (when applied to a file).
Create Folders / Append Data     Permits creating subdirectories (when applied to a directory) or appending data to an existing file (when applied to a file).
Write Attributes                 Allows changing the Read-Only or Hidden attributes.
Write Extended Attributes        Allows changing the Archive, Indexing, Compression and Encryption attributes.
Delete Subfolders and Files      Permits deleting files or directories below this object.
Delete                           Permits deleting this object.
Read Permissions                 Permits viewing the DACL of an object (the SIDs and the permissions granted to each), to determine what other users and groups can do.
Change Permissions               Permits adding or removing permissions for an object.
Take Ownership                   Allows a user to assume ownership of the object, which effectively grants full control. Take Ownership must be exercised by the user: merely holding the permission does not transfer ownership.
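The SID table above makes two points a practitioner uses constantly: well-known SIDs are fixed strings, and the RID of a domain or local account identifies the built-in Administrator (500) and Guest (501) regardless of what they have been renamed to. The following is an added example, not code from the HackNotes Reference Center: it converts SIDs between the S-1-5-... string form and the binary form found in tokens and ACLs (revision byte, sub-authority count byte, 48-bit big-endian identifier authority, then 32-bit little-endian sub-authorities), and classifies a SID against the table. The domain SID in the sample is made up.

```python
"""Parse Windows security identifiers and flag well-known RIDs.

Added example, not code from the HackNotes Reference Center. The binary
layout is the standard SID structure; the well-known values are those
tabulated above. The sample domain SID is constructed.
"""
import struct

# Fixed well-known SIDs from the reference table above.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-1": "Dialup users",
    "S-1-5-2": "Network users",
    "S-1-5-3": "Batch users",
    "S-1-5-4": "Interactive users",
    "S-1-5-6": "Service users",
    "S-1-5-11": "Authenticated users",
}
# Well-known RIDs inside a domain or local-machine SID (S-1-5-21-...).
WELL_KNOWN_RIDS = {500: "Administrator (built-in)", 501: "Guest (built-in)"}
DOMAIN_FIRST_RID = 1000   # first RID handed to a user-created account


def parse_sid(sid: str):
    """Split 'S-<rev>-<authority>-<sub>...' into (revision, authority, [subs])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    return revision, authority, [int(p) for p in parts[3:]]


def sid_to_bytes(sid: str) -> bytes:
    """Encode to the binary SID layout used in tokens and ACLs."""
    revision, authority, subs = parse_sid(sid)
    if len(subs) > 15 or authority >= 1 << 48:
        raise ValueError("SID out of range: %r" % sid)
    header = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(subs), *subs)


def sid_from_bytes(data: bytes) -> str:
    """Decode a binary SID, checking that the sub-authority count matches the length."""
    if len(data) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def classify(sid: str) -> str:
    """Name a SID: fixed well-known SID, well-known RID in a domain, or user-created."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    revision, authority, subs = parse_sid(sid)
    # Domain and local-machine SIDs are S-1-5-21-<three 32-bit values>-<RID>.
    if revision == 1 and authority == 5 and len(subs) == 5 and subs[0] == 21:
        domain = "S-1-5-21-%d-%d-%d" % tuple(subs[1:4])
        rid = subs[4]
        if rid in WELL_KNOWN_RIDS:
            return "%s in %s" % (WELL_KNOWN_RIDS[rid], domain)
        if rid >= DOMAIN_FIRST_RID:
            return "user-created principal (RID %d) in %s" % (rid, domain)
        return "other built-in principal (RID %d) in %s" % (rid, domain)
    return "unrecognised SID"


if __name__ == "__main__":
    domain = "S-1-5-21-1004336348-1177238915-682003330"   # constructed domain SID
    for sid in ("S-1-5-11", domain + "-500", domain + "-1000"):
        print(sid, "->", classify(sid), "|", sid_to_bytes(sid).hex())
```

The classification deliberately keys on the RID rather than the account name, which is the check that survives the "rename Administrator" setting listed under the group policy security options.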
Useful Character Encodings

Hexadecimal ASCII Characters

Char   Hex    Char   Hex    Char   Hex    Char   Hex
Space  20     8      38     P      50     h      68
!      21     9      39     Q      51     i      69
"      22     :      3A     R      52     j      6A
#      23     ;      3B     S      53     k      6B
$      24     <      3C     T      54     l      6C
%      25     =      3D     U      55     m      6D
&      26     >      3E     V      56     n      6E
'      27     ?      3F     W      57     o      6F
(      28     @      40     X      58     p      70
)      29     A      41     Y      59     q      71
*      2A     B      42     Z      5A     r      72
+      2B     C      43     [      5B     s      73
,      2C     D      44     \      5C     t      74
-      2D     E      45     ]      5D     u      75
.      2E     F      46     ^      5E     v      76
/      2F     G      47     _      5F     w      77
0      30     H      48     `      60     x      78
1      31     I      49     a      61     y      79
2      32     J      4A     b      62     z      7A
3      33     K      4B     c      63     {      7B
4      34     L      4C     d      64     |      7C
5      35     M      4D     e      65     }      7D
6      36     N      4E     f      66     ~      7E
7      37     O      4F     g      67     DEL    7F

Common Special Character Encodings

Unicode encoding                Value
%C0%AF, %E0%80%AF               /
%C1%9C, %C0%DC, %E0%80%DC       \
%C0%A5, %E0%80%A5               %
%C0%A7, %E0%80%A7               '
%C0%A0, %E0%80%A0               Space
%C0%AB, %E0%80%AB               +
%C0%BF, %E0%80%BF               ?

These are "overlong" UTF-8 forms: each character fits in a single byte but is spelled as a two- or three-byte sequence, so a filter that looks for the literal character misses it while a lenient decoder still produces it. Note that %C1%9C is the arithmetically overlong form of \ (0x5C); %C0%DC and %E0%80%DC are not well-formed UTF-8 at all (DC is not a continuation byte) and work only against decoders that do not validate continuation bytes.

Double Encoding

Double-encoding relies on the first decoding pass exposing % characters that a second pass then decodes. Any hexadecimal-encoded character can be double-encoded by prefixing it with %25, the encoding of % itself: %2F becomes %252F, which decodes first to %2F and then to /.
[...]

Quick Command Lines: Port Scanning

Command                                                  Description
wpsweep 192.168.100.1 192.168.100.254 2000               Ping sweep 192.168.100.1-254 with a 2 second timeout
nmap -sP -PE 192.168.100.1-254                           Ping sweep
sl -n 192.168.100.1-254                                  Ping sweep
nmap -sT -p 23,25,80,139,445,1433 192.168.100.1-254      Simple Windows TCP port scan
sl -t 23,25,80,139,445,1433 192.168.100.1-254            Simple Windows TCP port scan
nmap -sU -p 53,137,161,500,1434 192.168.100.1-254        Simple Windows UDP port scan

[...]

IIS Security Tools
IIS Lockdown Tool / URLScan v2.0   http://www.microsoft.com/technet/security/tools/tools/locktool.asp
URLScan v2.5                       http://www.microsoft.com/technet/security/tools/tools/urlscan.asp
MetaEdit v2.2                      http://support.microsoft.com/default.aspx?scid=KB;EN-US;232068

Useful Tools
Snort-win32 [...]

[...] as shown here:

E:\HackNotes> nslookup
Default Server: testlab.a&p.com
Address: 192.168.32.1
> server ns1.targetdom.com
Default Server: ns1.targetdom.com
Address: 172.16.31.144
> ls -d hacknotes.com
[ns1.targetdom.com]
 hacknotes.com   SOA   ns1.targetdom.com admin.ns1.targetdom.com (2003032521 10800 3600 604800 300)
 hacknotes.com   MX    30 mail.hacknotes.com
 hacknotes.com   NS    ns1.targetdom.com
 hacknotes.com   A     10.19.89.130
[...]

[...] Success, Failure

Security-Related Group Policy Settings

Account Lockout Threshold [...]

Miscellaneous Options
Location: Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Note: The naming convention differs between Windows 2000 and XP/2003, and some options are unavailable in Windows 2000.
Accounts: Rename [...]
[...]

[name].msc              Microsoft Management Console

Figure RC-2: After adding the Snap-Ins you use most, you can save your console definition as an .msc file. This figure shows some common Snap-Ins defined as a single console, MyConsole.msc.

Online References

General Security Archives
Web Site                 URL
SecurityFocus            http://www.securityfocus.com
PacketStorm Security     http://packetstormsecurity.nl [...]

[...]                    http://www.solarwinds.net/Download-Tools.htm
Microsoft Windows Resource Kits
                         http://www.microsoft.com/windows2000/techinfo/reskit/default.asp
                         http://www.microsoft.com/windowsserver2003/techinfo/reskit/resourcekit.mspx

User Enumeration Tools
sid2user / user2sid      http://www.chem.msu.su/~rudnyi/NT/
                         http://www.ntbugtraq.com
DumpUsers                http://www.ntsecurity.nu/toolbox
GetAcct                  http://www.securityfriday.com

Password Cracking [...]

[...] Explorer and FrontPage Editor need to [...]

Testing for Internet Information Services: ISAPI Applications
Default ISAPI Mapping [...]

Security-Related Group Policy Settings*
* Note that some options may not be available in all Windows operating systems.

Password Management
Location: Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\Password [...]

[...]                    http://ntsecurity.nu/toolbox

SQL Enumeration and Password Testing Tools
SQLPing v2.2             http://www.sqlsecurity.com
ForceSQL v2.0            http://www.nii.co.in/tools.html

Terminal Services Tools
ProbeTS, TSEnum          http://www.hammerofgod.com/download.htm

Custom Environments
Cygwin                   http://www.cygwin.com

Packet Capture Utilities
Snort-win32              http://www.snort.org
Ethereal                 http://www.ethereal.com
WinDump (Win32 tcpdump) [...]
[...] this enables 3DES encryption for EFS.

Network Security: LAN Manager Authentication Level [...]

Useful Tools

Tool                            Source
Footprinting Tools
Sam Spade                       http://www.samspade.org
GTWhois                         http://www.geektools.com/software.php
Saeven Whois                    http://www.saeven.net/sware
Port Scanning Utilities
nmap-win32 Port Scanner (CLI)   http://www.insecure.org/nmap/nmap_download.html [...]

[...] of all direct SMB responses (source port of TCP/445)
snort -v -X tcp && ((src port 80 || src port 443) || (dst port 23 || dst port 25))
                                Capture and dump the contents of all HTTP or HTTPS responses, or telnet or SMTP requests

WinPcap/libpcap Filter Reference

Filter                  Description
host [ip address]       Match packets to or from [ip address]
net [network number]    Match packets to or [...]