If someone hacks a listening service running as System... How to prevent?

Discussion in 'other security issues & news' started by AlexC, May 21, 2011.

Thread Status:
Not open for further replies.
  1. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    In another thread:

    Is this possible? How to prevent?

    Come on experts, don't be shy... :D
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    You can disable unnecessary services to prevent against local attacks. But don't worry about that.

    Closing ports is more important if you're worried about being hacked.

    Honestly, if someone is trying to hack your computer and they aren't some little script kiddie there's very little you can do to prevent it.

    Firewall + Closed ports is the best you can do against an attack.
     
  3. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    Assuming someone has made his way onto your PC, giving him a command prompt. The next thing he will do is bring over his tools using TFTP or FTP. These two are command-line programs available on XP Home and above. What I've done to combat this is to use cacls to remove the Users group from accessing these programs, so that a limited user can't access them. So the hacker can't use them either.
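
The ACL change described in the post, written out as an added example (this is not lunarlander's own script). It uses icacls.exe, the supported successor to cacls, and assumes Windows Vista/7 or later run from an elevated PowerShell prompt. The SIDs are the well-known ones for BUILTIN\Administrators and BUILTIN\Users, so the commands work on any language edition:

```powershell
# Added example: restrict ftp.exe and tftp.exe to Administrators so a limited-user
# foothold cannot use them to pull tools onto the box. Run elevated.
$tools = @("$env:SystemRoot\System32\ftp.exe",
           "$env:SystemRoot\System32\tftp.exe")   # tftp.exe is only present if the TFTP client feature is installed

foreach ($exe in $tools) {
    if (-not (Test-Path $exe)) {
        Write-Host "skip (not installed): $exe"
        continue
    }

    # System32 binaries are owned by TrustedInstaller; give ownership to Administrators
    # (/A) so the DACL can be edited, and make sure Administrators keep Full Control.
    takeown.exe /F $exe /A | Out-Null
    icacls.exe $exe /grant "*S-1-5-32-544:F" | Out-Null        # S-1-5-32-544 = BUILTIN\Administrators

    # Convert the inherited ACEs into explicit ones on the file, then remove the
    # Users entry. Without /inheritance:d the Users ACE comes back from the folder.
    icacls.exe $exe /inheritance:d | Out-Null
    icacls.exe $exe /remove:g "*S-1-5-32-545" | Out-Null       # S-1-5-32-545 = BUILTIN\Users

    Write-Host "`nResulting ACL for ${exe}:"
    icacls.exe $exe
}
```

To confirm it worked, open a non-elevated command prompt as a standard user and run `ftp`; it should fail with "Access is denied." Two caveats: this only helps against an attacker running with a limited user's token, which is not the thread's premise of a service running as System (SYSTEM keeps an explicit Full Control entry and can rewrite the ACL anyway), and a later update that replaces the binary may restore the default ACL, so re-check after patching.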
     
  4. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    Hi AlexC,

    Please see the site in my signature line about closing listening ports. Some of those instructions only work on XP.
     
  5. wat0114

    wat0114 Guest

    Actually, just using a firewall, software or hardware, is all that's needed to prevent this. That's why when the blaster worm infected so many pc's years ago, it was due to XP's firewall being disabled by default in SP1, so the vulnerable DCOM RPC service was exposed.
     
  6. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    However, some people set their firewall profile to private in Win7 because they are behind a NAT router. Then their ports are exposed by the host firewall.

    If somehow an attacker gets a foothold on one PC in the LAN (maybe through some vector like an email attachment), then he can go and attack other PCs.
     
  7. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    NAT with no port forwarding to the listening services.

    Sul.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    protip guys... there isn't **** you can do if they're actually a decent hacker.
     
  9. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    I'll read it. Thanks!
     
  10. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    Sorry, but I disagree. It's actually the other way around. A well locked down machine in conjunction with decent network security is almost impossible to penetrate through purely technical means.

    The stage has changed so that purely technical attacks are extremely difficult. I'm not saying it's impossible, but you'd probably need a string of 0-day attacks on both hardware and software... and a few weeks of dedicated time to penetrate a secure setup (if at all). Social engineering is typically leveraged to get around such security, and the idea is to avoid trying to break through defenses (instead, you "go around" them).

    Devices that host common services are a different ball game. In some ways it might actually be harder to hack a corporate network due to the large number of openly available attack vectors. Your home networks with NAT, hardware SPI, and a software firewall are not low-hanging fruit.

    Unless we are talking about physical access, there is plenty you can do to prevent being hacked.
     
  11. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The best way to prevent listening services from being attacked is to not have them. If you don't need it, shut it off. If you have a legitimate need for a service to receive incoming connections, limit it to only the IP addresses that it needs to listen for, aka IP-specific firewall rules. When possible, restrict the port and allowed protocols as well. This reduces your attack surface and is where a software firewall shines.

    If a service needs to receive connections from all over, like a server or Tor node, isolate that app or service as much as possible from the OS. Limit its parent-child permissions and, if possible, the files and folders it has access to. This is isolating and hardening the attack surface that you can't eliminate. It will often prevent a compromised app or service from compromising the rest of your system.
    I use a similar approach but with different tools. Access to the command prompt and related tools is limited to administrator use only. The PC runs in user mode with a password required for administrative access. Enforced by HIPS.
     
    Last edited: May 23, 2011
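
The first step in "if you don't need it, shut it off" is knowing what is listening and as whom. The following is an added example (not from the post) that lists every TCP listener, the process behind it and, for services, the account they run under. It parses `netstat -ano` rather than using Get-NetTCPConnection so it works on XP and 7 as well as later versions, and uses Get-WmiObject, which Windows PowerShell ships on all of them. Run it elevated or the PID column is blank for other users' processes:

```powershell
# Added example: inventory network-facing listeners and the account behind each one.

# PID -> hosted service names with their logon accounts (svchost.exe hosts several at once).
$svcByPid = @{}
Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -ne 0 } | ForEach-Object {
    $key = [uint32]$_.ProcessId
    if (-not $svcByPid.ContainsKey($key)) { $svcByPid[$key] = @() }
    $svcByPid[$key] += "$($_.Name) [$($_.StartName)]"
}

# PID -> image name, for listeners that are not services at all (user apps, P2P clients).
$procByPid = @{}
Get-WmiObject Win32_Process | ForEach-Object { $procByPid[[uint32]$_.ProcessId] = $_.Name }

# netstat -ano columns: Proto, Local Address, Foreign Address, State, PID.
# IPv6 addresses appear as [::]:135, which the greedy (\S+) still splits correctly.
$listeners = netstat -ano | ForEach-Object {
    if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
        $procId = [uint32]$Matches[3]
        $svcs   = $svcByPid[$procId]
        [pscustomobject]@{
            LocalAddr = $Matches[1]          # 0.0.0.0 or [::] means reachable from the network
            Port      = [int]$Matches[2]
            PID       = $procId
            Process   = $procByPid[$procId]
            Services  = if ($svcs) { $svcs -join ', ' } else { '-' }
        }
    }
}

$listeners | Sort-Object Port | Format-Table -AutoSize

# The exact case in the thread title: bound to something other than loopback and
# hosted by a service that runs as LocalSystem. Each line here is a candidate to
# disable, bind to 127.0.0.1, or fence with an IP-specific firewall rule.
Write-Host "`nNetwork-facing listeners running as LocalSystem:"
$listeners |
    Where-Object { $_.LocalAddr -notin @('127.0.0.1', '[::1]') -and $_.Services -match 'LocalSystem' } |
    Sort-Object Port | Format-Table -AutoSize
```

Reading the second table is the point: anything in it that you cannot name a use for is attack surface you can remove outright, which, as the post says, beats hardening it.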
  12. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    121
    Hi Noone Particular,

    How do you accomplish that? Do you mean via Sandboxie or virtual machines ?

    What are parent-child permissions?
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    There are seriously tons of exploits that can be taken advantage of. Really, closing your ports is a great way to defend yourself but if they're actually an experienced hacker and they're motivated they will get through.
     
  14. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Both of those are viable options. Servers work quite well in a virtual environment. Not sure about Tor in a virtual environment. The number of connections it makes could cause problems. Restricted accounts that limit access to the system core are another tool, as is classic HIPS.

    A parent process is the one that starts another process. A child process is the process that is launched by another. In Windows, the parent process for most user apps is explorer.exe. Clicking the browser icon on your desktop makes the browser a child process of explorer.exe. When you open a PDF in your browser, the PDF reader becomes a child process of the browser.

    Any application or service that listens on an open port is part of the attack surface. Any user application that connects to sites beyond your control or opens files from unknown or unverified sources is also part of the attack surface. It's a basic fact that there is no bulletproof code. All software is vulnerable. If the vulnerabilities are known to attackers, they will be used to compromise that app, and the underlying system if it's accessible to them.

    Several of the classic HIPS give the user the ability to specify the allowed parent and child permissions for each allowed executable. Windows built-in tools enable the user to create a whitelist of allowed processes. With the parent-child settings in classic HIPS, the user can create a separate whitelist for each executable on the system, allowing much more detailed control. By limiting the allowed child processes to only what is necessary for each attack surface app or service (often none at all are necessary), an attacker's ability to use that compromised app to gain access to the rest of the system is greatly restricted or eliminated entirely. When combined with a default-deny policy that prevents unknown code from running, the code that exploits a vulnerability in an application doesn't automatically result in a compromised system. If the security policy is well thought out, the exploit code often gains the attacker nothing at all, being stopped at the attack surface application.

    This type of approach works very well with the parts of the attack surface that are by necessity exposed. It is not a good substitute for reducing the attack surface. By far, the single best thing you can do to harden a system is to give an attacker as little as possible to target to start with.
     
  15. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    That is vague enough that I'll ask for some citation on what you are proposing.

    I have some experience in the matter, and I'm aware that there exist ways to penetrate firewalls (packet fragmentation, uncommon protocols, etc.)... but what you are talking about is simply not going to be achieved without several 0-day attacks on old and refined forms of security.

    First, you have your typical router. The first barrier to get through is the NAT. This, in itself, is not a trivial thing to do. For one, it's hard for an attacker to differentiate between different internal machines due to the nature of NAT. They also need to discover the internal address scheme and defeat the non-direct routing of packets to the destination. This may not even be possible, depending on the equipment you have.

    Then you have the stateful packet inspection firewall on the router. Not only does it open and close the ports based on host initiation and closing of a session, but it also will perform a deeper inspection to make sure the packet isn't malformed and is otherwise valid.

    So, to get through the hardware alone, it's not going to be easy... In fact, there is a high likelihood of failure based on this alone. Of course, one could exploit a router weakness (i.e. hack the router), the firewall/NAT might not work properly (considering it's cheap home equipment), or use a technique that the cheap firewall might not handle properly.

    Assuming you do this, you now have to get the packet accepted by the host machine. Aside from having a vulnerable service, you need to actually bypass the windows firewall (or the one bundled with the security product they bought). By default, you have open ports to file sharing, but not much else. Now, in addition to breaching the outside firewall, the same exact packet must breach the software firewall. It will often be the case that the same method may not work on a separate firewall. In other words, if you manage to get a packet through a hardware firewall, it will likely be stopped by the software firewall.

    Finally, if you manage to craft magic packets that get through both firewalls, they must typically do more than just reach the destination. You see, it's one thing to get a packet through a firewall, but it's another to get a stream of properly formed packets through. You need to carry on communication with the host, and this might mean properly GUESSING SEQ and ACK numbers (since it's entirely possible you won't receive return traffic due to bypassing NAT).

    Finally, the exploit has to actually work on a vulnerable service at the application level. Sure, you got all the packets there, but it actually needs to break something and deliver a payload... something that will make access to the data easy.

    I'm not going to say no one could ever do that, because hey - you never know. Most likely it would involve a lot of luck, and some very specific exploits that are not publicly known.

    In a practical sense, no one is even going to try and break this security. It's not going to happen. You'd find a better way to do what you need to do. Maybe try to get upstream and poison their DNS results... then replace something they attempt to download with something malicious... Or access their wifi and try to gain access to an administrative share through password guessing or a dictionary attack.

    Those attacks have defenses too, and they require a LOT of work. It might mean weeks or months. Good hacking means finding the easiest way in, and most of the time it can take a while to just properly evaluate the situation. It's not like the movies, where there are ways through any security barrier. There are plenty of things you just can't crack through.

    If it were me, I'd much rather have a shot at a corporate network than Joe Schmoe's laptop (which doesn't host anything). There are plenty of attacks against apache, IIS, mysql, etc. You can communicate with a service that is openly available, and then exploit it... On the other hand, breaking through a series of firewalls (even consumer grade), completely blind to what services are on the other side, is not realistic. If anyone out there is even close to being that good, I haven't met them... but if such a person exists, they'd make a fortune in the security field.
     
    Last edited: May 29, 2011
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Holy moly...

    I'll get to that one in the morning...
     
  17. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Back in the day, when broadband first started coming online and routers were first being used, a lot of talk was focused on firewalls and open ports vs stealthed ports. I remember digging into the topic quite heavily and one thing stuck in my mind - hackers look for vulnerabilities. They scan many addresses and log which ones have a weak spot, then try to target the weak spots. If you expose no weak spots due to the router, it makes it harder and thus the hacker chooses easier prey.

    If a hacker port scans 1,000 IP addresses, and finds that 25 of them are answering on a certain port, etc, why would he choose one of the other IP addresses to target unless he knows where that IP actually leads to? He could spend a lot of time breaking through my defenses only to find out most of my services and ports are not online. And further, if he actually found a weakness and exploited it, I have no information worth obtaining - no account infos, nothing but some pictures, some music, a few movies, and lots of white papers and code - hardly worth the effort. Maybe he wants to turn me into a botnet or something. But where is the payoff?

    I don't believe most of us are at a great threat from an actual hacker these days. Those with ports forwarded might see some more exposure perhaps. I think the true hackers are going to spend their time on the easy marks, and even then I doubt even 25% of successful hacks gain them much.

    It is far easier to compromise a website, then trick the user into allowing them to have root than to hack into their machines. And I believe that is why that trend is so prevalent right now.

    Sul.

    EDIT: Now all that being said, it still is a good idea to think smart, or as some might say, use some common sense. For example I have some computers set up with TightVNC or RDP, and they need ports opened. However, I modify the listening port to a non-standard one, and in the router I forward yet a different external port to the non-standard internal port, and I create rules stating that only my static IPs are allowed for that forwarded port. On top of that I make sure the password is pretty strong. Not to say it is fool proof, but with a little common sense on my part of not fully trusting anything, and a few small steps taken, pretty much ensures there will not be an issue.
     
    Last edited: May 29, 2011
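
The RDP half of Sully's EDIT, and the "IP-specific firewall rules" noone_particular recommends earlier in the thread, written out as an added example (this is not Sully's own configuration). It assumes Windows 7 or later with Windows Firewall enabled and an elevated PowerShell prompt. The port number and the two addresses (203.0.113.10 and 198.51.100.25, from the reserved documentation ranges) are placeholders to replace with your own; the router-side forward of an external port to this host's new port is done in the router's UI and is not shown:

```powershell
# Added example: move the Remote Desktop listener off 3389 and accept it only from
# fixed management addresses. Run elevated; the port change needs a reboot.

$NewPort  = 33890                             # placeholder non-standard listening port
$AdminIPs = '203.0.113.10,198.51.100.25'      # placeholder static IPs; CIDR ranges work too
$rdpKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Change the port the Remote Desktop service listens on.
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $NewPort -Type DWord

# 2. Disable the built-in Remote Desktop rules, which allow 3389 from any address.
#    (Rule group names are localized; on a non-English Windows use the translated name.)
netsh advfirewall firewall set rule group="Remote Desktop" new enable=No

# 3. Allow the new port from the listed addresses only. profile=any so the rule is the
#    same whether Windows thinks the network is Public, Private or Domain; everything
#    else is dropped by the profile's default inbound action, checked in step 4.
netsh advfirewall firewall add rule name="RDP $NewPort admin IPs only" `
    dir=in action=allow protocol=TCP localport=$NewPort remoteip=$AdminIPs profile=any

# 4. Verify: registry value, the new rule, and that every profile still blocks inbound
#    by default (the line should read "BlockInbound,AllowOutbound" three times).
(Get-ItemProperty -Path $rdpKey).PortNumber
netsh advfirewall firewall show rule name="RDP $NewPort admin IPs only"
netsh advfirewall show allprofiles | Select-String 'Firewall Policy'
```

Do not add a matching block rule for "everyone else": in Windows Firewall an explicit block rule takes precedence over allow rules, so it would lock out the listed addresses as well. The default inbound action already drops what no allow rule matches. Note also what does the work here: the non-standard port only removes the host from casual 3389 scans, while the remoteip restriction and the strong password Sully mentions are what actually keep an attacker out. The same allow-rule pattern applies to a TightVNC listener by substituting its port.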
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Well I'm not saying it isn't haha that's why I said "if they're motivated."
     
  19. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    A private PC isn't likely to be targeted unless you give an attacker a reason. Not including reasons caused by running off at the mouth (going to one of their IRC channels and saying they're a bunch of amateur kiddies who couldn't hack through a wet paper bag, for instance), you'd need to have something that they want. I can't think of many realistic ways that this would happen between individuals, short of a white hat/black hat battle (probably started by someone with a big mouth). Start including governments, businesses, industries, etc., and the list of reasons becomes more probable. If it was known that you had evidence of corruption, illegal activities of the management or gov't authorities, were a dissident, etc., then someone might have a reason to try to get access to your system. It is possible to give someone a motive to come after you but it's not something most people will ever face. Then again, if you're in possession of such data, the real questions should be:
    1, How and why did you let this be known?
    2, Why would you have this data on an online PC?
    Any PC containing or accessing data this sensitive should be default-deny protected and stripped of as many vulnerable apps and components as possible. That data should also be encrypted.
     
    Last edited: May 29, 2011
  20. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    From actual experience, I can tell you that most cracking attempts are an uphill battle. A lot of people seem to assume, like you, that the balance of power is in favor of the hacker. It really is the other way around. There is plenty that is impossible, even to the most skilled penetrators. That is why you have to hone in on the viable attack vectors. Going through security is going to result in wasted time. You try to find a way to avoid the security.
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I'm going by what a hacker who I know has shown me. I'm not disagreeing with what you're saying.
     