{"id":27,"date":"2007-11-23T17:53:48","date_gmt":"2007-11-23T17:53:48","guid":{"rendered":"http:\/\/pentestmonkey.net\/?p=27"},"modified":"2011-08-20T15:58:43","modified_gmt":"2011-08-20T15:58:43","slug":"quick-look-at-win2k8","status":"publish","type":"post","link":"https:\/\/pentestmonkey.net\/blog\/quick-look-at-win2k8","title":{"rendered":"A Quick Look at Windows 2008 Server Beta"},"content":{"rendered":"

I recently installed Windows 2008 Beta in a VMWare virtual machine to see what Microsoft have in store for us. Being a pentester, I mainly looked at the default security settings, so don’t go expecting a review of the shiny new GUI…
\n<\/p>\n

What was Tested?<\/h3>\n

I installed Windows 2008 Server RC0 Standard Edition (32-bit)<\/a> Build 6001 in VMWare Server 1.0.4-56528<\/a>. I configured VMWare to expect a Vista guest as there was no explicit 2008 support just yet.<\/p>\n

Once installed, I basically poked around a bit, looking at security-related settings that might be of interest to pentesters.<\/p>\n

Installation Process<\/strong><\/p>\n

The install went pretty smoothly: next-next-install style. The only hiccup was needing to install the VMWare Tools before the network connection would work.<\/p>\n

You have to change your password before logging on for the first time. I’d like to figure out what the password was before it was changed. Unfortunately, as the network wasn’t configured I wasn’t able to log in remotely. My guess would be that the password is blank and that remote users can’t use blank passwords (making it secure by default). It’d be nice to verify this, though.<\/p>\n

Network Footprint<\/strong><\/p>\n

How susceptible is this thing to remote attacks out-of-the-box?\u00a0 Well, not very…<\/p>\n

After you’ve got the network working, it will obtain an address via DHCP automatically. Since production servers generally don’t use DHCP, I didn’t dwell on this. Next you’ll notice that the host-based Firewall is on by default and blocks everything inbound: no UDP, no TCP, no ICMP, nothing.<\/p>\n

I fingerprinted<\/a> it using ARP and the stack looks like Linux or Vista:<\/p>\n

$ sudo arp-fingerprint -o '-I vmnet1' 10.0.0.0
10.0.0.1    01010100000    Linux 2.2, 2.4, 2.6, Vista<\/pre>\n

IPv6 is enabled by default.\u00a0 This might be an interesting area to investigate, but I haven’t done so yet.\u00a0 Presumably it will auto-configure and presumably the Firewall will protect it.\u00a0 It’s worth checking at some point, though.<\/p>\n

Next, I disabled the Firewall to check what an unfiltered box would look like from a network perspective. I began by stopping the Firewall service in services.msc. This doesn’t work: you need to leave the service running and disable the Firewall from the Control Panel, otherwise it fails safe and continues to filter traffic. Quite smart really, though not what I expected.<\/p>\n

Here are the services bound to all interfaces (0.0.0.0) once the Firewall is off:<\/p>\n

ICMP: Echo, Timestamp<\/p>\n

TCP ports (IPv4 and IPv6): 139 (NetBIOS session), 445 (SMB), 49152, 49153, 49154, 49155, 49156 (RPC endpoints in the new dynamic port range, which starts at 49152 on Vista and 2008 rather than 1025)<\/p>\n

UDP ports: 123 (NTP), 500 (IKE), 5355 (LLMNR)<\/p>\n

These UDP ports are bound to the LAN IP only: 137 (NetBIOS name service), 138 (NetBIOS datagram service)<\/p>\n

It’s interesting to note that UDP scans are very slow against 2008. This is very different to 2000, 2003 and XP, which were a dream to port scan if they weren’t running a host-based Firewall. Windows 2008 rate-limits its ICMP Port Unreachables, so a UDP scanner that relies on the unreachable to mark a port closed has to wait for each one. This is pretty normal among other OSs and makes pentesters’ jobs harder. \ud83d\ude41<\/p>\n

The newer TCP and UDP services (UDP 5355 and TCP 49152-49156) will be important to understand as 2008 gets rolled out. Vista has similar ports open. I’ve not looked at Vista much, but Symantec have written a very good paper<\/a> on the Vista attack surface. They have a nice description of the additional ports.<\/p>\n

Here’s the banner you get when you connect with smbclient:<\/p>\n

$ smbclient \/\/10.0.0.1\/c$ -U%
\nDomain=[WORKGROUP] OS=[Windows Server (R) 2008 Standard 6001 Service Pack 1, v.275] Server=[Windows Server (R) 2008 Standard 6.0]<\/p>\n

I’m not sure why “Service Pack 1” appears in the banner.\u00a0 Odd for an RC0 release.<\/p>\n

Windows Services<\/strong><\/p>\n

45 Windows services are started by default.\u00a0 Note that this is for a server that isn’t running a Web server, FTP server, or any other kind of network service.<\/p>\n

I wonder which ones are actually needed. I guess most people will simply leave them all enabled.<\/p>\n

Dumping Password Hashes<\/strong><\/p>\n

The good news (well, bad news if you’re a pentester) is that storage of LANMAN hashes is disabled by default: Windows will not store the LANMAN hash of your password, so the LM field of a hash dump only ever contains the fixed hash of an empty password. This is going to make cracking passwords much, much more difficult in future.<\/p>\n

Don’t get me wrong, I’m not saying that NT (NTLM) password hashes are super-secure; they’re an unsalted MD4 of the UTF-16LE password, so wordlists and rainbow tables still apply. I’m just saying that they’re much more secure than LANMAN hashes, which upper-case the password, truncate it to 14 characters and hash each 7-character half independently (NT hashes can be longer than 7 chars and are case sensitive for a start).<\/p>\n

It’s probably worth getting a good set of rainbow tables<\/a> if you haven’t already.<\/p>\n

PwdumpX<\/a> v1.0 worked well:<\/p>\n

C:> pwdump 127.0.0.1 + +<\/pre>\n

Pwdump2 doesn’t work.\u00a0 This is not a great surprise since it no longer works on up-to-date XP and 2003.\u00a0 However, the good news is that it doesn’t crash 2008!\u00a0 Good news for pentesters and pentestees alike.<\/p>\n

PwdumpX also dumps the LSA secrets. This showed something that looks vaguely interesting. I initially set my password to “root” after installation. I later found the string “ROOT#123” under DefaultPassword in the LSA secrets (DefaultPassword is the secret Winlogon uses to hold an automatic-logon password). Is this a coincidence, or is my password stored in the DefaultPassword field?<\/p>\n

[screenshot: 2008-root]<\/p>\n

Upon changing my password the DefaultPassword did not change. This is good news: even if your initial password is saved (as it seems to be in my case), subsequent passwords are not saved in the same way. I came across this post<\/a> talking about a more serious version of this problem on Windows XP.<\/p>\n

User Accounts<\/strong><\/p>\n

Nothing interesting here:<\/p>\n

Administrator
\nGuest (disabled)<\/p>\n

Shares<\/strong><\/p>\n

The default shares are what you’d expect:<\/p>\n