Well, I don't know whether you'll call me a lamer or whatever, but I want to share this information with you, since nobody shares; well, I do. Below I pass on a document I found (on astalavista, to be precise). I have tried it and it works, though not on XP; it gives quite a few hints to get started, I think I'm learning :-p (NOTE: it's in English...)
Windows 2000 Security?
Diary of a Windows 2000 hack and the dangers.
by Avoid N F8
With special thanks going to GreyZone for technical support along the way
First of all I would like to say thank you to all of those who have come before me and taken the time to put their thoughts on paper and ideas into code to be published freely. I hope this opens up some eyes as others have opened mine. Many people have asked me why I use or am even concerned about security on a Microsoft system, and my answer is simple. When my mother can install, configure and run her business on Linux, then I won't concern myself with Windows anymore. My mother, who can't install kids' games and calls me at least three times a week for information on little things, on Linux? Yeah, right!! How many users can actually run Linux, and when I say users I mean USERS... you know, the ones that call the help desk about their coffee cup holder constantly closing. We've all heard them, yet they are the backbone of today's computer world. All of our information, that we as security administrators hold dear, at one time or another is solely in the hands of the user. Maybe it's on his laptop as he is working on it in an airport hotel. Maybe it is on his home system that he uses to telecommute. In any case it is out of our hands and in theirs, and chances are very good that it is on a Microsoft system, not on our ultra-secure Linux/Unix/NT firewall-protected web servers with tape backup and fault-tolerant RAID systems. Let's not forget about the home office user. Why should you concern yourself about them? Well, let's ask some simple questions. Does your insurance agent work out of his home? What about your stockbroker, or perhaps your banker? This is why I concern myself solely with Microsoft security. Why do I hack from a Microsoft box? That is also simple. It's because it's what my son would use, and thousands of other script kiddies out there who would have no regard for what they're doing or destroying. These are the ones we have to stop first. Because if they can find a way to compromise network security then they will undoubtedly wreak havoc by deleting everything we hold dear. Now, with that said, let's get to work.
I wanted to see how secure Windows 2000 was, so I decided to go about it as a basic NT hacker would have under NT 4.0, to see if Microsoft had closed the holes. I think you'll be as surprised as I was to see that not only did they not close the holes, they added a GAPING hole to the system. Please note that this approach was run on a Windows 2000 Professional system and will not work on a Windows 98 or 95 system. I am an MCSE, so Microsoft has seen fit to provide me with beta copies for evaluation. Below is my evaluation. They may not like it, but oh well.
The first thing I needed was a list of possible targets running Windows 2000 in a normal user/home type environment that were installed by the average user. Since this isn't a publicly released OS yet, I figured the best place to go would be the software piracy channels on IRC, better known as "warez" channels. I set up an IP scanner in these channels and by the next morning had a list of some 6000 individual IP addresses. Now, these addresses are both dial-up and full-time connections, not what I need for a fast test, so I parsed these for the first octet of "24", known to normally be cable connections or other full-time access accounts. This brought the list down to about 700. Now I needed to separate NT/2000 from Windows 98/95 machines. For this I used Winfingerprint 2.10 by email@example.com & Mike@eEye.com. This brought the list down to 213 NT/2000 machines (it is difficult at this stage to tell the difference between the two remotely). Now to start the attack.
I decided to go about this with the standard methods and programs that are available as freeware and readily obtainable, as my intent was to see if 2000 in the home environment would be safe and secure for the average user or would be a detriment to security. For this I first used CIS (formerly NTInfoScan) by David Litchfield of Cerberus Information Security.
Table 1.1 is the output that I got on a fairly consistent basis from the 2000 machines (57 of a total of approximately 78 Windows 2000 machines, or 73%, tested).
Cerberus Internet Scanner
24.?.?.? (changed to protect the innocent)
by David Litchfield
Cerberus Information Security
Share Name : IPC$
Share Type : Default Pipe Share
Comment : Remote IPC
WARNING - Null session can be established to \\24.?.?.?\IPC$
Share Name : ADMIN$
Share Type : Default Disk Share
Comment : Remote Admin
Share Name : C$
Share Type : Default Disk Share
Comment : Default share
Account Name : Administrator
The Administrator account is an ADMINISTRATOR, and the password was changed 3 days ago. This account has been used 2 times to logon. The default Administrator account has not been renamed. Consider renaming this account and removing most of its rights. Use a different account as the admin account.
Comment : Account upgraded from Windows 95 or Windows 98
User Comment :
Full name : Administrator
Account Name : Guest
The Guest account is a GUEST, and the password was changed 0 days ago. This account has been used 0 times to logon.
Comment : Built-in account for guest access to the computer/domain
User Comment :
Full name :
Account Name : USER1
The USER1 account is an ADMINISTRATOR, and the password was changed 3 days ago. This account has been used 22 times to logon.
Comment : Account upgraded from Windows 95 or Windows 98
User Comment :
Full name : USER1
WARNING Administrator's password is blank
WARNING USER1's password is blank
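As an added example (not part of the article and not code from the Cerberus tool), here is a small Python parser that reads scanner output of the kind shown in Table 1.1 and turns its share, account and WARNING lines into prioritised findings for the administrator auditing such hosts; the sample text, the address in it, the severity labels and the remediation wording are all constructed here and not taken from the page.

```python
"""Turn Cerberus Internet Scanner (CIS) output like Table 1.1 into findings.
Added example, not the article's or CIS's code; severities are my convention."""
import re

# Constructed sample modelled on the Table 1.1 output (address made up).
SAMPLE = """\
Share Name : IPC$
Share Type : Default Pipe Share
WARNING - Null session can be established to \\\\24.0.0.1\\IPC$
Share Name : C$
Share Type : Default Disk Share
Account Name : Administrator
The Administrator account is an ADMINISTRATOR, and the password was changed 3 days ago.
Comment : Account upgraded from Windows 95 or Windows 98
Account Name : USER1
The USER1 account is an ADMINISTRATOR, and the password was changed 3 days ago.
Comment : Account upgraded from Windows 95 or Windows 98
WARNING Administrator's password is blank
WARNING USER1's password is blank
"""
RANK = {"INFO": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}
KV_RE = re.compile(r"(Share Name|Account Name|Comment)\s*:\s*(.*)")
ROLE_RE = re.compile(r"The (\S+) account is an? ([A-Z]+)")
BLANK_RE = re.compile(r"WARNING (\S+)'s password is blank")


def parse_scan(text):
    """Return (shares, accounts, warnings); a Comment line belongs to the entry before it."""
    shares, accounts, warnings, current = [], {}, [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("WARNING"):
            warnings.append(line)
            continue
        kv, role = KV_RE.match(line), ROLE_RE.match(line)
        if kv and kv.group(1) == "Share Name":
            current = {"name": kv.group(2)}
            shares.append(current)
        elif kv and kv.group(1) == "Account Name":
            current = accounts[kv.group(2)] = {
                "name": kv.group(2), "admin": False, "upgraded": False, "blank": False}
        elif kv and current is not None and "upgraded from Windows 95" in kv.group(2):
            current["upgraded"] = True          # Comment line on a 9x-upgraded account
        elif role and role.group(1) in accounts:
            accounts[role.group(1)]["admin"] = role.group(2) == "ADMINISTRATOR"
    for w in warnings:                          # tie blank-password warnings to accounts
        m = BLANK_RE.match(w)
        if m and m.group(1) in accounts:
            accounts[m.group(1)]["blank"] = True
    return shares, accounts, warnings


def findings(text):
    """Prioritised (severity, finding, remediation) tuples for one host."""
    shares, accounts, warnings = parse_scan(text)
    out = []
    if any("Null session" in w for w in warnings):
        out.append(("HIGH", "null session to IPC$ accepted",
                    "restrict anonymous enumeration; block SMB at the border"))
    for s in shares:
        if s["name"].endswith("$") and s["name"] != "IPC$":
            out.append(("MEDIUM", "default share %s reachable" % s["name"],
                        "disable file and printer sharing on home workstations"))
    for name, a in accounts.items():
        if a["admin"] and a["blank"]:
            out.append(("CRITICAL", "administrator %s has a blank password" % name,
                        "set a password; a blank one lets net use connect as this account"))
        if a["admin"] and a["upgraded"]:
            out.append(("INFO", "%s kept admin rights from the Windows 9x upgrade" % name,
                        "review whether local logon only is sufficient"))
    return sorted(out, key=lambda f: RANK[f[0]], reverse=True)  # worst first, stable
```

Running `findings(SAMPLE)` on the constructed sample yields two CRITICAL blank-admin-password findings ahead of the null-session and share findings, which matches the order in which the article's author reacts to Table 1.1.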
Two things struck me as odd. First was that the Administrator's and another user's (who is also an administrator) passwords were blank. Second, that these accounts were upgraded from Windows 98 or 95, as it says in the comment field. This got me curious so I decided to study it further. I upgraded one of my 98 machines to 2000 Professional. This machine was in a peer-to-peer workgroup with Windows logon set as the primary network logon. The upgrade process and how smoothly it went impressed me. I upgraded this, like a normal user would, by hitting OK to every prompt and was impressed at how little it asked me. It went through the install and rebooted, coming to a screen that asked me to set a password for all new Windows 2000 accounts. It showed me a list of accounts it said were created in the upgrade and that I should type a password to be used for all of the listed accounts. Being the typical user and remembering the hint from my Windows 98 install about passwords saying something like "hint: if you don't want to see this screen again then just hit enter", I hit [ENTER]. Sure enough, the OK key was highlighted and it brings up a window stating that I have not entered a password and it is unsafe to set a blank password on accounts that have full access to my computer. Am I sure I want to do this? Hmm... (typical user mode on) No one ever gets in my house and uses my computer that I don't want to, and I don't like entering passwords. Again remembering the hint from 98, I hit [ENTER]. Logon screen. Now I have two accounts set up with administrative access to this machine with blank passwords. This test was again confirmed when I had three other normal users (not computer wizards) upgrade the same machine from 98 to 2000, each time resulting in 2 accounts without passwords. Hmm, I don't like this at all. I must remember to post a company-wide memo about this so my users don't make this mistake at home. For now let's get back to the attack.
Well, back to the attack, and even more security flaws.
Next I connected to these machines through a session by going to DOS and typing:
net use \\machineIP\ipc$ "" /user:Administrator
This opens a session to the machine, telling it that I am the Administrator and giving it the blank password "". I received the following results:
C:\>net use \\24.?.?.?\IPC$ "" /user:Administrator
The command completed successfully.
I am now connected to this machine as an administrator and could map the drives and browse them as I would my own... nothing unusual so far, except Microsoft hasn't cleaned up the old security holes... they are still there and kicking. Determined to go on and try to find something good about 2000, I dig deeper.
Next I open Computer Management (photo 1.2) and connect to his machine. Hmm, I can't add accounts, it seems, as Local Users and Groups is disabled remotely (BRAVO).
This out of the way, I dive deeper into Computer Management and find that Disk Management is also inaccessible, so I can't format his drives remotely (again, bravo). So I dig deeper, and then under Services I notice Telnet (photo 1.3). Microsoft set this item to be installed by default on Windows 2000 Professional? Why does a workstation user need a telnet server by default? It seems to me that this should be an option to be installed by a user when it is needed, not a default setting that the user is unaware of. It's not started by default, but it is set to log on as LocalSystem. Curious, I dove even deeper.
I look at the properties of the service (photo 1.4) and find that not only can I start the service, but I can also set it to Automatic on boot-up.
Now this service will start at boot-up and is running as LocalSystem. Hmmm, surely Microsoft did something to stop me from logging into this machine and being able to execute any command I want... They did!! Whew... it's called NTLM authentication, and telnet is set to validate by NTLM only by default. And only Windows 2000 telnet will authenticate with NTLM. What does that mean? It means that if their computer doesn't recognize who you are by your login and password and know that you're from a trusted domain, then it won't let you on their system... hmmm, bravo? ... Not quite!!! As I looked into the telnet service on my machine, I went to Administrative Tools and started the Telnet Server Administration console. Seeing the option to change the registry settings, I grew worried. Sure enough, there it is, option 7, NTLM, and setting it to 1 will authenticate with NTLM when it can, and if that fails it will use clear text, thus any telnet client will connect. To verify my suspicions I fired up regedit and was able to connect to the remote machine's registry, and there under the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0 was the key NTLM... a quick modification of the value from 2 to 1, and then I restarted the telnet server session.
A minute later and I am logged on to this machine through telnet!!!! Now I have full control over this machine, including the right to set up user accounts and format the drives (so much for the earlier bravos), as well as the right to run code on this machine, including launching attacks from this machine without the user's knowledge. A few commands later and I have a user account set up (using the net user /add command) with administrator rights (using net localgroup /add) and have created a hidden directory from which to launch attacks. Using the DOS FTP client I log on to my FTP site and download the code I need to run, and set up a schedule (using the AT command) to run the code in the early mornings so no one will notice, then FTP the results back to me... hmm, too easy... TOO DANGEROUS.
Some of you may ask why it is so dangerous to have telnet running. Well, let's say I hack into your machine and from there telnet to www.whitehouse.gov and redo the web page with an anti-government hate page telling the world how much you hate the president and wish he was dead. The server of course logs these things and the IP number they come from, which in this case is your IP, not mine. Now, two days later, while you're calmly trying to install that new scanner you just bought and reading the directions because you don't understand all this computer gibberish, there is a knock at your door by some guys in black suits. See the danger now?
In retrospect, it is my opinion that at the very least c:\winnt\system32\tlntsvr.exe should be deleted, as the average user does not need this service. Further, all accounts on the 2000 Professional OS that are upgraded from Windows 98/95 should be set to log on locally only, and file and printer sharing should be disabled. Remote registry editing and computer management should also be disabled by default, as they are in 95/98. These are the items that should not have been installed by default and should have been put in an option pack to be installed by knowledgeable users only when needed.
How many users are going to buy 2000 on its release on Feb 17th? How many will upgrade their home system or laptop to 2000? And because of this, how many machines will be vulnerable on Feb 18th?
With Internet connection speeds in today's world being faster than most small networks of 5 years ago, we have to start looking at the Internet security of the home user's computer just like it was an office computer. As a matter of fact, most home users' computers now have business information stored on them, as well as tons of other information we don't want to let out. Windows 95/98 wasn't the greatest operating system in the world, but the only way you could gain access to it was to implant a back door in the system by a Trojan horse, or if the user had installed and configured file and printer sharing and set the shares to no password. In the latter of the two this was a conscious effort by the user, and the user usually knew the consequences. Now that the user has upgraded his fairly secure machine to Windows 2000, these rights have been taken from him. He now installs file and printer sharing by default. Since the user had no password on his Windows 98 machine, he assumes that he doesn't need one in 2000 and installs without one. Now we have two administrator accounts without a password. All of the user's drives are shared and accessible to all users via the Internet and the high-speed connection that almost everyone has, either through cable connections or ADSL. To me, this shows that Microsoft is losing the end user outlook and focusing on corporate America. This in itself is not a bad thing, if it were to focus solely on corporate America. But they don't; they focus on corporate America and the end user as one huge demographic. Not every end user has a security administrator in the family they can call on to come and secure their new operating system so that their son or daughter can browse the web in privacy. Not everybody can call the family computer expert to come set their cable connection up so that they can keep the business contact list free from spying eyes, nor should they have to.
Microsoft seems to have lost sight of the end user and their security needs. They surely have lost sight of their technical ability and understanding. The installation of Telnet Server by default on a workstation shows that they have also lost sight of their software needs in the home and workplace.
What should have been done? In my opinion, if the product was upgraded from a 95 or 98 machine then 2000 should have done what an upgrade is supposed to do and installed the components needing an upgrade. If file and printer sharing and remote registry management were not installed on the old computer, then why is it installing them on the new one without asking us or even warning us of the dangers involved? This product doesn't upgrade; it overwrites all the security settings that have kept my users' information safe for the past 5 years.
Avoid N F8
Comments or suggestions may be sent to firstname.lastname@example.org
This one I haven't tried, but thinking about it I believe it could work, although the server admin would have to be a bit careless... here it goes
Johnny Hacker has a Windows NT Server at home. Why? Because he knows if he's going to hack NT he's best using the same type of computer... it gives him all the necessary tools. He has installed RAS and has a dial-up connection to the Internet. One morning, around 2:00am, he dials into the Internet... his IP address is dynamically assigned to him. He opens up a Command Prompt window and gets down to work. He knows www.company.com's web server is running IIS. How? Because he once did a search on "batch files as CGI" using Excite's search engine. That phrase is in Chapter 8 of Internet Information Server's on-line help... and unfortunately it's been indexed by Excite's spider... now Johnny has a list of around 600 web servers running IIS.
He FTPs to www.company.com. He isn't even sure yet if the server is running the FTP service. He knows if he gets a connection refused message it won't be... he's in luck though... the following appears on the screen:
Connected to www.company.com.
220 saturn Microsoft FTP Service (Version 3.0).
This connection message tells him something extremely important: the NetBIOS name of the server: SATURN. From this he can deduce the name of the anonymous Internet account that is used by NT to allow people to anonymously use the WWW, FTP and Gopher services on the machine. If the default account hasn't been changed, and he knows that it is very rare if it has been changed, the anonymous Internet account will be called IUSR_SATURN. This information will be needed later if he's to gain Administrator access to the machine. He enters "anonymous" as the user and the following appears:
331 Anonymous access allowed, send identity (e-mail name) as password.
Johnny often tries the "guest" account before using "anonymous" as the user. A fresh install of NT has the "guest" account disabled, but some admins enable this account... and the funny thing is they usually put a weak password on it such as 'guest' or no password at all. If he manages to gain access to the FTP service with this account he has a valid NT user account... everything that the "guest" account has access to, so does Johnny, and sometimes that can be almost everything. He knows he can access their site now... but there is still a long way to go yet... even at this point he still might not get access. At this point he doesn't even supply a password... he just presses enter and gets a message stating that the Anonymous user is logged in. First off he types "cd /c" because some admins will make the root of the drive a virtual FTP directory and leave the default alias name: "/c". Next he sees whether he can actually "put" any files onto the site, i.e. is the write permission enabled for this FTP site. He's in luck. Next he types "dir" to see what he has access to. He chuckles to himself when he sees a directory called "CGI-BIN". Obviously the Webmaster of the NT machine has put this here with the rest of the WWW site so he can remotely make changes to it. Johnny knows that the CGI-BIN has the "Execute" permission, so if he can manage to put any program in here he can run it from his web browser. He hopes that the Webmaster hasn't, using NTFS file-level security, cut off the anonymous Internet account's write access to this directory... even though he knows there are sometimes ways round this. He changes to the CGI-BIN directory and then changes the type to I by using the command "binary". Then he types "put cmd.exe". He's in luck... he gets the following response:
200 PORT command successful.
150 Opening BINARY mode data connection for CMD.EXE.
226 Transfer complete.
208144 bytes sent in 0.06 seconds (3469.07 Kbytes/sec)
Next he puts getadmin.exe and gasys.dll into the same directory. With these three files in place he doesn't even gracefully "close" the FTP session; he just closes the Command Prompt window. With a smile on his face he leans back and lights a smoke, savouring the moment... he knows he has them... After crunching the cigarette out in an overflowing ashtray he connects to AOL. He does this because if logging is enabled on the NT machine the IP address of AOL's proxy server will be left and not his own... not that it really matters because soon he'll edit the logfile and wipe all traces of his presence. Opening up the web browser he enters the following URL:
After about a fifteen-second wait the following appears in his web browser:
The specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are:
Congratulations , now account IUSR_SATURN have administrator rights!
He has just made the anonymous internet account a local administrator and consequently using this account he can do pretty much what he wants to. Firstly though, he has to create an account for himself that he can use to connect to the NT server using NT Explorer and most of the Administrative tools. He can't use the IUSR_SATURN account because he doesn't know the randomly generated password. To create an account he enters the following URL:
He has just created an account called "cnn" with the password "news". To make the account a local administrator he enters the following URL:
It has taken him less than ten minutes to do all of this. He disconnects from AOL and clicks on Start, goes up to Find and does a search for the computer www.company.com. After about a minute the computer is found:
Next he right-clicks on the "computer" and then clicks on Explore. NT Explorer opens and after a little wait Johnny is prompted for a user-name and password. He enters "cnn" and "news". Moments later he is connected. Admin rights for the computer www.company.com are appended to his own security access token... now he can do anything. Using User Manager for Domains he can retrieve all the account information; he can connect to the Internet Service Manager; he can view Server Manager... first though, using NT Explorer he maps a drive to the hidden system share C$. He changes to the Winnt\system32\logfiles directory and opens up the logfile for that day. He deletes all of the log entries pertaining to his "visit" and saves it. If he gets any message about sharing violations all he has to do is change the date on the computer with the following URL:
Next, using the Registry Editor he connects to the registry on the remote computer. Then using L0phtcrack he dumps the SAM (the Security Accounts Manager, which holds account info) on the NT server and begins cracking all the passwords on the machine. Using the Task Manager he sets the priority to Low because L0phtcrack is fairly processor intensive (NB L0phtcrack ver 2.0 sets the priority to Low anyway) and there are still a few things he must do to hide the fact that someone has gained entry. He deletes cmd.exe, getadmin.exe and gasys.dll from the cgi-bin, then he checks the security event log for the remote NT server using Event Viewer to see if he's left any traces there. Finally, using User Manager for Domains he removes admin rights from the IUSR_SATURN account and deletes the cnn account he created a few moments earlier. He doesn't need this account anymore... L0phtcrack will be able to brute force all the accounts. Next time he connects to this machine it will be using the Administrator account. He breaks his connection to the Internet and sets L0phtcrack's priority to High, leaves it running and heads to bed... Looking at his alarm clock: it's just past 2:30am... Sighing to himself, he mumbles, "Sheesh, I'm getting slow!" and falls asleep with a grin on his face.
This one is more of a story, but well, it's interesting to read. I hope you like it, and if you don't, hit the back arrow, but don't insult me :-|