Recommendations for Administrators
Windows 95 & NT Denial of Service Attacks
Files

Attacks:
- Ping of Death
- Jolt/SSPING
- land.c
- Out Of Band (Winnuke)

Fixes:
- The Ping of Death fix is included within Service Pack 3
- Teardrop2 Fix for NT
- IP DoS Attack Patch for 95 Winsock 1.1
- IP DoS Attack Patch for 95 Winsock 2
- vtcpupd.exe (also needed for 95)
- Linux patch
WinNT Simple TCP/IP Services -- Windows NT Denial of Service Attack
Files

A malicious attack may be mounted against Windows NT computers with the Simple TCP/IP Services installed. The attack is a flood of UDP datagrams sent to the subnet broadcast address with the destination port set to 19 (chargen) and a spoofed source IP address. Every Windows NT computer running Simple TCP/IP Services answers each broadcast datagram, and all of those answers go to the spoofed source, so a single datagram from the attacker turns into one reply from every NT host on the subnet.

Symptoms: while the attack is under way there may be a jump in bandwidth utilization on a subnet containing Windows NT computers, and performance may suffer. A network analyzer shows a large amount of UDP traffic, typically from port 19 (chargen).

Microsoft's Chargen Fix
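The amplification described above, as an added example that is not part of the original page or of Microsoft's fix: a small detector run over constructed flow records. It flags UDP datagrams aimed at the local broadcast address on port 19, notes whether their source lies off the subnet (spoofed, or a directed broadcast the router let through), and measures how many chargen replies each "sender" received per trigger. The subnet 10.57.8.0/24 and the flow records are assumptions made for the example.

```python
import ipaddress
from collections import Counter

CHARGEN_PORT = 19
NT_SUBNET = ipaddress.ip_network('10.57.8.0/24')   # assumed subnet holding the NT hosts

# Constructed flow records (src_ip, src_port, dst_ip, dst_port, proto); not a real capture.
SAMPLE_FLOWS = [
    ('192.0.2.7', 4000, '10.57.8.255', 19, 'udp'),      # one spoofed datagram to the broadcast
    ('10.57.8.11', 19, '192.0.2.7', 4000, 'udp'),       # every NT host running Simple TCP/IP
    ('10.57.8.12', 19, '192.0.2.7', 4000, 'udp'),       # Services answers the apparent sender
    ('10.57.8.13', 19, '192.0.2.7', 4000, 'udp'),
    ('10.57.8.190', 1030, '10.57.14.154', 53, 'udp'),   # ordinary traffic, ignored
    ('10.57.14.154', 53, '10.57.8.190', 1030, 'udp'),
]


def chargen_report(flows, subnet=NT_SUBNET):
    """Summarise chargen broadcast triggers and the reply flood they cause."""
    bcast = str(subnet.broadcast_address)
    triggers = [f for f in flows
                if f[4] == 'udp' and f[2] == bcast and f[3] == CHARGEN_PORT]
    # A datagram to the local broadcast whose source is off-subnet is either spoofed
    # or a directed broadcast admitted by the router; both deserve attention.
    off_subnet = sorted({f[0] for f in triggers
                         if ipaddress.ip_address(f[0]) not in subnet})
    # Replies: UDP from port 19 on a subnet host, counted per destination ("victim").
    replies = Counter(f[2] for f in flows
                      if f[4] == 'udp' and f[1] == CHARGEN_PORT
                      and ipaddress.ip_address(f[0]) in subnet)
    # Amplification: replies seen per trigger that carried the victim as its source.
    amplification = {}
    for victim, n in replies.items():
        sent = sum(1 for t in triggers if t[0] == victim)
        amplification[victim] = n / sent if sent else float('inf')
    return {'triggers': len(triggers), 'off_subnet_sources': off_subnet,
            'replies_to': dict(replies), 'amplification': amplification}


if __name__ == '__main__':
    print(chargen_report(SAMPLE_FLOWS))
```

With three NT hosts answering, one spoofed datagram yields an amplification of 3 toward the victim; on a populated subnet the ratio is the number of hosts still running Simple TCP/IP Services. Apply the fix, remove the service where it is not needed, and drop directed broadcasts at the router.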
CrashNT -- NTFS Attack
Related

The program, developed by Martin Stiemerling, runs in a command window and takes a single parameter: the drive letter of an NTFS partition. Example command line: "crash d:". Martin says the NTFS partition must contain at least one file for the program to work.

CrashNT
SYN Flood -- Windows NT Denial of Service Attack
Related

A TCP connection request (SYN) is sent to the target computer. The source IP address in the packet is "spoofed": replaced with an address that is not in use on the Internet, or that belongs to another computer. An attacker sends many of these TCP SYNs to tie up as many resources as possible on the target. On receiving a connection request, the target allocates resources to handle and track the new connection, then responds with a SYN-ACK. Here the response goes to the spoofed, non-existent address, so no reply to the SYN-ACK ever arrives. A default-configured Windows NT 3.5x or 4.0 computer retransmits the SYN-ACK 5 times, doubling the time-out after each retransmission. The initial time-out is three seconds, so the retransmissions follow after waits of 3, 6, 12, 24 and 48 seconds. After the last retransmission, 96 more seconds pass before the computer gives up on a response and frees the resources set aside for the connection. The resources are therefore in use for a total of 189 seconds per spoofed SYN.

How to Verify Your Computer is Under a SYN Attack

If you suspect that your computer is the target of a SYN attack, type the following command at a command prompt to view connections in the SYN_RECEIVED state:
netstat -n -p tcp
This command may cause the following text to appear on your screen:
Active Connections
Proto Local Address Foreign Address State
TCP 127.0.0.1:1030 127.0.0.1:1032 ESTABLISHED
TCP 127.0.0.1:1032 127.0.0.1:1030 ESTABLISHED
TCP 10.57.8.190:21 10.57.14.154:1256 SYN_RECEIVED
TCP 10.57.8.190:21 10.57.14.154:1257 SYN_RECEIVED
TCP 10.57.8.190:21 10.57.14.154:1258 SYN_RECEIVED
TCP 10.57.8.190:21 10.57.14.154:1259 SYN_RECEIVED
TCP 10.57.8.190:21 10.57.14.154:1260 SYN_RECEIVED
TCP 10.57.8.190:21 10.57.14.154:1261 SYN_RECEIVED
TCP 10.57.8.190:21 10.57.14.154:1262 SYN_RECEIVED
TCP 10.57.8.190:21 10.57.14.154:1263 SYN_RECEIVED
TCP 10.57.8.190:21 10.57.14.154:1264 SYN_RECEIVED
TCP 10.57.8.190:21 10.57.14.154:1265 SYN_RECEIVED
TCP 10.57.8.190:21 10.57.14.154:1266 SYN_RECEIVED
TCP 10.57.8.190:4801 10.57.14.221:139 TIME_WAIT
If a large number of connections are in the SYN_RECEIVED state, it is possible that the system is under attack. A network analyzer can be used to track the problem down further, and it may be necessary to contact your Internet Service Provider for assistance in tracing the source. The effect of tying up connection resources varies with the TCP/IP stack and the applications listening on the TCP port. Most stacks limit the number of connections that can be in the half-open (SYN_RECEIVED) state; once the limit is reached for a given TCP port, the target responds with a reset to all further connection requests until resources are freed.

Neptune SYN Attack
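The check described above, turned into a script as an added example (not code from the original page): it parses the output of `netstat -n -p tcp`, counts half-open connections per local port and per foreign address, and computes the retransmission schedule that makes each spoofed SYN cost 189 seconds of state. The listing embedded below is the one shown on this page, retyped as a constructed sample; the threshold of 10 is an assumption.

```python
import re
from collections import Counter

# Constructed sample: the listing shown above, as netstat -n -p tcp prints it.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1030         127.0.0.1:1032         ESTABLISHED
  TCP    127.0.0.1:1032         127.0.0.1:1030         ESTABLISHED
  TCP    10.57.8.190:21         10.57.14.154:1256      SYN_RECEIVED
  TCP    10.57.8.190:21         10.57.14.154:1257      SYN_RECEIVED
  TCP    10.57.8.190:21         10.57.14.154:1258      SYN_RECEIVED
  TCP    10.57.8.190:21         10.57.14.154:1259      SYN_RECEIVED
  TCP    10.57.8.190:21         10.57.14.154:1260      SYN_RECEIVED
  TCP    10.57.8.190:21         10.57.14.154:1261      SYN_RECEIVED
  TCP    10.57.8.190:21         10.57.14.154:1262      SYN_RECEIVED
  TCP    10.57.8.190:21         10.57.14.154:1263      SYN_RECEIVED
  TCP    10.57.8.190:21         10.57.14.154:1264      SYN_RECEIVED
  TCP    10.57.8.190:21         10.57.14.154:1265      SYN_RECEIVED
  TCP    10.57.8.190:21         10.57.14.154:1266      SYN_RECEIVED
  TCP    10.57.8.190:4801       10.57.14.221:139       TIME_WAIT
"""

# One TCP row: proto, local ip:port, foreign ip:port, state.
ROW = re.compile(r'^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$')


def parse_netstat(text):
    """Return (local_ip, local_port, foreign_ip, foreign_port, state) per TCP row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            lip, lport, fip, fport, state = m.groups()
            rows.append((lip, int(lport), fip, int(fport), state))
    return rows


def half_open_summary(rows):
    """Count SYN_RECEIVED entries in total, per local port and per foreign address."""
    syn = [r for r in rows if r[4] == 'SYN_RECEIVED']
    return {'total': len(syn),
            'by_local_port': Counter(r[1] for r in syn),
            'by_foreign_ip': Counter(r[2] for r in syn)}


def looks_like_syn_attack(rows, threshold=10):
    """Heuristic from the text: many half-open entries, typically piled on one port."""
    return half_open_summary(rows)['total'] >= threshold


def syn_ack_schedule(initial=3, retransmissions=5):
    """NT 3.5x/4.0 defaults: waits between SYN-ACK retransmissions (3, 6, 12, 24, 48 s),
    then one last doubled wait (96 s) before the half-open entry is freed: 189 s total."""
    waits = [initial * 2 ** i for i in range(retransmissions)]
    final_wait = initial * 2 ** retransmissions
    return waits, sum(waits) + final_wait


if __name__ == '__main__':
    rows = parse_netstat(SAMPLE_NETSTAT)
    print(half_open_summary(rows), looks_like_syn_attack(rows), syn_ack_schedule())
```

On a live system feed it the real output (`netstat -n -p tcp > syn.txt`) and watch `by_foreign_ip`: a flood from one spoofed address is obvious, while a distributed one shows up only in `total` and `by_local_port`.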
RedButton -- Windows NT Exploit
Related

NTSecurity description: RedButton
- logs on remotely to a target computer without presenting any user name or password;
- shows that unauthorized access can be obtained to sensitive information stored in the file system and registry and made available to the Everyone group;
- determines the current name of the built-in Administrator account (so renaming it alone is no defence);
- reads several registry entries (for example, it displays the name of the Registered Owner);
- lists all shares, including the hidden ones;
- shows that the identifier Everyone includes not only legitimate users of the network but, literally, everyone.

RedButton
Microsoft RedButton Fix
Lan Manager Authentication Exploit
Related

Windows NT supports two types of challenge/response authentication:
- LanManager (LM) challenge/response
- Windows NT challenge/response

To allow access to servers that only support LM authentication, Windows NT clients currently send both authentication types. Here is a description of the exchange that takes place over the network when a client, such as a Windows 95 machine, connects to an NT Server.
[assuming initial setup etc...]
8byte "random" challenge
Client <---------------------- Server
OWF1 = pad Lanman OWF with 5 nulls
OWF2 = pad NT OWF with 5 nulls
resp = E(OWF1, Chal) E(OWF2, Chal)
48byte response (24byte lanman 24byte nt)
Client -----------------------> Server
The client takes the 16-byte OWF and pads it with 5 nulls to 21 bytes, splits those 21 bytes into three 7-byte DES keys, and DES-ECB encrypts the 8-byte challenge under each key. The resulting 24-byte string is sent to the server, which performs the same operations on the OWF stored in its registry and compares the two 24-byte strings. If they match, the user supplied the correct password. This is done for both OWFs, which is why the response is 48 bytes: 24 for LM and 24 for NT.

Using l0phtcrack 1.5's sniffer to capture NT logons, you can recover the plaintext passwords: the cracker hashes candidate passwords, computes the 24-byte response each would give for the captured challenge, and reports a match. This does not require an account on the NT machine, nor prior knowledge of the Administrator password. So even if you have installed Service Pack 3 and enabled SAM encryption (SYSKEY), your passwords are still vulnerable whenever they are used over the network.
Microsoft developed a patch that supports a new registry value, allowing clients to be configured to send only Windows NT authentication. The value was added under the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
Value: LMCompatibilityLevel
Value Type: REG_DWORD - Number
Valid Range: 0, 1, 2
Default: 0
Description: specifies the type of authentication to be used.

Level 0: Send LM and Windows NT authentication (default).
Level 1: Send Windows NT authentication, and LM authentication only if the server requests it.
Level 2: Never send LM authentication.

If a Windows NT client selects level 2, it cannot connect to servers that support only LM authentication, such as Windows 95 and Windows for Workgroups. (Service Pack 4 later extended the valid range to 0-5, adding the NTLMv2 levels.)

l0pthcrack 1.5
Microsoft Password Filter Information
Disable LM Fix
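The exchange in the diagram above, worked through in code as an added example that is not part of the original page or of l0phtcrack. It computes the NT OWF (MD4 over the UTF-16LE password; MD4 is written out here because many Python builds no longer ship it), pads it with 5 nulls, cuts the 21 bytes into three DES keys and encrypts the challenge under each, and shows the cracker's loop over candidate passwords. The DES step assumes pycryptodome is installed; the hash and key-schedule functions run without it. The candidate list and challenge are constructed.

```python
import struct

try:
    from Crypto.Cipher import DES      # pycryptodome, assumed available for the DES step
except ImportError:
    DES = None

MASK32 = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, implemented inline so the NT OWF works without an OpenSSL legacy provider."""
    msg = bytearray(data) + b'\x80'
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack('<Q', (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # boolean function, message-word order, rotation amounts, round constant
        (lambda x, y, z: (x & y) | (~x & z), tuple(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack('<16I', bytes(msg[off:off + 64]))
        a, b, c, d = h
        for fn, order, shifts, const in rounds:
            for i, k in enumerate(order):
                t = (a + fn(b, c, d) + X[k] + const) & MASK32
                a, b, c, d = d, _lrot(t, shifts[i % 4]), b, c
        h = [(v + w) & MASK32 for v, w in zip(h, (a, b, c, d))]
    return struct.pack('<4I', *h)


def nt_owf(password: str) -> bytes:
    """NT OWF: unsalted MD4 over the UTF-16LE password."""
    return md4(password.encode('utf-16-le'))


def des_key_from_7(k7: bytes) -> bytes:
    """Spread 56 key bits over 8 bytes, 7 bits each, with the low bit set for DES odd parity."""
    bits = int.from_bytes(k7, 'big')
    key = bytearray()
    for i in range(8):
        b = ((bits >> (49 - 7 * i)) & 0x7F) << 1
        key.append(b | (1 if bin(b).count('1') % 2 == 0 else 0))
    return bytes(key)


def owf_to_des_keys(owf16: bytes):
    """Pad the 16-byte OWF with 5 nulls and cut the 21 bytes into three DES keys.
    The third key is 2 hash bytes plus 5 nulls: only 16 unknown bits, which a cracker
    can exhaust on its own to learn the last two hash bytes before touching the rest."""
    padded = owf16 + b'\x00' * 5
    return [des_key_from_7(padded[i:i + 7]) for i in (0, 7, 14)]


def _des_ecb(key8: bytes, block8: bytes) -> bytes:
    if DES is None:
        raise RuntimeError('pycryptodome is required for the DES step')
    return DES.new(key8, DES.MODE_ECB).encrypt(block8)


def challenge_response(owf16: bytes, challenge: bytes) -> bytes:
    """24-byte reply: E(K1, chal) || E(K2, chal) || E(K3, chal), as in the diagram."""
    if len(challenge) != 8:
        raise ValueError('challenge must be 8 bytes')
    return b''.join(_des_ecb(k, challenge) for k in owf_to_des_keys(owf16))


def lm_owf(password: str) -> bytes:
    """LanManager OWF: uppercase, null-pad or truncate to 14 bytes, DES-encrypt the
    constant KGS!@#$% under each 7-byte half (ASCII passwords assumed)."""
    p = password.upper().encode('ascii')[:14].ljust(14, b'\x00')
    return b''.join(_des_ecb(des_key_from_7(p[i:i + 7]), b'KGS!@#$%') for i in (0, 7))


def crack_nt_response(challenge: bytes, response: bytes, candidates):
    """What a sniffer-fed cracker does: recompute the NT response for each candidate
    password against the captured challenge and stop at the first match."""
    for pw in candidates:
        if challenge_response(nt_owf(pw), challenge) == response:
            return pw
    return None


if __name__ == '__main__':
    chal = bytes.fromhex('0123456789abcdef')          # constructed 8-byte challenge
    captured = challenge_response(nt_owf('password'), chal)
    print(crack_nt_response(chal, captured, ['letmein', 'Password1', 'password']))
```

The LM half is the weaker one to attack: it is built from the uppercased password in two independent 7-byte halves, so a captured LM response falls to two short searches, and the NT half then only has to be confirmed. That is what LMCompatibilityLevel 2 removes from the wire.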
SMB Downgrade -- Windows NT Exploit
Files

When a Microsoft networking client creates a new connection to an NT Server, another computer on the same physical network can "spoof" the client into sending a clear-text password to the NT Server, bypassing all password encryption and exposing the client's clear-text password to any other device on the same physical network. The C2MYAZZ program runs on a Windows system loaded with Novell ODI-style drivers running in promiscuous mode. Once active, it listens for SMB protocol negotiations and, on detecting one, sends a single packet to the client instructing it to downgrade its connection attempt to clear-text authentication, at which point the client silently obeys and sends its password in readable text. The program then grabs the password as it travels over the wire and displays it on the screen. The client still connects to the NT Server successfully, and the user remains none the wiser that their password has just been captured.

C2MYAZZ
Disable LM Fix
GETADMIN -- Windows NT Exploit

Getadmin.exe works because of a problem in a low-level kernel routine that causes a global flag to be set, which allows calls to NtOpenProcessToken to succeed regardless of the current user's permissions. This in turn allows a user to attach to any process running on the system, including a process running in the system's security context, such as WinLogon. Once attached to such a process, a thread can be started in the security context of that process. In the specific case of GetAdmin, it attaches to the WinLogon process, which runs in the system's security context, and makes standard API calls that add the specified user to the Administrators group.

Note that any account granted the "Debug Programs" right will always be able to run Getadmin.exe successfully, even after the hotfix, because that right lets a user attach to any process. "Debug Programs" is initially granted to Administrators and should only be granted to fully trusted users. Likewise, if Getadmin.exe is run from an account that is already a member of the local Administrators group, it still works after the hotfix; this is by design, since members of the Administrators group always have the rights to make the calls GetAdmin needs.

GETADMIN
GETADMIN Fix
Double Dot -- Windows NT IIS 3.0 Exploit

A URL such as http://www.domain.com/..\.. lets you browse and download files outside the web server's content root directory, and a URL such as http://www.domain.com/scripts..\..\scriptname lets you execute the target script. By default the Guest user, or IUSR_WWW, has read access to all files on an NT disk, so these files can be browsed, executed or downloaded by wandering guests. The "double dot" bug allows an intruder to access any file on the same partition as your wwwroot directory (assuming the IIS user has permission to read it), and to execute any executable on the same partition as your scripts directory (assuming the IIS user has permission to execute it). If cmd.exe can be executed, the intruder can run any command and read any file on any partition that the IIS user has permission to read or execute.

Microsoft IIS 3.0 Service Pack 3 Fix
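Why the backslash form gets past a naive traversal check, shown as an added example that is not code from the page or from IIS: a check that only rejects "../" accepts "..\..", while a check that first maps the request path to a file system path the way the server does (treating "\" like "/", decoding percent-escapes, collapsing ".." segments) and then confirms the result is still under the content root rejects it. The content root and the request paths below are assumptions made for the example.

```python
import posixpath
from urllib.parse import unquote

WWWROOT = '/inetpub/wwwroot'   # assumed content root, written with forward slashes


def naive_is_safe(url_path: str) -> bool:
    """The kind of check the double-dot bug slips past: it only knows about '../'."""
    return '../' not in url_path


def resolve(url_path: str, root: str = WWWROOT) -> str:
    """Map a request path to the file system path the server would actually open:
    '\\' counts as '/', percent-escapes are decoded, and '.'/'..' segments collapse."""
    p = unquote(url_path).replace('\\', '/')
    return posixpath.normpath(posixpath.join(root, p.lstrip('/')))


def hardened_is_safe(url_path: str, root: str = WWWROOT) -> bool:
    """Decide on the resolved path, not the raw string: it must stay inside root."""
    full = resolve(url_path, root)
    return full == root or full.startswith(root + '/')


# Constructed requests: legitimate ones and the traversal forms from the text.
REQUESTS = [
    '/default.htm',
    '/scripts/query.asp',
    '/..\\..\\winnt\\win.ini',          # double dot with backslashes
    '/../../winnt/win.ini',             # same thing with forward slashes
    '/%2e%2e/%2e%2e/winnt/win.ini',     # percent-encoded dots
]


def compare_checks(requests=REQUESTS):
    """Return {request: (naive verdict, hardened verdict)} for each constructed path."""
    return {r: (naive_is_safe(r), hardened_is_safe(r)) for r in requests}


if __name__ == '__main__':
    for req, (naive, hard) in compare_checks().items():
        print(f'{req!r:40} naive={naive!s:5} hardened={hard!s:5} -> {resolve(req)}')
```

The prefix test appends a separator so that a sibling directory such as /inetpub/wwwroot2 does not count as inside the root. Normalising first and deciding last is the general rule; rejecting a single spelling of ".." is what this bug exploited.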
ASP Exploit -- Windows NT Active Server Page Exploit

Description: to download an unprocessed ASP file, simply append a period to the .asp URL. For example, http://www.domain1.com/default.asp becomes http://www.domain1.com/default.asp. (note the trailing period). With the period appended, Internet Information Server (IIS) sends the unprocessed ASP file to the web client, where its source can be examined at will. If the source includes any credential used to reach other system processes, such as a SQL database, it is revealed.
Index Server Exploit -- Windows NT IIS 3.0 Exploit

If the system administrator has left the default sample files on the Internet Information Server, a hacker has the opportunity to narrow down the search for a user name and password. A simple query of a popular search engine shows about four hundred web sites that still have barely modified versions of the sample files installed and available.

The file is called queryhit.htm. Many webmasters have neglected to restrict the search fields to certain directories and to keep the search away from the script directories.

Once such a site is located, a search can easily narrow down the files a hacker needs to find a user name and password. Using the sample search page it is easy to ask only for script files (.asp or .idc files, Cold Fusion scripts, even .pl files are good) that contain the word "password".

The URL the hacker tries is http://servername/samples/search/queryhit.htm, followed by a search such as "#filename=*.asp".

When the results are returned, one can not only link to the files but also look at the "hits" by clicking the "view hits" link, which uses the webhits program. This program bypasses the security IIS sets on script files and displays their source.

Even if the original samples were never installed or have been removed, a hole remains that allows the script source to be read. If the server has Service Pack 2 fully installed (including Index Server) it will also have webhits.exe at

http://servername/scripts/samples/search/webhits.exe

This URL can be prefixed to another URL on the same server to display the contents of that script.

To protect your server, remove the webhits.exe file from the server, or at least from its default directory. Also customize your server's search pages and scripts (.idq files) so that they only search what you intend, such as plain .HTM or .HTML files. Index Server is a wonderful product, but be sure you have configured it properly.
IIS Denial of Service -- Windows NT IIS 3.0 Exploit

Use a telnet application to connect to the web server on HTTP port 80 and type "GET ../..".
NetBIOS Tools Programs

NBTSTAT reports NetBIOS statistics and connections over TCP/IP.
NBTSTAT -A lists the remote machine's name table given its IP address.

How can this information be a security risk? If a Microsoft Windows 95 or NT Internet user has shared their local drive, their information is vulnerable. Try:

Nbtstat -a nodename
Nbtstat -A ipaddress

If you get "Host not found.", the machine did not answer the NetBIOS name query, so it is not exposing NetBIOS file sharing over TCP/IP to you.

If you get a name table such as:

NetBIOS Remote Machine Name Table
Name            Type     Status
------------------------------------------
COMPUTERNAME    <00>     UNIQUE    Registered
WORKGROUP       <1E>     GROUP     Registered
MAC Address = 00-00-00-00-00-00

the system may be vulnerable. To verify the vulnerability, add the IP address and COMPUTERNAME to LMHOSTS:

Windows 95 machines: C:\WINDOWS\LMHOSTS
Windows NT machines: C:\WINNT\SYSTEM32\DRIVERS\ETC\LMHOSTS

Example LMHOSTS:
123.123.123.123 COMPUTERNAME
234.234.234.234 NEXTCOMPUTER

Now click Start, Find, Computers and search for the COMPUTERNAME added in the LMHOSTS file. Once the computer is located, you will see the available shares. Users should not grant the group Everyone Full Control; this is a major security risk.

NetBIOS Security Kit v1.0: nat is a tool written to perform various security checks on systems offering the NetBIOS file sharing service. nat will attempt to retrieve all information available from the remote server, and attempt to access any services provided by the server.

sharepw: this program takes an "encrypted" Windows 95 share password and decrypts it. Look at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan to find a machine's shares. Within the data for each share are two registry entries, Parm1enc and Parm2enc. Parm1enc is the "Full access" password; Parm2enc is the "Read only" password.
Password Crackers for Microsoft Products

- l0pthcrack 1.5 (see Lan Manager Authentication Exploit)
- 95sscrk: Microsoft Windows 95 Screen Saver Cracker (includes a Windows 3.1 Screen Saver Cracker too)
- wordcrk: Microsoft Word Password Cracker
- Glide: Windows 95 .PWL Password Cracker
- Revelation: Windows 95 Password Cracker
- Scannt from NTSecurity.com: the NT Administrator account does not have the account lockout feature that other user accounts do. If Administrator is allowed to log on from the network, a share or service can be attacked with password guessing without fear of account lockout. This attack can go unnoticed, as failed logons are not logged in the Event Viewer by default.
TCP/UDP Port Scanners and Listeners

- Skream's Port Listener
- Packetboy Sniffer
- Hobbit's Netcat (runs under NT)
- Asmodeus

NTInternals Programs

- NTFSDOS v2.0: allows you to boot a DOS diskette and read an NTFS partition
- NTRegmon v3.2: displays all registry activity taking place on a Windows NT system
- NTFilemon v3.1: displays all file activity taking place on a Windows NT system
- NTRecover (evaluation): NT machines that fail to boot because of data corruption, improperly installed software or hardware, or faulty configuration can be accessed and recovered using standard administrative tools, as if the machine were up and running, from an adjacent NT-based computer connected by a serial cable
- Linux NTFS Driver: the NT secured file system (NTFS) can be read from Linux, bypassing file system security
Microsoft Windows NT 4.0 Service Packs and Hotfixes

Securing Windows NT
Windows NT Service Pack 3
Post Service Pack 3 HotFixes

Some of these HotFixes only apply to specific services, applications, or configurations. Do not simply apply every HotFix you can find: each is made to fix a particular problem, and on systems that do not meet the criteria of that problem the results may be unpredictable.

- 2Gcrash: only on machines where RAM exceeds 1.7 GB
- IDE Fix: if your computer supports the shut down and power down feature and you are experiencing "CHKDSK runs as your computer starts and reports a dirty volume" or a "Blue Screen"
- Joystick Fix: fixes a foot pedal calibration problem when attached to the game port
- NDIS Fix: fixes an NDIS miniport driver problem
- Pent Fix: Intel processor invalid instruction fix
- Roll Up Fix: group of hotfixes for Exchange 5.5 and IIS 4.0
- SAG Fix: EBCDIC character fix
- DNS fix: only on machines running Microsoft DNS
- IIS fix: only on machines running Microsoft Internet Information Server versions 2.0 and 3.0
- LSA fix: fixes a problem that occurs when a remote client connects to the Local Security Authority over a named pipe and passes an incorrect buffer size (fragment length)
- ASP fix: only on machines running Active Server Pages version 1.0b on Microsoft Internet Information Server (IIS) version 3.0
- ASP fix: only on machines running Microsoft Internet Information Server (IIS) version 4.0
- LM fix: only to disable LanMan password hashes being sent
- GetAdmin fix: stops the getadmin attack described on this page; includes the java-fix and dblclick-fix
- SimpTCP fix: stops the Chargen Denial of Service attack
- Wins fix: only on machines running the WINS service
- SCSI fix: SCSI fault tolerant systems fix
- Zip fix: only on machines with Zip drives
- wan fix: fixes a problem copying files via RAS over SLIP
- winsupd fix: fixes a problem with invalid UDP frames directed to any computer running WINS
- Teardrop 2 Fix for NT: includes the OOB, ICMP, and LAND Denial of Service fixes
Microsoft Windows 95 Service Packs and Hotfixes

- Windows 95 Service Pack 1
- Windows 95 Password List Update
- Windows 95 Winsock2 Upgrade
- IP DoS Attack Patch for 95 Winsock 1.1
- IP DoS Attack Patch for 95 Winsock 2
- vtcpupd.exe (also needed for 95)