The Hack FAQ

15.0 NT Client Attacks


This section deals with attacking NT remotely.


15.1 What is GetAdmin.exe and Crash4.exe?

GetAdmin.exe is a program written by Konstantin Sobolev. It exploits a subfunction in NtAddAtom that does not check the address of the output. By altering where the output can be written to, GetAdmin adds a user to the Administrators group. It works on NT 4.0.

The easiest way to use it is to simply copy it to \TEMP (along with its DLL, GASYS.DLL) and run it like so: GETADMIN GUEST (or whatever account you wish to add).

This will add Guest to the Administrators group.

GetAdmin will add domain accounts on a primary domain controller and even other domain accounts. Since it is a command line tool, it will work across a telnet session if you've uploaded it to the target.

There is a post SP3 Hot Fix available from Microsoft that defeats this if loaded.

Crash4.exe will allow GetAdmin to work on SP3 patched machines. Simply run Crash4 and followed by GetAdmin as previously mentioned. Crash4 rearranges a few things on the stack to allow GetAdmin to work.

15.2 Should I even try for local administrator access?

Oh yes. A lot of NT administrators do not understand that when an NT box joins a domain, if they left that administrator password blank, it doesn't get "filled in" or "overwritten". Belonging to a domain does NOT turn off local users.

If you gain local administrator, try some of these tricks (these will work with the default settings after installation on the target):

15.3 I have guest remote access. How can I get administrator access?

The easiest way is to run GetAdmin as mentioned above, but here is an older tricks for basic NT 3.51, which as some has some stuff read/writeable by default. You could edit the association between an application and the data file extension using regedt32. First off, you should write a Win32 app that does nothing but the following -

net user administrator biteme /y
notepad %1 %2 %3 %4 %5

In a share you have read/write access to, upload it. Now change the association between .txt files and notepad to point to the location of the uploaded file, like \\ThisWorkstation\RWShare\badboy.exe.

Now wait for the administrator to launch a text file by double clicking on it, and the password becomes "biteme".

Of course, if the Sys Admin is smart they will have removed write permission from Everyone for HKEY_CLASSES_ROOT, only giving out full access to creator\owner.

15.4 What about %systemroot%\system32 being writeable?

Well, this can be exploited on NT 4.0 by placing a trojaned FPNWCLNT.DLL in that directory. This file typically exists in a mixed NT/Netware environment. First compile the exploit code written by Jeremy Allison ([email protected]) and call the resulting file FPNWCLNT.DLL. A pointer to the exploit code is in the Resources section. Now wait for the user names and passwords to get written to a file in \temp.

If you load this on a Primary Domain Controller, you'll get EVERYBODY'S password. You have to reboot the server after placing the trojan in %systemroot%\system32.

ISS (www.iss.net) has a security scanner for NT which will detect the trojan DLL, so you may wish to consider adding in extra junk to the above code to make the size of the compiled DLL match what the original was, and using a CRC matcher program (several exist on the Internet) to make the CRC between the trojan and the real version match. This will prevent the current shipping version of ISS's NT scanner from picking up the trojan.

It should be noted that by default the group Everyone has default permissions of "Change" in %systemroot\system32, so any DLL that is not in use by the system could be replaced with a trojan DLL that does something else.

15.5 What if the permissions are restricted on the server?

By default the NT administrator account does not have a lockout feature like normal users accounts, to prevent a denial-of-service attack on the administrator account. Since failed logins are not logged by default, you could possibly gain administrator access by sheer brute force.

If the Sys Admin runs passprop.exe they can turn on the lockout feature of Administrator.

15.6 What exactly does the NetBios Auditing Tool do?

Developed by Secure Networks Inc., it comes in pre-compiled Win32 binary form as well as the complete source code. It is the "SATAN" of NetBios based systems.

Here is a quote from Secure Networks Inc about the product -

"The NetBIOS Auditing Tool (NAT) is designed to explore the NETBIOS file-sharing services offered by the target system. It implements a stepwise approach to gather information and attempt to obtain file system-level access as though it were a legitimate local client.

"The major steps are as follows:

"A UDP status query is sent to the target, which usually elicits a reply containing the Netbios 'computer name'. This is needed to establish a session. The reply also can contain other information such as the workgroup and account names of the machine's users. This part of the program needs root privilege to listen for replies on UDP port 137, since the reply is usually sent back to UDP port 137 even if the original query came from some different port.

"TCP connections are made to the target's Netbios port [139], and session requests using the derived computer name are sent across. Various guesses at the computer name are also used, in case the status query failed or returned incomplete information. If all such attempts to establish a session fail, the host is assumed invulnerable to NETBIOS attacks even if TCP port 139 was reachable.

"Provided a connection is established Netbios 'protocol levels' are now negotiated across the new connection. This establishes various modes and capabilities the client and server can use with each other, such as password encryption and if the server uses user-level or share-level Security. The usable protocol level is deliberately limited to LANMAN version 2 in this case, since that protocol is somewhat simpler and uses a smaller password keyspace than NT.

"If the server requires further session setup to establish credentials, various defaults are attempted. Completely blank usernames and passwords are often allowed to set up 'guest' connections to a server; if this fails then guesses are tried using fairly standard account names such as ADMINISTRATOR, and some of the names returned from the status query. Extensive username/password checking is NOT done at this point, since the aim is just to get the session established, but it should be noted that if this phase is reached at all MANY more guesses can be attempted and likely without the owner of the target being immediately aware of it.

"Once the session is fully set up, transactions are performed to collect more information about the server including any file system 'shares' it offers.

"Attempts are then made to connect to all listed file system shares and some potentially unlisted ones. If the server requires passwords for the shares, defaults are attempted as described above for session setup. Any successful connections are then explored for writeability and some well-known file-naming problems [the ".." class of bugs].

"If a NETBIOS session can be established at all via TCP port 139, the target is declared 'vulnerable' with the remaining question being to what extent. Information is collected under the appropriate vulnerability at most of these steps, since any point along the way be blocked by the Security configurations of the target. Most Microsoft-OS based servers and Unix SAMBA will yield computer names and share lists, but not allow actual file-sharing connections without a valid username and/or password. A remote connection to a share is therefore a possibly serious Security problem, and a connection that allows WRITING to the share almost certainly so. Printer and other 'device' services offered by the server are currently ignored."

If you need more info on NAT, too bad, 'cause it looks like no one's mirrored it. Even so, many similar tools can be found on Packetstorm and elsewhere.

15.7 What is the "Red Button" bug?

MWC has released an exploit that allows the following to occur -- the registry of a remote machine can be accessed, a list of users AND of shares can be obtained, even if the intruder hasn't logged in.

There is a built in user called "anonymous" that is usually used for communication between machines. This exploit takes advantage of the fact that anonymous is a member of the group Everyone. Because of this, the following can be done:

Using this access a trojan could be loaded, since often the group Everyone has access to application software.

It is possible that a Sys Admin could have unbound NetBios from the interface. This would disallow some access. Typically at a security aware site you would find the machines outside the firewall, like the Web server or FTP server configured this way (and all other access blocked by the firewall. However if you compromise the machine this could be a handy partial backdoor -- especially if you are using one machine as a "drop" during an attack.

The bug can manually be done -- no exploit code needed. Try this from a 4.00 workstation:

net use \\targetserver\ipc$ "" /user:""

Now run User Manager, Event Viewer, Registry Editor, or simply use the net command to target the remote machine.

The administrator account's SID always ends in -500 (Guest is -501) so find that and you have the administrator account, even if renamed. The built-in local groups (documented and undocumented) always have the same SID, so check out your own machine first and compare -- especially if some of these have been renamed.

If all the users are moved from the Everyone group, you not be able to exploit this. For you admins out there, ISS has released a tool to automate this "move users out of Everyone" process. And admins you should check and see what shares that Everyone can get to.

The exploit code can found at http://packetstormsecurity.org/NT/audit/redbutton.nt.weakness.shower.zip.

ISS's tool can be found at http://ftp.cerias.purdue.edu/pub/tools/windows/everyone2user.exe.

15.8 What about forging DNS packets for subversive purposes?

Sure. ;-)

By forging UDP packets, NT name server caches can be compromised. If recursion is allowed on the name server, you can do some nasty things. Recursion is when a server receives a name server lookup request for a zone or domain for which is does not serve. This is typical how most setups for DNS are done.

So how do we do it? We will use the following example:

We are root on ns.nmrc.org, IP 10.10.10.1. We have pirate.nmrc.org with an address of 10.10.10.2, and bait.nmrc.org with an address of 10.10.10.3. Our mission? Make the users at lame.com access pirate.nmrc.org when they try to access www.lamer.net.

Okay, assume automation is at work here to make the attack smoother...

With a little creativity, you can also do other exciting things like reroute (and make copies of) email, denial of service (tell lame.com that www.lamer.net doesn't exist anymore), and other fun things.

Supposedly SP 3 fixes this.

15.9 What about shares?

The main thing to realize about shares is that there are a few that are invisible. Administrative shares are default accounts that cannot be removed. They have a $ at the end of their name. For example C$ is the administrative share for the C: partition, D$ is the administrative share for the D: partition. WINNT$ is the root directory of the system files.

By default since logging is not enabled on failed attempts and the administrator doesn't get locked out from false attempts, you can try and try different passwords for the administrator account. You could also try a dictionary attack. Once in, you can get at basically anything.

15.10 How do I get around a packet filter-based firewall?

If the target NT box is behind a firewall that is doing packet filtering (which is not considered firewalling by many folks) and it does not have SP3 loaded it is possible to send it packets anyway. This involves sending decoy IP packet fragments with specially crafted headers that will be "reused" by the malicious IP packet fragments. This is due to a problem with the way NT's TCP/IP stack handles reassembling fragmented packets. As odd as this sounds, example code exists to prove it works. See the web page at insecure.org's sploit database for details.

How does it bypass the packet filter? Typically packet filtering only drops the fragmented packet with the offset of zero in the header. The example source forges the headers to get around this, and NT happily reassembles what does arrive.

15.11 I hack from my Linux box. How can I do all that GUI stuff on remote NT servers?

Try and get familiar with the net use and net user commands before attacking.

The main problem is adjusting NT file security attributes. Some utilities are available with NT that can be used, but I'd recommend using the NT Command Line Security Utilities. They include:

saveacl.exe
saves file, directory and ownership permissions to a file
restacl.exe
restores file permissions and ownership from a saveacl file
listacl.exe
lists file permissions in human readable format
swapacl.exe
swaps permissions from one user or group to another
igrant.exe
grants permisssions to users/groups on directories
irevoke.exe
revokes permissions to users/groups on directories
setowner.exe
sets the ownership of files and directories
audit.exe
add and remove audit triggers to files and directories
regilstacl.exe
print registry subkey security to the screen
reggrant.exe
grant access to users and groups on registry subkeys
regrevoke.exe
revoke access from users and groups on subkeys
regsetowner.exe
change registry subkey ownership
regswapacl.exe
swaps permissions from one user group to another
regaudit.exe
add and delete audit triggers on keys
sharelistacl.exe
list permissions on a local or remote share
sharegrant.exe
grant permissions to a local or remote share
sharerevoke.exe
revoke permissions from a local or remote share
ntuser.exe
manipulate account and group properties
nu.exe
'net use' replacement. shows connected drives.

Listacl and reglistacl also display the current auditing state of files, directories, and regisrty keys.

Each of the programs contains a built-in help screen. Just run any of the programs with a "-h" argument and the help screen will be displayed. Most utlilities support a "-r" option for recursive options throughout the program.

The collection is $45 (USD), it is shareware, but well worth the price. Even if the set only included the ntuser.exe utility, it would still be worth the money.

Check out Pedestal Software to download the collection.

15.12 What's the story with WinGate?

While not exactly a Windows NT-only issue, it seriously affects Windows 95 users as many have installed this product. WinGate is a product that allows IP masquerading through a single Windows 95/98/NT box onto the Internet. WinGate comes in three flavors -- WinGate Home, Wingate Standard, and WinGate Pro. It is so popular for home users because with a few points and clicks the entire home network can be talking to the Internet through a single PC that has a modem attached. The home version is also around $40 for 3 users, making it very cheap.

Older versions are still around, including WinGate Lite, which are free. Older versions are also subject to denial of service. Telnetting repeatedly to localhost from a WinGate will crash it as it eventually runs out of resources. Connecting to port 2080 and dumping in about 2K of junk will crash WinGate.

Pointing your web browser to a WinGate machine via port 8010 will either give you the error message of "connection cannot be established" or you will be returned a list of files on the target system. Ouch. Here's an example:

http://www.server.com:8010/c:/ (NT/Win9x)
http://www.server.com:8010// (NT/Win9x)
http://www.server.com:8010/..../ (Win9x)

Attackers and spammers will use improperly configured WinGates (read default settings) to bounce through and hide their real source location.

For those of you actually using WinGate, I recommend using a cheap old 386 with 8MB RAM, an 80MB hard drive, and a free Unix flavor loaded up instead. Use *that* as your gateway to the Internet, not WinGate. You can probably find someone to *give* you the hardware, you can configure it a lot safer than WinGate, and it's a little more cool. However if you must use WinGate be sure to go into the Gatekeeper program, and adjust the policies so that "Everyone" can only access from localhost and internal machines.

15.13 How do I find these buggy WinGates I can use?

Go to Altavista and do a search for "wingate scanner". This should point you in the right direction. As this is a popular bounce point of an attack for IRC script kids, especially those trying to hide their true identity and location, I recommend serious virus scanning of anything you download in compiled form.


Top | Next: NT Denial of Service | Previous: NT Console Attacks | Table of Contents