There are several different components, each with a role within the overall NT security model. Because of the number and complexity of components in the security model, it is worth exploring not only the individual components but also how they work together.
The Local Security Authority (LSA) is also known as the Security Subsystem. It is the central component of NT security. It handles local security policy and user authentication. LSA also handles generating and logging audit messages.
The Security Account Manager (SAM) handles user and group accounts, and provides user authentication for LSA.
The Security Reference Monitor (SRM) enforces access validation and auditing for LSA. It checks user accounts as the user tries to access various files, directories, etc., and either allows or denies access. Auditing messages are generated as a result. The SRM contains a copy of the access validation code to ensure that resources are protected uniformly throughout the system, regardless of resource type.
An important part of the security model, the user interface (UI) is essentially all that the end user sees, and it is where most of the administration is performed.
First, a user logs on. When this happens, NT creates a token object that represents that user. Each process the user runs is associated with this token (or a copy of it). The token-process combination is referred to as a subject. As subjects access objects such as files and directories, NT checks the subject's token against the Access Control List (ACL) of the object and determines whether or not to allow the access. This may also generate an audit message.
Each NT workstation participates in either a workgroup or a domain. Most companies will have NT workstations participate in a domain for management of the resource by the administrator.
A domain is one or more servers running NT Server, with all of the servers functioning as a single system. The domain not only contains servers, but also NT workstations, Windows for Workgroups machines, and even LAN Manager 2.x machines. The user and group database covers ALL of the resources of a domain.
Domains can be linked together via trusted domains. The advantage of trusted domains is that a user only needs one user account and password to get to resources across multiple domains, and administrators can centrally manage the resources.
A workgroup is simply a grouping of workstations that do not belong to a domain. A standalone NT workstation is a special case workgroup.
User and group accounts are handled differently between domain and workgroup situations. User accounts can be defined on a local or domain level. A local user account can only log on to that local computer, while a domain account can log on from any workstation in the domain.
Global group accounts are defined at a domain level. A global group account is an easy way to grant access to a subset of users in a domain to, say, a single directory or file located on a particular server within the domain. Local group accounts are defined on each computer. A local group account can have global group accounts and user accounts as members.
In a domain, the user and group database is "shared" by the servers. NT workstations in the domain DO NOT have a copy of the user and group database, but can access the database. In a workgroup, each computer in the workgroup has its own database, and does not share this information.
Microsoft maintains a large online database of fixes for operating systems and applications. These fixes are referred to as Service Packs. NT has its share, and typically the latest Service Pack has the latest fixes, including security patches.
Installing a Service Pack is NOT something to be taken lightly -- turning some features on or off involves Registry editing. Installation can in some circumstances disable things or cause conflicts. Often after a new product has been loaded, even a Microsoft product, you must reinstall the Service Pack. For this reason, LAN administrators often neglect the timely installation of Service Packs. For the hacker, this is a decided advantage -- especially if the site has numerous NT servers and workstations in need of patching. One day maybe Microsoft will make Service Pack installation a little less painful, but until then you will find MANY locations will be either under-patched or not patched at all.
Typically Service Packs are fairly well tested, although this is no guarantee everything is "fixed". Admins should not place 100% of their faith in them, but then hackers should not underestimate their value in closing holes.
Service Pack locations are listed in Section 10-6.
A Hot Fix is what is released between Service Pack releases. A Hot Fix is generally released to address a specific problem or condition. Some Hot Fixes may have a prerequisite of a certain Service Pack, and are typically included in the next Service Pack.
Once again, some of the Hot Fixes are downright dangerous to monkey around with, and many LAN folks will simply neglect installation especially at large NT shops. And once again this is good news for the hacker.
Hot Fixes are not as well tested as Service Packs are -- they are often released after headline-grabbing security flaws are announced, and so tend to be rushed out.
Hot Fix locations are listed in Section 10-6.
I'm not going to get into a bunch of detail on this. There are far better places to go for the info, but I will state this -- running the c2config utility to "lock down" your system will not protect you if you want to run third party software, use the floppy drive, or connect to the network. It is simply a marketing tactic used by Microsoft. The C2 tested configuration had no network access and no floppy drive. Who wants to use that?
I can see some value in running the c2config utility and "opening up" the system as needed to make it useable, but this is a lot of work and beyond the scope of what I'm discussing here.
There are a number of built-in local groups that can do various functions, some of which would be better off being left to the Administrator. Administrators can do everything, but the following groups' members can do a few extra items (I only verified this on 4.0):
Also, members of these groups can log in at the console. As you explore this FAQ and possibly someone else's server, remember these permissions. Gaining a Server Operator account and placing a trojan that activates after a remote shutdown could get you Administrator.
Like 01-7, I only verified these on 4.0. And remember, Administrators are deities. Otherwise, if it isn't here, the group doesn't have access.
\(root), \SYSTEM32, \WIN32APP - Server Operators and Everyone can read and execute files, display permissions on files, and do some changing on file attributes.
\SYSTEM32\CONFIG - Everyone can list filenames in this directory.
\SYSTEM32\DRIVERS, \SYSTEM\REPL - Server Operators have full access, Everyone has read access.
\SYSTEM32\SPOOL - Server Operators and Print Operators have full access, Everyone has read access.
\SYSTEM32\REPL\EXPORT - Server Operators can read and execute files, display permissions on files, and do some changing on file attributes. Replicator has read access.
\SYSTEM32\REPL\IMPORT - Server Operators and Replicator can read and execute files, display permissions on files, and do some changing on file attributes. Everyone has read access.
\USERS - Account Operators can read, write, delete, and execute. Everyone can list filenames in this directory.
\USERS\DEFAULT - Everyone has read, write, and execute.
The following tools have the following default group restrictions in 4.0:
Disk Administrator - Must be a member of the Administrators group.
Event Log - Anyone can run Event Viewer, but only members of the Administrators group can clear logs or view the Security Log.
Backup - Anyone can back up a file they have normal access to, but only Administrators and Backup Operators can override normal access.
User Manager - Users and Power Users can create and manage local groups.
User Manager for Domains - Users and Power Users can create and manage local groups if logged on at the server console; otherwise it is restricted to Administrators and Account Operators.
Server Manager - Only Administrators, Domain Admins, and Server Operators can use this on domains they have an account on. Account Operators can only add new accounts to the domain. Some features in Server Manager can only be used by Administrators and Domain Admins.
There are two accounts that come with NT out of the box -- administrator and guest. In a network environment, I have run into local administrator access unpassworded, since the Sys Admin thought that global accounts ruled over local ones. Therefore it is possible to gain initial access to an NT box by using its local administrator account with no password.
Guest is another common unpassworded account, although recent shipments of NT disable the account by default. While it is possible that some companies will delete the guest account, some applications require it. If Microsoft Internet Studio needs to access data on another system, it will use guest for that remote access.
It is possible that a Sys Admin will create a new account, give that account the same access as an administrator, and then remove part of the access to the administrator account. The idea here is that if you don't know the administrator account name, you can't get in as an administrator.
Typing "NBTSTAT -A ipaddress" will give you the new administrator account, assuming they are logged in. A bit of social engineering could get them to log in as well. nbtstat will also give you other useful information such as services running, the NT domain name, the nodename, and the ethernet hardware address.
See also section 05-6 which discusses a bug that allows you to get the new administrator account name.
Use the Offline NT Password Editor by Petter Nordahl-Hagen. You need to download Petter's code to your Linux machine (you DO have one of those, don't you?) and compile it using a libDES and MD4 library. Now mount the NT drive read/write and follow the instructions in the readme. The instructions are pretty easy to follow, especially if you know enough to get to the point to use them ;-)
Actually, to make things easier, Petter has built a bootdisk image that steps you through the entire thing. I'll be the first to admit that Petter's code is as dangerous as hell, but it does work and I had no problems. YMMV.
Consider using GetAdmin.exe (section 04-5) and go from there if you are too paranoid or fearful of booting up Linux to get to an NT machine.
The location of what you need is \\WINNT\SYSTEM32\CONFIG\SAM, which is the location of the security database. This is usually world readable by default, but locked since it is in use by system components. It is possible that there are SAM.SAV files which could be readable. If so, these could be obtained for the purpose of getting password info.
During the installation of NT a copy of the password database is put in \\WINNT\REPAIR. Since it was just installed, only the Administrator and Guest accounts will be there, but maybe Administrator is enough -- especially if the Administrator password is not changed after installation.
If the Sys Admin updates their repair disks, or you get hold of a copy of the repair disks, you can get the password database. The file is SAM._ in the ERD directory.
If you are insane, you can go poking around in the SAM secret keys. First, set the Schedule service to log on as LocalSystem and allow it to interact with the desktop, and then schedule an interactive regedt32 session. The regedt32 session will be running as LocalSystem and you can play around in the secret keys. However, if you change some stuff this might be very bad. You have to be Administrator to do this, though, so for the hacker you need to walk up to the machine while the Administrator is logged in and distract them by telling them they're giving away Microsoft t-shirts in the lobby (this doesn't always work ;-).
First off, it should be explained that the passwords are technically not located on the server, or in the password database. What IS located there is a one-way hash of the password. Let me explain...
Two one-way hashes are stored on the server -- a Lan Manager password, and a Windows NT password. Lan Manager uses a 14 byte password. If the password is less than 14 bytes, it is padded with 0's. It is converted to upper case, and split into 7 byte halves. An 8 byte odd parity DES key is constructed from each 7 byte half. Each 8 byte DES key is used to encrypt a "magic number" (0x4B47532140232425 encrypted with a key of all 1's). The results of the magic number encryption are concatenated into a 16 byte one way hash value. This value is the Lan Manager "password".
A regular Windows NT password is derived by converting the user's password to Unicode, and using MD4 to get a 16 byte value. This hash value is the NT "password".
So to crack NT passwords, the username and the corresponding one way hashes (Lan Man and NT) need to be extracted from the password database. Instead of going out and writing some code to do this, simply get a copy of Jeremy Allison's PWDUMP, which goes through SAM and gets the information for you. PWDUMP does require that you are an Administrator to get stuff out of the registry, but if you can get ahold of copies of the security database from another location (see Section ) you can use those.
Obviously from this point you can use one of several cracking utilities to perform either a brute force or dictionary attack on either the Lan Man or NT password. Several freeware products are available on the Internet. They include:
Cracker  Author(s)  Compiles on...  Notes
A brute force cracker simply tries all possible passwords from legal characters until it gets the password. From a cracker perspective, this is usually very time consuming. L0phtcrack 1.5, a brute force cracker, makes certain assumptions and reduces this time down considerably.
As pointed out in section 03-2, the Lan Manager password is padded to 14 bytes and split in half. The halves can be worked on individually. If the password was originally only 7 characters or less, that second half is always 0xAAD3B435B51404EE. To further ease brute force cracking, since a substantial reduction in bits occurs when deriving the 8 byte DES key from the 7 byte half, fewer keys have to be tried. Also, since the password is converted to upper case before one way encrypting it, Lan Manager password cracking does not have to take into consideration the possibility of lower case letters. L0phtcrack incorporates techniques to exploit all of these possibilities.
By cracking the Lan Manager password first, the NT password can be brute forced to determine the proper case of each alpha character.
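The following is an added illustration of the two hash forms described in 03-2 and above; it is not code from the FAQ or from any of the crackers it mentions. DES is deliberately left out, so no LM hash is produced: what is shown is the LM pre-processing (upper-case, pad to 14 bytes, split into 7 byte halves, 56-bit half to 64-bit odd-parity DES key) and the complete NT hash (MD4 over the UTF-16LE password, with MD4 implemented in pure Python per RFC 1320). The sample passwords and the `lm_exposure_report` helper are constructed for the example; they let an administrator see why a short or single-case password gives away more in its LM form than in its NT form.

```python
# Added illustration (not code from the FAQ or from any cracker mentioned in it)
# of the two hashes the text describes. DES is NOT implemented, so no LM hash is
# produced; shown are the LM pre-processing steps and the complete NT hash.
# All sample passwords used here are constructed for the example.
import struct

LM_MAGIC = bytes.fromhex("4B47532140232425")   # the constant quoted in 03-2


def lm_prepare(password):
    """Upper-case, truncate/pad to 14 bytes with zeros, split into two 7-byte halves."""
    raw = password.upper().encode("latin-1", "replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]


def lm_des_key(half7):
    """Spread the 56 bits of a half over 8 bytes (7 bits each, in the high end)
    and set the low bit so that every key byte has odd parity."""
    bits = int.from_bytes(half7, "big")
    key = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F
        byte = seven << 1
        if bin(seven).count("1") % 2 == 0:      # even popcount -> add parity bit
            byte |= 1
        key.append(byte)
    return bytes(key)


def lm_second_half_is_constant(password):
    """True when the second 7-byte half is all zeros (7 characters or fewer);
    DES of the magic constant under that key is then the fixed value the text
    quotes, so the stored hash alone reveals that the password is short."""
    return lm_prepare(password)[1] == b"\x00" * 7


# --- MD4 (RFC 1320) in pure Python, so the NT hash needs no legacy OpenSSL ---
def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def _f(x, y, z): return (x & y) | (~x & z)
def _g(x, y, z): return (x & y) | (x & z) | (y & z)
def _h(x, y, z): return x ^ y ^ z

_ROUNDS = (
    (_f, tuple(range(16)),                                       (3, 7, 11, 19), 0x00000000),
    (_g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13),  0x5A827999),
    (_h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
)


def md4(data):
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        st = state[:]
        for fn, order, shifts, const in _ROUNDS:
            for i, k in enumerate(order):
                a = (-i) % 4                      # rotate through (a,b,c,d),(d,a,b,c),...
                b, c, d = (a + 1) % 4, (a + 2) % 4, (a + 3) % 4
                st[a] = _rotl((st[a] + fn(st[b], st[c], st[d]) + x[k] + const) & 0xFFFFFFFF,
                              shifts[i % 4])
        state = [(s + t) & 0xFFFFFFFF for s, t in zip(state, st)]
    return struct.pack("<4I", *state)


def nt_hash(password):
    """NT hash: MD4 of the password encoded as UTF-16LE; case is preserved."""
    return md4(password.encode("utf-16-le")).hex()


def lm_exposure_report(password):
    """Defender-side summary of what the LM form of this password gives away."""
    first, second = lm_prepare(password)
    return {
        "case_lost": password != password.upper(),
        "second_half_constant": second == b"\x00" * 7,
        "halves": (first, second),
    }
```

`lm_exposure_report("Secret")` reports both weaknesses at once: the case distinction is gone and the second half is the constant, which is exactly the combination that makes the LM form so much cheaper to attack than the NT form of the same password.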
Initial tests of L0phtcrack show its brute force capability to be quite admirable. A brute force of Administrator on the NMRC dedicated cracking machine took 7 days (some Unix passwords have been worked on for 3 weeks before being cracked). The NMRC dedicated cracking machine is running Slackware on a 486 DX50, so this is quite fast by NMRC standards.
The latest version, L0phtCrack 1.5, is even faster.
All three of the password crackers listed in section 03-2 can do dictionary attacks. A dictionary attack simply takes a list of dictionary words and, one at a time, encrypts them using the same algorithm NT uses, checking whether they produce the same one way hash. If the hashes are equal, the password is considered cracked. The best of these dictionary crackers is the Crack 5.0 NT port, mainly because of the strength of the mutation filters. These filters allow you to change "idiot" to "1d10t" and other advanced variations to get the most from a word list.
Although L0phtcrack doesn't do the permutations like Crack, there are several ways you can "pre-treat" a word list, in particular you can use the DOS-based TPU. This utility does a number of filter operations, so with the right amount of creativity you can create a pretty substantial list.
Actually it depends on your resources and your needs. If you simply need to crack a password and there is no real time limit (just raw CPU to waste) then brute force is the way to go. If you need a password quickly, using a wordlist might shorten your time. In general, a swipe with a couple of decent word lists will get some, permutations can get a few more, and the rest can be simply brute forced. Watch what the cracked passwords are. If you can spot a pattern, such as all lower case with 2 numbers at least six characters long, this may give you some clues for what to feed your brute forcer.
There are several freeware utilities that allow for password changing with rules enforced. These range from the simple passwd utility by Alex Frink to Microsoft's own utilities. The NT Server 4.0 Resource Kit has a utility called Passprop that enforces random passwords. Also on Service Pack 2 is a DLL called PASSFILT that does basically the same thing.
As long as someone can get in as Administrator, you are basically vulnerable. Microsoft has gradually increased its security for the SAM files and the hashes, but as things like L0phtCrack are quickly improved and Microsoft insists on backward compatibility with LAN Manager-style logins, things will be vulnerable. In fact, the latest L0phtCrack can take input from stored sniffer traces to use as the source for its password cracking. So for you sys admins out there, keep absolutely current on Service Packs and Hot Fixes. For you hackers out there, well, it's a big bright world ;-)
Let's say an admin is checking the last time certain users have logged in by doing a NET USER /DOMAIN. Is the info accurate? Most of the time it will NOT be.
Most users do not login directly to the Primary Domain Controller (PDC), they login to a Backup Domain Controller (BDC). BDCs do NOT contain readonly versions of SAM, they contain read-write versions. To keep the already ungodly amount of network traffic down, BDCs do not tell the PDC that they have an update of the last login time until a password change has been done. And the NET USER /DOMAIN command checks the PDC, so last login time returned from this command could be wildly off (it could even show NEVER).
As a hacker, if you happen to know that password aging is not enforced, then you can bet that last login times will probably not be very accurate.
There are a few advantages to having direct console access. First off, try the hacks listed in sections 05-1, , and . especially may not work across a network if the administrator is not allowed to login except at the console. And a brute force attack from the console will run a lot quicker than across the network anyway.
Obviously gaining access to the file system from the console is much easier than across a network, especially if the Sys Admin is trying to keep you out.
Try booting up the system from an MS-DOS diskette, and running NTFSDOS.EXE to access the NTFS file system. Currently this software is read only, so it is only good for getting copies of existing data. Linux is another OS that will read an NTFS file system, but "simply loading Linux" on a "spare partition" is usually impractical, and hardly simple if you are not familiar with it. See section 02-3 for an easier Linux method.
NetMon is Microsoft's Network Monitor. It is a sniffer that runs under NT, and being a sniffer if you have to ask why you care, well, never mind ;-)
NetMon is protected by a password scheme on version 3.51 that has nothing to do with regular NT security. In Phrack 48 file 15, AON and daemon9 have not only cracked the encryption scheme, they have written exploits for it as well. Check Section for the location of the exploit code (it includes full source including a Unix version in case you do not have an NT compiler).
By the way, compared to other commercial sniffers, NetMon sucks.
If the console you have stumbled on is a domain controller (or you have simply hooked one up), try these steps to get a list of accounts on the target machine:
1. From the USER MANAGER, create a trusting relationship with the target.
2. Enter whatever when asked for a password. Don't fret when it doesn't work. The target is now on your trusting list.
3. Launch NT Explorer and right click on any folder.
4. Select SHARING.
5. From the SHARED window, select ADD.
6. From the ADD menu, select your target NT server.
7. You will now see the entire group listing of the target.
8. Select SHOW USERS and you will see the entire user listing, including full names and descriptions.
This gives you a list of user accounts to target for individual attack. By studying the group memberships, you can even make decisions about who will have more privileges than others.
GetAdmin.exe is a program written by Konstantin Sobolev. It exploits a subfunction in NtAddAtom that does not check the address of the output. By altering where the output can be written to, GetAdmin adds a user to the Administrators group. It works on NT 4.0.
The easiest way to use it is to simply copy it to \TEMP (along with its DLL, GASYS.DLL) and run it like so: GETADMIN GUEST (or whatever account you wish to add).
This will add Guest to the Administrators group.
GetAdmin will add domain accounts on a primary domain controller and even other domain accounts. Since it is a command line tool, it will work across a telnet session.
There is a post SP3 Hot Fix available from Microsoft that defeats this if loaded.
It is possible that some type of filtering might be in place to prevent uploading or downloading of files. To circumvent this, try renaming the executable with some other extension. For example START GETADMIN.XXX GUEST will work fine if EXEs are a problem.
Oh yes. A lot of NT administrators do not understand that when an NT box joins a domain, if they left that administrator password blank, it doesn't get "filled in" or "overwritten". Belonging to a domain does NOT turn off local users.
If you get local administrator, check out the exploit code in section to get more access elsewhere.
If you gain local administrator, try some of these tricks (these will work with the default settings after installation on the target):
Basic NT 3.51 has some stuff read/writeable by default. You could edit the association between an application and the data file extension using regedt32. First off, you should write a Win32 app that does nothing but the following -
In a share you have read/write access to, upload it. Now change the association between .txt files and notepad to point to the location of the uploaded file, like \\ThisWorkstation\RWShare\badboy.exe.
Now wait for the administrator to launch a text file by double clicking on it, and the password becomes "biteme".
Of course, if the Sys Admin is smart they will have removed write permission from Everyone for HKEY_CLASSES_ROOT, only giving out full access to creator\owner.
If the system is 4.0, see section 04-5 regarding the use of GetAdmin.exe.
Well, this can be exploited on NT 4.0 by placing a trojaned FPNWCLNT.DLL in that directory. This file typically exists in a Netware environment. First compile this exploit code written by Jeremy Allison and call the resulting file FPNWCLNT.DLL. Now wait for the user names and passwords to get written to a file in \temp.
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

If you load this on a Primary Domain Controller, you'll get EVERYBODY'S password. You have to reboot the server after placing the trojan in %systemroot%\system32.
ISS (www.iss.net) has a security scanner for NT which will detect the trojan DLL, so you may wish to consider adding in extra junk to the above code to make the size of the compiled DLL match what the original was. This will prevent the current shipping version of ISS's NT scanner from picking up the trojan.
It should be noted that by default the group Everyone has "Change" permission in %systemroot%\system32, so any DLL that is not in use by the system could be replaced with a trojan DLL that does something else.
By default the NT administrator account does not have a lockout feature like normal users accounts, to prevent a denial-of-service attack on the administrator account. Since failed logins are not logged by default, you could possibly gain administrator access by sheer brute force.
If the Sys Admin runs passprop.exe they can turn on the lockout feature of Administrator.
The NetBIOS Auditing Tool (NAT), developed by Secure Networks Inc., comes in pre-compiled Win32 binary form as well as complete source code. It is the "SATAN" of NetBios based systems.
Here is a quote from Secure Networks Inc about the product -
"The NetBIOS Auditing Tool (NAT) is designed to explore the NETBIOS file-sharing services offered by the target system. It implements a stepwise approach to gather information and attempt to obtain file system-level access as though it were a legitimate local client.
"The major steps are as follows:
"A UDP status query is sent to the target, which usually elicits a reply containing the Netbios 'computer name'. This is needed to establish a session. The reply also can contain other information such as the workgroup and account names of the machine's users. This part of the program needs root privilege to listen for replies on UDP port 137, since the reply is usually sent back to UDP port 137 even if the original query came from some different port.
"TCP connections are made to the target's Netbios port [139], and session requests using the derived computer name are sent across. Various guesses at the computer name are also used, in case the status query failed or returned incomplete information. If all such attempts to establish a session fail, the host is assumed invulnerable to NETBIOS attacks even if TCP port 139 was reachable.
"Provided a connection is established Netbios 'protocol levels' are now negotiated across the new connection. This establishes various modes and capabilities the client and server can use with each other, such as password encryption and if the server uses user-level or share-level Security. The usable protocol level is deliberately limited to LANMAN version 2 in this case, since that protocol is somewhat simpler and uses a smaller password keyspace than NT.
"If the server requires further session setup to establish credentials, various defaults are attempted. Completely blank usernames and passwords are often allowed to set up 'guest' connections to a server; if this fails then guesses are tried using fairly standard account names such as ADMINISTRATOR, and some of the names returned from the status query. Extensive username/password checking is NOT done at this point, since the aim is just to get the session established, but it should be noted that if this phase is reached at all MANY more guesses can be attempted and likely without the owner of the target being immediately aware of it.
"Once the session is fully set up, transactions are performed to collect more information about the server including any file system 'shares' it offers.
"Attempts are then made to connect to all listed file system shares and some potentially unlisted ones. If the server requires passwords for the shares, defaults are attempted as described above for session setup. Any successful connections are then explored for writeability and some well-known file-naming problems [the ".." class of bugs].
"If a NETBIOS session can be established at all via TCP port 139, the target is declared "vulnerable" with the remaining question being to what extent. Information is collected under the appropriate vulnerability at most of these steps, since any point along the way can be blocked by the Security configurations of the target. Most Microsoft-OS based servers and Unix SAMBA will yield computer names and share lists, but not allow actual file-sharing connections without a valid username and/or password. A remote connection to a share is therefore a possibly serious Security problem, and a connection that allows WRITING to the share almost certainly so. Printer and other 'device' services offered by the server are currently ignored."
If you need more info on NAT, try looking at this web location:
https://www.secnet.com/ntinfo/ntaudit.html
MWC has released an exploit that allows the following to occur -- the registry of a remote machine can be accessed, and a list of users AND of shares can be obtained, even if the intruder hasn't logged in.
There is a built in user called "anonymous" that is usually used for communication between machines. This exploit takes advantage of the fact that anonymous is a member of the group Everyone. Because of this, the following can be done:
Using this access a trojan could be loaded, since often the group Everyone has access to application software (see sections and for ideas here).
It is possible that a Sys Admin could have unbound NetBios from the interface. This would disallow some access. Typically at a security aware site you would find the machines outside the firewall, like the Web server or FTP server, configured this way (and all other access blocked by the firewall). However, if you compromise the machine this could be a handy partial backdoor -- especially if you are using one machine as a "drop" during an attack.
The bug can be exploited manually -- no exploit code needed. Try this from a 4.00 workstation:
Now run User Manager, Event Viewer, Registry Editor, or simply use the net command to target the remote machine.
The administrator account's SID always ends in -500 (Guest is -501) so find that and you have the administrator account, even if renamed. The built-in local groups (documented and undocumented) always have the same SID, so check out your own machine first and compare -- especially if some of these have been renamed.
If all the users are moved out of the Everyone group, you will not be able to exploit this. For you admins out there, ISS has released a tool to automate this "move users out of Everyone" process. And admins, you should check and see what shares Everyone can get to.
MWC's web site is https://www.ntsecurity.com, and the exploit code can be found there.
ISS's tool can be found at ftp://ftp.iss.net/everyone2users.exe.
Sure. ;-)
By forging UDP packets, NT name server caches can be compromised. If recursion is allowed on the name server, you can do some nasty things. Recursion is when a server receives a name server lookup request for a zone or domain which it does not serve. This is typically how most DNS setups are done.
So how do we do it? We will use the following example:
We are root on ns.nmrc.org, IP 10.10.10.1. We have pirate.nmrc.org with an address of 10.10.10.2, and bait.nmrc.org with an address of 10.10.10.3. Our mission? Make the users at lame.com access pirate.nmrc.org when they try to access www.lamer.net.
Okay, assume automation is at work here to make the attack smoother...
With a little creativity, you can also do other exciting things like reroute (and make copies of) email, denial of service (tell lame.com that www.lamer.net doesn't exist anymore), and other fun things.
Supposedly Service Pack 3 fixes this.
The main thing to realize about shares is that there are a few that are invisible. Administrative shares are default shares that cannot be removed. They have a $ at the end of their name. For example C$ is the administrative share for the C: partition, D$ is the administrative share for the D: partition. WINNT$ is the root directory of the system files.
By default since logging is not enabled on failed attempts and the administrator doesn't get locked out from false attempts, you can try and try different passwords for the administrator account. You could also try a dictionary attack. Once in, you can get at basically anything.
If the target NT box is behind a firewall that is doing packet filtering (which is not considered firewalling by many folks) and it does not have SP3 loaded it is possible to send it packets anyway. This involves sending decoy IP packet fragments with specially crafted headers that will be "reused" by the malicious IP packet fragments. This is due to a problem with the way NT's TCP/IP stack handles reassembling fragmented packets. As odd as this sounds, example code exists to prove it works. See the web page at https://www.dataprotect.com/ntfrag for details.
How does it bypass the packet filter? Typically packet filtering only drops the fragmented packet with the offset of zero in the header. The example source forges the headers to get around this, and NT happily reassembles what does arrive.
Since files and directories are considered objects (same as services), the security is managed at an "object" level.
An access-control list (ACL) contains information that controls access to an object or controls auditing of attempts to access an object. It begins with a header that contains information pertaining to the entire ACL, including the revision level, the size of the ACL, and the number of access-control entries (ACEs) in the list.
After the header is a list of ACEs. Each ACE specifies a trustee, a set of access rights, and flags that dictate whether the access rights are allowed, denied, or audited for the trustee. A trustee can be a user account, group account, or a logon account for a service program.
A security descriptor can contain two types of ACLs: a discretionary ACL (DACL) and a system ACL (SACL).
In a DACL, each ACE specifies the types of access that are allowed or denied for a specified trustee. An object's owner controls the information in the object's DACL. For example, the owner of a file can use a DACL to control which users can have access to the file, and which users are denied access.
If the security descriptor for an object does not have a DACL, the object is not protected and the system allows all attempts to access the object. However, if an object has a DACL that contains no ACEs, the DACL does not grant any access rights. In this case, the system denies all attempts to access the object.
In a SACL, each ACE specifies the types of access attempts by a specified trustee that cause the system to generate audit records in the system event log. A system administrator controls the information in the object's SACL. An ACE in a SACL can generate audit records when an access attempt fails, when it succeeds, or both.
To identify the individual trustee, a Security Identifier (SID) uniquely identifies a user or a group.
A SID contains:
A privilege is used to control access to a service or object more strictly than is normal with discretionary access control. Privileges provide access to services rarely needed by most users. For example, one privilege gives the right to back up and restore files, another allows the system time to be changed.
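A worked model of the DACL walk and SACL auditing described above, together with the binary SID layout (revision, sub-authority count, 48-bit big-endian identifier authority, then 32-bit little-endian sub-authorities) that the SID section refers to. This is an added Python example, not code from the FAQ or from Windows: the access-mask constants are the real Win32 values, but the ACE tuples, the example SIDs and the audit ACE type names are a simplified representation constructed for the illustration. It also includes one Windows rule the text relies on later: the owner of an object implicitly holds READ_CONTROL and WRITE_DAC, so an owner can always re-permission a locked-down directory.

```python
import struct

# Access mask bits (subset of the real NT values from the Win32 SDK)
FILE_READ_DATA  = 0x0001
FILE_WRITE_DATA = 0x0002
DELETE          = 0x00010000
READ_CONTROL    = 0x00020000
WRITE_DAC       = 0x00040000

def sid_to_string(buf):
    """Decode a binary SID into the S-R-I-S-S... textual form."""
    revision, count = buf[0], buf[1]
    authority = int.from_bytes(buf[2:8], "big")
    subs = struct.unpack("<%dI" % count, buf[8:8 + 4 * count])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def string_to_sid(text):
    """Inverse of sid_to_string."""
    parts = text.split("-")
    assert parts[0] == "S"
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def access_check(dacl, token_sids, desired, owner_sid=None):
    """Model of the NT DACL walk.
    dacl:       None (no DACL: object unprotected) or a list of
                (ace_type, trustee_sid, access_mask) in ACL order.
    token_sids: SIDs of the user and all groups in the access token.
    Returns True only if every bit of `desired` ends up granted."""
    if dacl is None:
        return True                              # no DACL at all: allow everything
    granted = 0
    # Owner implicitly gets READ_CONTROL and WRITE_DAC (Windows rule).
    if owner_sid is not None and owner_sid in token_sids:
        granted |= (READ_CONTROL | WRITE_DAC) & desired
    if granted == desired:
        return True
    for ace_type, trustee, mask in dacl:         # ACEs are evaluated in list order
        if trustee not in token_sids:
            continue
        if ace_type == "deny" and mask & (desired & ~granted):
            return False                         # deny hit on a still-needed bit
        if ace_type == "allow":
            granted |= mask & desired
            if granted == desired:
                return True
    return False                                 # empty DACL or not enough allow bits

def audit_check(sacl, token_sids, attempted, succeeded):
    """Return True if some SACL entry would generate an audit record
    for this attempt (ace types are constructed names for this example)."""
    for ace_type, trustee, mask in sacl:
        if trustee in token_sids and mask & attempted:
            if succeeded and ace_type in ("audit_success", "audit_both"):
                return True
            if not succeeded and ace_type in ("audit_failure", "audit_both"):
                return True
    return False
```

Note the order dependence: the model, like NT, stops at the first ACE that settles the question, so a DACL with an allow ACE listed before a deny ACE for the same trustee grants the access. The GUI writes denies first (canonical order); tools that write ACLs by hand can produce the other order.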
NTFS is the Windows NT special file system. This file system is tightly integrated into Windows security -- it is what allows access levels to be set from the directory down to individual files within a directory.
Not so much vulnerabilities as there are quirks -- quirks that can be exploited to a certain degree.
For example, let's say the system admin has built a home directory for you on the server, but has disallowed the creation of directories or files that you wish to make available to the group Everyone. You want to make this special directory so that you can easily retrieve some hack tools, but you are cut off. However, if the sysadmin left you as the owner of the home directory, you can go in and alter its permissions, because the owner (or an Administrator) always keeps control of the object's permissions. Oh sure, you may get a few complaints from the system when you are doing it, but it can be done.
Since NTFS has security integrated into it, there are not too many ways around it. The main one requires access to the physical system. Boot up the system on a DOS diskette, and use NTFSDOS.EXE. It will allow you to access an NTFS volume bypassing security.
The last quirk concerns directories where a group has Full Control rather than the explicit RWXDPO set of permissions: Full Control silently includes a hidden permission called File Delete Child (FDC), which cannot be removed on its own. FDC lets anyone holding Full Control on the directory (by default the group Everyone) delete any file in it, even a read-only file they have no other rights to. Depending on what the directory contains, a hacker can replace a file with a trojan.
Samba is a freeware app developed by Andrew Tridgell. It is a great tool for helping integrate Unix into Microsoft Windows and LAN Manager environments. The main idea is that, with Samba, a Unix machine can serve files and directories to Windows clients and, with smbclient, access shares on Windows machines. The other handy thing about Samba is that, like most Unix freeware, you get the source code.
Most hackers seem to have Linux up and running, so loading up Samba allows you several tactical advantages. A number of the exploits described here require access to a privileged port (<1024). If you are root on your own Linux box, you can start exploits from those needed ports. A lot of the tests in the NMRC lab were conducted using Samba. In fact when World Star Holdings Ltd in Canada had their lame Cybertest '96 contest on June 12th, yours truly used Samba to break in (but I wasn't first).
Samba talks SMB and can speak directly to Windows NT hosts, and Hobbit ([email protected]) has put together a very interesting paper entitled "CIFS: Common Insecurities Fail Scrutiny". It is highly recommended reading for admins and hackers alike. Included in the paper are details and source patches to Samba that make attacking NT easier.
Studying the source code of Samba taught me a lot, but Hobbit's paper puts everything in a whole new light. It provides some well documented basics on how a lot of the communications work, detailing exactly WHY certain protocols and behaviours are vulnerable to abuse.
Get Samba and read its documentation. Read Hobbit's paper and apply the patches. Period.
The main problem is adjusting NT file security attributes. Some utilities are available with NT that can be used, but I'd recommend using the NT Command Line Security Utilities. They include:
saveacl.exe - saves file, directory and ownership permissions to a file
The latest version can be found at ftp://ftp.netcom.com/pub/wo/woodardk/.
If a user has locked their local workstation using CTRL+ALT+DEL, and you can log in as an administrator, you will have a window of a few seconds where you will see the user's desktop, and even manipulate things. This trick works on NT 3.5 and 3.51, unless the latest service pack has been loaded.
If the service pack has been loaded, but it's still 3.X, try the following.
If an older version of LAN Manager is being used, passwords are sent in plaintext (see section 10-02 for details). More common, however, are share-level passworded shares (the Windows for Workgroups and Windows 95 style); accessing these sends the share password in the clear.
Any traditional protocols (FTP and telnet for example) that send passwords in the clear could be sniffed, and it is quite possible that a user's FTP password is the same as their regular NT account password.
Hopefully it is a web server, and they've simply stated proudly "we're running NT", but don't expect that...
Port scanning will find some. Typically you'll see port 135 open. This is no guarantee it's not Windows 95, however. Over SMB (the remote registry is reached through the winreg named pipe, for example with regedt32's Connect Network Registry) you should be able to connect and check for the existence of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion and then read its CurrentVersion value to determine the version running. If guest is enabled, try this first, as Everyone has read permission here by default.
Port 137 (UDP) is the NetBIOS name service over IP, and since the Windows world runs on NetBIOS, you can expect port 137 to be open wherever IP is in use around NT.
Another possible indication is checking for port 139. This tells you your target is advertising an SMB resource to share info, but it could be any number of things, such as a Windows 95 machine or even Windows for Workgroups. These may not be entirely out of the question as potential targets, but if you are after NT you will have to use a combination of the aforementioned techniques coupled with some common sense.
To simplify this entire process, Secure Networks Inc. has a freeware utility called NetBios Auditing Tool. This tool's intent is to test NetBios file sharing configurations and passwords on remote systems. It is discussed more in detail in section 05-5.
Try Shade. It allows you to create an encrypted disk device inside a file. This "device" can then be formatted using either NTFS or FAT and used as a regular disk. Shade encrypts on every write operation and decrypts on every read operation to this new device.
Look for Shade at: https://softwinter.bitbucket.co.il/shade.html
I was playing around in the registry, looking for odd things, and found this strange entry under System\CurrentControlSet\Services\MSFTPSVC\Parameters:
EnablePortAttack: REG_DWORD
If set to 1, the FTP service will honour a PORT command that names a third host, which is what is loosely called a passive connection here and is better known as an FTP bounce: you connect to FTP site alice.com and have it open its data connection to site bob.com on a port of your choosing. It is used by hackers because any odd connections at bob.com will appear in its logs as coming from alice.com. Most typical is a port scan.
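How the bounce scan above actually reads the FTP reply codes, as an added Python example that is neither the FAQ's nor Microsoft's code. The ScriptedFtpServer class is a constructed stand-in for a remote ftpd: its allow_third_party flag mirrors EnablePortAttack=1 versus 0, its reply strings are typical but assumed, and the "open ports" on the third host are fixed up front so the scan runs offline. port_command and bounce_scan are the parts you would point at a real server.

```python
class ScriptedFtpServer:
    """Constructed stand-in for the FTP daemon at alice.com (not a real socket).
    client_ip:        the scanner's own address as the server sees it
    open_ports:       ports on bob.com that would accept the data connection
    allow_third_party: True behaves like EnablePortAttack=1"""
    def __init__(self, client_ip, open_ports, allow_third_party):
        self.client_ip = client_ip
        self.open_ports = set(open_ports)
        self.allow_third_party = allow_third_party
        self.data_target = None
        self._replies = []

    def send(self, line):
        verb, _, arg = line.strip().partition(" ")
        if verb == "PORT":
            h1, h2, h3, h4, p1, p2 = [int(x) for x in arg.split(",")]
            ip, port = "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2
            if ip != self.client_ip and not self.allow_third_party:
                self._replies.append("500 Illegal PORT command.")   # bounce refused
            else:
                self.data_target = (ip, port)
                self._replies.append("200 PORT command successful.")
        elif verb == "LIST":
            if self.data_target and self.data_target[1] in self.open_ports:
                self._replies += ["150 Opening ASCII mode data connection.",
                                  "226 Transfer complete."]
            else:
                self._replies.append("425 Can't build data connection.")

    def recv(self):
        return self._replies.pop(0)

def port_command(ip, port):
    """RFC 959 PORT h1,h2,h3,h4,p1,p2 with the port split into two bytes."""
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port // 256, port % 256)

def bounce_scan(ftp, target_ip, ports):
    """Scan target_ip through the FTP server: for each port, point the data
    connection at it and see whether LIST can open it. Returns port -> verdict."""
    results = {}
    for port in ports:
        ftp.send(port_command(target_ip, port))
        if not ftp.recv().startswith("200"):
            results[port] = "rejected"           # server will not PORT to a third host
            continue
        ftp.send("LIST\r\n")
        reply = ftp.recv()
        if reply[:3] in ("150", "125"):
            results[port] = "open"               # data connection was made to the target
            ftp.recv()                           # consume the 226 completion line
        elif reply.startswith("425"):
            results[port] = "closed"             # server could not connect to that port
        else:
            results[port] = "unknown " + reply[:3]
    return results
```

The whole trick is that bob.com only ever sees connections from alice.com's data port, so a log at bob.com blames the FTP server. Setting EnablePortAttack to 0 (the scripted server's allow_third_party=False) turns every PORT to a foreign address into a 5xx refusal.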
A port scanner for doing this from a Unix box can be found at:
06-3 for details.
If you are running smbmount on Linux kernel 2.0.25, you can crash an NT server. smbmount is intended to run on Linux 2.0.28 or higher, so it misbehaves on 2.0.25. You also need a legitimate user account. Running as root, type
smbmount //target/service /mnt -U client_name
followed by
ls /mnt
This will hang the shell on Linux (no biggie) and blue screen the target server (biggie).
The final DOS I'm aware of involves Microsoft's DNS on NT 4.0 server. If you send it a DNS response when it did not make a query, DNS will crash. The latest service pack fixes this problem.
The Registry is the central configuration database for Windows NT. Each NT workstation or server has its own Registry, and each one contains info on the hardware and software of the computer it resides on. For example, comm port definitions, Ethernet card settings, desktop settings and profiles, and what a particular user can and cannot do are stored in the Registry. Remember those ugly system INI files in Windows 3.1? Well, they are all rolled up, with even more fun stuff, into one big database called the Registry in NT.
Of interest to hackers is the fact that all access control and assorted parameters are located in the Registry. While I'm tempted to discuss just that portion of the Registry, I'll briefly cover everything for completeness but put the fun stuff up front.
The Registry contains thousands of individual items of data, called values, which are grouped under "keys" (keys can in turn contain subkeys). These keys are grouped into subtrees, placing like keys together, with copies of some keys mirrored into separate subtrees for more convenient system access.
The Registry is divided into four separate subtrees. These subtrees are called HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, and HKEY_USERS. We'll go through them from most important to the hacker to least important to the hacker.
First and formost is the HKEY_LOCAL_MACHINE subtree. It contains five different keys. These keys are as follows:
The second most important main key is HKEY_USERS. It contains a subkey (the loaded profile) for each user currently logged on to the system, locally or remotely, plus .DEFAULT. The accounts of domain users who log in across the network are not stored here but in the SAM on a Domain Controller. Things such as desktop settings and user profiles are stored here.
The third and fourth main keys, HKEY_CURRENT_USER and HKEY_CLASSES_ROOT, contain copies of portions of HKEY_USERS and HKEY_LOCAL_MACHINE respectively. HKEY_CURRENT_USER contains exactly what you would expect, a copy of the subkey from HKEY_USERS for the currently logged in user. HKEY_CLASSES_ROOT contains a part of HKEY_LOCAL_MACHINE, specifically from the SOFTWARE subkey: file associations, OLE configuration and dependency information.
Hives are the major subdivisions of all of these subtrees, keys, subkeys, and values that make up the Registry. They contains "related" data. Look, I know what you might be thinking, but this is just how Microsoft divided things up -- I'm just relaying the info, even I don't know exactly what all the advantages to this setup are. ;-)
All hives are stored in %systemroot%\SYSTEM32\CONFIG. The major hives and their files are as follows:
Hackers should look for the SAM file, with the SAM.LOG file as a secondary target. This contains the password info.
Who the hell knows why it's this way? ;-)
The main reason is a step towards central administration and combining all that crap from SYSTEM.INI, WIN.INI, and other "legacy" Windows 3.x config stuff into one database. Then nice and neat individual GUI applications could be used to manipulate the data contained inside. And with the idea of a "domain" there are some "centralized" functionalities that are a little more convenient.
Is it better than Windows 3.x? This is debatable, although in my personal opinion I'd say yes. Were the design functions met? Probably not. While the Registry tries to be all things to all subcomponents of a domain, it does tend to smell like there were too many cooks in Microsoft's kitchen and simply not enough spoons. Some functions seem to be well suited for the Registry, some not. It is certainly not "portable" like Novell's NDS, that is you will probably never find the Registry running on a Unix system, whereas Novell's NDS is a much simpler design and is quite portable. Both schemes have their place -- NDS does not contain or manage OS info at the Desktop level and the Registry does.
Who wins? My guess is the people currently offering training classes in any modern OS are probably loving this because it is so complex, therefore it is guaranteed income. And hackers also win, because this is a complex environment where one wrong parameter setting or one Hot Fix not loaded could mean free and easy access.
My main advice to hackers is to play around with the Registry before the attack, because as you go further and further into an NT environment, you stand more chances of screwing things up, which is an easy way to make yourself known.
You get passwords. First use a copy of SAMDUMP.EXE to extract the user info out of it. You do not need to import this data into the Registry of your home machine to play with it. You can simply load it up into one of the many applications for cracking passwords, such as L0phtCrack. See section 3 for more info on NT passwords and cracking them.
While there are dozens of WWW sites with information, here is a list of some that deal mainly with NT Security, or with some of the tools discussed in this FAQ.
WWW:
https://www.somarsoft.com/
https://www.ntsecurity.com/
https://listserv.ntbugtraq.com/
https://www.ntresearch.com/
https://www.ntinternals.com/
https://www.intrusion.com/
https://www.iss.net/
https://samba.anu.edu.au/pub/samba/samba.html
https://home.eunet.no/~pnordahl/ntpasswd/
https://www.dataprotect.com/ntfrag/
FTP:
ftp://ftp.netcom.com/pub/wo/woodardk/
Tons o' newsgroups....
NT Security:
comp.os.ms-windows.nt.admin.security
Security in general:
comp.security.announce
comp.security.firewalls
comp.security.misc
NT in general:
comp.os.ms-windows.networking.misc
comp.os.ms-windows.networking.ras
comp.os.ms-windows.networking.tcp-ip
comp.os.ms-windows.networking.win95
comp.os.ms-windows.networking.windows
comp.os.ms-windows.nt.admin.misc
comp.os.ms-windows.nt.admin.networking
comp.os.ms-windows.nt.advocacy
comp.os.ms-windows.nt.announce
comp.os.ms-windows.nt.misc
comp.os.ms-windows.nt.pre-release
comp.os.ms-windows.nt.setup.hardware
comp.os.ms-windows.nt.setup.misc
comp.os.ms-windows.nt.software.backoffice
comp.os.ms-windows.nt.software.compatibility
comp.os.ms-windows.nt.software.services
comp.os.ms-windows.programmer.networks
comp.os.ms-windows.programmer.nt.kernel-mode
Web stuff where NT could be mentioned:
comp.infosystems.www.authoring.cgi
comp.infosystems.www.servers.misc
comp.infosystems.www.servers.ms-windows
Microsoft's newsgroups:
microsoft.public.windowsnt.40beta
microsoft.public.windowsnt.apps
microsoft.public.windowsnt.domain
microsoft.public.windowsnt.dsmnfpnw
microsoft.public.windowsnt.fsft
microsoft.public.windowsnt.mac
microsoft.public.windowsnt.mail
microsoft.public.windowsnt.misc
microsoft.public.windowsnt.print
microsoft.public.windowsnt.protocol.misc
microsoft.public.windowsnt.protocol.ras
microsoft.public.windowsnt.protocol.tcpip
microsoft.public.windowsnt.setup
The NT-security mailing list:
To subscribe, send a message with SUBSCRIBE in the body to [email protected].
NT-BugTraq:
Like the BugTraq list, this is a full disclosure list. Send "subscribe ntbugtraq firstname lastname" (without the quotes) in the body of a message to [email protected].
The NT Security FAQ -- geared toward administrators:
https://www.it.kth.se/~rom/ntsec.html

NT Password Cracking Decrypted By Ankit Fadia [email protected]
So you got administrator privileges on a NT box and now want to take over the entire Network, but for that you need to get the list of accounts that you would use and their respective passwords. So, what do you do?
Well, the NT Security Accounts Manager or the SAM holds the key, and this manual explores how exactly you would go about the process of extracting and 'cracking' passwords from the Windows NT SAM and other related information.
The NT Security Accounts Manager or NT SAM is to Windows NT what the /etc/passwd file (or rather /etc/shadow, since it holds the hashes) is to Unix systems. The SAM stores the usernames of all accounts and their passwords in hashed form, either for the local users of a workstation or, on a domain controller, for all users of that domain. Cracking the SAM, in other words cracking the password hashes stored in it, is all you need to do in your quest to control the entire network.
Although the newer hashing algorithm used by Windows NT (the NT hash, an MD4 of the Unicode password) is quite good, there is a flaw, or rather a backward compatibility feature, which can easily be exploited to crack the passwords. For compatibility with LAN Manager and Windows 9x clients, NT stores the old LAN Manager (LM) hash of every password alongside the NT hash. The LM hash upper-cases the password, pads it to 14 characters and splits it into two 7-character halves, each of which is hashed independently with DES, so an attacker never has to search more than 7 characters of a case-insensitive alphabet at a time. That is why the LM hash is what password crackers go after first.
L0phtcrack is the utility, which we will be using in this manual to crack the Windows NT passwords. It is available at https://www.l0pht.com/l0phtcrack L0phtcrack is probably the most easy to use and the most effective utility available to crack NT passwords. L0phtCrack can import the required SAM data in many forms. It can extract the SAM data from raw SAM files, from compressed backup SAM files (SAM._), from remote systems using administrator access and even by sniffing hashes being transferred over networks.
Before you actually get down to using L0phtCrack, you need to obtain the SAM file. Microsoft uses a file called SAM to store the SAM data on Windows NT. This file can be found at:
%systemroot%\system32\config
This particular directory is locked throughout the time when Windows NT is running. The information stored by this file has actually been extracted from the Windows NT registry. The original source of the data stored by this file is the following registry key:
HKEY_LOCAL_MACHINE\SAM
This key is not readable by any normal account: by default only SYSTEM has access, and even the Administrator account gets "access denied" when opening it in the registry editor (Administrators can, however, change its permissions, which is exactly why the protection is weak). Like all security features, this one too can be gotten around. In fact there are several ways of getting the SAM data, and in this manual I will try and elaborate on all of these methods.
When you use the NT Repair Utility (rdisk) with the /s argument to backup the important information regarding the system configuration to a floppy disk, then a compressed copy of the SAM data file is created in the %systemroot%\repair directory under the filename: SAM._
A good system administrator will not forget to delete (or at least restrict access to) this file, but inexperienced system administrators do tend to forget. As this backup copy of the SAM is compressed, you need to expand it before you can use it. One can expand the compressed backup copy of the SAM using the following command:
C:\>expand sam._ sam
NOTE: If you use the latest version of L0phtCrack, you need not go through the process of expanding the compressed backup copy of the SAM, as there is a built in option, which automatically does it for you.
The basis of this section is the fact that the SAM file is locked throughout the time Windows NT is running. So, in other words, access to the SAM file is not restricted when Windows NT is not running. Right? All you need to do, then, is boot into an alternate operating system, most commonly DOS from a floppy that carries the COPY utility. So what one needs to do is create a bootable DOS floppy, change the BIOS settings to enable booting from the floppy disk, and once booted into DOS use COPY to grab the SAM file.
However, this process is not as easy as it above, but again not too difficult. You see, more often than not a target system running Windows NT would be running on an NTFS-formatted partition. So, while you create the bootable floppy, what you need to keep in mind if the fact that it should be able to read NTFS partitions. There is a NTFS file system driver called NTFSDOS, which will do the trick in such scenarios. It basically works by mounting NTFS partitions as logical drives, in effect, making all the files on the target system vulnerable to being read (including the SAM file).
You can get NTFSDOS from https://www.sysinternals.com/
HACKING TRUTH: NTFSDOS makes all files on the target system vulnerable to being read. Now, wouldn't it be wonderful if you could write to the target system as well? Well, NTRecover and NTLocksmith, again from https://www.sysinternals.com, give you limited write capabilities.
There is yet another way of in which booting into an alternate OS can be helpful. One could also boot into say a Linux boot disk and carry out the same procedure.
If you have administrator privileges on a Windows NT system, then you could easily dump the password hashes from the SAM hive in the registry into a UNIX password file format. (The format followed by the /etc/passwd file)
The most commonly used utility, which can accomplish this task, is pwdump. The newer versions of L0phtCrack again have a built in feature, which extracts hashes directly from the registry.
So how can one protect the SAM hive from getting dehashed? (Is that a word?) Before SYSKEY, the hashes in the SAM were only obfuscated with DES keys derived from each user's RID, which pwdump undoes trivially. With NT 4.0 Service Pack 3, Microsoft introduced a feature called SYSKEY that additionally encrypts the stored hashes under a 128-bit key. One can enable SYSKEY by following the process below:
Click on Start > Run
Type 'syskey' (without the quotes) in the space provided.
Both pwdump and L0phtCrack fail to get past the extra encryption layer that SYSKEY adds. So is a system with SYSKEY enabled not vulnerable to being dehashed? Well, no. pwdump2, a sort of sequel to pwdump, injects a DLL into the LSASS process and reads the hashes after SYSKEY has already been stripped off, so it works fine against SYSKEY'd systems.
HACKING TRUTH: OK, I am really scared, is there any way I can make the attacker's task a bit more difficult? Well, yes. If the attacker is using L0phtCrack, the following trick helps to a great extent. L0phtCrack does not show non-printable ASCII characters: if such characters are placed in a password, they are not displayed when viewed in L0phtCrack. Some examples of non-printable ASCII characters are: (NUM LOCK) ALT-255 or (NUM LOCK) ALT-129
Besides playing with the SAM, the most widely used NT exploit is the getadmin exploit. It is basically a utility which adds a user to the local Administrators group. It uses a technique called DLL injection to hijack a process (winlogon.exe) which has the ability to add users to the Administrators group. For complete details and information regarding the 'getadmin' exploit visit: https://www.ntsecurity.net/security/getadmin.htm
A post SP-3 hotfix has fixed the 'getadmin' hole. For more information regarding the fix and the exploit, read Knowledge Base article Q146965.
Another popular Windows NT exploit is 'sechole'. It works similarly to 'getadmin' and adds a user to the Administrators group. For complete details and information regarding the 'sechole' exploit visit: https://www.ntsecurity.net/security/sechole.htm One can easily fix the sechole hole by applying the fix made available by Microsoft. For more details read Knowledge Base article Q190288.
Well, that is all for now. Till next time, bye.
Have you sent me an email which I haven't replied to yet? Well, then kindly read the following:
I apologize for not being able to get back to you. But I assure you I will reply to you as soon as possible, please bear with me. In order to relieve the congestion of emails, you can now contact me via Instant Messaging software. I use MSN Messenger and the email address which I use is: [email protected] (Do not send mail to this address. I do not check this account.) Simply download MSN Messenger or a multi-messenger platform, search for the above email address and add it to your contact list. Then the next time I am online you will be informed and you can post your question to me. However, that doesn't mean I will not be answering my emails. I try and answer all my emails except questions like "How to Hack Hotmail" etc. However, most of the time my replies come real slow. Sorry. :-)
Ankit Fadia
https://hackingtruths.box.sk
To receive tutorials written by Ankit Fadia on Everything you ever dreamt of in your Inbox, join his mailing list by sending a blank email to: [email protected]
Netstat Made Easy By Ankit Fadia [email protected]
A lot of times, I hear people asking questions like, how to find out the IP of a friend? Or how to find out your own IP? How do I know, which ports are open on my system? How do I make sure whether my system is infected with a Trojan or not?
Well, for all above questions (and more) there is one simple answer: The Netstat command.
Microsoft has this weird tendency of hiding or making sure that such 'useful' utilities are not easily accessible to the users. However, they fail to understand that putting a utility in the Windows directory and not listing it anywhere does not make it hidden.
The 'Netstat' command is accessible through the command line prompt. Simply launch MSDOS and:
C:\>cd windows
C:\windows>
NOTE: Normally, well, almost always, DOS opens by default in the Windows directory, however, for those of you whose default DOS directory is not Windows, the above would prove helpful.
Anyway, before we move on, we need to understand what exactly the Netstat command is used for. This command is used to get information on the open connections on your system (ports, protocols being used etc), incoming and outgoing data, and also the ports of the remote systems to which we are connected. 'Netstat' gets all this networking information from the TCP/IP stack's own connection and routing tables in memory.
According to the RFC on Internet Tool Catalog, 'Netstat' is defined as:
'Netstat is a program that accesses network related data structures within the kernel, then provides an ASCII format at the terminal. Netstat can provide reports on the routing table, TCP connections, TCP and UDP "listens", and protocol memory management.'
Anyway, now that we know what Netstat is all about, we are in a position to start using it. Once, you have launched MSDOS, you can read the MSDOS help on Netstat by giving the following command:
C:\WINDOWS>netstat /?
Displays protocol statistics and current TCP/IP network connections.
NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]
-a Displays all connections and listening ports. (Server-side connections are normally not shown).
-e Displays Ethernet statistics. This may be combined with the -s option.
-n Displays addresses and port numbers in numerical form.
-p proto Shows connections for the protocol specified by proto; proto may be tcp or udp. If used with the
-s option to display per-protocol statistics, proto may be tcp, udp, or ip.
-r Displays the contents of the routing table.
-s Displays per-protocol statistics. By default, statistics are shown for TCP, UDP and IP; the -p
option may be used to specify a subset of the default.
interval Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+C to
stop redisplaying statistics. If omitted, netstat will print the current configuration information
once.
However, like always, the help provided by MSDOS, can be used only as a reference, it is not at all sufficient for a complete newbie.
So, let us try out each command and see the result and also understand what exactly happens when we execute it and what all the results displayed mean.
Firstly, we will start with the Netstat command with the -a argument.
Now, the '-a' option is used to display all open connections on the local machine. It also returns the remote system to which we are connected to, the port numbers of the remote system we are connected to (and the local machine) and also the type and state of connection we have with the remote system.
For Example,
C:\windows>netstat -a
Active Connections
Proto Local Address Foreign Address State
TCP ankit:1031 dwarfie.box.com:ftp ESTABLISHED
TCP ankit:1036 dwarfie.box.com:ftp-data TIME_WAIT
TCP ankit:1043 banners.egroups.com:80 FIN_WAIT_2
TCP ankit:1045 mail2.mtnl.net.in:pop3 TIME_WAIT
TCP ankit:1052 zztop.box.com:80 ESTABLISHED
TCP ankit:1053 mail2.mtnl.net.in:pop3 TIME_WAIT
UDP ankit:1025 *:*
UDP ankit:nbdatagram *:*
Now, let us take a single line from the above output and see what it stands for:
Proto Local Address Foreign Address State
TCP ankit:1031 dwarfie.box.com:ftp ESTABLISHED
Now, the above can be arranged as below:
Protocol: TCP (Connections are listed as either TCP, the Transmission Control Protocol, or UDP, the User Datagram Protocol; the -s statistics option additionally reports IP.)
Local System Name: ankit (This is the hostname of the local system that you set during the Windows setup.)
Local Port opened and being used by this connection: 1031
Remote System: dwarfie.box.com (This is the non-numerical form of the system to which we are connected.)
Remote Port: ftp (This is the port number of the remote system dwarfie.box.com to which we are connected.)
State of Connection: ESTABLISHED
'Netstat' with the '-a' argument is normally used to get a list of open ports on your own system, i.e. on the local system. This can be particularly useful to check whether your system has a Trojan installed or not. Yes, most good antivirus software is able to detect the presence of Trojans, but we are hackers and don't need software to tell us whether we are infected or not. Besides, it is more fun to do something manually than to simply click on the 'Scan' button and let some software do it.
The following is a list of Trojans and the port numbers which they use, if you Netstat yourself and find any of the following open, then you can be pretty sure, that you are infected.
Port 12345(TCP) Netbus
Port 31337(UDP) Back Orifice
For complete list, refer to the Tutorial on Trojans at: hackingtruths.box.sk/manuals.htm
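Doing the check above programmatically, as an added Python example that is not part of the original tutorial: parse the text of netstat -a (or netstat -an, the parser treats the two the same way) and flag local ports that match the Trojan table given above. SAMPLE_NETSTAT is constructed from the listing shown earlier with two extra lines added to trigger the check (a LISTENING entry on TCP 12345 and a UDP 31337 entry); the SERVICE_NAMES map covers only the names that appear in the sample and is an assumption.

```python
SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address            State
  TCP    ankit:1031             dwarfie.box.com:ftp        ESTABLISHED
  TCP    ankit:1036             dwarfie.box.com:ftp-data   TIME_WAIT
  TCP    ankit:1043             banners.egroups.com:80     FIN_WAIT_2
  TCP    ankit:12345            0.0.0.0:0                  LISTENING
  UDP    ankit:1025             *:*
  UDP    ankit:31337            *:*
  UDP    ankit:nbdatagram       *:*
"""

# Trojan ports from the tutorial; extend from a fuller list as needed.
TROJAN_PORTS = {("TCP", 12345): "Netbus", ("UDP", 31337): "Back Orifice"}

# netstat prints service names instead of numbers unless -n is given (assumed subset).
SERVICE_NAMES = {"ftp": 21, "ftp-data": 20, "pop3": 110, "nbdatagram": 138}

def parse_port(token):
    """Numeric port, resolved service name, or the raw token if unknown."""
    try:
        return int(token)
    except ValueError:
        return SERVICE_NAMES.get(token, token)

def parse_netstat(text):
    """Turn netstat -a / -an output into a list of connection dicts.
    Header and blank lines are skipped; only TCP/UDP rows are kept."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lhost, lport = parts[1].rsplit(":", 1)    # rsplit: hostnames never contain ':'
        fhost, fport = parts[2].rsplit(":", 1)
        rows.append({
            "proto": parts[0],
            "local_host": lhost, "local_port": parse_port(lport),
            "remote_host": fhost, "remote_port": parse_port(fport),
            "state": parts[3] if len(parts) > 3 else "",   # UDP rows have no state
        })
    return rows

def suspicious(rows):
    """Names of Trojans whose known port is open locally."""
    hits = {TROJAN_PORTS[(r["proto"], r["local_port"])]
            for r in rows if (r["proto"], r["local_port"]) in TROJAN_PORTS}
    return sorted(hits)

def remote_peers(rows):
    """Every remote host we are talking to (wildcards and unbound entries dropped)."""
    return sorted({r["remote_host"] for r in rows
                   if r["remote_host"] not in ("*", "0.0.0.0")})

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("peers:", remote_peers(rows))
    print("trojan ports open:", suspicious(rows))
```

A match on a port number is a hint, not proof: any program can listen on 12345, so confirm by finding out which process owns the socket before declaring an infection.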
HACKING TRUTH: Some of you might me wondering, as to what the high port numbers after the local machine's name stand for?
Eg. ankit:1052
Port Numbers upto 1024 normally have a specific kind of service running on it. Infact there is a complete RFC on Assigned Port Numbers- RFC 1700.
However, port numbers over 1024 are used by your system to connect to remote computers. For Example, say your browser wants to establish a connection with www.hotmail.com, then what it will do is, it will take up a random port number above 1024, open it and use it to communicate with the Hotmail server.
OK, now let us move on to a variant of the above command, Netstat -n.
The Netstat -n command is basically the numerical form of the Netstat -a command: it shows the addresses of the local and remote systems as IP addresses and port numbers (hence -n), while -a shows host names and service names. There is one more difference worth knowing: -n on its own lists only active connections, not the ports your system is merely listening on, so to get the Trojan check above in numerical form you combine the two as 'netstat -an'.
Let us see an example to understand better:
C:\>netstat -n
Active Connections
Proto Local Address Foreign Address State
TCP 203.xx.251.161:1031 195.1.150.227:21 ESTABLISHED
TCP 203.xx.251.161:1043 207.138.41.181:80 FIN_WAIT_2
TCP 203.xx.251.161:1053 203.94.243.71:110 TIME_WAIT
TCP 203.xx.251.161:1058 195.1.150.227:20 TIME_WAIT
TCP 203.xx.251.161:1069 203.94.243.71:110 TIME_WAIT
TCP 203.xx.251.161:1071 194.98.93.244:80 ESTABLISHED
TCP 203.xx.251.161:1078 203.94.243.71:110 TIME_WAIT
Although this gives similar results, there are a few things the numerical form is good for.
If you read the alt.2600 newsgroup regularly, or any other newsgroup for that matter, you will have seen at least 2-3 postings a day whose body reads: How do I find out my own IP?
Well, this option of Netstat is most commonly used to do just that: find out your own IP. It is the address on the left, in the Local Address column (203.xx.251.161 above). Also, some people simply feel more comfortable with numbers than with host names.
This form of Netstat also makes life easier, as port numbers are displayed instead of service names, which makes relating everything to port lists easier.
Getting the IP of a person is the first thing one needs in order to attack his system; every port scan and every exploit starts from an address. So hiding your IP from hackers and getting the IP of the victim are some of the things people are most concerned with, and IP Hiding facilities have become increasingly popular. However, are these so-called IP Hiding services or software truly and perfectly anonymous? There is only one answer: they are nowhere near totally anonymous. Consider the following example to understand how weak some of these utilities are.
I Seek You, or ICQ, is one of the most popular chatting programs around. With it comes not only an easy pastime, but also security concerns. ICQ has an inbuilt IP Address Hider, which when enabled is supposedly able to hide your IP from the users you are chatting with. However, like most IP Hiding software, this too is nowhere near good. You can find out the IP Address of an ICQ user, even if IP Hiding has been enabled, by following the process below.
Launch MSDOS and type Netstat -n to get a list of the already open ports and the IPs of the machines with which a connection has been established. Note this list down somewhere; it is your baseline.
Now launch ICQ and send a message to the victim.
While you are still chatting, go back to DOS and give the Netstat -n command again. You will find a new entry signifying a new connection. Its foreign address is the IP Address of the victim. Get it? Compare carefully against your baseline, though: connections to ICQ's own servers show up in the list as well. Better still, take the baseline after ICQ is already running and logged in, so that the server connections are already in your list and the only new entry is the one the chat creates.
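The two checks described above, the Trojan port check with 'netstat -a' and the two-snapshot comparison used against ICQ, as one added example. This is not code from the tutorial; it parses the text that Windows 'netstat -an' prints. The netstat output embedded in it is constructed to match the page's layout, and the addresses (including 198.51.100.7, standing in for the chat partner) are made up.

```python
"""Parse Windows 'netstat -an' output, flag known Trojan ports, diff two snapshots.

Added example, not part of the original tutorial. The netstat text below is
constructed to look like the page's own output; all addresses are made up.
"""
from collections import namedtuple

Socket = namedtuple("Socket", "proto local_ip local_port remote_ip remote_port state")

# Default ports the tutorial lists. A match is a hint, not proof: any program
# can bind these ports, so identify the owning program before concluding anything.
TROJAN_PORTS = {
    ("TCP", 12345): "NetBus",
    ("UDP", 31337): "Back Orifice",
}


def split_endpoint(endpoint):
    """'203.94.251.161:1031' -> ('203.94.251.161', 1031); '*:*' -> ('*', None)."""
    host, port = endpoint.rsplit(":", 1)
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return Socket entries from 'netstat -an' output.

    Header lines ('Active Connections', 'Proto Local Address ...') are skipped.
    UDP lines carry no State column, so their state is the empty string.
    """
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""
        lip, lport = split_endpoint(local)
        rip, rport = split_endpoint(remote)
        sockets.append(Socket(proto, lip, lport, rip, rport, state))
    return sockets


def find_trojan_ports(sockets):
    """Return {trojan name: local port} for listening sockets on a listed port.

    Only listeners count (TCP in LISTENING state, or any UDP socket): an
    outbound TCP connection whose ephemeral local port happens to be 12345
    is not a NetBus server.
    """
    hits = {}
    for s in sockets:
        listening = (s.proto == "UDP") or (s.state == "LISTENING")
        name = TROJAN_PORTS.get((s.proto, s.local_port))
        if listening and name:
            hits[name] = s.local_port
    return hits


def new_remote_hosts(before, after):
    """Remote IPs present in the second snapshot but not the first (the ICQ trick).

    Wildcard and loopback addresses never belong to a peer, so they are ignored.
    """
    skip = {"0.0.0.0", "127.0.0.1", "*"}
    seen = {s.remote_ip for s in before}
    return sorted({s.remote_ip for s in after} - seen - skip)


# Constructed sample output (made-up addresses), in the layout netstat prints.
BASELINE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    203.94.251.161:1031    195.1.150.227:21       ESTABLISHED
  UDP    0.0.0.0:31337          *:*
"""

# Second snapshot taken while chatting: one new connection has appeared.
WHILE_CHATTING = BASELINE + "  TCP    203.94.251.161:1102    198.51.100.7:2200      ESTABLISHED\n"

if __name__ == "__main__":
    base = parse_netstat(BASELINE)
    print("trojan ports:", find_trojan_ports(base))
    print("new peers:", new_remote_hosts(base, parse_netstat(WHILE_CHATTING)))
```

On a real machine you would feed the function the saved output of 'netstat -an' taken before and during the chat; the diff shows every address that appeared in between, which is why the baseline should be taken with ICQ already connected.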
Till now, with both the '-a' and '-n' arguments, we saw that the connections displayed were not restricted to a particular protocol: both TCP and UDP sockets were shown. However, say you want to see only the UDP connections. Then you make use of the '-p' argument.
The general format of the Netstat command with the '-p' argument is as follows:
Netstat -p xxx
Where xxx is either UDP or TCP. The usage of this argument will become clearer with the following example, which shows only TCP connections.
C:\>netstat -p tcp
Active Connections
Proto Local Address Foreign Address State
TCP ankit:1031 dwarfie.box.com:ftp ESTABLISHED
TCP ankit:1043 banners.egroups.com:80 FIN_WAIT_2
TCP ankit:1069 mail2.mtnl.net.in:pop3 TIME_WAIT
TCP ankit:1078 mail2.mtnl.net.in:pop3 TIME_WAIT
TCP ankit:1080 mail2.mtnl.net.in:pop3 TIME_WAIT
TCP ankit:1081 www.burstnet.com:80 FIN_WAIT_2
TCP ankit:1083 zztop.box.com:80 TIME_WAIT
This is basically nothing but a filtered variation of the '-a' and '-n' output, and '-p' combines with them: 'netstat -an -p udp' gives every UDP socket in numerical form.
Anyway, let us move on to the remaining arguments of 'netstat'.
Now we come to the '-e' option. Let us see what DOS returns when this command is given:
C:\>netstat -e
Interface Statistics
Received Sent
Bytes 135121 123418
Unicast packets 419 476
Non-unicast packets 40 40
Discards 0 0
Errors 0 0
Unknown protocols 0
Sometimes the number of data packets sent and received is not shown properly by some faulty or incompatible modems, and in such cases this command comes in handy. The output it returns is fairly self-explanatory: byte and packet counters for the interface in each direction. The Discards and Errors rows are the ones to watch; a non-zero count there points to a bad link or driver, which is worth checking when a download keeps arriving corrupt. The counters are cumulative since the interface came up, so run the command before and after a transfer and compare the two to see what that transfer did.
With this we come to the last argument associated with Netstat, the '-r' argument. This is not commonly used, and is a bit difficult to understand. I will simply give an example of it in this manual; a proper and detailed description will be provided in another manual. Hacking using Routing Tables is considered to be very elite and not many people are comfortable with it. However, like all things associated with computers, it is not as difficult as it is made out to be. What the table says is: for each destination network (a packet's destination is matched against the Network Address through the Netmask), send the packet to the Gateway Address through the given Interface; when several entries match, the one with the longest netmask wins, and the Metric breaks ties. Note that 'netstat -r' also prints the active connections after the route table.
C:\windows>netstat -r
Route Table
Active Routes:
Network Address Netmask Gateway Address Interface Metric
0.0.0.0 0.0.0.0 203.94.251.161 203.94.251.161 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
203.94.251.0 255.255.255.0 203.94.251.161 203.94.251.161 1
203.94.251.161 255.255.255.255 127.0.0.1 127.0.0.1 1
203.94.251.255 255.255.255.255 203.94.251.161 203.94.251.161 1
224.0.0.0 224.0.0.0 203.94.251.161 203.94.251.161 1
255.255.255.255 255.255.255.255 203.94.251.161 203.94.251.161 1
Active Connections
Proto Local Address Foreign Address State
TCP ankit:1031 dwarfie.box.com:ftp ESTABLISHED
TCP ankit:1043 banners.egroups.com:80 FIN_WAIT_2
TCP ankit:1081 www.burstnet.com:80 FIN_WAIT_2
TCP ankit:1093 zztop.box.com:80 TIME_WAIT
TCP ankit:1094 zztop.box.com:80 TIME_WAIT
TCP ankit:1095 mail2.mtnl.net.in:pop3 TIME_WAIT
TCP ankit:1096 zztop.box.com:80 TIME_WAIT
TCP ankit:1097 zztop.box.com:80 TIME_WAIT
TCP ankit:1098 colo88.acedsl.com:80 ESTABLISHED
TCP ankit:1099 mail2.mtnl.net.in:pop3 TIME_WAIT
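How the route table above is read, as an added example that is not part of the tutorial: a longest-prefix lookup over the seven entries the page's 'netstat -r' printed. The table text is copied from the page; the destination addresses tried against it are made up.

```python
"""Longest-prefix route lookup over the table printed by 'netstat -r' above.

Added example, not part of the original tutorial. ROUTE_TABLE is the page's
own output; the destinations in the __main__ block are made up.
"""
import ipaddress

# Network Address, Netmask, Gateway Address, Interface, Metric (as netstat -r prints them)
ROUTE_TABLE = """\
0.0.0.0          0.0.0.0          203.94.251.161   203.94.251.161   1
127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1        1
203.94.251.0     255.255.255.0    203.94.251.161   203.94.251.161   1
203.94.251.161   255.255.255.255  127.0.0.1        127.0.0.1        1
203.94.251.255   255.255.255.255  203.94.251.161   203.94.251.161   1
224.0.0.0        224.0.0.0        203.94.251.161   203.94.251.161   1
255.255.255.255  255.255.255.255  203.94.251.161   203.94.251.161   1
"""


def ip_int(text):
    return int(ipaddress.IPv4Address(text))


def parse_routes(text):
    """Return (network, netmask, gateway, interface, metric) tuples; addresses as ints."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        net, mask, gw, iface, metric = parts
        routes.append((ip_int(net), ip_int(mask), gw, iface, int(metric)))
    return routes


def lookup(routes, dst):
    """Pick the route for dst the way the IP stack does.

    An entry matches when (dst AND netmask) equals the network address. Among
    the matches the one with the most mask bits set wins (the /32 host routes
    beat the /24 subnet route, which beats the 0.0.0.0 default), and a lower
    metric breaks ties. Returns (network, netmask, gateway, interface) as
    strings, or None when nothing matches.
    """
    d = ip_int(dst)
    best = None
    for net, mask, gw, iface, metric in routes:
        if d & mask != net:
            continue
        key = (bin(mask).count("1"), -metric)
        if best is None or key > best[0]:
            best = (key, (str(ipaddress.IPv4Address(net)),
                          str(ipaddress.IPv4Address(mask)), gw, iface))
    return best[1] if best else None


if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    # Own address goes through loopback; a neighbour on the /24 is delivered
    # directly; anything else falls to the default route. On this dial-up box
    # gateway and interface are the same address because a PPP link has only
    # one far end; on an Ethernet the default route would name a separate router.
    for dst in ("203.94.251.161", "203.94.251.77", "10.1.2.3", "224.0.0.9", "127.0.0.1"):
        print(dst, "->", lookup(routes, dst))
```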
Well, I hope you liked this manual. Even if not, then you better do. ; ) Bye.
Ankit Fadia
[email protected] (I answer all my mails, however, not promptly.)
To receive tutorials on everything you dreamt of written by Ankit Fadia, join his mailing list, by sending an email to: [email protected]
Version 1.0 + some WinNT tips'n'tricks
by: zweistein
([email protected])
for: Security Writers Guild
Converted to HTML by Paya
MICROSOFT = Most
Intelligent Customers Realise Our Software Only Fools Teenagers
Here are a few cool things that you can do with your Windoze box (my longest text ever...):
NOTE: almost all the tricks from here involve editing the registry. Please make backups first: click on Start->Run and type 'regedit' (without the 's), or 'RegEdt32' as admin under WinNT, and choose Registry->Export Registry File. Then zip that file to make it smaller in size. Everything in here will work ONLY for Win9x (the tricks for WinNT will work under WinNT only (duh!)). Be prepared for the neXt version!!!
windows update is a cool win98 feature (you can run it and leave it and it will search the internet for new drivers and updates) but you have to register win if you want to use it. not so good after all huh? well we are mean and we found a trick for bypassing the registration process:
-open regedit (start->run and type regedit)
-find the key:
-if this key doesn't exist create it (right click on the key in the upper list that you have and select new->key)
-find the string value RegDone
-if it doesn't exist create it (right-click on the right pane and select new->string value)
-change its value to 1
-refresh the registry (hit f5) and restart the comp
-run windows update
-it shouldn't ask you to register anymore!
note: i think the procedure is a little bit different in win95; ask on bsrf's message board (blacksun.box.sk) or on SWG's message board (www.securitywriters.org)
restarting windows:
-right click anywhere on the desktop (except on the icons) and select new->shortcut
-choose all the necessary options and in the "command line" box type this, without the quotes, where "C:\Windows" is your Windows path:
-note: this restarts windows without any warning
shutdown:
-right click anywhere on the desktop (except on the icons) and select new->shortcut
-choose all the necessary options and in the "command line" box type this, without the quotes, where "C:\Windows" is your Windows path:
-note: this shuts windows down without any warning
note: "choosing the necessary options" means giving a friendly name to the shortcut like "restart win" for restart or "shutdown win" for the shutdown procedure.
this is a cool trick. listen...
to change the boot (start) splash screen:
-try to find the logo.sys file. it should be in c:\. if it exists, back it up. rename logo.sys to logo.bmp, open it in paint and edit it as you wish. then save it as logo.bmp (256 colors) in c:\ and rename c:\logo.bmp to c:\logo.sys.
-if it doesn't exist follow these steps:
-open ms paint
-create a new bmp file 320(w)×400(h)
-create your own splash screen
-save the file as logo.bmp (256 color bitmap!)
-go to c:\
-rename the file logo.bmp to logo.sys
-restart windows and you should see your own splash screen
-if the splash screen doesn't come up check the dimensions (they have to be absolutely correct) and check that you saved the file as a 256 color bitmap! this is very important.
-note: windows stretches the 320×400 image to double width when it shows it, so draw everything squeezed to half its width in paint or it will look fat on screen.
to change the shutdown 1 and 2 screens:
you know that you have 2 shutdown screens: one that says windows is shutting down and looks like the boot splash screen, and the other that says "it's now safe to turn off your computer". well you can change both. here's how:
-find the files logos.sys and logow.sys (find them by using the find option from the start menu; they must be in the windows dir)
-backup the files and rename them to logos.bmp and logow.bmp
-open them in paint
-edit as you wish
-save the files as 256 color bmp's
-copy the bmp's you saved to c:\windows (or your windows dir)
-rename logos.bmp and logow.bmp to logos.sys and logow.sys
-shutdown your computer
-if you don't see the shutdown screens check that they are saved as 256-color bmp's and that their dimensions are 320(w)×400(h)
-if this doesn't work either, copy the files you backed up into your windows dir, replacing the files you created; the default shutdown screens then come back.
-launch regedit.exe (go to start->run and type "regedit" without the quotes)
-note: for winnt launch regedt32 instead ('cause this is useful on nt boxes too)
-go to the following key in the registry:
-create a new string value (by right-clicking in the right panel and choosing new->string value or something like that)
-name it LegalNoticeCaption
-right click on it & select modify
-enter the text you want to see in the title bar of the message box
-create another string value
-name it LegalNoticeText
-right click & select modify
-enter the text you want to see in the message box
note: this will pop up a message box before any user logs on
you know those stupid icons like recycle bin, network neighborhood and others that you can't delete, rename, copy & paste? well here's a solution...
first of all you need to know what the clsid (class id) value of the folder is. here are the most common:
My Briefcase:
Desktop:
(those guys from MS are sick look at these zeros!)
Control Panel:
Dial-Up networking:
Fonts:
My Computer:
Inbox:
Network Neighborhood:
Printers:
Recycle Bin:
MSN:
History:
these are the 16-byte CLSID values of the folders. explorer uses them to identify the folders; they are like the names of "real" folders. write them down before you do anything, in fact you can't do anything without them. now write down the value of the folder you want to change, and i will show you some tricks:
deleting the special folder from desktop:
these folders (the entire list above) can't be renamed, deleted, copied, cut or pasted. now let's go through this step by step. first i'm gonna show you how to delete those folders from the desktop:
-write down the clsid value of the folder you want to erase from the desktop
-launch regedit (start->run and type regedit (4 winnt regedt32))
-go to the following key in the registry:
-delete that key
-press f5 to refresh the registry
-voila! the folder is past :)
note: if this doesn't work try the following key if it exists:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\
-follow the steps above
adding copy, cut, paste, rename & delete to special folders:
ok, you managed to get rid of them, but wouldn't it be better if we could add copy, cut, paste, rename & delete to these folders? of course it would. here are the instructions:
-write down the clsid value
-launch regedit (winnt - regedt32)
-go to the following key:
-in the right pane find a binary value (the thing shown as a row of hex bytes rather than as text) named Attributes. the four bytes are one 32-bit number stored low byte first, so the default 40 01 00 20 is the number 0x20000140. each option below is one bit in the low byte and the bits add up: copy is 01, cut is 02, paste is 04, rename is 10, delete is 20, which is why copy & cut gives 43 and rename & delete gives 70.
-to add the rename option change the attributes value to:
50 01 00 20
-to add the delete option change it to:
60 01 00 20
-to add both rename & delete change it to:
70 01 00 20
-to add copy:
41 01 00 20
-to add cut:
42 01 00 20
-to add copy & cut:
43 01 00 20
-to add paste:
44 01 00 20
-to add copy & paste:
45 01 00 20
-to add cut & paste:
46 01 00 20
-to add cut, copy & paste:
47 01 00 20
-to change the menu back to default change it to:
40 01 00 20
-press f5 to refresh the registry
-voila second time! right click on the folder you changed (i suggest starting with recycle bin) and you will find the options you added! cool isn't it???
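The Attributes values in the list above, worked through as an added example (this is not code from the tutorial). The option names and the bit weights are read off the page's own table: copy 01, cut 02, paste 04, rename 10, delete 20 on top of the default 40 01 00 20. The code composes any combination into the byte string regedit expects and decodes a byte string back into the options it enables; it does not touch the registry itself.

```python
"""Compose and decode the ShellFolder 'Attributes' bytes listed above.

Added example, not part of the original tutorial. Bit weights follow the
page's table; nothing here writes to the registry.
"""

# The "default" value 40 01 00 20, read as a 32-bit number low byte first.
BASE = 0x20000140

# One bit per option, as the page's table implies (41 = copy, 42 = cut, ...).
FLAGS = {"copy": 0x01, "cut": 0x02, "paste": 0x04, "rename": 0x10, "delete": 0x20}


def attributes_dword(*options):
    """OR the chosen options into the base value, e.g. ('rename', 'delete') -> 0x20000170."""
    value = BASE
    for name in options:
        value |= FLAGS[name]          # raises KeyError for a name the table does not list
    return value


def to_regedit_bytes(value):
    """Render a 32-bit value the way regedit shows a 4-byte binary value: low byte first."""
    return " ".join("%02x" % b for b in value.to_bytes(4, "little"))


def from_regedit_bytes(text):
    """'70 01 00 20' -> 0x20000170 (the inverse of to_regedit_bytes)."""
    return int.from_bytes(bytes.fromhex(text.replace(" ", "")), "little")


def decode_options(value):
    """Which of the page's options are enabled in a value; other bits are ignored."""
    return sorted(name for name, bit in FLAGS.items() if value & bit)


if __name__ == "__main__":
    for combo in ((), ("rename",), ("rename", "delete"), ("copy", "cut", "paste")):
        print(combo, "->", to_regedit_bytes(attributes_dword(*combo)))
    print(decode_options(from_regedit_bytes("43 01 00 20")))
```

Decoding before you edit is the useful direction: paste the bytes regedit shows for a folder into from_regedit_bytes and decode_options, and you know exactly which options that folder already has before you overwrite the value.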
adding control panel to 1st-level of start menu:
it's pretty boring to access control panel isn't it. you have to wait forever. well this tweak will shorten that time:
-right-click on the start menu and click explore
-create a new folder and name it:
-don't forget the "." (period) sign after "l" in panel!
-voila! you have the control panel folder in the first-level start menu
-similarly you can add all the special folders to the start menu, except my briefcase i think
now say you have an account for your younger brother and a passworded account for yourself, and you want to remove the "run" and "find" options from the start menu 'cause your little bro knows the command regedit :). well you can do it, here's how:
remove find and run:
-launch regedit (winnt - regedt32)
-go to the key:
-create a new dword value named "NoFind" (to remove Run name it "NoRun")
-right-click on the value and select "modify"
-change the value of the dword to 1
-to get the find and run commands back change the values to 0 or delete the dwords
this trick hasn't been tried on win98 but it should work (i have win98 but i haven't tried it. this was taken over from ankit fadia's win tips'n'secrets tutorial).
note: this only hides the menu entries. anyone who can reach a dos prompt or a file manager can still start regedit.exe directly, so it keeps a curious little brother out, not someone who knows where the file is.
changing folder icons:
to change the folder icon for, let's say, your folder do this:
-create a blank text file
-copy the following lines into it:
where drive:\path\name.extension is your path to the icon.
-save the file as desktop.ini in the folder you want to change
-right click on the file and check the "hidden" and "read-only" boxes to prevent the file from being erased
-if explorer ignores it, the folder itself needs the read-only attribute too: open a dos prompt and type attrib +r followed by the folder's path
-yeah! your folder has a different icon!
change the drive icon:
you can change the drive icons too (how do you think they get the cool icon on the cd when you open "my computer", instead of the old boring default cd icon?). follow these steps:
-create a text file with these lines in it:
[Autorun]
where drive:\path\name.extension is your path to the icon.
-save the file as 'autorun.inf' (without the quotes) in the root of the drive whose icon you want to change (i.e. c:\).
-hey! my drive has a different icon, yours doesn't!!! :)))
right click on the start menu and you will get 3 options: open, explore & find (if you have winamp there will be winamp's options, and if you have an antivirus proggy you will have its options too). isn't that boring? it's just waiting to be changed. :)
adding a program to the right-click menu
-open regedit
-go to the key:
-create a new key by right-clicking on the "shell" key and selecting new->key
-type in the name of the application you want to add (we'll be adding notepad)
-create another key under it, named command
-in the "default" string value (it's always there, it's the first) type in the path to the application you want to use (in our example: c:\windows\notepad.exe)
-press f5 to refresh the registry
-yo! i have notepad in my right-click start menu!
removing programs & options from the right-click menu
in our example we will remove the find option. similarly you can remove any option or program you added:
-open regedit
-go to the key:
HKEY_CLASSES_ROOT\Directory\Shell\Find
-delete find
-note: do not delete open, or you will not be able to open any folders from the start menu.
internet explorer has a hell of a lot of tweaks you can do. here are the best:
change ie's window title:
-open regedit (i'm fed up of writing regedit...)
-go to the key:
-in the right pane create a new string value called "Window Title" (without the quotes)
-right click and select modify
-type in the new caption (window title)
-voila! refresh (f5) and open ie, you will find that the new caption is there!
-note: if this doesn't work (i discovered this accidentally: it didn't work 4 me so i tried it and it worked...) go to the following key:
and follow the instructions above.
adding a background to ie and explorer:
-open regedit (...)
-go to the key:
-create a new string value (in the right pane right-click and select new->string value)
-name it BackBitmap
-modify it (right-click on the value and select modify) to the path of the bmp file that you wish to use.
-cool! refresh (f5) and you will have a background on the toolbars in ie and even in the standard explorer!
colourful background:
outlook express has a cool feature, colourful background. no biggy, it says in the tips of the day how to use this. but what if we could speed it up...
-open regedit
-go to the key:
-find colorcycle in the left panel and click on it
-select edit->modify from the edit menu and change its value to 1
-refresh the registry and restart win
-launch oe and open a new message
-hold down ctrl-shift and tap the z key to cycle through background colors.
-yeah!
well, although some of the tips written here could be used for windows nt too, i decided to include a few tips and tricks for nt only. here they are...
winnt security bug:
windows nt displays the name of the last person who logged in by default. this is a security problem: it hands anyone at the console a valid user name, which is half of a logon, and it's especially bad for those whose password is the same as their username. here's how to fix it:
-launch regedt32 under admin privileges
-go to this key:
-select that key and create a new string value called DontDisplayLastUserName. modify the value to 1.
-refresh the registry and restart
automatically shutdown non-responding applications:
as in win9x, every now and then some application stops responding. well here's how to have winnt kill a non-responding application automatically when you log off or shut down:
-open regedt32
-go to the following key:
-find the value "autoendtasks" and set it to 1; this is the switch that turns the automatic kill on
-the timeout is a separate value in the same key, "WaitToKillAppTimeout". its default is 20000, which means a non-responding app is shut down after 20000 milliseconds
-change the timeout to fit your needs
winnt blue screen
when you get a blue screen under winnt your system will halt. here's how to change that so that the system automatically restarts after the blue screen:
-open regedt32
-go to the following key:
-find the dword autoreboot
-change its value to 1 if you want the computer to be automatically restarted after the blue screen of death
-refresh and restart
-note: with autoreboot on you never get to read the blue screen, so leave the crash dump and event log options in the same key switched on, or you will have no idea why the box keeps rebooting.
zweistein for Security Writers Guild
[email protected]
THE HACK MAGAZINE: https://www.thehackhome.cjb.net