Attacking NT

[Anatra]

DISCLAIMER: With no intention this post wants to justify or to bear the violation of any sistems.
I hold deplorable the other people's systems violation, the use of belonging data to other individuals. If someone will misunderstand this Post I pray all the MODERATORS to Immediately delete it.
The only intention of this Post is that to make to understand how it's simple being of criminals and how much more difficult is to follow the correct way. Remember: ALLWAYS LIVE IN THE RIGHT WAY::: IF U DEMAND RESPECT U MUST GIVE RESPECT

Anatra aka Sitting Duck



Attack to the "heart" of Windows NT


The surest systems can also be violated. We analyze footstep after footstep an assault succeeded to a net NT with which it has arrived to enter the system

Many substantially consider Windows NT as a sure base. In reality absolute safety doesn't exist , also for the best of the operational systems. A virtual pseudo-safety exists from instead to consider to time, that asks for constant adjustments, refinements and periodic updatings showing its dynamic nature. Objective of this article is that to offer a series of you sprout and of suggestions to help to implement a correct safety politics, able to hold in consideration the least details and the details often held meaningless or even irrelevant. The problem of the safety is for a long time by now to the center of the debate of the computer community. This has also favored the boom of the concept of "all sure": proposed of solutions that respect and guarantee the safety of the datum and the present consumers on the net both it an intranet, internet or both. This has given origin to a real business and to a competition trained among the most greater producers of the computer systems for the safety. Nevertheless the problems remain and the technological acceleration imposed by the growth of the sector telecommunications continually baits of of it new.

It begins the assault. Let Analyze a practical example of attack giving us a computer with Windows 9x on which we will install two utilities: respectively the L0phtCrack (purchasable on www.l0pht.com) and Samdump, available easily on internet. As it plots NT we take a server PDC (Primary Domain Controller); in alternative you can also be opted for a workstation NT or a BDC (Backup Domain Controller). As material of consumption for our experiment two floppy are needed by 1,44Mb on which to install the portable Kit of attack. Gotten how much it serves us, we begin to transform one of the floppy in auto-boot with the simple dos command from the prompt: c:\windows:>format to: / s. Now they miss the programs to read the partitions NTFS (NTFSDOS.exe and NTFShlp.vxd). After having copied them in the floppy, we insert in the autoexec.bat the line of command ntfsdos / L:C where C is the disk ntfs on which the operating system is found. We have used besides the command Ramdisk to make a disk virtual resident in the ram (random access memory) to employ as area of support to copy you the sam (security account managers) and eventually to manipulate it. To make our kit more desirable we also add the good healthy pkzip.exe while pkunzip.exe or WinZip.exe we install it on the workstation Windows 9X.. Pkzip.exe could serve subsequently to compress in more diskettes the Sam of NT if this had to overcome the dimension of the diskette: we consider that if we are before to a net with a number of consumers raised in the Sam Nt contain 5K for every consumer that belong to the dominion. In our hands we have how much it serves us, we can begin the first phase of the operation "uncle SAM."

Phase 1:

Individualized the NT machine, we insert the floppy in the drive A., now we reboot it. This will make the floppy boot starting again with the prompt of MS-Dos. Now we move therefore on the disk NTFS with the command cd c:, we insert a formatted floppy and perfectly empty and therefore we perform the command cd c:\winnt\system32\config+. With a dir sam. we see the dimension: if inferior to the ability of the diskette as in our case let's copy it on the floppy with a copy sam. A: at this point it needs to extract the floppy and to extinguish and to reboot the NT machine, as if nothing pits. If the dimensions of the Sam overcome the ability of the floppy it is necessary to use the Pkzip.exe or ARJ.exe to compress it on more diskettes. The Sam copied in our test weighed around 20Kb treating of a machine that contains two consumers of default Guest and Administrator. The time for the whole operation is inferior to the minute, irrelevant for a small net: with some training the times go down anymore below the 30 seconds the necessary duration for the reboot hardware, to intend us the bootstrap.

Two tips to defend yourselves. Before continuing we see what countermeasures it would be opportune to adopt to this stings of our defense to limit the damages or to complicate the life to whom has intention to try to follow the way from us pointed out: 1) to disable the floppy boot of the server. To do this is enough to intervene from the bios and to choose as options of boot the disk c: the cd-rom doesn't even have to be bootable, otherwise some sly person could trick the obstacle making a copy of the floppy on cd. 2) not to leave unguarded or easily attainable the server: in our case it was not conclusive that was accessible being a test of laboratory, but we think about the server business NT. The remedy to this negligence is possible assuring the server in an area possibly guarded with checked access. Everything depend in function of importance of the data presents on the net and from the safety level that is wanted to implement.

Even on the base of the costs for the realization of a reserved space the second point cannot easily be realized by everybody while on the first one it should not be problems.

Phase 2

At this point we copy the Sam from the diskette in the work directory c:\TEMP:> of the Workstation Windows9X, where it had been installed the utilities (samdump.exe and L0phtcrack) together with the special files with the words of the dictionaries English ( or other languagies). From the prompt we digit C:temp:> SAMDUMP sam. > samok, now our new file samok. it contains the followings data:

Administrator:500:80541D5D5+ 8AAEAD7AAD3B435B51404EE:23F+ BF5C678DE19613BF9E7AC253480+s E6:Built-in account for administering the computer/domain:: Guest:501:NO PASSWORD*******************+ * *: No PASSWORD*******************+ * *: Built-in account for guest access to the computer/domain::

We notice besides that from the 20Kb its dimension is reduced to as soon as 1Kb, for which it could be useful to also perform it on the NT machine in the phase 1 to decrease the dimension of the Sam before compressing it. Good part of the job has been made: after having purchased it and recorded we perform the program L0phtCrack to proceed to the decoding of the passwords. From the menù file we go to load our dictionary and we perform a first search on the database of the words of the dictionary English or other, then to pass to brute force to guess the possible passwords remained still inviolated.

Sure is what it makes it such . The percentage of violations of the passwords caused to the use of common terms or simple words it reaches elevated values, this because even the user has not adequately been educated and because the "politics" of some passwords are not defined with prudence. If after the first passage the password have remained some key words to violate for demolishing the last barrier that separates us from the administrator we can pass to brute foce attack. To also make more difficulty to individualize the administrator flowing the copy of the Sam a good suggestion is that to rename it as a simple user of the net, with the same criterion of identification of the normal business user. However after the "brutal" activity of attack here is in clear the selected passwords.

If you find you in the same net, to violate the administrator is enough for you to access the system and the game is done. At this point you are able to operate without restrictions on the whole net. If then you are really good you can make a logon on the same machine from which you have copied the Sam, also because surely it will appear u the name of the last user that has done logon, to 90% the Administrator. At this porpose the system to eliminate the visualization of the last consumer that is connected it consists of precisely inserting in the registry the lace DontDisplayLastUserName in the following run: HKEY_LOCAL_MACHINE\SOFTWAR+ E\Microsoft\WindowsNT\Cu+ rrentVersion\Winlogon

Let Set then the lace with the value 1 and to the next logon the user's field will be empty.

Over the obvious one we have seen that with few operations we have succeeded in violating NT. In effects it can be held sure only what you makes it such. The discourse is also valid for other operational systems, is them Linux, Sun or other: whatever program that is used trusting only the configuration of base without adding some precaution it will never be really sure. Whoever has decided to undertake the profession of administrator of net (Network Administrator) or employed to the safety (Security Account Manager) must learn to be careful to the particular ones and the dangers hidden behind the obvious one or the too superficiality in facing problems. In circle Microsoft has passed by Windows NT 4.0 to Windows2000. You notices the maturation: the planners Microsoft have matured the experience on the clients and they are passed by the groups of work (Workgroup - Windows 3.x) to the Dominoes (Windows NT) to reach the concept of forests, trees and leaves (Windows2000). Their project therefore has had upward a development from the lower part, contrarily to the systems Unix that has departed from the server to reach the in general client. In substance it is positive the appointment to make also more and more the near and simple net in the applications server.

Copyright Sitting Duck for Antionline

[S3cur|ty4ng31]

I think its pretty much common sense that if you have physical access to any box then the box has been compromised.

Also it can be a lot easier to get a copy of the SAM from c:\winnt\repair. Granted this may not be completely up to date but it saves you a lot of time over your example.

[mohaughn]

Yeah. This has been discussed three or four times in just this past week. If you have physical access you can do just about anything you want to just about any OS.

[nihil]

Thankyou Anatra,

That was very interesting, and proves the need for physical security. I happen to have some faith in removable disks.............hard to attack a system that is not there.

I would like your opinion on:

CompuSec v.4.15

You can get this from http://www.ce-infosys.com

This would defeat your described exploit, as far as I can visualise?


Cheers

EDIT: The repair file is a weakness, but not as much as the Page File?....a decent outfit will not use the repair file, and if you change passwords once a week, I would not look on it as a good intelligence source.

As for physical access............not quite right....check out the concept of the freeware I have posted a link to

[mohaughn]

That looks like an interesting piece of software. Unfortunately the documents on their website really don't seem to have details on the hardware that is required. I'm guessing just a smartcode or token reader.

It would be interesting if anybody had any relevant links to tests of this software.

[catch]

I see these "attacks" all the time and as much as this may surprise people, at my work (and home as well) we do not have a single FDD. Not one in any system! Not only that, but nearly all of the systems have motherboards that don't even support booting from CD-ROM either.
Normal users are not allowed to shut the systems down either and if a system loses connectivity, an alarm is triggered.

This type of configuration is not at all rare either, at least half of the companies I have worked for/consulted at have had a very similar configuration. And you want to "individualize" a domain controller? hahahah

Also is english your second (third or next) language? Maybe if you dropped a little of the stylization it would be readable.

catch

[nihil]

Hi mohaughn,

I believe that it will work with NT4.0/2K/XP, but no others


Cheers

EDIT: Sorry mate, for the heavy duty version I believe that you need some sort of token/reader..............I was just wondering about the free version, to check the program logic/functionality?

[mohaughn]

catch- As the software is pretty much being marketted to laptop users I don't see where alarming comes into play. Yeah, with servers you don't need this type of protection. But when you are dealing with a CEO or CTO of a company, they want flexibility and security. In that particular instance this software could be very useful.

I also see no reason to comment on anybodies english. I do not see you posting in a foreign language, so no need to comment on those that are.

[catch]

I was not refering to the software link at all. Alarms are triggered if an internal work station is powered down at my work. the original article talks about domain controllers.

With laptops they should use roaming profiles, with no logon or profile caching, third party software isn't needed to protect them.

The original poster is most likely a native english speaker. they were just trying to give it more flare than was called for and in doing so made parts very difficult to read.

catch

[mohaughn]

Cesenatico is a town in Italy. Why would you think that an Italian, as in a citizen of Italy, is a native english speaker?