Security Risks
Last Update: March 17, 1997

This web site is dedicated to exposing security risks in an effort to educate the networking community. Use this information at your own discretion and risk, and certainly feel free to contribute if you'd like. Send all correspondence to: security@ntshop.net

Each item on this page links to a page describing the exploit and a page describing how to defend against it. The items in [ Blue ] reveal the classification, while the items in [ Red ] reveal the nature of possible attacks (over a network, or from physical access). "New Item!" marks newer additions to this page, while "New Exploit!" marks the newest exploits discovered.

The information on the ensuing pages is updated frequently, and derived from many informational sources -- credit is given wherever possible. Thanks to all who report the hazards -- godspeed. To receive immediate email notification of new NT security problems and updates to this site, subscribe to our NTSD newsletter.

Trojans

New Item! [ Trojan ] [ Physical & Network ]   Password Grabbing Trojans are now incredibly easy to create with new functionality in NT 4.0. The problem lies in the ability to call a .DLL upon the change of any password.

New Item! [ Trojan ] [ Physical & Network ]   Reverting an ISAPI Script to the SYSTEM account (and its level of authority) is a literal walk in the park for those in the know. Beware of ISAPI programs on your IIS Web servers.

New Item! [ Trojan ] [ Physical & Network ]   Rollback.exe is a handy little tool for administrators, and unfortunately for intruders too. Can you say "bye bye registry"?

New Item! [ Trojan ] [ Physical & Network ]   System DLLs Can Be Replaced, causing untold damage and creating unforeseen security holes.

New Item! [ Trojan ] [ Physical & Network ]   Executable Files can be renamed with or without new extensions, and in some cases will run regardless of the new name.

Applications

New Exploit! [ App Attack ] [ Network ]   Windows 95 Passwords can be grabbed using an SMB server and a little game of cat and mouse.

New Exploit! [ App Attack ] [ Network ]   Internet Explorer has yet ANOTHER problem when running on NT 4.0. How about snagging your User ID, password, NetBIOS hostname, NT domain name, IP address, et al.?

New Exploit! [ App Attack ] [ Network ]   Shockwave Plugins may have more "shock" value than you anticipate. How about people being able to read your email at will? Tsk. Tsk.

New Exploit! [ App Attack ] [ Network ]   Internet Explorer AND Netscape both have a nasty hole that can force an SMB negotiation, at which point your user ID and password are snagged.

New Exploit! [ App Attack ] [ Network ]   Internet Explorer has a problematic hole if a user clicks on a malicious .url or .lnk hyperlink -- get the patch before you get zapped.

New Exploit! [ App Attack ] [ Network ]   Internet Explorer allows users to use URLs describing a remote directory and program that can be downloaded and launched almost automatically.

New Exploit! [ App Attack ] [ Network ]   Internet Explorer has another hole that allows a malicious Web page to automatically run any program and/or issue commands on the user's system.

New Exploit! [ App Attack ] [ Network ]   Active Server Pages can be easily downloaded before processing, which may reveal sensitive IDs and passwords.

New Item! [ App Attack ] [ Network ]   ActiveX Enabled Browsers have a vulnerability in that the controls inherit the permissions of the local user. Can you say "out of control" Web controls?

[ App Attack ] [ Network ]   O'Reilly WebSite 1.1 has serious problems with the sample CGI programs. (Where's that breeze coming from? ;-)

[ App Attack ] [ Network ]   .BAT and .CMD files present a considerable risk if you're running older IIS software and haven't patched your systems yet.

[ App Attack ] [ Network ]   /..\.. on the end of a URL can present a considerable risk if you're running older IIS software and haven't patched your systems yet.

[ App Attack ] [ Network ]   Truncated files are a real possibility if you're running older IIS software and haven't patched your systems.

[ App Attack ] [ Network ]   Redirecting Output of a command can wreak havoc on your site if you're running older IIS software and haven't patched your systems yet.

[ App Attack ] [ Network ]   Changes in Security in Microsoft Access Version 2.0 can allow a user to add objects to an Access database...

Passwords

[ Pswd Attack ] [ Physical ]   SMS Netmon Passwords are easily cracked in today's world. There are at least two programs that can already do it easily.

[ Pswd Attack ] [ Physical ]   Password Grabbers can easily get your Windows, Windows for Workgroups, and Windows 95 passwords due to weak encryption.

[ Pswd Attack ] [ Physical ]   Unprotecting Word Documents apparently isn't as hard as you might think. Take a look... early versions of Word are a cakewalk.

[ Pswd Attack ] [ Physical ]   Unprotecting Word 6 Documents apparently isn't all that hard either. Want a program to test your protection?

[ Pswd Attack ] [ Physical ]   Unprotecting WordPerfect Documents is apparently no more difficult than Word. Explanation and source code are here...

[ Pswd Attack ] [ Physical ]   Unprotecting Excel Spreadsheets can be done quickly as well. This page tells you how for versions up to Excel 7.0.

[ Pswd Attack ] [ Physical ]   Unprotecting QuattroPro Spreadsheets can be done quickly too. This page tells you how for most versions, including Corel Office 7.0.

[ Pswd Attack ] [ Physical ]   Unprotecting Lotus 1-2-3 Spreadsheets is just as easy. Geez. This page tells you how for all versions.

[ Pswd Attack ] [ Physical ]   Quicken is a very popular tool for keeping financial records straight - if you have it you probably love it -- and so would I if I wanted to get into your books! Your Quicken password is a useless defense....

COMING QUICK! - LANMAN 2.1 (and earlier) Challenge/Response Attack

COMING QUICK! - NT LM 0.12 Challenge/Response Attack

Direct Access

New Item! [ Direct Access ] [ Physical ]   SNA Server is subject to a subtly dangerous problem where the first user's access permissions to shared folders are inherited by a second user.

[ Direct Access ] [ Physical ]   NTFSDOS is a program that can mount NTFS partitions from a DOS-based machine, bypassing all security permissions. Ouch.

[ Direct Access ] [ Physical ]   Linux now supports the NTFS file system, which means this Unix variety could actually mount your NTFS partitions.

[ Direct Access ] [ Physical ]   Windows 95 Netware Clients pose considerable risk if the system administrators are not incredibly careful.

Denial of Service

New Exploit! [ DoS ] [ Network ]   Crashing IIS is yet another walk in the park, unless you've loaded the latest service packs. Beware.

New Exploit! [ DoS ] [ Network ]   Forcing NT to use 100% CPU is not so hard to do - who knew all you needed was a Telnet client? Both NT 3.51 and 4.0 are vulnerable. Ouch.

[ DoS ] [ Network ]   SYN Floods are one of the worst nightmares on the Internet today. If you come under this attack, you could be in for one heck of an experience.

[ DoS ] [ Network ]   Ping of Death will stop your TCP/IP stack in its tracks every time. Don't let this simple exploit get the best of you.

New Item! [ DoS ] [ Network ]   The "dir ..\" command issued by a Samba client can crash NT 3.5 and 3.51.

New Item! [ DoS ] [ Physical ]   Users without permissions can delete files at the server, even after permissions have been seemingly set correctly. Watch out for this one....

COMING QUICK! - MetaInfo DNS Attack

COMING QUICK! - Microsoft DNS Attack

Snooping

New Item! [ Snooping ] [ Network ]   The NBTSTAT Command is incredibly revealing about your NT systems and network. Why give the intruder a head start?

New Item! [ Snooping ] [ Network ]   Keystroke Grabbers are a nasty hazard, and if you have Windows 95 or regular Windows in your shop, watch out for these.

Man in the Middle

New Exploit! [ MiM ] [ Network ]   Novell Netware is found in many NT shops today, since most people live in mixed environments. Well, one bright young man has successfully written code that can execute a Man-in-the-Middle attack on Novell, completely taking over the user session, and here it is for your indulgence.

New Item! [ MiM ] [ Network ]   The New CIFS file system is vulnerable to Man-in-the-Middle attacks. Read this before you assume it's bulletproof...

New Item! [ MiM ] [ Network ]   The CIFS File System attack discussed in detail by Hobbit, complete with source code proving it can be done. (185K)

New Item! [ MiM ] [ Network ]   Web Spoofing is a real possibility today -- and it's incredibly hard to prevent.

COMING QUICK! - SMB Downgrade Attack

COMING QUICK! - Counterfeit Servers

Other Attacks

[ Share Access ] [ Network ]   Samba clients, which run on Unix, can easily connect to your Windows-based shares. Windows for Workgroups and Windows 95 are especially vulnerable.

[ Routing ] [ Network ]   Source Routing is nasty trick #1, and it's easy to stop cold -- if you've got the right stuff.

[ Routing ] [ Network ]   ICMP Redirect is nasty trick #2, and it too is easy to prevent.

[ Spoofing ] [ Network ]   IP Spoofing is nasty trick #3, and as you may have guessed, it's also easy to stop.

COMING QUICK! - Hijacked Connections

Other Resources

New Item! Click Here for more NT security-related resources.

This site has not yet been rated by the Major Motion Picture Industry of America.
[VDA]  Viewer Descression is Advised.
;-)

Copyright © 1994-97, Service Marks - MJE, Ltd. ALL RIGHTS RESERVED. Legal Stuff
All other marks are Copyrights and/or Trademarks of their respective owners.

Thanks to Bill Stout for encouraging the creation of this page,
which eventually led to the creation of this entire Web site.

All connections to this network are monitored closely 24 hours a day, 7 days a week.
If this bothers you, then leave now or forever hold your peace.