Everhart, Glenn
From: tfr@gmx.net
Sent: Thursday, September 10, 1998 8:39 AM
To: ntsecurity@iss.net
Subject: [NTSEC] New way of hacking NT !!

Take a look at this new exploit. I found the text at http://come.to/UHA
It was in a magazine called "United Hackers Association Magazine"; they always talk about new exploits.
If you want to subscribe to it, go to:
http://www.getreminded.com/GRA/remote.asp?list_id=248942&function=add

Now, here is the text:

----

4. Some Techniques Of Hacking NT
by mad55
mad55@hotmail.com
August 20, 1998

It is slowly becoming more and more clear to network people that tons of security information about Unix can be found, but little to none is available on Windows NT. This paper will walk someone through the steps involved in some of today's most used Windows NT exploits.

For the remainder of this paper I will refer to a few terms that you should know...

www.victim.com = The server you are trying to check the exploit on.

Also remember that when I say to type stuff, it is case sensitive. These techniques are listed in no particular order, just how my brain was thinking at the time.

Is it an NT server?

To check if a server is NT there are a few things you can do...

1. Telnet to it on port 21 (ftp) and see if it says NT.
2. Go to http://www.netcraft.com/cgi-bin/Survey/whats and see what it says for the server.
3. Check if the server simply says what it is running. (check their page)
4. Try NBTSTAT -A [ip address] and check the response.

If you really want to become familiar with better detection methods, you should become more familiar with Windows NT as an operating system.

Common user names:
Administrator
Guest
mail

Password file locations:
\\WINNT\SYSTEM32\CONFIG\SAM
\\WINNT\REPAIR

Ok, so you found an NT server, now what?
Does it have file sharing?

To check if a server has file sharing you do the following...

1. dns www.victim.com and get the IP
2. go to a dos prompt and type: nbtstat -A IPADDRESS

You will get one of 2 things back:

A. Host not found.
(If you get host not found, that is not exactly an accurate error statement. If a router (or the NT server itself) has closed off ports 137, 138, 139, you will also get this error message. For more on the ports, check out the NetBIOS paper at the rhino9 site.)

or you will get a listing somewhat like this:

B. NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    TARGET         <00>  UNIQUE      Registered
    A DOMAIN       <00>  GROUP       Registered
    TARGET         <03>  UNIQUE      Registered
    TESTUSER       <03>  UNIQUE      Registered
    TARGET         <20>  UNIQUE      Registered
    A DOMAIN       <1E>  GROUP       Registered

    MAC Address = 00-60-97-35-C1-5C

If you got this then the remote computer has file sharing. To try and access this file sharing you do one of 2 things.

1. Edit the c:\windows\lmhosts (the LMHOSTS file is a flat text file containing NetBIOS to IP address mappings) and add in a line at the very top that has the IP address, then a space, then the first unique name, in this case TARGET. So the lmhosts would look like this:

    Servername(call it whatever you want) ServersIPAddress

Next click your Start button, then go to Find, then Computer. Then in the Named box put in the first unique name, the name that you added to the lmhosts file as the servername. Hit enter and hopefully a little icon of a computer will show up. Double click this icon. If the file sharing on the target computer is passworded it will pop up a password box. You can either try to guess the password or brute force it.

2. The second way to do file sharing is this... drop to a dos prompt and type:

    net use \\IPADDRESSOFTARGETCOMPUTER\c$

What this will try to do is connect to the target computer's shared drive C. c$ means drive C. This might prompt you for a password also.
You would be surprised how many people don't have passwords.

A word on ASP Viewing:

Say you go to www.victim.com/secretinfo.asp and it has forms or whatever, and you are wondering, hmm, what's behind this ASP code, wonder if there is something secret in it like passwords or something. To view the code inside a .asp file you simply do the following:

    http://www.victim.com/secretinfo.asp.

Note: This is patched on newer systems (systems running service pack 2 or 3).

A word on Dumping directories:

To break out of the wwwroot directory (the web server directory) simply put in the following:

    http://www.victim.com/..\..

(this may not work on IIS 3.0/NT 4.0 running service pack 3)

A quick note on the Find File Exploit:

This exploit is often used and works on a vast number of servers; it's an underground favorite. By going to:

    http://www.victim.com/samples/search/queryhit.htm

If it brings up a search page then the server is more than likely wide open for attack. In this field you can search for files, and the deadliest part is that you can view these files. So we maybe search for:

\\WINNT\SYSTEM32\CONFIG\SAM - that's the NT password file
\\WINNT\REPAIR - that's the backup NT password file
#filename=*.pwd - that's the FrontPage server extensions password file. Which I will explain how to crack later.
another - any other keywords which might lead to interesting files that they don't want you to read.

Also play with:

    http://www.victim.com/scripts/samples/search/webhits.exe

In depth FrontPage Hacking, mad55/super style:

Well, these are the techniques that I know best. First off you must have FrontPage! You can't hack the damn FrontPage server if you don't have FrontPage. Get it at www.microsoft.com. Now you must also understand how to connect to a server to see if it has a password etc... Here are the steps to do that:

1. File
2. Open FrontPage web
3. More Webs
4. Put the server name in the box below where it says "Select a web server or disk location", then click List Webs.

Then 1 of 2 things will happen:

1. It will say there is an error 505 etc..
2. It will list some folder names in the box below "front page web servers found at location"
3. Double click one of the folders that it lists. If the Admin is lazy or just stupid you won't even be prompted for a password and it will list the remote computer's files, which from there you can drag and drop your new hacked page.

First thing to do is find some NT servers. Here are 2 ways:

1. Go to www.yahoo.com or whatever and search for iisadmin
2. Go to www.yahoo.com or whatever and search for _vti_bin/_vti_aut/

Whatever your pleasure, they will both return NT servers running IIS and FrontPage server extensions.

Ways of getting into a FrontPage server mad55 style:

1. What many people don't know is the fact that most people don't even have passwords set on their FrontPage servers. So if you are bored enough and lame enough you can go to www.yahoo.com and pull up a list of FrontPage servers and sit there and try to connect to them with no password.

2. Try this out:

    http://www.victim.com/_vti_pvt/service.pwd

If you are lucky they messed up on file access rights and that will show you what's inside service.pwd, which is the FrontPage password file. Cracking it will be explained later.

3. This is by far the best way and the way that works most. As I said before, there is a flaw that lets you search for files on the target computer and view them no matter what access rights you have. So if this is true, why not view the FrontPage password file? We would do this as follows:

    http://www.victim.com/samples/search/queryhit.htm

Then once at that page, in the search box we simply put in #filename=*.pwd and then hit enter, and it will hopefully show a list of links to .pwd files. Save these pwd files for later cracking.
Now if a sysadmin was smart they may have renamed the password file so that it is not .pwd at all. So to find out where they hide the real password file we must basically find the shadowed password file (bit of Unix for ya). We do the same as before with the file search flaw, except this time we search for #filename=#haccess.ctl

Now #haccess.ctl is the file that points to the FrontPage password file. The contents of a default #haccess.ctl file are:

    -FrontPage-
    Options None
    order deny,allow
    deny from all
    AuthName default_realm
    AuthUserFile c:/frontpage\ webs/content/_vti_pvt/service.pwd
    AuthGroupFile c:/frontpage\ webs/content/_vti_pvt/service.grp

The second to the last line is the most important. AuthUserFile = the location of the real password file. So if it is:

    AuthUserFile c:/frontpage\ webs/content/_vti_pvt/shadow.pas

We now know that the real password file is in shadow.pas, so we would then do the search file exploit and this time search for #filename=shadow.pas

A normal service.pwd (FrontPage password) would look like this:

    mad55:jk53kjnb43

Where mad55 is the user name and jk53kjnb43 is the encrypted password.

Those are a few ways to get the FrontPage password. Now you're asking, how do we decrypt it? First I told people to try L0phtCrack to see if it was the same encryption, but it wasn't. It seems that the encryption for FrontPage passwords is the same as a passwd file in Unix. So basically you can use any Unix passwd cracker to crack FrontPage passwords. I think that Microsoft must have done this because of FrontPage's Unix support.

To get the formatting right for the Unix passwd crackers you will want to take the FrontPage password file information, say:

    mad55:jk53kjnb43

and stick it in Unix format:

    mad55:jk53kjnb43:0:0:comments:/:/bin/bash

Ok, so you've broken into www.victim.com and got the user and password.
Now you could be a tard and jump right into FrontPage and connect and change the page and tell everyone how kewl you are and get busted within a week, or you could use the following techniques. Here is the information for this example:

Server: www.victim.com
Server IP: 2.2.2.2
User: mad55
Pass: greenman

That's all folks, next

mad55

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

5. Exploit in Windows NT (local)
by mad55
mad55@hotmail.com
August 24, 1998

The following describes how any normal (non-administrative) user on a Windows NT system can instantly gain administrative control for the entire machine by running a simple executable program. You need to have a machine running the retail/free build of Windows NT 4.0, 3.51, or even Windows NT 5.0 beta -- either Workstation or Server will do.

1. Login on your NT machine: Log in as any non-admin user on the machine (even the guest account will do). You may verify that the logged in user does not possess admin privilege at this time by trying to run the "windisk" program from the shell. This should fail since the user does not have admin privilege.

2. Copy: After logging in, copy the software (sechole.exe and admindll.dll) onto your hard disk in any directory that allows you write and execute access.

3. Run SecHole.Exe: After running the program, your system might become unstable or possibly lock up.

4. Reboot the machine if necessary: You will see that the non-admin user now belongs to the Administrators group. This means that the user has complete admin control over that machine -- for instance, you will be able to run programs like "windisk", create new users, delete existing users, install drivers, even format hard disks.

In my opinion:

The sechole exploit is local in scope unless there is a service running on the system which is running under a domain account. If it can attach to a service running under a context other than the local system, the code could be executed as that user.
It is fairly trivial to replace the DLL which comes with the exploit to cause it to take other actions. However, the local user who has just become local admin can obtain the password of the domain user for the service and obtain the rights of that user in that manner. The lsa2-fix makes this more difficult (though not impossible).

Another area where sechole can be used to cause problems would be if ordinary users were allowed to place HTML content directly onto the web server. The #exec directive causes an HTML page to execute a command and direct the output to the client, and it is enabled by default in IIS 4.0. If a user were to place sechole.exe, the DLL and a web page which invokes sechole onto a web server, the IUSR_Machine account would then become admin. I would recommend disabling this feature for any web site directories where non-administrative users are allowed to place files.

Note: SecHole is downloadable at http://come.to/UHA!

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
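As an added example (not part of the forwarded message or the magazine article), here is a defender-side scanner that flags requests for the paths this article describes (the Index Server sample search page, webhits.exe, FrontPage _vti_pvt/.pwd files, the _vti_aut authoring directory, `..\..` traversal, and SAM/REPAIR paths) in W3C extended web logs. The field order, the function names, the log lines and the query parameter name are all constructed for this example.

```python
import re
from urllib.parse import unquote

# Request patterns drawn from the techniques described in the message above.
INDICATORS = [
    ("index-server-sample-search", re.compile(r"/samples/search/queryhit\.htm")),
    ("webhits-sample-script", re.compile(r"/scripts/samples/search/webhits\.exe")),
    ("frontpage-password-file", re.compile(r"/_vti_pvt/service\.pwd|\.pwd$|#haccess\.ctl")),
    ("frontpage-author-dir", re.compile(r"/_vti_bin/_vti_aut/")),
    ("dot-dot-traversal", re.compile(r"\.\./|\.\.\\")),
    ("sam-or-repair-path", re.compile(r"system32[/\\]config[/\\]sam|winnt[/\\]repair")),
]

# Assumed W3C extended log field order (an assumption made for this example):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
def parse_w3c_line(line):
    parts = line.split()
    if line.startswith("#") or len(parts) < 7:   # skip #Fields directives and short lines
        return None
    _date, _time, cip, method, stem, query, status = parts[:7]
    return {"ip": cip, "method": method, "stem": stem, "query": query, "status": status}

def classify(entry):
    # Decode %xx escapes and lower-case so /..%5C.. and /_VTI_PVT/ still match.
    query = "" if entry["query"] == "-" else "?" + entry["query"]
    target = unquote(entry["stem"] + query).lower()
    return [label for label, rx in INDICATORS if rx.search(target)]

def scan(lines):
    """Return (client ip, uri-stem, status, [labels]) for each suspicious request."""
    findings = []
    for line in lines:
        entry = parse_w3c_line(line)
        if entry is None:
            continue
        labels = classify(entry)
        if labels:
            findings.append((entry["ip"], entry["stem"], entry["status"], labels))
    return findings

# Constructed sample log (not real traffic); the "search" query parameter name is made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1998-09-10 08:39:01 203.0.113.7 GET /index.htm - 200
1998-09-10 08:39:05 203.0.113.7 GET /samples/search/queryhit.htm - 200
1998-09-10 08:39:09 203.0.113.7 GET /scripts/samples/search/webhits.exe search=%23filename%3D*.pwd 200
1998-09-10 08:40:12 203.0.113.7 GET /_vti_pvt/service.pwd - 403
1998-09-10 08:40:20 203.0.113.7 GET /..%5C.. - 404
""".splitlines()
```

A 403 or 404 on these paths still deserves attention: the sample pages and password files should simply not exist on a production IIS host, so any request for them is reconnaissance worth correlating by client address.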