Windows NT Vulnerabilities
by Bill Wall, Trident Data Systems
----------------------------------------------------------------------------

ActiveX
ActiveX controls inherit the permissions of the user logged on locally to the machine they run on. They should be disabled unless trusted. The same applies to Java. No knowledge needed.

Anonymous account
One can read the registry of a remote machine and list its users and shares. The source of the problem is the built-in user known as anonymous, which is a member of the Everyone group. A tool such as everyone2users can be used to change Everyone to Users for an entire registry tree. Minimal knowledge needed.

ASP (Active Server Pages)
A hole in ASP allows web clients to download unprocessed ASP files, which may expose IDs and passwords. Moderate knowledge needed.

Backup tape
The backup tape may contain password equivalents that can be used by a modified client to authenticate to any NT server. One can also boot from a Linux boot floppy and change any NT password. Moderate knowledge needed.

.bat and .cmd
These extensions allow an attacker to execute his own batch file. Moderate knowledge needed.

BIND
A Windows NT machine using BIND as its domain server with recursion enabled can have its server altered and addresses and hostnames changed. Moderate knowledge needed.

Buffer overflow
There are buffer overflow problems in the WebSite CGI example programs. It can be exploited with /cgi-dos/args.cmd?"any dos command". Moderate knowledge needed.

chargen
One can cause a denial of service attack on port 19 (chargen). This port should not be left open. No knowledge needed.

CIFS (Common Internet File System)
Does not protect against a rogue server obtaining the user's password. Minimal knowledge needed.

CPU utilization / port 135
Telnet to port 135 (location service), type 20 characters, hit enter, and disconnect. Server CPU utilization will go to 100%. No knowledge needed.

Everyone account
This allows too much access. Run a tool such as everyone2user to change the Everyone account.

File Manager
On NT 3.51 a user who starts File Manager can see files in a folder for which he has no access permissions.

FrontPage 1.1
The IUSR account is granted full control and has a simple password. An unauthorized user could have write permission in an executable directory. Moderate knowledge needed.

Internet Explorer
A bug in IE allows websites to capture usernames and passwords from unsuspecting NT users running Internet Explorer. Moderate knowledge needed.

Internet Information Server
Allows .bat and .cmd extensions and remote batch files. Moderate knowledge needed.

JavaScript
Rogue JavaScript could lock up an NT server running Netscape. Minimal knowledge needed.

L0phtCrack
This program recovers the LanMan and/or NT-dialect MD4 plaintext password from output derived from the SAM database. Minimal knowledge required.

MS Access
A user can read a database and paste it over the tables to allow access as a different user. Moderate knowledge needed.

nbtstat
Can be used to return the machine name, refresh NetBIOS names, return domain names, list users, list information on remote nodes, and aid in password guessing. Moderate knowledge needed.

NetBIOS
Unbind NetBIOS from the interface connected to the Internet. It is not needed for web or FTP servers.

NetShield
By installing the Remote NetShield console on an NT workstation (3.51), the user is given the ability to access any machine on your network. Moderate knowledge needed.

NTCrack
A password cracker for NT. Minimal knowledge needed.

NTFS (NT Secured Filesystem)
NTFS partitions can be read from Linux using the Linux NTFS driver, bypassing filesystem security. Moderate knowledge needed.

NTLM
Usernames and passwords can be captured via NTLM over HTTP.

OOB (Out of Band)
An OOB request on port 139 (NetBIOS) will cause a denial of service. A hotfix and Service Pack 3 fix this problem. Minimal knowledge needed.

Passwords
NT uses a weak encryption scheme. There are programs that unscramble the obfuscation scheme, revealing the hashed password. See CIAC H-45. Moderate knowledge required.

Ping of Death
Large packet pings can crash a 3.51 system. Minimal knowledge needed.

Ports
Ports 135, 137, 138, and 139 (NetBIOS) are vulnerable. Block them. Port 135, when flooded, causes 100% CPU utilization.

PowerPoint
The action setting in PowerPoint can cause someone to launch any executable program by clicking on or passing the cursor over any image or text. On the Internet, one could launch an FTP client to upload private documents to a web site. Minimal knowledge required. A patch is available from Microsoft.

PWDump
NT password cracker. Minimal knowledge needed.

RedButton
This enables a remote user to get unauthorized access to parts of the NT system, including the registry and file system. Minimal knowledge required.

.reg files
Files with the .reg extension write to the registry with the current user's privileges when opened. Minimal knowledge needed.

Rollback
Rollback.exe wipes out all registry entries and forces a reinstall of NT. Minimal knowledge needed.

SAM (Security Accounts Manager)
The SAM file holds the passwords. A backup copy of the SAM file is created when the Emergency Repair Disk is updated; one can then obtain a copy of the password file. See CIAC H-45. Moderate knowledge required.

Service Pack 3
Service Pack 3 (SP3) for NT breaks mounting from a Unix server that uses Unix-style passwords. A registry entry is needed to make Samba work again.

Shockwave
Allows one to create a Shockwave movie that will read through a user's email and upload it to a server. Moderate knowledge needed.

SID
A user SID can be read from a database and pasted over a SID in the msysaccounts table, allowing access to a database as a different user. Moderate knowledge needed.

SMB/CIFS
Usernames and password hashes can be captured when sent via SMB/CIFS.

smbclient
There is a way to make NT RPC crash with smbclient using a long username. Moderate knowledge needed.

smbmount
On Linux systems, an incorrectly working smbmount utility will crash the NT server. See Bugtraq. Moderate knowledge needed.

SYN flood attack
Sending a large number of SYN packets can cause a denial of service. Minimal knowledge required.

TCP/IP session dump
Can be used to crash an NT system while it is responding to disk share requests from Linux clients. Moderate knowledge required.

User list
Intranet users are able to get an entire user list, including descriptions and group memberships, without permission. This can be accomplished by anyone who installs an NT server on their system. Moderate knowledge required.

usrmgr
The usrmgr.exe command can allow a non-privileged user to create local groups. Moderate knowledge needed.

WebSite
There is a buffer overflow problem in some of the WebSite CGI files. See buffer overflow.