From: SMTP%"everhart@mail09.mitre.org" 22-JAN-1998 17:24:36.32
To: everhart@gce.com (everhart@gce.com)
Subj: FWD: Re: [NTSEC] Registry Security

----- Forwarded message follows -----
Date: Wed, 21 Jan 98 20:49:02 -0500
To: Freak, Windows NT BugTraq Mailing List, NT security
From: Blanton Lewis
Subject: Re: [NTSEC] Registry Security

lately i've noticed a *lot* of folks posting just plain junk, then discussions about the junk, etc. NTsecurity is almost useless now .. i vote for a moderator. ISS, are you listening?

anyway, back to the topic that was being discussed on NTsecurity ..

>Let me rephrase this, I understand that Asmodeus looks for some response
>from a port and gives some generic response based on what it finds. But
>it gets me curious about this. I am more interested in the general
>hacker somewhere trying to get to my registry. I'm just wondering how/what
>they would use to do it and if anyone out there has any experience with
>this can let me know. Thanks again.

i humbly apologize for any mistakes in my information ahead of time .. i'm trying my best to make sure that what i'm posting is true to the best of my knowledge & experience. now, on to the goodies.

try this on an NT workstation, directed toward another NT workstation (let's assume SP3, all 'round):

    net use \\netBIOS-name\ipc$ "" /user:""

where netBIOS-name is the 'computer name' ..
if you have to cross a router to get to the machine, you don't have WINS, and you aren't using DNS to resolve netBIOS names (obviously i'm assuming you're using TCP/IP), then use an lmhosts file (no extension) in \system32\drivers\etc and follow the example of lmhosts.sam in the same directory.

the command creates a 'null', or 'anonymous' session. the group 'everyone' includes 'anonymous' users, so it will work even if your guest account is disabled. i stole this command from http://www.nmrc.org/faqs/nt/index.html, and thanks to simple nomad for a good FAQ to start with.

i haven't had luck with all of these, but try using the following tools (there may be more) on the remote machine:

1) event viewer
2) user manager for domains
3) regedt32

details:

1) event viewer - according to 'securing windows NT installation' by microsoft, the ' .. default configuration allows guests and null log-ons ability [sic] to view event logs (system, and application logs).' obviously you're locked out of the security log.

   fix: (also from the same document) add a REG_DWORD with value name RestrictGuestAccess and value of 1 to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\[LogName] where LogName is Application or System. the same document also mentions that you should change the security on the key to allow access only to Administrators & System (so that someone can't remove the value).

2) user manager for domains - allows you to connect to a remote computer & see the user database, unlike user manager. you obviously can't change stuff, but it opens interesting possibilities .. i've had much less luck with this one than the other two.

3) registry editor - for example: need to get an account on that machine that the admin won't let you touch? just connect to its registry, go to HKEY_LOCAL_MACHINE\Microsoft\Windows\CurrentVersion\Run, RunOnce, or Uninstall, and add a REG_SZ with value name 'net user /add'.
   these keys run in the system context when someone logs on, and all they'll see is a command shell pop open & immediately close. now, you have an account! this key, by default, will allow members of the 'everyone' group to Add Value, which is all you need to wreak a little havoc.

   fix: according to the same document referenced above, change the security to everyone:QueryValue, Enumerate Subkeys, Notify and Read Control (basically amounts to Read access, i believe).

to prevent remote registry access in general, change permissions on HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg to whatever groups you think need remote registry access (not many, i'd imagine). by default, NT server only has Administrators here. there are ways to give certain groups limited access to the tree, also .. it's in the document.

well, what are you waiting for? get the document if you haven't done any of this!

by the way, if logon success is audited, it will show 'anonymous' logged in, in the security log ..

finally, if the console is locked, some of these things don't seem to work .. can anyone comment (intelligently) on this?

blanton

p.s. i don't know what hotfixes will prevent .. the microsoft guide (much better than the original guide) is a good starting point (in my opinion), and it's much better than just SP3.
it's at the following address: http://www.microsoft.com/ntserver/guide/secure_ntinstall.asp

----- End of forwarded message -----
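The probe and the three fixes the post walks through, as an added example that is not part of the original message or of the Microsoft document it cites. It assumes Windows PowerShell 5.1 or later on a Windows host, run from an elevated prompt on the machine being checked; the function names (Test-NullSession, Test-RegistryHardening) and the -Apply switch are this example's own. The registry paths are the post's, written out in full (the Run key lives under SOFTWARE, which the post's shorthand omits).

```powershell
# Added example (not code from the post). Assumes Windows PowerShell 5.1+,
# elevated, on the machine being audited. Function names and the -Apply
# switch are this example's own; the paths and values are from the post.

function Test-NullSession {
    # The post's probe: net use \\<name>\ipc$ "" /user:""
    # Returns $true if an anonymous IPC$ session is accepted, then drops it.
    # Name resolution (WINS / LMHOSTS / DNS) is the caller's job, as in the post.
    param([Parameter(Mandatory)][string]$ComputerName)
    $env:NSTARGET = $ComputerName
    # --% passes the rest of the line to cmd.exe untouched, so the empty
    # quoted password and user name survive PowerShell's argument parsing.
    cmd.exe /c --% net use \\%NSTARGET%\ipc$ "" /user:"" >nul 2>&1
    $connected = ($LASTEXITCODE -eq 0)
    if ($connected) { cmd.exe /c --% net use \\%NSTARGET%\ipc$ /delete /y >nul 2>&1 }
    return $connected
}

function Test-RegistryHardening {
    # Audits the three fixes from the post; with -Apply, makes them.
    # Returns one object per check: Name, Ok, Detail.
    param([switch]$Apply)
    $findings = @()
    $rr = [System.Security.AccessControl.RegistryRights]

    # 1) Event logs: RestrictGuestAccess = 1 on Application and System.
    foreach ($log in 'Application', 'System') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$log"
        $cur = (Get-ItemProperty -Path $key -Name RestrictGuestAccess -ErrorAction SilentlyContinue).RestrictGuestAccess
        if ($cur -ne 1 -and $Apply) {
            Set-ItemProperty -Path $key -Name RestrictGuestAccess -Value 1 -Type DWord
            $cur = 1
        }
        $findings += [pscustomobject]@{ Name = "EventLog\$log RestrictGuestAccess"; Ok = ($cur -eq 1); Detail = "value is '$cur'" }
    }

    # 2) Run key: Everyone gets read only. RegistryRights.ReadKey is exactly
    #    QueryValues + EnumerateSubKeys + Notify + ReadPermissions, the set the post lists.
    $runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $everyone = [System.Security.Principal.SecurityIdentifier]::new([System.Security.Principal.WellKnownSidType]::WorldSid, $null)
    $writeMask = $rr::SetValue -bor $rr::CreateSubKey -bor $rr::Delete -bor $rr::ChangePermissions -bor $rr::TakeOwnership
    $acl = Get-Acl -Path $runKey
    $bad = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $everyone -and $_.AccessControlType -eq 'Allow' -and (($_.RegistryRights -band $writeMask) -ne 0) }
    if ($bad -and $Apply) {
        $acl.SetAccessRuleProtection($true, $true)   # keep inherited ACEs as explicit ones so they can be edited
        $acl.PurgeAccessRules($everyone)
        $acl.AddAccessRule([System.Security.AccessControl.RegistryAccessRule]::new($everyone, $rr::ReadKey, 'ContainerInherit', 'None', 'Allow'))
        Set-Acl -Path $runKey -AclObject $acl
        $bad = $null
    }
    $findings += [pscustomobject]@{ Name = 'Run key: Everyone write rights'; Ok = (-not $bad); Detail = (($bad | ForEach-Object { "$($_.RegistryRights)" }) -join ', ') }

    # 3) winreg key: whoever can read it may open the registry remotely. The
    #    right answer is site-specific, so this lists the principals for review
    #    and only flags the key being absent (no restriction at all).
    $winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
    if (Test-Path $winreg) {
        $allowed = (Get-Acl -Path $winreg).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.RegistryRights -band $rr::ReadKey) -ne 0) } |
            ForEach-Object { $_.IdentityReference.Value }
        $findings += [pscustomobject]@{ Name = 'winreg remote access'; Ok = $true; Detail = 'allowed: ' + ($allowed -join ', ') }
    } else {
        $findings += [pscustomobject]@{ Name = 'winreg remote access'; Ok = $false; Detail = 'key absent: remote registry access is not restricted' }
    }
    return $findings
}

# Audit only; add -Apply to make the changes.
Test-RegistryHardening | Format-Table -AutoSize
```

Run it once without -Apply and read the Detail column before applying anything: the Run key fix replaces every Everyone ACE on that key with a single read-only one, and the winreg check deliberately leaves the "who should be allowed" decision to you. Test-NullSession reproduces the post's probe against a named host; current Windows builds refuse anonymous IPC$ logons by default, so it is mainly useful against the NT 4 era machines the post is about.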