[ISN] Windows 2000 Port Invites Intruders

From: InfoSec News (isnat_private)
Date: Tue Aug 28 2001 - 02:54:19 PDT

    Forwarded by: Jonathan Rickman <jonathanat_private>
    
    http://www.newsbytes.com/news/01/169408.html
    
    By Brian McWilliams, Newsbytes
    REDMOND, WASHINGTON, U.S.A.,
    26 Aug 2001, 6:14 PM CST
     
    Exploiting a hole in Windows 2000, a hacker says he penetrated
    Microsoft's corporate network earlier this month and had full access
    to hundreds of the company's computers.
    
    The security breach, which took place over a six-day period beginning
    Aug. 12, involved a shopping server that was part of the Microsoft
    Network in Europe, as well as scores of workstations and servers
    located overseas, he says. A list of the vulnerable machines was
    provided to Newsbytes by the anonymous intruder, a self-proclaimed
    white-hat hacker who uses the nickname "Benign."
    
    Microsoft officials refused to comment on the incident, noting that
    the company does not confirm or deny whether an unauthorized intrusion
    into its network has occurred.
    
    But a security expert who reviewed specific details of the penetration
    said the break-in appeared realistic.
    
    "It looks plausible. He was brazen, but a bit impressive too," said
    Jeff Forristal, lead security developer at Neohapsis, a Chicago,
    Illinois-based network and security consulting firm.
    
    To breach one of the most heavily defended networks on the planet, the
    intruder says he did not exploit any known or new software bugs, nor
    did he use any special hacking tools. Instead, Benign claims to have
    virtually strolled into the systems' back door: Windows 2000's TCP
    port 445, which carries SMB file sharing directly over TCP/IP (without
    the NetBIOS layer used on port 139) and which every Win2K system
    listens on by default.
    
    Benign said his entry was unimpeded by authentication; all of the
    computers had no password or used the word "password" for accessing
    the systems' administrative accounts.
    
    According to the intruder, who says he worked alone and doesn't belong
    to a hacking group, two insecure Windows 2000 (Win2K) systems on the
    periphery of Microsoft's network were used to gain entry to the
    company's firewalled corporate network.
    
    Besides being connected to the Internet, the vulnerable systems were
    "dual-homed" and linked to an intranet that was part of Microsoft's
    corporate network, said the man, who claimed to be a graduate student
    in his thirties.
    
    Although he had privileges to perform any operation he wished on the
    machines, Benign claimed he did not damage or even view files on them.
    
    "At times I feel like a kid in a candy store. I read reports of new
    ways to hack Windows and I roll my eyes. Why bother, when I have what
    seems like a field of powerful Win2K machines at my disposal,
    stretching as far as the eye can see?" he said.
    
    The list of vulnerable computers provided to Newsbytes included the IP
    address, machine name, workgroup, username, and password of more than
    400 Microsoft systems on the internal Microsoft network. Among the
    workgroup names were "NT_DEV," "Redmond," "SouthAmerica," and
    "FarEast."
    
    Scott Culp, head of Microsoft's security response center, confirmed
    that Win2K does not require administrators to set a password when
    installing the software, although Microsoft advises them to pick a
    strong one.
    
    "None of this is a flaw in Windows 2000. The problem is the password,
    not the file sharing service. Any system that has a blank or easily
    guessable password is prone to compromise from a variety of avenues,"
    said Culp, who noted that having port 445 open by default is
    appropriate because Win2K was designed for business users on a
    network.
    
    Earlier versions of Windows, however, ship with file sharing disabled.
    As a further precaution, most Internet service providers and
    corporations follow the advice of the SANS Institute and other
    security experts by firewalling access to port 139, the NetBIOS
    session service over which Windows 9x, ME and NT carry file sharing.
    
    Even Microsoft security specialists recognize that the new port
    introduced in Win2K can create a vulnerability. In a posting to a
    security mailing list in November of 1999, David LeBlanc, a security
    expert who is now part of Microsoft's network security group weighed
    the advantages and disadvantages of the new operating system compared
    to its predecessor, Windows NT. "In terms of what's worse, there are
    more ports to worry about - port 445 yields much of the same
    functionality as 139, so it is another port to block," he wrote.
    
    Such blocking strategies were born of necessity: Port 139 is
    perennially among the top-ten most attacked ports, according to
    Johannes Ullrich, operator of the intrusion statistics site
    Dshield.org.
    
    But few administrators cordon off the newer port 445. Fortunately,
    only a small number of computer intruders currently rattle the door
    knob on port 445. Participating Dshield sites recorded only 42 scans
    to port 445 for the entire week just ended. Port 139, on the other
    hand, received several thousand scans per day.
    
    "Right now, port 445 is an under-utilized avenue for attack. It could
    be a disaster waiting to happen," said Greg Shipley, director of
    security consulting services for Neohapsis.
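    The blocking and scan statistics above translate into a simple check a
    defender can run locally: are probes of 139 and 445 reaching the host,
    and are any of them getting through? The script below is an added
    example, not code from the article, Newsbytes, Dshield or Neohapsis.
    It parses the W3C-style layout that the Windows Firewall writes to
    pfirewall.log and reports per-port drop/allow counts plus any source
    that touched both file-sharing ports, which is the signature of a
    scanner rather than a stray connection. The log lines are constructed
    sample data; point the function at a real log to use it live.

```powershell
# Added example (not from the article). Constructed sample in the
# pfirewall.log W3C layout; a real file lives under
# %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log when logging is on.
$SampleLog = @'
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2001-08-27 10:15:01 DROP TCP 198.51.100.7 192.0.2.10 3421 139 48 S 1701234 0 8192 - - - RECEIVE
2001-08-27 10:15:01 DROP TCP 198.51.100.7 192.0.2.10 3422 445 48 S 1701235 0 8192 - - - RECEIVE
2001-08-27 10:15:09 DROP TCP 203.0.113.44 192.0.2.10 1025 139 48 S 9988776 0 8192 - - - RECEIVE
2001-08-27 10:16:30 ALLOW TCP 192.0.2.25 192.0.2.10 2290 445 48 S 5544332 0 8192 - - - RECEIVE
2001-08-27 10:17:02 DROP TCP 198.51.100.7 192.0.2.10 3423 445 48 S 1701236 0 8192 - - - RECEIVE
'@

function Get-SmbProbeReport {
    param([string[]]$Lines)

    $fields = $null
    $events = foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # The header names the columns; use it rather than fixed offsets
            # so the parser survives layout changes between firewall versions.
            $fields = ($line -replace '^#Fields:\s*') -split '\s+'
            continue
        }
        if ($line -like '#*' -or -not $line.Trim() -or -not $fields) { continue }
        $parts = $line -split '\s+'
        if ($parts.Count -lt $fields.Count) { continue }   # truncated line, skip it

        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $parts[$i] }

        # Only inbound TCP to the two SMB transports is of interest here.
        if ($rec['protocol'] -eq 'TCP' -and $rec['dst-port'] -in '139', '445') {
            [pscustomobject]$rec
        }
    }

    # Drop vs. allow per port: an ALLOW on 445 from outside is the finding.
    $perPort = $events |
        Group-Object { "$($_.'dst-port')/$($_.action)" } |
        Sort-Object Name |
        ForEach-Object { [pscustomobject]@{ PortAction = $_.Name; Count = $_.Count } }

    # A source that knocks on both 139 and 445 is enumerating, not browsing.
    $bothPorts = $events |
        Group-Object 'src-ip' |
        Where-Object { @($_.Group.'dst-port' | Sort-Object -Unique).Count -eq 2 } |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        PerPort             = $perPort
        ScannersHittingBoth = @($bothPorts)
    }
}

# Run against the constructed sample; swap in (Get-Content <path>) for a real log.
$report = Get-SmbProbeReport -Lines ($SampleLog -split "`r?`n")
$report.PerPort | Format-Table -AutoSize
$report.ScannersHittingBoth
```

    On the sample, the report shows drops on both ports, one allowed
    connection to 445 from an internal address, and a single external
    source that probed 139 and 445 in turn. On a live perimeter host, any
    ALLOW row for 445 from a non-internal source is the case Shipley
    warns about and should be closed at the firewall.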
    
    Exactly why computer attackers have yet to pounce on port 445 is not
    clear, but one pragmatic issue may be at work: Using Server Message
    Block (SMB) protocol to communicate with the port is difficult unless
    an attacker is also running Win2K.
    
    Microsoft's Windows XP operating system, the successor to Win2K, also
    uses port 445 but is hardened out of the box against the sorts of
    attacks utilized by Benign against Microsoft. For example, if an
    administrator chooses a blank password, Windows XP will disable
    network file sharing, according to Culp.
    
    But the software, which shipped to PC manufacturers Friday, could
    prove to be a double-edged sword, giving malicious XP users a means to
    easily access the port on unprotected Win2K systems, according to
    Benign.
    
    Benign said he discovered the unlocked back entrance to Win2K last
    spring after installing the operating system on his PC. While sharing
    music and video files over the Internet with a friend, he was startled
    to find that he could log in as administrator on his pal's Win2K
    system without using a password.
    
    Curious, he used a popular network tool to scan a section of Internet
    address space for other systems with unlocked port 445s. He says his
    scanner quickly spooled out a list of tens of thousands of Win2K
    systems with the port unblocked, and of those, thousands had no
    password set.
    
    That so many Win2K machines on the Net lack basic password protection
    is no surprise to Steve Gibson, operator of Shields Up, a Web-based
    service which allows computer users to probe their systems for open
    ports. (Port 445 is currently not among those tested, but Gibson said
    he intends to add it soon.)
    
    According to Gibson, users often don't set passwords because they
    wrongly assume that passwords only control local log-ons to their
    machine.
    
    "In a single-user home or small office setting, where users don't
    perceive much danger of physical access by anyone else, passwords are
    seen as an unnecessary annoyance," said Gibson.
    
    Benign claims he reported many exposed Win2K machines this summer to
    their owners, which included two large Web hosting firms as well as an
    Internet radio broadcaster. But there were still thousands of Win2K
    systems connected to DSL and cable modem lines that could be
    commandeered by unauthorized outsiders over port 445.
    
    Thanks to a feature in Win2K known as anonymous enumeration,
    identifying powerful administrative accounts on an exposed system is
    easy, according to Benign. The capability, enabled by default, allows
    an unauthenticated remote user to obtain system information, including
    usernames and details, account policies, and share names.
    
    With the benefit of 20/20 hindsight, Microsoft released a security
    tool last week that advises Win2K operators to disable anonymous
    enumeration through a system-registry tweak (the RestrictAnonymous
    value under the LSA key). In Microsoft's current view, the issue
    represents a severe security exposure.
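    The three conditions the article describes (SMB reachable on TCP 445,
    anonymous enumeration permitted, and blank or "password" administrator
    passwords, as in the Culp and Windows XP passages above and this
    paragraph) can be audited from the defender's side on the host itself.
    The script below is an added example and is not from the article or
    from Microsoft. It assumes Windows PowerShell 5.1 or later with
    administrative rights; the registry value names are the ones Microsoft
    documented for Windows 2000 (SmbDeviceEnabled in the Q204279 article
    linked at the end, RestrictAnonymous and LimitBlankPasswordUse under
    the LSA key), and it is assumed, not verified here, that current
    Windows still honours SmbDeviceEnabled.

```powershell
# Added audit script (not from the article or from Microsoft). Checks the local
# host for the exposures the article describes. Assumes PowerShell 5.1+ and
# admin rights; registry value names as documented for Windows 2000 and later.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: Windows applies its default
    return [int]$item.$Name
}

function Test-SmbExposure {
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

    # What is actually listening, independent of what the registry claims.
    $listening = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 139, 445 } |
        Select-Object -ExpandProperty LocalPort -Unique)

    [pscustomobject]@{
        Port445Listening      = (445 -in $listening)
        Port139Listening      = (139 -in $listening)
        # $null or 1 = direct-hosted SMB on 445 enabled (Q204279: set 0 to stop it)
        SmbDeviceEnabled      = Get-RegDword $netbt 'SmbDeviceEnabled'
        # $null or 0 = null-session enumeration of users and shares allowed
        RestrictAnonymous     = Get-RegDword $lsa 'RestrictAnonymous'
        # 1 = blank-password accounts may log on only at the console (XP and later)
        LimitBlankPasswordUse = Get-RegDword $lsa 'LimitBlankPasswordUse'
    }
}

function Find-WeakLocalPasswords {
    # The two cases the article reports: no password, or the word "password".
    param([string[]]$Guesses = @('', 'password'))

    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $machine = [System.DirectoryServices.AccountManagement.ContextType]::Machine
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList $machine

    # Local admins are reported as COMPUTERNAME\user by Get-LocalGroupMember.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Name })

    foreach ($u in Get-LocalUser | Where-Object { $_.Enabled }) {
        foreach ($g in $Guesses) {
            # ValidateCredentials performs a real logon attempt: each miss writes a
            # 4625 audit failure, so run this only on hosts you administer. Caveat:
            # with LimitBlankPasswordUse=1 a blank password may be rejected even if
            # the account has one, which is the mitigation working, not its absence.
            if ($ctx.ValidateCredentials($u.Name, $g)) {
                [pscustomobject]@{
                    User     = $u.Name
                    Password = $g
                    IsAdmin  = ($admins -contains "$env:COMPUTERNAME\$($u.Name)")
                }
            }
        }
    }
}

Test-SmbExposure | Format-List
Find-WeakLocalPasswords | Format-Table -AutoSize
```

    Read the first output together: a host with Port445Listening true,
    RestrictAnonymous absent or 0 and any row from the second function
    with IsAdmin true is exactly the machine Benign describes, and the
    fix is the one the article gives, in that order: a real password
    first, then RestrictAnonymous, then blocking or disabling 445 where
    the host does not need to serve files.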
    
    On a whim earlier this month, Benign says he turned his scanner on
    Microsoft's network, beginning with Internet protocol addresses
    assigned to its main Web sites. The scan produced the two unprotected
    Win2K machines that provided his gateway into the corporation's
    intranet, he says.
    
    Benign said Microsoft recently secured the systems he used to access
    the firm's internal network. But he has offered to meet with company
    officials in person to explain his mode of entry on their and other
    companies' Win2K systems. The firm has not responded to his
    invitation. When Newsbytes contacted Microsoft for information about
    the intrusion, a company spokesman said, "Do you realize you are
    cavorting with a felon?"
    
    But Benign insists that he has done nothing unethical.
    
    "Microsoft obviously needs to educate customers and its own internal
    users about the problem. The world wouldn't have known about it unless
    somebody checked."
    
    Microsoft's information on Port 445 is at
    http://support.microsoft.com/support/kb/articles/Q204/2/79.ASP .
    
    Neohapsis is at http://www.neohapsis.com .
    
    Shields Up is at http://www.grc.com .
    
    Dshield's statistics on port 445 probes are at
    http://www1.dshield.org/port_report.php?port=445 .
    
    The SANS Institute's list of the top ten security threats is at
    http://www.sans.org/topten.htm .
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    