('binary' encoding is not supported, stored as-is) What are the circumtances for many of the default accounts (TsInternetUser, IUSR_, IWAM_, krbtgt, Guest for instance) having blank passwords? I realize that all of the security checklists, etc. always recommend disabling the Guest account, etc. but a system I know of has recently been "hacked" by the attacker adding TsInternetUser into the administrators group and then using Term Services to login interactively using the TsInternetUser account. Currently, it appears that the TsInternetUser account has a blank password. I was under the impression that the TsInternetUser account was only needed when using TermSvc in application server mode, and in that case the password is changed frequently (daily if I recall correctly) by the system, as discussed in a MS knowledge base Q article. In any other instance the account can be deleted without breaking anything, based on my experiences so far. What I don't understand is why some installs I've seen feature blank passwords and others dont, when the installation process was basically the same...win2k terminal services in remote administration mode. Installed from the same media, one system gets a blank password and the other gets a strong password. Why is this? I've not found any good docs on this phenomenon but if I've missed them please help point the way. I'm ruling out the obvious, because I know that the end user did NOT change any passwords after their installation and would not have assigned a password to these accounts manually. On one of my personal lab installs, TsInternetUser is using a strong password; I've got the 2nd half of the password cracked by using LC4. What I don't understand is why my clients system featured (ha) a blank password for this account. I suppose that an audit of the actual processes taking place when these services are installed could be useful here. It would be useful for pen testing processes to know the method that the OS uses to create these passwords. Any tips on this? I've also noticed blank passwords in various places for the IUSR and IWAM accounts, as well as a blank password for the krbtgt account on my test AD domain controller. When attempting to login via TermSvc with krbtgt and a blank password, a password change prompt comes up, but does not seem to allow interactive access, perhaps due to the blank password being the "old" password that the pw change GUI was not accepting? I've tried using krbtgt in net use commands to test the functionality of this account and to see what it's limits might be, but I'm still testing. Anyone out there beat me to this care to share your results? On a slightly different but related note, is anyone aware of a canned exploit for IIS or SQL Server that adds the TsInternetUser into the Administrators group? I've been tasked with discovering the origin of a specific system attack in a non-hardended system (it does have all the current patches and hotfixes however, but we all know that's not enough). The attacker deleted their event viewer logs and cleaned up after themselves better than most that I've seen. Due to timing logistics I was unable to get a disk image or any type of memory dump, with the exception of some stack dumps from SQL Server that happened around the same time as the penetration. I'm currently analyzing these (and could use some help) to determine what happened. If anyone is good at analyzing these types of dumps, or can correlate these dumps with any of the SQL Server exploits, I would appreciate any assistance. Thanks Curt Wilson Netw3 Security www.netw3.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Dec 24 2002 - 01:28:29 PST