RE: more info on a hopefully unsuccessful compromise

From: winter (shonky_secat_private)
Date: Mon Jul 14 2003 - 02:34:54 PDT

Next message: LiNERROR: "Re: more info on a hopefully unsuccessful compromise"

Previous message: Herman Sheremetyev: "Re: more info on a hopefully unsuccessful compromise"
In reply to: Etaoin Shrdlu: "Re: more info on a hopefully unsuccessful compromise"
Next in thread: LiNERROR: "Re: more info on a hopefully unsuccessful compromise"
Next in thread: Harlan Carvey: "Re: more info on a hopefully unsuccessful compromise"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

While I agree with the majority of what you are saying Etaoin, was all that
necessary?

>If some moron renamed it <the administrator account>, the above stuff with
Retina will still work

It should, but wouldn't that *moron* be doing the right thing?

LiNERROR, if the "Users and Computers" applet of "Computer Management"
doesn't show you the admin account, then download a couple of other tools to
see if they show using them, userdump (hammerofgod.com) springs to mind. 

How did you successfully authenticate using those 3 pwds? Did you log on
interactively or remotely?

winter

-----Original Message-----
From: shrdluat_private [mailto:shrdluat_private] On Behalf Of Etaoin
Shrdlu
Sent: Monday, 14 July 2003 4:04 AM
To: Incidents List
Subject: Re: more info on a hopefully unsuccessful compromise

LiNERROR wrote:
> 
> upon running an audit on one of my networks Retina 4.90 discovered two 
> systems, running windows 2000 pro, with sp3 and all updates with what 
> appeared to be multiple administrator accounts.

No. This is what happens when users assume the task of auditing, rather than
leaving it to the professionals. I suspect that you read NONE of the very
helpful replies to your previous post, as well. To make absolutely sure that
you understand, I will address each of the logs (these are NOT phantom
accounts, btw, it's the Administrator account, and it belongs).

> snip ---
> Accounts: User: Administrator Pass: rotartsinimdA - Account password 
> reverse of account

Here is Retina trying the word administrator backwards. Since the account
has NO PASSWORD, it succeeds, and incorrectly logs the password as valid.

> Accounts: User: Administrator Pass: Administrator - Account password 
> same as account

Here is Retina trying the word administrator forwards. Since the account has
NO PASSWORD, it succeeds, and incorrectly logs the password as valid.

> Accounts: User: Administrator Pass: - Account with no password snip 
> ---

Here's the log entry that is meaningful. You have an ADMINISTRATOR account
with no password. What were you thinking? Put a good password on the
administrator account, and be done with it. I'd suggest that a little
reading from the Microsoft site, or from any book not containing the title
words "21 days" or "dummies" would be of great benefit to you. I'd also
suggest that a part time administrator to assist you with your machines
would be helpful.

> However the system shows no evidence of these accounts in the user 
> manager...  but the accounts are there.

No, no, no. The Administrator account is supposed to be there. If some moron
renamed it, the above stuff with Retina will still work. Look at the users,
under the manage menu. If there is no Administrator account, then check by
the properties menu to see what group(s) the accounts are members of. The
administrator account is traditionally a member of only the Administrators
group (kind of reminds you of setprv on VMS, hmmmmmm), but that's all it
needs. Check EACH account. There may be more than one account with
administrator privileges. If so, then you need to check the (sorry, I don't
remember the wintel equivalent offhand of UID) specific identifier to see
which was created first. The oldest is the real Administrator. Rename it
back to Administrator, and give it a damned password.

--
I cannot help fearing that men may reach a point where they look on every
new theory as a danger, every innovation as a toilsome trouble, every social
advance as a first step toward revolution, and that they
may absolutely refuse to move at all.   (Alexis de Toqueville)

----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training
sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's
to 
"underground" security specialists.  See for yourself what the buzz is
about!  
Early-bird registration ends July 3.  This event will sell out.
www.blackhat.com
----------------------------------------------------------------------------

----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
----------------------------------------------------------------------------

Next message: LiNERROR: "Re: more info on a hopefully unsuccessful compromise"
Previous message: Herman Sheremetyev: "Re: more info on a hopefully unsuccessful compromise"
In reply to: Etaoin Shrdlu: "Re: more info on a hopefully unsuccessful compromise"
Next in thread: LiNERROR: "Re: more info on a hopefully unsuccessful compromise"
Next in thread: Harlan Carvey: "Re: more info on a hopefully unsuccessful compromise"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jul 14 2003 - 09:56:49 PDT