-----BEGIN PGP SIGNED MESSAGE-----

Sekure,

Talking about Null Session Attacks, it's not so simple as you pointed out in
your e-mail, but it's also not as big a deal as some people say.

In fact, when you find a PDC or a BDC server (talking about *yuck* Windows NT),
you can create a null session using standard 'net use' commands from the DOS
prompt. If you're successful, you'll open an IPC$ connection. With it, you can
use some tools like DumpACL (now DumpSec) to get a list of users, even from the
Admin group. If I'm not wrong you can find this tool at
http://www.systemtools.com

Now that you know the users from that system, you can place several different
'net uses' using these usernames with different passwords, that you can try to
get using brute force attacks, dictionary attacks, etc. Note that most
passwords are weak and easy to crack (and no password is uncrackable).

Null Session, in my point of view, can open a system for a confidentiality
attack. It's more used to 'probe' for info.

If you want to avoid this thing on your servers, there's a reg key you can
change. Check the www.microsoft.com web site (security bulletin) to get more
info about it. Just remember that some tools need to create null sessions and
changing this reg key can lead you to an availability problem.

Any comments, folks?

All the best!

FatFinger

- ----- Original Message -----
From: "sekure" <sekureat_private>
To: <VULN-DEVat_private>
Sent: Tuesday, April 10, 2001 8:53 AM
Subject: Security Issues ... NT vuln ?

> Hi Guy,
>
> In first, Sorry for my poor english.
>
> I'm sending this mail... because i have severals about security. :-)
>
>
> 1) I saw... in my machine that we have a "control of IIS" named Console root
> but when i call it (local machine) it opens me a graphical screen to config.
> But its name is CONSOLE root, can i use it in text mode ?? How ??
> If it is possible can i use it remote! Do you know if all machines have
> it file/application ?? The name that i use to execute is: iis.msc :-)
>
> 2) I have done tests with netmask... we know that i can't see computers
> with other netmasks ... example machine A = 200.210.55.240/255.255.255.248
> can't see B=200.210.55.241/255.255.255.216 ... correctly ?? Do you know
> some mode of seeing these other machines without changing your Netmask ??
> A scanner that simulates other netmask i don't know!! :-)
> If you know... please... tell me!
>
> 3) I install NT4.0 and put SP6.0 ... and install IIS ... it put IIS3.0! :)
> How to upgrade it to 4.0 ?? Only with Option Pack 4.0 ?? Is it possible to
> upgrade to IIS 5.0 ?? How to ?? Where can i get these upgrades, or IIS's ?
>
> 4) I already saw in several TXT about security in NT ... speaking that it is
> very dangerous to have NETBIOS/SAMBA. We can connect with null session.
> Ok, suppose that i done it!
> In my network: "net use \\192.168.0.100\ipc$ "" /user:""" it works very
> well! But then ?? What can i do with it ?? With it i try to access other
> shares like admin$ and i don't have access. I try to access the registry ...
> and i don't have access again. Why can it be very dangerous ??
> I can't understand, suppose that a bit-lamma user has user: "joao"
> and passwd: "joao" and it is a normal user (no member of admin group).
> What can i do with it ?? Can't access the registry, other shares, c$,
> d$, e$, ...!! For me it is equivalent to null session. I cannot make
> Anything!! If you know a good "trick" that i can do with it, please
> speak me! :-)
>
> 5) I install Option Pack 4.0 in my NT+IIS4 to test! :-)
> It is good, but when i try test(s) of NT-box ... in IIS ... it didn't
> allow ... !! :-) I tried to execute ... nt-box ... and execute mkilog,
> dnsform, cts.idc, *.htx, ... All these files EXIST in my server!! :-)
> But when i try to access (execute) one of these files it is not executed,
> it returns me: "A screen to download the file" i can save the file...
> or execute ... if i execute... it opens a cmd screen and executes it and
> closes the window! What is it ?? A protection of Option Pack 4.0 ??
> Permissions of NTFS ?? Permissions in users of IIS ?? How can i change it?
> How can i crack it ??
>
> 6) Somebody knows a program for command (cmd.exe or command.com) that can
> manipulate the registry ?? To see keys, write in keys, ... ! Do you know??
> Where can i get it ??
>
> 7) The "nt hash" stays in the registry ?? Who can read it ?? Where is it ??
> I found in my NT with regedit and regedt32 ... but i can't find... i saw
> the keys HKEY_LOCAL_MACHINE\SAM\SAM <- but this key appears in blank, and
> its color is different from the other color.. its color is gray!! I'm finding
> as administrator. Exist data(s) in \HKEY_LOCAL_MACHINE\SAM\SAM ? Why can't i
> see ?? How to do to see ??
>
> 8) I'm thinking...! :-)
> Suppose that i can spoof the network... then i can see the hashes of
> authentication!! Can i get this authentication and re-send it to the server ?
> Will it accept it only as one more package ?? Or will it accept it as
> an authorization ?? If it works, i can change my privileges from normal user
> to administrator! :-) And better... i don't need to lose much time
> trying to crack the password from the hash! :-)
>
> 9) The administrator that puts NTFS security permissions in CMD.EXE and
> Command.com and inetpub folder (with good permission only to administrator)
> without access to IUSR_MACHINE and EVERYONE. Can we say that his IIS is
> 100% security or 99.99999999999% ?? What can be done against it ??
>
>
> Thkz For all attention and help in advance.
>
> Excuse me for the accumulated question(s)... =)
>
> Best Regards.
>
> [ ]'s
>

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQEVAwUBOtcy+O8uJYTAsvxwAQG9jAf/Rf/4lLMFl9AFs/lZqwiPWqnXr11a8OhR
y7oTXN1wGMfdJJ9zbTDdR4tCSqY7YOlwj24glPwCa2wFD7B51LfNWBOCQhVvuyzQ
sGD/oZUoQ2MsAsZkuYZI2amZl3G1R6QwjR3mUbUVvxsuoikBmkPH+8MRNMHZTAsV
PvcfBJAKME5UNZorihSpVdUV+VZzZluu0rzn1NeuwyeCcPWJCkt6SXC4ggOwryE2
ttAHvG1sdKmC48Lz4vD4+wo6J36qX5sCVVk4zrWpAiBcVW6kcTZVd1JPo12d3y68
Jg5WGsUQme94V0hA0lVBgav5ZbSCRAvhpBZ6mJ8Rui1IbGY3/LxZbQ==
=Hau+
-----END PGP SIGNATURE-----
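The reply above describes a two-step pattern: an anonymous IPC$ (null session) logon used to enumerate accounts, followed by repeated 'net use' attempts with guessed passwords against those accounts, and it closes with the warning that some legitimate tools also need null sessions. The script below is an added detection example for the defender's side of that pattern; it is not code from the thread or from any tool named in it. It runs over a constructed, pipe-separated record set that stands in for exported Windows Security log events. The event IDs (4624 successful logon, 4625 failed logon) and "Logon Type 3" for network logons follow the modern Security log and are assumed here for illustration; the NT 4 audit log of the period used different IDs. The thresholds (5 failures across 3 or more accounts within 5 minutes) are illustrative tuning knobs, not values from the page.

```python
"""Correlate anonymous (null-session) network logons with follow-on password
guessing, from Windows Security log records.  Sample data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs).  Pipe-separated fields:
# timestamp | event id | account domain | account name | logon type | source IP
# 4624/4625 and logon type 3 follow the modern Security log (an assumption).
SAMPLE_LOG = """\
2001-04-10T08:50:00|4624|NT AUTHORITY|ANONYMOUS LOGON|3|192.168.0.50
2001-04-10T08:50:02|4624|NT AUTHORITY|ANONYMOUS LOGON|3|192.168.0.50
2001-04-10T08:51:10|4625|WORKGROUP|joao|3|192.168.0.50
2001-04-10T08:51:11|4625|WORKGROUP|joao|3|192.168.0.50
2001-04-10T08:51:12|4625|WORKGROUP|maria|3|192.168.0.50
2001-04-10T08:51:13|4625|WORKGROUP|Administrator|3|192.168.0.50
2001-04-10T08:51:14|4625|WORKGROUP|backupop|3|192.168.0.50
2001-04-10T08:51:15|4625|WORKGROUP|Administrator|3|192.168.0.50
2001-04-10T08:52:00|4624|WORKGROUP|joao|3|192.168.0.50
2001-04-10T09:10:00|4625|WORKGROUP|maria|3|192.168.0.77
2001-04-10T09:30:00|4624|WORKGROUP|maria|3|192.168.0.77
2001-04-10T09:31:00|4624|NT AUTHORITY|ANONYMOUS LOGON|3|192.168.0.12
"""


def parse_log(text):
    """Turn the pipe-separated records into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, domain, account, logon_type, src = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "domain": domain,
            "account": account,
            "logon_type": int(logon_type),
            "src": src,
        })
    return events


def null_session_sources(events):
    """Source IPs that completed an anonymous network logon (a null session)."""
    return sorted({e["src"] for e in events
                   if e["event_id"] == 4624 and e["logon_type"] == 3
                   and e["account"].upper() == "ANONYMOUS LOGON"})


def password_guessing_sources(events, window=timedelta(minutes=5),
                              min_failures=5, min_accounts=3):
    """Sources whose failed network logons, inside one sliding time window,
    reach min_failures and touch at least min_accounts distinct accounts.
    Many accounts from one source is the signature of guessing against an
    enumerated user list, as opposed to one user mistyping a password."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == 3:
            by_src[e["src"]].append(e)
    flagged = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(fails)):
            # Advance the window start until the run fits inside `window`.
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            run = fails[start:end + 1]
            accounts = {e["account"] for e in run}
            if len(run) >= min_failures and len(accounts) >= min_accounts:
                if src not in flagged or len(run) > flagged[src][0]:
                    flagged[src] = (len(run), sorted(accounts))
    return flagged


def correlate(events):
    """Severity per source.  A null session followed by guessing from the
    same source is the full pattern; a null session alone may simply be a
    management tool that needs one (the availability caveat in the reply)."""
    nulls = set(null_session_sources(events))
    guessing = password_guessing_sources(events)
    report = {}
    for src in nulls | set(guessing):
        if src in nulls and src in guessing:
            report[src] = "high: null session then password guessing"
        elif src in guessing:
            report[src] = "medium: password guessing"
        else:
            report[src] = "low: null session only (may be a tool that needs it)"
    return report


if __name__ == "__main__":
    for src, verdict in sorted(correlate(parse_log(SAMPLE_LOG)).items()):
        print(src, verdict)
```

On the sample data, 192.168.0.50 is reported as high (two anonymous logons, then six failures across four accounts in five seconds, then a success as joao), 192.168.0.12 as low, and 192.168.0.77 is not reported at all because a single failure followed by a success is normal user behaviour. The "low" bucket is deliberately kept visible rather than suppressed: it is the list to check before tightening the registry setting the reply refers to, so that whatever legitimately relies on null sessions is known in advance and the availability problem FatFinger warns about does not come as a surprise.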
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 23:38:50 PDT