Beware using that key (it restricts null user sessions) in an environment where NT trust relationships are in place. Turning null sessions off removes a trusting domain's ability to enumerate users in the trusted domain. This causes authentication to fail. If you have no trust relationships, I highly recommend using the key to restrict null sessions.

Keith T. Morgan
Chief of Information Security
Terradon Communications
keith.morganat_private
304-755-8291 x142

> -----Original Message-----
> From: FatFinger [SMTP:fatfingerat_private]
> Sent: Friday, April 13, 2001 1:10 PM
> To: VULN-DEVat_private
> Subject: Re: Security Issues ... NT vuln ?
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Sekure,
>
> Talking about Null Session Attacks, it's not as simple as you pointed out
> in your e-mail, but it's also not as big a deal as some people say.
>
> In fact, when you find a PDC or a BDC server (talking about *yuck*
> Windows NT), you can create a null session using standard 'net use'
> commands from a DOS prompt. If you're successful, you'll open an IPC$
> connection. With it, you can use some tools like DumpACL (now
> DumpSEC) to get a list of users, even from the Admin group. If I'm not
> wrong, you can find this tool at http://www.systemtools.com
>
> Now that you know the users from that system, you can place several
> different 'net uses' using these usernames with different passwords,
> which you can try to get using brute force attacks, dictionary
> attacks, etc. Note that most passwords are weak and easy to crack
> (and no password is uncrackable).
>
> Null Session, in my point of view, can open a system to a
> confidentiality attack. It's mostly used to 'probe' for info. If you
> want to avoid this thing on your servers, there's a reg key you can
> change. Check the www.microsoft.com web site (security bulletin) to
> get more info about it. Just remember that some tools need to create
> null sessions and, changing this reg key, can lead you to an
> availability problem.
>
> Any comments, folks?
>
> All the best!
>
> FatFinger
>
>
> - ----- Original Message -----
> From: "sekure" <sekureat_private>
> To: <VULN-DEVat_private>
> Sent: Tuesday, April 10, 2001 8:53 AM
> Subject: Security Issues ... NT vuln ?
>
>
> > Hi guys,
> >
> > First, sorry for my poor English.
> >
> > I'm sending this mail... because I have several questions about security. :-)
> >
> >
> > 1) I saw on my machine that we have an "IIS control" named Console Root,
> > but when I call it (local machine) it opens a graphical screen for
> > configuration. Its name is CONSOLE root; can I use it in text mode? How?
> > If it is possible, can I use it remotely? Do you know if all machines have
> > this file/application? The name that I use to execute it is: iis.msc :-)
> >
> > 2) I have done tests with netmasks... we know that I can't see computers
> > with other netmasks... for example, machine A = 200.210.55.240/255.255.255.248
> > can't see B = 200.210.55.241/255.255.255.216... correct? Do you know
> > some way of seeing these other machines without changing your netmask?
> > I don't know of a scanner that simulates another netmask!! :-)
> > If you know one... please... tell me!
> >
> > 3) I installed NT 4.0 and put on SP6.0... and installed IIS... it installed
> > IIS 3.0! :) How do I upgrade it to 4.0? Only with Option Pack 4.0? Is it
> > possible to upgrade to IIS 5.0? How? Where can I get these upgrades,
> > or IIS itself?
> >
> > 4) I have already seen several TXTs about security in NT... saying that
> > it is very dangerous to have NETBIOS/SAMBA. We can connect with a null
> > session. OK, suppose that I have done it!
> > In my network: "net use \\192.168.0.100\ipc$ "" /user:""" works very
> > well! But then? What can I do with it? With it I try to access other
> > shares like admin$ and I don't have access. I try to access the registry...
> > and I don't have access again. Why can it be very dangerous?
> > I can't understand; suppose that a bit-lamer user has user: "joao"
> > and password: "joao" and it is a normal user (not a member of the admin
> > group). What can I do with it? Can't access the registry, other shares,
> > c$, d$, e$, ...!! For me it is equivalent to a null session. I cannot do
> > anything!! If you know a good "trick" that I can do with it, please
> > tell me! :-)
> >
> > 5) I installed Option Pack 4.0 on my NT+IIS4 to test! :-)
> > It is good, but when I try the test(s) of NT-box... in IIS... it didn't
> > allow it...!! :-) I tried to execute... nt-box... and execute mkilog,
> > dnsform, cts.idc, *.htx, ... All these files EXIST on my server!! :-)
> > But when I try to access (execute) one of these files it is not executed;
> > it returns me "a screen to download the file". I can save the file...
> > or execute it... if I execute it... it opens a cmd screen, executes it and
> > closes the window! What is it? A protection of Option Pack 4.0?
> > NTFS permissions? Permissions of the IIS users? How can I change it?
> > How can I crack it?
> >
> > 6) Does somebody know a program for the command line (cmd.exe or
> > command.com) that can manipulate the registry? To see keys, write to
> > keys, ...! Do you know one? Where can I get it?
> >
> > 7) Does the "NT hash" stay in the registry? Who can read it? Where is it?
> > I searched on my NT with regedit and regedt32... but I can't find it... I saw
> > the key HKEY_LOCAL_MACHINE\SAM\SAM <- but this key appears blank, and
> > its color is different from the other colors... its color is gray!!
> > I'm searching as administrator. Is there data in \HKEY_LOCAL_MACHINE\SAM\SAM?
> > Why can't I see it? How can I see it?
> >
> > 8) I'm thinking...! :-)
> > Suppose that I can spoof the network... then I can see the authentication
> > hashes!! Can I get this authentication and re-send it to the server?
> > Will it accept it only as one more packet? Or will it accept it as
> > an authorization? If it works, I can change my privileges from normal user
> > to administrator! :-) And better... I don't need to lose much time trying
> > to crack the password from the hash! :-)
> >
> > 9) The administrator that puts NTFS security permissions on CMD.EXE and
> > Command.com and the inetpub folder (with good permissions only for the
> > administrator), without access for IUSR_MACHINE and EVERYONE. Can we say
> > that his IIS is 100% secure or 99.99999999999%? What can be done against it?
> >
> >
> > Thanks for all the attention and help in advance.
> >
> > Excuse me for the accumulated question(s)... =)
> >
> > Best regards.
> >
> > [ ]'s
> >
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
> -----END PGP SIGNATURE-----
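Keith's caveat concerns the registry value that refuses anonymous (null) sessions, and sekure's question 4 shows the `net use ... ipc$ "" /user:""` command that opens one. The following PowerShell is an added example, not code from this thread, from Microsoft or from any tool named above: it reads that value (RestrictAnonymous under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which the thread does not name) and then runs the same net use against the local host, as an administrator would to confirm the change took effect. It assumes Windows PowerShell 3 or later on the host being checked and an elevated prompt.

```powershell
# Added example (not from the thread): audit RestrictAnonymous and self-test a null session.
# Assumes Windows PowerShell 3+ on the host being checked, run from an elevated prompt.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ra  = (Get-ItemProperty -Path $lsa -Name RestrictAnonymous -ErrorAction SilentlyContinue).RestrictAnonymous
if ($null -eq $ra) { $ra = 0 }   # an absent value behaves like 0

switch ($ra) {
    0 { 'RestrictAnonymous = 0: a null session may enumerate users and shares' }
    1 { 'RestrictAnonymous = 1: SAM account and share enumeration over a null session is refused' }
    2 { 'RestrictAnonymous = 2: no anonymous access without explicit permissions (Windows 2000 and later)' }
    default { "RestrictAnonymous = $ra is not a documented value; check who set it" }
}

# Self-test with the same 'net use' shown in the thread, aimed at this host. The --% token makes
# PowerShell hand the rest of the line to cmd.exe verbatim, so the empty "" arguments survive
# and cmd.exe itself handles the 2>&1 redirection.
$out = cmd.exe /c --% net use \\%COMPUTERNAME%\ipc$ "" /user:"" 2>&1
if ($LASTEXITCODE -eq 0) {
    # RestrictAnonymous = 1 still lets the session itself be established; it only refuses enumeration,
    # so an accepted session here is not by itself a finding. Drop the session we just opened.
    "Anonymous IPC`$ session accepted by \\$env:COMPUTERNAME; verify what it can enumerate before relying on the key."
    cmd.exe /c --% net use \\%COMPUTERNAME%\ipc$ /delete >nul 2>&1
} else {
    "Anonymous IPC`$ session refused: $out"
}
```

Run it before and after changing the key; on a domain controller that takes part in a trust, re-test user lookups from the trusting domain afterwards, which is the failure Keith describes.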
This archive was generated by hypermail 2b30 : Sun Apr 15 2001 - 13:06:26 PDT