
Now, true, remote registry editing is not allowed in NT4, but this rule does not apply to Administrator (or perhaps other users in the Administrators group.. ::grin::).

Ok, so far we've covered some pretty good information, but let's go into that new product that Microsoft loves so much, the product they really hyped: NTFS (New Technology File System). First of all, NTFS is a rip-off of the OS/2 file system, HPFS. No biggie, let's not get picky. Anyhow, NTFS is actually a beautiful thing, if used properly. NTFS allows an administrator not only to put access permissions on folders, but also to put access permissions on individual files within a folder.

Example: Jane and Ralph both have access to the folder 'Shoes'. There's only one file within the 'Shoes' folder. Only Jane has access to this one file; Ralph does not. So when Ralph opens the 'Shoes' folder it appears empty, but when Jane opens the 'Shoes' folder the file is there.

Now, if an administrator does not set permissions on the files within a folder but you know the exact path to a file, you can copy the file out of the folder onto a FAT (File Allocation Table) volume, successfully bypassing the security. Example:

The folder 'Shoes' has permissions on it. You do not have access permission to the folder, BUT if you typed:

copy c:\shoes\secure.txt a:\

It would allow you to copy the file. Pretty neat huh?

I have heard that the latest NT4 patches have corrected this problem, I will let ya know when I get a chance to test it out.

File sharing, I love those words. The SMB file and print server protocols used by NT are harder to spoof than the NFS implementation on Unix systems. It is possible that a gateway machine (and I don't mean the brand-name company) could spoof an SMB session, then read and write any files to which the true user of the session had access. WARNING: This method is not for the beginner.

Now, Windows allows for this wonderful thing called User Profiles. This allows users to have login scripts, personalized desktops, etc. Some very personal information can be contained within these profiles. For example, some users put the userid and password that they use for Microsoft Mail into their logon script; this way, when they log into the machine, it automatically logs them into their mailbox. User profiles are stored in the %SYSTEMROOT%\SYSTEM32\CONFIG directory and also in a shared directory on the server.

Let's discuss our little friend, the special share. NT shares the %SYSTEMROOT%\SYSTEM32\REPL\IMPORT\SCRIPTS directory so that users can read their login scripts during login. Under normal default conditions, ANYONE can access this share and read anyone else's login script. So whatever juicy pieces of information are in the login script are now yours. Some other special shares are created depending on other software installed on NT or other servers that NT has to cooperate with. These other shares will probably be discussed in another BlackPaper.

Getting lucky with that special account. There is a certain type of NT account that has the ability to back up and restore database and account information. Accounts of this type have the ability to read, modify and write any file in the system. So, if ya can't get the Admin account, who knows... maybe there's a backup operator account. Ya never know.

==============Part Two==============

===================The Techniques for Survival===================

[8.0.0] NetBIOS Attack Methods

This NetBIOS attack technique was verified on Windows 95, NT 4.0 Workstation, NT 4.0 Server, NT 5.0 beta 1 Workstation, NT 5.0 beta 1 Server, and Windows 98 beta 2.1. One of the components being used is NAT.EXE by Andrew Tridgell. A discussion of the tool, its switches, and common techniques follows:

NAT.EXE [-o filename] [-u userlist] [-p passlist] <address>

Switches:

  -o         Specify the output file. All results from the scan will be
             written to the specified file, in addition to standard output.

  -u         Specify the file to read usernames from. Usernames will be read
             from the specified file when attempting to guess the password on
             the remote server. Usernames should appear one per line in the
             specified file.

  -p         Specify the file to read passwords from. Passwords will be read
             from the specified file when attempting to guess the password on
             the remote server. Passwords should appear one per line in the
             specified file.

  <address>  Addresses should be specified in comma-delimited format, with no
             spaces. Valid address specifications include:

               hostname              - "hostname" is added
               127.0.0.1-127.0.0.3   - adds addresses 127.0.0.1 through 127.0.0.3
               127.0.0.1-3           - adds addresses 127.0.0.1 through 127.0.0.3
               127.0.0.1-3,7,10-20   - adds addresses 127.0.0.1 through 127.0.0.3,
                                       127.0.0.7, 127.0.0.10 through 127.0.0.20
               hostname,127.0.0.1-3  - adds "hostname" and 127.0.0.1 through 127.0.0.3

             All combinations of hostnames and address ranges as specified
             above are valid.

[8.0.1] Comparing NAT.EXE to Microsoft's own executables

[8.0.2] First, a look at NBTSTAT

First we look at the NBTSTAT command. This command was discussed in earlier portions of the book ( [5.0.6] The Nbtstat Command ). In this section, you will see a demonstration of how this tool is used and how it compares to other Microsoft tools and non-Microsoft tools.

What follows is pretty much a step-by-step guide to using NBTSTAT as well as extra information. Again, if you're interested in more NBTSTAT switches and functions, view the [5.0.6] The Nbtstat Command portion of the book.

C:\>nbtstat -A XXX.XX.XXX.XX

       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
STUDENT1       <20>  UNIQUE      Registered
STUDENT1       <00>  UNIQUE      Registered
DOMAIN1        <00>  GROUP       Registered
DOMAIN1        <1C>  GROUP       Registered
DOMAIN1        <1B>  UNIQUE      Registered
STUDENT1       <03>  UNIQUE      Registered
DOMAIN1        <1E>  GROUP       Registered
DOMAIN1        <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered

MAC Address = 00-C0-4F-C4-8C-9D

Here is a partial listing of NetBIOS name suffixes (the 16th byte of the name):

Name           Number  Type    Usage
--------------------------------------------------------------------------------
Computername   <00>    UNIQUE  Workstation Service name
               <00>    GROUP   Domain name
Server         <20>    UNIQUE  Server Service name
Computername   <03>    UNIQUE  Registered by the Messenger Service. This is the
                               computername to be added to the LMHOSTS file,
                               which is not necessary to use NAT.EXE but is
                               necessary if you would like to view the remote
                               computer in Network Neighborhood.
Username       <03>            Registered by the Messenger Service.
Domainname     <1B>    UNIQUE  Registers the local computer as the master
                               browser for the domain
Domainname     <1C>    GROUP   Registers the computer as a domain controller
                               for the domain (PDC or BDC)
Domainname     <1D>    UNIQUE  Registers the local client as the local
                               segment's master browser for the domain
Domainname     <1E>    GROUP   Registers as a Group NetBIOS Name
               <BF>            Network Monitor Name
               <BE>            Network Monitor Agent
               <06>            RAS Server
               <1F>            Net DDE
               <21>            RAS Client
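As an added illustration (not part of the original paper or of NAT.EXE), here is a small Python parser that reads a saved nbtstat -A name table and classifies each registration with the suffix table above, so an administrator auditing their own hosts can see at a glance what one anonymous query gives away: computer name, domain, logged-on usernames via the <03> Messenger Service entry, and domain-controller and browser roles. The sample input is constructed from the capture above; the JDOE row is added to show a leaked username.

```python
import re
# Suffix table from this section (16th byte of a NetBIOS name); None = type not listed.
SUFFIXES = {
    ("00", "UNIQUE"): "Workstation Service name", ("00", "GROUP"): "domain name",
    ("03", "UNIQUE"): "Messenger Service (computername or logged-on username)",
    ("20", "UNIQUE"): "Server Service name", ("1B", "UNIQUE"): "domain master browser",
    ("1C", "GROUP"): "domain controller (PDC or BDC)", ("1E", "GROUP"): "group name",
    ("1D", "UNIQUE"): "local segment master browser", ("01", "GROUP"): "__MSBROWSE__",
    ("BF", None): "Network Monitor Name", ("BE", None): "Network Monitor Agent",
    ("06", None): "RAS Server", ("1F", None): "Net DDE", ("21", None): "RAS Client",
}
ROW = re.compile(r"^\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)")
MAC = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")

def describe(suffix, ntype):
    return SUFFIXES.get((suffix, ntype)) or SUFFIXES.get((suffix, None), "unknown suffix")

def parse_nbtstat(text):  # -> ([(name, suffix, type, status, meaning), ...], mac)
    rows, mac = [], None
    for line in text.splitlines():
        if m := ROW.match(line):
            rows.append((m[1], m[2].upper(), m[3], m[4], describe(m[2].upper(), m[3])))
        elif m := MAC.search(line):
            mac = m[1].upper()
    return rows, mac

def summarize(rows):  # what one unauthenticated nbtstat -A query reveals about the host
    computers = {n for n, s, t, _, _ in rows if s == "00" and t == "UNIQUE"}
    return {
        "computers": sorted(computers),
        "domains": sorted(n for n, s, t, _, _ in rows if s == "00" and t == "GROUP"),
        # a <03> name that is not the computer itself is a logged-on username
        "users": sorted(n for n, s, t, _, _ in rows
                        if s == "03" and t == "UNIQUE" and n not in computers),
        "domain_controller": any(s == "1C" and t == "GROUP" for _, s, t, _, _ in rows),
        "master_browser": any(s in ("1B", "1D") for _, s, _, _, _ in rows),
    }

# Constructed sample modelled on the capture above; JDOE added to show a leaked username.
SAMPLE = """\
STUDENT1       <20>  UNIQUE      Registered
STUDENT1       <00>  UNIQUE      Registered
DOMAIN1        <00>  GROUP       Registered
DOMAIN1        <1C>  GROUP       Registered
DOMAIN1        <1B>  UNIQUE      Registered
STUDENT1       <03>  UNIQUE      Registered
JDOE           <03>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered
MAC Address = 00-C0-4F-C4-8C-9D
"""
```

Running `summarize(parse_nbtstat(SAMPLE)[0])` reports STUDENT1 in DOMAIN1 as a domain controller and master browser with JDOE logged on, which is exactly the inventory an anonymous NetBIOS query hands out.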

[8.0.3] Intro to the NET commands

The NET command is a command that admins can execute through a DOS window to show information about servers, networks, shares, and connections. It also has a number of options that you can use to add user accounts and groups, change domain settings, and configure shares. In this section you will learn about these NET commands, and you will also get the outline of a NET command batch file that can be used as a primitive network security analysis tool. Before we continue with the techniques, a discussion of the available options comes first:

[8.0.4] Net Accounts: This command shows current settings for password, logon limitations, and domain information. It also contains options for updating the User accounts database and modifying password and logon requirements.

[8.0.5] Net Computer: This adds or deletes computers from a domain's database.

[8.0.6] Net Config Server or Net Config Workstation: Displays configuration information about the Server service (or the Workstation service). When used without specifying Server or Workstation, the command displays a list of configurable services.

[8.0.7] Net Continue: Reactivates an NT service that was suspended by a NET PAUSE command.

[8.0.8] Net File: This command lists the open files on a server and has options for closing shared files and removing file locks.

[8.0.9] Net Group: This displays information about group names and has options you can use to add or modify global groups on servers.

[8.1.0] Net Help: Help with these commands

[8.1.1] Net Helpmsg message#: Get help with a particular net error or function message.

[8.1.2] Net Localgroup: Use this to list local groups on servers. You can also modify those groups.

[8.1.3] Net Name: This command shows the names of computers and users to which messages are sent on the computer.

[8.1.4] Net Pause: Use this command to suspend a certain NT service.

[8.1.5] Net Print: Displays print jobs and shared queues.

[8.1.6] Net Send: Use this command to send messages to other users, computers, or messaging names on the network.

[8.1.7] Net Session: Shows information about current sessions. Also has commands for disconnecting certain sessions.

[8.1.8] Net Share: Use this command to list information about all resources being shared on a computer. This command is also used to create network shares.

[8.1.9] Net Statistics Server or Workstation: Shows the statistics log.

[8.2.0] Net Stop: Stops NT services, cancelling any connections the service is using. Let it be known that stopping one service may stop other services.

[8.2.1] Net Time: This command is used to display or set the time for a computer or domain.

[8.2.2] Net Use: This displays a list of connected computers and has options for connecting to and disconnecting from shared resources.

[8.2.3] Net User: This command will display a list of user accounts for the computer, and has options for creating or modifying those accounts.

[8.2.4] Net View: This command displays a list of resources being shared on a computer, including NetWare servers.

[8.2.5] Special note on DOS and older Windows machines: The commands listed above are available on Windows NT Servers and Workstations; DOS and older Windows clients have these NET commands available:

Net Config
Net Diag (runs the diagnostic program)
Net Help
Net Init (loads protocol and network adapter drivers)
Net Logoff
Net Logon
Net Password (changes password)
Net Print
Net Start
Net Stop
Net Time
Net Use
Net Ver (displays the type and version of the network redirector)
Net View

For this section, the commands being used are NET VIEW and NET USE.

[8.2.6] Actual NET VIEW and NET USE Screen Captures during a hack.

C:\>net view XXX.XX.XXX.XX
Shared resources at XXX.XX.XXX.XX

Share name   Type   Used as   Comment
------------------------------------------------------------------------------
NETLOGON     Disk             Logon server share
Test         Disk
The command completed successfully.

NOTE: The C$, ADMIN$ and IPC$ shares are hidden and are not shown.