<html>
<head>
<title>Networking and NT Security Issues</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body bgcolor="#000000" text="#ffffff" link="#ffffff" vlink="#ffffff">
<div align="center">
<table width="680" border="0" cellspacing="2" cellpadding="2" align="center">
<tr>
<td width="693">
<pre>
::::::::: :::::::: ::::::::: ::::::::::
:+: :+: :+: :+: :+: :+: :+:
+:+ +:+ +:+ +:+ +:+ +:+
+#++:++#+ +#++:++#++ +#++:++#: :#::+::#
+#+ +#+ +#+ +#+ +#+ +#+
#+# #+# #+# #+# #+# #+# #+#
######### ######## ### ### ###
<a href="http://blacksun.box.sk" target="_blank">http://blacksun.box.sk</a>
_____________________________
______________________I <b> Topic:</b> I_____________________
\ I I /
\ HTML by: I <b>Networking and NT</b> I Written by: /
> I <b>Security Issues</b> I <
/ <a href="mailto:black_mesa@hacktik.org">Martin L.</a> I_____________________________I <i><log-file></i> \
/___________________________> <_________________________\</pre>
</td>
</tr>
</table>
<p> </p></div>
<p><font color="#ff0000">====[ START ]=====</font></p>
<p><b><Cypher></b> ============== Networking and NT Security Issues =================<br>
<b><Cypher></b> first things first, so i'll start with a little story about NetBIOS,
oki?<br>
<b><m0ded></b> k go<br>
<b><Cypher></b> as probably most of u know NetBIOS (aka Network Input/Output
System) was originally developed to be<br>
<b><Cypher></b> an API (app programming interface)<br>
<b><Cypher></b> for the client (software) to be able to use and access resources
of the LAN<br>
<b><Cypher></b> actually, NetBIOS is the interface for accessing networking services<br>
<b><Cypher></b> its a software (layer) to connect a network system with the hardware<br>
<b><Cypher></b> computers on a NetBIOS-compatible LAN talk to each other by establishing
a session, a NetBIOS session, or by<br>
<b><Cypher></b> datagrams or broadcasting methods<br>
<b><Cypher></b> questions so far?<br>
<b><Sub></b> no<br>
<b><QX-Mat></b> .<br>
<b><m0ded></b> go on<br>
<b><Freezer></b> nope<br>
<b><Cypher></b> ok<br>
<b><Cypher></b> there is a thing in NT called the IPC<br>
<font color="#ff0000">*** DR_CooL has joined #bsrf</font><br>
<b><Cypher></b> which is an "InterProcess Communication"<br>
<b><Cypher></b> used for Server-to-Server communications<br>
<b><Cypher></b> this is actually a default NT share<br>
<font color="#ff0000">*** TTT has joined #bsrf</font><br>
<b><Cypher></b> hey DR_CooL, TTT<br>
<b><m0ded></b> a hidden NT share?<br>
<b><Olaf></b> Hi TTT<br>
<b><TTT></b> Hi, cypher!<br>
<b><Cypher></b> m0ded, yes kinda<br>
<b><TTT></b> You already started?<br>
<font color="#ff0000">*** elad sets mode: +m</font><br>
<font color="#ff0000">*** elad sets mode: +v Cypher</font><br>
<b><elad></b> now lecture.<br>
<b><Cypher></b> :)<br>
<font color="#ff0000">*** elad sets mode: +o Cypher</font><br>
<font color="#ff0000">*** ChanServ sets mode: -o Cypher</font><br>
<b><Cypher></b> so<br>
<b><Cypher></b> anyhow, the IPC is a hidden NT share, as m0ded said<br>
<font color="#ff0000">*** elad sets mode: -m</font><br>
<b><DR_CooL></b> that's better<br>
<b><Cypher></b> a malicious ;-) user could connect to it<br>
<b><Cypher></b> and gather information about the system<br>
<b><Cypher></b> this is done by an NT command (yep, microsoft gave us that)<br>
<b><Cypher></b> the NBTSTAT command<br>
<b><Cypher></b> it establishes a NULL Session (no credentials required) to the
targer system<br>
<b><Cypher></b> target<br>
<b><Cypher></b> its syntax is simple (from the prompt of course):<br>
<b><Cypher></b> nbtstat -a 123.123.123.123<br>
<b><Cypher></b> nbtstat -a <IP><br>
<font color="#ff0000">*** _sniper_on_moon- has joined #bsrf</font><br>
<b><Cypher></b> by using this command u'll get the ....wait... let me quote this<br>
<b><DR_CooL></b> and what information does it give ?<br>
<b><Cypher></b> "NetBIOS Remote Machine Name Table"<br>
<b><Cypher></b> this is actually the first step to gathering information the
remote machine<br>
<b><Cypher></b> and, btw, i didn't mention this before, but info gathering is
about 60% (if not more) of the job<br>
<font color="#ff0000">*** FrEEkY[cooking] is now known as FrEEkY</font><br>
<b><Cypher></b> now lets try to establish that NUll session<br>
<b><Cypher></b> there is another "kewl" command<br>
<b><Cypher></b> the "net" command<br>
<b><Sub></b> net use<br>
<b><m0ded></b> use is a parameter<br>
<b><Cypher></b> yep<br>
<b><Cypher></b> it has many useful features (read the manual) but we'll mostly
focus on "net use" and "net view"<br>
<b><Cypher></b> net view lets us see the<br>
<b><Cypher></b> shares on the machine (depending on its security policy of course)<br>
<b><Cypher></b> net view \\IP_ADDRESS might get us ether the shares or the "Access
is denied" msg<br>
<b><Cypher></b> if it gives us the shares, then...well... this part is done<br>
<b><Cypher></b> but if not<br>
<b><Cypher></b> we will try the next thing:<br>
<b><Cypher></b> net use \\IP_ADDRESS\ipc$ "" /user:""<br>
<b><Cypher></b> which means, connect to the IPC share (ipc$ - the default share)
with a "" (blank) password<br>
<b><Cypher></b> and with the "" (blank) user name<br>
<b><TTT></b> and now?<br>
<b><Cypher></b> as i said, the IPC needs no credentials<br>
<b><Cypher></b> if we get the "The Command completed successfully"
msg<br>
<b><Cypher></b> then we have established the null session and now we can get
that list of shares<br>
<b><Cypher></b> meaning issue the "net view \\IP" command<br>
<b><Cypher></b> so, actually the list of shares is usually unavailable until
u establish the null session<br>
<b><Cypher></b> questions?<br>
<b><m0ded></b> yeah<br>
<b><Sub></b> can you establish a null session any other way?<br>
<b><m0ded></b> what u mean a null session?<br>
<font color="#ff0000">*** TTT has joined #bsrf</font><br>
<b><_zach-></b>; where no credentials are required<br>
<b><_zach-></b>; from you<br>
<font color="#ff0000">*** Esamurai has joined #bsrf</font><br>
<b><Cypher></b> Sub, the null session can be established by the built-in "net
use" command or any other "null session establishment" tools
(there are plenty)<br>
<b><_zach-></b>; to connect<br>
<b><FrEEkY></b> I have an addition<br>
<b><_zach-></b>; to the target<br>
<b><Cypher></b> m0ded, null session<br>
<b><Cypher></b> right zach<br>
<b><_zach-></b>; :)<br>
<b><Cypher></b> m0ded answer = zach<br>
<b><FrEEkY></b> if you turn your filesharing on and then after you're in you turn
it off, it can get the necessary files on your computer to mask you as a part
of the network<br>
<b><Cypher></b> its a connection through the IPC share<br>
<b><_zach-></b>; w00t<br>
<b><Sub></b> so, what packets would you have to send to establish a null session,
if you were coding an exploit for instance?<br>
<b><Cypher></b> Sub, i haven't actually tried "raw" connection to ipc
yet...<br>
<b><tcg></b> whats an ipc share<br>
<b><Cypher></b> tcg, its a default (hidden) NT share (one of them, at least)<br>
<b><QX-Mat></b> Can we carry on?<br>
<b><Cypher></b> QX-Mat, of course<br>
<font color="#ff0000">*** DR_CooL has quit IRC (Ping timeout)</font><br>
<font color="#ff0000">*** _sniper_on_moon- is now known as sniper</font><br>
<b><TTT></b> Has anyone a log from beginning of the lesson?<br>
<b><m0ded></b> yes me<br>
<b><Sub></b> me<br>
<b><FrEEkY></b> I do<br>
<b><Cypher></b> lets now move to a bit different direction - securing NT<br>
<b><tcg></b> why nt got that?<br>
<b><TTT></b> okay<br>
<b><Cypher></b> tcg, inner communications<br>
<font color="#ff0000">*** Samcon has joined #bsrf</font><br>
<b><Cypher></b> now, the basic steps/checklist<br>
<b><tcg></b> what is it good for?<br>
<b><Cypher></b> to "start" securing an NT machine<br>
<b><FrEEkY></b> securing an NT machine, original idea<br>
<b><QX-Mat></b> )<br>
<b><Cypher></b> first thing, and the obvious one<br>
<b><Cypher></b> is Passwords<br>
<b><Cypher></b> (duh) ;)<br>
<b><Cypher></b> unfortunately, many admins neglect password policies, for some
reason<br>
<b><dr3x></b> min_password_length = 12 :)<br>
<b><tcg></b> but I can't telnet an nt box<br>
<b><tcg></b> so who cares<br>
<b><Cypher></b> putting passwords, such as "john" on a "john"
user account<br>
<b><Sub></b> tcg: there is a telnetd for NT<br>
<b><Cypher></b> dr3x, good, but can the "dumb" user remember it?<br>
<b><tcg></b> password guessing is out of fashion<br>
<b><elad></b> tcg; you can install some ssh server and ssh to it, yeah :)<br>
<b><dr3x></b> nope<br>
<b><elad></b> why would a sane person want to use telnet? :)<br>
<b><tcg></b> haha<br>
<font color="#ff0000">*** sniper has quit IRC (Ping timeout)</font><br>
<b><TTT></b> you can do interesting things with telnet, which you can't do with
ssh<br>
<b><FrEEkY></b> tcg: you can get into NBTSTAT in a whole other way, to get info
on the computer so you can access it better with telnet<br>
<b><elad></b> hahahha!<br>
<b><elad></b> ok lets let cypher go on with his lecture<br>
<b><Olaf></b> whith telnet we can do everything!!!<br>
<b><Cypher></b> good idea, elad...<br>
<b><QX-Mat></b> Olaf: true!<br>
<b><Cypher></b> shall we continue??<br>
<b><Sub></b> yes<br>
<b><m0ded></b> yeah<br>
<b><Slayer[reading_eating]></b> yes<br>
<b><m0ded></b> <b><Cypher></b> putting passwords, such as "john" on
a "john" user account<br>
<b><tcg></b> say<br>
<b><Cypher></b> so obviously, the admin has to put proper password policies,
which include (mostly):<br>
<b><tcg></b> a password that is like the username isn't good right?<br>
<b><Cypher></b> tcg, yeah :)<br>
<b><Cypher></b> password age:<br>
<b><tcg></b> ??<br>
<b><Cypher></b> the amount of time the password remains valid<br>
<b><Cypher></b> this is sometimes not set, or disabled on some accounts<br>
<b><FrEEkY></b> I've never thought of microsoft passwords as being a problem<br>
<b><Cypher></b> causing one password to last "a lifetime"<br>
<b><Cypher></b> so its better to put a password age as something about 30 days<br>
<b><tcg></b> all these stuff are right both for nt4 and win2k?<br>
<b><Cypher></b> tcg, yes<br>
<b><tcg></b> my password is complex. its my username backwards. :)<br>
<b><tcg></b> and nt3.51?<br>
<b><Olaf></b> I'm using a secure unix which accepts guest!!!!<br>
<b><_zach-></b>; ./dns Olaf<br>
<b><_zach-></b>; lol<br>
<b><m0ded></b> heh<br>
<b><elad></b> like<br>
<b><Slayer[reading_eating]></b> :)<br>
<b><elad></b> shut the fuck up and let him get to the questions part<br>
<b><elad></b> or i will rape your mothers<br>
<b><tcg></b> hahaha<br>
<b><elad></b> to death<br>
<b><Cypher></b> besides the password also has to be good, meaning a combination