At 09:09 AM 7/1/96 edt, dnewman @
>Russ Cooper writes:
>>> "Because NT has even more security holes than Irix *duck*, I wont list
>>> them here,"
>>Its interesting that you should say this. Bill Stout put a very good list
>>together, but a number of those issues can be addressed. . .
> Russ, can you please post a URL for this list? TIA.
> David Newman
The following is a small list of 'concerns' I had posted to 'NT
security' in administering my own domain, with additional
comments. Hackers already know these, so protect your systems:
Is it possible to hack a connect onto a NT fileservice from
the network? There _must_ be holes:
1. I know DOS and Linux have drivers which allow you to RWED
files on an NTFS disk, if the disk is in the same machine.
Some have stated only read is possible with the NTFSDOS.EXE
driver. I heard that a write-capable driver does exist, and
if not, making a write capable driver is trivial once you can
read the disk. Either way you can read the registry and files,
then run crack.
2. I accidently had full access to all files once on an NT
3.51 server w/service pack 3, when I first started up
NT 4.0b1 client on my network. Using any account I accessed
all protected files and directories. I even double-checked
permissions to see if I was really browsing a directories that
only had user privileges. I haven't had time to duplicate it,
but quickly fixed the problem (applied SP4) after I picked my
jaw off the floor!
I would appreciate it if someone with NT3.51 SVR sp3 could load
NT4.0 WS (b1/b2?) to see if this happens, and e-mail me.
3. NT Workstations having the wrong challenge response can have a
user login using cached data with the network cable disconnected
(bypassing 'netlogon' service). When the cable is reconnected,
all services (and network files) are available. I found this
after someone installed a duplicate domain, the clients
authenticated on the wrong domain, and wouldn't connect on the
correct one, except for disconnect-logon-reconnect process.
This is like bypassing NIS+ by unplugging the cable/Internet for a second.
The CIFS/1.0 draft RFC by MS has some interesting comments about
passwords in section "8.3 LANMAN 2.1 (and earlier) Challenge/Response",
and in the sections that follow. See:
4. NT MSV1.0 encrypts user password in RSA MD-4, but compromises
the password by also encrypting the password in Lan Manager DES
compatible mode. Then transmits the same password in both
encrypted formats. For Lan Manager compatibility, of course.
NT uses only RSA MD-4 when the password is longer than 14 characters.
None of the existing NT user interfaces allow > 14 characters.
The password is encrypted and exchanged as a 16-byte data string,
which is compared to the encrypted string in the SAM database. This
being a constant can be captured and reused.
NT password crackers:
ScanNT - http://www.omna.com/yes/andybaron/scannt.htm
Kane also cracks NT - http://www.intrusion.com/ksant.htm
(Very good security reports on NT users/permissions/integrity)
I think both need to run on NT, and target a host or domain.
5. NT Server accepts connections without domain entries (WFW
compatibility), and passwords in DES vs. RSA encryption (Lan
Manager compatibility), security is compromised by the lowest
common denominator: WFW and Lan Manager compatibility.
Also, browse your systems' registry (95/NT) from a remote webserver:
This one might make you want to unplug your Internet feed!
If you know of a webserver running NT, try this
from in front of your firewall, using 95 or NT:
C:\> nbtstat -A 22.214.171.124 #(ftp.microsoft.com)
NetBIOS Remote Machine Name Table
Name Type Status
FTP <00> UNIQUE Registered
INETSERVERS <00> GROUP Registered
FTP <20> UNIQUE Registered
INETSERVERS <1C> GROUP Registered
FTP <03> UNIQUE Registered
INETSERVERS <1E> GROUP Registered
_SERVICE <03> UNIQUE Registered
INet~Services <1C> GROUP Registered
IS~FTP.........<00> UNIQUE Registered
FTP <01> UNIQUE Registered
MAC Address = 08-00-2B-A3-77-EC
Just like finger, but better.
I would appreciate someone setting me straight on these. For example,
if there were a way to turn off Lan Manager compatibility (DES) and
accept only RSA passwords, I would appreciate it. Also, it would be
nice to enforce domain entries in the connection string (I only run
NT Clients). I suppose I could also remove the floppies from the
servers, since I load all software with CDs.
Since C2 certification was granted only with network connections
disabled, there must be good reason for this.
William B. Stout | Major revelations:
Senior Systems Admin | "All objects are part of a larger object."
Hitachi Data Systems | "3 aware beings comprise a person; mind, body, spirit."
NT/UNIX/I-net/Routers | "The secret of life: To be involved with 'creation'."
408-970-4822 | Disclaimer: I speak for no one but us three people. ;)