



Windows 2000 Security? Win2k Win2000


---------------------------------------------------------



Diary of a Windows 2000 hack and the dangers.
by Avoid N F8
With special thanks going to GreyZone for technical support along the way
http://www.compsecurity.net/


First of all I would like to say thank you to all of those who have come before me and taken the time to put their thoughts on paper and ideas into code to be published freely. I hope this opens up some eyes as others have opened mine. Many people have asked me why I use or am even concerned about security on a Microsoft system and my answer is simple. When my mother can install, configure and run her business on Linux then I won't concern myself with Windows anymore. My mother, who can't install kids' games and calls me at least three times a week for information on little things, on Linux? Yeah Right!! How many users can actually run Linux, and when I say users I mean USERS… you know, the ones that call the help desk about their coffee cup holder constantly closing. We've all heard them, yet they are the backbone of today's computer world. All of our information, that we as security administrators hold dear, at one time or another is solely in the hands of the user. Maybe it's on his laptop as he is working on it in an airport hotel. Maybe it is on his home systems that he uses to telecommute. In any case it is out of our hands and in theirs, and chances are very good that it is on a Microsoft system, not on our ultra secure Linux/Unix/NT firewall-protected web servers with tape backup and fault tolerant RAID systems. Let's not forget about the home office user. Why should you concern yourself about them? Well, let's ask some simple questions. Does your insurance agent work out of his home? What about your stockbroker, or perhaps your banker? This is why I concern myself solely with Microsoft security. Why do I hack from a Microsoft box? That is also simple. It's because it's what my son would use, and thousands of other script kiddies out there who would have no regard for what they're doing or destroying. These are the ones we have to stop first, because if they can find a way to compromise network security then they will undoubtedly wreak havoc by deleting everything we hold dear. Now with that said, let's get to work.

The Goal:

I wanted to see how secure Windows 2000 was, so I decided to go about it as a basic NT hacker would have under NT 4.0, to see if Microsoft closed the holes. I think you'll be as surprised as I was to see that not only did they not close the holes, they added a GAPING hole to the system. Please note that this approach was run on a Windows 2000 Professional system and will not work on a Windows 98 or 95 system. I am an MCSE so Microsoft has seen fit to provide me with beta copies for evaluation. Below is my evaluation. They may not like it but oh well.

The Approach:

The first thing I needed was a list of possible targets running Windows 2000 in a normal user/home type environment that were installed by the average user. Since this isn't a publicly released OS yet I figured the best place to go would be the software piracy channels on IRC, better known as "warez" channels. I set up an IP scanner in these channels and by the next morning had a list of some 6000 individual IP addresses. Now these addresses are both dial-up and full time connections. Not what I need for a fast test, so I parsed these for the first octet of "24", known to normally be cable connections or other full time access accounts. This brought the list down to about 700. Now I need to separate NT/2000 from Windows 98/95 machines. For this I used Winfingerprint 2.10 by vacuum@technotronic.com & Mike@eEye.com. This brought the list down to 213 NT/2000 machines (it is difficult at this stage to tell the difference between the two remotely). Now to start the attack.

I decided to go about this with the standard methods and programs that are readily available as freeware, as my intent was to see if 2000 in the home environment would be safe and secure for the average user or would be a detriment to security. For this I first used CIS (Cerberus Internet Scanner, formerly NTInfoScan) by David Litchfield of Cerberus Information Security.

Table 1.1 is the output that I got on a fairly consistent basis from the 2000 machines (57 of a total of approximately 78 Windows 2000 machines tested, or 73%).

Table 1.1
Cerberus Internet Scanner
Results
for
24.?.?.? (changed to protect the innocent)
by David Litchfield
Cerberus Information Security

NetBIOS
Share Information
Share Name :IPC$
Share Type :Default Pipe Share
Comment  :Remote IPC
WARNING - Null session can be established to \\24.?.?.?\IPC$

Share Name :ADMIN$
Share Type :Default Disk Share
Comment  :Remote Admin

Share Name :C$
Share Type :Default Disk Share
Comment  :Default share
Account Information
Account Name :Administrator
The Administrator account is an ADMINISTRATOR, and the password was changed 3 days ago. This account has been used 2 times to logon. The default Administrator account has not been renamed. Consider renaming this account and removing most of its rights. Use a different account as the admin account.
Comment :Account upgraded from Windows 95 or Windows 98
User Comment :
Full name :Administrator

Account Name :Guest
The Guest account is a GUEST, and the password was
changed 0 days ago. This account has been used 0 times to logon.
Comment :Built-in account for guest access to the computer/domain
User Comment :
Full name :

Account Name :USER1
The USER1 account is an ADMINISTRATOR, and the password was
changed 3 days ago. This account has been used 22 times to logon.
Comment :Account upgraded from Windows 95 or Windows 98
User Comment :
Full name :USER1

WARNING Administrator's password is blank
WARNING USER1's password is blank

Two things struck me as odd. First was that the Administrator and another user (who is also an administrator) password was blank. Second, that these accounts were upgraded from Windows 98 or 95, as it says in the comment field. This got me curious so I decided to study it further. I upgraded one of my 98 machines to 2000 Professional. This machine was in a peer-to-peer workgroup with Windows logon set as the primary network logon. The upgrade process and how smooth it went impressed me. I upgraded this, like a normal user would, by hitting OK to every prompt and was impressed at how little it asked me. It went through the install and rebooted, coming to a screen that asked me to set a password for all new Windows 2000 accounts. It showed me a list of accounts it said were created in the upgrade and that I should type a password to be used for all of the listed accounts. Being the typical user and remembering the hint from my Windows 98 install about passwords saying something about "hint: if you don't want to see this screen again then just hit enter", I hit [ENTER]. Sure enough the OK key was highlighted and it brings up a window stating that I have not entered a password and it is unsafe to set a blank password on accounts that have full access to my computer. Am I sure I want to do this? Hmm… (typical user mode on) No one ever gets in my house and uses my computer that I don't want to, and I don't like entering passwords. Again remembering the hint from 98, I hit [ENTER]. Logon screen. Now I have two accounts set up with administrative access to this machine with blank passwords. This test was again confirmed when I had three other normal (not computer wizards) users upgrade the same machine from 98 to 2000, each time resulting in 2 accounts without passwords. Hmm, I don't like this at all. I must remember to post a company wide memo about this so my users don't make this mistake at home. For now let's get back to the attack.
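As an added example (not part of the original article), the following Python script parses scanner output in the Table 1.1 format and reduces it to the findings a defender would act on: administrator-level accounts with blank passwords (and whether they were upgraded from Windows 9x), the null-session warning, and exposed administrative shares. The SAMPLE_SCAN text is constructed to mirror Table 1.1 (keeping the masked 24.?.?.? address) and the finding strings are my own wording, not the scanner's.

```python
import re

# Constructed sample modelled on the Cerberus Internet Scanner output in Table 1.1
SAMPLE_SCAN = r"""
Share Name :IPC$
Share Type :Default Pipe Share
WARNING - Null session can be established to \\24.?.?.?\IPC$
Share Name :ADMIN$
Share Name :C$
Account Name :Administrator
The Administrator account is an ADMINISTRATOR, and the password was changed 3 days ago.
Comment :Account upgraded from Windows 95 or Windows 98
Account Name :USER1
The USER1 account is an ADMINISTRATOR, and the password was changed 3 days ago.
Comment :Account upgraded from Windows 95 or Windows 98
WARNING Administrator's password is blank
WARNING USER1's password is blank
"""

def parse_scan(text):
    # Shares in order of appearance, per-account flags, and the null-session warning
    shares = re.findall(r"^Share Name\s*:(\S+)", text, re.M)
    accounts, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^Account Name\s*:(\S+)", line)
        if m:
            current = m.group(1)
            accounts[current] = {"admin": False, "upgraded": False, "blank": False}
        elif current and "account is an ADMINISTRATOR" in line:
            accounts[current]["admin"] = True
        elif current and "upgraded from Windows 95 or Windows 98" in line:
            accounts[current]["upgraded"] = True
    for name in re.findall(r"^WARNING (\S+)'s password is blank", text, re.M):
        accounts.setdefault(name, {"admin": False, "upgraded": False})["blank"] = True
    return shares, accounts, "Null session can be established" in text

def findings(text):
    # Reduce the raw output to the items a defender must act on, most serious first
    shares, accounts, null_session = parse_scan(text)
    out = []
    for name, a in accounts.items():
        if a["admin"] and a["blank"]:
            why = " (account upgraded from Windows 9x)" if a["upgraded"] else ""
            out.append(f"administrator-level account {name} has a blank password{why}")
    if null_session:
        out.append("null session to IPC$: shares and accounts enumerable anonymously")
    for s in shares:
        if s != "IPC$":
            out.append(f"administrative share {s} reachable over the network")
    return out
```

Run over saved scanner output for a whole list of hosts, the script turns the table above into a per-host checklist; the blank-password findings are the ones to fix first, since they are what turns the null session into full access.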

Well, back to the attack, and even more security flaws.
Next I connected to these machines through a session by going to DOS and typing
net use \\machineIP\ipc$ "" /user:Administrator
This opens a session to the machine telling it that I am the Administrator and giving it the password of blank "". I received the following results:

C:\>net use \\24.?.?.?\IPC$ "" /user:Administrator
The command completed successfully.

I am now connected to this machine as an administrator and could map the drives and browse them as I would my own… nothing unusual so far, except Microsoft hasn't cleaned up the old security holes… they are still there and kicking. Determined to go on and try to find something good about 2000, I dig deeper.
Next I open Computer Management (Photo 1.2) and connect to his machine. Hmm, I can't add accounts, it seems, as the local users and groups are disabled remotely (BRAVO).
Photo 1.2



This out of the way, I dive deeper into Computer Management and find that Disk Management is also inaccessible, so I can't format his drives remotely (Again Bravo). So I dig deeper, and then under Services I notice Telnet (Photo 1.3). Microsoft set this item to be installed by default on Windows 2000 Professional? Why does a workstation user need a telnet server by default? It seems to me that this should be an option to be installed by a user when it is needed, not a default setting that the user is unaware of. It's not started by default, but it is set to log on as LocalSystem. Curious, I dove even deeper.
Photo 1.3


I look at the properties of the service (Photo 1.4) and find that not only can I start the service, but I can also set it to Automatic on boot up.

Photo 1.4

Now this service will start at boot up and is running as LocalSystem. Hmmm, surely Microsoft did something to stop me from logging into this machine and being able to execute any command I want…. They did!! Whew… it's called NTLM authentication, and telnet is set to validate by NTLM only by default, and only Windows 2000 telnet will authenticate with NTLM. What does that mean? It means that if their computer doesn't recognize who you are by your login and password and know that you're from a trusted domain, then it won't let you on their system… hmmm, bravo? … Not quite!!! As I looked into the telnet service on my machine I went to Administrative Tools and started the Telnet Server Administration console. Seeing the option to change the registry settings I grew worried. Sure enough there it is, Option 7 NTLM, and setting it to 1 will authenticate with NTLM when it can and if it fails it will use clear text, thus any telnet client will connect. To verify my suspicions I fired up regedit and was able to connect to the remote machine's registry, and there under the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0 was the key NTLM… a quick modification of the value from 2 to 1 and then I restarted the telnet server session.

The Result:
A minute later and I am logged on to this machine through telnet!!!! Now I have full control over this machine, including the right to set up user accounts and format the drives (so much for the earlier bravos), as well as the right to run code on this machine, including launching attacks from this machine without the user's knowledge. A few commands later and I have a user account set up (using the net user /add command) with administrator rights (using net localgroup /add) and have created a hidden dir from which to launch attacks. Using the DOS FTP client I log on to my FTP site and download the code I need to run, and set up a scheduled job (using the AT command) to run the code in the early mornings so no one will notice, then FTP me the results back… hmm, too easy… TOO DANGEROUS.

Some of you may ask why it is so dangerous to have telnet running. Well, let's say I hack into your machine and from there telnet to www.whitehouse.gov and redo the web page with an anti-government hate page telling the world how much you hate the president and wish he was dead. The server of course logs these things and the IP number they come from, which in this case is your IP, not mine. Now, two days later, while you're calmly trying to install that new scanner you just bought and reading the directions because you don't understand all this computer gibberish, there is a knock at your door by some guys in black suits. See the danger now?

My thoughts:
In retrospect it is my opinion that at the very least c:\winnt\system32\tlntsvr.exe should be deleted, as the average user does not need this service. Further, all accounts on the 2000 Professional OS that are upgraded from Windows 98/95 should be set to log on locally only, and File and Printer Sharing should be disabled. Remote registry editing and Computer Management should also be disabled by default, as they are in 95/98. These are the items that should not have been installed by default and should have been put in as an option pack to be installed by knowledgeable users only when needed.

How many users are going to buy 2000 on its release on Feb 17th? How many will upgrade their home system or laptop to 2000? And because of this, how many machines will be vulnerable on Feb 18th?
With the Internet connection speeds in today's world being faster than most small networks of 5 years ago, we have to start looking at the Internet security of the home user's computer just like it was an office computer. In fact, most home users' computers now have business information stored on them as well as tons of other information we don't want to let out. Windows 95/98 wasn't the greatest operating system in the world, but the only way you could gain access to it was to implant a back door in the system by a Trojan horse, or if the user had installed and configured File and Printer Sharing and set the shares to no password. In the latter of the two this was a conscious effort by the user, and the user usually knew the consequences. Now that the user has upgraded his fairly secure machine to Windows 2000 these rights have been taken from him. He now installs File and Printer Sharing by default. Since the user had no password on his Windows 98 machine he assumes that he doesn't need one in 2000 and installs without one. Now we have two administrator accounts without a password. All of the user's drives are shared and accessible to all users via the Internet and the high-speed connection that almost everyone has, either through cable connections or ADSL. To me, this shows that Microsoft is losing the end user outlook and focusing on corporate America. This in itself is not a bad thing, if it were to focus solely on corporate America. But they don't; they focus on corporate America and the end user as one huge demographic. Not every end user has a security administrator in the family they can call on to come and secure their new operating system so that their son or daughter can browse the web in privacy. Not everybody can call the family computer expert to come set their cable connection up so that they can keep the business contact list free from spying eyes, nor should they have to.
Microsoft seems to have lost sight of the end user and their security needs. They surely have lost sight of their technical ability and understanding. The installation of Telnet Server by default in a workstation shows that they have also lost sight of their software needs in the home and workplace.

What should have been done? In my opinion, if the product was upgraded from a 95 or 98 machine then 2000 should have done what an upgrade is supposed to do and install only the components needing an upgrade. If File and Printer Sharing and remote registry management were not installed on the old computer, then why is it installing them on the new one without asking us or even warning us of the dangers involved? This product doesn't upgrade, it overwrites all the security settings that have kept my users' information safe for the past 5 years.

Avoid N F8
MCSE



Comments or suggestions may be sent to avoindf8@hotmail.com