-o          Specify the output file. All results from the scan will be written to the specified file, in addition to standard output.
-u          Specify the file to read usernames from. Usernames will be read from the specified file when attempting to guess the password on the remote server. Usernames should appear one per line in the specified file.
-p          Specify the file to read passwords from. Passwords will be read from the specified file when attempting to guess the password on the remote server. Passwords should appear one per line in the specified file.
<address>   Addresses should be specified in comma-delimited format, with no spaces. Valid address specifications include:
            hostname                 adds "hostname"
            127.0.0.1-127.0.0.3      adds addresses 127.0.0.1 through 127.0.0.3
            127.0.0.1-3              adds addresses 127.0.0.1 through 127.0.0.3
            127.0.0.1-3,7,10-20      adds addresses 127.0.0.1 through 127.0.0.3, 127.0.0.7, and 127.0.0.10 through 127.0.0.20
            hostname,127.0.0.1-3     adds "hostname" and 127.0.0.1 through 127.0.0.3
            All combinations of hostnames and address ranges as specified above are valid.
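An added example, not part of NAT or this paper: a Python parser for the <address> syntax above, useful for checking exactly which hosts a given specification expands to (for instance when confirming the scope of an authorised scan or reading a scanner's log). The function and regex names are my own.

```python
import ipaddress
import re

# A dotted-quad IPv4 address with an optional "-<address>" or "-<last octet>" range suffix.
_ADDR_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:-(\d{1,3}(?:\.\d{1,3}){3}|\d{1,3}))?$")
# A bare last-octet item or range ("7", "10-20") that continues the previous address's prefix.
_OCTET_RE = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")

def _expand(first: ipaddress.IPv4Address, last: ipaddress.IPv4Address) -> list[str]:
    if int(last) < int(first):
        raise ValueError(f"descending range {first}-{last}")
    return [str(ipaddress.IPv4Address(n)) for n in range(int(first), int(last) + 1)]

def parse_address_spec(spec: str) -> list[str]:
    """Expand a NAT-style <address> argument into the hostnames and IPv4 addresses it names."""
    if not spec or " " in spec:
        raise ValueError("address spec must be comma delimited with no spaces")
    targets: list[str] = []
    prefix = None  # first three octets of the most recent IPv4 item, e.g. "127.0.0"
    for item in spec.split(","):
        m = _ADDR_RE.match(item)
        if m:
            first = ipaddress.IPv4Address(m.group(1))  # raises ValueError on octets > 255
            prefix = m.group(1).rsplit(".", 1)[0]
            end = m.group(2)
            if end is None:
                last = first
            elif "." in end:
                last = ipaddress.IPv4Address(end)
            else:
                last = ipaddress.IPv4Address(f"{prefix}.{end}")
            targets.extend(_expand(first, last))
            continue
        m = _OCTET_RE.match(item)
        if m:
            if prefix is None:
                raise ValueError(f"bare octet range {item!r} has no preceding address")
            first = ipaddress.IPv4Address(f"{prefix}.{m.group(1)}")
            last = ipaddress.IPv4Address(f"{prefix}.{m.group(2) or m.group(1)}")
            targets.extend(_expand(first, last))
            continue
        if not _HOST_RE.match(item):
            raise ValueError(f"invalid address item {item!r}")
        targets.append(item)  # anything else is taken as a hostname, as NAT does
    return targets
```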
NAT.EXE does all of the above techniques; in addition it will try administrative shares ($), scan a range of IP addresses and use a dictionary file to crack the NetBIOS passwords. NAT.EXE is the
Then run your favorite Unix password cracker, such as john.exe (John the Ripper), against a large dictionary file, or ntucrack.exe, which will brute-force the password.
Registry Vulnerabilities:
RDISK
rdisk /s will dump the SECURITY and SAM portions of the registry into the c:\winnt\repair directory. It will also give you the option of creating an emergency repair diskette. This .zip includes SAMDUMP.EXE, which can be used to extract passwords from emergency repair diskettes.
Within that directory there will be a sam._ file; its legitimate purpose is the emergency repair disk. If you have gained access to the local drive, through physical access or through NetBIOS shares, run rdisk /s. The SAMDUMP utility included in this .zip will extract the passwords from it.
GAINING ACCESS TO THE ENTIRE REGISTRY (Local)
For this to work, you will need to start the schedule service.
From the Command Prompt:
C:\>net start schedule
The Schedule service is starting.
The Schedule service was started successfully.
From a Command Prompt:
at <time> /interactive "regedt32.exe"
If successful, you will receive a message similar to the following:
Added a new job with job ID = 0
Where <time> is replaced with the current time plus about a minute, to allow for the time it takes to type the command. At <time>, regedt32.exe will appear on your desktop. This instance of regedt32.exe runs in the system's security context, so it gives you access to the entire registry, including the SAM and SECURITY hives. Note that this will not work against a remote registry; you will need to do this locally on the system whose registry you want to modify.
samproof.txt example showing the SAM can be opened
Basic remote registry access that does not include the sam and security hives:
Windows NT supports accessing a remote registry via the Registry Editor and also through the RegConnectRegistry() Win32 API call. The security on the following registry key dictates which users/groups can access the registry remotely:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg
If this key does not exist, remote access is not restricted, and only the underlying security on the individual keys control access. In a default Windows NT workstation installation, this key does not exist. In a default Windows NT server installation, this key exists and grants administrators full control for remote registry operations, in addition to granting Everyone Create Subkey and Set Value access (special access).
REGEDT32.EXE
To access the registry of a REMOTE NT computer you must have ADMINISTRATOR RIGHTS. NAT.EXE (covered in the NetBIOS section) has often led to compromised administrator passwords. Administrators should turn off all shares, including C$.
To modify the Registry on a remote computer
Start Regedt32
1. On the File menu, click Connect.
2. Type the name of the remote computer.
3. In the Users on Remote Computer dialog box, click the user that is interactively logged on, and then click OK. Typically, there is only one user logged on.
4. Double-click Local User to change HKEY_CURRENT_USER Registry settings.
5. Double-click Local Computer to change HKEY_LOCAL_MACHINE Registry settings.
6. On the File menu, click Save.
7. On the File menu, click Disconnect.
Notes:
You can access the Registry only on computers for which you have administrative permission. The computer can be running any version of Windows NT Workstation or Windows NT Server. You can only access two predefined keys (HKEY_USERS and HKEY_LOCAL_MACHINE) of a remote computer registry.
REGINI is a tool that can be used from the command line to manipulate (in our case, write to) the registry on a REMOTE machine. A closely related tool, REGDMP.EXE, works together with REGINI and can be used to "dump" the contents of the registry on a remote machine to a file for your browsing. It should be noted that the entire contents of the registry (the SECURITY & SAM hives) will NOT be dumped as they were with the
where:
-m               specifies a remote Windows NT machine whose registry is to be manipulated.
-h               specifies a specific local hive to manipulate.
-w               specifies the paths to a Windows 95 system.dat and user.dat files
-i n             specifies the display indentation multiple. Default is 4
-o outputWidth   specifies how wide the output is to be. By default the outputWidth is set to the width of the console window if standard output has not been redirected to a file. In the latter case, an outputWidth of 240 is used.
-s               specifies summary output. Value names, type and first line of data
registryPath     specifies where to start dumping.
If REGDMP detects any REG_SZ or REG_EXPAND_SZ that is missing the trailing null character, it will prefix the value string with the following text: (*** MISSING TRAILING NULL CHARACTER ***)
The REGFIND tool can be used to clean these up, as this is a common programming error.
Whenever specifying a registry path, either on the command line or in an input file, the following prefix strings can be used:
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_USER
USER:
Each of these strings can stand alone as the key name or be followed by a backslash and a subkey path.
RedButton exploits a flaw allowing the creation of a new entry in the registry which describes a new drive share with access granted to Everyone. After a reboot the new share is published on the network to Everyone. By sharing the system drive one can obtain, among other things, a copy of the password file written by rdisk /s to the %SYSTEMROOT%\Repair directory. Please visit www.ntsecurity.com for further information, as this program relates directly to the registry and NetBIOS share topics covered in this paper.
Using the Registry to Execute Malicious Code
Note: Regedit.exe lets you export keys to .reg files which can also be very handy.
.REG files are used to directly change registry keys. The contents of a .reg file are similar to the contents of the text file used with REGINI.EXE.
Example (included as notepad.reg) will launch notepad.exe on startup. This of course
Where trojan.reg looks similar to the example notepad.reg shown above.
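As a defensive counterpart to the notepad.reg example, here is an added Python snippet (mine, not from this paper) that parses a REGEDIT4-format .reg file and lists every value it would write under a Run or RunOnce key, which is the first thing to check before importing a .reg file from an untrusted source. The SAMPLE_REG text is constructed to mirror what notepad.reg is described as doing, and the function names are my own.

```python
import re
# Autostart keys (under HKLM or HKCU) that the notepad.reg example in the text writes to.
AUTOSTART_SUFFIXES = (
    r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE",
)
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unquote(s: str) -> str:
    # Quoted strings lose their quotes and escapes; "@", dword:, hex: and "-" stay raw.
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        return s[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return s

def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Parse REGEDIT4-style .reg text into {key: {value_name: data}}."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in re.sub(r"\\\r?\n\s*", "", text).splitlines():  # join backslash-continued hex: lines
        line = raw.strip()
        if not line or line.startswith(";") or line.upper().startswith("REGEDIT"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            raise ValueError(f"unparseable .reg line: {raw!r}")
        keys[current][_unquote(m.group(1))] = _unquote(m.group(2))
    return keys

def find_autostart_entries(text: str) -> list[tuple[str, str, str]]:
    """(key, value_name, data) for each value the file would add to an autostart key.
    [-key] and "name"=- delete rather than add persistence, so they are skipped."""
    hits = []
    for key, values in parse_reg(text).items():
        if key.startswith("-") or not any(key.upper().endswith(s) for s in AUTOSTART_SUFFIXES):
            continue
        hits.extend((key, name, data) for name, data in values.items() if data != "-")
    return hits

# Constructed sample modelled on the notepad.reg example; not a file from the page.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"notepad"="notepad.exe"
"OldEntry"=-
'''
```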
This evil shortcut can be propagated throughout NT domains through Profiles. Use START.EXE to cause a wide variety of commands / executables to be launched.
START.EXE starts a separate window to run a specified program or command. Its switches:
I          The new environment will be the original environment passed to the cmd.exe and not the current environment.
MIN        Start window minimized
MAX        Start window maximized
SEPARATE   Start 16-bit Windows program in separate memory space
SHARED     Start 16-bit Windows program in shared memory space
LOW        Start application in the IDLE priority class
NORMAL     Start application in the NORMAL priority class
HIGH       Start application in the HIGH priority class
REALTIME   Start application in the REALTIME priority class
WAIT       Start application and wait for it to terminate
B          Start application without creating a new window. The application has ^C handling ignored. Unless the application enables ^C processing, ^Break is the only way to interrupt the application.
NOTE: /m is used to minimize the window; another available option is /wait, which will cause the program to wait until the other program exits; /B starts the application without creating a new window. Play with these switches to get the desired effect.
start.exe and at.exe can be used in combination if the Schedule service is started.
Security hole within winnt\profiles and login scripts
Using the trojan-building information above, trojans can be disseminated by strategically placing .lnk shortcuts or modifying the login script.
Any user logging in to the machine for the first time would inherit your malicious shortcuts.
or
C:\WINNT\Profiles\<userid of existing user>\Start Menu\Programs\Startup
would cause existing users to launch your malicious shortcuts on startup.
If roaming profiles are turned on, your malicious shortcut would follow the user as they logged on from machine to machine. If you install these .lnk files on the primary domain controller in the winnt\profiles\userid directory, they would also pass themselves down to the workstation when the user logged in. If you are unable to install your trojan in a roaming-profile environment or on the Primary Domain Controller, the trojan would not spread unless placed into the login script.
C:\WINNT\SYSTEM32\REPL\IMPORT\SCRIPTS
is the location where login scripts (.CMD files) are stored. Malicious code can be inserted into a new or existing login script. All users logging on to the machine would execute this code.
Here are the default NTFS permissions for C:\WINNT\PROFILES and C:\WINNT\SYSTEM32\REPL\IMPORT\SCRIPTS:
Administrators   Full Control
Everyone         Read
System           Full Control
FAT partitions have no file-level security. New users logging into the system would automatically execute this program every time they log in. If this is done on NT Workstation the attack will only spread to new users logging into the workstation locally. If this attack is performed on an NT domain controller it would spread throughout the domain profiles.
Hiding Detection
Replace an existing startup program with trojan. Rename your trojan so that it is not suspicious. Change the properties of the trojan's icon to look like the replaced icon. An antivirus program would be a great choice, you could even launch the real, renamed application after your trojan is loaded.
Workarounds for common system policy restrictions:
System Policies are implemented to restrict the user from performing certain tasks.
Installing Printers:
If you do not have access to the Printers folder from Start/Settings/Printers or from the My Computer icon, click Network Neighborhood and double-click on your computer name. The Printers folder will be available. Open the folder and double-click on the Add Printer icon to start the Printer Installation Wizard.
Control Panel Restrictions:
If you do not have access to the Control Panel from Start/Settings/Control Panel or from the My Computer icon, click Start/Help/Index (if you do not have Help, you can open it using Explorer or My Computer: double-click on C:\winnt\System32\control.hlp). Search for "Control Panel".
All of the normally displayed icons appear as help topics.
If you click on "Network", for example, a Windows NT Help screen appears with a handy shortcut to the Control Panel Network settings. Printers can also be installed using this method as well as the method mentioned above. Network options can also be accessed by right-clicking on Network Neighborhood and then selecting Properties.
Missing Command Prompt:
Start NT Explorer, change to c:\winnt\system32 and double-click on COMMAND.COM; a command prompt will start. This is also well known, but included for thoroughness.
Find Command is gone from Start/Find or from within NT Explorer:
To find a computer, if you have a command prompt:
Net View <Enter> is like Network Neighborhood.
Net View \\COMPUTERNAME is like double-clicking on a computer within Network Neighborhood.
Net use x: \\Computername\Sharename maps a drive letter to the share.
Finding a file is simple: dir filename.ext /s
Run Command Missing:
This is rather obvious but I will include it as it is a valid system policy restriction. Navigate your hard disk using My Computer, winfile or NT Explorer. Double-click on the program you wish to run. Duh!
System policies that I have NOT found a workaround for yet: display settings restricted in Control Panel, and registry editing disabled.
PWDUMP.EXE
When running pwdump.exe it is a good idea to redirect the results to a file. Otherwise, the results are just dumped to the screen.
pwdump >pwd.txt
NOTE: This is the pwdump output from the web server; the LAN Manager password is set to "password".
Administrator:500:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:Built-in account for administering the computer/domain::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:Built-in account for guest access to the computer/domain::
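An added Python example (not part of pwdump or this paper) that reads pwdump output like the two lines above and reports what an administrator should act on: the RID 500 built-in Administrator, accounts with no password set, accounts whose LM hash is stored (so the password is at most 14 characters and case-insensitive, which is what makes the dictionary attack described above practical), and accounts sharing the same NT hash. The finding names and function names are my own; SAMPLE_PWDUMP holds the two lines quoted in the text.

```python
from collections import defaultdict
from dataclasses import dataclass
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"     # LM hash of an empty password
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"     # NT hash of an empty password
NO_PASSWORD = "NO PASSWORD*********************"  # pwdump's marker for an absent hash

@dataclass
class PwdumpEntry:
    user: str
    rid: int
    lm_hash: str
    nt_hash: str
    comment: str
    homedir: str

def parse_pwdump_line(line: str) -> PwdumpEntry:
    """Parse one pwdump line of the form user:rid:lmhash:nthash:comment:homedir:"""
    parts = line.rstrip("\r\n").split(":")
    if len(parts) < 6:
        raise ValueError(f"not a pwdump line: {line!r}")
    return PwdumpEntry(parts[0], int(parts[1]), parts[2].upper(), parts[3].upper(), parts[4], parts[5])

def audit_pwdump(text: str) -> dict[str, list[str]]:
    """Return {finding: [accounts]}: rid500_admin (built-in Administrator, even if renamed),
    no_password, lm_hash_present (password <= 14 chars, case-folded) and shared_password."""
    findings: dict[str, list[str]] = defaultdict(list)
    by_nt: dict[str, list[str]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse_pwdump_line(line)
        if e.rid == 500:
            findings["rid500_admin"].append(e.user)
        if NO_PASSWORD in (e.lm_hash, e.nt_hash) or e.nt_hash == EMPTY_NT:
            findings["no_password"].append(e.user)
            continue
        if e.lm_hash != EMPTY_LM:
            findings["lm_hash_present"].append(e.user)
        by_nt[e.nt_hash].append(e.user)
    for users in by_nt.values():
        if len(users) > 1:
            findings["shared_password"].extend(users)
    return dict(findings)

# The two lines quoted in the text above (the LM password is "password"); not newly constructed data.
SAMPLE_PWDUMP = """\
Administrator:500:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:Built-in account for administering the computer/domain::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:Built-in account for guest access to the computer/domain::
"""
```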