Cracking standard PWL files generated on the average Windows 95 box is easy. For this, you need a utility called Glide.

http://morehouse.org/hin/blckcrwl/hack/glide.zip 

Two different functions are used in the PWL system: one to encrypt and store the password and another to retrieve it. Those routines are as follows:

The password remains cached. You can write a routine in Visual C++ or Visual Basic (VB) that will get another user’s password; the only restriction is that the targeted user must be logged in when the program is executed (so the password can be trapped). The password can then be cached out to another area of memory. Having accomplished this, you can bypass the password security scheme by using that cached version of the password. (This technique is called cache flushing. It relies on the same principle as using a debugger to expose authentication schemes in client software.)

You can also force the cached password into the swap file. However, this is a cumbersome and wasteful method; there are other, easier ways to do it.

Either way, the PWL system is inherently flawed and provides very little protection against intrusion. If you are using Windows 9x or Windows Me, you need to install third-party access control. This chapter provides a list of such products and their manufacturers in the “Access Control Software” section later in this chapter. Not all products have a version for Windows Me. Check with the manufacturers for availability.

Several protocol parsers in Netmon have unchecked buffers. When an attacker sends a malformed frame to a server that is monitoring network traffic, and if the administrator is using a protocol parser with unchecked buffers, the malformed frame either causes Netmon to fail or causes code of the attacker’s choice to run on the server. If you are running Netmon under a local administrator’s account, the attacker can gain complete control over the server, but not over the domain. However, if you are running Netmon under a domain administrator’s account, the attacker might be able to gain control over the domain as well.

An intruder can only exploit this vulnerability locally. The intruder causes a denial-of-service attack on either a client or server box by sending large packets of random data to it. If the intruder identifies a system process that has an existing Link Control Protocol (LCP) connection with a privileged thread, she can then spoof the client and make requests that she wouldn’t ordinarily be able to perform. The amount of damage she can perform depends on which processes are running in the thread and what they permit her to do. The intruder can also eavesdrop on your session and potentially gather privileged information.

The SNMP Parameters key, RAS Administration key, and MTS Package Administration key all have inappropriately loose default permissions. This vulnerability could enable an attacker to manage or configure devices on the network, such as misconfiguring routers and firewalls and starting or stopping services on a machine.

When an attacker sends a malformed request for remote Registry access, the request can cause the Winlogon process to fail, which in turn can cause the entire system to fail.

Inappropriate permissions assigned to a networking mutex can permit an intruder to run code to gain control of the mutex and then deny access to it. Doing this prevents other processes from being able to perform network operations with the machine.

A perfect example is the RDISK hole. RDISK is a Windows NT utility that allows you to create emergency repair disks. This is a valuable utility for a system administrator. However, when it’s accessible to the wrong person, RDISK is an enormous security hole. Here’s why: A user can instruct RDISK to dump all security information (including passwords and Registry information) into the directory C:WINNTREPAIR. From there, an attacker can load a password cracker, and within hours, the box is completely compromised. This is just one more reason you should not walk away from your computer and leave it logged on. Would you like to try it yourself? Issue this command at a prompt: rdisk /s. Then go to the directory C:WINNTREPAIR, where you will find the necessary information you need to crack the box.

A malicious user with physical access to and administrative logon privileges on your domain server can install malicious code if the server was promoted to a domain server using the Configure Your Server tool. The only domain server in the forest that can be affected by this vulnerability is the one that was installed first.

Refer to the section “General Windows NT Security Vulnerabilities,” for an explanation of this vulnerability. This vulnerability affects both Windows 2000 and Windows NT.

This is privilege elevation vulnerability. An attacker could exploit this vulnerability to take any action he wanted to on your box, because it enables him to run commands and programs with the privileges of the operation system itself.

The Phone Book Service is used with dial-up networking clients to provide a prepopulated list of dial-up networking servers to the client. This service has an unchecked buffer in a portion of the code that does the processing of requests for phone book updates. When an attacker sends a malformed request, it can result in overrunning the buffer. This enables the attacker to execute any code that a user logged in to the server can run. In other words, the attacker can install and run code of his choice; add, delete, or change Web pages; reformat the hard drive; or do any number of other tasks.

If a malicious Webmaster were operating a Telnet server and you initiated a session with that server, the Webmaster could collect your NTLM responses and then use them to possibly authenticate to your box. This is possible because, as part of the session, your box might pass your cryptographically protected NTLM authentication credentials to his server. After he has obtained these credentials, he could then use an offline brute-force attack to gain your plaintext password.

This is a remote denial-of-service vulnerability. A malicious remote user can send a malformed input string from her box that would then cause the Telnet server to fail, causing the loss of any work in progress.

A malicious Web site can download a .CAB file to any disk on your box and then use the .CAB file to overwrite files, including system files. This could render your machine inoperable and create a denial of service on your box.

When you use Basic authentication to authenticate to a secured Web page, MSIE caches your user ID and password to minimize the number of times you must authenticate to the same site. Although MSIE should pass your cached credentials only to secured pages on the site, it will also send them to the site’s nonsecured pages. If an attacker has control of your box’s network communications when you log on to a secured site, the attacker can spoof a request for a nonsecured page and then collect your credentials.

This vulnerability enables an attacker to embed malicious VB code into Microsoft Access via Internet Explorer. Simply visiting a malicious Web site or previewing an email that contains malicious code can compromise your box.

When a connection to a secure server is made through either a frame or an image on a Web site, MSIE verifies only that the server’s Secure Sockets Layer (SSL) certificate was issued by a trusted root and does not verify either the server name or the expiration date of the certificate. When you make a secure connection via any other means, MSIE performs the expected validation. If a user establishes a new SSL session with the same server during the same MSIE session, MSIE does not revalidate the certificate.

A malicious Web site operator could entice a user to click a link on the operator’s site that would allow the operator to read, change, or add a cookie to that user’s box.

This vulnerability could enable an intruder to get around the antirelaying features of an Internet-connected Exchange server. Because encapsulated Simple Mail Transfer Protocol (SMTP) addresses are not subject to the same antirelaying protections as nonencapsulated SMTP addresses, an intruder can cause a server to forward an encapsulated SMTP address from the attacker to any email address she wants—as though the server were the sender of the email.

The Exchange Server normally checks for invalid values in the MIME header fields. However, the Exchange service will fail if a particular type of invalid value is present in certain MIME header fields. You can restore normal operations by restarting the Exchange Server and then deleting the offending mail. The offending mail will be at the front end of the queue after you restart the Exchange service.

When an attacker issues a series of incorrect data, an application error can result in the Server Information Store failing. It also causes users to fail in their attempts to connect to their folders on the Exchange Server.

When an attacker issues a series of incorrect data, an application error can result in the Internet Mail Service failing.

An intruder, running a sniffer on your network, might be able to observe an SSL-encrypted session, interrogate the server involved in that session, recover the session key used in that session, and then recover the encrypted data from that session.

A malicious user can log on to Exchange by using an account with a known username (EUSR_EXSTOREEVENT) and a password that Exchange creates during the setup process. Normally, this account has only local user rights, meaning that the account is neither a privileged account nor can it gain access to Exchange 2000 data. However, when you install Exchange 2000 on a domain controller, the system automatically gives Domain User privileges to the account, so it can gain access to other resources on the affected domain. Microsoft recommends that you disable or delete this account after the setup process has completed.

When a malicious user runs code masquerading as a third-party Web site, that code can take any action on your box that the third-party Web site is permitted to take. If you designate that Web site as a trusted site, the attacker’s code could take advantage of the increased privileges. The attacker can make the code persistent, so that if you return to that Web site in the future, the code will begin to run again.

FrontPage Server Extensions ship with IIS 4.0 and IIS 5.0 and provide browse-time support functions. A vulnerability exists in some of these functions that allows an attacker to levy a malformed form submission to an IIS server that would cause the IIS service to fail. In IIS 4.0, you have to restart the service manually. In IIS 5.0, the IIS service will restart by itself.

An attacker can cause a requested file to be processed by the .HTR ISAPI extension in such a way as to cause fragments of server-side files, such as .ASP files, to be sent to the attacker.

IIS uses the same session ID for both secure and nonsecure pages on the same Web site. What this means to you is that when you initiate a session with a secure Web page, the session ID cookie is protected by SSL. If you subsequently visit a nonsecure page on the same site, that same session ID cookie is exchanged, only this time in plaintext. If a malicious user has control over the communications channel of your box, she could then read the plaintext session ID cookie and use it to take any action on the secure page that you can.

An attacker can execute operating system commands that would enable her to take any action that any interactively logged-on user could take. This would enable her to add, delete, or change files on the server; modify Web pages; reformat the hard drive; run existing code on the server; or upload code onto the server and then run it.

An attacker can send an invalid URL to the server which, through a sequence of events, could result in an invalid memory request that would cause the IIS service to fail. Microsoft engineers believe that the underlying problem actually exists within Windows NT 4.0 itself.

By sending a malformed URL with an extremely large number of escape characters, an attacker can consume large quantities of CPU time and thus slow down or prevent the IIS server from providing service for a period of time.

An attacker can change or delete files or Web pages, run existing code on the Web server, upload new code and run it, format the hard disk, or take any number of other destructive actions.

Administrator Assistant Tool Kit is an application suite that contains utilities to streamline system administration on Windows NT boxes.

FileAdmin is an advanced tool for manipulating file permissions on large Windows NT-based networks. This utility can save you many hours of work.

Kane Security Analyst provides real-time intrusion detection for Windows NT 4.0 and Windows 2000. This utility monitors and reports security violations and is very configurable. It assesses six critical security areas: access control, data confidentiality, data integrity, password strength, system monitoring, and user account restrictions.

The LANguard Network Security Scanner not only enables you to monitor and control Internet usage on your network, but also monitors network traffic to detect break-ins from outside your network. With Network Security Scanner, you use keywords to block access to unwanted sites (such as IRC). You can also use keywords to block searches for objectionable material at search engine sites without blocking the entire search engine. With the network monitor, you can watch for suspicious incoming traffic to a specific server that shouldn’t be accessible to outside traffic.

Security Reporter collects data about your Windows NT 4.0 or Windows 2000 network, such as user rights, users having administrative rights, and resource permissions, among others. This information is stored in a central database, and you use this information to generate reports that help you to identify and fix potential security problems.

NT Crack is a tool that audits Windows NT passwords. This is the functional equivalent of Crack for Unix.

The Administrator’s Pak includes a variety of tools for recovering crashed Windows 2000 and Windows NT 4.0 systems. This bundle includes the NT Locksmith, NTRecover, Remote Recover, and NTFSDOS Pro tools, just to name a few. The Administrator’s Pak bundle is a great value for tools that will help with recovering your Windows 2000 and Windows NT boxes.

NTFSDOS Pro allows you to copy and rename permissions on Windows 2000 and Windows NT 4.0 from a DOS disk. This is a great tool to keep around for emergencies (for example, when you lose that Administrator password).

RemoteRecover is a salvage program. It allows you to access dead Windows NT/2000/XP volumes via a network—now is that cool or what? NTRecover uses TCP/IP to access files and volumes on a dead NT box. You use the TCP/IP network connection to make the disks on the dead box seem as though they are mounted on your own system.

PC Firewall ASaP is a bi-directional packet filter suite for Windows 9x/Me and Windows NT 4.0 clients.

RegAdmin is an advanced tool for manipulating Registry entries on large networks, which is a big timesaver.

Sniffer Basic (formerly named NetXRay Analyzer) is a powerful protocol analyzer (sniffer) and network monitoring tool for Windows NT. It is probably the most comprehensive NT sniffer available.

Somarsoft DumpSec dumps permissions for the NTFS file system in the Registry, including shares and printers. It offers a bird’s-eye view of permissions, which are normally hard to gather on large networks.

Somarsoft DumpEvt dumps Event Log information for importation into a database for analysis.

Somarsoft DumpReg dumps Registry information for analysis. It also allows incisive searching and matching of keys.

Virtuosity is a wide-scale management and Windows NT rollouts tool. (Good for heavy-duty rollouts.)

Cetus StormWindow allows you to incisively hide and protect almost anything within the system environment, including the following:

In all, Cetus StormWindow offers very comprehensive access control. (This product also intercepts most alternate boot requests, such as warm boots, Ctrl+Alt+Delete, and function keys.)

ConfigSafe Complete Recovery v4 records changes and updates made to the Registry, system files, drivers, directory structures, DLL files, and system hardware. You can instantly restore a system to a previously working configuration with ConfigSafe.

DECROS Security Card provides C2-level access control using physical security in the form of a card key. Without that card, no one will gain access to the system.

Desktop Surveillance is a full-fledged investigation and access control utility. (This product has strong logging and audit capabilities.)

The Detective is a simple but powerful tool for monitoring system processes. Omniquad Detective enables you to monitor computer usage, reconstruct activities that have occurred on a workstation or server, identify intruders who try to cover their tracks, perform content analysis, and define user search patterns. In all, this very comprehensive tool is tailor-made to catch someone in the act and is probably suitable for investigating computer-assisted crime in the workplace.

Windows Task-Lock 6.2 provides a simple, inexpensive, and effective way to password-protect specified applications no matter how you (or someone else) execute them. It is easy to configure and requires little to no modifications to your current system configuration. Optional Sound events, stealth mode, and password timeout are also included.

WinSafe allows you to encrypt your files using strong cryptography algorithms such as Blowfish and CAST. With WinSafe you can choose from among 28 different algorithms. Other tools included with this package are File Wiping and Merge Files. File Wiping rewrites deleted files with random trash for the number of times that you specify, whereas Merge Files enables you to merge two files so that you can hide one file in another.

Secure Shell (SSH), . as you have seen throughout the book, provides safe, encrypted communication over the Internet or other untrusted networks. SSH is an excellent replacement for Telnet or rlogin. SSH uses IDEA and Rivest-Shamir-Adelman (RSA) encryption and is therefore extremely secure. It is reported that the keys are discarded and new keys are made once an hour. SSH completely eliminates the possibility of third parties capturing your communication (for example, passwords that might otherwise be passed in clear text). SSH sessions cannot be overtaken or hijacked, nor can they be sniffed. The only real drawback is that for you to use SSH, the other end must also be using it. Although you might think such encrypted communication would be dreadfully slow, it isn’t.

If you are new to Windows NT security, the Windows NT Security Frequently Asked Questions document is an absolute must. I would wager that better than half of the questions you have about NT security are answered in this document.

http://www.it.kth.se/~rom/ntsec.html

NTBugTraq is an excellent resource provided by Russ Cooper of RC Consulting. The site includes a database of Windows NT vulnerabilities, plus the archived and searchable versions of the NTBugTraq mailing list.

http://www.ntbugtraq.com

This site is hosted by Aelita Software Group division of Midwestern Commerce, Inc., a well-known development firm that designs security applications for Windows 2000 and Windows NT, among other things.

http://www.ntsecurity.com/

This is a forum in which advanced Windows XP, Windows 2000, Windows NT, and Windows 9x/Me issues are discussed. It is a good place to find possible solutions to very obscure and configuration-specific problems. Regulars post clear, concise questions and answers along the lines of “I have a PPRO II w/ NT 4.0 and IIS 3 running MS Exchange 5.0, with SP3 for NT and SP1 for Exchange. So, why is my mail server dying?”

http://www.zdnet.com/community/?ROOT=331&MSG=331&T=index

The Windows IT Security site, hosted by Windows 2000 Magazine, is full of information about the latest in security. You can subscribe to discussion lists about advanced vulnerabilities in the Windows 2000 and Windows NT operating systems. You can find it at the following URL:

http://www.ntsecurity.net/

“An Introduction to the Windows 2000 Public Key Infrastructure” is an article written by Microsoft Press. It presents an introduction to one of Windows 2000’s new security features, PKI.

http://www.microsoft.com/windows2000/techinfo/howitworks/security/pkiintro.asp

I know what you’re thinking—commercial magazines are probably not very good sources for security information. Windows and .NET Magazine is the former Windows 2000 magazine, and the site offers numerous articles and FAQs on security for Windows .NET, XP, 2000 and NT. You can reach the site at http://www.winntmag.com/.

“Securing Windows NT Installation” is an incredibly detailed document from Microsoft on establishing a secure Windows NT server. You can find it at this site:

http://www.microsoft.com/ntserver/techresources/security/Secure_NTInstall.asp

Microsoft lists the steps necessary to upgrade to Windows 2000. Included is how to check whether your hardware and software are compatible with Windows 2000 and how to choose a filesystem. You can find it here:

http://www.microsoft.com/TechNet/win2000/srvchk.asp

This site contains a wide (and sometimes eclectic) range of tools and fixes for Windows NT. (A good example is a fully functional Curses library for use on NT.)

ftp://microlib.cc.utexas.edu/microlib/nt/