HOW SECURE IS YOUR NT?
~~~~~~~~~~~~~~~~~~~~~~

Written by: Armageddon. (Editor of A-S Magazine)

LEGAL BIT
~~~~~~~~~

First published for Anti-Social Magazine, www.antisocial.cjb.net
Reproduced by permission of the author. Anyone else who wishes to reproduce this article in their zine or wants it for their web site MUST contact me at: Khorne@compuserve.com
All information within is produced for educational purposes ONLY.

INTRODUCTION
~~~~~~~~~~~~

Windows NT: Microsoft's flagship operating system in many people's eyes (including their own). Developed to try and take over the UNIX monopoly on networking OSes by using a pretty point-and-click GUI instead of the command-driven UNIX OS. Within 6 months of its launch NT had taken over 20% of the web server OS market and it is slowly gaining more and more of a grip on the market, though arguably UNIX has made a small comeback in recent months. On the LAN market, however, NT is storming away from UNIX. The early days, where every US high school (and I don't live in the States, so if my terminology for your schools is wrong, fuck it) was networked using UNIX and the only people that really got to touch the network were computer science students and the like, are LONG gone. Today every school in every town has its computers networked, but for use by everyone; this causes a problem in that around 5% of most UK college students can't tell you what a word processor is, never mind what ls does in UNIX. The point being, if they don't really have a clue what they're doing on a GUI OS they'll die a quick death on one which is command driven. Consequently, when it comes to buying software for the network NT is the only choice for the server, and it's often backed up by Win95 clients. So overall, with the exception of WANs and web servers, what are we left with? Well, in short, a Microsoft dominated market. However, you know it, I know it and Bill Gates probably knows it.
When it comes to coding security, unless you give them a good 20 attempts, MS can't get the job done. Some might say that's because nobody likes Bill Gates. MS coders have done all kinds of mad things in MS products: in Excel, if you click on a certain cell you'll find a flight simulator loading up, written by a programmer who was apparently "bored at the time". Look at MS's CD-key protection: the first three digits can be anything at all, the remaining seven digits must be divisible by 6. I mean, come on, I could write that kind of protection code in my sleep and so could loads of you.

Enough of the introduction and on to the bulk of this article. Bear a few things in mind first: I have limited space to produce this article, thus it can't be a 100 page manual all in one go; secondly I have limited time to produce it; and finally this isn't really my specialist operating system..... I don't like it that much. Like 95 it's written like shit with one objective in mind: "get it to work... fuck how you do it." I'm sure Bill Gates uses that as his motto to Microsoft.

A BUNCH OF TERMS TO LEARN:-

UI (User Interface) : What the user sees on screen.
LSA (Local Security Authority) : Main security component, deals with the security policies and log auditing. Aka the security subsystem.
SAM (Security Account Manager) : Handles user and group accounts and provides user authentication for the LSA.
SRM (Security Reference Monitor) : Access validation and LSA auditing enforcer. This is responsible for checking a user's account (their privileges mainly) as they go about on the system, opening files for example. Auditing messages are generated in response to the user's actions, e.g. a user trying to get into a directory they don't have access to. Contains a copy of the access validation code to ensure that resources are protected uniformly throughout the system, regardless of resource type.
SOME DEFAULT GROUPS TO BE AWARE OF
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Being in one of these groups will allow:-

Server Operators : Do a shutdown (even remotely!), reset the system clock, perform backups and restores.
Backup Operators : Do a shutdown; perform backups and restores.
Account Operators : Do a shutdown.
Print Operators : Do a shutdown.

GENERAL PASSWORDING SCHEME
~~~~~~~~~~~~~~~~~~~~~~~~~~

You may remember that in the last issue of A-S Mag (7), in the UNIX Hacking Guide (Part 3), I showed how passwords on UNIX systems were encrypted. You still find that system employed today, mainly due to the fact that for large companies a system that works is a system to be left alone; large site licenses are usually too expensive to warrant use unless on networks which contain mission critical data, and then you generally won't find such a network open to the wide world. They'll be LANs, and if the security consultant who set it up has any brains he'll have even taken into account Ethernet electromagnetic emissions and how data can be retrieved on its travels around the network as a result of them, without gaining a direct connection to the system (though the equipment used to do such a thing is bloody expensive).

However, NT networks use an improved security feature (also explained in the UNIX hacking guide, as UNIX now has the same system available). This was developed by some of the best mathematicians in the world and works on the idea that if you don't store the password on the system AT ALL the system is far more secure than it would be if you simply encrypted the password field in the password database. So how do you do this? Well, it's done by putting the password through an irreversible function which is used to calculate a "hash value" for the password; it is this hash value which is stored in the password database and not an encrypted version of the password.
So now at a login, when a password is entered a mathematical function will be called, generating a hash value for the entered password, and then the two hash values are compared. The end result is that to gain access the two hash values must be equal to each other. Clearly, if the password isn't there in the first place you can't simply guess the encryption algorithm or decrypt it straight from what you find in the password database.

FIRST SECURITY WARNING
~~~~~~~~~~~~~~~~~~~~~~

At this point, one major thing still occurs, and while it's used there's definitely a security problem on NT (or any networkable OS). This is the fact that if you're still comparing one value to another value to decide if the password is accurate or not there's always a breach, in that all you have to do is try EVERY password possible given a set of characters, turn each combination into a hash value and compare the two. Because the hash method has been so well documented, a slow trickle of programs is being released for NT that do just this for you..... and if you don't know, this method of attack is referred to as a "brute force" attack, for obvious reasons. Brute force attacks are generally efficient; well, give them enough time and/or CPU power and they'll be 100% efficient at their task, and thus they are very popular attack methods when dealing with a system that you know is tightly secured AND/OR you know the members of the system aren't going to use weak passwords. Alternatively, and a very popular/efficient one it is too, is the dictionary attack. This is where the program takes a list of words (a dictionary file) and tries each word, one after another. On large networks and/or networks where many members of the system are semi-computer-illiterate this route will cut attack times down greatly; having said that, though, it is less likely to gain you an admin account or similar unless they actually use a full word, but that's getting very rare.
WHERE TO FIND THESE HASHES
~~~~~~~~~~~~~~~~~~~~~~~~~~~

I've now mentioned two types of attacks, but both refer back to a place where these passwords are stored; ok, that might be the wrong word: where the hash values of the passwords are stored, to be correct. They're stored in what's known as the SAM file (Security Account Manager), and generally speaking you won't have direct access to this file.... but getting access to this file I talk about later. However, if for some strange reason you have got a large amount of access on the system (e.g. admin privileges), and this may occur, say, if the company staff are on holiday or whatever and only the system admin and you (ignoring security and other irrelevant staff etc.) are in the building and (s)he is setting up this fine new network running on NT. Well, it's not unheard of that the admin will, for reasons that baffle me, set up the network giving all members admin privileges and then downgrade them..... not too sure why they do this, possibly they like to log in as a few other members and go "aha, I have admin access" or something like that, but anyway, just a little something I was informed about while attending a lecture on NT security that was being held in a side room at a computer fair (you know, like one of those little side attractions to the main computer fair they sometimes put on; quite interesting usually). Anyway, should you have this kind of access you'll find the file in the following location:-

\WINNT\SYSTEM32\CONFIG\SAM

But hey, you can do better than that; what you really want is a nice little program that will run through the SAM and pair user IDs with hash values, after all that's going to make your life far easier. Well, such a program does exist (thank god) and it goes by the name "pwdump.exe". VERY useful program, as you should have noticed by now.
I'm sure I'm going to cause a whole bunch of you to run off in search of this program, so I'll save you the search time: you can find it at (our usual) www.hack-net.com, and if it's not up at the time of writing this I'll do my best to get it to Shanners and up on the site by the time of release for this issue.

RUNNING PWDUMP WITHOUT ADMIN
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Ok, you've not got admin access (and if you had, would you really be trying to run pwdump? Probably not) but you want to get pwdump run on the machine; how to achieve this? Well, believe it or not, a *few* administrators will go for a bit of a lie and run the program without even knowing what it does. The trick here, well, one which has been known to work, is to social engineer (the polite way of saying "lie" or "negotiate") the admin into running the program for you when they have admin access: get them when they're at a terminal logged on and say person X said to run/test this for them, and act like you ain't got a fucking clue what a disk or motherboard is. Now timing is essential, so just as the mouse clicks that set the program off sound you want a MAJOR distraction...... an hdd failure on a machine some distance from the terminal logged in with admin access, or lots of "Oh my god, what have I done... arrrgh, help" kind of noises, works wonders. Remember it has to be a spontaneous reaction from the admin; you can't say "person X wants to see you now! They said it was very urgent". If they have half a brain the admin will log off first and your chance has been missed. Of course, if the above trick works, and allowing that you are starting with a legit account anyway, it might be worth running getAdmin and upgrading your account to admin access, but what does this do but indicate it was you who hacked the machine!
(*Far* safer to hack another person's account and upgrade them and/or just hack admin.) Yeah yeah, you COULD put pwdump in an ActiveX control on a web page and get the admin to go to that site (obviously using an admin account) and that would work, but I admit to the fact that this method is a little vague to me and, as I said, NT isn't my strongest OS.... but hey, I'm a master at negotiation, and where the fuck's the fun in hoping they'll visit some web page (and even then, if they have it set up properly it won't do shit for you) when you can trick them into running the program for you by word of mouth.... which, regardless of what some may tell you, is a fine tool in hacking.

SNIFF SNIFF -Second security warning
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Got access to the Ethernet cabling? Sometimes you actually won't have, but on most LANs you will have a good level of access to the cabling, and in this case you'll be able to do a little wire tapping and sniff those password hashes out just from the data that's travelling around on the cables. Remember that calls to the SRM (see top of file) have to be made every time a user accesses a file/directory, and so there's a lot of password data being fired around a network which is unnoticed by many a user. This is the bit I find highly ironic: NT was written by Microsoft, as you all should know well; isn't it nice of them to then go and release a very good tool for hacking their own OS! How kind of them; ah, Bill Gates, so nice to see you back in the hacking scene. The tool in question is called "Network Monitor", by Microsoft, offering a lovely graphical user interface (I mean, why write a pretty OS without having a pretty hacking tool to go with it!?!?). Even better is the fact that Network Monitor can be used to sniff out password data even on the Internet!
Unfortunately, as you should have guessed, to do such a thing you'd need direct access to the backbone cabling at your (or any) ISP, but hey, something to keep in mind if you ever go on a little field trip at your ISP and they're stupid enough to let you near their main computers with a laptop in your hand, or better still you start working night shifts at your ISP and get a little bored.

The down side, and let's face it there had to be a down side, is that unfortunately NT simply doesn't work on the same SMB protocol which older networking OSes once worked on; that being, they *don't* send password hashes in full but instead use a request/response protocol which greatly increases security on that system. This system works by the client remembering a 16 bit hash when the user logs in, and when needed the client does a calculation whereby the server sends an 8 byte random value to the client machine; the client then uses its remembered 16 bit hash along with 5 null bytes to generate *three* 56 bit DES keys. The 8 byte value is then DES encrypted with each of the 56 bit keys...... leading to the creation of a final 24 byte response which is sent back to the server. The server now does the same thing as the client just did, using its SAM database, and if the answer is the same the action is allowed. Ok, now as you can see that's going to be one fucker of a task to get the password data out of all that, and that's pretty much a no go (though not impossible) for most hackers; by that I mean your odds on being able to crack it are pretty low and so many see it as not worth bothering with. Why, when there's a far nicer route to the same answer?

A FAR FAR NICER ROUTE?
~~~~~~~~~~~~~~~~~~~~~~

"Aha, I know, we'll stop the password data being sent all in one go across the network..... instead we'll store all the data on the client and generate responses from that stored data." Did that statement bring up any ideas? No? Argh, fuck, this whole article has been a waste.
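Before going on, here is the challenge/response round from the previous section worked through in Go, as an added example that is not code from the original article. Both ends compute the same thing from the 16-byte LM/NT hash, so the hash alone answers the challenge and the password is never needed; that is why the hash in the SAM, and any repair disk or backup copy of it, has to be guarded as tightly as a plaintext password. The sample hash and challenge bytes are constructed for illustration.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// expandKey spreads 7 key bytes over 8, leaving the low bit of each byte
// as the DES parity bit (which crypto/des ignores).
func expandKey(k7 []byte) []byte {
	k8 := make([]byte, 8)
	k8[0] = k7[0] & 0xFE
	for i := 1; i < 7; i++ {
		k8[i] = k7[i-1]<<uint(8-i) | k7[i]>>uint(i)
	}
	k8[7] = k7[6] << 1
	return k8
}

// ChallengeResponse is what both ends compute: pad the 16-byte hash with 5
// null bytes to 21, split into three 7-byte DES keys, DES-encrypt the 8-byte
// challenge under each key and concatenate the three blocks (24 bytes).
func ChallengeResponse(hash16, challenge8 []byte) ([]byte, error) {
	if len(hash16) != 16 || len(challenge8) != 8 {
		return nil, fmt.Errorf("need a 16-byte hash and an 8-byte challenge")
	}
	padded := append(append([]byte{}, hash16...), make([]byte, 5)...)
	resp := make([]byte, 0, 24)
	for i := 0; i < 21; i += 7 {
		blk, err := des.NewCipher(expandKey(padded[i : i+7]))
		if err != nil {
			return nil, err
		}
		out := make([]byte, 8)
		blk.Encrypt(out, challenge8)
		resp = append(resp, out...)
	}
	return resp, nil
}

// ServerVerify is the server's half: recompute from the hash held in the
// SAM and compare in constant time. The password itself is never needed.
func ServerVerify(samHash, challenge, clientResp []byte) bool {
	expected, err := ChallengeResponse(samHash, challenge)
	return err == nil && subtle.ConstantTimeCompare(expected, clientResp) == 1
}

func main() {
	// Constructed sample values (a real server picks a fresh random challenge).
	samHash, _ := hex.DecodeString("e52cac67419a9a224a3b108f3fa6cb6d")
	challenge, _ := hex.DecodeString("0123456789abcdef")
	resp, _ := ChallengeResponse(samHash, challenge) // client side
	fmt.Printf("challenge %x -> response %x\n", challenge, resp)
	fmt.Println("server accepts:", ServerVerify(samHash, challenge, resp))
	// The same response against a different challenge must be rejected.
	other, _ := hex.DecodeString("fedcba9876543210")
	fmt.Println("replayed against new challenge:", ServerVerify(samHash, other, resp))
}
```

The fresh random challenge is what stops a sniffed response from being replayed; it does nothing against someone who already holds the hash.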
So either you managed to come up with an idea for how to exploit the system described in the above statement, or you haven't got a clue but really want to know more (nice to hear it!). Well, what do you reckon would happen if we were using a tampered-with client and this "improved" client was running off a cracked NT password database, yes, with hashed LanManager and NT passwords? Have I got your ideas flowing yet? Basically the server creates the challenge and sends it to the client. The client searches for the hash value to use (in the copy of the NT password database) and calculates the response. It sends the answer back to the server, which now does the same, and oh look, all is clear and happy!!

YES BUT I NEED THE PASSWORD FILE FIRST
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well, yes you do, but of course you don't think I'd leave you all without one or two final top tricks now, do you? Of course not!!!! So you can't get the fucker to run pwdump and you can't manage to get him away from the machine while admin is logged in. Well, try this on for size: every admin/sysop I've ever talked to (and trust me, I've talked to a lot) is, bottom line, scared shitless about having some big file loss where the whole system goes down and the data that was on it, or a large chunk of it (e.g. anything that would take more than an hour or two to re-setup/install), is deleted beyond recovery... I refer to this occurrence as data being "burned", but if you don't like that term, don't use it. So what do you find with any network????? Backup tapes, fucking tons of them. No, I swear a system administrator's closest relative is the hamster, the difference being that the hamster stashes nuts and such like and your average admin stashes backup tapes. We're not talking "the latest stuff" or "the vital files" here in any way whatsoever.
We're talking "every fucking file that ever touched the system": name a file and I bet they've got it on a backup tape, be that email, a letter to an enemy about how hard you fucked their wife last night or whatever.... it's on a backup tape. So imagine how much your admin's face will light up with pleasure when you cheerfully inform them that there's this great way of making backup files of the password database!!!! I mean, we're not talking an easy thing to set up here: if your network has 200 users on it and admin has to set up each account (which is standard normally), think of how fucking long it would take to re-setup all those accounts, and how many holes they fear they may create because they got really bored, thus lazy, when re-typing out all these accounts!!!! Nice way to back up the file; they'll give you an award for telling them all about it. Ok, what you want them to do is: create repair disks, preferably lots of them! It may be worth quoting the fact that *ALL* the large systems in the country (UK, but I'd put money on the whole world) carry at least 3 backups of files this vital (normally you have: "onsite" -general-, "offsite" -outside in a fire proof safe- and "off location" -same as offsite, only this time it's on the other side of the country to protect against large bomb attacks which the above safe wouldn't be able to protect against). Obviously you don't want them to have 3 copies all over the country; you want 5-10 copies all over the building lying around, don't you? So aim your negotiation strategy at that idea. Why? Well, on the repair disks is the SAM file, but this time without any read/write protection, so anyone can come along and use it!

CRACKING A PASSWORD FILE
~~~~~~~~~~~~~~~~~~~~~~~~~

The best until last, you think? I don't know, this whole article hasn't been a bad one to write, pretty informative overall.
Ok, let's face it, the bottom line is that this really is going to be a lot of you lot's favorite bit...... but I encourage you to actually read the other 14K or so of text if you haven't already, because if you don't you may be "what the fuck?" more than anything. Got pwdump working, got a SAM dump and it all looks very nice and pretty. Oh yeah, you've missed something: you ain't cracked any passwords to hack the system with. Bring in the final tool for this article:-

NTcrack2.zip -by: Jonathan Wilkins

OK, not the final; there's another one I like:

lc15exe.tgz -by: Mudge & Weld Pond (L0pht members)

Which one do I prefer? It has to be said that the latter, by L0pht, is the best of the two, basically because the first is only a dictionary cracker whereas L0pht's can brute force OR use a dictionary, whichever attack you like. And the format I've provided their names in should help you find them online, be it at hack-net (hopefully they'll be up there, if they're not already) or out and about on the Internet.

Well, that about wraps it all up for this article; hopefully I've not missed anything. I'm sure there's stuff I've been forced to leave out due to file size (it's pointless writing 120K articles every month if the reader gets bored shitless and doesn't read the last 70+K). You may see me do additions to this article in the future.... it's very likely, so what can I say other than: Watch this space!

-[ARMAGEDDON]-
armageddon@hack-net.com (back up soon)
Khorne@compuserve.com