Windows 9x/NT Internet Security

     This paper is an attempt to explain how to access a Windows 9x/NT machine connected to the Internet; equipped with this knowledge, an administrator can better secure their own system against remote penetration.

     The exploit is a misconfiguration of the Windows networking protocol NetBIOS over TCP/IP. On a Windows machine with "File and Print Sharing" enabled, one must be careful about how the sharing is bound to the network adapters. In most circumstances, file and printer sharing is intended for the local area network (LAN), not the Internet. The problem is that most systems are not configured to prevent the same sharing over the Internet as on their LAN: the sharing service is bound to every adapter, including the dial-up adapter, so the shares are reachable by any host that can reach TCP port 139.

The Exploit

     The exploit process requires a Windows system and some basic knowledge of connecting to Windows SMB network shares. One additional component makes the process quicker and more productive: a NetBIOS port scanner. Many NetBIOS port scanners are available, but I recommend the "Legion" scanner. It scans a subnet for the NetBIOS session port (139/tcp) and lists every computer that answers the probe. Once the scan is complete, Legion goes back through that list and requests the available shares from each responding computer. When all is complete, you have one list of all computers on the specified subnet which respond to NetBIOS probes and a second list of the computers that advertise the network share names they have available. The computers in the second list are the ones we are going to penetrate.
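The first Legion step, finding every host on a subnet that accepts a connection on 139/tcp, as an added Python example (not the paper's code and not Legion's): a concurrent TCP connect sweep with a per-host timeout. The share listing Legion performs afterwards needs an SMB client and is not part of this block; the port, timeout and worker count are this example's own defaults.

```python
"""Sweep a subnet for hosts accepting connections on the NetBIOS session port.

Added example, not code from the paper or from the Legion scanner it mentions.
Port, timeout and worker count are this example's own defaults.
"""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

NETBIOS_SSN_PORT = 139


def expand(cidr: str) -> list:
    """All host addresses in a CIDR block, e.g. "192.0.2.0/24" -> 254 strings."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]


def port_open(host: str, port: int = NETBIOS_SSN_PORT, timeout: float = 1.0) -> bool:
    """True only when the TCP handshake completes. A refused connection and a
    timed-out (filtered) one both surface as OSError and count as not open."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def sweep(hosts, port: int = NETBIOS_SSN_PORT, timeout: float = 1.0, workers: int = 64) -> list:
    """Probe every host in parallel; return those with `port` open, in input order."""
    hosts = list(hosts)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = list(pool.map(lambda h: port_open(h, port, timeout), hosts))
    return [h for h, is_open in zip(hosts, flags) if is_open]


if __name__ == "__main__":
    import sys
    # Usage: python sweep139.py 192.0.2.0/24
    for host in sweep(expand(sys.argv[1])):
        print(host)
```

A host that answers on 139/tcp is only a candidate: the paper's next steps (nbtstat and net view) tell you whether the Server service is actually offering shares, and a firewall that silently drops the SYN shows up here as a timeout rather than a refusal, which is why the timeout is kept short.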

     First, to connect to a remote SMB network share, right-click the Network Neighborhood icon and choose the option "Map Network Drive". The Map Network Drive applet will appear with two selection boxes. The first box designates which drive letter you would like to alias to the network share; choose any free letter. The second selection box is the location of the network share. In this box you can use either a computer name or an IP address. On a local area network (LAN), you would most likely specify the name of the computer. For our exploit, you will be using the IP address of the remote computer we are going to penetrate, specified as follows: "\\www.xxx.yyy.zzz". When you know the name of the network share you wish to connect to, for example a share named "C", the complete syntax for the path is: "\\www.xxx.yyy.zzz\C".

Note: In the Map Network Drive applet, there exists a check box with the option to "Reconnect at logon", clear this checkbox before mapping the remote share.

     For people who are more familiar with NetBIOS network sharing, the command line achieves the same result:

	net use drive path
	net use x: \\www.xxx.yyy.zzz\C

Note: When using the command line on remote networks such as the Internet, a problem can occur: the net command may try to reach the IP address through your LAN interface. With the GUI approach, when two IP addresses exist (LAN and Internet), Windows prompts you for which gateway to use; choose the Internet IP address (gateway).

     Once you have found a remote computer with a network share, try to map the share to your computer using one of the processes explained above. You will most likely have used the Legion port scanner to find the remote computer; the only alternative is to use the "net" command line utility to go through a subnet address by address, which is not very efficient. If it asks for a password when you try to map the drive, try a blank password; if it still denies you access to the share, leave it alone and find another computer to try. I don't recommend trying to break into a random computer by guessing passwords for this exercise.

     When the remote network share is mapped to your system, go into "My Computer" and double-click the share. From this point, you are browsing their hard disk from your system. Don't forget to unmap the drive when you are finished; this is the reverse of the mapping process: right-click the "Network Neighborhood" icon, choose "Disconnect Network Drive", select the share you mapped and choose OK.

Sensitive Windows 9x Files


Local Security Evaluation

     To confirm that your computer is safe from remote NetBIOS penetration, or to fix it should you determine that it is vulnerable, the following instructions should help:

Method 1

  1. Go into the Network applet from the Control Panel.
  2. Go to the "Dial-Up Adapter" properties.
  3. Select the "Bindings" tab in the properties applet and make a note of the check boxes that are checked (the protocols bound to the adapter).
  4. For each protocol that was checked, perform the following steps:

    1. Select the protocol and choose Properties (or double-click the protocol).
    2. Go to the "Bindings" tab.
    3. Uncheck the checkbox labeled "File and Print sharing for Microsoft Networks".
    4. Choose OK to close the applet.

  5. Click OK at the bottom of the Network applet and restart the computer when prompted.

Method 2

This method assumes you are not sharing any folders or printers on a local area network (LAN).

  1. Go into the Network applet from the Control Panel.
  2. Click the button labeled "File and Print Sharing".
  3. Uncheck any boxes that may be checked.
  4. Click OK and then OK again on the Network applet.
  5. Restart the computer when prompted.

     If you are not sharing on a local area network (LAN), it is a good idea to implement Method 1 as well as Method 2. A last method, usable in combination with the two above, is a firewall. A properly configured firewall prevents any access to network shares from remote (Internet accessible) systems, for example by blocking inbound TCP port 139 (and UDP ports 137 and 138, used for NetBIOS name service and datagrams) on the dial-up interface. For a simple home firewall, I would recommend the BlackICE firewall by Network ICE. More elaborate firewalls exist, but as the complexity of the firewall grows, so does its configuration; if your knowledge of firewalls does not grow with it, your security decreases.

SMB Security
Using NetBIOS


NET HEX Codes

Name                Number    Type    Usage
=====================================================================
<computername>        00       U      Workstation Service
<computername>        01       U      Messenger Service
<\\_MSBROWSE_>        01       G      Master Browser
<computername>        03       U      Messenger Service
<computername>        06       U      RAS Server Service
<computername>        1F       U      NetDDE Service
<computername>        20       U      File Server Service
<computername>        21       U      RAS Client Service
<computername>        22       U      Exchange Interchange
<computername>        23       U      Exchange Store
<computername>        24       U      Exchange Directory
<computername>        30       U      Modem Sharing Server Service
<computername>        31       U      Modem Sharing Client Service
<computername>        43       U      SMS Client Remote Control
<computername>        44       U      SMS Admin Remote Control Tool
<computername>        45       U      SMS Client Remote Chat
<computername>        46       U      SMS Client Remote Transfer
<computername>        4C       U      DEC Pathworks TCPIP Service
<computername>        52       U      DEC Pathworks TCPIP Service
<computername>        87       U      Exchange MTA
<computername>        6A       U      Exchange IMC
<computername>        BE       U      Network Monitor Agent
<computername>        BF       U      Network Monitor Apps
<username>            03       U      Messenger Service
<domain>              00       G      Domain Name
<domain>              1B       U      Domain Master Browser
<domain>              1C       G      Domain Controllers
<domain>              1D       U      Master Browser
<domain>              1E       G      Browser Service Elections
<INet~Services>       1C       G      Internet Information Server
<IS~computername>     00       U      Internet Information Server
<computername>        2B       U      Lotus Notes Server
IRISMULTICAST         2F       G      Lotus Notes
IRISNAMESERVER        33       G      Lotus Notes
Forte_$ND800ZA        20       U      DCA Irmalan Gateway Service


NBTStat

If a port scan reports that port 139 is open on the target machine, a natural
process follows. The first step is to issue an NBTSTAT command.

The NBTSTAT command queries network machines for their NetBIOS name
information (it sends a NetBIOS node-status request to UDP port 137). It is
also useful for purging the NetBIOS name cache and preloading the LMHOSTS
file. This one command can be extremely useful when performing security
audits: interpreting the information it returns can reveal more than one
might think.

Usage:   nbtstat [-a RemoteName] [-A IP_address] [-c] [-n] [-R] [-r] [-S] [-s] [interval]

Switches:
  -a   Lists the remote computer's name table given its host name.
  -A   Lists the remote computer's name table given its IP address.
  -c   Lists the remote name cache including the IP addresses.
  -n   Lists local NetBIOS names.
  -r   Lists names resolved by broadcast and via WINS.
  -R   Purges the remote cache name table and reloads it from LMHOSTS.
  -S   Lists the sessions table with destination IP addresses.
  -s   Lists the sessions table, converting destination IP addresses to
       computer NetBIOS names.

The column headings generated by NBTSTAT have the following meanings:

Input
     Number of bytes received.
Output
     Number of bytes sent.
In/Out
     Whether the connection is from the computer (outbound) or from another
     system to the local computer (inbound).
Life
     The remaining time that a name table cache entry will "live" before your
     computer purges it.
Local Name
     The local NetBIOS name given to the connection.
Remote Host
     The name or IP address of the remote host.
Type
     A name can have one of two types: unique or group.
     The last byte of the 16-byte NetBIOS name is a suffix identifying the
     service that registered the name, which is why the same name can appear
     several times on one computer. NBTSTAT shows that byte in hex, e.g. <20>.
State
     Your NetBIOS connections will be shown in one of the following "states":


State           Meaning

Accepting       An incoming connection is in process.

Associated      The endpoint for a connection has been created and your computer
                has associated it with an IP address.

Connected       This is a good state! It means you're connected to the remote
                resource.

Connecting      Your session is trying to resolve the name-to-IP address mapping
                of the destination resource.

Disconnected    Your computer requested a disconnect, and it is waiting for the
                remote computer to do so.

Disconnecting   Your connection is ending.

Idle            The endpoint has been opened but is currently not accepting
                connections.

Inbound         An inbound session is trying to connect.

Listening       The endpoint is available for an inbound connection.

Outbound        Your session is creating the TCP connection.

Reconnecting    If your connection failed on the first attempt, it will display
                this state as it tries to reconnect.



Here is a sample NBTSTAT response:

C:\>nbtstat -A 195.171.236.139


       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
MR_B10NDE      <00>  UNIQUE      Registered
WINSEKURE LABS <00>  GROUP       Registered
MR_B10NDE      <03>  UNIQUE      Registered
MR_B10NDE      <20>  UNIQUE      Registered
WINSEKURE LABS <1E>  GROUP       Registered

MAC Address = 44-45-53-54-00-00

Using the NET HEX Codes table above, what can you learn about the machine? The
UNIQUE <00> entry gives the computer name (MR_B10NDE) and the GROUP <00> entry
its workgroup or domain (WINSEKURE LABS). The <20> entry shows the File Server
Service is running, so any shares the machine has are reachable on port 139.
The <1E> entry shows the workgroup takes part in browser elections. The only
<03> name is the computer name itself, so no separate user name is registered
at the moment. Finally, the MAC address 44-45-53-54-00-00 (ASCII "DEST") is the
placeholder address Windows reports for its Dial-Up Adapter, so the machine is
on a dial-up connection rather than a LAN.

NetBIOS name records can have the following types:

Unique (U): The name may have only one IP address assigned to it. On a network 
device, multiple occurrences of a single name may appear to be registered, but
the suffix will be unique, making the entire name unique.

Group (G): A normal group; the single name may exist with many IP addresses. 

Multihomed (M): The name is unique, but due to multiple network interfaces
on the same computer, this configuration is necessary to permit the
registration. Maximum number of addresses is 25.

Internet Group (I): This is a special configuration of the group name used
to manage WinNT domain names.

Domain Name (D): New in NT 4.0.



The next step for an intruder would be to list the open shares on the given
computer using the net view command. Here is an example of the net view
command used against my box, which has the open shares C:\ and C:\MP3S\:

C:\>net view \\195.171.236.139
Shared resources at \\195.171.236.139

Sharename    Type         Comment
--------------------------------------------------------------------
C            Disk         Drive C:\
MP3S         Disk         My collection of MP3s
The command was completed successfully.

Now, using the nbtstat command, the intruder can get the login name of anyone
logged on locally at that machine. In the results from the nbtstat command,
UNIQUE entries with the <03> suffix are the names registered by the Messenger
service: one is the computer name, and any other is the user name of a
logged-on user. Gleaning user names can also be accomplished through a null
IPC$ session and the SID tools (user2sid/sid2user).
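What nbtstat -A does on the wire, and the reading of the name table asked for above (computer name, workgroup, File Server Service, <03> user names, dial-up MAC), as an added Python example that is not the paper's code: it builds the NetBIOS node-status request, decodes a node-status reply per RFC 1001/1002, and interprets the result. The reply it decodes is constructed inline from the paper's sample output (the name flags and the zeroed statistics block are this example's assumptions), so the block runs offline; query_host() sends the same request to a live host on UDP 137 and is not used by the demo.

```python
"""Build/decode NetBIOS node-status (NBSTAT) packets the way nbtstat -A does.

Added example, not from the original paper. Wire format per RFC 1001/1002.
The sample reply below is constructed from the paper's nbtstat output.
"""
import socket
import struct
from dataclasses import dataclass

NBNS_PORT = 137
NBSTAT = 0x0021                                # RR type of a node-status query/reply
DIALUP_MAC = bytes.fromhex("444553540000")     # "DEST": MAC of the Windows Dial-Up Adapter

# Common suffixes from the paper's NET HEX Codes table.
SUFFIXES = {0x00: "Workstation Service / Domain Name", 0x03: "Messenger Service",
            0x1B: "Domain Master Browser", 0x1C: "Domain Controllers",
            0x1D: "Master Browser", 0x1E: "Browser Service Elections",
            0x20: "File Server Service"}


@dataclass
class NbName:
    name: str
    suffix: int
    group: bool      # G flag (0x8000): group name, otherwise unique
    active: bool     # ACT flag (0x0400): name is registered and in use


def encode_name(name: str, suffix: int = 0x00, pad: bytes = b" ") -> bytes:
    """RFC 1001 first-level encoding: 16 raw bytes -> 32 letters A..P, length-prefixed."""
    raw = name.encode("ascii").ljust(15, pad)[:15] + bytes([suffix])
    letters = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return bytes([32]) + letters + b"\x00"


def build_node_status_request(txid: int) -> bytes:
    """The query nbtstat -A sends: QDCOUNT=1, wildcard name '*' padded with NULs."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name("*", pad=b"\x00") + struct.pack(">HH", NBSTAT, 1)


def build_node_status_response(txid: int, names: list, mac: bytes) -> bytes:
    """Constructed reply (assumed flags, zeroed statistics) so the decoder runs offline."""
    rdata = bytes([len(names)])
    for n in names:
        flags = (0x8000 if n.group else 0) | (0x0400 if n.active else 0)
        rdata += n.name.encode("ascii").ljust(15) + bytes([n.suffix]) + struct.pack(">H", flags)
    rdata += mac + bytes(40)                                   # UNIT_ID (MAC), then statistics
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)  # QR=1 (response), AA=1
    rr = encode_name("*", pad=b"\x00") + struct.pack(">HHIH", NBSTAT, 1, 0, len(rdata))
    return header + rr + rdata


def parse_node_status_response(data: bytes):
    """Return (names, mac) from an NBSTAT reply; raise ValueError on anything else."""
    txid, flags, qd, an, ns, ar = struct.unpack_from(">HHHHHH", data, 0)
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a node-status response")
    off = 12
    while data[off]:                     # skip RR_NAME labels (NBNS does not compress them)
        off += data[off] + 1
    off += 1
    rtype, rclass, ttl, rdlen = struct.unpack_from(">HHIH", data, off)
    off += 10
    if rtype != NBSTAT:
        raise ValueError(f"unexpected RR type {rtype:#06x}")
    count, off = data[off], off + 1
    names = []
    for _ in range(count):               # 18 bytes per entry: 15 name + 1 suffix + 2 flags
        raw, suffix = data[off:off + 15], data[off + 15]
        fl = struct.unpack_from(">H", data, off + 16)[0]
        off += 18
        names.append(NbName(raw.rstrip(b" ").decode("ascii", "replace"), suffix,
                            bool(fl & 0x8000), bool(fl & 0x0400)))
    return names, data[off:off + 6]


def interpret(names: list, mac: bytes) -> dict:
    """The reading of the name table the paper asks for."""
    computer = next((n.name for n in names if n.suffix == 0x00 and not n.group), None)
    workgroup = next((n.name for n in names if n.suffix == 0x00 and n.group), None)
    users = [n.name for n in names if n.suffix == 0x03 and not n.group and n.name != computer]
    return {"computer": computer, "workgroup": workgroup,
            "file_sharing": any(n.suffix == 0x20 and not n.group for n in names),
            "logged_on_users": users, "dialup": mac == DIALUP_MAC}


def query_host(ip: str, timeout: float = 2.0):
    """Live version: send the request to UDP/137 and decode whatever comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_request(0x1234), (ip, NBNS_PORT))
        data, _ = s.recvfrom(4096)
    return parse_node_status_response(data)


# Constructed sample mirroring the paper's "nbtstat -A 195.171.236.139" output.
SAMPLE_NAMES = [NbName("MR_B10NDE", 0x00, False, True), NbName("WINSEKURE LABS", 0x00, True, True),
                NbName("MR_B10NDE", 0x03, False, True), NbName("MR_B10NDE", 0x20, False, True),
                NbName("WINSEKURE LABS", 0x1E, True, True)]
SAMPLE_REPLY = build_node_status_response(0x1234, SAMPLE_NAMES, DIALUP_MAC)


def demo() -> dict:
    names, mac = parse_node_status_response(SAMPLE_REPLY)
    for n in names:
        kind = "GROUP " if n.group else "UNIQUE"
        print(f"{n.name:<16}<{n.suffix:02X}>  {kind}  {SUFFIXES.get(n.suffix, '?')}")
    print("MAC Address =", "-".join(f"{b:02X}" for b in mac))
    return interpret(names, mac)


if __name__ == "__main__":
    print(demo())
```

The encoded wildcard name comes out as the well-known "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" string, which is also what you will see in packet captures and IDS signatures for NetBIOS name-table sweeps; a firewall that drops inbound UDP 137 on the dial-up interface, as recommended in the Local Security Evaluation section, stops this query before the Server service is ever reached.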