Goal:
I wanted to see how well Windows 2000 security holds up, so I decided to test it. To be exact, the basic attacks on Win2000 should use the NT 4.0 methods to check whether the other side has patched its vulnerabilities; I think you will be very surprised. Not only have they not fixed the old vulnerabilities, there are new ones. I am an MCSE, so Microsoft gave me a beta version. Here is my assessment.
Method:
First I needed to find some ordinary users running Win2000. I opened an IP scanner and found about 6000 IP addresses; these were dial-up users with long-lasting connections, and I sorted out the ones running Win2000. OK, the attack begins.
First I used the Table 1.1 tool to get the basic information of the Win2000 machine:
NetBIOS
Share Information
Share Name: IPC$
Share Type: Default Pipe Share
Comment: Remote IPC
Warning - null session can be established to \\24.?.?.?\IPC$
Share Name: ADMIN$
Share Type: Default Disk Share
Comment: Remote Admin
Share Name: C$
Share Type: Default Disk Share
Comment: Default Share
Account Information
Account Name: Administrator
The Administrator account is an administrator, and the password was changed 3 days ago. This account has been used 2 times to logon. The default Administrator account has not been renamed. Consider renaming this account and removing most of its rights. Use a different account as the admin account.
Comment: Account upgraded from Windows 95 or Windows 98
User Comment:
Full Name: Administrator
Account Name: Guest
The Guest account is a guest, and the password was changed 0 days ago. This account has been used 0 times to logon.
Comment: Built-in account for guest access to the computer/domain
User Comment:
Full Name:
Account Name: User1
The User1 account is an administrator, and the password was changed 3 days ago. This account has been used 22 times to logon.
Comment: Account upgraded from Windows 95 or Windows 98
User Comment:
Full Name: User1
Warning - Administrator's password is blank
Warning - User1's password is blank
That struck me as strange. First, the Administrator account and another user (also an administrator) had blank passwords. These accounts appeared to have been upgraded from Win98 or 95, which made me curious, so I decided to try it myself. I upgraded my own 98 machine to 2000. This machine sits in a peer-to-peer workgroup, and there is a domain controller on the network. I followed the prompts step by step and the upgrade went smoothly. After the reboot, a window came up for setting the passwords of the new Win2000 accounts; it lists the accounts created during the upgrade, and you are supposed to set a password for each user. Strangely, it also offers to keep the same passwords as under Win98: [If you do not want to see this screen again then just hit Enter]. I pressed Enter, went into Win2000, and the users on the machine had been given empty passwords. This is not safe. I also upgraded another Win98 machine to 2000, and it too created an ADM (administrator) user with an empty password.
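To turn a listing like the one above into a prioritised set of findings, here is an added Python example (not from the original article or from any tool it used) that parses a constructed, condensed copy of that report: blank passwords on admin-level accounts come first, then the null session, the Win9x-upgraded admin accounts and the exposed administrative shares.

```python
import re

# Constructed sample: the scanner report quoted in the text, condensed
# (the address is masked as in the original).
SAMPLE_REPORT = """\
Share Name: IPC$
Warning - null session can be established to \\\\24.?.?.?\\IPC$
Share Name: ADMIN$
Share Name: C$
Account Name: Administrator
The Administrator account is an administrator. The default Administrator account has not been renamed.
Comment: Account upgraded from Windows 95 or Windows 98
Account Name: User1
The User1 account is an administrator.
Comment: Account upgraded from Windows 95 or Windows 98
Warning - Administrator's password is blank
Warning - User1's password is blank
"""

def parse_accounts(text):
    """Map each account name to the flags the report states about it."""
    accounts, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        low = line.lower()
        if low.startswith("account name:"):
            current = line.split(":", 1)[1].strip()
            accounts[current] = {"admin": False, "upgraded": False, "blank": False}
        elif current and "account is an administrator" in low:
            accounts[current]["admin"] = True
        elif current and "upgraded from windows 9" in low:
            accounts[current]["upgraded"] = True
    # The blank-password warnings sit at the end of the report, after the account blocks.
    for name in re.findall(r"Warning - (\S+)'s password is blank", text):
        accounts.setdefault(name, {"admin": False, "upgraded": False})["blank"] = True
    return accounts

def triage(text):
    """Rank what the report exposes as (severity, message) pairs, worst first."""
    findings = []
    for name, a in parse_accounts(text).items():
        if a["blank"]:
            findings.append(("critical" if a["admin"] else "high", f"blank password on {name}"))
        if a["admin"] and a["upgraded"]:
            findings.append(("medium", f"{name} carried over from Win9x with admin rights"))
    if "null session can be established" in text.lower():
        findings.append(("high", "null session to IPC$ exposes this listing to anyone"))
    exposed = [s for s in re.findall(r"Share Name: (\w+\$)", text) if s != "IPC$"]
    if exposed:
        findings.append(("low", "administrative shares exposed: " + ", ".join(exposed)))
    return sorted(findings, key=lambda f: ["critical", "high", "medium", "low"].index(f[0]))
```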
Now, continue the attack. There may be other vulnerabilities. I established a session with these machines using the ADM account:
C:\> net use \\24.?.?.?\ipc$ "" /user:administrator
The command completed successfully.
I am now connected to this machine as ADM, and I can map a drive and browse it like my own. MS paid no attention to this security hole in the upgrade from Win98 to Win2000.
I decided to dig deeper, hoping to find other Win2000 vulnerabilities. I opened Computer Management (Photo 1.2) and connected to his machine; from my local machine I can add users on the remote machine.
Photo 1.2
Studying Computer Management further, I found that Disk Management is also weak, so I can remotely manage his drives. Going deeper still, I noticed the Telnet remote login service (Photo 1.3).
Does Microsoft set up this Telnet service in a default installation of Win2000? Does an ordinary user need a Telnet service? It seems to be set up during installation; it is not started by default, but it is configured to log on as LocalSystem. Curiosity kept me studying. I looked at the properties of the service (Photo 1.4) and found that not only could I start the service, I could set it to start automatically.
Photo 1.4
The service now starts at boot and runs as LocalSystem. Microsoft must have done something to stop me from entering this machine and executing the commands I want. They did: it is called NTLM authentication, and by default the Telnet server is set to NTLM only. And only the Win2000 Telnet client recognises NTLM. What does that mean? It means that if your account and password are not verified, or if you are not confirmed to be in an approved domain, the system will refuse your access.
I tested the Telnet service on my own machine, starting it from the console. I suspected that the TelnetServer value in the registry could avoid NTLM. To verify my suspicion, I connected to the remote machine's registry, changed the value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0 from 2 to 1, and restarted the service.
Result:
A minute later I logged into this machine through Telnet!! Now I have complete control of this machine: creating user accounts, formatting drives, and using this machine to launch attacks.
With a few commands I created a user account in the ADM group and a hidden directory to run the attack from; then I FTPed to my FTP site and downloaded the programs I needed, and started the Scheduler service to run my attack program in the early morning and send the results back to me by FTP. Nobody will pay any attention to this.
Danger
Some people may ask why the Telnet service is dangerous. OK: I break into your machine, Telnet from it to whitehouse.gov, replace the page with an anti-government page, and the server records your IP; then you have a big problem.
Problem resolution:
In my opinion, at least delete the file c:\winnt\system32\tlntsvr.exe, because ordinary users do not need this service.
Solution:
If you don't need them, close all shares and use more complex passwords.