Windows 2000 security hazard

zhaozj2021-02-11  192

Windows 2000 security hazard

Add time: 01-1-4 08:48:24

Previous

Article classification

Next

Original author

Avoidnf8@hotmail.com

Greyzone@compsecurity.net

Greyzone

the goal:

I want to see how Windows 2000 security performance, so I decided to try it. Win2000

Basic attacks should use NT 4.0 to query whether the other party is patching a vulnerability. I think

You will be very surprised to see that they don't have no repair vulnerabilities, but there are new vulnerabilities. I'm

A MCSE, so Microsoft offers a beta version. Here is me.

evaluation of.

way:

First of all, I need to find some ordinary users who use Win2000, I open IP Scanner, find about 6,000 IP addresses, all of which are long-term dial-up users, and analyze users using Win2000.

Ok, the attack begins;

First use the Table 1.1 tool to get the basic information of WIN2000:

NetBIOS

Share Information

Share Name: IPC $

Share Type: DEFAULT PIPE Share

Comment: Remote IPC

Warning - null session can be be establish to //24.?.?.?/ipc $

Share Name: admin $

Share Type: DEFAULT DISK Share

Comment: Remote Admin

Share Name: C $

Share Type: DEFAULT DISK Share

Comment: Default Share

Account Information

Account Name: Administrator

The Administrator account is an ADMINISTRATOR, and the password was changed 3 days ago. This account has been used 2 times to logon. The default Administrator account has not been renamed. Consider renaming this account and removing most of its rights. Use a different account as the admin account.

Comment: Account Upgrade from Windows 95 or Windows 98

User Comment:

Full name: administrator

Account name: GUEST

The Guest Accent Is A Guest, And The Password WAS

Changed 0 days ago. This Account Has Been Used 0 Times To Logon.

Comment: Built-in Account for Guest Access To The Computer / Domain

User Comment:

Full Name:

Account Name: User1

The user1 account is an administrator, and the password WAS

Changed 3 days ago. This Account Has Been Used 22 Times To Logon.

Comment: Account Upgrade from Windows 95 or Windows 98

User Comment:

Full name: User1Warning Administrator's Password Is Blank

Warning User1's Password Is Blank

I feel strange. The first is that the administrator account and another user (also a supervisor) password is blank. These accounts seem to be upgraded from Win98 or 95, which caused my curiosity, so I decided to do an attempt. I upgraded my 98 machine to 2000. This machine inside a point-to-point network work group and there is a domain master server in the system. I will perform according to the prompt step, the upgrade process is smooth. After restarting, the window that sets the new WIN2000 account password appears, which gives a list of accounts created during the upgrade process, you need to set your password for each user. The weird thing is. It has a prompt to set up the same password as Win98: [if you don Not Want to See this Screen Again Then Just Hit Enter]. I press Enter to enter WIN2000, and the users on my machine will set the password empty. This is unsafe. I have upgraded 2000 in another Win98 machine, and I created a password empty ADM user. .

Now, continue to attack. There may be other vulnerabilities.

I have established a session with these machines and use ADM.

C: /> NET use //24.?.?.?/ipc $ "" / user: administrator

The Command Complated SuccessFully.

I will now connect to this machine as an ADM and can shoot the drive and browse it like your own drive. The security vulnerability MS upgraded to Win98 upgrade to Win2000 is not paying attention.

I decided to continue deep, I hope to find that Win2000 other vulnerabilities

I turned on the computer manager (Photo 1.2) and joined his machine. I can add users to the remote machine as using my local machine.

Photo 1.2

I deeply study computer management, and find that disk management is also fragile, so I can remotely format his drive. I will continue to deepen, pay attention to the Telnet remote login service (Pohot1.3). Is Microsoft set up this Telnet service when the default installation of Win2000? An ordinary user needs Telnet service? This seems to be set during the installation process, it is not started by default, but it is set as a localSystem login. Curiously let me continue to study. I have seen the properties of the service (Photo.1.4) and found not only I can start the service, but I can make it automatically started.

Photo 1.4

This service is now started when it starts and is run as a Localsystem. It is definitely Microsoft to do something to stop me from entering this machine and execute the command I want to perform. They did it! It is called NTLM certification and remote login is set only by the default NTLM. And only the remote login of WIN2000 will identify NTLM. What does that mean? This means that if

solution:

If you don't need it, close all shares and add more complicated passwords.

At least you want to delete the C: /Winnt/System32/TLNTSVR.EXE file, because ordinary users do not need this service.

转载请注明原文地址:https://www.9cbs.com/read-5673.html

New Post(0)