Windows 2000 security hazard
Add time: 01-1-4 08:48:24
Original author
Avoidnf8@hotmail.com
Greyzone@compsecurity.net
Greyzone
Goal:
I wanted to see how well Windows 2000 performs on security, so I decided to test it. The basic attacks against Win2000 are the same ones used against NT 4.0, which check whether the other side has patched known vulnerabilities. I think you will be surprised to see that not only are the old vulnerabilities unrepaired, but there are new ones as well. I am an MCSE, so Microsoft provided me with a beta version. Here is my evaluation.
Method:
First, I needed to find some ordinary users running Win2000. I opened an IP scanner, found about 6,000 IP addresses, all long-term dial-up users, and picked out the ones running Win2000.
OK, the attack begins:
First, use the tool in Table 1.1 to get basic information about the WIN2000 machine:
NetBIOS
Share Information
Share Name: IPC$
Share Type: DEFAULT PIPE Share
Comment: Remote IPC
Warning - null session can be established to \\24.?.?.?\ipc$
Share Name: ADMIN$
Share Type: DEFAULT DISK Share
Comment: Remote Admin
Share Name: C$
Share Type: DEFAULT DISK Share
Comment: Default Share
Account Information
Account Name: Administrator
The Administrator account is an ADMINISTRATOR, and the password was changed 3 days ago. This account has been used 2 times to logon. The default Administrator account has not been renamed. Consider renaming this account and removing most of its rights. Use a different account as the admin account.
Comment: Account Upgrade from Windows 95 or Windows 98
User Comment:
Full Name: Administrator
Account Name: GUEST
The Guest account is a GUEST, and the password was changed 0 days ago. This account has been used 0 times to logon.
Comment: Built-in account for guest access to the computer/domain
User Comment:
Full Name:
Account Name: User1
The User1 account is an ADMINISTRATOR, and the password was changed 3 days ago. This account has been used 22 times to logon.
Comment: Account Upgrade from Windows 95 or Windows 98
User Comment:
Full Name: User1
Warning Administrator's Password Is Blank
Warning User1's Password Is Blank
I found this strange. First, the Administrator account and another user (also an administrator) had blank passwords. These accounts appeared to have been upgraded from Win98 or 95, which made me curious, so I decided to try it myself. I upgraded my Win98 machine to 2000. This machine was in a peer-to-peer workgroup, and there was a domain controller on the network. I followed the prompts step by step and the upgrade went smoothly. After restarting, a window appeared for setting passwords on the new WIN2000 accounts; it listed the accounts created during the upgrade, and you need to set a password for each user. The strange thing is that it carries a prompt about keeping the same password as Win98: [If you do not want to see this screen again then just hit Enter]. I pressed Enter, entered WIN2000, and every user on my machine ended up with an empty password. This is unsafe. I upgraded another Win98 machine to 2000 and got an administrator (ADM) user with an empty password.
Now, continue the attack. There may be other vulnerabilities.
I established a session with these machines using the ADM account:
C:\> net use \\24.?.?.?\ipc$ "" /user:administrator
The command completed successfully.
I am now connected to this machine as an administrator and can map its drive and browse it like my own. MS paid no attention to the security vulnerability in the Win98-to-Win2000 upgrade.
I decided to go deeper, hoping to find other Win2000 vulnerabilities.
I opened Computer Management (Photo 1.2) and connected to his machine. I could add users on the remote machine just as if I were using my local machine.
Photo 1.2
I studied Computer Management more closely and found that Disk Management is also fragile, so I could remotely format his drive. Going further, I noticed the Telnet remote login service (Photo 1.3). Does Microsoft set up this Telnet service in a default installation of Win2000? Does an ordinary user need a Telnet service? It seems to be set up during installation; it is not started by default, but it is configured to log on as LocalSystem. Curiosity kept me studying. I looked at the service's properties (Photo 1.4) and found that not only could I start the service, I could also set it to start automatically.
Photo 1.4
The service now starts at boot and runs as LocalSystem. Surely Microsoft did something to stop me from getting into this machine and executing the commands I want? They did: it is called NTLM authentication, and by default the Telnet service is set to accept only NTLM. And only the Win2000 Telnet client will do NTLM. What does that mean? This means that if
Solution:
If you don't need them, remove all shares, and use more complex passwords.
At the very least, delete the C:\Winnt\System32\TLNTSVR.EXE file, because an ordinary user does not need this service.