The Unofficial NT Hack FAQ

Section 12

For Administrators Only

12-1. How do I secure my server?
12-2. I'm an idiot. Exactly how do hackers get in?

I mentioned the World Star Holdings Inc. Cybertest '96 contest earlier in the FAQ. I wish I could say that this contest involved some type of massive attack rich in color and unbelievable hacking genius, but alas, it was too easy. Using techniques outlined in this FAQ, I simply got a list of exported shares and logged in as GUEST. I enjoyed trying to get past the special HTML scripting language they were using, and only did it because I wanted the $50,000.00 prize money. But I wasn't the first one in, and they changed the rules mid-contest anyway.

Here's a scenario that pulls some of this together.

The Exploit

The attacker has a copy of Samba on his Linux machine, and has applied the patches from Hobbit's paper that make smbclient a little more dangerous. He starts looking at his target. Using a port scanner he determines that ports 135-139 are open, and suspects the box might be NT.

The target IP address is So he tries his hacked version of nmblookup like so -

    nmblookup -B -S \*

The name INNOCENT is returned, and this is plugged into the hacked smbclient like so -

    smbclient \\\\INNOCENT\\WINNT$ -I -d 3 -n WHATEVER -m

Note that the hacker is trying to access the C drive, is using debug level 3 to see errors (and to see how long it takes before an error occurs), has forged his computer's name, and has dumbed down the password handling to try Lan Manager style (uppercase) passwords only.

Several simple passwords are tried, and it looks like the Administrator account has not been set to lock out after incorrect tries. However, the usual easy passwords do not work. The hacker is not frustrated. He decides to throw his uppercase dictionary at it -

    smbclient \\\\INNOCENT\\WINNT$ -I -d 0 -n WHATEVER -m LANMAN2 -U ADMINISTRATOR < dictionary.file.uppercase

The hacked smbclient will continue until the dictionary file is exhausted, the hacker stops the program, or he gets in. After a while, success.
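From the defender's side, the pattern above (a long run of failed Administrator logons from one claimed machine name, followed by a success) is easy to spot in logon records if anyone is looking. The following is an added example, not part of the original FAQ: it runs a sliding-window count over a constructed set of logon records (the one-line format is an assumption for the example, not any real NT log format) and raises an alert once a source passes a failure threshold, escalating if a success follows the streak.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of logon records (assumed format, not a real NT log):
# "<date> <time> <OK|FAIL> user=<account> from=<claimed machine name>"
SAMPLE_LOG = """\
1996-11-03 02:14:01 FAIL user=ADMINISTRATOR from=WHATEVER
1996-11-03 02:14:02 FAIL user=ADMINISTRATOR from=WHATEVER
1996-11-03 02:14:03 FAIL user=ADMINISTRATOR from=WHATEVER
1996-11-03 02:14:04 FAIL user=ADMINISTRATOR from=WHATEVER
1996-11-03 02:14:05 FAIL user=ADMINISTRATOR from=WHATEVER
1996-11-03 02:14:06 FAIL user=ADMINISTRATOR from=WHATEVER
1996-11-03 02:14:07 OK user=ADMINISTRATOR from=WHATEVER
1996-11-03 09:00:00 FAIL user=JSMITH from=JSMITH-PC
1996-11-03 09:00:20 OK user=JSMITH from=JSMITH-PC
"""

def parse_events(text):
    """Turn the constructed one-line records into dicts sorted by the caller."""
    events = []
    for line in text.splitlines():
        date, time, result, user, src = line.split()
        events.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "ok": result == "OK",
            "user": user.split("=", 1)[1],
            "src": src.split("=", 1)[1],
        })
    return events

def detect_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when one (source, account) pair reaches `threshold` failures inside
    `window`; escalate if a successful logon then follows that streak."""
    recent = defaultdict(deque)  # (src, user) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        q = recent[key]
        while q and ev["ts"] - q[0] > window:  # drop failures outside the window
            q.popleft()
        if ev["ok"]:
            if len(q) >= threshold:  # the scenario on this page: guessing, then success
                alerts.append(("success_after_guessing", ev["src"], ev["user"], len(q)))
            q.clear()
        else:
            q.append(ev["ts"])
            if len(q) == threshold:  # fire once per streak, not on every further failure
                alerts.append(("guessing", ev["src"], ev["user"], len(q)))
    return alerts
```

The JSMITH records show the normal case (one typo, then a good logon) producing no alert, while the ADMINISTRATOR run produces a guessing alert at the fifth failure and an escalation when the sixth failure is followed by a success.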

The hacker uploads a trojan to \SYSTEM32 to capture passwords. Then the hacker goes to \SYSTEM32\CONFIG\SAM and \REPAIR and finds copies of the SAM database. These are copied down to his home machine.

The hacker disconnects and proceeds to use PWDump and L0phtcrack to get ALL passwords. The hacker knows that some of the passwords might be old -- after all, he couldn't grab the live SAM database. But between the old passwords and the trojan, the hacker isn't even worried if the Administrator changes passwords. The hacker will simply use another account name and check the \TEMP directory for the collected passwords.