Security Risks
Last Update: March 17, 1997
This web site is dedicated
to exposing security risks in an effort to educate the
networking community. Use this information at your own
discretion and risk, and certainly feel free to
contribute if you'd like. Send all correspondence to: security@ntshop.net
While browsing this page,
click on the symbol for information describing
an exploit, and click on the symbol for information
on defending against the exploit. The items in [ Blue ] reveal the classification,
while the items in [ Red ] reveal the nature of possible
attacks (from over a network, or from physical access).
The symbol represents the newer
additions to this page, while the symbol indicates the newest exploits
discovered.
The information on the
ensuing pages is updated frequently, and derived from
many informational sources -- credit is given wherever
possible. Thanks to all who report the hazards --
godspeed. To receive immediate email notification of new
NT security problems and updates to this site, subscribe
to our NTSD
newsletter.
Trojans 
[ Trojan ] [ Physical & Network ] Password Grabbing
Trojans are now incredibly easy to create with new
functionality in NT 4.0. The problem lies in the ability
to call a .DLL upon the change of any password.
[ Trojan ] [ Physical & Network ] Reverting an ISAPI
Script to the SYSTEM account (and level
of authority) is a literal walk in the park for those in
the know. Beware of ISAPI programs on your IIS Web
servers.
[ Trojan ] [ Physical & Network ] Rollback.exe
is a handy little tool for administrators, and
for intruders unfortunately. Can you say "bye bye
registry"?
[ Trojan ] [ Physical & Network ] System DLLs Can Be Replaced,
causing untold damage and creating unforeseen security
holes.
[ Trojan ] [ Physical & Network ] Executable Files
can be renamed with or without new extensions, and in
some cases will run regardless of the new name.
Applications

[ App Attack ] [ Network ] Windows 95 Passwords
can be grabbed using an SMB server, and a little game of
cat and mouse.
[ App Attack ] [ Network ] Internet Explorer
has yet ANOTHER problem when running on NT 4.0. How about
snagging your User ID, psw, NetBIOS hostname, NT domain
name, IP address, et al.?
[ App Attack ] [ Network ] Shockwave Plugins
may have more "shock" value than you
anticipate. How about people being able to read your
email at will? Tsk. Tsk.
[ App Attack ] [ Network ] Internet Explorer AND
Netscape both have a nasty hole that can force an SMB
negotiation, at which point your user ID and password are
snagged.
[ App Attack ] [ Network ] Internet Explorer
has a problematic hole if a user clicks on a malicious
.url or .lnk hyperlink -- get the patch before you get
zapped.
[ App Attack ] [ Network ] Internet Explorer allows users to use
URLs describing a remote directory and program that can
be downloaded and launched almost automatically.
[ App Attack ] [ Network ] Internet Explorer has another hole
that allows a malicious Web page to automatically run any
program and/or issue commands on the user's system.
[ App Attack ] [ Network ] Active Server Pages can
be easily downloaded before processing, which may reveal
sensitive IDs and passwords.
[ App Attack ] [ Network ] ActiveX Enabled Browsers have
a vulnerability in that the controls inherit the
permissions of the local user. Can you say "out of
control" Web controls?
[ App Attack ] [ Network ]
O'Reilly WebSite 1.1 has serious problems with
the sample CGI programs. (where's that breeze coming from? ;-)
[ App Attack ] [ Network ]
.BAT and .CMD files present a considerable
risk if you're running older IIS software, and haven't
patched your systems yet.
[ App Attack ] [ Network ]
/..\.. on the end of a URL can present a
considerable risk if you're running older IIS software,
and haven't patched your systems yet.
[ App Attack ] [ Network ]
Truncated files are a real possibility if
you're running older IIS software, and haven't patched
your systems.
[ App Attack ] [ Network ]
Redirecting Output of a command can wreak
havoc on your site if you're running older IIS software,
and haven't patched your systems yet.
[ App Attack ] [ Network ]
Changes in Security in Microsoft Access Version 2.0 can
allow a user to add objects to an Access database...
Passwords

[ Pswd Attack ] [ Physical ]
SMS Netmon Passwords are easily cracked in
today's world. There are at least two programs that can
already do it easily.
[ Pswd Attack ] [ Physical ]
Password Grabbers can easily get your
Windows, Windows for Workgroups, and Windows 95 passwords
due to weak encryption.
[ Pswd Attack ] [ Physical ]
Unprotecting Word Documents apparently
isn't as hard as you might think. Take a look...early
versions of Word are a cake walk.
[ Pswd Attack ] [ Physical ]
Unprotecting Word 6 Documents apparently
isn't all that hard either. Want a program to test your
protection?
[ Pswd Attack ] [ Physical ]
Unprotecting WordPerfect Documents is
apparently no more difficult than Word. Explanation and
source code are here...
[ Pswd Attack ] [ Physical ]
Unprotecting Excel Spreadsheets can be done
quickly as well. This page tells you how for versions up
to Excel 7.0.
[ Pswd Attack ] [ Physical ]
Unprotecting QuattroPro Spreadsheets can be
done quickly too. This page tells you how for most
versions including Corel Office 7.0.
[ Pswd Attack ] [ Physical ]
Unprotecting Lotus 1-2-3 Spreadsheets is
just as easy. Geez. This page tells you how for all
versions.
[ Pswd Attack ] [ Physical ]
Quicken is a very popular tool for keeping
financial records straight - if you have it you probably
love it -- and so would I if I wanted to get into your
books! Your Quicken password is a useless defense....
COMING QUICK! - LANMAN 2.1 (and earlier) Challenge/Response Attack
COMING QUICK! - NT LM 0.12 Challenge/Response Attack
Direct Access
[ Direct Access ] [ Physical ] SNA Server is subject to a
subtly dangerous problem where the first user's access
permissions to shared folders are inherited by a second
user.
[ Direct Access ] [ Physical ]
NTFSDOS is a program that can mount NTFS
partitions from a DOS based machine, bypassing all
security permissions. Ouch.
[ Direct Access ] [ Physical ]
Linux now supports the NTFS file system,
which means this Unix variety could actually mount your
NTFS partitions.
[ Direct Access ] [ Physical ]
Windows 95 Netware Clients pose
considerable risk if the system administrators are not
incredibly careful.
Denial of Service
[ DoS ] [ Network ] Crashing IIS is
yet another walk in the park, unless you've loaded the
latest service packs. Beware.
[ DoS ] [ Network ] Forcing NT to use
100% CPU is not so hard to do - who knew all you
needed was a Telnet client? Both NT 3.51 and 4.0 are
vulnerable. Ouch.
[ DoS ] [ Network ] SYN Floods are
one of the worst nightmares on the Internet today. If you
come under this attack, you could be in for one heck of an
experience.
[ DoS ] [ Network ] Ping of Death will
stop your TCP/IP stack in its tracks every time. Don't
let this simple exploit get the best of you.
[ DoS ] [ Network ] The "dir ..\" command
issued by a Samba client can crash NT 3.5 and 3.51.
[ DoS ] [ Physical ] Users without permissions can delete
files at the server, even after permissions have
been seemingly set correctly. Watch out for this one....
COMING QUICK! - MetaInfo DNS Attack
COMING QUICK! - Microsoft DNS Attack
Snooping

[ Snooping ] [ Network ] NBTSTAT Command
is incredibly revealing about your NT
systems and network. Why give the intruder a head start?
[ Snooping ] [ Network ] Keystroke Grabbers are
a nasty hazard, and if you have Windows 95 or regular
Windows in your shop, watch out for these.
Man in the Middle
[ MiM ] [ Network ] Novell Netware is found in
many NT shops today, since most people live in mixed
environments. Well, one bright young man has successfully
written code that can execute a Man-in-the-Middle attack
on Novell, completely taking over the user session, and
here it is for your indulgence.
[ MiM ] [ Network ] The New CIFS file system is
vulnerable to Man-in-the-Middle attacks. Read this before
you assume it's bullet proof...
[ MiM ] [ Network ] The CIFS File System attack
discussed in detail by Hobbit, complete with source code
proving it can be done. (185K)
[ MiM ] [ Network ] Web Spoofing is a real
possibility today -- and it's incredibly hard to
prevent.
COMING QUICK! - SMB Downgrade Attack
COMING QUICK! - Counterfeit Servers
Other Attacks
[ Share Access ] [ Network ]
Samba clients, which run on
Unix, can easily connect to your Windows-based shares.
Windows for Workgroups and Windows 95 are especially
vulnerable.
[ Routing ] [ Network ] Source
Routing is nasty trick #1, and it's easy to stop cold
-- if you've got the right stuff.
[ Routing ] [ Network ] ICMP
Redirect is nasty trick #2, and it too is easy to
prevent.
[ Spoofing ] [ Network ]
IP Spoofing is nasty trick #3,
and as you may have guessed, it's also easy to stop.
COMING QUICK! - Hijacked Connections
Other Resources
Click Here for more NT security related resources

This site
has not yet been rated by the Major Motion Picture
Industry of America.
[VDA] Viewer Discretion is Advised.
;-)
Copyright © 1994-97, Service Marks - MJE, Ltd. ALL RIGHTS
RESERVED. Legal Stuff
All other marks are Copyrights and/or Trademarks of their
respective owners.
Thanks to Bill Stout for encouraging
the creation of this page,
which eventually led to the creation of this entire Web
site.
All connections to this network are
monitored closely 24 hours a day, 7 days a week.
If this bothers you, then leave now or forever hold your
peace.