NT Security Risks
Last Update: February 20, 1997
This web site is dedicated to exposing security risks in an effort to educate the networking community. Use this information at your own discretion, and certainly feel free to contribute if you'd like. Send all correspondence to: security@ntshop.net

While browsing this page, click on the [icon] symbol for information describing an exploit, and click on the [icon] symbol for information on defending against the exploit. The items in [ Blue ] reveal the classification, while the items in [ Red ] reveal the nature of possible attacks (from over a network, or from physical access). The [icon] symbol represents the newer additions to this page, while the [icon] symbol indicates the newest exploits discovered.

The information on the ensuing pages is updated frequently, and derived from many informational sources -- credit is given wherever possible. Thanks to all who report the hazards -- godspeed. To receive email notification of updates to this page, send email to updates@ntshop.net with the word UPDATES as the subject and in the body of the message.
Trojans

[ Trojan ] [ Physical & Network ] Password Grabbing Trojans are now incredibly easy to create with new functionality in NT 4.0. The problem lies in the ability to call a .DLL upon the change of any password.

[ Trojan ] [ Physical & Network ] Reverting an ISAPI Script to the SYSTEM account (and level of authority) is a literal walk in the park for those in the know. Beware of ISAPI programs on your IIS Web servers.

[ Trojan ] [ Physical & Network ] Rollback.exe is a handy little tool for administrators, and for intruders unfortunately. Can you say "bye bye registry"?

[ Trojan ] [ Physical & Network ] System DLLs Can Be Replaced, causing untold damage and creating unforeseen security holes.

[ Trojan ] [ Physical & Network ] Executable Files can be renamed with or without new extensions, and in some cases will run regardless of the new name.
Applications

[ App Attack ] [ Network ] .BAT and .CMD files present a considerable risk if you're running older IIS software, and haven't patched your systems yet.

[ App Attack ] [ Network ] /..\.. on the end of a URL can present a considerable risk if you're running older IIS software, and haven't patched your systems yet.

[ App Attack ] [ Network ] Truncated files are a real possibility if you're running older IIS software, and haven't patched your systems.

[ App Attack ] [ Network ] Redirecting Output of a command can wreak havoc on your site if you're running older IIS software, and haven't patched your systems yet.

[ App Attack ] [ Network ] O'Reilly WebSite 1.1 has serious problems with the sample CGI programs. (Where's that breeze coming from? ;-)

[ App Attack ] [ Network ] ActiveX Enabled Browsers have a vulnerability in that the controls inherit the permissions of the local user. Can you say "out of control" Web controls?

[ App Attack ] [ Network ] Active Server Pages can be easily downloaded before processing, which may reveal sensitive IDs and passwords.

[ App Attack ] [ Network ] Changes in Security in Microsoft Access Version 2.0 can allow a user to add objects to an Access database...
Passwords

[ Pswd Attack ] [ Physical ] SMS Netmon Passwords are easily cracked in today's world. There are at least two programs that can already do it easily.

[ Pswd Attack ] [ Physical ] Password Grabbers can easily get your Windows, Windows for Workgroups, and Windows 95 passwords due to weak encryption.

[ Pswd Attack ] [ Physical ] Unprotecting Word Documents apparently isn't as hard as you might think. Take a look... early versions of Word are a cake walk.

[ Pswd Attack ] [ Physical ] Unprotecting Word 6 Documents apparently isn't all that hard either. Want a program to test your protection?

[ Pswd Attack ] [ Physical ] Unprotecting WordPerfect Documents is apparently no more difficult than Word. Explanation and source codes are here...

[ Pswd Attack ] [ Physical ] Unprotecting Excel Spreadsheets can be done quickly as well. This page tells you how for versions up to Excel 7.0.

[ Pswd Attack ] [ Physical ] Unprotecting QuattroPro Spreadsheets can be done quickly too. This page tells you how for most versions including Corel Office 7.0.

[ Pswd Attack ] [ Physical ] Unprotecting Lotus 1-2-3 Spreadsheets is just as easy. Geeez. This page tells you how for all versions.

[ Pswd Attack ] [ Physical ] Quicken is a very popular tool for keeping financial records straight - if you have it you probably love it -- and so would I if I wanted to get in to your books! Your Quicken password is a useless defense....

COMING QUICK! - LANMAN 2.1 (and earlier) Challenge/Response Attack

COMING QUICK! - NT LM 0.12 Challenge/Response Attack
Direct Access

[ Direct Access ] [ Physical ] NTFSDOS is a program that can mount NTFS partitions from a DOS based machine, bypassing all security permissions. Ouch.

[ Direct Access ] [ Physical ] Linux now supports the NTFS file system, which means this Unix variety could actually mount your NTFS partitions.

[ Direct Access ] [ Physical ] Windows 95 Netware Clients pose considerable risk if the system administrators are not incredibly careful.
Denial of Service

[ DoS ] [ Network ] SYN Floods are one of the worst nightmares on the Internet today. If you come under this attack, you could be in for one heck of an experience.

[ DoS ] [ Network ] Ping of Death will stop your TCP/IP stack in its tracks every time. Don't let this simple exploit get the best of you.

[ DoS ] [ Network ] Crashing IIS is yet another walk in the park, unless you've loaded the latest service packs. Beware.

[ DoS ] [ Network ] Forcing NT to use 100% CPU is not so hard to do - who knew all you needed was a Telnet client? Both NT 3.51 and 4.0 are vulnerable. Ouch.

[ DoS ] [ Network ] The "dir ..\" command issued by a Samba client can crash NT 3.5 and 3.51.

[ DoS ] [ Physical ] Users without permissions can delete files at the server, even after permissions have been seemingly set correctly. Watch out for this one....

COMING QUICK! - MetaInfo DNS Attack

COMING QUICK! - Microsoft DNS Attack
Snooping

[ Snooping ] [ Network ] NBTSTAT Command is incredibly revealing about your NT systems and network. Why give the intruder a head start?

[ Snooping ] [ Network ] Keystroke Grabbers are a nasty hazard, and if you have Windows 95 or regular Windows in your shop, watch out for these.
Man in the Middle

[ MiM ] [ Network ] Web Spoofing is a real possibility today -- and it's incredibly hard to prevent.

[ MiM ] [ Network ] The New CIFS file system is vulnerable to Man-in-the-Middle attacks. Read this before you assume it's bullet proof...

[ MiM ] [ Network ] Novell Netware is found in many NT shops today, since most people live in mixed environments. Well, one bright young man has successfully written code that can execute a Man-in-the-Middle attack on Novell, completely taking over the user session, and here it is for your indulgence.

COMING QUICK! - SMB Downgrade Attack

COMING QUICK! - Counterfeit Servers
Other Attacks

[ Share Access ] [ Network ] Samba clients, which run on Unix, can easily connect to your Windows-based shares. Windows for Workgroups and Windows 95 are especially vulnerable.

[ Routing ] [ Network ] Source Routing is nasty trick #1, and it's easy to stop cold -- if you've got the right stuff.

[ Routing ] [ Network ] ICMP Redirect is nasty trick #2, and it too is easy to prevent.

[ Spoofing ] [ Network ] IP Spoofing is nasty trick #3, and as you may have guessed, it's also easy to stop.

COMING QUICK! - Hijacked Connections

Other Resources

Click Here for more NT security related resources
          
          
This site has not yet been rated by the Major Motion Picture Industry of America.
[VDA] Viewer Discretion is Advised. ;-)

The NT Shop, Netropolis Technology Group, NTg, the logos, and this HTML page are Copyright © 1994-97 and Service Marks of Mark Joseph Edwards, ALL RIGHTS RESERVED. All other marks are Copyrights and/or Trademarks of their respective owners.

All connections to this network are monitored closely 24 hours a day, 7 days a week. If this bothers you, then leave now or forever hold your peace.