Peter Wood, First Base Technologies: Losing Control of Your Windows Network

February 2008 by Peter Wood, Chief of Operations, First Base Technologies

I imagine that most people would consider the chances of an attacker guessing a privileged account name and password in two or three guesses to be astronomical. Unfortunately, nothing could be further from the truth. Breaking into corporate networks, and thereby corporate information, has never been easier. Why? Firstly, access to systems (usually Windows) at the desktop is universal. Secondly, most people, including IT staff, don’t appear to know how to select adequately secure passwords.

We have used the following technique for the past ten years, and it still gives us administrative control of a Windows network in at least fifty percent of cases. Imagine that you are a disgruntled employee or perhaps an intruder who has gained access to the building posing as a cleaner or a visitor. You will be able to gain complete control of the organisation’s Windows network in less than 20 minutes if this works.

First you plug in a Windows laptop anywhere on the network - this can be in head office, at a branch office or store, anywhere in any trusted third-party premises or perhaps through a remote connection. You browse the network using Windows Explorer and see all the Windows machines on the network - there’s no need to log on or join a domain for this to happen (or of course you could be using a legitimate desktop or laptop machine if you are an employee or contractor).

Select a server (they’re usually named in an obvious fashion) and attempt a “null session” connection - a null session is a standard feature of NT and Windows 2000 which enables you to list users, groups, group memberships, etc. without any form of authentication whatsoever. There’s plenty of free and licensed software on the Internet that will help you to establish a null session and then interrogate this information - my personal favourite is Hyena, a tool designed for managing Windows networks, but many miscreants will use free tools like SuperScan or Cain & Abel.

Next check the domain account lockout policy so you know how many password attempts you will be permitted in how long before the account is locked out (and a possible alert raised). Now list the users in the Administrators and Domain Admins groups and look for patterns, or rather exceptions to a pattern. Typically, organisations use formal naming conventions for user accounts, with combinations of surname and first name or initials such as WOODP.

Unfortunately, these are usually ignored where service accounts are concerned - service accounts are administrator-level accounts used to enable applications to log on to servers and domains (applications such as Backupexec, ArcServe and Tivoli are obvious examples). Select each of these service accounts in turn and try to guess its password - it’s not as hard as you might think.
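The same "exceptions to the naming convention" test works the other way round: an administrator can run it over the privileged groups to find the service and shared accounts that need a proper password and an owner before anyone else finds them. The audit below is an added example, not code from the article or from First Base Technologies. The naming convention (surname plus first initial, as in WOODP), the HR list, the Domain Admins snapshot and the 90-day password age limit are all constructed; a real run would feed it a directory export.

```python
# Audit of privileged group membership: flag members that do not map to a named
# person (service or shared accounts), plus password hygiene problems.
# Added example with constructed data; not the article's own tooling.

# Constructed HR list of the people who legitimately hold domain admin rights.
PEOPLE = [("Peter", "Wood"), ("Jane", "Smith"), ("Ahmed", "Khan")]

# Assumed naming convention: surname followed by first initial, upper case (WOODP).
def expected_account(first_name, surname):
    return (surname + first_name[0]).upper()

# Constructed snapshot of Domain Admins membership, in the shape a directory
# export (from an admin tool or an LDAP query) would give it.
DOMAIN_ADMINS = [
    {"name": "WOODP",      "description": "",                    "pwd_never_expires": False, "pwd_age_days": 40},
    {"name": "SMITHJ",     "description": "",                    "pwd_never_expires": False, "pwd_age_days": 100},
    {"name": "KHANA",      "description": "",                    "pwd_never_expires": False, "pwd_age_days": 12},
    {"name": "BACKUPEXEC", "description": "Backup Exec service", "pwd_never_expires": True,  "pwd_age_days": 900},
    {"name": "ARCSERVE",   "description": "ArcServe agent",      "pwd_never_expires": True,  "pwd_age_days": 1300},
    {"name": "GHOST",      "description": "imaging scripts",     "pwd_never_expires": True,  "pwd_age_days": 700},
    {"name": "INSTALL",    "description": "",                    "pwd_never_expires": False, "pwd_age_days": 30},
]

MAX_PASSWORD_AGE_DAYS = 90  # assumed policy value


def audit_privileged_members(members, people, max_age=MAX_PASSWORD_AGE_DAYS):
    """Return [(account_name, [reasons])] for every member that needs review.

    A member is reported if its name is not derivable from a real person under
    the naming convention, if its password is set never to expire, or if the
    password is older than the policy allows. Members with no reasons are omitted.
    """
    named = {expected_account(first, surname) for first, surname in people}
    findings = []
    for acct in members:
        reasons = []
        if acct["name"].upper() not in named:
            reasons.append("not a named person: service or shared account")
        if acct["pwd_never_expires"]:
            reasons.append("password never expires")
        if acct["pwd_age_days"] > max_age:
            reasons.append(f"password {acct['pwd_age_days']} days old")
        if reasons:
            findings.append((acct["name"], reasons))
    return findings


def service_accounts(members, people):
    """Only the members that do not correspond to a named person."""
    return [name for name, reasons in audit_privileged_members(members, people)
            if reasons[0].startswith("not a named person")]


if __name__ == "__main__":
    for name, reasons in audit_privileged_members(DOMAIN_ADMINS, PEOPLE):
        print(f"{name}: {'; '.join(reasons)}")
```

Accounts that pass every check are silent, so the output is exactly the review list: each service account with its reasons, and any personal account whose password has drifted past the age limit.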

Frequently, network administrators will select something obvious, such as a password the same as the account name! Of course there are also long lists of default account names and passwords on the web which you can try. Take care not to exceed the account lockout threshold within the specified time period, otherwise even the most harassed admin may eventually guess something is up.
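A guesser who stays under the lockout threshold per account never triggers a lockout alert, but the pattern is still visible in the domain controller's failed-logon events: one source touching several privileged accounts in a short window. The detection below is an added example, not code from the article. It assumes the Windows "account failed to log on" event (ID 4625 on current Windows; older systems use a different ID) flattened to one line per event; the log lines, the 5-attempts-in-30-minutes policy and the privileged account list are all constructed.

```python
# Detection over failed-logon events: near-lockout accounts and one-source,
# many-privileged-accounts guessing. Added example with constructed data.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon events (one per line). Not real log data.
SAMPLE_LOG = """\
2008-02-12T09:00:05 EventID=4625 Src=WS-LOBBY-07 Target=BACKUPEXEC
2008-02-12T09:00:41 EventID=4625 Src=WS-LOBBY-07 Target=BACKUPEXEC
2008-02-12T09:01:10 EventID=4625 Src=WS-LOBBY-07 Target=ARCSERVE
2008-02-12T09:01:55 EventID=4625 Src=WS-LOBBY-07 Target=ARCSERVE
2008-02-12T09:02:30 EventID=4625 Src=WS-LOBBY-07 Target=TIVOLI
2008-02-12T09:03:02 EventID=4625 Src=WS-LOBBY-07 Target=GHOST
2008-02-12T09:03:44 EventID=4625 Src=WS-LOBBY-07 Target=INSTALL
2008-02-12T09:05:00 EventID=4625 Src=WS-FIN-12 Target=WOODP
2008-02-12T09:05:20 EventID=4625 Src=WS-FIN-12 Target=WOODP
2008-02-12T09:05:45 EventID=4625 Src=WS-FIN-12 Target=WOODP
2008-02-12T09:06:10 EventID=4625 Src=WS-FIN-12 Target=WOODP
2008-02-12T11:30:00 EventID=4625 Src=WS-FIN-12 Target=WOODP
"""

LINE_RE = re.compile(r"^(\S+) EventID=(\d+) Src=(\S+) Target=(\S+)$")

# Assumed domain lockout policy (constructed): 5 bad attempts in 30 minutes.
LOCKOUT_THRESHOLD = 5
OBSERVATION_WINDOW = timedelta(minutes=30)

# Assumed privileged accounts (constructed), e.g. the Domain Admins membership.
PRIVILEGED = {"BACKUPEXEC", "ARCSERVE", "TIVOLI", "GHOST", "INSTALL", "WOODP"}


def parse_events(text):
    """Return [(timestamp, source_host, target_account)] for every 4625 line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(2) != "4625":
            continue
        events.append((datetime.fromisoformat(m.group(1)), m.group(3), m.group(4)))
    return events


def max_in_window(times):
    """Largest number of timestamps that fall inside one OBSERVATION_WINDOW."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > OBSERVATION_WINDOW:
            start += 1
        best = max(best, end - start + 1)
    return best


def near_lockout_accounts(events):
    """Accounts that reached the last attempt before lockout within one window."""
    by_target = defaultdict(list)
    for ts, _src, target in events:
        by_target[target].append(ts)
    return sorted(t for t, ts in by_target.items()
                  if max_in_window(ts) >= LOCKOUT_THRESHOLD - 1)


def privileged_spray_sources(events, min_accounts=3):
    """Sources that fail against several distinct privileged accounts in one
    window: the signature of a guesser spreading attempts to stay under the
    per-account threshold."""
    by_src = defaultdict(list)
    for ts, src, target in events:
        if target in PRIVILEGED:
            by_src[src].append((ts, target))
    flagged = []
    for src, evs in by_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > OBSERVATION_WINDOW:
                start += 1
            if len({t for _, t in evs[start:end + 1]}) >= min_accounts:
                flagged.append(src)
                break
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("near lockout:", near_lockout_accounts(evs))
    print("privileged guessing from:", privileged_spray_sources(evs))
```

In the sample the workstation in the lobby never puts more than two attempts on any one account, so no lockout fires, yet it is the only source reported for privileged guessing; the finance workstation is reported for a different reason, four attempts on one account inside a couple of minutes, which is worth a call before the fifth locks it.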

If these fail, try those accounts which look like shared administrator accounts or scripted accounts, such as Ghost, Install, AutoInstall or similar. At least fifty percent of the time you’ll gain Domain Admin access, allowing you to create your own administrator account, join the domain legitimately and help yourself to any information on any server.

Clear guidance on setting up service accounts and how to select a high quality, easily remembered password would eliminate this vulnerability. Some technical understanding of how Windows passwords work would also help IT staff select better quality passwords.

