Security Incidents mailing list archives
Re: Pubstro rash
From: Brian Eckman <eckman () umn edu>
Date: Wed, 23 Mar 2005 15:11:43 -0600
(attempted to fixed top-post)
David Gillett wrote:Further detail: I'm being told that all of the compromised workstations are running 2KPro or NTW. So that suggests that the attackers are getting in through a hole that is fixed in XP or its service packs.
> Nick Fitzgerald wrote:
Or poor password policies... Most pubstros I've seen succeed do so with just password guessing (and relatively trivial guessing at that) -- not that they don't have other methods, just that pwd guessing gets them plenty of victims. Are these machines visible to the world for any kind of standard NT authentication connections? If so, start with the simplest (and probably most likely), which is user slackness (blank, "admin", "guest", "pass", "aaaaa", "qwerty", "12345", etc passwords). Vulns common to NT and 2K but not XP would be fairly rare (other than in non-XPSP2 IE 6??), unless you have very limited patch control over non-XP machines but good control of XP patching. Regards, Nick FitzGerald
David LeBlanc wrote: > That would be a good guess. XP was the first version where blank > passwords can only be used at the console. <snip>Not only that, but XP was the first version where anonymous enumeration of users was turned off by default. That means folks can typically only remotely crack passwords against the built-in Administrator account on Windows XP (assuming it hasn't been renamed), while they can (and do) easily obtain a list of all accounts on Windows 2000 and NT to try weak passwords against all of the accounts. (Unless folks turned off anonymous enumeration of users on their Win2k/NT4 machines, but we all know that's rare.)
We see this type of attack regularly in the .EDU world. Folks break into one computer via <some method>. They put a backdoor server on it (typically ServU FTP, but some groups have more of an imagination), load on some password cracking tools, and aim them at the local network's IP space. The tools commonly used automatically try to enumerate a list of accounts on target computers and try a small dictionary against all accounts, as well as dynamically try using the username itself as that username's password. (For example, if it finds an account named "user612", it will automatically try "user612" as the password.)
It's also very common for hacked machines to have pwdump2 (or pwdump3) run on them, and the attackers will grab the results and (easily) break the LANMAN hashes. They will then import the results into their custom dictionary file for your network and rescan. In areas that have the same administrator password on many machines, the results can be devistating.
(Imagine an administrator password of "G5&cv@A6-zc1", as an example. Nobody is reasonably going to crack that by brute force or a dictionary attack. However, if there is a local administrative user named "brian" on that same computer, that has a password of "brian", or some other dictionary word, the attacker can grab the entire password database, locate the LANMAN hash for the administrator account, and break it in minutes[1]. They can then add "G5&cv:A6-zc1" to their dictionary, resume password cracking on your network, and all boxes that have File and Print Sharing enabled with that as the Administrator password are now 0wned.)
[1] http://www.antsight.com/zsl/rainbowcrack/ Brian -- Brian Eckman Security Analyst OIT Security and Assurance University of Minnesota
Current thread:
- RE: Pubstro rash David Gillett (Mar 17)
- RE: Pubstro rash Nick FitzGerald (Mar 17)
- <Possible follow-ups>
- RE: Pubstro rash k levinson (Mar 17)
- RE: Pubstro rash David LeBlanc (Mar 18)
- Re: Pubstro rash Brian Eckman (Mar 28)
- RE: Pubstro rash Joshua Berry (Mar 18)
- Re: Pubstro rash Jeff Kell (Mar 18)
- Re: Pubstro rash Valdis . Kletnieks (Mar 18)