Re: Pubstro rash

[Brian Eckman <eckman () umn edu>]

(attempted to fixed top-post)

> > David Gillett wrote:
> > >  Further detail:  I'm being told that all of the compromised 
> > > workstations are running 2KPro or NTW.  So that suggests that the 
> > > attackers are getting in through a hole that is fixed in XP or its 
> > > service packs.

> Nick Fitzgerald wrote:
> > Or poor password policies...
> >
> > Most pubstros I've seen succeed do so with just password guessing (and
> > relatively trivial guessing at that) -- not that they don't have other
> > methods, just that pwd guessing gets them plenty of victims.  Are these
> > machines visible to the world for any kind of standard NT authentication
> > connections?  If so, start with the simplest (and probably most likely),
> > which is user slackness (blank, "admin", "guest", "pass", "aaaaa",
> > "qwerty", "12345", etc passwords).
> >
> > Vulns common to NT and 2K but not XP would be fairly rare (other than in
> > non-XPSP2 IE 6??), unless you have very limited patch control over
> > non-XP machines but good control of XP patching.
> >
> >
> > Regards,
> >
> > Nick FitzGerald

David LeBlanc wrote:

> That would be a good guess. XP was the first version where blank
> passwords can only be used at the console.

<snip>

Not only that, but XP was the first version where anonymous enumeration of 
users was turned off by default. That means folks can typically only 
remotely crack passwords against the built-in Administrator account on 
Windows XP (assuming it hasn't been renamed), while they can (and do) 
easily obtain a list of all accounts on Windows 2000 and NT to try weak 
passwords against all of the accounts. (Unless folks turned off anonymous 
enumeration of users on their Win2k/NT4 machines, but we all know that's rare.)

We see this type of attack regularly in the .EDU world. Folks break into 
one computer via <some method>. They put a backdoor server on it (typically 
ServU FTP, but some groups have more of an imagination), load on some 
password cracking tools, and aim them at the local network's IP space. The 
tools commonly used automatically try to enumerate a list of accounts on 
target computers and try a small dictionary against all accounts, as well 
as dynamically try using the username itself as that username's password. 
(For example, if it finds an account named "user612", it will automatically 
try "user612" as the password.)

It's also very common for hacked machines to have pwdump2 (or pwdump3) run 
on them, and the attackers will grab the results and (easily) break the 
LANMAN hashes. They will then import the results into their custom 
dictionary file for your network and rescan. In areas that have the same 
administrator password on many machines, the results can be devistating.

(Imagine an administrator password of "G5&cv@A6-zc1", as an example. Nobody 
is reasonably going to crack that by brute force or a dictionary attack. 
However, if there is a local administrative user named "brian" on that same 
computer, that has a password of "brian", or some other dictionary word, 
the attacker can grab the entire password database, locate the LANMAN hash 
for the administrator account, and break it in minutes[1]. They can then 
add "G5&cv:A6-zc1" to their dictionary, resume password cracking on your 
network, and all boxes that have File and Print Sharing enabled with that 
as the Administrator password are now 0wned.)

[1] http://www.antsight.com/zsl/rainbowcrack/

Brian

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota