[Fwd: 22 *potential* Windows 2000 holes]

[Blue Boar <BlueBoar () THIEVCO COM>]

Vamprella wrote:
> My mail server at home is wacky. I don't know if this post got to the list.
> Please post if it didn't.
> Thanks,
> Vamprella
>
> "This list exists to allow people to report potential or undeveloped holes.
>  The idea is to help people who lack expertise, time, or information about
> how to exploit a hole do so." So, I have all these ideas about potential
> W2K holes. But, I don't know where to go after the theory part so I'm
> posting here. Since I've had this stuff around for awhile, if it doesn't
> all make sense, forgive me. Please be warned that some of these ideas seem
> really evil. They are just theories and I'd prefer to announce them to
> Microsoft and post on BugTraq if any of them come to fruition, than do
> anything harmful because I love and respect computers. Anyway, here are
> just a *few* ideas. I hope this isn't complete information overload.This
> should keep everyone busy for a couple of days.
>
> 1. Reboot Active Directory Restore in recovery mode. It's possible the
> password is blank. Remotely reboot Active directory is the password is
> blank. Insert a new domain admin account, reboot again with the normal
> admin account. This should take only 5 minutes and other than the
> start-up/shutdown logs, no one would know (there wouldn't be any way to
> trace it).
>
> 2. Why can't MS throw out pirate software with mods such as /cmd: during
> installation so they know who is using the pirated software? What about
> companies that use pirated software but have actual licenses?
>
> 3. Is it possible to add yourself to the Global Catalog and automatically
> have transitive trusts? In order to add yourself to the Global Directory
> from outside the network, you have to have rights and hack an account
> first. Are there any default accounts that can be used?
>
> 4. One huge company is connected to another huge company. Everyone has
> access to everything. The original hacker gets away in the mass confusion.
> Even if it's caught right away, the replications between the different
> Domain Controllers will take some time. This will be enough time to really
> screw things up.
> 5. Make a duplicate SID, make the USN higher than the original. Run
> Security account management in ntdsutil (@ command prompt) to get rid of
> duplicate SID clean up and manage the Security Account Database. You now
> have access.
>
> 6. what are the qualities/components to establish that one computer trusts
> another? Is it possible to spoof  trust? What is the weakest link? Attack
> that weakest link to do the spoof.
>
> 7. Is is possible to force a Full Zone transfer?
> Make client serial number lower than the serial number of the oldest
> version of the zone on the server. Would the number 1 work? Is there a
> checksum or any other type of redundancy checking going on?
> If the server responding to the IXFR doesn't recognize the query type, the
> client can initiate an AXFR. So, just initiate an AXFR.
> This will give you IP addresses and Host names. Yippee! Can any IP address
> requests the zone transfer info from the master server or must they be on
> the zone database file? How can a client spoof them self on the zone
> database file and then request a full zone transfer? May only work on W2K
> professional. All other versions of W2K, the zone data is stored as an
> active directory object.
> How would you change the serial number of the IXFR request?
>
> 8. The more it's automated, the easier it is to break! DNS Dynamic update
> protocol. Updates DNS servers automatically so resource records can be
> updated w/o administrator intervention. Could there be a possible buffer
> overflow to write-in your IP address? Or, grab an IP on the network using
> DHCP. Is DHCP still used? Only secure updates is when  Active Directory is
> installed. W2K professional doesn't come with Active Directory. Otherwise,
> the zone and the resource records can be modified by users w/o
> authorization. This means ALL W2K professional machines.
> 9.  How hard would it be to make a 'trojan' Active Directory? It sounds
> like it's similar to PC Anywhere. If it uses a consistent management
> interface, can't we just copy that and spoof as if we're the Domain Admin?
> Would this bypass the username/password since only the Domain Admin would
> have access to the management of the Active directory. Since you can
> "monitor " routers, can you get in through the routers (since the
> monitoring must send TCP/IP packets back and forth) and then bypass any/all
> firewalls or get info from the network. Do routers sit outside the
> firewalls? Is so, it's a great way to get packets into the secured network.
> Once in active directory as an admin, does it continue to verify credentials?
> 10. With using Active Directory, may have to break Kerberos V.5 or x.509
> certificates which may be tough. Unless, you get into Active Directory
> after the certificate information is passed and before the 'good stuff' is
> presented. Something similar to TCP/IP piggyback or TCP/IP hijacking. Can a
> man in the middle attack be done between the authorization of the Kerberos
> Certificate and when the other information is passed?
>
> 11. With transitive trusts, is it possible that all computers can link to
> each other until eventually, everyone is trusting everyone and we're really
> all on one BIG network. Ah, we can dream, can't we? Won't this make
> security fun if everything is completely open?
>
> 12. Is it possible to write a program (like looking for MX records in DNS)
> to get a mail server, ldap server, etc. Then, it could be put in a nice
> graphical interface.
>
> 13. Can you spoof being a domain controller on the network?
> 14. Figure out the Knowledge consistency checker and break it. Starts every
> time the machine is started. Put in info and when the machine is rebooted,
> the trojan Knowledge consistency checker will run.
>
> 15. How would one get into the Bridge Head Servers?
>
> 16. KCC promotes one machine to be the Inter ..... topology ..... That
> means if you have access to that, you'll have access to the topology of the
> network.
>
> 17. Publishing Software - Document Invocation - Starts application when
> unknown file type is double-clicked on. Isn't this the same problem with
> the ILY.vbs virus?
>
> 18. There's no audit trail on Software deployment
>
> 19. Terminal server Licenses aren't ever checked against the License
> Server. If you reinstall the license server, isn't it like having 50 new
> licenses to assign?
>
> 20. Can we write a program that sets dial-up-networking to always call back
> to a specific number? It would bring down the company's remote access for a
> little while but would be really annoying to the victim's home number.
> Imagine a computer calling again and again and again. And, if it's traced,
> it won't come from your number and can't be traced back to you.
>
> 21. With implementing Connection Sharing, put a trojan on the other
> computer than just wait until the target computer connects to you and lets
> you have access to the network.
>
> 22. With Remote Installation Services, how does it know the computer is
> *really* on the network when it downloads the information to a new machine?
> There are 4 things that are needed, this is a possible way of getting
> around this.
> DNS Records - do a full zone transfer mentioned above
> DHCP - Steal an IP or hijack an address.
> Active Directory - Can install it on the machine
> Answer file - make your own on a floppy and trojan it into the network (if
> it's downloading from the network).
>
> Your Best Friend,
> Vamprella
> ---
>
> http://www.vamprella.com -- 1998 SN&R Award  -- 1999 Losers Award
> "Worship Me and Await Instructions"