Vulnerability Development mailing list archives
[Fwd: 22 *potential* Windows 2000 holes]
From: Blue Boar <BlueBoar () THIEVCO COM>
Date: Thu, 17 Aug 2000 14:47:01 -0700
Vamprella wrote:
My mail server at home is wacky. I don't know if this post got to the list. Please post if it didn't. Thanks, Vamprella

"This list exists to allow people to report potential or undeveloped holes. The idea is to help people who lack expertise, time, or information about how to exploit a hole do so."

So, I have all these ideas about potential W2K holes. But I don't know where to go after the theory part, so I'm posting here. Since I've had this stuff around for a while, if it doesn't all make sense, forgive me. Please be warned that some of these ideas seem really evil. They are just theories, and I'd prefer to announce them to Microsoft and post on BugTraq if any of them come to fruition than do anything harmful, because I love and respect computers. Anyway, here are just a *few* ideas. I hope this isn't complete information overload. This should keep everyone busy for a couple of days.

1. Reboot Active Directory Restore in recovery mode. It's possible the password is blank. Remotely reboot Active Directory if the password is blank. Insert a new domain admin account, reboot again with the normal admin account. This should take only 5 minutes, and other than the start-up/shutdown logs, no one would know (there wouldn't be any way to trace it).

2. Why can't MS throw out pirate software with mods such as /cmd: during installation so they know who is using the pirated software? What about companies that use pirated software but have actual licenses?

3. Is it possible to add yourself to the Global Catalog and automatically have transitive trusts? In order to add yourself to the Global Directory from outside the network, you have to have rights and hack an account first. Are there any default accounts that can be used?

4. One huge company is connected to another huge company. Everyone has access to everything. The original hacker gets away in the mass confusion. Even if it's caught right away, the replications between the different Domain Controllers will take some time. This will be enough time to really screw things up.

5. Make a duplicate SID, make the USN higher than the original. Run Security account management in ntdsutil (at the command prompt) to get rid of duplicate SIDs, clean up and manage the Security Account Database. You now have access.

6. What are the qualities/components needed to establish that one computer trusts another? Is it possible to spoof trust? What is the weakest link? Attack that weakest link to do the spoof.

7. Is it possible to force a full zone transfer? Make the client serial number lower than the serial number of the oldest version of the zone on the server. Would the number 1 work? Is there a checksum or any other type of redundancy checking going on? If the server responding to the IXFR doesn't recognize the query type, the client can initiate an AXFR. So, just initiate an AXFR. This will give you IP addresses and host names. Yippee! Can any IP address request the zone transfer info from the master server, or must they be on the zone database file? How can a client spoof themselves onto the zone database file and then request a full zone transfer? May only work on W2K Professional. On all other versions of W2K, the zone data is stored as an Active Directory object. How would you change the serial number of the IXFR request?

8. The more it's automated, the easier it is to break! DNS Dynamic Update protocol: updates DNS servers automatically so resource records can be updated w/o administrator intervention. Could there be a possible buffer overflow to write in your IP address? Or, grab an IP on the network using DHCP. Is DHCP still used? Secure updates are only available when Active Directory is installed. W2K Professional doesn't come with Active Directory. Otherwise, the zone and the resource records can be modified by users w/o authorization. This means ALL W2K Professional machines.

9. How hard would it be to make a 'trojan' Active Directory? It sounds like it's similar to PC Anywhere. If it uses a consistent management interface, can't we just copy that and spoof as if we're the Domain Admin? Would this bypass the username/password, since only the Domain Admin would have access to the management of the Active Directory? Since you can "monitor" routers, can you get in through the routers (since the monitoring must send TCP/IP packets back and forth) and then bypass any/all firewalls or get info from the network? Do routers sit outside the firewalls? If so, it's a great way to get packets into the secured network. Once in Active Directory as an admin, does it continue to verify credentials?

10. With Active Directory, you may have to break Kerberos V.5 or X.509 certificates, which may be tough. Unless you get into Active Directory after the certificate information is passed and before the 'good stuff' is presented. Something similar to TCP/IP piggybacking or TCP/IP hijacking. Can a man-in-the-middle attack be done between the authorization of the Kerberos certificate and when the other information is passed?

11. With transitive trusts, is it possible that all computers can link to each other until eventually everyone is trusting everyone and we're really all on one BIG network? Ah, we can dream, can't we? Won't this make security fun if everything is completely open?

12. Is it possible to write a program (like looking for MX records in DNS) to get a mail server, LDAP server, etc.? Then it could be put in a nice graphical interface.

13. Can you spoof being a domain controller on the network?

14. Figure out the Knowledge Consistency Checker and break it. It starts every time the machine is started. Put in info, and when the machine is rebooted, the trojan Knowledge Consistency Checker will run.

15. How would one get into the Bridgehead Servers?

16. KCC promotes one machine to be the Inter ..... topology ..... That means if you have access to that, you'll have access to the topology of the network.

17. Publishing Software - Document Invocation - starts an application when an unknown file type is double-clicked on. Isn't this the same problem as with the ILY.vbs virus?

18. There's no audit trail on software deployment.

19. Terminal Server licenses aren't ever checked against the License Server. If you reinstall the License Server, isn't it like having 50 new licenses to assign?

20. Can we write a program that sets Dial-Up Networking to always call back to a specific number? It would bring down the company's remote access for a little while but would be really annoying to the victim's home number. Imagine a computer calling again and again and again. And, if it's traced, it won't come from your number and can't be traced back to you.

21. With implementing Connection Sharing, put a trojan on the other computer, then just wait until the target computer connects to you and lets you have access to the network.

22. With Remote Installation Services, how does it know the computer is *really* on the network when it downloads the information to a new machine? There are 4 things that are needed; this is a possible way of getting around them:
DNS records - do a full zone transfer, mentioned above
DHCP - steal an IP or hijack an address
Active Directory - can install it on the machine
Answer file - make your own on a floppy and trojan it into the network (if it's downloading from the network)

Your Best Friend,
Vamprella
---
http://www.vamprella.com -- 1998 SN&R Award -- 1999 Losers Award
"Worship Me and Await Instructions"
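Items 7 and 12 above ask how an IXFR request carries its serial, how one falls back to an AXFR, and how a program would locate an LDAP server through DNS. The following is an added example (editor's code, not part of Vamprella's post or of any Windows 2000 component) that builds those three queries by hand in the DNS wire format, parses the SRV answers, and classifies the server's reply so that a practitioner can check whether a name server actually refuses zone transfers from an arbitrary client. It uses only the Python standard library. The zone `example.com`, the host `dc1`, the SOA placeholder names and both sample replies are constructed for illustration; `query_tcp` is the only function that touches the network and is not exercised by the samples.

```python
# Added example, not code from the original post: the DNS queries items 7 and
# 12 speculate about (AXFR, IXFR carrying a chosen serial, SRV lookup of
# _ldap._tcp) built by hand, plus a reply classifier. Standard library only;
# every name and sample reply below is constructed for illustration.
import socket
import struct

QTYPE = {"SOA": 6, "SRV": 33, "IXFR": 251, "AXFR": 252}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Dotted name -> uncompressed DNS labels."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234, serial=None):
    """Header + one question. IXFR also carries the client's SOA, i.e. the
    serial it claims to hold, in the authority section (RFC 1995)."""
    nscount = 1 if qtype == "IXFR" else 0
    msg = struct.pack("!HHHHHH", txid, 0, 1, 0, nscount, 0)
    msg += encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)
    if qtype == "IXFR":
        if serial is None:
            raise ValueError("IXFR needs the serial you claim to have")
        # MNAME/RNAME are placeholders; the server only looks at the serial.
        rdata = encode_name("ns." + name) + encode_name("hostmaster." + name)
        rdata += struct.pack("!IIIII", serial, 3600, 600, 86400, 3600)
        msg += encode_name(name) + struct.pack("!HHIH", QTYPE["SOA"], 1, 0, len(rdata)) + rdata
    return msg


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                              # refuse pointer loops
                raise ValueError("pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), off if end is None else end


def parse_header(resp):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "rcode": RCODE.get(flags & 0xF, str(flags & 0xF)),
            "qdcount": qd, "ancount": an}


def parse_srv_answers(resp):
    """[(priority, weight, port, target)] from the answer section."""
    h, off, out = parse_header(resp), 12, []
    for _ in range(h["qdcount"]):
        off = decode_name(resp, off)[1] + 4            # skip QTYPE/QCLASS
    for _ in range(h["ancount"]):
        off = decode_name(resp, off)[1]
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == QTYPE["SRV"]:
            prio, weight, port = struct.unpack("!HHH", resp[off:off + 6])
            out.append((prio, weight, port, decode_name(resp, off + 6)[0]))
        off += rdlen
    return out


def classify_reply(resp):
    """'refused': a transfer ACL is enforced; 'notimp': no IXFR, fall back to
    AXFR (RFC 1995 s.4); 'answered': records came back; else the rcode."""
    h = parse_header(resp)
    if h["rcode"] in ("REFUSED", "NOTIMP"):
        return h["rcode"].lower()
    return "answered" if h["rcode"] == "NOERROR" and h["ancount"] else "other:" + h["rcode"]


def query_tcp(server, msg, timeout=5.0):
    """Send one query over TCP (transfers are TCP-only); return the first reply."""
    def recv_exact(s, n):
        buf = b""
        while len(buf) < n:
            chunk = s.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("short read")
            buf += chunk
        return buf
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(msg)) + msg)
        return recv_exact(s, struct.unpack("!H", recv_exact(s, 2))[0])


# Constructed sample replies (not captured from a real server).
_Q = encode_name("_ldap._tcp.example.com") + struct.pack("!HH", QTYPE["SRV"], 1)
SAMPLE_SRV_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _Q
                    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE["SRV"], 1, 600, 12)
                    + struct.pack("!HHH", 0, 100, 389) + b"\x03dc1" + b"\xc0\x17")
SAMPLE_REFUSED = (struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0)
                  + encode_name("example.com") + struct.pack("!HH", QTYPE["AXFR"], 1))
```

The serial the post asks about is simply the `serial=` argument of `build_query(..., "IXFR", serial=...)`; under RFC 1995 a server that cannot serve a delta from that serial answers with the whole zone, and one that does not implement IXFR answers NOTIMP, which `classify_reply` reports as the cue to retry with AXFR. Against a live server the check is `classify_reply(query_tcp(server, build_query(zone, "AXFR")))`: anything other than `refused` from an address that is not a configured secondary means the zone is handed out to whoever asks. The code only reports what the server did; it says nothing about which Windows 2000 configurations restrict transfers, which the post does not establish either.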
Current thread:
- [Fwd: 22 *potential* Windows 2000 holes] Blue Boar (Aug 17)
- Re: [Fwd: 22 *potential* Windows 2000 holes] Timothy J. Miller (Aug 18)
- <Possible follow-ups>
- Re: [Fwd: 22 *potential* Windows 2000 holes] Symon Thurlow (Aug 21)