From: Attonbitus Deus (Thor@HAMMEROFGOD.COM)
Date: Sun Apr 15 2001 - 16:35:56 CDT
The key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA, and the
value name is RestrictAnonymous.

In NT 4.0, RestrictAnonymous only supports a value data of 0 or 1. Win2k
supports 0, 1 and a new value data of 2: no access without explicit
permissions, meaning that RA=2 will even keep you from doing a [net use
\\box\ipc$ "" /user:""].

And you are correct: setting RA=1 does break some functionality, and RA=2
breaks even more. However, the entire implementation of RA is funky; it
doesn't really keep me from enumerating users via a null session.
Though it will make DumpSec fail, along with other programs that use most of
the Net* API calls, it does not put ACLs on LookupAccountName or
LookupAccountSid (that is why user2sid/sid2user still work with RA=1).
Additionally, one can make calls to NetUserGetInfo as a null user to return
all account information on both NT and Win2k (even extended schema info on 2k).

I combined these calls together in UserDump to allow you to effectively dump
the entire user base with a single command line as the null user even with
RA=1 set. (Feel free to check it out at
http://www.hammerofgod.com/download.htm)

So, setting RA=1 doesn't really do much for you, and setting RA=2 normally
breaks so much necessary functionality that it is not used, meaning that we
can always dump all of your users if we want to. Though the MS security team
has been after Dev to change this for a while, it still remains an issue.
Word on the street is that they finally got through to them, and that they
are going to fix these 'holes' in RA=1... That is really what is necessary,
and I will be happy when I see it. Until then, keep your net-facing boxes
blocking UDP 137, 138 and 445, and TCP 139 and 445.
---------------------------------
Attonbitus Deus
Thor
HammerofGod.Com
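Added example (not code from this thread, and not UserDump): the point Thor makes is that RA=1 ACLs the Net* enumeration calls but leaves LookupAccountName/LookupAccountSid alone, so once an attacker has the domain SID from one known name (user2sid), sid2user can walk RIDs one at a time. The block below implements the SID plumbing that walk needs: the binary SID layout LookupAccountSid consumes, domain/RID splitting, and the candidate order (well-known RIDs first, then the 1000+ user range). The domain SID and the lookup table are constructed for the example; `sample_lookup` stands in for LookupAccountSid over a null session and is not a real API.

```python
"""SID encode/decode and RID walking (added example; assumes a constructed domain)."""
import struct
from typing import Callable, Dict, Iterator, List, Optional, Tuple

# RIDs fixed by Windows; a RID walk tries these before the 1000+ user range.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
}


def parse_sid(sid: str) -> Tuple[int, int, List[int]]:
    """Split 'S-1-5-21-...' into (revision, identifier authority, sub-authorities)."""
    parts = sid.strip().upper().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or authority >= 1 << 48 or len(subs) > 15:
        raise ValueError(f"malformed SID: {sid!r}")
    if any(s >= 1 << 32 for s in subs):
        raise ValueError(f"sub-authority out of range: {sid!r}")
    return revision, authority, subs


def sid_to_bytes(sid: str) -> bytes:
    """Binary SID layout: revision byte, sub-authority count, 48-bit big-endian
    identifier authority, then each sub-authority as a 32-bit little-endian word."""
    revision, authority, subs = parse_sid(sid)
    header = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes; rejects buffers whose length disagrees with the count."""
    if len(raw) < 8:
        raise ValueError("SID buffer too short")
    revision, count = struct.unpack_from("<BB", raw, 0)
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID buffer length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def split_rid(account_sid: str) -> Tuple[str, int]:
    """Separate an account SID into the domain SID and the trailing RID."""
    revision, authority, subs = parse_sid(account_sid)
    if len(subs) < 2:
        raise ValueError(f"no RID to split off: {account_sid!r}")
    domain = "S-" + "-".join(str(x) for x in (revision, authority, *subs[:-1]))
    return domain, subs[-1]


def rid_candidates(domain_sid: str, start: int = 1000, stop: int = 1100) -> Iterator[str]:
    """Candidate account SIDs: well-known RIDs first, then the ordinary user range."""
    for rid in sorted(WELL_KNOWN_RIDS):
        yield f"{domain_sid}-{rid}"
    for rid in range(start, stop):
        yield f"{domain_sid}-{rid}"


def walk_rids(domain_sid: str, lookup: Callable[[bytes], Optional[str]],
              start: int = 1000, stop: int = 1100) -> Dict[int, str]:
    """Resolve every candidate through `lookup` (binary SID -> name, or None).

    `lookup` is whatever answers LookupAccountSid for the target; the caller
    supplies it. Returns {rid: account name} for the SIDs that resolved.
    """
    found: Dict[int, str] = {}
    for candidate in rid_candidates(domain_sid, start, stop):
        name = lookup(sid_to_bytes(candidate))
        if name is not None:
            found[split_rid(candidate)[1]] = name
    return found


# Constructed sample data: a made-up domain SID and the accounts it "contains".
SAMPLE_DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_ACCOUNTS = {
    sid_to_bytes(f"{SAMPLE_DOMAIN_SID}-500"): "Administrator",
    sid_to_bytes(f"{SAMPLE_DOMAIN_SID}-501"): "Guest",
    sid_to_bytes(f"{SAMPLE_DOMAIN_SID}-1000"): "joao",
    sid_to_bytes(f"{SAMPLE_DOMAIN_SID}-1003"): "backup_svc",
}


def sample_lookup(raw_sid: bytes) -> Optional[str]:
    """Stand-in for LookupAccountSid, answering from the constructed table only."""
    return SAMPLE_ACCOUNTS.get(raw_sid)


if __name__ == "__main__":
    for rid, name in sorted(walk_rids(SAMPLE_DOMAIN_SID, sample_lookup, 1000, 1010).items()):
        print(f"{SAMPLE_DOMAIN_SID}-{rid}  {name}")
```

The walk stops at whatever range you give it; in practice the RID counter on an NT domain rarely has gaps below the highest allocated value, so a run of unresolved RIDs is the usual sign you have passed the last account. Note that nothing here needs NetUserEnum, which is exactly why RA=1 does not stop it.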
----- Original Message -----
From: "Keith.Morgan" <Keith.Morgan@TERRADON.COM>
To: <VULN-DEV@SECURITYFOCUS.COM>
Sent: Sunday, April 15, 2001 11:30 AM
Subject: Re: Security Issues ... NT vuln ?
> Beware using that key (it restricts null user sessions) in an environment
> where NT trust relationships are in place. Turning null sessions off
> removes a trusting domain's ability to enumerate users in the trusted
> domain. This causes authentication to fail.
>
> If you have no trust relationships, I highly recommend using the key to
> restrict null sessions.
>
> Keith T. Morgan
> Chief of Information Security
> Terradon Communications
> keith.morgan@terradon.com
> 304-755-8291 x142
>
>
> > -----Original Message-----
> > From: FatFinger [SMTP:fatfinger@UOL.COM.BR]
> > Sent: Friday, April 13, 2001 1:10 PM
> > To: VULN-DEV@SECURITYFOCUS.COM
> > Subject: Re: Security Issues ... NT vuln ?
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > Sekure,
> >
> > Talking about Null Session attacks, it's not as simple as you suggested
> > in your e-mail, but it's also not as big a deal as some people say.
> >
> > In fact, when you find a PDC or a BDC server (talking about *yuck*
> > Windows NT), you can create a null session using standard 'net use'
> > commands from a DOS prompt. If you're successful, you'll open an IPC$
> > connection. With it, you can use some tools like DumpACL (now
> > DumpSec) to get a list of users, even from the Admin group. If I'm not
> > wrong you can find this tool at http://www.systemtools.com
> >
> > Now that you know the users from that system, you can place several
> > different 'net uses' using these usernames with different passwords,
> > which you can try to get using brute force attacks, dictionary
> > attacks, etc. Note that most passwords are weak and easy to crack
> > (and no password is uncrackable).
> >
> > Null Session, in my point of view, can open a system to a
> > confidentiality attack. It's more used to 'probe' for info. If you
> > want to avoid this thing on your servers, there's a reg key you can
> > change. Check the www.microsoft.com web site (security bulletin) to
> > get more info about it. Just remember that some tools need to create
> > null sessions, and changing this reg key can lead you to an
> > availability problem.
> >
> > Any comments, folks?
> >
> > All the best!
> >
> > FatFinger
> >
> >
> > ----- Original Message -----
> > From: "sekure" <sekure@hadrion.com.br>
> > To: <VULN-DEV@SECURITYFOCUS.COM>
> > Sent: Tuesday, April 10, 2001 8:53 AM
> > Subject: Security Issues ... NT vuln ?
> >
> >
> > > Hi guys,
> > >
> > > First, sorry for my poor English.
> > >
> > > I'm sending this mail because I have several questions about security. :-)
> > >
> > >
> > > 1) I saw on my machine that we have a "control of IIS" named Console
> > > Root, but when I call it (on the local machine) it opens a graphical
> > > screen to configure it. Since its name is Console Root, can I use it in
> > > text mode? How? If it is possible, can I use it remotely? Do you know
> > > if all machines have this file/application? The name I use to execute
> > > it is: iis.msc :-)
> > >
> > > 2) I have done tests with netmasks... we know that I can't see
> > > computers with other netmasks... for example, machine A =
> > > 200.210.55.240/255.255.255.248 can't see B =
> > > 200.210.55.241/255.255.255.216... correct? Do you know some way to see
> > > these other machines without changing your netmask? A scanner that
> > > simulates another netmask, I don't know of one!! :-) If you know...
> > > please... tell me!
> > >
> > > 3) I installed NT 4.0 and applied SP6.0... and installed IIS... it
> > > installed IIS 3.0! :) How do I upgrade it to 4.0? Only with Option Pack
> > > 4.0? Is it possible to upgrade to IIS 5.0? How? Where can I get these
> > > upgrades, or the IIS versions themselves?
> > >
> > > 4) I have already seen in several TXTs about security in NT... saying
> > > that it is very dangerous to have NETBIOS/SAMBA. We can connect with a
> > > null session. OK, suppose that I have done it! On my network: "net use
> > > \\192.168.0.100\ipc$ "" /user:""" works very well! But then? What can
> > > I do with it? With it I try to access other shares such as admin$ and
> > > I don't have access. I try to access the registry... and I don't have
> > > access again. Why can it be very dangerous? I can't understand;
> > > suppose that a somewhat lame user has user: "joao" and password: "joao"
> > > and is a normal user (not a member of the admin group). What can I do
> > > with it? Can't access the registry, other shares, c$, d$, e$...!! For
> > > me it is equivalent to a null session. I cannot do anything!! If you
> > > know a good "trick" that I can do with it, please tell me! :-)
> > >
> > > 5) I installed Option Pack 4.0 on my NT+IIS4 to test! :-) It is good,
> > > but when I try tests of the NT box... in IIS... it didn't allow
> > > it...!! :-) I tried to execute... on the NT box... mkilog, dnsform,
> > > cts.idc, *.htx, ... All these files EXIST on my server!! :-) But when
> > > I try to access (execute) one of these files it is not executed; it
> > > returns me "a screen to download the file". I can save the file... or
> > > execute it... if I execute it... it opens a cmd screen, executes it
> > > and closes the window! What is it? A protection of Option Pack 4.0?
> > > NTFS permissions? Permissions on IIS users? How can I change it? How
> > > can I crack it?
> > >
> > > 6) Does somebody know a program for the command line (cmd.exe or
> > > command.com) that can manipulate the registry? To see keys, write to
> > > keys, ...! Do you know? Where can I get it?
> > >
> > > 7) Does the "NT hash" stay in the registry? Who can read it? Where is
> > > it? I looked in my NT with regedit and regedt32... but I couldn't find
> > > it... I saw the key HKEY_LOCAL_MACHINE\SAM\SAM <- but this key appears
> > > blank, and its color is different from the other colors... its color
> > > is gray!! I'm looking as administrator. Is there data in
> > > \HKEY_LOCAL_MACHINE\SAM\SAM? Why can't I see it? How do I see it?
> > >
> > > 8) I'm thinking...! :-) Suppose that I can spoof the network... then I
> > > can see the hashes of the authentication!! Can I take this
> > > authentication and re-send it to the server? Will it accept it only as
> > > one more packet? Or will it accept it as an authorization? If it
> > > works, I can change my privileges from normal user to administrator!
> > > :-) And better... I don't need to lose much time trying to crack the
> > > password from the hash! :-)
> > >
> > > 9) The administrator who puts NTFS security permissions on CMD.EXE and
> > > Command.com and the inetpub folder (with good permissions only for
> > > administrator) without access for IUSR_MACHINE and EVERYONE. Can we
> > > say that their IIS is 100% secure or 99.99999999999%? What can be
> > > done against it?
> > >
> > >
> > > Thanks for all your attention and help in advance.
> > >
> > > Excuse me for the accumulation of questions... =)
> > >
> > > Best regards.
> > >
> > > [ ]'s
> > >
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
> >
> > iQEVAwUBOtcy+O8uJYTAsvxwAQG9jAf/Rf/4lLMFl9AFs/lZqwiPWqnXr11a8OhR
> > y7oTXN1wGMfdJJ9zbTDdR4tCSqY7YOlwj24glPwCa2wFD7B51LfNWBOCQhVvuyzQ
> > sGD/oZUoQ2MsAsZkuYZI2amZl3G1R6QwjR3mUbUVvxsuoikBmkPH+8MRNMHZTAsV
> > PvcfBJAKME5UNZorihSpVdUV+VZzZluu0rzn1NeuwyeCcPWJCkt6SXC4ggOwryE2
> > ttAHvG1sdKmC48Lz4vD4+wo6J36qX5sCVVk4zrWpAiBcVW6kcTZVd1JPo12d3y68
> > Jg5WGsUQme94V0hA0lVBgav5ZbSCRAvhpBZ6mJ8Rui1IbGY3/LxZbQ==
> > =Hau+
> > -----END PGP SIGNATURE-----