Tricks with Policies and Profiles in Windows NT.
Vacuum of Rhino9 & Technotronic
vacuum@technotronic.com
==============================================================
Workarounds for common system policy restrictions
Security hole within winnt\profiles and malicious executables
NetBIOS shares technique revisited
Information gathering within NT
==============================================================

System Policy workarounds:

System Policies are implemented to restrict the user from performing certain tasks.

Installing Printers:
If you do not have access to the Printers folder from Start/Settings/Printers or from the My Computer icon:
Click Network Neighborhood. Double-click on your computer name. The Printers folder will be available. Open the folder and double-click on the Add Printer icon to start the Printer Installation Wizard.

Control Panel Restrictions:
If you do not have access to the Control Panel from Start/Settings/Control Panel or from the My Computer icon:
Click Start/Help/Index. (If you do not have Help, you can open it using Explorer or My Computer: double-click on C:\winnt\System32\control.hlp.) Search for "Control Panel". All of the normally displayed icons appear as help topics. If you click on "Network", for example, a Windows NT Help screen appears with a nice little shortcut to the Control Panel Network settings. Printers can also be installed using this method as well as the method mentioned above. Network options can also be accessed by right-clicking on Network Neighborhood and then selecting Properties.

Missing Command Prompt:
Start NT Explorer, change to c:\winnt\system32 and double-click on COMMAND.COM; a command prompt will start. This is also well known, but included for thoroughness.
Find Command is gone from Start/Find or from within NT Explorer:
To find a computer, if you have a command prompt:
NET VIEW is like Network Neighborhood.
NET VIEW \\COMPUTERNAME is like double-clicking on a computer within Network Neighborhood.
NET USE x: \\Computername\Sharename maps a drive letter to the share.
Finding a file is simple: dir filename.ext /s

Run Command Missing:
This is rather obvious but I will include it as it is a valid system policy restriction. Navigate your hard disk using My Computer, winfile or NT Explorer. Double-click on the program you wish to run. Duh!

System Policies that I have NOT found a workaround for yet:
If your display settings are restricted in Control Panel.
If registry editing has been disabled.

====================================================================================
Information Gathering:

Interesting NET commands that can be used to gather information.
NET localgroup will show which groups have been created on the local machine.
NET name will show you the name of the computer as well as who is logged in.
NET accounts will show the password restrictions for the user.
NET share displays the shares for the local machine, including the $ shares which are supposed to be hidden heheh??
NET user will show you which accounts are created on the local machine. This can be useful when adding user names to NAT (the NetBIOS Auditing Tool) to brute force the shares shown using NET share.

===================================================================================
NetBIOS Revisited:

Under NT I usually use NET VIEW \\XXX.XXX.XXX.XXX or NET VIEW \\COMPUTERNAME, then NET USE X: \\XXX.XXX.XXX.XXX or NET USE X: \\COMPUTERNAME\SHARENAME, instead of using NBTSTAT -a or -A and then editing the LMHOSTS file and browsing for the computer. I find that this involves a few unnecessary steps.
===================================================================================
Security Hole in profiles:

Check to see if you have read/write access to the C:\winnt\profiles directory. The following types of programs can be "planted" and executed by the unsuspecting user at startup. Keyloggers and other known exploits such as pwdump and getadmin could be launched. New users logging into the system for the first time will automatically spread the trojan to their profile.

.lnk shortcuts
These are the properties of an evil .lnk file:
C:\WINDOWS\COMMAND\START.EXE /m command.com /c mkdir c:\trojan
or, to add an entry to the registry:
C:\WINDOWS\COMMAND\START.EXE /m command.com /c trojan.reg
NOTE: /m is used to minimize the window; another available option is /wait, which will cause the program to wait until the other program exits.

.bat and .cmd batch files
.com and .exe executables
.reg registry files can be executed to update or add to the registry

A malicious executable file can be planted in:
C:\WINNT\Profiles\Default User\Start Menu\Programs\Startup

NTFS partitions will have these default permissions:
Administrators  Full Control
Everyone        Read
System          Full Control

However, remote NetBIOS attacks can be accomplished through a compromised C$ (administrative share), using a tool like NAT.EXE (NetBIOS Auditing Tool), or through an ill-advised Everyone/Full Control share (which is Microsoft's default share type). FAT partitions have no file level security.

New users logging into the system would automatically execute this program every time they log in. If this is done on NT Workstation the attack will only spread to new users logging into the workstation locally. If this attack is performed on an NT domain controller it would spread throughout the domain profiles.

It is also possible to plant the "seed" into existing users' profiles:
C:\WINNT\Profiles\userid of existing user\Start Menu\Programs\Startup

Hiding Detection
Replace an existing startup program with the trojan.
For example, replace McAfee's antivirus program viruscan.exe with the evil program. Use a shareware utility like Microangelo to alter the icon of the program. Change the
Now each time the existing user logs into the machine they would also execute this code.

C:\WINNT\SYSTEM32\REPL\IMPORT\SCRIPTS
Falls under the exact same restrictions as the Default User Startup menu.

.reg files can be made to do the same thing. Example: cut and save as trojan.reg
----cut here--
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VirusScan"="ik.exe"
---cut here--

To get the executable to start before the login process:
----cut here--
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"VirusScan"="ik.exe"
----cut here--
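A defender's check for the .reg technique above, added here as an example and not part of the original text: it parses a REGEDIT4-format file and flags any value written under a Run, RunOnce, RunServices or RunServicesOnce key before the file is imported. The sample file is constructed and mirrors the trojan.reg shown above.

```python
"""Flag auto-start entries in a REGEDIT4-format .reg file (added example).
Sample input below is constructed and mirrors the trojan.reg above."""
import re

# Auto-start keys that NT/9x process at boot or logon; RunServices runs
# before the login process, as the text notes.
AUTOSTART_KEYS = ("run", "runonce", "runservices", "runservicesonce")

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')


def parse_reg(text):
    """Yield (key, value_name, raw_data) for each value in the .reg text."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank lines and comments
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)  # new [key] section
            continue
        m = VALUE_LINE.match(line)
        if m and key is not None:
            yield key, m.group(1), m.group(2)


def find_autostart_entries(text):
    """Return [(key, name, data)] for values landing in an auto-start key."""
    hits = []
    for key, name, data in parse_reg(text):
        leaf = key.rsplit("\\", 1)[-1].lower()  # last path component
        if leaf in AUTOSTART_KEYS:
            hits.append((key, name, data))
    return hits


# Constructed sample: one auto-start entry plus one harmless value.
SAMPLE_REG = """REGEDIT4

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices]
"VirusScan"="ik.exe"

[HKEY_CURRENT_USER\\Software\\Example\\Settings]
"Theme"="classic"
"""

if __name__ == "__main__":
    for key, name, data in find_autostart_entries(SAMPLE_REG):
        print("auto-start entry: %s -> %s = %s" % (key, name, data))
```

Running it on the sample reports the RunServices value and ignores the unrelated key.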