NT
Last update: Sunday, Dec 22, 1996



FTP admin on NT server
WWW admin on NT
gopher admin on NT
These are some of the default scripts that come with NT for system administration. The scripts must be configured for a particular server running NT Server 4 (you have to save the .htm and then modify it yourself)... With these it could be easy to deny access to all IPs, effectively shutting down a WWW server, a gopher server or even an FTP server..
If you need to find out what kind of server a machine on the internet is running, then click here... This is a useful link.
Anyway, don't ask questions about these, just see what you come up with (look around for that 'Powered By BackOffice' logo). I will be posting a lot of other info about NT here, such as script hacks etc. Each of these files must be configured for the machine you want to gain access to; I did not configure them for any particular machine, for legal reasons..
Some portions (c) copyright Microsoft, and MS Windows NT 4.0(tm)..
I am not posting this to piss anyone off, just to show that if you don't change the default configuration in NT Server, you may be in trouble if someone gets hold of the default scripts and modifies them to access another server, which to my knowledge has been done..
This is a possible problem which has not been exploited fully..

Holes which can be exploited:

Port 80 has a massive problem in NT 4.0 (see posting below).
FTP and POP on NT servers are not encrypted, so with a simple packet sniffer it would be easy to snag legitimate logins and passwords by pointing the sniffer at the machine and port.
CHARGEN, or port 19, which dumps endless ASCII crap when connected to, is a prime target for a flood: suppose an IP-spoofed flood comes in (ICMP, UDP, whatever) and queries this port a few thousand times, perhaps over a period of hours; the server will be shut down..
DNS port 53 is by default an open port on NT, which makes it very easy to play around in this port..
SNMP port 161 could be used to enable the NT performance monitor, by which a large amount of data about the targeted server could be obtained very easily.
RSH and RCMD, ports 513 and 514 respectively, can be used to issue remote commands.
The RIP port (520), which uses UDP, is another that could be used to spoof commands to a server (send some mail via spoofed UDP to a forwarding address or whatever..).
In NT 3.51 the REMOTE.exe and RSHSVC.exe files (though RSHSVC is supposed to be more secure) can be used to issue commands over these servers with no restrictions. This could be potentially bad.
anyway, be good and
Have fun..


Here is some info that appeared in the Sneakers mailing list about port 80 in NT 4.0.

A lot of people are using the Microsoft Internet Information Server for 
their corporate web sites and intranets.

The following procedure will halt the web services and effectively "kill"
 whatever web server they may have.

  1. telnet the server on port 80 (if 80 is the http port)
  2. GET ../..

It definitely works on NT4 + SP1 + IIS2.0.  There are conflicting reports 
of its effectiveness on 3.51, etc.

Microsoft has briefly addressed the problem stating that upgrading to 
IIS3.0 will solve the problem, however, I have also heard conflicting 
reports about that.

I guess a quick fix would be to move the http server to some other port 
that would take a long time to guess, or you could set up your NT server 
to reboot every 1.5 minutes.

But I digress.
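A defender's way to screen for the request line quoted above, as an added example that is not part of the original page or the Sneakers post: a Python filter that rejects relative or root-escaping request targets before they reach a server that mishandles them. The sample lines are constructed, and the decoding of %xx escapes and backslashes goes beyond the plain form shown on the page.

```python
import re
from urllib.parse import unquote

# Request-line grammar. The HTTP version token is optional because the
# HTTP/0.9 form (e.g. "GET ../..", as on the page) carries none.
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)(?:\s+(?P<version>HTTP/\d\.\d))?$")


def classify_request_line(line):
    """Return ("accept", normalized_path) or ("reject", reason)."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return ("reject", "malformed request line")
    # Drop the query string, decode %xx escapes and treat '\' like '/', so
    # encoded or backslash-disguised traversal is caught too (beyond the page).
    path = unquote(m.group("target").split("?", 1)[0]).replace("\\", "/")
    if not path.startswith("/"):
        return ("reject", "relative request target")
    depth, kept = 0, []
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:          # escaped above the document root
                return ("reject", "traversal above document root")
            kept.pop()
        elif seg and seg != ".":
            depth += 1
            kept.append(seg)
    return ("accept", "/" + "/".join(kept))


# Constructed sample request lines (not captured traffic).
SAMPLE_LINES = [
    "GET ../..",
    "GET /../.. HTTP/1.0",
    "GET /%2e%2e/%2e%2e/ HTTP/1.0",
    "GET /scripts/../index.htm HTTP/1.0",
    "GET /index.htm?x=1 HTTP/1.0",
]


def suspicious_requests(lines):
    """Return (line, reason) for every request line the filter rejects."""
    out = []
    for line in lines:
        verdict, detail = classify_request_line(line)
        if verdict == "reject":
            out.append((line, detail))
    return out


if __name__ == "__main__":
    for line, why in suspicious_requests(SAMPLE_LINES):
        print("REJECT %-40s %s" % (line, why))
```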

Letter sent to 2600 by me:

Other problems related to NT4: there is a default file called ism.html on IIS that can be used for doing remote/local administration on a server. The security of this file is horribly poor; each NT machine has a default account called "Administrator" and half of the servers out there are using the domain name as the password, or the machine name as the password.

The FTP accounts on NT servers running virtual servers are very bad also. With "mainhost" being the host machine, for a virtual server: ftp://ftp.mainhost.com/home/www.virtualhost.com/cgi-bin/filename.cgi will give you access to that file and call it up on the screen if you are using a web browser. Now if you then go to the main directory, e.g. ftp.*.*/home/www.*.*/cgi-bin, it then lists the scripts; if you're in a web browser you can view all the scripts on screen and check for any bugs, then pull up the web browser and access those scripts using http://www.virtualhost.com/cgi-bin/filename.cgi?command and you can run the script having found the bugs, and this is all from the anonymous FTP login. It works at Microsoft.com as long as you know the directory structure you want to go to, even if the directory is hidden in anonymous FTP. This bug is lethal... If you would like an article that fully covers more bugs and NT hacks let me know.

You can play around with servers by searching for Microsoft+Internet+Information+Server and/or ism.html or default.html... There is a default account called "administrator" which usually has the same password as the "name" of the individual machine; for instance some of the Japanese servers out there have been compromised in this way.


Check out some of the NT stuff at the Virtually Unix project

Click here for probably one of the most comprehensive pages with utils for NT