(attempted to fixed top-post)
>> David Gillett wrote:
>>>
>>> Further detail: I'm being told that all of the compromised
>>> workstations are running 2KPro or NTW. So that suggests that the
>>> attackers are getting in through a hole that is fixed in XP or its
>>> service packs.
> Nick Fitzgerald wrote:
>> Or poor password policies...
>>
>> Most pubstros I've seen succeed do so with just password guessing (and
>> relatively trivial guessing at that) -- not that they don't have other
>> methods, just that pwd guessing gets them plenty of victims. Are these
>> machines visible to the world for any kind of standard NT authentication
>> connections? If so, start with the simplest (and probably most likely),
>> which is user slackness (blank, "admin", "guest", "pass", "aaaaa",
>> "qwerty", "12345", etc passwords).
>>
>> Vulns common to NT and 2K but not XP would be fairly rare (other than in
>> non-XPSP2 IE 6??), unless you have very limited patch control over
>> non-XP machines but good control of XP patching.
>>
>>
>> Regards,
>>
>> Nick FitzGerald
David LeBlanc wrote:
> That would be a good guess. XP was the first version where blank
> passwords can only be used at the console.
<snip>
Not only that, but XP was the first version where anonymous enumeration of
users was turned off by default. That means folks can typically only
remotely crack passwords against the built-in Administrator account on
Windows XP (assuming it hasn't been renamed), while they can (and do)
easily obtain a list of all accounts on Windows 2000 and NT to try weak
passwords against all of the accounts. (Unless folks turned off anonymous
enumeration of users on their Win2k/NT4 machines, but we all know that's rare.)
We see this type of attack regularly in the .EDU world. Folks break into
one computer via <some method>. They put a backdoor server on it (typically
ServU FTP, but some groups have more of an imagination), load on some
password cracking tools, and aim them at the local network's IP space. The
tools commonly used automatically try to enumerate a list of accounts on
target computers and try a small dictionary against all accounts, as well
as dynamically try using the username itself as that username's password.
(For example, if it finds an account named "user612", it will automatically
try "user612" as the password.)
It's also very common for hacked machines to have pwdump2 (or pwdump3) run
on them, and the attackers will grab the results and (easily) break the
LANMAN hashes. They will then import the results into their custom
dictionary file for your network and rescan. In areas that have the same
administrator password on many machines, the results can be devistating.
(Imagine an administrator password of "G5&cv_at_A6-zc1", as an example. Nobody
is reasonably going to crack that by brute force or a dictionary attack.
However, if there is a local administrative user named "brian" on that same
computer, that has a password of "brian", or some other dictionary word,
the attacker can grab the entire password database, locate the LANMAN hash
for the administrator account, and break it in minutes[1]. They can then
add "G5&cv:A6-zc1" to their dictionary, resume password cracking on your
network, and all boxes that have File and Print Sharing enabled with that
as the Administrator password are now 0wned.)
[1] http://www.antsight.com/zsl/rainbowcrack/
Brian
--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
Received on Mar 28 2005
Intro
