Penetration Testing mailing list archives

RE: Using Null Session information from NAT.EXE


From: "Pierre Kroma" <kroma () syss de>
Date: Fri, 2 Nov 2001 01:04:19 +0100

Hi @all,

I wonder why nobody seems to have tested the following nice, alternative and very
powerful tool, called LANguard.
(http://www.gfisoftware.com/languard/lanscan.htm)

I prefer LANguard Network Scanner v2.0 - BETA!
(ftp://ftp.languard.com/lannetscan2.exe)


Feature List:
<snip>
- Scans large networks by sending a UDP status query to every IP.
- Lists the NETBIOS name table for each responding computer.
- Provides NETBIOS hostname, currently logged-on username & MAC address.
- OS detection using SMB queries (Windows 9x/NT/2k/Unix).
- Enumerates all shares on the remote computer (including printers and the
  administrative shares C$, D$, ADMIN$).
- Identifies crackable passwords (share-level security) on Windows 9x.
- Tests password strength on Windows 9x/NT/2k systems using a dictionary of
  commonly used passwords.
- Identifies well-known services (such as www/ftp/telnet/smtp...).
- Provides a list of shares, users (detailed info), services, sessions and
  remote TOD (time of day) from the remote computer (NT/2k).
- Gets registry information.
- Port scanning (including banner grabbing, i.e. application name).
- SNMP device detection; SNMP walk for inspecting network devices like
  routers, network printers...
- Support for sending spoofed messages (social engineering).
- DNS lookup (www.somehost.com -> xxx.xxx.xxx.xxx); resolves hostnames
  (reverse DNS).
- Traceroute support for network mapping.
- Reports are output in HTML.
- LANguard Network Scanner runs on Windows systems (Windows 9x/Me/NT/2k), but
  Windows NT/Windows 2000 is recommended.

<snip>

Best Regards,

Dipl.-Inform. Pierre Kroma
Security Consultant
========================================================

System Security Schreiber (SySS)
Friedrich-Dannenmann-Straße 2
72070 Tübingen
Germany
Voice: ++49 7071-407856-014
Fax: ++49 7071-407856-019
Mobil: ++49 172-7121572
mailto: Kroma () syss de
http://www.syss.de



-----Original Message-----
From: Tom Fischer [mailto:rustomfi () helpdesk rus uni-stuttgart de] On Behalf Of Tom Fischer
Sent: Thursday, 1 November 2001 01:42
To: Ian Lyte
Cc: pen-test () securityfocus com
Subject: Re: Using Null Session information from NAT.EXE


Hi,

On Wed, Oct 31, 2001 at 10:07:10AM +0000, Ian Lyte wrote:
[...]
> The big question is, for me anyway, since NAT.EXE has successfully found
> the Admin password it is obviously managing to connect to the other box
> somehow and get authenticated. How is it that NAT can and I can't? Is this
> due to NAT using its own modified SMBCLIENT and if so where can I get a
> copy of the SMBCLIENT only?

What about the different LAN Manager authentication levels? Nat.exe
uses the cygwin.dll (http://www.cygwin.com/) and not Windows' own LAN
Manager authentication.
So have a look at the authentication level:

Windows NT (Q147706):
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\LMcompatibilityLevel
(REG_DWORD)
Level 0 - Send LM response and NTLM response; never use NTLMv2 session
Level 1 - Use NTLMv2 session security if negotiated
Level 2 - Send NTLM authentication only
... (default 0)

Windows 2000 (see GroupPolicy: LAN Manager Authentication Level)

Alternatively use a linux box and smbclient ... or cygwin or ...

ciao, Tom
--
Tom Fischer                              Tom.Fischer () rus uni-stuttgart de
RUS-CERT University of Stuttgart       Tel:+49 711 685-8076 / -5898 (fax)
Allmandring 30, D-70550 Stuttgart           http://cert.uni-stuttgart.de/
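The registry value and levels Tom refers to, as an added example that is not part of the original thread: a PowerShell audit of the local LAN Manager authentication level, with an optional raise of the setting. It assumes a Windows host with PowerShell and the LSA registry path quoted above; the descriptions of levels 3 to 5 are taken from Microsoft KB Q147706 rather than from the thread, and the function names Get-LmCompatibilityLevel and Set-LmCompatibilityLevel are my own.

```powershell
# Added example, not from the original thread. Audits (and can raise) the
# LAN Manager authentication level on the local machine. Assumptions:
# Windows host with PowerShell, the LSA path cited by Tom Fischer, level
# meanings per Microsoft KB Q147706. Changing the value needs an elevated
# shell and only takes effect after a reboot.

$LsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'LmCompatibilityLevel'

# What each level makes the client send / the server accept (KB Q147706)
$LevelMeaning = @{
    0 = 'Send LM & NTLM responses; never use NTLMv2 session security'
    1 = 'Send LM & NTLM responses; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; server refuses LM'
    5 = 'Send NTLMv2 response only; server refuses LM & NTLM'
}

function Get-LmCompatibilityLevel {
    <# Returns the effective level. An absent value means the OS default:
       0 on NT4/2000 as the thread notes; pass -DefaultLevel 3 for current
       Windows (assumption, not from the thread). #>
    param([ValidateRange(0, 5)][int]$DefaultLevel = 0)

    $item = Get-ItemProperty -Path $LsaPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $level  = $DefaultLevel
        $source = 'default (value absent)'
    } else {
        $level  = [int]$item.$ValueName
        $source = 'explicit registry value'
    }

    [pscustomobject]@{
        Level   = $level
        Source  = $source
        Meaning = $LevelMeaning[$level]
        # Levels 0 and 1 still put an LM response on the wire, which is what
        # a dictionary tool like NAT.EXE can attack offline.
        SendsLm = ($level -le 1)
    }
}

function Set-LmCompatibilityLevel {
    <# Raises the level; refuses to lower it. Use -WhatIf to preview. #>
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateRange(0, 5)][int]$Level)

    $current = Get-LmCompatibilityLevel
    if ($Level -lt $current.Level) {
        throw "Refusing to lower $ValueName from $($current.Level) to $Level"
    }
    if ($PSCmdlet.ShouldProcess("$LsaPath\$ValueName", "set to $Level")) {
        Set-ItemProperty -Path $LsaPath -Name $ValueName -Value $Level -Type DWord
        Write-Warning 'Reboot required before the new level is used.'
    }
}

# Usage: report the current state and flag a level that still sends LM.
$state = Get-LmCompatibilityLevel
$state | Format-List
if ($state.SendsLm) {
    Write-Warning "Level $($state.Level) still sends an LM response; consider raising it."
    # Set-LmCompatibilityLevel -Level 2 -WhatIf   # preview; drop -WhatIf to apply
}
```

Run the audit as an ordinary user first; only the Set- function needs elevation. Comparing the level on the attacking box with the one on the target is the quickest way to explain why one SMB client authenticates and another does not, since a client that only sends NTLMv2 will not satisfy a server that only understands LM, and vice versa.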

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

