RE: Hacked NT/2K box
From: Chris Lynch, MCSE CCNAv2 (lynch00@msn.com)
Date: 07/23/01
- Previous message: Donna MacLeod: "RE: Win2k Pre-SP3 Security Fixes, and other questions"
- In reply to: H Carvey: "Hacked NT/2K box"
- Next in thread: Thor@HammerofGod.com: "Re: Hacked NT/2K box"
- Next in thread: H C: "RE: Hacked NT/2K box"
- Reply: Thor@HammerofGod.com: "Re: Hacked NT/2K box"
- Reply: H C: "RE: Hacked NT/2K box"
- Reply: Bronek Kozicki: "Re: Hacked NT/2K box"
From: "Chris Lynch, MCSE CCNAv2" <lynch00@msn.com>
To: <keydet89@yahoo.com>, <focus-ms@securityfocus.com>
Subject: RE: Hacked NT/2K box
Date: Mon, 23 Jul 2001 10:21:35 -0700
Message-ID: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAdIbHQDj1HEy4d8LgvrQfS8KAAAAQAAAABCkhOl3S/0WDYiZ2yk4J9gEAAAAA@msn.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Of course you can hack into an NT box like a Linux/UNIX box. I can
generate code that will cause a buffer overrun and will allow me root-like
access (local/domain admin). I can then remotely install
BackOrifice or some other trojan program.
Essentially, you are correct in saying that you cannot establish a
remote console session. But you can with trojan programs. Well, NT
has this capability built-in, but there isn't a way to exploit it
unless you have Terminal Services installed and running.
Also, with XP being released, there would be no reason to say that a
hacker wouldn't be able to use an XP box for DDoS attacks, because
XP will have raw sockets instead of the conventional NT-based W32
sockets. But this wouldn't be an issue if system admins kept up to
date with security bulletins and also had a reliable firewall in
place. Also, a good security policy would only help against attacks
internally.
Chris Lynch, MCSE CCNAv2
Professional Services Consultant
Allied Riser Communications
(213) 628-9070 ext 232
(213) 628-9074 Fax
(213) 713-3125 Cell
clynch@arcmail.com
-----Original Message-----
From: keydet89@yahoo.com [mailto:keydet89@yahoo.com]
Sent: Monday, July 23, 2001 4:15 AM
To: focus-ms@securityfocus.com
Subject: Hacked NT/2K box
When I was at BlackHat and DefCon recently, I was
having discussions with some folks regarding an
article I'd written on NT incident response. I'd
written the article along the same lines as a
Linux or Solaris incident response procedure, but
with NT in mind.
The discussion centered around this...having your
hands on an NT or 2K box that was 'hacked' in much
the same way as a Linux or Solaris box. I wasn't
able to find anyone who has seen such a thing. I
work on an all-NT infrastructure, with 2K systems
providing web hosting in the data center. Many
others have similar infrastructures.
When a Linux box is 'hacked' (generally speaking,
of course), the attacker puts on a rootkit and
uses that box to step off an attack on other systems.
This isn't something you see with NT. The
'sadmind/IIS' (poisonbox) worm is another good
example.
So, my question to the group is this...has anyone
seen a 'hacked' NT or 2K box? If so, what did you
find out about it? What technique did the attacker
use? How did they establish a foothold on the box,
what tools did they load, and what did they do
from there? I've already read through JD Glaser's
BlackHat presentation from '99.
It's been said that NT boxes are easy to hack b/c
of vulnerabilities to services, but not easy to
hack b/c you can't 'get on the box' the same way
you can with Linux or Solaris.
Input is appreciated.
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
iQA/AwUBO1xdHX/JJT1WDJfQEQJ9RwCaAngAfOjbsz5fXdPU548bYCNHlF4AoM40
7F0sNly65ob5C2C3DqHTsKgj
=G7Cg
-----END PGP SIGNATURE-----