Re: Hacked NT/2K box

From: Bronek Kozicki (brok@rubikon.pl)
Date: 07/24/01


Message-ID: <009e01c11444$8af3f520$c503a8c0@waw.getin.pl>
From: "Bronek Kozicki" <brok@rubikon.pl>
To: <lynch00@msn.com>, <keydet89@yahoo.com>, <focus-ms@securityfocus.com>
Subject: Re: Hacked NT/2K box
Date: Tue, 24 Jul 2001 15:28:33 +0200


> Essentially, you are correct in saying that you cannot establish a
> remote console session. But you can with trojan programs. Well, NT

As others pointed out on this list before, there are tools (rcmd, rconsole from
the Resource Kit and more) that allow a remote command prompt. These tools are
more than enough to gain a remote console, if properly installed, and any
buffer overflow in inetinfo.exe will give the necessary privileges.

> has this capability built-in, but there isn't a way to exploit it
> unless you have Terminal Services installed and running.
>
> Also, with XP being released, there would be no reason to say that a
> hacker wouldn't be able to use an XP box for DDoS attacks. Because
> XP will have RAW Sockets, instead of the conventional NT-based W32

Sorry, but it's Gibson-like bullish. You should know already that all the
necessary functionality is in Winsock 2 already - ready to use in Win2K
(and WinNT4 eventually too). Please consult chapter 13 of "Network
Programming for Windows" by Anthony Jones, Jim Ohlund, ISBN 0735605602. And
there are a lot of home, unpatched Win2K "systems" - as we had occasion to
see recently.

> Sockets. But, this wouldn't be an issue if system Admins kept up to
> date with security bulletins and also having a reliable firewall in
> place. Also a good security policy would only help against attacks
> internally.

Agree. But there is a big difference between a corporate server & a home computer.
What you wrote here clearly applies only to the former. What you wrote
before (about trojaned software and XP) apparently applies to the home computer.
What are we talking about, then?

Regards

B.