Presentation is loading. Please wait.

Presentation is loading. Please wait.

Windows 2000, Null Sessions and MSRPC • Todd Sabin • BlackHat Windows 2000, Feb. 2001.

Published byEthelbert Lynch Modified over 8 years ago

Similar presentations

Presentation on theme: "Windows 2000, Null Sessions and MSRPC • Todd Sabin • BlackHat Windows 2000, Feb. 2001."— Presentation transcript:

1 Windows 2000, Null Sessions and MSRPC • Todd Sabin • BlackHat Windows 2000, Feb. 2001

2 About Me Todd Sabin- RAZOR Team, Bindview HackerShield vulnerability scanner Discovered NT vulnerabilities  SYSKEY keystream reuse  LPC issues Written various utilities  Pwdump2  Lsadump2  Strace for NT

3 Agenda • Review – Wksta, Srv – LSA – SAM • What’s new in W2K • MSRPC • Countermeasures • Q&A

4 What is a Null Session? • Talking to a machine anonymously? • “Authenticating” without credentials – not the Guest account – NT grants you • NT AUTHORITY\ANONYMOUS • Everyone (unless RA=2) • Used by the SYSTEM account on NT4 • [c:\] net use \\a.b.c.d\ipc$ “” /user:””

5 What do you get • Browser lists - lots of domain info – netviewx • Workstation svc – Transports • Server svc – Shares – Transports • Carvdawg’s null.pl

6 What do you get (cont.) • SAM – Password policy (“User Modals”) – Users – Groups (“Global Groups”) • and members – Aliases (“Local Groups”) • and members – User Info • passwd change date, account flags (disabled, etc), allowed wksta, … – Tool: dumpacl

7 What do you get (cont.) • LSA – Policy info • Domain • Role • Trusts – SID Name mappings • sid2user, user2sid – Walking the SIDs 1000-? • when to stop

8 What about Win2k? • Professional, non DC Servers – More or less = NT4 • Add SMB over TCP 445 • new RestrictAnonymous = 2 option – very tight, but compatibility issues

9 Domain Controllers & Active Directory • Things get complicated • Factors – Pre-Windows 2000 Compatible Access – RestrictAnonymous – Trust relationships – ACLs on Active Directory objects – Presence of multiple DCs

10 Domain Controllers & Active Directory (cont.) • Pre-Windows 2000 Compatible Access – Controls access to SAM calls – LSA still open – May require reboot • RestrictAnonymous=1 – same as NT4 – LSA still open – requires reboot

11 Domain Controllers & Active Directory (cont.) • RestrictAnonymous=2 – Shuts down everything • (no longer have Everyone access) – Backward compatibility problems – requires reboot • Trust relationships – Allowing NT4 domains to trust • Multiple DCs – complicates SID walking

12 More about MSRPC • a.k.a. DCE/RPC • What does the actual work

13 Protocol breakdown - port 139

14 Protocol breakdown - port 445

15 Microsoft (DCE) RPC protseqs • Different transport methods • Primary ones: – ncacn_np (SMB) – ncacn_ip_tcp (TCP) • IP-TCP-MSRPC – ncadg_ip_udp (UDP) • IP-UDP-MSRPC – ncacn_nb_tcp (NBT) • IP-TCP-NBT-MSRPC – ncacn_http (HTTP) – others (ipx, apple talk, etc.)

16 ncacn_http (COM Internet Services) • RPC over port 80 • proxied by IIS not installed by default must be explicitly enabled • lets DCOM (and normal RPC) work through firewalls • somewhat similar to SOAP

17 Endpoint Mapper • Analagous to portmapper on unix • Listens on – TCP 135 – UDP 135 – NBT 135 (SRVNAME ) – SMB “\pipe\epmapper” – HTTP 593 • rpcdump - Lists dynamically registered endpoints • Note: also used for DCOM activation

18 RPC Management Interface • RPC runtime implements • All servers support it • Provides general info about RPC server • rpc_mgmt_inq_if_ids: – returns supported RPC interfaces • Tool: ifids – can be used to identify RPC servers

19 Endpoints and Interfaces

20 What about Null Sessions? • Lsass on W2K Domain Controllers – contains extra RPC servers – listens on: • TCP • UDP • HTTP, if COM Internet Services • can enumerate users, etc. over TCP, UDP, possibly HTTP

21 Countermeasures – Firewalling • Prefer default deny • Block Endpoint mapper – UDP 135, TCP 135 & 593 • Block SMB access – TCP 139 & 445; also UDP 137 & 138 • Block TCP and UDP to RPC range – HKLM\Software\Microsoft\RPC – be careful with DNS • use split DNS • Don’t install COM Internet Services

22 Countermeasures – Configuration • Unbind NetBIOS from TCP/IP • Disable Server service • RestrictAnonymous=1, or 2 • Pre-Windows 2000 Compatible Access – Remove “Everyone”

23 Countermeasures – ACLs • Active Directory - ACLs on objects, properties, etc. • What about non-AD machines? • LSA and SAM object hierarchies – can still set ACLs on objects, but need special tools • Fixpol • Samacl & lsaacl • No reboots required • Downside: ‘invisible’ change somewhat dangerous

24 Summary • Defaults favor attackers • Assess - be sure • Firewall • RestrictAnonymous • Tighten ACLs

25 Questions? • For followup: – http://razor.bindview.com – tsabin@razor.bindview.com

Download ppt "Windows 2000, Null Sessions and MSRPC • Todd Sabin • BlackHat Windows 2000, Feb. 2001."

Similar presentations

Ethical Hacking Module IV Enumeration.

Ethical Hacking Module IV Enumeration.
Managing User, Computer and Group Accounts

Managing User, Computer and Group Accounts
Chapter Five Users, Groups, Profiles, and Policies.

Chapter Five Users, Groups, Profiles, and Policies.
Web Services Darshan R. Kapadia Gregor von Laszewski 1http://grid.rit.edu.

Web Services Darshan R. Kapadia Gregor von Laszewski 1http://grid.rit.edu.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.

Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.
Windows 2003 SP1 Member Server in ASU Active Directory WNUG/CCC February 2, 2006 Sharon Bushart CLAS Information Technology.

Windows 2003 SP1 Member Server in ASU Active Directory WNUG/CCC February 2, 2006 Sharon Bushart CLAS Information Technology.
By Rashid Khan Lesson 4-Preparing to Serve: Understanding Microsoft Networking.

By Rashid Khan Lesson 4-Preparing to Serve: Understanding Microsoft Networking.
Enumeration. Local IP addresses Local IP addresses (review)  Some special IP addresses  localhost 127.0.0.1 (loopback address)  Internal networks 

Enumeration. Local IP addresses Local IP addresses (review)  Some special IP addresses  localhost (loopback address)  Internal networks 
Hussain Ali Department of Computer Engineering KFUPM, Dhahran, Saudi Arabia Microsoft Networking.

Hussain Ali Department of Computer Engineering KFUPM, Dhahran, Saudi Arabia Microsoft Networking.
Windows Assessment Vulnerability Assessment Course.

Windows Assessment Vulnerability Assessment Course.
Understanding Active Directory

Understanding Active Directory
11 SYSTEMS ADMINISTRATION AND TERMINAL SERVICES Chapter 12.

11 SYSTEMS ADMINISTRATION AND TERMINAL SERVICES Chapter 12.
Chapter 7 WORKING WITH GROUPS.

Chapter 7 WORKING WITH GROUPS.
© 2005 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Advanced Samba Administration Part.

© 2005 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Advanced Samba Administration Part.
Hacking Windows 2K, XP. Windows 2K, XP Review: NetBIOS name resolution. SMB - Shared Message Block - uses TCP port 139, and NBT - NetBIOS over TCP/IP.

Hacking Windows 2K, XP. Windows 2K, XP Review: NetBIOS name resolution. SMB - Shared Message Block - uses TCP port 139, and NBT - NetBIOS over TCP/IP.
1 Chapter Overview Understanding the Windows 2000 Networking Architecture Using Microsoft Management Console.

1 Chapter Overview Understanding the Windows 2000 Networking Architecture Using Microsoft Management Console.
Lesson 17. Domains and Active Directory. Objectives At the end of this Presentation, you will be able to:

Lesson 17. Domains and Active Directory. Objectives At the end of this Presentation, you will be able to:
Chapter 8 Hardening Your SQL Server Instance. Hardening  Hardening The process of making your SQL Server Instance more secure  New features Policy based.

Chapter 8 Hardening Your SQL Server Instance. Hardening  Hardening The process of making your SQL Server Instance more secure  New features Policy based.
Samba

Samba

Similar presentations

Ads by Google