RE: Null Session information from NAT.EXE

From: Zwan-van-der.Erwin (Erwin.Zwan-van-der@siemens.nl)
Date: Tue May 21 2002 - 08:38:56 EDT


Try some other null session tools first, to get a feel for the system.
Then, if some new info develops, try to exploit that. Did you make a full
port scan already? Do you have a clue about services running on your target?
Of course the goal is set to go for admin. Try to find an exploit and dump
the SAM or sniff something from the wire.

Some other command line tools are:

Enum Windows NT Command line tool to enumerate Windows information using
null sessions. Enum can retrieve user lists, machine lists, share lists,
name lists, group and member lists, password and LSA policy information. Enum
is also capable of a rudimentary brute force dictionary attack on individual
accounts. http://razor.bindview.com/tools/index.shtml

Exporter Windows NT Command line tool for exporting users, groups, group
members, services, computers, shares, disk space, and printers (in any
combination) from any or all computers on any Windows NT/Windows 2000
domain. Includes online .HLP documentation file. Exporter is also
integrated into Hyena. http://www.somarsoft.com

GetAcct Windows NT Command line tool to sidestep "RestrictAnonymous=1" and
acquire account information on Windows NT/2000 machines. Input the IP
address or NetBIOS name of a target computer in the "Remote Computer"
column. Input a number of 1000 or more in the "End of RID" column. The RID
is the user's relative identifier, which the Security Account Manager assigns
when the user is created. Therefore, it is input as 1100 if there are 100
users. Finally push the "Get Account" button. http://www.securityfriday.com
 
NBTEnum Windows NT Command line tool for Windows which can be used to
enumerate one single host or an entire class C subnet. This utility can run
in two modes: query and attack. The main difference between these modes is
that when NBTEnum is running in attack mode it will look for blank passwords
and for passwords that are the same as the username but in lowercase
letters. Changes: Dictionary attack added, now does enumeration of NT
version and Service Pack level, AutoAdminLogon detection, WinVNC encrypted
password extraction, and enumeration of NT services.
http://ntsleuth.0catch.com/. By NTSleuth

NTInfo Windows NT Command line tool to provide a complete overview of a
Windows NT system. This script creates an information file with info on
registry, services, drivers, hardware, nbtstat, arp, winmsd, route, ipconfig
etc. Requires several tools from the Resource Kit to create the overview.
 
UserInfo Windows NT Command line tool that retrieves all available
information about any known user from any NT/Win2k system that you can hit
139 on. Specifically calling the NetUserGetInfo api call at Level 3,
UserInfo returns standard info like SID, Primary group, logon restrictions,
etc., but it also dumps special group information, pw expiration info, pw
age, smartcard requirements, and lots of other stuff. This guy works as a
null user, even if the system has RA set to 1 to specifically deny anonymous
enumeration. http://www.hammerofgod.com/download.htm

IPC$ Cracker Windows NT Command line tool to attempt to crack a user's
password using a dictionary attack by connecting to the IPC$ hidden share on
an NT machine and trying passwords read from a text file.
 
NTCrack Windows NT Command line tool to run password dictionary attacks
using the administrator account to access a Windows share or service.
http://somarsoft.com/ntcrack.htm

 
-----Original Message-----
From: cgreen001@hotmail.com [mailto:cgreen001@hotmail.com]
Sent: Thursday 16 May 2002 23:23
To: pen-test@securityfocus.com
Subject: Q: Null Session information from NAT.EXE

I ran NAT.EXE on a machine and got the following results:
(contents changed)

=======================================================
[*]--- Checking host: xxx.xxx.xxx.xxx
[*]--- Obtaining list of remote NetBIOS names
[*]--- Remote systems name tables:

     ZONEACE
     ZONEWORKGROUP
     ZONEACE
     ZONEACE
     ZONEWORKGROUP

[*]--- Attempting to connect with name: *
[*]--- Unable to connect

[*]--- Attempting to connect with name: ZONEACE
[*]--- CONNECTED with name: ZONEACE
[*]--- Attempting to connect with protocol: MICROSOFT NETWORKS 1.03
[*]--- Server time is xxx
[*]--- Timezone is UTC+9.0
[*]--- Remote server wants us to encrypt, telling it not to
[*]--- Attempting to establish session

[*]--- Obtained server information:

Server=[ZONEACE] User=[] Workgroup=[ZONEWORKGROUP] Domain=[]

[*]--- Obtained listing of shares:

        Sharename Type Comment
        --------- ---- -------
        IPC$ IPC:

[*]--- Attempting to access share: \\ZONEACE\
[*]--- Unable to access

[*]--- Attempting to access share: \\ZONEACE\ADMIN$
[*]--- Unable to access

[*]--- Attempting to access share: \\ZONEACE\C$
[*]--- Unable to access

[*]--- Attempting to access share: \\ZONEACE\D$
[*]--- Unable to access

[*]--- Attempting to access share: \\ZONEACE\ROOT
[*]--- Unable to access

[*]--- Attempting to access share: \\ZONEACE\WINNT$
[*]--- Unable to access

========================================================

It seems that this system is O.K.
What else should I check to test the penetration?
In other words, how could you proceed?

Thank you.

James.
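As an added example (not from either poster), a small Python parser for the NAT.EXE status lines quoted above: it reduces a run to the facts a defender wants to record, whether a null session was established, whether the server let the client decline password encryption, and which shares were listed or reachable anonymously. The sample output is constructed, modelled on the run in the question, and the "unknown" access state is an assumption because NAT's wording for a successful share access is not shown on the page.

```python
import re

# Constructed sample modelled on the NAT.EXE run quoted in the question (abridged).
SAMPLE = r"""
[*]--- CONNECTED with name: ZONEACE
[*]--- Remote server wants us to encrypt, telling it not to
Server=[ZONEACE] User=[] Workgroup=[ZONEWORKGROUP] Domain=[]
[*]--- Obtained listing of shares:
        Sharename Type Comment
        --------- ---- -------
        IPC$ IPC:
[*]--- Attempting to access share: \\ZONEACE\C$
[*]--- Unable to access
"""
TAG = "[*]--- "
SERVER_RE = re.compile(r"Server=\[(.*)\] User=\[(.*)\] Workgroup=\[(.*)\] Domain=\[(.*)\]")

def parse_nat(text):
    """Reduce NAT.EXE status lines to one findings dict for the scanned host."""
    r = {"connected_name": None, "encryption_declined": False, "server_info": {}, "shares": [], "share_access": {}}
    share, in_table = None, False
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if not line.startswith(TAG):  # untagged lines: server info or share table rows
            m = SERVER_RE.fullmatch(line)
            if m:
                r["server_info"] = dict(zip(("server", "user", "workgroup", "domain"), m.groups()))
            elif in_table and not line.startswith(("Sharename", "---")):
                r["shares"].append(line.split()[0])  # first column is the share name
            continue
        msg, in_table = line[len(TAG):], False
        if msg.startswith("CONNECTED with name: "):
            r["connected_name"] = msg.split(": ", 1)[1]
        elif msg.startswith("Remote server wants us to encrypt"):
            r["encryption_declined"] = True  # session went on without password encryption
        elif msg.startswith("Obtained listing of shares"):
            in_table = True
        elif msg.startswith("Attempting to access share: "):
            share = msg.split(": ", 1)[1]
            r["share_access"][share] = "unknown"  # assumption: NAT's success wording is not on the page
        elif msg == "Unable to access" and share:
            r["share_access"][share], share = "denied", None
    return r

def findings(r):
    """Defender's summary of what an anonymous SMB client learned from this host."""
    out = ["null session established with " + r["connected_name"]] if r["server_info"] and r["connected_name"] else []
    if r["encryption_declined"]:
        out.append("server let the client decline password encryption")
    out += ["anonymous share listing: " + s for s in r["shares"]]
    return out + ["accessible share: " + s for s, v in r["share_access"].items() if v != "denied"]
```

Feed the parser a full NAT.EXE capture to get the same summary for a real run; anything other than "denied" in share_access deserves a manual look.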

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:21 EDT