
NT Exploits


Harry Bush

Feb 22, 1997, 3:00:00 AM

* From Area: LV.HARDSOFT (LV.HARDSOFT)
* Friday February 21 1997 from Alexander Smishlajev 2:5100/14 to All:

http://www.secnet.com/ntinfo/index.html

=== begin cut ===
---------------------------------------------------------------------------

Good guys announce security weaknesses, the bad guys keep them to
themselves...

This page will attempt to list all known NT Exploits used in hacking NT
security, and application security related to an NT system. If you know of
hacks, security bugs, patches, workarounds, or additional information which
may be relevant to this list, please e-mail me jwil...@secnet.com.

This page was originally created by Bill Stout bill....@hidata.com. He
had some problems with his management and asked that someone else take over
the page. Thanks to Bill for his efforts in creating this resource.

Thanks to the NT security mailing list at ntsec...@iss.net, sister (or
copycat) sites such as http://www.ntshop.net/security/ntis.htm, and
contributors to this list.

If you wish to subscribe to the NT security mailing list, send mail to
request-n...@iss.net and, in the text of your message (not the
subject line), write: subscribe ntsecurity.

Jonathan Wilkins

---------------------------------------------------------------------------

Trojans
  Dlls
  Password Synchronisation DLL
  Rollback.exe
  Renamed Executables

Application Attacks
  MS Office 7.0 FileManager hole
  MS Access 1.0/2.0 SIDs
  MS Word/Excel Macro virus

Passwords
  Guessing/Brute force
  Snooping
  Cracking (decrypting)
  Password caching

Direct access
  Ntfsdos.exe
  Linux ntfs

Other Local Attacks
  Win32K Crash

Denial of Service
  Ping of Death
  SYN Attack
  IIS Crash (GET ../..)
  CPU Attacks (Telnet to port XX)
  Unauthorized File deletion
  SMB Crash (Dir ..\)

Snooping
  Nbtstat
  Scanners
  Sniffing data
  Man in the Middle
  SMB Hijacking
  SMB Downgrade (force clear text passwords)
  SMB 0.12 encrypted handshake intercept
  TCP Sequence Number Prediction

Registry attacks
  Registry open to guest access
  Registry automatic write by .reg files

Webserver attacks
  CGI/Active Server
  Perl & cgi-bin
  IIS Guest access same as Domain User
  IIS .BAT/.CMD
  IIS Dot dot /..\..
  IIS Truncate
  IIS Redirect

Application security bugs
Frontpage 1.1 Default permissions
MS Office 7.0 FileManager hole
Systems Management Server
Microsoft SNA AS/400 shared LU ID
FTP Server Passive connection support

Browsers
Active-X
Java
Javascript
Cookies
COM/OLE

---------------------------------------------------------------------------

Security Checklists - Coming soon

Site Survey - Coming soon

---------------------------------------------------------------------------

Robert Malmgren created a most impressive FAQ at
http://www.it.kth.se/~rom/ntsec.html

Community Connection, the maker of a 128-bit encrypted version of the
Apache webserver called Stronghold, has a NT Hack site at
http://www.c2.net/hackmsoft/.

A comprehensive NT Security book and more info is available from Tom
Sheldon at: http://www.ntresearch.com.

At least three other NT Security books are due someday from Charlie
Rutstein, Trusted Information Systems, and Mark Joseph Edwards/Peter
Cardin/Andy Pozo.

---------------------------------------------------------------------------

Windows, Windows NT, Microsoft, and IIS are trademarks of Microsoft
Corporation.

==== end cut ====

* Crossposted in RU.SECURITY
* Crossposted in RU.OS.CMP
