Windows NT Security Holes

1
Windows NT Security Holes

• Windows NT is getting more popular. More
  and more companies use NT as their platform of
  the Internet.They also use NT as the platform of
  Intranet solution.Today we will discusses the
  most serious security holes of Windows NT
  operation system.

2
Two Parts

• 1.The first part is about security holes existing
  in NT server and workstation
• 2. the second part talks about two security holes
  existing in browser and NT machine.
  
  

3
Part 1.Hole 1. How to get Administrator

• Step 1. Rename c\winnt\system32\logon.scr to
  
• logon.old
• Step 2. Rename usrmgr.exe to logon.scr
• Step 3. Restart your NT machine
• Because logon.scr is existed in NT Startup
  Utility.It will be executed when Windows NT
  restart.And you will not be required to input
  your password.Usrmgr.exe can be executed,then you
  can join Administrator group.

4
Part 1.Hole 2.The second way to get
Administrator right

• Reinstall Windows NT operating system,
• The new operating system will cover the old
  operating system.Then you can config new system
  at your pleasure so that get Administrator right.
• The situation will happen when somebody come in
  your Sever Center Room unlawful.

5
Part 1.Hole 3. How to get Password

• In Windows NT workstation,anybody can use some
  special tools to read ADMINST.PWD
• (ADMINST.PWD is a encrpytion file)
• In Windows9X.X Client,anybody can use some
  special tools to read ADMINST.PWL (ADMINST.PWL
  is a encrpytion file)
• After you get password,you can get the right
  of Default Manager, especially it is easy to get
  in Windows9X.X Client.

6
Part 1.Hole 4. Remote access Registry

• In Windows 9X.X Client and the source which can
  be shared by system manager, you can run
  REGEDIT.EXE,then you can access NT Sever
  alternately and remotely.
• Because Registrys default setting allow anybody
  create and full control it. So somebody can
  delete and change Registry.

7
Part 1.Hole 5.Anybody can access a resource in
NT Domain

• In command mode,anybody just enter
• ..\\IPaddress\C OR
• ..\\IPaddress\D OR
• ..\\IPaddress\WINNT
• then you can contact any shared resource in
  Windows NT Domain.

8
Part 1.Hole 6.How to kill a NT machine

• You can use Ping command to kill a NT
  machine.NT cant accept a large ICMP
• (Internet Control Messages Protocol) Package.If
  a Package is 64K,NTs TCP/IP Stack will not work
  good and System will work offline until
  restart.So system will refuse some service.
• Try this command,see what happen
• ping -l 65524 host.domain.com

9
Part 2.Hole 1.Browsers Hole

• There is a hole about all of browsers in NT
  Win9X.X.When you want to view a HTML page,your
  browser will look for the page in your local
  drive at first-time.If your NT machine just is a
  SMB Sever,it will send username and password
  automatically.
• But you will never know what happen.
• SMB is Service Message Block

10
Security Countermeasures.

• Authenticating Users
• Resource Access Control
• Block unwanted TCP/IP Ports
• Auditing and logging
• Firewalls
• Packet filters
• Physical isolation
• Etc,.

11
Thank you

• Author BoYong Jiang
• Student ID 103016
• Date 06/03/2000