Simple Windows NT 4 Hacks

Windows NT 4 is one of the most popular server operating systems. Despite Microsoft's best efforts, Windows NT 4 has not been rated as C2 secure. Sadly, NT 4 Server is riddled with security flaws, some of which I will try to cover in this document.

In this document I will not cover the denial of service attacks that are possible on NT, but rather ways around the "security" system that is built into NT. First it is worth having some understanding of how the NT security system works. The NT security system is built around the idea of domains. A domain is a collection of groups, which are themselves collections of users; both users and groups can be allocated security privileges. For a domain to exist there must be a Primary Domain Controller (PDC), a computer that maintains the security database for the domain. Additionally it is possible to have Backup Domain Controllers (BDCs); these maintain a copy of the security database and, via various forms of load-sharing code, can also authenticate logon requests.

Therefore the best way to gain access to the passwords is to gain access to either the PDC or a BDC and copy the security database. This could prove problematic, as the database is normally locked open by the OS at boot-up; however, a user with Administrator-level rights can dump the encrypted (hashed) passwords into a file which can then be cracked. The best software for this is L0phtCrack; it is multi-threaded for the speed freaks out there and can make a very good job of cracking the passwords. Passwords can be dumped over a network, providing the required access rights have been granted.

To obtain a password dump, the dumping program (pwdump or pwdump2) could be left in the start-up directory; when the machine is logged onto by an administrator, the password file will be dumped. Another source of NT passwords is the SAM file, located on either the repair disk or the backup directory in the System32 directory. It would also be possible to obtain the required file from a backup. To recover passwords from these files you need samdump.

Other options include testing the passwords for the hidden shares. These are drive letters followed by a $ symbol; they are defaults and can be removed, although most sysadmins will not remove them as they simplify their jobs. It is also possible to attempt a brute forcing of passwords over a network: because the Administrator account cannot be locked out by wrong password guesses (an obvious denial of service otherwise), thousands of attempts may be made. However, a good sysadmin will have configured their NT box to log mistaken password guesses and will then change their password.
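Because the Administrator account cannot be locked out, the logging the author mentions is the only control that catches guessing against it. The following detector is an added example, not code from the original article: it scans a constructed, text-exported security log (the "timestamp,event_id,account,source" layout is an assumption; the real NT event log is binary) and flags any account/source pair with a burst of failed logons. Event 529 is the NT 4 failed-logon event (unknown user name or bad password).

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = "529"  # NT 4 security log: logon failure, unknown user name or bad password

# Constructed sample export (assumed "timestamp,event_id,account,source" layout).
SAMPLE_LOG = """\
1999-03-01 02:00:01,529,Administrator,WS17
1999-03-01 02:00:03,529,Administrator,WS17
1999-03-01 02:00:04,529,Administrator,WS17
1999-03-01 02:00:06,529,Administrator,WS17
1999-03-01 02:00:08,529,Administrator,WS17
1999-03-01 02:00:09,529,Administrator,WS17
1999-03-01 02:00:10,528,Administrator,WS17
1999-03-01 02:15:00,529,jsmith,WS02
1999-03-01 02:15:30,529,jsmith,WS02
1999-03-01 03:00:00,529,Administrator,WS09
"""

def parse_line(line):
    """Split one exported line into (datetime, event_id, account, source)."""
    ts, event_id, account, source = line.split(",", 3)
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event_id, account, source

def find_guessing(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {(account, source): peak_failures} for every account/source pair
    showing at least `threshold` failed logons inside any `window`.
    Ordinary accounts are protected by lockout; Administrator is not, so this
    check is what makes the logging the article mentions actionable."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, source = parse_line(line)
        if event_id == FAILED_LOGON:
            failures[(account, source)].append(ts)
    hits = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):      # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[key] = max(hits.get(key, 0), count)
    return hits

if __name__ == "__main__":
    for (account, source), n in find_guessing(SAMPLE_LOG).items():
        print(f"ALERT: {n} failed logons for {account} from {source} within one minute")
```

On the sample above only the Administrator burst from WS17 trips the default threshold; the two jsmith failures and the lone WS09 attempt do not.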

If you are able to gain physical access to an NT machine, then a program called getadmin can be used. This is able to make any user a member of the Administrators group; even if the system has been patched to prevent this, another program (crash4.exe) can bypass the security. If getadmin is run on a PDC or BDC it will make the named user an Administrator for the whole domain rather than just the NT box it was run on.

There are many other NT exploits. Redbutton allows access to various registry information, including the name of the currently logged-on user and the shares that are available. Winnuke will crash any NT 4 machine, even one with Service Pack 3; preventing it requires a further hotfix.

Burntime