
NT Security tips

Forwarded from comp.risks newsgroup


Summary of recent attacks that have become more widely known.

These attacks have been discussed on the NT Security mailing list, but
knowledge of them has not spread widely outside the security mailing list
circle: NT CPU Port Attacks, NT DNS Denial Attack, NT Trojan Password DLL.

* NT CPU Port Attacks

On NT 3.51 and NT 4.0, there are open TCP ports where, if an attacker
connects, types in some random characters, and drops the connection, the
CPU on the machine goes to 100% usage.

For example, connect to TCP port 135 (RPC server), type in
"thiswilldoacpuattack" and disconnect.  Then check the CPU usage.  The
CPU will be at 100% usage and the machine will be noticeably slower.  It
is possible to kill and restart the rpcss process to stop the CPU usage.

DNS (TCP port 53, and also 65589) is susceptible to this attack as well.
Truncated to 16 bits, port 65589 is port 53: 65589 = 0x10035, 53 = 0x35.


NT 4.0 has a port filtering capability that blocks all TCP ports except
the critical ones you need.  You may want to enable that.

There is a hotfix available on 

There is a DNS beta that fixes the random-character port attack.
It is available via ftp from rhino.microsoft.com, log on as DNSBeta with
a password of DNSBeta. In the /service_pack3/x86 directory there is a
file called DNS.EXE dated 1/26/97.

* NT DNS Denial Attack

If an attacker spoofs a response to a query that the DNS server never
made, the DNS service terminates.  There is an advisory on this available at


Currently, Microsoft is working on a solution.

* NT Trojan Password DLL 

On NT 4.0 and 3.51, there are entries in the registry that point to a DLL
that does not exist, which lets an attacker put their own DLL in its place.
One such DLL captures all password changes into a file, so an attacker can
obtain any password that gets changed on that machine.  From the attacker's
point of view, placing the DLL on a domain controller, where most password
changes take place, would yield the greatest amount of password information.

More information, with source code for the password changer DLL, is
available at: ftp://ftp.iss.net/pub/lists/ntsecurity-digest.archive/v02.n114
or in Knowledge Base article http://www.microsoft.com/kb/articles/q151/0/82.htm


The defense against this type of Trojan attack is to protect access to
your registry fiercely.  A routine part of your security maintenance checks
should be to take a close look at this registry key:

          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Lsa\Notification Packages 

Make sure that it does not contain any strange entries. NT 4.0 ships
with a single entry to this registry key:


If anything else is in this registry entry, find out what it is and whether
it is needed.  If you are not sure, remove the errant entry immediately.  NetWare
requires the DLL, so if you have already installed the NetWare DLL, it should
have been installed as writable by administrators only.  If you do not have the
NetWare DLL installed, make sure the registry entry is blank.
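As an added example of the check recommended above (this is not code from the original post), the script below parses the Notification Packages value out of a regedit export and rates each entry against an allowlist and the DLLs actually present in system32, so a dangling or unexpected entry stands out. It uses the key's full path, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa (the path quoted above omits the Control component); the DLL names in the sample export are constructed.

```python
"""Audit the LSA 'Notification Packages' value for planted password-filter DLLs.

Added example, not code from the original post.  Parses the value out of a regedit
export (REGEDIT4 as NT 4.0 writes it, or the later Version 5.00 format) and rates
each entry: 'ok' (allowlisted, DLL present), 'unexpected' (not allowlisted), or
'dangling' (no such DLL in system32: the hole the post describes, since whoever
can write that file supplies the code LSA loads at the next password change).
"""
KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
VALUE = "Notification Packages"

def parse_notification_packages(reg_export):
    """Return the REG_MULTI_SZ strings of 'Notification Packages' from a .reg export."""
    utf16 = reg_export.startswith("Windows Registry Editor Version 5")
    in_key, collecting, hex_text = False, False, ""
    for line in reg_export.splitlines():
        if line.startswith("["):
            in_key = line.strip().lower() == f"[{KEY}]".lower()
        elif collecting:  # continuation line of a hex(7) value broken with '\'
            hex_text += line.strip()
            collecting = hex_text.endswith("\\")
        elif in_key and line.startswith(f'"{VALUE}"=hex(7):'):
            hex_text = line.split(":", 1)[1].strip()
            collecting = hex_text.endswith("\\")
    raw = bytes(int(b, 16) for b in hex_text.replace("\\", "").split(",") if b)
    text = raw.decode("utf-16-le" if utf16 else "latin-1")  # REGEDIT4 stores ANSI
    return [s for s in text.split("\0") if s]

def audit(entries, allowlist, system32_files):
    """Classify each entry; LSA loads '<entry>.dll' from system32."""
    present = {f.lower() for f in system32_files}
    allowed = {a.lower() for a in allowlist}
    findings = {}
    for entry in entries:
        base = entry.lower().removesuffix(".dll")
        if base + ".dll" not in present:
            findings[entry] = "dangling"
        else:
            findings[entry] = "ok" if base in allowed else "unexpected"
    return findings

# Constructed REGEDIT4 export: 'nwpwsync' stands in for the NetWare DLL the
# administrator installed on purpose; 'pwnotify' is an entry nobody added.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):6e,77,70,77,73,79,6e,63,00,70,77,\
  6e,6f,74,69,66,79,00,00
"""
```

Run `audit(parse_notification_packages(export), allowlist, set(os.listdir(system32)))` against an export taken with `regedit /e` on the machine being checked; anything rated 'unexpected' or 'dangling' needs an explanation.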


Thanks to the posters of the NT Security Mailing list where almost all of
this information was derived.  To subscribe, send e-mail to majordomo@iss.net
and within the body of the message, type: "subscribe ntsecurity".

Christopher William Klaus, Internet Security Systems, Inc., 41 Perimeter
Center #660, East,Atlanta,GA 30346  http://www.iss.net/  (770)395-0150

Last modified:
September 2010