An explanation of NTLM security policy in Windows 2000

Win 2000 now has the Telnet service installed by default, but it does not start by default. You can start the service by using the Start Network Tools service (or by running the Tlntsvr.exe program). On the client click the Start button, select Run from the pop-up menu, and then enter the following command to establish the connection:

Telnet[remote-system][port-number]

This will be displayed on the screen:

Normally, after the service starts, typing the command should be the remote computer loopback login and password information, prompting the user for a username and password. This is true under the Linux network operating system:

Telnet porky.math.ukans.edu

Trying 129.237.128.11 ...

Connected to porky.math.ukans.edu.

Escape character is ' ^] '.

SunOS UNIX (Porky)

Login:wl

Password:xxxxxx

But take a closer look at the above display, there is no opportunity to enter your username and password, directly disconnected, what is the reason for this? This is the result of a authentication method for Telnet in Win2000: Windows NT LAN Manager (NTLM). The early SMB protocol transmits passwords in plaintext on the network, and then the LAN Manager challenge/response authentication mechanism, called LM, is simple enough to be cracked, and Microsoft then presents the WINDOWSNT Challenge/Response verification mechanism, NTLM. There are now updated NTLMV2 and Kerberos authentication systems. The NTLM workflow is like this:

1, the client first encrypts the current user's password locally to become the password hash

2, the client to the server to send their own account number, this account is not encrypted, clear text direct transmission

3, the server produces a 16-bit random number sent to the client, as a Challenge (challenge)

4, the client again encrypted with the password hash to encrypt this challenge, and then return this to the server. As response (response)

5, the server put the user name, to the client's challenge, the client returns response these three things, sends the domain controller

6. The domain controller uses this username to locate the user's password hash in the SAM Password Management Library, and then use this password hash to encrypt the challenge.

7, the domain controller compares two times encrypts the challenge, if the same, then the authentication succeeds.

From the above procedure, we can see that NTLM sends a login request to the Telnet server as the current user, instead of logging in with your own account and password, and obviously your login will fail. For instance, your machine name is a (local machine), you log in the machine named B (remote machine), your account on a is ABC, the password is 1234, your account number on B is XYZ, the password is 5678, when you want to telnet to B, NTLM automatically takes the current user's account number and password as the credentials for the login to do the above 7 actions, that is, with ABC and 1234, and not with you to login account xyz and 5678, and these are automatically completed, do not give you the opportunity to start, so your login operation will fail.

The NTLM authentication option has three values. The default is 2. You can have the following values:

0: Do not use NTLM authentication.

1: Try NTLM authentication first, and if it fails, then use the username and password.

2: Use NTLM authentication only.

When the Telnet server uses one of the 3 options for NTLM, the customer opportunity displays one of the following:

1) authentication option = 0 o'clock

Microsoft (R) Windows (TM) Version 5.00 (Build 2195)

Welcome to Microsoft Telnet Service

Telnet Server Build 5.00.99201.1

Login

Password

NTLM authentication option 0 does not use ntml authentication, enter the username and password directly, for example, you can enter your login account password xyz and 5678.

2) authentication option = 1 o'clock

NTLM authentication failed due to insufficient credentials. Please login withclear text username and password

Microsoft (R) Windows (TM) Version 5.00 (Build 2195)

Welcome to Microsoft Telnet Service

Telnet Server Build 5.00.99201.1

Login

Password

Try NTLM authentication first, and if it fails, then use the username and password, which, in fact, is no different from the previous approach.

3 Authentication option = 2 o'clock, is the phenomenon we first encountered.

Changes to NTLM authentication option values can use Win2000 to provide us with Telnet Server management program Tlntadmn.exe; Win2000 also provides us with Telnet client and server programs: Telnet.exe is the client program ( Client), Tlntsvr.exe is a server program (servers), and Telnet Server management program Tlntadmn.exe. If we do not require NTLM authentication, you can set the following steps:

1, click "Start"-> "Run", type tlntadmn, and then determine

2, select Display in the pop-up option, then choose Change Registry Settings.

3, choose NTLM.

4. Change NTLM value to 0 do not use ntml authentication

5, restart the Telnet server.

You can also use Tlntadmn.exe to configure other default settings for the Telnet service, and you will need to restart the Telnet service after configuration. The following figure:

Allowtrusteddomain: Allow domain users to access. The default value is 1, which allows trusted domain users to access. Can be changed to 0: Domain users are not allowed access (only local users are allowed).

DefaultDomain: You can set any domain that has a trust relationship with this computer. The default value is ".".

Defaultshell: Displays the path location of the shell installation. The default value is:%systemroot%system32cmd.exe/q/k

Maxfailedlogins: Displays the maximum number of unsuccessful attempts to log on before the connection terminates. The default is 3.

Loginscript: Displays the path location of the Telnet server logon script. The default location is "%systemroot%system32login.cmd", and you can change the script content so that the Welcome screen that you log in to Telnet is different.

Telnetport: Displays the port on which the Telnet server listens for Telnet requests. The default is: 23. You can also change to another port.

As a result, NTLM is also an important security policy for Windows 2000, and for intruders, NTLM is a big mountain in front of you, even if you get an administrator account and password, it's not easy to simply pass NTLM. In addition, the Telnet default in Win2000 only NTLM authentication, of course, while, outsmart, as a network administrator, not to say that with NTLM protection, you can rest easy, for the network master or hacker, at all times in the trap system loopholes and administrators negligence, To break through the NTLM lockdown, there are several common ways to do this:

1, change the Telnet server configuration by modifying the remote registry, changing the authentication mode from 2 to 1 or 0;

2, the use of NTLM.exe, upload directly after the operation, Telnet Server can be validated from 2 to 1;

3, in the local establishment of the scanned users, as this user to open Telnet client and remote login;

4, the use of software, such as Opentelnet.exe (requires administrator privileges and open the IPC pipeline)

5, the use of scripts, such as RTCs, (requires administrator privileges but not dependent on the IPC pipeline)

Basically is the above 5 kinds, one of the latter two is our comparison commonly used to open telnet the technique, and the use method is very simple, the order is as follows:

OpenTelnet.exe Server username Password Ntlmauthor telnetport

OpenTelnet.exe Server address Administrator Username Password Authentication Method (fill 0 or 1) Telnet port

cscript rtcs.vbe targetip username password ntlmauthor

cscript rtcs.vbe < target ip> < Admin user name > < password > < validation mode >