Empty connection in Windows NT/2000

Empty connection in Windows NT/2000

Release date:2002-03-28
Abstract:

Date: 2002-03-11
By Joe finamore

Overview

Riddle: "When is it null instead of null? "

Answer: "when it is an empty connection. "

Empty connection is a session established with the server without trust. This article will discuss NT4.0 and windows
The null connection in section 2000 will study the use and weakness of connections and show how to control and eliminate these weaknesses.
Point.

LANMAN session in NT 4.0

Before we start to discuss NULL connections, we need to know what the connection is and have a very good NTLM Verification
In the URL:

Http: // www. [M $]. com/MSJ/defaultframe. asp?
Page =/MSJ/0299/security/security0299.htm
& Nav =/MSJ/0299/newnav.htm

Security/security0299.htm & nav =/MSJ/0299/newnav.htm

Windows NT 4.0 uses the challenge response protocol to recommend a session with a remote machine. This session is a security tunnel.
And the machines that participate in the tunnel can communicate with each other. The order of this event is as follows:

1) The session requestor (customer) transmits a packet to the session receiver (server) and requests the creation of a security tunnel.
Li.

2) The server generates a random 64-digit (Challenge) value and transmits it back to the customer.

3) The customer obtains the 64-digit number generated by the server and disconnects it with the password of the account trying to establish a connection.
Returns to the server (response ).

4) The server receives the response and sends it to the local security authentication (LSA). lsa confirms the identity of the requester by using the user
Confirm the password verification response. If the requester's account is the local account of the server, verify that the local account has occurred. If the request
The account is a domain account, and the response is sent to the domain controller for verification. When the response to the challenge is verified as correct
Generate access tokens and send them to the customer. The customer uses this access token to connect to the resources on the server
The recommended session is terminated.

LANMAN session-Kerberos Authentication in Windows 2000

Windows 2000 uses Kerberos to establish a session "admission ticket". The RFC document for Kerberos V5 can be found below:
Face address:

Http://www.ietf.org/rfc/rfc1510.txt

The sequence of events is as follows:

1) The customer sends a request to the KDC (Key Distribution Center) for a TGT (ticket authorization ticket ).
Contains pre-verification data encrypted using the User Password hashed algorithm.
The timestamp when TGT is not intercepted. KDC runs on the domain controller that acknowledges the admission ticket.

2) KDC extracts user identity hashes from its database and uses it to decrypt pre-verification data.
A very near timestamp, the process continues.

3) The server generates a TGT, which contains other things, such as a session encrypted with a hashed password.
Key, which also contains the security identifier (SID) that identifies the user and the group ).

4) The user uses the hash decryption session key of the user password.

5) The customer uses the admission ticket to access the resources on the server. The customer is verified and a session is established.

Tickets generated in this way include the following unencrypted information:

Domain Name of the Windows 2000 Domain for publishing tickets

Name of the admission ticket ID

The admission ticket also contains the following encrypted information:

Admission Ticket "mark"

Session Encryption key

Domain Name of the user account that contains the published admission ticket

Main name of the user whose admission ticket is published

Session Start Time

Session End Time: When the admission ticket expires, the admission ticket has a limited validity period.

Customer machine address

Verification information that includes the access information permitted by the customer

What is an empty connection?

Now we understand what a connection is, and the authentication information contained in the connection to access resources. We can open it empty.
The secret of connection. An empty connection is a connection established with a server without user authentication. Change
It is an anonymous access to the server. No trusted user name and port are provided when a connection is established.
. The access token ("verification data" on Windows 2000) contains the SID to the user's "S-1-5-7",
The username of "Anonymous Logon". This access token contains the following disguised group:

Everyone

Network

Under the limits of the security policy, this will authorize access to all the information that the above two groups have access.

How to create an empty connection

From a user's point of view, a connection to the server is established or logged in, or any other need to access the server
Server resources. For example, a user named "Bob" wants to access a server named "datastore" for sharing
Some files named "data" have not been verified before. He will release the following command:

Net use * // datastore/Data */User: Bob

He will prompt to enter his password, and the verification method will be removed. If he is verified, he will generate an "Access
The token "or" admission ticket ", which can be used to connect to the desired share.

On the other hand, if an empty connection is allowed and "data" is shared as an "Empty share", simply enter:

Net use * // datastore/Data ""/User :""

This will connect Bob as an anonymous user to "data" sharing, without providing a user name or password... A hacker's
Dream!

Empty connections can also be established in API dialogs using languages such as C ++. For example
Below:

Http://www.securityfocus.com/cgi-bin/vulns-item.pl
? Section = Exploit & amp; id = 494

An empty connection can be used to establish a connection to the "Empty connection named pipe", if the server is configured in this way. A "Pipe
"Is a convenience, which allows processes on a system to communicate with processes on different systems. Empty connection
Usually establish a connection to the sharing, including system sharing such as // servername/IPC $. IPC $ is a special hidden
It allows communication between two processes (internal process Communication) on the same system. IPC $ sharing is performed on the machine.
A sub-interface of the server process, which is also associated with a pipeline, so it can be remotely accessed.

Why do I create an empty connection?

Logically, this question is: "Why does [M $] Provide support for NULL connections? "Touches nt and windows in [M $]
When 2000 is secure, isn't empty connections more or less bypass verification security?

In general, "yes", empty connections tend to damage the underlying security structure of the operating system. However, there are mandatory
The reason for merging them into the [M $] network, the initial purpose of the empty connection is to allow unverified machines to obtain from the server
You can view the list. Remember that nt and Windows 2000 Act as "domains" in the Machine Group, and the domains share the same security.
Boundary machine sets, that is, they share the same user and machine account database, including connections
Password of each other. A user password is usually used to verify a user in the domain. A machine password is usually used to maintain the machine.
And the domain controller. In both cases, passwords are usually between machines/users and domain servers.
Create a trust size.

If all communications are within the domain, empty connections are not required.
Connect to and execute the following tasks:

View a list of servers in different domains

Verify users in different domains

This problem is partially accomplished through the concept of trust relationships between domains. trust relationships are a kind of association between two different domains.
Trust the security integrity of other domains with the consent of one domain. Therefore
Information flow. The password is negotiated when the trust relationship is established. Basically, the trust relationship is a verification between two domains.
System.

The problem is that the trust relationship cannot solve all internal connection problems on a site. For example, first, establish trust
If "domain1" wants to establish a trust relationship with "domain2", it needs to contact the PDC of that domain
Negotiate a password for the security tunnel. To achieve this, it needs to list machines in the domain and determine
Name, there are many methods to find names (subsequently, addresses), including wins, DNS, LmHosts, AD (Activity
Directory. Empty connections make this process easier to implement because it allows very few
Give priority to list machines and resources in the domain.

There are other scenarios that benefit from empty connections. For example, considering administrators on multiple domain sites
Some domains do not have a trust relationship. When an administrator is working, it is often necessary to connect to all domains
Empty connections make it easier to list users, machines, and resources.

In another case, a null connection is required, that is, in the environment where the LmHosts. Sam file uses the "include" label, the package
The sharing point containing the encoded ded file must be installed with a null connection sharing. For this article, you can find it at the following site:
:

Http: // support. [M $]. com/default. aspx?
SCID = KB; en-US; q121281

Some earlier articles were released in, but updated on 1994, they should be commented out.
In the template LmHosts. Sam of NT 4.0 and Windows 2000
Windows 2000 is retained.

It should also be mentioned that there are many sellers advocating the use of their software hollow connections, on these aspects
Some interesting articles are as follows:

Http://www.dcs.ed.ac.uk/home/archives/bugtraq/msg00784.html

This article references a vendor's installation process, which creates an empty connection on the server to execute its tasks,
It can be imagined that the server is dangerous, but the Administrator is not aware of it.

In the last useful example of an empty connection, a service runs under a local "system" account and needs to access
Some resources in the network. This is only possible if the resources can be accessed through an empty connection.
Chapter:

Http: // support. [M $]. com/default. aspx?
SCID = KB; en-US; q124184

For this question, [M $] does not recommend opening a null connection. However, they recommend that you use a specific account to run
Service.

What is the weakness of null connection?

Now we have a better understanding of sessions and empty connections. Which of the following statements is usually displayed?
What are some vulnerabilities? There are several possible causes of security concerns, just as we are unaware that access control
The list (ACL) is a list of a series of ACE (Access Control entries), which controls
. An ace uses Sid to specify a user/group to list the permissions that a user/group is allowed or denied.
The problem with Ace is to authorize the embedded group "everyone". In NT, "everyone" means literally
If the "everyone" group has the right to access a resource through ace, it means that the resource can be accessed.
Sources, such as pipelines or shares, are also open to "everyone", and resources are anonymous to anyone.

What types of things are involved? If you execute an NT4.0 out-of-the-box installation, you will note that
Many things are accessible to "everyone", especially the root of the system disk (usually C:/), a significant
Open to "everyone" is a folder containing repair information:

% SystemRoot %/repair (usually: "C:/winnt/Repair ")

A more sensitive file, such as "Sam. _", has more restrictive security requirements, but most of the files are readable.
For some reason, if the parent folder of a shared point is available, sharing is an empty connection.
It is easy to use for any anonymous intruders. You will also notice that many registered regions are accessible to "everyone"
This makes it possible to connect to the IPC $ share of a server and run the Registry Editor.
(Regedt32.exe) to view and even change some registry values... Convenience from anonymity.

In addition, the weakness exposed through NULL connections is the list of user accounts in the domain. Why is this a problem? Because it moves
This is a barrier that encroaches on half of a domain account. To pretend to be someone else, you need two pieces of information:

User Name

Password

Once you know the user name, it is just a question of guessing or cracking the password. If you duplicate the domain
Name the Administrator account (you must have renamed the Administrator account, right ?) If exposed, then this
The weakness reaches its vertices. Intruders only need to connect to an empty session, and then enumerate users to find
You can. You can find the example code at the following site to complete this task:

Http://www.securityfocus.com/cgi-bin/vulns-item.pl
? Section = Exploit & amp; id = 494

This weakness is a very important part of the famous "red code attack", which is resolved in SP3 of NT4.0.
.

Enumeration of machines or resources in a domain makes it easier for someone to break into the domain.
With the name of the machine, and then list the resource sharing on these machines, this becomes a very simple thing.
Try all the resources until you find that one is open to "everyone. Default System Disk root pair
"Everyone" is open. By default, shared-level security applications are applied to a newly created shared authorization. "Full access"
"Everyone", this problem is obvious.

How to protect against attacks?

The best way to prevent empty connections is to prevent all possible ranges. To do this, the attack is evaluated as
The dumpsec tool lists the shares on the system and provides security constraints for each.
The Registry permission is used to execute other useful security audit tasks. dumpsec can get the following information:

Http://www.systemtools.com/somarsoft/

There is a pair of related registry keys:

HKLM/system/CurrentControlSet/control/LSA
/Restrictanonymous

"HKLM" reference configuration unit "HKEY_LOCAL_MACHINE". If it is set to "1", the anonymous connection is restricted.
Anonymous Users can still connect to IPC $ share, but the "1" value limits anonymity.
The user lists SAM accounts and shares; added "2" in Windows 2000 to restrict all anonymous access unless otherwise specified
Authorization.

Other keys to be checked are:

HKLM/system/CurrentControlSet/services/
LanmanServer/parameters/NullSessionShares

And:

HKLM/system/CurrentControlSet/services/
LanmanServer/parameters/NullSessionPipes

These are the multi_sz (multi-threaded) registration parameters, which list the sharing and pipeline separately, and open the empty connection. For example
If you don't want to open it, make sure there is no sharing or pipeline to open. Also placed securely on these keys for confirmation not easy
Check that only "system" and "Administrators" have access to these keys.

In Windows 2000, where security is protected in security policies, policy settings are managed through the relevant embedded MMC ([M $]
Management Console ). On a domain controller (DC), drop down the "Domain Security Policy" MMC from "Administrative Tools ".
On a non-DC Server, click the "Local Security Policy" MMC panel and you will find an entry:

"Additional restrictions on anonymous connections"

In three possible values:

"None. Dependent on the default permission"

"Enumeration of SAM accounts and sharing is not allowed"

"Access is denied without explicit anonymous permissions"

The last value is the safest, which is equivalent to "2" in the registry value:

HKLM/system/CurrentControlSet/control/
Lsa/restrictanonymous

As discussed above, be sure to test "valid Settings". Other levels of policy settings can affect "valid Settings ".

Other wise steps are to restrict access to the registry. in Windows 2000 and later versions, only
Staff and Backup Operators have the right to access the Registry over the Internet. It is a good idea to check remote access on your server.
The Registry access settings can be completed by verifying the security permissions in the following registration key:

HKLM/system/CurrentControlSet/control/
SecurePipeServers/winreg

When a user attempts to connect to the remote computer's registry, the "server" service on the target machine checks the preceding
(Winreg) key. If the key does not exist, you can connect to the registry of the target machine.
Yes. The ACL on the key is checked. If the ACL is read or written to the user, the user can connect to the Registry. I
Once the user allows remote connection to the registry, the ACL on the separate key takes effect. For example
Security is set to allow "read" Access to "everyone". It is possible to access the Registry through null connection and anonymous "read ".
Is not a good idea! It will make people worried and dangerous, and remove from all registration keys for "everyone"
Remote security, so the best idea is not to allow access unless a specific account or group. There are several values in the "winreg" Key
Also applied. These values are as follows:

HKLM/.../winreg/allowedpaths/Machine

HKLM/.../winreg/allowedpaths/users

These two values are of the multi_sz type. in Windows 2000, there is no "users" value by default.
Which registration keys are open for remote access to machines and users. They can cover the security of the "winreg" key,
The machine may need to access some services such as Directory replication and counterfeit offline printing. There are two articles about this.
Including details about Remote Registry access:

Http: // support. [M $]. com/directory/
Article. asp? Id = KB; en-US; q186433

Http: // support. [M $]. com/directory/
Article. asp? Id = KB; en-US; q153183

This is a good idea. After installing the software on the server, confirm that the installation process has not opened any blank connection sharing.
And pipelines, in fact, before installation on a "real" server, testing on a testing machine is always a good master
Especially if the server is in the DMZ zone or an external LAN. Anonymous access to a public network or semi-public network Machine
It will cause heavy losses.

Remember that an empty connection security token contains two preset groups: "Everyone" and "network". You can
To locate the specific location of the file on the volume, and to protect it by changing the permissions. Of course, these volumes must be NTFS. Division
You do need an empty connection to access resources. Otherwise, use the built-in group "Authenticated Users ".
"Everyone" group. Xcacls or a third-party access control management software can complete this task. However
You must be careful with the operations, especially when using subfolders. When xcacls is used, you must enable the "/E" option
Make sure you are editing the ACL instead of replacing them. Delete the "everyone" group from all locations.
Add the same permissions to the "Authenticated Users" group. In addition, each time you create a share, you must
The "everyone" group is deleted from the ACL and replaced with "Authenticated Users" or an appropriate user or group.

The last step is to set the policy pair:

"Access a computer from a network"

If the "everyone" group has this privilege, remove it from the group and ensure that it is added before removing it from the "everyone" group.
This privilege is assigned to the corresponding users and groups. In NT4.0
", Implemented on a domain controller through" domain user manager. In Windows 2000
Change the policy under "User Privilege assignment" under the Policy Management Unit.

Conclusion

Empty connections are created to facilitate communication between internal platforms, especially at the service level. However, it is possible
Anonymous Users who compromise system security have exposed information. If possible, empty connections are completely eliminated from your system,
If it is not possible for other reasons, take all possible preventive measures to ensure that only the information you want to expose is exposed.
If not, empty connections can provide a convenient portal to access your system, which may cause security risks.