Up until now all the crap I’ve written has been pointless drivel. Hopefully, I can begin to write something halfway informative and spread some of my disinformation around. Consider this paper a King Menace Security Advisory, illustrating how very insecure a Micro$oft IT environment is.
How To ‘OWN’ Your IT Department

This article is aimed at Helpdesk newbies who want to have fun with the Bastard Operators From Hell that love to torment them. The methods explained below are to be used as defense tactics.
If you are a lowly Helpdesk peon then you know how it feels to have some NT ‘Dickhead’ Administrator fuck around with you. Usually, NT Admins think that they are God’s gift to networking.
More often than not they regard the Helpdesk as brainless morons and forget that they were there themselves once (probably six months ago). God forbid they give someone in the Helpdesk Account Operator or the Holy Grail of NT accounts…
If the NT Admins at your company are worth their salt then they have convinced your IT Manager that the Helpdesk is not to be trusted with any access higher than PRINT OPERATOR. They have probably accomplished this by telling him or her that some systems were compromised, or a server went down. They don’t have event logs, but they are positive it was the Helpdesk. Those Helpdesk morons. They can hardly turn on a PC. We can’t give them ACCOUNT OPERATOR. They’ll fuck up every account on the domain.
Most, if not all, Helpdesks have suffered from this scenario. If yours hasn’t then chances are it will. So I am going to give you some tips to help protect you from these unscrupulous NT bastards. Also, do yourself a favor. Do you want to be an Administrator? Go the UNIX route.
First, you have to secure your workstation. NT is preferred because it has a modest amount of security compared to Win9x, which has none worth the name. Assuming your system is NT, make sure the file system is NTFS; if it is FAT, convert it (FAT has no file permissions at all). Remove “Domain Admins” from your local Administrators group. This stops them from walking in through your administrative shares (c$, admin$) and from pointing remote administration tools at your box, but understand that it is a speed bump, not a wall: a Domain Admin can put the group back by policy or by other means, so check the group regularly. Next, stop and disable every service that is not needed to connect to the network. This means McAfee services, NetWare gateway services, and especially any remote administration services. If you can get away with it, the best thing to do is build a system from scratch and load NT yourself. Remove the A: drive from the BIOS boot order and put a password on your PC’s BIOS; this is the one step that defends against the boot-floppy attack described in the second half of this article, because all of NT’s file security evaporates the moment someone boots something other than NT. Add your domain account to your workstation’s local Administrators group. RENAME YOUR LOCAL ADMIN ACCOUNT AND CHANGE THE PASSWORD. Renaming does not change the account’s SID (it is still the one ending in -500), so the rename only slows down a casual attacker; the new password is what actually protects you.
If your company is large enough then all the workstations are built from a standard image, which means your workstation is a clone of a master. Unfortunately, this also means that your computer’s Security Identifier (SID) is exactly the same as everyone else’s, and, unless somebody changed it, so is your local Administrator password. Anyone who makes an Emergency Repair Disk with RDISK on his or her own clone is holding a SAM whose account SIDs are valid on your machine too; the repair process cannot tell the two PCs apart, so the disk can be used to get into your PC. To prevent this, install NT from scratch, or change the SID with NewSID from Sysinternals. Either way, change the local Administrator password as well.
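The workstation steps above, as an added example written for this edit rather than code from the original article. It audits a domain-joined Windows box against each step and, with -Enforce, applies the ones that can be scripted. Assumptions that are not from the article: the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and later; on NT 4 the same things are done in User Manager and with ‘net user’), and the placeholder domain ‘CORP’, account ‘CORP\helpdesk1’, new administrator name ‘wsowner’ and service list, which you change to your own.

```powershell
<#
  Added example, not code from the original article: audit (and with -Enforce, apply)
  the workstation hardening steps on a domain-joined Windows box.
  Assumptions not from the article: the Microsoft.PowerShell.LocalAccounts cmdlets
  (Windows 10 / Server 2016+), and the placeholder domain, account, admin name and
  service list below. Run from an elevated PowerShell.
#>
param(
    [string]$Domain       = 'CORP',                    # placeholder
    [string]$MyAccount    = 'CORP\helpdesk1',          # placeholder: your own domain account
    [string]$NewAdminName = 'wsowner',                 # placeholder: new name for the built-in admin
    [string[]]$UnneededServices = @('RemoteRegistry', 'WinRM'),   # placeholder list
    [switch]$Enforce
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. NTFS. FAT has no ACLs at all, so nothing else matters until this is fixed.
$disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
if ($disk.FileSystem -ne 'NTFS') {
    $findings.Add("System drive is $($disk.FileSystem), not NTFS: run 'convert $env:SystemDrive /fs:ntfs' and reboot")
}

# 2. Local Administrators: Domain Admins out, your own account in.
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
$domainAdmins = "$Domain\Domain Admins"
if ($admins -contains $domainAdmins) {
    $findings.Add("$domainAdmins is in the local Administrators group")
    if ($Enforce) { net localgroup Administrators $domainAdmins /delete | Out-Null }
}
if ($admins -notcontains $MyAccount) {
    $findings.Add("$MyAccount is not a local Administrator")
    if ($Enforce) { net localgroup Administrators $MyAccount /add | Out-Null }
}

# 3. Services not needed to get on the network: stop them and keep them stopped.
foreach ($name in $UnneededServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { continue }
    if ($svc.Status -eq 'Running' -or $svc.StartType -ne 'Disabled') {
        $findings.Add("Service $name is $($svc.Status), start type $($svc.StartType)")
        if ($Enforce) {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $name -StartupType Disabled
        }
    }
}

# 4. The built-in Administrator. Find it by RID 500, not by name: renaming does not change
#    its SID, which is exactly why a rename alone buys you very little.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin.Name -eq 'Administrator') {
    $findings.Add('Built-in Administrator (RID 500) still has its default name')
    if ($Enforce) {
        Rename-LocalUser -Name $builtin.Name -NewName $NewAdminName
        Set-LocalUser    -Name $NewAdminName -Password (Read-Host -AsSecureString "New password for $NewAdminName")
    }
}

# 5. Machine SID, for the cloned-image check. Every local account's SID is <machine SID>-<RID>,
#    so the domain part of the RID-500 account's SID is the machine SID. Compare it with a colleague's PC.
$machineSid = $builtin.SID.AccountDomainSid.Value
Write-Host "Machine SID: $machineSid  (the same value on another PC means you share an image: NewSID or reinstall)"

# 6. BIOS password and boot order cannot be set from here; do those at the keyboard.
if ($findings.Count -eq 0) { Write-Host 'No findings.' }
else { $findings | ForEach-Object { Write-Host "FINDING: $_" } }
```

Run it without -Enforce first and read the findings; the only interactive step is the password prompt for the renamed built-in account. Note that step 2 only reports what the group looks like right now, which is why the check is worth repeating rather than running once.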
Now that we have secured our workstation as much as possible let’s take a look at some administration tools. In order to beat the NT Admins at their own game, we need to be able to view all account info on the domain. But I only have DOMAIN USER rights you say. Big Deal.
With an ingenious tool called Hyena we can view the same account info that a Domain Admin can! This is not a hole in Hyena; NT lets any authenticated domain user enumerate the domain’s users and groups, and Hyena simply asks the domain controller for them, the same thing “net user /domain” and “net group "Domain Admins" /domain” do from a command prompt, only prettier. We can see who’s in the Domain Admins group and who’s in the Account Operators group. We can see what groups an account is a member of and when its password was last changed. More importantly, we can see what groups our own domain account is a member of. We can also check whether the NT Admins are enforcing a roaming profile or pushing a login script at us.
Hyena is a very valuable tool. When used properly you can catch an NT Admin in a lie and take a screenshot for evidence. For example, let’s say that the NT Admins tell your boss that they have just cut your Account Op status because a new policy says that only “Official NT Administrators” are allowed this. A week goes by and you fire up your trusty copy of Hyena with your weak DOMAIN USER access and you decide to see who is in the Account Op group.
Wait! It looks like Fubar Aknod in the programming dept. has Account Operator! Those bastards! Screenshot time! This is when it helps to have a company-approved copy of Hyena. Uh Boss, didn’t the NT group say that they are the only department allowed Account Op? Well, according to one of the users (just say it was an anonymous Helpdesk call), Fubar Aknod has Account Op and he is only a contractor.
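The same group check done from PowerShell, as an added example written for this edit and not code from the original article or from Hyena. It pulls a domain group’s members, writes a dated snapshot with a SHA-256 recorded beside it, and diffs two snapshots so that “who got added since the new policy” is a one-liner instead of a screenshot. Assumptions not from the article: it uses the WinNT ADSI provider built into Windows because that talks to the domain controller the way User Manager and Hyena do (so it also works against an NT 4 domain); whether a plain domain user is allowed to enumerate depends on the domain’s settings, and NT’s default allows it; the domain ‘CORP’ and the group names are placeholders.

```powershell
<#
  Added example, not code from the original article: enumerate domain groups the way Hyena does,
  keep dated snapshots, and diff them. Assumptions not from the article: the WinNT ADSI provider,
  and the placeholder domain and group names below.
#>

function Get-DomainGroupMember {
    param([string]$Domain, [string]$Group)
    $grp = [ADSI]"WinNT://$Domain/$Group,group"
    # Members come back as COM objects; pull each one's ADsPath and strip the provider prefix.
    $grp.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', ''
    }
}

function Save-GroupSnapshot {
    param(
        [string]$Domain,
        [string[]]$Groups = @('Domain Admins', 'Account Operators', 'Server Operators'),
        [string]$OutDir   = (Join-Path $env:USERPROFILE 'group-snapshots')
    )
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    $file = Join-Path $OutDir ("groups-{0:yyyyMMdd-HHmmss}.txt" -f (Get-Date))
    $lines = foreach ($g in $Groups) {
        "== $Domain\$g =="
        Get-DomainGroupMember -Domain $Domain -Group $g | Sort-Object
        ''
    }
    Set-Content -Path $file -Value $lines
    # Record the file's SHA-256 so a copy shown to the boss later can be matched to the original.
    $hash = (Get-FileHash -Algorithm SHA256 -Path $file).Hash
    Add-Content -Path (Join-Path $OutDir 'SHA256SUMS') -Value "$hash  $(Split-Path -Leaf $file)"
    return $file
}

function Compare-GroupSnapshot {
    # Lines only in $New were added since $Old; lines only in $Old were removed.
    param([string]$Old, [string]$New)
    Compare-Object -ReferenceObject (Get-Content $Old) -DifferenceObject (Get-Content $New) |
        ForEach-Object {
            $what = if ($_.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
            "$what $($_.InputObject)"
        }
}

# Usage: take a snapshot the day the "only official NT Administrators" policy is announced,
# another a week later, and diff them.
# $a = Save-GroupSnapshot -Domain 'CORP'
# ... a week later ...
# $b = Save-GroupSnapshot -Domain 'CORP'
# Compare-GroupSnapshot -Old $a -New $b
```

The WinNT provider returns direct members only, so a nested group shows up as a group entry rather than being expanded; on an Active Directory domain with the RSAT tools installed, Get-ADGroupMember -Recursive gives the flattened view. Like the Hyena screenshot, the snapshot is only worth something if the tool and the practice are company-approved.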
Now for the offensive tactics… These methods are not recommended and are explained for informational purposes only. Understand that the use of these tactics will most likely get you fired, or worse… arrested. I take no responsibility for the information below.
To truly ‘OWN’ your IT department you need power and you need information. To accomplish this you need passwords. This is easy enough in the day and age of Windows shops. Unfortunately, most IT personnel are fooled into thinking that their NT Workstation is safe and secure because their box is protected with NTFS, mandatory policies, and event logging. If someone tries to log onto my system I’ll know about it. HA HA HA. Yeah Right.
One of the most powerful tools in your arsenal is NTFSDOS. Simply put, NTFSDOS mounts NTFS partitions from MS-DOS, completely bypassing any and all NTFS security measures! No joke. It is less a hole in NTFS than a fact of life: file permissions are enforced by the running NT kernel, not by the disk, so once somebody boots DOS from a floppy the ACLs mean nothing. It works against every NT product, including Win2k. By mounting the NT boot drive you can copy the SAM (Security Account Manager) file, which NT keeps locked while it is running and which holds the password hashes (LM and NT) of the machine’s local accounts. Want Domain Admin rights? Copy the SAM from a Domain Admin’s workstation. Know what you are getting, though: a workstation’s SAM holds only the LOCAL accounts, so the admin’s domain password is in there only if he used the same password for a local account. The cached domain logons that let him log in with the network cable unplugged live in the SECURITY hive next door, in a different, salted format. The SAM file is located in “%systemroot%\system32\config”. On Win2k, and on NT 4 with SYSKEY turned on, the hashes inside it are encrypted again with a key derived from the SYSTEM hive in the same directory, so copy that file as well. Either way the file holds hashes, not passwords, so we must crack them. This leads us to our next tool…
L0phtCrack is one of the most prolific security tools ever developed. The egg is still on Micro$oft’s face from this one. L0phtCrack is capable of cracking every password on an NT Domain in about 20 minutes. The reason is not magic; it is the LM hash that NT stores next to the NT hash for backward compatibility: the password is uppercased, cut or padded to 14 characters, split into two independent 7-character halves, and each half is used as a DES key to encrypt a constant. No salt, no case, and two 7-character problems instead of one 14-character one, so the halves fall to a dictionary or brute-force run in minutes. The NT hash (MD4 of the Unicode password) is case-sensitive and is not split, so it takes longer, but it is unsalted too. It’s pretty cool! L0phtCrack does have a legitimate use though. NT Admins can use L0phtCrack to determine whether the company’s password policies are any good. Most Admins don’t, because they are too stupid to enact proactive security measures.
Anyway, after we copy the SAM file (and SYSTEM, if SYSKEY is on) to a floppy disk we open it up with L0phtCrack and voila! Passwords! Some are harder to crack than others, but usually you can get them pretty fast. NTFSDOS and L0phtCrack are very powerful programs. If you copy the SAM file from an NT 4 Domain Controller and crack it then you have every account on the domain, because on NT 4 the domain’s accounts live in the DC’s SAM. That is NT 4 only: a Windows 2000 domain controller keeps its accounts in Active Directory (ntds.dit), not in the SAM.
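Why the LM half of the SAM falls so quickly, shown by building an LM hash the way NT does. This is an added example written for this edit, not code from the original article, from NTFSDOS or from L0phtCrack. Assumptions not from the article: it uses .NET’s System.Security.Cryptography.DES (present in Windows PowerShell 5.1 and PowerShell 7) and handles ASCII passwords only (NT upper-cases through the OEM code page, which this skips). The one edge it must handle is an all-zero half, which .NET refuses as a weak DES key: that half is the well-known constant AAD3B435B51404EE, and seeing it tells a cracker the password is 7 characters or shorter before any cracking starts.

```powershell
<#
  Added example, not code from the original article: build an LM hash the way NT does.
  Assumptions not from the article: .NET's System.Security.Cryptography.DES and ASCII passwords.
#>

$LmMagic = [System.Text.Encoding]::ASCII.GetBytes('KGS!@#$%')   # the constant every LM half encrypts

function ConvertTo-DesKey {
    # Spread 7 key bytes across 8 bytes, 7 bits per byte; the low bit is DES parity and is ignored.
    param([byte[]]$Seven)
    $k = New-Object byte[] 8
    $k[0] =  $Seven[0] -shr 1
    $k[1] = (($Seven[0] -band 0x01) -shl 6) -bor ($Seven[1] -shr 2)
    $k[2] = (($Seven[1] -band 0x03) -shl 5) -bor ($Seven[2] -shr 3)
    $k[3] = (($Seven[2] -band 0x07) -shl 4) -bor ($Seven[3] -shr 4)
    $k[4] = (($Seven[3] -band 0x0F) -shl 3) -bor ($Seven[4] -shr 5)
    $k[5] = (($Seven[4] -band 0x1F) -shl 2) -bor ($Seven[5] -shr 6)
    $k[6] = (($Seven[5] -band 0x3F) -shl 1) -bor ($Seven[6] -shr 7)
    $k[7] =  $Seven[6] -band 0x7F
    for ($i = 0; $i -lt 8; $i++) { $k[$i] = [byte](($k[$i] -shl 1) -band 0xFE) }
    return ,$k
}

function Get-LmHalf {
    param([byte[]]$Seven)
    # An all-zero half means the password had no characters there (shorter than 8, or empty).
    # .NET refuses the resulting all-zero DES key as "weak", so return the well-known value of
    # DES with a zero key over 'KGS!@#$%'. Crackers spot this constant instantly.
    if (@($Seven | Where-Object { $_ -ne 0 }).Count -eq 0) { return 'AAD3B435B51404EE' }
    $des = [System.Security.Cryptography.DES]::Create()
    $des.Mode    = [System.Security.Cryptography.CipherMode]::ECB
    $des.Padding = [System.Security.Cryptography.PaddingMode]::None
    $enc = $des.CreateEncryptor((ConvertTo-DesKey $Seven), (New-Object byte[] 8))
    $out = $enc.TransformFinalBlock($LmMagic, 0, $LmMagic.Length)
    return (($out | ForEach-Object { $_.ToString('X2') }) -join '')
}

function Get-LmHash {
    param([string]$Password)
    # Upper-case, cut at 14, zero-pad to 14, split into two independent 7-byte halves.
    $p = $Password.ToUpperInvariant()
    if ($p.Length -gt 14) { $p = $p.Substring(0, 14) }
    $bytes = New-Object byte[] 14
    [System.Text.Encoding]::ASCII.GetBytes($p).CopyTo($bytes, 0)
    return (Get-LmHalf $bytes[0..6]) + (Get-LmHalf $bytes[7..13])
}

# Three calls that show the weakness: case is thrown away (the first two hashes are identical),
# a long password is really two short ones, and anything under 8 characters announces itself
# with the zero-key constant in its second half.
Get-LmHash 'password'
Get-LmHash 'PaSsWoRd'
Get-LmHash 'short1'
```

Because each half is independent and unsalted, a cracker builds one table of DES('KGS!@#$%') under every 7-character upper-case key and looks both halves up; the first half of a 14-character password is no harder than a 7-character one. That, and the absence of any salt, is the whole of the “20 minutes” claim, and it is why a password policy that turns off LM hash storage matters more than one that demands length.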
Now that I’ve shown you how to attain the coveted Domain Admin rights you literally ‘OWN’ your company’s IT Dept. You should have full access to every NT Server and Workstation on the domain, except the ones whose owners pulled Domain Admins out of the local Administrators group like I told you to above.
With this access, you have enough power to attain the root password of your company’s UNIX servers! But I’m going to save that for another time.
Have fun and be careful!