<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.6">
<TITLE>The Hack FAQ: NT Denial of Service</TITLE>
<LINK HREF="hackfaq-13.html" REL=next>
<LINK HREF="hackfaq-11.html" REL=previous>
<LINK HREF="hackfaq.html#toc12" REL=contents>
</HEAD>
<BODY BGCOLOR="black" TEXT="white" LINK="gray" VLINK="gray" HLINK="red">
<A HREF="hackfaq-13.html">Next</A>
<A HREF="hackfaq-11.html">Previous</A>
<A HREF="hackfaq.html#toc12">Contents</A>
<HR>
<H2><A NAME="ntdenialofservice"></A> <A NAME="s12">12. NT Denial of Service</A></H2>
<P>This section deals with
<A HREF="hackfaq-5.html#denialofservicebasics">Denial of Service</A>
attacks that are specific to NT.
<P>
<H2><A NAME="ss12.1">12.1 What can telnet give me in the way of denial of service?</A>
</H2>
<P>There are several DoS attacks involving nothing more than a simple telnet client that can
be used against an NT server.
<P>First, telnetting to port 53, 135, or 1031, typing in about 10 or so characters, and
hitting enter will cause problems. If DNS (port 53) is running, DNS will stop. If 135
answers, CPU utilization will climb to 100%, slowing performance. And if port 1031 is hit,
IIS will get knocked down. Typically the fix is to reboot the server, as it will be hung or
so slow as to be useless.
<P>Telnetting to port 80 and typing "GET ../.." will also crash IIS.
<P>If the latest service pack is loaded, none of these attacks will work.
<P>
<H2><A NAME="ss12.2">12.2 What can I do with Samba?</A>
</H2>
<P>Don't get me started ;-)
<P>As far as DoS goes, if you use Samba to connect to an NT 3.x server that does not have
the latest service pack loaded, you can send it "DIR ..\" and crash it.
<P>
<H2><A NAME="ss12.3">12.3 What's with ROLLBACK.EXE?</A>
</H2>
<P>If the file ROLLBACK.EXE is executed, the registry can be wiped. You must re-install or
do a complete restore if this happens to you. Sysadmins will probably want to remove
this file. Renamed, it makes for one hell of a nasty trojan.
<P>It is reportedly possible to lock onto a port, say like port 19, and when the server
crashes and comes up ROLLBACK.EXE will start trying to unlock the port and subsequently
opens up the registry for anyone to wipe it. I was unsuccessful in getting this to
happen in the lab, but probably because I find DoS attacks rather lame I didn't try
very hard to get it to work. But others claim it can happen, so keep it in mind.
<P>
<H2><A NAME="ss12.4">12.4 What is an OOB attack?</A>
</H2>
<P>This attack is fairly simple, and a fair amount of source code is available. Basically
it involves sending an out-of-band message to a Windows operating system. Typically port
139 is used. This was patched with SP3 and a Hot Fix but apparently with a little
monkeying around with the code you can get around this.
<P>This DoS is very popular, mainly because of the wide variety of implementations of
sockets. I've seen Unix and Windows NT versions of code, an implementation in Perl, and
even an implementation using the Rexx Socket APIs on OS/2.
<P>If you are so inclined, try a web search for "winnuke" which will get you probably a
thousand locations with the code.
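<P>The OOB signature above (TCP URG flag with a non-zero urgent pointer aimed at port 139) is
what an intrusion detection rule looks for. The following is an added defensive example, not
code from the FAQ: it parses raw TCP headers and flags segments matching that signature, using
constructed in-memory sample segments (nothing is sent on the wire).

```python
import struct

# TCP flag bits (low 9 bits of the data-offset/flags word), per RFC 793.
TCP_PSH = 0x08
TCP_URG = 0x20
NETBIOS_SESSION_PORT = 139


def parse_tcp_header(segment: bytes):
    """Parse the fixed 20-byte TCP header; returns (src_port, dst_port, flags, urgent_ptr)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    src, dst, _seq, _ack, off_flags, _win, _csum, urg_ptr = struct.unpack(
        "!HHIIHHHH", segment[:20])
    return src, dst, off_flags & 0x1FF, urg_ptr


def is_oob_to_netbios(segment: bytes) -> bool:
    """WinNuke-style signature: URG set, non-zero urgent pointer, destination TCP/139."""
    _src, dst, flags, urg_ptr = parse_tcp_header(segment)
    return dst == NETBIOS_SESSION_PORT and bool(flags & TCP_URG) and urg_ptr != 0


def scan_segments(segments):
    """Return the indices of all segments matching the OOB-to-139 signature."""
    return [i for i, seg in enumerate(segments) if is_oob_to_netbios(seg)]


def make_segment(src, dst, flags, urg_ptr, payload=b""):
    """Constructed sample only: 20-byte header (data offset 5), dummy seq/ack/window."""
    off_flags = (5 << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", src, dst, 1000, 2000, off_flags, 8192, 0, urg_ptr) + payload


# Constructed sample traffic: one benign NetBIOS session request, one OOB segment
# to 139, and one URG segment to a different port that the rule must ignore.
SAMPLES = [
    make_segment(40000, 139, TCP_PSH, 0, b"\x81\x00\x00\x44"),   # normal session request
    make_segment(40001, 139, TCP_URG | TCP_PSH, 3, b"abc"),      # OOB data to 139: alert
    make_segment(40002, 80, TCP_URG, 1, b"x"),                   # URG to port 80: no alert
]

if __name__ == "__main__":
    print(scan_segments(SAMPLES))  # [1]
```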
<P>
<H2><A NAME="ss12.5">12.5 Are there any other Denial of Service attacks?</A>
</H2>
<P>If a domain user logs onto the console, creates a file and removes its permissions, it
is possible that another user can log onto the console and delete the file. The problem
affects all versions of NT. However, this isn't what I'd consider "Denial of Service" as
it is more like denial of a file. Depending on the file, though, it could be used as DoS.
<P>If you are running smbmount on Linux 2.0.25, you can crash an NT server. smbmount is
intended to be run on Linux 2.0.28 or higher, so it doesn't work right on 2.0.25. You also
need a legitimate user account. Running as root, typing
smbmount //target/service /mnt -U client_name, followed by ls /mnt, will hang the shell
on Linux (no biggie) and blue screen the target server (biggie).
<P>The final DoS I'm aware of involves Microsoft's DNS on NT 4.0 server. If you send it a
DNS response when it did not make a query, DNS will crash.
<P>The latest service packs and post service pack patches fix all of these problems.
<P>
</BODY>
</HTML>