Administrator Password Guessing

Administrator Password Guessing


•Assuming that NetBIOS TCP139 port is open, the most effective method of breaking into NT/2000 is password guessing.
•Attempting to connect to an enumerated share (IPC$, or C$) and trying username/password.
•Default Admin$, C$, %Systemdrive% shares are good starting point.
One common security lapse seen is to leave in the built-in Administrator account with a null password. Password guessing appeals to the attacker because complicated passwords are difficult to remember and hence users tend to choose easiest password possible. It is often seen that users choose something that is easy to remember like birthday, pet's name, kid's name etc. Examples of these common user/password combinations can be downloaded all over the Internet.
One can categorize password guessing attacks by the amount of interaction they require with an authentication system. They are considered to be on-line attacks when the perpetrator must make use of an authentication system to check each guess of a password. On the other hand, offline attacks sees an attacker obtaining information (e.g. password hash) that will allow him to check password guesses on his own, without any further access to the system. On-line attacks are generally considered slower than off-line ones.
Automated password attacks can be divided into two basic categories, dictionary attacks and brute force attacks.
•A simple dictionary attack involves loading a dictionary file (a text file full of dictionary words) into a cracking application such as LophtCrack or John the Ripper, and running it against user accounts located by the application. The larger the word and word fragment selection, the more effective the dictionary attack is.
•The brute force method is the most inclusive - though slow. Usually, it tries every possible letter and number combination in its automated exploration.
•A hybrid approach is one which combines features of both the methods mentioned above. It usually starts with a dictionary and then tries combinations such as two words together or a word and numbers.
Legion automates the locating and connecting of Windows-based shares. The software depends on the user not protecting their shares with passwords before connecting to the Internet. The software also has a brute-force password cracking plug-in that can be used to find passwords for shares that are protected.
Legion polls wide range of IP addresses to check for availability of shared folders. The application broadcasts a NetBIOS request across the LAN to find all computers that have NetBIOS services. The application then searches each polled computer for available shares, and displays the results. Once these shares are known, there is little to do on the administrator's part to detect or deter brute force password guessing. The commercial version of Legion has an option to brute force crack any shares that were identified as shared, but password protected. The vulnerable system can have its drive mapped to the attacker's system and he can use this point of access for further nefarious activities such as installing Trojans, stealing information and even corrupting the system - thereby resulting in a denial of service. The most obvious countermeasure is to make sure that File and Print Sharing is disabled. If this is required, it must be password protected and allowed only to specific IP addresses because DNS names can be spoofed. The system must also restrict null sessions.
NTInfoScan is a security scanner for NT 4.0 is a vulnerability scanner that produces an HTML based report of security issues found on the target system and further information.
NTInfoScan (now Cerberus internet scanner) is a vulnerability scanner designed by David Litchfield specifically to address the security concerns of Windows NT 4.0 operating system. It still works with Windows 2000 and The HTML based report highlights the security issues found on the target system along with further information. It tests a number of services such as ftp, telnet, web service, for security problems. Added to this NTInfoScan will check NetBIOS for share security and User account security.