Weak NT pass isn't really a software exploit; it's a user exploit. It exploits users who use weak passwords. As far as I know, the only way to secure yourself against the "weak NT pass" attack is to use a strong password.
thatsmej
Oct 22 2003, 11:29 AM
just disable the "server" service
=k3Rn=
Oct 23 2003, 03:07 AM
Hm, can you tell me what the consequences are of disabling the "server" service? What could it be used for?
And I am still wondering what service / share or something DameWare uses to connect to hosts (and then I want to close that entry point).
z0mbi3
Oct 23 2003, 09:08 AM
I think DameWare uses port 139 to enter through the admin$ shares... thus if you have the username and password you will be able to access that share.
The thing is, some ISPs block 139 whereas some do not. Port 139 is NetBIOS (Network Basic Input Output System).
So if you use a firewall and block this then you won't be attacked... unless you have a crap firewall.
l8r.
BlaStA
Oct 23 2003, 09:33 AM
There's a Dameware Mini Remote Control service, why not disable it?
=k3Rn=
Oct 23 2003, 01:16 PM
@blasta: nonsense!
I am quite sure DameWare uses the ipc$ share to connect, but I have problems deleting that share. net share ipc$ /delete doesn't even work on my system (access denied). I thought this key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] "RestrictAnonymous"=dword:00000001 disables the ipc$ share, but this seems to be wrong.
BlaStA
Oct 23 2003, 01:55 PM
Try using psexec or another program other than Dameware MRC to connect.
Sh4dowWalker
Nov 10 2003, 03:42 PM
lol BlaStA, yeah, disable the Dameware Mini Remote Control service. Hey... tell me one thing: how do you want to disable it if it's not installed yet? I really wonder how you'll do that. Dameware may install this service AFTER it connects successfully to the target machine.
Hmm... this method of using psexec is even more interesting. So you're saying that if I want to prevent my comp from Dameware access I need to use psexec. Yeah right, and what will I execute with psexec? =k3Rn= wants to prevent access by Dameware to his comp.
=k3Rn=, I'm using one additional registry key you didn't mention here (with the rest, of course).
Set it to 1 and this will prevent enumerating SAM accounts. BTW "RestrictAnonymous"=dword:00000001 does not disable the ipc$ share, but it doesn't allow anonymous users to list domain user names and enumerate share names.
As for the Server service you asked about, here's some info about it that should help.
QUOTE
Server
Used for file and print sharing from your computer. For security purposes, you may disable this service if you do not require local printers and files shared across your network. Connectivity, however, still exists even on incoming shared network drives. Workstation needs to be running to connect to another computer that has the files you are looking for.
Note: If you disable File and Print sharing, the Server Service may disappear from the Services listing. Just enable File and Print sharing again and the Server Service will return.
Default 2000 Server: Automatic
Default 2000 Pro: Automatic
Safe Setting: Automatic
Dependencies:
What services Server needs to function properly: None
What other services require Server to function properly:
· Computer Browser
· Message Queuing
I have disabled this one. Here's some extra info about the Computer Browser and Message Queuing services, to prevent further questions.
QUOTE
Message Queuing
May be used on some domains, but the "average" home user will never need this service.
Default 2000 Server: Not Installed
Default 2000 Pro: Not Installed
Safe Setting: Not Installed
Dependencies:
What services Message Queuing needs to function properly:
· Distributed Transaction Coordinator
  o Remote Procedure Call (RPC)
  o Security Accounts Manager
· NT LM Security Support Provider
· Protected Storage
  o Remote Procedure Call (RPC)
· Remote Procedure Call (RPC)
· Server
What other services require Message Queuing to function properly:
· None

Computer Browser
Computer Browser service maintains a listing of computers and resources located on the network. This service is not required on a standalone system. In fact, even if you want to browse the network (workgroup or domain) or have mapped network shares as local hard drives, you can still do so. On a large network, one computer is designated the "master" browser and another one is the "backup" browser. All others just announce they are available every 12 minutes to "take over" duties if one of the other computers fail. No lag time is discernable if this service remains disabled on all but one computer. Honestly, I do not even believe one needs to be running. You could, "just in case," but it sure does not need to be running on all computers, all of the time.
Default 2000 Server: Automatic
Default 2000 Pro: Automatic
Safe Setting: Disabled
Dependencies:
What services Computer Browser needs to function properly:
· Server
· Workstation
What other services require Computer Browser to function properly:
· None
For Dameware not to work you only need to disable the Server service (keep in mind that some internet uses or some programs may need this service to run on your machine). Additional system securing with these registry keys and setting up a good admin password is good to do too.
Ahhh.. and you can also disable the Messenger service. If I remember correctly there was some flaw in it discovered recently. It can be used for spamming, for example.
QUOTE
Messenger
This service provides the ability to send messages between clients and servers. This service needs not to be running under normal "home" conditions. It is also advisable to make this service go away to avoid the possibility of "net send" messages hitting your computer from the internet. This has nothing to do with MSN Messenger, nor is it "WinPopUp."
To test for this security vulnerability, at the command prompt (run: cmd.exe) type:
net send 127.0.0.1 hi
If you get a popup "hi" message, you should disable the Messenger service. If you get an error stating, "The message alias could not be found on the network," you are safe.
If, for whatever reason, you need the Messenger service running but wish not to have spam popups active, you can disable the particular ports at your firewall. The Messenger service uses UDP ports 135, 137, and 138; TCP ports 135, 139, and 445.
Ok, I think this should help you. For me it works great. Maybe there's some other way too....
Peace
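The service changes the post above walks through, as an added PowerShell example that is not from the thread or from any poster: it stops and disables Messenger, Computer Browser and Server in dependency order, lists any running dependents first so nothing disappears unannounced, and then adds the inbound firewall block for the NetBIOS/SMB ports that later replies in this thread name (UDP 137/138, TCP 139/445). Assumptions: an elevated shell on Windows 8 / Server 2012 or later (for the NetSecurity cmdlets); the Messenger service was removed in Vista, so it is skipped when absent; the firewall rule names are this example's own.

```powershell
# Added example, not from the thread. Internal service names:
# "Messenger" = Messenger, "Browser" = Computer Browser, "LanmanServer" = Server.
# Order matters: Browser depends on Server, so it is handled first.
$targets = @(
    @{ Name = 'Messenger';    Why = 'net send popups (spam)' },
    @{ Name = 'Browser';      Why = 'NetBIOS browse list; depends on Server' },
    @{ Name = 'LanmanServer'; Why = 'file/print sharing, ADMIN$/IPC$, DameWare install path' }
)

foreach ($t in $targets) {
    $svc = Get-Service -Name $t.Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Host "$($t.Name): not present on this build, skipping"
        continue
    }
    # Anything still running that needs this service stops with it; say so
    # before it happens so the operator can object.
    $dependents = @($svc.DependentServices | Where-Object { $_.Status -eq 'Running' })
    if ($dependents.Count -gt 0) {
        Write-Host "$($t.Name): will also stop $($dependents.Name -join ', ')"
    }
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $t.Name -Force -ErrorAction Stop
    }
    Set-Service -Name $t.Name -StartupType Disabled
    Write-Host "$($t.Name) ($($t.Why)): stopped and disabled"
}

# Belt and braces: even if Server is re-enabled later, nothing inbound should
# reach the SMB/NetBIOS listeners. (Rule names are this example's own.)
New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 139,445)' -Direction Inbound `
    -Protocol TCP -LocalPort 139, 445 -Action Block -Profile Any | Out-Null
New-NetFirewallRule -DisplayName 'Block inbound NetBIOS (UDP 137,138)' -Direction Inbound `
    -Protocol UDP -LocalPort 137, 138 -Action Block -Profile Any | Out-Null

# Verify: services off and disabled, rules present and enabled.
Get-Service -Name LanmanServer, Browser, Messenger -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
Get-NetFirewallRule -DisplayName 'Block inbound *' | Select-Object DisplayName, Enabled, Action
```

Run it once as administrator and keep the output: the dependents line is the part you will want when someone asks why the browse list or a queue went away. Disabling Server removes the ADMIN$/IPC$ listener altogether, which is a stronger position than deleting shares that the service recreates at the next start.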
BlaStA
Nov 10 2003, 04:19 PM
QUOTE (Sh4dowWalker @ Nov 10 2003, 03:42 PM)
lol BlaStA, yeah, disable the Dameware Mini Remote Control service. Hey... tell me one thing: how do you want to disable it if it's not installed yet? I really wonder how you'll do that. Dameware may install this service AFTER it connects successfully to the target machine.
QUOTE
the problem is that they can still access the computer using Dameware (knowing the admin pass). Can anyone tell me how to secure against that access?
So he installed the Dameware MRC on the remote system. So there IS a Dameware service on the remote PC.
Sh4dowWalker
Nov 10 2003, 04:43 PM
BlaStA (Se)... Then try your DameWare on a new machine. And what have you got (I assume you knew the admin l/p)? Tada - it will ask you about installing this service first. This service allows DameWare to do some remote administration thingy. BTW there's one more service that may be installed by DameWare (depends on how you want to use DameWare).
Of course disabling will help AFTER DameWare was installed. But it will help you only until another DameWare access try. =k3Rn= wants to prevent his machine from being accessed by DameWare. BlaSta, assume that the machine we want to protect against DW is clean of it; then how do you want to protect it? By disabling a nonexistent service?
Here's a little info about both services: Dameware Mini Remote Control Service - DWRCS.EXE - this one comes when you want remote desktop. Dameware NT Utilities Service - DNTUS26.EXE - this one is installed after first use of remote command. They're using the Admin$ share when trying to install.
Susboy
Nov 17 2003, 12:45 AM
QUOTE (thatsmej @ Oct 22 2003, 11:29 AM)
just disable the "server" service
^ Probably the best way to secure yourself. Or have a batch running on start up running:
net share c$ /delete /y
net share d$ /delete /y
net share admin$ /delete /y
net share ipc$ /delete /y
etc etc. But the best would be closing ports 138, 139 and 445 so they can't even scan for passwords/connect to you.
=k3Rn=
Nov 26 2003, 08:37 PM
thx for your reply shadowwalker - interesting!
WaZa
Nov 30 2003, 03:44 AM
You may think deleting the shares is the best way to secure, but shares are created by the sysop probably because he needs them. If he notices his shares down, he will probably just recreate them, and if he notices them disabled more than once, he may get suspicious of a hacker.
=k3Rn=
Nov 30 2003, 03:48 AM
I only remove the admin shares c$ admin$ ipc$
they are not needed
net
Dec 13 2003, 04:01 PM
Weak pw is very relative though... because the longer the hacker scans, the weaker your pw gets.
But using a long pw with 10 or more characters would protect you kinda well.
Removing the shares also helps, but don't forget that the shares are added again on every reboot... you would have to create a batch that runs on every system boot.
greetz
northernsky
Dec 30 2003, 08:48 PM
Hmmm, securing against a weak password attack...... Unless anybody starts brute forcing you, as long as you don't use a weak password (6 char. with numbers/letters usually works well enough). Most people only really go for the easy kills anyway.
Krogoth
Jan 1 2004, 05:48 PM
Let's think of a password with a combination of letters and numbers, e.g. t3st(4u&7ry.
I think this will be safe; else you can use a firewall to block port 139.
eXist
Jan 3 2004, 01:59 AM
If you don't need NetBIOS on, apart from using a GOOD password, you could chuck all this in a bat file and run it:
rem Remove the administrative shares
net share C$ /delete /y
net share D$ /delete /y
net share E$ /delete /y
net share F$ /delete /y
net share IPC$ /delete /y
net share ADMIN$ /delete /y
rem Stop the services that expose NetBIOS / remote access
net stop "Remote Registry Service"
net stop "Computer Browser"
net stop "Server" >> server.txt
net stop "REMOTE PROCEDURE CALL"
net stop "REMOTE PROCEDURE CALL SERVICE"
net stop "Remote Access Connection Manager"
net stop "telnet"
net stop "messenger"
net stop "netbios"
net stop "Net Logon"
net stop "TCP/IP NetBIOS Helper Service"
f0cker
Jan 8 2004, 03:52 AM
Shares can be added remotely using rmtshare.exe from microsoft
t_gillum
Jan 8 2004, 01:43 PM
Yeah, you could just get rid of the admin hidden shares, but the only thing is that once you restart they get shared again. That creates sort of a hassle, if you know what I mean.
mal.one
Jan 15 2004, 01:46 PM
I don't know if I'm right, but as far as I know Dameware is at least able to recreate the default admin shares, so I'm a bit skeptical about that share deleting thing...
greetz
TrIaNguLaR
Jan 18 2004, 04:02 PM
Very long passwords mean a lot better chances of you not getting hacked.
nulladd
Jan 18 2004, 05:08 PM
Windows stores both the LM and NTLM hashes; because LM hashes are less secure you can turn them off if you're not worried about compatibility with older Windows versions.
Go here: Control Panel -> Administrative Tools -> Local Security Settings -> Local Policies -> Security Options and change the values in "Network Security: Do not store LAN Manager hash....." and "Network Security: LAN Manager authentication level".
BTW northernsky
QUOTE
6 char. with numbers/letters usually works well enough
That can be brute forced in seconds.
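The two Security Options settings nulladd points at, together with the RestrictAnonymous remark in Sh4dowWalker's post earlier in the thread, all land in the same registry key, so here is one added PowerShell example (not from the thread or any poster) that shows the weak and hardened values side by side and raises each one without ever lowering a value an admin already set higher. Assumptions: an elevated shell; the value names are the documented ones behind the Local Security Settings entries (RestrictAnonymousSAM is the "do not allow anonymous enumeration of SAM accounts" policy, which exists on XP/2003 and later); on a domain member, Group Policy will overwrite whatever you set here. Two caveats a practitioner should know before running it: NoLMHash only stops the LM hash being stored at the next password change, so existing LM hashes stay in the SAM until passwords are changed, and LmCompatibilityLevel 5 refuses LM and NTLM, which is exactly the compatibility break with older clients that nulladd mentions.

```powershell
# Added example, not from the thread. Each entry: weak value, hardened value, meaning.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$settings = [ordered]@{
    'RestrictAnonymous'    = @(0, 1, 'null sessions: 0 = may enumerate users and shares, 1 = may not, 2 = no null-session access (breaks some services)')
    'RestrictAnonymousSAM' = @(0, 1, 'anonymous SAM account enumeration off (XP/2003 and later)')
    'NoLMHash'             = @(0, 1, 'stop storing the LM hash; applies to passwords set after the change')
    'LmCompatibilityLevel' = @(0, 5, '0 = send LM and NTLM, 5 = NTLMv2 only and refuse LM/NTLM (breaks NT4/Win9x clients)')
}

$report = foreach ($name in $settings.Keys) {
    $weak, $hard, $why = $settings[$name]
    $current = (Get-ItemProperty -Path $lsa -Name $name -ErrorAction SilentlyContinue).$name
    $before = if ($null -eq $current) { '(absent)' } else { $current }
    # Raise only; never lower a value somebody already set higher (e.g. RestrictAnonymous=2).
    if ($null -eq $current -or $current -lt $hard) {
        Set-ItemProperty -Path $lsa -Name $name -Value $hard -Type DWord
        $after = $hard
    } else {
        $after = $current
    }
    [pscustomobject]@{ Value = $name; Weak = $weak; Before = $before; After = $after; Note = $why }
}
$report | Format-Table -AutoSize -Wrap
```

The report is the useful part: a box where Before already reads 5 for LmCompatibilityLevel and 1 for NoLMHash has nothing to gain from the password-length arguments in this thread beyond NTLMv2 brute force, while one where Before is 0 or absent still has crackable LM halves sitting in the SAM.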
Spookie
Jan 18 2004, 11:16 PM
Here's some information for you regarding passwords; you may find it of assistance.
My preference is passwords that are 8 characters in length which contain upper case, lower case, special characters and numbers.
robmilman
Mar 2 2004, 08:59 PM
Sorry, but I wanted to get back to the Dameware part of this thread.
I found this post from a Google search looking for a way to prevent Dameware from being installed by unauthorized users.
Setting restrict anonymous higher than 1 and disabling the administrative shares wasn't a great solution. This is what I ended up doing after getting nowhere with Dameware support.
I created a file in the %SystemRoot%\System32 folder called DWRCS.exe. Then I explicitly denied access to that file for everyone except the Domain Admins. Testing this on various W2K servers in our organization proved that no one but Domain Admins can install Dameware Mini Remote on our servers.
I hope that was clear enough, being my first post here.
Regards.
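robmilman's placeholder trick, written out as an added PowerShell example (not from the thread or any poster) and widened to both service binaries Sh4dowWalker named, DWRCS.exe and DNTUS26.exe: a zero-byte decoy is created under %SystemRoot%\System32 and its ACL is cut from inheritance so that only SYSTEM and one chosen group hold any entry at all; everyone else is denied implicitly. $allowedGroup is this example's one assumption (robmilman used Domain Admins). Caveat: this defeats the tool's automatic push-install, which fails when it cannot write the file, not a determined administrator, since any member of the local Administrators group can take ownership and reset the ACL; treat it as a tripwire alongside the Server-service and SMB-exposure measures earlier in the thread.

```powershell
# Added example, not from the thread. $allowedGroup is the one assumption;
# set it to 'DOMAIN\Domain Admins' to reproduce robmilman's setup.
$allowedGroup = 'BUILTIN\Administrators'
$sys32        = Join-Path $env:SystemRoot 'System32'
$placeholders = 'DWRCS.exe', 'DNTUS26.exe'   # MRC service and NT Utilities service binaries

foreach ($name in $placeholders) {
    $path = Join-Path $sys32 $name
    if (Test-Path $path) {
        # A non-empty file is a real DameWare binary: refuse to clobber it.
        if ((Get-Item $path).Length -gt 0) {
            Write-Warning "$path is not empty; DameWare is already installed here, skipping"
            continue
        }
    } else {
        New-Item -Path $path -ItemType File | Out-Null   # zero-byte decoy
    }

    $acl = Get-Acl -Path $path
    # Cut inheritance from System32 (which grants Users read/execute and
    # Administrators full control), drop any explicit entries, then add ours.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($rule)
    }
    foreach ($id in @('NT AUTHORITY\SYSTEM', $allowedGroup)) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $path -AclObject $acl
    Write-Host "$name : placeholder in place, writable only by SYSTEM and $allowedGroup"
}

# Verify: the only ACEs left are the two we added; no entry matches anyone else.
foreach ($name in $placeholders) {
    (Get-Acl -Path (Join-Path $sys32 $name)).Access |
        Select-Object @{ n = 'File'; e = { $name } }, IdentityReference, FileSystemRights, AccessControlType
}
```

The empty-file guard matters: if DameWare is already installed, the real DWRCS.exe is sitting there and silently truncating it would break the service rather than block it.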
technoboy
Mar 4 2004, 07:50 PM
you could also disable auto share:
QUOTE
' Disable automatic creation of the administrative shares (C$, ADMIN$, ...)
' on a workstation; the change takes effect when the Server service restarts.
Set WshShell = CreateObject("WScript.Shell")
WshShell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\AutoShareWks", 0, "REG_DWORD"
WScript.Echo "Operation succeeded"
Set WshShell = Nothing
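The same AutoShare change as the VBScript above, as an added PowerShell example that is not from the thread or any poster, extended with the server-SKU counterpart and with the cleanup and verification step that several earlier replies were missing: the shares are removed now, the Server service is restarted to prove they are not recreated, and the "batch at every boot" workaround becomes unnecessary. Assumptions: an elevated shell on Windows 8 / Server 2012 or later (for the SmbShare cmdlets). Two points worth knowing: IPC$ is not an AutoShare* share and the Server service recreates it on demand, so it is left alone here (the thread's answer for it, stopping Server or blocking SMB inbound, still applies); and AutoShare* only stops the service creating the shares itself, so anything holding admin credentials, DameWare included as mal.one suspects, can still create C$ by hand.

```powershell
# Added example, not from the thread. Needs an elevated shell and the SmbShare
# module (Windows 8 / Server 2012 or later).
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# AutoShareWks is read on workstation SKUs, AutoShareServer on server SKUs;
# writing both avoids guessing which one this box honours.
foreach ($name in 'AutoShareWks', 'AutoShareServer') {
    Set-ItemProperty -Path $params -Name $name -Value 0 -Type DWord
}

# Remove the auto shares that exist right now. IPC$ is skipped: it is not an
# AutoShare* share and comes back whenever the Server service needs it.
$autoShares = @(Get-SmbShare | Where-Object { $_.Special -and $_.Name -ne 'IPC$' })
foreach ($s in $autoShares) {
    Remove-SmbShare -Name $s.Name -Force
    Write-Host "removed $($s.Name) -> $($s.Path)"
}

# The shares are created when the Server service starts; restart it now to see
# whether the registry change holds, instead of waiting for the next reboot.
# (This drops every open SMB session on the box.)
Restart-Service -Name LanmanServer -Force
Start-Sleep -Seconds 3
$back = @(Get-SmbShare | Where-Object { $_.Special -and $_.Name -ne 'IPC$' })
if ($back.Count -gt 0) {
    Write-Warning ("auto shares are back: {0}; a GPO or another tool is recreating them" -f ($back.Name -join ', '))
} else {
    Write-Host 'no C$/ADMIN$-style shares after a Server restart; the setting survives reboots'
}
```

If the warning fires, look at Group Policy and at whatever management agent runs on the host before blaming the registry value: the Server service honours AutoShare*, but nothing stops a later `net share C$=C:\` from something else.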
-8-
May 16 2004, 01:48 PM
Hi guys, here comes my 2 cents.
As well as using capital letters and numbers in your password you could try using a non-standard ASCII character (something I read). Basically pick a number between 155 and 210 (rough guess on the numbers, but any number in that range will give you the non-standard character), hold down the ALT key and type your number in; try it in a word processor or Notepad. This number and ALT will produce ONE character. Simply insert this somewhere in your password. So you get this: "password(ALT-179)". Apparently I can't spell to save my life, but these characters are said to beat most password cracking software (LC3).
I hope that was helpful, (can i have my two cents back now?)
hottzo
May 17 2004, 06:43 PM
I believe the above batch script should do the job; also, at the beginning add "@echo off" so that there will be no output for the selected actions :D Also you can add the string to run the batch script in the registry... HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and add the path of your batch script.... hf