Training session 29: Windows 2000
Learn how to break some Windows 2000 Policies
Although Windows 2000 is in my opinion the only half-acceptable version of Windows ever created, and somehow has fewer problems than XP, it is still fun to find local security faults in. The local schooling system now runs 2000 entirely, and even the major universities decided to install it. So I decided to have some fun and see how secure it really is.
The first thing I found is that under the normal policies you cannot edit nearly any of the registry. This means you can't see hidden files or anything else through Explorer. Well, this is just not acceptable; to play with 2000 I must be able to see everything that's going on. So the first step is to modify the registry to remove all of the anti-moron settings:
Windows Registry Editor Version 5.00
Paste this file into Notepad, save it and run it. After logging out and back in you should have a much more appealing view of files. Generally the admin will also decide to lock out access to the C: drive and other drives; here is an easy workaround:
Open up Notepad and paste the following into it:
<a href="file://c:/">Give me Access</a>
Then save the file as 'drive.html', open it and click on the link. If all goes to plan you will have a nice Explorer window in the C: drive. With a little more fiddling the admin can disable this too, so let's fix the new problem. Right-click anywhere on the desktop and click 'New > Shortcut'. Type in 'c:\' as the location. Now drag this shortcut down onto the taskbar. Something like 'Local Disk (C:)' will appear as a new bar, and when you click on any of the files there, none will open. To fix this, resize the toolbar until only 'Local Disk (C:)' can be seen with two arrows next to it; click the arrows and now you can use this to do whatever you like. When the admins decide to get even smarter, it's time to just plain piss them off: go back into Notepad, paste the following into a file and name it 'drive.cmd':
subst z: c:\
Run the file and your Z: drive will now be a direct link to your C: drive, but without the viewing restrictions. Although a .cmd file is pretty much a .bat file, refrain from using .bat, as the system may be set to log all .bat commands; since .cmd is generally used for logon scripts, it won't be logged.
Admins also like to get even smarter and disable right-click. To fix this just go into My Computer and use the File menu; it does exactly the same thing as a normal right-click, but is just a slight bit more annoying.
A rather interesting file exists in the root of a roaming profile. Go into 'c:\documents and settings\your username', so for example 'c:\documents and settings\m101', and remove all of the contents of ntuser.dat after 'reg'. If your current permissions allow it, this will in effect stop all updates that are made to your profile; for example, when the admin decides you shouldn't have right-click access, everyone is affected but you.
An interesting feature of 2000 is that any user may install Microsoft Office and update it through MSI scripts. This means that by creating your own scripts with the same signature and name as an Office script, you can edit anything at all, no matter what it is.
Although it may appear that Administrator is the highest user level, it isn't. SYSTEM has no restrictions and even has the ability to block the admin from doing things. Depending on policies, it is possible to gain a SYSTEM shell. Get into DOS any way you wish, whether through a batch file or the prompt, and try to run 'at'. If you get an Access Denied message then you're out of luck, but otherwise you can gain SYSTEM. Let's look at what at can do:
The AT command schedules commands and programs to run on a computer at
a specified time and date. The Schedule service must be running to use
the AT command.

AT [\\computername] [ [id] [/DELETE] | /DELETE [/YES]]
AT [\\computername] time [/INTERACTIVE]
    [ /EVERY:date[,...] | /NEXT:date[,...]] "command"

\\computername     Specifies a remote computer. Commands are scheduled on the
                   local computer if this parameter is omitted.
id                 Is an identification number assigned to a scheduled
/delete            Cancels a scheduled command. If id is omitted, all the
                   scheduled commands on the computer are canceled.
/yes               Used with cancel all jobs command when no further
                   confirmation is desired.
time               Specifies the time when command is to run.
/interactive       Allows the job to interact with the desktop of the user
                   who is logged on at the time the job runs.
/every:date[,...]  Runs the command on each specified day(s) of the week or
                   month. If date is omitted, the current day of the month
/next:date[,...]   Runs the specified command on the next occurrence of the
                   day (for example, next Thursday). If date is omitted, the
                   current day of the month is assumed.
"command"          Is the Windows NT command, or batch program to be run.
From this we can see that AT stands for Automatic Scheduler. It allows the user to add programs to be run at specific times. An example command would be 'at \\bm 16:26 /interactive cmd'. Make sure yours uses the computer name of the computer you are on and the correct 24-hour time, a minute or so later than the current time. After that minute has passed a command prompt will be launched as SYSTEM. Anything launched from this box will run as SYSTEM. This means that if you run regedit, you have full access to everything.
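From the admin's side, the tricks above leave traces in process auditing. The following is an added example (not code from the original page): a small detector that scans a constructed log of process command lines for the interactive AT job that yields the SYSTEM shell, the subst drive alias from the drive.cmd trick, and script files run with either extension, so swapping .bat for .cmd does not dodge the check. The "user|command line" record format and all sample lines are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample of process-creation audit records (not real log data).
# Assumed format, one record per line: "user|command line".
SAMPLE_LOG = """\
m101|C:\\WINNT\\system32\\cmd.exe /c drive.cmd
m101|subst z: c:\\
m101|at \\\\bm 16:26 /interactive cmd
SYSTEM|cmd
jsmith|notepad.exe essay.txt
jsmith|at \\\\bm 09:00 backup.bat
m101|C:\\WINNT\\system32\\cmd.exe /c cleanup.bat
"""

@dataclass
class Finding:
    user: str
    rule: str
    command: str

# One rule per trick from the page: an interactive AT job (the SYSTEM shell),
# subst aliasing a drive letter onto a restricted drive root, and script files
# run from either extension, so renaming .bat to .cmd does not dodge the check.
RULES = [
    ("at-interactive-job", re.compile(r"(?i)\bat(\.exe)?\b.*\s/interactive\b")),
    ("subst-drive-alias", re.compile(r"(?i)\bsubst(\.exe)?\s+[a-z]:\s+[a-z]:\\?\s*$")),
    ("script-file-run", re.compile(r"(?i)\S+\.(cmd|bat)\b")),
]

def scan(log_text: str) -> list:
    """Return one Finding per (record, rule) match, in log order."""
    findings = []
    for line in log_text.splitlines():
        if "|" not in line:
            continue  # skip malformed records rather than guessing
        user, command = line.split("|", 1)
        for name, pattern in RULES:
            if pattern.search(command):
                findings.append(Finding(user, name, command))
    return findings

def users_by_rule(findings) -> dict:
    """Map each rule name to the sorted list of users that triggered it."""
    out = {}
    for f in findings:
        out.setdefault(f.rule, set()).add(f.user)
    return {rule: sorted(users) for rule, users in out.items()}

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.rule:20} {f.user:8} {f.command}")
```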
Another toy admins love is 'proquota'. This little program stops users from logging off if their profile is over a set amount. There are a few methods to kill it. Firstly, just after you log on, while your profile is still within the limits, open up Notepad, type 'admins suck', and without saving go into the Start menu and click Log Off. The End Program window will come up asking to close Notepad; click Cancel. Such a little trick has just killed proquota for the rest of your session. Another method is to overload your account with crap until the message comes up telling you that you can't log off until you delete some of it. Don't close this message, but go into Task Manager and click End Task on it. After a few seconds the 'This program is not responding' message will come up and you can happily kill proquota yet again. In some cases it may be necessary to move files into %temp% before killing the program so that your profile isn't over the limit.
Admins seem to love limiting things, so when the internet usage bill comes through and they get yelled at, they have to fix it. Since the place is a bunch of cheap arses, they use 'Microsoft Proxy Server 2.0' or some other version that comes with Windows 2000 Advanced Server. By now you would think they would learn. Basically what happens here is that profiles or computers get limits placed on their total download allowance, and as soon as this is reached the proxy steps in and tells you to kindly remove yourself. In most cases, the low quality of this proxy can be defeated by a small workaround. Create the two following files (the first is index.html, the second is bw.html):
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<frameset cols="*" frameborder="NO" border="0" framespacing="0" rows="50%,50%">
<frame name="topFrame" scrolling="NO" noresize src="bw.html">
<frame name="blankFrame" scrolling="NO" noresize src="www.school.com/asdasdasdasd">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<a href="www.area-6.net" target="scammed">Click to open a new window to surf!</a>
When you save index.html, make sure you replace 'www.school.com' on the fourth last line with the exact address of your school website, for example '<frame name="blankFrame" scrolling="NO" noresize src="www.college.com/asdasdasdasd"'. If you have created them properly, when you click on the link it will open another window, and that new window will not be restricted. Not all graphics may load, but most surfing is unrestricted; even sites that are normally restricted are now accessible. DO NOT close the primary window that keeps refreshing until you have finished browsing, or the exploit will stop working. If you fiddle with the refresh rate in index.html it is possible to create more fluent browsing.
As you can see, with only small tricks Windows 2000 policies can be defeated. These are not the only tricks possible, or even close to the full number of vulnerabilities, but you can have some fun finding them now...