COMMAND
Hackershield v1.1
SYSTEMS AFFECTED
Microsoft NT 4.0 SP5
PROBLEM
The following is based on a Nomad Mobile Research Centre (NMRC)
advisory. The HackerShield product creates a local account during
installation with a password that is not machine specific. This
includes the HackerShield demo product available via the Internet.
Testing was done with the following configuration:
Microsoft NT 4.0 Server and Workstation with SP3 (no additional hotfixes)
Microsoft NT 4.0 Server and Workstation with SP5 (with Csrss, LSA-3, RAS, WinHelp hotfixes)
HackerShield Product Version 1.10.1105, Package Version 11
HackerShield, originally developed by Netect but recently
purchased by Bindview, is a security scanner that checks Windows
and Unix hosts for security flaws. Its feature set is very similar
to, and compares well with, ISS' Internet Security Scanner and
NAI's CyberCop. It allows both manual and
auto-updates of new hack signatures, called RapidFire updates, as
well as automated scanning sessions which allow a system
administrator to define a schedule for scanning a set of network
resources. The idea is to provide an automated method of keeping
your systems fairly up-to-date from a security perspective by
downloading new vulnerabilities and running pre-scheduled scans.
This is fairly similar to the modern anti-virus model where you
set your anti-virus software to automatically download new virus
signature files from the anti-virus vendor's FTP site and then
run the virus scan, except the automated updates come via
PGP-signed email.
To facilitate HackerShield automation of scanning, a Service User
named NetectAgentAdmin$ is installed with local Administrator
privileges on the scanning computer. Unfortunately, the password
can be easily recovered. Since the advent of recent patches to
Microsoft NT, recovery of Service User password information is a
little harder. For example, pwdump will not recover the hash for
NetectAgentAdmin$, but pwdump2 will. Users of L0phtcrack will not
be able to dump this user, but using pwdump2 will get the
following for this user (text is wrapped):
NetectAgentAdmin$:1001:7a8754eda3b21376136260cc65a99030: \
2d6156879a7f61fdddb10c96427483d7:::
Being security conscious, the HackerShield folks at least made the
password 14 characters, but the password is not machine-specific.
The first 12 characters are np7m4qM1M7VT while the last two are
non-printing characters. Due to the non-printing characters,
L0phtcrack will not brute-force crack the password using the
standard choices of character sets (although it should be possible
to type in the alt codes into a custom character set -- NMRC did
not try this as the characters are still non-printing), but using
Paul Ashton's code (posted to NTBugtraq August 9, 1997) it can be
extracted as plaintext on an NT 4 SP3 workstation or server. The
implications of this should be obvious -- a service user with a
known password and local administrator rights is a prime target
for intruders of NT systems. Depending on where the product is
loaded in your organization, you have a potential vehicle for
additional password recovery, trojan horse planting, and further
compromise of the NT environment.
Eric Schultze added the following. Dumping the LSA password for the
NetectAgentAdmin$ service, we get the following hex codes:
6E 00 70 00 37 00 6D 00 34 00 71 00 4D 00 31 00
4D 00 37 00 56 00 54 00 09 00 3D 00
which equates to:
np7m4qM1M7VT<tab>=
The thirteenth character, a tab, makes this a difficult password
to enter from GUI applications. It's best to resort to the command
line to log on with the username/password combination:
net use \\172.16.1.101\ipc$ "np7m4qM1M7VT ="
/user:172.16.1.101\netectagentadmin$
(the command line above may be wrapped.)
NOTE: this account has admin privileges.
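A defender-side check for the two artifacts quoted above, added here as an example that is not part of the NMRC or Bindview advisory: it decodes the LSA secret bytes, reports which character positions are non-printable (the reason GUI logon fails), and scans pwdump-format output for accounts still carrying the vendor-default hash pair, so an administrator can confirm whether a host's NetectAgentAdmin$ password is still the shared default. The pwdump listing is constructed sample input; only the NetectAgentAdmin$ line and the LSA hex are the advisory's values.

```python
# Added example, not part of the NMRC/Bindview advisory. LSA_SECRET_HEX and the
# LM/NT pair are the values quoted in the advisory; the other pwdump-style lines
# in SAMPLE_PWDUMP are constructed sample input with placeholder hashes.

# LSA secret bytes as printed in the advisory (UTF-16LE, two bytes per char).
LSA_SECRET_HEX = (
    "6E 00 70 00 37 00 6D 00 34 00 71 00 4D 00 31 00 "
    "4D 00 37 00 56 00 54 00 09 00 3D 00"
)
# LM:NT hash pair pwdump2 reported for NetectAgentAdmin$ (from the advisory).
DEFAULT_LM_HASH = "7a8754eda3b21376136260cc65a99030"
DEFAULT_NT_HASH = "2d6156879a7f61fdddb10c96427483d7"

# Constructed pwdump2-style listing: the NetectAgentAdmin$ entry is the advisory's
# wrapped line; Administrator and backup use placeholder hashes, not real ones.
SAMPLE_PWDUMP = """\
Administrator:500:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb:::
NetectAgentAdmin$:1001:7a8754eda3b21376136260cc65a99030: \\
2d6156879a7f61fdddb10c96427483d7:::
backup:1002:cccccccccccccccccccccccccccccccc:dddddddddddddddddddddddddddddddd:::
"""


def decode_lsa_secret(hex_dump: str) -> str:
    """Decode a space-separated hex dump of an LSA secret (UTF-16LE) to text."""
    return bytes.fromhex(hex_dump.replace(" ", "")).decode("utf-16-le")


def non_printable_positions(password: str) -> list:
    """Indices of characters outside printable ASCII; these defeat GUI logon."""
    return [i for i, ch in enumerate(password) if not 32 <= ord(ch) < 127]


def parse_pwdump(text: str) -> dict:
    """Parse user:rid:lm:nt::: lines into {user: (lm, nt)}, joining wrapped lines."""
    accounts = {}
    for line in text.replace("\\\n", "").splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 4:
            user, _rid, lm, nt = fields[:4]
            accounts[user] = (lm.strip().lower(), nt.strip().lower())
    return accounts


def find_default_credential(text: str) -> list:
    """Accounts whose hashes equal the vendor-default NetectAgentAdmin$ pair."""
    return sorted(u for u, (lm, nt) in parse_pwdump(text).items()
                  if (lm, nt) == (DEFAULT_LM_HASH, DEFAULT_NT_HASH))
```

Run `find_default_credential` over a pwdump listing taken after applying the Bindview patch; an empty result means the account no longer uses the shared password.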
SOLUTION
If you have loaded the HackerShield product (including the demo)
then you have installed the Service User, and the two services
called HackerShieldAgent and HackerShieldSniffer. If this system
is not physically secure, or has Server services running, you
have the potential for compromise via the Service User. Do not
install HackerShield on non-physically secured systems. If you
have loaded HackerShield onto an NT host only to perform a
localhost scan, it is recommended you uninstall the product using
the HSUninstall.exe program once you have completed the scan.
Bindview has developed a patch for the Service User password to
be machine specific. It can be downloaded from
http://www.bindview.com/products/HackerShield/HS_Patch2.zip
In the Readme file with the zip, Bindview has a reference to the
following page:
http://www.bindview.com/products/HackerShield/HS_Patch2_advisory.html