File Sharing: Unknown Dangers on your network.

The networking features built into Windows NT and Windows 95 (and Windows for Workgroups) come with some security issues that people should know about.

A scanner can quickly sweep a network, identify every Windows 95/NT machine, grab the list of resources each machine shares, and attempt to access those resources. Once a file share has been opened, the scan checks whether the ".." bug exists. As it scans, it also sends a message to each user on the machine telling them that they have been scanned.

Windows 95, NT and Windows for Workgroups share a problem with almost every configurable device on a network: users do not configure them securely. We have found that most people who set up shared directories leave them without a password. This lets any intruder on the Internet read the files and possibly modify or delete them.

The password mechanism on these systems has many flaws. It is easy to write a program that does automated password checking. Here are the possible passwords we try:

As you are well aware, even when a password is set, the chance that it is easily guessable is quite high. In our scans the brute-force attack runs at about 200 passwords per second, so about 18,000 password attempts take under 2 minutes.

Windows 95 has no lockout after failed attempts, so an intruder can pound away at your machine endlessly.

Windows 95 also keeps no log of these attempts. Not only can an intruder try a large number of passwords in a short time, there is no record that it ever happened. Knowing that someone is attacking you is as important as fixing the problems themselves.
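The following is an added example, not code from the original article. It shows what the automated checker described above amounts to, and why the two missing controls matter: a scanner walks a candidate list against a share that behaves like Windows 95 (plain comparison, no lockout, no log), then against the same share with a failure counter and a log. The share classes, the host/share/user names and the candidate word list are constructed for the example; the list is not the one the article refers to.

```python
"""Automated share-password guessing, and why lockout and logging matter.

Added example, not code from the original article. Both share classes and
the candidate list are constructed for illustration; the candidate list is
not the one the article refers to.
"""

# Constructed list of common words a scanner might try; not the article's list.
COMMON_WORDS = ["password", "secret", "guest", "admin", "share"]


def candidate_passwords(host, share, user):
    """Yield guesses in the order a scanner would try them: blank first,
    then names the target leaks for free (host, share, user), then common
    words, each with case variants and a short digit suffix."""
    seen = set()
    for base in ["", host, share, user] + COMMON_WORDS:
        for variant in (base, base.lower(), base.upper(), base.capitalize()):
            for suffix in ("", "1", "123"):
                guess = variant + suffix
                if guess not in seen:
                    seen.add(guess)
                    yield guess


class Win95Share:
    """Share-level password check as the article describes Windows 95:
    a plain comparison, no lockout, and nothing is ever logged."""

    def __init__(self, password):
        self._password = password
        self.locked = False   # never becomes True
        self.log = []         # never written to

    def authenticate(self, password, source):
        return password == self._password


class HardenedShare:
    """The same check with the two controls the article says are missing:
    a failure counter that locks the share, and a log of every attempt."""

    def __init__(self, password, max_failures=5):
        self._password = password
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False
        self.log = []

    def authenticate(self, password, source):
        if self.locked:
            self.log.append("DENY (locked) source=%s" % source)
            return False
        ok = password == self._password
        self.log.append("%s source=%s" % ("OK" if ok else "FAIL", source))
        if ok:
            self.failures = 0
        else:
            self.failures += 1
            if self.failures >= self.max_failures:
                self.locked = True
                self.log.append("LOCKOUT after %d failures source=%s"
                                % (self.failures, source))
        return ok


def guess_share_password(share, host, share_name, user, source="10.0.0.9"):
    """Run the candidate list against a share. Returns (password, attempts):
    password is None if every guess failed or the share locked us out."""
    attempts = 0
    for pw in candidate_passwords(host, share_name, user):
        attempts += 1
        if share.authenticate(pw, source):
            return pw, attempts
        if share.locked:          # no point continuing once locked out
            return None, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed target: host FILESRV shares PUBLIC, protected with "public1".
    weak = Win95Share("public1")
    print(guess_share_password(weak, "FILESRV", "PUBLIC", "bob"))     # ('public1', 17)
    print(len(weak.log))                                               # 0: nothing to review

    hardened = HardenedShare("public1", max_failures=5)
    print(guess_share_password(hardened, "FILESRV", "PUBLIC", "bob"))  # (None, 5)
    print(hardened.log[-1])   # LOCKOUT after 5 failures source=10.0.0.9
```

For this constructed target the whole candidate list is 75 guesses, which at the article's 200 guesses per second takes well under a second; the Windows 95 style share gives up its password on the 17th guess and leaves no trace, while the hardened share stops the scan after five failures and records who did it.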

Once the scan gains access to a shared directory, it tests whether the machine is vulnerable to the ".." bug. This bug lets an intruder reach the rest of the hard drive even though the machine is configured to share only one directory.

The bug works because the OS does not properly check for "..", "...", and "..\" in the requested path, which give access to directories above the shared one. The same type of bug was found in older NFS implementations on Unix.

If the file sharing service is reachable by anyone, the dot-dot bug can crash a Windows NT 3.51 machine so that it must be rebooted. On a Windows 95 machine the same technique potentially gives anyone access to the whole hard drive. The vulnerability is documented in Microsoft Knowledge Base article Q140818, last revised March 15, 1996. The resolution is to install the latest service pack for Windows NT 3.51; the fix is included in Service Pack 4.
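The following is an added example, not code from the original article or from Microsoft, showing the difference between a filter that looks for the string ".." and a check that actually resolves the request against the share root. It assumes a DOS/Win95-style path walk in which a component of n dots climbs n-1 levels (so "..." is the grandparent), which is what makes "..." and a leading "..\" dangerous to a filter that only recognises "\..\". The share root and the request strings are constructed.

```python
"""Checking a share-relative path for the dot-dot bug.

Added example, not code from the original article or from Microsoft. It
models a DOS/Win95-style path walk in which a component of n dots climbs
n-1 levels ("..." is the grandparent); that assumption is what makes "..."
dangerous to a filter that only looks for "..".
"""


def naive_is_inside(requested):
    """A broken filter of the kind the article describes: reject a request
    only when it contains a literal "\\..\\" and trust everything else."""
    return "\\..\\" not in requested.replace("/", "\\")


def resolve_dos_path(share_root, requested):
    """Walk the request component by component from the share root.
    Returns the absolute path it lands on, or None if any step would climb
    above the share root (this is the check the vulnerable OS did not do)."""
    root = share_root.rstrip("\\")
    stack = []
    for comp in requested.replace("/", "\\").split("\\"):
        if comp in ("", "."):
            continue
        if set(comp) == {"."}:            # "..", "...", "....": all dots
            for _ in range(len(comp) - 1):
                if not stack:             # nothing left to pop: escape
                    return None
                stack.pop()
            continue
        stack.append(comp)
    return root + "\\" + "\\".join(stack) if stack else root


def is_inside_share(share_root, requested):
    """True only if the request resolves to somewhere under the share root."""
    return resolve_dos_path(share_root, requested) is not None


if __name__ == "__main__":
    ROOT = "C:\\PUBLIC"   # constructed share root
    for req in ["DOCS\\REPORT.TXT",           # legitimate
                "DOCS\\..\\README.TXT",       # legitimate, stays inside
                "\\..\\..\\WINDOWS\\WIN.INI", # obvious: naive filter catches it
                "..\\WINDOWS\\WIN.INI",       # no leading separator: naive misses it
                "...\\WINDOWS\\WIN.INI",      # grandparent in one component
                "DOCS\\...\\WIN.INI"]:        # climbs two from one level deep
        print("%-28s naive=%-5s resolved=%s"
              % (req, naive_is_inside(req), resolve_dos_path(ROOT, req)))
```

The substring filter gets it wrong in both directions: it lets "..\WINDOWS\WIN.INI", "...\WINDOWS\WIN.INI" and "DOCS\...\WIN.INI" through, and it rejects the harmless "DOCS\..\README.TXT". Resolving the path and refusing any walk that pops past the share root handles all of them.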

It is easy for a network scanner to send a message through the popup program to let users know they were scanned. The problem with this messaging utility is that it has no authentication, so an intruder can masquerade as the administrator and tell everyone to make their directories shareable because he or she needs access to them. It would not be the first time a user fell for this kind of attack.

Here are some future improvements in security for the resource-sharing file system (some of these features exist on NT but are not available on Win95):

User education needs to take place to ensure proper configuration. Here are some essential procedures to follow for a more secure network:

Firewalls:

SMB file sharing runs over NetBIOS, which uses UDP/TCP port 137 (name service), UDP port 138 (datagram service), and TCP port 139 (session service). Make sure your firewalls and routers block these ports.