r9-policies-profiles-registry.txt
Posted Aug 17, 1999
Authored by rhino9

Tricks with Policies and Profiles in Windows NT - Vacuum

systems | windows, nt
MD5 | c8f13479e320a6311706a73eaaf32b68

Tricks with Policies and Profiles in Windows NT.
Vacuum of Rhino9 & Technotronic
vacuum@technotronic.com

==============================================================
Workarounds for common system policy restrictions
Security hole within winnt\profiles and malicious executables
NetBIOS shares technique revisited
Information gathering within NT
==============================================================
System Policy workarounds:

System Policies are implemented to restrict the user from performing certain tasks.

Installing Printers:
If you do not have access to the Printers folder from Start/Settings/Printers or from
the My Computer icon:

Click Network Neighborhood.
Double-click on your computer name. The Printers folder will be available. Open the folder
and double-click on the Add Printer icon to start the Printer Installation Wizard.

Control Panel Restrictions:
If you do not have access to the Control Panel from Start/Settings/Control Panel or from the
My Computer icon:
Click Start/Help/Index.
(If you do not have Help, you can open it using Explorer or My Computer: double-click on
C:\winnt\System32\control.hlp.)
Search for "Control Panel".
All of the normally displayed icons appear as help topics.
If you click on "Network", for example, a Windows NT Help screen
appears with a nice little shortcut to the Control Panel Network Settings.
Printers can also be installed using this method as well as the method mentioned
above.

Network options can also be accessed by right-clicking on Network Neighborhood and then selecting Properties.

Missing Command Prompt:
Start NT Explorer, change to c:\winnt\system32 and double-click on COMMAND.COM;
a command prompt will start. This is also well known, but included for thoroughness.

Find Command is gone from Start/Find or from within NT Explorer:

To find a computer:
If you have a command prompt:
Net View <Enter> is like Network Neighborhood
Net View \\COMPUTERName is like Double Clicking on a computer within network neighborhood
Net use x: \\Computername\Sharename maps a drive letter to the share.

Finding a file is simple:
dir filename.ext /s

Run Command Missing:
This is rather obvious, but I will include it as it is a valid system policy
restriction. Navigate your hard disk using My Computer, winfile or NT Explorer.
Double-click on the program you wish to run. Duh!

System Policies that I have NOT found a workaround for yet:
If your display settings are restricted in control panel.
If registry editing has been disabled.
====================================================================================
Information Gathering:
Interesting NET commands that can be used to gather information.
NET localgroup <enter> will show which groups have been created on the local machine.
NET name <enter> will show you the name of the computer as well as who is logged in.
NET accounts <enter> will show the password restrictions for the user.
NET share <enter> displays the shares for the local machine including the $ shares
which are supposed to be hidden heheh??
NET user <enter> will show you which accounts are created on the local machine. This can
be useful when adding user names to NAT (the NetBIOS Auditing Tool) to brute force the shares
shown using NET share.

===================================================================================
NetBIOS Revisited:
Under NT I usually use NET VIEW \\XXX.XXX.XXX.XXX
or NET VIEW \\COMPUTERNAME
then NET USE X: \\XXX.XXX.XXX.XXX
or NET USE X: \\COMPUTERNAME\SHARENAME

Instead of using NBTSTAT -a or -A
and then editing the LMHOSTS file and browsing for the computer.
I find that this involves a few unnecessary steps.


===================================================================================
Security Hole in profiles:

Check to see if you have read/write access to the C:\winnt\profiles directory.

The following types of programs can be "planted" and executed by
the unsuspecting user at startup. Keyloggers, and other known exploits such
as pwdump and getadmin could be launched. New users logging into the system
for the first time will automatically spread the trojan to their profile.


.lnk shortcuts
These are the properties of an evil .lnk file:

C:\WINDOWS\COMMAND\START.EXE /m command.com /c mkdir c:\trojan
or to add an entry to the registry
C:\WINDOWS\COMMAND\START.EXE /m command.com /c trojan.reg

NOTE: /m is used to minimize the window; another available option is /wait,
which will cause the program to wait until the other program exits.


.bat and .cmd batch files
.com and .exe executables
.reg registry files can be executed to update or add to the registry

A malicious executable file can be planted in:

C:\WINNT\Profiles\Default User\Start Menu\Programs\Startup

NTFS partitions will have these default permissions:
Administrators Full Control
Everyone Read
System Full Control

However, remote NetBIOS attacks can be accomplished through
a compromised C$ (administrative share) using a tool like NAT.EXE
(NetBIOS Auditing Tool), or through an ill-advised Everyone/Full Control share (which is
Microsoft's default share type).

FAT Partitions have no file level security.

New users logging into the system would automatically execute this program every time they
log in. If this is done on NT Workstation, the attack will only spread to new users logging
into the workstation locally. If this attack is performed on an NT domain controller, it would
spread throughout the domain profiles. It is also possible to plant the "seed" into
existing users' profiles:

C:\WINNT\Profiles\userid of existing user\Start Menu\Programs\Startup


Hiding Detection
Replace an existing startup program with the trojan.
For example, replace McAfee's antivirus program viruscan.exe with the evil program.
Use a shareware utility like Microangelo to alter the icon of the program. Change the


Now each time the existing user logs into the machine they would also execute this code.

C:\WINNT\SYSTEM32\REPL\IMPORT\SCRIPTS
Falls under the exact same restrictions as the Default user Startup Menu.
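As an added defensive check (not from the original text): a small Python audit of the ACLs on the two startup paths discussed above. The ACE notation "principal:(flags)perm" is assumed to match what cacls prints, and both ACLs are constructed here; the first reproduces the default NTFS permissions listed above for the Default User Startup folder, the second is a deliberately weakened ACL on the REPL\IMPORT\SCRIPTS folder. Any broad principal (Everyone, Users) holding Write, Change or Full Control on such a path is reported.

```python
import re
from typing import Dict, List, Tuple

# Principals that should never hold write-capable rights on machine-wide startup paths.
BROAD_PRINCIPALS = {"everyone", "users", "builtin\\users", "authenticated users"}
# cacls permission letters: N none, R read, W write, C change, F full control.
WRITE_PERMS = {"W", "C", "F"}

# Constructed sample ACLs in cacls-style ACE notation (assumed format "principal:(flags)perm").
SAMPLE_ACLS: Dict[str, List[str]] = {
    # Default NTFS permissions quoted in the text: Admins Full, Everyone Read, System Full.
    r"C:\WINNT\Profiles\Default User\Start Menu\Programs\Startup": [
        r"BUILTIN\Administrators:(OI)(CI)F",
        r"Everyone:(OI)(CI)R",
        r"NT AUTHORITY\SYSTEM:(OI)(CI)F",
    ],
    # Weakened ACL: Everyone has been granted Change on the replication import folder.
    r"C:\WINNT\SYSTEM32\REPL\IMPORT\SCRIPTS": [
        r"BUILTIN\Administrators:(OI)(CI)F",
        r"Everyone:(OI)(CI)C",
        r"NT AUTHORITY\SYSTEM:(OI)(CI)F",
    ],
}


def parse_ace(token: str) -> Tuple[str, List[str], str]:
    """Split 'principal:(OI)(CI)F' into (principal, inheritance flags, permission letter)."""
    who, rights = token.rsplit(":", 1)
    flags = re.findall(r"\(([A-Z]+)\)", rights)
    perm = rights[-1]
    return who, flags, perm


def weak_startup_acls(acls: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return (path, principal, perm) for every broad principal that can write to the path."""
    findings = []
    for path, aces in acls.items():
        for token in aces:
            who, _flags, perm = parse_ace(token)
            if who.lower() in BROAD_PRINCIPALS and perm in WRITE_PERMS:
                findings.append((path, who, perm))
    return findings


if __name__ == "__main__":
    for path, who, perm in weak_startup_acls(SAMPLE_ACLS):
        print(f"WEAK: {who} has {perm} on {path}")
```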




.reg files can be made to do the same thing.
Example: cut and save as trojan.reg
----cut here--

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VirusScan"="ik.exe"

---cut here--

To get the executable to start before the login process:

----cut here--

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"VirusScan"="ik.exe"

----cut here--
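As an added defensive example (not part of the original text): a Python scanner that parses a REGEDIT4 .reg file and reports every value it would write under the Run/RunServices family of autorun keys, so an import like the ones above can be reviewed before it is applied. The sample .reg content is constructed here from the two entries above plus one benign key; flagging the RunOnce/RunServicesOnce siblings as well is an assumption of this example.

```python
import re
from typing import Dict, List, Tuple

# Autorun keys a planted .reg file targets: Run and RunServices from the text, plus
# their RunOnce / RunServicesOnce siblings (assumed worth flagging for the same reason).
AUTORUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once|Services|ServicesOnce)?$",
    re.IGNORECASE,
)

# Constructed sample: the two entries from the text plus one benign key.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VirusScan"="ik.exe"

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\WINNT\\clouds.bmp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"VirusScan"="ik.exe"
"""

# A value line is either "name"=data or @=data (the key's default value).
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse REGEDIT4 text into {key_path: [(value_name, data), ...]} ('' = default value)."""
    keys: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.upper() == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1) or "", m.group(3)
            if data.startswith('"') and data.endswith('"'):  # string data: unescape \" and \\
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current].append((name, data))
    return keys


def autorun_entries(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) for every value the .reg file writes under an autorun key."""
    return [(key, name, data)
            for key, values in parse_reg(text).items() if AUTORUN_KEY_RE.search(key)
            for name, data in values]
```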
