Thread: Metasploit Framework 3 and Windows NT4

#11 thorin (joined Jan 2010, 2,629 posts)

Quote Originally Posted by ReveB:
    I ran an autopwn on a Windows NT4 sp6a that hasn't been patched in years. To my big surprise not one session was created. How come Metasploit can't exploit such an old architecture? And how can it be done?
    That's kinda like asking how to change the oil and filter in a car but then not telling us what model/year. Therefore my answer is "just do it".

True. However, I want the box out, together with its BDC friend. Problem is the NT4 domain is needed for an ancient SMS setup that is needed on a daily basis. So if I want to convince management it has to go, DoS won't be good enough... If I could control the box however (without using my admin account), that would be more persuasive...
    Proving the box is vulnerable is completely irrelevant if there is no risk associated with it. If it's a PDC then it's highly unlikely that it's exposed to the internet. Therefore the only threat agents are internal employees. Depending on the type of business you're part of chances are the majority of your internal employees aren't going to be able to do anything to the box (even if they had some motivation, like being fired). So that leaves you and any other technical staff. If management isn't confident that you won't intentionally break things or leak information to competitors then they should just fire you. If they do trust you then the box's vulnerabilities are completely irrelevant.

    The arguments surrounding replacing the box should be things like:
    1) Aging hardware.
    2) Lack of hardware support/maintenance agreements with vendors (HP, Dell, whoever).
    3) Performance issues.
    4) Lack of support for the OS should anything happen.
    5) Incompatibility with other infrastructure or important technologies used within the company.

Your best bet is to prove that the old system is actively costing them money (something along the lines of ... you're wasting a lot of time supporting it) or that it has significant potential to cost them money (if it goes down no one will be able to work for x days, while you then build up a new system or recover the old thing).
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

#12 (user title: Just burned his ISO; joined Nov 2007, 6 posts)

Quote Originally Posted by purehate:
    But of course he doesn't want to hear that because he wants us to spoonfeed him a hack so he can do something illegal.
    For someone who doesn't know me, you seem to be confident to make a lot of statements about me.

First of all, I have admin rights on the box. All I want to do is see if the box has serious security issues that might justify an immediate removal. Checking a box for obvious exploits is all I want to do. Do I want to write my own hacks to do it? Hell no. What would be the purpose? I just want to know if Joe Average can hop online, download something like Metasploit and gain access. If you feel like you have to accuse me of illegal activities, I'll leave that up to you.

Quote Originally Posted by thorin:
    If it's a PDC then it's highly unlikely that it's exposed to the internet.
It is not exposed to the internet. However, it is exposed to a worldwide intranet where thousands and thousands of people can have access to it. If I could firewall it, I would, but the problem is it needs to be on the intranet because of NT trusts and the lot...

Quote Originally Posted by thorin:
    Your best bet is to prove that the old system is actively costing them money (something along the lines of ... you're wasting a lot of time support it) or that it has significant potential to cost them money (if it goes down no one will be able to work for x days, while you then build up a new system or recover the old thing).
Yeah, that's what I tried, man. The box is costing us €6,000 on hardware maintenance alone! But hey, they need it to support their SMS 2.0. And given the importance of that application, they are prepared to pay it...

    I think the only argument that would work is pointing them at obvious security flaws. But it seems there aren't any... Never knew NT was so secure

#13 (user title: Developer; joined Mar 2007, 6,126 posts)

In my humble opinion, if a box is vulnerable to DoS then I consider it pwned. There are evil "hackers" who hold huge companies ransom with denial of service attacks on their networks. I'm very sorry if I bruised your gentle feelings, but in my experience when people's first few posts consist of "I wanna own a box" and "tell me how to hack this and that" it's bad news. Forgive me for being cautious.

#14 (user title: Just burned his ISO; joined Nov 2007, 6 posts)

Quote Originally Posted by purehate:
In my humble opinion, if a box is vulnerable to DoS then I consider it pwned. There are evil "hackers" who hold huge companies ransom with denial of service attacks on their networks. I'm very sorry if I bruised your gentle feelings, but in my experience when people's first few posts consist of "I wanna own a box" and "tell me how to hack this and that" it's bad news. Forgive me for being cautious.
    No hard feelings. I completely understand your reaction.

    FWIW, I did a C|EH course last week, got certified, and signed an NDA not to perform any black hat lameness with the knowledge and tools provided to me. That doesn't make me a hacker, but I'm just playing around now to see what works and what doesn't. Don't we all? I'm here to learn...


More on the subject: DoS'ing would be a problem. The thing is, it never happened, so they are prepared to take the risk. Box down? Reboot it, look on the network where the attack came from and sack the employee that did it. DoS'ing is so noisy. On the other hand, if someone could sneak onto the NT4 box and play around, that's probably more convincing...

#15 thorin (joined Jan 2010, 2,629 posts)

If it's only your PDC for a few thousand people then who cares if there's a small possibility that it can be breached by an insider. If you can't make an argument (or more than one) based on the suggested subjects then live with the old system. For an international company of thousands, 6,000 Euro is a pittance.

If I was your management and this thread was any evidence of the arguments you might make for keeping vs getting rid of the box, I'd tell you to suck it up too.

    I'm curious about what CEH course you took for certification that would suggest you jump right in with Metasploit. Any course that teaches a halfway decent methodology should have you starting at basics and not depending on a single tool.

#16 (user title: Just burned his ISO; joined Nov 2007, 6 posts)

Quote Originally Posted by thorin:
    I'm curious about what CEH course you took for certification that would suggest you jump right in with Metasploit. Any course that teaches a halfway decent methodology should have you starting at basics and not depending on a single tool.
    It was a 5 day course done by ssr-i.com. I understand your point, but in the course we didn't "jump right in with Metasploit". We covered all the basics, and the necessary steps in the hacking process.

    But that was not my concern in this case. There's two things I wanted to achieve:

1) Assess how easy it would be for someone to go online, download Metasploit, and attack an old architecture like NT4. During the course I was impressed by Metasploit. Let's say I still think it's a nice tool, but not earth-shaking.
2) Based on 1), try to speed up the process of removing two old servers with an unsupported operating system that is open to thousands of people. Not only employees, but also visitors and contractors... SMS should have been replaced by Altiris a year ago...
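As an added example that is not part of this thread (and not Metasploit's own code), the script below shows the "start at the basics, don't depend on a single tool" ordering thorin argues for, applied to the poster's goal in 1): instead of pointing db_autopwn at a subnet, it reads nmap's XML output, keeps only the hosts that actually expose NetBIOS/SMB, and writes an msfconsole resource script that fingerprints those hosts (auxiliary/scanner/netbios/nbname and auxiliary/scanner/smb/smb_version, both real scanner modules) before any exploit module is chosen. The embedded XML is a constructed sample in nmap's -oX format; its addresses and OS string are made up, and every function name is the example's own.

```python
"""Build a targeted msfconsole resource script from nmap XML output.

Added example, not code from the thread or from Metasploit. Enumerate
first, then fingerprint only the hosts that expose SMB; exploit
selection comes after that, by hand, once smb_version has told you what
you are actually looking at. SAMPLE_NMAP_XML is a constructed sample in
nmap's -oX format (addresses and OS match are invented).
"""
import xml.etree.ElementTree as ET

# TCP ports on which an NT4-era host offers NetBIOS session / SMB service.
SMB_PORTS = {139, 445}

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows NT 4.0 SP6a" accuracy="92"/></os>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_hosts(xml_text):
    """Return [(ipv4, {open tcp ports}, os_guess_or_None)] for hosts that are up."""
    hosts = []
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # skip hosts nmap reports as down
        addr = next(
            (a.get("addr") for a in host.findall("address") if a.get("addrtype") == "ipv4"),
            None,
        )
        if addr is None:
            continue
        open_ports = set()
        for port in host.findall("./ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                open_ports.add(int(port.get("portid")))
        match = host.find("./os/osmatch")  # first (best) OS guess, if any
        os_guess = match.get("name") if match is not None else None
        hosts.append((addr, open_ports, os_guess))
    return hosts


def smb_targets(hosts):
    """Only hosts with an SMB/NetBIOS port open are worth an SMB scanner run."""
    return [ip for ip, ports, _ in hosts if ports & SMB_PORTS]


def build_resource_script(xml_text):
    """Emit msfconsole commands: fingerprint SMB hosts, no exploit modules."""
    targets = smb_targets(parse_hosts(xml_text))
    if not targets:
        return "# no SMB hosts found\n"
    rhosts = " ".join(targets)
    lines = [
        "# generated resource script: enumerate and fingerprint before exploiting",
        "use auxiliary/scanner/netbios/nbname",
        f"set RHOSTS {rhosts}",
        "run",
        "use auxiliary/scanner/smb/smb_version",
        f"set RHOSTS {rhosts}",
        "run",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: python build_rc.py > smb_enum.rc ; msfconsole -r smb_enum.rc
    print(build_resource_script(SAMPLE_NMAP_XML), end="")
```

Run against real output (nmap -sS -O -oX scan.xml <range>) by loading the file instead of SAMPLE_NMAP_XML; the generated .rc file is passed to msfconsole with -r. The point is the ordering: what smb_version reports for each host is what decides whether any exploit module even applies, which a blind autopwn run never tells you.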
