Go ahead and give everybody a little background, because there's a lot of similarities in some of the registry-based things and the same methods of attack. So let's start off with the old stuff. My favorite and common attacks in Windows are what we call keying. You have somebody who leaves an open share; you get read access to a drive. When you read the drive, all you need is a user.dat and system.dat file. You can use a program on my web page called regraper to turn that into a .reg file. From there, let's say your victim has Netscape mail (how many of you use it?). They've given you a cached password because they've said, sure enough, clicked on "remember my password." So most people think, you know, let's try to crack it. Let's go ahead and disassemble it, try to break the encryption. It's like peeing up a rope. It's real simple. You export the key. You then copy the key over to your box, put it in the same preferences, set up a fake mail server, mount it across, sniff the packet; your authentication will be in clear text. Same thing with online accounts, Gino, private VPNs; all of it is cached in Windows 2000 as well. All you need is read access to the registry. I'm going to move right along to shares; we have a brief overview. We have file and print sharing. A lot of people still leave it enabled. The biggest myth in NT and 2K security: people think because they remove NetBEUI that they're not vulnerable. They don't understand this. What we have called the NetBIOS helper is, when you have a little blue hand, in a nutshell, you're sharing, no matter what protocols you think you may or may not have installed. And I'd say the most common problem with Windows is the fact that people don't know how to secure these. They don't know how to password a share. And especially within IT, people have moved more and more away from a secure domain model and using things like file and print servers.
Mostly you go into a consulting gig, or you show up at your company, you click that thing, and you've got a whole bunch of people in the Network Neighborhood, no sorting, no order. Half of them are sharing their MP3s or their entire C drives, giving you, as I previously mentioned, read access to everything. I call this the come-sodomize-me attitude towards security. Now, people think even when they're passworded, it's still not that secure. The only way to really securely use sharing, because let's face it, you go to your IT folks, you say turn sharing the bloody hell off. "So it's going to break Outlook and everything else. We don't have to work and make a secure domain model. We just want a mesh where everybody can sort of grab what they want." I love that attitude. It's great. I'm glad I'm grabbing what I want from their networks as well. But what it comes down to is, on the securing side, you need to make sure there is one machine sharing. That would be your file server. Outlook's not going to break if you make people use a secure bloody system. People have gotten way too used to the Microsoft mesh. They don't remember a lot of the original A+ certs. When they're going through the network training, all the new IT guys these days, they're not looking for what's a secure domain model. They see token ring. They see the topology. What they're looking for is, hey, what's going to pass this test? Get me this cert. Get me a nice paying job. Therefore, you get a lot of idiots going through, "oh, I got free shares." And the networks aren't releasing, and people going "Windows isn't secure." Okay, yeah, granted, all Windows boxes are about as secure as a plus-size model. But when you set it up correctly, they can be really highly effective. Then we have the same problem with shares. We have people who put up a firewall and they think, okay, I can put up a firewall in front of my Win2K box, block 135 through 139, which are all the NetBIOS and NetBEUI ports.
And nobody's going to be able to get my information. Oops. Mostly all you have to do, let's say for instance, you have somebody who's got the nice, fancy PIX, which is a very nice, secure firewall; they've blocked off everything, and they haven't turned off sharing, and they have all these machines sharing. You do an nbtstat. The request goes through 80, and when it replies, NetBEUI will piggyback over TCP/IP and send you the table, stat it right out. The way to obviously fix this, or you have the same problem: people will turn off any incoming 139, 135, 137. Somebody sends in the request. NetBEUI makes an easy and very secure route for itself. It makes that route any way it can. So once you've mapped a share off the IPC$, it's going to send its request, or you send any NBT request to sending broadcasting, and it's going to piggyback out and send its request over 80. So you've got your NBT table showing a list of shares, workgroups, if you want them enumerated, users, local logon accounts, LanMan hashes, what have you. At that point, the firewall is pretty well useless. Next, I'm going to go ahead and move into software updates. That'd be a technology. One of the biggest problems you have is somebody slapping 2K over an old NT box. The best way to do it is format the box and install it fresh, because if you install 2K over old NT, you're managing to take all the beautiful, creative, innovative disasters that are in NT 4.0 and combine them with the instability and lack of support for 2K. That's a beautiful combination if you happen to be working in Redmond, but otherwise it doesn't work down here. To go ahead and bounce back to sharing, when 2K was first released they had a wonderfully horrendous bug. You could have admin rights. You could map the admin shares if you were an unauthenticated member of the domain, because you could map C$ across the network, until they went ahead and patched that in the pre-releases. But they're not always just as messy.
There are other options you can go into and set the protocol, trusted IPs and such. That'd be the best place to lock it down. Personally, I think that nobody should have that on their servers. It should be one file server. You see, one company had a really secure way of transferring files in your office. I think they call it FTP. There is no reason or excuse for a mesh network. Next, I want to go ahead and move into some of the semi-new creative bugs that they managed to carry over from good old NT, combined with the wonderful great new features of Windows. Let's say, for instance, I'm sure a lot of you heard about the Microsoft Outlook vulnerabilities, which allow you to write or overwrite local files. Well, a buddy of mine recently reminded me of the NT exploit where you take any executable file, any .exe, or any DLL, or binary file that has an executable stream in it. You go ahead and rename it logon.scr. You then use one of our beautiful new Outlook vulnerabilities to write that to the System32 directory. So this works great on servers, too. Logon.scr is the little bouncing screen when you don't hit Control-Alt-Delete when you log in, or you have it sitting there. But sure enough, it executes. When your code executes, if you can't write a decent Trojan that doesn't show anything, well, you still got the wonderful thing: by definition, the one time it's going to execute is when they're not at the computer. Personally, I think Outlook should not be left on a 2K system. You can see a lot of people trying to stay on the bleeding edge of technology and deploy 2K before it's been thoroughly tested. And once again, cutting cost corners. I cannot stress this enough: never install 2K over 4.0. Also, one of the newest creative disasters, I'm sure you all have heard of Windows Millennium, the new upgrade to 98 that's coming out. I use "upgrade" as loosely as possible, since the term...
Well, Windows 2K is using a lot of the same bastardized ActiveX things and controls, beautiful things like Internet Connection Sharing for private users, things like allowing links. But the biggest is operating-system-wide VBS support. And yes, you can go ahead and remove your Windows Scripting Host, but I can guarantee you there's going to be at least three or four things in your registry that need that. Yeah, it's a slicker and more effective GUI. The only problem is that, well, you still have VBS support worldwide. And unlike Windows 98 and NT, it's a lot harder to go through the registry and manually edit out a lot of those keys, if any of you guys have wandered around the 2K registry. You have to notice that when you try going into the SAM or the hive keys. After a bloody week, I had to go through and individually set the security permissions. It wouldn't even let the administrator read them. Security through obscurity. And what I was looking at here is that they secured the SAMs. Beautiful. They did not bother doing it for the applications. So anything under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion and all the installed apps, you know, you're gonna go App Paths, all those things, they didn't add the extra security there. The only area you have to worry about when doing a regedit is using regedt32 and having locked-out and bastardized binary values that you can't touch without going through every single key by hand undoing them. Now, the structure of the secure keys, the secure and supposedly uneditable ones: they're only system ones, where the SAMs and the user names and logons are stored. I'll go into that in a second, but I want to reiterate the fact that it doesn't matter, because if you've left sharing on, you're letting NetBIOS in and it will help run. You can enumerate those with any cookbook script and get it full in about maybe two minutes. Three if you stop for a beer. I was looking through these keys and they had a very simple structure.
Let's say you have user names: Administrator, Guest, victim, whatever. You have these three named accounts. You unlock the keys. You'll see Administrator, Guest, victim, and you'll see that there's an entry with each of them blank. I was looking at this hive structure, and right above them, under a different key, one of the HE SAMs, is the exact same number of keys as the number of accounts on the machine, where the simple garbage cache string is the names. And under those, another seven, and so on. Those keys are not really a target-rich environment. All that, and I haven't had time to play with them yet. But the biggest problem with this is that people think, because of all the new security features, Win2K is going to be locked down tight. People, you know, because it's faster and they've added all these new patches. Ooh, they put out SP6. I'm so excited. And all for good old 4.0. The only problem is, just how long has this been out? By definition, the people who have been training and going through your IT are now working in low-level monkey jobs and tech support, or mostly your deployment team. Yeah, a lot of them are still just getting to play with 2K. If they're worth their salt, they know how to pirate an MSDN one, which is allowed. But a lot of them are playing with 2K for the first time. And they see the new Network Neighborhood interface. They see all these different icons. They see a wonderful attempt by Microsoft to hide all the user settings. And they haven't really gotten the full hang of how to customize it out. But everybody's going to rush into deploying 2K because, well, it's the cutting edge of technology, and Windows NT is no longer going to release any service packs. Funny coincidence. There's no more service packs for NT. 2K is out, and then all of a sudden a great slew, around the time they announce "we're not going to fix anything else," new exploits come out for NT.
Yeah, of course you got Pan and Caffe managers, and they know how to go ahead and hit Packet Storm, and oh my God, there's an unrelated exploit, but the word 2000 is in there, and no, the word NT is in there. So let's go ahead and deploy it. Or you've got a lot of investors who don't like the idea of servers running on old technology. Old equals reliable in some cases. Well, okay, I can't say Microsoft's reliable with a straight face. What I can say is that, for God's sake, if you're working in IT or deployment, do not let your bosses deploy 2K until all your techs have had a chance to play with it. Because they get so lost in the new GUI and the features, and once again, that really creative attempt to hide Network Neighborhood, that sucks. I mean that they haven't bothered to do the simple things. People overlook the basics. You know, the basics in NT security: passwording the shares, nothing fully readable, making sure it's all patched and updated. And yeah, it messes no problem with this. I call it the pay-no-attention-to-the-man-behind-the-curtain theory. With all the new slick and shiny features and pretty icons, nobody's gonna bother to go through and hit their basic checklist, go to CERT. And because of the structure of the icons, the network is separated: My Network Neighborhood, Entire Network, Computers Near Me. Sure thing, it's a beautiful touch. If I'm hacking somebody's box, I wanna know all the computers near them. All these have managed to take the horrible mesh that most corporations' Network Neighborhood icons were and separate them into a couple of other unorganized messes. Much more effective that way. However, 2K does have a lot of good security features. That's called the off switch. And the biggest thing is, it is really, I will say this, it's got a slicker feel in the interface.
And if you know how to use it, and you've spent a couple of months going through and playing with every teeny feature and living nothing and breathing nothing but 2K, yeah, you'll be able to learn it fine. But if you're some tech who's sitting on IRC during his NOC shift late at night, who's gotta deploy these boxes and who's in the meantime mailing out his resumes to get another contract gig, the guy's not gonna go through and do all the basics, because the user settings are way too hard to find. And of course we have Win2K and SQL. All the old SQL exploits are still applicable, plus the slew of new ones. Like I said last year, some hackers say they don't like Windows because hacking Microsoft is like mugging the retarded. I say mugging the retarded can be both fun and profitable. So let's go ahead and get back into the meat of it, some of the new tricks and toys for it. People do not understand how to set up a... they figure they got their 2K boxes and they're using VPN, which is one of the latest buzzwords. They figure that this is gonna make them secure. They don't seem to understand that, yeah, even a firewall isn't enough. You've got a great big firewall laid out in front of your 2K servers. You've now got, you know, something that they haven't had any decent support on. Nobody's bothering to update the software patches because 2K is the bleeding edge. "We're not gonna put any money out for it because we've already paid for how many licenses for Advanced Server." And you've got VPN. Of course you've got maybe 200 people in your global corporation VPNing in from their little 98 laptops with shared C drives. And they give a nice anonymous encrypted tunnel through the firewall. Can you say buggered.com? The way to exploit this is simple. Go ahead and run, if you guys are familiar with the Rhino9 tools, you can get them on Packet Storm, there's one of them called Legion.
If, okay, hypothetically, if somebody were to download one of these things and, let's say, give it an address range of one of your local cable modem providers, especially if you live in the Silicon Valley area, sure enough you're gonna find a lot of people's resumes, a lot of them saying "security," with their nice mapped C drives. And as you're reading through My Documents, you might wanna go ahead and take the time to grab the registry and the RNA keys. I'm sure all of you remember the little program that takes dial-up networking passwords from people's saved dial-in accounts and cracks those. Bonus question: does anybody wanna tell me what class of connection the VPN connection to dial-in is? Yep, it's dial-up networking, and just as easily exploitable. So what you go ahead and do, after you've given them a subscription to NAMBLA because you found a file called visa.rtf, is you grab the keys, and here comes another beautiful Microsoft feature. You have your VPN tunnel into the firewall. There's two ways to go about it here, attacking it from the 98 box. You can use Internet Connection Sharing. Hey, I'm all about sharing, if they left that enabled. If not, just go ahead and use your name and password information, and I guarantee you nine out of 10 of them are not set up to verify by IP. The system does not support that, you know, trusted host. So now you can use your name and passwords and you're telecommuting in and doing a little work around that company. And sure enough, since they haven't bothered securing the domain, well, I've got a big NetBEUI mesh there. You have all kinds of other wonderful things to go through. People think if they disable, you know, remote administration, and they don't use workgroups, they figure they can just stick them all in the same mesh. Here's the web server in the same Network Neighborhood as the CEO's Windows 98 box. He's got John Q. Scriptkiddie going, "Hmm, where do I want to go today?"
That is the easiest and most common way to harvest through Win2K. I'm going to go through a couple other of my favorite pet exploits, and I'm going to give you guys a little time for Q&A. A lot of the holes here are Win2K's, like I said, connection with Windows 98. They've made sure that the two can interface, and much like sex between two fat people, once they've made a connection and authenticated, you can't tell where one ends and the other begins, and it's all ugly. And with any Outlook bugs that you're taking forever to patch, Win2K, you know, Win2K does offer a lot of great security features, but like I was saying before, there's no way in hell, you know, your tech's going to go through and play with them all. Well, not on your guys' time anyway, if you're hiring them, and get them all set up properly. So your best bet would actually probably be, I don't really endorse a lot of products, but I'd say CyberCop would be the best bet, because CyberCop keeps an up-to-date database of the NetBEUI vulnerabilities, and failing that, if you're on a contract or a brand new job, it generates enough documentation to scare the hell out of your CEO and get them to do whatever you want. Yeah, so CyberCop, it's basically, it's got your anti-security checklist and it gives you a nice vulnerability database that's presentable, so you don't have to do the typing. Okay, some of the oldies but goodies. Win2K still has a lot of vulnerabilities with readable... people don't seem to understand that when you share a drive or a folder, everything under that is readable. You got NTFS permissions set? Well, it's fine and dandy. I've often been raping the system by enumerating a list of user names, password shares, seeing who's got the blank Guest account. Remember your domain, so I can just go ahead and copy those. NTFS permissions are not a protection. They are false security.
I mean, 98% of the exploits were before somebody, a lot of different people, decided it was time to go after Microsoft Outlook, which my personal theory on that, I digress, has nothing to do with security and vulnerability. It has to do with a lot of sort of sickies and that thing at the office, and dialing in and waiting for 30 minutes for it to sync a folder. But Win2K security, especially when it comes to the 98 interface, the biggest problem is the connections are very highly unauthenticated. Once it's in your Network Neighborhood, it's a member and it's a friend. And all you need is read access to any of those boxes or their NBT tables. For instance, you see somebody on IRC, or wherever you got the IP, ICQ, what have you. So you go ahead and do an nbtstat -A \\their IP. You've got a list of their tables. First three common targets you always try: C$, ADMIN$, and, oh, it's got me, IPC$ first and the others. Once you've mapped the IPC$ and it's completed successfully, go ahead and net use any of the others. For those of you I'm going too fast for, net /?. No, excuse me, net use /?. Get it into a text file, read it, love it. And nbtstat, same thing. That'll give you a list of all the command lines, which is ways to play with it. Now, a lot of people have problems hacking NBT boxes because, well, they're UNIX geeks and think that the Windows interface is illogical. And yeah, it is. I don't want to have to hit Start to shut the computer down; that hurts the mind. But the biggest problem in interfacing from the hacking side of it is, a lot of you, especially, let's say you're going through your company network and you've got a legitimate reason to access a folder, like your boss's porn. And you try to connect to it. Excuse me, the file server and shared resources. You got to connect to it. And it says "connect as," asks for a password. Well, the 98 box doesn't do that. Why isn't mine working?
A, because your IT department's incompetent, because you don't know how to map it. A lot of the time it's the leap-of-light password. There's a difference between user-level and share-level shares. They both have their pros and cons, but I'd recommend going for per-user authentication. And one of the best ways to make sure, this means that I'm using per-user, is you have a list of trusted hosts. So nobody's coming in and playing silly buggers remotely. Well, not that easily anyway. You should at least, in my opinion, for it not to be an easy hack, not be able to finish your beer before you've got all the company information. It's my opinion. But user and share level in 98, most of it's stock share level, meaning you didn't bother connecting as who. Well, when you have 2K and NT boxes on the same network, there's a lot of 98 laptops. A lot of people don't bother with the logon scripts and such, and they want to leave them easily connectable for people who don't have opposable thumbs and need to use 98 SE to connect and can't figure out the domain name\username. What they do is they just leave it blank. So you have "connect as." So go ahead and use the username and enter no password. I can guarantee you nine times out of 10 it'll work, because people don't bother getting the interface right on them when they have their 98 boxes coming in. You also have things like the syncing for Outlook. Maybe you've ever tried to sync into an Outlook domain for the first time after getting a new job. I can guarantee you you'll be missing hair and very frustrated, yelling and screaming obscenities in whatever your natural language is at the IT guy until you've got it right, because there you have username, password, domain to deal with. And half the time you get people running a 10.1 network still using their company's startup name as a domain name, maybe a DMZ there, and the external name is maybe their new name, whatever.com. So it's a big tangled mess.
Most people figure the best way to deal with this big tangled mess, and I've even seen competent security people do it, is "aw hell, let's just make shortcuts everywhere with wind and leave it blank." You cannot do this. The best way I'd recommend getting around this problem would be, well, first of all, if you separate it into workgroups, set the permissions properly on workgroups. A big mess is unacceptable. From a security point of view, let's say you're not even worrying about an intruder. How many of you've ever tried to find, let's say, a copy of Netscape or whatever you need in your corporate network and you don't know the backups? Do you go surfing through every single one of those? How much time is that costing your company? Or let's say you've got a project and you've got to search one of your co-workers' drives for everything. How much time is that costing your company? The insecure mesh domain topology. The biggest problem with that is, yeah, let's say I hack your site, I make horrible fun of you on the news, sitting on your web page, decent PR, you're gonna get around that. How much time is lost looking for the files, where if they just had one single file server, they wouldn't bother with it. If they couldn't find it there, they know it's gone. Think of how many man-hours company-wide and nationwide are wasted on that. Some of my happy pet peeves. But one of the biggest parts of security is usability, and people seem to forget that. That's one of my biggest no-scores on Win2K. The usability is very low when it comes to usability over security. With good old NT, all you had to do was point at some of my... just work, scare the hell out of your bosses and yell at your IT guys to learn how to write a logon script.
With a brand new 2K, it gets to the point where, if you're a tech who's gotta slap out 50 production servers and God knows whatever else your developers and marketing geeks in the pink alligator shirts want, you don't have time to go through and play with all these individual settings, and because of some of the creative disasters I've seen, people use their network topology to try to work around 2K. They don't have the time to make a secure image, or there isn't one secure image it'll work around, because they haven't bothered investigating and checking out the user and share passwords and networking. I'm gonna go ahead and go into a little Q&A, and I'll go with a couple of tasty exploits I'm saving for last. In the green shirt in the front. Yeah, define blocked. Define blocked. What's the traffic deny? Is it deny any any? Deny any inbound? Yeah. Okay. First you can get a list of the shares. Hobbit and the Rhino9 guys, they wrote a really nice NetBEUI doc. It'll have, you'll see a list of names and their codes and such, and it'll have the list of all the services. You go ahead and decode those and you look at the table. The next thing you do, okay, one of my favorite things for hacking 2K boxes or any NetBEUI stuff: look at the computer name first. I think, I believe it's like 03 in brackets before it, the new ones. If you see OEM workgroup or Compaq one, a preferred customer, your job is going to be very easy. But so much of the memory of the shares... the other thing you can do is run a SID dump. You know, user2sid, and you'll have a list of LanMan passwords, how long ago they were changed, expired; winfingerprint will do that for you. Won't you need the IPC connection? You can also do a net view. Good question. The first thing, one for it, huh? Correct. You go to 445, that's the easier method. What you do is at that point you go ahead and use the right vulnerability and just get the tables that way.
Or, you know, plant a Trojan in there like Back Orifice and get it out. But once you've got the information, it's a big profiling hole. If you've managed to map IPC$, you are now a member of the workgroup. So go surfing through and explore and you'll find something open to make another connection through. Okay. Would I ever do 135 or 139? It'll go out and through it, yes. Okay. With all of those blocked at the firewall, what you're going to have to do is go ahead and switch attack methods, but you can still get a lot of useful information, like user lists, things like that, from it. Okay. Don't put it... It's called separating your networks. You can also filter; you know, heavy port filtering is going to make for no usability. My personal interest is, I prefer a decent topology where you keep the networks off. You separate them into workgroups, so let's say, yeah, they get your marketing geeks. Who cares? You keep your production servers separate. You can also use, like, a NukeNabber, or a packet filter or an IDS, and set it to look for a certain series coming in, you know, you sniff the packets, record, see anything that looks even vaguely like an nbtstat, and it tells it to bugger off. When I go through and lock down an NT box, the first thing I do is go... how was that? The first thing I do is go ahead, everybody's in the system, I don't go through the standard CERT list and your standard secured list. I go registry level first. You got some message to distribute. Who is it? There is already a very nice NT reg patch that's written. First you lock down that way, then you install your IDS. I don't like Tripwire that much. It's not because, you know, I have any faults with the product. It's not having had a lot of time to play with it that much, and I prefer, go ahead and hit Packet Storm once again. If you're gonna use, I use a combination of ViperDB for files and RealSecure for warnings.
RealSecure isn't that very good when it comes to dealing with it; it'll give you a lot of false alarms. It comes with file modification, port traffic, like that. But once you get it down, it can be very good as a reporting tool and it's a better whistleblower. And ViperDB is a damn good IDS, but it doesn't have a slick interface. So I use the hybrid of those two as a preference for my home systems. Did you wanna know, like, production things, if I was gonna do it differently for outside? There is a list of reg patches on my website actually that'll have this for you. I use the custom set. www.dis.org/mrmojo. M-R-M-O-J-O, no caps. And in the hacking section, if I manage to make it back to my computer in time, I'll go and double-check that it's slammed up on the servers. It'll be called ntregpatch.zip. They'll be linked to it. That's most of my standard favorites. You see, the problem with using a stock customized reg patch, though, is you've got a big production server that's got who knows what. Let's say I want to use Outlook syncing and some things. If you turn off too much stuff, what might be good for one person isn't gonna always be good for everybody else. You have to go through and read the REM statements and make sure you don't break stuff and have the IT department want your head. Okay, for the domain model, I like to keep it sweet and simple. I always wanna keep the production servers in their own DMZ. You keep the workgroups set up. It's gonna cause a little communication problem, but in my opinion, developers should not be talking to the same machine; they shouldn't have redundant connections. So what you do is go ahead and launch workgroups. Then you have an administrator in each group who has limited access to do modifications and manage them. If you don't have the personnel, just keep a tight rein on it yourself.
So you have your workgroups set out, your production and internal, and those should not be on the same servers, though, as well as any developer who needs to have outside-in access: stick them the hell outside the firewall and make sure he's not VPNing or using any kind of remote management. Was that what you wanted? Got next. Hold on. I said that, I didn't say there wasn't a point to it, but alone it is not an invaluable tool. It is a very needed thing. It's one of the basic things in your checklist. Read access to user and system, and recreate the registry from the raw files. You said everyone, everyone, right? Or you can still read it or copy it. I have a lot of Trojans and programs and papers and such on how to sneak around NTFS. And what it comes down to, though, is if you have these vulnerable things readable, there is no way to secure it. Let's say you go into Program Files, you just keep switching targets off. You find the account names on a different part of the system, or you use good old winfingerprint, I can't remember what it was originally called, which would give you a list of accounts, and you can brute-force them at that point. So here's the part where I see which one of the people who make these systems here bought me the most beer. No. What I prefer is that you don't use VPN. Let's say you're doing, you have a whole bunch of boxes, co-lo. I actually use pcAnywhere on a high encryption level. That's a really good remote networking situation. A, it runs as an NT service. Now you can set it up so when, this isn't just from a security standpoint, it's from a standpoint of usability. You don't wanna have to fly to Taipei or some godforsaken place to yell at somebody in a foreign co-lo to restart it when you reboot the server. And it's really simple; you're not looking through somebody else's slick interface remote networking. Now you can use, like, open source or site source. You can view files from monitoring and pcAnywhere, so you're actually at the box.
You never trust anything on a Windows box as it's being done remotely unless you can see the screen in front of you. Okay, well, a lot of the biggest missing, I'll go for the simple level first. I'll take it a little up, it's a multi-parted question there. Okay, a prime example the first time is you get the tables past that. If you don't have one outbound as well as inbound, packets to 139, once you make the request, it comes in through 80. You know, your local network sees it on 139, sends it back out on 80, that's how you get the tables. And go ahead and you can get, you know, S2s, SID dumps, all the other wonderful Windows hacking tools which will give you the accounts list. Passwords, it'll tell you blank passwords. Once you get a blank password, or the guest account, or something in these fields that's way too easy to brute force, then you go ahead and make the connection that way through an authenticated manner. Okay, you're denying 135, 137. If you're allowing them out, we're going to lose this in those outbound through those ports. Once you made the request via 80, maybe those went clear.

Yeah, oh, the other biggest reason, it kind of slipped me there. The main problem I have with installing 2K over NT as well. Remember L0phtCrack? Remember what I was saying about secured keys? L0phtCrack, I don't know if they've upgraded it, the SMB stuff will still work. But when I first played with L0phtCrack on 2K a few months ago, it choked. Unless you'd installed it over a good old 2K system and guess what, it would crack the locals. Because those files are still there. Yes, anybody else interested in skipping should be near the pool. Were there any other questions in the meantime? Oh, on your servers, yeah. Any IT boss that says you're building all the desktops to 2000, he's incompetent, just shoot him. So what you're looking at is for a more secure connection. It'll show it, yeah. Okay, brings a good point out.
Now, when you're worried about, I suppose I've got the best thing you can do. You're not going to like it. When you're saying about if you're in a situation where you have to go ahead and make a secure connection for a whole bunch of 2K laptops, I feel your pain, and it's secure and safe. Your best bet would be to be sure that you lock down all the NFS, give them NukeNabber, you know, to block 135, 139. Make sure you've got a very, your best protection in that case is security policy. Hey, writing them, but they're wonderful. You make sure you've got a secure image, which are available in it for, you can probably find those by manufacturers, or there's other places. I think cert.org has resources on where to find those. Go ahead and slap a secure image on, and your best protection in that case would be informing them. Informing your users, send them an email. Don't get too technical. See, if you do this, this, this, and this, one of the things you should have been writing down in these recordings, you're going to get attacked. So informing them, and making sure they're secure, that's your best bet. Maybe adding a port blocker.

Oh yeah. Okay, so you've got a separate organization, you've got separate parts of your organization. Yeah, lots of co-locations, and you can't definitely deploy it to all those 500, and you've got an unmanaged firewall. Well, the first thing for the unmanaged firewall is you take Firewall-1 off the box, and you install it pegs. And the next thing you do is, do not use VPN and dial-up connections. Like I said, policies are your best protection. They should not be tunneling in. No matter how secure you think those boxes are, and that's your best means of protection. If you've got anybody who's got home connections, which is kind of like the laptops that go into the firewall, open this. Could I open one thing so that I can have IDENT for my mIRC, everybody. You've got home connections? Slap a firewall on them. What the best protection is, are you IT or security?
All right, so do you do IT or security? Oh, in that case, the policy is the hand of God there. Just tighten up the rules a little. And once you have it running smoothly, it should be okay, and people will find that it's more usable as a security model. 90-day free CD. Oh wait, wait, oh that's a coaster. That's what those are. No I don't. You can use it as a coaster, a Frisbee, jewelry, buggered. I'm not going to go into that, there's research being done in that lit. Yeah, you don't get quite the new stuff until I've finished it and polished it out. I said once again, hit the website in a bit, but I think it sucks. And it's very dangerous. Oh, sorry, that'd be the question. You're asking about the SOAP announcements at the Microsoft Developers Conference. I said, I haven't had a chance to go through and play with it, but from a security point of view, it looks like a really bad idea.

Okay, I was just thinking the same, but what you do in that case, when you're training your new administrators, there's, you have certain network, just a lot of good security and policy stuff. You have an automated hacking site, if you search through, you know, you just search for Infoseek, like the one view, the contents of your theater and such. But your best bet is to sit down in front of a box and show them. The only way they're going to have the fear of God put into it, you get a help out. I've done this myself. I was having an argument at a contract I once took with a guy who said he wanted to leave everything printable. He wanted to leave all the shares and the resources redriveable. There's no reason, because we have NTFS. And we went on for days about this and finally we scheduled another meeting, and about the time I walked into the meeting, the scheduled job I'd planted on his home laptop the night before went ahead and printed out a 20-page document on that biosecurity, right as he's about to talk to a boss. That does it. Use the fear of God tactics.
You've got to demonstrate it on a close personal level. I'm not really going to go into Active Directory because it's a whole new can of worms. Your best bet would be checking, access to the speech on that. Go ahead and check the archives on that. Did I go out for hours on that one? Your best bet is keep it simple and old-fashioned. If you don't know how the application works or you don't know every single bit of it, don't do it. We're going to go for cost effectiveness. I said, get a different box. Don't ever do it. There is an entire slew of holes in the upgrade. I didn't notice, I didn't catch that one. He's spent a lot of time with the documents.

Yeah, I'll go ahead and I'll spew out the shot at your security versus resources right now. Go ahead and hit boughtspot.com, get one of those little programs that checks all these websites for you and drops you a mail with the latest stuff. One of my personal favorites is packetstorm.securify.com. Go ahead and, do you guys, securityfocus.org, or com now, securityfocus.com. Those are usually the quickest in getting the new exploits. You also see a lot of the stuff that's kind of a hybrid of both. There's something I missed on the Hacker News Network. My site also, when I get the time to get off my butt and stop speaking, mentions getting the exploits out. My site again is www.dis.org, forward slash Mr. Mocho, all in lowercase.

Well, once you've got the only way to deal with SMS, once you've got the registry patch just deployed, it gets turned off. I'm not, I don't really go into that much. I use it when I've got to deploy reg patches on somebody's unsecure system. Also another good list of security resources and making sure it's locked down though, SMS vulnerabilities, CyberCop. Go ahead and use CyberCop and supplement it with input from the latest websites. You don't see any hands out there. Am I missing anybody? IPSec is a very good thing, but never depend solely on one source of security. Oh, I almost forgot.
A really simple problem you were mentioning with 2K Pro, that piece of technology that you get in a lot of IT departments. They forget that when they deploy Server or Advanced Server, because you figure it's going to be faster or whatever, they forget to turn off bloody IIS. So you've got all your laptops running and advertising a web server, an unpatched and unprotected one at that. Well, I think that's about the gist of it today.