
NSFocus Security Monthly -> Issue 2 -> Tool Introduction
Ntis: a small but practical scanner

Author: goodwell (goodwell@nsfocus.com)
Source: Green Army (绿色兵团)
Homepage: http://www.nsfocus.com
Date: 1999-10-15

The tool is a single executable. Every finding in its report links back to the latest information published by the site that disclosed the vulnerability, and the file is so small that you can keep a copy in any e-mail box.

Main scan target: Windows NT
Runs on: Windows NT, from a DOS (command prompt) window
Type: remote scanner

The scan covers:
1. Most NT vulnerabilities publicly known at the time you run the scan
2. The target's account names, if the port 139 (NetBIOS session) service is open
3. Weak passwords: it tries a blank password and a password identical to the account name
4. Shared directories, including the hidden administrative shares C$ and D$
5. A detailed explanation of each finding, with a link to a fuller write-up
6. Account logon information

Let's look at an example:
ntis xxx.xxx.xxx.xxx

This writes xxx.xxx.xxx.xxx.html to the current directory. Opened in IE it looks like this:
by David Litchfield
-----------------------------------------------------------------------
FTP Service (note: FTP server type: Microsoft FTP Service 4.0)
Microsoft FTP Service (Version 4.0).
Security Issues (note: security findings)
Anonymous logins are allowed to the ftp service.
(note: anonymous users can log in)
Anonymous uploads allowed to root directory.
(note: anonymous users can log in and upload files to the top-level root directory)
-----------------------------------------------------------------------
Web Service (note: web server type: Microsoft IIS 4.0 on NT)
Web Server Software is Internet Information Server 4.0
Security Issues (note: security findings)
http://xxx.xxx.xxx.xxx/*.idc
(note: the *.idc vulnerability)
The physical location of the root directory found at ub\wwwroot\. By
requesting a non-existent IDC file it is possible to learn the physical
location of the web service's root directory. If Internet Database
Connectivity is not needed remove the script mapping for .idc files.
Alternatively installing Service Pack 4 will resolve the problem. For
more information read the Microsoft report: Q193689

http://xxx.xxx.xxx.xxx/scripts/tools/newdsn.exe
(note: newdsn.exe default .mdb/DSN file-creation vulnerability)
Newdsn.exe can be used by an attacker to create files anywhere on
your disk if the NTFS file permissions allow it.
Newdsn.exe can also be used to overwrite the DSNs of existing on-line
databases, making the information contained in the database
inaccessible.
This file, getdrvrs.exe, dsnform.exe and mkilog.exe should be deleted
or renamed unless there is a strong reason not to do so. In that case,
ensure that only Administrators may access them.

http://xxx.xxx.xxx.xxx/_vti_bin/fpcount.exe?Page=default.htm|Image=3|Digits=15
(note: the fpcount.exe vulnerability)
Fpcount.exe has been found in the /_vti_bin/ directory. If, when the
link above is followed, fifteen digits are displayed, this version of
fpcount.exe is from the FrontPage Server Extensions 97 package and it
contains a buffer overrun that allows remote execution of arbitrary
code.
This should be deleted until a copy of the 98 version of FrontPage can
be obtained.

http://xxx.xxx.xxx.xxx/iissamples/issamples/query.asp
(note: ASP source-code download vulnerability)
The query.asp page is the default sample search page for Index Server
on IIS4. From here an attacker can perform searches for files of a
certain type using "#filename=*.exe" or "#filename=*.asp". Ensure that
Index Server has been configured not to return results for searches such
as these.
Server exhibits the ::$DATA bug.
This can allow an attacker to download the source of scripts, such as
Active Server Pages or Perl scripts. This problem is fixed with Service
Pack 4, or a post-SP3 hotfix can be downloaded from the Microsoft web site.

http://xxx.xxx.xxx.xxx/iissamples/exair/search/advsearch.asp
(note: sample search script denial-of-service vulnerability)
The sample ExAir site contains a number of scripts that can cause a
temporary situation where the inetinfo.exe process consumes 100 percent
of the processor time for 90 secs. This only happens if the Index
Server ISAPI dlls have not been loaded into memory. If they are not and
this page, query.asp or search.asp are accessed directly, the script
will loop.

The solution to this problem is to remove these files.

http://xxx.xxx.xxx.xxx/iisadmpwd/aexp2.htr
(note: password-change page vulnerability)
From here an attacker can launch password attacks against the local
machine or proxied attacks against other machines on the network.
More information can be found here

http://xxx.xxx.xxx.xxx/scripts/repost.asp
(note: file-upload vulnerability; requires a domain user's password)

Microsoft's Site Server 2.0 is installed. This allows users to upload
files to the /users directory. Even if it doesn't exist, any valid user
can create the directory via the web, and the default NTFS permissions
given to this directory give the Everyone group the "Change"
permission, which allows anybody to create, modify or delete files in
that directory. Added to this, IIS gives the "Write" permission, allowing
users to use the HTTP PUT REQUEST_METHOD to place content on the web
site via the HTTP protocol. Because of the defaults, if anonymous
access is granted to the site anybody can do this. Ensure that, if the
directory exists, the Anonymous Internet Account is given only read
access to this directory. Remove change permissions for the Everyone
group and assign permissions per user.
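As an added illustration of how two of the web checks above can be implemented and verified offline (this is not Ntis code and not part of the original article), the Python below models the .idc physical-path probe and the ::$DATA source-disclosure probe. The fetcher is injected, so the detection logic runs here against constructed responses; the IIS error wording, the probe file name and the two response tables are assumptions, and against a live host you would replace fake_fetch with a real HTTP GET.

```python
"""Offline model of two IIS 4 checks from the Ntis report: the .idc
physical-path leak (Q193689) and the ::$DATA source-disclosure bug.
Added example, not Ntis code.  fetch(url) -> (status, body) is injected."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Fetcher = Callable[[str], Tuple[int, str]]

# A Windows absolute path such as D:\inetpub\wwwroot\x.idc.  Assumption: the
# pre-SP4 IDC error message quotes the physical path verbatim in the body.
_WIN_PATH = re.compile(r"[A-Za-z]:\\[^\s\"'<>|]+")


@dataclass
class Finding:
    check: str
    vulnerable: bool
    detail: str


def check_idc_path_leak(fetch: Fetcher, base: str) -> Finding:
    """Request a non-existent .idc file; if the error echoes its physical
    location, the web root's path on disk is exposed."""
    status, body = fetch(base + "/ntis_probe_nonexistent.idc")
    m = _WIN_PATH.search(body)
    if m:
        return Finding("idc path leak", True, "physical path disclosed: " + m.group(0))
    return Finding("idc path leak", False, f"status {status}, no path in body")


def check_data_stream(fetch: Fetcher, base: str, script: str = "/default.asp") -> Finding:
    """Append ::$DATA to a script name.  Unpatched IIS 4 serves the file's raw
    bytes instead of executing it, so ASP delimiters show up in the body;
    a rendered page never contains them and a fixed server answers 404."""
    status, body = fetch(base + script + "::$DATA")
    if status == 200 and "<%" in body:
        return Finding("::$DATA", True, f"raw source of {script} returned")
    return Finding("::$DATA", False, f"status {status}, no script source in body")


def run_web_checks(fetch: Fetcher, base: str) -> List[Finding]:
    return [check_idc_path_leak(fetch, base), check_data_stream(fetch, base)]


# --- constructed responses standing in for a live server -------------------
BASE = "http://xxx.xxx.xxx.xxx"

VULNERABLE: Dict[str, Tuple[int, str]] = {
    # assumed error wording; real IIS 4 text may differ, only the path matters
    BASE + "/ntis_probe_nonexistent.idc": (
        500, "Error Performing Query\nCannot open file "
             "'D:\\inetpub\\wwwroot\\ntis_probe_nonexistent.idc'"),
    BASE + "/default.asp::$DATA": (
        200, "<%@ Language=VBScript %>\n<% Set conn = Server.CreateObject(\"ADODB.Connection\") %>"),
}
PATCHED: Dict[str, Tuple[int, str]] = {
    BASE + "/ntis_probe_nonexistent.idc": (404, "The requested URL was not found"),
    BASE + "/default.asp::$DATA": (404, "The requested URL was not found"),
}


def fake_fetch(table: Dict[str, Tuple[int, str]]) -> Fetcher:
    """Build a fetcher that answers from a response table (offline stand-in)."""
    return lambda url: table.get(url, (404, "Not Found"))


if __name__ == "__main__":
    for label, table in (("vulnerable host", VULNERABLE), ("patched host", PATCHED)):
        for f in run_web_checks(fake_fetch(table), BASE):
            print(f"{label}: {f.check}: {'VULNERABLE' if f.vulnerable else 'ok'} - {f.detail}")
```

The ::$DATA check deliberately requires both a 200 status and ASP delimiters in the body: a server that has the post-SP3 hotfix rejects the stream syntax outright, while a server that merely executed the script would return HTML without any `<%` in it.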
-----------------------------------------------------------------------
NetBIOS
(note: results of the NetBIOS scan)
Share Information
Share Name :NETLOGON (note: share name)
Share Type :Disk
Comment :
Share Name :IPC$ (note: hidden share)
Share Type :Default Pipe Share
Comment :Remote IPC
WARNING - Null session can be established to \\xxx.xxx.xxx.xxx\IPC$
(note: a remote user can open an anonymous null session to it with: net use \\xxx.xxx.xxx.xxx\IPC$ "" /user:"" ; IPC$ is a named-pipe share, not a disk share, so it is connected to rather than mapped to a drive letter)

Share Name :cc
Share Type :Disk
Comment :
Share Name :film$
Share Type :Disk
Comment :
Share Name :
Share Type :Disk
Comment :
Share Name :Shareware
Share Type :Disk
Comment :
Share Name :xwh
Share Type :Disk
Comment :
Share Name :Music
Share Type :Disk
Comment :
Account Information
Account Name :Administrator
The Administrator account is an ADMINISTRATOR, and the password was
changed 67 days ago. This account has been used 78 times to logon.
The default Administrator account has not been renamed. Consider
renaming this account
and removing most of its rights. Use a different account as the admin
account.
(note: the target's account information)
Comment :
User Comment :
Full name :
Account Name :cy (note: account name)
The cy account is a normal USER, and the password was
changed 177 days ago. This account has been used 0 times to logon.
(note: a little logon information)
Comment :
User Comment :
Full name :
Account Name :ftp_user
The ftp_user account is an ADMINISTRATOR, and the password was
changed 46 days ago. This account has been used 2 times to logon.
Comment :ChinaFilm Ftp User
User Comment :
Full name :
Account Name :Guest
The Guest account is a GUEST, and the password was
changed 0 days ago. This account has been used 0 times to logon.
The Guest account is DISABLED.
(note: Guest is disabled)
Comment :
User Comment :
Full name :
Account Name :Ideal
The Ideal account is an ADMINISTRATOR, and the password was
changed 46 days ago. This account has been used 0 times to logon.
Comment :
User Comment :
Full name :
Account Name :IUSR_ASD
The IUSR_ASD account is a normal USER, and the password was
changed 320 days ago. This account has been used 1 times to logon.
Comment :Internet Server
User Comment :Internet Server
Full name :Internet Guest
Account Name :IWAM_ASD
The IWAM_ASD account is a normal USER, and the password was
changed 320 days ago. This account has been used 0 times to logon.
Comment :Internet Server Web
User Comment :Internet Server Web
Full name :Web
Account Name :janna
The janna account is a normal USER, and the password was
changed 290 days ago. This account has been used 0 times to logon.
Comment :
User Comment :
Full name :
Account Name :jzy
The jzy account is an ADMINISTRATOR, and the password was
changed 67 days ago. This account has been used 0 times to logon.
Comment :
User Comment :
Full name :
Account Name :notebook
The notebook account is a normal USER, and the password was
changed 13 days ago. This account has been used 0 times to logon.
Comment :
User Comment :
Full name :
Account Name :puma
The puma account is an ADMINISTRATOR, and the password was
changed 297 days ago. This account has been used 0 times to logon.
Comment :
User Comment :
Full name :
Account Name :SERVERS$
The SERVERS$ account is a normal USER, and the password was
changed 38 days ago. This account has been used 0 times to logon.
Comment :
User Comment :
Full name :
Account Name :SQLExecutiveCmdExec
The SQLExecutiveCmdExec account is a normal USER, and the password was
changed 314 days ago. This account has been used 0 times to logon.
(note: SQL Server is installed)
Comment :SQL Executive CmdExec Task Account
User Comment :
Full name :SQLExecutiveCmdExec
Account Name :xwq
The xwq account is an ADMINISTRATOR, and the password was
changed 269 days ago. This account has been used 0 times to logon.
(note: xwq is in the Administrators group)
Comment :
User Comment :
Full name :
WARNING cy's password is cy
WARNING ftp_user's password is ftp_user
WARNING puma's password is Blank
(note: critical: user cy's password is cy)
(note: critical: user ftp_user's password is ftp_user)
(note: critical: user puma's password is blank)
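The following Python is added here as an example (it is not Ntis code and not from the original article) to show how the NetBIOS section of a report in the format above can be parsed and how the weak-password check from the feature list works: for every enabled account it tries a blank password and the account name itself. The report excerpt is constructed from the sample above, fake_logon and its credential table stand in for the SMB logon attempts the real tool makes against port 139, and the notes about hidden shares and never-used admin accounts are my additions.

```python
"""Parser for the NetBIOS section of an Ntis report plus the weak-password
check Ntis performs (blank password, or password equal to the user name).
Added example, not Ntis code.  REPORT is a constructed excerpt in the
report's own format; fake_logon stands in for a real SMB session setup."""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Account:
    name: str
    privilege: str      # ADMINISTRATOR, USER or GUEST
    pw_age_days: int
    logons: int
    disabled: bool


_SHARE = re.compile(r"Share Name :(\S*)\s*Share Type :([^\n]+)")
_ACCOUNT = re.compile(
    r"Account Name :(\S+)\s+The \1 account is an? (?:normal )?(ADMINISTRATOR|USER|GUEST), "
    r"and the password was\s+changed (\d+) days ago\. "
    r"This account has been used (\d+) times to logon\."
    r"(\s*The \1 account is DISABLED\.)?"
)


def parse_shares(report: str) -> List[Tuple[str, str]]:
    """(share name, share type) pairs in report order."""
    return [(name, kind.strip()) for name, kind in _SHARE.findall(report)]


def parse_accounts(report: str) -> List[Account]:
    return [Account(n, priv, int(age), int(used), bool(dis))
            for n, priv, age, used, dis in _ACCOUNT.findall(report)]


def weak_candidates(accounts: List[Account]) -> List[Tuple[str, str]]:
    """The two guesses Ntis tries per enabled account: blank and the user name."""
    return [(a.name, pw) for a in accounts if not a.disabled for pw in ("", a.name)]


def check_weak_passwords(accounts: List[Account],
                         try_logon: Callable[[str, str], bool]) -> List[str]:
    """Same wording as the report's WARNING lines."""
    return [f"WARNING {user}'s password is {pw or 'Blank'}"
            for user, pw in weak_candidates(accounts) if try_logon(user, pw)]


def audit(report: str, try_logon: Callable[[str, str], bool]) -> List[str]:
    """Findings in the spirit of the report, plus two notes of my own:
    hidden (trailing-$) shares and admin accounts that have never logged on."""
    shares, accounts = parse_shares(report), parse_accounts(report)
    notes = []
    if "Null session can be established" in report:
        notes.append("null session to IPC$: shares and accounts enumerable anonymously")
    notes += [f"hidden share {n}" for n, _ in shares if n.endswith("$") and n != "IPC$"]
    if any(a.name == "Administrator" for a in accounts):
        notes.append("built-in Administrator account has not been renamed")
    notes += [f"admin account {a.name} has never logged on (unused or service account)"
              for a in accounts
              if a.privilege == "ADMINISTRATOR" and a.logons == 0 and not a.disabled]
    return notes + check_weak_passwords(accounts, try_logon)


# Constructed excerpt, in the format of the report above.
REPORT = """\
Share Name :NETLOGON
Share Type :Disk
Share Name :IPC$
Share Type :Default Pipe Share
WARNING - Null session can be established to \\\\xxx.xxx.xxx.xxx\\IPC$
Share Name :film$
Share Type :Disk
Account Name :Administrator
The Administrator account is an ADMINISTRATOR, and the password was
changed 67 days ago. This account has been used 78 times to logon.
Account Name :cy
The cy account is a normal USER, and the password was
changed 177 days ago. This account has been used 0 times to logon.
Account Name :ftp_user
The ftp_user account is an ADMINISTRATOR, and the password was
changed 46 days ago. This account has been used 2 times to logon.
Account Name :Guest
The Guest account is a GUEST, and the password was
changed 0 days ago. This account has been used 0 times to logon.
The Guest account is DISABLED.
Account Name :puma
The puma account is an ADMINISTRATOR, and the password was
changed 297 days ago. This account has been used 0 times to logon.
"""

# Constructed credential table; on a real scan each guess is an SMB logon to port 139.
_FAKE_PASSWORDS = {"Administrator": "S3cret!", "cy": "cy", "ftp_user": "ftp_user", "puma": ""}


def fake_logon(user: str, password: str) -> bool:
    return _FAKE_PASSWORDS.get(user) == password


if __name__ == "__main__":
    for line in audit(REPORT, fake_logon):
        print(line)
```

Disabled accounts are skipped before any guess is made, which is why Guest never appears in the warnings even though its password age is 0 days; the point of the two-guess check is that it costs two logon attempts per account and still finds the three weak credentials from the sample report.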

Among the many scanners available, Ntis's web and FTP checks are not especially powerful, but it tests for weak passwords automatically, and that is the real reason I recommend giving it a try.

Download: http://www.infowar.co.uk/mnemonix/ntis.exe

All rights reserved. Do not reproduce without permission.