1.5 Tales from the Crypt: Battlefield Triage
Note how the DependOnService field has been set to include LdmSvc, the faux
Logical Disk Management service.
Like many attackers, after they had established an outpost on our file server,
they went about securing the machine so that other attackers wouldn't be able
to get in. For example, they shut off the default hidden shares.
net share /delete C$ /y
net share /delete D$ /y
REM skipping E$ to Y$ for brevity
net share /delete Z$ /y
net share /delete $RPC
net share /delete $NT
net share /delete $RA SERVER
net share /delete $SQL SERVER
net share /delete ADMIN$ /y
net share /delete IPC$ /y
net share /delete lwc$ /y
net share /delete print$
REM keep the server and workstation administrative shares from being recreated at boot
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v AutoShareServer /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0 /f
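A defender can look for exactly this kind of tampering. The following PowerShell audit is an added example, not a script from the book: it checks whether AutoShareServer or AutoShareWks has been explicitly zeroed and whether the default administrative shares are still present. It assumes a Windows host with the SmbShare module and an elevated shell; the list of expected shares is a constructed baseline.

```powershell
# Added example: audit a host for the share-hiding changes described above.
# Assumes Windows 8 / Server 2012 or later (Get-SmbShare) and an elevated session.
$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
# Constructed baseline of shares that should exist on an ordinary server.
$expectedShares = @('ADMIN$', 'C$', 'IPC$')

function Test-AutoShareTampering {
    $findings = @()

    # Both values are absent by default; an explicit 0 means someone switched
    # the administrative shares off, as in the attacker's script.
    $params = Get-ItemProperty -Path $paramKey -ErrorAction SilentlyContinue
    foreach ($name in 'AutoShareServer', 'AutoShareWks') {
        $value = $params.$name
        if ($null -ne $value -and $value -eq 0) {
            $findings += "$name is explicitly set to 0 under $paramKey"
        }
    }

    # Compare the live share list against the baseline; a missing default share
    # is a simple indicator that a net share /delete has been run.
    $present = @((Get-SmbShare -ErrorAction SilentlyContinue).Name)
    foreach ($share in $expectedShares) {
        if ($present -notcontains $share) {
            $findings += "default share $share is not present"
        }
    }
    return $findings
}

$result = Test-AutoShareTampering
if ($result.Count -eq 0) {
    Write-Output 'No share-hiding indicators found.'
} else {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it from a baseline you trust, since a legitimately hardened server will also trip the first check.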
Years earlier, back when NT 3.51 was cutting edge, the college's original
IT director decided that all of the machines (servers, desktops, and laptops)
should have the same password for the local system administrator account.
I assume this decision was instituted so that technicians wouldn't have to
remember as many passwords or be tempted to write them down. However,
once the attackers ran pwdump3, giving them a text file containing the file
server's Lan Manager (LM) and New Technology Lan Manager (NTLM)
hashes, it was the beginning of the end. No doubt, they brute forced the LM
hashes offline with a tool like John the Ripper[54] and then had free rein over
every machine under our supervision (including the domain controllers). Game
over, they sank our battleship.
In the wake of this initial discovery, it became evident that Hacker Defender
had found its way onto several of our servers, and the intruders were gleefully
watching us thrash about in panic. To amuse themselves further, they
surreptitiously installed Microsoft's Software Update Services (SUS) on our
54. http://www.openwall.com/john/
Part I | 31