[4781] in WWW Security List Archive
Re: Rollback attack
daemon@ATHENA.MIT.EDU (John Johnson)
Wed Mar 12 08:48:49 1997
Date: Wed, 12 Mar 1997 22:30:43 +1000
To: Fiorini Simone <fiorinis@dsdata.it>
From: John Johnson <novatech@nectar.com.au>
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
At 04:36 PM 3/11/97 +0100, you wrote:
>I've heard about something like Rollback attack against NT based WWW
>servers.
>
>Can anyone tell me something about this?
>
>Thanks.
>
>____________________
>Simone Fiorini
>DS DATA SYSTEMS spa
>
>fiorinis@dsdata.it
>
>_______________
>
>Simone Fiorini
>DS DATA SYSTEMS spa
>via Paradigna - PARMA (ITALY)
>
>fiorinis@dsdata.it
>fiorini@spiderlink.it
>
>
OK, basically, if you have a few open ports on an NT server (4.0) you can play
it this way. Usually there are some protected ports (below 1024) open; you
can use a tool like port lock (credits to The Hobbit, or that's where I
got it) to lock onto one of these ports, and then, using either the get.../../.. attack,
or, if port 19 is open (using Linux you can open say 40,000 ports to it),
something like the pounder attack on it, crash the machine. Now, if
you have the port lock on it, it will start throwing rollback.exe at the locked
open port, so upon reboot
(NT runs around looking for exe's) it accepts this rollback play and opens
up the registry to all comers for resetting of the system (rollback is
also used to recover lost administrator passwords, but more on this later).
I know it sounds sooooo simple, but hey, the man asked. If you don't believe
me, look at some of the Aussie press from when we did this in public at a
Sydney computer show. I ain't against NT, OK?? I'm just telling you folks how
we do it..
cheers!
John Johnson WWW http://www.novatech.net.au
Tactical Director email novatech@novatech.net.au (business)
NovaTech Internet Security knytmare@nectar.com.au (private)
Australias Leading Dedicated Internet and Network Security Consultants