NTA Monitor

NT4 DNS flaw

Microsoft NT includes an Internet DNS (Domain Name Server) software component. However, NTA Monitor have now revealed that it leaks the identity of the NT administrator user by inserting that account's name into the contact field of the SOA records it serves.

Microsoft themselves recommend that users rename the administrator account away from the default, but with this flaw attackers can still discover the new name.

Because Windows allows remote login as the administrator and permits unlimited login attempts, once an attacker knows the name of the admin account they can attempt a brute-force attack, the password being the only unknown.

Reference: the announcement by Roy Hills of NTA Monitor

>Date: Tue, 20 Jun 2000 17:16:18 +0100
>To: secure@microsoft.com
>From: Roy Hills {Roy.Hills@nta-monitor.com}
>Subject: NT DNS Server leaks administrator account name in SOA record
>
>Dear Microsoft Security Department,
>
>I've noticed that the Microsoft DNS server on NT Server 4.0 leaks the
>built-in administrator account name in the "contact" field of the DNS
>SOA record for all zones that it is authoritative for.
>
>For example, a DNS lookup for the SOA record of "domain.com" might
>give the following answer if the built-in administrator's account name is the
>default of "Administrator":
>
>domain.com.   86400 SOA  ns.domain.com. administrator.domain.com. (
>          2000062001  ; serial
>          7200   ; refresh (2 hours)
>          3600   ; retry (1 hour)
>          1209600   ; expire (14 days)
>          86400 )   ; minimum (1 day)
>
>If the administrator account name had been renamed from the default
>"Administrator" to "Hardman", the SOA record would be:
>
>domain.com.   86400 SOA  ns.domain.com. hardman.domain.com. (
>          2000062001  ; serial
>          7200   ; refresh (2 hours)
>          3600   ; retry (1 hour)
>          1209600   ; expire (14 days)
>          86400 )   ; minimum (1 day)
>
>Most NT security guides advise administrators to rename the built-in
>Administrator account to a hard-to-guess name.  However, if the NT server
>is acting as a DNS server using Microsoft DNS server software, it is possible
>to determine the name of the administrator account.
>
>It is possible to manually change the contact Email address in the SOA record
>to prevent this information leakage, but I guess that most people won't bother
>to do this and will leave it at the default.
>
>I've seen this behaviour on Windows NT Server 4.0 SP4 running the Microsoft
>DNS Server network service.
>
>Regards,
>
>Roy Hills
>NTA Monitor Ltd

This advisory was first released on 13th July 2000.
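As an added example (not part of the advisory or of NTA Monitor's own tooling), a Python audit for the mitigation the email suggests: it parses the SOA contact field (RNAME) as RFC 1035 defines it and flags any zone whose contact is not a recognised role mailbox, which is how an unchanged Microsoft DNS contact field would appear. The role-mailbox list and the sample lines are constructed assumptions.

```python
import re

# Role mailboxes commonly used as a zone contact (hostmaster per RFC 2142).
# This list is an assumption made for the check, not something the advisory states.
ROLE_MAILBOXES = {"hostmaster", "dnsadmin", "dns", "postmaster", "noc"}

# Start of a zone-file SOA line: owner [TTL] [IN] SOA mname rname ...
SOA_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)",
    re.IGNORECASE,
)

def rname_to_email(rname: str) -> str:
    """Turn an SOA RNAME (RFC 1035 s3.3.13) into mailbox@domain: the first
    unescaped dot separates the two, and a literal dot in the mailbox is '\\.'."""
    if rname.endswith(".") and not rname.endswith("\\."):
        rname = rname[:-1]  # drop the trailing root dot
    mailbox, i = [], 0
    while i < len(rname):
        c = rname[i]
        if c == "\\" and i + 1 < len(rname):
            mailbox.append(rname[i + 1])  # escaped character, keep it literally
            i += 2
            continue
        if c == ".":
            return "".join(mailbox) + "@" + rname[i + 1:]
        mailbox.append(c)
        i += 1
    return "".join(mailbox)  # no domain part present

def audit_soa(line: str):
    """Return (contact_email, suspicious) for an SOA line, else None. A contact
    that is not a role mailbox is flagged: that is what an unchanged Microsoft
    DNS contact field looked like in the advisory."""
    m = SOA_RE.match(line)
    if not m:
        return None
    email = rname_to_email(m.group("rname"))
    return email, email.split("@")[0].lower() not in ROLE_MAILBOXES

def audit_lines(lines):
    """Audit every SOA line found in a list of zone-file lines."""
    return [r for r in map(audit_soa, lines) if r is not None]

# Constructed sample: the advisory's two SOA examples plus a corrected one.
SAMPLE_LINES = [
    "domain.com.   86400 SOA  ns.domain.com. administrator.domain.com. (",
    "          2000062001  ; serial",
    "domain.com.   86400 SOA  ns.domain.com. hardman.domain.com. (",
    "domain.com.   86400 IN SOA ns.domain.com. hostmaster.domain.com. (",
]
```

Run `audit_lines` over the SOA lines of each zone you serve; any entry flagged as suspicious is a contact field worth replacing with a role mailbox before it reveals a local account name.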