Comedy Way To Circumvent Group Policy
Shockeh
If a packet drops on the web and nobody's near to see it... Join Date: 2002-11-19 Member: 9336NS1 Playtester, Forum Moderators, Constellation
in Off-Topic
Ah, wonderful Microsoft.
Hi all,
Well, as I work in <a href='http://www.zen.co.uk' target='_blank'>IT security</a>, this was just passed to us after being demonstrated at the wonders of <a href='http://www.defcon.org/html/defcon-12/dc-12-index.html' target='_blank'>Defcon 12</a>. And being the nice guy I <a href='http://www.amazon.com/exec/obidos/tg/detail/-/078062260X/102-9277414-6532101?v=glance' target='_blank'>am</a>, I thought you'd be delighted to share in it. It gave me a chuckle or three.
Basically, it lets you circumvent Microsoft's vaunted <a href='http://www.microsoft.com/downloads/details.aspx?FamilyID=ef3a35c0-19b9-4acc-b5be-9b7dab13108e&DisplayLang=en' target='_blank'>Group Policy</a> on a supposedly locked down workstation. Suppose you have Group permissions in place to disallow web browsing, and obviously no shell access etc. Well, let's have a nosey at what little basics of hacking we can achieve, shall we?
It turns out MS's own help system relies on HTML, meaning that by definition, it can handle web calls. So we run venerable Windows <a href='http://www.erlangerhistorikerseite.de/netzsem/internet/bilder/calculator.gif' target='_blank'>Calculator</a> (it doesn't have to be this, but it's good for an example) and select 'Help'. Yes, I know we've only ever done it by mistake before, but it'll really help this time.
Voila, up comes the oh-so-unhelpful help menu. But what if we right click on the title bar itself? Good Lord, it would appear we have extra options. How about we wander down to 'Jump to URL' shall we, and let's see what we can get?
Now, if we were amateurs.... we'd now type in <a href='http://www.google.co.uk' target='_blank'>http://www.google.co.uk</a> or maybe even wander off to get our usual gaming <a href='http://www.unknownworlds.com/ns/' target='_blank'>fix</a>, but we're not. Let's get inventive, shall we? Try....
CODE: shell:system
and behold, the <a href='http://www.netmemorials.co.uk/elvis-portrait3.jpg' target='_blank'>King</a> has spoken, and you now have access to /Windows/System! Sweet, should be appropriate about now.
From there, we could do all sorts of nasty <a href='http://www.imperva.com/application_defense_center/glossary/directory_traversal.html' target='_blank'>Directory Traversal</a>, but you can learn that level of stuff for yourselves.
Just thought I'd post & show how many holes lie in <b>every</b> O/S, Linux/Windows/Mac SysOps claiming to the contrary. Read, Learn, Digest, Enjoy.
The kids using tools to win at FPS? That's not hacking. There's a whole frightening culture out there kids, that can either send you straight to prison or make you a very rich person, if you apply that <a href='http://cscserver.cc.edu/jtowell/images/homer_brain.gif' target='_blank'>fleshy mass</a> that sits in your cranium correctly. What you do with that information is entirely your call.
Hope this has been enjoyable for you, all the information provided is freely available as of now, so maybe a little light reading would do us all good, eh?
Regards,
Shockwave
Comments
You can add the following key to the registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
with value REG_DWORD of 0x1
(you can also add this to HKEY_LOCAL_MACHINE).
This will cause the "Jump to URL" to no longer show up. The side effect is that you cannot access local directories from IE. So if you go to IE and try to navigate to c: you will be denied access.
And yes, there are holes in GPO. But it is not intended as a security system, more as a control mechanism. Security is ACL's and DACL's. Group Policy is just to herd your users like the cattle they are. :)
Hola MonsE, nice to see you back & posting. :)
While our good Mr.Evil is entirely correct (though I haven't tried it, I am more than sure he will be) therein lies our problem....
Let's count the number of SysOps in the world (including MS qualified, hell, even MS employed!) and let's now divide them into 3 categories....
A) Knew you could do this
B) Didn't know you could do this
C) Did know, but didn't implement it
The scary thought? How many fall into categories B & C. :)
Oh, and MonsE, try not to mention ACL's, I get IOS flashbacks every time I see the acronym.
- Shockwave, "They're coming out of the goddamn walls! Packets everywhere!"
Spoken like a true BOFH. Now if you could only find a way to have group policies electrocute people...
EDIT: QUOTE: Shockwave, "They're coming out of the goddamn walls! Packets everywhere!"
Oh man, the next time I take a hands-on I'm going to shout this halfway through!
QUOTE: Spoken like a true BOFH. Now if you could only find a way to have group policies electrocute people...
Damn that would rock.
Hiya Shock! :)
We had this new security software on our CAD computers...
Basically we always finished early and wanted to play flight simulator..... but the security "blocked" the directory...
It was foolproof security like the earlier versions.... and basically our teacher told us if we could get onto it.. we could play it... on one condition.. we had to tell him how we beat the security..
We used explorer(right click) internet explorer, right clicking the taskbar, directly running the program, and many other things...
After he locked out all icons on the desktop except one we would open that one up and get to it by opening up the address bar (disabled, but could still get to it)
This was all basic stuff, but within several weeks of us finding out how to get it, the old way was always blocked... by the end of the year it would take us a good 2-3 weeks to find a new way to play it...
Never even occurred to me that what we were doing not only was basically hacking (since we beat the security there preventing us from playing) but also we were beefing the security itself...
Was tons of fun though... every time we found a new way to get on it was passed to the whole class in like.. 30 seconds.. and BAM.. 30 people would be playing Flight Sim over the LAN once again...
~Jason
Wow. That's like the first thing they teach us:
Lesson 1: The Cisco documentation is wrong
Seriously though, our program has a NAT hands-on in almost every course, it's all pretty straightforward so long as you were taught the right way the first time.
QUOTE:
A) Knew you could do this
B) Didn't know you could do this
C) Did know, but didn't implement it
The scary thought? How many fall into categories B & C.
A very fair point. However, like I said, if you are relying on GPO to restrict your users desktop *security* settings, you are silly. If you have users sophisticated enough to figure out this setting, and you are worried about malicious behavior, lock your machines down properly. This is not what GPO is intended to do. Like the author said, *any* OS is open to flaws. What makes a good admin is one that closes those holes.
Oh, almost forgot - if you have set the policy 'Remove run from the start menu' in a policy, this registry setting is what actually gets written. So to answer this point, if you were stopping users from accessing the run line, you stopped them from using 'Jump to URL'.
The registry setting is just for brain expansion purposes... :)
Apparently not MonsE, that was the cause of the uproar, as far as I know.
Incidentally, that wasn't a cut & paste post, I wrote that. :P Original author, psh.
@ Skulkbait : The problem comes from the fact that Cisco assumes everyone else is American too, so you get such interesting factoids as the fact the UK telco network is PPPoA, not PPPoE. These lead to all sorts of interesting debacles.
Add this to the fact that Cisco certification (or pretty much any industry specific certs, but especially IT) isn't part of the National Curriculum, so they don't get taught in schools. You have to learn it through a combination of trial & error, professional courses & sheer perseverance.
- Shockwave
I can now h4x with teh c4lcul4t0r!
QUOTE: Incidentally, that wasn't a cut & paste post, I wrote that. :P Original author, psh.
Nope, it works. I've reproed it in 2000, XP and 2003 in the past. If people have 'remove run' set as a GPO, Jump to URL functionality is removed. It was a bug once upon a time that was resolved several years ago.
:)
If you want to see for yourself on your XP/2000/2003 machine, just create a local GP by running 'gpedit.msc' and then go to 'user config | Admin templates | Start menu and Taskbar | remove run from start menu' and set it to enabled. Look at your start menu and run will now be gone. Then try the steps above and you will see that Jump to URL is no longer an option. Then go turn it back off! I'm not sure which service pack resolved this, but it was fixed in early 2003, so if you have older or no SP's, it may in fact work as originally described.
So yes, if you allow users access to 'run', then you can do this. But if they have access to 'run', then well, they have access to a lot of stuff. :)
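As an added example that is not part of this thread: a PowerShell audit of the NoRun value MonsE describes in his registry post above and ties to the 'Remove run from the start menu' policy in the gpedit.msc post. The function names Get-NoRunPolicy and Set-NoRunPolicy are mine; everything else is standard PowerShell.

```powershell
# Added example, not the thread's own code. Audits (and optionally sets) the
# NoRun value under Policies\Explorer in both hives MonsE mentions.
function Get-NoRunPolicy {
    [CmdletBinding()]
    param()
    $paths = @{
        'HKCU' = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        'HKLM' = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    }
    foreach ($hive in $paths.Keys) {
        $path  = $paths[$hive]
        $value = $null
        if (Test-Path -Path $path) {
            # Null when the key exists but NoRun was never written.
            $value = (Get-ItemProperty -Path $path -Name 'NoRun' -ErrorAction SilentlyContinue).NoRun
        }
        [pscustomobject]@{
            Hive     = $hive
            Path     = $path
            NoRun    = $value
            Enforced = ($value -eq 1)   # 1 = Run (and Help's Jump to URL) removed
        }
    }
}

function Set-NoRunPolicy {
    # Writes the same value the 'Remove run from the start menu' policy writes.
    # Values under Policies keys are owned by Group Policy and may be rewritten
    # on the next refresh, so prefer setting the policy itself in a domain.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [ValidateSet('HKCU', 'HKLM')]
        [string]$Hive = 'HKCU'
    )
    $path = "$($Hive):\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    if ($PSCmdlet.ShouldProcess($path, 'Set NoRun = 1 (REG_DWORD)')) {
        if (-not (Test-Path -Path $path)) {
            New-Item -Path $path -Force | Out-Null
        }
        New-ItemProperty -Path $path -Name 'NoRun' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Usage: Get-NoRunPolicy | Format-Table
#        Set-NoRunPolicy -Hive HKCU -WhatIf   # preview, then drop -WhatIf to apply
```

Run Get-NoRunPolicy before and after enabling the policy in gpedit.msc to confirm the value MonsE names is what actually lands in the registry.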
3 days for NAT?
=/
cisco is wrong about a bunch of things.
I found this hole to be pretty funny, I might have to remember this as there are a couple of computers. But like Monse says fixes are out there for smart enough admins
web translation site.
Isn't it websense by any chance?
<a href='https://proxify.com/' target='_blank'>Proxify</a>
Doesn't work sometimes (gets overloaded); to avoid that pay 20 bucks for 6 months (also removes those nasty ads). If you pay, it's reliable and works GREAT!
Use it at school all the time
i was just getting all excited over this little jump to url/calc 'hack'. i just thought, do you have anything else like this? some small fun h0x that i can have some fun with on the school computer?
something, friendly for a newbie? :P
just something silly, something i can do a little prank with? :D (have this fun idea, nothing major/serious)
Are they using some backend content filtering server, like websense? Or are they just filling your restricted sites list with all the good sites in the IE GPO? :)
If it's XP and you want to see what policies are being applied, and the admins are dopes, try running 'RSOP.MSC' and see what's being applied. You may also be able to run GPRESULT /V > c:\gp.txt on the commandline...
You can just open Word and hyperlink something. If the system is blocked you can grant yourself access to some hidden parts from where access is allowed. It's the most noobish way there is hehe.
Well... it's not like the schools try it that hard.
I wonder how many people will try this and then realize that they don't know how to undo it as they have just disabled their ability to go to start > run again...
QUOTE: Are they using some backend content filtering server, like websense? Or are they just filling your restricted sites list with all the good sites in the IE GPO? :)
If it's XP and you want to see what policies are being applied, and the admins are dopes, try running 'RSOP.MSC' and see what's being applied. You may also be able to run GPRESULT /V > c:\gp.txt on the commandline...
Any easier/faster way round websense on windows2kPro?
Translation websites take sooo long.