Home page logo

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] Deeper Penetration
From: Clem Colman <clem () COLMANCOMM COM>
Date: Thu, 16 Nov 2000 08:44:06 +1100

Another thought of course is a local service might be set to start up under
a highly privileged domain account.  In this case you could get the
passwords the service control manager uses from the registry (I seem to
remember somebody wrote something to do this) or just replace the exe the
service runs with your code and restart the service.

Most likely things to fall victim would probably be things like the backup
service (whatever they might be running) or some kind of agent monitoring
software (Tivolli etc.)  People have a nasty habit of making these Domain


-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Miller Scott Contr 30CS/FTI
Sent: Thursday, 16 November 2000 4:07 AM
Subject: Re: [PEN-TEST] Deeper Penetration

I did a similar penetration test against my own company as a
awhile back, and once I got into the webserver I was able to
crack some
accounts that shared passwords with their equivalents in the
domain.  If
that had failed, I probably would have tried setting up a NET
USER command
in one of the profiles and wait for a domain admin to log on.
 As for the
firewalling, how about using CPSHOST.DDL (should be standard
for IIS) to
upload a file by HTTP?


-----Original Message-----
From: thylacine () HUSHMAIL COM [mailto:thylacine () HUSHMAIL COM]
Sent: Wednesday, November 15, 2000 5:51 AM
Subject: Deeper Penetration

I'm working on a NT 4.0 server that appears to have SP5,
Exchange 5.5 SP3,
 IIS 4.0 installed.

It is running FAT on the boot partition (he said while sadly
shaking his
head) and I have been able to copy SAM._ to the wwwroot
directory, download
and crack it, (and delete it from wwwroot so no one stumbles
across it).

I already know what is going to happen when I show up with the admin
for this server. They are going to say this is just a member
server, so
it's no big deal. We all know this is wrong, but I need to
prove why. I
need to move on to a domain controller. None of the accounts
or passwords
I received from the local SAM on this server can be used to
directly attack
the domain. I need to establish a strong foot-hold on this
server and move
deeper into the domain.

At this point I would like to install a keyboard capture
program or perhaps
VNC. Problem is, the system is firewalled and I can't get the
server to
download any tools. Suggestions anyone.

Standard Pen-Test disclaimer: This is a legal hack. :-)

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]