Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] Hard-coded passwords in WINNT directory?
From: Tom Vandepoel <Tom.Vandepoel () UBIZEN COM>
Date: Tue, 28 Nov 2000 12:22:03 +0100

Jonathan Wrathall wrote:

During a test of a client's IIS web server, I've encountered the following
scenario:

1.  I am able to view files in the WINNT directory using the "MS Index
Server '%20' ASP Source Disclosure Vulnerability" vulnerability.

2. I am able to connect to IPC$, and I've used dumpsec to get the userlist
etc.

3. The winnt/system32/repair/sam._ file does not appear to be present.

Can anyone suggest other files that might reveal hard-coded passwords, or
other valuable information?


If you have remote registry access, try browsing that. Somarsoft's
'dumpreg' is your friend (http://www.systemtools.com/somarsoft)...

I recently had a major stroke of luck on a system which had VNC
installed; vnc stores its password hash in the registry and the
encryption is reversable, just use 'vncdec.c'.
This vnc password also appeared to be the 'administrator' password ;-)

No doubt other interesting tidbits are stored in the registry. The
question is how much you can access with a null session ofcourse...

Tom.


--
_________________________________________________

Tom Vandepoel
Sr. Network Security Engineer

www.ubizen.com
tel +32 (0)16 28 70 00 - fax +32 (0)16 28 71 00
Ubizen - Grensstraat 1b - B-3010 Leuven - Belgium
_________________________________________________

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]