Home page logo

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] Hard-coded passwords in WINNT directory?
From: "Loschiavo, Dave" <DLoschiavo () FRCC CC CA US>
Date: Tue, 28 Nov 2000 11:50:48 -0800

One of these days I'm going to learn how to ask what I mean... ;-)

I already have the %systemroot%\repair\system._. I've expanded it and looked
at it using a text editor. Next I will use the "Load Hive" command in
regedt32 to get a better look. However, any accounts that are using
impersonation will store their passwords in an encrypted format, right? What
I am looking for is a way to determine the (ExAdmin or ArcServe) passwords
for services that running in impersonation, and that are domain admins.

No VNC on this one.

-----Original Message-----
From: Davidson,Sam
Sent: 11/28/00 10:33 AM
Subject: Re: [PEN-TEST] Hard-coded passwords in WINNT directory?

Hash: SHA1

With RDS, you can rdisk.exe /s the system, then issue a command to
copy the repaired sam to the www_root directory, then download it.


Using RDS, enter echo commands to create an FTP script to upload the
SAMto an FTP host. That same FTP script can also be used to get
Netcat or any other just as suitable ( I prefer the NT SSH server )
and configure your listenting port, and execute commands as you

- -----Original Message-----
From: Loschiavo, Dave [mailto:DLoschiavo () FRCC CC CA US]
Sent: Tuesday, November 28, 2000 09:27
Subject: Re: [PEN-TEST] Hard-coded passwords in WINNT directory?

How about in cases where null session enumeration isn't possible
RestrictAnonymous, etc) but where you can get to c:\winnt\repair (via
Unicode, etc) and the sytem is running a FAT partition?

How would you go about sifting the registry for account names and
where services are using impersonation?

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]