Penetration Testing: Re: Pwdump2 with UNICODE?

Re: Pwdump2 with UNICODE?

From: hellNbak <hellnbak_at_nmrc.org>
Date: Tue, 7 Aug 2001 22:07:14 -0400 (EDT)

You need admin level access to use PWDump. So, you can do a few things
depending on the config of the remote box.

There is a cool tool, also written by Todd Sabin, author of PWDump, called
HK which works great to elevate your privileges. Simply exploit Unicode to
upload HK to the directory you are dumping your tools in. Read the doc
with HK to understand the usage but it works great on NT 4.0 boxes.

Or, you can go to www.dogmile.com and grab a cool .asp that apparently
exploits some .asp vulnerability that launches your code in system
context. I haven't tested the .asp yet so I can't say too much about it.

You can also attempt to grab the sam._ from the \winnt\repair directory.

On Tue, 7 Aug 2001, Lists wrote:

> Hello all. Our company is currently doing a pentest for a customer.
> Normally, we grab the boot.ini file from the target server and that is
> sufficient. However, this customer has required us to "grab the hashes", as
> the sysadmin of the company stated. He feels that he has proper permissions
> set on all of the "important" files and this would not be an adequate test.
> The server was found to be vulnerable to the UNICODE vulnerability. We were
> able to use the upload.asp exploit to upload pwdump2.exe and samdump.dll to
> the server. However, we have been unable to get pwdump2 to execute properly.
> We also copied cmd.exe to another directory renaming it to cmd1.exe to run
> the commands. But again, no results.
>
> Has anyone been successful in getting pwdump2 to work through UNICODE? If
> so, what was the syntax you used to get it to go through?
>
> Any advice on this would be greatly appreciated.
>
> Thanks!
>
> Allen Archer
> Creative Solutions, Inc.
> Atlanta, Georgia 30303
>

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"I'm in trouble for the things I haven't got to yet"

hellNbak_at_nmrc.org
http://www.nmrc.org

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
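Added defender-side example, not code from either poster: a small Python detector that runs over constructed IIS W3C-extended log lines and flags the request pattern this thread describes, namely overlong UTF-8 directory traversal (the "Unicode" bug) into cmd.exe, a renamed copy of cmd.exe invoked with /c, and reads of the sam._ backup under \winnt\repair. The log lines, client addresses and finding labels are constructed; the lenient decoder accepts overlong two- and three-byte UTF-8 forms so the analyzer sees the same path the vulnerable server would have resolved, which a strict decoder would reject before the traversal becomes visible.

```python
from urllib.parse import unquote_to_bytes
from typing import Dict, List, Tuple

# Constructed IIS W3C-extended log lines (hypothetical hosts and addresses), not
# taken from the thread. Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = "\n".join([
    r"2001-08-07 22:01:10 10.0.0.5 GET /default.asp - 200",
    r"2001-08-07 22:01:12 10.0.0.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\ 200",
    r"2001-08-07 22:01:15 10.0.0.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\cmd1.exe 200",
    r"2001-08-07 22:01:20 10.0.0.9 GET /scripts/cmd1.exe /c+pwdump2.exe 200",
    r"2001-08-07 22:02:01 10.0.0.7 GET /images/logo.gif - 200",
    r"2001-08-07 22:02:30 10.0.0.9 GET /scripts/..%c0%af../winnt/repair/sam._ - 200",
])


def lenient_utf8_decode(raw: bytes) -> Tuple[str, bool]:
    """Decode UTF-8 while accepting overlong 2- and 3-byte encodings of ASCII.

    Returns (text, overlong_seen). A strict decoder raises on C0 AF, but the
    vulnerable server mapped it to '/', so detection must do the same.
    """
    out: List[str] = []
    overlong = False
    i, n = 0, len(raw)
    while i < n:
        b = raw[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
            continue
        if 0xC0 <= b <= 0xDF and i + 1 < n and 0x80 <= raw[i + 1] <= 0xBF:
            code = ((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)
            width, minimum = 2, 0x80
        elif (0xE0 <= b <= 0xEF and i + 2 < n
              and all(0x80 <= raw[i + k] <= 0xBF for k in (1, 2))):
            code = ((b & 0x0F) << 12) | ((raw[i + 1] & 0x3F) << 6) | (raw[i + 2] & 0x3F)
            width, minimum = 3, 0x800
        else:
            out.append("\ufffd")  # invalid lead or truncated sequence
            i += 1
            continue
        if code < minimum:
            overlong = True  # encoded with more bytes than needed: classic evasion
        out.append(chr(code))
        i += width
    return "".join(out), overlong


def analyze_request(uri_stem: str, uri_query: str) -> List[str]:
    """Return finding labels for one request (empty list if nothing suspicious)."""
    findings: List[str] = []
    text, overlong = lenient_utf8_decode(unquote_to_bytes(uri_stem))
    if overlong:
        findings.append("overlong-utf8")
    # Normalize separators and case so ..\ and ../ variants compare the same way
    path = text.replace("\\", "/").lower()
    if "/../" in path or path.endswith("/.."):
        findings.append("traversal")
    query = unquote_to_bytes(uri_query).decode("latin-1").replace("+", " ").lower()
    # A renamed copy (cmd1.exe) still takes /c, so inspect the query, not just the name
    if "cmd.exe" in path or "cmd.exe" in query or query.startswith("/c "):
        findings.append("shell-invocation")
    if "/winnt/repair/" in path or path.endswith("sam._"):
        findings.append("sam-backup")
    if "pwdump" in path or "pwdump" in query:
        findings.append("hash-dump-tool")
    return findings


def scan_log(log_text: str) -> List[Dict[str, object]]:
    """Parse W3C-style lines and return one alert per request with findings."""
    alerts: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 7:
            continue
        date, time, client, _method, stem, query, status = parts[:7]
        findings = analyze_request(stem, "" if query == "-" else query)
        if findings:
            alerts.append({"time": f"{date} {time}", "client": client,
                           "stem": stem, "status": status, "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["time"], alert["client"], alert["stem"], ",".join(alert["findings"]))
```

The status code is kept in each alert because a 200 on a traversal request means the server actually served or executed the path, which is the case to triage first; the same detector can be pointed at a real W3C log by replacing SAMPLE_LOG with the file contents.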

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
Received on Aug 08 2001
