Penetration Testing: Re: Pwdump2 with UNICODE?

Re: Pwdump2 with UNICODE?

From: Tony Lambiris <methodic_at_libpcap.net>
Date: Wed, 8 Aug 2001 13:45:53 -0400

I thought under UNICODE, you aren't able to run such commands as rdisk
and pwdump, because IIS runs as IUSR?

On 08.07.01, Kevin Lam <kevinlam_at_packet-works.com> wrote:
> Hi Allen,
>
> If you have UNICODE working, you could upload cmdasp.asp which will let
> you execute commands on that server.
>
> If this is NT then what you can do is run "rdisk /s-" to silently update
> the repair sam._ file (this is a little trick that I used to use when I
> did pen-testing for Deloitte). Then go to c:\winnt\repair and copy
> sam._ to say a public internet folder like c:\inetpub\wwwroot and then
> go to your browser and just download the file.
>
> Run l0phtcrack against it and you'll get your passwords. Hope this helps.
>
>
> Kevin
> kevinlam_at_packet-works.com, www.packet-works.com
>
> -----Original Message-----
> From: Lists [mailto:lists_at_ironcomet.com]
> Sent: Tuesday, August 07, 2001 2:29 AM
> To: Penetration Testers
> Subject: Pwdump2 with UNICODE?
>
>
> Hello all. Our company is currently doing a pentest for a customer.
> Normally, we grab the boot.ini file from the target server and that is
> sufficient. However, this customer has required us to "grab the hashes", as
> the sysadmin of the company stated. He feels that he has proper permissions
> set on all of the "important" files and this would not be an adequate test.
> The server was found to be vulnerable to the UNICODE vulnerability. We were
> able to use the upload.asp exploit to upload pwdump2.exe and samdump.dll to
> the server. However, we have been unable to get pwdump2 to execute properly.
> We also copied cmd.exe to another directory renaming it to cmd1.exe to run
> the commands. But again, no results.
>
> Has anyone been successful in getting pwdump2 to work through UNICODE? If
> so, what was the syntax you used to get it to go through?
>
> Any advice on this would be greatly appreciated.
>
> Thanks!
>
> Allen Archer
> Creative Solutions, Inc.
> Atlanta, Georgia 30303
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/

Received on Aug 09 2001
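
A defender-side check for the activity discussed in this thread, as an added example that is not part of the original messages: it scans an IIS W3C extended log for requests whose URI references the file names mentioned above (sam._, cmdasp.asp, upload.asp, pwdump2.exe, samdump.dll, cmd.exe or a renamed copy). The field layout, the sample log lines and the matching heuristic are assumptions constructed for illustration.

```python
import re

# Artifact names taken from the thread; flagging them in a request URI is this example's heuristic.
ARTIFACTS = {
    "sam._": "repair SAM copy requested from web root",
    "cmdasp.asp": "command-execution ASP page",
    "upload.asp": "upload ASP page",
    "pwdump2.exe": "hash-dumping tool",
    "samdump.dll": "hash-dumping tool library",
}
# cmd.exe or a renamed copy such as cmd1.exe appearing in a web request
CMD_RE = re.compile(r"(?:^|[/\\+=&?])cmd\d*\.exe", re.I)

def scan_iis_log(lines):
    """Return (line_no, client_ip, status, reason) for each suspicious request."""
    fields, hits = [], []
    for no, line in enumerate(lines, 1):
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # W3C logs declare their own column order
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        uri = (rec.get("cs-uri-stem", "") + "?" + rec.get("cs-uri-query", "")).lower()
        reasons = [why for name, why in ARTIFACTS.items() if name in uri]
        if CMD_RE.search(uri):
            reasons.append("cmd.exe (or renamed copy) in request")
        for why in reasons:
            hits.append((no, rec.get("c-ip", "?"), rec.get("sc-status", "?"), why))
    return hits

# Constructed sample log (documentation IP addresses, invented paths)
SAMPLE = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-07 02:11:09 192.0.2.10 GET /default.htm - 200
2001-08-07 02:12:40 192.0.2.10 GET /scripts/cmdasp.asp - 200
2001-08-07 02:13:02 192.0.2.10 GET /scripts/cmd1.exe /c+dir 200
2001-08-07 02:15:31 192.0.2.10 GET /sam._ - 200
2001-08-07 02:16:00 198.51.100.7 GET /images/logo.gif - 304
""".splitlines()

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE):
        print(hit)
```

A 200 status on a request for sam._ means the file was actually served, so that hit should be treated as credential exposure rather than a probe.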
