If I remember correctly Cybercop incorporates a password cracker that doesn't
require access to the SAM file but I believe this is for NT 3.51 and 4.0.
However I assume they are keeping up with Win2k so they may have
incorporated some changes.
-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST_at_SECURITYFOCUS.COM]On Behalf
Of Nelson Brito (a.k.a. stderr)
Sent: Thursday, January 11, 2001 7:34 AM
To: PEN-TEST_at_SECURITYFOCUS.COM
Subject: Re: [PEN-TEST] Expand right under Win2K
Hi...
Tamas Foldi wrote:
[...]
> 2. backdoors are not a choice, since they run with the rights of the above
> mentioned unicode
If you have write permissions in Registry, it's an alternative option.
> 3. HK doesn't work under win2k (it produced permission denied message)
> win2k never has been vulnerable to spoofed LPC port requests
Yeah, but who told it worked?
> 4. autorun.inf didn't execute on mapping the directory (maybe some trick
> is needed)
You're wrong, it works as well as possible. What you need is:
1 - Map the "Shared Directories";
2 - Put the autorun.inf and autorun.exe in this directory, maybe it
could be your own machine;
3 - Execute "UNICODE Traversal Directory Exposure BUG" to MAP your own
"Shared Directory";
4 - After, use NET command to mount, if possible, the C$ with
Administrator permissions, else you will need to share C$.
5 - Run your preferred tool, pwdump or l0phtcrack, to dump passwords from
target registry.
It worked against WinNT, maybe it will work against Win2k.
> 5. AT command returns access denied
Yeah, by default, only Administrators could do this. Or, maybe, the
service is stopped.
>
> to Dave:
> it is interesting what you wrote, but i would like to ask You to go into
> details about the All_users startup
>
>
>
>> You could do this with a "Shell Folder" vulnerability, and others...
>
I don't know if it's the *REAL* name for this BUG, but you can find
something about Default Folders at SecurityFocus, but it only works
against WinNT, I guess.
>
> Could you tell more info about this bug?
>
>
>>> 2) Brute force attack against accounts with local Administrator
>>> privilege.
>>
>
> Does anyone know any password brute forcer that works without accessing
> the SAM file?
>
> We are still eager to hear further ideas on this issue since nothing that
> we tried worked yet.
>
> .. .. _ _________________________________________________________ _ .. .
> Foldi Tamas - We Are The Hashmar In The Rootshell - Security Consultant
> crow_at_linuxfreak.com / crow_at_kapu.hu / (+36 30) 221-74-77
Nothing more,
--
Nelson Brito
Security Analyst && Penetration Tester
Security Networks AG / IBQN - http://www.secunet.de/
Received on Jan 11 2001