Penetration Testing: Re: [PEN-TEST] Expand right under Win2K

Re: [PEN-TEST] Expand right under Win2K

From: Aidan O'Kelly <okelly_at_XNET.IE>
Date: Mon, 15 Jan 2001 13:58:01 -0000

I found the best way is to look around for programs that don't have their
rights properly set. For example, the admin just copied an exe while logged in as a
user, and occasionally runs it as administrator. Write a small exe that checks
what user called it; if it was an admin, then do whatever you want to it and
call the original (now renamed and put somewhere else), and otherwise just
run the program as normal. Now, having said that, I've only tried it on NT 4.
Win2k might be better at setting the rights and not letting IUSR_<mach>
overwrite files. But there could well be some exe lying around with write
permissions for everyone.

> -----Original Message-----
> From: Penetration Testers [mailto:PEN-TEST_at_SECURITYFOCUS.COM] On Behalf Of Paul Cardon
> Sent: Friday, January 12, 2001 11:09 PM
> To: PEN-TEST_at_SECURITYFOCUS.COM
> Subject: Re: [PEN-TEST] Expand right under Win2K
>
>
> Matthew Pemble wrote:
> >
> > Tamas wrote:
> >
> > >Does anyone know of any password brute forcer that works without
> > >accessing the SAM file?
> > >
> > >We are still eager to hear further ideas on this issue since nothing
> > >that we tried worked yet.
> >
> > If you can't get the SAM, can you run a packet sniffer on the target
> > machine? If so, grab the NTLM authentication hashes and L0phtcrack
> > can process them. Much, much slower than SAM cracking, though.
> >
> > You ought to be able to run a program within the IUSR context, your
> > ability to install will depend on the individual sniffer.
>
> Repeat after me everybody:
>
> "I am on a Win2K box using the IUSR_<blah> account gained via the IIS
> Unicode vulnerability. I do not have Administrator privileges. I can
> only get to what a non-privileged user can access which is why the SAM
> repair file is not readable."
>
> It's getting frustrating that people aren't paying attention or don't
> understand the scenario that was originally introduced, but hey, I'm
> still smiling. :^)
>
> Now, I honestly don't know of a sniffer that can be installed without
> Administrator privilege. If you can install a sniffer without those
> privs it seems like you could do plenty of other nasty stuff on that
> server.
>
> local.exe and global.exe from the resource kit can be used along with
> dumpsec.exe to determine which user accounts on the server or domain are
> in Administrator groups and will help you find the Administrator account
> even if it has been renamed.
>
> Somebody already mentioned SMBgrind for brute force login attempts. A
> similar tool (NetBIOS Auditing Tool) can be found at:
>
> http://www.nmrc.org/files/snt/nat10.tar.gz
>
> and doesn't require you to have a copy of CyberCOP around.
>
> Keep in mind that it will only be effective if the admin hasn't bothered
> to restrict the number of failed login attempts.
>
> -paul
>
Received on Jan 15 2001
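As an added example, not part of the thread and not code from any tool named in it: a PowerShell script that checks, on a current Windows host, the three conditions the two replies above hinge on. Part 1 looks for executables that a low-privilege principal (Everyone, Users, Authenticated Users, IUSR) can overwrite or, because the folder is writable, rename and replace, which is the precondition for the wrapper-exe trick Aidan describes. Part 2 lists the members of the local Administrators group and picks out the built-in Administrator by its RID of 500, which survives any renaming, covering Paul's local.exe/global.exe/dumpsec step. Part 3 reads the lockout threshold that decides whether NAT/SMBgrind-style guessing is viable. It assumes Windows PowerShell 5.1 on an English-locale system, run as an administrator so every ACL is readable; the directory list `$Targets` is a placeholder.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1, English locale,
# run as administrator. $Targets is a hypothetical audit list.
#Requires -Version 5.1

# ---- 1. Binaries a low-privilege principal could replace (the wrapper-exe trick) ----
# Well-known low-privilege SIDs are matched by value; the IIS anonymous account
# (IUSR_<machine> on old IIS, NT AUTHORITY\IUSR on new IIS) is matched by name.
$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)

function Test-LowPrivIdentity {
    param([System.Security.Principal.IdentityReference]$Id)
    if ($Id.Value -match '\\IUSR') { return $true }
    try   { $sid = $Id.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $false }   # orphaned/unresolvable SID: not one of the well-known ones
    return ($LowPrivSids -contains $sid)
}

# Rights that let the holder modify or swap the object. GENERIC_ALL and GENERIC_WRITE
# are added because ACEs written with generic bits do not show the specific ones.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteMask = $WriteMask -bor 0x10000000 -bor 0x40000000

function Get-WeakAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not (Test-LowPrivIdentity $ace.IdentityReference)) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

$Targets  = @('C:\inetpub', 'C:\Tools')   # assumption: directories to audit
$Targets += ($env:Path -split ';') | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$SeenDirs = @{}
$Findings = foreach ($dir in ($Targets | Select-Object -Unique)) {
    Get-ChildItem -LiteralPath $dir -Recurse -File -Include *.exe,*.dll,*.bat,*.cmd -ErrorAction SilentlyContinue |
        ForEach-Object {
            try {
                Get-WeakAce $_.FullName                 # the binary itself is writable
                if (-not $SeenDirs.ContainsKey($_.DirectoryName)) {
                    $SeenDirs[$_.DirectoryName] = $true
                    Get-WeakAce $_.DirectoryName        # or its folder: rename original, drop a wrapper
                }
            } catch { }                                 # Get-Acl denied on this object: skip it
        }
}
"== Writable binaries / folders =="
$Findings | Sort-Object Path, Principal -Unique | Format-Table -AutoSize

# ---- 2. Who is really an administrator (local/global/dumpsec step) ----
# Renaming the built-in Administrator does not change its SID: the RID stays 500.
# BUILTIN\Administrators is looked up by its well-known SID, not by its (renamable) name.
function Get-AdminMember {
    Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object {
        $note = if ($_.SID.Value -match '-500$') { 'built-in Administrator (name may be changed)' } else { $_.ObjectClass }
        [pscustomobject]@{ Name = $_.Name; SID = $_.SID.Value; Source = $_.PrincipalSource; Note = $note }
    }
}
"== Local Administrators =="
Get-AdminMember | Format-Table -AutoSize

# ---- 3. Is there a lockout threshold at all? ----
# 'net accounts' prints 'Lockout threshold: Never' when failed logons are never limited
# (English locale assumed; other locales label the line differently).
function Get-LockoutThreshold {
    $line = (& net accounts) | Where-Object { $_ -match '^Lockout threshold' }
    if (-not $line) { return $null }
    return ($line -replace '^Lockout threshold:\s*', '').Trim()
}
$threshold = Get-LockoutThreshold
if     ($null -eq $threshold)  { 'Could not parse lockout threshold from net accounts output.' }
elseif ($threshold -eq 'Never') { 'No lockout threshold: online password guessing is unconstrained.' }
else                            { "Accounts lock after $threshold failed attempts." }
```

The folder check matters as much as the file check: the trick Aidan describes renames the original and drops a wrapper in its place, which needs Delete on the file or write/delete rights on the directory, not necessarily write access to the file itself. `Get-LocalGroupMember` only covers the local group; for "Domain Admins" and other domain groups the ActiveDirectory module (`Get-ADGroupMember`) is needed, and the same RID-500 rule identifies the domain's built-in Administrator.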
