Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Pentesting Network Share Access via wireless
From: pagvac <unknown.pentester () gmail com>
Date: Wed, 4 Jan 2006 02:17:15 +0100

If you want to aim for the highest I suggest attacking the BDC (backup
domain controller) as it's *not* usually as well patched  as the
primary domain controller and usually runs older versions of Windows
than the one running on the PDC (more chances to successfully run an
exploit).

In order to find the PDC and BDC you can use the free Microsoft tool
"nltest.exe". Just be careful with the version of Windows you're
running on your attacking machine (pentester's laptop?). For Windows
2K you need to get it from the Windows Resource Kit
[http://www.dynawell.com/reskit/microsoft/win2000/nltest.zip]. In the
case of Windows XP SP2 you need "Windows XP SP2 Support Tools"
[http://www.microsoft.com/downloads/details.aspx?FamilyId=49AE8576-9BB9-4126-9761-BA8011FABF38&displaylang=en].
This is due to applications such as "nltest.exe" that use API
functions that are *not* supported on newer Windows versions.

E.g.:

C:\Program Files\Support Tools>nltest /trusted_domains

(after this grab the domain that you want to enumerate the PDC/BDC from)

C:\Program Files\Support Tools>nltest /dclist:targetdomain

(now you actually enumerate the DCs of the target domain where
"targetdomain" is one of the domains you obtained from the first
command)

Go for the old trick: a canned buffer overflow exploit
[http://metasploit.org/tools/framework-2.5-snapshot.tar.gz]

I know it's *not* the most elegant attack, but if the BDC is *not*
patched against one of "your" exploits, then there are chances that
you'll root the box.

After that, upload pwdump
[http://www.bindview.com/Resources/RAZOR/Files/pwdump2.zip], and get
*all* the usernames and password hashes of the *entire* domain. I
personally upload pwdump to the target BDC by installing Solarwinds'
TFTP server (very easy to setup)
[http://www.solarwinds.net/Tools/Free_tools/TFTP_Server/] on my
attacking machine. So when you get a remote admin shell on the BDC you
tftp your attacking machine ("tftp" command from command prompt) and
download your pwdump executable onto the target (%temp% folder?) and
execute it (dump usernames and hashes).

Then copy and paste them all to notepad on your attacking machine and
save them so you can later open the file with your favorite Windows
hashes cracker.

In order to crack the hashes you could use LC5 for instance.

There are MANY other and simpler ways to accomplish this same goal
(you might be interested in checking the Meterpreter from Metasploit
[http://www.metasploit.com/projects/Framework/docs/meterpreter.pdf].
I'm just mentioning a way that works for me.

Hope that helps.

Let me know if you have any further questions.

Regards,
pagvac

On 1/2/06, Thor (Hammer of God) <thor () hammerofgod com> wrote:
----- Original Message -----
From: "Dean De Beer" <dean () indigodark com>
Cc: "'sherwyn williams'" <s-williams () nyc rr com>;
<pen-test () securityfocus com>
Sent: Sunday, January 01, 2006 4:52 PM
Subject: Re: Pentesting Network Share Access via wireless


Also, in WinXP the RestrictAnonymous Registry key default value is 0
but this may have been changed locally or via Group Policy to prevent
Null Sessions.

While XP's default value of RestrictAnonymous is indeed 0, the default value
of RestrictAnonymousSam is 1, and EveryoneIncludesAnonymouse is 0.  These
settings, by default, prevent null session enumeration of SAM accounts,
SID's, etc.

t


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------




--
pagvac (Adrian Pastor)
www.ikwt.com - In Knowledge We Trust

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]