Penetration Testing mailing list archives

Re: Non-GUI intrusion


From: "KK Mookhey" <kkmookhey () yahoo com>
Date: Sat, 29 Sep 2001 13:30:36 +0530

Hi,
This query was on a pen-test we had to conduct where we had access to the DMZ
but needed to go really under the radar to get to the machines in the intranet.
(A blue team was watching)
Thanks to all those who replied. As a result, we were able to achieve
our objective of capturing the source code files, without raising alarms. We did
this by using nbtdump (and not enum, it has a very large footprint). This was
carried out during normal working hours, when it would be usual for the Win
machines to be exchanging such information. After that we used the net use
commands, for the rest.
The problematic part was pinpointing the machine which would have the source
code (as I had stated earlier, there were 100+ machines on the intranet). One of
the machines had its name as USERNAME-DEV. This was our clue (Dev=Development),
and it gave us what we needed. Since we only needed a few files to prove our
point (the source code was the capture flag), we took them and left. Removed
nbtdump, pwdump2, hk, etc. and outputs of these. Cleared logs on DMZ machines
(where we had been most noisy).
We had a deadline for the project, which we would not have met, had it not been
for the inputs from this list.
Thanks again.
KKM

