Re: [PEN-TEST] Deeper Penetration

[Clem Colman <clem () COLMANCOMM COM>]

Another thought of course is a local service might be set to start up under
a highly privileged domain account.  In this case you could get the
passwords the service control manager uses from the registry (I seem to
remember somebody wrote something to do this) or just replace the exe the
service runs with your code and restart the service.

Most likely things to fall victim would probably be things like the backup
service (whatever they might be running) or some kind of agent monitoring
software (Tivolli etc.)  People have a nasty habit of making these Domain
Admins.

Cheers,
Clem.

> -----Original Message-----
> From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
> Of Miller Scott Contr 30CS/FTI
> Sent: Thursday, 16 November 2000 4:07 AM
> To: PEN-TEST () SECURITYFOCUS COM
> Subject: Re: [PEN-TEST] Deeper Penetration
>
>
> I did a similar penetration test against my own company as a
> demonstration
> awhile back, and once I got into the webserver I was able to
> crack some
> accounts that shared passwords with their equivalents in the
> domain.  If
> that had failed, I probably would have tried setting up a NET
> USER command
> in one of the profiles and wait for a domain admin to log on.
>  As for the
> firewalling, how about using CPSHOST.DDL (should be standard
> for IIS) to
> upload a file by HTTP?
>
> Scott
>
> -----Original Message-----
> From: thylacine () HUSHMAIL COM [mailto:thylacine () HUSHMAIL COM]
> Sent: Wednesday, November 15, 2000 5:51 AM
> To: PEN-TEST () SECURITYFOCUS COM
> Subject: Deeper Penetration
>
>
> I'm working on a NT 4.0 server that appears to have SP5,
> Exchange 5.5 SP3,
>  IIS 4.0 installed.
>
> It is running FAT on the boot partition (he said while sadly
> shaking his
> head) and I have been able to copy SAM._ to the wwwroot
> directory, download
> and crack it, (and delete it from wwwroot so no one stumbles
> across it).
>
> I already know what is going to happen when I show up with the admin
> password
> for this server. They are going to say this is just a member
> server, so
> it's no big deal. We all know this is wrong, but I need to
> prove why. I
> need to move on to a domain controller. None of the accounts
> or passwords
> I received from the local SAM on this server can be used to
> directly attack
> the domain. I need to establish a strong foot-hold on this
> server and move
> deeper into the domain.
>
> At this point I would like to install a keyboard capture
> program or perhaps
> VNC. Problem is, the system is firewalled and I can't get the
> server to
> download any tools. Suggestions anyone.
>
> Standard Pen-Test disclaimer: This is a legal hack. :-)