Penetration Testing mailing list archives
Re: [PEN-TEST] Deeper Penetration
From: Clem Colman <clem () COLMANCOMM COM>
Date: Thu, 16 Nov 2000 08:44:06 +1100
Another thought, of course, is that a local service might be set to start up under a highly privileged domain account. In this case you could get the passwords the service control manager uses from the registry (I seem to remember somebody wrote something to do this) or just replace the exe the service runs with your code and restart the service. The most likely things to fall victim would probably be things like the backup service (whatever they might be running) or some kind of agent monitoring software (Tivoli etc.). People have a nasty habit of making these Domain Admins.

Cheers,
Clem.
-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM] On Behalf Of Miller Scott Contr 30CS/FTI
Sent: Thursday, 16 November 2000 4:07 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] Deeper Penetration

I did a similar penetration test against my own company as a demonstration a while back, and once I got into the webserver I was able to crack some accounts that shared passwords with their equivalents in the domain. If that had failed, I probably would have tried setting up a NET USER command in one of the profiles and waited for a domain admin to log on. As for the firewalling, how about using CPSHOST.DLL (should be standard for IIS) to upload a file by HTTP?

Scott

-----Original Message-----
From: thylacine () HUSHMAIL COM [mailto:thylacine () HUSHMAIL COM]
Sent: Wednesday, November 15, 2000 5:51 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Deeper Penetration

I'm working on an NT 4.0 server that appears to have SP5, Exchange 5.5 SP3, and IIS 4.0 installed. It is running FAT on the boot partition (he said while sadly shaking his head) and I have been able to copy SAM._ to the wwwroot directory, download and crack it (and delete it from wwwroot so no one stumbles across it). I already know what is going to happen when I show up with the admin password for this server. They are going to say this is just a member server, so it's no big deal. We all know this is wrong, but I need to prove why. I need to move on to a domain controller. None of the accounts or passwords I received from the local SAM on this server can be used to directly attack the domain. I need to establish a strong foothold on this server and move deeper into the domain. At this point I would like to install a keyboard capture program or perhaps VNC. Problem is, the system is firewalled and I can't get the server to download any tools. Suggestions, anyone?

Standard Pen-Test disclaimer: This is a legal hack. :-)
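The misconfiguration Clem describes (a service running under a privileged domain account whose executable a non-administrator can overwrite) is something a defender can audit for directly. The script below is an added example, not code from the thread; it assumes a current Windows host with PowerShell 5 or later and CIM access, run from an elevated prompt. The principal list and the rights pattern are this example's own choices.

```powershell
# Added example: flag services that run as a domain account and whose binary
# (or an unquoted path containing spaces) could be tampered with by a non-admin.
# Assumption: PowerShell 5+, Win32_Service reachable via CIM, run elevated.

$builtin = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
# Principals that should never hold write rights on a service binary (example choice).
$weakPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Test-DomainAccount([string]$StartName) {
    # True when the logon account is neither a built-in service identity nor a local account.
    if ([string]::IsNullOrEmpty($StartName)) { return $false }
    if ($builtin -contains $StartName) { return $false }
    if ($StartName -like 'NT AUTHORITY\*' -or $StartName -like 'NT SERVICE\*') { return $false }
    if ($StartName -like '.\*' -or $StartName -like "$env:COMPUTERNAME\*") { return $false }
    return ($StartName -match '\\|@')
}

function Get-ServiceBinaryPath([string]$PathName) {
    # Extract the executable from a quoted or unquoted ImagePath, dropping arguments.
    if ($PathName -match '^\s*"?([^"]+?\.exe)') { return $Matches[1] }
    return $null
}

function Test-WritableByNonAdmin([string]$Path) {
    # True if any low-privilege principal holds an Allow ACE that permits changing the file.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($weakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if ($ace.FileSystemRights -match 'Write|Modify|FullControl|Delete|ChangePermissions|TakeOwnership') {
            return $true
        }
    }
    return $false
}

Get-CimInstance -ClassName Win32_Service |
    Where-Object { Test-DomainAccount $_.StartName } |
    ForEach-Object {
        $exe = Get-ServiceBinaryPath $_.PathName
        [pscustomobject]@{
            Service      = $_.Name
            RunsAs       = $_.StartName
            Binary       = $exe
            WeakAcl      = if ($exe) { Test-WritableByNonAdmin $exe } else { $null }
            UnquotedPath = ($_.PathName -notmatch '^\s*"' -and $exe -match ' ')
        }
    } | Format-Table -AutoSize
```

Any row with WeakAcl or UnquotedPath set to True is a candidate for the exe-replacement Clem mentions; the remediation is to tighten the file ACL, quote the path, and run the service as a least-privilege (ideally managed) account rather than a Domain Admin.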