Penetration Testing mailing list archives
Re: [PEN-TEST] Expand right under Win2K
From: "Aidan O'Kelly" <okelly () XNET IE>
Date: Mon, 15 Jan 2001 13:58:01 -0000
I found the best way is to look around for programs that don't have their rights properly set. For example, the admin just copied an exe while logged on as a user and occasionally runs it as administrator. Write a small exe that checks what user called it; if it was an admin, then do whatever you want to it and call the original (now renamed and put somewhere else), and otherwise just run the program as normal. Now, having said that, I've only tried it on NT 4. Win2K might be better at setting the rights and not letting IUSR_<mach> overwrite files. But there could well be some exe lying around with write permissions for everyone.
-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM] On Behalf Of Paul Cardon
Sent: Friday, January 12, 2001 11:09 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] Expand right under Win2K

Matthew Pemble wrote:
> Tamas wrote:
> > Does anyone know any password brute forcer that works without accessing the SAM file? We are still eager to hear further ideas on this issue since nothing that we tried worked yet.
>
> If you can't get the SAM, can you run a packet sniffer on the target machine? If so, grab the NTLM authentication hashes and L0phtcrack can process them. Much, much slower than SAM cracking, though. You ought to be able to run a program within the IUSR context; your ability to install will depend on the individual sniffer.

Repeat after me everybody: "I am on a Win2K box using the IUSR_<blah> account gained via the IIS Unicode vulnerability. I do not have Administrator privileges. I can only get to what a non-privileged user can access, which is why the SAM repair file is not readable."

It's getting frustrating that people aren't paying attention or don't understand the scenario that was originally introduced, but hey, I'm still smiling. :^)

Now, I honestly don't know of a sniffer that can be installed without Administrator privilege. If you can install a sniffer without those privs, it seems like you could do plenty of other nasty stuff on that server.

local.exe and global.exe from the resource kit can be used along with dumpsec.exe to determine which user accounts on the server or domain are in Administrator groups, and will help you find the Administrator account even if it has been renamed.

Somebody already mentioned SMBgrind for brute force login attempts. A similar tool (NetBIOS Auditing Tool) can be found at:
http://www.nmrc.org/files/snt/nat10.tar.gz
and doesn't require you to have a copy of CyberCOP around.

Keep in mind that it will only be effective if the admin hasn't bothered to restrict the number of failed login attempts.

-paul
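As an added example (editor's code, not from Aidan's post or anyone else on the thread), the following PowerShell script performs the hunt he describes: it walks a set of directories and reports every Allow ACE that lets a low-privilege principal (Everyone, Users, Authenticated Users, an IUSR_* account) overwrite, delete, take ownership of or re-permission an executable. It also checks each directory itself, because a principal who can create and delete files in the folder can rename the original and drop a wrapper in its place even when the file's own ACL is tight. It includes the "was I called by an administrator" test such a wrapper would rely on. The default path list (the PATH environment variable), the principal patterns and the extension set are assumptions; it targets PowerShell 3 or later on a current Windows host, not the NT 4 / Win2K systems discussed above.

```powershell
# Added example, not code from the original post. Finds executables that a
# low-privilege principal could replace: the misconfiguration described above.
# Default paths, principal patterns and extensions are assumptions for illustration.
param(
    [string[]]$Paths = ($env:Path -split ';' | Where-Object { $_ -and (Test-Path -LiteralPath $_) }),
    [string[]]$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                                     'NT AUTHORITY\INTERACTIVE', 'IUSR_*', '*\IUSR_*'),
    [string[]]$Extensions = @('.exe', '.dll', '.com', '.bat', '.cmd')
)

# Rights on a file that let its contents or identity be changed.
$FileDangerRights = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, TakeOwnership, ChangePermissions'
# Rights on a directory that let a child be created, deleted or renamed.
$DirDangerRights  = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, DeleteSubdirectoriesAndFiles, Delete, TakeOwnership, ChangePermissions'
# Generic access bits some ACEs carry instead of specific rights (GENERIC_WRITE | GENERIC_ALL).
$GenericDanger = 0x40000000 -bor 0x10000000

function Test-CallerIsAdmin {
    # The check a wrapper exe of the kind described above makes before misbehaving.
    # Under UAC this is true only for an elevated process; NT 4 / Win2K had no UAC.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object System.Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-LowPrivPrincipal {
    param([string]$Identity, [string[]]$Patterns)
    foreach ($pat in $Patterns) { if ($Identity -like $pat) { return $true } }
    return $false
}

function Get-DangerousAce {
    # Emits each Allow ACE on $Path that grants any of $DangerBits to a low-privilege principal.
    param([string]$Path, [int]$DangerBits, [string[]]$Patterns)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        # An inherit-only ACE on a directory applies to children, not to the directory itself.
        if (($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0) { continue }
        $rights = [int]$ace.FileSystemRights
        if ((($rights -band $DangerBits) -eq 0) -and (($rights -band $GenericDanger) -eq 0)) { continue }
        if (-not (Test-LowPrivPrincipal -Identity $ace.IdentityReference.Value -Patterns $Patterns)) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
        }
    }
}

function Find-WritableExecutable {
    param([string[]]$Paths, [string[]]$Patterns, [string[]]$Extensions)
    $seen = @{}
    foreach ($dir in $Paths) {
        $key = $dir.TrimEnd('\').ToLower()
        if ($seen.ContainsKey($key)) { continue }   # PATH often lists a folder twice
        $seen[$key] = $true
        # Directory first: create/delete rights here are enough to swap any binary inside.
        Get-DangerousAce -Path $dir -DangerBits $DirDangerRights -Patterns $Patterns
        Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
            Where-Object { $Extensions -contains $_.Extension.ToLower() } |
            ForEach-Object { Get-DangerousAce -Path $_.FullName -DangerBits $FileDangerRights -Patterns $Patterns }
    }
}

"Running as administrator: $(Test-CallerIsAdmin)"
Find-WritableExecutable -Paths $Paths -Patterns $LowPrivPrincipals -Extensions $Extensions |
    Sort-Object Path, Principal -Unique |
    Format-Table -AutoSize
```

Reading ACLs needs no special privilege, so the script can be run from the same low-privilege account the thread is discussing. Any .exe it lists that an administrator later runs is exactly the condition Aidan describes; a directory hit means the binary can be renamed out of the way regardless of the file's own ACL. Remediation is to drop the offending ACE (for example with icacls <path> /remove:g <principal>) rather than to rename or hide the binary.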
Current thread:
- Re: [PEN-TEST] Expand right under Win2K, (continued)
- Re: [PEN-TEST] Expand right under Win2K Nelson Brito (a.k.a. stderr) (Jan 11)
- Re: [PEN-TEST] Expand right under Win2K Pascal C. Kocher (Jan 10)
- Re: [PEN-TEST] Expand right under Win2K Edwards, David (JTD) (Jan 09)
- Re: [PEN-TEST] Expand right under Win2K Complx1 * (Jan 09)
- Re: [PEN-TEST] Expand right under Win2K Edwards, David (JTD) (Jan 10)
- Re: [PEN-TEST] Expand right under Win2K Complx1 * (Jan 11)
- Re: [PEN-TEST] Expand right under Win2K Beauregard, Claude Q (Jan 11)
- Re: [PEN-TEST] Expand right under Win2K Nelson (Jan 11)
- Re: [PEN-TEST] Expand right under Win2K Barber, Chris (Jan 11)
- Re: [PEN-TEST] Expand right under Win2K Oliver Friedrichs (Jan 11)
- Re: [PEN-TEST] Expand right under Win2K Aidan O'Kelly (Jan 15)