RE: hacking a NT domain after the member server

["Fabrizio Siciliano" <fsiciliano () optiumcorp net>]

If you get a cmd prompt on it...check out the arp cache. Try and
enumerate some of the machines you get from ARP, you know, using default
administrator, usernames, passwords.

Connect to the other boxes via NULL Sessions, and see if you can gain
some other info that way. 

There are quite a few things you could do...

Hope this helps at all...

./fab

> -----Original Message-----
> From: Jason [mailto:cisspstudy () yahoo com] 
> Sent: Thursday, June 13, 2002 4:49 AM
> To: pen-test () securityfocus com
> Subject: hacking a NT domain after the member server
>
>
>
>
> Currently doing a penetration test and managed to compromise 
> a development 
> SQL server (W2K/SQL 2000) that is a member of the domain.
>
> I am trying to gather additional information from this host that will 
> allow me to compromise the domain.
>
> There are no accounts on this host that are the same as the domain. 
> LSA secrets revealed nothing interesting.
>
> Does anyone have any other ideas?
>
> I would like to install a command line NTLM password sniffer. 
> Does anyone 
> know of one? 
>
> However, people rarely use this server and I am unlikely to 
> get any domain 
> passwords this way.
>
> Any other ideas?
>
> Any help appreciated.
>
> --------------------------------------------------------------
> --------------
> This list is provided by the SecurityFocus Security 
> Intelligence Alert (SIA) Service. For more information on 
> SecurityFocus' SIA service which automatically alerts you to 
> the latest security vulnerabilities please see: 
https://alerts.securityfocus.com/


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/