Penetration Testing mailing list archives
RE: penetration test in a Windows 2000/NT network
From: "Romes, Randall J." <Rromes () larsonallen com>
Date: Wed, 14 May 2003 16:35:07 -0500
Try searching for SQL servers with SA accounts that have no password. By accessing these you can use the extended stored procedures to create local user accounts and add them to the local administrator's group. Then map a drive and dump whatever you want from the box --> sensitive files, the SAM... Nessus will find these, or eEye has a tool called Retina-SQL worm scanner that will find these accounts. Depending on the size of the network and the number of "servers" you can usually find a box with local account passwords that are applicable to domain accounts (Domain administrators...).

You can also use NBTEnum to query Windows boxes for:
- user accounts
- groups and group memberships
- shares
- lockout policy
--> the tool can also be used to check all accounts for passwords that are <null> or the same as the user id. Again, you can usually find boxes with these weak passwords.

Randy Romes, CISSP, MCP
Larson Allen Information Security Services Group
http://www.larsonallen.com/technology/index.asp
rromes () larsonallen com
612.397.3114

-----Original Message-----
From: Ballowe, Charles [mailto:CBallowe () usg com]
Sent: Wednesday, May 14, 2003 4:11 PM
To: 'heron heron'; pen-test () securityfocus com
Subject: RE: penetration test in a Windows 2000/NT network

This sounds like a test from within the company. As it seems that you will have physical access to facilities etc., would it be possible for you to install something like a hardware key logger on a network administrator's workstation? If someone has physical access to the LAN, I don't see why they couldn't place devices on people's systems. It may violate the rules for this particular pen-test, but is something to think about. I see that you've specified that physical access to Win2k systems is possible, and are interested in not modifying the administrator account -- hardware keyloggers seem like an ideal solution. What about wireless sniffers? Does the target use any wireless networking at their facility?
-----Original Message-----
From: heron heron [mailto:h.heron () firemail de]
Sent: Wednesday, May 14, 2003 8:30 AM
To: pen-test () securityfocus com
Subject: penetration test in a Windows 2000/NT network

Hi,

I will carry out a penetration test in a Windows 2000/NT network shortly. A goal is to get confidential information (files) and, if possible, get admin rights. I will be in the LAN with my computers. A computer for normal use (thus no admin access) is likewise put at my disposal.

Is there a possibility on a Windows 2000 computer (physical access is possible) to attain admin rights without overwriting the admin account? Background: I would like to try to crack the password of the local admin (e.g. by means of pwdump and John). There is the possibility that all admin passwords (also for the domain) are alike.

Is there a tool with which I can crack NTLMv2 hashes? Background: I will try to sniff hashes during logon at the DC (e.g. CAIN, ettercap) and to crack them. Unfortunately I still know of no tool to crack NTLMv2 hashes.

A further possibility to get at information would be the use of an SMB proxy. By ARP spoofing it would nevertheless theoretically be possible to intercept the LM/NTLM(v1/v2) authentication. Then the attacker could log on at the server in its place. Does such a tool already exist? Who has suggestions? For tools, please always give the web URL (if possible, the programmer's).

Greetings,
Heron