Bugtraq mailing list archives

Follow up - Domain user to Domain Admin - Profiles and the


From: mnemonix () GLOBALNET CO UK (Mnemonix)
Date: Wed, 5 May 1999 18:00:06 +0100



There have been some questions over whether it is possible to "trojan" a profile and get the domain administrator to pick it up. Sometimes this works over the network, sometimes not - thanks to all who have tried. Below is a sure-fire way of getting this to succeed. I have tested this on both SP3 and SP4 machines and it has worked consistently:


Network setup:

NT Server 4 (SP4) Primary Domain Controller for domain TEST is called PDC.
NT Workstation 4 (SP4) client which is part of the TEST domain. This machine is called CLIENT.

The Administrator has a local profile stored on PDC.
All other domain users have a roaming profile - their profiles are stored in the %systemroot%\profiles directory, which is shared as Profiles (\\PDC\profiles).
The share permissions give Everybody Full Control of the share, but NTFS permissions are used to tighten access to other people's profiles, meaning that only the user can access their profile in any way (with the exception of Administrators).

Domain user testacc logs onto CLIENT. Using reg.exe or a tool of their own making, they access the Registry of PDC. The winreg key on PDC specifies that only Administrators may access the registry remotely, but the AllowedPaths specify that HKLM\Software\Microsoft\Windows NT\CurrentVersion is an allowed path. This is the default. testacc changes the Administrator's ProfileImagePath to point to %systemroot%\profiles\testacc and then places a self-deleting batch file in the Start Up folder. This batch file, when run with enough privileges, will add testacc to the Domain Admins group. The next time Administrator logs onto PDC they pick up testacc's profile and the batch file is run, making testacc a domain admin.

If anyone can still not repro this with this setup, then please let me know.

Cheers,
David Litchfield
http://www.infowar.co.uk/mnemonix
http://www.arca.com
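The two registry conditions the post relies on are things a defender can audit directly on a domain controller: an AllowedPaths entry that places the ProfileList key within reach of remote registry callers, and a ProfileImagePath that no longer points at its own account's profile directory. The following is an added example (not David Litchfield's code, and not any Microsoft tool) that checks both. It parses a constructed, simplified REGEDIT4-style dump of the two keys; in a real export the REG_MULTI_SZ and REG_EXPAND_SZ values appear as hex(7)/hex(2) blobs rather than the plain quoted strings used here, and the SID-to-account mapping (ACCOUNTS) is constructed rather than taken from a live LookupAccountSid call. The key paths and value names (winreg\AllowedPaths\Machine, ProfileList\<SID>\ProfileImagePath) are the real ones.

```python
"""Audit the winreg AllowedPaths and ProfileList settings that the
profile-swap described in the post depends on. Added example; the input
is a constructed, simplified REGEDIT4-style dump, not a real export."""
import ntpath
import re
from collections import defaultdict

# Constructed sample dump. Multi-string values are joined with '|' and
# expandable strings are plain quoted strings, which a real .reg file
# would not do; backslashes are escaped as '\\' as in real .reg files.
SAMPLE_DUMP = r'''
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths]
"Machine"="System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\Windows NT\\CurrentVersion"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-100-200-300-500]
"ProfileImagePath"="%systemroot%\\profiles\\testacc"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-100-200-300-1001]
"ProfileImagePath"="%systemroot%\\profiles\\testacc"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-100-200-300-1002]
"ProfileImagePath"="%systemroot%\\profiles\\alice"
'''

# Constructed SID -> account name mapping (on a real system this comes
# from LookupAccountSid; the SIDs here are made up).
ACCOUNTS = {
    "S-1-5-21-100-200-300-500": "Administrator",
    "S-1-5-21-100-200-300-1001": "testacc",
    "S-1-5-21-100-200-300-1002": "alice",
}

PROFILELIST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
ALLOWEDPATHS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths"


def parse_dump(text):
    """Parse the simplified dump into {key_path: {value_name: value}}."""
    reg = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg[current] = {}
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            # .reg files escape a backslash as '\\'; undo that.
            reg[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return reg


def audit(reg, accounts):
    """Return a list of human-readable findings (empty means nothing found)."""
    findings = []

    # 1. Does any AllowedPaths entry cover the ProfileList key? If so,
    #    remote registry callers can reach ProfileImagePath values.
    allowed = reg.get(ALLOWEDPATHS_KEY, {}).get("Machine", "")
    profilelist_rel = PROFILELIST_KEY.split("\\", 1)[1].lower()  # drop hive name
    for path in filter(None, allowed.split("|")):
        if profilelist_rel.startswith(path.lower().rstrip("\\") + "\\"):
            findings.append(f"AllowedPaths exposes ProfileList via '{path}'")

    # 2. Each ProfileImagePath should sit in a directory named after its
    #    own account, and no two SIDs should share a profile directory.
    by_dir = defaultdict(list)
    for key, values in reg.items():
        if not key.lower().startswith(PROFILELIST_KEY.lower() + "\\"):
            continue
        sid = key.rsplit("\\", 1)[1]
        path = values.get("ProfileImagePath")
        if not path:
            continue
        name = accounts.get(sid, sid)
        leaf = ntpath.basename(path.rstrip("\\"))
        by_dir[path.lower()].append(name)
        if leaf.lower() != name.lower():
            findings.append(f"{name} ({sid}) profile path '{path}' does not match account name")
    for path, names in by_dir.items():
        if len(names) > 1:
            findings.append(f"profile directory '{path}' shared by {', '.join(sorted(names))}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_dump(SAMPLE_DUMP), ACCOUNTS):
        print("FINDING:", finding)
```

On the sample data this reports three findings: the default AllowedPaths entry for Software\Microsoft\Windows NT\CurrentVersion covering ProfileList, the Administrator SID pointing at the testacc directory, and that directory being shared by two SIDs. The folder-name check is a heuristic, since NT may suffix a profile folder name when two accounts collide; the shared-directory and AllowedPaths checks are the ones that matter for the scenario in the post.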

