Penetration Testing mailing list archives
Re: [PEN-TEST] Hypothetical Wargaming
From: "Deus, Attonbitus" <Thor () HAMMEROFGOD COM>
Date: Wed, 11 Oct 2000 07:41:42 -0700
I haven't seen this mentioned, but for a handy internal map (once in) I have found a full WINS dump (reskit) gives me plenty of info: computer names, usernames, domain names, etc.

AD

----- Original Message -----
From: "H Carvey" <keydet89 () YAHOO COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Wednesday, October 11, 2000 3:20 AM
Subject: Re: [PEN-TEST] Hypothetical Wargaming
Thanks for the response...

> It depends on what services are running, and that can vary from machine to
> machine. Right now, the heavy-hitters are IIS, and NetBIOS over TCP (NBT).

Agreed. I've written and used a Perl script for null session enumeration, that's been pretty handy. It collects all of the necessary info in one nice little package...Domain Acct Policy (for account lockouts), usernames and account info (UID 500, disabled or machine accounts, etc), etc. This information allows the user to tailor follow-on work (the script is also available as a stand-alone .exe for those who don't want to use Perl. ;-) )

IIS is a good one...always new stuff coming out on that one. Either CIS or a Perl script using LWP::UserAgent is pretty effective. W/ Exchange, if port 389 is open, you can attempt an anonymous dump of user info...again, via Perl (hey, what can I say, it's the tool of choice).

> Try looking at ARIN and figure out how many IP addresses they own.

That, and the ever-popular DNS zone transfer!

> Use programs like "NetBios Auditing Tool" (can be acquired from
> packetstorm.securify.com) to pry account and file sharing info from the
> hosts. From here, you should have some information to get started with, and
> maybe even a few password hashes to run through L0phtcrack (www.l0pht.com)

Again, nothing against the NAT tool (great job on it, guys) but in the spirit of "rolling your own"...

> Focus on vulnerabilities you can find with IIS (you can even be a
> scriptkiddiot and use programs that other people have written, they're out
> there...

Sure...let the skryptkiddiots think that using such programs and looking for old vulnerabilities are "lame"...they aren't getting paid to run a pen test!

Some other things to look for are VNC, pcAnywhere, etc. I've seen a site in which the admin has all machines NAT'd behind a "firewall"...MS Proxy 1.0. Don't ask. Anyway, a quick port scan shows that three machines are visible outside the firewall...three admin machines. The "justification" is that they _need_ the access, and NetBIOS is shut down. Yet, SQL is still bound to the interface (TCP 1433) and two accounts have blank passwords. Further, SNMP is installed...and IPSwitch has a great little utility that will graphically pull out the usernames and services (the whole MS MIB) for you.

So...besides looking for trojans, to include the DefCon8 2.1...anything else?
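The exposures the two messages above keep returning to (null-session enumeration of accounts and shares, WINS as an internal map, LDAP and SQL bound to the outside interface, SNMP answering with the whole MS MIB) are all things an administrator can check for on the host itself before anyone else does. The following is an added example, not code from the thread or from any of the tools it names: a read-only local audit for a Windows host you administer. The registry paths and cmdlets are standard Windows ones (Get-NetTCPConnection needs Windows 8 / Server 2012 or later); the port table, the finding strings and the SNMP access-right interpretation (4 = read only, 8 and above = write-capable) are this example's own.

```powershell
# Added example (not from the thread): local audit of the exposures discussed above.
# Run elevated on a Windows host you administer; it changes nothing.
$findings = New-Object System.Collections.Generic.List[string]

# 1. LSA anonymous-access policy. RestrictAnonymous = 0 (or unset) is what lets a
#    null session read the account list and share list that the Perl/NAT-style
#    enumeration in the thread collects.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if (-not $lsa.RestrictAnonymous) {
    $findings.Add('LSA: RestrictAnonymous is 0 or unset (null-session enumeration of accounts/shares allowed)')
}
if ($lsa.RestrictAnonymousSAM -ne 1) {
    $findings.Add('LSA: RestrictAnonymousSAM is not 1 (anonymous SAM account enumeration allowed)')
}
if ($lsa.EveryoneIncludesAnonymous -eq 1) {
    $findings.Add('LSA: EveryoneIncludesAnonymous is 1 (anonymous callers receive Everyone permissions)')
}

# 2. SNMP: is the service installed, and does it accept a guessable community?
#    Community names are value names under ValidCommunities; the value data is the
#    access right (this example treats 8 or higher as write-capable).
$snmp = Get-Service -Name 'SNMP' -ErrorAction SilentlyContinue
if ($snmp) {
    $findings.Add("SNMP service present (status: $($snmp.Status)); the MS MIB, including user and service names, is readable with any valid community")
    $commKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities'
    if (Test-Path $commKey) {
        $props = Get-ItemProperty -Path $commKey
        $names = $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |      # drop the provider's PSPath etc.
            Select-Object -ExpandProperty Name
        foreach ($name in $names) {
            $right = $props.$name
            if ($name -in @('public', 'private')) {
                $findings.Add("SNMP: default community '$name' accepted (access right $right)")
            }
            if ($right -ge 8) {
                $findings.Add("SNMP: community '$name' has write access (access right $right)")
            }
        }
    }
}

# 3. Services from the thread listening on a non-loopback address. A listener here is
#    not itself a finding, but each is something the thread shows being picked off
#    from outside, so each deserves a deliberate decision.
$exposedPorts = @{
    139  = 'NetBIOS session (null sessions, share enumeration)'
    445  = 'SMB direct (same enumeration path as 139)'
    389  = 'LDAP (confirm anonymous bind is refused)'
    1433 = 'SQL Server (confirm no blank sa / login passwords)'
    5900 = 'VNC'
    5631 = 'pcAnywhere'
}
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $exposedPorts.ContainsKey([int]$_.LocalPort) -and
                   $_.LocalAddress -notin @('127.0.0.1', '::1') }
foreach ($l in $listeners) {
    $findings.Add("Port $($l.LocalPort)/tcp listening on $($l.LocalAddress): $($exposedPorts[[int]$l.LocalPort])")
}

# 4. WINS, which the reply above notes can be dumped for a complete internal map.
if (Get-Service -Name 'WINS' -ErrorAction SilentlyContinue) {
    $findings.Add('WINS service present: its database lists every registered computer, user and domain name')
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

The script deliberately stops at configuration: it does not try logins, so the blank SQL passwords mentioned above still have to be verified through the SQL Server's own login list, and an LDAP listener still has to be tested for anonymous bind with the directory's own tooling. Running it on the three "admin machines" in the story would have flagged the SQL listener, the SNMP service and the community string before the external scan did.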
Current thread:
- [PEN-TEST] Hypothetical Wargaming H Carvey (Oct 07)
- Re: [PEN-TEST] Hypothetical Wargaming Mark Teicher (Oct 09)
- Re: [PEN-TEST] Hypothetical Wargaming Etaoin Shrdlu (Oct 11)
- Re: [PEN-TEST] Hypothetical Wargaming Bennett Todd (Oct 11)
- Re: [PEN-TEST] Hypothetical Wargaming van der Kooij, Hugo (Oct 12)
- <Possible follow-ups>
- Re: [PEN-TEST] Hypothetical Wargaming Dunker, Noah (Oct 09)
- Re: [PEN-TEST] Hypothetical Wargaming Deus, Attonbitus (Oct 10)
- Re: [PEN-TEST] Hypothetical Wargaming Danny DS Stieler (Oct 09)
- Re: [PEN-TEST] Hypothetical Wargaming H Carvey (Oct 11)
- Re: [PEN-TEST] Hypothetical Wargaming Deus, Attonbitus (Oct 11)