Re: [PEN-TEST] Hypothetical Wargaming

["Deus, Attonbitus" <Thor () HAMMEROFGOD COM>]

I haven't seen this mentioned, but for a handy internal map (once in) I have
found a full WINS dump (reskit) gives me plenty of info- computer names,
username, domain names, etc.

AD

----- Original Message -----
From: "H Carvey" <keydet89 () YAHOO COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Wednesday, October 11, 2000 3:20 AM
Subject: Re: [PEN-TEST] Hypothetical Wargaming


> Thanks for the response...
>
> > It depends on what services
> are running,
> > and that can vary from machine to machine.
> Right now, the
> > heavy-hitters are IIS, and NetBIOS over TCP
> (NBT).
> >
>
> Agreed.  I've written and used a Perl script for
> null session enumeration, that's been pretty
> handy.  It collects all of the necessary info in
> one nice little package...Domain Acct Policy (for
> account lockouts), usernames and account info (UID
> 500, disabled or machine accounts, etc), etc.
> This information allows the user to tailor
> follow-on work (the script is also available as a
> stand-alone .exe for those who don't want to use
> Perl.  ;-) )
>
> IIS is a good one...always new stuff coming out on
> that one.  Either CIS or a Perl script using
> LWP::UserAgent is pretty effective.
>
> W/ Exchange, if port 389 is open, you can attempt
> an anonymous dump of user info...again, via Perl
> (hey, what can I say, it's the tool of choice).
>
> > Try looking at ARIN and figure
> out how many
> > IP addresses they own.
>
> That, and the ever-popular DNS zone transfer!
>
> > Use programs like "NetBios Auditing Tool" (can
> be acquired from
> > packetstorm.securify.com) to pry account and
> filesharing info
> > from the hosts.  From here, you should have some
> information to
> > get started with, and maybe even a few password
> hashes to run
> > through L0phtcrack (www.l0pht.com)
>
> Again, nothing against the NAT tool (great job on
> it, guys) but in the spirit of "rolling your
> own"...
>
> > Focus on vulnerabilities you can find with IIS
> (you can even be
> > a scriptkiddiot and use programs that other
> people have written,
> > they're out there...
>
> Sure...let the skryptkiddiots think that using
> such programs and looking for old vulnerabilities
> are "lame"...they aren't getting paid to run a pen
> test!
>
> Some other things to look for are VNC, pcAnywhere,
> etc.  I've seen a site in which the admin has all
> machines NAT'd behind a "firewall"...MS Proxy 1.0.
> Don't ask.  Anyway, a quick port scan shows that
> three machines are visible outside the
> firewall...three admin machines.  The
> "justification" is that they _need_ the access,
> and NetBIOS is shut down.  Yet, SQL is still bound
> to the interface (TCP 1433) and two accounts have
> blank passwords.  Further, SNMP is installed...and
> IPSwitch has a great little utility that will
> graphically pull out the usernames and services
> (the whole MS MIB) for you.
>
> So...besides looking for trojans, to include the
> DefCon8 2.1...anything else?