Re: [PEN-TEST] Expand right under Win2K

[Julian Linton <jlinton () CIS FAMU EDU>]

I've success using the unicode exploit along w/ cmdasp.asp to spawn a
shell w/ system shell, once cmdasp.asp start the shell i'll then run
ncx99.exe from cmdasp.asp which run as system. if you are lucky you can
add yourself to the user group w/ administrator policy (net user test test
/add )"or what ever u need to do". then add test to the local admin group
(net localgroup administrators test /add).

On Wed, 10 Jan 2001, Tamas Foldi wrote:

> Hi
>
> Thank You for the files and advice however nothing worked.
> 1. the SAM file cannot be read on the target (access denied) with the
> rights gained through unicode
> 2. backdoors are not a choice, since they run with the rights of the above
> mentioned unicode
> 3. HK doesn't work under win2k (it produced permission denied message)
> win2k never has been vulnarable to spoofed LPC port requests
> 4. autorun.inf didn't execute on mapping the directory (maybe some trick
> is needed)
> 5. AT command returns access denied
>
> to Dave:
> it is interesting what you wrote, but i would like to ask You to go into
> details about the All_users startup
>
>
> > You could do this with a "Shell Folder" vulnerability, and others...
>
> Could you tell more info about this bug?
>
> > > 2)  Brute force attack against accounts with local Administrator
> > > privilege.
>
> Does anyone knows any password brute forcer that works without accessing
> the SAM file?
>
> We are still eager to hear further ideas on this issue since nothing that
> we tried worked yet.
>
> . .. _ _________________________________________________________ _ .. .
> Foldi Tamas - We Are The Hashmar In The Rootshell - Security Consultant
>        crow () linuxfreak com / crow () kapu hu / (+36 30) 221-74-77