Penetration Testing mailing list archives
Re: [PEN-TEST] Expand right under Win2K
From: "Nelson Brito (a.k.a. stderr)" <stderr () SEKURE ORG>
Date: Thu, 11 Jan 2001 10:34:27 -0200
Hi... Tamas Foldi wrote: [...]
2. backdoors are not a choice, since they run with the rights of the above mentioned unicode
If you have write permissions in Registry, it's an alternative option.
3. HK doesn't work under win2k (it produced permission denied message). win2k never has been vulnerable to spoofed LPC port requests
Yeah, but who told it worked?
4. autorun.inf didn't execute on mapping the directory (maybe some trick is needed)
You're wrong, it works very well as possible. What you need is:
1 - Map the "Shared Directories";
2 - Put the autorun.inf and autorun.exe in this directory, maybe it could be your own machine;
3 - Execute "UNICODE Transversal Directory Exposure BUG" to MAP your own "Shared Directory";
4 - After, use NET command to mount, if possible, the C$ with Administrator permissions, else you will need to share C$.
5 - Run your preferred tool, pwdump or l0phtcrack, to dump password from target registry.
It worked against WinNT, maybe will work against Win2k.
5. AT command returns access denied
Yeah, by default, only Administrators could do this. Or, maybe, the service is stopped.
to Dave: it is interesting what you wrote, but I would like to ask You to go into details about the All_users startup
You could do this with a "Shell Folder" vulnerability, and others...
I don't know if it's the *REAL* name for this BUG, but you can find something about Default Folders at SecurityFocus, but it only works against WinNT, I guess.
Could you tell more info about this bug?
2) Brute force attack against accounts with local Administrator privilege.
Does anyone know any password brute forcer that works without accessing the SAM file? We are still eager to hear further ideas on this issue since nothing that we tried worked yet.
Foldi Tamas - We Are The Hashmar In The Rootshell - Security Consultant crow () linuxfreak com / crow () kapu hu / (+36 30) 221-74-77
That's all,
-- Nelson Brito
Security Analyst && Penetration Tester
Security Networks AG / IBQN - http://www.secunet.de/