Re: [PEN-TEST] Expand right under Win2K

[Oliver Friedrichs <of () SECURITYFOCUS COM>]

To summarize this, and another message that was just posted by Nelson
[stderr () UNREAL SEKURE ORG],

This only works if you can authenticate to the host as Administrator (or
Domain Administrator), i.e. CyberCop needs to be running with these
credentials.  It also won't work if SYSKEY is running and the hashes are
encrypted.  It works like the original PWDump program by Jeremy Allison and
enumerates HKEY_LOCAL_MACHINE\SECURITY\SAM\Domains\Account\Users (after
changing permissions so it can access it).  This is saved to a file that can
then be fed into the CyberCop password cracker (which will crack both NT and
UNIX passwords btw).

SMBGrind on the other hand, is brute force password cracking that does not
use the NT API (we wrote our own CIFS code), so it can make many connections
in parallel, whereas NT is _very_ slow if you use the native API.

- Oliver

> -----Original Message-----
> From: Beauregard, Claude Q [mailto:CQBeauregard () AAAMICHIGAN COM]
> Sent: Thursday, January 11, 2001 11:41 AM
> To: PEN-TEST () SECURITYFOCUS COM
> Subject: Re: [PEN-TEST] Expand right under Win2K
>
>
> If I remember corectly Cybercop incorporates a password
> cracker that doesn't
> require access to the SAM file but I believe this is for NT
> 3.51 and 4.0.
> However I assume they are keeping up with Win2k so they may have
> incorporated some changes.
>
> -----Original Message-----
> From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
> Of Nelson Brito (a.k.a. stderr)
> Sent: Thursday, January 11, 2001 7:34 AM
> To: PEN-TEST () SECURITYFOCUS COM
> Subject: Re: [PEN-TEST] Expand right under Win2K
>
>
> Hi...
>
> Tamas Foldi wrote:
> [...]
>
> > 2. backdoors are not a choice, since they run with the
> rights of the above
> > mentioned unicode
>
> If you have write permissions in Registry, it's a alternative option.
>
> > 3. HK doesn't work under win2k (it produced permission
> denied message)
> > win2k never has been vulnarable to spoofed LPC port requests
>
> Yeah, but who told it worked?
>
> > 4. autorun.inf didn't execute on mapping the directory
> (maybe some trick
> > is needed)
>
> You're wrong, it works very well as possible. What you need is:
> 1 - Map the "Shared Directories;
> 2 - Put the autorun.inf and autorun.exe in this directory, maybe it
> could be your own machine;
> 3 - Execute "UNICODE Transversal Directory Exposure BUG" to
> MAP your own
> "Shared Directory";
> 4 - After, use NET command to mount, if possible, the C$ with
> Administrator permissions, else you will need to share C$.
> 5 - Run your prefered tool, pwdump or l0phtcrack, to dump
> password from
> target registry.
>
> It worked against WinNT, maybe will work against Win2k.
>
> > 5. AT command returns access denied
>
> Yeah, by default, only Administrators could do this. Or, maybe, the
> service is stoped.
>
> > to Dave:
> > it is interesting what you wrote, but i would like to ask
> You to go into
> > details about the All_users startup
> >
> >
> >
> > > You could do this with a "Shell Folder" vulnerability, and
> others...
> >
>
> I don't know if it's the *REAL* name for this BUG, but you can find
> something about Default Folders at SecurityFocus, but it's only works
> against WinNT, I guess.
>
> > Could you tell more info about this bug?
> >
> >
> > > > 2)  Brute force attack against accounts with local Administrator
> > > > privilege.
> >
> > Does anyone knows any password brute forcer that works
> without accessing
> > the SAM file?
> >
> > We are still eager to hear further ideas on this issue
> since nothing that
> > we tried worked yet.
> >
> > .. .. _
> _________________________________________________________ _ .. .
> > Foldi Tamas - We Are The Hashmar In The Rootshell -
> Security Consultant
> >        crow () linuxfreak com / crow () kapu hu / (+36 30) 221-74-77
>
>
> sem mais,
> --
> Nelson Brito
> Security Analyst && Penetration Tester
> Security Networks AG / IBQN - http://www.secunet.de/