Penetration Testing mailing list archives
Re: [PEN-TEST] Expand right under Win2K
From: Oliver Friedrichs <of () SECURITYFOCUS COM>
Date: Thu, 11 Jan 2001 13:13:05 -0800
To summarize this, and another message that was just posted by Nelson [stderr () UNREAL SEKURE ORG], this only works if you can authenticate to the host as Administrator (or Domain Administrator), i.e. CyberCop needs to be running with these credentials. It also won't work if SYSKEY is running and the hashes are encrypted.

It works like the original PWDump program by Jeremy Allison and enumerates HKEY_LOCAL_MACHINE\SECURITY\SAM\Domains\Account\Users (after changing permissions so it can access it). This is saved to a file that can then be fed into the CyberCop password cracker (which will crack both NT and UNIX passwords btw).

SMBGrind, on the other hand, is brute-force password cracking that does not use the NT API (we wrote our own CIFS code), so it can make many connections in parallel, whereas NT is _very_ slow if you use the native API.

- Oliver
-----Original Message-----
From: Beauregard, Claude Q [mailto:CQBeauregard () AAAMICHIGAN COM]
Sent: Thursday, January 11, 2001 11:41 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] Expand right under Win2K

If I remember correctly, Cybercop incorporates a password cracker that doesn't require access to the SAM file, but I believe this is for NT 3.51 and 4.0. However, I assume they are keeping up with Win2k, so they may have incorporated some changes.

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM] On Behalf Of Nelson Brito (a.k.a. stderr)
Sent: Thursday, January 11, 2001 7:34 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] Expand right under Win2K

Hi...

Tamas Foldi wrote:
[...]
> 2. backdoors are not a choice, since they run with the rights of the above mentioned unicode

If you have write permissions in Registry, it's an alternative option.

> 3. HK doesn't work under win2k (it produced permission denied message)
> win2k never has been vulnerable to spoofed LPC port requests

Yeah, but who told it worked?

> 4. autorun.inf didn't execute on mapping the directory (maybe some trick is needed)

You're wrong, it works very well as possible. What you need is:
1 - Map the "Shared Directories";
2 - Put the autorun.inf and autorun.exe in this directory, maybe it could be your own machine;
3 - Execute "UNICODE Traversal Directory Exposure BUG" to MAP your own "Shared Directory";
4 - After, use NET command to mount, if possible, the C$ with Administrator permissions, else you will need to share C$.
5 - Run your preferred tool, pwdump or l0phtcrack, to dump passwords from the target registry.

It worked against WinNT, maybe will work against Win2k.

> 5. AT command returns access denied

Yeah, by default, only Administrators could do this. Or, maybe, the service is stopped.

> to Dave: it is interesting what you wrote, but i would like to ask You to go into details about the All_users startup

You could do this with a "Shell Folder" vulnerability, and others... I don't know if it's the *REAL* name for this BUG, but you can find something about Default Folders at SecurityFocus, but it only works against WinNT, I guess.

> Could you tell more info about this bug?
>
> 2) Brute force attack against accounts with local Administrator privilege.
>
> Does anyone know any password brute forcer that works without accessing the SAM file? We are still eager to hear further ideas on this issue since nothing that we tried worked yet.
>
> Foldi Tamas - We Are The Hashmar In The Rootshell - Security Consultant
> crow () linuxfreak com / crow () kapu hu / (+36 30) 221-74-77

nothing more,
--
Nelson Brito
Security Analyst && Penetration Tester
Security Networks AG / IBQN - http://www.secunet.de/
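Oliver's point that SMBGrind opens many connections in parallel is also what makes it visible to a defender: a burst of failed logons from one source in a short window is the signature to alert on. The following is an added example (not code from the thread, CyberCop or SMBGrind) that runs a sliding-window count of failed logons per source over a constructed, simplified audit-record format; the record layout, the `FAIL src=... user=...` fields, the threshold and the window are all assumptions for illustration, and a real deployment would parse its own log format.

```python
"""Flag sources producing bursts of failed SMB/NT logons (added example).

Record format is a constructed simplification, one failed logon per line:
    <ISO timestamp> FAIL src=<ip> user=<account>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) FAIL src=(\S+) user=(\S+)$")

# Constructed sample records, not real log data. 10.0.0.5 hammers two
# accounts within five seconds (the parallel-connection pattern); 10.0.0.9
# is one user mistyping a password three times over an hour.
SAMPLE_LOG = """\
2001-01-11T13:10:00 FAIL src=10.0.0.5 user=Administrator
2001-01-11T13:10:00 FAIL src=10.0.0.5 user=Administrator
2001-01-11T13:10:01 FAIL src=10.0.0.5 user=Administrator
2001-01-11T13:10:01 FAIL src=10.0.0.5 user=Administrator
2001-01-11T13:10:02 FAIL src=10.0.0.5 user=Administrator
2001-01-11T13:10:02 FAIL src=10.0.0.5 user=backup
2001-01-11T13:10:03 FAIL src=10.0.0.5 user=backup
2001-01-11T13:10:03 FAIL src=10.0.0.5 user=backup
2001-01-11T13:10:04 FAIL src=10.0.0.5 user=Administrator
2001-01-11T13:10:04 FAIL src=10.0.0.5 user=Administrator
2001-01-11T13:10:05 FAIL src=10.0.0.5 user=Administrator
2001-01-11T13:10:05 FAIL src=10.0.0.5 user=Administrator
this line is malformed and must be skipped, not crash the parser
2001-01-11T12:30:00 FAIL src=10.0.0.9 user=jdoe
2001-01-11T13:05:00 FAIL src=10.0.0.9 user=jdoe
2001-01-11T13:40:00 FAIL src=10.0.0.9 user=jdoe
"""


def parse_records(text):
    """Return a time-sorted list of (timestamp, src, user) tuples.

    Malformed lines are skipped so one bad record cannot stop the sweep.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        records.append((ts, m.group(2), m.group(3)))
    records.sort(key=lambda r: r[0])
    return records


def find_bruteforce_sources(records, threshold=10, window=timedelta(seconds=60)):
    """Map src -> (peak failures inside one window, distinct accounts tried)
    for every source whose failure rate reaches `threshold` within `window`.

    A deque per source holds timestamps no older than `window`; its length at
    any point is the failure count for the trailing window, so the peak length
    is the worst burst that source produced.
    """
    recent = defaultdict(deque)
    users = defaultdict(set)
    peak = defaultdict(int)
    for ts, src, user in records:
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        users[src].add(user)
        peak[src] = max(peak[src], len(q))
    return {src: (peak[src], len(users[src]))
            for src in peak if peak[src] >= threshold}


if __name__ == "__main__":
    for src, (count, accounts) in find_bruteforce_sources(parse_records(SAMPLE_LOG)).items():
        print(f"ALERT {src}: {count} failed logons in 60s across {accounts} account(s)")
```

On the constructed sample only 10.0.0.5 is reported (12 failures in the window, 2 accounts); the slow, single-account failures from 10.0.0.9 stay below the threshold, which is the distinction between a parallel cracker and a user who forgot a password. The threshold and window are tuning knobs; the distinct-account count is worth surfacing alongside the rate because account spraying from one host looks different from repeated attempts against one account.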
Current thread:
- Re: [PEN-TEST] Expand right under Win2K, (continued)
- Re: [PEN-TEST] Expand right under Win2K Nelson Brito (a.k.a. stderr) (Jan 11)
- Re: [PEN-TEST] Expand right under Win2K Nelson Brito (a.k.a. stderr) (Jan 11)
- Re: [PEN-TEST] Expand right under Win2K Pascal C. Kocher (Jan 10)
- Re: [PEN-TEST] Expand right under Win2K Edwards, David (JTD) (Jan 09)
- Re: [PEN-TEST] Expand right under Win2K Complx1 * (Jan 09)
- Re: [PEN-TEST] Expand right under Win2K Edwards, David (JTD) (Jan 10)
- Re: [PEN-TEST] Expand right under Win2K Complx1 * (Jan 11)
- Re: [PEN-TEST] Expand right under Win2K Beauregard, Claude Q (Jan 11)
- Re: [PEN-TEST] Expand right under Win2K Nelson (Jan 11)
- Re: [PEN-TEST] Expand right under Win2K Barber, Chris (Jan 11)
- Re: [PEN-TEST] Expand right under Win2K Oliver Friedrichs (Jan 11)
- Re: [PEN-TEST] Expand right under Win2K Aidan O'Kelly (Jan 15)