Penetration Testing mailing list archives

Re: W2K Terminal Services pwd cracker


From: Thor () HammerofGod com
Date: Thu, 29 Nov 2001 15:10:37 -0800


Tim Mullen (Thor) is building a tool called TSGrinder.  I don't think it 
is available yet, but you may be able to convince him to let you beta test 
it.  He has a couple of other tools out for TS that might interest 
you.  Check out http://www.hammerofgod.com/download.htm

Thanks for the shout-outs! I saw the original post, but with TSGrinder 
being in beta, I thought it best not to reply; I don't like to promote 
stuff that isn't ready yet :)

For those interested, here is where I am... The original TSGrinder 
basically used the TS ActiveX client and exposed the TSNonScriptable 
interface via vtable binding in C++... You can also do it in VB, but I 
didn't know that at the time...
Anyway, even with the TS ActiveX client scripted, the server setup had to 
be non-default (you had to allow users to connect w/o requiring manual 
password entry), and that basically blew.

Sozni turned me on to a different DLL that *does* allow direct manipulation 
of the send and receive channels of the TS client, and that is what I am 
trying to figure out.  I'm doing a LoadLibrary() and creating pointers to 
each function and basically fumbling through determining what the correct 
parameters are (no libs or anything available, just the .dll), so it is a 
bit slow going.  I think I'll break down and buy IDA, which should help me 
out some.  We're starting to get a bit snow-bound up here in the mountains, 
so I should have some time to finish this guy up by Xmas. This will also 
allow me to programmatically check for the presence of a "logon banner" and 
dispatch it, which would thwart the earlier TSGrinder based on the web 
client.  We can also bypass the client's failed logon limit (5?) and keep 
the channel up all the time, rather than tearing it down each time it 
fails to log on.  It should be cool.

Thought I would let you all know the status on the project.  If there are 
any C++ geniuses out there who have nothing better to do than help me code 
up a free tool, then let me know!

Later.
AD

