Penetration Testing mailing list archives

Windows XP remote access methods for pen test


From: Curt Wilson <netw3_security () hushmail com>
Date: 5 Dec 2002 22:53:49 -0000




While working with the Security Configuration and Analysis MMC snap-in 
(applying securews template in this case) in a Win XP Pro SP1 system, I 
came across some items that could be useful to the attacker and/or pen 
tester. Anyone who has played with XP security policies will have seen 
these, however I've seen little information about the security 
ramifications of the following items, and would enjoy a discussion about 
these elements:

Local Policies...Security Options...Network Access: Named pipes that can 
be accessed anonymously
 
COMNAP,COMNODE,SQL\QUERY,SPOOLSS,LLSRPC,EPMAPPER,LOCATOR,TrkWks,TrkSvr  

Remotely accessible registry paths:

System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Control\Server Applications
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration

(I'm assuming that these reg paths are useless to a remote attacker, 
unless the remote registry service is enabled and the attacker/pen tester 
has access. I always turn off remote registry so I've not explored these 
options)

Shares that can be accessed anonymously

COMCFG,DFS$

Has anyone successfully leveraged the existence of any of these elements, 
and do you have any information from practical experience that you would 
be willing to share? It strikes me that there could be some interesting 
content here if we could spend some time fuzzing and exploring.

Thanks

Curt Wilson
Netw3 Security Research
www.netw3.com
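An added example, not part of Curt's post: a PowerShell audit that reads the registry values behind the three policy items he lists (null-session pipes, null-session shares, remotely accessible registry paths) together with the Remote Registry service state, so a defender can see what a null session would actually reach on a given host. The registry locations are the ones the Local Security Policy UI writes to; the "hardened baseline" of empty pipe and share lists is an assumption of this example.

```powershell
# Added example (not from the original post): audit the anonymous-access settings
# discussed above by reading the registry values behind the policy items.
# The empty-list baseline flagged at the end is this example's own assumption.

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths'
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-MultiSz($Path, $Name) {
    # REG_MULTI_SZ comes back as a string array; a missing value means "nothing listed"
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.$Name | Where-Object { $_ -ne '' })
}

function Get-AnonymousAccessReport {
    $pipes  = Get-MultiSz $lanman 'NullSessionPipes'   # "Named pipes that can be accessed anonymously"
    $shares = Get-MultiSz $lanman 'NullSessionShares'  # "Shares that can be accessed anonymously"
    $paths  = Get-MultiSz $winreg 'Machine'            # "Remotely accessible registry paths"
    $restrictNull = (Get-ItemProperty -Path $lanman -Name RestrictNullSessAccess -ErrorAction SilentlyContinue).RestrictNullSessAccess
    $restrictAnon = (Get-ItemProperty -Path $lsa -Name RestrictAnonymous -ErrorAction SilentlyContinue).RestrictAnonymous
    $remoteReg = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        NullSessionPipes       = $pipes
        NullSessionShares      = $shares
        RemoteRegistryPaths    = $paths
        RemoteRegistryRunning  = ($null -ne $remoteReg -and $remoteReg.Status -eq 'Running')
        RestrictNullSessAccess = $restrictNull   # 1 = null sessions limited to the listed pipes/shares
        RestrictAnonymous      = $restrictAnon   # 0 = anonymous enumeration not restricted
    }
}

$report = Get-AnonymousAccessReport
$report | Format-List

# Flag anything a hardened baseline would not have. The registry paths only matter while
# the Remote Registry service is running, which matches the caveat in the post.
if ($report.NullSessionPipes.Count -gt 0)  { Write-Warning "Null-session pipes: $($report.NullSessionPipes -join ',')" }
if ($report.NullSessionShares.Count -gt 0) { Write-Warning "Null-session shares: $($report.NullSessionShares -join ',')" }
if ($report.RemoteRegistryRunning -and $report.RemoteRegistryPaths.Count -gt 0) {
    Write-Warning "Remote Registry is running; $($report.RemoteRegistryPaths.Count) path(s) are reachable remotely"
}
```

Run it in an elevated PowerShell session on the host being reviewed; the warnings map one-to-one to the three policy items in the post.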




