Penetration Testing mailing list archives

RE: hacking a NT domain after the member server


From: "Blake Frantz" <blake () mc net>
Date: Thu, 13 Jun 2002 14:49:02 -0500


You can get a win32 port of dsniff at
http://www.datanerds.net/~mike/dsniff.html.  I don't think this version
has support for NTLM authentication but it's my experience that people
reuse the same passwords for many services/boxes.

Does the SQL server authenticate via trusted connections?  Provided you
can sniff/snarf for NTLM you should be able to get domain credentials
whenever someone authenticates to the server (unless NTLMv2 auth is
used; I don't think I've seen a tool for this, anyone?)

Have you tried to nbtdump/enum the other winboxen?  Aside from names of
shares and users I've seen admins actually put passwords in the Comment
field for user accounts that pertain to specific services.  Seriously.
While you're at it, try out talkntlm and the methods described in
http://www.atstake.com/research/advisories/2000/a091400-1.txt.  Couldn't
hurt.

If all else fails, brute force accounts using nat:
http://www.cotse.com/tools/sw/nat10bin.zip.

Just some thoughts.

Blake Frantz  MCSE, CCNA
Network Security Analyst
mc.net
720 Industrial Drive #121
Cary, IL 60013
phn: (847)-594-5111 x5734
fax: (847)-639-0097
mailto:blake () mc net
http://www.mc.net
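Two of the points above (passwords stashed in account Comment fields, and NTLMv1 being sniffable where NTLMv2 is not) translate directly into a defender's audit. The following script is an added example, not something from this thread or its tools; it assumes PowerShell 5.1+ on a domain-joined Windows host, the RSAT ActiveDirectory module being optional, and the password-spotting regex is a heuristic of my own.

```powershell
# Added audit script (not from the thread). Assumes PowerShell 5.1+ on a
# domain-joined Windows host; the ActiveDirectory module is optional.
# 1) flags account Description/Comment fields that look like they hold a
#    password; 2) reports whether the host still sends LM/NTLMv1 responses.

# Heuristic pattern (assumption): "password: x", "pwd=x", "password is x" ...
$pattern = '(?i)\b(pass(word|wd)?|pwd|pw)\b\s*[:=]|\bpassword is\b'

function Test-SuspiciousDescription {
    param([string]$Description)
    return [bool]($Description -and $Description -match $pattern)
}

# Local accounts (Get-LocalUser ships with PowerShell 5.1 on Win10/2016+)
$findings = Get-LocalUser |
    Where-Object { Test-SuspiciousDescription $_.Description } |
    Select-Object Name, Description

# Domain accounts, only if the RSAT ActiveDirectory module is installed
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $findings += Get-ADUser -Filter * -Properties Description |
        Where-Object { Test-SuspiciousDescription $_.Description } |
        Select-Object Name, Description
}

if ($findings) {
    Write-Warning 'Accounts whose comment/description may contain a password:'
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No password-like text found in account descriptions.'
}

# LmCompatibilityLevel: 0-2 still send LM/NTLMv1 responses, which a sniffer
# on the wire can capture and crack offline; 3-5 send NTLMv2 only, and 5
# additionally refuses LM/NTLMv1 from clients when this host is the server.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$level = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel `
              -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $level) { $level = 3 }   # Vista/2008+ default when value is absent
if ($level -lt 3) {
    Write-Warning "LmCompatibilityLevel is $level : LM/NTLMv1 still sent; set it to 5."
} else {
    Write-Output "LmCompatibilityLevel is $level : NTLMv2 responses only."
}
```

Run it in an elevated session; a non-empty findings table means the Comment-field problem described above exists in your directory, regardless of who is looking for it.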

 
-----Original Message-----
From: Jason [mailto:cisspstudy () yahoo com] 
Sent: Thursday, June 13, 2002 3:49 AM
To: pen-test () securityfocus com
Subject: hacking a NT domain after the member server

Currently doing a penetration test and managed to compromise a
development SQL server (W2K/SQL 2000) that is a member of the domain.

I am trying to gather additional information from this host that will 
allow me to compromise the domain.

There are no accounts on this host that are the same as the domain. 
LSA secrets revealed nothing interesting.

Does anyone have any other ideas?

I would like to install a command line NTLM password sniffer. Does
anyone know of one?

However, people rarely use this server and I am unlikely to get any
domain passwords this way.

Any other ideas?

Any help appreciated.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/