Penetration Testing mailing list archives
Re: hacking a NT domain after the member server
From: hofmemi () ey co za
Date: Fri, 14 Jun 2002 08:01:05 +0200
Jason, I have found the quickest way to compromise an NT domain is to try null or commonly used passwords, i.e. on the server you have compromised issue the standard domain enumeration commands:

net view /domain

and then

net view /domain:domain_name

then select a few interesting looking hosts and attempt to connect to the default shares IPC$, C$, Admin$ by using

net use * \\computer_name\c$ /user:administrator

There are usually a few administrator accounts with a blank or easy to guess password. There are also many tools available to automate this and try brute forcing ... i.e. nbtbrute, nat etc.

WRT a command line tool for sniffing NTLM hashes your choices are limited. I would simply use tcpdump to capture any hashes and then you can either crack or use them in a replay attack with a tool like smbproxy.

Of course if the machine is seldom used you could simply install a remote control program like VNC and load up your GUI tools ;-)

Rgds
Michael Hofmeyr
eSecurity Services
Ernst & Young - Information Systems Assurance & Advisory Services
Wanderers Office Park, 52 Corlett Drive, Illovo, 2196 South Africa
ICQ: 114086666
Tel: +27 11 772 3784
Fax: +27 11 772 4784
GSM: +27 83 256 3716
Email: hofmemi () ey co za
Internet: www.ey.com/southafrica

Jason <cisspstudy@yahoo.com>
2002/06/13 10:49 AM
To: pen-test () securityfocus com
cc:
Subject: hacking a NT domain after the member server

Currently doing a penetration test and managed to compromise a development SQL server (W2K/SQL 2000) that is a member of the domain. I am trying to gather additional information from this host that will allow me to compromise the domain. There are no accounts on this host that are the same as the domain. LSA secrets revealed nothing interesting. Does anyone have any other ideas?

I would like to install a command line NTLM password sniffer. Does anyone know of one? However, people rarely use this server and I am unlikely to get any domain passwords this way. Any other ideas?

Any help appreciated.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
----------------------------------------------------------------------------
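The sweep described in the reply above (net use against C$/Admin$ as administrator on one host after another) leaves a failed network logon on every target it touches, which is what a defender can key on. The following Python is an added example, not code from the thread or its participants; it assumes a constructed one-line rendering of Security log events 4625/4624 (the field names and host names are invented for the sample) and flags any source that failed administrator network logons against several distinct hosts, noting where the same source then succeeded.

```python
import re
from collections import defaultdict

# Constructed sample Security log lines (not from the page), a one-line rendering
# of Event ID 4625 (failed logon) / 4624 (successful logon). Logon Type 3 is a
# network logon, which is what a "net use \\host\c$ /user:administrator"
# attempt from the compromised member server produces on each target host.
SAMPLE_EVENTS = """\
2002-06-13 10:01:02 host=FILESRV1 event=4625 logon_type=3 user=administrator src=DEVSQL01
2002-06-13 10:01:03 host=FILESRV2 event=4625 logon_type=3 user=administrator src=DEVSQL01
2002-06-13 10:01:04 host=PRINTSRV event=4625 logon_type=3 user=administrator src=DEVSQL01
2002-06-13 10:01:05 host=HR01 event=4625 logon_type=3 user=administrator src=DEVSQL01
2002-06-13 10:01:06 host=HR02 event=4624 logon_type=3 user=administrator src=DEVSQL01
2002-06-13 10:05:00 host=FILESRV1 event=4625 logon_type=2 user=jsmith src=WS-042
2002-06-13 10:06:00 host=FILESRV1 event=4625 logon_type=3 user=jsmith src=WS-042
"""

LINE_RE = re.compile(r"host=(?P<host>\S+) event=(?P<event>\d+) "
                     r"logon_type=(?P<ltype>\d+) user=(?P<user>\S+) src=(?P<src>\S+)")

def parse_events(text):
    """Parse the constructed log format into dicts, skipping non-matching lines."""
    return [m.groupdict() for m in map(LINE_RE.search, text.splitlines()) if m]

def find_admin_share_sweeps(events, min_hosts=3):
    """Flag a source that failed network logons as 'administrator' against at
    least min_hosts distinct hosts (an admin-share password-guessing sweep), and
    record any host where the same source then succeeded, i.e. a weak password."""
    failed, succeeded = defaultdict(set), defaultdict(set)
    for ev in events:
        # Only network logons with the built-in administrator account matter here.
        if (ev["ltype"] != "3" or ev["user"].lower() != "administrator"
                or ev["event"] not in ("4624", "4625")):
            continue
        bucket = failed if ev["event"] == "4625" else succeeded
        bucket[ev["src"]].add(ev["host"])
    return {src: {"hosts": sorted(hosts), "succeeded_on": sorted(succeeded[src])}
            for src, hosts in failed.items() if len(hosts) >= min_hosts}

if __name__ == "__main__":
    for src, info in find_admin_share_sweeps(parse_events(SAMPLE_EVENTS)).items():
        print(f"{src}: failed administrator logons on {info['hosts']}, "
              f"succeeded on {info['succeeded_on']}")
```

On real systems the same logic applies to the 4625/4624 records (Logon Type 3, Account Name, Workstation Name) after whatever log collector you use has parsed them; the regex here only exists for the constructed sample.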
Current thread:
- hacking a NT domain after the member server Jason (Jun 13)
- RE: hacking a NT domain after the member server Blake Frantz (Jun 13)
- Re: hacking a NT domain after the member server olle (Jun 18)
- <Possible follow-ups>
- RE: hacking a NT domain after the member server Fabrizio Siciliano (Jun 13)
- Re: hacking a NT domain after the member server hofmemi (Jun 14)
- Re: hacking a NT domain after the member server bart2k (Jun 14)
- Re: hacking a NT domain after the member server Erik Birkholz (Jun 19)
- RE: hacking a NT domain after the member server Blake Frantz (Jun 13)