Penetration Testing mailing list archives

Re: hacking a NT domain after the member server


From: olle <olle () nxs se>
Date: Mon, 17 Jun 2002 21:45:47 +0200


! WARNING - blatant plugs !

On Thu, Jun 13, 2002 at 02:49:02PM -0500, Blake Frantz wrote:

> Does the SQL server authenticate via trusted connections?  Provided you
> can sniff/snarf for NTLM you should be able to get domain credentials
> whenever someone authenticates to the server (unless NTLMv2 auth is
> used, I don't think I've seen a tool for this, anyone?)

huggorm[1] works fine with both old-style NTLM and new SSP exchanges, both
on SMB/IP (tcp 445) and SMB/NB/IP (tcp 139), and will probably be able to
sniff NT challenge-responses if the MSSQL server uses named pipe transport.

Have you tried to nbtdump/enum the other winboxen?  Aside from names of
shares and users, I've seen admins actually put passwords in the Comment
field for user accounts that pertain to specific services.  Seriously.

If all else fails, brute-force accounts using nat:
http://www.cotse.com/tools/sw/nat10bin.zip

Check out skravel and netu at http://olle.nxs.se/

I also recommend winfo at http://www.ntsecurity.nu/toolbox/winfo/

/olle, self-promoting bastard.

[1] http://olle.nxs.se/software/huggorm/
