Penetration Testing mailing list archives
Re: hacking a NT domain after the member server
From: olle <olle () nxs se>
Date: Mon, 17 Jun 2002 21:45:47 +0200
! WARNING - blatant plugs !

On Thu, Jun 13, 2002 at 02:49:02PM -0500, Blake Frantz wrote:
> Does the SQL server authenticate via trusted connections? Provided you can sniff/snarf for NTLM you should be able to get domain credentials whenever someone authenticates to the server (unless NTLMv2 auth is used, I don't think I've seen a tool for this, anyone?)
huggorm[1] works fine with both old-style NTLM and new SSP exchanges, both on SMB/IP (tcp 445) and SMB/NB/IP (tcp 139) and will probably be able to sniff NT challenge-responses if the MSSQLserver uses named pipe transport.
Have you tried to nbtdump/enum the other winboxen? Aside from names of shares and users, I've seen admins actually put passwords in the Comment field for user accounts that pertain to specific services. Seriously.
If all else fails brute force accounts using nat http://www.cotse.com/tools/sw/nat10bin.zip.
Check out skravel and netu at http://olle.nxs.se/ I also recommend winfo at http://www.ntsecurity.nu/toolbox/winfo/

/olle, self-promoting bastard.

[1] http://olle.nxs.se/software/huggorm/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
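Added example, not from olle's post or from any of the tools it names: a parser for the NTLMSSP AUTHENTICATE_MESSAGE (the type 3 message carried over SMB on tcp 445/139) that a defender can run over captured authentications to find the NTLMv1 exchanges the thread says are sniffable, as opposed to the NTLMv2 exchanges it says are not. The sample messages are constructed inline, and build_authenticate / classify_ntlm_authenticate are hypothetical helper names.

```python
import struct

# MS-NLMP NegotiateFlags bit for "NTLM2 session security" (still an NTLMv1 hash, client nonce in LM field)
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000

def build_authenticate(lm_resp, nt_resp, user, domain, flags):
    """Constructed NTLMSSP AUTHENTICATE_MESSAGE (type 3) in the MS-NLMP 2.2.1.3 layout.
    Used here only to make sample messages; real ones come from tcp/445 or tcp/139 captures."""
    fields = [lm_resp, nt_resp, domain.encode("utf-16-le"), user.encode("utf-16-le"), b"", b""]
    header_len = 64            # signature + type + six (Len, MaxLen, Offset) triples + flags
    hdr, body = b"NTLMSSP\x00" + struct.pack("<I", 3), b""
    for f in fields:           # each field is a pointer into the payload that follows the header
        hdr += struct.pack("<HHI", len(f), len(f), header_len + len(body))
        body += f
    return hdr + struct.pack("<I", flags) + body

def classify_ntlm_authenticate(msg):
    """Return user, domain and which NTLM response scheme the client used.
    Only the shape of the NT response is inspected; nothing is cracked or replayed."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE_MESSAGE")
    def field(off):
        ln, _, pos = struct.unpack_from("<HHI", msg, off)
        return msg[pos:pos + ln]
    lm, nt = field(12), field(20)
    domain, user = field(28).decode("utf-16-le"), field(36).decode("utf-16-le")
    flags = struct.unpack_from("<I", msg, 60)[0]
    if len(nt) > 24 and nt[16:18] == b"\x01\x01":     # 16-byte NTProofStr, then NTLMv2 blob header
        scheme = "NTLMv2"
    elif len(nt) == 24 and flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY and lm[8:] == bytes(16):
        scheme = "NTLMv1 (NTLM2 session security)"
    elif len(nt) == 24:
        scheme = "NTLMv1"
    else:
        scheme = "unknown"
    return {"user": user, "domain": domain, "nt_response_len": len(nt),
            "scheme": scheme, "v1_hash_exposed": scheme != "NTLMv2"}

# Constructed sample messages (response bytes are dummies; only their layout matters here)
SAMPLE_V1 = build_authenticate(b"\x11" * 24, b"\x22" * 24, "svc_sql", "CORP", 0x00000201)
SAMPLE_NTLM2_SESSION = build_authenticate(b"\x55" * 8 + bytes(16), b"\x66" * 24, "svc_sql", "CORP",
                                          0x00000201 | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
SAMPLE_V2 = build_authenticate(b"\x77" * 24,
                               b"\x33" * 16 + b"\x01\x01" + bytes(6) + bytes(8) + b"\x44" * 8 + bytes(8),
                               "svc_sql", "CORP", 0x00000201)

if __name__ == "__main__":
    for m in (SAMPLE_V1, SAMPLE_NTLM2_SESSION, SAMPLE_V2):
        print(classify_ntlm_authenticate(m))
```

Any result with v1_hash_exposed set is an account whose domain credential is at risk in exactly the way the thread describes, and is the one to move to NTLMv2-only (or Kerberos) first.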