Re: add a local admin user without a pop-up ?

["Lee Lawson" <leejlawson () gmail com>]

have you considered using the AT command to execute your DOS commands?
This way, you can run it at a set time offset in the future (+5
minutes etc) and I don't think that it executes visibly to the user,
unless you use the /interactive switch.

Have a go and let us know.

Then let us know how you are executing the DOS from the email!

later,


On 12/1/06, me <deros68 () yahoo com> wrote:
> We are conducting a pen test that allows social
> engineering emails sent out that may allow us to take
> over the the user who opens one of them.  I created an
> email hack but am now wondering how to add a local
> admin user WITHOUT HAVING A DOS PROMPT POP UP WHEN THE
> EMAIL IS OPENED.
>
> I cannot transport any files (of any sort - no wscript
> file or vbs or any file!!) to the victim and I am
> limited to the native XP commands and processes that
> are on the victim machine.  If I catch a victim (catch
> & release) I will be able to reach the victim machine
> with native XP means (net use - nc to ports etc..).
> The victim then gets scolded about opening
> inappropriate emails...
>
>
> The victim is almost always an administrator or power
> user so almost any command or process can be used.  I
> tried many/many variants of invoking the "Cmd.exe"
> shell but so far it always creates a momentary DOS
> screen pop-up.
>
> tired many variants similar to below:
>
> CMD.EXE /Q /C net user testx password /add
> or
> start /B /wait cmd /Q /C c:\windows\system32\net.exe
> user testx password /add
>
> pop-ups in either case
>
> I have used rundll32.exe in the past to avoid pop-ups
> (in most cases) so I tried:
>
> rundll32.exe netapi32.dll,NetUserAdd
> (%COMPUTERNAME%,1,(NEWUSER,PASSWORD),0) (wrapped)
>
> I tried many variants of the above but I always get a
> pop up "An Exception occurred while trying to run
> netapi32.dll.."
>
> OK
>
> I plugged netapi32.dll into Olly and saw the dll entry
> NetUserAdd takes 4 parms -but the 3rd parm
> is a LBYTE pointer to the input buffer.  I wonder if
> rundll32.exe can construct such a pointer for me?
>
> Using only the programs and API calls available from
> what is essentially an XP DOS shell - does anyone have
> a better way to do this without creating a DOS pop-up
> ?
>
> I have already figured out how to write the "net user
> Username PSWD /add" & "net localgroup administrators
> Username /add" cmds to the registry (the run key) -
> without creating a pop-up! (Silently..)
>
> However, the problem with the above is that it
> requires a logon/logoff or re-boot to occur before the
> user is added. Thus my quest for a silent (no pop-up)
> but immediate means to do this.
>
> Since the email interface can call a winapi - I may
> have to try to call netapi32.dll/NetUserAdd - I hope
> that I do not have to do that - the test may be over -
> before I can decipher the correct syntax between my
> email system and the STDCALL Winapi
>
> Thanks
>
>
>
>
>
> ____________________________________________________________________________________
> Have a burning question?
> Go to www.Answers.yahoo.com and get answers from real people who know.
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> ------------------------------------------------------------------------


--
Lee J Lawson
leejlawson () gmail com
leejlawson () hushmail com

"Give a man a fire, and he'll be warm for a day; set a man on fire,
and he'll be warm for the rest of his life."

"Quidquid latine dictum sit, altum sonatur."

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------