Penetration Testing mailing list archives
RE: Pentesting Network Share Access via wireless
From: " sherwyn williams" <s-williams () nyc rr com>
Date: Thu, 5 Jan 2006 00:39:03 -0500
Thanks for all of your comments. I have already started trying a few; once I get successful I will report. Thanks again, and feel free to keep them coming.

-----Original Message-----
From: pagvac [mailto:unknown.pentester () gmail com]
Sent: Wednesday, January 04, 2006 8:50 AM
To: pen-test () securityfocus com
Subject: Re: Pentesting Network Share Access via wireless

If you want to aim for the highest I suggest attacking the BDC (backup domain controller), as it's *not* usually as well patched as the primary domain controller and usually runs older versions of Windows than the one running on the PDC (more chances to successfully run an exploit).

In order to find the PDC and BDC you can use the free Microsoft tool "nltest.exe". Just be careful with the version of Windows you're running on your attacking machine (pentester's laptop?). For Windows 2K you need to get it from the Windows Resource Kit [http://www.dynawell.com/reskit/microsoft/win2000/nltest.zip]. In the case of Windows XP SP2 you need "Windows XP SP2 Support Tools" [http://www.microsoft.com/downloads/details.aspx?FamilyId=49AE8576-9BB9-4126-9761-BA8011FABF38&displaylang=en]. This is due to applications such as "nltest.exe" that use API functions that are *not* supported on newer Windows versions.

E.g.:

C:\Program Files\Support Tools>nltest /trusted_domains
(after this, grab the domain that you want to enumerate the PDC/BDC from)

C:\Program Files\Support Tools>nltest /dclist:targetdomain
(now you actually enumerate the DCs of the target domain, where "targetdomain" is one of the domains you obtained from the first command)

Go for the old trick: a canned buffer overflow exploit [http://metasploit.org/tools/framework-2.5-snapshot.tar.gz]. I know it's *not* the most elegant attack, but if the BDC is *not* patched against one of "your" exploits, then there are chances that you'll root the box.

After that, upload pwdump [http://www.bindview.com/Resources/RAZOR/Files/pwdump2.zip] and get *all* the usernames and password hashes of the *entire* domain. I personally upload pwdump to the target BDC by installing Solarwinds' TFTP server (very easy to set up) [http://www.solarwinds.net/Tools/Free_tools/TFTP_Server/] on my attacking machine. So when you get a remote admin shell on the BDC you tftp to your attacking machine ("tftp" command from command prompt), download your pwdump executable onto the target (%temp% folder?) and execute it (dump usernames and hashes). Then copy and paste them all to notepad on your attacking machine and save them so you can later open the file with your favorite Windows hashes cracker. In order to crack the hashes you could use LC5, for instance.

There are MANY other and simpler ways to accomplish this same goal (you might be interested in checking the Meterpreter from Metasploit [http://www.metasploit.com/projects/Framework/docs/meterpreter.pdf]). I'm just mentioning a way that works for me.

Hope that helps. Let me know if you have any further questions.

Regards,
pagvac

On 1/2/06, Thor (Hammer of God) <thor () hammerofgod com> wrote:
----- Original Message -----
From: "Dean De Beer" <dean () indigodark com>
Cc: "'sherwyn williams'" <s-williams () nyc rr com>; <pen-test () securityfocus com>
Sent: Sunday, January 01, 2006 4:52 PM
Subject: Re: Pentesting Network Share Access via wireless

Also, in WinXP the RestrictAnonymous Registry key default value is 0, but this may have been changed locally or via Group Policy to prevent Null Sessions.

While XP's default value of RestrictAnonymous is indeed 0, the default value of RestrictAnonymousSam is 1, and EveryoneIncludesAnonymous is 0. These settings, by default, prevent null session enumeration of SAM accounts, SIDs, etc.
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
--
pagvac (Adrian Pastor)
www.ikwt.com - In Knowledge We Trust
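The thread turns on three LSA registry values (RestrictAnonymous, RestrictAnonymousSAM, EveryoneIncludesAnonymous) and on the point that their effective state may come from Group Policy rather than the OS default. The script below is an added example written for this archive page, not code posted by any participant in the thread: it reads those three values from HKLM\SYSTEM\CurrentControlSet\Control\Lsa on the local host and reports whether each one is at a setting that blocks null-session enumeration. The "hardened" targets it compares against (RestrictAnonymous and RestrictAnonymousSAM at 1 or higher, EveryoneIncludesAnonymous at 0) are an assumption for this audit, not values quoted from the thread; a value that is absent from the registry is reported as "(not set)" so the reader can see where the OS default is what applies.

```powershell
# Added example (not from the thread): audit the LSA anonymous-access
# restrictions discussed above on the local machine.
# Run from an elevated PowerShell prompt on the host being reviewed.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Value name -> test for the hardened state (assumed targets, see lead-in)
# and a short description of what the value controls.
$checks = @{
    'RestrictAnonymous' = @{
        Test = { param($v) ($null -ne $v) -and ($v -ge 1) }
        Note = 'null-session enumeration of shares and users'
    }
    'RestrictAnonymousSAM' = @{
        Test = { param($v) ($null -ne $v) -and ($v -ge 1) }
        Note = 'anonymous enumeration of SAM accounts'
    }
    'EveryoneIncludesAnonymous' = @{
        Test = { param($v) ($null -ne $v) -and ($v -eq 0) }
        Note = 'whether anonymous logons receive Everyone-group rights'
    }
}

function Get-LsaAnonymousSettings {
    # Get-ItemProperty exposes each registry value as a property; a value that
    # was never written (so the OS default applies) comes back as $null.
    $key = Get-ItemProperty -Path $lsaKey
    foreach ($name in $checks.Keys) {
        $actual = $key.$name
        [pscustomobject]@{
            Setting  = $name
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            Hardened = & $checks[$name].Test $actual
            Controls = $checks[$name].Note
        }
    }
}

# Print the audit table; any row with Hardened = False is worth a closer look,
# and a row showing "(not set)" means the OS default, not policy, is in effect.
Get-LsaAnonymousSettings | Sort-Object Setting | Format-Table -AutoSize
```

Because the registry reflects the effective value after Group Policy has been applied, this check answers the question raised in the thread (has the default been changed locally or by policy?) for the host it runs on; run it on a representative workstation and on each domain controller rather than assuming the XP defaults hold everywhere.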
Current thread:
- RE: Pentesting Network Share Access via wireless Inspiration (Jan 01)
- Re: Pentesting Network Share Access via wireless Dean De Beer (Jan 01)
- Re: Pentesting Network Share Access via wireless Thor (Hammer of God) (Jan 01)
- Re: Pentesting Network Share Access via wireless pagvac (Jan 05)
- Re: Pentesting Network Share Access via wireless pagvac (Jan 04)
- RE: Pentesting Network Share Access via wireless sherwyn williams (Jan 04)
- Re: Pentesting Network Share Access via wireless Thor (Hammer of God) (Jan 01)
- Re: Pentesting Network Share Access via wireless Dean De Beer (Jan 01)
- <Possible follow-ups>
- RE: Pentesting Network Share Access via wireless Chris Serafin (Jan 01)