RE: hacking a NT domain after the member server

From: Blake Frantz (blake@mc.net)
Date: Thu Jun 13 2002 - 15:49:02 EDT


You can get a win32 port of dsniff at
http://www.datanerds.net/~mike/dsniff.html. I don't think this version
has support for NTLM authentication but it's my experience that people
reuse the same passwords for many services/boxes.

Does the SQL server authenticate via trusted connections? Provided you
can sniff/snarf for NTLM you should be able to get domain credentials
whenever someone authenticates to the server (unless NTLMv2 auth is
used, I don't think I've seen a tool for this, anyone?)

Have you tried to nbtdump/enum the other winboxen? Aside from names of
shares and users I've seen admins actually put passwords in the Comment
field for user accounts that pertain to specific services. Seriously.
While you're at it, try out talkntlm and the methods described in
http://www.atstake.com/research/advisories/2000/a091400-1.txt. Couldn't
hurt.

If all else fails, brute force accounts using nat
http://www.cotse.com/tools/sw/nat10bin.zip.

Just some thoughts.

Blake Frantz MCSE, CCNA
Network Security Analyst
mc.net
720 Industrial Drive #121
Cary, IL 60013
phn: (847)-594-5111 x5734
fax: (847)-639-0097
mailto:blake@mc.net
http://www.mc.net
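The NTLMv1 versus NTLMv2 distinction raised above, as an added example that is not from this thread: a small parser that reads one NTLMSSP AUTHENTICATE (type 3) message and reports whether the client answered with an NTLMv1 or an NTLMv2 response, which is the check a defender would run over captured traffic to find hosts still negotiating the crackable NTLMv1 variant. The layout follows the MS-NLMP AUTHENTICATE_MESSAGE; the sample messages are constructed inside the block, and build_authenticate and classify_ntlm_auth are names chosen here.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE = 3            # MessageType of an AUTHENTICATE_MESSAGE
NEGOTIATE_UNICODE = 0x00000001


def _field(length, offset):
    # MS-NLMP security buffer: Len, MaxLen, BufferOffset (all little-endian)
    return struct.pack("<HHI", length, length, offset)


def build_authenticate(domain, user, nt_response, lm_response=b"\x00" * 24):
    """Constructed sample type 3 message for testing, not a real capture."""
    header_len = 64  # signature + type + six buffer fields + NegotiateFlags
    payload, fields = b"", []
    # Order of the buffer fields in the header: LM response, NT response,
    # domain, user, workstation, encrypted session key (last two left empty)
    for blob in (lm_response, nt_response, domain.encode("utf-16-le"),
                 user.encode("utf-16-le"), b"", b""):
        fields.append(_field(len(blob), header_len + len(payload)))
        payload += blob
    return (NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE)
            + b"".join(fields) + struct.pack("<I", NEGOTIATE_UNICODE) + payload)


def classify_ntlm_auth(msg):
    """Return (domain, user, 'NTLMv1' or 'NTLMv2') for one type 3 message."""
    if msg[:8] != NTLMSSP_SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE:
        raise ValueError("not an NTLMSSP AUTHENTICATE message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    charset = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"

    def read(pos):
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
        return msg[offset:offset + length]

    nt_resp = read(20)
    domain = read(28).decode(charset)
    user = read(36).decode(charset)
    # An NTLMv1 NT response is exactly 24 bytes (DES over the server challenge).
    # An NTLMv2 response is a 16-byte HMAC-MD5 followed by a variable-length
    # blob (timestamp, client nonce, target info), so it is always longer.
    version = "NTLMv2" if len(nt_resp) > 24 else "NTLMv1"
    return domain, user, version
```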

 
-----Original Message-----
From: Jason [mailto:cisspstudy@yahoo.com]
Sent: Thursday, June 13, 2002 3:49 AM
To: pen-test@securityfocus.com
Subject: hacking a NT domain after the member server

Currently doing a penetration test and managed to compromise a development
SQL server (W2K/SQL 2000) that is a member of the domain.

I am trying to gather additional information from this host that will
allow me to compromise the domain.

There are no accounts on this host that are the same as the domain.
LSA secrets revealed nothing interesting.

Does anyone have any other ideas?

I would like to install a command line NTLM password sniffer. Does anyone
know of one?

However, people rarely use this server and I am unlikely to get any domain
passwords this way.

Any other ideas?

Any help appreciated.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:22 EDT