RE: penetration test in a Windows 2000/NT network

From: Herwig.Thyssens@ey.be
Date: Thu May 15 2003 - 05:05:18 EDT

• Next message: Alfred Huger: "New Article - Security Tools: From Mermaids to Suckling Pigs"
• Previous message: Rohan Amin: "Re: Owl Intranet Engine - bypass admin"
• Maybe in reply to: heron heron: "penetration test in a Windows 2000/NT network"
• Next in thread: Razvan: "RE: penetration test in a Windows 2000/NT network"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

An other way of tackling the problem is going 'SNMP'. If you can find a
hole in that (write access, etc), you control the complete network. Why go
specific if it is possible to become "puppet master of then all". There
are some nice tools out there (commercial and open source) to find the SNMP
services and play with them (e.g. solarwinds, sans SNMPing and of course
nmap).

But more specific towards your questions:

=> smbrelay; smbrelay2 (Sir Dystic, Cult of the dead cow, man-in-the middle
relay attack, a very fun tool :-)

Met vriendelijke groet,

Herwig Thyssens
Ernst & Young TSRS (formerly ISAAS)
Technology and Security Risk Services
204 Avenue Marcel Thiry Laan, B-1200 Brussels, Belgium
Tel: +32-(0)2-774.63.08 - Fax: +32-(0)2-774.94.79
E-mail: herwig.thyssens@ey.be Url: www.tsrs.be

- -----Original Message-----
From: Ballowe, Charles [mailto:CBallowe@usg.com]
Sent: Wednesday, May 14, 2003 4:11 PM
To: 'heron heron'; pen-test@securityfocus.com
Subject: RE: penetration test in a Windows 2000/NT network

This sounds like a test from within the company. As it seems that
you will have physical access to facilities etc, would it be possible
for you to install something like a hardware key logger on a network
administrators workstation?

If someone has physical access to the LAN, I don't see why they couldn't
place devices on peoples systems. It may violate the rules for this
particular pen-test, but is something to think about. I see that you've
specified that physical access to Win2k systems is possible, and are
interested in not modifying the administrator account -- hardware
keyloggers
seem like an ideal solution.

What about wireless sniffers? Does the target use any wireless networking
at their facility?

> -----Original Message-----
> From: heron heron [mailto:h.heron@firemail.de]
> Sent: Wednesday, May 14, 2003 8:30 AM
> To: pen-test@securityfocus.com
> Subject: penetration test in a Windows 2000/NT network
>
>
> Hi,
>
> I will accomplish a penetration test in a Windows 2000/NT
> network shortly. A
> goal is to get confidential information (files) and if
> possible get admin
> rights. I will be with my computers in the LAN. A computer
> for normal uses (thus
> no Admin access) is likewise put to me at the disposal.
>
> Is there a possibility on a Windows 2000 computers (physical
> access is possible)
> to attain admin rights without to overwrite the admin
> account. Background: I
> would like try to crack the password of the local admin (e.g.
> by means of pwdump
> and John). There ist the possibility that all admin passwords
> (also for the
> domain) is alike.
>
> Is there a tool, with which I can crack NTLMv2 hashes.
> Background: I will try to
> sniff hashes during the registration at the DC (e.g. CAIN,
> ettercap) and to
> crack them. Unfortunately me is still no tool known in order
> to crack NTLMv2
> hashes.
>
> A further possibility at to come to information, would be the
> employment of a
> SMB Proxy. By ARP Spoofing it would be nevertheless
> theoretically possible to
> intercept the LM/NTLM(v1/v2) authentication . Then the
> attacker could itself
> instead announce at the server. Does it give there already
> such a Tool?
>
> Who has suggestions? For Tools please give always in the Web
> URL (if possible of
> the programmer).
>
> Greeting
> Heron
>
> __________________________________________________________________
> Arcor-DSL Flatrate - jetzt kostenlos einsteigen und bis zu
> 76,18 Euro sparen!
> Arcor-DSL gibt es jetzt auch mit bis zu 1500 Mbit/s
> Downstream!
http://www.angebot.arcor.net/cgi-bin/angebot.cgi?key=b13e92247022

-
---------------------------------------------------------------------------
*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies
that are enforced to protect WLANs from known vulnerabilities and threats.
Learn to design, implement and enforce WLAN security policies to lockdown
enterprise WLANs.

To get your FREE white paper visit us at:
http://www.securityfocus.com/AirDefense-pen-test
-
----------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPsK2iTe9i44rosLHEQL13wCg0lqCvKV5vusS/6kHJPUJf129pzYAn3F3
x4C8/9cmkmjoGp9oi3Fa4ln7
=8n8c
-----END PGP SIGNATURE-----

---------------------------------------------------------------------------
*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies
that are enforced to protect WLANs from known vulnerabilities and threats.
Learn to design, implement and enforce WLAN security policies to lockdown
enterprise WLANs.

To get your FREE white paper visit us at:
http://www.securityfocus.com/AirDefense-pen-test
----------------------------------------------------------------------------

______________________________________________________________________

The information contained in this communication is intended solely for
the use of the individual or entity to whom it is addressed and others
authorized to receive it. It may contain confidential or legally
privileged information. If you are not the intended recipient you are
hereby notified that any disclosure, copying, distribution or taking
any action in reliance on the contents of this information is strictly
prohibited and may be unlawful. If you have received this
communication in error, please notify us immediately by responding to
this email and then delete it from your system. Ernst & Young is
neither liable for the proper and complete transmission of the
information contained in this communication nor for any delay in its
receipt.

---------------------------------------------------------------------------
*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies
that are enforced to protect WLANs from known vulnerabilities and threats.
Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.

To get your FREE white paper visit us at:
http://www.securityfocus.com/AirDefense-pen-test
----------------------------------------------------------------------------

• Next message: Alfred Huger: "New Article - Security Tools: From Mermaids to Suckling Pigs"
• Previous message: Rohan Amin: "Re: Owl Intranet Engine - bypass admin"
• Maybe in reply to: heron heron: "penetration test in a Windows 2000/NT network"
• Next in thread: Razvan: "RE: penetration test in a Windows 2000/NT network"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:33 EDT