RE: penetration test in a Windows 2000/NT network

From: Razvan (bugtraq@risc.ro)
Date: Fri May 16 2003 - 05:04:22 EDT


Hello folks,

Some of the first things I'd do (given that you'll have at your disposal
a 'usual' computer, not your own custom-made OS, laptop, wifi capable,
etc):

1. Get local administrator access to the workstation (that couldn't be
too hard now, could it? :) )

1.1. You could obtain that either through the vast majority of known (or
not-so-known) flaws inherent to the OS (or)

1.2. Given that you have physical access to the computer (and a FDD),
you could try the excellent tool available at
http://home.eunet.no/~pnordahl/ntpasswd/. This one is a double-edged
method.. By bruteforcing and NOT overwriting the local admin password,
you could be able to gather something that could turn out to be cool..
(variants of it could be used for domain admin or sql, or web
management, or who knows..)
If you can get the local admin hash, I'd take it off-line (i.e. at our
HQ) and do some distributed bruteforcing on it for a 1-2 days.. If
nothing happens, overwrite away.. :)

2. Establish a covert channel for downloading the much needed tools
(establishing a ssl-enabled http bouncer with an innocent-looking domain
outside the perimeter would do it, or something along that line)

3. Download the much needed tools :)

4. Supposing direct Layer 3 communications with the outside are cut
(usual situation), find a way to remotely and covertly control the
computer. This one is nice for after-hours digging..
http://www.nocrew.org/software/httptunnel.html comes to mind..

5. Find a computer with a modem attached to it (look around the office..
you're bound to see one.. ask the fellow to mail you some document, to
get his IP.. I'd say wardial, but it could be hard to determine the IP
from the phone number, correct me if I'm wrong.. well, you could try
calling modem number +/- 1,2,3 and do some social engineering..). Once
you found it, own it (physical access during lunch hours comes to mind),
install a voice dialler of some sort, httptunnel it, and show the
management how you were able to make voice calls from your home computer
to China or smth through their network and PBX.. That's bound to get a
reaction.. :) Machiavelli would've been a great hacker.. :)

Final thoughts.. I'd leave ettercap and the sorts towards the end.. that
sort of tool could be quite noisy, and noise is a no-no.. on the other
hand, Windows is a joy to poison (it happily overwrites static ARP
entries, except XP). Anyway, there's quite a lot of damage to be done
given hands-on access.

Also, do not overlook the dangers of lax physical security. Seek the
path of least resistance towards your goal (wow.. :)) If you can mail
yourself the payroll files from the HR desktop, why intercept their SMB
password?

Razvan Teslaru

-----Original Message-----
From: heron heron [mailto:h.heron@firemail.de]
Sent: Wednesday, May 14, 2003 16:30
To: pen-test@securityfocus.com
Subject: penetration test in a Windows 2000/NT network

Hi,

I will accomplish a penetration test in a Windows 2000/NT network
shortly. A goal is to get confidential information (files) and, if
possible, to get admin rights. I will be with my computers in the LAN. A
computer for normal use (thus no admin access) is likewise put at my
disposal.

Is there a possibility on a Windows 2000 computer (physical access is
possible) to attain admin rights without overwriting the admin account?
Background: I would like to try to crack the password of the local admin
(e.g. by means of pwdump and John). There is the possibility that all
admin passwords (also for the domain) are alike.

Is there a tool with which I can crack NTLMv2 hashes? Background: I will
try to sniff hashes during the logon at the DC (e.g. CAIN, ettercap) and
to crack them. Unfortunately, I still know of no tool to crack NTLMv2
hashes.

A further possibility to come by information would be the employment of
an SMB proxy. By ARP spoofing it would nevertheless be theoretically
possible to intercept the LM/NTLM (v1/v2) authentication. Then the
attacker could log on at the server in its place. Is there already such
a tool?

Who has suggestions? For tools, please always give the web URL (if
possible, the programmer's).

Greeting
Heron
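Both Razvan's closing remark (Windows, except XP, happily lets a poisoner overwrite even static ARP entries) and Heron's ARP-spoofing question describe the same condition from the defender's side: the victim's ARP cache suddenly maps the gateway or the DC to a different MAC, and one MAC starts answering for several addresses. The following Python script is an added example and not code from either poster or from any tool named in the thread. It diffs two snapshots of Windows `arp -a` output (the two snapshots below are constructed, with made-up addresses) and reports the three signs a practitioner would watch for: a MAC change on a known host, a static entry that has turned dynamic or changed, and one MAC claiming several IPs. The severity labels and the `gateway` parameter are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample output in the format of Windows 2000 `arp -a`.
# The addresses are made up for this example and not from the original post.
BEFORE = """\
Interface: 192.168.1.50 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.168.1.1           00-0c-29-aa-bb-01     static
  192.168.1.20          00-0c-29-aa-bb-20     dynamic
  192.168.1.77          00-0c-29-aa-bb-77     dynamic
"""

# Same host a few minutes later: the gateway entry now carries the MAC of
# 192.168.1.77 and has lost its "static" type.
AFTER = """\
Interface: 192.168.1.50 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.168.1.1           00-0c-29-aa-bb-77     dynamic
  192.168.1.20          00-0c-29-aa-bb-20     dynamic
  192.168.1.77          00-0c-29-aa-bb-77     dynamic
"""

# One ARP table row: dotted IPv4, dash-separated MAC, entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(static|dynamic)\s*$",
    re.IGNORECASE,
)


def parse_arp(text):
    """Return {ip: (mac, type)} from `arp -a` output; header lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            table[m.group(1)] = (m.group(2).lower(), m.group(3).lower())
    return table


def diff_arp(before, after, gateway=None):
    """Compare two snapshots and return a list of (severity, message) findings."""
    findings = []
    old, new = parse_arp(before), parse_arp(after)

    for ip, (mac, typ) in new.items():
        if ip not in old:
            continue
        old_mac, old_typ = old[ip]
        if old_mac != mac:
            # A MAC change on the gateway is the classic man-in-the-middle sign.
            severity = "high" if ip == gateway else "medium"
            findings.append((severity, f"{ip} changed MAC {old_mac} -> {mac}"))
        if old_typ == "static" and typ != "static":
            # Razvan's point: pre-XP Windows lets a static entry be overwritten.
            findings.append(("high", f"{ip} lost its static ARP entry (now {typ})"))

    # One MAC answering for several IPs is the signature of an active poisoner.
    by_mac = defaultdict(list)
    for ip, (mac, _) in new.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("high", f"MAC {mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}"))
    return findings


if __name__ == "__main__":
    for severity, message in diff_arp(BEFORE, AFTER, gateway="192.168.1.1"):
        print(f"[{severity}] {message}")
```

In practice the snapshots come from a scheduled `arp -a` run on a few sensitive hosts (the DC, the HR desktop Razvan mentions), and the diff is taken against the previous run; a quiet network produces no findings at all, so every line this prints is worth a look.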

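Razvan's steps 2 to 4 describe keeping an HTTP/SSL "bouncer" or an httptunnel session open through the perimeter so that tools can be fetched and the box controlled after hours. From the defender's side that channel tends to stand out in the proxy log as one internal client talking to one outside host at a clockwork interval, with nearly every request an upload (POST or CONNECT) rather than a page fetch. The following Python script is an added example and not code from either poster or from the httptunnel project. It scores constructed proxy-log lines (the log format, hosts, addresses and timestamps are all made up) on request count, timing regularity and upload share; the three thresholds are assumptions to be tuned against a real log.

```python
import statistics
from collections import defaultdict

# Constructed proxy log: "epoch client host method path status bytes".
# The first client beacons to one host every 60 s with small POSTs; the
# second is an ordinary user browsing a news site. All values are made up.
LOG = """\
1053100000 10.0.0.15 cdn.example.test POST /up 200 512
1053100060 10.0.0.15 cdn.example.test POST /up 200 498
1053100120 10.0.0.15 cdn.example.test POST /up 200 501
1053100180 10.0.0.15 cdn.example.test POST /up 200 507
1053100240 10.0.0.15 cdn.example.test POST /up 200 511
1053100300 10.0.0.15 cdn.example.test POST /up 200 499
1053100360 10.0.0.15 cdn.example.test POST /up 200 503
1053100012 10.0.0.23 news.example.test GET /index.html 200 14210
1053100017 10.0.0.23 news.example.test GET /style.css 200 2210
1053100019 10.0.0.23 news.example.test GET /logo.gif 200 4100
1053100844 10.0.0.23 news.example.test GET /story/17 200 18300
1053101420 10.0.0.23 news.example.test GET /story/18 200 17900
1053102002 10.0.0.23 news.example.test POST /comment 302 120
1053102390 10.0.0.23 news.example.test GET /story/19 200 18020
"""


def parse_log(text):
    """Parse the constructed log format into tuples; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts, client, host, method, path, status, nbytes = parts
        rows.append((int(ts), client, host, method.upper(), path, int(status), int(nbytes)))
    return rows


def beacon_stats(rows):
    """Per (client, host): request count, coefficient of variation of the
    inter-request gaps (0 means perfectly regular) and share of upload-style
    requests (POST or CONNECT)."""
    groups = defaultdict(list)
    for ts, client, host, method, *_ in rows:
        groups[(client, host)].append((ts, method))

    stats = {}
    for key, items in groups.items():
        items.sort()
        times = [t for t, _ in items]
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) >= 2 and statistics.mean(gaps) > 0:
            cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        else:
            cv = float("inf")  # too few requests to judge regularity
        upload_share = sum(m in ("POST", "CONNECT") for _, m in items) / len(items)
        stats[key] = {"count": len(items), "cv": cv, "upload_share": upload_share}
    return stats


def flag_tunnels(rows, min_count=6, max_cv=0.25, min_upload=0.8):
    """Return the (client, host) pairs that look like a tunnel or beacon.
    The thresholds are assumptions for this example, not established values."""
    return sorted(
        key
        for key, s in beacon_stats(rows).items()
        if s["count"] >= min_count and s["cv"] <= max_cv and s["upload_share"] >= min_upload
    )


if __name__ == "__main__":
    for client, host in flag_tunnels(parse_log(LOG)):
        print(f"suspected covert channel: {client} -> {host}")
```

Human browsing is bursty (a page and its images within seconds, then minutes of nothing), which is why the news-site client scores a high coefficient of variation and is left alone; a tunnel that polls on a timer cannot hide its regularity without giving up responsiveness, so timing is a more robust signal than the destination name, which is chosen to look innocent.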




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:33 EDT