RE: *** GMX Spamverdacht *** Remotely starting the "server" process on win XP

From: Gerald Cody Bunch (gbunch@gmx.net)
Date: Thu Sep 04 2003 - 08:28:56 EDT


Yes, the run as command allows you to run the command on the local
machine under the current context, and when running a command against a
remote box, it removes the need to authenticate, which services.msc
(under xp it gives the option to connect to remote computer, under 2k
you have to use computer mgnt) will need to do. However, your first
point, while correct nullifies this as having the server service stopped
takes care of this.

There may be other more creative methods of taking care of this, however
they escape me at the moment. IE the RPC/DCOM hole that blaster/nachi
used carried with it some shell code, which gave a console to the remote
machine. However, I do not know if it requires the server service to be
started (I don't believe so, but don't want to say without having
tested)

 Thanks,

 Gerald Cody Bunch
 gbunch@gmx.net

-----Original Message-----
From: Richard Stevens [mailto:richard@tccnet.co.uk]
Sent: Thursday, September 04, 2003 4:28 AM
To: gbunch@gmx.net; Lachniet, Mark; Pen-test@securityfocus.com
Subject: RE: *** GMX Spamverdacht *** Remotely starting the "server"
process on win XP

think I disagree with these..

you can do the first option from computer management (though couldnt
find it in services), but it does not work if the server service is not
running on the remote machine.

my understanding of the "run as" is that it will run this on the local
machine under the context of the user specified.. not helping with the
problem of starting server on the remote machine.... but will be happy
to be corrected on this??

I would be very interested to hear of a solution to this problem as it
seems a very good way of bullet-proofing XP/2k.

Regards

Richard

-----Original Message-----
From: Gerald Cody Bunch [mailto:gbunch@gmx.net]
Sent: 03 September 2003 02:49
To: 'Lachniet, Mark'; Pen-test@securityfocus.com
Subject: RE: *** GMX Spamverdacht *** Remotely starting the "server"
process on win XP

If you have already gained the admin password, the rest should be cake.

If your machine is 2k/xp you should be able to run services.msc

Right click 'Services' in the left pane, and click connect to another
computer. Give it the IP address of the remote machine, and when it asks
for authentication,
give it the username/password you have gained, and start all the
services you like.

Alternatively you can drop to the command prompt on your machine
"cmd.exe" And issue a (Runas /user:domain\username "mmc
%windir%\system32\services.msc")
Using the username and password of the user you have gained, and also
start services at your liking.

 Thanks,

 Gerald Cody Bunch
 gbunch@gmx.net

-----Original Message-----
From: Lachniet, Mark [mailto:mlachniet@sequoianet.com]
Sent: Tuesday, September 02, 2003 11:24 AM
To: Pen-test@securityfocus.com
Subject: *** GMX Spamverdacht *** Remotely starting the "server" process
on win XP

Hello all,

I was hoping someone could provide an opinion on the following scenario:

Assume that I am pen-testing a Windows XP workstation across the
network. Further assume that it is fully patched, and no known exploits
will work. Lastly, assume that I have gotten the admin password, but am
limited by the amount of fun I can have because the Server process is
not started, nor is IIS or any other obvious means of ingress. Short of
the usual trickery (physical access to the machine, tricking someone,
hacking a user workstation, etc.), can anyone suggest a good way to
remotely start the server process so that I could then continue
pen-testing the box?

Thanks,

Mark Lachniet

------------------------------------------------------------------------

---
FREE Trial!
New for security consultants and in-house pros: FOUNDSTONE PROFESSIONAL 
and PROFESSIONAL TL software. Fast, reliable vulnerability assessment 
technology powered by the award-winning FoundScan engine. Try it free
for  21 days at:
http://www.securityfocus.com/sponsor/Foundstone_pen-test_030825
------------------------------------------------------------------------
----
------------------------------------------------------------------------
---
FREE Trial!
New for security consultants and in-house pros: FOUNDSTONE PROFESSIONAL 
and PROFESSIONAL TL software. Fast, reliable vulnerability assessment 
technology powered by the award-winning FoundScan engine. Try it free
for  21 days at:
http://www.securityfocus.com/sponsor/Foundstone_pen-test_030825
------------------------------------------------------------------------
----
---------------------------------------------------------------------------
FREE Trial!
New for security consultants and in-house pros: FOUNDSTONE PROFESSIONAL 
and PROFESSIONAL TL software. Fast, reliable vulnerability assessment 
technology powered by the award-winning FoundScan engine. Try it free for  21 days at: http://www.securityfocus.com/sponsor/Foundstone_pen-test_030825
----------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:39 EDT