Re[2]: Windows Administrator access

From: Bo Cato (jcato73@comcast.net)
Date: Wed Mar 01 2006 - 13:53:52 EST


As I understand the question, you are faced with the problem of
proving your access level on a system that you cannot make
modifications to, per some agreement for the test.

If memory serves me correctly, by default you have to have power-user
or above access to even see the contents of the local administrators
group.

So if you run "net localgroup administrators" and get a list and not
an error, you have proven elevated access. This requires no system
changes.

Also you never specified what kind of shell. Local or remote?

Assuming this is a cooperative test you could have the administrator
create a simple text file with only administrator rights. If you can
display contents with "type admin.txt" then there again is your proof.
And there are files that are administrator only such as in the
/windows/repair/ directory. The type command would prove access, but
I'd pipe it to more to cut down on the beeps and boops from
non-printable characters.

Displaying your ability to change permissions via cacls is good proof
but it may be in violation of your no modification agreement. Up to
you.

-b

JT> Are you trying to show current priv or levels for other users i.e sam
JT> list. Also what exactly are you trying to verify? There are a few off
JT> top that I know that can get you the info that you need.

JT> C:\dir /q /a
JT> C:\cacls /p user:perm - use this to set or deny perms and gauge against
JT> current permissions

JT> Or the old fashioned edit command GptTmpl.inf file

JT> Hope that helps
JT> Jasun Tate
JT> Sr. Security Administrator
JT> Network Operations-ICW Group
JT> Office #858-350-2459
  

JT> ~~INVEST IN LOSS~~ Chen Man Ching

JT> -----Original Message-----
JT> From: ROB DIXON [mailto:rdixon@workforcewv.org]
JT> Sent: Monday, February 27, 2006 5:32 AM
JT> To: dillama@gmail.com; pen-test@securityfocus.com
JT> Subject: Re: Windows Administrator access

JT> Hi Dillama,

JT> Can we ask how you have gained access at this point? What technique are
JT> you demoing?

JT> Robert L. Dixon, CSO
JT> CHFI A+
JT> State of West Virginia's
JT> West Virginia Office of Technology
JT> Infrastructure Applications
JT> Netware/GroupWise Administrator
JT> Telephone: (304)-558-5472 ex.4225
JT> Email:rdixon@workforcewv.org
>>>> Dillama <dillama@gmail.com> >>>
JT> After gaining shell access to a Windows box, is there any way to show
JT> administrator privilege without changing the config or uploading new
JT> files?

JT> I have to demo the ability to gain administrator access to a Win 2000
JT> box, the catch is no changes on the box so adding a user or loading
JT> whoami.exe from resource kit would not be options. Any suggestion here
JT> would be appreciated.

JT> Thanks

JT> ---
JT> Dillama





This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:35 EDT
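
Added example, not part of the original thread: a small Python check that reviews a session transcript against the "no modification" agreement discussed above, separating the display-only commands named in the thread from forms that change state (cacls with an ACL-editing switch, net with /add or /delete, output redirection). The transcript, file names and user names are constructed for illustration; anything not on the short reviewed list is reported as unknown for manual review rather than assumed safe.

```python
import re

READ_ONLY = {"type", "dir", "more"}            # display-only commands from the thread
CACLS_WRITE = {"/e", "/g", "/r", "/p", "/d"}   # cacls switches that rewrite an ACL
NET_WRITE = {"/add", "/delete"}                # net switches that change accounts/groups
PROMPT = re.compile(r"^[A-Za-z]:\\[^>]*>\s*")  # leading "C:\>" style prompt
RANK = {"read-only": 0, "unknown": 1, "modifies": 2}

# Constructed transcript (file and user names are made up for the example).
SAMPLE = r"""
C:\>net localgroup administrators
C:\>type admin.txt | more
C:\>dir /q /a
C:\>cacls admin.txt
C:\>cacls admin.txt /e /p tester:r
C:\>net localgroup administrators tester /add
C:\>type admin.txt > copy.txt
C:\>edit GptTmpl.inf
"""


def classify(line):
    """Return (verdict, reason) for one command line; the worst pipe segment wins."""
    cmd = PROMPT.sub("", line.strip())
    if ">" in cmd:
        return "modifies", "output redirection writes a file"
    worst = ("read-only", "display only")
    for segment in cmd.split("|"):
        tokens = segment.lower().split()
        if not tokens:
            continue
        name, args = tokens[0], set(tokens[1:])
        if name == "cacls" and CACLS_WRITE & args:
            result = ("modifies", "cacls switch rewrites the ACL")
        elif name == "net" and NET_WRITE & args:
            result = ("modifies", "net switch changes an account or group")
        elif name == "cacls" or name in READ_ONLY:
            result = ("read-only", "display only")
        elif name == "net" and tokens[1:2] == ["localgroup"] and len(tokens) <= 3:
            result = ("read-only", "display only")  # lists groups or one group's members
        else:
            result = ("unknown", "not on the reviewed list: " + name)
        if RANK[result[0]] > RANK[worst[0]]:
            worst = result
    return worst


def audit(transcript):
    """Return (line, verdict, reason) for every command that is not read-only."""
    rows = [(l.strip(), *classify(l)) for l in transcript.splitlines() if l.strip()]
    return [row for row in rows if row[1] != "read-only"]


if __name__ == "__main__":
    for line, verdict, reason in audit(SAMPLE):
        print(f"{verdict:9} {line}  ({reason})")
```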