xŸ>" фш€IPM.Microsoft Mail.Note1 €€г%)l'  #& ).1эRœЛ2˜ZKˆy_КњўфG 6pMS Office FilesqТжxвШ,R…, MBйЊ=‰haіž SMTP:SHONKY_TMP@HOTPOP.COM @?тxжТ эRœЛ2˜ZKˆy_КњўТ€ (.00000005shonky_tmp@hotpop.compop.hotpop.com).00000005shonky_tmp@hotpop.compop.hotpop.comB2’:Э MOQБхN›Юgxќ@о?ŸN Y@e € РF…€ РF…€ РFR…—:€ РF…Ё€ РFT…10.0 Ђ€ РF… Љ€ РF…Ќ€ РF… Ф€ РF‚…јэRœЛ2˜ZKˆy_КњўњэRœЛ2˜ZKˆy_Књўћ”8ЁЛхЁЛ+*VТmspst.dllNITAљПИЊ7йnC:\Documents and Settings\winter\Local Settings\Application Data\Microsoft\Outlook\Outlook.pstў 4§74NITAљПИЊ7йn100000000ED529CBB32985A4B8814795FBAFA00FE24482000сџџџџ =€Untitled Attachmentr€г%G€YThis attachment is a MAPI 1.0 embedded message and is not supported by this mail system.ђ€И  м! џџџЅA Цˆ ( @џџџ`p5˜p5xНx5˜Lё$чˆp5ь№Р x№П  € џџџџџџџџџџџџџџџџџџџџРРРРРРРРРРРРРРРРРРРРРџџџџџџџџџџџџџџџџџџџџџџџџ!A Ff (  €€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€џџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџ€€€€€€џџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџ€€€€€€РРРџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџРРР€€€€€€џџџРРРџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџРРРџџџ€€€€€€џџџџџРРРџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџРРРџџџџџџ€€€€€€џџџџџџџџџРРРџџџџџџџџџџџџџџџџџРРРРРРРРРРРРРРРџџџџџџџџџџџџџџџџРРРџџџџџџџџ€€€€€€џџџџџџџџџџџџРРРџџџџџџџџџџџРРР€€€€€€€€€€€€€€€РРРРРРџџџџџџџџРРРџџџџџџџџџџџ€€€€€€џџџџџџџџџџџџџџРРРџџџџџџРРР€€€џџџџџџџџџџџџџџџ€€€РРРРРРџџџРРРџџџџџџџџџџџџџџ€€€€€€џџџџџџџџџџџџџџџџџРРРРРР€€€џџџџџџџџџџџџџџџџџџ€€€РРРРРРџџџџџџџџџџџџџџџџџ€€€€€€џџџџџџџџџџџџџџџџџџРРР€€€џџџџџџџџџџџџџџџџџџџџџџџџџџ€€€РРРџџџџџџџџџџџџџџџџ€€€€€€џџџџџџџџџџџџџџџРРР€€€џџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџ€€€РРРџџџџџџџџџџџџџџ€€€€€€џџџџџџџџџџџџРРР€€€џџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџ€€€РРРџџџџџџџџџџџ€€€€€€џџџџџџџџџРРР€€€џџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџ€€€РРРџџџџџџџџџ€€€€€€џџџџџџРРР€€€џџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџ€€€РРРџџџџџ€€€€€€џџџРРР€€€џџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџ€€€РРРџџџ€€€€€€РРР€€€џџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџ€€€РРР€€€€€€€€€џџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџ€€€€€€€€€џџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџџ€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€КЇ„ ї"0MS Office Files 7РFxŸ>" фш€IPM.Microsoft Mail.Note1€MS Office Files€г 11€>>Romes, Randall J.SMTP:Rromes@larsonallen.comV€г-0R€!! € -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 During the course of a pen test, we have been able to download some word documents from a web server. I have determined that the author of the documents is/was an employee of the company I am testing. I recall a while back seeing a post somewhere about pulling credential information from Office documents, but I can' t seem to find it now. Does this ring a bell, and if so, can anyone point me in the right direction? Thanks Randy Romes rromes@larsonallen.com - -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQA/AwUBPkwXcDe9i44rosLHEQLd1ACfW4aS0PT/xDhogZl/qjZTEJxYFNQAoOth IWXGpDaT2URQN5oCL/1aaTlb =Kn7u - -----END PGP SIGNATURE----- - ---------------------------------------------------------------------- - ------ This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/ -----BEGIN PGP SIGNATURE----- Version: PGP 7.1 iQA/AwUBPlDJR83ds5Ih53HSEQI22ACgoq80VgkztaTK8XxdUJZ2FuyDbCkAoLFd 7Wf7AZ13uyd2+yTd3IA9SKxg =GH4+ -----END PGP SIGNATURE----- 4Š €г$'O €!600D5F6A9147AB4EBCEB4FBA269CF94B џS+ЄОЃnнTpen-test@securityfocus.comSMTPpen-test@securityfocus.com0pen-test@securityfocus.com0SMTP0pen-test@securityfocus.com 0 SMTP:PEN-TEST@SECURITYFOCUS.COMі0?„9@9€n|ЌгТ;SMTP:RROMES@LARSONALLEN.COM?:+ЄОЃnнTwinterSMTPshonky_sec@hotpop.com@winterAF+ЄОЃnнTRomes, Randall J.SMTPRromes@larsonallen.comBRomes, Randall J.C:+ЄОЃnнTwinterSMTPshonky_sec@hotpop.comDwinterQSMTP:SHONKY_SEC@HOTPOP.COMRSMTP:SHONKY_SEC@HOTPOP.COMdSMTPeRromes@larsonallen.compMS Office FilesuSMTPvshonky_sec@hotpop.comwSMTPxshonky_sec@hotpop.com}Return-Path: Received: from outgoing3.securityfocus.com (outgoing3.securityfocus.com [205.206.231.27]) by mx1.hotpop.com (Postfix) with ESMTP id 91414E8031 for ; Fri, 14 Feb 2003 17:45:48 +0000 (UTC) Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19]) by outgoing3.securityfocus.com (Postfix) with QMQP id C7950A30F1; Fri, 14 Feb 2003 09:40:17 -0700 (MST) Mailing-List: contact pen-test-help@securityfocus.com; run by ezmlm Precedence: bulk List-Id: List-Post: List-Help: List-Unsubscribe: List-Subscribe: Delivered-To: mailing list pen-test@securityfocus.com Delivered-To: moderator for pen-test@securityfocus.com Received: (qmail 4727 invoked from network); 13 Feb 2003 22:05:11 -0000 Message-ID: From: "Romes, Randall J." To: pen-test@securityfocus.com Subject: MS Office Files Date: Thu, 13 Feb 2003 16:08:49 -0600 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2656.59) Content-Type: text/plain; charset="iso-8859-1" X-HotPOP-Delivered-To: shonky_sec@hotpop.com  Romes, Randall J. SMTP:RROMES@LARSONALLEN.COM SMTP Rromes@larsonallen.compen-test@securityfocus.com@ЎRшPдТ (/00000004shonky_sec@hotpop.compop3.hotpop.com)/00000004shonky_sec@hotpop.compop3.hotpop.com52C)D.E0F=pen-test-return-2723-shonky_sec=hotpop.com@securityfocus.com’@0рh}0xжТ@0ХжxжТо?Џo e!&b20030217113220a29abd650cbc2d47Т€ РF€…pop3.hotpop.comУ€ РF…00000004shonky_sec@hotpop.com, РFLPOP://pop.hotpop.com/a29abd650cbc2d47- РF"a29abd650cbc2d47/†РFX-Mailer$Internet Mail Service (5.5.2656.59)0†РF,X-HotPOP-Delivered-Toshonky_sec@hotpop.com3€v:NzЗаЅРOжV…,Internet Charset Body -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 During the course of a pen test, we have been able to download some word documents from a web server. I have determined that the author of the documents is/was an employee of the company I am testing. I recall a while back seeing a post somewhere about pulling credential information from Office documents, but I can' t seem to find it now. Does this ring a bell, and if so, can anyone point me in the right direction? Thanks Randy Romes rromes@larsonallen.com -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQA/AwUBPkwXcDe9i44rosLHEQLd1ACfW4aS0PT/xDhogZl/qjZTEJxYFNQAoOth IWXGpDaT2URQN5oCL/1aaTlb =Kn7u -----END PGP SIGNATURE----- ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/ = MS Office FilesєїјэRœЛ2˜ZKˆy_КњўњэRœЛ2˜ZKˆy_Књўћ”8ЁЛхЁЛ+*VТmspst.dllNITAљПИЊ7йnC:\Documents and Settings\winter\Local Settings\Application Data\Microsoft\Outlook\Outlook.pstў 4§7'77 7џџџџ7њ@ћ@нЃWEГ @ќ@нЃWEГ § ў!E…јэRœЛ2˜ZKˆy_КњўњэRœЛ2˜ZKˆy_Књўћ”8ЁЛхЁЛ+*VТmspst.dllNITAљПИЊ7йnC:\Documents and Settings\winter\Local Settings\Application Data\Microsoft\Outlook\Outlook.pstўеv