There have been some questions over whether it is possible to "trojan" a profile and get the domain administrator to pick it up. Sometimes this works over the network, sometimes not - thanks to all who have tried. Below is a sure-fire way of getting this to succeed. I have tested this on both SP3 and SP4 machines and it has worked consistently:

Network setup:

NT Server 4 (SP4) Primary Domain Controller for domain TEST is called PDC.
NT Workstation 4 (SP4) client which is part of the TEST domain. This machine is called CLIENT.

The Administrator has a local profile stored on PDC.
All other domain users have a roaming profile - their profiles are stored in the %systemroot%\profiles directory which is shared as Profiles (\\PDC\profiles).
The share permissions give Everybody Full Control of the share, but NTFS permissions are used to tighten access to other people's profiles, meaning that only the user can access their profile in any way (with the exception of Administrators).

Domain user testacc logs onto CLIENT. Using reg.exe or a tool of their own making, they access the Registry of PDC. The winreg key on PDC specifies that only Administrators may access the registry remotely, but the AllowedPaths specify that HKLM\Software\Microsoft\Windows NT\CurrentVersion is an allowed path. This is the default. testacc changes the Administrator's ProfileImagePath to point to %systemroot%\profiles\testacc and then places a self-deleting batch file in the Start Up folder. This batch file, when run with enough privileges, will add testacc to the Domain Admins group. The next time Administrator logs onto PDC they pick up testacc's profile and the batch file is run, making testacc a domain admin.
If anyone can still not repro this with this setup, then please let me know.

Cheers,
David Litchfield
http://www.infowar.co.uk/mnemonix
http://www.arca.com
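An added defensive audit, not code from David Litchfield's post, that checks the three conditions the described attack depends on: an AllowedPaths entry that makes ProfileList reachable over the remote registry, two ProfileList entries resolving to the same profile directory (the Administrator entry redirected into another user's profile), and a ProfileList DACL that lets non-administrators set values. It assumes it is run locally as an administrator on the host being checked, in modern PowerShell syntax; the trusted-identity allowlist in step 3 is an assumption to extend for the domain.

```powershell
# Added audit example, not code from the original post. Run locally as an
# administrator on the NT-family host being checked (modern PowerShell syntax).
$winreg      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# 1. Remote registry: does an AllowedPaths entry cover ProfileList? The post's
#    scenario relies on Software\Microsoft\Windows NT\CurrentVersion being allowed.
$allowed = (Get-ItemProperty -Path "$winreg\AllowedPaths" -Name Machine).Machine
foreach ($p in $allowed) {
    if ('SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' -like "$p*") {
        Write-Warning "AllowedPaths\Machine entry '$p' exposes ProfileList remotely"
    }
}

# 2. Profile redirection: two SIDs resolving to one directory is the symptom of
#    an Administrator entry pointed at another user's profile.
$seen = @{}
foreach ($key in Get-ChildItem -Path $profileList) {
    $sid  = $key.PSChildName
    $item = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    $path = $item.ProfileImagePath
    if (-not $path) { continue }
    $dir = [Environment]::ExpandEnvironmentVariables($path).TrimEnd('\').ToLowerInvariant()
    if ($seen.ContainsKey($dir)) {
        Write-Warning "$sid and $($seen[$dir]) both use profile directory $dir"
    } else {
        $seen[$dir] = $sid
    }
}

# 3. Key DACL: who besides Administrators/SYSTEM may set values under ProfileList?
#    (The allowlist below is an assumption; extend it for your domain.)
$trusted = '^(BUILTIN\\Administrators|NT AUTHORITY\\SYSTEM|CREATOR OWNER)$'
$write   = [System.Security.AccessControl.RegistryRights]::SetValue -bor
           [System.Security.AccessControl.RegistryRights]::CreateSubKey
foreach ($ace in (Get-Acl -Path $profileList).Access) {
    $id = $ace.IdentityReference.Value
    if ($ace.AccessControlType -eq 'Allow' -and
        (($ace.RegistryRights -band $write) -ne 0) -and
        $id -notmatch $trusted) {
        Write-Warning "$id can write under ProfileList ($($ace.RegistryRights))"
    }
}
```

Step 1 will still warn on current Windows versions because that AllowedPaths entry remains in the default list; steps 2 and 3 show whether the key's own DACL and the profile entries actually leave the redirection possible.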
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:45:03 PDT