RE: Mysterious "Support" account created on Win2k server

From: kyleat_private
Date: Fri Jan 03 2003 - 13:45:46 PST

    No, attackers cannot use "net use" to create user accounts, but
    YES, they can create user accounts after they use "net use" to connect to
    victimized systems.
    
    Just to demonstrate, here is one of the methods of attack:
    
    1.  "net use \\machine\ipc$" with admin id and weak password.  Assume it
    successfully connected to the system.
    2.  Use "psexec" from sysinternals.com to copy necessary files to the
    victimized systems.
    3.  Use "psexec" to execute commands on the victimized system, i.e.
    Addusers.  They can run any commands, programs, or viruses/worms/trojans now
    since they can copy all necessary files to the victimized system and run
    them as an administrator.
    
    The above method was the method used in the ocxdll.exe / taskmngr.exe
    worm/Trojan.
    
    Kyle Lai, CISSP, CISA
    KLC Consulting, Inc.
    617-921-5410
    klaiat_private
    www.klcconsulting.net
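
A defender-side check for the sequence described in the message above, as an added example that is not part of the original post: it flags an account-creation event (Security log ID 624) that follows a network logon (ID 540, logon type 3) and a PSEXESVC service start (System log ID 7036) on the same host. The comma-separated export layout, host names and timestamps are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample: simplified event log export, not data from the incident.
# Columns (assumed layout): time, host, log, event_id, detail
SAMPLE = """\
2003-01-02 03:10:05,SRV1,Security,540,User=Administrator;LogonType=3;Workstation=UNKNOWNPC
2003-01-02 03:10:20,SRV1,System,7036,The PSEXESVC service entered the running state.
2003-01-02 03:10:41,SRV1,Security,624,NewAccount=Support;Caller=Administrator
2003-01-02 09:00:00,SRV2,Security,540,User=backup;LogonType=3;Workstation=BKP01
2003-01-02 14:30:00,SRV2,Security,624,NewAccount=jsmith;Caller=helpdesk
"""

def parse(text):
    """Parse export rows into dicts with a real datetime and integer event ID."""
    out = []
    for row in csv.reader(io.StringIO(text)):
        if row:
            t, host, log, eid, detail = row
            out.append({"time": datetime.strptime(t, "%Y-%m-%d %H:%M:%S"),
                        "host": host, "log": log, "id": int(eid), "detail": detail})
    return out

def field(detail, key):
    """Return the value of key=value in a ';'-separated detail string."""
    return dict(kv.split("=", 1) for kv in detail.split(";") if "=" in kv).get(key)

def find_suspect_account_creations(events, window=timedelta(minutes=10)):
    """Flag 624 events preceded on the same host, within `window`, by a
    type 3 logon (540) and a PSEXESVC service start (7036)."""
    events = sorted(events, key=lambda e: e["time"])
    findings = []
    for ev in (e for e in events if e["id"] == 624):
        recent = [p for p in events if p["host"] == ev["host"]
                  and timedelta(0) <= ev["time"] - p["time"] <= window]
        logons = [p for p in recent if p["id"] == 540 and "LogonType=3" in p["detail"]]
        svc = [p for p in recent if p["id"] == 7036
               and "PSEXESVC" in p["detail"].upper() and "running" in p["detail"]]
        if logons and svc:
            last = logons[-1]  # most recent network logon before the creation
            findings.append({"host": ev["host"], "time": ev["time"],
                             "account": field(ev["detail"], "NewAccount"),
                             "logon_user": field(last["detail"], "User"),
                             "workstation": field(last["detail"], "Workstation")})
    return findings

if __name__ == "__main__":
    for finding in find_suspect_account_creations(parse(SAMPLE)):
        print(finding)
```

Events 540 and 624 are only written when logon and account-management auditing are enabled on the server.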
    