RE: Pwdump2 with UNICODE?

From: Kevin Lam (kevinlam@packet-works.com)
Date: Tue Aug 07 2001 - 17:12:00 PDT

Next message: dcdave: "Re: New wireless vulnerability"

Previous message: kriskat_private: "RE: Pwdump2 with UNICODE?"
In reply to: Lists: "Pwdump2 with UNICODE?"
Next in thread: Tony Lambiris: "Re: Pwdump2 with UNICODE?"
Next in thread: hellNbak: "Re: Pwdump2 with UNICODE?"
Reply: Tony Lambiris: "Re: Pwdump2 with UNICODE?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Allen,

If you have UNICODE working, you could upload cmdasp.asp which will let
you execute commands on that server.

If this is NT then what you can do is run "rdisk /s-" to silently update
the repair sam._ file (this is a little trick that I used to use when I
did pen-testing for Deloitte).  Then go to c:\winnt\repair and copy
sam._ to say a public internet folder like c:\inetpub\wwwroot and then
go to your browser and just download the file.

Run l0phtcrack against it and you'll get your passwords.  Hope this helps.


Kevin
kevinlam@packet-works.com, www.packet-works.com

-----Original Message-----
From: Lists [mailto:listsat_private]
Sent: Tuesday, August 07, 2001 2:29 AM
To: Penetration Testers
Subject: Pwdump2 with UNICODE?


Hello all. Our company is currently doing a pentest for a customer.
Normally, we grab the boot.ini file from the target server and that is
sufficient. However, this customer has required us to "grab the hashes", as
the sysadmin of the company stated. He feels that he has proper permissions
set on all of the "important" files and this would not be an adequate test.
The server was found to be vulnerable to the UNICODE vulnerability. We were
able to use the upload.asp exploit to upload pwdump2.exe and samdump.dll to
the server. However, we have been unable to get pwdump2 to execute properly.
We also copied cmd.exe to another directory renaming it to cmd1.exe to run
the commands. But again, no results.

Has anyone been successful in getting pwdump2 to work through UNICODE? If
so, what was the syntax you used to get it to go through?

Any advise on this would be greatly appreciated.

Thanks!

Allen Archer
Creative Solutions, Inc.
Atlanta, Georgia 30303


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Next message: dcdave: "Re: New wireless vulnerability"
Previous message: kriskat_private: "RE: Pwdump2 with UNICODE?"
In reply to: Lists: "Pwdump2 with UNICODE?"
Next in thread: Tony Lambiris: "Re: Pwdump2 with UNICODE?"
Next in thread: hellNbak: "Re: Pwdump2 with UNICODE?"
Reply: Tony Lambiris: "Re: Pwdump2 with UNICODE?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Aug 08 2001 - 10:34:57 PDT