I thought under UNICODE, you aren't able to run such commands as rdisk and pwdump, because IIS runs as IUSR?

On 08.07.01, Kevin Lam <kevinlam@packet-works.com> wrote:
> Hi Allen,
>
> If you have UNICODE working, you could upload cmdasp.asp which will let
> you execute commands on that server.
>
> If this is NT then what you can do is run "rdisk /s-" to silently update
> the repair sam._ file (this is a little trick that I used to use when I
> did pen-testing for Deloitte). Then go to c:\winnt\repair and copy
> sam._ to say a public internet folder like c:\inetpub\wwwroot and then
> go to your browser and just download the file.
>
> Run l0phtcrack against it and you'll get your passwords. Hope this helps.
>
>
> Kevin
> kevinlam@packet-works.com, www.packet-works.com
>
> -----Original Message-----
> From: Lists [mailto:listsat_private]
> Sent: Tuesday, August 07, 2001 2:29 AM
> To: Penetration Testers
> Subject: Pwdump2 with UNICODE?
>
>
> Hello all. Our company is currently doing a pentest for a customer.
> Normally, we grab the boot.ini file from the target server and that is
> sufficient. However, this customer has required us to "grab the hashes", as
> the sysadmin of the company stated. He feels that he has proper permissions
> set on all of the "important" files and this would not be an adequate test.
> The server was found to be vulnerable to the UNICODE vulnerability. We were
> able to use the upload.asp exploit to upload pwdump2.exe and samdump.dll to
> the server. However, we have been unable to get pwdump2 to execute properly.
> We also copied cmd.exe to another directory renaming it to cmd1.exe to run
> the commands. But again, no results.
>
> Has anyone been successful in getting pwdump2 to work through UNICODE? If
> so, what was the syntax you used to get it to go through?
>
> Any advice on this would be greatly appreciated.
>
> Thanks!
>
> Allen Archer
> Creative Solutions, Inc.
> Atlanta, Georgia 30303
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Thu Aug 09 2001 - 10:13:29 PDT