Try some other null session tools first, to get a feel for the system. Then, if some new info develops, try to exploit that. Did you make a full port scan already? Do you have a clue about services running on your target? Of course the goal is set to go for admin. Try to find an exploit and dump the SAM or sniff something from the wire.

Some other command line tools are:

Enum
Windows NT command line tool to enumerate Windows information using null sessions. Enum can retrieve userlists, machine lists, sharelists, namelists, group and member lists, password and LSA policy information. enum is also capable of a rudimentary brute force dictionary attack on individual accounts.
http://razor.bindview.com/tools/index.shtml

Exporter
Windows NT command line tool for exporting users, groups, group members, services, computers, shares, disk space, and printers (in any combination) from any or all computers on any Windows NT/Windows 2000 domain. Includes online .HLP documentation file. Exporter is also integrated into Hyena.
http://www.somarsoft.com

GetAcct
Windows NT command line tool to sidestep "RestrictAnonymous=1" and acquire account information on Windows NT/2000 machines. Input the IP address or NetBIOS name of a target computer in the "Remote Computer" column. Input a number of 1000 or more in the "End of RID" column. The RID is the user's relative identifier, which the Security Account Manager assigns when the user is created. Therefore, input 1100 if there are 100 users. Finally push the "Get Account" button.
http://www.securityfriday.com

NBTEnum
Windows NT command line tool for Windows which can be used to enumerate one single host or an entire class C subnet. This utility can run in two modes: query and attack. The main difference between these modes is that when NBTEnum is running in attack mode it will look for blank passwords and for passwords that are the same as the username but in lowercase letters.
Changes: Dictionary attack added, now does enumeration of NT version and Service Pack level, AutoAdminLogon detection, WinVNC encrypted password extraction, and enumeration of NT services.
http://ntsleuth.0catch.com/ (by NTSleuth)

NTInfo
Windows NT command line tool to provide a complete overview of a Windows NT system. This script creates an information file with info on registry, services, drivers, hardware, nbtstat, arp, winmsd, route, ipconfig etc. Requires several tools from the Resource Kit to create the overview.

UserInfo
Windows NT command line tool that retrieves all available information about any known user from any NT/Win2k system that you can hit 139 on. Specifically calling the NetUserGetInfo API call at Level 3, UserInfo returns standard info like SID, primary group, logon restrictions, etc., but it also dumps special group information, pw expiration info, pw age, smartcard requirements, and lots of other stuff. This guy works as a null user, even if the system has RA set to 1 to specifically deny anonymous enumeration.
http://www.hammerofgod.com/download.htm

IPC$ Cracker
Windows NT command line tool to attempt to crack a user's password using a dictionary attack by connecting to the IPC$ hidden share on an NT machine and trying passwords read from a text file.

NTCrack
Windows NT command line tool to run password dictionary attacks using the administrator account to access a Windows share or service.
http://somarsoft.com/ntcrack.htm

-----Original Message-----
From: cgreen001at_private [mailto:cgreen001at_private]
Sent: Thursday 16 May 2002 23:23
To: pen-testat_private
Subject: Q: Null Session information from NAT.EXE

I ran NAT.EXE on a machine and got the following results: (contents changed)

=======================================================
[*]--- Checking host: xxx.xxx.xxx.xxx
[*]--- Obtaining list of remote NetBIOS names
[*]--- Remote systems name tables:
ZONEACE
ZONEWORKGROUP
ZONEACE
ZONEACE
ZONEWORKGROUP
[*]--- Attempting to connect with name: *
[*]--- Unable to connect
[*]--- Attempting to connect with name: ZONEACE
[*]--- CONNECTED with name: ZONEACE
[*]--- Attempting to connect with protocol: MICROSOFT NETWORKS 1.03
[*]--- Server time is xxx
[*]--- Timezone is UTC+9.0
[*]--- Remote server wants us to encrypt, telling it not to
[*]--- Attempting to establish session
[*]--- Obtained server information:
Server=[ZONEACE] User=[] Workgroup=[ZONEWORKGROUP] Domain=[]
[*]--- Obtained listing of shares:
Sharename Type Comment
--------- ---- -------
IPC$ IPC:
[*]--- Attempting to access share: \\ZONEACE\
[*]--- Unable to access
[*]--- Attempting to access share: \\ZONEACE\ADMIN$
[*]--- Unable to access
[*]--- Attempting to access share: \\ZONEACE\C$
[*]--- Unable to access
[*]--- Attempting to access share: \\ZONEACE\D$
[*]--- Unable to access
[*]--- Attempting to access share: \\ZONEACE\ROOT
[*]--- Unable to access
[*]--- Attempting to access share: \\ZONEACE\WINNT$
[*]--- Unable to access
========================================================

It seems that this system is O.K. What else should I check to test the penetration? In other words, how could you proceed?

Thank you.
James.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
----------------------------------------------------------------------------
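Added example, not part of the thread and not code from NAT.EXE's author: a small Python parser that turns a NAT.EXE transcript like the one quoted above into a defender-side summary (was an anonymous session bound, did the session continue after the client declined encryption, which shares were listed and which could actually be read). The sample transcript is constructed with a placeholder host, and treating any status other than "Unable to access" as a successful share access is an assumption about NAT's output.

```python
import re

# Constructed sample modelled on the NAT.EXE transcript quoted above (placeholder host)
SAMPLE = r"""[*]--- Checking host: 192.0.2.10
[*]--- CONNECTED with name: ZONEACE
[*]--- Remote server wants us to encrypt, telling it not to
[*]--- Obtained server information:
Server=[ZONEACE] User=[] Workgroup=[ZONEWORKGROUP] Domain=[]
[*]--- Obtained listing of shares:
Sharename Type Comment
--------- ---- -------
IPC$ IPC:
[*]--- Attempting to access share: \\ZONEACE\C$
[*]--- Unable to access
"""

STATUS = "[*]--- "  # prefix NAT puts on every status line

def parse_nat(text):
    r = {"host": "", "null_session": False, "encryption_declined": False,
         "shares_listed": [], "share_access": {}}
    lines, i = text.splitlines(), 0
    while i < len(lines):
        line = lines[i]
        if line.startswith(STATUS + "Checking host: "):
            r["host"] = line.split(": ", 1)[1]
        elif line.startswith(STATUS + "Remote server wants us to encrypt"):
            r["encryption_declined"] = True  # client refused encryption, session went on anyway
        elif line.startswith(STATUS + "Obtained server information:"):
            m = re.search(r"User=\[(.*?)\]", lines[i + 1])
            r["null_session"] = m is not None and m.group(1) == ""  # empty user = anonymous bind
        elif line.startswith(STATUS + "Obtained listing of shares:"):
            i += 3  # skip the 'Sharename Type Comment' header and the dashed rule
            while i < len(lines) and lines[i].strip() and not lines[i].startswith(STATUS):
                r["shares_listed"].append(lines[i].split()[0])
                i += 1
            continue
        elif line.startswith(STATUS + "Attempting to access share: "):
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            # assumption: NAT prints 'Unable to access' on failure, anything else means it got in
            r["share_access"][line.split(": ", 1)[1]] = not nxt.startswith(STATUS + "Unable to access")
        i += 1
    return r

def findings(r):
    out = ["anonymous (null) session accepted; review RestrictAnonymous"] if r["null_session"] else []
    if r["encryption_declined"]:
        out.append("session continued after the client declined password encryption")
    return out + [f"share {p} readable anonymously" for p, ok in r["share_access"].items() if ok]
```

Running findings(parse_nat(SAMPLE)) on the constructed transcript reports the anonymous IPC$ bind and the declined encryption, but no readable share, which matches the "system is O.K." reading in the question while still flagging what the host allowed an unauthenticated client to learn.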
This archive was generated by hypermail 2b30 : Thu May 23 2002 - 21:29:44 PDT