Windows XP remote access methods for pen test

From: Curt Wilson (netw3_securityat_private)
Date: Thu Dec 05 2002 - 14:53:49 PST

    While working with the Security Configuration and Analysis MMC snap-in 
    (applying securews template in this case) in a Win XP Pro SP1 system, I 
    came across some items that could be useful to the attacker and/or pen 
    tester. Anyone who has played with XP security policies will have seen 
    these, however I've seen little information about the security 
    ramifications of the following items, and would enjoy a discussion about 
    these elements:
    
    Local Policies...Security Options...Network Access: Named pipes that can 
    be accessed anonymously
    
    COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, EPMAPPER, LOCATOR, TrkWks, TrkSvr
    
    Remotely accessible registry paths:
    
    System\CurrentControlSet\Control\ProductOptions
    System\CurrentControlSet\Control\Print\Printers
    System\CurrentControlSet\Control\Server Applications
    System\CurrentControlSet\Services\Eventlog
    Software\Microsoft\OLAP Server
    Software\Microsoft\Windows NT\CurrentVersion
    System\CurrentControlSet\Control\ContentIndex
    System\CurrentControlSet\Control\Terminal Server
    System\CurrentControlSet\Control\Terminal Server\UserConfig
    System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
    
    (I'm assuming that these reg paths are useless to a remote attacker, 
    unless the remote registry service is enabled and the attacker/pen tester 
    has access. I always turn off remote registry so I've not explored these 
    options)
    
    Shares that can be accessed anonymously:
    
    COMCFG, DFS$
    
    Has anyone successfully leveraged the existence of any of these elements, 
    and do you have any information from practical experience that you would 
    be willing to share? It strikes me that there could be some interesting 
    content here if we could spend some time fuzzing and exploring.
    
    Thanks
    
    Curt Wilson
    Netw3 Security Research
    www.netw3.com
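The three policy settings the post lists are backed by plain registry values, so a defender can audit a host against the XP/securews baseline quoted above without opening the MMC snap-in. The script below is an added example, not part of Curt Wilson's post or any Microsoft tooling. It reads `NullSessionPipes` and `NullSessionShares` under `LanmanServer\Parameters` and the `Machine` value under `SecurePipeServers\winreg\AllowedPaths` (and `AllowedExactPaths`, which later Windows versions added), diffs them against the post's lists, and reports the two settings that decide whether those lists matter at all: `RestrictNullSessAccess` and the state of the Remote Registry service. It assumes a modern Windows host with PowerShell 5 or later, run as a local administrator (the `winreg` key is not readable by ordinary users, and XP itself shipped without PowerShell).

```powershell
# Added audit example, not from the original post. Compares a host's anonymous
# pipe, share and remote-registry-path lists against the XP Pro SP1 / securews
# baseline quoted in the post. Run elevated on a host with PowerShell 5+.

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$WinregKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

# Baseline copied from the post. Anything beyond these lists needs an owner.
$Baseline = @{
    NullSessionPipes  = @('COMNAP','COMNODE','SQL\QUERY','SPOOLSS','LLSRPC',
                          'EPMAPPER','LOCATOR','TrkWks','TrkSvr')
    NullSessionShares = @('COMCFG','DFS$')
    AllowedPaths      = @(
        'System\CurrentControlSet\Control\ProductOptions',
        'System\CurrentControlSet\Control\Print\Printers',
        'System\CurrentControlSet\Control\Server Applications',
        'System\CurrentControlSet\Services\Eventlog',
        'Software\Microsoft\OLAP Server',
        'Software\Microsoft\Windows NT\CurrentVersion',
        'System\CurrentControlSet\Control\ContentIndex',
        'System\CurrentControlSet\Control\Terminal Server',
        'System\CurrentControlSet\Control\Terminal Server\UserConfig',
        'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration')
}

function Get-MultiSz {
    # Read a REG_MULTI_SZ value; an absent key or value yields an empty array.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.$Name | Where-Object { $_ -ne '' })
}

function Compare-ToBaseline {
    # Warn on entries the host exposes that the baseline does not list, and note
    # baseline entries the host has already removed. -notcontains ignores case.
    param([string]$Label, [string[]]$Current, [string[]]$Expected)
    $extra   = @($Current  | Where-Object { $Expected -notcontains $_ })
    $missing = @($Expected | Where-Object { $Current  -notcontains $_ })
    Write-Host "`n== $Label ($($Current.Count) entries) =="
    $Current | ForEach-Object { Write-Host "   $_" }
    if ($extra.Count)   { Write-Warning "$Label beyond baseline: $($extra -join ', ')" }
    if ($missing.Count) { Write-Host    "$Label already removed vs baseline: $($missing -join ', ')" }
}

# "Network access: Named pipes that can be accessed anonymously"
$pipes  = @(Get-MultiSz $LanmanParams 'NullSessionPipes')
# "Network access: Shares that can be accessed anonymously"
$shares = @(Get-MultiSz $LanmanParams 'NullSessionShares')
# "Network access: Remotely accessible registry paths". XP keeps the whole list
# under AllowedPaths; Vista and later also populate AllowedExactPaths.
$paths  = @(Get-MultiSz "$WinregKey\AllowedPaths"      'Machine') +
          @(Get-MultiSz "$WinregKey\AllowedExactPaths" 'Machine')

Compare-ToBaseline 'Anonymous named pipes' $pipes  $Baseline.NullSessionPipes
Compare-ToBaseline 'Anonymous shares'      $shares $Baseline.NullSessionShares
Compare-ToBaseline 'Remote registry paths' $paths  $Baseline.AllowedPaths

# The lists above only constrain null sessions while RestrictNullSessAccess is
# 1 (or absent); 0 exposes every pipe and share. The registry paths are only
# reachable while the RemoteRegistry service is running, as the post assumes.
$restrict = (Get-ItemProperty -Path $LanmanParams -Name RestrictNullSessAccess `
             -ErrorAction SilentlyContinue).RestrictNullSessAccess
if ($restrict -eq 0) {
    Write-Warning 'RestrictNullSessAccess=0: the NullSessionPipes/NullSessionShares lists are not enforced'
}
$rr = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
if ($rr) { Write-Host "`nRemoteRegistry service: $($rr.Status) (StartType $($rr.StartType))" }
```

Entries flagged as beyond the baseline are removed through the same policy in the Security Configuration and Analysis snap-in (or by rewriting the multi-string value with `Set-ItemProperty`), which is preferable to editing the registry by hand because the template then documents the intended state.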
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    
    This archive was generated by hypermail 2b30 : Fri Dec 06 2002 - 11:42:11 PST