Re: Pen on IIS with webroot not on C

From: Chris McNab (chris.mcnabat_private)
Date: Thu Mar 13 2003 - 03:34:12 PST


    Hi,
    
    You'll find that on a unicode vulnerable IIS 5.0 system you can usually
    reach cmd.exe by the following executable directories that map to the c: on
    a default install:
    
    	/msadc	c:\program files\common files\system\msadc
    	/iisadmpwd	c:\winnt\system32\inetsrv\iisadmpwd
    
    There may be a couple of others. But under most of the IIS 4.0 / 5.0 tests
    I've done over the last couple of years running the webroot from a different
    partition, I have good results with /msadc and /iisadmpwd.
    
    As a sidenote, unitools.tgz can be used to set up an uploader.asp on the
    target system if outbound traffic is being filtered (ports such as UDP 69,
    TCP 514 and 21).
    
    One question I've been trying to ask recently, but which hasn't found its way
    onto the list, is this:
    
    Recently I was using unicode to compromise a moderately hardened IIS 4.0
    server, which I could not gain Administrator or SYSTEM access to (ncx99.exe
    wouldn't upload because of AV, aggressive firewalling outbound was in place,
    et al). I ended up using smbcrack.exe and tools such as enum.exe to
    eventually compromise weak machines on the internal network, but not this
    server in particular.
    
    What I need is a local LSA brute-force tool that will _locally_ (no, not
    through SMB via 139 or 445) brute-force a specified user password. Does
    anybody know of any such tools in existence?
    
    Regards,
    
    Chris
    
    
    
    Chris McNab
    Technical Director
    
    Matta Security Limited
    18 Noel Street
    London W1F 8GN
    
    Tel: 0870 077 1100
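
A defender-side companion to the point above (added here; not part of Chris's post or any Matta tool): because /msadc and /iisadmpwd map to the system drive on a default install, a traversal request under either of them is worth flagging in the IIS W3C logs even when the webroot lives on another partition. The script folds overlong two-byte UTF-8 forms (the encoding the unicode bug accepted) back to ASCII and reports any request that steps out of those virtual directories; the log lines, the `#Fields` layout and the IP addresses are constructed for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Virtual directories named in the post: on a default IIS 4.0/5.0 install they
# map to the system drive even when the webroot sits on another partition.
SYSTEM_DRIVE_VDIRS = ("/msadc", "/iisadmpwd")

def decode_overlong_utf8(raw: bytes) -> bytes:
    """Fold two-byte overlong UTF-8 forms (lead byte 0xC0/0xC1) back to ASCII.
    A correct decoder rejects these; the IIS bug decoded them after the
    directory check, so 0xC0 0xAF became '/' and 0xC1 0x9C became '\\'."""
    out, i = bytearray(), 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)

TRAVERSAL = re.compile(rb"\.\.[\\/]")

def find_traversal(log_text: str) -> list:
    """Parse W3C extended log lines (field order taken from the #Fields header)
    and report requests that step out of a system-drive virtual directory."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        stem = rec.get("cs-uri-stem", "")
        vdir = next((v for v in SYSTEM_DRIVE_VDIRS if stem.lower().startswith(v + "/")), None)
        if vdir is None:
            continue
        # Check the raw stem and its decoded form: depending on configuration the
        # server may have logged the URI still percent-encoded or already decoded.
        decoded = decode_overlong_utf8(unquote_to_bytes(stem))
        if TRAVERSAL.search(decoded) or TRAVERSAL.search(stem.encode()):
            hits.append({"ip": rec.get("c-ip"), "vdir": vdir,
                         "decoded": decoded.decode("latin-1")})
    return hits

# Constructed sample log (not from the post); addresses are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-03-13 10:02:11 203.0.113.7 GET /msadc/..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe - 200
2003-03-13 10:02:12 203.0.113.7 GET /iisadmpwd/..%c1%9c..%c1%9c..%c1%9cwinnt/system32/cmd.exe - 200
2003-03-13 10:03:40 198.51.100.2 GET /default.asp - 200
2003-03-13 10:04:01 198.51.100.9 GET /msadc/msadcs.dll - 200
"""

if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(hit)
```

Only the two traversal requests are reported; the legitimate /msadc/msadcs.dll hit is not, since the check is on leaving the directory rather than on touching it.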
    



    This archive was generated by hypermail 2b30 : Thu Mar 13 2003 - 13:55:41 PST