Hi,

You'll find that on a unicode vulnerable IIS 5.0 system you can usually reach cmd.exe by the following executable directories that map to the c: on a default install:

/msadc       c:\program files\common files\system\msadc
/iisadmpwd   c:\winnt\system32\inetsrv\iisadmpwd

There may be a couple of others. But under most of the IIS 4.0 / 5.0 tests I've done over the last couple of years running the webroot from a different partition, I have good results with /msadc and /iisadmpwd.

As a sidenote, unitools.tgz can be used to set up an uploader.asp on the target system if outbound traffic is being filtered (ports such as UDP 69, TCP 514 and 21).

One question I've been trying to ask recently but hasn't found its way onto the list is this:

Recently I was using unicode to compromise a moderately hardened IIS 4.0 server, which I could not gain Administrator or SYSTEM access to (ncx99.exe wouldn't upload because of AV, aggressive firewalling outbound was in place, et al.). I ended up using smbcrack.exe and tools such as enum.exe to eventually compromise weak machines on the internal network, but not this server in particular.

What I need is a local LSA brute force tool, that will _locally_ (no, not through SMB via 139 or 445) brute force a specified user password. Does anybody know of any such tools in existence?

Regards,
Chris

Chris McNab
Technical Director
Matta Security Limited
18 Noel Street
London W1F 8GN
Tel: 0870 077 1100

This e-mail was sent from Matta Security Limited. The information contained in this message is confidential, may be privileged, and is intended for the addressee(s) only. If you have received this message in error please notify the originator immediately. The unauthorised use, disclosure, copying or alteration of this message is strictly forbidden. Matta Security Limited does not warrant that any attachments are free from viruses or other defects.
This archive was generated by hypermail 2b30 : Thu Mar 13 2003 - 13:55:41 PST