Hello folks,

Some of the first things I'd do (given that you'll have at your disposal a 'usual' computer, not your own custom-made OS, laptop, wifi capable, etc):

1. Get local administrator access to the workstation (that couldn't be too hard now, could it? :) )
   1.1. You could obtain that either through the vast majority of known (or not-so-known) flaws inherent to the OS (or)
   1.2. Given that you have physical access to the computer (and a FDD), you could try the excellent tool available at http://home.eunet.no/~pnordahl/ntpasswd/. This one is a double-edged method.. By bruteforcing and NOT overwriting the local admin password, you could be able to gather something that could turn out to be cool.. (variants of it could be used for domain admin or SQL, or web management, or who knows..) If you can get the local admin hash, I'd take it off-line (i.e. at our HQ) and do some distributed bruteforcing on it for 1-2 days.. If nothing happens, overwrite away.. :)
2. Establish a covert channel for downloading the much needed tools (establishing an SSL-enabled HTTP bouncer with an innocent-looking domain outside the perimeter would do it, or something along that line).
3. Download the much needed tools :)
4. Supposing direct Layer 3 communications with the outside are cut (usual situation), find a way to remotely and covertly control the computer. This one is nice for after-hours digging.. http://www.nocrew.org/software/httptunnel.html comes to mind..
5. Find a computer with a modem attached to it (look around the office.. you're bound to see one.. ask the fellow to mail you some document, to get his IP.. I'd say wardial, but it could be hard to determine the IP from the phone number, correct me if I'm wrong.. well, you could try calling modem number +/- 1,2,3 and do some social engineering..).
   Once you've found it, own it (physical access during lunch hours comes to mind), install a voice dialler of some sort, httptunnel it, and show the management how you were able to make voice calls from your home computer to China or something through their network and PBX.. That's bound to get a reaction.. :) Machiavelli would've been a great hacker.. :)

Final thoughts.. I'd leave ettercap and the sorts towards the end.. that sort of tool could be quite noisy, and noise is a no-no.. on the other hand, Windows is a joy to poison (it happily overwrites static ARP entries, except XP). Anyway, there's quite a lot of damage to be done given hands-on access. Also, do not overlook the dangers of lax physical security. Seek the path of least resistance towards your goal (wow.. :)) If you can mail yourself the payroll files from the HR desktop, why intercept their SMB password?

Razvan Teslaru

-----Original Message-----
From: heron heron [mailto:h.heronat_private]
Sent: Wednesday, May 14, 2003 16:30
To: pen-testat_private
Subject: penetration test in a Windows 2000/NT network

Hi,

I will be carrying out a penetration test in a Windows 2000/NT network shortly. A goal is to get confidential information (files) and, if possible, to get admin rights. I will be in the LAN with my computers. A computer for normal use (thus no admin access) is likewise put at my disposal.

Is there a possibility on a Windows 2000 computer (physical access is possible) to attain admin rights without overwriting the admin account? Background: I would like to try to crack the password of the local admin (e.g. by means of pwdump and John). There is the possibility that all admin passwords (also for the domain) are alike.

Is there a tool with which I can crack NTLMv2 hashes? Background: I will try to sniff hashes during logon at the DC (e.g. CAIN, ettercap) and to crack them. Unfortunately, no tool for cracking NTLMv2 hashes is known to me yet.
A further possibility to get at information would be the use of an SMB proxy. By ARP spoofing it would nevertheless be theoretically possible to intercept the LM/NTLM (v1/v2) authentication. Then the attacker could log on to the server instead. Is there already such a tool? Who has suggestions? For tools, please always give the web URL (if possible, the programmer's).

Greetings,
Heron
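Both messages touch on ARP cache poisoning (Heron asks about it for intercepting authentication, Razvan warns that ettercap-style tools are "noisy"). As an added defensive example, not part of either message, here is a small Python checker that shows what that noise looks like to a passive sensor: it runs over constructed ARP-reply records (timestamp, sender IP, sender MAC; the addresses and the static-binding inventory are assumptions) and flags IPs claimed by more than one MAC, replies that contradict a known static binding, and MACs replying at an unsolicited, high rate.

```python
from collections import defaultdict

# Constructed sample of ARP replies as a passive sensor might log them:
# (seconds since start, sender IP, sender MAC). Not from any real capture.
SAMPLE_ARP_REPLIES = [
    (0.0, "10.0.0.1", "00:11:22:33:44:01"),   # gateway, legitimate
    (0.5, "10.0.0.25", "00:11:22:33:44:25"),  # workstation, legitimate
    (1.0, "10.0.0.1", "00:11:22:33:44:01"),
    (1.2, "10.0.0.1", "de:ad:be:ef:00:99"),   # a second MAC claims the gateway
    (1.3, "10.0.0.25", "de:ad:be:ef:00:99"),  # same MAC also claims the workstation
    (1.4, "10.0.0.1", "de:ad:be:ef:00:99"),   # repeated gratuitous replies
    (1.5, "10.0.0.1", "de:ad:be:ef:00:99"),
    (2.0, "10.0.0.40", "00:11:22:33:44:40"),
]

# Assumed inventory: hosts whose MAC should never change (gateway, DC, ...).
STATIC_BINDINGS = {"10.0.0.1": "00:11:22:33:44:01"}


def find_conflicts(replies):
    """Map each IP claimed by more than one MAC to the sorted list of MACs."""
    seen = defaultdict(set)
    for _, ip, mac in replies:
        seen[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def binding_violations(replies, bindings):
    """Sorted (ip, mac) pairs where a reply contradicts a known static binding."""
    return sorted({(ip, mac.lower()) for _, ip, mac in replies
                   if ip in bindings and mac.lower() != bindings[ip].lower()})


def noisy_senders(replies, window=1.0, threshold=3):
    """MACs that sent more than `threshold` replies inside any `window` seconds.
    Legitimate hosts answer requests; a poisoner keeps re-asserting itself."""
    by_mac = defaultdict(list)
    for ts, _, mac in replies:
        by_mac[mac.lower()].append(ts)
    noisy = set()
    for mac, times in by_mac.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                noisy.add(mac)
                break
    return sorted(noisy)
```

Running the three checks over `SAMPLE_ARP_REPLIES` flags both claimed IPs, the gateway binding violation, and `de:ad:be:ef:00:99` as the noisy sender; in practice the records would come from a SPAN port or a tool such as arpwatch.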
This archive was generated by hypermail 2b30 : Fri May 16 2003 - 08:38:34 PDT