Re: hacking a NT domain after the member server
From: olle (olle@nxs.se)
Date: 06/17/02
- In reply to: Blake Frantz: "RE: hacking a NT domain after the member server"
Date: Mon, 17 Jun 2002 21:45:47 +0200
From: olle <olle@nxs.se>
To: Blake Frantz <blake@mc.net>
! WARNING - blatant plugs !
On Thu, Jun 13, 2002 at 02:49:02PM -0500, Blake Frantz wrote:
>
> Does the SQL server authenticate via trusted connections? Provided you
> can sniff/snarf for NTLM you should be able to get domain credentials
> whenever someone authenticates to the server (unless NTLMv2 auth is
> used, I don't think I've seen a tool for this, anyone?)
huggorm[1] works fine with both old-style NTLM and new SSP exchanges, both
on SMB/IP (tcp 445) and SMB/NB/IP (tcp 139) and will probably be able to
sniff NT challenge-responses if the MSSQLserver uses named pipe transport.
> Have you tried to nbtdump/enum the other winboxen? Aside from names of
> share and users I've seen admins actually put passwords in the Comment
> field for user accounts that pertain to specific services. Seriously.
> If all else fails brute force accounts using nat
> http://www.cotse.com/tools/sw/nat10bin.zip.
Check out skravel and netu at http://olle.nxs.se/
I also recommend winfo at http://www.ntsecurity.nu/toolbox/winfo/
/olle, self-promoting ***.
[1] http://olle.nxs.se/software/huggorm/
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/