Re: privilege escalation techniques

From: Chuck Herrin (me_at_chuckherrin.com)
Date: 01/17/05

    Date: Mon, 17 Jan 2005 10:16:14 -0600
    To: Dan Rogers <pentestguy@gmail.com>
    
    

    Hi Dan,

    One of my favorite methods is to gain local admin via a linux boot disk (like
    ntchpw), install a keylogger, then break something or disable a needed service
    and call the help desk. Since they usually can't fix anything detailed, the
    2nd level tech usually comes around and logs in with an admin account to take a
    look.

    Sometimes the responding tech is Domain Admin (yay!), but in any case his are
    good credentials to have, and a nice place to start.

    You can skip a step and just go with a hardware keylogger, but I'm wary of doing
    that before asking an admin to come over. Also, test your keylogger against
    whatever A/V software they're using before you install it there. Antivirus
    alerts = not subtle.

    Those are the most fun assignments - Enjoy!

    Chuck Herrin
    www.chuckherrin.com

    Quoting Dan Rogers <pentestguy@gmail.com>:

    > Hi List,
    >
    > I have been asked to test the network security of my organisation from
    > an internal perspective. My boss has not been particularly specific in
    > his requirements (other than asking that I don't break any operational
    > infrastructure) so I can approach the problem from whichever way I
    > deem most appropriate.
    >
    > I suspect the first thing I will attempt is privilege escalation
    > techniques from a workstation with a domain user account to see if I
    > can install my own software/toolset. Can anyone suggest any good
    > whitepapers or tools that I can use to get a head start?
    >
    > I intend to follow this up by scanning/targeting critical parts of our
    > infrastructure - domain controllers, mail servers, routers etc.
    > However, I am interested to know what other people would do when given
    > free rein to identify internal weaknesses - so how should I approach
    > this? This is not an 'audit' exercise, as I will not be given access
    > to server/infrastructure configurations.
    >
    > Any advice on this appreciated.
    >
    > Dan
    >
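The exposure Chuck describes, an admin typing high-value credentials into a workstation the attacker already controls, is something the defending side can watch for directly in the Windows Security log. The following is an added example, not code from either poster: it scans a constructed sample of flattened Security-log records and raises an alert whenever a known privileged account logs on interactively (console, RDP or cached logon) to a host classified as a workstation, or whenever Windows records that sensitive privileges were assigned to a logon session on such a host. Event IDs 4624 (successful logon) and 4672 (special privileges assigned) and the logon-type numbers are real Windows identifiers; the account list, host list, record format and every sample line are assumptions built for the example.

```python
"""Flag privileged interactive logons on workstations (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumption: in practice these would be exported from the "Domain Admins"
# group membership and the asset inventory. Values here are constructed.
PRIVILEGED_ACCOUNTS = {"CORP\\svc-helpdesk-admin", "CORP\\adm.bsmith"}
WORKSTATIONS = {"WKS-042", "WKS-017"}

# Logon types that place a credential on the local keyboard or session:
# 2 = Interactive (console), 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}

# Constructed sample of flattened Security-log records (not real logs).
# Format assumed: "<timestamp> key=value key=value ..." with no spaces in values.
SAMPLE_EVENTS = [
    "2005-01-17T10:05:12 host=WKS-042 EventID=4624 TargetDomainName=CORP TargetUserName=jdoe LogonType=2",
    "2005-01-17T10:22:41 host=WKS-042 EventID=4624 TargetDomainName=CORP TargetUserName=svc-helpdesk-admin LogonType=2",
    "2005-01-17T10:22:42 host=WKS-042 EventID=4672 SubjectDomainName=CORP SubjectUserName=svc-helpdesk-admin",
    "2005-01-17T11:00:00 host=DC01 EventID=4624 TargetDomainName=CORP TargetUserName=adm.bsmith LogonType=2",
    "2005-01-17T11:30:00 host=WKS-017 EventID=4624 TargetDomainName=CORP TargetUserName=adm.bsmith LogonType=3",
    "2005-01-17T11:31:00 host=WKS-017 EventID=4672 SubjectDomainName=NT_AUTHORITY SubjectUserName=SYSTEM",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Alert:
    timestamp: str
    host: str
    account: str
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Split one flattened record into its timestamp and key=value fields."""
    timestamp, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["timestamp"] = timestamp
    return fields


def is_machine_or_system(user: str) -> bool:
    """SYSTEM and computer accounts (trailing '$') legitimately hold privileges."""
    return user.upper() == "SYSTEM" or user.endswith("$")


def find_privileged_workstation_logons(lines: Iterable[str]) -> List[Alert]:
    """Return an Alert for every privileged logon that lands on a workstation."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_event(line)
        host = ev.get("host", "")
        if host not in WORKSTATIONS:
            continue  # admin logons to servers and DCs are expected; scope is workstations
        event_id = ev.get("EventID")
        if event_id == "4624":
            account = f"{ev.get('TargetDomainName', '')}\\{ev.get('TargetUserName', '')}"
            logon_type = int(ev.get("LogonType", "0"))
            # Network logons (type 3) do not expose a typed password; interactive ones do.
            if account in PRIVILEGED_ACCOUNTS and logon_type in INTERACTIVE_LOGON_TYPES:
                alerts.append(Alert(ev["timestamp"], host, account,
                                    f"privileged account interactive logon (type {logon_type})"))
        elif event_id == "4672":
            user = ev.get("SubjectUserName", "")
            # 4672 fires for any token holding sensitive privileges, so it also
            # catches admin accounts missing from PRIVILEGED_ACCOUNTS.
            if not is_machine_or_system(user):
                account = f"{ev.get('SubjectDomainName', '')}\\{user}"
                alerts.append(Alert(ev["timestamp"], host, account,
                                    "sensitive privileges assigned to logon session"))
    return alerts


if __name__ == "__main__":
    for alert in find_privileged_workstation_logons(SAMPLE_EVENTS):
        print(f"{alert.timestamp} {alert.host} {alert.account}: {alert.reason}")
```

On the sample, only the help-desk admin's console logon to WKS-042 (and the matching 4672 record) is flagged; the same account on DC01 and the network-only logon on WKS-017 are not. The 4672 rule is noisy on fleets where ordinary users hold local admin rights, which is itself a finding worth reporting in the kind of internal assessment Dan is planning.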

