Re: Pentesting Network Share Access via wireless



If you want to aim for the highest I suggest attacking the BDC (backup
domain controller) as it's *not* usually as well patched as the
primary domain controller and usually runs older versions of Windows
than the one running on the PDC (more chances to successfully run an
exploit).

In order to find the PDC and BDC you can use the free Microsoft tool
"nltest.exe". Just be careful with the version of Windows you're
running on your attacking machine (pentester's laptop?). For Windows
2K you need to get it from the Windows Resource Kit
[http://www.dynawell.com/reskit/microsoft/win2000/nltest.zip]. In the
case of Windows XP SP2 you need "Windows XP SP2 Support Tools"
[http://www.microsoft.com/downloads/details.aspx?FamilyId=49AE8576-9BB9-4126-9761-BA8011FABF38&displaylang=en].
This is due to applications such as "nltest.exe" that use API
functions that are *not* supported on newer Windows versions.

E.g.:

C:\Program Files\Support Tools>nltest /trusted_domains

(after this grab the domain that you want to enumerate the PDC/BDC from)

C:\Program Files\Support Tools>nltest /dclist:targetdomain

(now you actually enumerate the DCs of the target domain where
"targetdomain" is one of the domains you obtained from the first
command)

Go for the old trick: a canned buffer overflow exploit
[http://metasploit.org/tools/framework-2.5-snapshot.tar.gz]

I know it's *not* the most elegant attack, but if the BDC is *not*
patched against one of "your" exploits, then there are chances that
you'll root the box.

After that, upload pwdump
[http://www.bindview.com/Resources/RAZOR/Files/pwdump2.zip], and get
*all* the usernames and password hashes of the *entire* domain. I
personally upload pwdump to the target BDC by installing Solarwinds'
TFTP server (very easy to set up)
[http://www.solarwinds.net/Tools/Free_tools/TFTP_Server/] on my
attacking machine. So when you get a remote admin shell on the BDC you
tftp your attacking machine ("tftp" command from command prompt) and
download your pwdump executable onto the target (%temp% folder?) and
execute it (dump usernames and hashes).

Then copy and paste them all to notepad on your attacking machine and
save them so you can later open the file with your favorite Windows
hash cracker.

In order to crack the hashes you could use LC5 for instance.

There are MANY other and simpler ways to accomplish this same goal
(you might be interested in checking the Meterpreter from Metasploit
[http://www.metasploit.com/projects/Framework/docs/meterpreter.pdf]).
I'm just mentioning a way that works for me.

Hope that helps.

Let me know if you have any further questions.

Regards,
pagvac

On 1/2/06, Thor (Hammer of God) <thor@xxxxxxxxxxxxxxx> wrote:
> ----- Original Message -----
> From: "Dean De Beer" <dean@xxxxxxxxxxxxxx>
> Cc: "'sherwyn williams'" <s-williams@xxxxxxxxxx>;
> <pen-test@xxxxxxxxxxxxxxxxx>
> Sent: Sunday, January 01, 2006 4:52 PM
> Subject: Re: Pentesting Network Share Access via wireless
>
>
> > Also, in WinXP the RestrictAnonymous Registry key default value is 0
> > but this may have been changed locally or via Group Policy to prevent
> > Null Sessions.
>
> While XP's default value of RestrictAnonymous is indeed 0, the default value
> of RestrictAnonymousSam is 1, and EveryoneIncludesAnonymous is 0. These
> settings, by default, prevent null session enumeration of SAM accounts,
> SIDs, etc.
>
> t
>
>
> ------------------------------------------------------------------------------
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications on your
> website. Up to 75% of cyber attacks are launched on shopping carts, forms,
> login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
> futile against web application hacking. Check your website for vulnerabilities
> to SQL injection, Cross site scripting and other web attacks before hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> -------------------------------------------------------------------------------

--
pagvac (Adrian Pastor)
www.ikwt.com - In Knowledge We Trust
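As an added defender-side check, not code from this thread or its authors: a PowerShell script that reads the three LSA registry values Thor names (RestrictAnonymous, RestrictAnonymousSAM, EveryoneIncludesAnonymous) and reports whether each is still at a value that blocks null-session enumeration. The hardened baseline (1/1/0) and the treatment of an absent value as the XP default quoted in the thread are assumptions.

```powershell
# Added audit helper (not from the thread): reads the three LSA values the
# reply above discusses and reports whether each still blocks null-session
# enumeration. Absent values are treated as the XP defaults quoted in the thread.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Assumed baseline: Default = XP default, Hardened = value that blocks anonymous enumeration
$Baseline = @{
    RestrictAnonymous         = @{ Default = 0; Hardened = 1 }
    RestrictAnonymousSAM      = @{ Default = 1; Hardened = 1 }
    EveryoneIncludesAnonymous = @{ Default = 0; Hardened = 0 }
}

function Get-LsaAnonymousSetting {
    param([string]$Name)
    $item = Get-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: the OS default applies
    return [int]$item.$Name
}

function Test-NullSessionHardening {
    $results = foreach ($name in $Baseline.Keys) {
        $raw = Get-LsaAnonymousSetting -Name $name
        $effective = if ($null -eq $raw) { $Baseline[$name].Default } else { $raw }
        [pscustomobject]@{
            Setting   = $name
            Effective = $effective
            Source    = if ($null -eq $raw) { 'default (value absent)' } else { 'registry' }
            Hardened  = ($effective -eq $Baseline[$name].Hardened)
        }
    }
    return $results
}

$report = Test-NullSessionHardening
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Hardened }) {
    Write-Warning 'An LSA anonymous-access setting is weaker than the hardened baseline; null-session enumeration may be possible.'
}
```

Run it in an elevated prompt on the host being audited; a Group Policy that sets these values will show up as Source = registry, since policy writes the same key.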
