Re: more info on a hopefully unsuccessful compromise

From: Harlan Carvey (keydet89yahoo.com)
Date: Sun Jul 13 2003 - 15:31:17 CDT


Etaoin,

Is this something specific to your setup, or to the
default Administrator account?

I set up a user account on a Win2K box, and added it
to the Administrators group. I ensured that the
account had no password. I logged into the box using
the test account and no password, and was successful.
However, trying the account name, and then the account
name backwards proved to be unsuccessful.

I agree w/ your sentiment regarding users auditing
systems. In this particular case, there may be
something else going on...the original poster seems to
think he's got three different accounts but they all
have the same name. Also, the OP has stated that the
accounts do not exist in the User Manager, yet goes on
to say that he tried to disable the user account and
couldn't...which would be impossible if it did not
exist.

However, I was not able to replicate the issue.
Anything you may be able to provide could prove
useful.

Thanks,

Harlan

--- Etaoin Shrdlu <shrdludeaddrop.org> wrote:
> LiNERROR wrote:
> >
> > upon running an audit on one of my networks Retina 4.90 discovered two
> > systems, running windows 2000 pro, with sp3 and all updates with what
> > appeared to be multiple administrator accounts.
>
> No. This is what happens when users assume the task of auditing, rather
> than leaving it to the professionals. I suspect that you read NONE of the
> very helpful replies to your previous post, as well. To make absolutely
> sure that you understand, I will address each of the logs (these are NOT
> phantom accounts, btw, it's the Administrator account, and it belongs).
>
> > snip ---
> > Accounts: User: Administrator Pass: rotartsinimdA - Account password
> > reverse of account
>
> Here is Retina trying the word administrator backwards. Since the account
> has NO PASSWORD, it succeeds, and incorrectly logs the password as valid.
>
> > Accounts: User: Administrator Pass: Administrator - Account password same
> > as account
>
> Here is Retina trying the word administrator forwards. Since the account
> has NO PASSWORD, it succeeds, and incorrectly logs the password as valid.
>
> > Accounts: User: Administrator Pass: - Account with no password
> > snip ---
>
> Here's the log entry that is meaningful. You have an ADMINISTRATOR account
> with no password. What were you thinking? Put a good password on the
> administrator account, and be done with it. I'd suggest that a little
> reading from the Microsoft site, or from any book not containing the title
> words "21 days" or "dummies" would be of great benefit to you. I'd also
> suggest that a part time administrator to assist you with your machines
> would be helpful.
>
> > However the system shows no evidence of these accounts in the user
> > manager... but the accounts are there.
>
> No, no, no. The Administrator account is supposed to be there. If some
> moron renamed it, the above stuff with Retina will still work. Look at the
> users, under the manage menu. If there is no Administrator account, then
> check by the properties menu to see what group(s) the accounts are members
> of. The administrator account is traditionally a member of only the
> Administrators group (kind of reminds you of setprv on VMS, hmmmmmm), but
> that's all it needs. Check EACH account. There may be more than one account
> with administrator privileges. If so, then you need to check the (sorry, I
> don't remember the wintel equivalent offhand of UID) specific identifier to
> see which was created first. The oldest is the real Administrator. Rename
> it back to Administrator, and give it a damned password.
>
> --
> I cannot help fearing that men may reach a point where they look on
> every new theory as a danger, every innovation as a toilsome trouble,
> every social advance as a first step toward revolution, and that they
> may absolutely refuse to move at all. (Alexis de Tocqueville)
>
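
The "specific identifier" Etaoin refers to is the account's SID; on Windows the built-in Administrator always carries the well-known relative ID 500, whatever it has been renamed to, so the check below (an added example, not code from the thread or from Retina) lists local Administrators group members, marks the RID-500 account, and flags any local account that does not require a password. It assumes the Microsoft.PowerShell.LocalAccounts cmdlets (Windows PowerShell 5.1 or later on a modern Windows build, not the Windows 2000 hosts in the thread).

```powershell
# Added example: identify the real built-in Administrator (RID 500) among the
# members of the local Administrators group and flag blank-password accounts.
# Assumes Get-LocalUser / Get-LocalGroupMember (Windows PowerShell 5.1+).

$localUsers = Get-LocalUser
$members    = Get-LocalGroupMember -Group 'Administrators'

foreach ($m in $members) {
    $sid = $m.SID.Value
    # The relative identifier is the last dash-separated component of the SID.
    $rid = [int]($sid.Split('-')[-1])
    # Match the group member back to a local user object, if it is local.
    $user = $localUsers | Where-Object { $_.SID.Value -eq $sid }

    $notes = @()
    if ($rid -eq 500) {
        $notes += 'built-in Administrator (RID 500)'
        if ($m.Name -notmatch '\\Administrator$') { $notes += 'renamed' }
    }
    if ($user -and -not $user.PasswordRequired) { $notes += 'NO PASSWORD REQUIRED' }
    if ($user -and -not $user.Enabled)          { $notes += 'disabled' }

    [pscustomobject]@{
        Name   = $m.Name
        Source = $m.PrincipalSource   # Local or ActiveDirectory
        SID    = $sid
        Notes  = ($notes -join '; ')
    }
}
```

Domain groups such as Domain Admins appear as members too but have no matching local user object, so only the RID and source are reported for them.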

