OSEC

From: michaelvogtABCSYSTEMS.CH
Date: Tue May 01 2001 - 02:30:13 CDT


    hey steve

    i wrote a little tool to get all user info (name, rights,
    groups...), all accounts (user, workstation), all shares
    and a pw check.. you can also try to crack all user pws
    with the bf method.

    http://www.clicknet.ch/chscene

    you can disable anonymous connections (null
    connect) in the registry when you work in a single
    domain environment. the null connection is used
    when you admin. multiple domains (with trust), afaik.

    greets

    michael
    > Hi list!
    >
    > Working on an NT box running IIS 4.0 (seems to be patched).
    > Certain tell-tale ports are open (25,80,135,5800,5900) TCP.
    >
    > After doing more research on NT RPC protocol, and searching
    > documented vulnerabilities, I have the ability to dump the contents of the
    > endpoint mapper, and can connect to this port. What could the dumped
    > information be used for? Obviously other connections are displayed, but
    > after scouring Vuln and mailing list archives, the only risk RPC seems to
    > pose is denial of service problems.
    >
    > So... my question(s):
    >
    > 1. Is there a way to authenticate through RPC, or potentially
    > brute force for weak passwords?
    >
    > 2. Is there a way to execute server side commands using RPC?
    >
    > finally...
    >
    > 3. Are there any RPC vulnerabilities out there? (besides denial of
    > service)
    >
    >
    > TIA!
    >
    > Steve