OSEC

From: Nelson Brito (a.k.a. stderr) (stderrSEKURE.ORG)
Date: Thu Jan 11 2001 - 06:34:27 CST


    Hi...

    Tamas Foldi wrote:
    [...]

    > 2. backdoors are not a choice, since they run with the rights of the above
    > mentioned unicode

    If you have write permissions in the Registry, it's an alternative option.

    > 3. HK doesn't work under win2k (it produced permission denied message)
    > win2k never has been vulnerable to spoofed LPC port requests

    Yeah, but who told it worked?

    > 4. autorun.inf didn't execute on mapping the directory (maybe some trick
    > is needed)

    You're wrong, it works very well as possible. What you need is:
    1 - Map the "Shared Directories";
    2 - Put the autorun.inf and autorun.exe in this directory, maybe it
    could be your own machine;
    3 - Execute the "UNICODE Traversal Directory Exposure BUG" to MAP your own
    "Shared Directory";
    4 - Afterwards, use the NET command to mount, if possible, the C$ with
    Administrator permissions, else you will need to share C$;
    5 - Run your preferred tool, pwdump or l0phtcrack, to dump passwords from
    the target registry.

    It worked against WinNT, maybe it will work against Win2k.

    > 5. AT command returns access denied

    Yeah, by default, only Administrators can do this. Or, maybe, the
    service is stopped.

    >
    > to Dave:
    > it is interesting what you wrote, but i would like to ask You to go into
    > details about the All_users startup
    >
    >> You could do this with a "Shell Folder" vulnerability, and others...
    >

    I don't know if it's the *REAL* name for this BUG, but you can find
    something about Default Folders at SecurityFocus, but it only works
    against WinNT, I guess.

    >
    > Could you tell more info about this bug?
    >
    >>> 2) Brute force attack against accounts with local Administrator
    >>> privilege.
    >>
    >
    > Does anyone know any password brute forcer that works without accessing
    > the SAM file?
    >
    > We are still eager to hear further ideas on this issue since nothing that
    > we tried worked yet.
    >
    > .. .. _ _________________________________________________________ _ .. .
    > Foldi Tamas - We Are The Hashmar In The Rootshell - Security Consultant
    > crowlinuxfreak.com / crowkapu.hu / (+36 30) 221-74-77

    That's all,

    --
    Nelson Brito
    Security Analyst && Penetration Tester
    Security Networks AG / IBQN - http://www.secunet.de/