From: Paul Cardon (paul MOQUIJO.COM)
Date: Fri Jan 12 2001 - 17:09:04 CST

Matthew Pemble wrote:
>
> Tamas wrote:
>
> >Does anyone know any password brute forcer that works without
> >accessing the SAM file?
> >
> >We are still eager to hear further ideas on this issue since nothing
> >that we tried worked yet.
>
> If you can't get the SAM, can you run a packet sniffer on the target
> machine? If so, grab the NTLM authentication hashes and L0phtcrack
> can process them. Much, much slower than SAM cracking, though.
>
> You ought to be able to run a program within the IUSR context, your
> ability to install will depend on the individual sniffer.

Repeat after me everybody:

"I am on a Win2K box using the IUSR_<blah> account gained via the IIS
Unicode vulnerability. I do not have Administrator privileges. I can
only get to what a non-privileged user can access which is why the SAM
repair file is not readable."

It's getting frustrating that people aren't paying attention or don't
understand the scenario that was originally introduced, but hey, I'm
still smiling. :^)

Now, I honestly don't know of a sniffer that can be installed without
Administrator privilege. If you can install a sniffer without those
privs it seems like you could do plenty of other nasty stuff on that
server.

local.exe and global.exe from the resource kit can be used along with
dumpsec.exe to determine which user accounts on the server or domain are
in Administrator groups and will help you find the Administrator account
even if it has been renamed.

Somebody already mentioned SMBgrind for brute force login attempts. A
similar tool (NetBIOS Auditing Tool) can be found at:
http://www.nmrc.org/files/snt/nat10.tar.gz
and doesn't require you to have a copy of CyberCOP around.

Keep in mind that it will only be effective if the admin hasn't bothered
to restrict the number of failed login attempts.

-paul