OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Zwan-van-der.Erwin (Erwin.Zwan-van-dersiemens.nl)
Date: Tue May 21 2002 - 07:38:56 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Try some other null sessions tools first, to get a feel for the system.
    Then, if some new info develops, try to exploit that. Did you make a full
    port scan already? Do you have a glue about services running on your target?
    Of course the goal is set to go for admin. Try to find an exploit and dump
    the SAM or sniff something from the wire.

    Some other command line tools are:

    Enum Windows NT Command lint tool to enumeration Windows information using
    null sessions. Enum can retrieve userlists, machine lists, sharelists,
    namelists, group and member lists, password and LSA policy information. enum
    is also capable of a rudimentary brute force dictionary attack on individual
    accounts. http://razor.bindview.com/tools/index.shtml

    Exporter Windows NT Command line tool for exporting users, groups, group
    members, services, computers, shares, disk space, and printers (in any
    combination) from any or all computers on any Windows NT/Windows 2000
    domain. Includes online .HLP documentation file. Exporter is also
    integrated into Hyena. http://www.somarsoft.com

    GetAcct Windows NT Command line tool to sidestep "RestrictAnonymous=1" and
    acquires account information on Windows NT/2000 machines. Input the IP
    address or NetBIOS name of a target computer in the "Remote Computer"
    column. Input the number of 1000 or more in the "End of RID" column. The RID
    is user's relative identifier by which the Security Account Manager gives it
    when the user is created. Therefore, it is input as 1100, if there are 100
    users. Finally push the "Get Account" button. http://www.securityfriday.com
     
    NBTEnum Windows NT Command line tool for Windows which can be used to
    enumerate one single host or an entire class C subnet. This utility can run
    in two modes: query and attack. The main difference between these modes is
    that when NBTEnum is running in attack mode it will seek for blank password
    and for passwords that are the same as the username but then in lowercase
    letters. Changes: Dictionary attack added, now does enumeration of NT
    version and Service Pack level, AutoAdminLogon detection, WinVNC encrypted
    password extraction, and Enumeration of NT services.
    http://ntsleuth.0catch.com/. By NTSleuth

    NTInfo Windows NT Command line tool to provide the a complete overview of a
    Windows NT system. This script creates an information file with info on
    registry, services, drivers, hardware, nbtstat, arp, winmsd, route, ipconfig
    etc. Requires several tools from the Resources kit to create the overview.
     
    UserInfo Windows NT Command line tool that retrieves all available
    information about any know user from any NT/Win2k system that you can hit
    139 on. Specifically calling the NetUserGetInfo api call at Level 3,
    UserInfo returns standard info like SID, Primary group, logon restrictions,
    etc., but it also dumps special group information, pw expiration info, pw
    age, smartcard requirements, and lots of other stuff. This guy works as a
    null user, even if the system has RA set to 1 to specifically deny anonymous
    enumeration. http://www.hammerofgod.com/download.htm

    IPC$ Cracker Windows NT Command line tool to attempt to crack a user's
    password using a dictionary attack by connecting to the IPC$ hidden share on
    a NT machine and trying passwords read from a text file.
     
    NTCrack Windows NT Command line tool to run password dictionary attacks
    using administrator account to access Windows share or service.
    http://somarsoft.com/ntcrack.htm

     
    -----Original Message-----
    From: cgreen001hotmail.com [mailto:cgreen001hotmail.com]
    Sent: donderdag 16 mei 2002 23:23
    To: pen-testsecurityfocus.com
    Subject: Q: Null Session information from NAT.EXE

    I ran NAT.EXE on a machine and got the following results:
    (contents changed)

    =======================================================
    [*]--- Checking host: xxx.xxx.xxx.xxx
    [*]--- Obtaining list of remote NetBIOS names
    [*]--- Remote systems name tables:

         ZONEACE
         ZONEWORKGROUP
         ZONEACE
         ZONEACE
         ZONEWORKGROUP

    [*]--- Attempting to connect with name: *
    [*]--- Unable to connect

    [*]--- Attempting to connect with name: ZONEACE
    [*]--- CONNECTED with name: ZONEACE
    [*]--- Attempting to connect with protocol: MICROSOFT
    NETWORKS 1.03
    [*]--- Server time is xxx
    [*]--- Timezone is UTC+9.0
    [*]--- Remote server wants us to encrypt, telling it not to
    [*]--- Attempting to establish session

    [*]--- Obtained server information:

    Server=[ZONEACE] User=[] Workgroup=[ZONEWORKGROUP] Domain=[]

    [*]--- Obtained listing of shares:

            Sharename Type Comment
            --------- ---- -------
            IPC$ IPC:

    [*]--- Attempting to access share: \\ZONEACE\
    [*]--- Unable to access

    [*]--- Attempting to access share: \\ZONEACE\ADMIN$
    [*]--- Unable to access

    [*]--- Attempting to access share: \\ZONEACE\C$
    [*]--- Unable to access

    [*]--- Attempting to access share: \\ZONEACE\D$
    [*]--- Unable to access

    [*]--- Attempting to access share: \\ZONEACE\ROOT
    [*]--- Unable to access

    [*]--- Attempting to access share: \\ZONEACE\WINNT$
    [*]--- Unable to access

    ========================================================

    It seems that this system is O.K.
    What else should I check to test the penetration?
    In other words, how could you proceed?

    Thank you.

    James.

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/