Penetration Testing mailing list archives

Re: [PEN-TEST] Deeper Penetration


From: Miller Scott Contr 30CS/FTI <Scott.Miller () VANDENBERG AF MIL>
Date: Wed, 15 Nov 2000 09:06:50 -0800

I did a similar penetration test against my own company as a demonstration
a while back, and once I got into the webserver I was able to crack some
accounts that shared passwords with their equivalents in the domain. If
that had failed, I probably would have tried setting up a NET USER command
in one of the profiles and waiting for a domain admin to log on. As for the
firewalling, how about using CPSHOST.DLL (should be standard for IIS) to
upload a file by HTTP?

Scott

-----Original Message-----
From: thylacine () HUSHMAIL COM [mailto:thylacine () HUSHMAIL COM]
Sent: Wednesday, November 15, 2000 5:51 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Deeper Penetration


I'm working on an NT 4.0 server that appears to have SP5, Exchange 5.5 SP3,
and IIS 4.0 installed.

It is running FAT on the boot partition (he said while sadly shaking his
head) and I have been able to copy SAM._ to the wwwroot directory, download
and crack it (and delete it from wwwroot so no one stumbles across it).

I already know what is going to happen when I show up with the admin
password for this server. They are going to say this is just a member
server, so it's no big deal. We all know this is wrong, but I need to prove
why. I need to move on to a domain controller. None of the accounts or
passwords I received from the local SAM on this server can be used to
directly attack the domain. I need to establish a strong foothold on this
server and move deeper into the domain.

At this point I would like to install a keyboard capture program or perhaps
VNC. Problem is, the system is firewalled and I can't get the server to
download any tools. Suggestions, anyone?

Standard Pen-Test disclaimer: This is a legal hack. :-)
