Penetration Testing mailing list archives

Re: [PEN-TEST] IIS HACKING


From: Tim Hirst <thirst () HIVERWORLD COM>
Date: Wed, 18 Oct 2000 15:56:29 -0700

L0phtcrack will die when trying to open a non-expanded SAM file. Expand
will not work on a damaged file and I can confirm that showcode.asp
seems to mangle the sam._ beyond repair. I suspect that it is stripping
some characters somewhere but I haven't done any testing to get the
specifics. However, showcode.asp can still be useful in grabbing other
files from the system. I primarily use it to view the source of various
.asp files that might be on the web server. You can often find DSNs,
usernames, and passwords to their back-end database by sifting through
the code. For many companies, having access to a database can often
times be more damaging than having access to the SAM.

"Costa, Andrew" wrote:

http://www.victim.com/msadc/samples/selector/showcode.asp?source=/msadc/../../../../../winnt/repair/sam._
There you go, you get the infamous sam._ file, copy it, expand it and crack
it using Lophtcrack, my personal choice, and you will get all user passwords
even the administrator one.

I tried this on one of my boxes, and yes I got the SAM on the View Source
ASP page, but it appears to have gotten mangled by the ASP formatting. What
I tried next was use netcat to do a GET to the appropriate URL, strip out
the HTML tags leaving the SAM db, and then expand it using expand.exe. It
wouldn't expand, and when L0pht tried to open it, the program would just
disappear. The editors I tried using included wordpad/2K, console editor/2K,
and notepad/2K.

I would really like to see this one work in action, I think it would send a
strong wake-up call to my ppl within my organization about lax
intranet/internet security.

Andrew

PS: I know that the SAM._ is not syskey encrypted either, so that is not the
issue w/expansion or opening in l0pht

--
| Tim Hirst                          <thirst () hiverworld com>
| Professional Services            http://www.hiverworld.com
| 510.848.0740 [Office]                510.612.4384 [Mobile]
| Hiverworld  -=-  Adaptive, Distributed Security Technology
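
For defenders reviewing web server logs, the following is an added example and not part of the original posts: it scans IIS W3C extended log lines for showcode.asp requests whose source parameter climbs out of the sample directory, as in the URL quoted above. The log lines are constructed, and the ALLOWED_PREFIX value and function name are assumptions made for illustration.

```python
import posixpath
from urllib.parse import parse_qsl, unquote

# Assumption: the sample viewer is only meant to show files under this path.
ALLOWED_PREFIX = "/msadc/"

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-10-18 22:41:07 192.0.2.10 GET /msadc/samples/selector/showcode.asp source=/msadc/samples/selector/default.asp 200
2000-10-18 22:41:52 192.0.2.77 GET /msadc/samples/selector/showcode.asp source=/msadc/../../../../../winnt/repair/sam._ 200
2000-10-18 22:42:10 192.0.2.77 GET /msadc/samples/selector/showcode.asp Source=/msadc/%2e%2e/%2e%2e/%2e%2e/winnt/repair/sam._ 200
2000-10-18 22:43:00 192.0.2.10 GET /default.asp - 200
"""


def find_showcode_traversal(log_text):
    """Return (client_ip, resolved_path, status) for suspicious showcode.asp hits."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if not row.get("cs-uri-stem", "").lower().endswith("/showcode.asp"):
            continue
        query = row.get("cs-uri-query", "")
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key.lower() != "source":  # ASP query keys are case-insensitive
                continue
            # parse_qsl decoded once; decode again to catch double encoding,
            # and treat backslashes as path separators.
            path = unquote(value).replace("\\", "/")
            resolved = posixpath.normpath(path)
            climbs = ".." in path.split("/")
            outside = not (resolved + "/").startswith(ALLOWED_PREFIX)
            if climbs or outside:
                hits.append((row.get("c-ip", "?"), resolved,
                             row.get("sc-status", "?")))
    return hits


if __name__ == "__main__":
    for ip, resolved, status in find_showcode_traversal(SAMPLE_LOG):
        print(f"{ip} requested {resolved} via showcode.asp (HTTP {status})")
```

A hit with status 200 means the file contents were returned to the client, so any credentials stored in the requested file should be treated as exposed.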

