home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
WINMX Assorted Textfiles
/
Ebooks.tar
/
Text - Tech - OS - NT - security guide 04.txt
< prev
next >
Wrap
Text File
|
2003-09-27
|
4KB
|
82 lines
NT security guideSection 04
From The Console
04-1. What does console access get me?
04-2. What about the file system?
04-3. What is NetMon and why do I care?
04-4. What can I do to get info from other computers from the console?
04-5. What is GetAdmin.exe?
04-1. What does console access get me?
There are a few advantages to having direct console access. First off, try the
hacks listed in sections 05-1, 05-2, and 05-3. 05-3 especially may not work
across a network if the administrator is not allowed to login except at the
console. And a brute force attack from the console will run a lot quicker than
across the network anyway.
04-2. What about the file system?
Obviously gaining access to the file system from the console is much easier than
across a network, especially if the Sys Admin is trying to keep you out.
Try booting up the system from an MS-DOS diskette, and running NTFSDOS.EXE to
access the NTFS file system. Currently this software is read only, so it is only
good for getting copies of existing data. Linux is another OS that will read an
NTFS file system, but "simply loading Linux" on a "spare partition" is usually
impractical, and hardly simple if you are not familiar with it. See section 02-3
for an easier Linux method.
04-3. What is NetMon and why do I care?
NetMon is Microsoft's Network Monitor. It is a sniffer that runs under NT, and
being a sniffer if you have to ask why you care, well, never mind ;-)
NetMon is protected by a password scheme on version 3.51 that has nothing to do
with regular NT security. In Phrack 48 file 15, AON and daemon9 have not only
cracked the encryption scheme, they have written exploits for it as well. Check
Section 10-6 for the location of the exploit code (it includes full source
including a Unix version in case you do not have an NT compiler).
By the way, compared to other commercial sniffers, NetMon sucks.
04-4. What can I do to get info from other computers from the console?
If the console you have stumbled on is a domain controller (or you have simply
hooked one up), try these steps to get a list of accounts on the target machine:
1. From the USER MANAGER, create a trusting relationship with the target.
2. Enter whatever when asked for a password. Don't fret when it doesn't work.
The target is now on your trusting list.
3. Launch NT Explorer and right click on any folder.
4. Select SHARING.
5. From the SHARED window, select ADD.
6. From the ADD menu, select your target NT server.
7. You will now see the entire group listing of the target.
8. Select SHOW USERS and you will see the entire user listing, including full
names and descriptions.
This gives you a list of user accounts to target for individual attack. By
studying the group memberships, you can even make decisions about who will have
more privileges than others.
04-5. What is GetAdmin.exe?
GetAdmin.exe is a program written by Konstantin Sobolev. It exploits a
subfunction in NtAddAtom that does not check the address of the output. By
altering where the output can be written to, GetAdmin adds a user to the
Administrators group. It works on NT 4.0.
The easiest way to use it is to simply copy it to \TEMP (along with its DLL,
GASYS.DLL) and run it like so: GETADMIN GUEST (or whatever account you wish to
add).
This will add Guest to the Administrators group.
GetAdmin will add domain accounts on a primary domain controller and even other
domain accounts. Since it is a command line tool, it will work across a telnet
session.
There is a post SP3 Hot Fix available from Microsoft that defeats this if
loaded.
It is possible that some type of filtering might be in place to prevent
uploading or downloading of files. To circumvent this, try renaming the
executable with some other extension. For example START GETADMIN.XXX GUEST will
work fine if EXEs are a problem.
