Hi all,

So I got some time in my company test lab and not really done much windows pen testing.

Does anyone have good resource or tools for windows services like

smb
ldap
ms sql
snmp
or any other ?

So I can learn more about them as nessue flags lots of problems but I am not sure how to verify them epically with smb and ldap.

Thanks

This is lab setup so it has lot of problem some of the problem listed include

default password for mysql
I tried to test for this using mysql ip -u root -p mysql but i get error cant connect or something.

smb null session
ldap null base search access
smb null session
smb uses sid to enumerate
smb lsaqueryinformationpolicy function

Jamie.R, I would highly recommend that you see about doing PWB and OSCP.

Tools for everything there are readily available in BackTrack, may even be nmap scripts for it

~TheXero

Jamie.R - in that case, you'd need to look for SQL- or command-injection to be able to pass root's login via a web app.  I recall having to do EXACTLY that, when I was helping beta test for the US Cyber challenge, a couple of summers ago.

A few guidelines from you original question:

smb - look for missing patches and public exploits. you can also dictionary attack smb for credentials. i'd start with username "administrator" You can also capture hashes for smb creds and use these in pass the hash techniques. There are a number of ways to do this.

ldap - if anonymous ldap sessions are allowed you can enumerate this service for lots of juicy info.

ms sql - look for missing patches. Better yet, if you can get creds for SA then more than likely they have xp_cmdshell functioning and you can get root, easy. You can get creds by dictionary attack, SE, or existing odbc connections.

snmp - again, dictionary attack. If you can find out the community string, you can likely read/write entire server configurations. This is a very powerful, yet often overlooked security issue on corporate lans.

I would recommend getting a copy of MSDN and installing your own AD environment so you can see all the moving parts of an AD environment. This is paramount to successful pentesting since most orgs use AD in one fashion or another.

Win XP in a domain environment, with a default Sec Policy, will cache up to 5 passwords I think.  I have to look at my lab DC.  But yeah XP even with SP3 is still a pretty good target.  Now if the Sys admin in the domain is doing it write, Windows Firewall is enabled so many of the attacks might not work. 

Also I think by default MS SQL will not allow network connections until you go into the config and turn it on.  MySQL may do the same thing.

Just because Nessus says it so, doesn't mean it is.  Get the MSSQL Management tool, this will allow you to test for connections.  Also NMAP has a nifty script to locate systems broadcasting services such as DNS, SQL and other types.


It will run a series of broadcast scripts.  If you want to see the details y ou can view them in the nmap/scripts folder.  There is also one for listening for Dropbox LAN sync broadcasts >D

Sorry if I got off topic a bit

Jamie.R, you if want a go at my challenge, drop by #intern0t on irc.freenode.net and we'll set you up for the CTF which is currently running

MCITP What does this cover is it only active directory or is it more like Microsoft admin course ?