December 2, 2011 at 4:08 pm #7104
So I got some time in my company test lab and not really done much windows pen testing.
Does anyone have good resource or tools for windows services like
or any other ?
So I can learn more about them as nessue flags lots of problems but I am not sure how to verify them epically with smb and ldap.
December 2, 2011 at 5:51 pm #44211TribanParticipant
craft clever phishing email
attach a pdf or excel sheet with embeded flash object which sets up a reverse shell connection
Wait for them to open it 😀
Proceed with recon! 😀
I keed I keed. Depends on your goal. With the Windows attacks, much of them have been due to 3rd party software not being patched rather than an actual flaw in Windows.
With SQL many times the built in SA account isn’t properly secured or utilizes the same admin password as say the local admin of the computer. If they are old versions of Windows (XP/2003) then you have more options. If they are newer versions (7/2008) then you will have your work cut out for you. If they have been hardened, it will be that much tougher.
December 3, 2011 at 1:53 pm #44212
This is lab setup so it has lot of problem some of the problem listed include
default password for mysql
I tried to test for this using mysql ip -u root -p mysql but i get error cant connect or something.
smb null session
ldap null base search access
smb null session
smb uses sid to enumerate
smb lsaqueryinformationpolicy function
December 3, 2011 at 4:00 pm #44213hayabusaParticipant
mysql might not be configured to allow root access from anywhere… Might only allow from localhost (thus via a local webapp, or something)
December 3, 2011 at 5:15 pm #44214TheXeroParticipant
Jamie.R, I would highly recommend that you see about doing PWB and OSCP.
Tools for everything there are readily available in BackTrack, may even be nmap scripts for it 🙂
December 3, 2011 at 5:25 pm #44215
That is a good point hayabusa but if that the case if nessus reports mysql using default credentials how can you confirm this as you cant really report an issue to client without being sure it is an issue.
I plan on doing OSCP but it just getting the money sadly my company wont pay for me as they prefer to train in house but I am trying to progress my training myself but as I am only junior don’t get paid that much.
It is on my list of things to do 😛
December 3, 2011 at 7:56 pm #44216hayabusaParticipant
Jamie.R – in that case, you’d need to look for SQL- or command-injection to be able to pass root’s login via a web app. I recall having to do EXACTLY that, when I was helping beta test for the US Cyber challenge, a couple of summers ago.
December 4, 2011 at 12:20 pm #44217
Cool will look into that does anyone have any good links for leaving more about windows ? I mean I have used windows for about 14 years at home but not really in a business environment so have not dealt with domain controllers and stuff like that.
December 5, 2011 at 2:28 am #44218
A few guidelines from you original question:
smb – look for missing patches and public exploits. you can also dictionary attack smb for credentials. i’d start with username “administrator” 😉 You can also capture hashes for smb creds and use these in pass the hash techniques. There are a number of ways to do this.
ldap – if anonymous ldap sessions are allowed you can enumerate this service for lots of juicy info.
ms sql – look for missing patches. Better yet, if you can get creds for SA then more than likely they have xp_cmdshell functioning and you can get root, easy. You can get creds by dictionary attack, SE, or existing odbc connections.
snmp – again, dictionary attack. If you can find out the community string, you can likely read/write entire server configurations. This is a very powerful, yet often overlooked security issue on corporate lans.
I would recommend getting a copy of MSDN and installing your own AD environment so you can see all the moving parts of an AD environment. This is paramount to successful pentesting since most orgs use AD in one fashion or another.
December 5, 2011 at 9:28 am #44219
Cool thanks for that any good link to things like smb and ldap and stuff ? Yah install AD might be worthwhile task.
December 5, 2011 at 2:17 pm #44220TribanParticipant
Win XP in a domain environment, with a default Sec Policy, will cache up to 5 passwords I think. I have to look at my lab DC. But yeah XP even with SP3 is still a pretty good target. Now if the Sys admin in the domain is doing it write, Windows Firewall is enabled so many of the attacks might not work.
Also I think by default MS SQL will not allow network connections until you go into the config and turn it on. MySQL may do the same thing.
Just because Nessus says it so, doesn’t mean it is. Get the MSSQL Management tool, this will allow you to test for connections. Also NMAP has a nifty script to locate systems broadcasting services such as DNS, SQL and other types.
nmap -P0 –script=broadcast
It will run a series of broadcast scripts. If you want to see the details y ou can view them in the nmap/scripts folder. There is also one for listening for Dropbox LAN sync broadcasts >D
Sorry if I got off topic a bit 😀
December 9, 2011 at 9:43 am #44221
what’s the best way to learn about domains is it good idea set one up can this be done for free ? any other useful information on testing windows or tools be really great thanks.
December 9, 2011 at 10:33 am #44222TheXeroParticipant
Jamie.R, you if want a go at my challenge, drop by #intern0t on irc.freenode.net and we’ll set you up for the CTF which is currently running 🙂
December 9, 2011 at 2:02 pm #44223
I think the system admin/network admin stuff is incredibly important to be a good pentester, so you definitely should learn all about AD. There are a few options:
– Start working helpdesk or sys/network admin roles
– Get your MCITP
– Spend $200 and get a subscription to MSDN so you can download and play with every piece of software MS makes. Then, set up your own AD domain, exchange server, sql server etc. etc. etc.
I really believe the network work is huge, simply because if you pop a box on a network, will you know where to go next? Would you know how to pull data off a sql server? Would you know how to export email off an exchange server? Just a few simple things, but can be incredibly valuable to a client because getting domain admin might not mean as much to them as stealing the CEO’s email.
December 12, 2011 at 12:01 pm #44224
MCITP What does this cover is it only active directory or is it more like Microsoft admin course ?
December 12, 2011 at 2:03 pm #44225
It’s heavy on AD but there are other areas of focus as well.
December 12, 2011 at 9:31 pm #44226FlorinParticipant
cd1zz pointed you to some very good directions; for a real world scenario I will add searching for shares and trying to access them – you will be amazed how many misconfigurations exist.
For ldap: after you enumerate the juicy stuff, you can try again a dictionary attack on the user names discovered, even if the account lock-out is in place you might get lucky and guess a password with a dictionary attack.
December 13, 2011 at 9:40 am #44227
Cool I will try look into all these things and let you know how i get on.
December 19, 2011 at 12:22 am #4422824772433Participant
If you want to tinker with AD for free Microsoft have quite a few pre-configured VHDs for Microsoft Virtual Server.
I’ve used these in the past, mainly the Exchange servers for evaluation and testing. With the standalone 2008/2003 servers you can easily create an AD environment just by running the command DCPROMO from RUN. A simple wizard will configure AD on your server.
December 19, 2011 at 9:59 am #44229
Cool thanks for the link will have to take a look at that.
- You must be logged in to reply to this topic.