Network vs. PC Priviledges

Printable View

March 9th, 2006, 02:15 AM
Anglachel17

Network vs. PC Priviledges

I have been researching methods of gaining administrator priviledges on computers one has physical access to for a few weeks now. I have recently had a (relative to newbnish) breakthrough.
On PC's on a larger network I have read about many ways to get administrator on the PC and they are great methods. The problem I have requires that I first make a supposition though. This question seems rather ambiguous to me, but I'm sure that is just due to the wetness behind my ears.
Suppose when logging on to windows XP you have the choice of logging onto a) the network or b) the PC. Using standard methods of account promotion (cracking the local SAM with syskey), you've obtained an administrator user account; but this account is for the PC not the network and you are therefore not satisfied.
When roaming through the hard drive you've notice NTuser.day files and many folders of network users and not local users. The question is (finally, if you have't already guessed) how would you poise yourself to go after getting a network account, especially an admin account that yoy may or may not know the name of?
Cheers!
March 9th, 2006, 02:51 AM
d0pp

I would wait until an administrator has logged off of the machine, and just grab the cached logon.

Many administrators do not take steps to prevent this.
March 9th, 2006, 03:05 AM
morganlefay

Local administrator groups should not contain the server administrator account....only the domain administrators group...which again is a limited group...they cant elavate you to the server admin...afaik

All depends on the setup...and the admin.

As for cracking the SAM....that is where strong passwords would circumvent.....unless you have ALOT of time....and a very fast computer/s

MLF
March 9th, 2006, 03:23 AM
nihil

I am inclined to agree with Morgana~ on this one. The box should have a local admin group only.

There really is no logical reason for it to have the server administrator, unless it is used for that purpose. I would think that you would need to be using a machine in the network support area.

Also, servers are frequently protected by device specific rules, so admins can only log on from designated machines. Naturally, these are protected by a different level of physical security.

:)
March 9th, 2006, 03:45 AM
Anglachel17

Thanks for your replies.
As for the SAM, that was a cinch.
Once logged on as local admin, there was a folder of a network admin account in documents and settings. Within this there were nt user files. Can those be used to recover the pw of that account?
This is a sub-net of an even larger server.

Also d0pp, could you briefly explain what you mean by grabbing the cached login or send me in the right direction?

Thanks a lot guys.
March 9th, 2006, 04:13 AM
zencoder

Quote:

Originally posted here by morganlefay
...
As for cracking the SAM....that is where strong passwords would circumvent.....unless you have ALOT of time....and a very fast computer/s

MLF

What about http://www.rainbowcrack-online.com/ for cracking the passwords? I think that would remove the time/cpu power obstacle. I mean, that is the point of rainbow tables...
March 9th, 2006, 04:39 AM
nihil

Hi Zen~ this is an interesting subject to me.

As I understand things, rainbow tables are sort of exponential. Like a 14 character set takes up 60Gb.....and so on?

We are AFAIK talking pure "brute force" are we not?

So, if I have enough storage and a half decent processor I should be able to crack a pass inside 24 hours? Storage would be the problem?

I believe that Billy Windows supports a 127 character pass, with one check digit making 128 in all? Those would be one hell of a set of rainbow tables? We have got to be talking terrabytes?

I am rather out of my depth here, but I have mentioned the concep of "packing" a password, and had no feedback.

Say I have a "core" PASSWORD and I just add stuff infront and behind.

¬!"£$%^&*()_+PASSWORD`1234567890-=

I can pretty soon get to a very long password without having to remember anything but the "core"?

Comments appreciated :)
March 9th, 2006, 05:59 AM
morganlefay

Well if you want internet access on my network...you have to have an account with access...cause a local account wont do it....so you wont have access to the site ;)

As for admin passwords...MS recommends 26 charactors minimum....supposed to take an extremely long time to crack......

Quote:

So, if I have enough storage and a half decent processor I should be able to crack a pass inside 24 hours? Storage would be the problem?

...........or an extremely powerful machine....no???

I guess if you get the data and then take it off site...then crack it..and come back..maybe the passwords would be changed by then..

This is beyond me...but good password policies *should* be able to circumvent and attack of this nature...

IMHO

as always

MLF
March 9th, 2006, 06:12 AM
nihil

Hi Morgana~

Quote:

...........or an extremely powerful machine....no???

Hey, I am no expert, but I don't think so. The idea of rainbow tables is that they are precomputed solutions (not like John the Ripper) so the issue has to be more one of storage space?

The actual look up and compare should not be so much of an issue?

I am still curious as to whether my "packing" concept would work, given that all the characters are hashed and the rainbow process seems to be a straight comparison?

:confused:
March 9th, 2006, 06:25 AM
morganlefay

MS also recommends the *Pass Phrase*...

Is that what you are refering to Nihil??

"t0day I would like to see you crack my pa$$word....good luck : )"

How long do you think a rainbow table would take to crack that??? :confused:

MLF
March 9th, 2006, 07:33 AM
nihil

Actually not, Morgana~

I am aware of the concept of pass phrases, but I was more simplistic.

My example used "PASSWORD" as a core and then added the keyboard top row in uppercase and lower case, fore and aft...................

Would that sort of thing work?
March 9th, 2006, 05:15 PM
Anglachel17

To build off of your discussion guys and to get back to my own as well,
1) I've been wondering for a a couple weeks how you build a rainbow table, or where to download one (building something of that size seems more reasonable to me though).
2) Can nt user files, dat files whatever, be used to recover passwords of known users?
3) Could someone direct me or briefly inform me of how to take advantage of cached logons such as d0pp mentioned earlier?
Thanks, peace.
March 9th, 2006, 05:18 PM
morganlefay

open up a browser..go to www.google.com

type in ntuser.dat

search within

cached

or do a search on this site

before you get negged :rolleyes:

MLF