
Thread: bypassing win2k security.

  1. #11
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    Is it true you're re-starting IHG?
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  2. #12
    Couple of points to ponder/consider regarding the runas command and group policy...

    EvilSeed stated that the network has NT4 servers as the PDC and BDC...which would remove active directory from the overall environment. This would also limit the amount of security policy settings available to restrict rights to certain groups of individuals on what they can and cannot do in the domain(s).

    The "runas" command only runs in the current context of the person who is using it. How that could be construed as a security hole, I would like to see the proof of exploit. Now, the question becomes how much you need to limit the rights of low-level techs in the domain. If you know the machine name (NetBIOS name), why not restrict them to logging in just to those machines as administrator (or another name with admin rights) until the device installation is completed? Set up a temporary admin account that can only log into the machine locally, then delete the account from the SAM once the installs have been completed?

    In the absence of a fully-integrated ADS network, using a temporary local admin account may be the easiest overall solution.
    "No matter where you go,
    there you are."
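
The temporary local admin workflow suggested in post #12, as an added example that is not part of the original thread: a batch script run by a full administrator on the target workstation to create the account before the install and delete it afterwards. The account name `tmp-install`, the script's `create`/`remove` arguments and the date format are assumptions for illustration.

```batch
@echo off
rem Added example, not code from the thread.
rem TMPUSER and the create/remove arguments are hypothetical names.
setlocal
set TMPUSER=tmp-install

if /i "%1"=="create" goto create
if /i "%1"=="remove" goto remove
echo Usage: %0 create MM/DD/YYYY ^| remove
goto end

:create
if "%2"=="" (echo An expiry date is required.& goto end)
rem Without /domain, net user works on the workstation's local SAM,
rem so the account is valid on this machine only.
rem "*" makes net user prompt for the password, so it never appears
rem on the command line or in this file.
rem /expires is a backstop in case the remove step is forgotten.
net user %TMPUSER% * /add /expires:%2 /comment:"Temporary install account"
if errorlevel 1 goto end
net localgroup Administrators %TMPUSER% /add
goto end

:remove
net user %TMPUSER% /delete
rem List the remaining members so a leftover admin account is noticed.
net localgroup Administrators
goto end

:end
endlocal
```

The date passed to `/expires` must be in the format of the machine's regional settings.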

  3. #13
    Senior Member
    Join Date
    Sep 2001
    Posts
    831
    Well, I had a look quickly for runas exploits/flaws, and found 2 of them...

    The "runas" command only runs in the current context of the person who is using it
    Maybe, but as stated in this flaw documentation,

    After the RunAs utility has terminated, the user credentials supplied to execute the command are still stored (in cleartext) in memory.
    Since the page file is only removed on a restart/shutdown AFAIK, not a logout/logoff, if the general user logs in afterwards, they could get the credentials used issued on the last use of RunAs, providing it was paged to disk and they can find it..


    So, I'd say that's a way that using runas could open up a security hole.....

    I found another one, but wasn't interested enough to actually go through it....
    http://www.securitytracker.com/alert...v/1002731.html
    -Matty_Cross
    "Isn't sanity just a one trick pony anyway? I mean, all you get is one trick. Rational Thinking.
    But when you're good and crazy, hehe, the skies the limit!!"

  4. #14
    You can get programs that elevate your privileges in windoz such as getadmin, which can be downloaded off antionline.
    I have also read once that you can delete the login script in the win32 folder, and on restart a little menu starts up and you can add yourself to the admin list....but that sounds 2 easy.
    Also, if you can't get to win32 or the system folder, you can open a shell of it through Word by opening Windows Explorer at c:/winnt/win32. That's done in the immediate window of the macro editor. In win32 you can edit some of the privileges if there isn't much security or if it's badly set up.

  5. #15

    hmm

    Well guys this is what I tried to do. I tried to make a program (in Visual Basic) that my lower level techs could click on and it would bring up the runas /user:administrator and a directory they typed in. Now I tried putting the password for the administrator account as an argument in the command line, but RunAs will not allow this. So I went to Microsoft's website and downloaded the SU program for Windows 2k (works the same as the XP and Linux versions), so I tried to SU to administrator the same way I did with RunAs. The problem with that being that it, well, doesn't allow you to put the password as an argument in the command line. The nice thing is that when you do a WinExec API call in VB you do not see the command line parameters. I know that is a stupid thing, but I am not exactly trying to hide the password from a buncha hackers. Anyways, I am back against a wall here again; the inability to put the password as an argument has really got me. I tried doing FindWindow API calls and having VB write the password in the command prompt's password prompt, but that's just a tad beyond my skill since I have only been in VB for like a week.

    Well guys, I'm going to try your lil hacks you posted, and see what I can do with them. And yes, I am the IHG guy, and some old members would like to pull IHG back together. I will write another topic about this after I resolve this issue. And maybe, just maybe we will pull IHG back together and get back to hacking.

    Thanks guys!
    ------------EViLSEED
    Hackers are impervious. Resistant is futile.

