Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Help with Exploit

from [Miha Pihler] Network Security [Permanent Link]
Subject: RE: Help with Exploit
Date: Tue, 17 Apr 2007 19:31:15 +0200 
Hi,

You can also use psexec from
http://www.microsoft.com/technet/sysinternals/utilities/psexec.mspx to do
this... 

psexec -i -d -s c:\windows\regedit.exe
(Run Regedit interactively in the System account to view the contents of the
SAM and SECURITY keys)

Vista will not allow you to run "at" with "/interactive"...

Miha

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of James D. Stallard
Sent: Tuesday, April 17, 2007 5:30 PM
To: 'Harlan Carvey'; 'Nicolas RUFF'; 'Murda Mcloud'; 'Vic Brown'
Cc: focus-ms@securityfocus.com
Subject: RE: Help with Exploit

Harlan, et al

To access the security regkeys in HKLM you don't need to change the ACLs.

This is an age-old (well, since early NT4 anyway) trick to get LOCALSYSTEM
privs on anything that allows you to run an AT job:

. Get the current time.
. From CMD line run "AT <time+1 minute> /interactive CMD.EXE".
. Wait for a minute.
. CMD window opens in LOCALSYSTEM context.
. Run REGEDIT from new CMD window.
. Navigate to HKLM\SECURITY.
. Marvel at now visible security keys: Cache, Policy, RXACT, SAM.

This particular trick is the basis for a deal of trivial priv escalation
attacks on windows, so if you can, you should secure the Task Scheduler with
a non-priv'ed user or disable it. Another good reason for not giving users
local admin rights.

Cheers

James

James D. Stallard, MIoD
Microsoft and Networks Infrastructure Technical Architect
Web: www.leafgrove.com
LinkedIn: www.linkedin.com/in/jamesdstallard
Skype: JamesDStallard






-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Harlan Carvey
Sent: 17 April 2007 14:40
To: Nicolas RUFF; Murda Mcloud; 'Vic Brown'
Cc: focus-ms@securityfocus.com
Subject: Re: Help with Exploit



I've done some googling and am finding that the

new RR version  checks the

security hive(which I believe to be 'invisible' to

regedit-can someone

correct me if I'm wrong?).


On a live system, the Security hive is not accessible by default.  You need
to change the ACLs so that the Admin has the ability to read the hive.


I know I am coming late on this one, but registry keys that contain 
NULL characters cannot be accessed through REGEDIT. You have to rely 
on the low-level NTDLL API to access them. It is known "copy 
protection" trick :)


What?


------------------------------------------
Harlan Carvey, CISSP
author: "Windows Forensic Analysis"
http://windowsir.blogspot.com
------------------------------------------

Attachment: smime.p7s
Description: S/MIME cryptographic signature

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Help with Exploit, James D. Stallard
Next by Date:  Re: Help with Exploit, Thor (Hammer of God)
Previous by Thread:  RE: Help with Exploit, James D. Stallard
Next by Thread:  RE: Help with Exploit, Murda Mcloud
Indexes:  [Date] [Thread] [Top] [All Lists]