Network Security Pen-Test

RE: add a local admin user without a pop-up ?

Subject: RE: add a local admin user without a pop-up ?
Date: Mon, 4 Dec 2006 09:21:51 -0600
Try the "start" command.   It has options to start commands minimized
and without a new window created.  It might be able to do what you need.

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of me
Sent: Friday, December 01, 2006 5:44 PM
To: pen-test@securityfocus.com
Subject: add a local admin user without a pop-up ?

We are conducting a pen test that allows social
engineering emails sent out that may allow us to take
over the user who opens one of them.  I created an
email hack but am now wondering how to add a local
admin user WITHOUT HAVING A DOS PROMPT POP UP WHEN THE
EMAIL IS OPENED.

I cannot transport any files (of any sort - no wscript
file or vbs or any file!!) to the victim and I am
limited to the native XP commands and processes that
are on the victim machine.  If I catch a victim (catch
& release) I will be able to reach the victim machine
with native XP means (net use - nc to ports etc..).
The victim then gets scolded about opening
inappropriate emails...


The victim is almost always an administrator or power
user so almost any command or process can be used.  I
tried many/many variants of invoking the "Cmd.exe"
shell but so far it always creates a momentary DOS
screen pop-up.

tried many variants similar to below:

CMD.EXE /Q /C net user testx password /add
or
start /B /wait cmd /Q /C c:\windows\system32\net.exe
user testx password /add

pop-ups in either case

I have used rundll32.exe in the past to avoid pop-ups
(in most cases) so I tried:

rundll32.exe netapi32.dll,NetUserAdd
(%COMPUTERNAME%,1,(NEWUSER,PASSWORD),0) (wrapped)

I tried many variants of the above but I always get a
pop up "An Exception occurred while trying to run
netapi32.dll.."

OK

I plugged netapi32.dll into Olly and saw the dll entry
NetUserAdd takes 4 parms -but the 3rd parm
is a LBYTE pointer to the input buffer.  I wonder if
rundll32.exe can construct such a pointer for me?

Using only the programs and API calls available from
what is essentially an XP DOS shell - does anyone have
a better way to do this without creating a DOS pop-up
?

I have already figured out how to write the "net user
Username PSWD /add" & "net localgroup administrators
Username /add" cmds to the registry (the run key) -
without creating a pop-up! (Silently..)

However, the problem with the above is that it
requires a logon/logoff or re-boot to occur before the
user is added. Thus my quest for a silent (no pop-up)
but immediate means to do this.

Since the email interface can call a winapi - I may
have to try to call netapi32.dll/NetUserAdd - I hope
that I do not have to do that - the test may be over -
before I can decipher the correct syntax between my
email system and the STDCALL Winapi

Thanks


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?campp1600000008bOW
------------------------------------------------------------------------
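The command lines quoted in this thread are also the simplest place for a defender to catch the activity: whichever wrapper is used (cmd /Q /C, start /B, a full path to net.exe), the process-creation record still carries "net user ... /add" and "net localgroup administrators ... /add", and the rundll32/netapi32 and Run-key variants mentioned above have equally recognisable shapes. The Python below is an added example, not code from the thread or from either poster. It runs those patterns over a handful of constructed process-creation events (the field names and sample records are my own, modelled loosely on what an EDR or Sysmon-style process log carries, not real captures) and raises the severity when a user-add is followed by an admin-group-add for the same account on the same host within a short window, or when the shell was spawned by a mail client as in the scenario described.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real captures). Field names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2006-12-01T17:44:10", "host": "WS01", "user": "CORP\\alice",
     "parent": "outlook.exe",
     "cmdline": r"CMD.EXE /Q /C net user testx password /add"},
    {"ts": "2006-12-01T17:44:11", "host": "WS01", "user": "CORP\\alice",
     "parent": "cmd.exe",
     "cmdline": r"net localgroup administrators testx /add"},
    {"ts": "2006-12-01T17:50:00", "host": "WS02", "user": "CORP\\bob",
     "parent": "explorer.exe",
     "cmdline": r"rundll32.exe netapi32.dll,NetUserAdd (%COMPUTERNAME%,1,(NEWUSER,PASSWORD),0)"},
    {"ts": "2006-12-01T18:02:30", "host": "WS03", "user": "CORP\\carol",
     "parent": "explorer.exe",
     "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /t REG_SZ /d "net user testx password /add"'},
    {"ts": "2006-12-01T18:10:00", "host": "WS04", "user": "CORP\\dave",
     "parent": "explorer.exe",
     "cmdline": r"net use Z: \\fileserver\share"},   # benign, must not alert
]

# Command-line shapes from the thread. net1 and full-path/.exe forms are
# accepted so wrapping in cmd /C or start /B makes no difference.
USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)(?:\s+\S+)?\s+/add\b", re.I)
GROUP_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+(\S+)\s+/add\b", re.I)
RUNDLL_NETAPI = re.compile(r"\brundll32(?:\.exe)?\s+netapi32\.dll\s*,", re.I)
RUNKEY_WRITE = re.compile(r"\breg(?:\.exe)?\s+add\s+\S*\\CurrentVersion\\Run\b", re.I)
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # assumed list of mail client images


def classify(event):
    """Return (rule, account) for one event, or None if nothing matched.

    The outer command decides the rule, so a Run-key write whose payload is a
    net user command is reported as persistence, not as an immediate user-add.
    """
    cmd = event["cmdline"]
    if RUNKEY_WRITE.search(cmd):
        return "run_key_persistence", None
    if RUNDLL_NETAPI.search(cmd):
        return "rundll32_netapi32", None
    m = USER_ADD.search(cmd)
    if m:
        return "local_user_add", m.group(1)
    m = GROUP_ADD.search(cmd)
    if m:
        return "admin_group_add", m.group(1)
    return None


def analyze(events, window=timedelta(minutes=10)):
    """Walk events in time order, emit one alert per matching event, and add a
    critical alert when a user-add is followed by an admin-group-add for the
    same account on the same host within `window`."""
    alerts = []
    pending_adds = {}   # (host, account) -> timestamp of the user-add
    for ev in sorted(events, key=lambda e: e["ts"]):
        hit = classify(ev)
        if hit is None:
            continue
        rule, account = hit
        ts = datetime.fromisoformat(ev["ts"])
        # A shell spawned by the mail client is the thread's exact scenario.
        severity = "high" if ev["parent"].lower() in MAIL_CLIENTS else "medium"
        alerts.append({"rule": rule, "severity": severity, "host": ev["host"],
                       "account": account, "user": ev["user"], "cmdline": ev["cmdline"]})
        key = (ev["host"], account.lower()) if account else None
        if rule == "local_user_add":
            pending_adds[key] = ts
        elif rule == "admin_group_add" and key in pending_adds:
            if ts - pending_adds[key] <= window:
                alerts.append({"rule": "local_admin_created", "severity": "critical",
                               "host": ev["host"], "account": account,
                               "user": ev["user"], "cmdline": ev["cmdline"]})
    return alerts


def summarize(alerts):
    """Count alerts per rule for a quick triage view."""
    counts = {}
    for a in alerts:
        counts[a["rule"]] = counts.get(a["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a['severity']:8}] {a['rule']:22} host={a['host']} "
              f"account={a['account']} :: {a['cmdline']}")
    print(summarize(analyze(SAMPLE_EVENTS)))
```

The correlation step matters more than the individual matches: a lone "net user" from an administrator's console is routine, but a fresh account landing in the local Administrators group seconds later, on a workstation, from a shell whose parent is the mail client, is the sequence this thread is about and is worth a critical alert on its own.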

