The Unofficial NT Hack FAQ

[ Return to TOC | Return to FAQ Page ]


Section 04

From The Console

04-1. What does console access get me?
04-2. What about the file system?
04-3. What is NetMon and why do I care?
04-4. What can I do to get info from other computers from the console?
04-5. What is GetAdmin.exe?

04-1. What does console access get me?

There are a few advantages to having direct console access. First off, try the hacks listed in sections 05-1, 05-2, and 05-3. Section 05-3 in particular may not work across the network if the Administrator account is restricted to logging on at the console. And a brute-force attack run from the console will go a lot quicker than one across the network anyway.


04-2. What about the file system?

Obviously, getting at the file system from the console is much easier than across the network, especially if the Sys Admin is trying to keep you out.

Try booting the system from an MS-DOS diskette and running NTFSDOS.EXE to read the NTFS file system. Currently this software is read-only, so it is only good for making copies of existing data, not for changing anything. Linux is another OS that will read NTFS, but "simply loading Linux" on a "spare partition" is usually impractical, and hardly simple if you are not familiar with it. See section 02-3 for an easier Linux method.


04-3. What is NetMon and why do I care?

NetMon is Microsoft's Network Monitor. It is a sniffer that runs under NT, and if you have to ask why you should care about a sniffer, well, never mind ;-)

The NT 3.51 version of NetMon is protected by its own password scheme, which has nothing to do with regular NT account security. In Phrack 48, file 15, AON and daemon9 not only cracked the encryption scheme but wrote exploits for it as well. Check section 10-6 for the location of the exploit code (it includes full source, including a Unix version in case you do not have an NT compiler).

By the way, compared to other commercial sniffers, NetMon sucks.


04-4. What can I do to get info from other computers from the console?

If the console you have stumbled on is a domain controller (or you have simply hooked one up), try these steps to get a list of accounts in the target domain:

1. In USER MANAGER FOR DOMAINS, add the target domain as a trusted domain (Policies, Trust Relationships).

2. Enter whatever you like when asked for the trust password. Don't fret when it fails; the target is now on your list of trusted domains anyway.

3. Launch NT Explorer and right-click any folder.

4. Select SHARING and share the folder.

5. Click PERMISSIONS, then ADD.

6. In the ADD USERS AND GROUPS dialog, pick your target domain from the LIST NAMES FROM drop-down.

7. You will now see the entire group listing of the target.

8. Click SHOW USERS and you will see the entire user listing, including full names and descriptions.

This gives you a list of user accounts to target individually. By studying the group memberships, you can also decide which accounts are likely to have more privileges than others and go after those first.
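Step 8 gives you the raw listing; the paragraph above says to weigh accounts by their group memberships. The C program below is an added example, not part of the FAQ and not any NT tool: it parses the text that `net group "<group>" /domain` prints on NT (header lines, a `Members` line, a dashed rule, then member names left-justified in 25-character columns, a layout assumed here from that command's output) for several groups and orders the accounts by the most privileged group each belongs to. The three listings are constructed sample data, and the ranking in `group_rank` is an assumption, not something the FAQ defines.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Constructed sample output of `net group "<name>" /domain` for three groups.
 * Layout assumed from that command: header lines, "Members", a dashed rule,
 * then member names left-justified in 25-character columns. */
static const char *DOMAIN_ADMINS =
    "Group name     Domain Admins\n"
    "Comment        Designated administrators of the domain\n"
    "\n"
    "Members\n"
    "\n"
    "-------------------------------------------------------------------------------\n"
    "Administrator            jsmith\n"
    "The command completed successfully.\n";

static const char *BACKUP_OPERATORS =
    "Group name     Backup Operators\n"
    "Comment        Members can bypass file security to back up files\n"
    "\n"
    "Members\n"
    "\n"
    "-------------------------------------------------------------------------------\n"
    "backupsvc                mlee\n"
    "The command completed successfully.\n";

static const char *DOMAIN_USERS =
    "Group name     Domain Users\n"
    "Comment        All domain users\n"
    "\n"
    "Members\n"
    "\n"
    "-------------------------------------------------------------------------------\n"
    "Administrator            backupsvc                jsmith\n"
    "mlee                     rpatel                   tchen\n"
    "The command completed successfully.\n";

#define MAX_TARGETS 64
#define NAME_LEN 26            /* one 25-character column plus NUL */
struct target { char name[NAME_LEN]; int rank; int groups; };
static struct target targets[MAX_TARGETS];
static int ntargets = 0;

/* Assumed ranking of how valuable a member of each group is as a target. */
static int group_rank(const char *group) {
    if (strcmp(group, "Domain Admins") == 0) return 3;
    if (strcmp(group, "Account Operators") == 0 ||
        strcmp(group, "Backup Operators") == 0 ||
        strcmp(group, "Server Operators") == 0) return 2;
    return 1;                  /* Domain Users and anything else */
}

static struct target *find_or_add(const char *name) {
    for (int i = 0; i < ntargets; i++)
        if (strcmp(targets[i].name, name) == 0) return &targets[i];
    if (ntargets == MAX_TARGETS) return NULL;
    struct target *t = &targets[ntargets++];
    strcpy(t->name, name);     /* name is at most NAME_LEN-1 chars by construction */
    t->rank = 0;
    t->groups = 0;
    return t;
}

/* Parse one listing. Members are only read after the dashed rule and up to
 * the "The command completed" trailer. Returns the number of members seen. */
static int parse_net_group(const char *group, const char *listing) {
    int rank = group_rank(group), in_members = 0, seen = 0;
    for (const char *p = listing; *p; ) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (!in_members) {
            if (len > 0 && p[0] == '-') in_members = 1;   /* dashed rule ends the header */
        } else if (strncmp(p, "The command completed", 21) == 0) {
            break;
        } else {
            for (size_t col = 0; col < len; col += 25) {  /* one name per 25-char field */
                char name[NAME_LEN];
                size_t w = len - col < 25 ? len - col : 25;
                memcpy(name, p + col, w);
                name[w] = '\0';
                while (w > 0 && isspace((unsigned char)name[w - 1])) name[--w] = '\0';
                if (w == 0) continue;
                struct target *t = find_or_add(name);
                if (!t) continue;
                if (rank > t->rank) t->rank = rank;       /* keep the best group seen */
                t->groups++;
                seen++;
            }
        }
        p = eol ? eol + 1 : p + len;
    }
    return seen;
}

/* Highest rank first, then breadth of membership, then name for stability. */
static int by_priority(const void *a, const void *b) {
    const struct target *x = a, *y = b;
    if (x->rank != y->rank) return y->rank - x->rank;
    if (x->groups != y->groups) return y->groups - x->groups;
    return strcmp(x->name, y->name);
}

/* Build the ordered target list from the sample listings; returns its length. */
static int build_target_list(void) {
    ntargets = 0;
    parse_net_group("Domain Admins", DOMAIN_ADMINS);
    parse_net_group("Backup Operators", BACKUP_OPERATORS);
    parse_net_group("Domain Users", DOMAIN_USERS);
    qsort(targets, (size_t)ntargets, sizeof targets[0], by_priority);
    return ntargets;
}

int main(void) {
    int n = build_target_list();
    for (int i = 0; i < n; i++)
        printf("%d  %-20s rank=%d groups=%d\n", i + 1, targets[i].name, targets[i].rank, targets[i].groups);
    return 0;
}
```

Feed it the real `net group` output for every group you can list and the accounts worth a password guess come out on top; `find_or_add` merges the same account across listings, so a name that shows up in both a privileged group and Domain Users is counted once.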


04-5. What is GetAdmin.exe?

GetAdmin.exe is a program written by Konstantin Sobolev. It exploits a subfunction of NtAddAtom that does not validate the caller-supplied address where the output is written, so a user-mode caller can make the kernel write to an address of its choosing. GetAdmin uses that write to add a user to the Administrators group. It works on NT 4.0.
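The bug the paragraph describes is a kernel routine that trusts a caller-supplied output pointer. The C program below is an added example, not GetAdmin's code and not NT's: it models that defect in plain user-mode C with a fake "user" buffer, a fake privileged kernel flag word, and two versions of an add-atom call. The vulnerable version writes wherever the caller points; the hardened version first checks that the destination lies inside user memory, the job ProbeForWrite does in the real kernel. The memory layout, the flag bit and the hash standing in for the atom table are all simulated. One detail is borrowed from NT: string atoms are numbered from 0xC000 upward, so whatever atom comes back has its top two bits set, and a caller who can only aim the write, not choose the value, still flips any flag bit sitting there.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simulated memory: a user-mode buffer and a privileged kernel flag word.
 * (Constructed for this example; nothing here is NT's real layout.) */
#define USER_WORDS 64
static uint16_t user_space[USER_WORDS];
#define FLAG_PRIVILEGED 0x4000u        /* assumed privilege bit in kernel state */
static uint16_t kernel_flags = 0;

/* Stand-in for the atom table: string atoms are numbered from 0xC000 up,
 * so the top two bits of any returned atom are always set. */
static uint16_t make_atom(const char *name) {
    uint16_t h = 0;
    for (; *name; name++) h = (uint16_t)(h * 31u + (unsigned char)*name);
    return (uint16_t)(0xC000u | (h & 0x3FFFu));
}

/* Stand-in for ProbeForWrite(): is [p, p+len) entirely inside user memory?
 * Addresses are compared as integers so the check is well defined even for
 * pointers into unrelated objects. */
static bool probe_for_write(const void *p, size_t len) {
    uintptr_t b = (uintptr_t)p;
    uintptr_t lo = (uintptr_t)user_space;
    uintptr_t hi = lo + sizeof user_space;
    return b >= lo && b < hi && len <= hi - b;
}

/* Vulnerable: the defect the FAQ describes; the output address is trusted. */
static int add_atom_vulnerable(const char *name, uint16_t *out_atom) {
    *out_atom = make_atom(name);   /* writes wherever the caller pointed */
    return 0;
}

/* Hardened: refuse any destination outside user memory before writing. */
static int add_atom_hardened(const char *name, uint16_t *out_atom) {
    if (!probe_for_write(out_atom, sizeof *out_atom))
        return -1;                 /* the real kernel returns STATUS_ACCESS_VIOLATION */
    *out_atom = make_atom(name);
    return 0;
}

/* The attack pattern: aim the output pointer at kernel state and call.
 * Returns true if the privileged bit ended up set. */
static bool attack(int (*add_atom)(const char *, uint16_t *)) {
    kernel_flags = 0;
    (void)add_atom("anything", &kernel_flags);
    return (kernel_flags & FLAG_PRIVILEGED) != 0;
}

/* A well-behaved caller is unaffected by the added check. */
static bool legitimate_call_works(void) {
    user_space[0] = 0;
    return add_atom_hardened("hello", &user_space[0]) == 0 && user_space[0] >= 0xC000;
}

int main(void) {
    printf("unchecked output pointer: privileged bit %s\n",
           attack(add_atom_vulnerable) ? "SET" : "clear");
    printf("probed output pointer:    privileged bit %s\n",
           attack(add_atom_hardened) ? "SET" : "clear");
    printf("legitimate call through hardened path: %s\n",
           legitimate_call_works() ? "ok" : "broken");
    return 0;
}
```

The point of the hardened path is that the check happens before the write and covers the whole width of the object, not just its first byte; a probe that only tests the start address would still let a two-byte atom straddle the end of user memory.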

The easiest way to use it is to copy it to \TEMP (along with its DLL, GASYS.DLL) and run it like so: GETADMIN GUEST (or whatever account you wish to add).

This will add Guest to the Administrators group.

GetAdmin will also add domain accounts when run on a primary domain controller, and even accounts from other domains. Since it is a command-line tool, it works across a telnet session.

There is a post-SP3 hotfix available from Microsoft that defeats GetAdmin once it is installed.

Some type of filtering may be in place to prevent executables from being uploaded or downloaded. To get around it, try renaming the executable with some other extension. For example, START GETADMIN.XXX GUEST will work fine if EXEs are a problem.

