(More) Fun With Novell

Cronicl3  (cronicl3@gmail.com)

I've received a lot of e-mails from people in reference to my article "Fun With Novell" in 23:4, and I figured I'd write up this addendum to it addressing a lot of the common issues and discussing some further exploits.

The most common issue I was asked about is the "software conflict" with Norton AntiVirus.

When you put the PWDUMP2 files on a flash drive or e-mail them to yourself, Norton eats up the files almost immediately.

If you can access MSCONFIG.EXE and REGEDIT, then you can just turn off the auto-protect and so it's no longer an issue; however, Norton does have some defense against this, and most users are locked out of those utilities.

An even simpler and more obvious solution is to just uninstall Norton altogether.

Most institutions use Norton AntiVirus Corporate Edition, which you cannot uninstall without a password.  Fortunately, incompetent admins such as mine don't change the default password, which is: symantec

Another issue commonly encountered was lack of access to the command prompt.  The easiest way to get there is to open up Internet Explorer and put C:\Windows\System32 in the address bar.

Then, CMD.EXE is right there.  However, if this is not an option, you can always put the PWDUMP2 executable and DLL on a flash drive and write a simple little runme.bat batch file with the following code:

pwdump2 > output.txt

This will capture the hashes output by PWDUMP2 to a text file called output.txt, so you can just open up your flash drive, double-click your batch file, and not even have to worry about getting manual command prompt access.

Over the past several months, I've also furthered the depth of my exploits and explored more of their potential.

The PsTools suite, previously owned by Sysinternals and recently bought out by Micro$oft, has some great tools.

For example, PsShutdown and PsExec are awesome little programs that you can use to remotely shut down machines and execute programs.

You can have great fun with this during presentations.

Here's a quick anecdote for you: there was this new teacher that everyone hated because he didn't know any of the material he was supposed to be teaching and acted as more of a police officer in the class rather than a teacher.  He would constantly kick kids out or give them detentions for ridiculous things like checking the weather or their e-mail; one kid even got his computer privileges suspended because he was caught downloading Firefox.  Forgive the kid for not wanting to use Internet Explorer 6, the browser that makes any security professional quake with fear.

Anyway, one day this teacher, with his supervisor present, was making a presentation to the class when, suddenly, two dozen pop-ups of tubgirl.com came onto the screen.  Much laughter (of the students) ensued.

To this day, our "network manager" is baffled by this.  It was all done through the wonders of PsExec, which will remotely execute a program on a target machine.

If necessary, it will also copy a program to the remote machine and then execute it; however, I have not been able to get this feature working correctly.

The other utility, PsShutdown, will remotely log off, restart, or shut down a target machine; you can also provide a list of machines in a separate file.  You can download all of the PsTools and read the guide on the syntax of their use at: learn.microsoft.com/en-us/sysinternals/downloads/pstools

Once again, you can make some nasty automated batch files with this.  Here's a good example with what I like to call the "SuperShutdown".

Make a batch file with the following code:

psshutdown \\* -u username -p password -k -f -n 10 -t 9:00 -v 0

This will effectively shut down every machine in the same Windows domain as you at 9:00 a.m.

The time is specified in 24-hour format.  You'll also need to use an administrator's username and password, which you conveniently got with PWDUMP2 and john if you read my last article, for this to work.

The other parameters are -k to shut down the machine, -f to force any applications running on the machine to close, -n 10 to specify the timeout (in seconds) for connecting to remote machines, since psshutdown won't work on Windows 98, and -v 0 to disable the dialog that appears when the machine is being shut down.

Make sure you don't forget the -v 0; otherwise, a dialog will display on their machine showing that you, from your machine, are running the shutdown!
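From the other side of the fence, here is an added example that is not part of the original article: a small Python triage script that flags the tools named above (PWDUMP2, PsExec, PsShutdown) in process-creation records, and escalates exactly the patterns this article depends on (the \\* wildcard target, -v 0, a password on the command line, and execution from a host that is not an admin workstation).  The log records, host and user names, and the admin_hosts allow-list are all constructed for illustration.

```python
import re

# Constructed sample process-creation records: (host, user, command line).
# These are illustrative, not real logs.
SAMPLE_EVENTS = [
    ("LAB-PC-07", "student12", r"C:\Windows\System32\notepad.exe homework.txt"),
    ("LAB-PC-07", "student12", r"E:\runme.bat"),
    ("LAB-PC-07", "student12", r"E:\pwdump2.exe"),
    ("LAB-PC-03", "jsmith", r"E:\tools\psexec.exe \\LAB-PC-19 -u admin -p Hunter2 -d notepad.exe"),
    ("LAB-PC-03", "jsmith", r"E:\tools\psshutdown.exe \\* -u admin -p Hunter2 -k -f -n 10 -t 9:00 -v 0"),
    ("ADMIN-WS", "netmgr", r"C:\Tools\psshutdown.exe \\LAB-PC-02 -r -t 60"),
]

# The three tools the article relies on: bare name or .exe, at start of line or after a backslash.
TOOL_RE = re.compile(r"(?:^|\\)(pwdump2|psexec|psshutdown)(?:\.exe)?\b", re.IGNORECASE)


def classify(cmdline):
    """Return (tool, severity, reasons) for one command line, or None if no tool appears."""
    m = TOOL_RE.search(cmdline)
    if m is None:
        return None
    tool = m.group(1).lower()
    severity, reasons = "medium", []
    if tool == "pwdump2":
        severity, reasons = "high", ["dumps local password hashes"]
    if tool == "psshutdown" and re.search(r"\\\\\*", cmdline):
        severity = "high"
        reasons.append(r"\\* wildcard: targets every machine in the domain")
    if tool == "psshutdown" and re.search(r"(?<!\S)-v\s+0\b", cmdline):
        reasons.append("-v 0 suppresses the shutdown dialog on the target")
    if tool in ("psexec", "psshutdown") and re.search(r"(?<!\S)-p\s+\S+", cmdline):
        reasons.append("password supplied on the command line (-p)")
    return tool, severity, reasons


def scan(events, admin_hosts=frozenset()):
    """Flag every event running one of the tools; use from outside the admin allow-list is escalated."""
    findings = []
    for host, user, cmdline in events:
        hit = classify(cmdline)
        if hit is None:
            continue
        tool, severity, reasons = hit
        if host not in admin_hosts:  # the allow-list itself is an assumption of this example
            severity = "high"
            reasons = reasons + ["run from a host outside the admin allow-list"]
        findings.append({"host": host, "user": user, "tool": tool,
                         "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS, admin_hosts={"ADMIN-WS"}):
        print(f"{f['severity']:6} {f['host']:10} {f['user']:10} {f['tool']}: {'; '.join(f['reasons'])}")
```

The legitimate restart from ADMIN-WS is still reported, but at medium with no reasons attached, so a reviewer can tell routine admin use from the domain-wide pattern at a glance.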

As always, use your head when playing around with this stuff.  You can play some great pranks with PsShutdown and PsExec, but pay careful attention to the various switches and parameters they have; forgetting or misusing one is an easy way to get yourself caught.

Speaking of getting caught, if you are captured by enemy sysadmins, any knowledge of your existence will be disavowed.
