
rayden5_
Hi all,

Found this forum on Google and must say, nice threads here. Maybe one of you pros can help me. Please excuse my English, but I am German.

I have a little problem getting admin rights on a W2K client/server running IIS. I've got many tutorials dealing with hk.exe, which only works on NT for getting admin rights.

Since I'm on a W2K station here, HK won't help me. So far I exploited the server's Unicode directory traversal bug and uploaded nc.exe first, then switched to iqd.dll (a component of ISPC you have to upload).

ISPC claims to give me admin rights when I connect to my victim, but I'm not sure about it. As soon as I connect I get my cmd shell, so far so good... I can even access the SAM in the repair folder (I don't think I can access it as IUSR_*), so I thought I must have admin/SYSTEM rights.

BUT I can't add a user or change a password with net user... I always get Access Denied, Error 5. Also I can't dump the password hashes with pwdump2.exe, which should be possible with admin rights.

Now I'm wondering if I have admin rights or not. I can't brute-force the SAM, since syskey is installed by default, and I can't dump the hashes, since pwdump won't work (as said above).

If anyone knows what's happening here or knows another way to gain admin rights, pleeeeaaaseee tell me.

Last question: how can I clear the IIS logfiles, since they are used by the system and inaccessible for me?

Big thanks in advance

Ray
GSecur
Well...

***********
Disclaimer, I hope this is your own computer
***********



QUOTE
ISPC claims to give me admin rights when I connect to my victim, but I'm not sure about it. As soon as I connect I get my cmd shell, so far so good... I can even access the SAM in the repair folder (I don't think I can access it as IUSR_*), so I thought I must have admin/SYSTEM rights.


Not if the machine is fully patched.

QUOTE
I don't think I can access it as IUSR_*),


It's possible if they have poor directory rights

QUOTE
Also I can't dump the password hashes with pwdump2.exe


To be honest I have never been able to dump the hashes on a machine that has been configured with syskey.

Do you have access to remote registry editing? If the machine is allowing it you can reset the admin account from inside the registry.

QUOTE
How can I clear the IIS logfiles, since they are used by the system and inaccessible for me


Either delete them from the system32 directory, or do what most people do... flood the box with HTTP requests and hope the logfile dumps after 40 MB.
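Added example, not code from any poster in this thread: a defender-side check that reads IIS W3C log lines and flags the Unicode (and double-encoded) directory traversal requests described in the first post, so that burying them in a flood of ordinary requests does not hide them. The log excerpt is constructed for illustration; the field layout assumes the default IIS 5.0 W3C extended format.

```python
from urllib.parse import unquote_to_bytes

# Constructed IIS 5.0 W3C extended log excerpt (not taken from the thread).
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-03-01 10:15:01 10.0.0.5 GET /index.htm - 200
2002-03-01 10:15:07 10.0.0.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2002-03-01 10:15:09 10.0.0.9 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2002-03-01 10:16:00 10.0.0.7 POST /Contact_Confirm.cfm - 200
"""

# Overlong UTF-8 forms of '/' and '\' that unpatched IIS decoded only after its
# path check had already passed (the MS00-078 Unicode bug).
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}

def normalize_uri(uri: str) -> str:
    """Decode percent-encoding repeatedly (catches double encoding such as %255c)
    and fold overlong slashes, so the check sees the path IIS actually served."""
    raw = uri.encode("latin-1", "replace")
    for _ in range(3):                       # bounded: no endless decode loop
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    for encoded, plain in OVERLONG.items():
        raw = raw.replace(encoded, plain)
    return raw.decode("latin-1").replace("\\", "/").lower()

def check_line(line: str):
    """Return a finding dict for one log line, or None when it looks benign."""
    if line.startswith("#"):                 # directive/header line
        return None
    fields = line.split()
    if len(fields) < 7:
        return None
    client_ip, stem, status = fields[2], fields[4], fields[6]
    path = normalize_uri(stem)
    reasons = []
    if "/../" in path:
        reasons.append("parent-directory traversal after decoding")
    if "cmd.exe" in path:
        reasons.append("cmd.exe reached through the web root")
    if not reasons:
        return None
    return {"ip": client_ip, "stem": stem, "status": status, "reasons": reasons}

def scan_log(text: str) -> list:
    """Scan a whole log; a flood of ordinary requests does not hide the hits."""
    return [hit for hit in map(check_line, text.splitlines()) if hit]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["stem"], "; ".join(hit["reasons"]))
```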
Jay
Doesn't PWDUMP3 work even if syskey is enabled?
rayden5_
Hi GSecur,

Thanks for your reply and help. Unfortunately I can't connect to the registry. But I think you need a valid user account to do so, or? I have a tutorial where I first need to map a drive to the machine with a valid account. Once I have connected this drive I can also connect to the registry (in the tutorial they tell you you need to map the drive because you can't enter a username/password when you connect to the registry. But since you are already connected (the drive in Explorer) the login information will just be forwarded).

About the logfiles:

I don't know how to send 40 MB of HTTP requests in an affordable time, really no idea. Is there some flooding tool around? As for deleting: as I said, I can't delete them, I get access denied. But I'm not sure if they are locked by the system (are they only accessed upon a request, or are they open by the system all the time?) or if I just have insufficient file permissions.

As for my original question: is there any other way to get admin rights? It's kinda disappointing if you managed to break in but then are stuck with too few rights and just missing the final step.

Btw: do you mind if I send you a private email with some questions?

Thanks again for your patience, and I hope you got what I mean (damn English *g*) ;D
Ray
GSecur
QUOTE
But I think you need a valid user account to do so, or?


Believe it or not, you can sometimes connect to the registry anonymously. It's a remote chance, but it is a chance.

QUOTE
I don't know how to send 40 MB of HTTP requests in an affordable time, really no idea. Is there some flooding tool around?


Yep, I use Munga Bunga's Brute forcer. http://www.hackology.com

Then use this definition file modified for the site you wish to flood.
CODE
This definition is SUPPOSED to report "incorrect" every time a submission is made!
' That means the expected response WASN'T received, and hence, it WON'T stop running until it's out of passwords (which is just gibberish).
' Run it off anonymous dialup.
' Author: An anonymous hackology agent.
you for your message.
43huht874htreuhtdjhg
http://www.riaa.com/Contact_Confirm.cfm
&Name=strPassword
&Email=strPassword@strUsernamestrPassword.com
&Subject=strPassword
&message=strPassword napster (strPassword) wins you butt fucks! Adapt to technology, don't expect people to adapt to your cyberphobic primitive asses! Ya relix!


This is the code that was used to flood the RIAA website. They used it as a DoS tool; in this case you are just using it to flood the logfiles. Even if the logs don't get dumped, they will most likely just think they were hit with a DDoS attack and forget to look at other entries.

QUOTE
As I said, I can't delete them, I get access denied. But I'm not sure if they are locked by the system (are they only accessed upon a request, or are they open by the system all the time?) or if I just have insufficient file permissions


Sorry, didn't see you couldn't delete them; you probably just don't have sufficient permissions.

QUOTE
Btw: do you mind if I send you a private email with some questions?

Sure, I can try to help

QUOTE
Jay wrote:
Doesn't PWDUMP3 work even if syskey is enabled?


I believe it is supposed to but I have never been successful.
Jay
Ignore my last post, just realized that you didn't have admin rights.
beardednose
Have you ever noticed that when an admin comes to your machine, maps a drive with his admin account, and then disconnects it (without logging off), you can then re-map the drive with his admin credentials (no account or password is requested)?

So when you admins are out running around on user machines, always log off and use your own account. If you do the above instead, log the user off (which is almost the same as logging in as admin in the first place, and more secure--sure, it leaves creds in the registry, but most users won't try that, while it's more likely that they will try the re-map).

I don't think this works with "run as" in w2k or xp, just mapping drives.
ThrillKill
Was going through the posts. I know that pwdump3 doesn't work with syskey all the time, but as for pwdump2 you can try this:

pwdump2 >> hash.txt or
pwdump2 > hash.txt

This would put the password in the txt file rather than displaying it in the DOS prompt.

Try checking net share; if the shares aren't there, e.g. ADMIN$, then I think that is a problem as well. You could put it back on; at times it works:

net share ADMIN$

Hope it helps
Ph03n1xPr0j3c7
I did a demo of hacking an IIS 5.0 web server for extra credit in my Network Security class in college, and hk.exe did not work for me.

I used pipeup.exe which I think is also PipeUpAdmin.exe by Maceo.
Windows 2000 uses predictable named pipe names for controlling services. Any user process can create a named pipe with the next name and force a service to connect to the pipe. Once connected, the user process can impersonate the service, which in most cases runs in the SYSTEM account.

It took several tries but PipeUpAdmin.exe worked for me.

I also used netddemsg.exe and it worked as well.

Hope this helps.
Ph03n1xPr0j3c7
I just found this through Google.

HTTPODBC.DLL

http://home.scarlet.be/~mm898196/

This site gives some info on hacking an IIS.

I haven't tried this method yet. It looks promising.
Invision Power Board © 2001-2005 Invision Power Services, Inc.