pen-test
add a local admin user without a pop-up ?

To: pen-test@securityfocus.com
Subject: add a local admin user without a pop-up ?
From: me <deros68@yahoo.com>
Date: Fri, 1 Dec 2006 15:44:09 -0800 (PST)
We are conducting a pen test that allows social
engineering emails sent out that may allow us to take
over the user who opens one of them.  I created an
email hack but am now wondering how to add a local
admin user WITHOUT HAVING A DOS PROMPT POP UP WHEN THE
EMAIL IS OPENED.

I cannot transport any files (of any sort - no wscript
file or vbs or any file!!) to the victim and I am
limited to the native XP commands and processes that
are on the victim machine.  If I catch a victim (catch
& release) I will be able to reach the victim machine
with native XP means (net use - nc to ports etc..). 
The victim then gets scolded about opening
inappropriate emails...
The victim is almost always an administrator or power
user so almost any command or process can be used.  I
tried many/many variants of invoking the "Cmd.exe"
shell but so far it always creates a momentary DOS
screen pop-up.   

I tried many variants similar to those below:

CMD.EXE /Q /C net user testx password /add
or
start /B /wait cmd /Q /C c:\windows\system32\net.exe user testx password /add

Pop-ups in either case.

I have used rundll32.exe in the past to avoid pop-ups
(in most cases) so I tried:

rundll32.exe netapi32.dll,NetUserAdd (%COMPUTERNAME%,1,(NEWUSER,PASSWORD),0)

I tried many variants of the above but I always get a
pop up "An Exception occurred while trying to run
netapi32.dll.."

OK

I plugged netapi32.dll into Olly and saw the dll entry
NetUserAdd takes 4 parms -but the 3rd parm
is a LBYTE pointer to the input buffer.  I wonder if
rundll32.exe can construct such a pointer for me?  

Using only the programs and API calls available from
what is essentially an XP DOS shell - does anyone have
a better way to do this without creating a DOS pop-up?

I have already figured out how to write the "net user
Username PSWD /add" & "net localgroup administrators
Username /add" cmds to the registry (the run key) -
without creating a pop-up! (Silently..)

However, the problem with the above is that it
requires a logon/logoff or re-boot to occur before the
user is added. Thus my quest for a silent (no pop-up)
but immediate means to do this.  

Since the email interface can call a winapi - I may
have to try to call netapi32.dll/NetUserAdd - I hope
that I do not have to do that - the test may be over -
before I can decipher the correct syntax between my
email system and the STDCALL Winapi.

Thanks
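From the defensive side, the two footholds described in this post (a "net user ... /add" / "net localgroup administrators ... /add" command parked in the registry Run key, and a local account quietly joining the Administrators group) are both cheap to audit. The PowerShell below is an added example written for this page, not code from the poster or the list; it assumes it runs on the examined Windows host with rights to read HKLM, that the `net` command is present (it is on every Windows build since XP), and that the `$approvedAdmins` baseline is a constructed placeholder you replace with the host's real approved membership.

```powershell
# Added example (not from the original post): audit the Run/RunOnce keys for
# command lines that create accounts or change the local Administrators group,
# then diff the current Administrators membership against an approved baseline.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Regexes for the two commands named in the post plus the rundll32/netapi32 variant.
$suspiciousPatterns = @(
    'net(1)?(\.exe)?\s+user\s+\S+\s+\S+\s+/add',
    'net(1)?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add',
    'rundll32(\.exe)?\s+netapi32\.dll'
)

function Get-SuspiciousRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/etc.; they are not registry values.
            if ($p.Name -like 'PS*') { continue }
            $value = [string]$p.Value
            foreach ($pattern in $suspiciousPatterns) {
                if ($value -imatch $pattern) {
                    [PSCustomObject]@{
                        Key     = $key
                        Name    = $p.Name
                        Command = $value
                        Pattern = $pattern
                    }
                    break
                }
            }
        }
    }
}

function Get-LocalAdministrators {
    # Parse "net localgroup administrators": members sit between the dashed
    # separator line and the "completed successfully" trailer.
    $lines = net localgroup administrators 2>$null
    $inList = $false
    foreach ($line in $lines) {
        if ($line -match '^-{10,}') { $inList = $true; continue }
        if ($line -match 'completed successfully') { break }
        if ($inList -and $line.Trim()) { $line.Trim() }
    }
}

# Constructed baseline for illustration; replace with the host's approved list.
# Domain groups appear as DOMAIN\Name in the net output, so list them that way.
$approvedAdmins = @('Administrator', 'CORP\Domain Admins')

"== Run-key entries that create users or touch Administrators =="
Get-SuspiciousRunEntries | Format-Table -AutoSize

"== Administrators members not in the approved baseline =="
Get-LocalAdministrators |
    Where-Object { $approvedAdmins -notcontains $_ } |
    ForEach-Object { "UNEXPECTED: $_" }
```

Run it from an elevated prompt so HKLM and the group listing are readable. The Run-key scan only catches the exact persistence style the post describes; pair it with Security log events for account creation and group membership changes if the host audits those, since an immediate API call of the kind the poster is hunting for leaves no Run-key trace at all.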