[THIN] Re: Way OT but hey... i want to kill 2k server

  • From: "Ziots, Edward" <EZiots@xxxxxxxxxxxx>
  • To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
  • Date: Fri, 21 Feb 2003 10:29:02 -0500

If you know the IP address and host name do the following.

nbtstat -A IP address

Get the computer's MAC address.

If you are using Cisco switches, then basically do a MAC search on the switch the person is connected to, find the port and disable it, after you have sent one of your network folks out to identify the switch port and jack interface this machine is being connected from, then trace it back to the offending station. (I pray you have this well documented.)

Once you find the system, kill the port. Watch their horror, and then proceed to have your manager talk with this individual at length about putting unauthorized systems on the network. After that, if it happens again, fire him/her/it.

The best way to stop this is to set only one MAC per port, and if that MAC changes, the port basically gets disabled. Also, all unused ports should be disabled by default.

Another way of going about this is the following.

1) See if the user has a null share vulnerability (didn't set RestrictAnonymous=2 in Local GPO) and net use \\servername\IPC$ "" /user:""

2) Then do a sid2user and user2sid against the machine to find out the true administrator account; it will have a RID of 500.

3) After this, use pwdump3e to dump the hash if possible, import this hash into LC4 with your favorite password list, and crack the admin password.
Then use cusrmgr.exe to change the local administrator username and password on this machine to what you know.

4) After that, map a drive to C:\winnt\system32 and copy up shutdown.exe and netcat. (Have netcat run from a batch file in the startup folder, so that it shovels a shell back to your workstation the next time the person reboots the machine. Also a regedit file that puts a logo at login that this is an unauthorized server on the network and that someone from IT will be contacting you soon about the issue.)

I think after you got the password from the machine and changed it, then you basically got them dead to rights.

Also, before you go doing any of this type of stuff, make sure you have authority from your CTO, your manager and your security officer in writing, or it might be you that is getting fired 10 secs after you start some of this stuff.

EZ

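As an added example (not part of either message): a Python helper for the "nbtstat, then MAC search on the switch" step above, which pulls the MAC address out of `nbtstat -A` output and looks it up in a Cisco `show mac address-table` listing to name the VLAN and port the unknown host was learned on. The `nbtstat` and switch output below are constructed samples, and the host name, MAC addresses and port names in them are assumptions.

```python
import re
from typing import Optional, Tuple

# Constructed sample output of `nbtstat -A 10.1.2.3` (not a real capture).
NBTSTAT_OUTPUT = """
Node IpAddress: [10.1.2.3] Scope Id: []
       Name               Type         Status
    ROGUE-SRV      <00>  UNIQUE      Registered
    ROGUE-SRV      <20>  UNIQUE      Registered
    MAC Address = 00-0C-29-AB-CD-EF
"""

# Constructed sample of `show mac address-table` from a Cisco IOS switch.
MAC_TABLE_OUTPUT = """
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    000c.29ab.cdef    DYNAMIC     Fa0/17
  10    0011.2233.4455    DYNAMIC     Fa0/3
  20    00aa.bbcc.ddee    DYNAMIC     Gi0/1
"""

def normalize_mac(mac: str) -> str:
    """Reduce any MAC notation (00-0C-.., 00:0c:.., 000c.29ab..) to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def mac_from_nbtstat(output: str) -> str:
    """Pull the 'MAC Address = xx-xx-xx-xx-xx-xx' line out of nbtstat -A output."""
    m = re.search(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})", output)
    if not m:
        raise ValueError("no MAC in nbtstat output; the host is not answering NetBIOS")
    return normalize_mac(m.group(1))

def port_for_mac(mac: str, table: str) -> Optional[Tuple[str, str]]:
    """Return (vlan, port) for a MAC from show mac address-table output, or None."""
    want = normalize_mac(mac)
    for line in table.splitlines():
        m = re.match(r"\s*(\d+)\s+([0-9a-fA-F.]+)\s+\w+\s+(\S+)\s*$", line)
        if m and normalize_mac(m.group(2)) == want:
            return m.group(1), m.group(3)  # if this port is an uplink, repeat on the next switch
    return None

def locate_host(nbt_output: str, table: str) -> Tuple[str, Optional[Tuple[str, str]]]:
    """Chain the two steps: MAC from nbtstat, then the switch port that learned it."""
    mac = mac_from_nbtstat(nbt_output)
    return mac, port_for_mac(mac, table)
```

When the port returned is a trunk to another switch, the MAC was learned through that uplink and the lookup has to be repeated on the downstream switch until it lands on an access port.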

-----Original Message-----
From: Kristof.DeMey@xxxxxxxxxxxxxx [mailto:Kristof.DeMey@xxxxxxxxxxxxxx]
Sent: Friday, February 21, 2003 3:05 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Way OT but hey... i want to kill 2k server


Hi group

I have a rather funny issue here...
Someone has implemented a server in the network here but we can't find it :)
He is using a range reserved for our trading people and they want to bring the
server down to be able to use the IP it has in use.. There is also a SLAMMER
VULNERABLE sql server installed and that's also a reason to take it out.

We have only: IP Address and Hostname,
No login info, he's not added to a domain, nobody seems to be aware of the
machine,
No dns record in the dns server..

I've sent mails to all IT personnel (about 400) and nobody knows about the
machine.
So I am DYING to kill it remote.

We tried spamming it with a telnet on port 19 (rdm text generator) but the
simple tcp ip services are disabled
I tried the SMB die vulnerability but he is NOT vulnerable.

Anyone any idea? I tried remote registry stuff and all but nothing seems to
work.
We are slowing it down by issuing huge ping requests but until now nobody
is complaining so still no luck :)

Anyone?

Thx in advance....

Any tip to slow the bugger down is also very welcome!
That way we can trigger the "server installer" to call the networking
department and then we got him :)

Kind regards - Best regards,

Kristof De Mey

Electrabel IT-Services - Infrastructure Services
Service Operations - Exploitation NT & Mailing Systems

Werhuizenkaai 16 - Q015 - 1000 Brussel
Tel intern: 80.3387 - Tel: 00-32-2-206 33 87
Fax intern: 80.3427 - Fax: 00-32-2-206 34 27

*********************************************************
This Week's Sponsor - Neoware
Now through March 31, 2003
Neoware is offering a Capio 500/Eon Proven 2100
for $299! Click the link below:
http://www.neoware.com/promocp4a/thinnetban.html
**********************************************************

For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm