Windows NT Desktop

Hi All,
I was wondering if anyone could help me with the following

Background

There are a couple of PCs (Windows NT) which are part of a domain (say XYZ). For the users of this domain the USB, CD drive etc. are disabled. The command prompt, RUN option, Registry and BIOS are also disabled. Also the admin has done the hardening at desktop level and not at domain level.
The PCs have access to an application on a remote server via HTML login. All the processing is done online and nothing is stored locally.

Objective and ethical test that needs to be done

I want to get local admin rights or somehow change the privilege levels to enable USB or Floppy drive. The other option is if I could access other domains thru this one.

It would be nice if someone could suggest a methodology or approach

RE: Windows NT Desktop

You've got to be WAY more specific. Do you really mean NT? As in "NT?" What do you mean "Registry and BIOS are disabled?" Exactly how have they disabled the USB, CD and floppy? When you say "the other option is to access other domains thru this one," what does that mean? And what is your goal - just to get local admin? If all the processing is "online and nothing is stored locally" what difference does it make if you get admin and enable USB?

There are a million ways to "get admin" on an NT box, or any box for that matter if you're sitting in front of it. There are many people on this list who can help, but if you want to get any value out of a post, you've got to be clear about what you want.

All that being said, the first thing I would suggest is to hire a professional pen-tester unless you are just doing this for fun.

t

> -----Original Message-----
> From: listbounce@...
> [mailto:listbounce@...] On Behalf Of sisram2@...
> Sent: Thursday, November 22, 2007 5:32 AM
> To: focus-ms@...
> Subject: Windows NT Desktop
>
> Hi All,
> I was wondering if anyone could help me with the following
>
> Background
>
> There are a couple of PCs (Windows NT) which are part of a domain (say
> XYZ). For the users of this domain the USB, CD drive etc. are
> The command prompt, RUN option, Registry and BIOS are also disabled.
> Also the admin has done the hardening at desktop level and not at
> domain level
> The PCs have access to an application on a remote server via HTML login.
> All the processing is done online and nothing is stored locally
>
>
> Objective and ethical test that needs to be done
>
> I want to get local admin rights or somehow change the privilege levels
> to enable USB or Floppy drive. The other option is if I could access
> other domains thru this one.
>
> It would be nice if someone could suggest a methodology or approach

RE: Windows NT Desktop

This is not a mailing list where we tell you how to hack. If you want to hang out with hackers, go play with IRC.

Notwithstanding, Windows NT does not support USB devices, so unless the BIOS supports booting from USB and that is switched on in the BIOS, you are stuck there. If the admin has done his job properly and you cannot introduce an external device, then you are left with the old physical attack of popping the top and introducing a second internal hard drive with your own OS on it.

Windows NT suffered from hundreds of attack vectors, but you don't provide enough information to suggest a good one. If you can boot from USB then a bootable USB/CD/floppy drive is all you need to introduce anything you like in the way of rootkits or straight password reset/hack tools. However, if the admin is any good, he will have locked down the BIOS properly (as you suggest), will detect your attempts to add yourself to the local admins group or create local users and will have a way of automatically resetting group memberships and changing the local admins account password often enough that you can't keep up in your attempts to hack it. Given time, skills and physical access to a machine, it is only possible to truly keep out a would-be hacker with total drive encryption and intelligent network quarantining.

A technique I once used years ago involved an early version of L0phtcrack with a built-in hash sniffer. The sniffer was run on a laptop (configured in a workgroup of the same name as the domain) and waited for the SMS server to try and install the client app, whereupon the password hash of the SMSAdmin account was captured and cracked offline. That provided a domain admin account that allowed me to elevate to localsystem with the AT job hack and from there clear the policies out of the registry and do what I liked locally or anywhere on the domain. It's an old technique and unlikely to work these days, but it's enough to get you thinking on the right lines.

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of sisram2@...
Sent: 22 November 2007 13:32
To: focus-ms@...
Subject: Windows NT Desktop

Hi All,
I was wondering if anyone could help me with the following

Background

There are a couple of PCs (Windows NT) which are part of a domain (say XYZ). For the users of this domain the USB, CD drive etc. are disabled. The command prompt, RUN option, Registry and BIOS are also disabled. Also the admin has done the hardening at desktop level and not at domain level.
The PCs have access to an application on a remote server via HTML login. All the processing is done online and nothing is stored locally.

Objective and ethical test that needs to be done

I want to get local admin rights or somehow change the privilege levels to enable USB or Floppy drive. The other option is if I could access other domains thru this one.

It would be nice if someone could suggest a methodology or approach
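
The last reply describes an admin who detects additions to the local admins group or new local users and automatically resets group memberships. As an added example (not from the thread or any of its posters), the Python below flags such changes in constructed Security-log records and computes the membership reset; the account names, baseline, approved-creator list and record layout are assumptions, and the event IDs are the Windows ones for account creation (624 pre-Vista, 4720 later) and local-group member added (636 pre-Vista, 4732 later).

```python
# Added example: audit local Administrators changes against an approved baseline.
# All records and names below are constructed for illustration.
ADD_TO_LOCAL_GROUP = {636, 4732}   # member added to a security-enabled local group
ACCOUNT_CREATED = {624, 4720}      # user account created

BASELINE_ADMINS = {"XYZ\\Domain Admins", "DESK01\\Administrator"}  # assumed approved set

# Shaped like rows exported from the Security log, with SIDs already resolved to names.
SAMPLE_EVENTS = [
    {"id": 4732, "group": "Administrators", "member": "XYZ\\Domain Admins", "actor": "XYZ\\deploy"},
    {"id": 4720, "group": None, "member": "DESK01\\helper", "actor": "DESK01\\user7"},
    {"id": 4732, "group": "Administrators", "member": "DESK01\\helper", "actor": "DESK01\\user7"},
    {"id": 636, "group": "Administrators", "member": "DESK01\\USER7", "actor": "NT AUTHORITY\\SYSTEM"},
    {"id": 4732, "group": "Users", "member": "DESK01\\helper", "actor": "DESK01\\user7"},
]

def _norm(name):
    # Windows account names compare case-insensitively.
    return name.casefold()

def find_unapproved_changes(events, baseline, approved_creators=()):
    """Return (kind, account, actor) for admin-group adds outside the baseline
    and for account creations by anyone not on the approved-creator list."""
    base = {_norm(n) for n in baseline}
    creators = {_norm(n) for n in approved_creators}
    findings = []
    for ev in events:
        if ev["id"] in ADD_TO_LOCAL_GROUP and _norm(ev["group"] or "") == "administrators":
            if _norm(ev["member"]) not in base:
                findings.append(("admin-add", ev["member"], ev["actor"]))
        elif ev["id"] in ACCOUNT_CREATED and _norm(ev["actor"]) not in creators:
            findings.append(("account-created", ev["member"], ev["actor"]))
    return findings

def reconcile(current_members, baseline):
    """Return (to_remove, to_restore) that brings the group back to the baseline."""
    cur = {_norm(n): n for n in current_members}
    base = {_norm(n): n for n in baseline}
    to_remove = sorted(cur[k] for k in cur.keys() - base.keys())
    to_restore = sorted(base[k] for k in base.keys() - cur.keys())
    return to_remove, to_restore

if __name__ == "__main__":
    for finding in find_unapproved_changes(SAMPLE_EVENTS, BASELINE_ADMINS, ["XYZ\\deploy"]):
        print(finding)
    print(reconcile(["DESK01\\administrator", "DESK01\\helper"], BASELINE_ADMINS))
```

Running the reset on a schedule and alerting on every finding gives both halves of the control the reply describes: the change is noticed and it does not persist.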