
omas.jakobsson at corren
Aug 21, 2001, 12:04 AM
Post #2 of 2
Hi there!

Regarding PCA 9.0. I too had that problem, just use PCA 9.2 instead, PCA 9.0 is not to be installed on a Windows 2000 machine at all, as you said, it crashes when the service is starting up, you can, however, back up to a previous config by pressing F8 at startup, then start your system and uninstall PCA 9.0. Seemed to work ok for me.

Regards.
/Omas Jakobsson

H D Moore wrote:
>
> Hi everyone,
>
> I need help testing whether a new plugin I am writing works. It tries to if a
> PCAnywhere host has a password set, I put it all together from itraffic dump,
> so I don't know how well it works on anything but a single system. If you
> have a PC Anywhere system somewhere on your network and the permission to run
> assessment tools on it, can you please do the following:
>
> 1. Take the code at the end of this email and paste it into a file.
> 2. Set up PCAnywhere to do No Caller Authentication
> 3. Run nasl /path/to/plugin.nasl -t <host> and make sure it comes back as
> vulnerable.
> 4. Change PCAnywhere to Windows Auth
> 5. Run plugin, report which Exit Level it stops at and the PCA version (or
> that it screwed up and false positived)
> 6. Change PCAnywhere to PCA Auth
> 7. Run plugin, report exit level.
>
> I would really appreciate a tcpdump-style log of the network traffic but I
> would understand if it's not feasible. Thanks in advance!
>
> H D Moore
> http://www.digitaldefense.net - work
> http://www.digitaloffense.net - play
>
> --- cut here ---
>
> # this code needs some real testing, the box I was using
> # went down hard and I have to reinstall. to anyone using
> # vmware with win2k advanced server, don't install PCA 9.0!
>
> # the plugin code didn't crash it, starting the service after rebooting did
>
> #
> # The script code starts here
> #
>
> cl[0] = raw_string (0x00, 0x00, 0x00, 0x00);
> sv[0] = "ter...";
>
> cl[1] = raw_string (0x6f, 0x06, 0xff);
> sv[1] = raw_string (0x1b, 0x61);
>
> cl[2] = raw_string (0x6f, 0x61, 0x00, 0x09, 0x00, 0xfe, 0x00,
>                     0x00, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00);
> sv[2] = raw_string (0x1b, 0x62);
>
> cl[3] = raw_string (0x6f, 0x62, 0x01, 0x02, 0x00, 0x00, 0x00);
> sv[3] = raw_string (0x65, 0x6e);
>
> # 0x20 = client name (actual first last name) / 0x41 = clients host name
> cl[4] = raw_string(0x6f, 0x49, 0x00, 0x4c, 0x20, 0x20, 0x20, 0x20,
>                    0x20, 0x20, 0x20, 0x20, 0x20, 0x00, 0x00, 0x00,
>                    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
>                    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
>                    0x00, 0x00, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
>                    0x00, 0x00, 0x09, 0xff, 0x05, 0x00, 0x00, 0x00,
>                    0x60, 0x24, 0x00, 0x09, 0x00, 0x00, 0x00, 0x06,
>                    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
>                    0x41, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
>                    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
>                    0x31);
> sv[4] = raw_string(0x1b, 0x16);
>
> cl[5] = raw_string(0x6f, 0x73, 0x02, 0x01, 0x00, 0x02);
> sv[5] = "Service Pack";
>
> port = 5631;
> if(!get_port_state(port)) exit(0);
>
> soc = open_sock_tcp(port);
> if(!soc) exit(0);
>
> for(d=0;cl[d];d=d+1)
> {
>   display(":: entering negotiation level ", d, "\n");
>   send(socket:soc, data:cl[d]);
>   r = recv(socket:soc, length:4096);
>   if (! sv[d] >< r)
>   {
>     close(soc);
>     display("exiting at level ", d, "\n");
>     exit(0);
>   }
> }
> display("vulnerable!\n");
>
> ----------------