local admin to network admin?


Post by Supfresh on Thu Nov 11, 2010 3:51 pm

Ok so here's the situation. Say there's a public network of shared computers. Each computer can log in locally on that machine or on the AD domain, accounts being separate for each, obviously.

The network:
On the network you can either log in as a guest or with your username/password. Let's say you log into the guest account, which logs you into an AD account unique for that computer (computername.AD). Very limited access: can't view any folders except (c:\docs and sets\desktop), can't use any programs except those with shortcuts on the desktop, and cmd.exe is not on the desktop. So after logging in and realising that they have disabled cmd.exe you try a batch file and realise that they haven't disabled the creation/use of batch files. More importantly, however, you discover that the net user command is fully functional. What I mean is you can use it on a LIMITED account to create an ADMIN account locally on the computer.

rem create a new local account; the * prompts for the password instead of putting it on the command line
net user Supfresh /add *
rem add that account to the local Administrators group (group name was misspelled in the original)
net localgroup administrators Supfresh /add
pause

You can also use it to modify the default admin account's password.

You log out and log in with your new admin account and have full access to the local computer, everything from system files to the software that restores the saved image on shutdown (prevents permanent installation of programs).

Question: is it possible to gain a network admin account on the AD domain using a local admin account?
My thoughts so far: use a packet sniffer to scan for admin logon info? Use that to log in and create a new account. Data most likely isn't encrypted; possible but unlikely. How exactly do packet sniffers work? Can I use one without network admin status? Also, how likely would it be that they would have some sort of detection against network scanning software?
Pretty new at this so no idea if it would work, and for the record I have no intention of actually hacking a network. This is purely academic; in this case the payoff would be mild amusement whereas the consequences would be significantly more severe, so definitely not worth it.
Last edited by Supfresh on Thu Nov 11, 2010 6:42 pm, edited 1 time in total.

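The pattern in the post above (a limited account creating a local user, adding it to Administrators, or resetting the built-in Administrator password) is visible in the Windows Security log as events 4720, 4732 and 4724. The following detector is an added example, not code from the thread; the event field layout, account names and timestamps are constructed sample data.

```python
"""Correlate Windows Security events 4720 (account created), 4732 (member added to a
security-enabled local group) and 4724 (password reset) to flag the local-admin
creation pattern described above. Events below are constructed sample data."""
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event id, subject account, target account, group)
SAMPLE_EVENTS = [
    ("2010-11-11 15:40:02", 4720, "LIB-PC07.AD", "Supfresh", None),
    ("2010-11-11 15:40:05", 4732, "LIB-PC07.AD", "Supfresh", "Administrators"),
    ("2010-11-11 15:47:30", 4724, "LIB-PC07.AD", "Administrator", None),
    ("2010-11-11 15:52:10", 4720, "helpdesk.admin", "tempuser", None),
    ("2010-11-12 09:01:00", 4732, "helpdesk.admin", "tempuser", "Remote Desktop Users"),
]

ADMIN_GROUPS = {"Administrators"}
WINDOW = timedelta(minutes=10)   # creation and admin-group add this close together is suspicious


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_self_made_admins(events, window=WINDOW, admin_groups=ADMIN_GROUPS):
    """Return (subject, new_account, group) for every account added to an admin group
    within `window` of being created; the subject is the account that ran the commands."""
    created = {}   # target account -> (creation time, subject that created it)
    hits = []
    for ts, event_id, subject, target, group in sorted(events, key=lambda e: e[0]):
        t = _parse(ts)
        if event_id == 4720:
            created[target] = (t, subject)
        elif event_id == 4732 and group in admin_groups and target in created:
            t_created, creator = created[target]
            if t - t_created <= window:
                hits.append((creator, target, group))
    return hits


def find_builtin_admin_resets(events, builtin_admin="Administrator"):
    """Return (timestamp, subject) for every password reset (4724) of the built-in
    Administrator account; on a shared public PC no ordinary user should be doing this."""
    return [(ts, subject) for ts, event_id, subject, target, _ in events
            if event_id == 4724 and target == builtin_admin]


if __name__ == "__main__":
    for hit in find_self_made_admins(SAMPLE_EVENTS):
        print("new local admin created:", hit)
    for hit in find_builtin_admin_resets(SAMPLE_EVENTS):
        print("built-in Administrator password reset:", hit)
```

The helpdesk case is deliberately not flagged: the account was added to a non-admin group, hours later, by an administrative subject.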

Re: local admin to network admin?

Post by insomaniacal on Thu Nov 11, 2010 5:44 pm

I don't have much time on my hands, but yes, you'd probably be looking to sniff packets in this case.

Look into ARP poisoning. Basically, you are tricking the other computers on the network into thinking you are the router. They send you the packets, you save them, and then send it on to the actual router, so nothing appears amiss to the other users.

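From the defender's side, the ARP poisoning insomaniacal describes leaves two traces: the gateway IP suddenly resolves to a different MAC, and one MAC ends up claiming several IPs. The detector below is an added example, not from the thread; the gateway address, the "known good" gateway MAC and the ARP replies are constructed sample data.

```python
"""Flag ARP poisoning from a stream of observed ARP replies: (a) an IP whose MAC
changes from what was last seen, (b) one MAC claiming more than one IP.
All addresses below are constructed sample data, not a real capture."""
from collections import defaultdict

GATEWAY_IP = "10.0.0.1"                   # assumed gateway for the sample LAN
KNOWN_GATEWAY_MAC = "00:11:22:33:44:55"   # assumed baseline recorded while the LAN was healthy

# Constructed ARP replies: (seconds since start, sender IP, sender MAC)
SAMPLE_ARP_REPLIES = [
    (0.0, "10.0.0.1", "00:11:22:33:44:55"),
    (1.2, "10.0.0.23", "aa:bb:cc:dd:ee:01"),
    (2.5, "10.0.0.1", "aa:bb:cc:dd:ee:99"),   # gateway IP now answered by a new MAC
    (2.6, "10.0.0.23", "aa:bb:cc:dd:ee:99"),  # same MAC also claims the victim's IP
    (3.0, "10.0.0.1", "aa:bb:cc:dd:ee:99"),   # repeat: no new alert
]


def detect_arp_spoof(replies, gateway_ip=GATEWAY_IP, known_gateway_mac=KNOWN_GATEWAY_MAC):
    """Return alert tuples in the order they fire. Seeding ip_to_mac with the known
    gateway MAC is what lets the first spoofed gateway reply be caught."""
    ip_to_mac = {gateway_ip: known_gateway_mac.lower()}
    mac_to_ips = defaultdict(set)
    alerts = []
    for t, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(("ip_mac_changed", t, ip, previous, mac))
        ip_to_mac[ip] = mac
        is_new_claim = ip not in mac_to_ips[mac]
        mac_to_ips[mac].add(ip)
        # alert only when this MAC first grows to a second IP, not on every repeat
        if is_new_claim and len(mac_to_ips[mac]) > 1:
            alerts.append(("mac_claims_multiple_ips", t, mac, sorted(mac_to_ips[mac])))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_ARP_REPLIES):
        print(alert)
```

Legitimate events such as a replaced gateway NIC or a DHCP lease moving between hosts also trigger the first rule, so the baseline MAC needs to be refreshed when the network is changed on purpose.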

Re: local admin to network admin?

Post by Supfresh on Thu Nov 11, 2010 7:02 pm

insomaniacal wrote: I don't have much time on my hands, but yes, you'd probably be looking to sniff packets in this case.

Look into ARP poisoning. Basically, you are tricking the other computers on the network into thinking you are the router. They send you the packets, you save them, and then send it on to the actual router, so nothing appears amiss to the other users.


Thanks for the reply,
just wiki'd it, interesting stuff, I'll have to give it more of a look later, if I ever get around to finishing this lab report I'm working on :(.

A few follow-up questions / some info I forgot to mention last time. On top of logging on to these public machines, users also have the ability to use their own laptop, both wirelessly or wired. The difference is when using a laptop the user must log in with their username and password to access the internet. So the batch file exploit lets the user have complete anonymity.

So with that being said, would it be safe to assume that a network like this does have a method for catching network intrusion? Or would spoofing the MAC address to the gateway fool even that? Extending on this train of thought, if an intrusion is detected would it be linked to the username/password on the account? Or the computer name? (Would spoofing the MAC address also cover the original identity of the machine?)
Although I guess those last two are irrelevant since the account is completely anonymous and I suppose the computer name / other methods of identification could be changed.

-- Thu Nov 11, 2010 8:51 pm --

So giving this some more thought (this report is never getting done :cry: ):

The network already implements ARP routing to force users not on the public computers to log in. Would it be possible to redirect users to the compromised computer where a fake webpage (somewhat like a phishing page I guess) would record the data, store it (like an Excel file of userid/pswrd), then return an "incorrect username/pswrd" message, and on a subsequent attempt the user would be routed back to the standard login page? Or would this be significantly more complicated than just stealing/analysing packets with a program like Wireshark/WinDump? Also, distinguishing between admin and standard user accounts is very easy on this network: standard users begin with numbers, admins do not.


Re: local admin to network admin?

Post by tremor77 on Fri Nov 12, 2010 2:51 pm

See if any of these are available to you:
\\ADServerName\NETLOGON
\\ADServerName\SYSVOL
\\ADServerName\Users (Just for giggles, I like to see what people are saving in their my documents folders)

The NETLOGON folder could be especially helpful, many admins will use batch or vbscripts to run some logon scripts for network users. If one were able to edit these, it could prove to be quite useful.

Also, is there an Exchange server? Is the AD 2003 or 2008 and is it SBS? And is there a default companyweb? There could be hours of fun prying to see what the admins have left unguarded thinking a login policy has their asses covered. Really depends on the competency.


Re: local admin to network admin?

Post by Supfresh on Fri Nov 12, 2010 9:52 pm

tremor77 wrote: See if any of these are available to you:
\\ADServerName\NETLOGON
\\ADServerName\SYSVOL
\\ADServerName\Users (Just for giggles, I like to see what people are saving in their my documents folders)

The NETLOGON folder could be especially helpful, many admins will use batch or vbscripts to run some logon scripts for network users. If one were able to edit these, it could prove to be quite useful.

Also, is there an Exchange server? Is the AD 2003 or 2008 and is it SBS? And is there a default companyweb? There could be hours of fun prying to see what the admins have left unguarded thinking a login policy has their asses covered. Really depends on the competency.


No, can't access the domain controller or any commands with a local account, already tried :(. And I'm not sure; I'm assuming there is an Exchange server somewhere on campus, but this LAN doesn't have access to it as far as I know, though I could be wrong. And definitely not running SBS, this is a university network and the computers in question are on the public library LAN, probably a few hundred PCs split between 4 libraries; computers would be in the thousands and accounts would be in the tens of thousands over the whole domain. There are also multiple AD domains; this is the main one for public access. Not sure if it's 2003 or 2008, but probably 2008 since they try to keep everything up to date and this school definitely isn't afraid of throwing money around.

To be honest I don't think this:
"thinking a login policy has their asses covered." is the case. More likely they know about this exploit. For starters, isn't the default option in Windows that users can't make admin accounts? My guess is they have created it in case something goes wrong / people hack into the admin account and they need a "backdoor" way to fix it. More likely than not they just assumed no one would try, or don't care if they do. The other networks, for example the applied science one (my faculty), are far more secure and you can't create accounts on them this easily.