CVE-1999-0504 - Unspecified vulnerability in Microsoft Windows 2000 and Windows NT
CVSS metric | Value |
---|---|
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | PARTIAL |
Integrity impact | PARTIAL |
Availability impact | PARTIAL |

Summary
A Windows NT local user or administrator account has a default, null, blank, or missing password.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | | 2 |
Exploit-Db
Field | Value |
---|---|
description | Microsoft Windows Authenticated User Code Execution. CVE-1999-0504. Remote exploit for the Windows platform |
id | EDB-ID:16374 |
last seen | 2016-02-01 |
modified | 2010-12-02 |
published | 2010-12-02 |
reporter | metasploit |
source | https://www.exploit-db.com/download/16374/ |
title | Microsoft Windows Authenticated User Code Execution |
Metasploit
Field | Value |
---|---|
title | PsExec via Current User Token |
id | MSF:EXPLOIT/WINDOWS/LOCAL/CURRENT_USER_PSEXEC |
description | This module uploads an executable file to the victim system, creates a share containing that executable, creates a remote service on each target system using a UNC path to that file, and finally starts the service(s). The result is similar to psexec but with the added benefit of using the session's current authentication token instead of having to know a password or hash. |
last seen | 2020-05-22 |
modified | 2017-07-24 |
published | 2012-10-24 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/current_user_psexec.rb |

Field | Value |
---|---|
title | Microsoft Windows Authenticated Logged In Users Enumeration |
id | MSF:AUXILIARY/SCANNER/SMB/PSEXEC_LOGGEDIN_USERS |
description | This module uses a valid administrator username and password to enumerate users currently logged in, using a similar technique to the "psexec" utility provided by SysInternals. It uses reg.exe to query the HKU base registry key. |
last seen | 2020-01-14 |
modified | 2019-03-05 |
published | 2012-12-04 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/smb/psexec_loggedin_users.rb |

Field | Value |
---|---|
title | Microsoft Windows Authenticated Powershell Command Execution |
id | MSF:EXPLOIT/WINDOWS/SMB/PSEXEC_PSH |
description | This module uses a valid administrator username and password to execute a powershell payload using a similar technique to the "psexec" utility provided by SysInternals. The payload is encoded in base64 and executed from the command line using the -encodedcommand flag. Using this method, the payload is never written to disk, and given that each payload is unique, it is less prone to signature-based detection. A persist option is provided to execute the payload in a while loop in order to maintain a form of persistence. In the event of a sandbox observing PSH execution, a delay and other obfuscation may be added to avoid detection. In order to avoid interactive process notifications for the current user, the psh payload has been reduced in size and wrapped in a powershell invocation which hides the window entirely. |
last seen | 2020-06-01 |
modified | 2018-07-30 |
published | 2013-08-15 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/psexec_psh.rb |

Field | Value |
---|---|
title | Windows Management Instrumentation (WMI) Remote Command Execution |
id | MSF:EXPLOIT/WINDOWS/LOCAL/WMI |
description | This module executes powershell on the remote host using the current user credentials or those supplied. Instead of using PSEXEC over TCP port 445, it uses the WMIC command to start a Remote Procedure Call on TCP port 135 and an ephemeral port. Set ReverseListenerComm to tunnel traffic through that session. The result is similar to psexec but with the added benefit of using the session's current authentication token instead of having to know a password or hash. The remote host must be configured to allow remote Windows Management Instrumentation. |
last seen | 2020-04-11 |
modified | 2019-03-29 |
published | 2013-09-20 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/wmi.rb |

Field | Value |
---|---|
title | Microsoft Windows Authenticated User Code Execution |
id | MSF:EXPLOIT/WINDOWS/SMB/PSEXEC |
description | This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the "psexec" utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description. |
last seen | 2020-05-22 |
modified | 2020-05-14 |
published | 2015-05-20 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/psexec.rb |

Field | Value |
---|---|
title | Powershell Remoting Remote Command Execution |
id | MSF:EXPLOIT/WINDOWS/LOCAL/POWERSHELL_REMOTING |
description | This module uses Powershell Remoting (TCP 47001) to inject payloads on target machines. If RHOSTS are specified, it will try to resolve the IPs to hostnames; otherwise use a HOSTFILE to supply a list of known hostnames. |
last seen | 2020-04-11 |
modified | 2017-07-24 |
published | 2014-12-04 |
references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0504 |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/powershell_remoting.rb |

Field | Value |
---|---|
title | Microsoft Windows Authenticated Administration Utility |
id | MSF:AUXILIARY/ADMIN/SMB/PSEXEC_COMMAND |
description | This module uses a valid administrator username and password to execute an arbitrary command on one or more hosts, using a similar technique to the "psexec" utility provided by SysInternals. Daisy chaining commands with '&' does not work and users shouldn't try it. This module is useful because it doesn't need to upload any binaries to the target machine. |
last seen | 2020-06-06 |
modified | 2020-05-30 |
published | 2013-11-01 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/smb/psexec_command.rb |
Nessus
Field | Value |
---|---|
title | Microsoft Windows SMB Blank Administrator Password |
NASL family | Windows |
NASL id | SMB_BLANK_ADMIN_PASSWORD.NASL |
plugin id | 26918 |
description | The remote host is running one of the Microsoft Windows operating systems. It was possible to log into it using the administrator account with a blank password. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
published | 2007-10-04 |
reporter | This script is Copyright (C) 2007-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/26918 |

Field | Value |
---|---|
title | Microsoft Windows SMB Guessable User Credentials |
NASL family | Windows |
NASL id | SMB_LOGIN_AS_USERS.NASL |
plugin id | 10404 |
description | This script attempts to log into the remote host using several login / password combinations. |
last seen | 2020-04-30 |
modified | 2000-05-10 |
published | 2000-05-10 |
reporter | This script is Copyright (C) 2000-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/10404 |
Packetstorm
Field | Value |
---|---|
title | Windows Management Instrumentation (WMI) Remote Command Execution |
id | PACKETSTORM:123729 |
data source | https://packetstormsecurity.com/files/download/123729/wmi.rb.txt |
last seen | 2016-12-05 |
published | 2013-10-23 |
reporter | Ben Campbell |
source | https://packetstormsecurity.com/files/123729/Windows-Management-Instrumentation-WMI-Remote-Command-Execution.html |

Field | Value |
---|---|
title | Microsoft Windows Authenticated Powershell Command Execution |
id | PACKETSTORM:122390 |
data source | https://packetstormsecurity.com/files/download/122390/psexec_psh.rb.txt |
last seen | 2016-12-05 |
published | 2013-07-13 |
reporter | RageLtMan |
source | https://packetstormsecurity.com/files/122390/Microsoft-Windows-Authenticated-Powershell-Command-Execution.html |

Field | Value |
---|---|
title | Powershell Remoting Remote Command Execution |
id | PACKETSTORM:130975 |
data source | https://packetstormsecurity.com/files/download/130975/powershell_remoting.rb.txt |
last seen | 2016-12-05 |
published | 2015-03-24 |
reporter | Ben Campbell |
source | https://packetstormsecurity.com/files/130975/Powershell-Remoting-Remote-Command-Execution.html |

Field | Value |
---|---|
title | Psexec Via Current User Token |
id | PACKETSTORM:115238 |
data source | https://packetstormsecurity.com/files/download/115238/current_user_psexec.rb.txt |
last seen | 2016-12-05 |
published | 2012-08-03 |
reporter | Jabra |
source | https://packetstormsecurity.com/files/115238/Psexec-Via-Current-User-Token.html |