Tony Wasson wrote:
> ...
> Here's my exploit demonstration game plan:
> 1) Run Netcat in listener mode on my demo PC.
> 2) Run IIS5HACK against a Windows 2000 server.
> 3) Show the Windows 2000 command prompt in my Netcat with no security
> limitations.
> 4) Copy over the NT Rootkit and 'deploy' it.
> 5) Show that I am 'invisible' when connected to the Rootkit (netstat output)
>
> What do you recommend I demonstrate? Most offices I've seen are running
> Windows 9x for clients and a Win NT/2000 server. Some run ancient *NIX boxes
> and terminals. My clients are running Debian GNU/Linux servers. ;-)

Sounds good so far. If you poke around Packetstorm (& google) you can get
more goodies.

"snmpwalk" is scary if you can get the public/private strings (almost always
"PUBLIC" and "PRIVATE").

Enumerating shares (and more) over a null session is fun & all the tools are
already there.

    net use \\HostNameOrIP\ipc$ "" /user:""
    net view \\HostNameOrIP
    net view /domain
    net view /domain:DomainName   (if there are multiple)

DumpSec.exe works on a null connection & gives you user & group info. If
you've got the Resource Kit, nltest.exe and nbtstat.exe. Enum.exe from
Bindview is good and easy to get.

PipeUpAdmin.exe is fun on W2k, turns your minion-class user into an
Administrator at the next login.

You can sniff password hashes off the wire & crack them with L0phtcrack.

Maybe grab Psexec from
http://www.sysinternals.com/ntw2k/freeware/psexec.shtml

Browse through Foundstone.com and Bindview.com and you should find enough
tools. "How should I attack Windows?" is like asking "where should we eat?"

You will, of course, want to be very very sure that you've got proper
authorization before you start scaring the pants off of them :-)

Steve

"Children of the night...What a mess they make!"--Dracula (Leslie Nielsen)
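The null-session enumeration Steve lists above, as an added worked example that is not part of the original thread. It is a PowerShell script (not something Steve or Tony posted) that wraps the same classic `net use` / `net view` commands on the attacker side so the anonymous session is always torn down, and adds the server-side registry check a defender would run to see whether anonymous enumeration is permitted at all. Assumptions: the target named on the command line is a host you are authorized to test; the host name `demo-dc` in the usage line is made up; the script must run on a Windows box with the `net` commands on PATH, and the registry audit must run on the server being checked.

```powershell
# Added example: null-session share enumeration (attacker side) and the
# RestrictAnonymous audit (server side). Not code from the original thread.
# Assumption: $Target is a host you have written authorization to probe.
param(
    [Parameter(Mandatory = $true)][string]$Target,
    [switch]$AuditLocal   # run the registry check on this machine instead of probing
)

function Invoke-NullSessionEnum {
    param([string]$Server)
    # The empty "" password and /user:"" are awkward to quote through
    # PowerShell, so the target is passed via an environment variable and the
    # classic command line is handed to cmd.exe verbatim with the --% token.
    $env:NS_TARGET = $Server
    try {
        $connect = cmd /c --% net use \\%NS_TARGET%\ipc$ "" /user:"" 2>&1
        if ($LASTEXITCODE -ne 0) {
            # Typical failures: "System error 5" (anonymous access refused) or
            # "System error 53" (no SMB service reachable on the target).
            return [pscustomobject]@{
                Target      = $Server
                NullSession = $false
                Detail      = ($connect -join ' ')
                Shares      = @()
            }
        }
        # IPC$ accepted an anonymous logon; share enumeration now works just
        # as in the post. Keep only the rows of the share table.
        $view   = cmd /c --% net view \\%NS_TARGET% 2>&1
        $shares = $view |
            Where-Object { $_ -match '^\S+\s+(Disk|Print|IPC)\s' } |
            ForEach-Object { ($_ -split '\s+')[0] }
        return [pscustomobject]@{
            Target      = $Server
            NullSession = $true
            Detail      = 'IPC$ accepted anonymous logon'
            Shares      = @($shares)
        }
    }
    finally {
        # Always drop the session so the demo box is not left attached.
        cmd /c --% net use \\%NS_TARGET%\ipc$ /delete /y >nul 2>&1
        Remove-Item Env:NS_TARGET -ErrorAction SilentlyContinue
    }
}

function Get-AnonymousRestriction {
    # Server-side check. On Windows 2000 the relevant value is
    # HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous:
    #   0 = no restriction (what the demo above relies on)
    #   1 = anonymous users cannot enumerate accounts and shares
    #   2 = no anonymous access without explicit permissions
    # RestrictAnonymousSAM and EveryoneIncludesAnonymous were added in later
    # Windows versions and are reported when present.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    [pscustomobject]@{
        RestrictAnonymous         = $lsa.RestrictAnonymous
        RestrictAnonymousSAM      = $lsa.RestrictAnonymousSAM
        EveryoneIncludesAnonymous = $lsa.EveryoneIncludesAnonymous
        # Enumeration over a null session is blocked once RestrictAnonymous
        # is at least 1 (2 is the setting that fully closes the demo on W2k).
        BlocksEnumeration         = ([int]$lsa.RestrictAnonymous -ge 1)
    }
}

if ($AuditLocal) {
    Get-AnonymousRestriction | Format-List
} else {
    # Usage from an authorized demo PC:  .\nullsession.ps1 -Target demo-dc
    Invoke-NullSessionEnum -Server $Target | Format-List
}
```

Run it once with `-Target` from the demo PC to show the share list coming back over an anonymous IPC$ connection, then run it with `-AuditLocal` on the server to show the registry value that would have stopped it; repeating the probe after raising RestrictAnonymous gives a clean before/after for the audience.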