ID CVE-1999-0504
Summary A Windows NT local user or administrator account has a default, null, blank, or missing password.
References
Vulnerable Configurations
  • Microsoft Windows 2000
    cpe:2.3:o:microsoft:windows_2000
  • Microsoft Windows NT
    cpe:2.3:o:microsoft:windows_nt
CVSS
Base: 7.5 (as of 01-01-2004 - 00:00)
Impact:
Exploitability:
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
exploit-db via4
description Microsoft Windows Authenticated User Code Execution. CVE-1999-0504. Remote exploit for windows platform
id EDB-ID:16374
last seen 2016-02-01
modified 2010-12-02
published 2010-12-02
reporter metasploit
source https://www.exploit-db.com/download/16374/
title Microsoft Windows Authenticated User Code Execution
metasploit via4
  • description This module executes powershell on the remote host using the current user credentials or those supplied. Instead of using PSEXEC over TCP port 445 we use the WMIC command to start a Remote Procedure Call on TCP port 135 and an ephemeral port. Set ReverseListenerComm to tunnel traffic through that session. The result is similar to psexec but with the added benefit of using the session's current authentication token instead of having to know a password or hash. The remote host must be configured to allow remote Windows Management Instrumentation.
    id MSF:EXPLOIT/WINDOWS/LOCAL/WMI
    last seen 2019-03-12
    modified 2017-07-24
    published 2013-09-20
    reliability Excellent
    reporter Rapid7
    source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/wmi.rb
    title Windows Management Instrumentation (WMI) Remote Command Execution
  • description This module uses a valid administrator username and password to execute a powershell payload using a similar technique to the "psexec" utility provided by SysInternals. The payload is encoded in base64 and executed from the commandline using the -encodedcommand flag. Using this method, the payload is never written to disk, and given that each payload is unique, is less prone to signature based detection. A persist option is provided to execute the payload in a while loop in order to maintain a form of persistence. In the event of a sandbox observing PSH execution, a delay and other obfuscation may be added to avoid detection. In order to avoid interactive process notifications for the current user, the psh payload has been reduced in size and wrapped in a powershell invocation which hides the window entirely.
    id MSF:EXPLOIT/WINDOWS/SMB/PSEXEC_PSH
    last seen 2019-03-23
    modified 2018-07-30
    published 2013-08-15
    reliability Manual
    reporter Rapid7
    source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/psexec_psh.rb
    title Microsoft Windows Authenticated Powershell Command Execution
  • description This module uses a valid administrator username and password to execute an arbitrary command on one or more hosts, using a similar technique to the "psexec" utility provided by SysInternals. Daisy chaining commands with '&' does not work and users shouldn't try it. This module is useful because it doesn't need to upload any binaries to the target machine.
    id MSF:AUXILIARY/ADMIN/SMB/PSEXEC_COMMAND
    last seen 2019-03-10
    modified 2019-03-05
    published 2013-10-31
    reliability Normal
    reporter Rapid7
    source https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/smb/psexec_command.rb
    title Microsoft Windows Authenticated Administration Utility
  • description This module uploads an executable file to the victim system, creates a share containing that executable, creates a remote service on each target system using a UNC path to that file, and finally starts the service(s). The result is similar to psexec but with the added benefit of using the session's current authentication token instead of having to know a password or hash.
    id MSF:EXPLOIT/WINDOWS/LOCAL/CURRENT_USER_PSEXEC
    last seen 2019-03-10
    modified 2017-07-24
    published 2012-10-24
    reliability Excellent
    reporter Rapid7
    source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/current_user_psexec.rb
    title PsExec via Current User Token
  • description This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the "psexec" utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.
    id MSF:EXPLOIT/WINDOWS/SMB/PSEXEC
    last seen 2019-03-24
    modified 2018-09-15
    published 2014-11-19
    reliability Manual
    reporter Rapid7
    source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/psexec.rb
    title Microsoft Windows Authenticated User Code Execution
  • description This module uses a valid administrator username and password to enumerate users currently logged in, using a similar technique to the "psexec" utility provided by SysInternals. It uses reg.exe to query the HKU base registry key.
    id MSF:AUXILIARY/SCANNER/SMB/PSEXEC_LOGGEDIN_USERS
    last seen 2019-03-28
    modified 2019-03-05
    published 2012-12-04
    reliability Normal
    reporter Rapid7
    source https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/psexec_loggedin_users.rb
    title Microsoft Windows Authenticated Logged In Users Enumeration
  • description This module uses Powershell Remoting (TCP 47001) to inject payloads on target machines. If RHOSTS are specified, it will try to resolve the IPs to hostnames, otherwise use a HOSTFILE to supply a list of known hostnames.
    id MSF:EXPLOIT/WINDOWS/LOCAL/POWERSHELL_REMOTING
    last seen 2019-03-16
    modified 2017-07-24
    published 2014-12-04
    reliability Excellent
    reporter Rapid7
    source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/powershell_remoting.rb
    title Powershell Remoting Remote Command Execution
nessus via4
  • NASL family Windows
    NASL id SMB_LOGIN_AS_USERS.NASL
    description This script attempts to log into the remote host using several login / password combinations.
    last seen 2019-02-21
    modified 2018-08-13
    plugin id 10404
    published 2000-05-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=10404
    title Microsoft Windows SMB Guessable User Credentials
  • NASL family Windows
    NASL id SMB_BLANK_ADMIN_PASSWORD.NASL
    description The remote host is running one of the Microsoft Windows operating systems. It was possible to log into it using the administrator account with a blank password.
    last seen 2019-02-21
    modified 2018-07-27
    plugin id 26918
    published 2007-10-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=26918
    title Microsoft Windows SMB Blank Administrator Password
packetstorm via4
Last major update 09-09-2008 - 08:34
Published 01-01-1997 - 00:00