Hi. I'm looking for some ideas from knowledgeable people.
First, an introduction. The network I'm dealing with has these features:
- Windows Server 2003
- a public facing IIS-6.0 server (run by the Windows Server) with ports 80, 443, and 22 open
- --port 80 redirects to port 443, and the only thing that I can tell is on port 443 is Microsoft Office Outlook Web Access (OWA)
- Around 200 machines running Windows XP that connect to the 2003 server
- all of the client machines have the same LOCAL admin password, which I have compromised
- each domain user has access to certain shares on the server
- --I have compromised the passwords of various users whose shares I would like to access, however I can not crack the domain admin password
So basically my goal is to be able to regularly access the shares of certain domain users. The problem is that I cannot physically access a PC to log in without being seen (because other users are always working at neighboring PCs).
So do you guys have any ideas?
Perhaps I could set up some sort of remote access software on one of the XP machines using a local admin password? Though then it would have to be able to be seen through the restricted firewall...
Perhaps something could be done using the open port 22? I don't know much about SSH.
Perhaps OWA is vulnerble? Or IIS-6.0?