Hi. I'm looking for some ideas from knowledgeable people.
First, an introduction. The network I'm dealing with has these features:
- Windows Server 2003
- a public facing IIS-6.0 server (run by the Windows Server) with ports 80, 443, and 22 open
  - port 80 redirects to port 443, and the only thing that I can tell is on port 443 is Microsoft Office Outlook Web Access (OWA)
- Around 200 machines running Windows XP that connect to the 2003 server
- all of the client machines have the same LOCAL admin password, which I have compromised
- each domain user has access to certain shares on the server
  - I have compromised the passwords of various users whose shares I would like to access, however I can not crack the domain admin password
So basically my goal is to be able to regularly access the shares of certain domain users. The problem is that I cannot physically access a PC to log in without being seen (because other users are always working at neighboring PCs).
So do you guys have any ideas?
Perhaps I could set up some sort of remote access software on one of the XP machines using a local admin password? Though then it would have to be able to be seen through the restricted firewall...
Perhaps something could be done using the open port 22? I don't know much about SSH.
Perhaps OWA is vulnerable? Or IIS-6.0?
Thanks!
Can you explain more about your relationship to the company that operates this network?
Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".
The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
I think he's just an unprivileged copyguy there compromising passwords through shoulder-surfing. Probably trying to make money by selling sensitive data to the company's competition...
I hope he clears his relationship otherwise he could be banned here...
I hope I could be first to report him...
I don't think he'll be back again... sad...
Last edited by phangs; 05-24-2010 at 07:19 PM.
At this point I'm not expecting a reply.