Escalating Privelage in Windows Operating Systems

[warl0ck7]

Hi everyone,

In this article i am going to discuss all the methods(almost ) of obtaining administrative privelages
on a winodws box.

A. WIndows 98/95/ME

These do not have any restrictions but still if don't want those login window do this

1.When windows boots prees F8,this will show a menu. Select "safemode command prompt"
2.Type deltree -y c:\windows *.pwl,this will delete all the password files
3.Yes this is it !!! :-)

Note: If you don't want the people pressing F* and getting the startup menu do the
following edit Msdos.sys in the root directory and add a line BootKeys=0

B. Windows NT

1. GetAdmin

This expoit adds a user to the administrator group.It works by exploiting
ChangeNtGlobalFlag(GetNtGlobalFlagPtr()); and DLL injection.
Get it from
http://packetstorm.linuxsecurity.com...k/getadmin.zip

simply type getadmin aor getadmin <user_name> and enjoy

2. Sechole.exe

This exploit by exploiting existing Windows NT services, an application can locate a certain
API call in memory (OpenProcess), modify the instructions in a running instance, and gain
Debug level access to the system, where it then grants the currently logged-in user complete
membership to the Administrators group in the local SAM database.
Get it from

http://packetstorm.linuxsecurity.com...t-sechole2.zip

Simply execute sechole.exe
If your machine hangs reboot and observe that a user will added to the administrators group.


C. Windows 2000


1. PipeUpAdmin

This exploit uses the Named Pipe Vulnerability.As Windows 2000 uses predictable named pipe
names for controlling services, any user process can create a named pipe with the next name
and force a service, they can start, to connect to the pipe.Once connected, the user process
can impersonate the service.
Get it from

http://content.443.ch/pub/security/b...ipeUpAdmin.exe

Simpy execute PipeUpAdmin and logout and log backin, you will be added to the administrators
group.

2. NetDDe,GetAd

This exploit uses a security vulnerability in Windows's NetDDE that allows local attackers to
gain arbitrary privileges, this by causing the NetDDE to execute arbitrary code.The exploit
code and binaries can be found at

http://imm.uinc.ru/getad/

Executing getad will spawn a shell running as SYSTEM.



D. Windows XP

1.NetDDe,GetAD2

This expoit is brother of the Windows 2000 GetAD exploit and yes it works.Get it from

http://imm.uinc.ru/getad/

Executing GetAd2 will spawn a shell running as SYSTEM.

E. Windows NT/2000/XP

1. Booting into Alternative OS and deleting the SAM file clears the Adminstrator password!!!.
One can use a Linux floppy with kernel's NTFS read/write support or you can use NTFS dos
professional for DOS. Visit www.bootdisk.com for more...:-).

[Tedob1]

good tut warl0ck7. i think its good that the ligitimate community sees what the darker side has already seen and is using.

ahh...the importance of patches

[CraZy_AhmaD]

hmm might be a good idia to copy the pwl's to different extension
so you could grab the passwords later...

also there is the iusr_bug in nt4 with iis... but the the most easiest way is getadmin...