Enigma Group's Articles
Rooting a Windows Machine: Lesson 2 - SMB Exploits - Submitted By: DarkPontifex 2008-08-19 11:11:43
Yeah, that's right. You made it past lesson 1, congratulations! Now is a good time to load yourself up with some basic rooting tools: a port scanner, a password cracker, and, for this particular lesson, a tool called enum.exe (short for enumeration, which is the third stage of rooting). Speaking of which, we have some learning to do. TO THE LEARN-MOBILE!

Rooting Computers - The Steps

The first step is called "footprinting". This involves WHOIS searches, traceroute, DNS zone transfers, IP mapping, that kind of thing. We get into this in the next lesson.

The second step is scanning, which can mostly be done with Nmap: find the live hosts and the ports they listen on.

The third step is enumeration, as I already said. This involves listing user accounts, file shares, and running applications, and it is what this lesson is about.

The fourth step is the kicker: gaining access. There will be a couple of lessons devoted to this; basically it covers the ways of getting an account. You will need a password cracker such as John the Ripper (JTR).

The fifth step is escalation (if you did not already get an administrator account in step 4). On Windows this basically means grabbing the SAM and cracking the password hashes in it.

Then comes pilfering: evaluate the trust relationships with other machines, search for any interesting information, wreck the box if that is what you came for; whatever you want to do.

The 7th (optional) step is placing backdoors, such as VNC or Back Orifice, so that if the hole you came in through gets fixed you can still get back in.

The 8th (NOT optional) step is erasing logs. There will be a lesson for this too; basically it means not leaving traces ANYWHERE.

Back to SMB, or Server Message Block. This lesson depends on the target accepting an anonymous "null session", and a lot of NT/2000/XP machines do, because it was the default and it is easy to get wrong. I'd wager 75% of all machines out there are open to it. The setting that controls it is the RestrictAnonymous value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa: 0 (the NT 4.0 and 2000 default) lets an anonymous session list users and shares, 1 blocks that enumeration, and 2 (Windows 2000 and later) refuses the anonymous session outright. XP adds RestrictAnonymousSAM, which blocks account enumeration by default, and XP SP2's firewall closes the SMB ports on external interfaces, so the technique works best against NT 4.0 and Windows 2000.

SMB attacks are the same thing as the classic NetBIOS-share attacks; what differs is the transport. Over NetBIOS, SMB rides on the NetBIOS session service, TCP port 139. Windows 2000 and later also speak SMB directly over TCP on port 445, so a host with either port open is a candidate.

Step 1 > IP range
The first step is to obtain the IP address of a remote host running NT, 2000, or XP. I will cover scanning huge IP ranges later; for now I assume you already know the IP of your victim. A quick port scan that shows TCP 139 or 445 open tells you the host is worth trying.

Step 2 > Enumerating the remote target
Next we pull information out of the remote host: user account details, share lists, and so on. To do this we first establish an anonymous null session to the remote PC's IPC$ named pipe (keep reading, it gets simpler: IPC$ is the hidden share that exposes the named pipes Windows programs use to talk to each other). The Windows NET command does it; the syntax for the anonymous null session is

NET USE \\nnn.nnn.nnn.nnn\ipc$ "" /u:""

(replace nnn.nnn.nnn.nnn with the remote IP). The empty password ("") and empty username (/u:"") are what make it a null session. Once the command completes successfully, other tools can enumerate the remote host through that session. To list the remote user accounts and shares in detail:

ENUM -U -S -d nnn.nnn.nnn.nnn

(-U lists users, -S lists shares, -d asks for detailed output; did I mention nnn.nnn.nnn.nnn is the IP?). If NET USE fails with an access-denied error, the host is refusing anonymous sessions and the rest of this lesson will not work against it.

Step 3 > Getting root
Now that we have enumerated the remote PC, the next step is to get at its hard drive. Half the job is already done: we have valid usernames, so all that is left is to guess the password. ("Root" on Windows means the Administrator account, or any member of the local Administrators group, so that is the name to attack.) Once again I use enum for this. It is a powerful tool and one of my favourites because, besides enumeration, it offers a dictionary attack. The syntax is

enum -D -u "Administrator" -f pswdfile.txt nnn.nnn.nnn.nnn

(-D runs the dictionary attack; -u takes the username to attack, so swap in whatever administrator account enumeration turned up; -f takes the path to the word list; nnn.nnn.nnn.nnn is the remote IP). Check the account lockout policy before you start (enum -P nnn.nnn.nnn.nnn prints it): if the lockout threshold is anything other than 0, a dictionary attack of that many bad guesses locks the account and tells the owner somebody was knocking. With a working password, the same NET USE command aimed at the C$ share instead of IPC$ maps the remote drive.

See you next time in Lesson 3 - Footprinting.
