Rooting a Windows Machine : Lesson 2-SMB Exploits - Submitted By: DarkPontifex 2008-08-19 11:11:43
Yeah, that's right. Alright, you made it past lesson 1, congratulations!!! YEAH!!! Anyway, now is a good time to load yourself up with some basic rooting tools, namely a port scanner, a password cracker, and, in this particular case, a tool known as ENUM.exe (http://www.governmentsecurity.org/forum/index.php?act=Attach&type=post&id=109), which stands for Enumeration, which is the third stage of rooting. Speaking of which, we have to get some learning. TO THE LEARN-MOBILE
Rooting Computers - The Steps
In rooting, the first step is called "Footprinting". This involves WHOIS searches, traceroute, DNS zone transfers, IP mapping, you know, that kind of stuff. We get into this in the next chapter.
The third step is Enumeration, as I already said. This involves listing user accounts, file shares, and running applications.
The fourth step is the kicker, Gaining Access. There will be a couple of chapters devoted to this; basically it involves ways of getting an account. You will need a password cracker such as JTR (http://www.openwall.com/john/).
The fifth step is Escalation (if you have not already accomplished this in step 4). This basically means hijacking the SAM and cracking the hashes.
Then comes Pilfering: evaluate the trust relationships between clients, search for neat info you want, fuck up the computer, the stuff you wanna do.
Then the 7th (optional) step is placing backdoors, such as VNC, Back Orifice, etc., so in case the exploit is fixed you can still gain access.
The 8th (NOT OPTIONAL) step is erasing logs. There is gonna be a chapter for this; basically it means not leaving any traces ANYWHERE.
Back to SMB, or Server Message Block. Most XP/2000 computers have this improperly configured: it comes badly configured by default, and is difficult to configure properly. I am willing to bargain 75% of all computers are vulnerable to this.
SMB attacks are very similar in nature to NetBIOS attacks, but instead of relying on NetBIOS shares, you use SMB shares.
Step 1 > IP range
The first step is to obtain remote IP addresses running NT, W2000, or XP. I will talk about scanning huge IP ranges for IPs later, but for now I am assuming you know the IP of your victim.
Step 2 > Enumerating remote target
The next step is to obtain information about the remote IP address: user account info, share lists, etc. To do this I had to first establish an anonymous null connection to the remote PC's named pipe IPC$ (keep reading, I explain and it gets simpler). IPC$ is a resource sharing the named pipes that are essential for communication between programs. This can be accomplished by using the Windows NET command; below is the syntax for establishing an anonymous null connection to the remote PC's named pipe (replace "nnn" with the remote IP address):
NET USE \\nnn.nnn.nnn.nnn\ipc$ "" /u:""
Once the command has executed successfully you can then use other tools to enumerate the remote host. The syntax for enumerating the remote user account and share info is:
ENUM -U -S -d nnn.nnn.nnn.nnn
(did I mention nnn.nnn.nnn.nnn is the IP?)
Step 3 > Getting root
Now that we have successfully enumerated the remote PC, we can take the next step, and that's to attempt to access the remote computer's hard drive. Our job has been cut down to half the task because we now have a valid username; all we need to do, if necessary, is guess the password. Once again I use enum for this task; enum is a powerful tool and one of my favorites because it offers other options such as Dictionary Attack! Below is the syntax for using the dictionary attack function of ENUM:
enum -D -u "Administrator" -f pswdfile.txt nnn.nnn.nnn.nnn
(Replace "Administrator" with the root/SYSOP username. The switch -D is to execute a dictionary attack; the switch -u requires a username; switch -f requires the path to a word list file; and nnn.nnn.nnn.nnn should be replaced with the remote IP.)
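Both of the steps above leave a clear trail on the target: the anonymous IPC$ connection in Step 2 shows up in the Windows Security log as a successful network logon by ANONYMOUS LOGON, and the dictionary attack in Step 3 shows up as a burst of failed logons for one account from one source, sometimes followed by a success. The following is an added example written from the defender's side; it is not part of the original post and not code from the ENUM tool or from Windows. It assumes the events have already been exported into a simplified dict form (the field names mirror the Windows EventData names, but the records themselves are constructed samples), and it uses the real Windows meanings of event ID 4624 (logon succeeded), 4625 (logon failed) and LogonType 3 (network logon, which is what an SMB connection produces). The threshold and window are tunable assumptions, not Windows defaults.

```python
"""Flag null-session logons and password-guessing bursts in Windows Security
log events. Added example (not from the original post). Events are assumed to
be pre-parsed into dicts; the records below are constructed samples."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Field names follow the Windows
# EventData names: TargetUserName -> user, LogonType -> logon_type,
# IpAddress -> src. 4624 = logon succeeded, 4625 = logon failed.
SAMPLE_EVENTS = [
    # the anonymous IPC$ bind from Step 2: network logon as ANONYMOUS LOGON
    {"time": "2008-08-19T11:11:43", "id": 4624, "user": "ANONYMOUS LOGON", "logon_type": 3, "src": "10.0.0.5"},
    # the dictionary attack from Step 3: six failures, then a success
    {"time": "2008-08-19T11:11:50", "id": 4625, "user": "Administrator", "logon_type": 3, "src": "10.0.0.5"},
    {"time": "2008-08-19T11:11:55", "id": 4625, "user": "Administrator", "logon_type": 3, "src": "10.0.0.5"},
    {"time": "2008-08-19T11:12:00", "id": 4625, "user": "Administrator", "logon_type": 3, "src": "10.0.0.5"},
    {"time": "2008-08-19T11:12:05", "id": 4625, "user": "Administrator", "logon_type": 3, "src": "10.0.0.5"},
    {"time": "2008-08-19T11:12:10", "id": 4625, "user": "Administrator", "logon_type": 3, "src": "10.0.0.5"},
    {"time": "2008-08-19T11:12:15", "id": 4625, "user": "Administrator", "logon_type": 3, "src": "10.0.0.5"},
    {"time": "2008-08-19T11:12:30", "id": 4624, "user": "Administrator", "logon_type": 3, "src": "10.0.0.5"},
    # ordinary activity that must not be flagged
    {"time": "2008-08-19T12:00:00", "id": 4624, "user": "alice", "logon_type": 2, "src": "-"},
    {"time": "2008-08-19T12:05:00", "id": 4625, "user": "bob", "logon_type": 3, "src": "10.0.0.9"},
]


def parse_time(stamp):
    """ISO-8601 timestamp -> datetime (Python 3.7+)."""
    return datetime.fromisoformat(stamp)


def find_null_sessions(events):
    """Return (time, src) for every successful network logon by ANONYMOUS LOGON.
    That is exactly what an anonymous NET USE to IPC$ produces on the target."""
    return [
        (e["time"], e["src"])
        for e in events
        if e["id"] == 4624 and e["logon_type"] == 3
        and e["user"].upper() == "ANONYMOUS LOGON"
    ]


def find_guessing_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """Return one finding per (src, user) pair that accumulates at least
    `threshold` failed logons inside a sliding `window`, and record whether a
    successful logon for the same pair landed inside that window (i.e. the
    guessing worked). Threshold and window are assumed tuning values."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        key = (e["src"], e["user"])
        t = parse_time(e["time"])
        if e["id"] == 4625:
            failures[key].append(t)
        elif e["id"] == 4624:
            successes[key].append(t)

    findings = []
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # slide the window start forward until it spans <= `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                first = times[start]
                burst = [t for t in times if first <= t <= first + window]
                cracked = any(first <= s <= first + window for s in successes[key])
                findings.append({
                    "src": key[0], "user": key[1], "failures": len(burst),
                    "first": first.isoformat(), "success_after": cracked,
                })
                break  # one finding per pair is enough for an alert
    return findings


if __name__ == "__main__":
    for when, src in find_null_sessions(SAMPLE_EVENTS):
        print(f"null session from {src} at {when}")
    for f in find_guessing_bursts(SAMPLE_EVENTS):
        print(f"{f['failures']} failed logons for {f['user']} from {f['src']} "
              f"starting {f['first']}; succeeded afterwards: {f['success_after']}")
```

Run against the sample it reports the one null session from 10.0.0.5 and a six-failure burst against Administrator from the same source that ended in a success, while alice's interactive logon and bob's single failure stay quiet. Keying on (source, account) rather than on account alone keeps one noisy host from masking another; in a real deployment the dicts would come from the Security log (for example via an export of 4624/4625 events) rather than from the constructed list. On the hardening side, the anonymous bind this detects is what the RestrictAnonymous value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa exists to block on NT/2000/XP, and an account lockout policy turns the Step 3 burst from a quiet guess into a loud, self-limiting event.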