carlo
11-04-2005, 12:46 PM
Netbios
-------------------
There is hardly a soul alive who doesn't know about this problem, and
pretty much everybody and their mother has written a tutorial on
"netbios hacking" (seriously guys, do we really need this many netbios
tutorials circulating around?). Therefore, I will only make a brief
mention of this point of entry purely for the very few of you who may
have not heard of this issue. This problem generates from ignorant
users who enable file sharing on their LAN without setting permissions.
This comes to be, since many users who set up their LAN don't seem to
want to waste their time with having to push in a password every time
they want to get a file off a networked computer. However, what they
don't understand with this is that when they share a computer like
this, they are not only sharing information with other computers on
their LAN, but everybody else on the internet. Therefore, just as
easily as they can access files on their computer, so can the rest
of the world. The way that you, the intruder, would go about exploiting
this example of user ignorance is by first getting a port scanner if
you don't already have one. If you are a Windows user, probably your
best bet is to get IPEye. Though nmap is probably the best port scanner
out, its Windows port is a tad unstable, and is not very reliable to
use. IPEye on the other hand has all the scan types of nmap, yet is
more robust and dependable than the nmap windows port. Anyways, upon
port scanning this computer you will be looking for port ***. There
is a scanner called XSharez Scanner that will scan a range of IP
addresses for the presence of this port. This is good to use if you
want to gain access into just anybody's information. Anyways, once you
find the presence of port *** then you will go into command prompt
(Start/Run/type in "command" and press Enter) and type in "nbtstat
-A ip.address.here" and press Enter. A list will show up with shared
resource names, and the MAC address will be listed at the bottom. If
you see a shared name with <20> beside it, then you know that file
sharing is enabled. You will then go to c:\windows(or winnt)\ and go to
lmhosts and open it with notepad. Then go to the bottom of the file and
type in the victim's ip address, and save. Then go to
Start\Find\Computer and type in the ip address and click "Find Now".
Once the computer shows up you just double click it and you're in.
There are a few other ways to do this same task, but of course, there
are countless "netbios hacking" tutorials out there you can read to
find out about other methods for this task. So this concludes it for
this section, now onto other points of entry that are not quite so
commonly discussed.
Internet Explorer
----------------------------
In these times, using Internet Explorer as your default browser is
a very bad decision to make. There are so many vulnerabilities for
Internet Explorer right now, that using it is like leaving the door
wide open for anybody to just walk in. Even CERT (Computer Emergency
Readiness Team) has finally warned everybody to not use Internet
Explorer. However, does your average end user even listen? Not hardly.
Therefore, this issue remains a very common point of entry into your
average Windows home user. The task in exploiting Internet Explorer
is to trick it into dropping an executable onto the remote computer
so that we can run our favorite RAT server and setup a backdoor onto
the user's computer. First we can try exploiting it via object tags.
Go to the below link to get a proof of concept for this vulnerability.
http://www.geocities.com/protonigg*r/ie6-exedrop-asp-POC.zip
Just incorporate this vulnerability into your own web page, and then
add perhaps a cgi ip logger or such so that you can log the ip address
of the visitor so that you can connect to the server, and then when
they visit the page, just load up your RAT client and connect to the
newly established server (note: RAT means Remote Administration Tool,
trojan in layman's terms). Of course, maybe there is the off chance
that the user you are targeting has patched up this problem. In this
case, you can use a more recent vulnerability of this type. Go to the
below link to get a full report on this vulnerability...
http://62.***.86.***/analysis.htm
Or if you want to get straight to the point, you can find the proof
of concept to utilize at the below link...
http://62.***.86.***/security/idiots/repro/exploit.zip
Of course, this vulnerability is only as effective as the RAT you
choose is. If you use an obvious one like Sub7 then you will probably
not be successful. Even if the user you are targeting does not have
antivirus software installed, most ISPs block commonly used trojan
ports to thwart such activity. I cannot choose a RAT for you. This
will be up to you, and will like many things in this sort of field of
activity be a trial and error process. Well that pretty much wraps it
up for this section. No matter how many security warnings are released
to the public, most people just don't listen. Therefore, this can be
a highly effective point of entry into someone's personal computer.
Now, onto our next section...
Windows
-------------------
Of course, applications and configurations used aren't the only source
of such vulnerabilities. Windows itself can be a point of entry if
not properly patched. First let's get into the DCOM vulnerability.
The Distributed Component Object Model service is a default service
on Windows NT, 2000, XP, and 200* that allows for COM objects to
communicate over a network. This service can be exploited to allow
arbitrary (remote) commands to be executed on the remote side. This
is the vulnerability that MyDoom used to distribute itself, so many
computers are already patched from this issue. However, there are
plenty that are not, so it's always nice to check. If you have a
specific user in mind, then you can use the following tool to check
if the user is vulnerable, and exploit the service if it is
vulnerable...
www.geocities.com/protonigg*r/rpcexploit.zip
You can also use the tool linked below to scan a range of ip addresses
for the presence of this vulnerability...
http://www.eeye.com/html/Research/Tools/RPCDCOM.html
That's it!
Hope you enjoyed it.
Carlo
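An added audit helper, not part of the original post: it parses the name table that "nbtstat -A" prints for one host and reports whether the File Server service (the <20> entry the post mentions) is registered, so an administrator can inventory which of their own machines advertise SMB file sharing. The sample output and the function names are my own constructions.

```python
import re

# Constructed sample of what "nbtstat -A <ip>" prints for one host (not captured output).
SAMPLE_NBTSTAT = """
Local Area Connection:
Node IpAddress: [192.0.2.10] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    HOMEPC         <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    HOMEPC         <20>  UNIQUE      Registered

    MAC Address = 00-00-5E-00-53-01
"""

# One table row: NAME <XX> UNIQUE|GROUP Status
ROW_RE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)")
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f-]{17})")

# Well-known NetBIOS name suffixes; <20> is the File Server (SMB) service.
SUFFIX = {"00": "Workstation", "03": "Messenger", "20": "File Server",
          "1B": "Domain Master Browser", "1E": "Browser Elections"}

def parse_nbtstat(text):
    """Return the name-table rows as dicts plus the MAC address, if one is printed."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            name, suffix, kind, status = m.groups()
            rows.append({"name": name, "suffix": suffix.upper(), "type": kind,
                         "status": status,
                         "service": SUFFIX.get(suffix.upper(), "unknown")})
    mac = MAC_RE.search(text)
    return rows, (mac.group(1) if mac else None)

def file_sharing_registered(rows):
    """True when a UNIQUE <20> name is registered: the host advertises the SMB
    Server service. Whether its shares are reachable without credentials is a
    separate permission check, so treat this as "needs review", not "open"."""
    return any(r["suffix"] == "20" and r["type"] == "UNIQUE" for r in rows)

def audit(text):
    """Summarise one host's name table for an inventory report."""
    rows, mac = parse_nbtstat(text)
    return {"mac": mac, "file_sharing": file_sharing_registered(rows),
            "names": sorted({r["name"] for r in rows})}
```

The script performs no network access; it only reads output already captured from hosts you administer.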