Full Version: Dcom - Tips
iPhrankie
Here are some tips for users interested in taking advantage of the DCOM exploit.

I am not going to provide direct links to where to get the software, but I will give enough info to help you find it.

First, you need a scanning tool to help you find machines that are vulnerable. I recommend the free scanner from eEye Security. It will scan an IP range for vulnerable machines. It will show which machines are not patched, but it will not indicate what OS is running. This does not matter too much because the next tool I recommend only has 6 options and all can be tried within a few seconds.

Second, you need a tool to help you gain root access once you find a machine that is vulnerable. I recommend using DCOM.exe. Save this file somewhere on your computer. Then launch the command prompt, navigate to this file and run it. It will show the exact command to use on an IP. Simple stuff here.

Third, once you have root-level access (great feeling, huh), your goal is to be able to download or upload files to the victim's machine. This is where most people get lost. I have read posts mentioning FTP or other similar techniques. These are not bad, but I recommend something better.

Always remember this: once you are dropped to the command prompt, you have "System" level access. This is higher than Administrator access. What does this mean to you? Well, it means that nothing is off limits. Anything and everything can be done. No limits.

OK, let's get to work. Your goal is to quickly create a new user that belongs to the Administrators group. You do this by using the "net" command. Just type "net" and you will see the list of arguments. Make sure once you add a new user to add it to the Administrators group.

All of the commands, straight from Microsoft: https://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/datacenter/dsadmin_n_manageusers.asp

OK, so did you create a new account? Good.

Finally, go to the Start Menu -> Run, then type \\ipnumberhere\c$. When prompted, use the account you created to log in. BOOM! Now you can download, upload, and make changes all through the Windows GUI.
KapKebap
Hi,

So far so good! The only problem is, if using the dcom.exe and choosing the wrong target ID, the RPC stack will die and you are not able to try the exploit a second time, or am I missing something?

Cheers
iPhrankie
Well, you can try as many times as you want.

The only problem I have found is that the RPC service crashes after you are connected for a few minutes. The user gets a message on their screen saying that RPC has failed and the system will force a reboot.

You can try as many IDs as you need to in order to get access. The crash only seems to happen after you get connected.
Droezel
Hi all, I'm quite new here, this is my first post actually...

I'm having probs sorting out the NET commands.

I add a user called 'TestUser':
c:\>NET USER TestUser PassWord /ADD

Next step would be to add the TestUser to the Administrators group, which I cannot find out how to do...
The info in the link above applies only to Windows Server 2003... I've read most of the help docs but I cannot find it.

If this account has admin rights, could I start a process on the remote pc by using psexec?
Droezel
OK, never mind my stupid question...

SOLUTION:

c:\>NET LOCALGROUP Administrators TestUser /ADD

vnet576
I get "network path cannot be found" every time I try this:

QUOTE (iPhrankie)
go to the Start Menu -> Run. Then Type \\ipnumberhere\c$

Yes... I did create users and add them to the Administrators local group.
Droezel
Same here, maybe this can only be done on a local area network...
Cosimo
In the prompt type:

net share c$

Perhaps this will solve your problems.

(other shares: admin$, d$, e$, ...)

By the way, does anyone know how to scan for what OS is running? Someone said I should use nmap, but I don't get results with that program.
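Added example from the defender's side (not code from the thread): the two things the posts above leave behind on a host, an extra member of the local Administrators group (Droezel's "NET LOCALGROUP Administrators TestUser /ADD") and re-enabled c$/admin$/ipc$ shares (Cosimo's "net share c$"), both show up in the plain output of `net localgroup Administrators` and `net share`. This script parses constructed samples of that output and reports anything outside an allowlist; the sample text and the allowlist are assumptions, not captured from a real machine.

```python
# Constructed sample in the layout "net localgroup Administrators" prints;
# "TestUser" is the account Droezel's post adds. Not captured from a real host.
LOCALGROUP_OUTPUT = (
    "Alias name     Administrators\n"
    "Comment        Administrators have complete and unrestricted access to the computer/domain\n"
    "\nMembers\n\n" + "-" * 79 + "\n"
    "Administrator\nTestUser\n"
    "The command completed successfully.\n"
)

# Constructed sample "net share" output, built with the fixed columns the real
# command uses (share name / resource / remark) so the column parser is exercised.
SHARE_ROWS = [("C$", "C:\\", "Default share"), ("IPC$", "", "Remote IPC"),
              ("ADMIN$", "C:\\WINNT", "Remote Admin")]
SHARE_OUTPUT = (
    f"{'Share name':<13}{'Resource':<32}Remark\n\n" + "-" * 79 + "\n"
    + "".join(f"{n:<13}{r:<32}{m}\n" for n, r, m in SHARE_ROWS)
    + "The command completed successfully.\n"
)

ADMIN_SHARES = {"C$", "ADMIN$", "IPC$"}  # the shares the thread tells readers to enable

def _table_body(text):
    """Yield the lines between the dashed separator and the trailing status line."""
    in_body = False
    for line in text.splitlines():
        if line.startswith("----"):
            in_body = True
        elif in_body and line.strip() and not line.startswith("The command"):
            yield line

def parse_members(text):
    """Group members: one name per line after the separator."""
    return [line.strip() for line in _table_body(text)]

def parse_shares(text):
    """Map share name -> resource path, using the header line to locate the columns."""
    header = text.splitlines()[0]
    res_col, rem_col = header.index("Resource"), header.index("Remark")
    return {line[:res_col].strip(): line[res_col:rem_col].strip()
            for line in _table_body(text)}

def audit(members, shares, expected_admins=("Administrator",)):
    """Findings a host review should raise: unknown admins and enabled admin shares."""
    findings = [f"unexpected Administrators member: {m}"
                for m in members if m not in expected_admins]
    findings += [f"administrative share enabled: {name} -> {shares[name] or '(named pipe)'}"
                 for name in sorted(shares) if name.upper() in ADMIN_SHARES]
    return findings
```

On a real host, feed the script the output of the two `net` commands instead of the constructed strings and set `expected_admins` to the accounts that are supposed to be there.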
Magnus
Cosimo, try "GFI LANguard Network Security Scanner", it should do the job.
asTHma
Hey iPhrankie, I just wanted to say thanks for that. That helped me out a lot. I was stuck on uploading and downloading files, but now it's all clear.
netcomm
I cannot get this to work; I've tried everything.

I just type
net use x: \\myip\ashare /user:blah

and copy stuff and send stuff from my computer.

There have been a few instances where this hasn't worked, but 95% of the time it does.

Also,

I have a program called DameWare. You might have heard of it; it's like a remote
desktop app. www.dameware.com
I've tried sharing admin$, adding a new user to the local Administrators group and starting NetBIOS, but still no go...
Maybe you can play around and post a reply.

NetComm
jim_bob2003
This helped me a lot.

Cheers
vnet576
Yep, I also can't get this to work in DameWare, even if I create a username and password with admin access. I just get either "network path cannot be found" or "user/password doesn't exist".
asTHma
It worked for me.
vnet576
I think I found what might be wrong. I found a few where this worked, and it looked like they had the IPC share enabled and set up. The ones for which it didn't work didn't have the IPC share set up. Does anybody know the commands for setting up the IPC share? It's different from the other ones like net share admin$=c:\winnt
DJohn84
I've always used net share ipc$
p3nGu1n
Alright guys, I've gotten root (on one of my computers, for educational reasons) and I set up the accounts and everything, but when I run the \\ip\c$ it automatically has usernames like "YOUR-VVX88VYRXO\Guest" and the box is greyed out. I tried going to map drive and log on as a different user and then finish; it goes "attempting to connect..." and it pops up first with the username that I put in, I put in the password again, press OK, then I get the same box with "YOUR-VVX88VYRXO\Guest" in it again.

Also, when I do just plain "net user" it displays the users, then says: The command completed with one or more errors.
p3nGu1n
Well, I worked around that by adding Guest as the administrator, but I wish there was a better way. Any help?

Actually, that only worked for 1 computer :\
vnet576
Hmmm, this is very strange. It seems to work for some computers but not all, maybe 1 out of every 4 machines. I'm gonna try to figure out what those machines that it worked for have in common...
OneNight
Hmm, I am not sure, but I think I read somewhere:

net start netbios
net share c=c:\ (heh, or admin$=c:\winnt I suppose)

That might do it...
p3nGu1n
QUOTE (OneNight @ Aug 7 2003, 11:22 PM)
net start netbios
net share c=c:\ (heh, or admin$=c:\winnt i suppose)

That's what I have been doing.
linuxwolf
Anyone had any luck with TFTP (nix)?
netcomm
net share ipc$ should get ya going...

I've also tried sharing IPC and it doesn't work...
Let me know how you go...

Peace
NetComm
DaMan
Neither for me... it says login or password are not correct.

But an interesting thing: when I try to list users via DameWare, no users are listed and it says COMPLETE (so no error). Is it possible the SAM is not shared???? What's the solution?