Windows: Some little stories...
Beta Lt Icydemon

I feel a bit guilty for not posting the regular tips of the week, and I think it's high time to share a story that is both funny and sad and will teach you a thing or two.

DISCLAIMER: This is not a hacking tutorial; the only purpose of this post is to understand that there are serious vulnerabilities out there (improve ourselves by hacking ourselves).

When I was working in an internet cafe some time ago, apart from our internal problems we sometimes had external problems (and some of you know what it means for the routers to fail and someone has to reroute the network (damned UTP cables)). One day we had a potential hacker dude (not someone who wanted to copy a game or screw up a particular PC, but someone who wanted to do harmful things). "Ok", I said, "PvP time" (good old World of Warcraft times).

I always say that the first thing is to be one step ahead of your opponent. Get into his computer and see what he does. Apart from a Remote Desktop (VNC and stuff), which is clearly visible, what have we got? Windows Explorer ;)

Exploiting a thingie in Windows networks: sometimes administrators do not lock the default shares of hard disks. Pretty nice. But how do you get admin? In a situation like this (school, internet cafe, etc.) the person who installed them has probably made one hard disk image and then copied it to the rest of the computers (using Norton Ghost, for example; I suggest you google that :). So everything shares the same accounts and the same passwords. Voila: if I get mine, I get yours. I got the credentials to log in to my computer as admin. Then I just create a shortcut (\\remote-computer\C$), I authenticate as an admin and I have access. I mount both of the disks on my computer to work better (i.e. search for the newest files etc.).

Long story short, that particular guy wanted to do something strange (most of us know that Cain & Abel can do serious things) and in my opinion the best thing is to:

shutdown -r -m \\computername -t 1 -c "OWNED"

I can see the little window for a split second notifying the user that the system is going down, and then the reboot procedure begins. Now let's see:

Now that you have seen the power of shutdown(.exe), I think it's time to look for more info yourself. shutdown /? in a command prompt will do the trick.

Moving on to the next part. How can you become the SYSTEM user in Windows? (SYSTEM > Administrator). Hmm.... let's see.... We all know that we can schedule some jobs on our Windows box, like Disk Defragmenter. There is a specific console command for that named "at" (at.exe). To ensure that programs won't have any permission problems, at runs them as SYSTEM (try the trick to see if you are secure):

1. Win+R, then type cmd.
2. Open the Task Manager and kill explorer.exe.
3. Look at the clock (or type time in the command prompt); mine says 22:47.
4. Now in the command prompt type: at 22:28 /interactive "cmd.exe"
5. Close the command prompt and wait for the minute to pass.
6. A new command prompt pops up.. wait a sec, it says "C:\windows\system32\svchost.exe"... weird...
7. In that command prompt type explorer, then Enter, and voila, it starts to load.
8. If you click on the Start menu you'll realise you are the SYSTEM user.

This vulnerability is fixed now (it hit SP2 of WinXP) and the admin can fix it by disabling Scheduled Tasks for non-administrative users.

So up to now we have seen shutdown.exe and at.exe. And I think most of us have sometimes seen a computer that has its Run option locked, or when we hold down Ctrl+Alt+Del it says that the good administrator has disabled Task Manager. What do we do? In some versions of Windows (mainly XP Professional and the Server family, and I think all of Vista) we have a tool called Group Policy Editor (gpedit.msc). If you can't "run" it (the Start menu's Run is absent), make a shortcut and type gpedit.msc. Go there and play with the stuff that is locked (User Configuration -> Administrative Templates).

I covered many things here that are good for people who want to administer Windows machines, and especially the shutdown/shares/schedule bugs. If you have any questions just throw them below ;)

Lieutenant Icydemon
General Plumbing (a.k.a. Super Mario)
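As an added example that is not part of the post above: a small Python triage routine, run over constructed and normalised Windows event records, showing how an administrator would spot the three things the post describes, namely C$/ADMIN$ share access (Security Event 5140), a remote shutdown.exe with a comment (System Event 1074) and at.exe jobs (Security Event 4698, which at.exe names At1, At2, ...). The flat record layout and the sample values are assumptions made for the example.

```python
import re

# Constructed sample records (not real logs). Each dict is one event as a log
# collector might flatten it; field names are an assumption of this example.
#   5140 = network share object accessed, 1074 = shutdown initiated by a process,
#   4698 = scheduled task created.
SAMPLE_EVENTS = [
    {"id": 5140, "user": "CAFE\\Administrator", "share": "\\\\*\\C$", "origin": "PC12"},
    {"id": 5140, "user": "CAFE\\pc07", "share": "\\\\*\\Games", "origin": "PC07"},
    {"id": 1074, "user": "CAFE\\Administrator", "origin": "PC12",
     "process": "C:\\Windows\\system32\\shutdown.exe", "comment": "OWNED"},
    {"id": 1074, "user": "NT AUTHORITY\\SYSTEM", "origin": "",
     "process": "C:\\Windows\\system32\\winlogon.exe", "comment": ""},
    {"id": 4698, "user": "CAFE\\pc03", "task": "\\At1", "command": "cmd.exe"},
    {"id": 4698, "user": "NT AUTHORITY\\SYSTEM",
     "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "command": "defrag.exe"},
]

# Default administrative shares: a drive letter followed by $, or ADMIN$.
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\(?:[A-Z]\$|ADMIN\$)$", re.IGNORECASE)
# Jobs created through at.exe are named At<N>.
AT_JOB = re.compile(r"^\\?At\d+$", re.IGNORECASE)


def triage(events):
    """Return one human-readable finding per suspicious record, in log order."""
    findings = []
    for ev in events:
        if ev["id"] == 5140 and ADMIN_SHARE.match(ev["share"]):
            findings.append(
                f"admin share {ev['share']} opened by {ev['user']} from {ev['origin']}")
        elif ev["id"] == 1074 and ev["process"].lower().endswith("shutdown.exe") and ev["origin"]:
            # Local, system-initiated reboots carry no originating machine.
            findings.append(
                f"remote shutdown by {ev['user']} from {ev['origin']} comment={ev['comment']!r}")
        elif ev["id"] == 4698 and AT_JOB.match(ev["task"]):
            findings.append(
                f"at.exe job {ev['task']} created by {ev['user']} running {ev['command']}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```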
CyberArmy::Forum v0.6