Part 2 – We have entered the building
Now that we are connected, we can try a few methods of attack. Of course there are many, but allow me to test a few, and you may choose the one that best suits your situation. (Note: everything highlighted in yellow is code, what you type in the terminal.)
Now that you are a part of the network by accessing the router, we may go back to the lovely command prompt, but this time within the Win32 environment. Open up the command prompt and type: ipconfig, so you can gain information about what the router gateway is and what IP you were automatically assigned (such as 192.168.1.XXX or 172.16.1.XXX. Simple rule of thumb: if it is a 192 prefix, the router address will most likely be 192.168.0.1, and for 172 it will be 172.16.0.1). So, write down the default gateway and paste it into your browser with http:// in front of it. Odds are, there will be a password. Consider yourself lucky if it does not require one. Second best bet is going to http://www.phenoelit.de/dpl/dpl.html, which lists the default usernames and passwords for each model number of router out there that may be purchased by the public. If all works accordingly, you will now be able to poke around with all of the glorious settings, such as opening ports, which is the MOST important thing to hold onto. We will discuss this later.

Let us poke around and try this method of attack. Go back to the command prompt and type: net view. This will display all computers connected on the network that you have so rudely joined. Now, we whip out our handy dandy program called Nessus (or any OS fingerprinting tool that you may prefer, such as GDI, etc.). The point of this is to find out what OS is on each local intranet IP address. Now, as we all know, Windows XP Pro is the sweet OS. Why, you may ask? By default, XP Pro comes with Remote Registry enabled. I ask myself why every day, but why not profit from Microsoft's flaws. Also, no, you are correct, noobs do not disable this service. This may be the time for you to turn off yours by going into services.msc.
So, let us proceed while ignoring that last sidenote. Open up your registry editor, regedit. Click File > Connect Network Registry. (Please note that in certain scenarios, you may not be able to connect to the remote registry if the person has a blank password. To test this theory, I hopped on a wi-fi network that I was indeed allowed to connect to, and tried to connect to a passwordless computer. Lo and behold, it worked, but not all of the registry keys showed up, though enough to get yourself into trouble.) Follow the directions, click connect, etc. Now I know that you are thinking to yourself, we are riding on a lot of hope/faith here that everything the victim does fits our needs. Well, yeah, duh. This is why this is the 'non-preferred' method of choice. But it's the snowball's chance in hell, 'never going to happen but you have to try it anyway' method. Let us proceed. Now, browse to HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server. Under the Terminal Server key, you'll find a REG_DWORD value named fDenyTSConnections. Double-click on that value to open the Edit DWORD Value box and change the value data from 1 (Remote Desktop disabled) to 0 (Remote Desktop enabled). To reboot the machine if you are impatient, go back to the command prompt shell and type: shutdown -m \\servername_or_ip_of_server_here -r. Ah, now wait for the glorious boot up. If all goes accordingly, you will now be able to connect remotely to the noob's desktop and do whatever the hell you want. Seriously, do I need to go into FURTHER detail!?
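The two settings this method depends on are worth checking on your own machines: the Remote Registry service (the one the text says to turn off in services.msc) and the fDenyTSConnections value that switches Remote Desktop on or off. The script below is an added example, not code from the original post; it audits both and can set them back to the locked-down state. It assumes Windows PowerShell 5.1 or later in an elevated session, and the function names are chosen here for illustration.

```powershell
# Added defensive audit/hardening example (not part of the original post).
# Assumes Windows PowerShell 5.1+ in an elevated session.
# Checks the Remote Registry service and the fDenyTSConnections value under
# the Terminal Server key; 1 = Remote Desktop denied, 0 = Remote Desktop allowed.

$TsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RemoteAccessExposure {
    $svc  = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    $deny = (Get-ItemProperty -Path $TsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections

    [pscustomobject]@{
        RemoteRegistryStatus  = if ($svc) { $svc.Status }    else { 'NotInstalled' }
        RemoteRegistryStartup = if ($svc) { $svc.StartType } else { 'NotInstalled' }
        fDenyTSConnections    = $deny
        RemoteDesktopEnabled  = ($deny -eq 0)   # 0 means RDP connections are accepted
    }
}

function Set-RemoteAccessHardened {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('RemoteRegistry', 'Stop and disable service')) {
        Stop-Service -Name RemoteRegistry -Force -ErrorAction SilentlyContinue
        Set-Service  -Name RemoteRegistry -StartupType Disabled
    }
    if ($PSCmdlet.ShouldProcess($TsKey, 'Set fDenyTSConnections = 1')) {
        # Restores the default: Remote Desktop disabled
        Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1 -Type DWord
    }
}

$before = Get-RemoteAccessExposure
$before | Format-List
if ($before.RemoteRegistryStatus -eq 'Running' -or $before.RemoteDesktopEnabled) {
    # -WhatIf only reports what would change; drop it to apply the hardening
    Set-RemoteAccessHardened -WhatIf
}
```

A change of fDenyTSConnections from 1 to 0 on a machine that never advertised Remote Desktop is the cheap signal to alert on; this script is the baseline you compare against.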
More plausible method
Let's say you are currently connected locally to the same access point and are eager to try another form of attack. Now, since we wish to have remote access, let us apply what we call a 'trojan.' A trojan gives you remote access from another place. There are a couple of ways of doing this. One, you can download a program called Sub7. This is a VERY well known trojan. To get it, go to: http://www.hackpr.net/~sub7/. Follow the directions provided. Once you have created your server.exe (tweaked it, etc., and renamed it) we can proceed to our next step. Odds are, the noob has several victims on his network with open shares. These probably consist of .txt, .doc, .jpg, etc. files within the open shares. Usually, they are accessed quite often, especially if the document is currently being edited. Your job (for once) is to google for something we may call an '.exe binder.' This is a beautiful tool indeed. It binds the server.exe that you have made and enables you to spoof it as the picture file or text document that the person has in their shares. Once you spoof this, the victim will eventually execute the file, plus the hidden file that you have stealthily implemented. I would suggest attaching this to as many files as possible found on each computer. This is probably the most direct approach. Remember when you assigned a port to the Sub7 server.exe? Well, this brings us back to the default gateway IP address that we cracked (accessed) earlier. Browse to the open port page and add the port you had assigned to server.exe. While you're at it, you can go to a remote place such as a library and spoof-send server.exe (preferably renamed, for the following instances, to game.exe, patch.exe, setup.exe; you get the picture), or apply it to a .jpg as a picture of something random, to the e-mail address that you could have stealthily acquired while sniffing on the network that you had connected to.
For example, get a packet sniffer for Windows and wait for anything that is sent out with an @. This could also be very useful for getting passwords, usernames, and so on. Anyway, be creative in terms of getting the server file to some computer on that network. For the time being, go back home and leave your Sub7 client on, and it will notify you when it is executed. Thankfully, the programmers of Sub7 are quite brilliant, and have the server.exe copy itself to some ambiguous directory without self-destructing. Thus eliminating the idea that the file that 'does nothing' is a trojan. Eventually, the victim will connect, and you will have some fun from there.
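The disguise described here, a bound executable renamed to look like a picture or document sitting in an open share, is simple to spot from the file side, because the bytes are still a Windows executable. The scanner below is an added example, not code from the original post or from Sub7; it walks a share and flags files whose extension says document or image but whose content starts with the 'MZ' executable signature, plus double-extension names like photo.jpg.exe that Explorer shows as photo.jpg. It assumes Windows PowerShell 5.1 or later and read access to the path, and the share path and function name are placeholders.

```powershell
# Added detection example, not code from the original post. Flags two disguises
# this section describes: a document/image file that is really a Windows
# executable (bound server.exe renamed to match a .jpg or .txt in a share), and
# a double-extension name such as photo.jpg.exe that Explorer shows as photo.jpg.
# Assumes Windows PowerShell 5.1+ and read access to the path being scanned.

function Find-DisguisedExecutable {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $DocExtensions = @('.txt', '.doc', '.jpg', '.jpeg', '.png', '.pdf')
    )
    $docPattern = ($DocExtensions | ForEach-Object { [regex]::Escape($_) }) -join '|'

    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $ext    = $_.Extension.ToLower()
        $reason = $null

        if ($ext -eq '.exe' -and $_.BaseName.ToLower() -match "($docPattern)$") {
            # e.g. report.doc.exe: inner extension is a document type, outer is .exe
            $reason = 'double extension'
        }
        elseif ($DocExtensions -contains $ext) {
            # Read the first two bytes; every PE/DOS executable starts with 'MZ'
            $header = New-Object byte[] 2
            $stream = $_.OpenRead()
            try     { $read = $stream.Read($header, 0, 2) }
            finally { $stream.Dispose() }
            if ($read -eq 2 -and $header[0] -eq 0x4D -and $header[1] -eq 0x5A) {
                $reason = 'MZ header under document extension'
            }
        }

        if ($reason) {
            [pscustomobject]@{
                FullName      = $_.FullName
                Reason        = $reason
                Length        = $_.Length
                LastWriteTime = $_.LastWriteTime
            }
        }
    }
}

# Constructed placeholder share path; point this at a real open share to audit it.
Find-DisguisedExecutable -Path '\\FILESERVER\Public' | Format-Table -AutoSize
```

Run it against each open share on the segment after a change to a file that is "accessed quite often", as the text puts it, since that is exactly where a bound copy would be placed.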
Stay tuned for the next tutorial to be posted that involves part 3.