(NOTE: When I use 203.123.123.1, it is an example of what the IP could be...IT IS NOT the actual IP)
Ok, now some weirdo on a power trip has pissed you off. It happens to the best of us. So we do not get mad, we get even...An eye for an eye, now let's go get em.
This file will be aimed at the Macintosh variety of people, for they are generally on a higher level of understanding (not to mention I.Q.) than that of the Wintel bigots.
Ok, we're assuming you attend the school you want to practice electronic terrorism on, if you don't, it just makes things a little harder (but by no stretch of the imagination, impossible).
Step 1). Build your info.
This includes IP addresses, OS types and versions, modem dialups and just about EVERYTHING else you can think of. The single best way of doing this is social engineering: keep your ear to the ground and see what you can hear. Passwords, usernames, and the administrator's level of paranoia are great. Become a nerdy computer monitor, become friendly with people who can tell you things, build up the level of trust and you would be surprised what they tell you. We're using the network of my school as an example, but this is generic info so don't panic.
Your system operator may be choosing passwords to a format (i.e. birthdate), so make sure you get all his details...name, address, mother's maiden name, social security number, etc. (Use social engineering!)
Forgive me if our schools have different setups but hey, you get that...Our school has a Windoze NT 4.0 server, lots of W95 computers, lots of Macs and a website. Teachers get email addresses. The Macs are almost independent of the Windows LAN, though they are able to log into the NT volume and store/retrieve files. The Macs have their own server. All the Macs run At Ease for Workgroups. All the Windows computers get their profiles from the NT server. The NT server is situated in the library with CD drives and the modems that are permanently connected to their ISP. Each of the Windows computers (as far as we have been able to tell) has a different, static IP. We haven't yet checked the Macs. We are yet to confirm that the Windows NT 4.0 server has no Service Packs (although this is our theory).
Step 2). Further Research
If your school has a website, this is where to start. Use AGNetTools (http://www.aggroup.com) to do a name lookup: type in the name address and get back the IP address. Our school has 203.123.123.1 (if it has a one on the end, they probably have the run of the domain, all from 203.123.123.1 to 203.123.123.255). A lovely thing called a ping scan is available in AGNetTools, so pump in 203.123.123.1 to 203.123.123.255 (for our case). Look for active computers that give a response.
PING SCAN ______________________________
203.123.123.1 0.lost the number...
203.123.123.2 0.242
203.123.123.4 0.467
203.123.123.12 0.386
203.123.123.13 0.932
Make sure you do this during working hours, and after hours. Actually, try all times.
The next step is to have fun with the port scan feature on AGNetTools. Pump in the feedback IPs that you just got and scan for fun services. Fun services include TELNET<23>, FTP<21>, Hotline<5500/5501>, systat<11>, finger<79>, mail<25>, etc.
Do this on each of the computers and find the versions for all these. Find the sendmail version, Find the FTP version. Hell, just find ALL the versions. Now the fun begins.
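Seen from the other side of the wire, the ping scan across 203.123.123.1 to 203.123.123.255 followed by a port scan of the services listed above leaves a very recognisable trace in a router or firewall connection log. The Python below is an added example, not part of the original text: it runs over constructed log lines in a hypothetical "timestamp src dst proto dport" format (the source address 203.123.123.200 and the timestamps are made up) and flags a source that touches many hosts in one time window (a sweep) and a source that touches many ports on one host (a port scan).

```python
"""Flag ping sweeps and port scans in a simple connection log (added example)."""
from collections import defaultdict

# Constructed sample log: "timestamp src dst proto dport" (hypothetical format).
# The first six lines mimic a ping scan of the range, the next six a port scan
# of one host for telnet/ftp/mail/finger/Hotline; the last line is normal traffic.
SAMPLE_LOG = """\
1 203.123.123.200 203.123.123.1 icmp 0
1 203.123.123.200 203.123.123.2 icmp 0
1 203.123.123.200 203.123.123.3 icmp 0
1 203.123.123.200 203.123.123.4 icmp 0
1 203.123.123.200 203.123.123.12 icmp 0
1 203.123.123.200 203.123.123.13 icmp 0
2 203.123.123.200 203.123.123.4 tcp 21
2 203.123.123.200 203.123.123.4 tcp 23
2 203.123.123.200 203.123.123.4 tcp 25
2 203.123.123.200 203.123.123.4 tcp 79
2 203.123.123.200 203.123.123.4 tcp 5500
2 203.123.123.200 203.123.123.4 tcp 5501
3 203.123.123.50 203.123.123.4 tcp 80
"""


def parse(log_text):
    """Turn each log line into (ts, src, dst, proto, dport); skip blank lines."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        events.append((int(ts), src, dst, proto, int(dport)))
    return events


def detect_sweeps(events, window=60, min_hosts=5):
    """Sources that contact at least min_hosts distinct hosts inside one window."""
    per_window = defaultdict(set)
    for ts, src, dst, _proto, _dport in events:
        per_window[(src, ts // window)].add(dst)
    hits = {}
    for (src, _w), hosts in per_window.items():
        if len(hosts) >= min_hosts:
            hits.setdefault(src, set()).update(hosts)
    return hits


def detect_port_scans(events, window=60, min_ports=5):
    """(src, dst) pairs where one source hits at least min_ports TCP ports in a window."""
    per_window = defaultdict(set)
    for ts, src, dst, proto, dport in events:
        if proto == "tcp":
            per_window[(src, dst, ts // window)].add(dport)
    hits = {}
    for (src, dst, _w), ports in per_window.items():
        if len(ports) >= min_ports:
            hits.setdefault((src, dst), set()).update(ports)
    return hits
```

Thresholds are deliberately low for the tiny sample; on a real log the window and counts should be tuned so that a web crawler or a monitoring host does not trip them.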
Step 3) Use your info
Now from here, there are two steps that you can take: the evil hacker or the good little hacker. The good little hacker is when we go and look for all the bugs in their system versions and then proceed to inform the administrator of them. Well, since they pissed you off first, they shall pay. Remember, an eye for an eye...
Now, get those versions (oh yeah, by now you should have a hefty text file of all your port scans and stuff). The first place you should look is the bugtraq archive. Chances are that if there is a security hole in something, it's posted here. Go to http://www.geek-girl.com/bugtraq and have a search. If you find nothing there, just use a search engine and type in some keywords to see what you find. If that still fails, check places like www.l0pht.com for exploits.
Another fun thing is to finger your life away. Type in the IP addresses and see if you get those logged in at that moment. That should, if enabled, give at least one login name. Finger the server(s) with things like: @, root, administrator, admin, guest, etc.
What we got from 203.123.123.4:
Line User Host(s) Idle Location
2 tty 2 LIBRARY\ksAsyncinterface 0
3 tty 3 LIBRARY\kaAsync interface 0
Actually, our IP was in here too, but we deleted it. These are local users, and seem to be permanently connected. (Although once we saw another login name there.)
A cool thing with AGNetTools is the service scan. Type in a service you want to look for, type in the start IP and the end IP, and let it do its business. It's fun...trust me.
If the server is NT 4.0, as is our target's, there are a few programs out there tailored to our needs. If you want to piss them off, hell, you could just PoD them. Or there is NT Surprise Packet by Darkside Matrix (available at HackAddict), which uses the RPC call as an attack, but any old cretin can do that.
Apparently, if they are using Microsoft Internet Information Server on NT, telnet to the HTTP port (99.9% likely that it is port 80) and type in GET "../..". As a nice text file I read puts it, this will "halt the web services and effectively 'kill' whatever web server they may have." Gonna have to try this one REAL SOON.
Step 4). Go do your thing
You should have the versions and the exploits by now, and since there are so many of them I can't give specific info on them. If you want more info on the local PC side, read the Windows Security text by Somatic, scattered on Hotline servers around the world.
If there is one thing you can do to piss people off (if they are using Wintel trash), it's virii: fast, efficient and effective, especially on networks.
Alternative Step). For Evil People with Attitude Only
Today we learn the fun of WinNT 4.0's own "Regedit". This program is usually left open to the elements of *evil* people, but I guess they believe passwords only keep honest people out.
Now, where is that admin password?
Ok, this is for LANs only. At the 'Enter Network Password' prompt, press Ctrl+Esc. This gives you the task manager. You can do practically anything from here. Let's stay focused, right? Now, choose the 'browse' button and go to "c:/windows/regedit.exe". This is the Registry Editor on the terminal. What does it do? It remembers desktop layouts for each user, as well as passwords. Even admin. However, it is not obvious where they are located, and even then, they are in bin hex form, but it can be cracked quite easily, as I discuss later.
Ok, now all you see is a shitload of numbers and crap. Well, two have red icons, as opposed to the regular blue icons of regedit. Look closer at them, and usually only one will have a code similar to '1e 2d 34'. Usually one, rarely two, have this property. Why? Because one is the full access password, and the other is the read-only password. Usually, admins don't need to give themselves read-only access, but why would you want that anyway? Ok, copy down that precious code! Hiho, hiho, itsa crackin we shall go...
How do I get this cracked, you ask? I'll tell you only if you have an evil grin. Well, you will need a program available from the Hotline server "The No Shit Server", located on the 'tracked.dyn.ml.org' tracker. This is usually up on weekdays, and usually around 10:00am-1:00pm GMT. I wouldn't know about other times, however. The program is made by the UMS (United Microsoft Slayers) and is totally cool. You type in the admin's bin hex password code, and well, in short, it cracks in seconds. At only 50K in size, a handy weapon. Win95 only though, I think. That aside, this gave us access to the computers. If you get busted doing this stuff, go back to regedit and "accidentally" delete all the keys. That PERMANENTLY screws it forever, but I guess being a PC doesn't give you much scope for wrecking it.....Windoze has already beat ya to it.
NOTE: Check "Home_Sweet_Hell" <http://www.cybernet.dk/users/droop/menu.htm> and look there for the program, it could be easier. It's Danish, but it isn't that bad.
Somatic-somatic@usa.net "Existence is resistance"
HooL-hool@usa.net "Here's to the crazy ones"
This text can be freely distributed in electronic form, so long as it remains unaltered, and informational email is sent to AT LEAST one of the authors if it is included in any publications (electronic or otherwise)...HackAddict doesn't count because they ROCK!