NT HACK FAQ '97
By Chameleon and Vacuum
of Rhino9


As it slowly becomes clear to network people that tons of security information about Unix can be found, but little to none is available on Windows NT, turn to Rhino9. This paper will walk the reader through, and educate them on, the steps involved in some of today's most used Windows NT exploits. It is meant for system administrators and serious security professionals, so you can get a taste of what an attack is like.
My name is Chameleon and for the next few pages or so I will walk you through some basic backdoors of NT and how to kick down some front doors. I won't sit and brag about what qualifies me to talk about NT hacking techniques, but by the time you finish going over this material you will know why I'm qualified, and why I'm with Rhino9.

Thank you to the Rhino9 team and especially Vacuum for help with the ideas found within... you're my people.

For the remainder of this paper I will refer to a few terms that you should know:
www.victim.com = the server you are trying to check the exploit on.
Also remember that anything I tell you to type is case sensitive.

These techniques are listed in no particular order, just how my brain was thinking at the time.

				·Chameleon·

Is it an NT server?

To check if a server is NT there are a few things you can do:
 1. Telnet to it on port 21 (FTP) and see if the banner says NT.
 2. Go to http://www.netcraft.com/cgi-bin/Survey/whats and see what it says for the server.
 3. Check if the server simply says what it is running (check their page).
 4. Try NBTSTAT -A [ip address] and check the response.

 If you really want to become familiar with better detection methods, you should become more familiar with Windows NT as an operating system. Check the Rhino9 site and read up on some of the text files there (www.x-treme.abyss.com/techvoodoo/rhino9).

Common user names:
Administrator
Guest
mail

Password file locations:
\\WINNT\SYSTEM32\CONFIG\SAM
\\WINNT\REPAIR

Ok, so you found an NT server, now what?

Does it have file sharing?

To check if a server has file sharing you do the following:
 1. Resolve www.victim.com in DNS and get the IP.
 2. Go to a DOS prompt and type: nbtstat -A IPADDRESS
  You will get one of two things back:
  A. Host not found. (This is not exactly an accurate error statement. If a router, or the NT server itself, has closed off ports 137, 138 and 139 you will also get this error message. For more on the ports, check out the NetBIOS paper at the Rhino9 site.)
  B. A listing somewhat like this:

       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
TARGET         <00>  UNIQUE      Registered
A DOMAIN       <00>  GROUP       Registered
TARGET         <03>  UNIQUE      Registered
TESTUSER       <03>  UNIQUE      Registered
TARGET         <20>  UNIQUE      Registered
A DOMAIN       <1E>  GROUP       Registered

MAC Address = 00-60-97-35-C1-5C

If you got this then the remote computer has file sharing.
To try and access this file sharing you do one of two things.
1. Edit c:\windows\lmhosts (the LMHOSTS file is a flat text file containing NetBIOS-name-to-IP-address mappings) and add a line at the very top that has the IP address, then a space, then the first unique name, in this case TARGET. So the lmhosts line would look like this:
ServersIPAddress       Servername(call it whatever you want)

Next click your Start button, then go to Find, then Computer. In the Named box put in the first unique name, the name that you added to the lmhosts file as the server name. Hit Enter and hopefully a little computer icon will show up. Double-click this icon. If the file sharing on the target computer is passworded it will pop up a password box. You can either try to guess the password or brute-force it. A brute-force program can be obtained at: http://www.technotronic.com/files/nat10bin.zip or at the Rhino9 site.

The second way to do file sharing is this:
Drop to a DOS prompt and type
net use \\IPADDRESSOFTARGETCOMPUTER\c$
What this will try to do is connect to the target computer's shared drive C (c$ means drive C). This might prompt you for a password also.
You would be surprised how many people don't have passwords.
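Added example (written for this edit, not code from the FAQ or from Rhino9): a Python script that parses an nbtstat -A reply of the shape shown above and reports what each registered name means, so an admin can audit what one of their own hosts advertises over NetBIOS before an outsider does. The sample reply is constructed to mirror the table above; the suffix meanings are the standard NetBIOS ones, and <20> is the entry that indicates the Server service (file sharing) is reachable.

```python
import re

# Constructed sample in the shape of "nbtstat -A <ip>" output. It mirrors the
# table in the text above; the names and MAC address are not from a real host.
SAMPLE_NBTSTAT = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
TARGET         <00>  UNIQUE      Registered
A DOMAIN       <00>  GROUP       Registered
TARGET         <03>  UNIQUE      Registered
TESTUSER       <03>  UNIQUE      Registered
TARGET         <20>  UNIQUE      Registered
A DOMAIN       <1E>  GROUP       Registered

MAC Address = 00-60-97-35-C1-5C
"""

# What the 16th-byte suffix of each NetBIOS name means. <20> is the one that
# matters for a file-sharing audit: it is registered only while the Server
# service is running, i.e. while shares can be reached over TCP 139.
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "Workstation service (computer name)",
    ("00", "GROUP"):  "Domain or workgroup name",
    ("03", "UNIQUE"): "Messenger service (computer name or logged-on user)",
    ("20", "UNIQUE"): "Server service (file and print sharing)",
    ("1B", "UNIQUE"): "Domain master browser (PDC)",
    ("1C", "GROUP"):  "Domain controllers",
    ("1D", "UNIQUE"): "Master browser",
    ("1E", "GROUP"):  "Browser service elections",
}

# A row is a 15-character name field (which may contain spaces), then the
# <suffix>, the type and the status.
ROW = re.compile(r"^\s*(\S.{0,14}?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)")
MAC = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")

def parse_name_table(text):
    """Return (name, suffix, type, status) tuples for every row in the table."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, suffix, kind, status = m.groups()
            rows.append((name.strip(), suffix.upper(), kind, status))
    return rows

def audit(text):
    """Summarise what an nbtstat -A reply reveals about the host."""
    if "Host not found" in text:
        # As the text says: either no NetBIOS host there, or 137-139 filtered.
        return {"reachable": False, "file_sharing": False, "rows": []}
    rows = parse_name_table(text)
    computer = next((n for n, s, k, _ in rows if (s, k) == ("00", "UNIQUE")), None)
    domain = next((n for n, s, k, _ in rows if (s, k) == ("00", "GROUP")), None)
    # A <03> UNIQUE name that is not the computer name is a logged-on user name.
    users = sorted({n for n, s, k, _ in rows
                    if (s, k) == ("03", "UNIQUE") and n != computer})
    mac = MAC.search(text)
    return {
        "reachable": True,
        "computer": computer,
        "domain": domain,
        "file_sharing": any((s, k) == ("20", "UNIQUE") for _, s, k, _ in rows),
        "users": users,
        "mac": mac.group(1) if mac else None,
        "rows": [(n, s, k, SUFFIX_MEANING.get((s, k), "unknown suffix"))
                 for n, s, k, _ in rows],
    }

if __name__ == "__main__":
    result = audit(SAMPLE_NBTSTAT)
    for name, suffix, kind, meaning in result["rows"]:
        print(f"{name:15} <{suffix}> {kind:7} {meaning}")
    print("file sharing exposed:", result["file_sharing"])
    print("logged-on user names leaked:", result["users"])
```

Feed it the saved output of nbtstat -A run against your own machines; a <20> entry on a host that is not meant to serve files, or a user name showing up under <03>, is the thing to fix (filter 137-139 at the router, or stop the Server service on that box).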

A word on ASP viewing:
Say you go to www.victim.com/secretinfo.asp and it has forms or whatever, and you wonder what's behind this ASP code, whether there is something secret in it like passwords. To view the code inside a .asp file you simply request the URL with a dot appended, like so:
http://www.victim.com/secretinfo.asp.
Note: This is patched on newer systems (systems running Service Pack 2 or 3).

A word on dumping directories:
To break out of the wwwroot directory (the web server's document directory) simply request the following: http://www.victim.com/..\.. (this may not work on IIS 3.0/NT 4.0 running Service Pack 3)

A quick note on the Find File exploit:
This exploit is often used and works on a vast number of servers; it's an underground favorite.

By going to:
http://www.victim.com/samples/search/queryhit.htm
If it brings up a search page then the server is more than likely wide open for attack. In this field you can search for files, and the deadliest part is that you can view these files.

So we might search for:
\\WINNT\SYSTEM32\CONFIG\SAM - that's the NT password file
\\WINNT\REPAIR - that's the backup NT password file
#filename=*.pwd - that's the FrontPage Server Extensions password file, which I will explain how to crack later.
another - any other keywords which might lead to interesting files that they don't want you to read.
Also play with:
http://www.victim.com/scripts/samples/search/webhits.exe
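Added example (written for this edit, not code from the FAQ or its authors): Python detection logic that scans IIS log lines in W3C extended format for the request patterns this section describes (the trailing-dot .asp source trick, the ..\.. traversal, and the Index Server sample search pages) plus the direct _vti_pvt/service.pwd fetch mentioned in the FrontPage section further down. It percent-decodes the URI before matching so encoded variants such as %2e and %5c are caught as well. The log lines, addresses and timestamps are constructed, not from a real server.

```python
import re
from urllib.parse import unquote

# Constructed sample in W3C extended log format (a format IIS can write).
# Addresses, timestamps and requests are made up for this example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1997-11-02 03:14:01 10.0.0.5 GET /index.htm - 200
1997-11-02 03:14:07 10.0.0.5 GET /secretinfo.asp - 200
1997-11-02 03:14:09 10.0.0.5 GET /secretinfo.asp. - 200
1997-11-02 03:14:11 10.0.0.5 GET /secretinfo.asp%2e - 200
1997-11-02 03:14:15 10.0.0.5 GET /..%5c.. - 404
1997-11-02 03:14:20 10.0.0.5 GET /samples/search/queryhit.htm - 200
1997-11-02 03:14:22 10.0.0.5 GET /scripts/samples/search/webhits.exe - 200
1997-11-02 03:14:30 10.0.0.9 GET /_vti_pvt/service.pwd - 200
"""

def is_asp_source_dot(stem):
    """'.asp' followed by one or more dots: the source-disclosure request."""
    return re.search(r"\.asp\.+$", stem) is not None

def is_traversal(stem):
    """'..\\' as in the text, or its forward-slash twin."""
    return "..\\" in stem or "../" in stem

def is_indexserver_sample(stem):
    """The Index Server sample search form and its webhits.exe helper."""
    return (stem.endswith("/samples/search/queryhit.htm")
            or stem.endswith("/samples/search/webhits.exe"))

def is_frontpage_pwd(stem):
    """A FrontPage password file requested straight out of _vti_pvt."""
    return "/_vti_pvt/" in stem and stem.endswith(".pwd")

# One rule per trick; each is evaluated on the decoded, lower-cased URI stem.
RULES = [
    ("asp_source_trailing_dot", is_asp_source_dot),
    ("path_traversal", is_traversal),
    ("indexserver_sample_search", is_indexserver_sample),
    ("frontpage_pwd_fetch", is_frontpage_pwd),
]

def normalise_stem(stem):
    """Percent-decode and lower-case so %2e / %5c variants match the same rules."""
    return unquote(stem).lower()

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # header-less or malformed record: skip rather than guess
        yield dict(zip(fields, values))

def scan(text):
    """Return (rule, client ip, raw stem) for every record that trips a rule."""
    hits = []
    for rec in parse_w3c(text):
        stem = normalise_stem(rec.get("cs-uri-stem", ""))
        for name, pred in RULES:
            if pred(stem):
                hits.append((name, rec.get("c-ip", "?"), rec["cs-uri-stem"]))
    return hits

if __name__ == "__main__":
    for rule, ip, uri in scan(SAMPLE_LOG):
        print(f"{rule:28} {ip:12} {uri}")
```

A hit on the sample search pages or on a .pwd fetch means the sample files or the _vti_pvt directory are still being served and should be removed or access-controlled; the other two rules should fire on nothing once the relevant service pack is on.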

In-depth FrontPage hacking, Chameleon/Vacuum style:
Well, these are the techniques that I know best. I want to thank Vacuum a lot for being able to talk to me and understand me when I talked about FrontPage servers, and for finding flaws that pushed me to find some myself. Well, here is what we have learned so far:

First off you must have FrontPage! You can't hack the damn FrontPage server if you don't have FrontPage. Get it at www.microsoft.com. Now you must also understand how to connect to a server to see if it has a password etc. Here are the steps to do that:

1. File
2. Open FrontPage Web
3. More Webs
4. Put the server name in the box below where it says "Select a web server or disk location", then click List Webs

Then one of two things will happen:
1. It will say there is an error 505 etc.
2. It will list some folder names in the box below "front page web servers found at location".
3. Double-click one of the folders that it lists. If the admin is lazy or just stupid you won't even be prompted for a password, and it will list the remote computer's files, from where you can drag and drop your new hacked page.

First thing to do is find some NT servers. Here are two ways:
1. Go to www.yahoo.com or whatever and search for iisadmin
2. Go to www.yahoo.com or whatever and search for _vti_bin/_vti_aut/
Whatever your pleasure, they will both return NT servers running IIS and FrontPage Server Extensions.

Ways of getting into a FrontPage server, Chameleon style:

1. What many people don't know is that most people don't even have passwords set on their FrontPage servers. So if you are bored enough and lame enough you can go to www.yahoo.com, pull up a list of FrontPage servers, and sit there and try to connect to them with no password.

2. Try this out: http://www.victim.com/_vti_pvt/service.pwd. If you are lucky they messed up on file access rights and that will show you what's inside service.pwd, which is the FrontPage password file. Cracking it will be explained later.

3. This is by far the best way and the way that works most often. As I said before, there is a flaw that lets you search for files on the target computer and view them no matter what access rights you have. So if this is true, why not view the FrontPage password file? We would do this as follows: http://www.victim.com/samples/search/queryhit.htm

Then once at that page, in the search box we simply put in #filename=*.pwd and hit Enter, and it will hopefully show a list of links to .pwd files. Save these .pwd files for later cracking. Now if a sysadmin was smart they may have renamed the password file so that it is not .pwd at all. So to find out where they hide the real password file we must basically find the shadowed password file (bit of Unix for ya). We do the same as before with the file search flaw, except this time we search for #filename=#haccess.ctl
Now #haccess.ctl is the file that points to the FrontPage password file. The contents of a default #haccess.ctl file are:

-FrontPage-

Options None

<Limit GET POST PUT>
order deny,allow
deny from all
</Limit>
AuthName default_realm
AuthUserFile c:/frontpage\ webs/content/_vti_pvt/service.pwd
AuthGroupFile c:/frontpage\ webs/content/_vti_pvt/service.grp

The second-to-last line is the most important. AuthUserFile = the location of the real password file. So if it is:
AuthUserFile c:/frontpage\ webs/content/_vti_pvt/shadow.pas
we now know that the real password file is shadow.pas, so we would then do the search file exploit and this time search for #filename=shadow.pas

A normal service.pwd (FrontPage password file) would look like this:
chameleon:jk53kjnb43
where chameleon is the user name and jk53kjnb43 is the encrypted password.

Those are a few ways to get the FrontPage password. Now you're asking, how do we decrypt it? Well, that's what me and Vacuum asked ourselves. First I told people to try L0phtCrack to see if it was the same encryption, but it wasn't. Then a few minutes later Vacuum messages me and says he cracked it!!! It turns out the encryption for FrontPage passwords is the same as a passwd file in Unix. So basically you can use any Unix passwd cracker to crack FrontPage passwords. Vacuum and I decided that Microsoft must have done this because of FrontPage's Unix support. To get the formatting right for the Unix passwd crackers you will want to take the FrontPage password file information, say:

chameleon:jk53kjnb43

and put it in Unix passwd format:

chameleon:jk53kjnb43:0:0:comments:/:/bin/bash
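Added example (written for this edit, not code from the FAQ or from Microsoft): a Python audit an admin can run over a FrontPage web's own content tree to catch the problems this section describes. It parses #haccess.ctl for the AuthUserFile directive (handling the backslash-escaped space in the default path), reports whether that file sits under the served content directory, where the find-file search or a direct URL could reach it, and classifies each password-file entry as empty (no password), traditional 13-character Unix crypt(3) DES (the format the text says the .pwd file uses, which limits the password to 8 significant characters) or something else. The web it audits is constructed in a temporary directory; its paths, user names and hashes are made up.

```python
import re
import tempfile
from pathlib import Path

# Traditional crypt(3) DES output: 2-character salt + 11 characters, all from
# the [./0-9A-Za-z] alphabet.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
NO_PASSWORD = "NO PASSWORD"
DES_NOTE = "DES crypt (at most 8 significant characters; crackable offline)"
OTHER = "other hash format"

def parse_haccess(text):
    """Return the directives of a #haccess.ctl file as a dict (last one wins).
    Section markers like <Limit ...> and the -FrontPage- banner are skipped."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "-<#":
            continue
        key, _, value = line.partition(" ")
        # FrontPage writes "frontpage\ webs" for a directory name with a space.
        directives[key] = value.replace("\\ ", " ").strip()
    return directives

def classify_hash(h):
    if h == "":
        return NO_PASSWORD
    if DES_CRYPT.match(h):
        return DES_NOTE
    return OTHER

def audit_pwd_file(text):
    """Parse user:hash lines and classify each hash."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or ":" not in line:
            continue
        user, _, rest = line.partition(":")
        findings.append((user, classify_hash(rest.split(":")[0])))
    return findings

def audit_web(content_root):
    """Audit one FrontPage web: find #haccess.ctl, resolve AuthUserFile, say
    whether the password file lives under the served tree, classify entries."""
    root = Path(content_root).resolve()
    haccess = root / "_vti_pvt" / "#haccess.ctl"
    report = {"haccess_found": haccess.is_file(), "pwd_path": None,
              "pwd_under_webroot": False, "entries": []}
    if not report["haccess_found"]:
        return report
    pwd_path = parse_haccess(haccess.read_text()).get("AuthUserFile")
    if not pwd_path:
        return report
    pwd = Path(pwd_path).resolve()
    report["pwd_path"] = str(pwd)
    report["pwd_under_webroot"] = root in pwd.parents
    if pwd.is_file():
        report["entries"] = audit_pwd_file(pwd.read_text())
    return report

def build_demo_web(base):
    """Create a constructed FrontPage-style content tree under `base`."""
    root = Path(base) / "content"
    pvt = root / "_vti_pvt"
    pvt.mkdir(parents=True)
    pwd = pvt / "service.pwd"
    # Constructed entries: one 13-character DES-style hash, one empty hash.
    pwd.write_text("chameleon:ab0123456789A\nguest:\n")
    (pvt / "#haccess.ctl").write_text(
        "-FrontPage-\n\nOptions None\n\n<Limit GET POST PUT>\norder deny,allow\n"
        "deny from all\n</Limit>\nAuthName default_realm\n"
        f"AuthUserFile {pwd}\nAuthGroupFile {pvt / 'service.grp'}\n")
    return root

def run_demo():
    """Build the constructed web in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_web(build_demo_web(tmp))

if __name__ == "__main__":
    rep = run_demo()
    print("password file:", rep["pwd_path"])
    print("under served content tree:", rep["pwd_under_webroot"])
    for user, verdict in rep["entries"]:
        print(f"  {user:12} {verdict}")
```

Point audit_web at each web's content directory; a password file under the served tree, a NO PASSWORD entry, or a DES hash on an account that matters are the three findings worth acting on.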

OK, so you've broken into www.victim.com and got the user and password. Now you could be a tard and jump right into FrontPage, connect, change the page, tell everyone how kewl you are, and get busted within a week. Or you could use the following techniques.

Here is the information for this example:
Server: www.victim.com
Server IP: 2.2.2.2
User: chameleon
Pass: greenman

Tools needed:
A Unix port bouncer such as anonirc.c, bounce.c, etc.

The first thing you want to do if you want to be very secure is setup a bounce. 

Before you read any more, go read my paper on WinGate so you can understand the following information. My paper on WinGate can be found at: http://www.intercore.com.ar/chameleon/wingate.htm

Hey admins, wanna know how to hack without leaving a trace? Read on:

1. Telnet to a WinGate computer on port 23.
Ex: Lines marked [s] are what you send; lines marked [r] are what you receive.
[s] telnet www.onlinecomputer.com 23
[r] WinGate>
Once you get that WinGate prompt, type in the shell host with the Unix bounce program, then a space, then the port number. Ex:
unix.shell.com 23
So it should be:
WinGate> unix.shell.com 23

Now hit Enter. If that doesn't drop you to your shell then hit Ctrl+Enter, and if that doesn't work try Ctrl+J, and if that doesn't work get a new telnet program. OK, so you went through your WinGate to your Unix shell and are now sitting at a Unix prompt. Ex:
rhino9#
Now type cc -o RUNNAME BOUNCE.C
RUNNAME = whatever file name you want the compiled .c file to have.
BOUNCE.C = your bounce program's source file. Ex: anonirc.c, bounce.c, etc.

Now as I said before, the FrontPage server we want to hack is www.victim.com, so we want the Unix server to bounce to the FrontPage server. So now we set up the bounce. Note: most bounces want the IP, which in this case I said was 2.2.2.2.

So now we make our bounce program set the listen port on the Unix server to 20356 or whatever number works, and the remote port to 80. So if we set the Unix server to listen on port 20444 and to connect to www.victim.com on port 80, this means that when we go into FrontPage and to the connection box, instead of just putting www.victim.com we put unix.shell.com:20444. In other words, we put the Unix server, then a colon, then the port we made the Unix server listen on. So now the only IP that the FrontPage server logged was the Unix server's IP, and they will not be able to trace who it was on the Unix server; they will just know that it was someone. This was kind of hard to explain, so if you need more help e-mail me at chameleon@pemail.com or catch me on Undernet in #hackphreak or #rhino9

Well, that's all for now. Vacuum and I will keep you all posted on more of our findings.

Later People,
Chameleon
Chameleon@pemail.com
http://chameleon.core.com.ar
http://www.x-treme.abyss.com/techvoodoo/rhino9
Proud Member of the Rhino9 NT Security Team

