
Author : audio_head

Hi, I have created this text as a guide for newbies, or just as an explanation of,
in the main, the logon screensaver security hole, which can allow users either
full access to a computer, or the lack of security which can allow a user to
dump hashes from the SAM database. The more advanced, and sometimes even
moderately able, users might want to skip some sections, as I wanted to fully
inform a new "Hacker/Cracker" and not say things that might go over their
heads. I know some of the things in the file might seem overly simplistic,
but I remember having a lot of trouble starting out because others assumed I
knew what certain things were. At the time I put this down to an inadequacy
of my own, but as I have learned more I now assume the creators of those text
files were either lazy or didn't fully understand the subject themselves.

*disclaimer*

The following material is for educational use only and should not be
practised except on machines which you have explicit authorisation to do so on.


Windows NT security holes

To fully understand how we can bypass Windows NT security you must
understand how an operating system works. An operating system creates an
"environment" within which a user can work. The most basic operating system
that a computer has is usually DOS (Dirty Operating System, as I understand
it). DOS manipulates the computer by a series of instructions given to it by
the user. DOS by itself has no security limitations and so it cannot stop
any user from accessing any file. However, most people have only ever seen
DOS running from inside another operating system; this is called a DOS shell
and is reached through a command prompt. The command prompt is a program
inside the operating system called CMD.exe and is usually located on a
Windows NT machine at C:\WINNT\system32. The shell version of DOS has
limitations because it is running from inside another operating system.
The limitations of a DOS prompt/shell are usually quite small: for example,
it cannot access files which are already in use by the operating system,
so that two applications don't try to change the same data at the same
time, which would result in a system crash. Another restriction you might
hit is "Access Denied", which occurs when you try to delete or modify a
file that NT security will not let you touch.

The Microsoft operating system is the one most users will have "grown up
with" or be most used to. For the more advanced user, however, it is
important to understand that Windows runs a GUI (Graphical User Interface).
This means every action the user takes is made easier, e.g. by clicking on
an icon or pressing a button; when a user presses a button the computer
interprets that action and, at a lower level, runs a command that performs
the equivalent of that action. A DOS prompt gives the user a chance to
bypass the GUI and type the commands they want themselves. You may have
heard that DOS is a lot more powerful than the Windows operating system;
this is because the GUI only offers you a certain range of options, whereas
DOS gives you the full range of options from the very beginning (you don't
have to search through meaningless sections).

So, to be truly "free" in our actions on a computer we must use DOS.
However, the people at Microsoft have realised that allowing people to
manipulate computers at a base level creates many security risks, and so
under WINNT it is not possible, using only the average programs that come
with your computer and operating system, to get to a "pure" DOS operating
system. This inability to reach a pure DOS operating system is a change
between WINNT and older operating systems such as 98 or 95, and is a result
of Microsoft changing the file storage system that Windows uses: before NT a
storage system called FAT32 was used and DOS was configured to read it;
unfortunately DOS cannot read the new NTFS file storage system.

WINNT Security

As everyone knows, to enter a Windows NT environment one must enter a valid
account and password, and it also makes sense that if the computer is to
know whether the user has entered a valid account and password, this
information must be stored somewhere on the computer. NT stores this data in
the SAM database. These passwords are protected by a one-way algorithm,
which fortunately is readily available in the public domain.

One-way algorithm: this is an algorithm that cannot be reversed. It cannot
be reversed because the encryption used is very good. The first known use of
encryption as a way of bamboozling an average reader was in Rome, by a Roman
senator called Cicero; his encryption was a simple numerical switch, i.e.
there are 26 letters in the alphabet, but if we did the following:

1 2 3 4 5 6 7 8 9 10
a b c d e f g h i j

1 2 3 4 5 6 7 8 9 10
x y z a b c d e f g

This would make a note incomprehensible to someone who did not know how to
"decode" the text. Things have advanced slightly since those days: nowadays
we use algorithms to displace the letters and numbers we use. You might now
think that if we have the algorithm then we can decode the text. Not so.
Microsoft's one-way algorithm uses the password itself to form part of the
displacement algorithm, thus ensuring it is irreversible. This is very
clever, as only the user can now know the original password and the
information in the SAM file should be useless.

Are we going to let these small difficulties stop us? Ha!

As we know the algorithm which encrypted the information in the SAM file,
all we have to do is take a copy of (dump) the encrypted text and use a
program to brute-force the password.

Brute force: using a computer to run guesses of a password through the
known algorithm until the password we put in corresponds to the encrypted
text we have taken from the SAM file (I deal with various methods of doing
this later). However, the bigger a password is, the larger the number of
possible letter combinations the brute forcer has to try to get the
password. (Brute forcing can take a loooooong time.)

Fortunately there are some alternatives to brute force; these are called
dictionary attacks.

Dictionary attack: using a program to encrypt words from a dictionary file
using the same algorithm, in this case the NT algorithm, in the hope that one
will give the same result as the information gleaned from the SAM file.

This sort of attack runs much quicker than a brute-force attack, and
certain rules can also be used to vary the words in the dictionary.

Say the dictionary had tried all its words and the password was none of
them; if we put in a rule that added the number 1 to the end of all the
words and tried the cracking again, we might get it. The rules can get very
complicated, trying the words together and with random numbers at the
beginning and end of the words in the dictionary. I personally call this a
combination attack because it is a mixture of brute force and dictionary
attacking.
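As an added example (not code from the original text), here is the combination attack above written as a password audit: it expands a small word list with the rules described (capitalising, a digit at the end or the start, two words joined) and counts how many guesses a hash match takes, next to the size of the exhaustive brute-force space. SHA-256 stands in for the NT one-way algorithm (an assumption, not Microsoft's real algorithm), and the word list and passwords are constructed.

```python
import hashlib
import itertools
import string


def one_way(password: str) -> str:
    """Stand-in for the NT one-way algorithm (assumption: SHA-256, not the real NT hash)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def candidates(words):
    """Yield each dictionary word, then the rule-varied forms the text describes."""
    for w in words:
        yield w                      # plain dictionary word
        yield w.capitalize()         # first letter capitalised
        for d in string.digits:
            yield w + d              # "add the number 1 to the end" and the other digits
            yield d + w              # digit at the beginning
    for a, b in itertools.permutations(words, 2):
        yield a + b                  # two dictionary words tried together


def guessable(password: str, words):
    """Audit a password: (matching guess, guesses needed) or (None, guesses tried).

    The stored hash is compared with the hash of each candidate, which is
    exactly how a dictionary cracker matches guesses against a dumped entry.
    """
    target = one_way(password)
    tries = 0
    for guess in candidates(words):
        tries += 1
        if one_way(guess) == target:
            return guess, tries
    return None, tries


def brute_force_space(length: int, alphabet: str = string.ascii_lowercase + string.digits) -> int:
    """Number of guesses an exhaustive brute force of this length would need."""
    return len(alphabet) ** length


if __name__ == "__main__":
    # Constructed word list; a real dictionary file has thousands of entries.
    wordlist = ["secret", "password"]
    for pw in ("password1", "secretpassword", "zebra7x"):
        hit, n = guessable(pw, wordlist)
        print(f"{pw}: {'found as ' + hit if hit else 'not found'} after {n} guesses "
              f"(brute force of that length: up to {brute_force_space(len(pw))} guesses)")
```

A password the audit finds is one the rule-expanded dictionary would reach in a handful of guesses; one it does not find has at least escaped these rules.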

There is another way of cracking encryption called cryptanalysis; however,
I am not going to go into this, as it is beyond the scope of NT passwords if
you ask me, and may be used on other strong encryption.

Now that you have a general knowledge of cracking encryption with brute force
and dictionaries, you have to know how to get that crucial information from
the SAM file (this is the truly innovative and interesting bit).

SAM (Security Accounts Manager)

Where is it?

In one of a few places, actually:

%Root%\WINNT\system32
%Root%\WINNT\system32\repair
%Root%\WINNT\system32\config

Of course %root% is the letter of your hard drive, and if you have placed
your operating system in a non-default place, replace WINNT with whatever
you called it.

To get any information from the SAM database you are going to need a tool
called samdump.exe. However, because this is a newbie file, most of you are
not going to be acquainted with using programs of this nature, and I would
suggest a very useful toolkit called "win password toolset", available at
http://astalavista.com/tools/password/wincrackers/
When extracted, all the user has to do is run the file called "dump.bat" and
then the file called "crack.bat". These two files will first dump the
information from the SAM file and then use a program called "John the
Ripper" to try to brute-force the password file. I hear you shout "You
bastard, why didn't you just tell us that?" and the answer is simple: unless
you are an administrator it isn't going to work. You will receive an error
saying unable to dump, or something along those lines.

Now, getting a successful dump from the SAM file can be very hard depending
on the security settings on the computer you are on. The two possible ways
of getting round the "Access Denied" ending to your WINNT hacking days
involve either getting outside the environment of WINNT (i.e. DOS), or
another called user advancement, which involves gaining privileges by
exploiting various security problems inherent in WINNT.

My favourite, and the one I am going to describe in detail, is getting
outside the restrictive environment. I don't know who found this security
loophole, but it is great and I hold no claim to it. At the logon screen a
Windows NT screensaver (by default) should pop up after 900 seconds, or 15
minutes. Well, if we replace this screensaver with a DOS prompt it is
possible to run samdump without any security problems. This screensaver is
by default located at "C:\WINNT\System32\" and is called login.scr.

To use this information we must first of all create a backup copy of
login.scr and keep it safe, and then delete the original copy of login.scr.
(If access is denied don't worry, we will come back to how to get past this;
however, you still need to make a backup of login.scr before you use the
instructions below.) Now we need to replace login.scr with a command prompt.
Because CMD.exe is located in the System32 directory we will have to copy
CMD and move to another directory where we create a copy of it. We rename
this copy login.scr; the .scr part will make no difference to the running of
the file, but it is important to know that the actual attributes of the file
have been changed. This means that if we have not done this properly the
file will now be called "login.scr.exe". To check this we must be in Windows
Explorer and go to "Tools > Folder Options"; when the new box opens go to the
View tab, scan down the list and remove the tick from the "Hide file
extensions for known types" box. Also, while you are here, look closely at
what you do actually want to be able to see; these options may be hiding
files from you (keep this in mind for future tutorials).

Then go back and check the file is actually called "login.scr"; if it is
not, rename it, and place it in the directory %root%:\WINNT\system32\

Now, when you log off the computer, after 15 minutes a DOS prompt will pop
up; this is what I like to call a "pure" DOS prompt. (By this point we need
to have already installed "win password toolset" and know where in the file
structure we have installed it; I am going to assume it was installed to
"c:\temp\toolset\".) When the DOS prompt pops up you need to type the
following into it:

"cd c:\temp\toolset\" then type "dump.bat". After this, exit the prompt and
log on to Windows, replace login.scr with the original copy (this stops a
DOS prompt popping up after 15 mins every time you are at the logon screen),
and then go to "c:\temp\toolset\" and click on "crack.bat". The brute
forcing of the dumped password file that follows could take a long time.

Yey, you hacked WINNT.

For all you people who didn't have the privileges to delete or rename files
under "c:\WINNT\System32\", well, you're going to need a CD writer and some
very useful software available at
"http://www.astalavista.com/tools/utilities/misc/" called "in code we trust",
which is by an anonymous hacker. When this is downloaded it will be in a zip
file, and inside will be a file called "ICWT.iso". An ISO file is an image of
a CD, which can be used by CD burning programs such as Nero (if you can't do
this, look it up on the internet; I'm not quite going to mother you that much).

When this CD is made we need to change our BIOS settings. The BIOS is the
thing stored in read-only memory which initially starts our computer and
loads the operating system. All BIOSes are different; however, when we
restart our computer a few lines of text generally come up saying something
like "Press F2 for BIOS" (other usual keys include DEL). Once inside your
BIOS, change the start-up order: we want the CD drive to fire up before the
hard disc. All BIOSes are different, but most come with some sort of text
explaining how to change settings and pages; you are going to have to figure
this out for yourself. Then we restart and place the ICWT disc into the CD
drive. When it starts up it will give you a choice of file structures; you
will most likely want the NTFS 4.0 option. Then just let it run and you will
be presented with a flashing DOS prompt.
You need to change to the hard drive where your operating system is stored;
do this by replacing my "c" with the letter of your drive:

cd c:
cd c:\WINNT\System32\
del login.scr (Make sure you backed this up previously)

Then restart your computer and continue with the instructions above.
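As an added defensive check (not code from the original text), this Python script looks for the signs of the screensaver swap described above: it compares the logon screensaver in System32 with cmd.exe byte for byte, and reads the Subsystem field of the PE header, since a genuine screensaver is built as a Windows GUI program while cmd.exe is a console program. The file name login.scr is the one the text uses, and the sample PE bytes built for offline testing are constructed.

```python
import hashlib
import os
import struct

IMAGE_SUBSYSTEM_WINDOWS_CUI = 3   # console program such as cmd.exe; a real .scr is GUI (2)

def pe_subsystem(data: bytes):
    """Return the Subsystem value from the PE optional header, or None if not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # Subsystem is 68 bytes into the optional header, which follows the 4-byte
    # signature and the 20-byte COFF file header (same offset for PE32 and PE32+).
    offset = e_lfanew + 4 + 20 + 68
    if len(data) < offset + 2:
        return None
    return struct.unpack_from("<H", data, offset)[0]

def screensaver_findings(scr_data: bytes, cmd_data: bytes):
    """Reasons the screensaver looks like a renamed command prompt (empty list = clean)."""
    findings = []
    if hashlib.sha256(scr_data).digest() == hashlib.sha256(cmd_data).digest():
        findings.append("screensaver is byte-identical to cmd.exe")
    subsystem = pe_subsystem(scr_data)
    if subsystem is None:
        findings.append("screensaver is not a valid PE file")
    elif subsystem == IMAGE_SUBSYSTEM_WINDOWS_CUI:
        findings.append("screensaver is a console program, not a GUI screensaver")
    return findings

def make_sample_pe(subsystem: int) -> bytes:
    """Constructed minimal MZ/PE header, just enough for pe_subsystem(); not a real binary."""
    buf = bytearray(0x40 + 4 + 20 + 70)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)              # e_lfanew: PE signature at 0x40
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x40 + 4 + 20 + 68, subsystem)
    return bytes(buf)

def check_system32(scr_name: str = "login.scr"):
    """Run the check on the live files (Windows only); scr_name is the name the text uses."""
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\WINNT"), "System32")
    with open(os.path.join(system32, scr_name), "rb") as f, \
         open(os.path.join(system32, "cmd.exe"), "rb") as g:
        return screensaver_findings(f.read(), g.read())

if __name__ == "__main__":
    print(check_system32() or ["no sign of a swapped screensaver"])
```

Comparing the screensaver's hash against a known-good copy, as the same function does against cmd.exe, also catches the boot-CD deletion route, since the file will then be missing or replaced.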


This I have found to be the most foolproof way (if there is a foolproof
way) of getting a dump from the SAM file. However, there is another way if
the above fails; it involves a program called "getadmin.exe". I am not going
to go into this in this text, as I am sure somebody else will have written
comprehensively about it.

Audio_head

Comments, complaints, praise?

audio__head@hotmail.com