Network Scenario
Hey people,
I thought this might be a good idea, or not, but there is no harm in trying.
Ok, I am going to outline a fictional scenario of a network that (fictionally) needs to be hacked. Then everyone can post how they would go about it and what methods they would use. I am really interested in how different people's methods would vary.
================================================
!NOTE!: This is a fictional network and information gained from this idea will only be used for educational purposes and will not be used for illegal or malicious activities.
You have a user logon and physical access to a network outlined below:
You know the following about the network at the moment:
It consists of:
About 200 client computers running windows 2000 sp4
Every computer is on one domain
It has access to the internet
The user account you have has the following restrictions:
• Command prompt disabled
• No access to the C: drive
• Run disabled
• Regedit disabled
• No right click on the desktop
//————————————————————
• .bat files are not disabled
• The system has Visual C++ installed and is accessible
• USB drives / hard drives can be used
• It is possible to boot from CD
//————————————————————
The plan is to gain as much access and control as possible. What would you do?
Relentless.
This sounds like my school (a fictional school obviously, lol), and if it runs RM then it's a bit dodgy, so I think your first target would be disabling that.
You can access any program from the Windows folder using hyperlinks in PowerPoint (in case that is of any help). Also I think, if it's the same config, that taskmgr.exe is disabled :(.
If they haven't disabled .bat files yet, do .exe files run? Because a way to get out of RM would be to make a simple C program using the Windows API and just terminate the .exe.
Since booting from CD is possible, you could boot up an Ophcrack live CD and use rainbow tables to crack the admin password. If all the computers have the same admin password, this would most likely give you full access to all the computers, both locally and remotely (through the C$ share). This is at least a beginning.
The most effective way I've seen of bypassing this stuff, like RM restrictions, is to crash Explorer. Just throwing it in there. So most likely I would hang around milw0rm.com until I get an Explorer-crashing bug like the animated cursor ones a little while ago, crash Explorer, and when it's restarted, problem solved. This works for RM, by the way :)
If you're looking at using Visual C++ to create your own command-line terminal, check out the "Programming Visual C++ 5th Edition" from Microsoft Press. While I was playing around with Visual C++, I crafted a simple cmd process program frontend that just passed commands/arguments to cmd.exe and my own streamlined web-browser.
It's an older book, so you could probably find it in one of these resale shops for pretty cheap.
Well, this might be easier than I first thought. You would need to open Notepad and create a batch file that can either open command.com or cmd.exe (which are both available in Windows 2000 SP4 (btw, I'm using 2000 SP4)). Once you are in the command prompt, you will then want to create an administrator account, using various methods, and attempt to surf to the C: drive. If you cannot do what I stated above, then you could download a live CD version of Linux that can see NTFS partitions, and then access the data that way. There shouldn't be any security protocols running in Linux, which should mean you can see all of the files on the computer without any problems. Then you can take a USB key or HD and extract the files you want, and then see them on your home comp.
Ok, so let's say we take a Linux distro like Auditor and get access to all the files on the local machine. Easy. Now how easy would it be to have a look around for servers, and how easy would it be for the network admins to detect you? Would they be able to detect that you were using Linux?
xD
Relentless.
What it sounds like you are looking for is access to the domain controller; the admin hashes are stored on that controller itself. What you will want to do is very similar to the way you'd traverse a locked-down Unix network…user account escalation. Using the adminpak.msi file found on the W2K OS disc, you can remotely inject users into the domain controller if you can map it.
You could log in as the local administrator and install a packet sniffer that will run in promiscuous mode. What you'll be looking for are domain transfer packets, DNS/DHCP requests, and maybe some user logins if they are transferred (inner-network) in plaintext.
Personally, in your scenario put forth, I'd be attempting to create a logical network map…IP addresses, router schemes, server types on the network, etc…
If you have no luck with that, since you have local access on one of the publicly used machines, then you'll want to take a look and see if they set the domain users' home folders to be stored on local machines or if they are pulled remotely from either the network controller or a file server…everything you're looking to do can be done without loading up a super slow-running live CD.
Also…if you can manage to map the switching end of your network, you can always perform a man-in-the-middle attack and use a packet forwarding piece of software to funnel packets to yourself. Usually, the better times to perform such a task are either when everyone is just getting in or around the time when lunchtime ends.
Make sure you remove yourself from the MIM attack after a few moments so as not to arouse any suspicion…after all, networks are prone to congestion problems.
Easiest ways to collect information on your system…
With a USB flash drive, have DSL installed on it. This will take you off the network while leaving you in. You will then be able to use Samba to browse through to any drives that are not administrator locked. Once you find the main server's base drive, you can access their Active Directory structure and look at it…here you will find a wealth of information: usernames, restrictions and much, much more. Once you have gained this information, it is time to find the SAM files on a few of the base machines (yours??). With this file you will have all the passwords of the users who have logged into it…let me see…do the ADMINS ever log into every computer? HELL YES! Now you have the admins' passwords and you have their usernames. Once you have this you are GOD and you can set up your own account with administrator privs. Make it look like you are still a student though, because admins get mighty pissy if they walk by the computer lab and see you are logged in with an admin screen ;)
That is all for now.
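A defender-side check of the three configuration points the thread turns on, as an added example that is not from any poster in this thread: the command-prompt policy that still lets batch files run (the Notepad-plus-.bat post), LM hash storage that makes rainbow-table cracking of a shared local administrator password feasible (the Ophcrack post), and cached domain logons on shared workstations (the "admins log into every computer" post). It is PowerShell run on the host under review; the registry paths and value meanings are the documented ones, and the assumption is that it runs with rights to read HKLM. It goes beyond the Windows 2000 machines in the scenario (PowerShell does not ship there, and reg.exe would be used to read the same values) in that it also covers the later DWORD form of NoLMHash.

```powershell
# Added audit example (not from the thread). Reads the policy/registry settings
# behind the three weaknesses the posts rely on and reports which are still open.
# Assumption: run locally with an account that can read HKLM.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # value not set
    }
}

function Test-CmdPolicy {
    # "Prevent access to the command prompt": DisableCMD = 1 also blocks batch
    # file processing; DisableCMD = 2 blocks only the interactive prompt, which is
    # exactly the state the scenario describes (cmd disabled, .bat still runs).
    $v = Get-RegValue 'HKCU:\Software\Policies\Microsoft\Windows\System' 'DisableCMD'
    switch ($v) {
        1       { 'command prompt and batch scripts both blocked' }
        2       { 'WEAK: command prompt blocked but batch scripts still run' }
        default { 'WEAK: command prompt not restricted by policy' }
    }
}

function Test-LmHashStorage {
    # LM hashes are what the rainbow tables mentioned in the thread target.
    # On Windows 2000 NoLMHash is a subkey under Lsa; on XP/2003 and later it is
    # a DWORD value. Accept either form as "disabled".
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $asValue = Get-RegValue $lsa 'NoLMHash'
    $asKey   = Test-Path "$lsa\NoLMHash"
    if ($asValue -eq 1 -or $asKey) { 'LM hash storage disabled' }
    else { 'WEAK: LM hashes of local accounts are stored in the SAM' }
}

function Test-CachedLogons {
    # Domain credentials cached for offline logon; every admin who has logged on
    # at a shared workstation leaves one behind. Default is 10, 0 disables caching.
    $v = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'CachedLogonsCount'
    if ($null -eq $v) { $v = 10 }   # documented default when the value is absent
    if ([int]$v -eq 0) { 'no domain logons cached locally' }
    else { "WEAK: up to $v domain logons cached on this machine" }
}

Test-CmdPolicy
Test-LmHashStorage
Test-CachedLogons
```

Each function returns one line, so the script can be dropped into a logon script or a scheduled job and its output collected centrally; a lab fleet where every machine reports the same three WEAK lines is the environment the thread describes. Setting DisableCMD to 1, NoLMHash to 1 and CachedLogonsCount to 0 (or a small number, where offline logon is needed) closes the specific gaps the posts rely on; a unique local administrator password per machine removes the "same password everywhere" assumption behind the C$ share point.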