Wednesday, November 23, 2011

[TUT]Windows Local Area Network Hacking Tutorial[TUT]

Hello. I suppose you could consider this a hacking tutorial of sorts. There are tutorials, written very poorly I must say, that classify these techniques as NetBIOS hacking. It can be considered hacking when used for malicious purposes, and also when you are testing computer security and integrity. But as far as networking goes, you are using SMB (Server Message Block), an application layer networking protocol, to provide shared access to files, printing services, serial ports, and other things between two nodes on a network. A node is just an active device connected to a computer network, like a computer or switch. In computer science, nodes are generally used in graphs, whether directed or undirected. The topology of a network acts in the same way: a node is where two links meet, much as two edges meet at a vertex in a graph. Security administrators should turn SMB off unless they absolutely need it, and if they do need it they should be implementing a network firewall. So, we are going to take advantage of their stupidity. The only difference between using the techniques in this tutorial and exploiting a remote network service with a stack overflow (also called a stack-based buffer overrun) is, well, that they aren't as sexy as the latter. But, due to human stupidity, we can access remote machines through file sharing and we can also shut them down.

Well, first of all, you can get into remote computers on the same Local Area Network because of a service no network should ever use unless it absolutely NEEDS to: file sharing. To get into a remote computer, you have to use shares.

First, you need a target. Just to test this out, you are going to type in
Code:
net view

Then, you will see a list of host names. You could resolve them to IP addresses using the
Code:
ping
command, but I just use the host name. Now you need to know the share you want to use on the remote host. Generally these shares are named
Code:
IPC$
ADMIN$
C$

Etc. Now, when you looked at those shares, which one made your weeble wobble? That's right, it's the ADMIN$ share. However, it would not be a bad idea to take a look at the other two shares. To display your local share names, type this command into your command prompt-
Code:
net share

Now let's say you found that ADMIN$ shares were being used locally across the network. Now what you are going to do is connect to the target host. Type this in-

Code:
net use * \\hostname\ADMIN$

Let me explain this-

Code:
net use

This is the command used to specify you want to use a shared resource on another computer.

Code:
*

The asterisk is the most important part. It tells net use to map the share to a drive letter, and that drive is what you will use to navigate the remote host's files. You could specify the drive letter yourself if you wanted to, but for a tutorial like this we will use the asterisk and let it pick the drive name. If you connect to more than one host, the drive for the first host will be named Z:, the second Y:, and so on.

Code:
\\hostname

This is the host name specified in the net use command; it is the name shown when you execute the net view command. The two leading backslashes are part of the syntax, and they are also included in the output of the net view command.

Code:
\ADMIN$

This is the name of the share you are using on that host. The dollar sign is part of the share name, and the backslash separating it from the host name is part of the net use syntax.

Here is an example of the command in action-

Code:
net use * \\ABCLI123-65\ADMIN$
Or
Code:
net use * \\192.168.1.100\C$

If the command works, you will see the message “The command completed successfully”, and you are connected to the remote host. Now, just click the Start button, navigate to “Computer” or “My Computer”, and look for the drive letter that was shown in the command prompt output after you executed the command. Open it, and of course you will have access to the files on the remote host.

AREN'T YOU A LUCKY DUCK!

Now, if this doesn't work, most often because of system error 53 or system error 5, you can still deny service to the remote host. No, we're not going to bust out the ping of death, but we will shut their machines down. Now then, if I was going to do this, which I have, I would use the graphical interface to simplify things. Go to a command prompt and type in

Code:
shutdown -i

If you get another error, well, I'm not going to do a full tutorial on hacking Windows machines, but if you get no error, then here is what you do. Remember the
Code:
net view
command? Well, run that command again and look at all the machines on your network. When you see the list of machines, notice the [ \\ ] characters at the beginning of each host name. In the interface for shutting down remote computers there is a button labelled Add, in the top right-hand corner next to the text box. Click this button, type in (or copy and paste) the host name into the input box you are prompted with, and click OK. You should now see the host name in the text box. Now you can specify other options, such as the reason you are shutting them down, the delay before the shutdown (in seconds), and a text box at the bottom for a comment. Type in a comment after you specify the delay, and give your reason (I usually choose the “Other” option). Then click the OK button at the bottom of the GUI, and if you don't get an error in the command prompt you invoked the GUI from, the remote host has been shut down. :)

AREN'T YOU A LUCKY DUCK!
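On the defending side, both techniques in this tutorial leave tracks in the Windows event logs: a connection to a share is recorded as Security event 5140 with the client's address and the share name, and a remote shutdown as System event 1074 naming the machine that ran shutdown.exe. The Python below is an added example, not part of the original post; its pipe-separated record layout and sample lines are constructed for illustration and do not reproduce real event text.

```python
import ipaddress
import re

# Constructed sample records (not real log output), modelled on the fields of
# Windows Security event 5140 (network share object accessed) and System event
# 1074 (shutdown initiated). Pipe layout is this example's own assumption:
#   EventID|TargetComputer|Origin|Account|Object
# Origin: client address (5140) or machine that ran shutdown.exe (1074).
SAMPLE_LOG = """\
5140|FILESRV01|192.168.1.100|CORP\\jdoe|\\\\*\\ADMIN$
5140|FILESRV01|127.0.0.1|CORP\\svc_backup|\\\\*\\ADMIN$
5140|FILESRV01|192.168.1.77|CORP\\jdoe|\\\\*\\C$
5140|FILESRV01|10.0.0.5|CORP\\mlee|\\\\*\\Public
1074|WS-042|WS-017|CORP\\jdoe|C:\\Windows\\system32\\shutdown.exe
1074|WS-042|WS-042|CORP\\admin|C:\\Windows\\Explorer.EXE
"""
FIELDS = ("event_id", "computer", "origin", "account", "obj")
# Shares Windows creates automatically: ADMIN$, IPC$ and one <drive>$ per volume.
ADMIN_SHARE_RE = re.compile(r"^(ADMIN\$|IPC\$|[A-Z]\$)$", re.IGNORECASE)

def parse_log(text):
    """Return one dict per well-formed record; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) == len(FIELDS) and parts[0].isdigit():
            rec = dict(zip(FIELDS, parts))
            rec["event_id"] = int(rec["event_id"])
            events.append(rec)
    return events

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:          # host names or blanks are not loopback
        return False

def remote_admin_share_access(events):
    """5140 records where a non-loopback client opened an administrative share."""
    hits = []
    for e in events:
        share = e["obj"].rsplit("\\", 1)[-1]        # "\\*\ADMIN$" -> "ADMIN$"
        if (e["event_id"] == 5140 and ADMIN_SHARE_RE.match(share)
                and not is_loopback(e["origin"])):
            hits.append((e["origin"], e["account"], share))
    return hits

def remote_shutdowns(events):
    """1074 records whose initiating shutdown.exe ran on a different machine."""
    return [(e["origin"], e["account"], e["computer"]) for e in events
            if e["event_id"] == 1074 and e["origin"].upper() != e["computer"].upper()]
```

In a real deployment the same two functions would be fed fields pulled from the event records themselves (for example via Get-WinEvent) rather than the constructed lines above.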

Anyway, I enjoyed writing this little tutorial for you guys, hope you learned something new. :D
